
3. REVIEW OF LEVEL 1 PSAs FOR FULL POWER OPERATION

3.6. Human reliability assessment

3.6.3. Assessment

The reviewers need to check that the specific methods and/or techniques used for the HRA are suitable and that they have been correctly applied.

The plant specific and event sequence boundary conditions warrant careful consideration; for example, the adequate integration and/or feasibility of the human actions from a systems point of view within every single event sequence has to be examined and traceably documented. This refers to issues such as:

(a) Description of human actions;

(b) Precise indication of relevant part/subpart/paragraph of operational documentation, if they exist;

(c) Modelling in system functions and event sequences (together with a description of previous failures);

(d) Necessity/feasibility/entry and/or transfer criteria of considered human actions referring to the modelled position in the PSA (boundary conditions, assumptions and prerequisites).

With reference to the specific HRA method and/or technique selected, all the information and data needed for the assessment of the event sequences which depend on human performance have to be considered. Finally, it is necessary to pay attention to a coherent HRA and PSA modelling in the framework of a static assessment. This means, for example, that the interconnections between human actions have to be examined along an event path (sequence).

Thus a detailed HRA should be performed for all the human actions that appear in important cut sets using the initial screening values. It is also important to ensure that combinations of human actions are not truncated out of the screening quantification because human action dependences have usually not been considered at this point.

Often in screening, the dependence between human interactions is set to 1.0 to ensure that the related human action dependence is not eliminated in the process.

The reviewers need to check that the screening values used initially to help focus the analysis effort represent an upper bound for the human error probability.
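The effect of truncation on combinations of human actions can be shown with a small screening quantification. This is an added example, not taken from the guide: the event names, probabilities and truncation cutoff are constructed, and modelling "dependence set to 1.0" as a conditional probability of 1.0 for every human action after the first in a cut set is an assumption about how that rule is applied.

```python
# Constructed sample data: names, probabilities and the cutoff are
# illustrative assumptions, not values from the guide.
SCREENING_HEP = {"HE-ALIGN": 0.1, "HE-DEPRESS": 0.1, "HE-REFILL": 0.05}
HARDWARE = {"IE-LOCA": 1e-3, "PUMP-A": 2e-2, "VALVE-B": 5e-3, "DG-1": 2e-2}
CUT_SETS = [
    ("IE-LOCA", "PUMP-A", "HE-ALIGN"),
    ("IE-LOCA", "HE-ALIGN", "HE-DEPRESS", "HE-REFILL"),
    ("IE-LOCA", "VALVE-B", "DG-1", "HE-DEPRESS"),
]
TRUNCATION = 1e-6


def cut_set_value(cut_set, dependence_one):
    """Screening value of one cut set.

    With dependence_one=True only the first human action keeps its screening
    HEP; each later human action in the same cut set is given a conditional
    probability of 1.0 (assumed reading of "dependence set to 1.0").
    """
    value, seen_human = 1.0, False
    for event in cut_set:
        if event in SCREENING_HEP:
            value *= 1.0 if (dependence_one and seen_human) else SCREENING_HEP[event]
            seen_human = True
        else:
            value *= HARDWARE[event]
    return value


def surviving(dependence_one):
    """Cut sets retained after truncation, mapped to their screening value."""
    return {cs: v for cs in CUT_SETS
            if (v := cut_set_value(cs, dependence_one)) >= TRUNCATION}


def actions_needing_detailed_hra(dependence_one):
    """Human actions that appear in at least one retained cut set."""
    return sorted({e for cs in surviving(dependence_one)
                   for e in cs if e in SCREENING_HEP})


if __name__ == "__main__":
    for mode in (False, True):
        print("dependence=1.0" if mode else "independent  ",
              actions_needing_detailed_hra(mode))
```

Treated as independent, the three-action cut set falls below the cutoff and two of its actions never reach detailed HRA; with the dependence set to 1.0 it is retained and all three are flagged.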

To assess pre-accident (Type A) human actions, the following should be clearly identified and documented in the PSA:

(1) The components with which the operator or other personnel interact,

(2) The tasks and restoration actions that are specifically involved in each interaction,

(3) The relative locations of the different components when the operator interacts with multiple components,

(4) The components that have to be restored and for which alarms are activated in the control room if not restored,

(5) The type of post-test or post-maintenance validation process that is performed after a test or maintenance (such as operational test or plant staff observation).

It is important to check that all this information is given in the PSA. Evaluations of the probabilities of human error need to be reviewed to assess the data and quantification techniques used.

In order to assess post-accident (Type C) operator actions, it is important that the PSA clearly identify and document two sets of actions:

(i) Post-accident operator actions required for systems to operate successfully,

(ii) Post-accident operator recovery actions associated with specific accident minimal cut sets.

The first set of operator actions, those required for systems to operate successfully, includes manual operations of systems and components and manual initiations of systems and components as a backup to automatic initiations. All these operator actions should be identified clearly and documented in the PSA, including whether or not the actions can be taken from the control room, the procedures used, the control room indications used, the alarm and feedback indicators, the times required for the actions and the stress levels of the actions.

It is important to ascertain that all this information is available in the PSA and has been properly documented.

The reviewers need to check whether the methods and techniques selected are applicable and adequate for the assessment of human interactions modelled and considered in the PSA. This has to be assessed in particular for operator actions for which no (or no written) procedures are available.

The specific operator performance modelling should be checked using appropriate techniques, for example, walk-through or talk-through procedures.

The reviewers then need to review the specific evaluations of human error probabilities to determine their consistency with the approach used.

Checks may be needed to determine whether the estimated probabilities are sensible with regard to the influences present and the assumptions made. The involvement of plant personnel needs to be sought in the assessment and modelling process.

It is important to identify any cases where several operator actions are combined together in the same sequence and to ensure that any dependences between the actions have been accounted for.

If expert judgement methods, such as the direct estimation approach, are used, the reviewers should examine the process carefully to find out how it was carried out.

The review should cover the detailed description of human interactions, the situational influences with regard to the event sequences or scenario, the selection and number of experts, and the elicitation process itself.

The second set of operator actions, those required to recover specific minimal cut sets of accident sequences, includes those recovery actions that are linked to combinations of events (the minimal cut set events).

The reviewers need to check that the specific rules used for excluding and including recovery actions are identified and justified. The rules should cover the feasibility of the recovery actions. The modelling of human interactions has to be thoroughly documented. The PSA needs to identify clearly and document all the minimal cut sets that have recovery actions and the recovery action included. If more than one recovery action is applied to the same cut set, then verification is required that, if the probabilities of these actions are treated as independent, there are no dependences between them, or, if they are dependent, that the dependence is accounted for.

For the recovery actions that have been included, the reviewers need to check that the time to diagnose and correct the failures (this may mean that co-ordination is required between the main control room (MCR) staff and auxiliary operators), the location at which the recovery can be performed (the MCR or locally), the environment at the location, the access to the location and the stress level are all identified, justified and documented.

For the incorporation of the human interaction events into the systemic analyses, Type A actions are usually located in the fault trees and these need to be inspected for double counting or omission of common cause influences. Type C actions are usually located in the event trees or at a top level in the fault trees.

The reviewers should check the coherence of the modelling of the HRA and the systemic analyses in the overall PSA model, i.e. the incorporation of the results of HRA into the PSA has to be assessed.