Learning from accidents: Analysis of multi-attribute events and implications to improve design and reduce human errors

High-technology accidents are likely to occur under a complex interaction of multiple active failures and latent conditions, and recent major accidents investigations are increasingly highlighting the role of human error or human-related factors as significant contributors. Latent conditions might have long incubation periods, which implies that a number of design failures may be embedded in systems until human errors trigger an accident sequence. Consequently, there is a need to scrutinise the relationship between enduring design deficiencies and human erroneous actions as a conceivable way to minimise accidents. This study will tackle this complex problem by applying an artificial neural network approach to a proprietary multi-attribute accident dataset, in order to disclose multidimensional relationships between human errors and design failures. Clustering and data mining results are interpreted to offer further insight into the latent conditions embedded in design. Implications to support the development of design failure prevention schemes are then discussed

Risk effectiveness evaluation of surveillance testing

To address the concerns about nuclear power plant surveillance tests, i.e., their adverse safety impact due to negative effects and too burdensome requirements, it is necessary to evaluate the safety significance or risk effectiveness of such tests explicitly considering both negative and positive effects. This paper defines the negative effects of surveillance testing from a risk perspective, and then presents a methodology to quantify the negative risk impact, i.e., the risk penalty or risk increase caused by the test. The method focuses on two important kinds of negative effects, namely, test-caused transients and test-caused equipment degradations. The concepts and quantitative methods for the risk evaluation can be used in the decision-making process to establish the safety significance of the tests and to screen the plant-specific surveillance test requirements. 6 refs., 2 figs., 2 tabs

Evaluation of risk effective STIs with specific application to diesels

From a risk standpoint, the objective of surveillance tests is to control the risk arising from failures which can occur while the component is on standby. At the same time, risks caused by the test from test-caused failures and test-caused degradations need also to be controlled. Risk-acceptable test intervals balance these risks in an attempt to achieve an acceptable low, overall risk. Risk and reliability approaches are presented which allow risk-acceptable test intervals to be determined for any component. To provide focus for the approaches, diesels are specifically evaluated, however, the approaches can be applied not only to diesels, but to any component with suitable data. Incorporation of the approaches in personal computer (PC) software is discussed, which can provide tools for the regulator or plant personnel for determining acceptable diesel test intervals for any plant specific or generic application. The FRANTIC III computer code was run to validate the approaches and to evaluate specific issues associated with determining risk effective test intervals for diesels. Using the approaches presented, diesel accident unavailability can be more effectively monitored and be controlled on a plant-specific or generic basis. Test intervals can be made more risk effective than they are now, producing more acceptable accident unavailabilities. The methods presented are one step toward performance-based technical specifications, which more directly control risks

Evaluation of allowed outage times (AOTs) from a risk and reliability standpoint

This report describes the basic risks which are associated with allowed outage times (AOTs), defines strategies for selecting the risks to be quantified, and describes how the risks can be quantified. The report furthermore describes criteria considerations in determining the acceptability of calculated AOT risks, and discusses the merits of relative risk criteria versus absolute risk criteria. The detailed evaluations which are involved in calculating AOT risks, including uncertainty considerations are also discussed. The report also describes the proper ways that risks from multiple AOTs should be considered so that risks are properly accumulated from proposed multiple AOT changes, but are not double-counted. Generally, average AOT risks which include the frequency of occurrence of the AOT need to be accumulated but single downtime risks don't since they apply to individual AOTs. 8 refs., 22 tabs

Risk-based configuration control system: Analysis and approaches

This paper presents an analysis of risks associated with component outage configurations during power operation of a nuclear power plant and discusses approaches and strategies for developing a risk-based configuration control system. A configuration, as used here, is a set of component states. The objective of risk-based configuration control is to detect and control plant configurations using a risk-perspective. The configuration contributions to core-melt frequency and core-melt probability are studied for two plants. Large core-melt frequency can be caused by configurations and there are a number of such configurations that are not currently controlled by technical specifications. However, the expected frequency of occurrence of the impacting configurations is small and the actual core-melt probability contributions are also generally small. Effective strategies and criteria for controlling configuration risks are presented. Such control strategies take into consideration the risks associated with configurations, the nature and characteristics of the configuration risks, and also the practical considerations such as adequate repair times and/or options to transfer to low risk configurations. Alternative types of criteria are discussed that are not overly restrictive to result in unnecessary plant shutdown, but rather motivates effective tests and maintenance practices that control; risk-significant configurations to allow continued operation with an adequate margin to meet challenges to safety. 3 refs., 7 figs., 2 tabs

Safety system function trend indicator: Theory and test application

Methods for formulation, interpretation, and validation of dynamic risk and reliability indicators are studied. The use of these indicators for monitoring various levels of safety performance in nuclear power plants, as identified by probabilistic risk assessments (PRAs), such as safety system unavailability, safety system failure frequency, and core-damage frequency, are explored. Simplified indicators for detecting trends in the unavailability of safety systems in nuclear power plants not requiring PRA models and extensive data collection effort are being developed for possible NRC use. These indicators, called safety system function trend indicators (SSFT), are designed because they are easy to implement to display trends in system unavailability which can be detected through their visual inspections. The characteristics of these indicators are studied and optimized through simulation studies to assure sufficient capability in displaying a trend. To further substantiate the findings from visual examination of these indicators, statistical trend tests for sparse data are developed to aid the interpretation of these indicators. To evaluate the indicators from a safety point of view (rather than pure statistical sense) methods for comparing these indicators to a given alert level are being explored. Finally, approaches for engineering interpretation of these indicators are being studied by identifying the major contributors and causes for anomalies in indicator behavior. A preliminary pilot application/validation of these indicators, based on data from a sample of eight units, was completed in FY89. The findings are promising and warrant further refinement in the methodology. 5 refs., 3 figs