HRA-SARENA-2021

Human Reliability Analysis
Reliability and Risk Analysis
César Queral
Master in Nuclear Science and Technology

Joint Master in Safe and Reliable Nuclear Applications (SARENA)
April 2021
Index
1 Introduction. Human Reliability
2 Main Control Room Personnel
3 Human Errors. Types of human errors
4 Systematic Human Reliability Analysis Process (SHARP)
5 HRA Quantification Methodologies. THERP and TRC-SAIC Methodologies
6 Dependency
7 Conclusion
8 Appendix A: Other HRA methodologies
9 Appendix B: HRA applied to Level 2 PSA
César Queral Human Reliability Analysis Reliability and Risk Analysis 1 / 92

1. Introduction. Human Reliability
Index
6 Dependency
7 Conclusion

Human Reliability Analysis (HRA)
• Human Reliability Analysis (HRA): Procedure(s) for a systematic analysis of

actions that perform or may be needed to be performed by NPP personnel for
accident mitigation
• HRA Objective: Quantitative analysis of human action incidence in the risk
of plant operation when dealing with core damage events
• HRA includes: Identification, description, modeling, quantify and analyze the
importance of credible human errors (not including malevolent actions) that
have an influence in accident evolution

Human Reliability Analysis (HRA)
• Human reliability analysis is an integral element in several PSA aspects:

Event Tree headers quantification, System unavailability, IE frequency
quantification etc.
• HRA includes large uncertainties which are necessary to analize.

2. Main Control Room Personnel
Index
6 Dependency
7 Conclusion

Main Control Room
The Main Control Room is the onsite location from which the nuclear power plant
is operated.
It contains the instrumentation, controls, and displays for:
• Nuclear systems,
• Reactor coolant systems,
• Steam systems,
• Electrical systems,
• Safety systems (including engineered safety features), and
• Accident monitoring systems.

Main Control Room

Main Control Room Crew. Types of reactor operators license
There are two types of reactor operators license:

• Reactor Operator (RO) License (Spain: licencia de operador ) and
• Senior Reactor Operator (SRO) License (Spain: licencia de supervisor )
The regulation related with RO and SRO licenses depends on the country,
• USA: 10CFR55 (https://www.nrc.gov/reading-rm/doc-
collections/cfr/part055/full-text.html). See also NUREG-0696 and
NUREG-0654/FEMA-REP-1 (Rev. 2).
• Spain: Instruction IS-11, revision 1, of 30th January 2019, of the Nuclear
Safety Council on nuclear power plant operating personnel licenses.

Shift Personnel. Main Control Room Crew
Each shift of the Main Control Room (MCR) is composed by (it depends on the
country and/or NPP, see IAEA-TECDOC-1502):
• The Shift Manager (SM) or Senior Shift Supervisor (Spain: Jefe de turno),
who is licensed as a SRO. The SM may have management authority of more
than one reactor plants at the same plant complex and their presence is not
always required in the MCR. The SM functions depend on the country (e.g.
Spain: to manage emergencies with the CSN, organize evacuations, etc).
• The Shift Supervisor (SS) or Control Room Supervisor (CRS), (Spain: Jefe
de sala o supervisor de sala o ayudante del jefe de turno), who is licensed as
a SRO and is present in the MCR during the entire shift. The CRS is
responsible for reading the Emergency Operating Procedures (EOPs).
• Reactor operator (RO), who is licensed as RO. The RO has a responsibility
for operations related to the primary side (i.e. nuclear island).
• Balance of Plant (BOP) Operator or Turbine Operator (TO), who is licensed
as RO. The TO has a responsibility for operations related to the secondary or
the BOP.
Main Control Room Crew Responsibilities and Regulation
The responsibilities of the MCR crew include actions taken to:

• Diagnose the abnormal conditions;
• Perform corrective actions;
• Mitigate the abnormal conditions;
• Manage plant operations;
• Manage emergency response;
• Inform Federal, State, and local officials;
• Recommend public protective measures to State and local officials;
• Restore the plant to a safe condition; and
• Recover from the abnormal conditions.

Shift Personnel and other personnel
• There are also other possible members of the shift personnel in the MCR
depending on the country and technology:
• Shift Technical Advisor (STA) whose function is to provide engineering and
accident assessment advice to the CRS/SS and not to operate the plant like
the SROs and ROs. The STA function stems from the Three Mile Island
nuclear event in the USA in 1979. The STA could hold an SRO license but
this is not required. There is no STA in the Spanish MCRs.
• In some countries the shift personnel also includes mechanical and electrical
attendants (AT-M, AT-E). e.g. in Cofrentes NPP the MCR shift personnel
includes an AT-E.
• Multi-module control rooms for SMRs could require that a single RO manages
several SMRs.
• There are also a large number of unlicensed auxiliar operators (AO) and
maintenance personnel outside the MCR who generally depend on the
operators who are in charge of setting up and calibrating the equipment and
components of the plant systems.

Main Control Room Crew (USA)

Main Control Room Crew (Germany)

Main Control Room Crew: advanced reactors and SMRs

MCR Communication

3. Human Errors. Types of human errors
Index
6 Dependency
7 Conclusion

Influence of the human action
• Operator errors
• May occur before or after or be a cause of the initiating event
• Reduce the availability of safety systems
• Are the source of incidents leading to an initiator
• Do not avoid accident progression
• Worsen accident conditions
• Human Error is a Significant Contributor to Risk (From: D.I. Gertman & H.S.
Blackman, Human Reliability & Safety Analysis Data Handbook,
Wiley-Interscience, 1994):
• Accidents at Sea 90% Chemical Industry 80-90% Airline Industry 60-87%
Commercial Nuclear Industry 65%
• Human error has been shown to contribute from 50 to 70% of the risk at nuclear
power plants (From: T.A. Trager, Jr., Case Study Report on Loss of Safety System
Function Events, AEOC/C504, US-NRC, 1985).

Human error prevention at NPPs
• Education/Training
• Design considerations, ergonomic
• Supervision
• Procedures
• Self-verification and cross-verification techniques
• Human Factors Engineering
• Working Environment
• Tasks analysis
• Equipment needed

Types of human errors: Classification
There are several classifications (taxonomies) of human errors,

• Swain and Guttman Taxonomy (1983)
• Errors of omission: Fail to do something required
• Errors of commission: Do something you shouldn’t do
• Sequence errors: Do something in wrong order
• Timing errors: Do something too slowly or too quickly

Types of human errors: Classification
Type (personnel involved)

Type 1 (Category A): Prior to the initiating event occurrence (maintenance
personnel)
Type 2 (Category B): Inducing the initiating event (maintenance personnel
or MCR crew)
Type 3 (Category C-1): After the occurrence of the initiating event, while
following EOPs; Performance error: omission, does not end on time
or incorrectly performed actions (MCR crew)
Type 4 (Category C-2): After the occurrence of the initiating event, while
following EOPs; Misdiagnosis or wrong selection of a mitigation
strategy (MCR crew)
Type 5 (Category C-3): After the occurrence of the initiating event, not
foreseen in EOPs; Failure to perform (MCR crew)
There are more Type 1 human errors than Type 3 in the PSA models.

Human errors classification: Examples
Type 1 Incorrect realignments of components/equipment/systems after

maintenance/test/calibration; calibration errors
Type 2 Erroneous actuation of components; failure to avoid an initiator;
out-of-time actuation; mistakes in testing procedures
Type 3 Error to support automatic actions; error in manual actuation;
errors in process control
Type 4 Misdiagnosis; erroneous strategy selection
Type 5 Non-recovery of equipment; error in system/component actuation

Human errors classification: Pre-initiator events
Type 1 (Category A)
• Human errors occurring before initiating events
• Contribute to system or component unavailability
• Modeled as basic events in system Fault Trees
1 Instrumentation personnel error when performing the calibration of a vessel

level channel, hindering automatic initiation of the HPCS at Low Level (Level
3) at a BWR
2 Instrumentation personnel error when performing the calibration Low-Low SG
Level setpoint for AFWS startup
3 Faulty test for the A Safety Injection pump leaving a recirculation alignment
and the injection valve closed
4 Incorrect calibration of relays for the actuation of solenoids for PZR PORV,
so that they would not open on high pressure signal
5 Incorrect alignment of the injection flowpath after the periodic recirculation
test of AFWS MDP “A”, making the flowpath unavailable for injection
Human errors classification: Pre-initiator events

Human errors classification: Initiating events
Type 2 (Category B)
• Human errors that cause an initiating event
• Increase the probability of initiating events
• Modeled within the initiating event model
1 Operator failure to startup and alignment of the ESW stand-by train, leading
to high temperature at the RCS main pump bearings so that they have to be
tripped and has the consequence of a reactor SCRAM
2 Instrumentation personnel error when performing the calibration of the high
neutron flux reactor trip channel, producing a reactor trip
3 Maintenance personnel error while making the change from A to B service air
system that provokes a loss of service air causing the closure of MFW
isolation valves that in turn leads to a reactor trip on low-low SG level

Human errors classification: Initiating events

Human errors classification: Actions in response to an initiator
Type 3 (Category C-1)

• Procedure following errors (symptom-based)
• Modeled as Headers in Event Trees, Basic events in system Fault Trees, or
Basic Events in Functional Trees

• Errors for non symptom-based procedures that need diagnosis

• Error in performing recovery actions
• Non procedural actions, or in plant procedures not part of the EOPs
• Modelled in Event Trees or in Minimal Cut Set post-processing


1 Type 3 Operator error to perform Feed&Bleed, following FR-H.1

2 Type 3 Operator failure to complete transfer to recirculation mode because of
depletion of the Reactor Water Storage Tank, following the “unfold page” of
E-1 and procedure ES-1.3
3 Type 3 Reactor operator failure to start the Auxiliary Feedwater System
pumps after failure of the auto start signal, at E-0 step 17, for a PWR
4 Type 4 Operator mistake while reading Control Room instruments, leading to
an incorrect diagnose of a Small-Break LOCA instead of an Open Pressurizer
Valve
5 Type 5 Recovery, non proceduralized action to open Auxiliary Feedwater test
valves left closed after a maintenance
6 Type 5 Operator failure to manually open motor operated valves that
remained closed on open signal failure. Non proceduralized action




4. Systematic Human Reliability Analysis Process (SHARP)
Index
6 Dependency
7 Conclusion

SHARP Methodology
• SHARP: Systematic Human Action Reliability Procedure

• It is a general framework for HRA analysis
• It was developed by EPRI (Electric Power Research Institute), EPRI NP-3583
(1984).
• Later, it was updated to SHARP-1, EPRI RP-3206 (1990).
• There are other systematic HRA proccess like IDEAS, ATHEANA, SPAR-H

Main steps in SHARP methodology
• It does not include the dependency analysis between several human errors.
• In the screening step the HA is classified (available time, stress,
procedures...) and then a first quantification is performed.
• The detailed analysis is performed only if the human error has impact in the
CDF equation.

5. HRA Quantification Methodologies. THERP and TRC-SAIC Methodologies
Index
6 Dependency
7 Conclusion

Human action: Cognitive and manual decomposition
• Two types of human action processes are analyzed and quantified

• Decision processes (cognitive part)
• Actuation processes (manual part)
• Some actions are only quantified for the manual part: calibration (Type 1),
control actions
• HEP = Pc + ( 1 - Pc )Pm . Where Pm and Pc are median values.

HRA Quantification Methodologies
Some of the most ussual HRA quantification methodologies are,

• Screening. There are several options like NSAC/60, EPRI-3583,
NUREG/CR-4772 and NUREG-1278.
• Technique for Human Error Rate Prediction (THERP). Manual Part (+
cognitive part). It is applied in Spain (all NPPs) for manual part.
• Human Cognitive Reliability (HCR). Cognitive part (applied in Almaraz and
Trillo NPPs).
• HCR/Operator Reliability Experiments (HCR/ORE). Cognitive part (CSN
has proposed to apply this methodology instead of HCR).
• Time reliability Correlation-SAIC (TRC-SAIC). Cognitive part (applied in
Asco, Cofrentes and Vandellos-II NPPs).
• Cause Based Decision Tree (CBDT). Cognitive part.
• Standardized Plant Analysis Risk human reliability analysis (SPAR-H).
Manual Part + cognitive part. It is applied in SPAR models and L2-PSA.
• EPRI HRA Calculator (It is not a methodology, includes several ones). It is
applied in USA and also in Spain (only for dependence analysis).
• MERMOS (France). Experimental database plus operating experience.
HRA Quantification Methodologies

HRA: Time definitions (NUREG-1921, Human actions Type 3)

HRA: Time definitions (NUREG-1921, Human actions Type 3)
• T0 : start time, start of the event

• Tdelay : time delay. time interval it takes for an operator to recornize the cue
(SRO arrives to the corresponding EOP step or an alarm is produced)
• Tsw : system time window (last moment in which the action is effective).
• Tavail : available time for the human action = Tsw - Tdelay
• Tcog : cognition time consisting of detection, diagnosis, and decision making
• Texe : execution time including travel, collection of tools, donning of
personal protection equipment and manipulation of relevant equipment
• Treqd : time required, response time to accomplish the action. Treqd = Tcog
+ Texe
• Treqd and/or Texe are obtained from crew training or from questionnaires to
operators.
• Tmargin = Tavail − Texe . Ussually, Tmargin ≈ Tavail − Treqd .

SHARP. Screening
Screening values
Cognitive part
Tavail Skill Rules Knowledge
Very short 0.1 0.5 1
(< 5min)
Short 10−3 3 · 10−2 0.3
(> 5min y < 1h)
Long 3 · 10−4 3 · 10−3 0.01
Manual part
3 · 10−3 3 · 10−2 0.3
• The values used in different NPPs could be different because there are
several sources/references.
• There is no specific threshold value for detailed analysis to be mandatory.

Technique for Human Error Rate Prediction (THERP). Manual Part.
• It was developed by Alan Swain (SNL) for the US NRC at the beginning of
the 80s.
• Human action broken down in tasks (NUREG/CR-1278)
• Standard values for the probability of error in each task
• Examples:
• Location of an indicator at the control room panels
• Reading of the indicator
• Location of the handle/actuator
• Operation of the handle
• Control of a process (flow control)
• Elementary tasks where quantification exists
• Sequential breakdown tree, mimicking the procedure
• Possibility of recovery:
• CRS: while reading and following procedures
• SM: while performing communication tasks
• Stress correction factor(s)




THERP. Example: Feed and Bleed.

THERP. Example: Feed and Bleed.
Feed and bleed. Critical Tasks: steps 9-16 of FR-H.1. Labeled as tasks A-F
A Step 9: Loss of heat sink criterion (Low Steam Generator Level or Pressurizer
pressure)
B Step 10: Safety Injection actuation
C/D Step 11: Verification of the feed path
E Step 15: Opening of two PORVs
F Step 16: Verification of the bleed path
Breakdown into tasks
A Error of commission reading wide range SG level instruments, HEP= 6 · 10−3
B Error of commission locating the handles, HEP= 1 · 10−3
C Error of commission locating the flow meter, HEP= 1 · 10−3
D Error of commission reading the flow meter, HEP= 2 · 10−3
E Error of commission in the selection of the valves, HEP= 1 · 10−3
F Error of commission opening valves indicator lights, HEP= 1 · 10−3
THERP. Example: Feed and Bleed. Quantification
• Sub-task analysis
1 Basic HEP estimation
2 Shift recovery actions (0.05; 0.15)
3 Stress level assignment (2)
4 Error factor assignment (10)
Tables from NUREG/CR-1278
F1 = 6.E-3×0.05×2
F2 = 1.E-3×1.E-3×0.15×2
F3 = 1.E-3×2.E-3×0.15×2
F4 = 1.E-3×1.E-3×0.15×2
P4
Pm = i=1 Fi = 6.02 · 10−4

Technique for Human Error Rate Prediction (THERP). Cognitive Part.
There is also a model for Cognitive Part in THERP methodology, but is not
applied in Spain.

Time reliability Correlation-SAIC (TRC-SAIC). Cognitive Part.
The Time Reliability Correlation (TRC-SAIC) bases are:

• Two different behavior types considered:
• Skill-based
• Do not require extensive thinking
• Response to known events/situations
• Knowledge-based (Hesitancy )
• Require analysis
• Response to unknown, new events
• Whether or not procedures exist is taken into account
• Two pairs of curves are needed (with/without procedures; with/without
hesitation)
References
• E. M. Dougherty; J. R. Fragola Human Reliability Analysis, John Wiley &
Sons, 1988.
• M. Dougherty (Ed.); Joseph R. Fragola & Erin P. Collins Human Reliability
Analysis, Science Applications International Corporation (SAIC)
SAIC/NY-86-1-OR, April, 1986
The Human Error Probability (cognitive part) is:

PC = 1 − Φ(LN(Tmargin ); µ; σ)
Where:
• Φ is the normal cumulative distribution.
• Tmargin = Tavail − Texe . Ussually, Tmargin ≈ Tavail − Treqd .
• µ = LN (kC · 4 · 21−2·SLI ) is the mean diagnosis time.
√ 2 +[LN (1,68)]2 )
• σ = ([LN (fR )]1,645 is the distribution variance.

• kc = 1 No procedures (general diagnosis & recovery)
0.5 Procedures (ruled based)

• fR = 3.2 No hesitation
6.4 Hesitation (e.g. the crew recieves many signals)

TRC-SAIC: Time definitions

• e.g. TRC-SAIC values with SLI=0.5

Success Likelihood Index (SLI) is a factor affecting operator response time: in the
best case (SLI=1) response time is halved (2 minutes); for the worst case (SLI=0)
it is doubled (8 minutes).
• Assigns importance (Ii ) and quality (Qi ) to the following Performance
Shaping Factors:
• Procedures
• Training/Experience
• Man/Machine Interface
• Relationship/Size of the Operating Crew
• Communication
• Workload
• Stress
• SLI is obtained as the sum over all PSFs of the products of relative
importance (Ii ) times quality (Qi )
P
1 i Ii · Qi
SLI = P
100 j Ij

SLI Calculation. e.g. PSF for Procedures
Importance (actuation) Quality (Procedure)

• 0-20 Direct, memorized • 0-20 Ambiguous, unclear
• 20-40 Simple, deductible • 20-40 One-path, no check-off
• 40-60 Complex, deductible • 40-60 Several paths, with check-off
• 60-80 Complex, sequential • 60-80 Symptom-based
• 80-100 Impossible to memorize • 80-100 Computer aided

SLI Calculation. e.g. PSF for Training/Experience
Importance (actuation) Quality

• 0-20 Usual, long time • 0-20 No training or experience
• 20-40 Usual, simple • 20-40 Informally explained
• 40-60 Usual, short time • 40-60 Within the training program
• 60-80 Unusual • 60-80 Training at the simulator
• 80-100 Unusual, short time • 80-100 Actual experience in normal
conditions

TRC-SAIC. Example: Feed and Bleed.

TRC-SAIC. Example: Feed and Bleed. Quantification
• Available time (Tavail = 31 min); Required time (Treqd = 3 min)

• Time Reliability Correlation
• Performance Shaping Factors, PSF
Importance Quality
Procedures 60 70
Training/Experience 90 80
Man/Machine Interface 50 30
Relationships/size shift 60 80
Communications 60 60
Workload 60 60
Stress 90 10
• Hesitancy is considered; SLI = 0, 55
Pc = 7.45 · 10−3

Final HEP Quantification. Example: Feed and Bleed.
Pm = 6.02 · 10−4 (Manual part: THERP)
Pc = 7.45 · 10−3 (Cognitive part: TRC-SAIC)
HEP = Pc + (1 − Pc )Pm = 8.05 · 10−3
Now, we need to analize Dependency ⇒

6. Dependency
Index
6 Dependency
7 Conclusion

6. Dependency
Dependency
• Several human actions may have to be performed for successful mitigation of

an initiator
• Actions may need to be performed by Control Room personnel
• Simultaneously or within a short time
• Using the same instrumentation or controls
• As part of the same sequence of tasks
• Sequentially and coordinated
• In this cases, failure of human actions may not be independent
• Failures coupled through a “state of mind” of the operator(s)

6. Dependency
Dependency: Process
• Failure probability has to be modified to account for dependency

• Such coupling can be discovered through analysis of the sequence of actions
or in Minimal Cut Sets.
• Beware of truncation: standard procedure is to set Human Reliability events
to a probability / 1 and requantify
• Thus, MCS containing human errors will show up
• The combinations of human actions have to be analyzed to set new
probability values for the dependent action failure conditional on the failure
of the preceding action
• Through MCS post-process, modify human action error probability

6. Dependency
Dependency level

6. Dependency
Dependency probability values
• Set as a function of the preceding task probability (NUREG/CR-1278)

• Considers error bounds
Cond. Prob. of Dep. Action
BHEP
LD MD HD CD
<0.01 0.05 0.15 0.5 1
0.05 0.1 0.19 0.53 1
0.1 0.15 0.23 0.55 1
0.15 0.19 0.27 0.58 1
0.2 0.24 0.31 0.6 1
0.25 0.29 0.36 0.63 1

7. Conclusion
Index
6 Dependency
7 Conclusion

7. Conclusion
Conclusion. Decision Making: Factors that affect human performance
• Modelled in PRAs
• Operating crew structure
• Tasks distribution
• Training and experience
• Workload and stress level
• Quality of man-machine interface (tools, control room design)
• Quality of procedures
• Operation aids (alarms, parameter display systems, communication systems
etc.)

7. Conclusion
Conclusion: Results
• Classification of important actions in a Nuclear Power Pant

• Detailed, systematic analysis of human actions: breakdown in tasks
• Factors having an influence on human behavior
• Model for actuation (Rule-based/Knowledge/Skill)
• Stress
• Quality of procedures
• Training and experience
• Possibility of recovery
• Available time
• Quantification of human error probabilities

7. Conclusion
Conclusion: Results

8. Appendix A: Other HRA methodologies
Index
6 Dependency
7 Conclusion

Human Cognitive Reliability (HCR). Cognitive Part.
Human Cognitive Reliability (HCR) uses a 3 parameter Weibull distribution.

∗ b !
Tavail /Treqd −a

Pc = exp −
c
∗
Q3
• Where Treqd = Treqd j=1 (1 + kj ). Modified required time using 3 PSFs
((1 + kj ), 300% upwards and 40% downwards). These PSFs are related to
stress, experience and human/machine interface.
• (a, b, c) are behaviour-type-specific coefficients. There are values for skill,
rule and knowledge based behaviour:
• Skill-based: (0.7, 1.2, 0.407)
• Rule-based: (0.6, 0.9, 0.601)
• Knowledge-based: (0.5, 0.8, 0.791)

• It cannot be applied for TDA < TR∗

PSFs Coefficients ki

HCR/Operator Reliability Experiments (HCR/ORE). Cognitive Part.
• (HCR)/Operator Reliability Experiments (ORE), results from the ORE

program resulted in a revision of the HCR method.
• The application of the previous HCR method is no longer recommended by
EPRI.
• HCR/ORE, is used for the cognitive part (Pc):
• It was primarily developed to quantify post-initiator human actions (e.g.,
actions performed by operating crew associated with emergency and abnormal
operating procedures) in a NPP PSA. The method uses a
simulator measurement based TRC to estimate the non-response probabilities
for human actions.
• In this approach, the non-response probability for a given event obtained from
the TRC (which focuses on diagnosis and timely initiation of the correct
response) is added to the probability of failure to execute the response to
obtain the overall HEP.


ln(Tavail /Texe )
Pc (t) = 1 − Φ
σ
• Φ, standard normal cumulative distribution.
• σ, Logarithmic standar deviation. σ values are based on cue-response
structure. 3 cues groups exist, and they do differ beetween PWRs and BWRs.

• The HCR/ORE recommended approach is to collect plant-specific

simulator data for events and scenarios being analyzed and estimate the
parameters directly.
• However, if this cannot be done, it is recommended that the expert
judgment of operators be used to obtain estimates of Texe and the
range of likely response times.
• As a third alternative, the data collected from similar events and scenarios
simulated in the ORE experiments can be generalized to the plant-specific
analysis.
• The method only address the probability of not responding within a certain
time period, based on data from simulator runs or analyst estimates with
operator input and, therefore, an underlying assumption of the way the
method gets applied is essentially that diagnosis will not fail given enough
time.

CBDT
Cause Based Decision Tree (CBDT) is a quantification technique for estimating

Pc .
• General causal model of human behavior involving decomposition into causes
and human failure mechanisms in the form of decision trees.
• Identifies a set of mechanisms and/or situational characteristics that could
lead to error or nonresponse.
• Guided by analysis of errors occurring in ORE experiments and elsewhere.
• HEPs included in the method’s decision trees are based on adaptation of
data from THERP
• Uses a decision tree approach whereby analysts answer questions related to a
set of influencing factors, and resulting HEPs are provided.
• The HEPs obtained from the eight decision trees are allowed credit for
self-recovery by crew members if time permits it. The resulting HEPs are
then summed together, along with an HEP for failure to execute the
response, to obtain the final HEP.

SPAR-H
The Standardized Plant Analysis Risk (SPAR) Human Reliability Analysis (HRA)
method is a simplified HRA approach intended to be used in conjunction with the
development of SPAR PSA models.
• Decomposes probability into contributions from diagnosis failures (cognitive)
and action failures (execution, manual).
• Accounts for the context associated with human failure events (HFEs) by
using PSFs, and dependency assignment to adjust a base-case HEP.
• Uses pre-defined base-case HEPs and PSFs, together with guidance on how
to assign the appropriate value of the PSF.
• Employs a beta distribution for uncertainty analysis, which can mimic normal
and log-normal distributions, but it has the advantage that probabilities
calculated with this approach range from 0 to 1.
• Uses designated worksheets to ensure analyst consistency.

SPAR-H Bases
• Currently, SPAR-H employs worksheets for full power or LP/SD situations.

• Nominal error rates for the diagnosis/ action parts are provided.
• These nominal values are multiplied for 8 differents PSFs.
• PSFs can increase or decrease the error rate.
• Corrections are applied when 3 PSF are greater than 1.
• Dependencies are taken into account with tables (consistently).

SPAR-H Performance Shaping Factors (PSFs)(1/2)
The SPAR-H PSFs are:

1 Available time
2 Stress/Stressors
3 Complexity
4 Experience/Training
5 Procedures
6 Ergonomic/HMI
7 Fitness for duty
8 Work processes

SPAR-H Performance Shaping Factors (PSFs)(2/2)
1 Available time. Amount of time that the operator has to diagnose or act
2 Stress/Stressors. Level of undesirable conditions and circunstances that
prevent the operator from easily completing a task
3 Complexity. How difficult the task is to perform in the given context.
Includes the enviroment
4 Experience/Training. Experience and training of the operator(s)
5 Procedures. Existence and use of formal operation procedures for the task
under consideration
6 Ergonomic/HDI. Equipment, displays and controls, layout, quality of
information available from instrumentation and the interaction of the
operator(s) with the equipment.
7 Fitness for duty. Whether or not the individual is physhically and mentally
fit to perform the task
8 Work Processes. Inter-organizational, safety culture, work planning,
communication and management support and policies
SPAR-H Flow Diagram for Completing Worksheets
Figure: SPAR-H Flow Diagram

SPAR-H Worksheets Overview: Cog., Action, Depend.
Plant: Initiating Event: Basic Event : ____________ Event Coder:___________

HRA Worksheets for At-Power Plant: Initiating Event: Basic Event : ____________ Event Coder:___________ Plant: Initiating Event: Basic Event : ____________ Event Coder:___________
SPAR HUMAN ERROR WORKSHEET Basic Event Context:
Basic Event Context: Basic Event Context:
Basic Event Description:
Plant: Initiating Event: Basic Event : ____________ Event Coder:___________ Basic Event Description:
Basic Event Context: Part II. EVALUATE EACH PSF FOR ACTION
B. Calculate the Diagnosis Failure Probability. B. Calculate the Action Failure Probability.
Basic Event Description: A. Evaluate PSFs for the Action Portion of the Task, If Any.
(1) If all PSF ratings are nominal, then the Diagnosis Failure Probability = 1.0E-2 PSFs PSF Levels Multiplier for Please note specific reasons for (1) If all PSF ratings are nominal, then the Action Failure Probability = 1.0E-3
Does this task contain a significant amount of diagnosis activity? YES (start with Part I–Diagnosis) NO (skip Action PSF level selection in this
Part I – Diagnosis; start with Part II – Action) Why? (2) Otherwise, the Diagnosis Failure Probability is: 1.0E-2 x Time x Stress or Stressors x Complexity x Experience (2) Otherwise, the Action Failure Probability is: 1.0E-3 x Time x Stress or Stressors x Complexity x Experience or
or Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes column. Training x Procedures x Ergonomics or HMI x Fitness for Duty x Processes
Available Inadequate time P(failure) = 1.0
PART I. EVALUATE EACH PSF FOR DIAGNOSIS Diagnosis: 1.0E-2x x x x x x x x = Time Time available is § the time required 10 Action: 1.0E-3x x x x x x x x =
Nominal time 1
A. Evaluate PSFs for the Diagnosis Portion of the Task, If Any. Time available 5x the time required 0.1
PSFs PSF Levels Multiplier for Please note specific reasons for C. Calculate the Adjustment Factor IF Negative Multiple (3) PSFs are Present. Time available is 50x the time required 0.01 C. Calculate the Adjustment Factor IF Negative Multiple (3) PSFs are Present.
Diagnosis PSF level selection in this Insufficient Information 1
column. When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite Stress/ Extreme 5 When 3 or more negative PSF influences are present, in lieu of the equation above, you must compute a composite
Available Inadequate time P(failure) = 1.0 PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater Stressors High 2 PSF score used in conjunction with the adjustment factor. Negative PSFs are present anytime a multiplier greater
Time than 1 is selected. The Nominal HEP (NHEP) is 1.0E-2 for Diagnosis. The composite PSF score is computed by Nominal 1 than 1 is selected. The Nominal HEP (NHEP) is 1.0E-3 for Action. The composite PSF score is computed by
Barely adequate time (§2/3 x nominal) 10
Insufficient Information 1 multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
Nominal time 1 multiplying all the assigned PSF values. Then the adjustment factor below is applied to compute the HEP:
Extra time (between 1 and 2 x nominal and > 0.1 Complexity Highly complex 5
Moderately complex 2
than 30 min)
NHEP PSFcomposite Nominal 1 NHEP PSFcomposite
Expansive time (> 2 x nominal and > 30 min) 0.01 HEP
HEP
Insufficient information 1 NHEP PSFcomposite 1 1
Insufficient Information 1
NHEP PSFcomposite 1 1
Stress/ Extreme 5 Experience/ Low 3
Stressors High 2 Training Nominal 1
Nominal 1 Diagnosis HEP with Adjustment Factor = High 0.5 Action HEP with Adjustment Factor =
Insufficient Information 1 Insufficient Information 1
Complexity Highly complex 5 Procedures Not available 50 D. Record Final Action HEP.
D. Record Final Diagnosis HEP. Incomplete 20
Moderately complex 2
Nominal 1 Available, but poor 5 If no adjustment factor was applied, record the value from Part B as your final action HEP. If an adjustment factor was applied, record the
If no adjustment factor was applied, record the value from Part B as your final diagnosis HEP. If an adjustment factor was applied, record Nominal 1
Obvious diagnosis 0.1 the value from Part C. value from Part C.
Insufficient Information 1 Insufficient Information 1
Experience/ Low 10 Ergonomics/ Missing/Misleading 50 Final Action HEP =
Final Diagnosis HEP = HMI Poor 10
Training Nominal 1
High 0.5 Nominal 1
Insufficient Information 1 Good 0.5
Procedures Not available 50
Incomplete 20 Fitness for Unfit P(failure) = 1.0
Duty Degraded Fitness 5
Available, but poor 5
Nominal 1 Nominal 1
Diagnostic/symptom oriented 0.5 Insufficient Information 1
Insufficient Information 1 Work Poor 5
Processes Nominal 1
Ergonomics/ Missing/Misleading 50
HMI Good 0.5
Poor 10
Nominal 1
Good 0.5
Fitness for Unfit P(failure) = 1.0
Duty Degraded Fitness 5
Nominal 1
Work Poor 2
Processes Nominal 1
Good 0.8
Rev 1 (1/20/04)
Reviewer: ___________ Reviewer: ___________ Reviewer: ___________ Reviewer: ___________
A-5
A-4 A-6
A-3
Plant: Initiating Event: Basic Event : ____________ Event Coder:___________
Basic Event Context:
PART III. CALCULATE TASK FAILURE PROBABILITY WITHOUT FORMAL DEPENDENCE (PW/OD)
Calculate the Task Failure Probability Without Formal Dependence (Pw/od) by adding the Diagnosis Failure
Probability from Part I and the Action Failure Probability from Part II. In instances where an action is required
without a diagnosis and there is no dependency, then this step is omitted.
Pw/od = Diagnosis HEP _________ + Action HEP _________ =
Part IV. DEPENDENCY

For all tasks, except the first task in the sequence, use the table and formulae below to calculate the Task Failure
Probability With Formal Dependence (Pw/d).
If there is a reason why failure on previous tasks should not be considered, such as it is impossible to take the
current action unless the previous action has been properly performed, explain here:
Dependency Condition Table

Condition Crew Time Location Cues Dependency Number of Human Action Failures Rule
Number (same or (close in time (same or (additional or - Not Applicable.
different) or not close different) no Why?_________________
in time) additional)
1 s c s na complete When considering recovery in a series
2 a complete e.g., 2nd, 3rd, or 4th checker
3 d na high
4 a high If this error is the 3rd error in the
5 nc s na high sequence, then the dependency is at
6 a moderate least moderate.
7 d na moderate
8 a low If this error is the 4th error in the
9 d c s na moderate sequence, then the dependency is at
10 a moderate least high.
11 d na moderate
12 a moderate
13 nc s na low
14 a low
15 d na low
16 a low
17 zero
Using Pw/od = Probability of Task Failure Without Formal Dependence (calculated in Part III):
For Complete Dependence the probability of failure is 1.

For High Dependence the probability of failure is (1+ Pw/od)/2
For Moderate Dependence the probability of failure is (1+6 x Pw/od)/7
For Low Dependence the probability of failure is (1+19 x Pw/od)/20
For Zero Dependence the probability of failure is Pw/od
Calculate Pw/d using the appropriate values:

Pw/d = (1 + (_______ * _______))/ _______ =
César Queral Human Reliability Analysis Reviewer: ___________

Reliability and Risk Analysis 83 / 92
SPAR-H: Quantification

j
NHEPj · PSFc If less than 3 PSFs > 1


HEPj =
j = c, m  NHEPj ·PSFjc


NHEPj ·(PSFjc −1)+1
If 3 or more 3 PSFs > 1
8
Y
• PSFc = PSFj
j=1
• NHEPc = 1E-2; NHEPm = 1E-3
HEP= HEPc +HEPm

EPRI HRA Calculator
A software tool that facilitates the use of several HRA methods (not a method
itself) for quantifying pre and post-initiator human actions. Relies on SHARPI for
guidance on many elements of the HRA process (e.g., modeling HFEs).
• Automates the use of any of five methods for performing HRA (i.e., THERP,
ASEP,HCR/ORE, CBDT, and SPAR-H).
• Allows for analyst changes to some of the modeling (e.g., change decision
trees or use other PSFs) using judgment, although this is not recommended.
• Version 3 of the software includes a means to facilitate analysis of a variety of
dependency issues.

9. Appendix B: HRA applied to Level 2 PSA
Index
6 Dependency
7 Conclusion

Characteristics of HRA in L2PSA (1/3)
In L1PSA the selection of the appropriate strategies are responsibility of the

operating crew in the Main Control Room (MCR). But in L2PSA, these
responsibilities are assigned tipically to the Technical Support Center (TSC), while
the operating crew remains responsible for the implementation of the strategies.
Issues:
• The impact of human error dependencies may be reduced
• The quality of coordination and communication between the MCR and TSC
may impact the outcome and is unknown
• The operating crew is on position all time, but it is unknown if the TSC staff
will be on position on time

• In L2PSA the emergency teams follow SAMGs instead of EOPs. SAMGs are
guidance, not procedure, and the emergency team may not follow verbatim
the instructions. They may not perform a recommended task because they
have evaluated a negative consequence. Thus the impact of the evaluation
process and potential outcome when using new documents shall be taken
into account.

• In L1PSA, there are generally succesfull decision paths to mitigate core

damage, while in L2PSA the decision making may require trade-offs among
less desirable outcomes.
• Unlike L1PSA, there is generally diminished and less accurate information
available, as indicators may be degraded or certain part of the plant may be
not accessible, also preventing some activities outside the MCR because they
are dangerous or impossible.
• Plants are equipped to handle L1PSA events. L2PSA requires additional
personnel and gear, the availability of which may not be guaranteed, specially
when regional severe consequences beyond the NPP occur.

Type of actions: L2PSA considerations
The following consideration towards each human action type should be taken into
account in L2PSA:
Type Description Impact on PSA L2PSA Aspects
1 HA before the IE during Miscalibrations, misalign- L2PSA may include some
normal operation that de- ments explicitly modelles in systems not considered in
grade system availability the PSA (system FTs) L1PSA
2 HA that contribute to initi- Not explicitly modelled in Not relevant in L2PSA
ating events the PSA for full power
mode . Treated at IE data
level. Explicitly considered
for LW/SD PSA
3 HA during the accident HFE explicitly modelled Main task in HRA for
following the correct pro- in the PSA (ETs and L2PSA. Includes analysis
cedures FTs) of actions made by op-
erators and TSO usings
EOPs and SAMG
4 HA during the accident Identified EOC explicitly Critical to identify erro-
that, due to the inade- modelled in the PSA (ETs neous actions that may lead
quate recognition of the sit- and FTs) to the containment failure,
uation or the selection of e.g due to the wrong timing
the wrong strategy, make it of the action
worse
5 HA during the accident, Recovery actions explictly As in L1PSA important, to
trying to recover the situa- modelled in the PSA (in se- be consistent to what ex-
tion; for example repairs of quences) tent and under which con-
equipment ditions recovery actions are
accounted for
Identification of possible actions in L2PSA
Identification of human actions is based on comprehensive co-operation between

event sequence and system analysts. The following list can be used as a starting
point for potential operator actions to be included in the L2PSA:
• Actions specified in the EOPs, but not credited in L1PSA as it is considered
ineffective in preventing core damage
• Operator actions specified in the EOPs that are assumed failed in the L1PSA,
but are recoverable
• Operator actions specified in the SAMG
Of these actions only those which can be effective in preventing containment
failure need to be modelled in L2PSA.

L2PSA HRA. Current situation. Examples
• France.The IRSN developed Human and Organizational Reliability Analysis in

Accident Management (HORAAM) in the late nineties to take into account
human actions in L2PSA. The model is based on the observation of the
French crisis exercises. For immediate actions, the PANAME model is
applied (this model has been adapted to severe accident context .
• Belgium. A L2PSA HRA methodology has been developed. It is mainly based
on the HRA methodology for the L1PSA of the Belgian units.THERP and
SPAR-H complete the set of references used. The L1PSA methodology
for HRA is applied for the L2PSA as far as possible for consistency.
• Spain. The BWR (SAG) contains all the human actions demanded during a
severe accident. No other human actions were considered in the L2PSA. The
same human reliability methodology was used for both the L1 and L2PSA,
based on the THERP method and SAIC-TRC.
• Hungary. The HEPs were determined on the basis of the method worked out
for the HRA in the L1PSA.

HRA-SARENA-2021

Uploaded by

Copyright:

Available Formats

HRA-SARENA-2021

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

HRA-SARENA-2021

Uploaded by

Copyright:

Available Formats

Human Reliability Analysis

Reliability and Risk Analysis

Master in Nuclear Science and Technology

1 Introduction. Human Reliability

2 Main Control Room Personnel

3 Human Errors. Types of human errors

4 Systematic Human Reliability Analysis Process (SHARP)

5 HRA Quantification Methodologies. THERP and TRC-SAIC Methodologies

8 Appendix A: Other HRA methodologies

9 Appendix B: HRA applied to Level 2 PSA

César Queral Human Reliability Analysis Reliability and Risk Analysis 1 / 92

1 Introduction. Human Reliability

2 Main Control Room Personnel

3 Human Errors. Types of human errors

4 Systematic Human Reliability Analysis Process (SHARP)

5 HRA Quantification Methodologies. THERP and TRC-SAIC Methodologies

8 Appendix A: Other HRA methodologies

9 Appendix B: HRA applied to Level 2 PSA

César Queral Human Reliability Analysis Reliability and Risk Analysis 2 / 92

Human Reliability Analysis (HRA)

• Human Reliability Analysis (HRA): Procedure(s) for a systematic analysis of

César Queral Human Reliability Analysis Reliability and Risk Analysis 3 / 92

Human Reliability Analysis (HRA)

• Human reliability analysis is an integral element in several PSA aspects:

• HRA includes large uncertainties which are necessary to analize.

César Queral Human Reliability Analysis Reliability and Risk Analysis 4 / 92

1 Introduction. Human Reliability

2 Main Control Room Personnel

3 Human Errors. Types of human errors

4 Systematic Human Reliability Analysis Process (SHARP)

5 HRA Quantification Methodologies. THERP and TRC-SAIC Methodologies

8 Appendix A: Other HRA methodologies

9 Appendix B: HRA applied to Level 2 PSA

César Queral Human Reliability Analysis Reliability and Risk Analysis 5 / 92

Main Control Room

César Queral Human Reliability Analysis Reliability and Risk Analysis 6 / 92

Main Control Room

César Queral Human Reliability Analysis Reliability and Risk Analysis 7 / 92

Main Control Room Crew. Types of reactor operators license

There are two types of reactor operators license:

César Queral Human Reliability Analysis Reliability and Risk Analysis 8 / 92

Shift Personnel. Main Control Room Crew

Main Control Room Crew Responsibilities and Regulation

The responsibilities of the MCR crew include actions taken to:

César Queral Human Reliability Analysis Reliability and Risk Analysis 10 / 92

Shift Personnel and other personnel

César Queral Human Reliability Analysis Reliability and Risk Analysis 11 / 92

Main Control Room Crew (USA)

César Queral Human Reliability Analysis Reliability and Risk Analysis 12 / 92

Main Control Room Crew (Germany)

César Queral Human Reliability Analysis Reliability and Risk Analysis 13 / 92

Main Control Room Crew: advanced reactors and SMRs

César Queral Human Reliability Analysis Reliability and Risk Analysis 14 / 92

César Queral Human Reliability Analysis Reliability and Risk Analysis 15 / 92

1 Introduction. Human Reliability

2 Main Control Room Personnel

3 Human Errors. Types of human errors

4 Systematic Human Reliability Analysis Process (SHARP)

5 HRA Quantification Methodologies. THERP and TRC-SAIC Methodologies

8 Appendix A: Other HRA methodologies