Contents of the presentation Practical method of objective trees for - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Enhancing Human and Organizational Factors in Defence in Depth

Jozef Misak, UJV Rez a.s., Czech Republic, e-mail: Jozef.Misak@ujv.cz, phone number: +420 602 293 882

Germaine Watts, Intelligent Organizational Systems, Canada, e-mail: germainewatts@intelorgsys.com, phone number: 1-506-333-7093

slide-2
SLIDE 2

Contents of the presentation

  • Practical method of objective trees for assessment of comprehensiveness of DiD
  • Consideration of links between technological systems and human factors for identification of weaknesses in DiD
  • Applying the Objective Trees for Assessment of Internal/External HOF in DiD and identification of improvements
  • Ways for strengthening HOF in nuclear safety
  • Examples of post-Fukushima enhancements of objective trees
  • How a Systemic perspective supports the realization of DiD provisions

slide-3
SLIDE 3

Background

  • Defence in depth (INSAG-10) – hierarchical deployment of different levels of equipment and procedures to maintain the effectiveness of physical barriers placed between radioactive material and workers, the public or the environment, in normal operation, anticipated operational occurrences and, for some barriers, in accidents at the plant
  • Defence in depth – ensures that the safety functions are reliably achieved with sufficient margins to compensate for equipment failure and human errors
  • Defence in depth is generally recognized as an effective way for preventing and mitigating consequences of accidents in nuclear power plants
  • Provisions for compliance with defence in depth include both technological items as well as human controlled or influenced items
  • Defence in depth is often oversimplified focusing on engineering aspects (barriers and their integrity) while “soft” aspects are much weaker
  • Human and organizational issues including safety culture are associated with large uncertainties, while they can affect several levels of defence at the same time (similarly as external hazards)

slide-4
SLIDE 4

IAEA Fundamental Safety Principle No.8

3.31. The primary means of preventing and mitigating the consequences of accidents is ‘defence in depth’. Defence in depth is implemented primarily through the combination of a number of consecutive and independent levels of protection that would have to fail before harmful effects could be caused to people or to the environment. If one level of protection or barrier were to fail, the subsequent level or barrier would be available. When properly implemented, defence in depth ensures that no single technical, human or organizational failure could lead to harmful effects, and that the combinations of failures that could give rise to significant harmful effects are of very low probability. The independent effectiveness of the different levels of defence is a necessary element of defence in depth.

3.32. Defence in depth is provided by an appropriate combination of:

  • An effective management system with a strong management commitment to safety and a strong safety culture.
  • Adequate site selection and the incorporation of good design and engineering features providing safety margins, diversity and redundancy, mainly by the use of:
      • Design, technology and materials of high quality and reliability;
      • Control, limiting and protection systems and surveillance features;
      • An appropriate combination of inherent and engineered safety features.
  • Comprehensive operational procedures and practices as well as accident management procedures.

slide-5
SLIDE 5

DiD approach: Elaboration on the original table form

INSAG-10 – HOF means to be specifically added?

  • Level 1
      • Objective: Prevention of abnormal operation and failures
      • Essential design means: Conservative design and high quality in construction of normal operation systems, including monitoring and control systems
      • Essential operational means: Operational rules and normal operating procedures
  • Level 2
      • Objective: Control of abnormal operation and detection of failures
      • Essential design means: Limiting and protection systems and other surveillance features
      • Essential operational means: Abnormal operating procedures/emergency operating procedures
  • Level 3
      • Objective: Control of design basis accidents (postulated single initiating events)
      • Essential design means: Engineered safety features (safety systems)
      • Essential operational means: Emergency operating procedures
  • Level 4
      • Objective: Control of design extension conditions (postulated multiple failures events) including prevention of accident progression and mitigation of the consequences of severe accidents
      • Essential design means: Safety features for design extension conditions. Technical Support Centre
      • Essential operational means: Complementary emergency operating procedures/severe accident management guidelines
  • Level 5
      • Objective: Mitigation of radiological consequences of significant releases of radioactive materials
      • Essential design means: On-site and off-site emergency response facilities
      • Essential operational means: On-site and off-site emergency plans

slide-6
SLIDE 6

Correlation of levels of defence and success criteria

[Figure: consequences versus frequency, Level 1 to Level 5, with the provisions of each level]

  • Challenges to Level 1 dealt with by provisions of Level 1
  • Failure of Level 1: an event sequence is initiated
  • Failure of Level 2: an accident sequence is initiated
  • Failure of Level 3: acceptance criteria for DBAs exceeded
  • Failure of Level 4: prompt off-site measures needed

  • Success: Normal operation
  • Success: Return to normal operation, prevention of DBA
  • Success: Consequences within design basis
  • Success: Containment integrity

slide-7
SLIDE 7

Defence in depth addressed in a number of background IAEA documents

slide-8
SLIDE 8

Method of objective trees: Screening of comprehensiveness of defence in depth

  • Possible interpretation of the term “defence in depth” is too broad: all NPPs have physical barriers and means to protect the barriers, while their level of defence can be very different
  • A practical tool for detailed assessment of the comprehensiveness of the provisions for ensuring defence in depth was needed
  • A screening method using so called “objective trees” has been developed by the IAEA several years ago to respond to the need
  • The reference approach for checking the completeness and quality of implementation of the concept of defence in depth, which includes a comprehensive overview of challenges/mechanisms/provisions for all levels of defence
  • Graphical form of objective trees helps to understand the links between safety provisions and challenges to safety objectives at different levels of defence
  • At the same time the objective trees also illustrate that the means for protection of the physical barriers against releases of radioactive substances include much more than just NPP technological systems and procedures

slide-9
SLIDE 9

Selected definitions

  • Safety Function: A specific purpose that must be accomplished for safety in operational states, during and following DBA and, to the extent practicable, in, during and following the considered NPP conditions beyond the DBA
  • Fundamental Safety Functions: 1) controlling the reactivity, 2) cooling the fuel, 3) confining the radioactive material and control of operational discharges, as well as limitation of accidental releases
  • Safety Principles: Commonly shared safety concepts stating how to achieve safety objectives at different levels of defence in depth (INSAG definition)
  • Mechanisms: Elementary physical processes or situations whose consequences might create challenges to the performance of safety functions

slide-10
SLIDE 10

Selected definitions

  • Challenges: Generic processes or circumstances (conditions) that may impact the intended performance of safety functions; a set of mechanisms having consequences which are similar in nature
  • Provisions: Inherent plant characteristics, safety margins, system design features and operational measures contributing to the performance of the safety functions; aimed at prevention of the mechanisms to occur
  • Objective Tree: Graphical presentation, for each of the five levels of defence, of the following elements, from top to bottom: 1) the objective of the level, 2) the relevant safety functions, 3) the identified challenges, 4) constitutive mechanisms for each of the challenges, 5) the list of provisions preventing the mechanism to occur

slide-11
SLIDE 11

Description of the objective trees (next figure)

  • Safety must be ensured by provisions at all 5 levels at the same time
  • Each level has its relevant safety objectives ensured by maintaining integrity of the barriers
  • For maintaining integrity of the barriers, the fundamental (and derived) safety functions should be performed
  • Performance of safety functions can be affected by a number of mechanisms; combination of similar mechanisms represents a challenge to safety functions
  • To prevent mechanisms and challenges affecting the safety functions, safety provisions of different kinds should be implemented
  • Links between different components of defence in depth can be graphically depicted in objective trees

slide-12
SLIDE 12

General structure of the objective tree at each level of defence (IAEA SR No. 46)

slide-13
SLIDE 13

Comprehensiveness of safety provisions (measures) to ensure effectiveness of barriers

Variety of safety provisions: organizational, behavioural and design measures, namely

  • inherent safety characteristics
  • safety margins
  • active and passive systems
  • operating procedures and operator actions
  • human factors and other organizational measures
  • safety culture aspects

Although plant systems are very important, they are not the only important component of defence in depth

How to ensure that a set of provisions is comprehensive enough? – Basic Safety Principles (INSAG-12)

Safety principles form a fundamental set of rules how to achieve nuclear safety objectives and ensure comprehensiveness of provisions

INSAG-12: The safety principles do not guarantee that NPPs will be absolutely free of risk, but, when the principles are adequately implemented, the plants should be very safe

slide-14
SLIDE 14

Overview of INSAG-12 basic safety principles

Fundamental principles: Management (3); Strategy of defence in depth (3); General technical principles (10)

Specific principles: Siting (4); Design (25); Manufacturing and construction (2); Commissioning (4); Operation (12); Accident management (3); Emergency preparedness (3); Decommissioning (1)

slide-15
SLIDE 15

Examples of safety principles (INSAG-12)

  • 30. Safety culture. An established safety culture governs the actions and interactions of all individuals and organizations engaged in activities related to nuclear power.

Explanatory text in 4 articles, more than 2 pages of text

  • 89. Human factor. Personnel engaged in activities bearing on nuclear plant safety are trained and qualified to perform their duties. The possibility of human error in nuclear power plant operation is taken into account by facilitating correct decisions by operators and inhibiting wrong decisions, and by providing means for detecting and correcting or compensating for error.

Explanatory text in 6 articles, about 2 pages of text

  • 192. Protection against power transient accidents. The reactor is designed so that reactivity induced accidents are protected against, with a conservative margin of safety.

Explanatory text in 2 articles, approx. 1 page of text

  • 249. Achievement of quality. The plant manufacturers and constructors discharge their responsibilities for the provisions of equipment and construction of high quality by using well proven and established techniques and procedures supported by quality assurance techniques.

Explanatory text in 4 articles, approx. 1 page of text

slide-16
SLIDE 16

INSAG Basic Safety Principles

[Figure: columns labelled LEVEL 1 to LEVEL 5]

slide-17
SLIDE 17

Examples of challenges /mechanisms/ provisions

  • Safety principle (192) Levels 1-3: Protection against power transient accident
  • Challenge: Insertion of reactivity with potential fuel damage
  • Mechanisms: 1. Control rod (CR) withdrawal; 2. CR ejection; 3. CR malfunction; 4. Erroneous start-up of a loop; 5. Release of absorber deposits; 6. Incorrect refueling operations; 7. Inadvertent boron dilution
  • Provisions (only for 1st mechanism):
      • For Level 1: Design margins minimizing need for automatic control; Operational strategy with most rods out
      • For Level 2: Monitoring of control rod position; Limited speed of control rod withdrawal; Limited worth of control rod groups
      • For Level 3: Negative reactivity feedback coefficient; Conservative set-points of reactor protection system; Reliable and fast shutdown system

slide-18
SLIDE 18

Examples of objective trees

slide-19
SLIDE 19

Statistics of the objective trees included in IAEA Safety Report No. 46

  • 95 different challenges identified (some of them applicable for several levels)
  • 254 different mechanisms identified
  • 941 different provisions indicated

slide-20
SLIDE 20

Example: Objective tree for Level 2

SAFETY PRINCIPLE: Protection against power transient accidents

Safety functions, challenges, mechanisms, provisions:

  • Safety function: SF(1) affected: to prevent unacceptable reactivity transients
  • Challenge: Insertion of reactivity with potential for fuel damage
  • Mechanism: Control rod withdrawal. Provisions: Monitoring of rod position; Limited speed of rod withdrawal; Limited worth of control rod groups
  • Mechanism: Control rod malfunction (drop, alignment). Provisions: In-core instrumentation; Monitoring of rod position
  • Mechanism: Erroneous startup of loop. Provisions: Limitations on inactive loop parameters; Limited speed for a loop connection
  • Mechanism: Release of absorber deposits. Provisions: Adequate coolant chemistry; In-core instrumentation
  • Mechanism: Incorrect refuelling operations. Provisions: In-core instrumentation; Sufficient shutdown margin; Negative reactivity coefficient feedback
  • Mechanism: Inadvertent boron dilution. Provisions: Adequate operating procedures; Monitoring system for makeup water; Long time for operator response
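
The screening idea behind this Level 2 tree, as an added Python example (not part of the presentation or of IAEA Safety Report No. 46). The tree is encoded from the slide text; the assignment of provisions to mechanisms is read from the flattened figure and is therefore an assumption, mechanism names follow the list given for safety principle 192, and all class and function names are hypothetical.

```python
"""Objective-tree screening sketch (added example; all names are hypothetical)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Mechanism:
    name: str
    provisions: list[str] = field(default_factory=list)


@dataclass
class Challenge:
    name: str
    mechanisms: list[Mechanism]


@dataclass
class ObjectiveTree:
    level: int
    safety_principle: str
    safety_function: str
    challenges: list[Challenge]

    def mechanisms(self):
        """Yield every mechanism under every challenge of this level."""
        for challenge in self.challenges:
            yield from challenge.mechanisms


# The seven mechanisms the slides list for safety principle 192.
PRINCIPLE_192_MECHANISMS = [
    "Control rod (CR) withdrawal", "CR ejection", "CR malfunction",
    "Erroneous start-up of a loop", "Release of absorber deposits",
    "Incorrect refueling operations", "Inadvertent boron dilution",
]

# Level 2 tree; provision-to-mechanism grouping is an assumption (see lead-in).
LEVEL2_TREE = ObjectiveTree(
    level=2,
    safety_principle="Protection against power transient accidents (192)",
    safety_function="SF(1): to prevent unacceptable reactivity transients",
    challenges=[Challenge(
        "Insertion of reactivity with potential for fuel damage",
        [
            Mechanism("Control rod (CR) withdrawal", [
                "Monitoring of rod position",
                "Limited speed of rod withdrawal",
                "Limited worth of control rod groups"]),
            Mechanism("CR malfunction", [
                "In-core instrumentation",
                "Monitoring of rod position"]),
            Mechanism("Erroneous start-up of a loop", [
                "Limitations on inactive loop parameters",
                "Limited speed for a loop connection"]),
            Mechanism("Release of absorber deposits", [
                "Adequate coolant chemistry",
                "In-core instrumentation"]),
            Mechanism("Incorrect refueling operations", [
                "In-core instrumentation",
                "Sufficient shutdown margin",
                "Negative reactivity coefficient feedback"]),
            Mechanism("Inadvertent boron dilution", [
                "Adequate operating procedures",
                "Monitoring system for makeup water",
                "Long time for operator response"]),
        ],
    )],
)


def unprotected_mechanisms(tree: ObjectiveTree, expected: list[str]) -> list[str]:
    """Expected mechanisms with no provision in this level's tree."""
    covered = {m.name for m in tree.mechanisms() if m.provisions}
    return [name for name in expected if name not in covered]


def shared_provisions(tree: ObjectiveTree) -> dict[str, list[str]]:
    """Provisions that more than one mechanism relies on.

    A weakness in such a provision degrades several branches at once.
    """
    users: dict[str, list[str]] = defaultdict(list)
    for mechanism in tree.mechanisms():
        for provision in mechanism.provisions:
            if mechanism.name not in users[provision]:
                users[provision].append(mechanism.name)
    return {p: names for p, names in users.items() if len(names) > 1}


def screen(tree: ObjectiveTree, expected: list[str]) -> dict:
    """Combine both checks into one screening report for a level."""
    return {
        "level": tree.level,
        "unprotected": unprotected_mechanisms(tree, expected),
        "shared": shared_provisions(tree),
    }


if __name__ == "__main__":
    report = screen(LEVEL2_TREE, PRINCIPLE_192_MECHANISMS)
    print("Level", report["level"])
    print("No provision at this level:", report["unprotected"])
    for provision, names in report["shared"].items():
        print(f"{provision!r} supports: {', '.join(names)}")
```

A mechanism reported without provisions is a prompt for the assessor to confirm whether it is handled at another level or is a genuine gap.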

slide-21
SLIDE 21

Objective tree for Levels 1, 2, 3, 4 of defence in depth. SAFETY PRINCIPLE: Ultimate heat sink provisions (142)

Safety functions, challenges, mechanisms, provisions:

  • SF(7) affected: to remove residual heat in operational states and accidents with RPB intact
  • SF(6) affected: to remove heat from the core after a failure of the RPB to limit fuel damage
  • SF(8) affected: to transfer heat from other safety systems to the ultimate heat sink

Body of water (sea, river, lake, etc.) lost due to external hazards Atmospheric UHS not designed to withstand extreme events natural phenomena human induced events Analysis of all site relevant extreme events for design natural phenomena human induced events diversity of UHS diversity of supply systems (power, fluid) External hazards properly addressed in UHS design Long term ultimate heat sink (UHS) not adequate proven components redundancy diversity interconnection isolation physical separation HTSs designed according to the importance of their contribution to HT Heat transport systems (HTS) not reliable Evaporation of water process in UHS impacted Raising of the temperature process of UHS impacted Support systems for UHS not properly designed rates within limits pressure limits interconnection and isolation capabilities leak detection power and fluid supply LOOP redundancy diversity independence safety margins design precautions for external hazards Proper design of the HTS venting additional water for spray system Extended capabilities for heat transfer in case of severe accidents Heat transport systems (HTS) vulnerable

slide-22
SLIDE 22

Objective tree for Level 3 of defence in depth. SAFETY PRINCIPLE: Dependent failures

  • Independence of safety systems from other plant systems
  • Fail-safe design of safety systems to the extent possible
  • Sufficient redundancy and diversity in power sources
  • Redundancy, diversity, independence of auxiliary services for safety systems
  • Interaction of simultaneously operated safety systems
  • CCF due to internal events (loss of power, lack of fuel for DGs, etc.)
  • Independent, redundant systems linked with diversity
  • QA programme implemented in all phases of plant lifetime
  • Independent verification/assessment of design
  • Margins incorporated in design to cope with ageing and wear-out
  • Coordination of different operational maintenance, support groups
  • CCF due to system errors in design, construction, operation, maintenance, tests
  • Avoid sharing of important systems between units
  • Demonstration of safety for all operational states and DBA on any of units
  • Safe shutdown and cooling of one reactor with severe accident on other
  • CCF due to events originated in other units on the same site
  • Risk analysis of internal hazards and implementation of countermeasures
  • Physical separation by barriers, distance or orientation
  • Redundant systems located in different compartments
  • Crucial equipment qualified for environmental conditions
  • External events considered as initiators for internal hazards (fires, floods,...)
  • Overpressurization of one system from other interconnected system avoided
  • CCF due to internal hazards (flooding, missiles, pipe whip, jet impact)
  • Fire hazard analysis performed to specify barriers, detection, fighting systems
  • Preference to fail-safe operation of systems
  • Use of non-combustible, fire retardant and heat resistant materials
  • Separation of redundant systems by fire resistant walls/doors
  • Preferable use of non-flammable lubricants
  • Control of combustibles and ignition sources
  • Sufficient fire fighting capability available
  • Automatic initiation of fire fighting system
  • Inspection, maintenance, testing of fire fighting system
  • Fire resistant systems for shutdown, RHR, monitoring, conf. of radioactivity
  • Avoid impairment of safety systems by function of fire fighting systems
  • External fire fighting services considered
  • Organization of relevant training of plant personnel
  • CCF due to fires and internal explosions
  • Consideration of seismicity in site selection
  • Sufficient margins in anti-seismic design
  • Safety equipment qualified for seismic events by tests and analysis
  • Events possibly induced by earthquakes e.g. floods considered
  • Failure of non-safety equipment to affect performance of safety equip. avoided
  • CCF due to earthquakes
  • Assessment of risk from man-induced hazards
  • Subset of man-induced events included into design
  • Transport routes declined from vicinity of the plant
  • CCF due to human made hazards (aircraft crash, gas clouds, explosives)
  • Most extreme conditions considered in special design features
  • CCF due to external events (high winds, floods, extreme meteorol. cond.)
  • Safety systems fail when performing their functions due to common-cause failure vulnerabilities
  • All FSFs affected: controlling reactivity, cooling fuel, confining rad. mat.

slide-23
SLIDE 23

Human and organizational factors as an integral part of defence in depth

slide-24
SLIDE 24

Consideration of human and organizational factors in objective trees

  • INSAG 12 safety principles indicated clear role of human and organizational factors for achieving safety objectives at all levels of defence
  • Defence in depth is often oversimplified focusing on engineering aspects (barriers and their integrity) while “soft” aspects are neglected
  • Human and organizational issues are associated with large uncertainties, and can affect several levels of defence at the same time
  • Objective trees illustrate clear links between weaknesses in human and organizational factors and challenges to safety objectives and help to identify and eliminate them
  • It is obvious that there is always room for improvement, and comprehensive assessment of Fukushima offers broad opportunity for improvements

slide-25
SLIDE 25

Example: Objective tree for Level 1-4: HOF SAFETY PRINCIPLE Organization, responsibility and staffing

Mechanisms Challenges Provisions

  • Responsible plant manager in place
  • Organizational structure under plant manager in place
  • Executive management supports plant manager
  • Important elements for achieving safety not established
  • Implementation and enforcement of safety culture principles
  • Operation not governed by safety
  • financial technical support material chemistry radiological protection other staff resources to operation
  • Executive management provides resources
  • Resources not provided by executive management
  • Job descriptions to state responsibilities
  • Missing or incomplete job descriptions
  • Long term int. training programme for crucial staff
  • Sharing of experience of senior experts with new staff
  • Competitive conditions for necessary expertise
  • Maintaining motivation of staff during shut down periods
  • Maintaining documentation important for corporate memory
  • Support of good students in relevant areas
  • Loss of corporate memory
  • Degraded responsibility of operating organization for safe operation
  • Enough qualified staff is employed
  • Insufficient number of qualified staff
  • Appropriate schedule for normal activities
  • Undue stress or delay in activities e.g. maintenance, etc.
  • Appropriate schedule for supervision by exter. experts
  • Weak supervision during periods of exceptional workload
  • Backup for key positions
  • Taking account of attrition
  • Time reservation for retraining
  • Insufficient staffing specifications
  • Degraded staff actions in normal operations
  • Qualified staff for damage assessment and control
  • Qualified staff for AMP
  • Qualified staff for fire fighting
  • Qualified staff for first aid treatment
  • Qualified staff for on- and off-site monitoring
  • Emergency service in the locality
  • Staff not qualified for special tasks; emergency service not available
  • Degraded staff actions in accident situation and beyond
  • All FSFs affected: controlling reactivity, cooling fuel, confining rad. mat.

slide-26
SLIDE 26

Example: Objective tree for Levels 1-3: HOF SAFETY PRINCIPLE Training

Safety functions Challenges Mechanisms Provisions

  • Comprehensive training programme for all staff
  • Supporting training organization with sufficient resources and facilities
  • Inclusion of safety culture principles into training
  • Avoidance of conflict of production needs and training of personnel
  • Assessment and improvement of training programme
  • Training of external personnel and cooperation with plant personnel
  • Approval of training programme by regulatory body
  • Inclusion of tests of all personnel into training programme
  • Insufficient development of safety awareness
  • Systematic approach to training
  • Inclusion of variety of aspects: neutronics, TH, radiological, technological into training
  • Importance of maintaining fundamental safety functions into training
  • Importance of maintaining plant limits and conditions into training
  • Inclusion of plant lay-out, role and location of important components and systems into training
  • Inclusion of location of radioactive materials and measures to prevent their dispersal into training
  • Covering plant normal, abnormal and accident conditions in training
  • Inclusion of relevant plant walk-through into staff training
  • Specify intervals for refreshment training
  • Non-effective staff training
  • Routine staff activities potentially compromising safety due to overall lack of qualified personnel
  • Priority of safety over production in training
  • Covering role of managers in ensuring plant safety
  • Inclusion of PSA results into training
  • Familiarization with results of accident analysis within DBA
  • Analysis of operational experience feedback from same or similar plants
  • Specialized management training insufficient
  • Degraded plant safety performance due to inappropriate safety management
  • Covering detailed training of normal operating procedures
  • Plant familiarization and on the job training
  • Simulator training for plant operating regimes
  • Inclusion of analysis of operating events into training
  • Arrangement for formal approval (licensing) of operators
  • Degraded or out-of-date knowledge
  • Inclusion of PSA results into training
  • Familiarization of staff with results of accident analysis within DBA
  • Covering details of accidents within DBA including diagnostic skills
  • Detailed EOP training, retraining and testing of operating personnel
  • Emphasizing team work and coordination of activities
  • Use of plant full scope simulator in training for accidents within DBA
  • Analysis of transients and accidents occurred in similar plants
  • Limited theoretical and practical knowledge of the plant
  • Unqualified conduct of control room operations with limited or degraded knowledge
  • On the job training
  • Use of special equipment and mockups in training
  • Potential safety consequences of technical or procedural errors
  • Covering records of reliability and faults of plant systems during maintenance
  • Analyzing spurious initiation of events and activation of plant systems during maintenance
  • Specialized maintenance staff training insufficient
  • Failures of plant systems initiated or resulting from unqualified maintenance
  • All FSFs affected: controlling reactivity, cooling fuel, confining rad. mat.

slide-27
SLIDE 27

Example: Objective tree for Level 4: HOF SAFETY PRINCIPLE Training and procedures for accident management

Safety functions Challenges Mechanisms Provisions

  • Review of emergency organization and qualification of personnel
  • Development of a list of required qualifications
  • Sufficient human resources for accident management
  • Definition of lines of responsibility and authority for all personnel
  • Establishment of a specialist team to advise operators in emergency
  • Call-on system for personnel
  • Personnel assignment not effective for BDBA
  • Lack of personnel for accident management
  • Specification of scenarios representative or contributing significantly to risk
  • Definition of plant states to be covered by EOPs and their symptoms
  • Proposal and verification of recovery actions for BDBA
  • Availability of information to detect level and trend of severity
  • Verification of performance of required equipment under BDBA conditions
  • Definition of conditions for operator involvement incl. exit from EOP
  • Verification and validation of EOPs for selected BDBA
  • Availability of EOPs in all operating locations
  • Emergency operating procedures not developed adequately for BDBA
  • Procedures for all strategies and check their effectiveness
  • User friendly format of SAMG
  • Completeness of guidelines vs strategies for accident managem.
  • Availability of information needed to detect level/trend of severity
  • Verification of performance and access of equipment required for each strategy
  • Definition of expected positive and negative effects for each strategy incl. uncertainties
  • Definition of entry and exit conditions for each strategy and further steps
  • Verification and to the extent possible validation of SAGs
  • Availability of SAGs in all operating locations
  • Severe accident guidelines inadequate
  • Inadequate response of AM personnel due to lack of AM procedures
  • Definition of training needs for different personnel
  • Inclusion of simulators to reasonable extent to training programme
  • Covering details of phenomenology of severe accidents into programme
  • Familiarization of staff with results of severe accident analysis for the NPP
  • Inclusion of relevant plant walk-through into training programme
  • Making available AMP development material for training
  • Availability of software tools for validation and training
  • Consistency of procedures and guidelines with simulation
  • Making training programme available to regulator
  • Training programme for AM inadequate
  • Arrangement for regular retraining and testing of personnel
  • Involvement of emergency staff into functional tests of equipment
  • Inclusion of relevant operating events into training
  • Inclusion of other site and external personnel into training
  • Performance of training for AM inadequate
  • Inadequate response of AM personnel due to lack of AM training
  • All FSFs affected: controlling reactivity, cooling fuel, confining rad. mat.

slide-28
SLIDE 28

Example: Objective tree for Levels 1-4: HOF SAFETY PRINCIPLE Engineering and technical support of operations

Safety functions Challenges Mechanisms Provisions

  • Education and training for the country (links with universities, etc)
  • Contact to foreign partners or international organizations
  • Establishment of links with the plant suppliers
  • Support of relevant research programmes
  • Overall lack of expertise in the country
  • Definition of necessary expertise needed to ensure plant safety throughout lifetime
  • Internal group for support of operation, independent assessment and control of external support
  • Strategy for assistance in evaluation of events plant modifications, repair, tests and analytical support
  • Links and clear interfaces with external technical support organizations
  • Inclusion of results of research programmes into technical support
  • Insufficient coordination of technical support for NPP
  • Use of more efficient expertise of plant personnel
  • Sharing resources with other organizations having similar needs
  • Use of resources from international sponsorships programmes
  • Availability of sufficient resources to contract external organizations
  • Lack of resources for comprehensive engineering and technical support
  • Evaluation of expertise available and support development of lacking expertise
  • Involvement of several engineering and technical support organizations
  • Adequate quality assurance programmes in technical support organizations
  • Support competitive working conditions in technical support organizations compared to other industries
  • Support of relevant research programmes
  • Links with foreign technical support organizations
  • Insufficient expertise in technical support organizations
  • Engineering and technical support inadequate to maintain required capability of disciplines important to safety
  • All FSFs affected: controlling reactivity, cooling fuel, confining rad. mat.

slide-29
SLIDE 29

Ways for strengthening HOF in nuclear safety (IAEA IEM on HOF, 21-24 May 2013)

Enhancing effectiveness of the regulatory body

  • Organizational changes, including recognition of the need for the independence of the regulatory body
  • The development of additional regulatory requirements, expectations and guidance on human and organizational factors
  • The regulatory body providing licensees the authority at the preparedness stage to perform activities in emergency situations that may be outside the existing operating procedures and regulatory requirements but that are necessary in order to mitigate consequences
  • The regulatory body and the licensee holding joint dialogues about safety culture
  • The development of an integrated approach to safety by the regulatory body to enable dialogue on topics beyond compliance and regulation
  • Enhanced efforts by the regulatory body to go out in the field and engage the licensee in conversations at the working level about safety practices and policies
  • Efforts supporting safety culture self-assessment by the regulatory body and the sharing of that information with licensees

slide-30
SLIDE 30

Ways for strengthening HOF in nuclear safety (IAEA IEM on HOF, 21-24 May 2013)

Internal enhancement of safety performance of the operating organization

  • Implementation of more practical ways for managers to strengthen safety culture supporting prioritization of nuclear safety (in particular, if a NPP is part of non-nuclear utility)
  • Strengthening leadership and management for safety, mainly for top-level managers
  • Identifying ways to ensure that safety is a top priority
  • Objectively assessing efforts to strengthen safety and informing staff about safety initiatives
  • Proactively introducing resources to ensure safety
  • Questioning whether safety culture is a high enough priority
  • Recognizing the efforts of personnel to protect and ensure the safety of the public, the workers and the plant
  • Improvements with regard to decision making and consideration of the use of tools to support decision making in emergency response
  • Identification of additional training, including understanding resilience, for operating personnel

slide-31
SLIDE 31

Ways for strengthening HOF in nuclear safety (IAEA IEM on HOF, 21-24 May 2013)

Adequate consideration of external factors

  • Implementation of a systemic approach to safety, taking into account interaction between individual, technical and organizational factors
  • Strengthening mutual interactions and cooperation among all stakeholders (operators, vendors, regulators, contractors, TSOs, corporate organizations, international organizations)
  • Strengthening interdisciplinary expertise by involvement of social and behavioural sciences
  • Continuously improving maintenance management to ensure safety and establishing closer cooperation with manufacturers and contractors
  • Establishing and maintaining the trust of local communities
  • Use of new communication interfaces and arrangements with all stakeholder organizations
  • Consideration of human and organizational factors in the planning, conduct and evaluation of emergency drills and exercises

slide-32
SLIDE 32

Examples of post-Fukushima enhancements of objective trees

slide-33
SLIDE 33

Example: Objective tree for Level 1-4: HOF SAFETY PRINCIPLE Organization, responsibility and staffing – External factors

slide-34
SLIDE 34

Example: Objective tree for Level 1-4: HOF SAFETY PRINCIPLE Organization, responsibility and staffing

Lack of safety culture

slide-35
SLIDE 35

Reinforcing Defence in Depth – A Practical Systemic Approach

IAEA IEM on HOF (21-24 May 2013) - importance of adopting a systemic approach to safety that considers the interaction between individual, technical and organizational factors.

investigate the non-linear interactions between the hard and ‘soft’ logic trees, and to look beyond traditional organizational boundaries

WHY? ‘Complicated’ systems – the relationship between cause and effect requires analysis or some other form of investigation and/or the application of expert knowledge (sense-analyse-respond)

expert and rational leaders, top-down planning, smooth implementation of policies, and a clock-like organization can ensure flawless operation

‘Complex’ systems – the relationship between cause and effect can only be fully perceived in retrospect (probe-sense-respond)

filled with hundreds of moving parts, potentially thousands of actors with varied expertise and independence, and no central point that orchestrates all these different parts within an ever-changing context

slide-36
SLIDE 36

Complex Systems

  • Reality: Behaviour is contextualized: continuously adapt in and evolve with a changing environment; conflict and unplanned changes occur all the time, perceptions and projections have impact
  • Result: Very high degrees of uncertainty that represent a different risk-management challenge than in technical systems; emergent, fractal property; normal tools for predictability are insufficient
  • Requirement: Use a screening process that looks at how the entire ‘complex’ system is adapting to changes, dealing with conflicts, and learning as a whole (next slide)

  • Maintain and strengthen ‘virtuous’ cycles to support the ultimate goal of safety conscious decisions and actions
  • Intervene in ‘vicious’ cycles that undermine the information flows, cooperation, and conservative decision-making

slide-37
SLIDE 37

Systemic Perspective

A systemic perspective enhances application of the defence in depth concept by screening interactions multi-directionally, and across many organizational boundaries

slide-38
SLIDE 38

Example: DiD Resilience - Changing HOF Reality

Novel practice Emergent practice Good practice Best practice

slide-39
SLIDE 39

IAEA Systemic Training Workshop

Purpose
  • deepen understanding of human and organizational factors
  • demonstrate application of the systemic mapping methodology to real life scenarios
  • provide opportunity for participants to explore safety challenges in their own organizations with multi-disciplinary team of facilitators

Target Audience
  • middle managers in operating, regulatory and technical support organizations, including non-technical leaders such as performance improvement, training, and leadership or organization development managers

Timing
  • March 29 – April 1, 2016

slide-40
SLIDE 40

Conclusions

  • Defence in depth is an essential strategy to ensure nuclear safety for both existing and new NPPs
  • The use of objective trees for screening the comprehensiveness of defence in depth provides a powerful tool for understanding links between technological and organizational provisions for ensuring safety of NPPs
  • Defence in depth should not be oversimplified by reducing it to the capacity of barriers to protect against releases of radioactive substances.
  • The large uncertainties associated with predicting human behaviour, alongside their sensitivity to organizational factors and societal influences, require special attention to be given to ‘soft’ logic trees within the defence in depth framework and screening process.

slide-41
SLIDE 41

Conclusions

  • Defence in depth can be further strengthened by understanding nuclear power programmes as ‘complex’ systems, and by taking into account all the components of the system, from operators, through middle level managers, NPP managers, up to corporate, governmental and even international levels when assessing risk.
  • Cross-correlation and mutual interdependence between all components of this complex system’s defence in depth need to be given considerable attention in the future.
  • The use of system mapping for exploring the non-linear interactions between individual, technical and organizational factors can enhance defence in depth by providing a method for screening the multiplicity of dynamics within and between organizations that drive the overall culture for safety within a national nuclear programme.