Dissertation on Modeling and Simulation of Operator Knowledge-Based Behavior

Description
Knowledge is a familiarity with someone or something, which can include facts, information, descriptions, or skills acquired through experience or education.

ABSTRACT

Title of Document: MODELING AND SIMULATION OF OPERATOR KNOWLEDGE-BASED BEHAVIOR

Yuandan Li, Ph.D., 2013

Directed By: Professor Ali Mosleh, Department of Mechanical Engineering

Many accidents are attributed to human errors. Abundant evidence can be found in major accidents in the petro-chemical, nuclear, aviation, and other industries. In the nuclear power industry, safe operation relies heavily on the operators’ interaction with plant systems. For example, the Three Mile Island accident was exacerbated by the operators’ misdiagnosis of the situation, which led to the termination of the plant’s automatic protection system that could have prevented meltdown of the reactor core. Hence, Human Reliability Analysis (HRA) is an important ingredient of Probabilistic Risk Assessment (PRA), particularly in the nuclear industry. HRA aims to predict possible human errors, identify “error forcing contexts”, and assess error probabilities. Despite advances in the HRA discipline over the past two decades, virtually all existing methods lack a causal model, and few leverage theoretical and empirical insights for error prediction in a systematic and formal way. One approach that has attempted to address this major shortcoming is the IDAC crew simulation model of the ADS-IDAC dynamic PRA platform. Through the interactions between an IDAC crew model and a pressurized water reactor plant model, ADS-IDAC dynamically simulates the operators’ cognitive activities and actions in an accident condition.

The goal of the proposed research is to introduce an advanced reasoning capability and structured knowledge representation to enhance the realism and predictive power of the IDAC model for situations where crew behaviors are governed by both the Emergency Operating Procedure (EOP) and their knowledge of the plant. This is achieved by: 1) Developing and implementing a cognitive architecture to simulate operators’ understanding of accident conditions and plant response, and their reasoning processes and knowledge utilization in making a diagnosis. A reasoning module has been added to the individual operator model within the IDAC model to mimic operators’ knowledge-based reasoning processes; 2) Developing and applying a comprehensive set of Performance Shaping Factors (PSF) to model the impacts of situational and cognitive factors on operators’ behaviors. The effects and interdependencies of PSFs are incorporated into the reasoning module; and 3) Performing a calibration and validation of the model predictions by comparing the simulation results with the results of a number of plant crew simulator exercises.

MODELING AND SIMULATION OF OPERATOR KNOWLEDGE-BASED BEHAVIOR

By Yuandan Li

Dissertation submitted to the Faculty of the Graduate School of the University of Maryland, College Park, in partial fulfillment of the requirements for the degree of Doctor of Philosophy 2013

Advisory Committee:
Professor Ali Mosleh, Chair
Professor Thomas S. Wallsten, Dean’s Representative
Professor Mohammad Modarres
Professor Gary Pertmer
Professor Monifa Vaughn-Cooke
Dr. Kevin A. Coyne, Special Member

© Copyright by Yuandan Li 2013

Acknowledgements
This work was funded through a Collaborative Research Grant (NRC-04-09-143) by the U.S. Nuclear Regulatory Commission (USNRC). A lot of people have helped me through this project. I am grateful for the help from every one of them. Here I would like to specifically acknowledge the assistance and support from the following people.

First and foremost, I would like to thank my advisor Professor Ali Mosleh (Center for Risk and Reliability in University of Maryland) for giving me the opportunity to work in such an interesting research project, guiding and supporting me over the years.

I would like to thank my dear friends Nsimah Ekanen (University of Maryland) and Hui Jin (Norwegian University of Science and Technology). You two gave me huge support and encouragement. Thank you for cheering me up in this long journey.

I would like to thank Dr. James Chang, Dr. Kevin A. Coyne, Dr. Song-Hua Shen in U.S. Nuclear Regulatory Commission, and Dr. Dongfeng Zhu (University of Maryland) for their technical assistance. Thank you for explaining ADS-IDAC 2.0 to me, providing me necessary knowledge of power plant systems, discussing my research and giving me valuable advice.

I would like to thank Professor Xiaoshan Yi (Chinese National University of Defense Technology). Thank you for spending hours and hours in listening to me nagging about my research ideas and giving me many practical suggestions.


I also want to thank my committee members: Professor Ali Mosleh, Professor Thomas S. Wallsten, Professor Mohammad Modarres, Professor Gary Pertmer, Professor Monifa Vaughn-Cooke, and Dr. Kevin A. Coyne. Thank you for being interested in this research.


Table of Contents
Acknowledgements
Table of Contents
List of Figures
List of Tables
Acronyms
1 Introduction
1.1 Motivation
1.2 Objectives of the Research
1.3 Structure of this dissertation
2 Overview of ADS-IDAC
2.1 Overview of IDAC cognitive model
2.2 Overview of ADS-IDAC simulation platform
3 Gap Analysis
3.1 Procedure and knowledge-based models in ADS-IDAC
3.1.1 Procedure model
3.1.2 Knowledge-based behavior: mental belief and diagnose engine
3.2 Simulation of operator information perception paths
3.3 Simulation of operators reasoning decision-making, and operator actions
3.4 Branching capabilities for capturing crew-to-crew variance:
3.5 The need for more deliberative reasoning process
3.6 Cognitive Architectures
4 Architecture of Reasoning Module
4.1 Overview of the reasoning module
4.2 Memory and representation
4.2.1 Memory layout
4.2.2 Semantic representation
4.2.3 Knowledge base web
4.2.4 Mental representation of the situation
4.2.5 Accident event schema
4.2.6 An example of building a knowledge base
4.3 Implementation functions of the reasoning module
4.3.1 Flow of reasoning module and information generated in the simulation
4.3.2 An algorithm for calculating accident diagnosis confidence level
4.3.3 Activation propagation
4.3.4 Decay of investigation items in the working memory
4.3.5 Information perception module enhancement
4.3.6 Modeling diagnosis ambiguity
4.3.7 Model operators’ diagnosis of indicator failures
4.4 Modeling the calculation aid
5 Integration of procedure-based and knowledge-based operator response
6 Modeling Performance Shaping Factors
6.1 Introduction
6.2 Mechanism PSFs
6.2.1 Attention
6.2.2 Problem-solving style
6.2.3 Expertise (knowledge/experience/skill/training)
6.2.4 Other mechanisms and process factors
6.3 Quantitative PSFs
6.3.1 Time constraint load
6.3.2 Passive information (alarm) load
6.3.3 Cognitive task load
6.3.4 Task complexity
6.3.5 Stress
6.3.6 Fatigue
6.4 Model parameters—manifestation of PSFs
6.4.1 Maximal length of alarm stack
6.4.2 Cognitive resource use
6.4.3 Information processing speed multiplier
6.4.4 Routine monitoring interval multiplier
6.4.5 Attention span multiplier
6.4.6 Memory span multiplier
6.4.7 Decay time of unattended investigation item multiplier
6.4.8 Static model parameters
6.4.9 Model parameter static multiplier
6.5 Summary of PSF assessments and PSF manifestations
7 Simulation Case for Model Calibration and Validation
7.1 Introduction
7.2 Scenario description
7.3 ADS-IDAC simulation model
7.4 Outputs layout
8 General Simulation Results
8.1 Observation and explanation of observations
8.2 Accident Diagnosis
8.3 Simulation Outputs: PSFs and Manifestations
9 Simulation Results for Crew Problem-Solving Styles
9.1 Alarm information
9.2 Diagnosis of MSLB
9.2.1 Overview of the three Operators’ Diagnosis Progression
9.2.2 Narratives of operator activities generated in the simulation
9.2.3 Information usage
9.3 Diagnosis of SGTR
9.3.1 Diagnosis progression
9.3.2 Highlights of OG’s diagnosis process
9.3.3 Highlights of OH’s diagnosis process
9.3.4 Highlights of OV’s diagnosing process
10 Comparison of Results
10.1 Crew-to-Crew variability in timing
10.1.1 Varying timing to reach diagnosis
10.1.2 Varying pace of using procedure
10.2 Procedure progression—comparison with Halden data
10.3 Comparison with simulation result of earlier ADS-IDAC and improvements
11 Robustness of the Knowledge Base Model
11.1 Turbine trip case
11.2 Pressurizer PORV stuck open
11.3 Simple SGTR accident
11.4 Main Feed Regulation Valve (MFRV) failure
11.5 Chapter conclusion
12 Summary and Conclusions
12.1 Information perception channel improvements
12.2 Reasoning module
12.3 Decision-making
12.4 Performance-shaping factors
12.5 Modeling operator variance
12.6 Model calibration and validation
12.7 General Conclusion
13 Suggestion for Future Work
Appendix 1: Tiered Classification of PSFs (Groth 2009)
Appendix 2: Knowledge-Web Coded in the Complex SGTR Simulation Case
Bibliography


List of Figures
Figure 1-1 Advantages of cognitive simulation model for HRA
Figure 2-1 A high level view of IDAC dynamic response model (Chang, 2007)
Figure 2-2 ADS dynamic PRA framework and dynamic event tree (Chang, 2007)
Figure 2-3 Overview of modules of ADS-IDAC platform
Figure 3-1 Brief summary of ADS-IDAC 2.0 capabilities
Figure 4-1, Abstracted information process diagram
Figure 4-2 Illustration of the interpretation function in the reasoning module
Figure 4-3 Example of thought threads pool
Figure 4-4 Enhanced ADS-IDAC operator cognitive flow model with reasoning module
Figure 4-5 Memory Structure of the proposed Reasoning Module
Figure 4-6 Semantic Representation Example
Figure 4-7 Knowledge base web example
Figure 4-8 A Knowledge link structure
Figure 4-9 Knowledge link examples
Figure 4-10 Mental representation example
Figure 4-11 Example: An schema highlights paths between an accident and symptoms
Figure 4-12 Example: accident schema of SGTR-A
Figure 4-13 Knowledge link examples of parameter trends
Figure 4-14 Knowledge link examples of alarm dynamics
Figure 4-15 Knowledge coding examples of component indicator dynamics
Figure 4-16 Knowledge link examples of other plant phenomena
Figure 4-17 Simulation process of ADS-IDAC
Figure 4-18 Investigation function structure of investigation item
Figure 4-19 Example of one investigation item
Figure 4-20 An example of reasoning chain
Figure 4-21 Confidence level of uncertain causal paths
Figure 4-22 Spreading confidence among multiple uncertain causes
Figure 4-23 A system block diagram resembles the way of integrating path confidences
Figure 4-24 A knowledge link shows that A causes B
Figure 4-25 Causal paths between accident A and its positive symptoms
Figure 4-26 Calculation of SGTR confidence level
Figure 4-27 Activation propagation paths in the semantic base
Figure 4-28 An example of activation propagation
Figure 4-29 Investigation item decay and resume in memory
Figure 4-30 Diagnosis progress with ambiguous among two hypotheses
Figure 4-31 Information conflicts of SG-A level indicator failure example
Figure 4-32 Calculation aid-containment flammability
Figure 4-33 Fitting of the calculation aid curve of severe hydrogen challenge boundaries
Figure 6-1 Treisman’s attention model
Figure 6-2 Information perception process (Knudsen 2007)
Figure 6-3 A system block diagram resembles path confidences integration
Figure 6-4 Weighting of alarm activities in recent 18 seconds
Figure 6-5 Decaying factor of cognitive task load
Figure 6-6 Diagram of passive alarm load and max alarm stack length
Figure 6-7 Delta time before actively checking the next symptom
Figure 6-8 Surrogates-PSFs-Manifestations propagation paths
Figure 7-1 Main steam line system
Figure 8-1 An example of simulation outputs—explanation of Tave decrease
Figure 8-2 Key parameter trends in the simulation (Part 1 of 2)
Figure 8-3 Key parameter trends in the simulation (Part 2 of 2)
Figure 8-4 Simulation result—operator’s diagnosis of MSLB accident
Figure 8-5 Simulation result—operator’s diagnosis of SG-A fault accident
Figure 8-6 Simulation result—operator’s diagnosis of SGTR-A accident
Figure 8-7 Passive alarm load in complex SGTR accident
Figure 8-8 Passive alarm load with three problem-solving styles
Figure 8-9 Cognitive task load in complex SGTR accident
Figure 8-10 Cognitive task complexity in complex SGTR accident
Figure 8-11 Cognitive task complexity with three problem-solving styles
Figure 8-12 Stress level in complex SGTR accident
Figure 8-13 Mental fatigue level in complex SGTR accident
Figure 8-14 Maximal alarm stack length
Figure 8-15 Model parameter: cognitive resource use
Figure 8-16 Model parameter: cognitive time cost multiplier
Figure 8-17 Model parameter: routine monitoring interval multiplier
Figure 8-18 Model parameter: investigation item decay time
Figure 8-19 Model parameter: memory span multiplier
Figure 8-20 Model parameter: attention span multiplier
Figure 9-1 Alarm activities in first 5 minutes
Figure 9-2 Diagnosis progresses of MSLB accident
Figure 9-3 Knowledge for explaining “Control rod moving out”
Figure 9-4 Activation levels of two causes of “control rod moving out”
Figure 9-5 Drawing of steam generator levels
Figure 9-6 Three operators’ diagnosis progresses of SGTR accident
Figure 10-1 Diagnosis confidence of SGTR and confidence threshold
Figure 10-2 Diagnosis time range due to varying activeness between 0.67 and 10.0
Figure 10-3 Two diagnosis confidence progression with two activeness values
Figure 10-4 Comparison: Halden data vs. ADS-IDAC predicted time range
Figure 10-5 Branching points in the complex SGTR simulation
Figure 10-6 Procedure progression paths based on simulation results
Figure 10-7 Mental belief activation Paths in ADS-IDAC 2.0 simulation


List of Tables
Table 4-1 Human errors from HERA data
Table 4-2 Knowledge retrieval easiness assessment reference
Table 4-3 Prior probability assessment reference
Table 4-4 Familiarity assessment reference
Table 4-5 Knowledge base applicability across different accident types
Table 4-6 Systems, components, and indicators included in the knowledge base
Table 4-7 System dynamics types
Table 4-8 Knowledge link examples
Table 4-9 An accident event schema—MSLB
Table 4-10 situational statement samples
Table 4-11 Investigation Functions
Table 4-12 Investigation item samples
Table 6-1 Classification of selected PSFs
Table 6-2 Capacity theory of attention
Table 6-3 Approaches to integrate different problem solving styles
Table 6-4 Approaches to implement 4 problem solving styles
Table 6-5 Inputs of decomposed behavior to the task load
Table 6-6 Factors contributing to fatigue
Table 6-7 Manifestations of fatigue in the simulation model
Table 7-1 Procedures involved in the complex SGTR accident
Table 8-1 Explanations of some key phenomena in one simulation sequence
Table 8-2 Perception of information
Table 9-1 Number of alarms missed by the operators
Table 9-2 Narrative of OV’s reasoning activities
Table 9-3 Narrative of OG’s reasoning activities
Table 9-4 Narrative of OH’s reasoning activities
Table 9-5 Use of clues
Table 9-6 Time when SGTR diagnosis confidence exceeds 0.9
Table 10-1 Comparison of one crew responses with one simulation sequence
Table 10-2 Procedure progression and basis for transfer to E-3 in complex scenario


Acronyms
ADS: Accident Dynamic Simulator
IDAC: Information, Decision, and Action in a Crew Context
ADS-IDAC: Accident Dynamic Simulator-Information, Decision, and Action in a Crew Context
DDET: Discrete Dynamic Event Tree
PSF: Performance Shaping Factor
PIF: Performance Influencing Factor
PRA: Probabilistic Risk Assessment
PWR: Pressurized Water Reactor
HRA: Human Reliability Analysis
HERA: Human Event Repository and Analysis
MSLB: Main Steam Line Break
MSIV: Main Steam Isolation Valve
NPP: Nuclear Power Plant
SGTR: Steam Generator Tube Rupture
SGTR-A: Steam Generator Tube Rupture in Steam Generator-A
LOFW: Loss of Feed Water
SA: Situation Awareness


1 Introduction

1.1 Motivation

Human errors are estimated to have caused or contributed to 60 to 90 percent of accidents across industries (Salminen and Tallberg 1996; Dhillon 2007). In the nuclear power industry, where safe operation relies heavily on the operators’ interaction with plant systems, the Three Mile Island accident was exacerbated by operators’ misdiagnosis of the situation, which led to the termination of the plant’s automatic protection system that could have prevented meltdown of the reactor core. U.S. Federal Aviation Administration (FAA) accident reports also include many cases that were caused by human errors. On 08-27-2006, the pilots of Comair Flight 191 took off on a wrong runway that was too short. The plane crashed; 47 passengers and two crewmembers were killed.

Human Reliability Analysis (HRA) is an important ingredient of Probabilistic Risk Assessment (PRA), particularly in the nuclear industry. HRA aims to predict possible human errors, identify “error forcing contexts”, and assess error probabilities.

The first generation of HRA methods treated human functions and errors in a manner that resembled the modeling of hardware systems and components. The analyst would identify the human failure modes and estimate the corresponding failure probabilities. Although some methods (e.g. THERP) provided a general set of error modes and suggested error probability values, none offered full coverage of possible human errors, and rules for assessing error rates were limited, leading to highly subjective assignment of probabilities when they were applied to specific cases.


HRA methods generally include internal and external factors believed to impact human errors. These are known as Performance Shaping Factors (PSF) or Performance Influencing Factors (PIF). Each HRA method (e.g. SPAR-H) has its own PSF set, and the human error probabilities (HEP) are usually adjusted based on a qualitative/quantitative assessment of the PSFs, bringing more contextual information into the HEP assessment process.

Second generation HRA methods delved more into the cognitive mechanism of human error. An example is the Cognitive Reliability Error Analysis Method (CREAM) model, where human errors are classified by and mapped to various “micro cognitive processes”. However, despite recent advancements in methods, none of the presently used methods are adequately rooted in theoretical and empirical findings in cognitive and behavioral sciences.

Some methods have started to fill this void. In the late 80s and early 90s, Cognitive Environment Simulation (CES) was developed to model intention errors. The U.S. NRC sponsored the work. CES simulates the operator’s cognitive behaviors, including monitoring and tracking changes in the plant states, identifying abnormal plant processes, building explanations and situation assessment, and formulating intentions to take actions. In this simulation model, the knowledge of the plant is represented by knowledge couplers, which link and specify the relations of the plant dynamics. A knowledge coupler is activated to generate inference when its condition rules are satisfied (D. D 1987). This approach demonstrates strength at predicting correct operator performance and provides insights about the necessary factors leading to a successful diagnosis. The CES simulation results were compared with experiment data; one finding was that the CES intelligence system was too fast in processing large amounts of information, which is beyond the ability of a real human being.

“Attention and processing resource limits of people” (Roth, Woods et al. 1992) were not included in the CES model. In the early 90s, a Cognitive Simulation Model (COSIMO) was developed by the Commission of the European Communities for simulating nuclear power plant operators’ behaviors (Cacciabue, Decortis et al. 1992). This simulation model was built on an information-processing flow structure: Filtering->Diagnosing->Hypothesis Evaluation->Execution. Its filtering function was built on a salience criterion, based on physical salience and cognitive salience. These two salience features provide a good basis for modeling the operator’s attention focus; however, goal-driven attention was not adequately included. In a control room, there are many control panels providing a large amount of information. For the operator to detect an indicator, except for an auditory alarm, it has to be within the operator’s visual field, which is determined by the operator’s position, viewing angle, and gazing control. These three factors are heavily dependent on the operator’s deliberative goal-driven attention. So without analyzing the operator’s goal-driven attention, it would be impossible to provide a good attention filtering process. The diagnosing and hypothesis evaluation processes of COSIMO are supported by two techniques: similarity matching and frequency gambling. They show advantages in capturing short-cut heuristic reasoning, but fall short in mimicking the deep reasoning process. Another modeling and simulation approach, Adaptive Control of Thought-Rational (ACT-R), has gone through decades of development. ACT-R is not specially designed for simulating nuclear power plant crew behavior, but it has many important features relevant to the subject. ACT-R has models of sensory and motor response to represent
interactions with the environment. In addition, intentional forming and declarative modules are utilized to model operator information processing. The processed information is stored in buffers for communication among different modules, which form the short-term memory (Anderson, Bothell et al. 2004). In ACT-R, the long-term knowledge is coded as production rules. Other features include functions based on a distinction between declarative information and procedural memory (Anderson 2007), and a spreading activation theory of memory (Anderson 1983). These are also used for inferences of modeling memory retrieval in the present work. In summary, modeling the attention mechanism (particularly the goal-driven attention) and the limitation of cognitive resources will add much improvement to simulation-based HRA methods. In order to better mimic human reasoning, a desirable HRA simulation model should be capable of capturing both the short-cut heuristic reasoning and rigorous deep reasoning, as well as switching and mixing these two modes. Another approach to cognitive simulation, with a structured causal model of the cognitive processes and team behavior, is the IDAC method. The IDAC model is implemented in a dynamic PRA simulation environment known as ADS-IDAC. A cognitive simulation model such as ADS-IDAC has several salient features:
• The idea of ADS-IDAC is to embed relevant knowledge and rules from theoretical and empirical findings in psychology and other disciplines, accident reports, and data, into the simulation program and to apply them to specific case simulations automatically. This is in principle the same information base that human experts use to analyze cases. The difference is that computational power in
a simulation environment enables the analysis to be done at greater depth and complexity beyond what a human expert could achieve.
• It is easier to capture the dynamic interactions between the human operator and the system in a simulation model. Operators need to perform appropriate functions to bring the plant to a desired state, e.g. plant startup, and plant shutdown in routine operations. Operators also need to monitor the plant to maintain safe operation. Once something goes wrong with the plant, the operators play an important role in controlling the course of events and bringing the plant back to a safe state and minimizing potential adverse consequences. However, human errors could complicate the situation and even lead to accidents. Interactions between human operators and the plant hardware system are highly dynamic and interdependent. Analyzing crew performance usually requires analyzing the task, and answering questions such as: In this accident situation what would be the operator’s proper response? What does the operator have to do to satisfy the situation demand? How much time does the operator need to finish a task? What information does the operator need to have in order to correctly diagnose the situation and make the right decision? The answer to all these questions could be explicitly and more completely included in a simulation tool. ADS-IDAC shows its advantage in capturing the interactions between human and system in two aspects. Firstly, it generates rich contextual information, which provides input to the operators’ perception—the key information used to predict the operator’s behavior. Secondly, it sends the operator’s actions to the hardware systems and propagates them to the consequences. Through these two types of
interactions, the simulation model diligently traces various combinations of the systems dynamics and the operator’s behaviors in a desired temporal resolution.

Figure 1-1 Advantages of cognitive simulation model for HRA

• Simulation models can be designed to predict human behaviors not just human error. Human error is usually defined based on its consequence. It represents a human activity that may incur negative consequences or that inappropriately deviates from an expected course. Before an erroneous human action that directly impacts the system (often referred to as human failure event, HFE), there are cognitive activities that cause it. Simulation programs such as ADS-IDAC could trace HFEs back to the root causes, and causally generate human error based on the chain of operator cognitive and physical activities at different times.
• Simulation models can provide a better way to utilize theoretical and empirical findings of human error causation. For instance, we can learn from the available theoretical and empirical findings that show how the cognitive processes are affected by various factors—cognitive factors or situational factors. For example, fatigue could slow down the cognitive processing speed and weaken goal-driven attention function. These findings provide helpful guidance and basis for human error prediction. However, it is challenging to convert them into observable human error.

The aim of this work is to further improve the capabilities of ADS-IDAC in modeling the cognitive aspects of operator response. This is realized by enhancing the simulation of the operator’s knowledge-based reasoning, adding an attention control mechanism in the individual operator model, integrating the operator’s knowledge-based responses and procedure-based responses, and integrating more Performance Shaping Factors into the IDAC cognitive model.

1.2 Objectives of the Research

The goal of this research is to introduce an advanced reasoning capability and structured knowledge base to enhance the realism and predictive power of the IDAC model for situations where crew behaviors are governed by both the Emergency Operating Procedure (EOP) and their knowledge of the plant and its responses. This is achieved by:
• Developing and implementing a cognitive architecture to simulate operators’ understanding of accident conditions and plant responses, their reasoning processes and knowledge utilization to make a diagnosis, while following procedures which attempt to do the same. A reasoning module has been added to the individual operator model within the IDAC model to mimic operators’ knowledge-based reasoning processes;
• Developing and applying a comprehensive set of Performance Shaping Factors (PSF) to model the impact of situational and cognitive factors on operators’ behaviors. The effects and interdependencies of PSFs are incorporated by using a causal model to drive the reasoning processes;
• Demonstrating and validating the capabilities of the enhanced ADS-IDAC through an application to a complex accident case (a Steam Generator Tube Rupture (SGTR) accident), and comparing the results with empirical data from simulator exercises involving real operators.

1.3 Structure of this dissertation

Following the introductory chapter, Chapter 2 provides an overview of the IDAC cognitive model and ADS-IDAC simulation platform. Chapter 3 analyzes the gap and the improvement need in ADS-IDAC. Chapter 4 introduces a reasoning module architecture developed in this research, including an approach to mental representation and information-processing functions of the reasoning module in ADS-IDAC. Chapter 5 offers an approach to simulate operators’ procedure-based and knowledge-based responses. Chapter 6 discusses a set of highly relevant Performance Shaping Factors (PSFs) and ways to integrate them into ADS-IDAC. Chapters 7-10 use a simulation case to demonstrate new features in ADS-IDAC and validate the models. Chapter 7 describes the accident scenario and operators’ tasks in the scenario. Chapter 8 provides samples of ADS-IDAC simulation results to demonstrate the new capabilities. Section 8.3 presents different operator behaviors generated in the simulation results, with three different problem-solving styles modeled in ADS-IDAC. Chapter 10 discusses the capability of modeling crew variance and validates this model by comparing a set of simulation results with the responses of real crews in an international empirical study. Additionally, we discuss improvements introduced by this research by comparing the simulation results with earlier ADS-IDAC simulation results for the same accident case. Chapter 11 presents some simulation results of another four accident scenarios to demonstrate the robustness of the knowledge base coding. Chapter 12 summarizes the main features and contributions of this research. In the end, we give several suggestions for future research.

2 Overview of ADS-IDAC

2.1 Overview of IDAC cognitive model

IDAC is an operator behavior model developed based on many relevant findings from cognitive psychology, behavioral sciences, neuroscience, human factors, field observations, and various first and second-generation HRA methodologies. It models individual operator behavior in a crew context and in response to plant abnormal conditions. Three generic types of operators are modeled: Decision Maker (e.g., Shift Supervisor), Action Taker (operators at the control panel), and Consultant (e.g., resource experts in the control room). IDAC models constrained behavior, largely regulated through training, procedures, standardized work processes, and professional discipline. These constraints significantly reduce the complexity of the problem, when compared to modeling general human response. IDAC covers the operator’s various dynamic response phases, including situation assessment, diagnosis, and recovery actions. At a high level of abstraction, IDAC is composed of models of information processing (I), problem-solving and decision-making (D), action execution (A), of a crew (C). Given incoming information, the crew model generates a probabilistic response, linking the context to the action through explicit causal chains.

Figure 2-1 A high level view of IDAC dynamic response model (Chang, 2007)
[Diagram not reproduced. Labels recoverable from the figure: System, Other Crew Members, Other External Resources; External Filter; Ask for Information; Give Command; Provide Information; Check System Info.; Change System State; Incoming Information; Dynamic Influencing Factors; Static Influencing Factors; Outgoing Action; Mental State; Working Memory; Rules of Behavior; Problem Decision Decomposition Dynamics Goal Strategy; Intermediate Memory; Knowledge Base.]

Figure 2-1 is a schematic representation of the main elements of the IDAC modeling concept and its key elements in the form of the umbrella I-D-A dynamic loop for each member of the crew. IDAC is composed of (1) a Problem Solving Model, (2) Mental State as Engine of Cognition, (3) Memory and Knowledge Base Model, (4) Causal Model of Internal and External Performance Shaping Factors. The cognitive engine of IDAC combines the effects of rational and emotional dimensions, forming a small number of generic rules of behavior that govern the dynamic response of the operator. The architecture of IDAC is such that its main modeling elements can be repeatedly embedded in a layered and progressively detailed representation of the cognitive process.

2.2 Overview of ADS-IDAC simulation platform

Due to the variety, quantity, and relatively detailed nature of the input information, and also the complexity of applying its internal rules, the IDAC model is presently only implemented through a computer simulation. IDAC has been implemented as the HRA module of the Dynamic PRA computer code ADS. With its embedded models of a nuclear power plant including the RELAP5 thermal-hydraulic simulation code and a plant hardware model, ADS simulates accident scenarios that form the context for the IDAC operator response model.

Figure 2-2 ADS dynamic PRA framework and dynamic event tree (Chang, 2007)
[Diagram not reproduced. Labels recoverable from the figure: time axis (0, ti-1, ti, Time); branch probabilities P1 to P5 with Prob.(End State) = P1P2P3P4P5; legend: Branch Points (BP), System Hardware State BP, Physical Variables BP, Human Action BP, Software BP, End State, Pi: Branch Probability; models: Crew State Model, System Hardware State Model, Physical Variables Model; plotted variable: Temperature.]

ADS uses the Discrete Dynamic Event Tree (D-DET) approach to generate possible time-dependent scenarios based on dynamically changing states of various systems and operator responses. Similar to the conventional event trees, D-DETs start with an initiating event (e.g., a pipe break) occurring at a specific time. Branches are then generated at discrete points in time following the initiating event, based on probable outcomes of system/operator state changes (Figure 2-2). Also, as in conventional PRAs, the probability of a scenario is calculated as the product of conditional probabilities of branches that constitute the scenario. The ADS-IDAC simulation program is the integration of the IDAC crew model with the ADS Dynamic PRA computer code. The ADS-IDAC platform simulates situational contexts that might lead to human failure events. Operator actions in turn impact the key plant parameters and potentially change the trajectory of accident scenarios. Therefore, in generating the D-DET sequences dealing with operator response, ADS provides the IDAC module the values of the set of dynamically changing factors (e.g., plant physical process parameters, and system states). The IDAC crew model then tracks the operators’ internal responses to the situation, and generates dynamically changing values of the indicators of psychological states, and resulting cognitive behaviors or physical actions. The spectrum of the potentially very large set of event sequences that could be generated reflects the probabilistic outcomes of operator and plant interactions as modeled by ADS-IDAC modules. Predefined rules and dynamic parameters within ADS-IDAC govern the timing of these events. Scenarios are terminated when a set of predefined plant states are realized, when scenario probabilities drop below a pre-specified truncation limit, or when the simulation time limit is reached. In post-simulation analyses, the generated histories can be examined to identify the contributing factors. The scenarios typically include branch points corresponding to key plant hardware events and alarms, “cognitive events” related to situation assessments and recovery actions, execution of procedural steps, communications among the operators, and the operators’ actions on the plant.
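The D-DET bookkeeping described above (branching at discrete times, scenario probability as a product of branch probabilities, and the three termination rules) can be sketched as follows. This is an added Python example, not ADS-IDAC code; the toy plant state, the branch labels and the probabilities 0.7/0.3 are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Scenario:
    time: float        # simulation time reached by this sequence
    prob: float        # product of the branch probabilities taken so far
    state: dict        # constructed stand-in for plant and crew state
    history: list = field(default_factory=list)   # (time, label, p) per branch
    end_reason: str = ""


def expand_tree(initial, branch_rule, is_end_state, dt, t_max, truncation):
    """Depth-first generation of every terminated D-DET sequence."""
    finished, pending = [], [initial]
    while pending:
        s = pending.pop()
        # Termination rules in the order the text lists them.
        if is_end_state(s.state):
            s.end_reason = "end_state"
        elif s.prob < truncation:
            s.end_reason = "truncated"
        elif s.time >= t_max:
            s.end_reason = "time_limit"
        if s.end_reason:
            finished.append(s)
            continue
        # Branch point: one child per outcome, probability multiplies.
        for label, p, new_state in branch_rule(s.time, s.state):
            pending.append(Scenario(s.time + dt, s.prob * p, new_state,
                                    s.history + [(s.time, label, p)]))
    return finished


# Constructed toy model: a leak lowers a level by 3 units per time step
# until the operator isolates it (a "Human Action" branch point).
def toy_branch_rule(time, state):
    isolated = dict(state, isolated=True)
    delayed = dict(state, level=state["level"] - 3.0)
    return [("operator isolates leak", 0.7, isolated),
            ("operator delays", 0.3, delayed)]


def toy_end_state(state):
    # Predefined end states: leak isolated, or level exhausted.
    return state["isolated"] or state["level"] <= 0.0


def run_toy(truncation, t_max):
    start = Scenario(time=0.0, prob=1.0,
                     state={"isolated": False, "level": 10.0})
    return expand_tree(start, toy_branch_rule, toy_end_state,
                       dt=1.0, t_max=t_max, truncation=truncation)


def summarize(scenarios):
    """Total probability mass per termination reason."""
    totals = {}
    for s in scenarios:
        totals[s.end_reason] = totals.get(s.end_reason, 0.0) + s.prob
    return totals


if __name__ == "__main__":
    for s in sorted(run_toy(0.05, 10.0), key=lambda s: -s.prob):
        path = " -> ".join(label for _, label, _ in s.history)
        print(f"{s.prob:.4f}  {s.end_reason:10s}  {path}")
    print(summarize(run_toy(0.05, 10.0)))
```

Because truncated sequences are kept in the output rather than dropped, the probabilities of all terminated sequences still sum to one, which is a useful consistency check on any branching rule.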

Figure 2-3 Overview of modules of ADS-IDAC platform
[Diagram not reproduced. Labels recoverable from the figure: User, User Interface Module, Scheduler Module, Crew Module, Indicator Module, System Module, Component Failure Module.]

The ADS-IDAC platform contains six modules (Figure 2-3). The User Interface Module enables the user to edit the inputs such as system and operator initial conditions, and control the analysis parameters. The Scheduler Module implements the D-DET algorithms and produces risk scenarios. Operators, plant processes, and equipment states are represented, respectively, by the Crew Module (IDAC), the Indicator Module (the human-machine interface), the System Module (currently RELAP5, plus a model of plant control logic and hardware), and the Component Reliability Module. The Scheduler Module coordinates the interactions among these modules. ADS-IDAC has gone through an evolutionary process over the past 20 years with a number of software versions. These versions have some similarities as well as differences, both in capabilities and focus on different aspects of advanced HRA and dynamic PRA analysis. Recent additions to the ADS-IDAC simulation model have dramatically improved its ability to realistically represent operator knowledge, skills, and problem-solving styles.

Additionally, implementation of dynamic PSFs has reinforced the man-machine feedback loops and enhanced the capability to provide more context sensitive PSF information to the cognitive model of ADS-IDAC. Taken together, these factors improve the ability of ADS-IDAC to model dependencies among operator behaviors such as skipping steps, selection of problem-solving strategies, and information gathering. This research started with ADS-IDAC version 2.0, and the new developments added by this research are included in ADS-IDAC version 3.0.

3 Gap Analysis

This research started with ADS-IDAC version 2.0 (Kevin, 2009) and developed ADS-IDAC 3.0. In this Chapter we briefly summarize the main capabilities of ADS-IDAC 2.0 and identify the areas for enhancements.

3.1 Procedure and knowledge-based models in ADS-IDAC

3.1.1 Procedure model

Operators of nuclear power plants are trained to use, and are guided by, all sorts of procedures to operate the plant and manage accidents. Procedures are designed as action packages to deal with different situations. Each procedure has its objectives and functions, and there are specific conditions provided for procedure entrance and exit. For example, Emergency Operating Procedure (EOP) E-0 is entered after the reactor trips or safety injection is actuated. It guides the operator to verify the plant state and to diagnose possible accidents. It leads the operator to transfer to another appropriate procedure for the current situation when the transfer conditions are satisfied. Procedure usage is modeled in ADS-IDAC. The user could code the procedure steps and the logic linkages between the steps in the input file. It represents the real procedure structure with high fidelity. Using the same format as the formal procedure, the user could code the operator’s “mental procedures”. A mental procedure is a series of programmed actions, which represents the operator’s skill-based, rule-based or knowledge-based action package in response to a specific type of situation. Actuation of the mental procedures is triggered by knowledge-based diagnosis.
3.1.2 Knowledge-based behavior: mental belief and diagnose engine

Mental belief and diagnose engine are two key techniques used in ADS-IDAC 2.0 to simulate the operator’s knowledge-based behavior.

Mental Belief: “Mental beliefs represent discrete decisions or observations and serve as the basic decision-making building blocks in ADS-IDAC.” (Kevin A. Coyne 2008). A mental belief is a two-state memory unit—activated state or inactivated state. It represents the operator’s judgment of the situation. The activation conditions of each mental belief are provided by the user, using k/n logic. The percentage of the conditions satisfied at the present moment is compared with a user-specified threshold value. When it exceeds the threshold, the program activates this mental belief. There are five types of activation conditions:
• Expected parameter value
• Expected component state
• Expected alarm state
• Expected state of another mental belief
• Expected state of a procedure usage
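The k/n activation rule and the five condition types listed above can be sketched as follows. This is an added Python example, not ADS-IDAC code or its input format; the belief names, indicator names, values, thresholds and the linked step label are constructed, and representing an "expected parameter value" as a (low, high) range is an assumption.

```python
from dataclasses import dataclass


@dataclass
class Condition:
    kind: str         # "parameter", "component", "alarm", "belief", "procedure"
    name: str
    expected: object  # (low, high) range for parameters, else expected state


@dataclass
class MentalBelief:
    name: str
    conditions: list
    threshold: float         # fraction of conditions that must be exceeded
    linked_step: str = None  # hypothetical mental-procedure step label
    active: bool = False     # two-state memory unit


def condition_met(cond, plant, beliefs):
    if cond.kind == "parameter":
        low, high = cond.expected
        value = plant["parameters"].get(cond.name)
        return value is not None and low <= value <= high
    if cond.kind == "belief":
        return beliefs[cond.name].active == cond.expected
    table = {"component": "components", "alarm": "alarms",
             "procedure": "procedures"}[cond.kind]
    return plant[table].get(cond.name) == cond.expected


def update_beliefs(beliefs, plant):
    """Re-evaluate all beliefs until stable; return steps of active beliefs."""
    # A belief may be a condition of another belief, so one pass is not
    # enough; the pass count is bounded so cyclic definitions cannot loop.
    for _ in range(len(beliefs) + 1):
        changed = False
        for b in beliefs.values():
            met = sum(condition_met(c, plant, beliefs) for c in b.conditions)
            now_active = met / len(b.conditions) > b.threshold  # "exceeds"
            if now_active != b.active:
                b.active, changed = now_active, True
        if not changed:
            break
    return [b.linked_step for b in beliefs.values()
            if b.active and b.linked_step]


# Constructed sample snapshot of what the operator currently perceives.
SAMPLE_PLANT = {
    "parameters": {"SG_A_level": 62.0, "PZR_pressure": 2050.0},
    "components": {"MSIV_A": "open"},
    "alarms": {"SG_radiation_high": True},
    "procedures": {"E-0": "in_use"},
}


def build_beliefs():
    # The dependent belief is listed first on purpose, to show that the
    # result does not depend on the order of the definitions.
    return {
        "sgtr_suspected": MentalBelief(
            "sgtr_suspected",
            [Condition("belief", "secondary_radiation_present", True),
             Condition("parameter", "SG_A_level", (60.0, 100.0)),
             Condition("parameter", "PZR_pressure", (0.0, 2000.0)),
             Condition("procedure", "E-0", "in_use")],
            threshold=0.7, linked_step="MP-SGTR/step-1"),
        "secondary_radiation_present": MentalBelief(
            "secondary_radiation_present",
            [Condition("alarm", "SG_radiation_high", True)],
            threshold=0.5),
    }


if __name__ == "__main__":
    beliefs = build_beliefs()
    print(update_beliefs(beliefs, SAMPLE_PLANT))
    print({name: b.active for name, b in beliefs.items()})
```

With the sample snapshot, three of the four conditions of the second-level belief hold (0.75 exceeds 0.7), so it activates even though one expected parameter value is not observed, which is the tolerance that k/n logic gives the pattern match.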

Since one mental belief could be the condition of another mental belief, this provides the user with a flexible way of constructing complex logic combinations of mental beliefs. This activation mechanism of mental belief mimics a pattern matching process. The user could also link one mental belief with a mental procedure step. Activation of the mental belief will lead the operator to enter this mental procedure step. In a simulation, the operator could follow a mental procedure in parallel with following a written (formal) procedure.

Diagnosis Engine: The diagnosis engine uses a fuzzy-logic process to mimic the operator’s heuristic reasoning (Kevin A. Coyne 2008). The operator’s knowledge is represented in a symptom-event membership matrix, in which the user specifies the likelihood that a symptom would be observed given the occurrence of an event. The diagnosis engine evaluates the likelihood of plant events given a set of observed symptoms. Each symptom is a mental belief. “The event confidence level is represented by two probability values: a lower bound estimate and an upper bound estimate.”

3.2 Simulation of operator information perception paths

Several information perception paths are available in ADS-IDAC 2.0:
• Passive information path. All alarm information is perceived and processed by operators.
• Active information path. The operator can read indicator information required in a procedure step in use.
• Scan queue. The operator repeatedly monitors indicators listed in a “scan queue”. The initial list is determined by the user as an input file. During the simulation, more could be added to the list from specific procedure step actions. The length of the scan queue is limited, so it is truncated based on indicators’ relevancy to the current situation.

A major shortcoming of the information perception module is the lack of a path for actively gathering information driven by the knowledge-based reasoning, which is an important attention control mechanism. Another shortcoming is the lack of an “information throttle” for the alarm information, which might be overwhelming to the operators if too many alarms activate in a short period of time. A third shortcoming is that the scan queue technique makes the IDAC model take in a batch of indicator information at one time; a more realistic approach is to let IDAC monitor different indicators at separate points in time.

3.3 Simulation of operators’ reasoning, decision-making, and operator actions

In ADS-IDAC 2.0 two pattern-matching technologies are used, (a) mental belief and (b) fuzzy symptom-event matrix diagnosis, as introduced in Section 3.1.2. Operator actions on the plant are realized by procedure step execution. Mental belief and the symptom-event matrix are used to trigger use of a relevant procedure and to enter various procedure steps. These two technologies are used for simulating operators’ heuristic reasoning. However, several important features are missing and we will discuss them in Section 3.5.

3.4 Branching capabilities for capturing crew-to-crew variance

During a simulation, ADS-IDAC generates branches at branching points. In version 2.0, the following branching rules are used to generate different sequences in one simulation:
• Time delay branches for executing procedure step.
• Branches with different control values for control actions.
• Branches for memory information use in procedure steps: (a) use old reading values of indicators from memory; or (b) read a new value.
• Strategy branches: whether or not formal procedure is used.
• Branches about mental belief activation.
• Branches for system failures.

Figure 3-1 Brief summary of ADS-IDAC 2.0 capabilities

3.5 The need for more deliberative reasoning process

In ADS-IDAC 2.0, both the mental belief and the diagnosis engine represent an effortless pattern matching process, which generates the conclusion (event confidence level, mental belief confidence level) based on the operators’ observation of symptom presence or absence. They are capable of mimicking the operators’ one-step short cut heuristic reasoning. However, the current knowledge-based reasoning in ADS-IDAC 2.0 shows several limitations.
• Missing loop—no feedback to the information perception stage. The mental beliefs and the diagnosis engine do not guide the operator to acquire more relevant information from the control panel.
• Limitation on capturing longer, multi-step reasoning chains. Although the mental beliefs are programmable and that gives the user the flexibility to build a multilayer reasoning path, the user needs to explicitly design the reasoning path and write it down in input files. A more desirable model is to predict and generate the reasoning path during a simulation, instead of requiring the user to design the reasoning path.
• Restricted memory information. In the implemented human model several types of situational information are stored in the memory: (1) reading values of the indicators, which are in the raw form of perceived information from the control panel; (2) activation states of mental beliefs and (3) confidence levels of event diagnosis, which are the products of the reasoning process. However, the total amount of type (2) and (3) memory items is determined by the number of mental beliefs and events specified in ADS-IDAC input files. The memory information represents snapshots of the operator’s diagnosis. This is not enough to tell a complete story, to represent the operator’s situation awareness (including the intermediate products of the reasoning process), and to capture the dependencies of the operator’s cognitive activities at different times.

3.6 Cognitive Architectures

In this section, we discuss a general architecture of cognitive simulation models, capabilities and components. Langley has given an excellent description of cognitive architecture, which provides a basis for our discussion. “A cognitive architecture specifies the underlying infrastructure for an intelligent system” (Langley, Laird et al. 2009). A typical cognitive architecture usually contains the following elements: Memory (short-term or long-term), representations of the information contained in memory (it is the format for representing the information, not the information content itself), and cognitive processes that utilize the information to arrive at a conclusion. Langley offers a good analogy to compare cognitive architecture to building architecture—“architecture consists of permanent features like its foundation, roof, and rooms, rather than its furniture and appliances, which one can move or replace”. Langley has also summarized some general capabilities of cognitive architectures. We will compare each of them against the needs of the ADS-IDAC simulation model.
• Recognition and categorization. When an intelligent system communicates with the environment, it needs to translate perceived information into a format that it can understand and utilize. In ADS-IDAC, the possible communication channels are control panel-to-operator, and operator-to-operator. Control panel-to-operator communication is in the scope of this research.¹ Categorization of the control panel information is simple. There are three types of information communicated between control panel and operator: Reading of parameter, component state, and alarm state. ADS-IDAC needs a quantitative interpretation process to translate the perceived raw data into plant dynamics (e.g. parameter trends, system actions).
• Perception. Since a cognitive architecture communicates with its environment, it needs to “confront the issue of ‘attention’, that is, deciding how to allocate and direct its limited perceptual resources to detect relevant information in a complex environment” (Langley, Laird et al. 2009). As discussed in Section 3.5, the top-down attention control based on knowledge reasoning is missing in ADS-IDAC 2.0 and needs to be constructed, with the support of reasoning functions.
• Reasoning and belief maintenance. The system should be able to generate situation judgments or diagnosis based on the integration of the perceived raw information and the knowledge base. Reasoning and sense-making are key functions to achieve this. As indicated in Section 3.5, the knowledge-based reasoning should be able to generate more complex reasoning chains, in addition to pattern matching which is a one-step process, and to provide feedback to the information perception loop and guide the operator’s attention to acquire more relevant information from the control panel, with the support of enhanced modeling of memory and representation.
• Problem-solving and planning. Operators are equipped with extensive procedures for different functions and purposes. The procedures are like pre-designed action packages, so the requirement for planning is largely weakened in the simulation. The focus of the planning shifts to identifying the right procedure (action packages) to use from impromptu planning.
• Decision-making and choice. Some general decision-making points are identified and embedded in the ADS-IDAC program. With future development, more relevant decision-making points will be added into the program (e.g. procedure compliance when the procedure guidance is inconsistent with the operator’s subjective situation assessment).
• Execution and action. This function is available in the current ADS-IDAC. The human model sends action orders to the control panel, and the control panel conveys them to the plant model.
• Remembering, reflection and learning. Remembering refers to the “ability to encode and store the results of cognitive processing in memory and to retrieve or access them later”. In ADS-IDAC, several information types should be stored and indexed in the memory: Direct observations from the control panel, inferences from the direct observations, operator’s decisions, plans, and actions. “The resulting content is often referred to as episodic memories”. Reflection is the ability “to access to traces of cognitive activity”. In ADS-IDAC, the intelligence agent (operator) needs to be able to reflect the cognitive reasoning traces for the justification and explanation of the inferences, decisions and plans. Learning refers to the ability to generate new knowledge or modify the existing knowledge during the simulation. The primary goal of ADS-IDAC is to predict human errors in the phase when the operator applies his/her learned knowledge, so learning is currently not within our research scope.

¹ Operator-to-operator communication is out of this research scope.

Regarding all the features discussed above, several key capabilities that ADS-IDAC needs to develop or enhance with high priority are: Perception guided by the attention mechanism, memory structure, deliberative reasoning, identification of more general decision-making points, and knowledge-based problem-solving.

4 Architecture of Reasoning Module

4.1 Overview of the reasoning module

In a nuclear power plant accident condition, forming an accurate situation assessment and diagnosis is the basis for making good decisions and planning proper actions. The underpinning processes for operators’ situation assessment are: 1) Perceiving information from the control panel and following the system dynamics or transients; 2) Using one’s knowledge or experience to make sense of the perceived information and to explain the observed phenomena; 3) Projecting the future status of the system. This is consistent with Endsley’s model of situation awareness. It should be emphasized that explaining is a key process that integrates the observed information and one’s knowledge and experience to form an understanding of the plant in one’s mental model. Trying to explain the observed phenomena builds the interrelations of all the observations. It helps the operator to trace the symptoms back to the root causes and to form a diagnosis. In addition, it feeds back to the information perceiving process and guides the operator to actively fetch the information needed. The ADS-IDAC simulation environment utilizes the thermal-hydraulic model and control panel model to provide rich contextual information to the operator model. A reasoning module is added to the IDAC model in this research. During a simulation, the reasoning module guides an operator’s attention to selectively get information from the control panel. Three types of external information are provided to the operator model: plant parameter values, component states, and alarms. Alarm activities (actuation and clear) are “passive information” that draws operators’ attention automatically, while other information requires operators’ initiative to pay attention.

Figure 4-1, Abstracted information process diagram (diagram labels: Information perceiving, Interpretation, Attention, Investigation, Explaining)

For each piece of perceived control panel information, a generic information process flow is used in the reasoning module: perception-interpretation-explanation-investigation, as shown in Figure 4-1.

Figure 4-2 Illustration of the interpretation function in the reasoning module

During a simulation, the interpretation component matches the perceived information with the existing ontology concepts in the operator’s mental model, and translates it into a representation that could be utilized for reasoning, computing, and storing information to the memory. An analogy example is provided in Figure 4-2. Explanation and investigation utilize the available information in the working memory and knowledge base to explain the perceived information. Investigation can also feed back to the perception component and actively gather more information from control panels to support the investigation.

Not all pieces of perceived information necessarily go through every component in Figure 4-2 for several reasons. The information may already be consistent with one’s expectation and require no more investigation; a high volume of passive information causes some to be filtered out before future processing; or the attention is shifted to other information of higher interest while the information decays away from the working memory before it gets attended to again.

If a piece of perceived information needs further investigation, a new investigation item (footnote 2) is generated. One investigation item could lead to the generation of another investigation item in order to verify whether a hypothetical cause has occurred or not. An investigation thought thread consists of a set of investigation items linked by causal or inference relations. The reasoning module employs a thought thread pool to retain and organize all investigation items.

Footnote 2: An investigation item is the building block of reasoning thought lines. An investigation item corresponds to a specific plant phenomenon. Each item has two objectives: 1) examine whether a specified phenomenon has happened or not in a specified time range; 2) investigate the causes of this phenomenon.

Linking investigation items forms the operator’s thought trains. Two or more investigation items might exist in the working memory at the same time; only one item is processed at a time due to cognitive resources limitations. A prioritizing mechanism is designed to prioritize and select one item from the pool to work on. The unattended items decay with time and might be forgotten and moved out from the thought thread pool. This thought thread management system can predict several types of human errors like delay in conducting a task, failure to detect key system dynamic transients, inadequate information use, and tasks getting interrupted and forgotten.

Figure 4-3 Example of thought threads pool

In Endsley’s conceptual model, situation awareness is discussed at three levels: Level 1, perception of elements in current situation; Level 2, comprehension of current situation; Level 3, projection of future status (Endsley 1995). The reasoning module currently deals with the operators’ cognitive processes in Levels 1 and 2. The interpretation function abstracts meaning from the perceived raw information (parameter value, component state, alarm state) and generates semantic statements describing the situation, which corresponds to Level 1. Those statements regarding the plant dynamics are further processed in the investigation/explanation function. The program uses the knowledge base and actively fetches more information from control panels to explain the observed plant dynamics, and this corresponds to Level 2. The outputs of this reasoning module are an operator’s view of the plant state, explanations of the system dynamics, and accident diagnosis. They serve as input for the operator’s decision-making, e.g., deciding which operating procedure to use for the current situation. They also serve as important input for predicting the plant’s future states (Level 3).

The reasoning module simulates an “abductive reasoning” process (footnote 3): the operator uses the mental model (knowledge base) to account for the observed plant dynamics and to form explanations. It is an effortful conscious process, in contrast to a pattern matching process. The pace of events in a power plant control room is often different from the pace of activities in other situations, such as combat or sports, that require instant response. Thus it allows the operator to conduct more deliberative reasoning to a larger extent.

Footnote 3: Abductive reasoning is a form of logical inference that goes from data description of something to a hypothesis that accounts for the data.

The reasoning process is driven in part by the attention

Operators in the control room are surrounded by a large number of sensory stimuli, visual or auditory, which include hundreds of indicators on the control panel, noises, verbal communications among crew members, sounds of annunciators and alarms, etc. Crucial questions that direct operators’ cognitive activities include: what information to be attended to, and what sub-task to work on at a given moment. Attention directs one’s limited cognitive resources and allows selective processing of the information and cognitive sub-tasks. A review of the Human Event Repository and Analysis (HERA) data found that “simultaneous tasks with high attention demands” contributed to 30/145 human errors, and “information present but not adequately used” applied to 27/145 human errors. A closer look at those human errors reveals that many errors trace back to one common cause: the operator does not attend to the proper cue that points to the problem or does not attend to the sub-task that could have avoided further complications. Some examples are provided in Table 4-1 (footnote 4).

Table 4-1 Human errors from HERA data

| Human Error | Cause/Distraction |
|---|---|
| Operator failed to recognize that reactor power was still decreasing due to the delayed effect of a boron addition. | The operator left his post to go to the electrical distribution panel to perform bus transfers |
| Operator failed to diagnose the cause of the pressurizer level decrease while the indicator was available. | The operator was busy with initiating a RCS cool-down. |
| Operator failed to monitor the system response of faster rate of pulling the control rod. | The operator only monitored reactor coolant average temperature, but not the power. Distractions: communications with Unit 2 and operators in the intake structure, the reactor operator was also assigned to keep the control room log. |
| Operators were late to cool torus, as required | The operators were focusing on restoring the condenser as the main heat sink. |

Footnote 4: Information source: U.S. Nuclear Regulatory Commission. (2008). Human Event Repository and Analysis (HERA) Database. Washington DC.

As human cognitive resources are not limitless, an operator could only attend to a certain amount of information and sub-tasks. This is manifested in three macro levels: 1) selectively gathering information from the control panel; 2) selectively activating and using one’s knowledge in the long term memory; 3) selectively processing the perceived information. These three types of selectivity direct the course of human’s activities, and play a crucial role in human error productions. The direction of this research was in part inspired by this finding.

What drives and directs the operators’ attention? Salient features of the stimuli (loudness, brightness, flashing, striking color, etc.) draw one’s attention automatically and passively. An obvious example is alarms and annunciators in the control room. More importantly, attention is also driven by the operator’s present mental state, knowledge, and experience, in an active control fashion. Human errors are often generated when a key piece of information is not properly attended to.

We aimed to capture the human errors due to misdirected attention and limited capability for multitasking, which was missing in earlier versions of the IDAC model and ADS-IDAC simulation platform. To achieve this, a knowledge-based reasoning function is essential to direct the operator’s attention to the selected external information, memory information, and thought thread. A reasoning module is added to the individual cognitive information flow of IDAC model, providing a knowledge-based reasoning function, a thought thread management system, and cognitive thread prioritization function in the situation awareness phase.

Figure 4-4 Enhanced ADS-IDAC operator cognitive flow model with reasoning module

As shown in Figure 4-4, the reasoning module takes inputs from the perceived information, including all actively gathered information and passive alarm information. The reasoning module processes the perceived information through interactions with the operator’s knowledge base. It generates the operator’s situation assessment elements: (1) statements of direct observations, (2) statements inferred during the reasoning process, and (3) accident diagnosis confidence. The generated situation assessment forms part of operator’s “mental state” and is used to support the operator’s decision-making and problem-solving module. The reasoning process also actively feeds back to the information perception process in order to gather more relevant information from the external world. This is a way to simulate the operator’s top-down attention control mechanism.

Although this reasoning module is built for an individual operator, the framework and structure applies to each operator of the three types of operators in the IDAC crew model. The output of individual’s situation awareness provides input for the team situation awareness.

4.2 Memory and representation

This section discusses the underlying structure of the reasoning. It supports the interpretation, explaining/investigation and information perception functions in the information-processing module of IDAC. The cognitive architecture, while capable of utilizing and integrating many relevant psychological findings, is designed in such a way as to make it easy to construct case-specific input models. The key elements of this cognitive architecture are: (1) memory structure, (2) representation of information contained in the memory, (3) functions that utilize the memory and representation contents.
4.2.1 Memory layout

In the reasoning module, the operator memory layout is shown in Figure 4-5. A semantic base is the foundation of the memory information, which stores the semantic elements used for the knowledge base construction and the mental representation of plant conditions. The semantic base and the knowledge base are provided by the user as input files. The contents will not change during simulation (modeling adaptive learning is not in the scope of this model). Each unit of the semantic base has an activation level that is dynamically computed and updated in ADS-IDAC simulation. We do not distinguish between long-term memory and short-term memory by the storage separation but by using the activation level to infer whether the content is in short-term memory or not.

Figure 4-5 Memory Structure of the proposed Reasoning Module

The knowledge base has a “knowledge web” whose nodes are composed of semantic sentences from the semantic base, and “accident event schemas” which index accident related knowledge in the knowledge web. The mental representation and part of the thought thread pool constitute the operator’s working memory. As mentioned in the previous section, the thought thread pool is a place to store and manage cognitive thought items. The mental representation is a structural memory that contains all of the perceived or inferred situational information. The reasoning function has access to all the memory components. A detailed description of each component is provided in the following sections.
4.2.2 Semantic representation

Operators’ knowledge of plant systems and their memory of the plant situation are represented in a semantic way. Both of them link to a semantic base, which contains all the semantic elements. There are three types of semantic elements, as described below:

• A basic concept unit is the smallest semantic unit in the representation. It uses English words to present concepts of object, attributive, process, relationship etc. Examples are “temperature”, “pressure”, “steam-generator”, “reactor coolant system”, “increase”, “on”, “off”.
• A composite concept unit, as the name suggests, is composed of some basic concept units or other composite concept units. A composite concept has one core component concept unit and one or more defining concept units. For example, “pressurizer_pressure” has “pressure” as the core concept unit and “pressurizer” as the defining concept unit.
• A semantic sentence is composed of several concept units, which describe plant states or situational phenomena. Examples are “pressurizer_pressure” + “increase”, “TDAFWP” + “on”, “secondary_load” + “bigger” + “nuclear_power”.

An example is depicted in Figure 4-6. It shows the decomposition of a semantic sentence describing a plant phenomenon: pressure of SG-A decreases.

Figure 4-6 Semantic Representation Example
4.2.3 Knowledge base web

In the reasoning module, operator knowledge is organized in a knowledge web and accident event schemas. The knowledge web is constructed with two types of information, as described below:

• A knowledge element contains one semantic sentence with a negation logic flag. A knowledge node is a combination of one or more knowledge elements by an “AND” or “OR” gate, and represents a node in the knowledge web.
• A knowledge link unit connects two knowledge nodes by their inference/causal relationship. The connections among knowledge nodes form the knowledge web. Additionally the knowledge link unit provides the inference/causal type and strengths of the linkage between two nodes (a forward strength, a backward strength, and a familiarity strength). Linkage strengths are used in the memory retrieval process. It also gives the temporal information regarding the time delay between the upstream and downstream phenomena. For example, “SG_A_level_increase” could be observed immediately after a SGTR occurrence. In contrast, there is a longer delay to observe the level difference between SGs. These could be denoted in knowledge link units.

Figure 4-7 Knowledge base web example

Figure 4-7 shows an example of a knowledge web. In the knowledge web, each node corresponds to a plant phenomenon that is described by a semantic sentence. The interactions among different plant phenomena are represented by the causal/inference knowledge links in this web. Figure 4-8 displays a typical structure of a knowledge link. The parameter forward strength means how likely an operator would consider this causal/inference relationship, given the cause phenomenon as cue. The parameter backward strength means how likely an operator would consider this causal/inference relationship, given the effect phenomenon as cue. These input knowledge parameters could be coded based on knowledge of domain experts (e.g. plant operators), operator training and other design documents.

During the simulation, when the operator tries to explain an observed phenomenon, the program refers to the related causal links in the knowledge web, which contain the observed phenomenon as an effect of other phenomena. Together with the semantic activation level of each possible cause, the backward strength determines the operator’s investigation order of the possible causes. Higher backward strength and higher semantic activation level mean higher chance of being investigated first.

Figure 4-8 A Knowledge link structure (diagram labels: Condition phenomenon, Cause phenomenon, Forward strength, Backward strength, Effect phenomenon)

The occurrence of some plant phenomena could be directly verified from control panel indicators, e.g. the reactor coolant temperature trends (increase / decrease / stable) can be observed from several indicators. The occurrence of some phenomena cannot be directly verified from control panel indicators, thus they are uncertain. Many accident root causes are uncertain phenomena, e.g. “main steam line break”.

Operators’ diagnosis consists of two processes: identifying possible accidents and forming a diagnosis confidence level of each suspected accident. These two processes are modelled in the reasoning module by applying relevant causal paths in the knowledge web to the present situation to find one or more explanations of operator’s observations. During the reasoning, the operator’s thought train starts with some observed phenomena and traces backward to their possible causes. For the knowledge links that contain uncertain phenomena as causes, the backward strength also contains information about the operator’s prior judgment of the occurrence frequency of an uncertain cause given the occurrence of its effect phenomenon. If an effect phenomenon has more than one uncertain cause, the backward strengths are used as operators’ prior judgments to calculate the operator’s confidence level of each causal path during the simulation.

Figure 4-9 gives an illustrative example in which an effect phenomenon has multiple possible causes. It has two possible uncertain causes. We define that event n means the effect phenomenon is caused by possible cause n. If backward strength 2 equals twice backward strength 3, it means that, in the operator’s prior knowledge, given that the effect phenomenon is observed, the probability of event 2 is twice the probability of event 3.

Figure 4-9 Knowledge link examples (diagram labels: Possible cause 1; Possible cause 2 (uncertain); Possible cause 3 (uncertain); Backward strength 2; Effect phenomenon)

A procedure is proposed to elicit a domain expert’s knowledge of a given plant phenomenon through a survey:

Step 1: elicit information from a domain expert

Question 1: Given that a phenomenon X is observed, what possible causes of this phenomenon can you think of? (There should be no time limit for answering this question; stop when the operator feels he cannot think of any more.) Pseudo answers: cause 1, cause 2, … cause 3.

Question 2: Could you rank these causes in the order of time when they come into your mind? And assess the easiness to recall each possible cause as guided by the description in Table 4-2, ranging between 0 and 1.

Table 4-2 Knowledge retrieval easiness assessment reference

| Score 1: Easiness to recall | Description |
|---|---|
| 0.8-1.0 | The operator could easily recall this cause and the operator recalls it very fast. |
| 0.5-0.8 | It is easy to recall this cause and the operator recalls it fast. |
| 0.1-0.4 | The operator could recall this cause well but it takes a bit longer time to come to mind. |
| 0-0.1 | It takes moderate or a lot of effort for the operator to recall this cause. |

Question 3: Please use your experience and knowledge to assess the occurrence frequency of each possible cause given the occurrence of the effect phenomenon. When the phenomenon X happens, how likely is it caused by each possible cause that you have identified? In other words, given the fact that phenomenon X is happening, what is the frequency that it is due to cause 1, the frequency that it is due to cause 2, … and cause n?

Table 4-3 Prior probability assessment reference

| Score 2: Prior frequency of a possible cause | Description |
|---|---|
| 0.8-1.0 | In most situations, phenomenon X is due to this cause. |
| 0.5-0.8 | It is common that the phenomenon X is due to this cause. |
| 0.1-0.4 | It is not common, but still relatively frequent. |
| 0-0.1 | It is rare that phenomenon X is due to this cause. |

Question 4: For each possible cause, how familiar are you with its causal relationship? Please assess a familiarity level (ranging between 0 and 1) as guided by Table 4-4.

Table 4-4 Familiarity assessment reference

| Score 3: Familiarity | Description |
|---|---|
| 0.8-1.0 | High level of familiarity. |
| 0.5-0.8 | Moderate level of familiarity. |
| 0.1-0.4 | Low level of familiarity. |
| 0-0.1 | Unfamiliar with this cause. |

Step 2: convert the elicitation to knowledge web coding

After finishing these three questions in the survey, we can get the possible causes of a given phenomenon and three scores for each possible cause: score 1 (easiness to recall), score 2 (prior frequency) and score 3 (familiarity level). A knowledge link should be coded for each possible cause accordingly. Score 3 (familiarity level) is used as the input parameter familiarity strength in a knowledge link. This parameter affects the accessibility of the knowledge link in a random knowledge bug generator during the simulation (footnote 5).

Backward strength is calculated by a weighted average of Score 1 (easiness to recall) and Score 2 (prior frequency), as shown in Equation 4-1. $\alpha$ is the weighting factor for easiness to recall and $(1-\alpha)$ is the weighting factor for prior frequency.

$$\text{Backward strength} = \alpha \cdot \text{Score 1} + (1 - \alpha) \cdot \text{Score 2}$$

Equation 4-1

During a simulation, the input parameter backward strength is used for affecting the order of investigating the possible causes (e.g. which possible cause is investigated first) and for assessing the operator’s judgment regarding the likelihood of the uncertain causes.

Footnote 5: More detail available in Section 6.2.3.

Studies show that people rely on a set of heuristic rules for assessing probability of uncertain events’ occurrence (Kahneman, 1975). One of the rules is availability heuristic. People’s subjective assessment of frequency of an event is affected by the ease with which instances or occurrences can be brought to mind. In other words, it is affected by the retrievability of instances. Familiarity and salience of instances play influential roles in the retrieval process. The easier to retrieve instances, the higher probability one might get from subjective assessment.

In the reasoning module, we model this availability heuristic in the process of retrieving knowledge for explaining the operator’s observations and the process of calculating operators’ subjective assessment of probabilities. The availability heuristic is reflected in the input parameter backward strength. This parameter is a weighted mixture of easiness to recall and prior frequency. A higher weighting factor $\alpha$ means stronger influence on the probability assessment by the knowledge retrievability, and thus renders a stronger availability heuristic bias. The user could adjust the weighting factor $\alpha$ to simulate different levels of heuristic bias.
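The effect of the weighting factor can be seen by coding Step 2 directly. The following Python sketch is an added example, not code from the dissertation or from ADS-IDAC: the function names, the parameter name `alpha` for the weighting factor, the survey scores, and the normalization of backward strengths into prior confidences are assumptions made for illustration (the normalization preserves the ratio property described for Figure 4-9), and the semantic activation level is left out of the ordering.

```python
"""Added illustration of Equation 4-1 and the availability heuristic bias."""

# Constructed survey answers for one observed effect phenomenon.
# Cause names appear in the text; every score is invented for illustration.
ELICITED = {
    "SGTR": {"easiness": 0.9, "prior_frequency": 0.2, "familiarity": 0.9},
    "LOCA": {"easiness": 0.5, "prior_frequency": 0.5, "familiarity": 0.7},
    "MSLB": {"easiness": 0.3, "prior_frequency": 0.3, "familiarity": 0.6},
}


def backward_strength(easiness, prior_frequency, alpha):
    """Equation 4-1: weighted average of Score 1 and Score 2."""
    for value in (easiness, prior_frequency, alpha):
        if not 0.0 <= value <= 1.0:
            raise ValueError("scores and weighting factor must lie in [0, 1]")
    return alpha * easiness + (1.0 - alpha) * prior_frequency


def code_links(elicited, alpha):
    """Step 2: code one knowledge link per possible cause."""
    return {
        cause: {
            "backward_strength": backward_strength(
                scores["easiness"], scores["prior_frequency"], alpha),
            # Score 3 is carried over unchanged as the familiarity strength.
            "familiarity_strength": scores["familiarity"],
        }
        for cause, scores in elicited.items()
    }


def investigation_order(links):
    """Causes sorted by backward strength, strongest first.

    Assumption: the semantic activation level, which the model also
    uses for ordering, is ignored here.
    """
    return sorted(links, key=lambda c: links[c]["backward_strength"],
                  reverse=True)


def prior_confidence(links):
    """Normalize backward strengths into prior confidences (assumed rule).

    Keeps the property that a link with twice the backward strength of
    another gets twice the prior probability.
    """
    total = sum(link["backward_strength"] for link in links.values())
    if total <= 0.0:
        raise ValueError("at least one backward strength must be positive")
    return {c: link["backward_strength"] / total for c, link in links.items()}


def availability_bias(elicited, alpha):
    """Shift in prior confidence relative to alpha = 0 (pure prior frequency)."""
    biased = prior_confidence(code_links(elicited, alpha))
    unbiased = prior_confidence(code_links(elicited, 0.0))
    return {cause: biased[cause] - unbiased[cause] for cause in elicited}


if __name__ == "__main__":
    for alpha in (0.0, 0.5, 1.0):
        links = code_links(ELICITED, alpha)
        print("alpha =", alpha)
        print("  investigation order:", investigation_order(links))
        print("  prior confidence:   ", prior_confidence(links))
    print("bias at alpha = 0.5:", availability_bias(ELICITED, 0.5))
```

With these constructed scores, the easily recalled but infrequent cause moves from last to first in the investigation order as the weighting factor rises from 0 to 0.5, which is the availability heuristic bias the parameter is meant to simulate.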

In this section, we introduced a guidance to elicit information from experts to calculate the backward strength of knowledge link. A similar procedure is used to calculate the forward strength based on two scores: score 1, the easiness to recall an effect phenomenon, given a cause phenomenon as retrieval cue; score 2, the frequency that an effect phenomenon would occur, given the occurrence of a cause phenomenon.

Knowledge web is suitable for representing the basic interactions between plant dynamics, which are applicable across different accident types. Thus it enables the reuse of the constructed knowledge pieces. Table 5-2 shows a partial list of some PWR plant systems that have dynamic changes observed in different accidents. We can see a lot of overlaps across different accidents. The knowledge links that represent the generic plant dynamic interactions could be reused across different accident simulations. This makes the effort of coding simulation input case quite traceable and under control.

Table 4-5 Knowledge base applicability across different accident types

Key System\Initiating Event Rod control system Pressurizer RCS pump CVCS system Emergency Core Cooling System Steam Generator Main Steam Line Steam Dump System Condenser System Feed Water System Aux feed water system Turbine System Component Cooling System Service Water System Condenser Circulating Water System Rod drop x x LOCA x x x x SGTR x x x x x x x x x x MSLB x x x x x x x x x x x x x x x x x x x x x Loss of Main Feed x x x Loss of offsite power x x x x

4.2.4 Mental representation of the situation

The mental representation is the model of the operator’s mental picture of the plant. It provides two functions for the reasoning module: (1) storing situational information. The temporal attributives of each piece of information are also recorded, which provide reference for memory decay computation and time-based reasoning; (2) supporting the information interpretation function by matching the perceived raw information to existing ontology concepts in the semantic base, translating it, and providing necessary ingredients for cognitive reasoning.

Figure 4-10 Mental representation example

The mental representation contains two types of elements:

• A situational statement is a basic memory unit of the plant situation. It is composed of a semantic sentence, a truth flag, and the effective time range of the described phenomenon.
• A control panel item retains the following information: a link that bridges an indicator with its corresponding ontology concept in the semantic base; a recent reading value and the time of reading; and the past readings in history. Together with situational statements, they form the operator’s episodic memory (view of the situation).

4.2.5 Accident event schema

Accident Event Schema is another type of knowledge in the knowledge base, in addition to the knowledge web. It has a specific knowledge structure that represents a pattern of an accident. It points to the accident-related knowledge links in the knowledge web and highlights the patterns of how an accident causally gives rise to one or more observable symptoms. It provides the operator with a more organized and convenient way to index or retrieve the knowledge related to the accident. This is used to model the experts’ way of managing knowledge and chunking information.

Figure 4-11 Example: A schema highlights paths between an accident and symptoms

Figure 4-11 shows an example of an accident event schema, SGTR-A. This example only shows part of a knowledge web. The paths highlighted in yellow are the relevant knowledge of the “SGTR-A” accident.

The abstracted pattern is shown in Figure 4-12. Without this accident event schema, the relevant accident knowledge pieces are scattered in the knowledge web, in the background noise of other knowledge pieces. With the accident event schema, the relevant knowledge pieces could be accessed more efficiently.

Figure 4-12 Example: accident schema of SGTR-A

In the simulation, when an operator observes a symptom that might be caused by a type of accident, and he makes this causal connection between the symptom and the accident for the first time, the corresponding accident event schema is activated and an investigation of that accident is initiated in the simulation. Once the accident diagnosis confidence level is above a threshold value, accident investigation is activated in the operator’s mind and he will then actively check other possible symptoms to confirm or disconfirm the diagnosis.
4.2.6 An example of building a knowledge base

This section provides an example of building knowledge base for a simulation case. As introduced in earlier sections of this chapter, a semantic representation is proposed to represent memory contents. Operator’s understanding of a plant is represented by causal/inference links of plant phenomena in a knowledge web. Plant phenomena are represented by semantic sentences, e.g. reactor power increase. Each semantic sentence is composed of several semantic elements, namely semantic concept units. Hence, semantic concept units should be built first as basic building blocks.

Step 1: identify relevant power plant systems, components, parameters and alarms to include into knowledge base. Table 4-6 lists power plant systems, components and indicators we coded in an input model.

Table 4-6 Systems, components, and indicators included in the knowledge base

Systems and their parameter/component indicators:

• Steam generator A (same for SG-B and SG-C): SG-A wide range level; SG-A narrow range level; SG-A pressure; SG-A feed water flow; SG-A steam flow; SG-A PORV state
• Main steam line: MSIV-A, MSIV-B, MSIV-C
• Feed water system: Main feed water flow; Auxiliary feed water flow; Turbine driven auxiliary feed water pump; Motor driven auxiliary feed water pump; Main feed water pump 1; Main feed water pump 2; SG-A main feed water regulation valve; Motor driven auxiliary feed-SG-A valve; Turbine driven auxiliary feed-SG-A valve; Steam dump position
• Condenser: Air ejector radiation level
• Reactor Coolant system: Pressurizer pressure; Pressurizer level; Pressurizer proportional heater; Pressurizer backup heater; Pressurizer spray 1; Pressurizer spray 2; Pressurizer PORV; Tave (average coolant temperature); Tave minus Tref; Charging flow; Safety injection indicator
• Reactor power: Reactor core power; Reactor trip indicator
• Other: Turbine trip indicator; Containment pressure

Alarm indicators:

• SG-A level high-high alarm; SG-A level high alarm; SG-A level low alarm; SG-A level low-low alarm; SG-A pressure low alarm; Low-low SG level reactor trip alarm; Low SG pressure reactor trip alarm; Low SG pressure safety injection alarm; Main steam isolation alarm; Main steam main feed mismatch reactor trip alarm; Main feed water pump trip alarm; Main feed water pump 1 trip alarm; Main feed water pump 2 trip alarm; Turbine driven auxiliary feed water pump auto start alarm; Motor driven auxiliary feed water pump auto start alarm
• Air ejector radiation alarm; Pressurizer level low alarm; Tave low deviation alarm; Safety injection alarm; Low pressurizer pressure reactor trip alarm; Low pressurizer pressure safety injection alarm
• Control rods move out alarm; Control rods move in alarm; Reactor trip alarm; Over power delta T reactor trip alarm; Over temperature delta T reactor trip alarm; High power trip alarm; Turbine runback alarm

Step 2: Create a concept unit for each parameter, component, and alarm, and decompose the concept unit as needed; link indicator concept units with corresponding indicator IDs in the RELAP model respectively. We provide three examples in this step: a parameter indicator, a component indicator and an alarm indicator.

Parameter example: SG-A pressure. A composed concept unit “SG_A_pres” is created for this parameter. It is decomposed into two member concept units: “pressure” as the core member, “SG_A” as the defining member. “SG_A” is further decomposed into two: “Steam Generator” as the core member, and “loop_A” as the defining member. “loop_A” is further decomposed into two: “loop” as the core concept and “A” as the defining member. Concept unit “SG_A_pres” is linked to two control panel indicator IDs: one, “SG_A_Pressure”, indicates the pressure and the other, “RATE_SG_A_Pressure”, indicates its changing rate.

Component example: turbine driven auxiliary feed water pump. A composed concept unit “TDAFWP” is created. It is decomposed into two member concept units: “AFWP” as the core member, and “turbine_driven” as the defining member. “AFWP” is further decomposed into two members: “pump” as the core member and “AFW” as the defining member. “AFW” is further decomposed into two members: “feed water” as the core member and “auxiliary” as the defining member. Concept unit “TDAFWP” is linked to a control panel indicator ID: “TDAFP_On”.

Alarm example: SG-A level low-low alarm. It is represented by a composed concept unit, “alarm_SG_A_level_lowlow”. This concept unit is decomposed into 3 member concept units: “alarm” as the core member, “SG_A_level” and “lowlow” as defining members. “SG_A_level” is further decomposed into two member concept units: “level” as the core member and “SG_A” as the defining member. “alarm_SG_A_level_lowlow” is linked to a control panel indicator ID “A_SG_LoLo_Level”.

Step 3: Group similar indicator concepts and create an indefinite concept for each group. For example, “SG_A_pres”, “SG_B_pres”, and “SG_C_pres” are similar concepts, so we put them in a group. The difference is that they are in different loops (A, B or C). An indefinite concept unit “SG_X_pres” is created. When we code knowledge of SG pressure, we can use “SG_X_pres” to represent any one in the group. During the simulation, a knowledge unit containing “SG_X_pres” can be automatically applied to any SG pressure by converting “loop_X” to a specific loop.

Step 4: Group indicators based on their location proximity. Indicators of “SG_A_WR_level”, “SG_B_WR_level”, and “SG_C_WR_level” are placed close to each other on the control panel. When the operator checks any one of them, it is easy for him to check the other two.

Step 5: Build semantic sentences to describe plant phenomena. Users do not need to build sentences for each phenomenon. The program automatically generates a set of sentences to describe the indicator states and their dynamic changes: one semantic sentence is generated for each of the system dynamics listed in Table 4-7, so the user does not need to create these semantic units.

Table 4-7 System dynamics types

| Indicator type | System dynamic types |
|---|---|
| Parameter indicator | Parameter increases; Parameter decreases; Parameter is stable. |
| Component with ON/OFF state | Component turns on; Component turns off. |
| Component with position indication (valve position between 0% and 100% open) | Valve opens bigger; Valve closes smaller. |
| Alarm | Alarm turns on; Alarm turns off. |
| Component/Alarm state | Component is ON; Component is OFF; Alarm is ON; Alarm is OFF. |

For plant phenomena that are not linked to a specific indicator or not included in the system dynamic types in Table 4-7, the user needs to manually build semantic sentences. For example, there is no indicator directly indicating a SGTR accident, so the user needs to create a semantic sentence to describe this phenomenon. We create a “SG_A_ruptured” sentence for this. It has a subject concept “SG_A” and an attributive concept “ruptured” to describe the phenomenon. Note that if the concept “ruptured” has not been coded in the concept unit base, then we need to add it. New concept units can be gradually added to the model as needed.

Step 6: Code knowledge for each parameter/component/alarm. Each semantic sentence has two knowledge nodes with different truth flags in the knowledge web. One has a “True” flag and the other has a “False” flag. Their IDs are “KE_” + sentence ID and “KE_FALSE_” + sentence ID. A knowledge link connects two knowledge nodes by a causal or inference relation. It might have one knowledge node as a condition. Two examples are provided in Table 4-8.

Table 4-8 Knowledge link examples

Input codes (first example):

    A_Knowledge_Unit
    Causal_Type: 2
    Inference_Type: 0
    Knowledge_Unit_Strength: 1.0
    Forward_Retrieve_Rate: 1
    Backward_Retrieve_Rate: 1
    Effective_Time_Forward_DeltaT1: -10
    Effective_Time_Backward_DeltaT2: 10
    UpperStream_Type: 1
    UpperStream_ID: KE_steam_load_increase
    DownStream_ID: KE_Control_rod_move_out
    Is_There_A_Permission_Condition: 0

Meaning: “steam load increase” could cause “control rod move out” within 10s.

Input codes (second example):

    A_Knowledge_Unit
    Causal_Type: 0
    Inference_Type: 1
    Knowledge_Unit_Strength: 1.0
    Forward_Retrieve_Rate: 1.0
    Backward_Retrieve_Rate: 1.0
    Effective_Time_Forward_DeltaT1: -10
    Effective_Time_Backward_DeltaT2: 5
    UpperStream_Type: 1
    UpperStream_ID: KE_SG_X_NR_level_decrease
    DownStream_ID: KE_SG_X_level_decrease
    Is_There_A_Permission_Condition: 0

Meaning: “SG-X narrow range level decrease” infers “SG level decrease”. Another knowledge link connects “SG-X level decrease” with “SG-X wide range decrease”.

In this step, users code the causes or inferences of plant phenomena. We suggest putting the plant phenomena into two lists: list 1 contains the system dynamics in Table 4-7 and list 2 contains phenomena not included in Table 4-7. Then code the causes of each phenomenon one by one. Take the “SG_A_pres” indicator for example. We want to code the causes for both “SG_A_pres_increase” and “SG_A_pres_decrease”. For “SG_A_pres_decrease”, we know it could be caused by a steam load increase or an SG_A fault. So far we don’t have a semantic sentence describing steam load increase or SG_A fault, so we manually code two semantic sentences for them, named “steam_load_increase” and “SG_A_faulted”, and add these two phenomena to list 2. Then we add two causal knowledge links accordingly. For “SG_A_faulted”, the control room operator doesn’t need to investigate what has caused a faulted SG during the simulation (this task goes to the maintenance team), so we do not code its causes in the knowledge web. The phenomena whose causes we do not code any further form the boundary of the knowledge web. Some knowledge link examples are provided in Figure 4-13, Figure 4-15, Figure 4-14, and Figure 4-16. In these figures, a solid arrow denotes a causal relation, a dashed arrow denotes an inference relation, and a bold double bar denotes the knowledge web boundary.

[Figure 4-13: diagram of knowledge links into the effect nodes PRZ_pres_decrease, Tave_decrease, Tave_increase, PRZ_pres_increase, PRZ_level_increase and PRZ_level_decrease.]
Figure 4-13 Knowledge link examples of parameter trends

[Figure 4-14: diagram linking the alarm nodes alarm_Tave_low_ON, high_power_reactor_trip_ON, alarm_SG_X_level_lowlow_ON and alarm_SG_X_level_low_ON with the nodes Tave_low, reactor_power_high, SG_X_level_lowlow and SG_X_level_low.]
Figure 4-14 Knowledge link examples of alarm dynamics

[Figure 4-15: diagram of knowledge links into the nodes reactor_trip_turns_on (OPDT_reactor_trip_turn_on, OTDT_reactor_trip_turn_on, high_power_reactor_trip_turn_on, …, MF_MS_mismatch_ractor_trip_turn_on), safety_injection_turn_on (low_SG_pres_safety_injection_turn_on, low_PRZ_pres_safety_injection_turn_on, …) and MFWP_trip_turn_on, with the condition reactor_trip_ON AND Tave_low.]
Figure 4-15 Knowledge coding examples of component indicator dynamics

[Figure 4-16: diagram of knowledge links among nodes including SG_A_level_>_SG_B_level, FW_A_flow_>_FW_B_flow, MS_A_flow_<_MS_B_flow, SG_A_ruptured, Steam_X_flow_>_5, turbine_ON, steam_dump_open, SG_X_PORV_open, KE_SG_X_faulted and MSLB_true.]
Figure 4-16 Knowledge link examples of other plant phenomena

Step 7: Code accident event schemas. Identify the causal paths between accidents and their observable symptoms. Index them in accident event schemas, and also link accident schemas with appropriate procedures if applicable. An example is provided in Table 4-9.

Table 4-9 An accident event schema—MSLB

    Event_KE_ID: KE_MSLB_true
    No_of_Symptoms: 6
    Symptom_KE_ID: KE_SG_A_pres_decrease
    No_of_causal_chains: 2
    KU_ID: KE_load_increase->KE_SG_X_pres_decrease
    KU_ID: KE_MSLB_true->KE_load_increase
    Symptom_KE_ID: KE_SG_B_pres_decrease
    No_of_causal_chains: 2
    KU_ID: KE_load_increase->KE_SG_X_pres_decrease
    KU_ID: KE_MSLB_true->KE_load_increase
    Symptom_KE_ID: KE_SG_C_pres_decrease
    No_of_causal_chains: 2
    KU_ID: KE_load_increase->KE_SG_X_pres_decrease
    KU_ID: KE_MSLB_true->KE_load_increase
    Symptom_KE_ID: KE_SG_A_pres_<_600
    No_of_causal_chains: 1
    KU_ID: KE_MSLB_true->KE_SG_X_pres_low
    Symptom_KE_ID: KE_SG_B_pres_<_600
    No_of_causal_chains: 1
    KU_ID: KE_MSLB_true->KE_SG_X_pres_low
    Symptom_KE_ID: KE_SG_C_pres_<_600
    No_of_causal_chains: 1
    KU_ID: KE_MSLB_true->KE_SG_X_pres_low
    Response_Procedure_Name: NONE
    Response_Procedure_Step: NONE

This concludes the major steps of coding a knowledge base. [6]

[6] More information about coding the input model is available in the ADS-IDAC 3.0 input manual.

4.3 Implementation functions of the reasoning module

This section describes the simulation implementation of the reasoning module.
4.3.1 Flow of reasoning module and information generated in the simulation

The ADS program runs a RELAP5 thermal hydraulic model and the IDAC human model alternately with a time step of 0.5 sec of the simulation clock, as shown in Figure 4-17. IDAC calls the reasoning module once per time step. Even though the reasoning module runs at discrete time steps, it mimics a seamlessly continuous cognitive process. Token variables are used in the reasoning module to mark the reasoning progress. At the beginning of each time step, these tokens direct the program to pick up cognitive functions from where it stopped at the end of the previous time step.

Figure 4-17 Simulation process of ADS-IDAC

In ADS-IDAC simulation, the reasoning module starts with routine monitoring of key plant indicators. An interpretation function in the reasoning module translates the perceived indicator reading into semantic statements and stores them into memory. A statement describes an observed phenomenon or a situational judgment produced in the reasoning module, which could be a parameter trend, component/alarm state, component/alarm state change, accident diagnosis, etc. Table 4-10 provides some statement samples from a simulation run.

Table 4-10 situational statement samples
ID … statement_130 statement_131 statement_132 … Statement_139 … Time of Content … Tave_lowlow Truth Confidence Effective … … TRUE 1.0 1.0 1.0 … 0.97 … … <35.575 Time

35.575 35.575 36.104 … 48.271 …

,

Tave_decrease TRUE low_PRZ_pres_reactor_trip_turn_on TRUE … … MSLB_true TRUE … …

(-3.001 , 178.01> <36.104 , … (n/a, 20.568) …

Each statement has its effective time range for the described phenomenon. The time range is described in two forms. One denotes that the operator observes a current phenomenon at a time point; the other denotes that the phenomenon has happened in a time range instead of a specific time point. In the “effective time range” column of Table 4-10:

• “( t1” means the effective time is later than a time point t = t1;
• “< t1” means the effective time is later than and including a time point t = t1;
• “t2 )” means the effective time is earlier than a time point t = t2;
• “t2 >” means the effective time is earlier than and including a time point t = t2.

Take statement_131 for example: it means that at t = 35.6s, the operator detected that Tave had decreased and it was still decreasing.

The “Time of generation” column records the time when each statement is generated. The statements with time information constitute the operator’s episodic memory of situation awareness. Statements generated from direct observations on indicators are given a confidence value of 1, while the inferred situation judgments are assigned a confidence value between 0 and 1 by the reasoning process. See statement_139 in Table 4-10: it records the operator’s diagnosis that a main steam line break accident had happened, and the operator’s confidence level was 0.97. We discuss the confidence calculation in Section 4.3.2.

Once an abnormal phenomenon is observed, the reasoning module switches to the investigation mode, working on explaining the observations and monitoring key indicators intermittently. For each system dynamic phenomenon or abnormal observation, an investigation item is generated for explaining that phenomenon. An investigation item is a basic unit in the reasoning chain. An investigation item could be generated in three ways: 1) initiated by a statement; 2) initiated by another investigation item to verify a hypothetic cause; 3) initiated by an accident diagnosis to collect more evidence. Accordingly, each investigation item has two objectives: 1) examine whether a specified phenomenon has happened or not in a specified time range; 2) investigate the causes of this phenomenon. To achieve these two objectives, ADS-IDAC employs a set of functions to simulate decomposed operator activities, see Table 4-11.

Table 4-11 Investigation Functions

| Investigation Token | Corresponding Investigation Function |
|---|---|
| 3001 | Locate a knowledge node in the knowledge web corresponding to the to-be-investigated statement |
| 3002 | Check whether there is a statement from memory corresponding to this investigation item |
| 3003 | Check whether there is relevant information from indicator readings in the memory (mental representation) |
| 3004 | Check whether the required information could be gathered from control panel |
| 3005 | Identify a list of indicators to be checked |
| 3006 | Request to read an indicator from the control panel module of ADS-IDAC |
| 3007 | Examine the presence/absence of an event described in a knowledge element based on the available information |
| 3008 | Feed the examination result back to the downstream investigation items |
| 3009 | Determine whether to continue this investigation |
| 3012 | Generate or link this investigation item to upstream investigation items |
| 3013 | Retrieve one hypothetical cause and move to the corresponding upstream investigation item |
| 3014 | Evaluate the causality after getting new feedbacks from upstream investigation item |

Each investigation function is associated with an investigation token value, see the first column in Table 4-11. An investigation item has a token variable to mark its investigation progress. When finishing each investigation function, the program identifies the next investigation function for this investigation item and changes its token variable value accordingly. The flow of investigation functions is shown in Figure 4-18. This technique provides a structure that loops the cognitive functions for each investigation item and ceases it on conditions. It allows an investigation to pause anywhere in the flow and be resumed later, thus enabling the operator to switch his attention from one investigation item to another. The program records the time consumption for each investigation function. The total consumed time is compared with the simulation clock time. The reasoning module pauses and the program jumps out of it when it has consumed all the equivalent time in each time step. The pause criterion is defined so that the reasoning module runs reasonably far in a time step as compared with what a human mind could do within a given time length.

Figure 4-18 Investigation function structure of investigation item

Table 4-12 provides two investigation item examples from an accident simulation run. Investigator_31 was generated based on the observation statement_127: main steam and main feed mismatch. Investigator_32 was generated based on the observation statement_131: Tave decrease. The investigation progress of each item is recorded in the column “Investigation Token Timeline”. The progression of Investigator_32 is also highlighted in the function flow chart, see Figure 4-19. As shown in the table and the figure, the operator thoroughly examined three possible causes of Tave decrease, while he had not processed the observation of main steam and main feed mismatch. Investigator_31 slipped from his memory.

Table 4-12 Investigation item samples

| Investigation Item ID | Time of Generation (sec) | Corresponding Observation | Investigation Token Timeline | Upperstream Investigation Item ID and Status |
|---|---|---|---|---|
| Investigator_31 | 31.872 | statement_127: MS_MF_mismatch | 3001 | |
| Investigator_32 | 35.575 | statement_131: Tave_decrease | (3001-60.623) (3012-60.623) (3014-61.152) (3013-62.211) (3014-63.269) (3009-63.269) (3013-64.857) (3014-67.503) (3009-67.503) 3098 | Investigator_50: Not Happen; Investigator_2: Possible; Investigator_51: Happen |

Figure 4-19 Example of one investigation item

An investigation line is a set of investigation items linked by their causal relations. Multiple lines of investigation could be initiated by multiple observations and they could exist in the working memory at the same time. The reasoning module only works on one investigation item at a time. This reflects the effect of cognitive resource limitations. If there is more than one active investigation item, the program needs to select one investigation line and one investigation item in that line. A prioritization function is designed to determine which item to process at the present moment. The prioritization process navigates the operator’s attention through the active investigation items and the routine monitoring task in the working memory pool and thus forms the operator’s train of thought.

There are two operator agents in ADS-IDAC, a decision-maker (ODM) and an action-taker (OAT). The reasoning module generically applies to both. The user could give these two roles different profiles in input files (e.g. different knowledge bases).
4.3.2 An algorithm for calculating accident diagnosis confidence level

Computing causal path confidence level
Investigation items generated during the simulation are linked by their causal relations. An example is shown in Figure 4-20. Each block represents an investigation item. The connections between the investigation items represent causal paths (in a connection, the item in the lower level could cause the item in the higher level). In this figure, blocks in green are phenomena directly observed from control panel indicators; blocks in red are believed not to have happened in a specified time range; and blocks in yellow could not be directly verified from control panels, thus they are uncertain.

Figure 4-20 An example of reasoning chain

In this example, the pressurizer pressure was observed as decreasing, and an investigation item I50 was created for explaining this phenomenon. Retrieving possible causes in the knowledge base, the program identified 5 hypothetical causes, shown below I50 in Figure 4-20. I4 and I34 already existed in the memory from earlier observations and investigations, and the program only needed to connect them to I50. For the other three hypothetical causes, the program initiated new investigation items (I36-I41) to examine their respective status. In this example, the program examined the status of each possible cause [7]. The program calculates a confidence level (between 0 and 1) of each causal path that connects an uncertain cause with a confirmed observation, and there might be more than one link between them. The path confidence level is the product of the confidence level of each segment in this path.

[7] The reasoning module might only examine part of the possible causes, depending on the operator’s problem-solving style setting. Refer to Section 6.2.2 for more information.

Path confidence is defined as the operator’s subjective assessment of the probability that a plant phenomenon is caused by a specific causal path. For example, there are two links between I15 and I4 in Figure 4-20: I15->I8->I4. This path represents the event that I4 “Tave decrease” was due to I8 “steam load increase” and I8 was due to I15 “MSLB true”. Its path confidence is the probability of the event of this causal path. The confidence level of a causal link (A->B) is the operator’s subjective assessment of the probability of an event that B is caused by A. One causal link provides an explanation of an effect phenomenon. If the occurrences of the cause phenomenon and the condition phenomenon (if any) are verified by control panel indicators, the confidence level of this causal link is 1. If the cause phenomenon or the condition phenomenon (if any) is determined not to have happened in a corresponding time interval, the confidence level of this causal link is 0. A path confidence is the product of the confidence level of each causal link in the path, as shown in Equation 4-2.
?? ??????: ? ? ?? ?????? ?? ????? ? ???;

????????????? ?????? ? ? ? ??? ? ????????????? ?????? ? ??? ? ????????????? ?????? ? ???

????????????? ?????? ? ??? ??;? ????? ?? ??????????? ??

Equation 4-2

For an uncertain cause that could not be directly verified from control panel indicators, its confidence level depends on the presence of competing explanations. As shown in Figure 4-21, if there is no confirmed competing cause, the confidence level of the uncertain cause paths gets a high value of 0.9 in total. If there are one or more confirmed causes, a small confidence value of 0.1 will be distributed to the uncertain causes. In the example in Figure 4-20, “I8: steam load increase” could not be directly verified from control panel indicators, so it is an uncertain cause of I4. Since there is a competing confirmed cause “I9: safety injection ON”, the confidence of uncertain causal path I8->I4 gets a low value of 0.1 in total.

Figure 4-21 Confidence level of uncertain causal paths

[Figure 4-22: two panels, “Knowledge Web” and “Reasoning Module”, each linking Uncertain Cause 1, Uncertain Cause 2, …, Uncertain Cause n to an effect phenomenon; labels include “Back strength 2”, “Prob(E2)” and “0.1 or 0.9”.]
Figure 4-22 Spreading confidence among multiple uncertain causes

If there are two or more uncertain causes, the total confidence level is distributed among them in proportion to the backward strengths of the corresponding knowledge links specified in the knowledge web. See Equation 4-3 and Figure 4-22.

?? : ??????????? ??? ??? ? ????? ??????? ??????? ????? ??????????? ? ? ????????????? ?????? ? ?? ??? ???? ??

???? : ? ? ????? ????????? ?? ??? ?? ?????? ??? ???? ??????

0.9 ?? ?? ????? ????????? ????????? ?? ?? ?????????? ?????? ? 0.1 ?? ?????? ?????????? ????????? ???? ?? ????
Equation 4-3

In the example shown in Figure 4-20, “I36: loss of coolant accident” and “I38-I40: steam generator tube rupture” are two uncertain causes of I34. In the knowledge web, these two causal relations have been assigned the same strength, so they share the total confidence level of 0.1 equally and each link gets a confidence of 0.05. For each possible uncertain item in the reasoning chain, the program generates a statement with a confidence level between 0 and 1 to represent the operator’s judgment. The statement confidence level is equal to the confidence level of the causal path connecting it to a confirmed observation. For an accident diagnosis, the program generates a statement only once, and its confidence is determined and updated by the aggregation of all the confidence paths that connect it to its observable symptoms.

Computing accident diagnosis confidence level

In the simulation, the reasoning module calculates the diagnosis confidence level of an accident by referring to its corresponding accident schema, so that all evidence is integrated into one overall picture, see Equation 4-4.

Diagnosis confidence?A? ? ??? P????? ?? ? Symptom Coverage?.? ??????????? Symptom Coverage ?
?

N???????? N????? ? N???????

Equation 4-4

• $S_i$ represents the ith symptom of accident A.
• $E_i$ means the event that symptom $S_i$ is caused by accident A through a specific causal path.
• $\bar{E}_i$ means the event that symptom $S_i$ is caused by some other reason but not accident A.
• $P(E_i)$ is the probability of event $E_i$ based on the operator’s prior knowledge without considering the other evidence. It is a path confidence level.

In Equation 4-4, the term $\coprod_i P(E_i) = 1 - \prod_i \left(1 - P(E_i)\right)$ aggregates all the positive symptoms together like a parallel system (see Figure 4-23). It is the conditional probability of accident A given all the observed positive symptoms.

[Figure 4-23: parallel blocks labelled “Path confidence 1 (this accident causes symptom 1)”, “Path confidence 2 (this accident causes symptom 2)”, …, “Path confidence n (this accident causes symptom n)”.]
Figure 4-23 A system block diagram resembles the way of integrating path confidences

In the knowledge web, each causal link represents a certain causal relationship. A knowledge link in Figure 4-24 represents a causal relationship between A and B. If A is true and there are no other factors that cancel or compensate the effect of A on B, B should be true. If B is true and A is true, then the event that B is caused by A is true [8].

[8] Note that this does not mean A is the only cause of B. B might have more than one cause.

[Figure 4-24: node A linked by an arrow to node B.]
Figure 4-24 A knowledge link shows that A causes B

[Figure 4-25: accident node A linked to symptom nodes S1, S2, …, Sn.]
Figure 4-25 Causal paths between accident A and its positive symptoms

In the reasoning module, positive symptoms of an accident are symptoms whose occurrence has been detected by the operator and which the operator has causally connected to this accident by using his knowledge. Given that positive symptoms $S_1, S_2, \dots, S_n$ have been observed, if accident A is true, events $E_1, E_2, \dots, E_n$ are true; if accident A is false, events $\bar{E}_1, \bar{E}_2, \dots, \bar{E}_n$ are true. In other words, if accident A has not happened, each of these symptoms has to be caused by something else other than accident A. Hence:

$$P(\bar{A} \mid S_1, S_2, \dots, S_n) = P(\bar{E}_1 \cap \bar{E}_2 \cap \dots \cap \bar{E}_n)$$

During calculation, we treat events $\bar{E}_1, \bar{E}_2, \dots, \bar{E}_n$ independently. Hence:

$$P(\bar{A} \mid S_1, S_2, \dots, S_n) = \prod_i P(\bar{E}_i) = \prod_i \left(1 - P(E_i)\right)$$

Hence:

$$P(A \mid S_1, S_2, \dots, S_n) = 1 - P(\bar{A} \mid S_1, S_2, \dots, S_n) = 1 - \prod_i \left(1 - P(E_i)\right) = \coprod_i P(E_i)$$

We don’t directly use $P(A \mid S_1, S_2, \dots, S_n)$ as the operator’s diagnosis confidence, but add two more factors to it: symptom coverage and negative symptoms.

Symptom coverage measures the percentage of symptoms observed. “Blocked symptom” means that a symptom is blocked by some system conditions and the operator has justified its absence, so the absence of a blocked symptom will not be used as evidence for the accident absence. When computing the symptom coverage, the number of blocked symptoms is taken out of the total number of symptoms. The Symptom Coverage term is raised to a power of 0.5, which could be adjusted between 0 and 1; a higher power value means a higher symptom coverage requirement. A power of 0 means the operator doesn’t take the symptom coverage into account.

$N_{missing}$ is the number of absent symptoms for which the operator has not found any justification. The higher the number of missing symptoms, the lower the confidence level is. In the reasoning module, once the operator finds a missing symptom that he could not justify, the investigation of that accident pauses until some new positive evidence appears.

The following are two examples of blocked symptoms in a complex SGTR accident. A typical symptom of SGTR is a high secondary radiation level. But the operator will not see this phenomenon if the piping between the ruptured steam generator and the radiation detector has been blocked by closed valves. Decreasing pressurizer water level is another symptom of a SGTR accident; however, it could be masked by some plant conditions, for example when the Safety Injection system adds water to the reactor coolant system and compensates the water loss due to leakage.

Figure 4-26 Calculation of SGTR confidence level

Figure 4-26 shows an example of a SGTR accident confidence calculation. Five symptoms are specified in the accident event schema of SGTR-A. Two of them are blocked symptoms. Confidence levels of the other three paths are marked in the figure. Applying Equation 4-4, the program generates a diagnosis confidence level of 0.991. This approach captures several important aspects that affect operators’ diagnosis confidence:

• It takes into account the degree to which an accident hypothesis accounts for the observations. If one or more competing explanations exist, a diluted confidence level goes to that hypothesis.
• Symptom coverage (the percentage of symptoms that have been observed) is included in the equation.
• Absence of expected symptoms negatively affects the diagnosis confidence level. Once the operator figures out that the symptom absence is due to some other reasons, it is taken out of the equation, that is, it no longer affects the diagnosis confidence.

This algorithm allows the operator to have a high diagnosis confidence level if it is the only explanation of one or more symptoms. It also integrates different pieces of evidence together, so it is possible to get a high confidence level given multiple observed symptoms, even if each symptom has other competing explanations. If the operator notices that an expected symptom is absent, it results in a decrease in the confidence level. By applying these rules, the algorithm replicates in a natural way the operators’ use of evidence to make diagnoses.
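The arithmetic of this section, as an added Python example rather than ADS-IDAC code: it shares 0.9 or 0.1 among uncertain causes by backward strength, multiplies link confidences along a path, and combines path confidences like a parallel system scaled by symptom coverage. Function names and sample numbers are constructed, and the negative-symptom factor is not modeled, so it applies while no unexplained missing symptom has been found.

```python
"""Confidence arithmetic of Section 4.3.2 (added illustration)."""
from math import prod

# Totals shared by the uncertain causes of one effect (values from the text).
TOTAL_NO_CONFIRMED_COMPETITOR = 0.9
TOTAL_WITH_CONFIRMED_COMPETITOR = 0.1


def uncertain_link_confidences(back_strengths, confirmed_competitor):
    """Spread the total among uncertain causes in proportion to the
    backward strength of each knowledge link (dict: cause -> strength)."""
    if any(s <= 0 for s in back_strengths.values()):
        raise ValueError("backward strengths must be positive")
    total = (TOTAL_WITH_CONFIRMED_COMPETITOR if confirmed_competitor
             else TOTAL_NO_CONFIRMED_COMPETITOR)
    norm = sum(back_strengths.values())
    return {cause: total * s / norm for cause, s in back_strengths.items()}


def path_confidence(link_confidences):
    """Product of the link confidences along one causal path.
    A verified link contributes 1, a refuted link contributes 0."""
    if any(not 0.0 <= c <= 1.0 for c in link_confidences):
        raise ValueError("link confidences must lie in [0, 1]")
    return prod(link_confidences)


def positive_evidence(path_confidences):
    """Parallel-system aggregation: 1 - prod(1 - P(E_i))."""
    return 1.0 - prod(1.0 - p for p in path_confidences)


def symptom_coverage(n_positive, n_total, n_blocked):
    """Observed symptoms over the symptoms that are not blocked."""
    unblocked = n_total - n_blocked
    if unblocked <= 0 or not 0 <= n_positive <= unblocked:
        raise ValueError("inconsistent symptom counts")
    return n_positive / unblocked


def diagnosis_confidence(path_confidences, n_total, n_blocked, power=0.5):
    """Positive evidence scaled by symptom coverage raised to `power`.
    One path confidence per observed (positive) symptom; the
    negative-symptom factor is not modeled here."""
    coverage = symptom_coverage(len(path_confidences), n_total, n_blocked)
    return positive_evidence(path_confidences) * coverage ** power


if __name__ == "__main__":
    # Two equally strong uncertain causes next to a confirmed competitor,
    # as in the I36 / I38-I40 case of the text: 0.05 each.
    print(uncertain_link_confidences({"LOCA": 1.0, "SGTR": 1.0}, True))

    # Constructed two-link path: an assumed 0.9 link feeding a 0.1 link.
    print(path_confidence([0.9, 0.1]))

    # Constructed schema: 5 symptoms, 2 blocked, 3 observed.
    print(diagnosis_confidence([0.9, 0.5, 0.1], n_total=5, n_blocked=2))

    # Same schema with only 2 of the 3 unblocked symptoms observed so far.
    print(diagnosis_confidence([0.9, 0.5], n_total=5, n_blocked=2))

    # Six weak paths (0.1 each) still add up to substantial evidence.
    print(positive_evidence([0.1] * 6))
```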
4.3.3 Activation propagation

As mentioned earlier, explaining observed plant phenomena is an important process of situation assessment. For an observed phenomenon, the reasoning module implements investigation in two main steps: 1) retrieving the possible causes from knowledge bases; 2) examining whether a possible cause has happened or not in a specific time range around the phenomenon, by checking the available information in memory or requesting more information from control panels. This section discusses the information retrieval algorithm.

Each semantic element (basic concept unit, composite concept unit and semantic sentence unit) has an activation level in the range from 0 to 1. The simulation program continuously updates the activation level of each element. The activation levels change in three ways: activation firing, activation propagation among semantic elements, and memory decay. During the simulation, the reasoning module selects one investigation item to process at a time. The program fires the semantic sentence unit that describes the phenomenon in the selected investigation item, by increasing its activation level to 1. Also, when a new statement is generated, the program fires its semantic sentence activation level. The activation propagation starts from the fired semantic sentence to the other related elements in the semantic base. It triggers one round of activation propagation: a top-down propagation and a bottom-up propagation, as shown in Figure 4-27. The top-down process propagates the activation from one element to its member elements, while the bottom-up process propagates the activation from member elements to other elements that contain them. This is inspired by the compound cue theory (Hintzman 1986; Plaut 1995). The activation propagation is based on the similarity among memory elements.

Figure 4-27 Activation propagation paths in the semantic base

This mechanism enables activation to propagate from one semantic sentence to other semantic sentences. An example is given in Figure 4-28. At time 200sec, the operator observes that “Steam Generator A” is “decreasing”. This newly generated statement fires the activation level of the semantic sentence “SG_A_pressure_decrease”. Next the program increases the activation levels of its member elements: “SG_A_pressure” and “decrease”. “SG_A_pressure” has two member elements, “SG_A” and “pressure”, and the program increases their activation levels. “SG_A” has two member elements, “SG” and “Loop_A”, and their activation levels are increased accordingly. “Loop_A” has two members, “Loop” and “A”, and the program also increases their activation levels. In this recursive process, the program propagates the activation level from the semantic sentence unit to the related basic concept units and finishes the top-down propagation. In the bottom-up propagation process, the program picks out those elements that are affected in the top-down propagation process, then propagates the activation changes from the component members to the higher-level elements and finishes one round of propagation. In Figure 4-28, the red boxes and red arrows highlight the updated semantic elements and the activation propagation paths. This figure shows that the program propagates the activation change from one sentence “SG_A_pressure_decrease” to a similar sentence “SG_A_Tave_decrease” [9]. This example demonstrates the way that one semantic sentence within the attention focus “preheats” the other semantic sentences based on their similarities.

[9] Besides “SG_A_Tave_decrease”, the activation levels of more similar sentences are updated in this process, e.g. “SG_B_pressure_decrease” and “SG_C_pressure_decrease”. They are not shown in this figure.
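One round of the top-down and bottom-up propagation described above, as an added Python sketch that is not ADS-IDAC code. The text gives no numeric update rule, so the per-hop attenuation factors and the averaging of member activations are assumptions, as are the decompositions of the Tave, SG_B and PRZ elements.

```python
"""One round of activation propagation: top-down, then bottom-up."""

# Constructed semantic base: element -> member elements. The SG_A_pressure
# chain follows the text; the other entries are assumed for illustration.
MEMBERS = {
    "SG_A_pressure_decrease": ["SG_A_pressure", "decrease"],
    "SG_A_pressure": ["pressure", "SG_A"],
    "SG_A": ["SG", "Loop_A"],
    "Loop_A": ["Loop", "A"],
    "SG_A_Tave_decrease": ["SG_A_Tave", "decrease"],
    "SG_A_Tave": ["Tave", "SG_A"],
    "SG_B_pressure_decrease": ["SG_B_pressure", "decrease"],
    "SG_B_pressure": ["pressure", "SG_B"],
    "SG_B": ["SG", "Loop_B"],
    "Loop_B": ["Loop", "B"],
    "PRZ_level_increase": ["PRZ_level", "increase"],
    "PRZ_level": ["level", "PRZ"],
}

DOWN = 0.5  # assumed attenuation per top-down hop
UP = 0.5    # assumed attenuation per bottom-up hop


def all_elements():
    names = set(MEMBERS)
    for members in MEMBERS.values():
        names.update(members)
    return names


def height(element):
    """0 for a basic concept unit, else 1 + the tallest member."""
    members = MEMBERS.get(element, [])
    return 0 if not members else 1 + max(height(m) for m in members)


def sentences():
    """Elements that are not a member of any other element."""
    used = {m for members in MEMBERS.values() for m in members}
    return [e for e in MEMBERS if e not in used]


def fire_and_propagate(sentence):
    """Fire `sentence` to 1.0 and run one propagation round."""
    act = {name: 0.0 for name in all_elements()}
    act[sentence] = 1.0
    touched = {sentence}

    # Top-down: push activation from each element to its members.
    stack = [sentence]
    while stack:
        parent = stack.pop()
        for member in MEMBERS.get(parent, []):
            act[member] = max(act[member], act[parent] * DOWN)
            touched.add(member)
            stack.append(member)

    # Bottom-up: lowest composites first, so that each element sees the
    # final activation of its members. Only elements that contain an
    # affected member are updated.
    for element in sorted(MEMBERS, key=height):
        members = MEMBERS[element]
        if not touched.intersection(members):
            continue
        mean = sum(act[m] for m in members) / len(members)
        act[element] = max(act[element], mean * UP)
        touched.add(element)
    return act


def preheated(sentence):
    """Other sentences that received activation, strongest first."""
    act = fire_and_propagate(sentence)
    others = [s for s in sentences() if s != sentence and act[s] > 0.0]
    return sorted(others, key=lambda s: act[s], reverse=True)


if __name__ == "__main__":
    result = fire_and_propagate("SG_A_pressure_decrease")
    for name in sentences():
        print(f"{name:26s} {result[name]:.4f}")
```

Under these assumed weights the unrelated sentence PRZ_level_increase stays at 0, while the two sentences that share members with the fired one are preheated.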

73
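The round of firing, top-down and bottom-up propagation described above, as an added Python sketch that is not ADS-IDAC code. The page gives no propagation weights, so the gain of 0.5 per link, the averaging over members in the bottom-up step, the rule that elements already reached top-down receive no echo, and the unrelated "PZR_level_increase" sentence are assumptions; memory decay is left out.

```python
# Added illustration (not ADS-IDAC code). Element names follow the page's
# example; PZR_* names, GAIN and the averaging rule are assumptions.
GAIN = 0.5  # assumed fraction of an activation change passed along one link

# Semantic base: composite element -> its member elements.
# Names that never appear as keys are basic concept units.
SEMANTIC_BASE = {
    "SG_A_pressure_decrease": ("SG_A_pressure", "decrease"),
    "SG_A_Tave_decrease": ("SG_A_Tave", "decrease"),
    "SG_B_pressure_decrease": ("SG_B_pressure", "decrease"),
    "PZR_level_increase": ("PZR_level", "increase"),  # constructed, unrelated
    "SG_A_pressure": ("SG_A", "pressure"),
    "SG_A_Tave": ("SG_A", "Tave"),
    "SG_B_pressure": ("SG_B", "pressure"),
    "PZR_level": ("PZR", "level"),
    "SG_A": ("SG", "Loop_A"),
    "SG_B": ("SG", "Loop_B"),
    "Loop_A": ("Loop", "A"),
    "Loop_B": ("Loop", "B"),
}


def all_elements(base):
    """Every element name, composite or basic."""
    names = set(base)
    for members in base.values():
        names.update(members)
    return names


def height(base, name):
    """0 for a basic concept unit, else 1 + the tallest member."""
    members = base.get(name, ())
    return 1 + max(height(base, m) for m in members) if members else 0


def propagate(base, activation, fired, gain=GAIN):
    """Fire one semantic sentence and run one round of propagation.

    Mutates `activation` (name -> level in [0, 1]) and returns the change
    each element received, so the caller can see what was preheated.
    """
    delta = {}

    def raise_level(name, amount):
        new = min(1.0, activation[name] + amount)  # levels are capped at 1
        gained = new - activation[name]
        activation[name] = new
        delta[name] = delta.get(name, 0.0) + gained
        return gained

    # 1. Firing: the attended sentence goes to full activation.
    raise_level(fired, 1.0)

    # 2. Top-down: pass each change from an element to its members.
    pending = [(fired, delta[fired])]
    while pending:
        parent, change = pending.pop()
        for member in base.get(parent, ()):
            gained = raise_level(member, gain * change)
            if gained > 0:
                pending.append((member, gained))
    reached_top_down = set(delta)

    # 3. Bottom-up: an element containing changed members receives a share
    #    of the mean change of its members. Lower elements go first so a
    #    change can climb several levels. Elements already reached top-down
    #    are skipped (assumption: no echo back along the same path).
    for name in sorted(base, key=lambda n: (height(base, n), n)):
        if name in reached_top_down:
            continue
        members = base[name]
        mean_change = sum(delta.get(m, 0.0) for m in members) / len(members)
        if mean_change > 0:
            raise_level(name, gain * mean_change)
    return delta


def demo():
    """Fire the page's example sentence on a base that starts at rest."""
    activation = {name: 0.0 for name in all_elements(SEMANTIC_BASE)}
    delta = propagate(SEMANTIC_BASE, activation, "SG_A_pressure_decrease")
    return activation, delta


if __name__ == "__main__":
    levels, _ = demo()
    for name in sorted(levels, key=levels.get, reverse=True):
        print(f"{name:24s} {levels[name]:.4f}")
```

The similar sentences end the round with a small positive activation while the unrelated one stays at zero, which is the preheating effect the paragraph describes.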

Figure 4-28 An example of activation propagation

Retrieval of an existing situational statement in the memory is based on the activation level of the semantic sentence and the length of time since it was last attended to. For knowledge retrieval, Associative Activation Spreading Theory (Anderson 1983; Plaut 1995) is utilized in addition to the Compound Cue Theory. The knowledge retrieval process starts from one knowledge node within the attention focus as the retrieval cue. Retrieval scores of knowledge nodes linked with the retrieval cue in the knowledge web are calculated based on two factors: the activation level of the semantic sentence associated with the knowledge node and the strength of the knowledge link between the retrieval cue and the target knowledge node, see Equation 4-5. The retrieval score is compared with a retrieval threshold specified by the user, and only knowledge nodes with a score higher than the threshold can be retrieved. The retrieval time is inversely proportional to the retrieval score, with a cap value. The user can use different retrieval threshold values to capture individual differences. The node with the highest retrieval score will be processed first. This module has the ability to extend this retrieval mechanism by adaptively changing the retrieval threshold based on the investigation progress and some PSFs like stress level.10

???????? ??????????? ????? ? ?????????????????? ????? ? ????????????|?????? ????
Equation 4-5

Using both compound cue theory and activation spreading theory in this system offers two advantages: (1) Capturing the dependency of one’s cognitive activities at different times. Through activation propagation in the semantic pool, the memory of the past cognitive activities selectively preheats the relevant semantic elements; (2) Mimicking heuristic reasoning based on familiarity. The strength of knowledge links between the knowledge nodes represents operator’s familiarity and the frequency of using this inference/causal path; a target knowledge node with stronger link strength has a better chance to get retrieved and investigated. Thus, rare events and new situations increase the difficulty of diagnosis.

4.3.4 Decay of investigation items in the working memory

Limited capacity of working memory is modeled in the reasoning module. As introduced in Section 4.1, a thought thread pool stores all the investigation items. A subset of the investigation items is indexed in an active-thread pool, as shown in Figure 4-28. The active-thread pool has limited capacity and belongs to the working memory, while the multi-thought thread pool has no capacity limit. Only items indexed in the active-thread pool participate in the prioritization function and have a chance to be processed.

10 This is a good area for future research.

Figure 4-29 Investigation item decay and resume in memory

Under three circumstances, the program removes an investigation item from the active-thread pool: a) When an investigation item is resolved; b) When an investigation item has not been attended to for longer than a specific time limit; c) When the number of investigation items in the active-thread pool exceeds the capacity. Time limit and capacity are two model parameters subject to adjustments by PSFs. Circumstances b) and c) can simulate a process in which investigation items are interrupted or postponed and thus forgotten. This mechanism assists in mimicking the effects of alarm interruptions and task overflow.

A forgotten item could be moved back to the active-thread pool when the operator is reminded of it by some cues (other relevant investigation items that link to it, and repeated observations). An example is the case where an operator has observed a parameter trend but hasn’t explained it because his attention was occupied by other issues. He forgot it. Later, when he observed this parameter trend again, this information became fresh again in his working memory. This scenario can be reproduced in the reasoning module. Every time an unexplained phenomenon is observed again, the corresponding investigation item is added back to the active-thread pool. We should also note that moving an item back to the active-thread pool doesn’t guarantee it will be attended to and processed. It only means it becomes a candidate for the prioritization process.
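The removal and resume rules of this section, as an added Python sketch that is not ADS-IDAC code. The class, its method names and the item names other than "SG_A_pressure_decrease" are hypothetical; evicting the least recently attended item on overflow and treating a repeated observation as attention are assumptions, since the page does not specify either.

```python
# Added illustration (not ADS-IDAC code). Names are hypothetical; the
# overflow victim (least recently attended item) is an assumption.

class ThoughtThreads:
    """Unbounded thought thread pool plus a capacity-limited active index."""

    def __init__(self, capacity, time_limit):
        self.capacity = capacity      # max items in the active-thread pool
        self.time_limit = time_limit  # seconds an item may go unattended
        self.last_attended = {}       # every unresolved item -> timestamp
        self.active = set()           # items eligible for prioritization
        self.log = []                 # (time, item, reason) for each removal

    def _drop(self, now, item, reason):
        self.active.discard(item)
        self.log.append((now, item, reason))

    def _enforce_limits(self, now):
        # Circumstance b): unattended for longer than the time limit.
        for item in sorted(self.active):
            if now - self.last_attended[item] > self.time_limit:
                self._drop(now, item, "timeout")
        # Circumstance c): more items than the working memory can index.
        while len(self.active) > self.capacity:
            oldest = min(self.active,
                         key=lambda i: (self.last_attended[i], i))
            self._drop(now, oldest, "overflow")

    def observe(self, now, item):
        """A new or repeated observation puts the item in the active pool."""
        self.last_attended[item] = now
        self.active.add(item)
        self._enforce_limits(now)

    def resolve(self, now, item):
        # Circumstance a): a resolved item leaves both pools.
        self.last_attended.pop(item, None)
        if item in self.active:
            self._drop(now, item, "resolved")

    def candidates(self, now):
        """Items that may enter prioritization at time `now`."""
        self._enforce_limits(now)
        return sorted(self.active)

    def forgotten(self):
        """Unresolved items that are no longer in the active pool."""
        return sorted(set(self.last_attended) - self.active)


def demo():
    """Constructed timeline: overflow, decay, resume on re-observation."""
    pool = ThoughtThreads(capacity=2, time_limit=120)
    pool.observe(0, "PZR_level_decrease")
    pool.observe(30, "SG_A_pressure_decrease")
    pool.observe(60, "CTMT_radiation_high")   # third item: task overflow
    after_overflow = pool.candidates(60)
    after_timeout = pool.candidates(160)      # SG_A item unattended 130 s
    pool.observe(170, "PZR_level_decrease")   # trend seen again: resumes
    resumed = pool.candidates(170)
    pool.resolve(180, "CTMT_radiation_high")
    return (after_overflow, after_timeout, resumed,
            pool.candidates(180), pool.forgotten(), pool.log)


if __name__ == "__main__":
    for step in demo():
        print(step)
```

A resumed item only re-enters the candidate list; which candidate is processed next is still decided by the prioritization function, which this sketch does not model.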
4.3.5 Information perception module enhancement

Information perceiving channels in ADS-IDAC have been updated and expanded in this research. Five information channels are modeled for the operator perceiving external information from control panels:

a) Information requested by reasoning processes and accident investigations;
b) Information requested by executing procedure steps;
c) Information requested by control panel scanning;
d) Information requested by routine monitoring;
e) Passive alarm information.

Channel “a” is a new feature introduced by this research. It models the operator’s top-down attention driven by reasoning and diagnosing. Through this information channel, the reasoning module actively collects relevant information to support the reasoning and diagnosis process. In the reasoning module, once an accident hypothesis is initiated and its confidence level is above a threshold, the corresponding accident event schema actively guides the operator to search for the remaining symptoms included in the schema one by one. In the program, the time of requesting information is determined by two factors: 1) current diagnosis confidence level; and 2) a personal characteristic, activeness in gathering accident evidence. At a higher confidence level, the operator pays closer attention to investigating the accident. When diagnosing an accident, operators could either passively wait for more symptoms to be exposed by themselves, or actively gather more evidence by checking some relevant indicators. To capture individual differences, a model parameter named activeness in gathering accident evidence is employed. Users specify its value in the input file. Section 6.4.8 provides a detailed discussion of how to use this model parameter in ADS-IDAC.

Channel “d” is also a new feature developed in the reasoning module. It simulates an operator routinely checking a list of indicators to monitor the plant state. The indicator list is specified by users in an input file. The monitoring frequency of each indicator is specified in the input by the user, and it is dynamically adjusted during the simulation11. By varying the indicators specified in the list and the monitoring frequency of each, this model enables users to tailor operators’ work routines.

In a real control room crew, operators have different roles and thus are in charge of different parts of the plant. Here is an example of a real crew structure, showing the task divisions among different operators:

A shift supervisor is in charge of making decisions and coordinating activities of other operators.

A reactor operator focuses on the primary loop (reactor coolant system and reactor) of the plant.

A balance of plant operator focuses on the secondary loop (steam generators, main steam line, turbine, condenser, feed water systems, etc.).

A shift technical advisor assists the other operators and provides advice and consultation.

11 Refer to Section 6.4.4 for more detail.

Channel “e” for passive alarms existed in ADS-IDAC version 2.0 (Coyne 2009). It has been modified with a filter in the reasoning module to model the limitation of cognitive resources and the individual’s tendency in perceiving alarms. In the control room, alarm activities are intrusive and grab operators’ attention by their salient features: bright/flashing light and loud sounds. When many alarms are activated in a short time interval, it could be beyond operators’ cognitive capacities to process them all. In the reasoning module, a bandwidth is used to control the maximal alarm flow that could get into the operator’s working memory. A “first in-first out” alarm stack buffers the unprocessed alarm activities. The maximal alarm stack length is adjusted during the simulation by several performance shaping factors12. When the number of alarm activities exceeds the maximal stack length, the stack pops out the oldest alarm activity, which is then not processed further in the reasoning module.

In addition to the information channels, the research modeled the proximity feature of control panel designs. Many control panels are designed to group relevant indicators together so that it is natural and easy for the operator to perceive items together and to compare their reading values. ADS-IDAC 3.0 lets the user group indicators in an input file. During the simulation, once the reasoning module perceives information of any indicator in a group, the program automatically passes the reading of the other indicators in that group to the reasoning module.

12 Refer to Section 6.4.1 for more information.

4.3.6 Modeling diagnosis ambiguity

Some accidents share similar symptoms, which creates diagnosis ambiguity that could lead to misdiagnosis. The reasoning module captures the diagnosis ambiguity in the simulation. In 4.2.6, we introduced how the reasoning module computes the confidence levels of causal paths and accident diagnosis. Basically, the more accident symptoms are observed, the higher the confidence level generated. If an accident hypothesis is the single explanation of a symptom, it gets a high confidence level. If there are several competing explanations, the total confidence level is distributed among them. The confidence level of an accident diagnosis naturally changes over time as more evidence (positive or negative) becomes available.

A confidence threshold is used for declaring a diagnosis. When the confidence level of an accident hypothesis exceeds the threshold, the reasoning module declares this diagnosis. The declared diagnosis consequently guides the operators’ decision-making and response planning, e.g. entering the proper response procedure. A low threshold might lead to early misdiagnosis, especially when there is ambiguity between two similar hypothetical accidents. A high threshold might cause operators to spend too much time in making a diagnosis, cutting into the time for response planning and taking necessary actions.

In real life, different operators hold different levels of prudence and different problem-solving styles. Some would declare a diagnosis when they see a few symptoms that represent the accident heuristically, without thoroughly searching for more evidence or fully considering other possibilities. Some are reluctant to declare a diagnosis before they get sufficient evidence and tend to investigate more alternative explanations. These individual differences could be captured by varying the confidence threshold in the reasoning module.

At the early phase of an accident, a few symptoms are manifested and observed by the operator. They might be explained by several alternative hypotheses. The confidence is distributed among the competing explanations and the confidence level of none is high. Over time, more evidence is gained by actively checking the relevant indicators or by passively receiving alarm information. The new evidence confirms or disconfirms some accident diagnoses. Consequently the confidence levels of different accidents will diverge when some key evidence is obtained. Therefore different confidence thresholds for declaring a diagnosis can be used to model different problem-solver types, i.e., rushing to a conclusion, or adopting a slower and more methodical approach.

Figure 4-30 Diagnosis progress with ambiguity between two hypotheses (plot titled “Diagnosis Progress-Ambiguity Removal”: accident diagnosis confidence, 0 to 1, against time, 0 to 800 sec; legend: Diagnosis Declared, and the hypotheses SG faulted and MSLB)

Figure 4-30 shows a simulation example. The initiating event is a Main Steam Line Break (MSLB) that happened at time 00:00. The operator found an unexpected power increase before the reactor tripped, and he believed it was caused by an unknown steam load increase in the secondary loop of the plant. At t = 30s, the operator started to suspect that there might be a MSLB or steam generator faults, because both of them could cause a rapid steam load increase. At t = 150s, low steam generator pressure alarms were actuated. These alarms pointed to possible steam leakage in the secondary loop and thus increased the confidences of both the MSLB and steam generator faults hypotheses. With further investigation, the operator identified that the pressures in the three steam generators were all low, so the leakage was more likely downstream of the MSIVs than in a single steam generator. The confidence level of MSLB exceeded the confidence level of steam generator faults and the difference became greater. Continuing the investigation, the operator saw no pressure difference among the three steam generators and thus rejected the hypothesis of steam generator faults. The confidence level of MSLB was high and it was accepted as the final diagnosis. In this example, if the confidence threshold is low, the operator might rush into a misdiagnosis and declare a steam generator faults accident.

4.3.7 Model operators’ diagnosis of indicator failures

Historically some power plant accidents involved indicator failure, which misled operators’ situation awareness and diagnosis. An example is the Three Mile Island accident—the worst nuclear power plant accident in the U.S. In the Three Mile Island accident, the pressurizer PORV was stuck open but the indicator failed, showing it was closed. It misled the operators’ situation awareness and consequently led to inappropriate operator actions. In an accident with indicator failure, being able to identify the failed indicator is important for successful operation. Hence, it is valuable to study operators’ performance in a circumstance with indicator failure. The reasoning module in ADS-IDAC simulates operator reasoning and making inferences with available information, which provides a great advantage for modeling operators’ diagnosis of indicator failure.

Clues of indicator failure arise from information inconsistency—the reading of the failed indicator conflicts with other available information, which provides evidence for the indicator failure. Operators start to suspect an indicator failure when they discover some information inconsistency. This can be simulated in the reasoning module. We use an accident scenario13 to discuss how to achieve this. In a loss of feed water accident, operators initiate steam dump to the atmosphere through steam generator PORVs, in order to cool down the reactor. The stopping criterion for steam dump is when all three steam generator water levels are below 12%, in order to prevent the SGs from drying out. In this scenario, the SG-A water level indicator fails and is stuck at a level of 15%. The level is actually decreasing and the steam generator is becoming empty. The challenge to the operators is to find out the failure of the steam generator A level indicator. Some conflicting information provides clues to the operator if noticed: 1) there is no feed water to the steam generators. Steam flows out of the steam generator but no feed water comes in, thus the water inventory in the steam generator should be decreasing instead of being stable at 15%. 2) water levels in the other two steam generators are decreasing; if there is no other reason, the water level in steam generator A should be decreasing as well. One or more reasoning steps need to be taken by the operator before he or she can see the information conflict. The reasoning module in ADS-IDAC can provide the necessary infrastructure to mimic this reasoning process.

When the program encounters conflicting information, it generates suspicion of the indicators’ correctness. An algorithm for computing the suspicion level is proposed in this research. For a pair of conflicting information, suspicion is produced for each side. In Figure 4-31, an asterisk is used to mark the suspicion level. In this example, there are three pairs of information conflicts: 1) SG-A level should be decreasing vs. SG-A level is indicated stable at 15%; 2) SG-B level is decreasing vs. SG-A level is indicated stable at 15%; and 3) SG-C level is decreasing vs. SG-A level is indicated stable at 15%. In conflict 1, more suspicion is given to the SG-A level indicator because there is other information backing up the indicators on the other side (steam flow indicator and feed flow indicator)—the SG-A PORV is open and thus steam flow is above 0; feed water pumps have already tripped and thus the feed water is 0. In conflict 2 and conflict 3, SG-A level indicator gets suspicion from all the three pairs of information conflicts. As a result of this algorithm, the SG-A level indicator is at the center of suspicion. We should note that the suspicion of the failed indicator is not necessarily raised in each simulation sequence. It varies based on whether or not the operator’s attention is directed to the conflicting information and whether or not the operator makes the necessary inferences to realize the conflicts. Hence, this program could generate sequences where the operator fails to diagnose the indicator failure and his situation awareness is misled by it.

13 This scenario is from Halden experiments, named as complex LOFW accident.

Figure 4-31 Information conflicts of SG-A level indicator failure example (diagram labels: “SG-A level stable at 15%”; “SG-A level decrease”, “SG-B level decrease”, “SG-C level decrease”; “Steam flow > Feed flow” for SG-A, SG-B and SG-C; Conflict 1, Conflict 2, Conflict 3; asterisks marking suspicion levels)

In this section, we discussed how to utilize the existing infrastructure in the reasoning module to simulate operators’ responses to indicator failure. An algorithm for computing the suspicion level is proposed. This algorithm has not been implemented in the ADS-IDAC code. It could be a good topic for future research.

4.4 Modeling the calculation aid

Sometimes the operators need to do more complex calculations to compute a control setting value or determine the plant condition. In order to alleviate the operators’ cognitive load, calculation aids are provided so that the operator can easily get the results based on one or two parameter values. Usually a calculation aid is presented in the form of graphs. An example is shown in Figure 4-32. Several curves divide the whole region into 5 containment conditions. Knowing the input parameter values (containment pressure and hydrogen percentage), one can locate and identify the containment flammability condition using this figure. This helps the operator to assess the situation and supports related decision-making.

Figure 4-32 Calculation aid-containment flammability

Figure 4-33 Fitting of the calculation aid curve of severe hydrogen challenge boundaries (plot: hydrogen percent against containment pressure, with the Hydrogen Challenge Zone marked)

In order to simulate operators’ use of calculation aids (charts and graphs), a new capability has been added to ADS-IDAC. With this new feature the user can code the calculation aid curves in the input file. Each calculation aid curve is fitted to a polynomial function with a highest order of 5. A fitting example of the hydrogen severe challenge boundaries is provided in Figure 4-33. During the simulation, the operator uses one input parameter value (e.g. containment pressure) to find a reference point on the curve, which provides a reference output parameter value (e.g. hydrogen percentage). The operator then compares the reference output value with the actual parameter value to determine the situation. This work extended the capabilities of ADS-IDAC to simulate the operator using a calculation aid, in addition to procedures. This new capability is used in one of our research projects—applying ADS-IDAC to perform Level 1 and Level 2 dynamic PRA.

5 Integration of procedure-based and knowledge-based operator response

In nuclear power plants, procedures are written to guide the operators to diagnose abnormal or accident situations, to respond to plant dynamics, to recover systems’ functions, and to alleviate the consequences. Operators are trained to follow procedures during operation. Each procedure has its entrance and exit conditions, and there are transfer points that link different procedures. A procedure consists of a set of procedure steps. Each step has its logic links that lead to the next to-be-followed step, so there are conditional transitions among procedure steps and among procedures. There are rationales that underpin the logic paths of procedure steps to match a situation to the right procedure steps.

A procedure should have a good coverage of relevant plant situations. However, procedures are not omnipotent. Some uncommon situations may not be fully covered by the procedures. During the operation, in addition to following procedures, the operators also think, reason with their knowledge, and assess the situation. They could form their own opinions of how to respond to the plant situation and what procedure should be used. When the procedure guidance is not consistent with the operator’s situation awareness, operators are faced with a choice between following the procedure and following their own opinions. This decision may have significant consequences. Deviation from the procedure might exacerbate the situation, improve the solution, or might even save the plant.

An important function of the reasoning module is to identify the context where there is inconsistency between the procedure guidance and the operator’s knowledge-based judgment. Based on this, several branching rules were proposed and implemented in ADS-IDAC 3.0:

B1. Once an accident diagnosis is declared, whether or not to immediately transfer to the desired procedure (P-1) (2 branches).
B2. When reaching a procedure step which contains a transfer to the desired procedure but the condition is not satisfied, whether to transfer or not (2 branches).
B3. When reaching a procedure step that guides the operator inappropriately to transfer to another procedure (P-2), whether to transfer to P-2, to transfer to P-1, or to continue in the current procedure (named P-0) (3 branches).
B4. If the procedure in use does not guide the operator to transfer to the corresponding accident procedure after some time, the operator might decide to transfer to the desired procedure even without procedure guidance for this transfer (2 branches).

These branching rules allow ADS-IDAC to explore different operators’ choices of procedures.

6 Modeling Performance Shaping Factors

6.1 Introduction

Performance Shaping Factors (PSFs) are widely used in HRA methods for analyzing human error. PSFs are factors that could influence human error as modifiers, enhancing or degrading human performance (e.g. stress), or could even causally lead to human error (e.g. training, task complexity). PSFs used in typical HRAs cover a wide range of factors. They include one’s psychological feeling or state (e.g. fatigue), one’s personal capability limits (knowledge/training), task attributes (e.g. task complexity), environmental factors (e.g. temperature), ergonomic factors (e.g. human system interface quality), organizational factors (e.g. safety culture), and team factors (e.g. communication). Using PSFs gives analysts great flexibility to include what they believe to be relevant and important for the study.

Several motivations drive the use of PSFs: 1) capturing the situation characteristics that cause or foment human errors; 2) capturing the personal/crew characteristics that cause or foment human errors; 3) reflecting the individual/crew differences. In ADS-IDAC, PSFs are also utilized for these purposes. Integrating PSFs into a cognitive simulation model enhances its causal prediction by manifesting the influence of each PSF on the cognitive processes, instead of treating the cognitive processes as a black box and only adjusting the human error probability.

There is no standard PSF set in the human reliability area. Human reliability analysts use different sets of PSFs, which vary across methods and applications. A set of PSFs summarized by Katrina Groth (Groth 2009) was used as a starting map for choosing the PSFs to be modeled in ADS-IDAC, because it covers most of the relevant PSFs that have significant influence on control room operators’ performance, and it has a clear and orthogonal classification structure. In addition, a database of human errors in 26 nuclear power plant accidents, the Human Event Repository and Analysis (HERA), was reviewed to identify the important and relevant PSFs. In Groth’s PSF set (see Appendix 1: Tiered Classification of PSFs (Groth 2009)), there are five major categories: organization PSFs, team PSFs, personal PSFs, situation PSFs, and machine design PSFs. Among the five, personal and situational PSFs are the main focus of this research, since the main objective of this work is to enhance the individual operator’s cognitive module of ADS-IDAC.

With careful consideration of the importance and ability to measure or to model, we have selected 13 PSF candidates to integrate into ADS-IDAC, listed in Table 6-1. Among these PSFs, some are modeled as quantitative factors that have quantitative assessments, while others are modeled as mechanisms within the causal model of the various cognitive processes. A simulation approach has a particular advantage in modeling PSF effects on operator behavior more realistically through explicit information processing paths.

In many of the human reliability methods, levels of PSFs are assessed either quantitatively or qualitatively. The resulting values are used primarily for estimating human error probabilities, and in some cases for error identification and prediction. Prediction of human errors is one of the main goals of the ADS-IDAC simulation model. As stated earlier, for some PSFs it is more appropriate to use a metric to quantify the level. PSFs such as fatigue, task load, time load, passive information load, and task complexity are in this category. Other PSFs that represent cognitive mechanisms should be built into the cognitive architecture of the simulation model. PSFs such as attention, problem-solving style, prioritization and information use fall into this category. We note that when analyzing a human error retrospectively, one could assign a value to the PSF attention to indicate how adequate the attention was on the task, and indicate the degree to which it contributed to the error. However, in a prospective analysis of possible human errors, one must also consider the different ways that the attention mechanism affects different aspects of the cognitive process.

In the ADS-IDAC program, the user can construct the operator’s knowledge base for the simulation through the input file, so the level of expertise (Knowledge/Experience/Training) is implicitly included in the knowledge base. In addition to the knowledge-reasoning process, a quantitative PSF variable is used to represent the general level of expertise. It is defined to capture the operators’ differences in cognitive capabilities for processing information (e.g. information chunking).

It is also important to note that some PSFs are static through the entire simulation, an example being expertise. Others dynamically change during the simulation. For the PSFs that are not directly built into the model as cognitive mechanisms, one has to assess their levels, and also determine their impact on the cognitive process. PSFs are assessed in two ways. The analyst specifies the values of static factors in the input file. Values of dynamic PSFs are calculated in the simulation as a function of other tangible information extracted from the program (surrogates). The impacts of PSFs are seen through their influence on cognitive process parameters, such as processing span.

Table 6-1 Classification of selected PSFs

PSF                                           D/S   Model Version14
Attention                                     D     2.0/3.0*
Problem-solving style                         D     3.0*
Prioritization                                D     3.0*
Information Use                               D     2.0/3.0*
Time load                                     D     2.0/3.0*
Task load                                     D     3.0*
Expertise (Knowledge/experience/training)     S     3.0*
Passive information load                      D     3.0*
Information load                              D     2.0/3.0
System criticality                            D     2.0/3.0
Task complexity                               D     3.0*
Stress                                        D     3.0*
Fatigue                                       D     3.0*

Quantitative Assessment and Mechanism modeling columns (marks as extracted, row positions not preserved):
X X X X X X X X
X X X X X X

In this section we summarize the results of our study of the PSFs chosen for inclusion in the model. We offer PSF definitions, theoretical basis, and more importantly, ways to integrate them into ADS-IDAC, particularly through the reasoning module. For quantitative PSFs, we present ways to use information from the input model and the simulation variables in ADS-IDAC to assess corresponding levels and to model their impact on the operator’s behavior. Note that we use a continuous scale from 0 to 1 for quantitative PSFs in the reasoning module.

14 ADS-IDAC with this research work is marked as version 3.0. In “Model version” column, 3.0* denotes the new content developed in this research.

6.2 Mechanism PSFs

6.2.1 Attention

Although the concept of “attention” is widely used in daily life and scientific literature, no unified definition can be found. A few definitions are presented here:

“Attention is the means by which we actively process a limited amount of information from the enormous amount of information available through our senses, our stored memories, and our other cognitive processes.” (Sternberg and Mio 2009)

“Attention is the taking possession of the mind, in clear and vivid form, of one out of what seem several simultaneously possible objects or trains of thought…It implies withdrawal from some things in order to deal effectively with others.” (James 1950)

“Attention: refers to whether sufficient cognitive and physical resources are put at the ‘right’ places.” (Chang and Mosleh 2007)

Figure 6-1 Treisman’s attention model (diagram labels: Sensory memory (raw info, last about ¼ sec); Attenuation Filter; Working memory; Long-term memory)

A common notion in these definitions is that attention is about limited cognitive resources and selective processing. Several classic models of attention reflect these two aspects. Broadbent provided an early study of attention. As humans are surrounded by a large volume of sensory information, attention works like a filter, filtering out most of the information and only letting a small part get through (Broadbent 1958). Treisman revised Broadbent’s model, changing the “All or None Filter” to an “Attenuation Filter”, which helps to explain more observations in the experiments (Treisman 1964), see Figure 6-1. Later, capacity theory (Schneider and Shiffrin 1977) was developed, where attention is considered to be a capacity (channel/bandwidth) limitation. This theory quickly dominated the thinking. Cognitive activities are categorized into two types: automatic and controlled processes. A controlled process demands attention, while an automatic process does not. A comparison of automatic and controlled processes is summarized in Table 6-2. Attention is required in the controlled process, which is effortful, capacity limited, serial, under conscious control and interferes with other tasks.

Table 6-2 Capacity theory of attention

Controlled process (attention demanded)    Automatic process
Effortful                                  Effortless
Capacity limited                           Not capacity limited
Interference among tasks                   No interference
Serial operation                           Parallel operation
Under conscious control                    Not conscious

Some concepts of attention used in the clinical area:

• Focused and selective attention: The ability to focus.

• Sustained attention: The ability to maintain focus and alertness over time. It is also referred to as vigilance or alertness.

• Shift attention: The ability to switch attentive focus in a flexible and adaptive manner.

Figure 6-2 is a diagram of the information perception process and the mechanism for attention selectivity. When external information goes through this process, the signal strength is first determined by the physical strength of the signal itself. Further along the neural circuits, the signal strength is modulated by the sensitivity control, which is a top-down active control based on one’s interest in the signal. The signals then proceed to the selection process, where the strongest signals pass through and are perceived. Based on the literature review, we summarize here the factors that impact one’s attention:

• Fatigue reduces the goal-directed (top-down) attention, and stimulus-driven (bottom-up) attention weighs more in the competitive selection stage of the information perceiving process. Fatigue degrades the sensitivity control, so more information passes the competitive selection because of its salient features and not because one is interested in it. At higher fatigue levels, the operator is more susceptible to distraction (Boksem, Meijman et al. 2005).

• Passive Information Load works as a distracter from other key information. For example, actuation of alarms in the control room could interrupt the operator’s current work and cause him to lose focus.

• Stress causes attention narrowing and blocks some information from being processed.

[Figure 6-2 Information perception process (Knudsen 2007)]

In the new ADS-IDAC model, attention is embedded into the information-processing model as a mechanism. We propose the following ways to model the attention mechanism and its impact on the cognitive processes:

• Thought thread management: only one cognitive thread is processed at a time; the direction of the operator’s attention is determined by a prioritization process, which is driven by the operator’s reasoning.

• Alarms could automatically interrupt one’s ongoing cognitive activities. The time duration of the interruption is based on the number of alarms and the operator’s fatigue level.

• A stack buffer is used to store the unprocessed alarms in the operator’s short-term memory. The length of this stack is determined by the operator’s cognitive resource availability and the attention narrowing condition.

• Attention narrowing increases the threshold for processing the cognitive-thread candidates, thus fewer cognitive threads remain active in the working memory. While attention narrowing might improve the operator’s efficiency, it might also reduce his chance of picking up important clues that fall outside the plan.

6.2.2 Problem-solving style

Five different problem-solving styles were identified in the CES HRA method (D. D. Woods 1987). Table 6-3 summarizes the characteristics of each and the approaches we developed to model different problem-solving styles in the reasoning module.

Table 6-3 Approaches to integrate different problem solving styles

Vagabond
  Problem-solving style (D. D. Woods 1987): tends to jump from issue to issue without satisfactory resolution of any.
    • Failure to synthesize or converge multiple views of the situation
    • Many potential views of the set of significant findings are active but remain independent
    • A response orientation emphasized over explanation building so that more coherent explanations never emerge
    • Too interrupt-driven so that every new finding seizes priority
    Time pressure foments the vagabond style.
  ADS-IDAC simulation modeling: Effects modeled through:
    • Wide attention and less attention tunneling.
    • The operator is easily distracted by passive information and allocates more resources to process alarms information.
    • When there are more than one observed phenomena that need to be investigated, the operator jumps from one to another without necessarily finishing either.
    • Newly generated investigation item gets higher priority.

Hamlet
  Problem-solving style (D. D. Woods 1987): tends to consider many possible explanation of observed finding.
    • Missing acceptance criteria
    • Explanation building is greatly emphasized over response management activities
  ADS-IDAC simulation modeling: Exhaustive investigation style. Even when one or more causes are identified, the operator still continues searching for other possible causes.

Garden Path
  Problem-solving style (D. D. Woods 1987): shows excessive persistence on a single issue or activity.
    • Pursues only a single point of view to explain findings
    • Not interrupt driven enough
    • Insensitive to violation of expectation
  ADS-IDAC simulation modeling: Attention tunneling. The operator’s attention is fixated on one cognitive thread, while ignoring others until the current one is fully explored.

Inspector Plodder
  Problem-solving style (D. D. Woods 1987): slowly and deliberately builds up and then narrows in on possibilities (minimal reasoning shortcuts).
  ADS-IDAC simulation modeling: Less use of pattern matching to guide the operator’s attention. Use more rigorous reasoning.

Expert Focuser
  Problem-solving style (D. D. Woods 1987): adept at seeing and focusing in on the critical data for the current context so that it is always working on the most relevant part of the situation.
    • Wide field of attention
    • High level of interruptability
    • Good criteria for scheduling competing activities
    • Good criteria for what is a good explanation
  ADS-IDAC simulation modeling: Less attention switching cost (time and cognitive load). Use proper confidence level threshold as criteria of accepting an explanation and closing the investigation process.

In ADS-IDAC 3.0, three problem-solving styles have been implemented: Vagabond, Hamlet, and Garden-Path styles [15]. The differences among the three problem-solving styles are modeled by varying the following model parameters or information process functions. We discuss them one by one in this section.

[15] Inspector-plodder and Expert-focuser can be added by future research

Maximal alarm stack length
In the reasoning module, a “first in-first out” alarm stack is employed to throttle the passive alarm flow, modeling the limitation of cognitive resources and an individual’s sensitivity in perceiving alarms. It stores unprocessed passive alarm activities (alarm actuation or alarm clear). A model parameter, the maximal alarm stack length, limits the number of alarms buffered in the stack. A long alarm stack would cause the operator to be distracted by alarms all the time in a busy alarm context, while a short stack might make the operator miss some important cues for making the diagnosis or responding to the dynamic situation. Extreme lengths (too long or too short) are not wise strategies for an operator. Different lengths of this stack are used to tailor different problem-solving styles.

Even though the alarm information would interrupt the operator’s ongoing thought line, the operator could choose to ignore the alarm and go back to his ongoing thought. How open or susceptible the operator is to alarm interruptions is partly represented by the maximal alarm stack length. The longer the stack, the more interruptive the alarm activities are. According to numerous studies in psychology, human short-term memory has a capacity between 3 and 7 “chunks”, so 5 is used as the anchor value of a nominal alarm stack length (a reference parameter). The maximal alarm stack length is dynamically adjusted during the simulation by several performance shaping factors: Time Constraint Load, Passive Alarm Information Load, and Fatigue [16]. Basically, the more load the operator has, the fewer cognitive resources are available for processing the passive alarm information.

The Vagabond style operator’s attention is interrupt-driven and always shifts to the new information. This trait makes the operator spend more time processing the passive alarm information and less time on investigation. It enables broader information bandwidth but shallower processing. Based on this tendency, the alarm stack length of the Vagabond style uses a bigger value than the nominal alarm stack length in the simulation [17]. “Garden Path problem-solving style is fixation prone and not interrupt-driven enough”. Operators of this style are less interrupted by the passive alarms, so a shorter alarm stack length is used for simulating the Garden Path style operator. Hamlet doesn’t have a particular tendency in the interrupt-driven aspect. It is neutral between the Garden Path style and the Vagabond style, so we use the nominal alarm stack length for the Hamlet passive alarm stack length.

[16] More discussion in Section 6.4.1

Prioritization among different investigation items
As introduced in Section 4.3.4, the reasoning module employs an active-thread pool to retain the operator’s thought threads in working memory. When there are two or more active investigation items in the operator’s working memory, a prioritization process determines which one is processed at the current moment. Different prioritization rules are used in the reasoning module for different problem-solving styles.

[17] Section 6.4.1 introduces an equation to calculate the maximal alarm stack length

In the prioritization process, the program evaluates each active investigation item in the pool to calculate a priority score based on four factors: 1) how long this investigation item has not been resolved; 2) the activation level of the semantic sentence associated with this item; 3) whether the phenomenon described in this item is still ongoing; and 4) whether it is in an investigation line initiated by an accident event schema for investigating a symptom. The default prioritization rule is that the item with the highest score is chosen to be processed at the current moment. This rule is adjusted or overridden in some conditions in order to model each problem-solving style. This algorithm provides several features in the simulation: 1) the operator intends to resolve existing investigation items; 2) fresher information gets a higher score, other conditions being the same; 3) the operator’s attention favors an ongoing phenomenon over one that has disappeared; 4) the operator’s attention favors accident information.

For the Vagabond style, the program doesn’t use the priority score. Instead, it compares the latest activating time of each investigation item and chooses the latest one to process. The latest activating time is the latest of the following three: the initiation time of the investigation item; the generation time of its situational statement; or the last time when this investigation item was processed. This rule simulates the case where the operator’s mind always jumps to the freshest information without necessarily reaching a conclusion on each one. It features an interrupt-driven information process so that every new finding seizes priority. In addition, a model parameter, attention span, is used in the prioritization function. It is a variable of time length. If the operator stays in one thought line [18] longer than his attention span, the program lets the operator switch back to one of several recent but unfinished thought lines existing in the working memory [19]. This is used to model the phenomenon that the Vagabond style operator jumps from one issue to another. For investigation items related to an ongoing accident investigation, the program automatically modifies their latest activating time to the current time clock and thus keeps them prioritized.

For the Hamlet style, the program uses the priority score with an adjustment. For an investigation item within the ongoing investigation line, the program multiplies its priority score by 1.5 as long as the operator has stayed in this investigation line for less than his attention span. In this way, the operator tends to stay on one investigation line as long as it is within his attention span. If the time spent on the current thought line exceeds the attention span, the program stops favoring its investigation items.

For the Garden Path style, the operator’s attention is fixated on one thought line and won’t move to the next one until the current one is finished. After the operator finishes all the investigation items in the current line, the program selects the next investigation item that has the highest priority score and moves to its corresponding thought line.

[18] A thought line is a set of investigation items, which are linked by their causal relations.
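The three style-specific selection rules above can be compared side by side in a short sketch. This is an added example, not ADS-IDAC code: the class and function names are hypothetical, the priority score is taken as already computed from the four factors, and the way the Vagabond rule picks its target once the attention span is exceeded (the most recently activated item outside the current thought line) is an assumption.

```python
from dataclasses import dataclass


@dataclass
class InvestigationItem:
    name: str
    thought_line: str               # items linked by causal relations share a line
    priority_score: float           # assumed precomputed from the four factors
    initiated_at: float             # initiation time of the investigation item (s)
    statement_at: float             # generation time of its situational statement (s)
    last_processed_at: float        # last time the item was processed (s)
    accident_related: bool = False  # belongs to an ongoing accident investigation


def latest_activating_time(item, now):
    """Latest of the three times; accident-related items are refreshed to now."""
    if item.accident_related:
        return now
    return max(item.initiated_at, item.statement_at, item.last_processed_at)


def select_next(style, items, current_line, time_in_line, attention_span, now):
    """Return the investigation item to process at this moment, or None."""
    if not items:
        return None
    within_span = time_in_line <= attention_span

    if style == "vagabond":
        pool = items
        if not within_span:
            # Assumption: once the span is exceeded, leave the current thought
            # line if any other unfinished line is still in working memory.
            others = [i for i in items if i.thought_line != current_line]
            pool = others or items
        return max(pool, key=lambda i: latest_activating_time(i, now))

    if style == "hamlet":
        def adjusted(i):
            favored = within_span and i.thought_line == current_line
            return i.priority_score * (1.5 if favored else 1.0)
        return max(items, key=adjusted)

    if style == "garden_path":
        # Fixated: only leave the current line when nothing in it remains.
        in_line = [i for i in items if i.thought_line == current_line]
        return max(in_line or items, key=lambda i: i.priority_score)

    # Default rule: the item with the highest priority score wins.
    return max(items, key=lambda i: i.priority_score)


def sample_items():
    """Constructed working-memory content for the demonstration."""
    return [
        InvestigationItem("A", "RCS", 0.60, 10, 12, 40),
        InvestigationItem("B", "SG", 0.80, 30, 35, 35),
        InvestigationItem("C", "RCS", 0.50, 20, 45, 20),
    ]


if __name__ == "__main__":
    for style in ("vagabond", "hamlet", "garden_path", "default"):
        for spent in (20, 90):
            pick = select_next(style, sample_items(), "RCS", spent, 60, now=50)
            print(f"{style:12s} time_in_line={spent:3d}s -> item {pick.name}")
```

With the same three items, the Vagabond rule picks the freshest item, the Hamlet rule stays on the current line only while inside the attention span, and the Garden Path rule ignores the higher-scoring item in the other line until the current line is empty.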

Routine monitoring interval
In a dynamic plant condition, the operator alternates between investigation and the routine monitoring task; investigation explains the observed plant dynamics, while the routine monitoring task maintains the operator’s situation awareness by routinely checking a set of key indicators. To model the limited cognitive capacity, the program processes only one investigation line at a time or only conducts the routine monitoring task. The program switches to routine monitoring mode when it finishes processing all the active investigation items in the working memory [20]. Users specify a list of indicators for routine monitoring and, for each indicator, a suggested time interval between two consecutive readings. In routine monitoring mode, the program selects one indicator to check at a time. An equation is used to calculate a score for each indicator, see Equation 6-1.

[19] Note that investigation items could decay away from the working memory or be overflowed by other investigation items. If there is no investigation item of a thought line still active in the working memory, the thought line will not be visited until one of its investigation items moves back to the working memory.

???????????????? ? ?

? ???? ????????? ???????? ???? ?? ????? ??????????? ???? ?????????? ? ?????????????? ????????
Equation 6-1

When the highest score is above 1, the program sends a request to read the corresponding indicator. Varying the interval multiplier adjusts the routine monitoring frequency. The interval multiplier is adjusted by a dynamic PSF and the problem-solving style [21]. A lower interval multiplier mimics the operator being more active in checking the plant condition; a higher interval multiplier mimics the operator being less active. The problem-solving style is used to adjust the base value of the interval multiplier, to model operators’ individual differences. In our program, the Hamlet style is most active in checking the plant condition, and the Vagabond style is least active.

[20] Note that this only requires finishing all items in the working memory; items in the intermediate memory are not taken into account.
[21] Refer to Section 6.4.4.

Capability of integrating accident evidences

The Vagabond style operator is weak at “synthesizing or converging multiple views of a situation”, thus “many potential views of the set of significant findings are activated but remaining independent”. Because the attention focus switches quickly, the Vagabond operator’s investigation is shallow, and investigation lines are abandoned too early to reach the root cause. Without maintaining a main thought line, the Vagabond operator fails to make connections among the observed plant dynamics. These characteristics are well represented in the prioritization rules introduced earlier.

Accident Confidence

? ??? Causal Path Confidence? ? ? Symptom Coverage?.? ???????????
?

Symptom Coverage ?

N???????? N????? ? N???????
Equation 6-2

In addition to the prioritization rules, the equation for calculating the accident confidence level was modified to mimic the weakness in converging evidence. The original equation was discussed in Section 4.3.2. It is copied here in Equation 6-2. A part of this equation, the term built from the Causal Path Confidence values, puts all the path confidences together like a parallel system.

???? ? ?????? ? ?1 ? ?????? ? ? C?

? ??? ??????? ??? ??? ??? ???????? ??? ??????? ???? ?????

???? ???C? ???? ????? ?????????? ??? ??

Equation 6-3

???? ?? ????? Causal Path Confidence? ? ?? Equation 6-2.
[Figure 6-3 A system block diagram resembling the integration of path confidences. Parallel blocks: Path confidence 1 (this accident causes symptom 1); Path confidence 2 (this accident causes symptom 2); …; Path confidence n (this accident causes symptom n)]

Equation 6-3 represents an operator who is good at integrating evidence to generate the overall accident confidence. It is used for the Hamlet and Garden-Path styles. In order to mimic a degraded capability of integrating evidence for the Vagabond style, a variation is added to Equation 6-3, see below:

? ????????????? ?????????? ? ??, 0 ? ? ? 1

C? ??????? ?? ????? ???? ?????? ??

???? ? ?????? ? ? ? ?1 ? ?????? ? ? C?

Equation 6-4

A capability coefficient is added to the equation. When the coefficient is 1, the equation is the same as Equation 6-3, representing a good capability of integrating evidence. When the coefficient is 0, the equation equals the maximum of the individual path confidences, representing a failure to integrate the evidence and the use of each piece separately instead. A coefficient between 0 and 1 represents a partially degraded capability. In the program, a coefficient of 0.7 is used for the Vagabond style.

Investigation termination criteria
For one plant phenomenon, there might be two or more possible causes coded in the knowledge base. In this simulation, the program does not necessarily examine each one. Once the program finds a valid cause, stopping criteria are used to determine whether to continue examining the remaining possible causes. By varying the termination criteria in the program, ADS-IDAC could mimic different problem-solving styles: exhaustive investigation, satisfactory termination, and an intermediate termination style between the former two.

The Hamlet problem solver “looks at each situation from multiple viewpoints and considers many possible explanations of observed finding” and “explanation building is greatly emphasized over response management activities”. These traits are modeled by an exhaustive investigation rule in the reasoning module. For the Hamlet style operator, the reasoning module tries to examine all the possible causes one by one, even after a satisfactory explanation has been found. This rule simulates a slow but thorough investigation process.

The Garden Path problem solver “pursues only a single point of view to explain findings”. To mimic this feature, a satisfactory termination rule is used for the Garden Path style operator. Once a valid explanation has been found for an investigation item, the program stops examining other possible causes. This rule allows faster investigation, but it might lead the investigation to stop with one plausible cause while missing some real hidden causes.

Vagabond doesn’t have an obvious tendency on the investigation termination criteria. It stays between the two extreme termination rules (the exhaustive investigation and the satisfactory termination). For the Vagabond style, once the program has found one valid cause, the program evaluates the remaining possible causes and calculates a retrieval score for each of them. If the highest retrieval score is below a cutoff value, the program stops investigating more causes.

Accident awareness threshold
The accident awareness threshold is a model parameter that represents an operator’s vigilance level for potential accidents. As introduced in Section 4.2.5, once the confidence level of one accident diagnosis exceeds the awareness threshold, this accident investigation becomes active in the operator’s mind, and the program actively gathers more relevant information from the control panel to support this accident investigation. The Hamlet problem solver tends to conduct exhaustive investigation, so the program uses the value 0 as the awareness threshold to let the operator examine all the possibilities. The value 0.05 is used for the Vagabond and Garden Path styles, which allows onset of active investigation only after the operator has considerable evidence to suspect an accident.

In this section, we discussed modeling different problem-solving styles by adding variations to the reasoning module in six places: maximal alarm stack length, prioritization rules, routine monitoring time interval, capability of integrating accident evidences, investigation termination criteria, and accident awareness threshold. Various combinations of the above factors enable simulating different problem-solving styles. The approach is summarized in Table 6-4. Each combination is a specific simulation configuration, representing a set of operator traits.

Table 6-4 Approaches to implement 4 problem solving styles

                                       Vagabond           Hamlet                                           Garden Path
Routine monitoring time interval       greater            smaller                                          neutral
Maximal alarm stack length             greater            Neutral                                          smaller
Prioritization algorithm               prefer new issue   prefer current issue if within attention span    fixate on one issue
Investigation Termination Criteria     Neutral            exhaustive                                       Neutral
Capability of integrating evidences    Degraded           Full                                             Full
Accident Awareness Threshold           Neutral            0                                                Neutral

6.2.3 Expertise (knowledge/experience/skill/training)

Nuclear power plant operators get systematic and extensive training before they are given an operating license. Their knowledge is at expert level. In the new ADS-IDAC simulation model, the knowledge base is explicitly coded in the input files. Operators’ understanding of the plant system functions and the causal relations of plant dynamics are represented in the form of knowledge links in a knowledge web. The operator’s knowledge gaps or deficiencies could be explicitly coded in the knowledge base. The strength of each knowledge link is coded by two parameters: forward retrieval strength and backward retrieval strength. These represent the ease or difficulty for the operator to recall that knowledge link (causal/inference relation) given one end of this link as the retrieval cue. A small retrieval strength might lead to a longer recalling process or even failure of retrieval.

In the input file, each knowledge link has a parameter, the familiarity level (ranging from 0 to 1), specified by users. The familiarity level is used to generate “knowledge bugs”. At the beginning of a simulation, for each knowledge link, the program generates a random number between 0 and 1. If this random number is smaller than the familiarity level, this knowledge link is blocked in the knowledge web, creating a knowledge bug, meaning that the reasoning module will not use this knowledge link in the simulation.

In addition, we use a quantitative metric (in the range 0 to 1) to represent the operator’s general expertise level, with impacts on assessments of task load and task complexity, and on working memory span (one’s expertise does not really expand one’s physical working memory span, but provides better chunking ability, which in turn enhances the ability to process more information). The operator’s expertise is formed through training and work experience. It serves as a static factor and doesn’t change through a simulation run.
6.2.4 Other mechanisms and process factors

Groth’s PSF set includes some items that are individual behavioral characteristics rather than factors that influence human performance. These items provide a useful perspective in the study of human reliability. They are included in the proposed model, not in the form of quantitative PSFs but rather as processes or mechanisms, similar to the way attention has been treated. This section briefly describes how they are included.

Information use “relates to how well people use the information presented to them” (Groth 2009), including both written information (e.g. procedure) and information from the control panel. “Inadequate information use may entail information that is present but not properly used or failure to access any/all available sources of information”. In the proposed model, the reasoning module utilizes the knowledge base and guides the operator to selectively acquire information from the control panel. Also, the output of the reasoning process serves as input to decision-making, e.g., deciding on which procedure to use. These mechanisms mimic how the operator makes use of the available information.

Prioritization “is how an individual chooses to order tasks” (Groth 2009). This is directly tackled in the proposed thought thread management system. The operator alternates between different task threads in investigating observations and in routinely monitoring key parameters. The frequency of the routine monitoring task is dynamically adjusted in the simulation. The investigations of different observations are prioritized based on the interrelations among investigation chains, the activation level of each item, the investigation time length, the time of observations, etc. More detail is given in Section 6.2.2.

Familiarity with situation “refers to the similarities the worker perceives between the situation and the worker’s general industry knowledge and previous experience” (Groth 2009). In the proposed knowledge web representation, each causal link is assigned a weight that represents the operator’s familiarity with this causal path and the frequency of using that causal path in his/her past experience. A smaller weight gives a smaller chance of retrieving this knowledge link, which might lead the operator to investigate other possible causes first. Through this mechanism, an unfamiliar situation complicates the operator’s investigation.

Bias is a broad term. There are over 100 cognitive biases listed in Wikipedia. In this research we have included several types: familiarity heuristic, recency effect, and priming. When the operator agent retrieves possible explanations for the observation, the retrieving order is based on the operator’s familiarity with that causal link, the frequency of using it in the past, and the semantic activity of its content. The activation propagation in the semantic base allows the activated element to propagate its activation and preheat other related concepts, thus simulating the priming effect. Also, in the simulation, success in using one knowledge unit to explain one’s observation introduces a bias towards using the same knowledge unit to explain the same observations when they happen later.

6.3 Quantitative PSFs

6.3.1 Time constraint load

Time constraint load refers to the pressure induced by the perception of the available time to complete a task. Applying this to the control room operator, “the time constraint load represents the time available until a monitored plant parameter exceeds a critical threshold.” (Coyne 2009). In other literature, time constraint load is also referred to as time pressure and time stress. The time constraint load assessment was already created and built into ADS-IDAC 2.0 by Coyne, and is used in the same way in the new version of the code. The user specifies a list of critical parameters. Equation 6-5 is used to assess the available time before the parameter exceeds a defined threshold. Two thresholds are used for different conditions, one for normal operation and one for the accident situation. The available time is compared with the predefined lower bound and upper bound to get the PSF value, and the time constraint load is determined by the most limiting parameter. Coyne’s assessment of time constraint load scales from 1 to 10. We have normalized it to fit into the 0 to 1 scale used in the reasoning module of ADS-IDAC 3.0.

t ?,????????? ?

P? ? P?,????????? P??

PSF?,???? ?????????? ? 10 ?1 ?

PSF???? ?????????? ? Max?PSF?,???? ?????????? ?

?t ?,????????? ? t ????? ? ? ?t ????? ? t ????? ?

Equation 6-5

In response to the time constraint load, one could employ two types of strategies in order to finish the task at hand: (1) acceleration of the information processing speed, and (2) filtration, i.e., selectively processing only part of the information (Maule, Hockey et al. 2000). Maule’s experiments also found that “in addition to feeling time-pressured participants choosing within a deadline were more anxious and more energetic. It may reflect the greater task involvement and the need to work harder that occurs when a deadline is imposed.”

The assessment of time constraint load serves as input to Stress and Cognitive Resource Use, which impact the cognitive processing speed. It also increases the attention tunneling effect, which means the operator spends more time and cognitive resources tackling the problem at hand instead of monitoring other plant indicators. In addition, a higher time constraint load makes the Vagabond style problem-solver jump from one issue to another more frequently.
6.3.2 Passive information (alarm) load

Passive information refers to salient stimuli that catch one’s attention automatically (e.g. the alarms in the control room). Because passive information is intrusive and grabs one’s attention, it interrupts the ongoing cognitive process. Too much passive information could be overwhelming. In addition to causing mental stress, it shifts one’s attention and impedes the ability to refocus. An example is the control room situation during the Three Mile Island accident. Here is a description according to the operators’ recall: “within minutes, the control room console went wild. Hundreds of lights started flashing, accompanied by piercing horns and sirens. One operator recalled that the console was lit up like a Christmas tree.” [22]

Passive information load is a measure of the amount of passive information that distracts the operator’s attention (in the range 0 to 1). Equation 6-6 is proposed for assessing the passive information load in ADS-IDAC. This equation tracks the alarm activity in the preceding 18 seconds.

PSF??????? ? Min ? ? Min ??
Where:
???? ???

??.??????? ????? ? ??? ?e

??.??????? ????? ??? e

?? ? ? , 1?

0.2059? ??.??????? ?

?? , 1? 3

n? ? ?????? ??? ?? ????? ??? ?? ?????? ??????????? ?? ??????. n? ? number of alarm activities in the ith time step n ? a nominal number as reference for n? .

3 is used for n; it is moderately challenging for a nominal working memory capacity (5 ± 2).

Equation 6-6

[22] This is excerpted from transcripts of a documentary film "Meltdown at Three Mile Island" produced by Chana Gazit and David Stewart, PBS, 1999.

[Figure 6-4 Weighting of alarm activities in recent 18 seconds. Plot of weighting against delta time elapsed from alarm activities (sec), with the curve y = 0.2059e^(-0.461x)]

This equation takes account of the alarm counts in the recent 18 seconds (36 time steps, 0.5 sec/step) with different weights. The weighting curve gives most weight to the alarm counts in the recent 5 seconds. It allows a prompt increase of the passive alarm load after the alarms arrive. Note that ni is the number of unprocessed alarms in the stack, which is different from the number of new alarms in the ith time step. If the operator doesn’t process alarms quickly enough and he has space in the stack to buffer alarms, the unprocessed alarms roll over to the next step and keep being counted and contributing to the Passive Alarm Load.

The assessment of passive information load is an input to the PSF stress. Also, the effect of passive information load is modeled in the cognitive process mechanisms. When one or more alarms arrive, the operator’s attention is automatically shifted to processing the alarm information, which interrupts the ongoing cognitive activity, and the attention may or may not return to it later. If the alarms are too many for the operator to handle, the operator could employ a strategy to filter the alarms and keep his focus on the ongoing cognitive activity. However, the passive alarm information would still interfere by consuming a certain amount of time and other cognitive resources.
6.3.3 Cognitive task load

The following provides a definition of task load: “Task Load refers to the actual task demand assigned to a person in terms of the number and type of tasks” (Groth 2009). Control room operations do not normally involve heavy physical work, so when we assess the task load, only the cognitive task load is of interest. Compared with other HRA methods, simulation models possess the unique advantage of tracking each activity performed by the operator, which allows the program to count the activities and assess the workload specifically. In the reasoning module of ADS, the operator behavior has been decomposed into 6 types of activities as shown in Table 6-5. A cognitive task load increment for performing each type of activity is assigned based on judgment (to be replaced with results from a survey of real operators). Equation 6-7 is proposed and implemented in ADS for assessing cognitive task load during the simulation:

?????????????? ????, ? ? ????????????? ????, ??? ? ? ??.?????? ? ?????, ? ?????, ? ? ????? ? ?? ?
??? ?


Equation 6-7

It measures the rate of performing task activities as the amount of work performed in a time unit. Two parts are summed to give the cognitive load of a time point: one is the cognitive load in the previous time step with a decaying factor; the other is the load built up from the activities performed in the current step. If the ?????, ? is equal to the cognitive load decayed between two consecutive time steps— ????????????? ????, ??? ? ?1 ? ? ??.?????? ?, it means the operator is keeping the same work pace and the cognitive load doesn’t change. If the increment is less than the decayed load, it means the operator’s work pace is slowing down and the cognitive load decreases; if it is greater than the decayed load, it means the operator is working at a faster pace and the cognitive load increases.

[Plot: Decaying Factor of Cognitive Task Load. Vertical axis: Decaying Factor (0 to 1). Horizontal axis: Delta Time from Cognitive Activity Time (second), 0 to 300. Curve: y = e^(-0.013x)]

Figure 6-5 Decaying factor of cognitive task load

Figure 6-5 shows the decaying of cognitive load over time. The cognitive load induced by an activity decays in minutes—10% is left at 3 minutes after the activity. The proposed equation updates the cognitive load in a gradual way in the time scale of minutes. It takes account of the activities in the current time step and in the past several minutes.

Table 6-5 Inputs of decomposed behavior to the task load

| Type | Activity | Full load reference | Load increment per activity, ?j |
|---|---|---|---|
| 1 | Attend to one control panel indicator | Reads 10 indicators in 10 seconds. Full rate: 1 activity/sec | (1 ? ? ??.???????) / 1 ? 0.0129 |
| 2 | Interpret one indicator reading | Interpret 10 indicators in 2 seconds. Full rate: 5 activity/sec | (1 ? ? ??.???????) / 5 ? 0.0026 |
| 3 | Generate a new situational statement | Generate 3 statements in 1 second. Full rate: 3 activity/sec | (1 ? ? ??.???????) / 3 ? 0.0043 |
| 4 | Match a statement in memory with an investigation item | 5 matching activities in 1 second. Full rate: 5 activity/sec | (1 ? ? ??.???????) / 5 ? 0.0026 |
| 5 | Retrieve a knowledge link | Retrieve 5 knowledge link in 10 seconds. Full rate: 0.5 activity/sec | (1 ? ? ??.???????) / 0.5 ? 0.0258 |
| 6 | Determine an explanation | 5 activities in 1 second. Full rate: 5 activity/sec | (1 ? ? ??.???????) / 5 ? 0.0026; ?????????????? ?? ?????? ?1 ? 0.5 ? ?????????????? ? |

Each type of activity corresponds with a set of functions in the program. Reference points are used to calibrate this equation, as shown in the “Full load reference” column. Type 1 activity denotes the operator’s preparation for reading an indicator, which includes walking to a proper position near the indicator and the attention required to take a reading. For type 1 activity, the reference is that reading 10 indicators within 10 seconds gives a full load 1, which could be adjusted by consulting with experts and real operators. A full load (value 1) decays to ? ??.??????? = 0.971 in 1 second, and if the operator attends to one indicator in that 1 second, it keeps the full load. So the load increment for the type 1 activity is 1-0.971 = 0.0129. The reader might notice that the load increment is calculated regardless of which indicator the operator attends to. In a real control room, the distance to different indicators varies, thus the actual load increment changes. The reference in this table gives an average load increment.

Type 2 activity represents the process of reading and interpreting one indicator, e.g. determining a parameter trend or a change of a component/alarm state. Type 3 activity is registering the observation into memory in the form of a situational statement. Type 4 activity is recalling a situational statement and connecting it with an investigation item. Type 5 activity is retrieving a relevant knowledge link for a specific phenomenon. Type 6 is determining the explanations of one phenomenon after getting the necessary information from either operator memory or the control panel. This load increment, induced by the operator’s performing each type of activity, can be calibrated by surveys of real operators and expert judgments, which attach meanings to the load increment value.

The value of the cognitive task load level serves as an input to several other PSFs or factors: stress, fatigue and cognitive resource use. In addition to the PSF modeling of cognitive task load, the effects of high cognitive task load are also captured in the information processing in the reasoning module, e.g. omission or delay of tasks and failure to use available information for diagnosing and planning.
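The recurrence described for Equation 6-7 and the calibration in Table 6-5 can be checked numerically. The following is an added example, not ADS-IDAC code: it follows the prose description (decayed previous load plus the increments of the activities in the current step) with the decay rate read from Figure 6-5. The function names and pacing schedules are constructed for illustration, and the expertise adjustment shown for type 6 in Table 6-5 is left out because its form is not legible here.

```python
import math

# Decay rate per second, read from Figure 6-5 (y = e^(-0.013x)).
DECAY_RATE = 0.013

# "Full rate" column of Table 6-5, in activities per second, keyed by type.
FULL_RATE = {1: 1.0, 2: 5.0, 3: 3.0, 4: 5.0, 5: 0.5, 6: 5.0}


def load_increment(activity_type):
    """Increment that holds a full load (1.0) steady at the type's full rate.

    A load of 1 decays to e^(-0.013) in one second, so the activities done in
    that second must together restore 1 - e^(-0.013). Each activity carries an
    equal share. The type 6 expertise adjustment is not modeled (assumption).
    """
    lost_per_second = 1.0 - math.exp(-DECAY_RATE)
    return lost_per_second / FULL_RATE[activity_type]


def update_load(previous_load, activities, dt):
    """One time step: decayed previous load plus this step's increments.

    No upper cap is applied; the page does not state one.
    """
    decayed = previous_load * math.exp(-DECAY_RATE * dt)
    return decayed + sum(load_increment(a) for a in activities)


def paced_schedule(activity_type, rate_per_sec, duration_s, dt=0.5):
    """Constructed input: evenly paced activities of one type, one list per step."""
    steps = int(round(duration_s / dt))
    schedule, done = [], 0
    for i in range(1, steps + 1):
        due = int(i * dt * rate_per_sec + 1e-9)  # activities owed by end of step i
        schedule.append([activity_type] * (due - done))
        done = due
    return schedule


def simulate(schedule, dt=0.5, initial_load=0.0):
    """Return the load after each step of the schedule."""
    load, trace = initial_load, []
    for activities in schedule:
        load = update_load(load, activities, dt)
        trace.append(load)
    return trace


if __name__ == "__main__":
    for t in sorted(FULL_RATE):
        print(f"type {t}: increment per activity = {load_increment(t):.4f}")

    # Same work pace: one indicator attended per second keeps a full load full.
    steady = simulate(paced_schedule(1, 1.0, 10), initial_load=1.0)
    print(f"full pace for 10 s, starting at 1.0: {steady[-1]:.4f}")

    # Slower pace: half the full rate settles near half load.
    half = simulate(paced_schedule(1, 0.5, 2000))
    print(f"half pace, long run: {half[-1]:.4f}")

    # No activity: what is left of a full load after 3 minutes.
    idle = simulate([[]] * 360, initial_load=1.0)
    print(f"idle for 180 s, starting at 1.0: {idle[-1]:.4f}")
```

The half-pace run shows a property the prose only implies: under this recurrence the steady-state load is roughly proportional to the work pace relative to the full rate.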
6.3.4 Task complexity

Task complexity is “Cognitive demands of the task at hand. It considers the difficulty of diagnosing and executing work, the amount of knowledge required to complete the task, the number of steps required to complete the task, the precision required, and the ambiguity of the situation” (Groth 2009). In some literature, task complexity is defined as a function of objective task characteristics without considering the individual’s capability. In some, task complexity is treated as a purely subjective psychological experience, and in others, it is a measure of interaction among task characteristics, personal capability and feeling. The last definition is adopted in this research.

ADS-IDAC provides cognitive contextual information on task attributes. Combining the task attributes with the operator’s expertise level, the program calculates the level of task complexity. In this research, we are only interested in the task complexity in the situational diagnosing phase of the operator; currently the task complexity in the response-planning and action-taking phases is not included (footnote 23: these aspects could be extended in future research).

Some facets of task complexity from existing literature and data are summarized here (Patterson and Roth 2010; Navon and Gopher 1979; Campbell 1988; Andrews and Halford 2002; Arend, Colom et al. 2003):

1. Amount of information involved in the task;
2. Number of cognitive processes;
3. Data overload—“Problems that need to be detected and addressed are buried in a large amount of potentially relevant information”;
4. Attention demand—“Requirements for rapid attention shift”;
5. Internal consistency of the information, variability and diversity of the information;
6. False prime explanations;
7. Stereotype violations;
8. Missing information;
9. Misleading indicators;
10. Effects at a distance; cascading effects;
11. Novel situation;
12. Context change;
13. Inadequate guidance/preparation;
14. Uncertain information

These facets are highly relevant to the complexity in the diagnosis phase. Facets 1-5 reflect some context features that could be directly sensed by the operator; 6-10 are some factors that affect the outcome of the diagnosis (e.g. success/failure, fast/slow), but the operator might not be aware of these effects. For example, some information is misleading but the operator does not know that he is misled by this information (or else he would not likely be misled); some important information is missing, but the operator is not aware of this. As we decided to measure the complexity as an interaction among task characteristics, personal capability and feeling, 6-10 are not taken into the calculation of complexity. Even though facets 6-10 are not included in the quantitative assessment, their effects are modeled in the information processing. In other words, the following influences are taken into account in the simulation:

• False prime explanations: during the simulation, if the operator has found one or more plausible explanations, he might stop exploring other explanations and thus the real explanation might be hidden.

• Stereotype violation: if the operator sees one or more typical accident symptoms are missing, his confidence of this accident would be diminished, which would discourage the operator from considering this accident and investigating it.

• Misleading information and missing information: in the simulation, the operator reasons with the incomplete information and misleading information, which degrade his situation awareness and diagnosis.

• Effects at a distance: this implies that the relation between the root cause and the observable effects is not obvious. It takes multiple links to connect the root cause and the observable symptom. The reasoning module of ADS naturally models the difficulty posed by this. It takes more time and effort for the operator to go through these causal links to reach the root cause in the simulation. Due to alarm interruption and attention switching modeled in the program, the reasoning might be interrupted in the middle and be forgotten. Also, the reasoning might deviate to some alternative explanations in the middle. Due to all of these factors, the operator has less chance to successfully make connections between the observable effects and the root cause.

Facets 11 and 12 are modeled by the knowledge retrieval strength parameters in the knowledge base. Facet 13—inadequate guidance/preparation is represented by a PSF “Expertise level”, as an input for calculating task complexity. Facet 14—uncertain information could be a very important factor in some severe accidents: when the plant is severely damaged, the indicators degrade and the reliability of indicators is an issue. Operator’s trust in degraded indicators (different from reasoning about a specific indicator failure) is a topic not included in this research (footnote 24: future research).

Based on the literature review and scope of this study, we have identified several types of information for assessing the task complexity in the diagnosing phase: A) observed system dynamics, B) diagnosis confusion, and C) operator’s expertise level.

Observed system dynamics include parameter trend changes, component state changes, and alarm state changes. System dynamics represents facets 1-4 well. A faster pace of system dynamics poses a greater challenge for the operator to keep following the situational changes and to make sense of the observation. Operator expertise facilitates the operator’s coping with fast system dynamics in several ways: structuring and sorting the observations systematically, speeding the retrieval of knowledge for explaining the observation, and making connections between different pieces of information.

Diagnosis confusion represents the complexity induced by inconsistent information—facet 5. For example, in an SGTR accident, the typical symptom—high secondary radiation—is missing due to indicator failure, but other evidence points to an SGTR accident. This causes confusion to the operator. In the program, the higher the diagnosis confidence built up by other evidence, the stronger the degree of confusion the operator feels.

Equation 6-8 is proposed to measure the task complexity in ADS-IDAC. Observed system dynamic and diagnosis confusion are two main sources of complexity, and system dynamic is compensated by the PSF—expertise level. Similar to the measure of cognitive load, ??????? ???????? measures the rate of dynamic changes in the recent period of time (in a scale of minutes).

??? ???????????? ? 0.8 ?

??????????

??????? ???????? , ? ? ??????? ????????, ??? ? ? ??.?????? ? ????????, ? ? 0.0129

??????? ???????? ? 0.2 ? ?????????? ?0.5 ? ?????????????? ?

? ??????????????? ??????? ???? ?? ??? ???? ???????? ?? ?? ????????????
Where:

????????, ? ? ??? ???? ???? ?? ???????? ??????? ??????? ?? ??????

i ? time step

Equation 6-8

The calculated value of task complexity serves as input to assess stress level and level of cognitive resource use.
6.3.5 Stress

The PSF stress combines the various stressors into one factor: time constraint load, passive information load, cognitive task load, and task complexity. Equation 6-9 is used for quantitatively assessing the stress level.


??????????? ?

1 4

? ??????????????? ???? ? ????????? ???? ? ???????????? ????? ???? ? ??????????????? ?

Equation 6-9
6.3.6 Fatigue

Human fatigue is a widely used concept with different meanings. Fatigue has been defined in several dimensions: general fatigue—the feeling of being tired, bushed, and exhausted; mental fatigue—cognitive degradation; physical fatigue; sleepiness and sometimes lack of motivation or lack of activity (Akerstedt, Knutsson et al. 2004). The subjects of this research are operators in the control room. There is not much heavy physical duty involved in their tasks. Thus we will only consider the following three dimensions: mental fatigue, sleepiness, lack of motivation/activity. Human fatigue is induced in two ways (DeLuca 2005):

• prolonged effort—performing tasks over a long period of time;
• sustained effort—maintaining intensive and constant effort.

Based on a literature review (Akerstedt, Knutsson et al. 2004; DeLuca 2005; Duntley 2005), we summarize some factors that contribute to fatigue and discuss how to include each one in the simulation model; see Table 6-6.

Table 6-6 Factors contributing to fatigue

| Factors | Modeling Comments |
|---|---|
| Sleep deprivation; Medications (e.g., antihistamines); Unhealthy lifestyles; Medical conditions | These are static factors, determined before the simulation. ADS allows the user to specify an initial fatigue level in an input file. |
| Task load | Task load induces accumulation of fatigue over time. |
| Stress/Pressure | Stress works as an accelerating factor, which causes one to become fatigued more quickly. |

Equation 6-10 is proposed for assessing the fatigue level in the ADS program. The first term C??????? refers to the initial fatigue level, and the user could refer to the static factors in Table 6-6 to assign a value. The second term denotes the fatigue induced by the prolonged work time; this part gradually increases over time irrespective of the workload. The third term is the fatigue induced by the sustained effort; it represents accumulation of fatigue by performing tasks. The fatigue development is accelerated by stress level. ?1 ? ??????????? ?? gives higher weight to the load under higher stress.

PSF??????? ? C??????? ? 0.2 ? ?1 ? ? ????? ? ?1 ? ? ??.????
?? ??

?? ????? ??? ? ????????? ???? ????????????? ? ?? ?

? ? 0.8

Where:

?

t ? working time, in seconds

Equation 6-10

A typical crew shift is 8 hours. The term ?1 ? ? ????? ?? ?? ? gives a value of 0.9 at t = 28800s (8 hour). As an example to illustrate this quantification, in a scenario of an intensive 3-hour examination, assuming the cognitive load is full (value 1) and the stress level is also full (value 1), the term ?1 ? ? ??.???? ?? ????? ??? ? ????????? ???? ????????????? ? ?? ? ? gives a value of 0.9 after 3 hours of work.

Impacts on cognitive process
The impacts of human fatigue include: decline in working memory, short-term memory, degradation of executive function or complex attention, vigilance, verbal fluency, or verbal memory (DeLuca 2005); impairment in attention, concentration (Akerstedt, Knutsson et al. 2004; Boksem, Meijman et al. 2005; DeLuca 2005); slower processing speed (Akerstedt, Knutsson et al. 2004; DeLuca 2005). Table 6-7 lists ways to model the effects of fatigue in ADS-IDAC.

Table 6-7 Manifestations of fatigue in the simulation model

| Effect On | Manifestation Modeling |
|---|---|
| Attention | As fatigue develops, attention degrades at the top-down selective control level and is more driven by the stimuli in a bottom-up fashion. This affects the tasks which demand top-down attention control, e.g. routine monitoring. The ability to concentrate also degrades as fatigue develops. |
| Working Memory Maintenance, span | Fatigue degrades the working memory maintenance. Less memory information could be buffered in short term memory; unattended investigation items decay faster. |
| Cognitive Processing Speed | Higher fatigue renders slower cognitive processing speed. |

6.4 Model parameters—manifestation of PSFs
6.4.1 Maximal length of alarm stack

Maximal alarm stack length is dynamically adjusted by three factors: 1) passive alarm load, 2) fatigue level, and 3) openness to interruption. As shown in Equation 6-11, the term ?4 ? 3 ? ??????????? sets the baseline of the maximal length, which is comparable to the short term memory capacity 5 ? 2 ; the three PSFs ( ???????????? ????? ???? , ????????? ???? and ???????????? ) can change dynamically to adjust the maximal length of the alarm stack. Fatigue adjusts the cap of cognitive resources for buffering alarm information; and cutting the task pile is one of the responses to the time pressure (the other is accelerating work pace). Passive information load feeds back to update the maximal stack length as a way of coping with heavy alarm load, illustrated in Figure 6-6.

??????? ???????? ?

? ?4 ? 3 ? ??????????? ? ?1 ?

????????? ???? ? ? ?1 ? 0.6 ? ???????????? ? 2

???????????? ????? ???? ? ? ?1 2 ? ??????????

Where:

0.5 ?? ?????? ???? ??????? ?? ????????? ?1.0 ?? ? ????? ??????? 2.0 ?? ?????? ????? ????

Equation 6-11


Figure 6-6 Diagram of passive alarm load and max alarm stack length
6.4.2 Cognitive resource use

Cognitive resource use denotes the level an operator is motivated by his or her feeling of the challenges of the task. It is used for adjusting the operator’s working pace. Similar to the stress level, the cognitive resource use is a function of time constraint load, passive alarm load, cognitive load and task complexity. These four factors give different incentives to the operator for accelerating his or her work. Therefore they are given different weights. Time constraint load gives the most incentive, so it has the highest weight (0.4), followed by passive alarm load (0.3), cognitive load (0.1) and task complexity (0.1).


? ??? ???????? ??????????

? ?????????????? ???? ? 0.1 ? ???????????????

? 0.4 ? ????????? ???? ? 0.3 ? ???????????? ????? ???? ? 0.2
Equation 6-12

6.4.3 Information processing speed multiplier

The information processing speed multiplier is used to adjust the time cost of each function in the program. It is determined by the cognitive resource use and the ???????????? , see Equation 6-13. When the motivation of working fast is high, more cognitive resource is used, and hence the processing speed is increased. But the processing speed has a cap, because the cognitive resource is limited; this cap is adjusted by the fatigue level.

?? ????? ??????????? ?1 ? ???? ???????? ????????????1 ? 0.80 ? ???????????? ?
Equation 6-13
6.4.4 Routine monitoring interval multiplier

Routine monitoring interval multiplier is a parameter to adjust the monitoring interval. When the user specifies a list of key indicators to be routinely monitored, a nominal time interval between two consecutive indicator readings is usually given to each indicator. This nominal interval may be adjusted by the routine monitoring interval multiplier, which is a function of ???????????? and the problem solving style, see Equation 6-14.

?? ?????????? ???????? ??????? ???????? ?1 ? ???????????? ? ? ?????? 0.5 ??????? ?????? ??? ? ?????? ? 1.5 ?? ????? ???????? ??? 1.0 ??????? ???? ?????? ???

Equation 6-14
6.4.5 Attention span multiplier

During the simulation, the program records the time that the operator has been working on the current thought line and compares it with a model parameter—attention span. For Vagabond style operator, if the time exceeds the attention span and there is one or more other unfinished investigation lines in the working memory, the operator’s attention will jump out of the current investigation line and switch to a different one. For Hamlet style operator, if the time is less than the attention span, the prioritization function will favor the investigation items within the current thought line by boosting their priority scores. But Garden-Path style operator is not affected by the attention span, because he or she is narrowly focused and always refocuses back to the ongoing investigation line. When the operator is under time load (pressure) or fatigued, he or she may incline to switching from one issue to another. This is modeled by adjusting the attention span with an attention span multiplier. This multiplier, as shown in Equation 6-15, decreases when time load increases or the operator develops fatigue.

? ?????????? ???? ???????????

1 ?1 ? ????????? ????? ? ? ?1 ? ???????????? ?
Equation 6-15

6.4.6 Memory span multiplier

Memory span limits the maximal number of active investigation items stored in the working memory. When the limit is exceeded, the program removes the oldest investigation item (that has not been attended for the longest time) from working memory. The program dynamically adjusts the memory span parameter with a multiplier. As shown in Equation 6-16, fatigue degrades the capacity of memory span; time constraint load reduces the memory span, which models attention channeling; and memory span increases with expertise level, because an expert employs structured memory schemas to store information, so more information can be retained in the working memory.

? ?????????? ???? ????????

1 ? ?????????????? ?1 ? ???????????? ? ? ?1 ? 0.2????????? ???? ?
Equation 6-16

6.4.7 Decay time of unattended investigation item multiplier

In the program, if an investigation item has not been attended to for a period of time longer than a decay time threshold, this item will decay and be removed from the working memory to intermediate memory. The decayed item doesn’t participate in the prioritization process (selection for processing) until it is brought back to the working memory under several conditions. The decay time threshold is adjusted by a multiplier. This multiplier can be obtained by using Equation 6-17.

? ?????????? ???? ??????????

1 ?1 ? ???????????? ? ? ?1 ? ???????????? ????? ???? ?
Equation 6-17

6.4.8 Static model parameters

In ADS-IDAC, several model parameters of the reasoning module are specified by the user and are static—they do not change throughout the simulation. These parameters include accident awareness threshold, diagnosis confidence threshold and activeness in gathering accident evidence.

Accident awareness threshold (range from 0 to 1) represents an operator’s vigilance level for potential accidents. Once the confidence level of one accident diagnosis exceeds the accident awareness threshold, this accident investigation becomes active in the operator’s mind, and the program will actively gather more relevant information from the control panel to support this accident investigation.

Diagnosis confidence threshold (range from 0 to 1). When an accident diagnosis confidence level exceeds the diagnosis confidence threshold, the program declares this accident. Adjusting the confidence threshold will affect the time of reaching accident diagnosis. A higher threshold requires more and stronger evidence to support the diagnosis, thus it might take a longer time to declare an accident. This mimics the operator’s prudence in declaring an accident.

Activeness in gathering accident evidence (range from 0.5 to 10) is used to calculate the time for the program to actively check the next symptom and explain it, see Equation 6-18. Once an accident diagnosis confidence level is above a specified threshold, the program actively examines its undiscovered symptoms one by one. Figure 6-7 shows the delta time between two symptom investigations. Higher activeness in gathering accident evidence gives a smaller time delay between two symptom investigations; this mimics an operator who is more active in checking accident symptoms.

????? ???????

673 ? ? ??.??????????? ?????????? ????? ? ???????? ? ????????? ???????? ????????? ?? ???????????

Equation 6-18
[Plot: Delta T (sec), 0 to 600, versus Diagnosis confidence, 0 to 1; one curve per Activeness value: 1, 2, 4, 6, 8, 10]

Figure 6-7 Delta time before actively checking the next symptom
6.4.9 Model parameter static multiplier

In order to provide more flexibility in tailoring operator performance modeling to reflect operators’ individual differences, the program allows the user to assign a static baseline multiplier for each of the following model parameters in the input file:

• Maximal length of alarm stack
• Information processing speed
• Routine monitoring interval
• Attention span
• Memory span
• Decay time of unattended investigation item

During the simulation, each of these parameters is adjusted by the product of its static baseline multiplier and the corresponding dynamic multiplier (introduced in Section 6.4.1 to 6.4.7).

6.5 Summary of PSF assessments and PSF manifestations

Figure 6-8 summarizes the impact flow among surrogates, PSFs and the manifestation model parameters. Surrogates are contextual information obtained from ADS-IDAC simulation, shown as green nodes. These surrogates are used to assess the value of the quantitative PSFs (yellow nodes). The manifestation nodes (in pink) are model parameters to implement the impact of the quantitative PSFs on cognitive processes.

Figure 6-8 Surrogates-PSFs-Manifestations propagation paths

Due to space limitation, the bubbles’ titles in Figure 6-8 are shortened to one or two words, or an abbreviation. Their full explanations are provided below, and the link to the detailed discussion of each is attached:

• Parameter—a list of critical plant parameters used to assess the time constraint load. By comparing the current parameter value with a threshold, we may assess how fast the parameter will reach the threshold. Refer to 6.3.1.
• Alarms—passive alarm activities (alarm actuation and alarm clear). Refer to 6.3.2.
• Activities—the information processing activities that are visited in the scenarios (e.g., reading an indicator, interpreting one indicator reading, retrieving a corresponding knowledge element/statement/indicator reading, evaluating the cause of an observation). Each of these activities incurs time and/or cognitive load increment. Refer to 6.3.3.
• Dynamics—system dynamics includes: change of parameter trend, change of component state and change of alarm state. Refer to 6.3.4.
• Confusion—diagnosis confusion due to inconsistent information: positive evidence vs. negative evidence. Refer to 6.3.4.
• Cognitive load—cognitive task load. Refer to 6.3.3.
• Complexity—situation diagnosis complexity. Refer to 6.3.4.
• Fatigue—mental fatigue. Refer to 6.3.6.
• Styles—problem-solving styles. Refer to 6.2.2.
• CRU—cognitive resource use. Refer to 6.4.2.
• Speed—information processing speed. Refer to 6.4.3.
• Alarm stack—maximal length of alarm stack. Refer to 6.4.1.
• Monitor F—monitor time interval. Refer to 6.4.4.

7 Simulation Case for Model Calibration and Validation
7.1 Introduction

A simulation case study is used to calibrate and validate the ADS-IDAC model. The new features of ADS-IDAC are shown through thorough discussions of the simulation outputs in chapter 8-10. The simulation case was selected from an international HRA empirical study (E. Lois 2009). The core of the empirical study is experiments performed at the Halden Reactor Project HAMMLAB research simulator, where human crews were asked to respond to specifically designed accident situations. Four accident scenarios were used in the Halden experiments. They are: basic SGTR, complex SGTR, basic LOFW, and complex LOFW accidents. Correct diagnosis of the complex SGTR is a challenging task for the operator, while the accident diagnoses of the other three are simple and straightforward. The current research focuses on enhancing modeling of operator situation awareness and accident diagnosis, so the challenging complex SGTR accident was selected with the aim to calibrate ADS-IDAC as well as to demonstrate the new features.

The validation and calibration are mostly achieved qualitatively, and at the face validity level. Model calibration is an iterative process: whenever any unreasonable result was observed in the simulation outputs, the model was modified and new simulations were performed to generate new outputs for further review. This process kept iterating until we reached a good state. With the calibrated model, we simulated the operator responses to the complex SGTR. The results of our simulation were compared with those from the Halden experiments in the following measurements: the coverage of crews’ accident diagnosis timings and the coverage of operator procedure progressions—how many of the observed procedure progressions in the Halden experiments were actually reproduced in our simulation.

This chapter describes the simulation case scenario and the ADS-IDAC input model. Detailed simulation outputs can be found in chapter 8, and thorough discussions of the simulation results are given in chapter 9-13.

7.2

Scenario description

Halden simulator mimics a three-loop Pressurizer Water Reactor (PWR). The complex SGTR scenario takes place when the plant is in normal operation with 100% power. The event starts with a MSLB which causes a quick automatic reactor trip. The auto control system closes MSIVs in response to the MSLB. Meanwhile, a SGTR happens coincidently. Since the MSIVs are closed, the radioactive material leaking through the ruptured steam generation does not reach the condenser air ejector detector, which is located downstream of the MSIVs. Moreover, the secondary radiation indicators/alarms in main steam line are failed. The operators are trained to use the high secondary radiation reading as the primary symptom of a SGTR accident. However, this symptom is masked by the closure of MSIVs together with failure of radiation indicators in main steam line, which adds complication to the operators’ diagnosis.

138

Figure 7-1Main steam line system Procedures are deigned to guide operators in making diagnosis and bringing the plant to a safe and stable condition after a disturbance. However, the procedures do not cover everything. There are situations that the procedures failed to address. Whereas the operators are required to follow procedures, they also think and assess the situation with their own knowledge and experiences. The knowledge-based reasoning serves as an important check on whether or not the procedure is suitable for the current situation. This check is achieved by comparing the rationale behind the procedure guidance and the operators’ situational assessment. Knowledge-based reasoning is a key back-up when procedures do not cover the accidental situation well, which is the case in complex SGTR accident. In Table 7-1, a list of relevant procedures for the complex SGTR case is given. E-3 is the correct procedure for coping with the complex SGTR accident. So operator entering E-3 139

marks the correct diagnosis. Hence the operator procedure progression is of interest for validating ADS-IDAC predictive capabilities. Table 7-1 Procedures involved in the complex SGTR accident Procedure E-0 Function Guides the operator to diagnose the problem and identify the procedure that should be used to bring back the plant to safe conditions. Deals with one or several faulted steam generators Deals with tube rupture in one or several steam generators Terminates the safety injection

E-2 E-3 ES-1.1

Following a reactor trip, the operators are expected to enter the Emergency Operating Procedure (EOP) E-0 for diagnosing the accident. In E-0, the direct diagnosis step for SGTR (E-0 step 19) asks the operator to check the secondary radiation level. This is inadequate for the operator to reach the diagnosis of SGTR. Another important symptom of SGTR accident is that the water level of the ruptured SG is significantly higher than the intact SGs. The water level symptom is used in several places in the procedure to guide the transfer to E-3, but not in E-0 step 19 which is the primary diagnosis step for SGTR. Since the procedure guidance of transferring to E-3 is not evident or straightforward in this case. The operator knowledge-based reasoning is challenged. To predict the operators’ performance in events like this, simulation of the knowledge-based reasoning is an essential part.

7.3 ADS-IDAC simulation model

A knowledge base was built for this case study. It contains 172 knowledge links for the operator’s knowledge of 26 parameter indicators, 31 component state indicators and 44 alarms. The most relevant systems or components are: steam generators, main feed water and auxiliary feed water systems, level control systems, main steam line system, pressurizer system, steam dump system, and rod control system. In ADS-IDAC simulations of the complex SGTR case, the initiating event, the MSLB, occurs at t=850s. It takes around 600 seconds for the RELAP thermal hydraulic model to reach a stable full power operation state from t=0s. The reasoning module starts to run at 700s and the operator starts with the routine monitoring task. SGTR is set to happen when the MSIVs close. For the sake of simplicity, we subtract 850s from the clock time in the following chapters, i.e., the initiating event happens at time 0.

7.4 Outputs layout

The outputs of the reasoning module provide the following information for each simulation sequence:

• Accident event diagnosis confidence over time.
• Operator’s view of the plant state, including direct observations and judgments inferred by reasoning.
• Operator’s investigation of the observed abnormal plant dynamics and corresponding explanations.
• Log of operator activity—recording operator attention focus over time.
• History of the indicator readings.
• History of semantic unit activation values.
• History of dynamic PSFs and model parameters.

We discuss and present the simulation results in chapters 9-11.

8 General Simulation Results

In this chapter, simulation results of the complex SGTR case [25] are presented. The program can generate multiple sequences in one simulation. Here one sequence is used to illustrate typical products of the reasoning module. Detailed discussions are given of the operator’s general situation awareness—observations and explanations of key phenomena, accident diagnoses, and the evolution of quantitative PSFs and dynamic model parameters over time.

8.1 Observation and explanation of observations

This section presents the operators’ situation awareness of key phenomena in the complex SGTR accident. To form good situation awareness, the operator needs to closely follow and understand the plant dynamics. This includes the trends of key parameters and the actuation of automatic system control actions. The operators’ situation awareness can be assessed by considering whether or not the operator successfully explained the observed phenomenon. In one simulation sequence, 636 investigation items were created [26]. Among these investigation items, 279 were initiated by the operator’s observations of plant dynamics, and 357 were created in the reasoning process to support other investigation items. Through the reasoning chains (connections of all the investigation items), the program put different pieces of information together to form explanations of the observations. An example is shown in Figure 8-1. Each block in the figure is an investigation item, corresponding to a plant phenomenon. A block in red represents a phenomenon that is absent; a block in green is an observed phenomenon; and a block in orange represents a possible phenomenon. For the observed phenomenon “Tave decrease”, the operator examined three hypothetical causes:

• “control rods move in” didn’t happen at that time, so it was not the cause;
• “steam load increase” was possible;
• “safety injection is on” was true, which explained the “Tave decrease”.

[25] Case description is available in Chapter 7.
[26] 636 investigation items seem to be too many for 40 minutes of operation. The count contains a lot of repeatedly observed phenomena. Only 397 of them got processed in the memory, and a lot of the 397 items received only very shallow processing. So this program does not simulate a super “fast” operator. Chapter 8.3 provides narratives of the operator activities in the first several minutes. They show that the operator in the simulation processes information at a reasonable pace, like a real human being.

Figure 8-1 An example of simulation outputs—explanation of Tave decrease

In this reasoning chain, the operator accepted safety injection as the cause of “Tave decrease” and believed “SG fault” and “MSLB” were possible, but this piece of evidence—“Tave decrease”—was not strong. This example shows how explanations of observations were generated. We summarize the generated observations and explanations of key parameter trends in this scenario together in Figure 8-2, Figure 8-3 and Table 8-1.


Figure 8-2 and Figure 8-3 show the key parameter trends in this accident scenario.

[Figure 8-2 panels, each plotted against time from initiating event (min): PRZ pressure (psig), with phenomena (1)-(6) marked; Tave (temperature, F), with phenomena (7)-(9) marked; PRZ_level, with phenomena (10)-(11) marked; SG_Levels (wide-range and narrow-range levels of SG A, B and C), with phenomena (12)-(15) marked.]

Figure 8-2 Key parameter trends in the simulation (Part 1 of 2)

[Figure 8-3 panels, each plotted against time from initiating event (min): SGs Pressure (psi) for SG_A_Pressure, SG_B_Pressure and SG_C_Pressure, with phenomena (16)-(20) marked; SG Feedwater Flow (lb/s) for SG_A_FW_Flow and SG_B_FW_Flow, with phenomenon (21) marked.]

Figure 8-3 Key parameter trends in the simulation (Part 2 of 2)

In Table 8-1, the operator’s explanations of the key phenomena generated by the reasoning module are given in correspondence with the parameter trends in Figure 8-2 and Figure 8-3 [27]. It can be seen that the operators’ attention was reasonably directed to follow the key phenomena in the accident contexts. These key phenomena were perceived through different information perception channels. Some of these key phenomena were detected by the operators’ routine monitoring and scanning, some were passively perceived through the actuated alarms, and some were gathered by the operators’ active attention control mechanism—actively gathering relevant information to support the knowledge-based reasoning and accident diagnosis.

[27] Note: some phenomena might have been observed more than once, so more than one investigation item could have been generated in the reasoning process for each. To make this chapter concise, we combine the similar investigations and discuss each once here.

Table 8-1 Explanations of some key phenomena in one simulation sequence
No | Key phenomenon | Operator’s explanation generated in reasoning module | Explanation correctness
(1) | Pressurizer pressure decreased after the main steam line broke. | He believed it was caused by the decreasing RCS temperature and decreasing pressurizer level. | Correct
(2) | Pressurizer pressure increased after the MSIVs closure | The operator failed to explain this phenomenon at first. It happened after the MSIVs closure. The operator saw that the RCS was cooling down, which should have led the pressurizer pressure to increase instead of decrease. So that was not the cause. The actual reasons for the pressurizer pressure increase were: • The increased RCS inventory due to the actuated safety injection. However, the operator was not aware of the increase in inventory. Normally operators use pressurizer level to monitor the RCS inventory. At that moment, the pressurizer was empty, so the operator could not directly see the change of the RCS inventory. • Closure of MSIVs stopped the large cooling down from the secondary. Increasing pressurizer pressure was explained later after the RCS inventory increased above pressurizer’s bottom and the operator could see the pressurizer level was increasing. | Partially
(3) | The pressurizer pressure is decreasing | The operator explained this by the decreasing RCS temperature. There was a clear turn between trend (2)-pressurizer pressure increasing and (3)-pressurizer pressure decreasing. However, there wasn’t a clear turn of the RCS temperature trend or pressurizer level trend. So, there should be another reason to explain this phenomenon. The actual reason was also not clear to the authors. It might be a change unrevealed in the RELAP model. | Not accurate
(4) | The pressurizer pressure is increasing | The operator explained this by two observations: pressurizer level was increasing, and pressurizer backup heaters were on. | Correct
(5) | The pressurizer pressure is stable | The reasoning module did not try to explain stable parameter, but it could initiate investigation to explain why an expected increasing/decreasing trend was not observed | /
(6) | The pressurizer is decreasing | The operator explained this by the RCS cooling down. | Correct
(7) | The RCS average temperature is decreasing | The operator explained this phenomenon by two confirmed causes: reactor trip and safety injection. In addition, the operator started to suspect the possibility of MSLB, which could quickly cool down the RCS. | Correct (started the diagnosis of MSLB)
(8) | The RCS average temperature is decreasing | The operator explained this by the ongoing safety injection. | Correct
(9) | The RCS average temperature is decreasing | The operator explained it by the ongoing safety injection and the secondary cooling down. | Correct
(10) | The pressurizer level is decreasing | The operator explained it by the decreasing RCS temperature after the reactor trip and started to suspect the possibility of LOCA or SGTR. | Correct
(11) | The pressurizer level is increasing | The operator explained it by the ongoing safety injection | Correct
(12) | The steam generator level is decreasing | The operator explained it by the reactor trip transient and the fact that feed water supply was less than the steam flow. | Correct
(13) | Steam generator A level is increasing | The operator explained it by the increased feed water to steam generator A. He thinks of SGTR-A, which could also increase the water level in SG-A. Hence, the confidence level of SGTR was increased just a little bit by this finding, due to the presence of a strong competing explanation. | Correct
(14) (15) | Steam generator A level is much greater than the levels of steam generator B and C. | The operator at first thought about the feeding rates and found it could not explain the different levels in SG-A and SG-B, because in order to control the water level in steam generator A, the operator had already decreased the feed water flow to steam generator A. With this the operator ruled out one possible cause. The only cause left was that SG-A received water from another source other than the feed water—a SGTR accident. | Correct (This is a crucial cue for the operator to reach the diagnosis of SGTR.)
(16) | The pressure of steam generator is increasing after the reactor trip. | This is a transient after reactor trip. This piece of knowledge was not included in the operator’s knowledge base (in the input model), so the operator failed to explain this phenomenon. | Fail to Explain
(17) | The pressure is decreasing in three steam generators. | This is caused by the MSLB. The operator explained this by a faulted SG accident or a MSLB accident. Since the operator observed large pressure drop in all three steam generators, the operator thought MSLB accident was more likely. | Correct (More evidence for the diagnosis of MSLB)
(18) | The pressure is increasing in three steam generators. | The operator explained this by the closing of MSIV. | Correct
(19) | The pressure was decreasing in three steam generators. | This was actually due to the reverse cooling down (the RCS cools down the secondary side by the cold coolant from safety injection). However, this piece of knowledge was not included in the operator’s knowledge base. The operator could only think of a possible explanation: steam generators faulted, which is not true. | Misdiagnosis
(20) | The pressure was increasing in steam generator A after the isolation of steam generator A. | The operator explained this by the increasing inventory in the steam generator A, due to the leakage from the RCS to steam generator A. | Correct
(21) | The feed water flow to steam generator A was smaller than the feed water to steam generator B | This is due to the operator’s actions on the feed water regulator valves, in order to control the water level in steam generator A. This is used as supporting information for ruling out one possible cause of the phenomena (14) and (15)—the difference between steam generator A level and the other two steam generator levels. It helped the operator to reach the diagnosis of SGTR accident. | Supporting information for diagnosis of SGTR accident.

From the simulation results, it can be seen that ADS-IDAC is capable of reproducing the following types of behaviors and mechanisms:

• The active attention control mechanism, driven by the knowledge-based reasoning process. Examples from the case include: a) when the operator perceived the Tave-Tref low deviation alarm, his knowledge drove him to check the Tave reading and he found Tave had decreased; b) the operator suspected that a SGTR accident might have happened, and his knowledge of this accident led him to actively check the relative indicator: secondary radiation level.

• The use of the operator’s knowledge to generate correct explanations of the observations. For example: the operator explained phenomenon (1)—“pressurizer pressure decrease”—by “pressurizer pressure level decrease”, and he explained phenomenon (12)—“steam generator level decrease”—as an expected transient after reactor trip.

• The operator’s failure to explain phenomena due to a knowledge deficit in the knowledge base. See phenomenon (19): the real cause of “steam generator pressure decrease” was the reverse cooling: the reactor coolant system reversely cools water in the steam generator, which is not commonly seen. This piece of knowledge is not included in the knowledge base, thus the operator mistakenly attributed this to steam leakage in the steam generator, which could [28] lead to an incorrect diagnosis.

• The operator’s failure to explain phenomena due to missing information. Take phenomenon (2) for example: due to the limitation of the indicator range, the operator wasn’t able to see that the reactor coolant inventory was increasing, which he could have used to explain the increasing pressurizer pressure.

• The operator’s suspicion of a possible accident by making a causal connection between a hypothetical accident and an observed phenomenon. See phenomenon (7): the operator observed that Tave was decreasing, found two valid explanations and suspected another possible cause—steam load increase. Continuing with this suspicion, he thought of MSLB, which could cause an unexpected steam load increase. Through his reasoning, his thought reached the suspicion of a MSLB accident.

• The operator’s reasoning with more evidence to support his/her diagnosis. See phenomenon (17): the operator actively checked the pressure in three steam generators for his diagnosis of MSLB accident and faulted steam generator accident, and he found that the pressure in all steam generators was low and that there was no pressure difference among the three steam generators. This new evidence helped him to confirm his diagnosis of MSLB and to reject the diagnosis of faulted steam generator accident.

• The operator’s strengthening of a diagnosis by ruling out other possible explanations of an observation. See phenomenon (21): the operator saw that steam generator A level was much higher than steam generator B level, and his reasoning led him to check one hypothetical cause: feed water flow to steam generator A higher than to steam generator B. He found that the feed water flow was the same, and then he ruled out this hypothesis and was left with only one cause—SGTR accident.

[28] Declaration of an accident is based on two factors: 1) accident confidence level; and 2) diagnosis confidence threshold.

8.2 Accident Diagnosis

In the simulated scenario, the operator reached the diagnosis of MSLB accident and SGTR accident by knowledge-based reasoning.

[Figure 8-4 plot: confidence level versus time (minutes), annotated with the symptoms: SG-A pressure low, SG-A pressure decrease, SG-C pressure low, SG-C pressure decrease, SG-B pressure low, SG-B pressure decrease, SG-A feed flow < steam flow, control rods move out, Tave decrease.]

Figure 8-4 Simulation result—operator’s diagnosis of MSLB accident

[Figure 8-5 plot: confidence level versus time (minutes), annotated with: SG pressures decrease; MSIVs were closed, the operator attributed it to SG faults; SG feed flow < steam flow; Tave decrease; rods move out; no difference between SG pressures.]

Figure 8-5 Simulation result—operator’s diagnosis of SG-A fault accident
[Figure 8-6 plot: confidence level versus time (minutes), annotated with: SG-A level > SG-C level; SG-A level > SG-B level; SG-A level increase; PRZ level decrease; secondary radiation low; MSIVs blocked radioactive material from reaching detector in the condenser.]

Figure 8-6 Simulation result—operator’s diagnosis of SGTR-A accident

Figure 8-4, Figure 8-5, and Figure 8-6 show the operator’s diagnosis confidence progression. Each graph starts at the point where the operator started to suspect an accident condition, that is, when the operator made a causal connection between an observation and the accident hypothesis for the first time. Over time, the operator got more evidence, positive or negative, and his confidence in the accident was dynamically adjusted accordingly. Note that the accident confidence is not updated at the time when the operator makes the observation; instead it is updated when the operator makes connections between the observation and the accident hypothesis. Green text in these figures marks observed symptoms that confirm the diagnosis; red text marks missing symptoms; and orange text marks a symptom that is missing but that the operator had figured out did not apply to the current situation any more. The calculation of the accident diagnosis confidence is based not only on symptom presence or absence, but also on the likelihood with which the operator believed the observed symptoms were caused by a hypothetical accident.

In the simulation, the symptoms of the MSLB accident were straightforward, hence the operator was able to reach the diagnosis in minutes, whereas the diagnosis of SGTR took a longer time. The confidence level of the SG fault accident was also considerably high in the middle of the scenario. During a simulation, the program declares an accident diagnosis when the confidence level exceeds a user-specified threshold. Hence, the operator might make a misdiagnosis—SG fault accident—depending on the operator’s prudence, i.e., the confidence threshold [29]. Table 8-2 lists some of the key observations that advanced the operator’s diagnoses and how they were brought to the operator’s attention. As shown in the table, most of the MSLB symptoms were evident and appeared as alarms, which caught the operator’s attention, while most of the SGTR symptoms required the operator’s active controlled attention. This simulation demonstrated the improved capability of simulating the operator’s attention direction and information usage.

[29] If we set the threshold greater than 0.631, the operator does not declare a steam generator fault accident in the simulation; otherwise, the operator will incorrectly declare a steam generator fault accident.

Table 8-2 Perception of information
Observation | How it is perceived by the operator
MSLB and SG fault diagnosis |
SG-A feed flow < steam flow | Cued by alarm “MS_MF mismatch”
Control rods move out | Cued by alarm “Control rod move out”
Tave decrease | Active attention driven by knowledge-based reasoning
Steam generator pressure low and decrease | Cued by alarm “Low SG pressure alarm”, and cued by routine monitoring later.
SGTR diagnosis |
Pressurizer level decrease | Cued by alarm “Low pressurizer level”
SG-A level increase | Detected by routine monitoring
SG-A level was much higher than the other two SGs | Detected by routine monitoring
Secondary radiation low | Active controlled attention driven by accident diagnosis
MSIVs blocked radioactive material | Active controlled attention driven by accident diagnosis

8.3 Simulation Outputs: PSFs and Manifestations

This section presents the PSF assessments and their effects on cognitive model parameters in the simulation of complex SGTR accident. The PSFs and model parameters are presented together with explanations and comments.
[Figure 8-7 plot: passive alarm load versus time (minutes), annotated with: MSLB related alarms, SGTR related alarms.]

Figure 8-7 Passive alarm load in complex SGTR accident

The passive alarm load is given in Figure 8-7. From Figure 8-7, we may conclude that the alarms come in clusters, because the high passive alarm loads are clustered at the beginning and the end. In turn, this is explained by the fact that the MSLB related alarms were concentrated in the first several minutes and the SGTR related alarms appeared late in the scenario; in between the alarm clusters, there are alarm clear activities.
[Figure 8-8 plot: passive alarm load versus time (minute) for the Garden Path, Hamlet and Vagabond operators, with a linear trend line for Vagabond.]

Figure 8-8 Passive alarm load with three problem-solving styles

Figure 8-8 shows the passive alarm loads of three operators with different problem-solving styles in the first 1.2 minutes. Due to their different personal characteristics, the Vagabond operator processes most of the alarms and the Garden-Path operator ignores most of them. Therefore the Vagabond operator is the most interrupted by alarms and has the highest passive information load; the Garden-Path operator is the least interrupted and stressed by the alarm load; and the Hamlet operator is in between.

[Figure 8-9 plot: PSF_Cognitive_Task_Load versus time (minute), annotated with: busy with diagnosing the situation (MSLB symptoms); busy with diagnosing situation (SGTR symptoms); pay close attention to some indicators.]

Figure 8-9 Cognitive task load in complex SGTR accident

Figure 8-9 shows an operator’s cognitive task load in the simulation. After the initiating event at t=0, the operator’s cognitive load quickly increased as a series of system dynamics appeared. The operator was very busy in the first several minutes. Later, when he reached the diagnosis of the MSLB accident and explained a lot of the observed system dynamics, his cognitive load decreased and the plant system was relatively calm from t=10 min to t=17 min. As the symptoms of the SGTR accident appeared later, the operator became busy again. After he reached the diagnosis of SGTR, he was still busy because he paid close attention to a set of indicators as required in several mental procedures.

[Figure 8-10 plot: PSF_Cognitive_Task_Complexity versus time (minute), annotated with: complexity induced by system dynamics; system dynamics due to SGTR; confusion raised; confusion resolved.]

Figure 8-10 Cognitive task complexity in complex SGTR accident

Figure 8-10 plots the cognitive task complexity over time. In the first several minutes, there were a lot of system dynamics (changes of parameter trend, alarm state and component state), which contributed to the complexity. As the system calmed down, the complexity dropped. At t=17 min, the complexity soared due to the confusing information the operator perceived: on the one hand, the operator observed that the water level in steam generator A was increasing abnormally faster than in the other two steam generators, which strongly indicated a SGTR accident; on the other hand, confusingly, the most common symptom of SGTR—high secondary radiation level—was missing. Later, when the operator figured out the reason for the missing symptom, the complexity dropped immediately.

[Figure 8-11 plot: PSF_Cognitive_Task_Complexity versus time (minute) for the Vagabond (V), Hamlet (H) and Garden-Path (G) operators.]

Figure 8-11 Cognitive task complexity with three problem-solving styles

Figure 8-11 shows the complexity difference between three problem-solving styles. The confusion started sooner for the Hamlet style operator and later for the other two, due to their different diagnosis timing. The three operators spent different lengths of time in confusion.

[Figure 8-12 plot: PSF_Stress versus time (minute).]

Figure 8-12 Stress level in complex SGTR accident

Figure 8-12 shows the operator stress level in the complex SGTR accident scenario. It is the average of passive information load, cognitive task load, task complexity and time constraint load. The spikes on the curve are induced by the passive alarms.

[Figure 8-13 plot: PSF_Fatigue versus time (minute).]

Figure 8-13 Mental fatigue level in complex SGTR accident

The operator’s mental fatigue develops over time; see Figure 8-13. The slope changes with task load and stress level.

[Figure 8-14 plot: Model_Parameter: Max_Alarm_Stack_Length versus time (minute) for the Garden Path, Hamlet and Vagabond operators.]

Figure 8-14 Maximal alarm stack length

Figure 8-14 shows that the Vagabond style operator has the most cognitive resources open for the passive alarm information, and the Garden-Path style operator is the least open for alarms. The stack lengths are comparable with short term memory capacity (5±2).

[Figure 8-15 plot: Model_Parameter: Cognitive_Resouse_Use versus time (minute).]

Figure 8-15 Model parameter: cognitive resource use

Figure 8-15 shows the cognitive resource use in the complex SGTR accident. It represents the level of motivation for working fast.

[Figure 8-16 plot: Model_Parameter: Cognitive_Time_Cost_Multiplier versus time (minute).]

Figure 8-16 Model parameter: cognitive time cost multiplier

As fatigue develops, the time cost of cognitive processes increases over time; see Figure 8-16. It fluctuates with cognitive resource use—the motivation for working fast.

[Figure 8-17 plot: Model_Parameter: Routin_Monitor_Interval_Multiplier versus time (minute).]

Figure 8-17 Model parameter: routine monitoring interval multiplier

As fatigue develops, the operator is less active in monitoring the plant situation. This is captured by the model parameter routine monitoring interval multiplier; see Figure 8-17. A greater interval multiplier means the operator is less active in checking indicators and updating his mental model.

[Figure 8-18 plot: Model_Parameter: Investigation_Item_Decay_Time versus time (minutes).]

Figure 8-18 Model parameter: investigation item decay time

As fatigue develops, an unattended investigation item decays faster in the working memory; see Figure 8-18. The decay time is also impacted by the passive alarms.

[Figure 8-19 plot: Model_Parameter: Memory_Span_Multiplier versus time (minutes).]

Figure 8-19 Model parameter: memory span multiplier

Figure 8-19 shows that the memory function degrades over time. This is due to fatigue. With a smaller memory span, fewer investigation items can be maintained in the working memory and more overflow to the intermediate memory.

[Figure 8-20 plot: Model_Parameter: Attention_Span_Multiplier versus time (minutes).]

Figure 8-20 Model parameter: attention span multiplier

Figure 8-20 shows that the attention span degrades over time. This is due to fatigue: as fatigue develops, it is easier to lose focus. This simulation result demonstrates that the PSF assessments cover key contextual characteristics and that the effects of PSFs are realized by the model parameter changes.

9 Simulation Results for Crew Problem-Solving Styles

This chapter presents details of the simulation results for the problem-solving styles implemented in ADS-IDAC. Three simulations of a complex SGTR accident case were run, each using a different problem-solving style configuration (Hamlet, Vagabond and Garden-Path). Different features of the three problem-solving styles were demonstrated in the simulation results. This section presents narratives of operator behaviors in the first several minutes after the initiating event, operator use of information, a comparison of the three operators’ attention direction and highlights of the diagnosis progression. The focus of this section is only on the accident diagnosis phase. The operator response after the accident diagnosis will be discussed in a later section regarding procedure usage.

The accident scenario was introduced in chapter 7. The initiating event is a main steam line break downstream of the MSIVs, occurring at time t = 0. A tube rupture of steam generator A happens when the MSIVs automatically close at t = 03:21 (min:sec).

For convenience, the names given to the three operators are consistent with their problem-solving styles: OV—Vagabond style operator; OH—Hamlet style operator; and OG—Garden-Path style operator.

In the complex SGTR accident, the symptoms of MSLB and SGTR appeared at different time periods. MSLB rapidly causes a lot of plant dynamic changes in the first 5 minutes of the simulation, while the symptoms of SGTR are revealed much later. Hence, we discuss the diagnosis of these two accidents separately.

Some relevant abbreviations used in this section are indicated below:

• Tave—average reactor coolant temperature;
• Tref—reference temperature of reactor coolant, which is calculated based on the steam power. It is the target reactor coolant temperature input to the reactor automatic control system;
• MSIV—main steam isolation valve;
• MSLB—main steam line break (downstream of the MSIV);
• SGTR – steam generator tube rupture.

9.1 Alarm information

[Figure 9-1 plot: alarms versus time (minute) over the first 5 minutes, annotated with: auxiliary feed auto starts; reactor trips; safety injection actuates; steam generator pressure low; main steam isolation actuates.]

Figure 9-1 Alarm activities in first 5 minutes

(A red + is an alarm activity. A dot denotes the time that an operator starts to suspect a MSLB accident)
The 1st alarm is actuated 6s after the initiating event, followed by the 2nd alarm at 7s. The 3rd alarm comes at 13s. They are “Control rods moving out alarm”, “Tave-Tref low deviation alarm” and “Turbine running back alarm”. These 3 alarms provide very useful clues for diagnosing the MSLB accident. Here are the causal links between MSLB and these three alarms:

• MSLB=>steam load increases=>control rods move out automatically to match the steam power;
• MSLB=>steam load increases=>Tave decreases=>Tave-Tref low deviation;
• MSLB=>steam load increases=>control rods move out=>reactor power increases=>reactor power > 104%=>Turbine runs back;
• MSLB=>steam load increase=>Tave decrease=>reactor power increases
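The causal links listed above can be held as a small directed graph and searched backward from an alarm to the accident that explains it. The Python below is an added example, not ADS-IDAC code: the node names are the ones in the four chains (with spelling normalized), while the function names, the breadth-first search and the `max_depth` limit, which stands in for a line of reasoning that is cut short, are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Causal chains from the list above. Node spellings are normalized here
# (an assumption of this example) so each phenomenon maps to one graph node.
CHAINS = [
    "MSLB=>steam load increases=>control rods move out",
    "MSLB=>steam load increases=>Tave decreases=>Tave-Tref low deviation",
    "MSLB=>steam load increases=>control rods move out=>reactor power increases"
    "=>reactor power > 104%=>turbine runs back",
    "MSLB=>steam load increases=>Tave decreases=>reactor power increases",
]

# The three alarms named in the text, as graph nodes.
ALARMS = ["control rods move out", "Tave-Tref low deviation", "turbine runs back"]


def build_cause_map(chains):
    """Return {effect: set of direct causes} parsed from 'a=>b=>c' strings."""
    causes = defaultdict(set)
    for chain in chains:
        nodes = [n.strip() for n in chain.split("=>")]
        for cause, effect in zip(nodes, nodes[1:]):
            causes[effect].add(cause)
    return causes


def explanations(observation, causes, max_depth=None):
    """Backward-chain from an observation to root causes.

    Returns every causal path (root first, observation last) that uses at
    most max_depth links. A root is a node with no recorded cause. An
    observation with no recorded cause at all yields no explanation, which
    is how a gap in the knowledge base shows up.
    """
    paths = []
    queue = deque([[observation]])
    while queue:
        path = queue.popleft()
        parents = causes.get(path[0], set())
        if not parents:
            if len(path) > 1:
                paths.append(path)  # reached a root cause
            continue
        if max_depth is not None and len(path) - 1 >= max_depth:
            continue  # reasoning stopped before reaching a root
        for parent in sorted(parents):
            if parent not in path:  # guard against cyclic knowledge links
                queue.append([parent] + path)
    return paths


def rank_hypotheses(observations, causes, max_depth=None):
    """Map each root cause to the sorted observations it can explain."""
    support = defaultdict(set)
    for obs in observations:
        for path in explanations(obs, causes, max_depth):
            support[path[0]].add(obs)
    return {root: sorted(obs) for root, obs in support.items()}


if __name__ == "__main__":
    cause_map = build_cause_map(CHAINS)
    for alarm in ALARMS:
        for path in explanations(alarm, cause_map):
            print(" => ".join(path))
    # A reasoning depth of 3 links reaches MSLB from two of the three alarms.
    print(rank_hypotheses(ALARMS, cause_map, max_depth=3))
```

The turbine runback alarm is reached from MSLB by two distinct five-link paths (through the control rods and through Tave), so it is the alarm that needs the deepest reasoning to tie back to the accident.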

The reactor trips at 18s. Many plant dynamics follow the reactor trip, and they generate a busy stream of information. Only some of these alarms provide clues that point to the root accident.

Table 9-1 Number of alarms missed by the operators
 | OV (Vagabond) | OH (Hamlet) | OG (Garden-Path)
Alarm missed | 10 | 15 | 21

There are 57 alarm activities in total in the first 201 seconds, 47 alarm actuations and 11 alarm clears (in the control room, sounds are generated when alarms actuate or go off). Table 9-1 summarizes the number of alarm activities missed by the operators. OG’s attention is most fixated and least interrupt-driven; he missed 21 alarm activities. On the contrary, OV’s attention is wide open for interruption, so he checked most of the alarm activities and only missed 10. OH is in between OV and OG; he missed 15 alarm activities.

9.2 Diagnosis of MSLB

9.2.1 Overview of the three Operators’ Diagnosis Progression

Figure 9-2 shows the diagnosis progress made by the 3 operators. The three operators exhibit different paces of diagnosis. Each marker denotes an update of the diagnosis confidence when the operator gets more evidence. Their suspicion of MSLB starts at different times (OV at 01:47, OH at 00:47 and OG at 1:07). This is because their attention is focused on different aspects of the situation and hence, they begin to suspect the occurrence of the MSLB at different points in time. OV’s attention always jumps from one issue to another without solving any. When he gets distracted, he leaves his ongoing thought line and attends to the newly perceived information. Often, his reasoning doesn’t go far enough to hit the root cause, even if his flexible attention allows him to perceive a lot of clues pointing to the accident. His reasoning first hits the MSLB at t = 01:48 in a relatively long time gap between alarm activities at t = 00:59 and t = 02:30 (see the blue dot in Figure 9-1), which allows his mind to focus on his thought without interruption.

[Figure 9-2: plot titled “Diagnosis of MSLB” (y-axis: Confidence Level, 0 to 1; x-axis: Time (minute), 0 to 3.5), with one curve each for Vagabond, Hamlet and Garden Path.]

Figure 9-2 Diagnosis progresses of MSLB accident

Different from OV, OG’s attention is fixated on one issue until he finishes it while OH’s attention is assigned in favor of the ongoing issue as long as it is within his attention span. Both OH and OG could stay on one issue longer than OH. After perceiving the first alarm, they spent enough time to investigate it and hit the suspicion of MSLB accident earlier than OV.

[Figure 9-3: knowledge diagram in which “Control rod moving out” has two possible causes. Cause 1: Tave – Tref < -1. Cause 2: Steam power increase.]

Figure 9-3 Knowledge for explaining “Control rod moving out”

Between OV and OG, their thought trains deviate at the very beginning due to their different problem-solving styles even though they both started with the alarm “control rod moving out”. Two possible causes are coded in the knowledge base for explaining this phenomenon, as shown in Figure 9-3, and both are valid causes in this situation. Prompted by the 2nd alarm “Tave-Tref low deviation”, the activation level of the semantic concept “Tave-Tref < -1” became high, as seen in Figure 9-4. Even though cause 2 is the more frequent cause of “control rod moving out” according to their retrieval weight, both OV and OG first thought of cause 1 due to its high activation in the working memory. They checked the control panel and confirmed cause 1. Because OG tends to explain from a single point of view, after he got cause 1 as the explanation, he didn’t consider the other possible cause and his thought went in the direction of investigating “Tave-Tref < -1”. On the contrary, OH possesses an exhaustive investigation style; he tends to consider many possible explanations of an observed finding. Though he found cause 1 as a valid explanation, he continued to consider the other cause—“Steam power increase” and his thought line went in that direction. This demonstrates how different problem-solving styles lead the operators to different tracks.

[Figure 9-4: plot titled “Activation level of two possible causes” (y-axis: Activation, -0.2 to 1.2; x-axis: Time (seconds), 0 to 10), with curves for Cause 1: Tave_minus_Tref_<_-1 and Cause 2: load_increase, annotated “Got into attention focus”, “perceived alarm "Tave_Tref low deviation"” and “Activation decay”.]

Figure 9-4 Activation levels of two causes of “control rod moving out”

Three steam generator pressure low alarms actuate at t = 02:30, providing crucial clues of MSLB. All the three operators perceived these alarms, and their diagnosis confidences soar quickly. As we can see from Figure 9-1, the actuation time of these three alarms is separate from other alarms. So the passive information load at that time is relatively low and all the three operators can clearly perceive them. If other alarms are actuated along with these three, the operator may be overwhelmed and the three alarms go unnoticed, leading to time delay of the diagnosis. Before 02:30, OV and OH each only reached suspicion of MSLB once, while OH used plant information in a way that led him to MSLB three times, at t = 00:47, 01:48 and 02:09. Instead of the first evidence—Control rod moving out, OH increased his confidence with observations “Tave decrease” and “Mismatch of feed flow and steam flow”. The two pieces of evidence didn’t increase his confidence much because of other competing explanations: safety injection explains Tave decrease, and trip of main feed pumps explains feed flow decrease.

9.2.2 Narratives of operator activities generated in the simulation

Three tables provide detailed information regarding each operator’s mental reasoning activities and attention focus in the first several minutes of the simulation. Table 9-2 reports mental activities of OV (Operator Vagabond) generated in the simulation, Table 9-3 reports mental activities of OG (Operator Garden-Path), and Table 9-4 reports mental activities of OH (Operator Hamlet). As shown in the narrative, OV’s reasoning gets interrupted by a lot of alarm activities; new information gets priority of being processed. Within the first 164 seconds of the accident, OV’s mind switched from one issue to another 11 times.

OG’s attention was fixated on one issue at a time. Even though his reasoning got paused by new alarms, he always returned to his ongoing thought line after checking the alarms. He only switched to a new thought line after completing the previous one. In the first 175 seconds of the accident, he switched thought line 3 times. OH has a longer attention span than OV. His prioritization of unresolved investigation items favors the items in the ongoing thought line. Hence OH often went back to his ongoing thought line after a short interruption by new alarms. He switched thought line 3 times within the first 175 seconds.

Table 9-2 Narrative of OV’s reasoning activities

Time    Summarized Script (OV: Vagabond style)

--:- (Normal Operation, plant is stable at full power) OV routinely monitors key parameters

00:00 00:06 00:06 00:07 00:08 00:14 00:14 00:14

(Initiating Event, Main Steam Line Break happens)

(The 1st alarm breaks the peace: control rods move out and make ticking sounds) OV attends to the alarm.

(The 2nd alarm follows: Tave - Tref low deviation alarm.)

(Thought line switches. No. 1)
OV shifts his attention to the 2nd alarm and investigates the cause of the Tave-Tref deviation. He looks at the Tave indicator and finds out that it is decreasing. The 3rd alarm actuates, indicating turbine is running back.

(Thought line switches. No. 2)
OV’s attention is distracted by the new alarm. He recalls from his knowledge that turbine runs back when the reactor power is greater than 104%.

00:17 00:18 00:18 00:25 00:25 00:26 00:26 00:27 00:32 00:33 00:36

(More alarms are activated) As always, OV shifts his attention to the new alarms. He sees steam generator A/B/C levels are low; low-low steam generator level reactor trip is on; motor driven auxiliary feed water pump automatically turns on; and main feed and main steam mismatch.

(Reactor trips and a big wave of new alarms are activated.) OV’s attention is busy reviewing the new alarms individually. He recognizes the reactor trip alarm; over power delta temperature reactor trip alarm is on; and low pressurizer pressure alarm is on. Even though OV doesn’t intentionally ignore any alarm, he still misses some of the alarms due to limited cognitive resources. OV wants to see whether the reactor power was above 104%, but the reactor has already tripped. He missed the chance to confirm this directly from the control panel but only infers this from the alarms.

(Thought line switches. No. 3)
OV switches to investigate the mismatch of main steam and main feed. But he doesn’t have enough time because alarms keep activating and interrupting his thought. He notices some and misses others. He notices that Tave reaches low-low threshold and low pressurizer pressure reactor trip turns on.

00:37 00:50

(Thought line switches. No. 4)
No more alarms are activated at this point. OV now investigates the most recent phenomenon—low pressurizer pressure. Why is it decreasing? He asks himself. The first possible cause that comes to his mind is the coolant volume change. He confirms this by looking at the pressurizer level. Yes, the level is decreasing and the coolant volume is decreasing. Continuing with this thought line, he thinks the decreasing pressurizer level should be due to Tave decreasing. He looks at the Tave indicator and confirms this.

00:50

(Thought line switches. No. 5)
00:57

OV’s investigation time exceeds his attention span limit. He leaves the current thought line. He attends to the low Tave phenomenon first, then moves to low pressurizer pressure phenomenon, then jumps to the phenomenon of motor driven auxiliary feed water pumps automatically turning on. He recalls from his knowledge that when the steam generator levels reach low-low threshold, the auxiliary pumps would automatically turn on.

(More alarms are activated) OV attends to the new alarms. He observes that Tave-Tref deviation alarm is on; pressurizer level is low; safety injection automatically turns on; main feed water pumps trip; low pressurizer pressure safety injection alarm is on; and steam generator level low-low is on. OV’s attention shifts from one alarm to the other.

00:57 00:57 01:04 01:04

(Thought line switches. No. 6)
OV attends to the issue of low pressurizer safety injection.

01:04 01:42

(Thought line switches. No. 7)
OV observes that Tave is low and decreasing. He starts to think about the reason for Tave decrease. Since the reactor has already tripped, Tave is no longer controlled by the control rod. So it’s not a control rod problem. Then he thinks of another possible cause—safety injection is on. The cold water is being injected into the reactor. Also, Tave is supposed to drop immediately after the reactor is tripped by the steam dump. Moreover, he suspects that there may be some unexpected steam load. No more alarms are activated, so OV stays in this investigation line for a long time. He checks the steam generator PORVs and finds them in normal closed position. He examines the steam dump valves and they are also in closed position.

Then he starts to think there might be a steam leakage, either steam generator fault or main steam line break.
01:45 01:56 01:57

Finishing the investigation of the causes of Tave decrease, OV investigates other possible causes of pressurizer pressure decrease. He examines the pressurizer spray valves and finds they are all closed. He looks at the pressurizer pressure PORV and it is also closed. He ends the investigation of pressurizer pressure.

(Thought line switches. No. 8)

02:08 02:08 02:17

OV’s attention jumps back to an earlier investigation item—Tave-Tref low deviation. Since the reactor has already tripped, the Tref is stable. Then the only explanation is Tave decrease, which he just investigated.

(Thought line switches. No. 9)
OV switches to monitoring mode and attends to the steam generator level. He sees that steam generator level has decreased a lot and it is still decreasing. He knows that the steam generator level is expected to drop a lot right after the reactor trip. The thought of reactor trip leads him to think about safety injection, so he investigates the cause of safety injection automatic actuation. He recalls that low pressurizer pressure safety injection was on and thinks that should be the cause of safety injection.

02:18 02:30 02:30 02:31 02:44

(Thought line switches. No. 10)
OV’s previous investigation time length has reached his attention span limit. His attention shifts to the decreasing steam generator level issue. He checks the feed water flow and steam flow and finds out that the feed water flow is less than the steam flow. (Three new alarms actuate after about 100 seconds from the last alarm activity)

(Thought line switches. No. 11)
OV attends to the new alarms. He finds out that steam pressures in all three steam generators are low and decreasing. This information quickly leads him to the diagnosis of steam leakage. It might be either steam generator fault or main steam line break. OV sees the pressures in all of the three steam generators are equally low and believes it is much more likely that a main steam line break has happened downstream of MSIVs. He reaches a diagnosis.

Table 9-3 Narrative of OG’s reasoning activities

Time    Summarized Script (OG: Garden-Path style)

--:- (Normal Operation, plant is stable at full power) OG routinely monitors key parameters

00:00 00:06 00:07 00:07 00:08 00:13

(Initiating Event, Main Steam Line Break happens)

(The 1st alarm breaks the peace: control rods move out and make ticking sounds) OG’s attention is distracted by the alarm. He stops his routine monitoring task and starts to investigate this alarm. This is his first investigation thought line.

(The 2nd alarm sounds: Tave-Tref low deviation alarm.) OG notices the Tave-Tref deviation alarm. He decides to continue with the investigation of the 1st alarm. The 2nd alarm reminds him that Tave-Tref low deviation could have led the automatic system to pull the rods out in order to adjust Tave to match Tref. He confirms this by taking a look at the control panel—Tave is indeed decreasing. Next, OG thinks about the reason that caused Tave to decrease.

(Another alarm actuates: turbine runs back.) (Turbine runs back alarm goes off.) OG ignores the new alarm and keeps staying in his current thought line and thinks why Tave is decreasing.

(A wave of alarms are activated: the reactor trips) OG’s thought gets paused by these alarms shortly. He only looks at some of these alarms and not all of them. He notices that reactor has tripped; turbine has tripped; high power reactor trip alarm is ON, and turbine tripped. The other alarm activities are ignored by OG, among which 3 alarms could have helped his diagnosis if he had noticed them—high steam generator A/B/C main feed flow alarms.

00:13 00:14 00:15 00:18 00:18 00:27

00:20 00:29 00:29 00:29 -

OG doesn’t like to interrupt his ongoing task and there are so many new alarm activities. He tries to refocus his attention back to his thought line before these alarms. “I was investigating the reason for Tave decrease”, he says to himself. Some possible causes cross his mind but get rejected. Control rods moving in? No, on the contrary, they were moving out.

(More alarms are activated) OG only takes a quick look at a few of these new alarms. He sees that steam generator level low alarms are on; steam generator level low-low alarms are on; motor driven auxiliary feed water pumps automatically turn on; and main steam-main feed mismatch alarm is on. The other alarms are ignored.

00:32

00:26 00:32 00:33 00:34 00:35 00:37 00:50 00:51 00:55 00:57 00:57 01:01 01:02 01:07

OG feels there are too many alarms. He tries hard to stay focused on his thought line of investigating the reason for Tave decrease. Was there cool coolant injected into the reactor? He asks himself. No.

OG thinks there is only one reason left to explain the decreasing Tave—steam load increased unexpectedly, which cooled the reactor more.

(More alarms are activated) Continuing with the unexpected steam load increase issue, OG first suspects the steam generator PORV valves. Are they unexpectedly open? After checking all the steam generator PORVs, OG finds they are all closed in normal position.

Now OG suspects steam dump valves. He checks them on the control panel and finds they are also in normal closed position.

(A new wave of alarms after 16 seconds of silence. Safety injection is activated) OG looks at the new alarms and notices that pressurizer level is low; main feed pumps trip; safety injection is activated; and low pressurizer pressure safety injection alarm is on. The other alarms are ignored. Even though OG’s thought was paused by the alarm activities shortly, OG’s thought doesn’t shift to the new alarm information. He continues to track the possible steam load increase. For the first time, he suspects two possible causes: one is faulty steam generator(s), and the other is the main steam line break (downstream of MSIVs). This investigation line initiated by the first alarm (control rods moving out) has reached the end.

01:08

Even though there were a lot of alarms and plant dynamics that were observed by OG, these have decayed or overflowed from his working memory because OG has stayed on his first investigation line for a long while. OG switches to monitoring mode. He checks the control panel and sees that the steam generator level is low.

01:11 01:32

(Thought line switches. No. 1)
OG starts to think about the steam generator level issue. He knows that there is a big drop of steam generator level immediately after the reactor trip. So this is not unexpected. Then it leads him to investigate the cause of reactor trip. He tries to recall the situation at the time of the reactor trip, but that memory is not very fresh in his mind. He looks at the control panel and sees that low-low steam generator level reactor trip is on. His investigation of reactor trip stops here. OG always stops his investigation when he has one explanation. OG’s attention is still on the steam generator level. It has reached low-low level. He finds that it is still decreasing even though it’s been a long while since the reactor trip. OG checks the feed water flow and main steam flow and finds that the feed water flow is smaller than the steam flow. He knows that the feed flow has decreased because the main feed water pumps have turned off; he thinks that’s why the feed flow doesn’t catch up with the steam flow. He also notices that the feed flow increased after the auxiliary feed water pumps turned on when the steam generator level reached low-low. OG doesn’t get any more clues from this investigation because he fails to take the steam flow into consideration. He did notice that there was still some steam flow (if not the leakage in the steam line, there shouldn’t be any steam flow at that moment), but his attention didn’t switch to this promptly and it slipped from his working memory.

01:32 02:15

02:15 02:23 02:23 02:31 02:31 -

(Thought line switches. No. 2)
Then OG switches back to monitoring and sees that the pressurizer level is decreasing. OG thinks that the decreasing pressurizer pressure is caused by the decreasing Tave. OG switches back to monitoring and then takes a brief break. (Three alarms activate after about 91 seconds of silence. Pressures in three steam generators reach low threshold.)

(Thought line switches. No. 3)
OG attends to the new alarms and notices the low pressure in the steam generators. This information quickly leads him to the diagnosis of steam leakage. It might be either steam generator fault or main steam line break. OG sees the pressures in all of the three steam generators are equally low and believes it is much more likely that a main steam line break has happened downstream of MSIVs. He reaches a diagnosis.

02:55

Table 9-4 Narrative of OH’s reasoning activities

Time    Summarized Script (OH: Hamlet style)

--:- (Normal Operation, plant is stable at full power) OH routinely monitors key parameters

00:00 00:06 00:07 00:07 00:07 00:09 00:12

(Initiating Event, Main Steam Line Break happens)

(The 1st alarm breaks the peace: control rods move out and make ticking sounds) OH attends to the alarm and starts to investigate the reason for the control rod moving out.

(The 2nd alarm sounds: Tave (average reactor coolant temperature) deviates from Tref (reference coolant temperature) low.) OH checks the new alarm and learns that it is Tave – Tref low deviation alarm.

OH’s attention returns back to the control rod moving out issue. He first recalls that if Tave is lower than Tref and the difference is greater than 1°, the auto-control system would move the rods out. Also this is confirmed by the Tave-Tref deviation alarm. He finds the first explanation. But OH doesn’t stop at the first explanation. He continues to think about another reason why the control rods move out. Then he recalls it could also be driven by increasing steam load in the secondary side.

00:13 00:14

(The 3rd alarm is activated: turbine runs back) OH notices that the turbine runback was on for a short second and then went off.

00:15 00:18 00:19 00:22 00:29

OH returns back to his earlier thought line before the alarms. Now he wants to find out whether there is any unexpected steam load increase. First, he thinks about steam generator PORVs.

(A bunch of alarm activities occur at times. Some alarms went off and some new alarms are activated) OH notices a lot of dynamics. Reactor trips, turbine trips, over power delta T alarm is on, pressurizer pressure is low. There are more alarm activities, but the rest are ignored by OH. He doesn’t want to be too distracted, so he only reviews some but not all of the alarms.

Continuing with his investigation of unexpected steam load, he checks the three steam generator PORVs and finds them in normal closed position. The steam generator PORVs are fine.

00:30 00:30 00:34 00:35 00:39 00:40 00:47

After eliminating two possible causes of steam load increase, now OH can only think of two possible causes: steam generator fault and steam line break. OH starts to suspect these two types of accidents. End of investigation of control rod moving out issue. Even though there is another explanation of rods moving out: Tave decreases, the corresponding investigation item decayed from the working memory.

He returns back to his investigation of unexpected steam load. Now he checks the steam dump valves and finds them also in closed position.

(More alarms are activated.) OH notices that the steam generator low level alarms are on; steam generator low-low level reactor trip alarm is on; auxiliary feed water pumps automatically start; main steam-main feed mismatch reactor trip alarm is on.

00:47 00:54

(Thought line switches. No. 1)
OH attends to the decreasing pressurizer pressure, and he thinks it is caused by the decreasing pressurizer level. Also, he sees a new alarm pressurizer level low deviates from the reference level, which is consistent with his thought.


00:55 00:57 00:57 00:60 01:00 01:18 01:19 01:50

In addition to the decreasing pressurizer level, he wants to examine the other possible causes of pressurizer pressure decrease. Meanwhile, he takes a quick look at Tave and finds out that it has reached low-low threshold.

(More alarms are activated.) OH notices that pressurizer level is low; main feed water pumps trip; safety injection is activated, low pressurizer pressure safety injection alarm is on. Continuing to examine other possible causes of decreasing pressurizer pressure, OH checks the pressurizer sprays and finds them all off as they should be. He checks the pressurizer PORV and finds it is also closed. He even thinks of the possibility of LOCA in the steam space though it is very unlikely. OH’s attention switches to Tave. It is decreasing—another reason for decreasing pressurizer pressure. He knows that Tave would decrease rapidly after reactor trip due to steam dump in a very short period. Now the steam dump is closed but Tave is still decreasing. An earlier guess of unexpected steam load jumps to his mind. Soon, he finds another explanation: the ongoing safety injection injects cool coolant to the reactor and thus decreases Tave. The confidence of SG fault accident and main steam line break accident increases a little, not much, because of the competing explanation.

01:50 02:41

(Thought line switches. No. 2)
OH now attends to the steam generator level. It has decreased a lot. This is expected. It would normally decrease a lot immediately after the reactor trip. As usual, he always checks other possible causes in an exhaustive way. So he wants to compare whether the feed water is matching with the main steam. Not too surprisingly, he finds the feed flow is smaller than the steam flow. He thinks of two possible causes to explain why feed flow is smaller than the steam flow. One is the unexpected steam load, the other is that the feed flow has decreased; both of them are valid explanations. He knows that main feed water pumps have tripped, the main feed has been isolated; that’s why the feed water decreased. According to his exhaustive investigation style, he also diligently examines the flow paths from the auxiliary feed water pumps (both the motor driven and the turbine driven pumps) and finds they are working fine. He sees the steam flow is above zero (there shouldn’t be any flow at this time, if not the main steam line leak) but it doesn’t grab his attention instantly, and it gets overflowed from his working memory.

2:30 2:41 2:55

(three alarms are activated: steam generator pressure low)

(Thought line switches. No. 3)
After finishing the explanation of the decreasing steam generator level, OH attends to the new steam generator pressure low alarms. He notices that steam generator B pressure is low and explains this by possible faulted steam generator accident or main steam line break. Then he also notices that the steam generator A and C pressures are also low. He thinks that since the pressures are low in all of the three steam generators, it is more likely that the leakage has occurred downstream of the MSIVs than in just one specific steam generator. His confidence of main steam line break accident soars much higher and he reaches the diagnosis of MSLB.

9.2.3 Information usage

Here we summarize 7 key phenomena that provide clues for diagnosing MSLB and examine how the three operators used them in the simulation. In Table 9-5, for each phenomenon, a drawing is used to indicate the information processing level and how far the reasoning has gone on the way to making the connection between the observation and MSLB accident. The causal links are provided below the drawing. Even though the corresponding knowledge of these causal links exists in the operator knowledge base, they don’t necessarily get utilized in the investigation reasoning. Also, the usage of these clues varies among the three operators with different problem-solving styles.

Table 9-5 Use of clues

1

Causal links: MSLB => steam load increase => control rod moving out.

• OH’s reasoning went through this path;
• OG investigated this phenomenon, but he explained it using Tave-Tref deviation and failed to make the connection between “steam power increase” and “control rod moving out”;
• OV focused on this phenomenon for just 1 sec, then he got distracted by other alarms and never came back to this issue again.

2

Causal links: MSLB => steam load increases => Tave decreases.

• OG’s reasoning has gone through this causal path;
• OV detected Tave decrease trend before reactor trip, but got distracted by another alarm;
• OH noticed Tave decrease trend before reactor trip, but postponed the investigation which decayed away from his working memory. When his attention later returned to Tave, it was after the reactor trip and there were stronger competing explanations for Tave decrease at that point.

3

Causal links: MSLB => Steam load increases => Control rods move out => Power increase => Power > 104%

• OG perceived the over power reactor trip alarm, but he didn’t attend to this information.
• OH missed the over power reactor trip alarm, but he perceived over power delta T alarm, which is similar to this; he didn’t attend to it.
• OV perceived this alarm and initiated an investigation but didn’t go far enough to reach MSLB.

4

Causal links: MSLB => steam load increases => Tave decreases.

• OV and OH visited this causal path but there were two other explanations for Tave decrease: a) safety injection puts cold water into the reactor; and b) rapid steam dump brings Tave down after reactor trip. Therefore, their confidence of MSLB didn’t increase much.
• OG already explained the observed Tave decrease before reactor trip.

5

Causal links: MSLB => steam load increase => steam flow > feed flow

• OV perceived the feed flow-steam flow mismatch alarm, but he didn’t attend to this issue.
• OH noticed the flow mismatch by the alarm. He visited this causal path and made the connection.
• OG missed the flow mismatch alarm due to his fixated attention. He discovered the mismatch later when he attended to the steam generator issue. He made the causal connection.

6

Causal links: MSLB => Steam generator pressure decrease MSLB => Steam generator pressure low

• This is the most straightforward evidence of MSLB. All the three operators observed the information and quickly made the connection.

7

Causal links: MSLB => main steam flow > 0 (During this accident a while after the reactor trip, Tave was very low, so the steam dump shut. There shouldn’t be any steam flow if not steam leakage)

• All of the three operators noticed the steam flow, but they didn’t pay attention to this in a vigilant way. OV figured this out late at t = 04:24.

9.3 Diagnosis of SGTR

The SGTR happens at t = 2:32 when the MSIVs automatically close. There are several symptoms of SGTR. A) Secondary radiation level normally goes high immediately after SGTR; this actually confused the operators in this accident because they saw the secondary radiation level was normal. This is due to the closing of MSIVs, which blocks the flow of radioactive material to the detector in the condenser. B) Reactor coolant water leaks to the ruptured steam generator, which could increase its water level and develop a level difference over time; this is the key information that leads the operator to the diagnosis. C) SGTR might cause the level decrease in the reactor coolant system; if there is another source of water that is feeding the reactor coolant system, the operator might not observe this symptom. In this simulation, the diagnosis confirmation time is determined by the following factors:

• When the operator detects significant water level differences in the three steam generators
• The speed at which the operator actively gathers information for the diagnosis
• When the operator resolves the inconsistent information (e.g. missing symptom of secondary radiation high)

Figure 9-5 provides diagrams of the three steam generator water levels. For each steam generator, there are two water level indicators: a wide range level indicator, which shows the water level in a steam generator as a percentage of the full height, and a narrow range level indicator, which is a zoom-in of the 60%-100% part of the full range. When the water level is above 60% in the steam generator, the narrow range indicator shows a positive reading. Otherwise, the narrow range reads zero. The SG level indicators use graphic displays similar to the diagrams, showing the water level in a shorter period of time. In the first 10 minutes, the narrow range read zero after the reactor tripped and the difference of the wide range levels is not evident enough. The difference appears when the water level in SG A reaches the bottom of narrow range. It becomes evident to the operator when there is a positive reading of SG A narrow range while the other two read zero.
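The relation between the two indicators, and the cue of one narrow range reading positive while the other two read zero, can be sketched as follows. This is an added example, not code from the dissertation or ADS-IDAC: it assumes the narrow range is a linear zoom of the 60%-100% band, the level trends are constructed sample data, and the function names and the 10% cue threshold (taken from the reading reported at t = 16:42) are choices made for the illustration.

```python
NR_BOTTOM = 0.60            # narrow range starts at 60% of the wide range (from the text)
NR_SPAN = 1.0 - NR_BOTTOM   # assumption: linear zoom over the 60%-100% band


def narrow_range(wide):
    """Narrow-range reading (0..1) for a wide-range level (0..1)."""
    return min(1.0, max(0.0, (wide - NR_BOTTOM) / NR_SPAN))


def first_asymmetry(samples, threshold=0.10):
    """Return (time_min, sg) for the first sample in which exactly one steam
    generator reads at least `threshold` on the narrow range while every
    other one reads zero. Return None if that never happens.

    samples: list of (time_min, {sg_name: wide_range_level}).
    """
    for time_min, wide_levels in samples:
        nr = {sg: narrow_range(w) for sg, w in wide_levels.items()}
        high = [sg for sg, v in nr.items() if v >= threshold]
        others_zero = all(v == 0.0 for sg, v in nr.items() if sg not in high)
        if len(high) == 1 and others_zero:
            return time_min, high[0]
    return None


# Constructed wide-range trends (fraction of full height), not simulation output.
# SG_A receives extra water, as it would from a tube rupture.
RUPTURE_TREND = [
    (3,  {"SG_A": 0.40, "SG_B": 0.40, "SG_C": 0.40}),
    (8,  {"SG_A": 0.52, "SG_B": 0.48, "SG_C": 0.48}),
    (12, {"SG_A": 0.60, "SG_B": 0.53, "SG_C": 0.53}),
    (15, {"SG_A": 0.63, "SG_B": 0.56, "SG_C": 0.56}),  # SG_A NR = 7.5%, below cue
    (17, {"SG_A": 0.65, "SG_B": 0.58, "SG_C": 0.58}),  # SG_A NR = 12.5%, others 0
    (20, {"SG_A": 0.70, "SG_B": 0.62, "SG_C": 0.61}),
]

# Constructed normal refill: all three levels rise together, so no asymmetry.
NORMAL_REFILL = [
    (3,  {"SG_A": 0.40, "SG_B": 0.40, "SG_C": 0.40}),
    (12, {"SG_A": 0.58, "SG_B": 0.58, "SG_C": 0.57}),
    (17, {"SG_A": 0.66, "SG_B": 0.66, "SG_C": 0.65}),
]

if __name__ == "__main__":
    for t, levels in RUPTURE_TREND:
        wr_gap = levels["SG_A"] - levels["SG_B"]
        nr_gap = narrow_range(levels["SG_A"]) - narrow_range(levels["SG_B"])
        print(f"t={t:>2} min  WR gap={wr_gap:.3f}  NR gap={nr_gap:.3f}")
    print("rupture trend cue:", first_asymmetry(RUPTURE_TREND))
    print("normal refill cue:", first_asymmetry(NORMAL_REFILL))
```

In the constructed rupture trend the wide-range gap stays at a few percent of full height throughout, while the narrow range goes from all zeros to a single positive reading, which is the contrast the text describes.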

[Figure 9-5: six panels plotting Level (0 to 1) against Time (min): SG_A_NR_Level, SG_B_NR_Level, SG_C_NR_Level, SG_A_WR_Level, SG_B_WR_Level and SG_C_WR_Level.]

Figure 9-5 Drawing of steam generator levels

9.3.1 Diagnosis progression

Figure 9-6 shows the three operators’ diagnosis confidences of SGTR accident over time. Diagnosis pace varies among the operators with different problem-solving styles. OH is fastest in this accident; and OV is the slowest one [30]. The highlights of each operator’s diagnosis process are provided below.

Table 9-6 Time when SGTR diagnosis confidence exceeds 0.9

Operator    Time when confidence exceeds 0.9 (min:sec)    SG-A NR water level
OH          19:55                                         24.8%
OG          23:09                                         49.6%
OV          33:16                                         69.90%

[30] Note that we do not want to generalize this result to any accident. We do not claim that Hamlet is faster in any accident scenario

[Figure 9-6: Diagnosis of SGTR. Confidence Level (0 to 1.2) against Time (minute, 0 to 40) for the Vagabond, Hamlet and Garden Path styles.]

Figure 9-6 Three operators’ diagnosis progresses of SGTR accident
9.3.2 Highlights of OG’s diagnosis process

From t = 3 min, the water levels of the three steam generators were rising, as expected because the operators wanted to restore the steam generator water level back to 44% in the narrow range. Nothing looked suspicious. At t = 16:42 (min:sec), OG noticed significant water level differences between SG_A and SG_B, and between SG_A and SG_C; hence, he started suspecting a SGTR accident. These observations were made while monitoring routinely. Figure 9-5 shows both the wide and narrow range water levels. In a typical control panel with indicators of SG levels, the operator can view the water level graphs of the three steam generators side by side. As observed in Figure 9-5, at t = 16:42, the differences among the wide range levels are not obvious. However, the differences among the narrow range levels are very evident: SG_A_NR_Level reads more than 10%, while the other two read zero. These differences caught the operator’s attention, and he started investigating the issue. He compared the feed flow in the three steam generators. The feed flows were the same, yet steam generator A got much more water than the other two. It looked like there might be some other water source to steam generator A, and he then thought of an SGTR accident. His diagnosis confidence started with a high number because there was no other explanation for the water level difference.

To verify his diagnosis hypothesis, he began to actively gather more evidence, directed by his knowledge and experience of SGTR accident. At t = 18:30, he checked the secondary radiation indicator but found the radiation level was normal. This dampened the SGTR diagnosis because high secondary radiation level is the most typical symptom of SGTR, according to the way he was trained. Soon after, at t = 18:40, he noticed that the pressurizer level was increasing, which was not consistent with the SGTR diagnosis. If there is a leakage from the reactor coolant system, the operator would expect to see the water level in the pressurizer go down. This dampened the SGTR diagnosis more. The operator got a little confused. At t = 21.07, the operator realized that the increasing pressurizer level was caused by the ongoing safety injection, which counteracted the water loss from the leakage. Thus the confidence level of SGTR bounced up a little.


At t = 23:09, the water level in steam generator A continued increasing, which was a symptom of SGTR. But the operator believed this could be accounted for by the feed water, so he thought it didn’t mean much for the SGTR diagnosis. The operator was confused because the secondary radiation level was normal, and he decided to troubleshoot this puzzle by checking the path that transports the radioactive water from the leak to the secondary radiation detector in the condenser. At 24:32, he figured out that the closed MSIVs prevented the radioactive material from reaching the detector in the condenser. Puzzle solved! He was then 99% confident that steam generator A had ruptured. His diagnosis was confirmed later by strong evidence: the feeding to steam generator A was stopped but its level continued increasing.
9.3.3 Highlights of OH’s diagnosis process

OH’s suspicion of SGTR started very early, at t = 4:44. He observed that the pressurizer level had decreased a lot. He had a very strong explanation: because Tave decreased a lot, the volume of reactor coolant had shrunk. However, he didn’t stop at the first explanation and considered all the possibilities, including the possibility of SGTR accident. The confidence of SGTR was small due to the strong competing explanation. His confidence of SGTR increased when he saw that the steam generator A level was increasing at t = 15:27. It only increased a little because of another strong competing reason: operators were feeding the steam generators to try to bring the level back to 44%, so the increasing trend was expected. OH just kept the possibility of SGTR in mind.


At t = 16:48, OH noticed the level differences among the three steam generators. The level of steam generator A was significantly higher than the levels of the other two, but the feed flows to the three steam generators were the same. So he believed that steam generator A might be getting water from elsewhere, e.g. leaking from the reactor coolant. His confidence of SGTR increased significantly. He noticed the level difference earlier than OG did because he (OH) monitored key parameters more frequently. Since his confidence of SGTR was very high, he started to actively seek another important symptom: high secondary radiation. Confusingly, he saw the radiation level was very low. Later he found out it was the MSIVs that blocked the way of radioactive material to the detector. His diagnosis confidence soared to 0.991 and he declared that SGTR had happened. His diagnosis was confirmed later by strong evidence: the feeding to steam generator A was stopped but its level continued increasing.
9.3.4 Highlights of OV’s diagnosing process

At t = 18:46 (min:sec), OV noticed significant water level differences in the three steam generators and he started suspecting a SGTR accident. This timing is later than the other two operators because OV monitored key parameters less frequently. Also, OV was less active in gathering evidence than the other two, hence, his pace was slower. At t = 20:54, his diagnosis got dampened when he saw the radiation level was low. At t = 25:32, his confidence increased a little bit by the evidence that water level of steam generator A was increasing.


At t = 27:56, he realized that the pressurizer level was not decreasing, which is not consistent with the diagnosis of SGTR. At t = 31:36, he figured out that the secondary radiation level was low because the MSIVs blocked the way of radioactive material to the detector. Later at t = 31:36 he realized he couldn’t observe a decrease of pressurizer level because of safety injection. He solved all the puzzles.

10 Comparison of Results

A complex SGTR accident is used to demonstrate and validate recent advances of ADS-IDAC. Chapter 7 introduced the accident scenario and the simulation input model. This chapter introduces crew variations in the simulation results, compares the ADS-IDAC simulation results with the Halden experiment data in terms of operator procedure progression, and demonstrates the merits of the new ADS-IDAC by comparing its simulation results with those of the old ADS-IDAC.

10.1 Crew-to-Crew variability in timing

This section discusses the crew-to-crew variability in this simulation case. The time of declaring the SGTR diagnosis, the time of entering procedure E-3 (the response procedure for an SGTR accident), and the time to isolate the ruptured SG provide reference checkpoints for model calibration and model validation. Accident diagnosis is used to support the operators’ decisions at some key procedure transfer points. Hence, the time of entering E-3 is determined by both the time of declaring the SGTR diagnosis and the operators’ pace of procedure usage. The crew variations in response time can therefore be modeled by introducing variations in diagnosis time and procedure use pace.
10.1.1 Varying timing to reach diagnosis

Model parameters are used to compute operator activities in the reasoning module. Some of them can be adjusted by the user in the input file in order to tailor operator performance (refer to Sections 6.4.8 and 6.4.9). Different input settings of these model parameters introduce variations in the simulation results.

Three model parameters significantly impact the timing of reaching accident diagnosis:

• Problem-solving styles
• Diagnosis confidence threshold for declaring a type for the accident
• Activeness in gathering accident evidence

Different problem-solving style settings result in different courses of operator activities, as discussed in chapter 8.3, and thus give different accident confidence progressions, as repeated in Figure 10-1. Accident diagnosis confidence is dynamically calculated during the simulation. It represents the operator’s belief in the likelihood that an accident has happened, based on the available evidence. When the diagnosis confidence exceeds the model parameter diagnosis confidence threshold, the program declares this accident diagnosis. Adjusting the confidence threshold adjusts the timing of reaching a diagnosis. Higher thresholds require more and stronger evidence to support the diagnosis and thus might take a longer time, while lower thresholds result in a shorter time. This mimics the operator’s prudence in declaring an accident. In Figure 10-1, the dashed lines represent different levels of confidence threshold, and the three solid lines show the operator’s confidence progression over time in three simulations. The first crossing of the threshold line and a diagnosis progression curve is the time of declaring the SGTR accident diagnosis. As seen in Figure 10-1, by varying the confidence threshold, the program generates visible variations in diagnosis timing.

[Figure 10-1: Confidence Level (0 to 1.2) against Time (minute, 0 to 40) for the Vagabond, Hamlet and Garden Path styles.]

Figure 10-1 Diagnosis confidence of SGTR and confidence threshold

During an accident, operators have two strategies at their disposal to make a diagnosis. One is using their knowledge of possible accidents and actively collecting relevant evidence. The other is following the procedural guidance and collecting relevant evidence as specified by the procedure. Activeness in gathering accident evidence is a quantitative measure of how actively the operators use the knowledge-based approach to gather accident evidence from the control room. In this simulation case, when the procedure fails to lead the operator to the diagnosis of SGTR accident in a straightforward way, the timing of reaching the SGTR accident diagnosis depends heavily on the operators using their knowledge-based reasoning to gather evidence. Activeness in gathering accident evidence is a model parameter of the reasoning module; it is used to calculate the frequency of using the accident schema to actively gather relevant information. This parameter has a large impact on the timing of reaching SGTR diagnosis in the simulation case.

[Figure 10-2: Time Range (confidence level exceeds 0.9). Time (minute, 0 to 40) for the Hamlet, Garden Path and Vagabond styles. Lower bound: Activeness = 10.0. Higher bound: Activeness = 0.67.]

Figure 10-2 Diagnosis time range due to varying activeness between 0.67 [31] and 10.0

We ran multiple simulations, setting different values for activeness in gathering accident evidence between 0.67 and 10. The diagnosis of SGTR progressed faster with a higher activeness value and slower with a lower activeness value. The time when the diagnosis confidence of SGTR exceeded 0.9 was recorded, and its range is shown in Figure 10-2.

• Time range for Vagabond style: (22.7, 35.3) min
• Time range for Garden Path style: (19.7, 35.1) min
• Time range for Hamlet style: (19.3, 22.0) min

By combining variations of the diagnosis confidence threshold (from 0.05 to 0.90), variations of activeness in gathering accident evidence (from 0.67 to 10) and variations of problem-solving style, the program generates a wide spectrum of diagnosis timing: (14.3, 35.3) min. A slow diagnosis progression and a fast diagnosis progression of the Vagabond style are shown in Figure 10-3.

[31] 0.67 = 1/1.5. It means 1.5 times slower.

[Figure 10-3: Diagnosis confidence progression (Vagabond). Confidence level (0 to 1) against Time (minute, 0 to 40), with curves for Activeness: 0.69 and Activeness: 10.]

Figure 10-3 Two diagnosis confidence progression with two activeness values

[Figure 10-4: Time (hh:mm:ss, 0:00:00 to 0:50:00); legend: Halden Data, entering E-3; Range of simulation results.]

Figure 10-4 Comparison: Halden data vs. ADS-IDAC predicted time range

The available Halden data [32] do not provide the crews’ times of reaching the diagnosis of SGTR. They provide the times when the crews isolated the ruptured SG. According to the report (Lois 2009), it took 6 minutes on average for crews to isolate the ruptured SG after they entered E-3. By subtracting 6 minutes from the time of SG isolation, we inferred the approximate times when the 14 crews entered E-3, which happened soon after they reached the SGTR diagnosis. In Figure 10-4, we compare these time points with the time range of declaring SGTR diagnosis generated by ADS-IDAC. It shows that ADS-IDAC has a good coverage of the crews’ diagnosis progress in terms of time.

[32] Data source: International HRA Empirical Study - Phase 1 Report (Lois 2009)
10.1.2 Varying pace of using procedure

Timing of reaching key procedure steps (decision points) also impacts the time of entering E-3. In the ADS-IDAC simulation, the timing of procedure progression is determined by several factors:

• Time duration (specified) for previous procedure steps
• Action time multiplier
• Time cost of transferring between two procedure steps
• Time cost for transferring between two different procedures
• Time cost of mental procedures concurrently in use

Among these, the action time multiplier provides a way to generally scale the procedure progression pace, that is, how fast the operators go through procedure steps. In addition to the general pace of procedure progression, some of the 14 crews paused at a controversial step (E-0 step 21) and had a briefing to discuss the situation, while some of the 14 crews had no briefing there. We could add a time-delay procedure pause to mimic the time delay caused by the crew briefing. During the time-delay procedure pause in the simulation, the reasoning module still continues to run, conducting more cognitive activities and gathering more information. This provides a workaround for mimicking the crew gathering more evidence by merging the available information from each member during briefings.

From the empirical data, we do not have direct information regarding the time at which the 14 crews reached the SGTR diagnosis. However, the time of crews entering procedure E-3 is available. This information is used for validating the prediction capability of ADS-IDAC, in addition to the procedure progression. In the example simulation case, the time of entering E-3 is mainly determined by the following factors: 1) Progress of the SGTR accident diagnosis; 2) Pace of using procedure; 3) Operator’s decision when their knowledge-based diagnosis is inconsistent with the procedure instructions. In the previous sections, we discussed ADS-IDAC’s capability to capture the crew differences in these three aspects by varying the few model factors mentioned above (in the simulation configuration). ADS-IDAC could approximately reproduce the procedure progression paths and timing of 8 of the crews. An example is provided in Table 10-1.

Table 10-1 Comparison of one crew responses with one simulation sequence

Time to | Halden Crew M (min) | One Simulation Sequence (min)
Reach diagnosis of SGTR | unknown | 20:48
Reach E-0 Step 19 | 9:55 | 10:06
Reach E-0 Step 21 | 11:50 | 12:21
Enter ES-1.1 | 17:42 | 18:01
Enter E-3 | 20:50 | 21:15

10.2 Procedure progression—comparison with Halden data

Procedure E-3 is for coping with a SGTR accident. So the operators should use E-3 in this complex SGTR situation, and entering E-3 marks the operators’ correct diagnosis.

In the control room, the operators are expected to enter the Emergency Operating Procedure (EOP) E-0 following a reactor trip. E-0 is used for diagnosing the plant conditions and leading to the appropriate response procedure accordingly. In procedure E-0, step-19, step-21, step-24 and step-25 are key steps in this complex SGTR accident case. Step-19, step-24 and step-25 contain diagnosis guidance for SGTR accident, and step-21 might mislead the operator to procedure ES-1.1. The crew might branch to different procedure paths at these steps:

Step 18 is the specific diagnosing step for steam generator fault accident. The condition is “one or more steam generator decreasing in an uncontrolled manner”. In this case the steam generator pressures are decreasing because they are cooled by the reactor coolant water, not because of steam generator faults. If the operators misdiagnose the situation and declare a steam generator fault accident, they might mistakenly transfer to E-2 at this step.





Step 19 is the specific diagnosing step for SGTR accident. However, it only uses the secondary radiation level as the condition of transferring to E-3, which is masked in this accident situation. It does not use the water level difference between SGs as an indicator.



Step 21 contains a transfer link to ES-1.1 for terminating the safety injection. The transfer condition is met in the simulation. However, the safety injection should not be terminated in this SGTR accident at this point. Some crews may branch out at this step. If the operators reach the diagnosis of SGTR accident, they might choose to go to E-3 based on their knowledge reasoning. They might choose to stay in E-0. Or they might transfer to ES-1.1.



Step 24 contains a transfer link to E-3. Instead of asking the secondary radiation level, it provides a cue for the operators to check the SG levels, which is essential for diagnosing the SGTR in this accident situation. The operator might use this step properly or not.



Step 25 contains a transfer link to E-3. It only asks the secondary radiation level, thus it is no more helpful than step 19. However, it provides another chance for the operator to re-think about the possibility of a SGTR accident.

Table 10-2 shows the 14 crews’ procedure progression and their basis for transferring to E-3 in the Halden experiments. Of the 14 crews, 9 transferred to E-3 based on their knowledge-based reasoning, while 6 out of 14 crews found a basis for transferring to E-3 according to the procedure guidance.

Table 10-2 Procedure progression and basis for transfer to E-3 in complex scenario

Crew | Point of transfer to E-3 | Basis for transfer to E-3
A | E-0 step 21 – ES-1.1 foldout page | SG level
B | E-0 step 24 | SG level
C | E-0 step 21 | Knowledge-based (SG level)
D | E-0 step 34-25 | Knowledge-based (SG level)
E | E-0 step 21 – ES-1.1 – E-0 step 19 | SG1 gamma levels 1 and 2 (slow crew)
F | E-0 step 21 – ES-1.1 – E-0 step 19 | Knowledge-based (SG level)
G | E-0 step 21 | Knowledge-based (SG level)
H | E-0 step 21 – ES-1.1 – FR-H5 – E-0 step 19 | Knowledge-based (SG level)
I | E-0 step 21 – ES-1.1 – E-0 step 19 | Knowledge-based (SG level)
J | E-0 (second loop) step 14 – E-2 step 7 | Knowledge-based (SG level)
K | E-0 step 19 | Gamma radiation
L | E-0 step 21 | Knowledge-based (SG level) + ES1.1 foldout
M | E-0 step 21 – ES-1.1 foldout page | SG level
N | E-0 step 21 | Knowledge-based (SG level)

With variations introduced by varying the operator’s profile (refer to Section 10.1) and the branching rules for procedure usage decisions (refer to chapter 5), ADS-IDAC has identified 11 paths of procedure progression performed by the virtual operators, as shown in Figure 10-6. There are 5 branching rules activated in this simulation. They are marked as yellow boxes in the figure, and explained below:

B1 [33]. Step-18 contains a transfer to E-2, but the transfer condition is not satisfied. The operator misdiagnosed the situation and believed there were faulty SGs. The operators branch out in two paths: 1) Transferring to E-2 based on the misdiagnosis, and 2) Following the procedure guide and staying in E-0.

B1. Step-19 contains a transfer to E-3, but the transfer condition is not satisfied literally. The operators branch out in two paths: 1) Transferring to E-3 based on their knowledge reasoning, and 2) Following the procedure guide and continuing in the current procedure.

B2. At this time point, the operators are confident that a SGTR accident has happened. They might branch out in two ways: 1) go to E-3 immediately, or 2) stay on the current procedure, expecting the current procedure will lead them to E-3.

B3. The current procedure step leads the operator to transfer to a third procedure other than E-3. The operators have three alternatives: 1) go to E-3 based on their knowledge reasoning; 2) follow the procedure guide strictly and transfer to the third procedure; 3) stay in the current procedure and move to the next step.

B4. By this time it has been a while since the operators’ SGTR diagnosis, and the current procedure still has not led them to E-3, so they decide to go to E-3. This rule has only one branch.

B5. The foldout page of Procedure ES-1.1 contains a condition of transferring to E-3. While ES-1.1 is in use, the operators may read and use the foldout page and transfer to E-3, and they may also forget to use the foldout page. In Sequence No. 6 (marked by a brown dot) in the figure, B5 is encountered twice. This simulates a scenario in which the operators forget to use the foldout page at the beginning but recall it later.

[33] B1-B4 denote branching types described in Chapter 5. B5 is a branching triggered by mental belief activation.

Figure 10-5 Branching points in the complex SGTR simulation

[Figure 10-6: diagram of procedure progression paths. Node labels include E-0, E-0 steps 18, 19, 21, 24 and 25, ES-1.1, ES-1.1 step 5, ES-1.2, E-2 and E-3; branching points B1 to B5; simulation sequence numbers 0 to 11; and Halden crew letters.]

Figure 10-6 Procedure progression paths based on simulation results

In Figure 10-6, 7 of the 12 procedure progression paths identified in the simulation replicate 10 out of 14 crews’ procedure progression paths, as shown in Table 10-2. The letters in green dots are the codes used for crews in the international HRA empirical study Phase 1 report. The numbers in brown dots are the codes of sequences of ADS-IDAC simulation results. The mapping between ADS-IDAC simulation sequences and crews with the same procedure progression path is summarized here:

ADS Sequence No. 0: Halden Crew J [34]. The operators transferred to E-2 in the second loop of E-0 based on a misdiagnosis. In the Halden experiments, Crew J incorrectly made a diagnosis of a feed water leakage accident based on two observations: abnormal steam in the turbine building, which was actually caused by the MSLB, and the water level difference among the three steam generators, which was actually caused by the SGTR. In ADS sequence No. 0, the operator incorrectly made a diagnosis of a steam generator fault accident based on several observations: low pressure in the steam generators, which was actually caused by the MSLB, and SG pressure decrease, which was actually caused by the MSLB and the reverse cooling phenomenon. In both sequences, the operators made an incorrect diagnosis of the situation, due to confusing symptoms and incorrect explanation of the plant phenomena. Though ADS sequence No. 0 doesn’t match Halden Crew J specifically, it demonstrates the capability of predicting operators’ misdiagnosis of the situation due to symptom confusion and knowledge deficiency.

[34] Halden crew J transferred to E-2 and later transferred to E-3 based on their knowledge. In our simulation runs, we only replicated the operator’s misdiagnosis and incorrect transfer to E-2. Procedure E-2 has not been coded yet, thus the simulation truncated after entering E-2. If we have E-2 coded, the operator is expected to transfer to E-3 based on knowledge-based reasoning.



ADS Sequence No. 2: Halden Crew M. The operators transferred to ES-1.1 and went to E-3 guided by the foldout page.



ADS Sequence No. 5: Halden Crew A. The operators transferred to ES-1.1 and went to E-3 guided by the foldout page after finishing a few steps in ES-1.1.



ADS Sequence No. 7: Halden Crews C, L, G, N. The operators determined that they should not terminate the Safety Injection at E-0 Step 21. Instead of going to ES-1.1, they chose to transfer to E-3 at this step based on their knowledge.



ADS Sequence No. 8: Halden Crew B. The operators determined that they should not terminate the Safety Injection at E-0 step 21. They identified the SGTR accident and transferred to E-3 at E-0 Step 24 based on their knowledge reasoning.



ADS Sequence No. 9: Halden Crew D. The operators determined that they should not terminate the Safety Injection at E-0 step 21. They identified the SGTR accident and transferred to E-3 at E-0 Step 25 based on their knowledge.




ADS Sequence No. 11: Halden Crew K. The operators determined that a SGTR has happened and they transfer to E-3 at E-0 Step 19. These two transfers were based on different reasons. Halden Crew K avoided the masking of the secondary radiation. Due to their manual reactor trip action, the SGTR happened when the MSIVs were closed, so they were able to observe the high secondary radiation in the experiment. ADS Sequence 1 represents a fast crew which makes correct SGTR diagnosis early, so they transfer to E-3 directly at E-0 Step 19.

Procedure progression paths of 4 crews are not covered in these simulation results. The crews involved are E, F, H, I.

Halden Crews E, F and I: Operators entered ES-1.1 and returned to E-0. There are no transfer points to E-0 in ES-1.1; these 3 crews transferred back to E-0 based on their knowledge. This piece of knowledge was not included in the knowledge base input model. Once it is added, the simulation model can also reproduce the action of these crews.





Halden Crew H. The operators entered a function recovery procedure FR-H5. However to limit the scope we did not include FR-H5 and entering conditions in this ADS-IDAC simulation.

The simulation results show good coverage of the crews’ procedure progression paths in the Halden experiment. With the newly added reasoning module and branching rules, 10 out of 14 crews’ procedure progressions were replicated in the simulation. By expanding the input case model, ADS-IDAC might be able to cover more of the procedure progressions.

10.3 Comparison with simulation result of earlier ADS-IDAC and improvements

A separate simulation of this complex accident was run with an earlier version, ADS-IDAC 2.0 (Coyne 2009). We compare the ADS-IDAC 2.0 simulation results with the results of ADS-IDAC 3.0, and discuss the improvements in this section.

An ADS-IDAC 2.0 input model, coded by previous ADS-IDAC developers, was used for the complex SGTR accident simulation. The simulation predicted one diagnosis time of SGTR accident and one procedure progression path: the operators entered procedure E-0 and transferred to ES-1.1 at E-0 step 21. The operators reached the diagnosis of SGTR accident at t = 25.5 (minute), and a mental belief was activated correspondingly and led the operators to transfer to procedure E-3. These predictions fit the operators’ performances in the Halden experiments, but do not provide good coverage of the variance of the 14 crews’ responses.

In the input model of ADS-IDAC 2.0, the operator’s knowledge is represented by mental beliefs. The operator’s diagnosis of the SGTR accident is represented by the state of a mental belief, “Possible_SG_Tube_Rupture”. The activation of this mental belief means that the operator believes that a SGTR accident has occurred. A specific logic path was designed for activating the mental belief “Possible_SG_Tube_Rupture”, as shown in Figure 10-7. In this path, there are three relevant mental beliefs:

• SG_Uncontrolled_Level_Increase
• Reactor_Coolant_System_Leak
• High_Secondary_Radiation

Figure 10-7 shows the activation process of these mental beliefs during the simulation.

3/4 logic, activating “SG_Uncontrolled_Level_Increase” (at t = 25.5 min):
• “A_SG_A_Hi_Level” (this alarm was received when SG-A NR level = 50%, at t = 25.5 min)
• “RATE_SG_A_NR_Level>0.02” (satisfied)
• “SG_A_Level_Deviation>2” (satisfied)
• “SG_A_FW_Flow<15” (not satisfied, the operators never scanned this parameter)

4/4 logic, activating “Reactor_Coolant_System_Leak” (these 4 conditions were satisfied after SI was terminated):
• A_PZR_Level_Lo_Dev
• A_PZR_Pressure_Lo_Dev
• RATE_PZR_Level<-0.01
• RATE_PZR_Pressure<-15.0

2/3 logic, activating “Possible_SG_Tube_Rupture”:
• “SG_Uncontrolled_Level_Increase”
• “Reactor_Coolant_System_Leak”
• “High_Secondary_Radiation” (masked by closing the MSIV)

Figure 10-7 Mental belief activation Paths in ADS-IDAC 2.0 simulation

In order to activate mental belief “SG_Uncontrolled_Level_Increase”, at least 3 out of 4 conditions need to be satisfied. One condition (“SG_A_FW_Flow<15”) was not activated through the simulation, because the operators never checked this parameter. This reflects a shortcoming of the mental belief mechanism: it doesn’t guide the operators to actively gather relevant information for the accident diagnosis. This limits the full utilization of the mental beliefs in simulating operator’s knowledge-based reasoning. This shortcoming has been overcome in ADS-IDAC 3.0. The reasoning module guides the operator to actively gather relevant information to explain observations and to gather evidence for the accident diagnosis. In the simulation with ADS-IDAC 3.0, the operator’s top-down attention driven by the reasoning is modeled, so the operator actively checked the SG-A feed flow multiple times. This complemented the mental belief mechanism in ADS-IDAC.

The mental belief-activating rule only takes account of symptom presence or absence. It allows the operator to quickly reach a diagnosis by the presence of some salient symptoms and thus mimics heuristic reasoning fairly well. However, the activating conditions are hard-coded. Thus, little variation is generated. Review of the logical activation path of these mental beliefs shows that, in order to activate the mental belief “Possible_SG_Tube_Rupture”, the mental belief “SG_Uncontrolled_Level_Increase” has to be activated and thus “A_SG_A_Hi_Level” has to be activated. The timing of reaching the diagnosis of SGTR accident is determined by how fast the steam generator water level physically reaches the high alarm level. As a result, ADS-IDAC 2.0 only predicted a single timing for reaching SGTR diagnosis, limiting the ability to capture the variations among crews.

In ADS-IDAC 3.0, the reasoning module has improved the capabilities of predicting operators’ variability in terms of diagnosis timing and procedure progressions, by various combinations of operators’ problem solving styles, model parameters (activeness in gathering accident evidence, accident diagnosis confidence threshold, and procedure progression pace), operators’ choices when facing conflict between procedure guidance and knowledge-based reasoning, as discussed in Section 10.1.

Furthermore the new ADS-IDAC addresses some of the gaps we have identified in earlier versions of ADS-IDAC, by improving the capabilities of modeling operators’ knowledge-based diagnosis and responses. Corresponding to the gap analysis in Section 3, we briefly summarize the improvements introduced by this research:



ADS 3.0 added the capability of mimicking top-down attention control mechanism. The reasoning process guides the operators’ attention to actively gather relevant information to facilitate the diagnosis process. In this simulation case, the reasoning module guided the operators to use knowledge to investigate why the water level in steam generator A was much higher than the levels in steam generator B and C. The investigation directed the operators to check the feed water condition. In earlier ADS-IDAC, the user has to add the relevant indicators to the scanning list or to a procedure step to make sure the operators would get the necessary information during the simulation. However, the new ADS-IDAC automatically directs the operators’ attention to the relevant indicators based on the reasoning.



Provides a more formal reasoning process in addition to the heuristic reasoning processes. The accident diagnosis confidence is computed based on the confidence of the causal paths between accidents and symptoms, while the heuristic reasoning processes are based on the presence of the symptoms. In the new ADS-IDAC, the calculation of diagnosis confidence also takes account of the explanations of the observations, in addition to the presence or absence of symptoms. For example, one symptom of SGTR accident is loss of inventory in the RCS (reflected as decreasing pressurizer level). In the scenario, even though this symptom was observed by the operators, it contributed only a little to the diagnosis confidence of SGTR, because there was another strong competing explanation—the expected cooling down process after the reactor trip, early in the scenario. Later in the scenario, this symptom is masked by the safety injection (the operator could not see the loss of RCS inventory anymore). In contrast, for a mental belief, the activation is solely determined by the state of its conditions and it does not differentiate the importance of different conditions. The reasoning module in the new ADS-IDAC provides a more structured way to mimic the operator’s diagnosis confidence formation.



Provides a continuous representation of diagnosis confidence. The mental belief has only two states, “activated” or “not activated”. In comparison, the reasoning module calculates accident diagnosis confidence level, which is a continuous value between 0 and 1, providing a more flexible way to mimic operator’s subjective diagnosis confidence before declaring an accident and the confidence progression. This improves the robustness of the simulation model. In the previous version of ADS-IDAC, the user has to be very careful in designing the mental belief activation logics in order to get certain mental beliefs activated in the simulation.



Provides an improved way to capture crew variations. The reasoning module in ADS-IDAC is parametrically adjustable in many aspects: pace of using procedures, diagnosis confidence threshold, activeness of gathering relevant evidence, cognitive processing speed, routine monitoring frequency, knowledge link weight to represent the strength of a knowledge unit, sensitivity to parameter change, short-term memory decay rate, etc. By adjusting those parameters in the reasoning module, ADS-IDAC could simulate a wide spectrum of crew responses.




Dynamically generates the operator’s reasoning chain. In comparison, in the previous version of ADS-IDAC, the user has to pre-design the thought train—mental belief activation path (see Figure 10-7).



Offers higher flexibility to dynamically allocate memory to store operator’s situation awareness information. ADS-IDAC 3.0 simulation generates the operators’ situation assessment and stores them in the mental representation, which could be flexibly used by subsequent cognitive processes. In earlier ADS-IDAC, the operator’s situation assessment is represented by the states of mental beliefs and the confidence levels in the event-symptom matrix. Each mental belief is a binary-state memory unit, and the total number of these memory units is pre-determined in the input file and could not be extended during the simulation.



Provides reasoning paths to identify disabled symptoms. In this demonstration simulation case, one key symptom of SGTR accident—high secondary radiation—was absent because MSIVs were closed. The reasoning module provides the capability to lead the operator to figure out that the absence of the symptom is due to closure of MSIV.

In all, the reasoning module has significantly improved the realism of operator performance model. Operator’s performance can be varied by adjusting specific model parameters (e.g. the confidence threshold, cognitive speed). It can capture a wider spectrum of possible operator performances, thus improving the predictive capabilities of the IDAC model.


11 Robustness of the Knowledge Base Model

As discussed in Section 4.2.3, knowledge web has been designed to represent the operator’s understanding of the inherent interactions among plant dynamics. Once a knowledge web input is coded, many of its knowledge links represent the generic knowledge of the systems interactions and this could be reused in different accident simulations, which helps to keep the input modeling effort under control. In the simulation case we coded for the complex SGTR accident, there are 175 knowledge links in the knowledge web. Among these 175 knowledge links, 5 directly link to SGTR accident nodes; 3 directly connect to the MSLB accident node; 11 link to LOCA accident nodes; 9 connect to SG fault accident node; the remaining 147 are general knowledge across different accident simulations. Though this knowledge-web has been only calibrated for the complex SGTR accident (calibration is to make sure the important knowledge related to the plant dynamics in the accident is included in the knowledge base), we used the same knowledge model to run some test simulations with other different accident scenarios and examined the robustness of the knowledge web at face validity level, that is, checking whether the simulation results make sense. 4 simulations were run with 4 different initiating events respectively: turbine trip, open pressurizer PORV, simple SGTR and Main Feed Water Regulation Valve (MFWR) failure. We present operators’ important observations and explanations in the first several minutes35 of each simulation in this chapter.

35 Most system dynamics and transients happen in the first several minutes of these accident scenarios.

11.1 Turbine trip case

The initiating event is a turbine trip. It causes the reactor to trip immediately. There is no further complication in this scenario. This case is for examining the operator’s situation awareness in a normal reactor trip accident. Here we summarize some key observations and explanations generated in the simulation. The operator observed the turbine tripped and the reactor tripped immediately after that. They understood that the reactor trip was caused by the turbine trip. The reason for the turbine trip is not provided in the contexts and knowledge base. The operator observed a set of expected plant transients after the reactor trip and successfully explained them:

Pressurizer pressure decrease was caused by reactor coolant temperature decrease and the pressurizer pressure level decrease. The operator also thought of a very small chance of LOCA accident.

Pressurizer level decrease was due to the shrinkage of the reactor coolant. Also the operator considered a very small chance of LOCA or SGTR accident.

Steam generator level decreased after the reactor trip. This is an expected transient phenomenon after the reactor trip.

Tave decrease was also expected. Steam dump was actuated to bring the temperature down to a specific level.

With the Tave decrease, the feed water system switched from main feeding to auxiliary feeding.

Steam generator level gradually increased back.

11.2 Pressurizer PORV stuck open

The scenario starts with an initiating event—pressurizer PORV being stuck open at 33% position. In the simulation, the first dynamic that came to the operator’s attention was the “control rod move out” alarm. The operator explained it by Tave-Tref deviation, which was correct. He also suspected that there might be some unexpected steam load increase that could cause control rods to move out and thus thought of possible MSLB accident and SG fault accident. In addition to these two possible causes, there is another one that the operator was not aware of: decreasing nuclear power. Due to the depressurization of the reactor coolant system, the voids expanded in the reactor coolant, added negative reactivity, and thus reduced the nuclear power. The reactor power decrease caused the control rods to move out to compensate. This causal relationship was not included in the knowledge base. It could be added in the future. Alarms activated. The operator noticed the pressurizer pressure was decreasing. Soon the safety injection actuated and the operator determined it was due to the low pressurizer pressure. Then he investigated the pressurizer pressure decrease and explained it by Tave decrease and pressurizer level decrease. Moreover, he checked the pressurizer PORV and found it was stuck open. Tave was decreasing due to multiple causes: steam dump after the reactor trip and safety injection. The operator also observed some other expected phenomena after a reactor trip and explained them. For example, the steam generator increased after the turbine tripped.


11.3 Simple SGTR accident

The initiating event is a rupture in SG A. In this scenario, the plant doesn’t trip automatically. The simulation started with full power and normal operation state. Alarms activated. The operator observed the pressurizer pressure decreasing and control rods moving out. He checked the pressurizer level and found the level was also decreasing, which explained the pressure decrease. Also he thought of a small chance of steam space LOCA accident. He investigated the possible causes of pressurizer level decrease. The Tave was stable and the makeup flow increased, so these two could not be the cause of pressurizer level decrease. Then he suspected there might be a LOCA or SGTR accident. The air ejector radiation alarm activated. It is a strong indication of a SGTR accident. The operator then found the water level in SG A was increasing. He verified the feed flow and steam flow in SG A. He saw the feed flow was smaller than the steam flow. It meant to him that there was some other source of water coming to SG A, and thus he further confirmed his diagnosis of SGTR accident. The operator noticed the reactor power had decreased but he couldn’t explain this because of his knowledge deficiency. It was due to the negative reactivity added by the expanded voids in the reactor coolant, which was caused by the pressurizer pressure decrease. This knowledge was not included in the knowledge base.


11.4 Main Feed Regulation Valve (MFRV) failure

The initiating event is an MFRV failure (stuck at 50% open position) in steam generator A loop. The simulation started with full power and normal operation state. After the initiating event, the operator first noticed an abnormal phenomenon: SG A level decrease. Then he checked the feed flow and steam flow. He noticed that the feed water flow had decreased. Further, he looked at the position of MFRV and found it was stuck at half open position.

11.5 Chapter conclusion

Even though the knowledge base was not calibrated and tailored for these 4 accident scenarios, the simulations generated reasonable results in terms of predicting the operator’s attention focus and mimicking the operator’s use of knowledge to explain his observations. During the simulations, the operator’s attention was naturally directed to some important accident-related evidence and his investigation traced back from some observable symptoms to the root problems. The coded generic knowledge of the plant systems showed robustness when applied to different simulation scenarios. Also, through exercises like these, the users are able to identify the places for further developing and expanding the knowledge base in the input model.

12 Summary and Conclusions

This dissertation introduces a methodology for modeling and simulating nuclear power plant operators’ knowledge-based behavior. This research has enhanced the IDAC individual operator cognitive model and improved the ADS-IDAC simulation tool. Predictive capabilities and realism of ADS-IDAC have been significantly improved in the following aspects:

1) embedded attention mechanism in information perception channels, better capturing cognitive resource limitations and top-down attention control;
2) developed and implemented a reasoning module into ADS-IDAC. It simulates an operator making sense of perceived information, connecting different pieces of information to form a big mental picture of the plant situation, and making accident diagnoses;
3) enhanced decision-making module to integrate procedure-based and knowledge-based operator behaviors;
4) expanded the PSF module by modeling a much larger set of PSFs: several mechanism PSFs have been rooted in the cognitive processes, assessment methods of several quantitative PSFs have been proposed and implemented, the effects of quantitative PSFs were manifested via model parameters in cognitive processes;
5) captured more crew variations given same accident contexts.

We briefly summarize the new features added to ADS-IDAC in the following sections.

12.1 Information perception channel improvements

This research has improved both the active and passive information perception channels in ADS-IDAC.


Top-down attention control mechanism plays an essential role in determining operator responses. It guides operators to actively select information from external environment and it is driven by operators’ intentions. The operator’s intentions of explaining the observed plant phenomena and making diagnosis are newly added to ADS-IDAC by this research. With support of a new knowledge-based reasoning function, the program computes operators’ intentions of information gathering, which guide the operator to actively check indicators on control panels as needed.

We also added a routine monitoring information channel to simulate an operator’s routinely monitoring a set of key indicators to maintain overall situation awareness. This routine set (list of indicators and monitor frequencies) can be tailored by the user, thus reflecting operators’ individual habits and preferences. The monitoring task is also subject to dynamic adjustment, determined by several Performance Shaping Factors (PSFs) and the prioritization of routine monitoring task and existing investigation tasks in the working memory.

The passive alarm information channel has been enhanced by adding a filter. This filter throttles the passive alarm information flow from moving on to further cognitive processes, to mimic the effects of cognitive resource limitations. It is adjusted by operator preference (openness to interruption), passive alarm load, and cognitive resource limits.

We also modeled a proximity feature in order to mimic parallel information perception. The control room panels are designed to group relevant indicators together so that it is natural and easy for the operator to perceive items together as a group. This process was added to ADS-IDAC. During a simulation, perception of one indicator reading automatically triggers perceptions of other indicators in a proximity group. The program offers users the flexibility of tailoring the control panels’ grouping features in the simulation input files.

12.2 Reasoning module

Through this project, we developed a semantic representation of operators’ knowledge of plant systems. In the new knowledge representation, a knowledge web is used to represent an operator’s understanding of the causal relations of system dynamics, and accident event schemas are used to index the causal paths between accidents and observable symptoms in this knowledge web, providing maps for retrieving accident-related knowledge during a simulation.

Several key components are built into the reasoning module to achieve the knowledge-based reasoning functions. A mental representation is used to link the operator’s ontology concepts of power plant parameters, components or systems, and alarms with the external perceivable indications and then store the operator’s observations. Together with the mental representation, an interpretation module is employed to translate the raw external information into situation statements (e.g. parameter trends, component/alarm state changes, comparisons between parameters, and comparisons between parameters and threshold values). The generated Situation Statements are marked with time information to construct operators’ episodic memories of the plant situation.

Memory is represented in semantic form. Each Semantic Unit has an activation level. Activation spreading among semantic units and activation decay are modeled to simulate priming effect and memory retrieval. Combining the activation level of each knowledge unit and its knowledge retrieval strengths (knowledge familiarity and using frequency), the program dynamically calculates the accessibility of each knowledge unit during the simulation.

In the reasoning module, some of these observations are selected for further processing, building the explanations and gathering more information from control panel if needed. The investigation item is the basic building block in reasoning chains, which connect different observations in order to form explanations. To simulate the limitations of cognitive resources, the program processes only one investigation item at a time. During the simulation, a prioritization function selects one item to process at current moment. Investigation items could be decayed and moved from the working memory to intermediate memory because of information overflow or being unattended for too long.

The reasoning module links relevant information to form explanations. If a generated reasoning path causally connects an observed symptom to an accident hypothesis, it provides evidence for that accident diagnosis. The program calculates a confidence level for this causal path, the value determined by the presence of competing explanations. By putting all the accident evidence (absent symptoms and justification of their absence, present symptoms and their causal path confidence numbers) together, the program generates a confidence level for an accident diagnosis and updates this confidence level over time.

This mechanism naturally simulates an operator’s diagnosis progression in the following ways: The operator starts to suspect an accident when he or she first connects an observation to it. The operator updates this diagnosis confidence when he or she receives more evidence (up if it is positive evidence or down if it is negative evidence), and the operator actively checks for other associated symptoms and requests information from control panels. The operator tries to explain one or more missing or negating symptoms and continues this diagnosis line if he or she is successful in justifying such symptoms or rejects the hypothesis if he or she fails to justify it. Finally, the operator declares that an accident has happened if the diagnosis confidence exceeds a user-specified threshold value. This threshold value represents the operator’s prudence of accident diagnosis.

12.3 Decision-making

In the power plant control room, operators are equipped with procedures for operating the plant. An operator typically follows procedure in parallel with knowledge-based reasoning when making a diagnosis. The accident diagnoses generated from the reasoning module are used to support the decisions at procedure transferring points. Several decision-making points are identified where the procedure guidance is not consistent with or in the same place as the operator’s diagnoses. Accordingly, branching rules are added to capture different operator choices. These allow the program to explore different choices in the simulation.

12.4 Performance-shaping factors

More PSFs have been added or extended in ADS-IDAC. This enables models to better capture the effects of contextual and personal factors on cognitive processes. Some of these PSFs, mechanism PSFs, refer to cognitive responses or mechanisms; they are directly modeled as part of the cognitive information processes or knowledge representations. Examples of these PSFs are attention, prioritization, problem-solving styles, expertise, information use, recent effects, and situational familiarity. Other PSFs have quantitative assessments in the model, so they are called quantitative PSFs: expertise, time constraint load, passive information load, cognitive task load, task complexity, stress, and fatigue. The program extracts relevant simulation information to assess the quantitative PSFs and manifest their effects on operator behavior by adjusting seven modeling parameters within the reasoning module.

12.5 Modeling operator variance

Many model parameters in the reasoning module provide flexibility for shaping an operator’s cognitive processes and introducing operator variances. Some of the model parameters are static, i.e., do not change during the course of simulated scenarios, and are configured by the user before the simulation; examples would be the confidence threshold for declaring an accident or activeness in gathering accident evidence. Some model parameters are dynamically adjusted during a simulation. Variance could be introduced by varying baseline values such as memory span or cognitive processing speed baseline values and routine monitoring time intervals. Introduction of three different problem-solving styles brings a major source of variation in operator responses. With different problem-solving styles, the program generates completely different paths for operator responses, mainly in attention direction and information usage, which play crucial roles in accident diagnoses.

12.6 Model calibration and validation

The face validity and content validity of our project have been demonstrated through many simulation results. This research has significantly improved simulation realism in the information perception, information sense-making, and diagnosis phases. The reasoning outputs support decision-making with operators’ procedure usage. The program is able to identify situations when the procedure in use is inconsistent with the operator’s knowledge-based diagnosis, and to generate branches to explore different operators’ choices—transferring to a “proper” procedure according to the knowledge-based diagnosis or following the procedure in use strictly. With this advancement, we have largely increased the coverage of operator-procedure progressions, as shown in our comparison of ADS-IDAC simulation results and Halden benchmark experiments. In addition, we have provided a quantitative calibration channel for some model parameters, including time cost and operator’s task load.

12.7 General Conclusion

This research has further demonstrated that it is possible to model an individual operator’s underlying cognitive processes and generate realistic response scenarios through dynamic simulation. The new ADS-IDAC can generate accident diagnosis failures (misdiagnosis and late diagnosis) induced by knowledge deficiency, situation complexity and inadequate use of information. Significant realism has been added by modeling “problem-solving styles” and the impact of context through detailed models of performance shaping factors.


13 Suggestion for Future Work

This research has also identified some areas where this model could be further improved.

1. Indicator failures were involved in several nuclear power plant accidents in history. They have misled operators’ situation assessment and have led to severe consequences, an example being the indicator failure of the stuck open pressurizer PORV in the Three Mile Island accident. It is valuable to study operators’ performance in a circumstance with indicator failure. An approach was proposed in this research, referring to Section 4.3.7. A possible future research direction is to implement this approach and to further enhance the memory representation and reasoning functions, in order to capture operators’ diagnosis of indicator failure in ADS-IDAC.

2. The current reasoning module contains necessary infrastructures (memory representation and information processing functions) for a cognitive architecture. It simulates operators’ perception and comprehension of the plant situation, which corresponds with Level 1 and Level 2 in Endsley’s situation awareness model (Endsley 1995). Operators’ projection of future situation status (Level 3 in Endsley’s model) is not included in the current IDAC model. If modeled by future research, it will also significantly improve ADS-IDAC’s predictive capability.

3. In ADS-IDAC, mental belief model and diagnosis engine simulate pattern-matching reasoning process, while the reasoning module generates a more deliberate and rigorous reasoning process. Both of them play important roles in operators’ situation awareness. A future research area is to integrate these two types of reasoning results and to form a hybrid model. Also, the reasoning module algorithm could be further improved by adding short-cuts in the reasoning paths for some familiar situations that the operator has learned or seen many times.

4. Further calibration and validation of the reasoning module, PSF models, and branching probabilities are needed based on data from actual operating experience and simulator exercises with real operators.


Appendix 1: Tiered Classification of PSFs (Groth 2009)


Appendix 2: Knowledge-Web Coded in the Complex SGTR Simulation Case36

| upstream phenomenon | downstream phenomenon | causal type | inference type | familiarity | strength1 | strength2 | delta T1 | delta T2 |
|---|---|---|---|---|---|---|---|---|
| SG_X_ruptured | air_ejector_radiation_>_10 | 2 | 0 | 1 | 1 | 1 | -5 | 10 |
| load_increase | Control_rod_move_out | 2 | 0 | 1 | 1 | 1 | -10 | 10 |
| Tave_minus_Tref_<_-1 | Control_rod_move_out | 2 | 0 | 0.9 | 1 | 0.9 | -10 | 10 |
| Tave_decrease | Tave_minus_Tref_decrease | 2 | 0 | 1 | 1 | 1 | -10 | 10 |
| Tref_increase | Tave_minus_Tref_decrease | 2 | 0 | 1 | 1 | 0.9 | -10 | 10 |
| power_increase | Tref_increase | 2 | 0 | 1 | 0.2 | 0.9 | -10 | 10 |
| power_decrease | Tref_decrease | 2 | 0 | 1 | 0.2 | 0.9 | -10 | 10 |
| Tave_increase | Tave_minus_Tref_increase | 2 | 0 | 1 | 1 | 1 | -10 | 10 |
| Tref_decrease | Tave_minus_Tref_increase | 2 | 0 | 1 | 1 | 0.9 | -10 | 10 |
| Tave_minus_Tref_>_1 | Control_rod_move_in | 2 | 0 | 0.9 | 1 | 1 | -5 | 5 |
| Tave_decrease | Tave_minus_Tref_<_-1 | 2 | 0 | 1 | 0.8 | 0.8 | -5 | 20 |

conditional phenomenon: MSI_OFF

36 Explanation of the parameters’ meanings: Link A-B, A is the upstream phenomenon, B is the downstream phenomenon. Causal type: 0-no causal relationship between A and B; 1-A is the only cause of B; 2-A is a cause of B but not the only cause. Inference type: 0-no inference relationship between A and B; 1-A true infers B true; 2-B true infers A true; 3-A true infers B true and B true infers A true. Description of familiarity, strength1, strength2 is available in Section 4.2.3. Delta T1, delta T2: if A happens at time t, B is supposed to be observed in the time range (t+T1, t+T2). Conditional phenomenon: the causal/inference relationship is only valid when the condition is met. More description is available in ADS-3.0 input file description document.
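The link semantics explained in the footnote above, as an added Python example that is not code from ADS-IDAC or from the dissertation: it traces an observed symptom back through a few of the listed links, applying the (t+T1, t+T2) timing rule and the conditional phenomenon. The class and function names, the observation times, and the attachment of MSI_OFF to the SG_X_ruptured link are assumptions; the program's confidence calculation is not reproduced.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Link:
    upstream: str                    # phenomenon A
    downstream: str                  # phenomenon B
    causal_type: int                 # 0 = none, 1 = only cause, 2 = one of several
    dt1: float                       # delta T1
    dt2: float                       # delta T2
    condition: Optional[str] = None  # conditional phenomenon, if any


# A few link rows from the Appendix 2 listing, paired by column order.
# Assumption: MSI_OFF is the condition of the air-ejector radiation link.
LINKS = [
    Link("SG_X_ruptured", "air_ejector_radiation_>_10", 2, -5, 10, "MSI_OFF"),
    Link("SG_X_ruptured", "PRZ_level_decrease", 2, -5, 5),
    Link("LOCA_true", "PRZ_level_decrease", 2, -5, 5),
    Link("Tave_decrease", "PRZ_level_decrease", 2, -10, 5),
    Link("makeup_flow_<_-0.5", "PRZ_level_decrease", 2, -10, 5),
    Link("PRZ_level_decrease", "PRZ_pres_decrease", 2, -5, 5),
    Link("Tave_decrease", "PRZ_pres_decrease", 2, -5, 5),
    Link("PRZ_PORV_open", "PRZ_pres_decrease", 2, -5, 5),
    Link("LOCA_steam_space_true", "PRZ_pres_decrease", 2, -5, 5),
]
ACCIDENTS = {"SG_X_ruptured", "LOCA_true", "LOCA_steam_space_true"}


def in_window(link, t_up, t_down):
    """Footnote rule: A at time t means B is expected within (t+T1, t+T2)."""
    return t_up + link.dt1 < t_down < t_up + link.dt2


def is_valid(link, plant_state):
    """A link applies only if it is causal and its condition (if any) holds."""
    return link.causal_type != 0 and (
        link.condition is None or plant_state.get(link.condition, False))


def trace_back(symptom, observed, absent, plant_state, links=LINKS):
    """Walk upstream from an observed symptom.

    observed: phenomenon -> time first seen (must contain the symptom)
    absent:   phenomena that were checked and found not present
    Returns confirmed cause/effect pairs, open accident hypotheses, causes
    ruled out, and unobserved indicators still worth checking.
    """
    chain, hypotheses, ruled_out, to_check = [], set(), set(), set()
    pending, visited = [symptom], set()
    while pending:
        node = pending.pop()
        if node in visited:
            continue
        visited.add(node)
        for link in links:
            if link.downstream != node or not is_valid(link, plant_state):
                continue
            cause = link.upstream
            if cause in absent:
                ruled_out.add(cause)
            elif cause in observed:
                if in_window(link, observed[cause], observed[node]):
                    chain.append((cause, node))
                    pending.append(cause)     # keep tracing further upstream
                else:
                    ruled_out.add(cause)      # seen, but timing does not fit
            elif cause in ACCIDENTS:
                hypotheses.add(cause)
            else:
                to_check.add(cause)
    return {"chain": chain, "hypotheses": sorted(hypotheses),
            "ruled_out": sorted(ruled_out), "to_check": sorted(to_check)}


def disabled_symptoms(hypothesis, plant_state, links=LINKS):
    """Symptoms of a hypothesis whose absence is explained by an unmet condition."""
    return sorted(l.downstream for l in links
                  if l.upstream == hypothesis and l.condition is not None
                  and not plant_state.get(l.condition, False))


def demo():
    # Constructed observations loosely following the simple SGTR narrative;
    # the times are made up and use whatever unit the delta T values use.
    observed = {"PRZ_pres_decrease": 30.0, "PRZ_level_decrease": 28.0}
    absent = {"Tave_decrease", "makeup_flow_<_-0.5"}
    return trace_back("PRZ_pres_decrease", observed, absent, {"MSI_OFF": True})


if __name__ == "__main__":
    print(demo())
    print(disabled_symptoms("SG_X_ruptured", {"MSI_OFF": False}))
```
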


| upstream phenomenon | downstream phenomenon | causal type | inference type | familiarity | strength1 | strength2 | delta T1 | delta T2 |
|---|---|---|---|---|---|---|---|---|
| Tave_decrease | power_increase | 1 | 4 | 1 | 0.8 | 0.5 | -5 | 5 |
| Control_rod_move_in | Tave_decrease | 1 | 4 | 1 | 0.8 | 0.8 | -5 | 5 |
| load_increase | Tave_decrease | 2 | 0 | 1 | 0.5 | 0.8 | -5 | 5 |
| reactor_trip_turn_on | Tave_decrease | 2 | 0 | 1 | 0.8 | 0.7 | -5 | 25 |
| load_increase | power_increase | 1 | 0 | 1 | 0.2 | 0.8 | -5 | 5 |
| SI_ON | Tave_decrease | 2 | 0 | 0.8 | 0.3 | 0.5 | -5 | 5 |
| SG_PORV_open | load_increase | 2 | 0 | 1 | 0.8 | 0.5 | -5 | 5 |
| SG_X_PORV_open | SG_PORV_open | 2 | 1 | 1 | 1 | 1 | -5 | 5 |
| steam_dump_open_bigger | load_increase | 2 | 0 | 1 | 1 | 0.5 | -5 | 5 |
| SG_X_faulted | load_increase | 2 | 0 | 1 | 0.2 | 0.2 | -5 | 5 |
| SG_A_faulted | SG_A_pres_<_SG_B_pres | 2 | 0 | 1 | 1 | 1 | -60 | 10 |
| SG_A_faulted | SG_A_pres_<_SG_C_pres | 2 | 0 | 1 | 1 | 1 | -60 | 10 |
| SG_B_faulted | SG_B_pres_<_SG_A_pres | 2 | 0 | 1 | 1 | 1 | -60 | 10 |
| SG_B_faulted | SG_B_pres_<_SG_C_pres | 2 | 0 | 1 | 1 | 1 | -60 | 10 |
| SG_C_faulted | SG_C_pres_<_SG_A_pres | 2 | 0 | 1 | 1 | 1 | -60 | 10 |
| SG_C_faulted | SG_C_pres_<_SG_B_pres | 2 | 0 | 1 | 1 | 1 | -60 | 10 |
| MSLB_true | load_increase | 2 | 0 | 1 | 0.8 | 0.2 | -5 | 20 |
| Tave_increase | PRZ_level_increase | 2 | 0 | 0.9 | 1 | 1 | -5 | 5 |

conditional phenomenon: reactor_trip_OFF, MSI_OFF


| upstream phenomenon | downstream phenomenon | causal type | inference type | familiarity | strength1 | strength2 | delta T1 | delta T2 |
|---|---|---|---|---|---|---|---|---|
| SI_ON | PRZ_level_increase | 2 | 0 | 1 | 0.8 | 0.8 | -5 | 5 |
| makeup_flow_>_0.5 | PRZ_level_increase | 2 | 0 | 1 | 1 | 0.9 | -5 | 5 |
| Tave_decrease | PRZ_level_decrease | 2 | 0 | 1.0 | 0.9 | 1 | -10 | 5 |
| alarm_PRZ_level_high_deviate_ON | PRZ_level_decrease | 2 | 0 | 1 | 1 | 0.05 | -5 | 5 |
| makeup_flow_<_-0.5 | PRZ_level_decrease | 2 | 0 | 1 | 1 | 0.9 | -10 | 5 |
| LOCA_true | PRZ_level_decrease | 2 | 0 | 1 | 1 | 0.05 | -5 | 5 |
| SG_X_ruptured | PRZ_level_decrease | 2 | 0 | 1 | 0.7 | 0.05 | -5 | 5 |
| Tave_increase | PRZ_pres_increase | 2 | 0 | 0.95 | 0.9 | 0.9 | -5 | 5 |
| PRZ_level_increase | PRZ_pres_increase | 2 | 0 | 1 | 1 | 1 | -5 | 5 |
| backup_PRZ_heater_ON | PRZ_pres_increase | 2 | 0 | 1 | 0.5 | 0.5 | -5 | 5 |
| Tave_decrease | PRZ_pres_decrease | 2 | 0 | 1 | 0.9 | 0.9 | -5 | 5 |
| PRZ_level_decrease | PRZ_pres_decrease | 2 | 0 | 1 | 1 | 1 | -5 | 5 |
| PRZ_spray_X_ON | PRZ_pres_decrease | 2 | 0 | 1 | 1 | 0.6 | -5 | 5 |
| proportional_PRZ_heater_ON | PRZ_pres_increase | 2 | 0 | 1 | 1 | 0.3 | -5 | 5 |
| PRZ_PORV_open | PRZ_pres_decrease | 2 | 0 | 1 | 1 | 0.2 | -5 | 5 |
| LOCA_steam_space_true | LOCA_true | 2 | 0 | 1 | 1 | 0.15 | -5 | 5 |
| LOCA_inside_containment_true | LOCA_true | 2 | 0 | 1 | 1 | 0.15 | -5 | 5 |

conditional phenomenon: letdown_isolation_OFF

| upstream phenomenon | downstream phenomenon | causal type | inference type | familiarity | strength1 | strength2 | delta T1 | delta T2 |
|---|---|---|---|---|---|---|---|---|
| LOCA_outside_containment_true | LOCA_true | 2 | 0 | 1 | 1 | 0.15 | -5 | 5 |
| LOCA_steam_space_true | PRZ_pres_decrease | 2 | 0 | 1 | 1 | 0.15 | -5 | 5 |
| LOCA_steam_space_true | containment_pres_increase | 2 | 0 | 1 | 1 | 0.15 | -5 | 5 |
| PRZ_PORV_open | LOCA_steam_space_true | 2 | 0 | 1 | 1 | 0.15 | -5 | 5 |
| LOCA_inside_containment_true | containment_pres_increase | 2 | 0 | 1 | 1 | 0.15 | -5 | 5 |
| reactor_trip_turn_on | turbine_trip_turn_on | 2 | 0 | 1 | 1 | 1.9 | 0 | 5 |

upstream phenomenon: turbine_trip_turn_on, KN_any_reactor_trip_turn_on 37, power_increase, power_increase, KN_any_reactor_trip_ON, KN_any_SI_turn_on 38
downstream phenomenon: reactor_trip_turn_on, reactor_trip_turn_on, OPDT_reactor_trip_turn_on, Tave_increase, reactor_trip_ON, SI_turn_on
causal type: 1 1 3 0 1
inference type: 0 0 0 1 1
familiarity: 1 0.9 1 1 1
strength1: 1 1 1 1 1
strength2: 1 1 1 1 1
delta T1: -2 -1 -1 0 -10
delta T2: 5 5 5 5 10

37 KN_any_reactor_trip_ON is a combination of 10 phenomena with an OR gate: OPDT_reactor_trip_turn_on, OTDT_reactor_trip_turn_on, high_power_reactor_trip_turn_on, low_PRZ_pres_reactor_trip_turn_on, lowlow_SG_level_reactor_trip_turn_on, high_PRZ_pres_reactor_trip_turn_on, high_PRZ_level_reactor_trip_turn_on, low_RCS_flow_reactor_trip_turn_on, MF_MS_mismatch_reactor_trip_turn_on, SI_turn_on. It’s the same of the “KN_any_reactor_trip_ON”.

38 KN_any_SI_turn_on is a combination of 2 phenomena with an OR gate: low_SG_pres_SI_turn_on and low_PRZ_pres_SI_turn_on.

| upstream phenomenon | downstream phenomenon | causal type | inference type | familiarity | strength1 | strength2 | delta T1 | delta T2 |
|---|---|---|---|---|---|---|---|---|
| load_decrease | Tave_increase | 2 | 0 | 0.9 | 1 | 0.9 | -5 | 20 |
| load_decrease | power_decrease | 1 | 0 | 1 | 1 | 0.9 | -5 | 20 |
| reactor_trip_turn_on | power_decrease | 1 | 0 | 1 | 1 | 0.9 | -5 | 20 |
| steam_dump_close_smaller | load_decrease | 2 | 0 | 1 | 0.3 | 0.3 | -5 | 5 |
| SG_PORV_close_smaller | load_decrease | 2 | 0 | 1 | 0.3 | 0.3 | -5 | 5 |
| MSI_turn_on | load_decrease | 2 | 0 | 0.9 | 0.8 | 0.2 | -5 | 10 |
| KN_there_is_load_after_MSIV | load_after_MSIV_true | 1 | 0 | 1 | 0.8 | 1 | -5 | 5 |
| FW_X_flow_<_MS_X_flow | SG_X_level_decrease | 2 | 0 | 1 | 1 | 0.9 | -100 | 5 |
| reactor_trip_turn_on | SG_X_level_decrease | 2 | 0 | 1 | 1 | 1 | -20 | 20 |
| load_increase | FW_X_flow_<_MS_X_flow | 2 | 0 | 1 | 0.6 | 0.9 | -5 | 20 |
| FW_X_flow_decrease | FW_X_flow_<_MS_X_flow | 2 | 0 | 1 | 0.8 | 0.8 | -5 | 30 |
| MFWP_trip | FW_X_flow_decrease | 2 | 0 | 1 | 1 | 0.5 | -30 | 10 |
| AFWP_trip | FW_X_flow_decrease | 2 | 0 | 1 | 1 | 0.5 | -30 | 10 |
| FWRV_X_close_smaller | FW_X_flow_decrease | 2 | 0 | 1 | 1 | 1 | -5 | 5 |
| MDAFWP_X_V_close_smaller | FW_X_flow_decrease | 2 | 0 | 1 | 1 | 1 | -5 | 10 |
| TDAFWP_X_V_close_smaller | FW_X_flow_decrease | 2 | 0 | 1 | 1 | 1 | -5 | 10 |

conditional phenomenon: reactor_trip_OFF, load_after_MSIV_true


| upstream phenomenon | downstream phenomenon | causal type | inference type | familiarity | strength1 | strength2 | delta T1 | delta T2 |
|---|---|---|---|---|---|---|---|---|
| MFIV_X_close_smaller | FW_X_flow_decrease | 2 | 0 | 1 | 1 | 0.5 | -5 | 10 |
| MFWP_X_trip_turn_on | MFWP_trip | 0 | 1 | 1 | 1 | 0.5 | -5 | 5 |
| MDAFWP_turn_off | AFWP_trip | 0 | 1 | 1 | 1 | 0.5 | -5 | 10 |
| TDAFWP_turn_off | AFWP_trip | 0 | 1 | 1 | 1 | 0.6 | -5 | 10 |
| TDAFWP_X_V_close_smaller | AFW_X_flow_decrease | 2 | 0 | 1 | 1 | 1 | -5 | 10 |
| FW_X_flow_>_MS_X_flow | SG_X_level_increase | 2 | 0 | 1 | 1 | 0.9 | -20 | 10 |
| reactor_trip_turn_on | SG_X_level_increase | 2 | 0 | 1 | 1 | 20 | -20 | 300 |
| SG_X_ruptured | SG_X_level_increase | 2 | 0 | 0.9 | 1 | 0.05 | -20 | 10 |
| SG_A_ruptured | SG_A_level_>_SG_B_level | 2 | 0 | 0.9 | 1 | 0.5 | -5 | 10 |
| FW_A_flow_>_FW_B_flow | SG_A_level_>_SG_B_level | 2 | 0 | 1 | 1 | 0.9 | -35 | 200 |
| SG_A_ruptured | SG_A_level_>_SG_C_level | 2 | 0 | 1 | 1 | 0.5 | -5 | 30 |
| FW_A_flow_>_FW_C_flow | SG_A_level_>_SG_C_level | 2 | 0 | 1 | 1 | 0.9 | -60 | 200 |
| load_decrease | FW_X_flow_>_MS_X_flow | 2 | 0 | 0.9 | 0.8 | 0.9 | -20 | 10 |
| FW_X_flow_increase | FW_X_flow_>_MS_X_flow | 2 | 0 | 1 | 0.8 | 0.9 | -5 | 10 |
| MFW_X_flow_increase | FW_X_flow_increase | 2 | 0 | 1 | 1 | 0.9 | -5 | 10 |
| AFW_X_flow_increase | FW_X_flow_increase | 2 | 0 | 1 | 1 | 0.9 | -5 | 10 |
| FWRV_X_open_bigger | MFW_X_flow_increase | 2 | 0 | 1 | 1 | 0.9 | -5 | 10 |


| upstream phenomenon | downstream phenomenon | causal type | inference type | familiarity | strength1 | strength2 | delta T1 | delta T2 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| MDAFWP_turn_on | AFW_X_flow_increase | 2 | 0 | 1 | 1 | 0.5 | -5 | 10 |
| MDAFWP_X_V_open_bigger | AFW_X_flow_increase | 2 | 0 | 1 | 1 | 0.9 | -5 | 10 |
| TDAFWP_turn_on | AFW_X_flow_increase | 2 | 0 | 1 | 1 | 0.6 | -5 | 10 |
| TDAFWP_X_V_open_bigger | AFW_X_flow_increase | 2 | 0 | 1 | 1 | 0.9 | -5 | 10 |
| SG_X_faulted | SG_X_pres_low | 2 | 0 | 1 | 1 | 0.2 | -5 | 5 |
| MSLB_true | SG_X_pres_low | 2 | 0 | 1 | 0.8 | 0.2 | -5 | 5000 |
| load_increase | SG_X_pres_decrease | 2 | 0 | 1 | 1 | 0.9 | -5 | 5 |
| load_decrease | SG_X_pres_increase | 2 | 0 | 1 | 0.8 | 0.9 | -5 | 5 |
| SG_X_level_increase | SG_X_pres_increase | 2 | 0 | 1 | 0.5 | 0.3 | -5 | 5 |
| Tave_minus_Tref_>_5 | steam_dump_open_bigger | 2 | 0 | 1 | 1 | 0.9 | -5 | 5 |
| Tave_increase | steam_dump_open_bigger | 2 | 0 | 1 | 1 | 0.9 | -5 | 5 |
| Tave_decrease | steam_dump_close_smaller | 2 | 0 | 1 | 1 | 0.9 | -5 | 5 |
| containment_pres_highhigh | MSI_turn_on | 2 | 0 | 1 | 0.8 | 0.8 | -5 | 5 |
| SG_pres_low | MSI_turn_on | 2 | 0 | 1 | 0.8 | 0.8 | -5 | 5 |
| PRZ_pres_<_2210 | backup_PRZ_heater_turn_on | 1 | 0 | 0.9 | 1 | 1 | -5 | 5 |
| PRZ_pres_>_2218 | backup_PRZ_heater_turn_off | 1 | 0 | 1 | 1 | 1 | -5 | 5 |

conditional phenomenon

MSI_OFF

reactor_trip_ON steam_dump_open steam_dump_open


| upstream phenomenon | downstream phenomenon | causal type | inference type | familiarity | strength1 | strength2 | delta T1 | delta T2 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| PRZ_pres_>_2335 | PRZ_PORV_open_bigger | 1 | 0 | 1 | 1 | 1 | -5 | 5 |
| Tave_low | MFIV_X_close_smaller | 2 | 0 | 1 | 0.8 | 0.8 | -5 | 5 |
| SI_ON | MFIV_X_close_smaller | 2 | 0 | 1 | 0.6 | 0.7 | -5 | 5 |
| SG_level_highhigh | MFIV_X_close_smaller | 2 | 0 | 1 | 1 | 1 | -5 | 5 |
| SG_X_level_lowlow | MDAFWP_1_turn_on | 2 | 0 | 1 | 1 | 0.8 | -5 | 5 |
| SG_X_level_lowlow | MDAFWP_2_turn_on | 2 | 0 | 1 | 1 | 0.8 | -5 | 5 |
| SG_X_level_lowlow | TDAFWP_turn_on | 2 | 0 | 1 | 1 | 0.8 | -5 | 5 |
| KN_MFWPs_trip | TDAFWP_turn_on | 2 | 0 | 1 | 1 | 0.8 | -5 | 5 |
| KN_MFWPs_trip | MDAFWP_X_turn_on | 2 | 0 | 1 | 1 | 0.8 | -5 | 5 |
| SI_ON | MDAFWP_X_turn_on | 2 | 0 | 1 | 1 | 0.8 | -5 | 5 |
| SG_X_PORV_close_smaller | SG_PORV_close_smaller | 0 | 1 | 1 | 1 | 1 | -5 | 5 |
| SG_X_PORV_open_bigger | SG_PORV_open_bigger | 0 | 1 | 1 | 1 | 1 | -5 | 5 |
| SG_X_NR_level_decrease | SG_X_level_decrease | 0 | 1 | 1 | 1 | 1 | -5 | 5 |
| SG_X_WR_level_decrease | SG_X_level_decrease | 0 | 1 | 1 | 1 | 1 | -5 | 5 |
| SG_X_NR_level_increase | SG_X_level_increase | 0 | 1 | 1 | 1 | 1 | -5 | 5 |
| SG_X_WR_level_increase | SG_X_level_increase | 0 | 1 | 1 | 1 | 1 | -5 | 5 |
| SG_A_NR_level_>_SG_B_NR_level | SG_A_level_>_SG_B_level | 0 | 1 | 1 | 1 | 1 | -5 | 5 |

conditional phenomenon

reactor_trip_ON


| upstream phenomenon | downstream phenomenon | causal type | inference type | familiarity | strength1 | strength2 | delta T1 | delta T2 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| SG_A_NR_level_>_SG_C_NR_level | SG_A_level_>_SG_C_level | 0 | 1 | 1 | 1 | 1 | -5 | 5 |
| SG_A_WR_level_>_SG_B_WR_level | SG_A_level_>_SG_B_level | 0 | 1 | 1 | 1 | 1 | -5 | 5 |
| SG_A_WR_level_>_SG_C_WR_level | SG_A_level_>_SG_C_level | 0 | 1 | 1 | 1 | 1 | -5 | 5 |
| SG_X_level_highhigh | SG_level_highhigh | 1 | 1 | 1 | 1 | 1 | -5 | 5 |
| SG_X_pres_low | SG_pres_low | 1 | 1 | 1 | 1 | 1 | -80 | 5 |
| MDAFWP_X_turn_off | MDAFWP_turn_off | 1 | 1 | 1 | 1 | 1 | -5 | 5 |
| MDAFWP_X_turn_on | MDAFWP_turn_on | 1 | 1 | 1 | 1 | 1 | -5 | 5 |
| air_ejector_radiation_>_10 | alarm_air_ejector_radiation_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| power_>_1.04 | turbine_runback_ON | 1 | 0 | 0.8 | 1 | 1 | -5 | 5 |
| MFWP_X_trip_ON | alarm_MFWP_X_trip_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| SG_X_level_lowlow | alarm_SG_X_level_lowlow_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| SG_X_pres_low | alarm_SG_X_pres_low_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| reactor_trip_ON | alarm_reactor_trip_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| turbine_runback_ON | alarm_turbine_runback_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| power_high | high_power_reactor_trip_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| OPDT_high | OPDT_reactor_trip_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |

conditional phenomenon


| upstream phenomenon | downstream phenomenon | causal type | inference type | familiarity | strength1 | strength2 | delta T1 | delta T2 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| OTDT_high | OTDT_reactor_trip_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| PRZ_pres_low | low_PRZ_pres_reactor_trip_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| SG_level_lowlow | lowlow_SG_level_reactor_trip_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| PRZ_pres_high | high_PRZ_pres_reactor_trip_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| PRZ_level_high | high_PRZ_level_reactor_trip_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| RCS_flow_low | low_RCS_flow_reactor_trip_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| Control_rod_move_out | alarm_control_rod_out_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| Control_rod_move_in | alarm_control_rod_in_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| PRZ_level_low | alarm_PRZ_level_low_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| Tave_lowlow | alarm_Tave_lowlow_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| PRZ_pres_SI_low | low_PRZ_pres_SI_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| SG_pres_low | low_SG_pres_SI_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| SI_ON | alarm_SI_ON | 1 | 2 | 1 | 1 | 1 | -5 | 5 |
| MS_X_flow_>_FW_X_flow | MS_MF_mismatch | 1 | 0 | 1 | 1 | 1 | -40 | 5 |
| MS_MF_mismatch | MF_MS_mismatch_reactor_trip_ON | 0 | 2 | 1 | 1 | 1 | -5 | 5 |
| MFIV_X_close | MSI_ON | 0 | 2 | 1 | 1 | 1 | -5 | 5 |
| MSI_ON | alarm_MSI_ON | 0 | 2 | 1 | 1 | 1 | -5 | 5 |

conditional phenomenon


| upstream phenomenon | downstream phenomenon | causal type | inference type | familiarity | strength1 | strength2 | delta T1 | delta T2 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Tave_low | MFWP_X_trip_turn_on | 0 | 2 | 0.9 | 1 | 1 | -5 | 5 |
| MFWP_X_trip_turn_on | alarm_MFWP_X_trip_ON | 0 | 2 | 1 | 1 | 1 | -5 | 5 |
| MFWP_X_trip_turn_on | alarm_MFWP_trip_ON | 0 | 2 | 1 | 1 | 1 | -5 | 5 |
| SG_X_level_high | alarm_SG_X_level_high_ON | 0 | 2 | 1 | 1 | 1 | -5 | 5 |
| SG_X_level_highhigh | alarm_SG_X_level_highhigh_ON | 0 | 2 | 1 | 1 | 1 | -5 | 5 |
| Tave_minus_Tref_<_-1 | alarm_Tave_low_deviate_ON | 0 | 2 | 1 | 1 | 1 | -5 | 5 |
| PRZ_pres_low | alarm_PRZ_pres_low_ON | 0 | 2 | 1 | 1 | 1 | -5 | 5 |
| MDAFWP_X_ON | alarm_MDAFWP_auto_ON | 0 | 2 | 1 | 1 | 1 | -5 | 5 |
| TDAFWP_ON | alarm_TDAFWP_auto_ON | 0 | 2 | 1 | 1 | 1 | -5 | 5 |
| SG_X_level_low | alarm_SG_X_level_low_ON | 0 | 2 | 1 | 1 | 1 | -5 | 5 |
| SG_X_level_lowlow | alarm_SG_A_level_lowlow_ON | 0 | 2 | 1 | 1 | 1 | -5 | 5 |
| turbine_trip | alarm_turbine_trip_ON | 0 | 2 | 1 | 1 | 1 | -5 | 5 |
| reactor_trip_turn_on | turbine_trip | 2 | 0 | 1 | 1 | 1 | -10 | 5 |
| turbine_trip_OFF | MS_X_flow_>_5 | 2 | 0 | 1 | 1 | 1 | -50 | 10 |
| steam_dump_open | MS_X_flow_>_5 | 2 | 0 | 1 | 1 | 0.5 | -50 | 10 |
| SG_X_PORV_open | MS_X_flow_>_5 | 2 | 0 | 1 | 1 | 0.3 | -50 | 10 |
| SG_X_faulted | MS_X_flow_>_5 | 2 | 0 | 1 | 1 | 0.05 | -50 | 10 |

conditional phenomenon

MSI_OFF


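| upstream phenomenon | downstream phenomenon | causal type | inference type | familiarity | strength1 | strength2 | delta T1 | delta T2 | conditional phenomenon |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| MSLB_true | MS_X_flow_>_5 | 2 | 0 | 1 | 1 | 0.3 | -50 | 10 | MSI_OFF |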




