Office for Nuclear Regulation An agency of HSE … Generic Design Assessment – New Civil Reactor Build Step 4 Human Factors Assessment of the EDF and AREVA UK EPRTM Reactor Assessment Report: ONR-GDA-AR-11-028 Revision 0 11 November 2011 Office for Nuclear Regulation Report ONR-GDA-AR-11-028 Revision 0 An agency of HSE COPYRIGHT © Crown copyright 2011 First published December 2011 You may reuse this information (excluding logos) free of charge in any format or medium, under the terms of the Open Government Licence. To view the licence visit www.nationalarchives.gov.uk/doc/open-government-licence/, write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email [email protected]. Some images and illustrations may not be owned by the Crown so cannot be reproduced without permission of the copyright owner. Enquiries should be sent to [email protected]. Unless otherwise stated, all corporate names, logos, and Registered® and Trademark™ products mentioned in this Web site belong to one or more of the respective Companies or their respective licensors. They may not be used or reproduced in any manner without the prior written agreement of the owner(s). For published documents, the electronic copy on the ONR website remains the most current publically available version and copying or printing renders this document uncontrolled. Page (i) Office for Nuclear Regulation Report ONR-GDA-AR-11-028 Revision 0 An agency of HSE PREFACE The Office for Nuclear Regulation (ONR) was created on 1st April 2011 as an Agency of the Health and Safety Executive (HSE). It was formed from HSE's Nuclear Directorate (ND) and has the same role. Any references in this document to the Nuclear Directorate (ND) or the Nuclear Installations Inspectorate (NII) should be taken as references to ONR. The assessments supporting this report, undertaken as part of our Generic Design Assessment (GDA) process and the submissions made by EDF and AREVA relating to the UK EPRTM reactor design, were established prior to the events at Fukushima, Japan. Therefore, this report makes no reference to Fukushima in any of its findings or conclusions. However, ONR has raised a GDA Issue which requires EDF and AREVA to demonstrate how they will be taking account of the lessons learnt from the events at Fukushima, including those lessons and recommendations that are identified in the ONR Chief Inspector’s interim and final reports. The details of this GDA Issue can be found on the Joint Regulators’ new build website www.hse.gov.uk/newreactors and in ONR’s Step 4 Cross-cutting Topics Assessment of the EDF and AREVA UK EPRTM reactor. Page (ii) Office for Nuclear Regulation Report ONR-GDA-AR-11-028 Revision 0 An agency of HSE EXECUTIVE SUMMARY This report presents the findings of the Human Factors assessment of the UK EPR reactor undertaken as part of Step 4 of the Health and Safety Executive’s Generic Design Assessment. My assessment has been carried out on the Pre-Construction Safety Report (November 2009) and supporting documentation submitted by EDF and AREVA during Step 4. My assessment has followed a step-wise approach in a claims-argument-evidence hierarchy, corresponding to Generic Design Assessment Steps 2, 3 and 4 respectively. In the technical area of human factors, no assessment was undertaken in Generic Design Assessment Step 2, and my Generic Design Assessment Step 3 Assessment Report was more aligned to a Generic Design Assessment Step 2 Assessment Report; focusing on consideration of EDF and AREVA’s claims, with very limited consideration of the available arguments. As a result my assessment has been back-loaded to Generic Design Assessment Step 4, during which I have examined in detail the arguments and supporting evidence for the human based safety claims. It is seldom possible or necessary to assess a safety case in its entirety, therefore sampling is used to limit the areas scrutinised, and to improve the overall efficiency of the assessment process. Sampling is undertaken in a focused, targeted and structured manner with a view to revealing any topic specific or generic weaknesses in the safety case. To identify the sampling for the human factors area an assessment plan for Generic Design Assessment Step 4 was developed in advance. The following items have been agreed with EDF and AREVA as being outside the scope of Generic Design Assessment (Phase 1) for human factors:  Team organisation.  Staffing.  Operating and maintenance procedures.  Use of State Orientated Approach.  Display breakdown.  Training. It has been necessary for EDF and AREVA to make assumptions with regard to these aspects in the Generic Design Assessment risk assessment, but finalisation of them will not occur until Generic Design Assessment Phase 2 (site licensing); where they will largely be the responsibility of a prospective licensee organisation. However several notable elements have been embedded within the substantiation of human based safety claims for Generic Design Assessment Phase 1, hence any future licensee wishing to adopt alternative approaches would be required to justify the changes. These elements are:  The application of the State Orientated Approach and procedures for abnormal operations.  The main control room staffing philosophy comprising a strategy operator, action operator and supervisor/safety engineer. My assessment has focussed on five key work streams that address the breadth of human factors within a Pre-Construction Safety Report. These are: 1 Substantiation of Human Based Safety Actions This work stream focused on ensuring that the risks from human actions have been reduced to As Low As Reasonably Practicable. It is the foundation for my risk informed Page (iii) Office for Nuclear Regulation Report ONR-GDA-AR-11-028 Revision 0 An agency of HSE assessment and supports the Generic Design Assessment, assessment strategy of considering the claims, arguments and evidence. The overriding aim of this area of assessment is to ensure the adequacy of the substantiation1 of important operator actions. Subsidiary to this, the work stream aimed to provide a judgement on the:  Completeness of the statement of ‘claims on the operator’.  Adequacy of the justification, or process intended to ensure, that claims are reasonable and will be achievable by the realised design.  Recommendations on any key area of follow-on work and assessment that is required to ensure that key claims are substantiated. By addressing these aims, my assessment intended to judge whether all key areas of reliance on operator actions or vulnerability to human errors have been identified and sufficiently considered for this stage in the overall development of the design and its assessment. 2 Generic Human Reliability Assessment Work Stream 2 aimed to look generically at particular aspects of the Human Reliability Assessment across the safety submission; and particularly the Human Reliability Assessment methods and their application adopted by EDF and AREVA. Further to this I assessed the general suitability of the techniques applied in light of the digital nature of plant and equipment control systems and interfaces. 3 Engineering Systems This work stream principally sought to address the maintainability and maintenance reliability of the UK EPR from a human factors perspective. The work stream was important to ensure that the claims and assumptions regarding the reliability of systems and components were adequately underpinned by the evidence produced. 4 Human Factors Integration Work Stream 4 focussed on the general processes and mechanisms in place to deliver quality human factors input to the design of the UK EPR and its safety case for the UK. This work stream was particularly important given ND’s sampling and targeted approach to assessment. As this approach does not assess the entirety of a safety submission, this element of the assessment sought to provide me with a level of confidence that the human factors analyses and design input not assessed during the Generic Design Assessment are of suitable quality to inform the design and safety submission, and ultimately to support reliable human intervention. 5 Plant-wide generic Human Factors assessment This work stream complements Work Stream 1 and assesses generic human factors issues that would not necessarily be highlighted as part of Work Stream 1. Whereas Work Stream 1 Substantiation is a composite of the veracity of the underlying evidence and a judgement regarding the validity or proof of an assertion, statement or claim. Page (iv) Office for Nuclear Regulation Report ONR-GDA-AR-11-028 Revision 0 An agency of HSE 1 considers the depth of human factors analyses, Work Stream 5 aims to assess across the breadth of human factors analyses in order to provide a judgement on the adequacy of the overall plant design, and how well it meets modern standards and adopts recognised good practice. It is an important area to ensure that the design meets As Low As Reasonably Practicable requirements. The main conclusions of my assessment in each area are: Substantiation of Human Based Safety Claims Overall I judge that EDF and AREVA have not provided an adequate substantiation of the human based safety claims at the end of Generic Design Assessment Step 4. The main deficiencies are:  The incompleteness of the identification of human based safety actions; particularly for pre- fault (Type A) activities.  Inadequate detailed task analysis to support the significant human based safety claims (these are primarily post-fault operator actions). Only four human based safety claims have been analysed. This gap was highlighted in my Generic Design Assessment Step 3 assessment conclusions, and identified early on in my Generic Design Assessment Step 4 assessment process. The lack of substantiation I judge to be significant, and has the additional consequence that I consider that EDF and AREVA are not in a position to meet As Low As Reasonably Practicable requirements from a human factors perspective. As a result, I propose a Generic Design Assessment Issue (GI-UKEPR-HF-01 refers) to address both the incompleteness of the identification of human based safety claims, and provision of proportionate supporting evidence to support those claims. This also captures my regulatory observations in the areas of pre-fault actions, misdiagnosis, violation potential, and post-fault action substantiation. The complete GDA Issue and associated actions are formally defined in Annex 2 of this report. I have collaborated with Probabilistic Safety Analysis colleagues and I judge that the Human Reliability Assessment and Probabilistic Safety Analysis model does provide an acceptable basis for determining the overall risk contribution from human actions at a Pre-Construction Safety Report stage. I have identified areas where more evidence is required to justify the Human Reliability Assessment claims and these are cited as Assessment Findings, to be addressed as routine business as the safety case for the UK EPR progresses beyond the design stage. I have aligned these findings with the expectation from my Probabilistic Safety Assessment colleagues that the Human Reliability Assessment will be updated post the Pre-Construction Safety Report phase. Generic Human Reliability Assessment The current UK EPR Human Reliability Assessment is essentially an ‘assumptions based’ analysis that lacks adequate substantiation from appropriate task analysis of pre and post-fault operator actions. However my examination of the Human Reliability Assessment for both Level 1 and 2 Probabilistic Safety Analysis indicates that an acceptable consideration of the contribution from operator error to the overall risk has been made at this point. The Human Reliability Assessment method applied to the Level 1 Probabilistic Safety Analysis Human Reliability Assessment is generally satisfactory, although a greater consideration and inclusion of pre-fault human actions (both Type A and B) will be required in the proposed Human Page (v) Office for Nuclear Regulation Report ONR-GDA-AR-11-028 Revision 0 An agency of HSE Reliability Assessment revision, as will an improved consideration of human error dependency. The consideration of human failure initiating events, particularly for low power and shutdown states appears to be incomplete, and this could be significant for these plant states. I will take these observations forward as Assessment Findings; to be addressed in line with the update of the Probabilistic Safety Assessment. Engineering Systems EDF and AREVA have undertaken work related to maintenance, which has the potential to support human reliability, and there is some evidence of the application of operational experience and design input to support their claims in this area. However there appears to have been strong reliance on the implementation of human factors by designers and contractors without adequate human factors specialist support. In recognition of the uncertainty I have over the adequacy of EDF and AREVA’s approach, I propose to take my assessment observations forward in two ways; via Generic Design Assessment Issue Action GI-UKEPR-HF-01.A2; relating to the consideration of pre-fault human actions, and via Assessment Findings relating to the detailed design and verification requirements for the UK EPR equipment. Human Factors Integration In general I judge that EDF and AREVA have evidence of aspects of a Human Factors Engineering programme of work; but not of an overall Human Factors Integration plan that meets my expectations. What has been provided is ‘piecemeal’ and is focused on the Main Control Room design. There has been an over-reliance on the use of operational experience, rather than formal safety analysis, and on design guidance provided to engineers. This does not provide me with confidence that the risk from human error has been reduced to As Low As Reasonably Practicable. However as Human Factors Integration is process based, this will be taken forward via an Assessment Finding; to be addressed by a prospective licensee. Plant-wide Generic Human Factors Assessment I consider that in general the quality of the design based human factors aspects across the wide range of areas assessed (Allocation of function; Workplace and workstation design; Working environment; Control and display interfaces; Procedures; and Staffing and work organisation) appear to be adequate and will not significantly undermine human reliability. The Main Control Room design supports the design basis operating organisation (Flamanville 3) and the use of State Orientated Approach procedures well. I note many minor observations across the assessment area and these are cited as Assessment Findings to be addressed post Pre-Construction Safety Report. However due to the limited evidence provided in Generic Design Assessment Step 4, there will be a requirement for a future licensee to undertake detailed studies to confirm the adequacy of the design, particularly for non-Main Control Room locations. Overall Conclusions EDF and AREVA have not presented an adequate safety case for human factors for the UK EPR, and the position has not moved on significantly from the end of Generic Design Assessment Step 3. EDF and AREVA have provided some additional evidence relating to their design process, but much of this was received late in my assessment. They have only been able to provide a very small part of the required substantiation for their key human based safety claims. This results in a substantial gap in their safety submission for Generic Design Assessment remaining at the end of Page (vi) Office for Nuclear Regulation Report ONR-GDA-AR-11-028 Revision 0 An agency of HSE Generic Design Assessment Step 4. I accept that there is a significant difference in the regulatory approach to human factors between the United Kingdom and France, and I consider that this has contributed to the position. In consequence I have raised Generic Design Assessment Issue GI- UKEPR-HF-01 to reflect the significant gap in the safety submission that remains at the end of Generic Design Assessment Step 4. The material that I have assessed to form my judgements has largely been extracted from the considerable amount of documentation provided from the Flamanville 3 design. EDF and AREVA have not provided a consolidated human factors safety case based on appropriate human factors analyses aligned with United Kingdom expectations. For the UK EPR, the only targeted human factors analysis offered has been the qualitative substantiation of four human based safety claims. This is inadequate for a Pre-Construction Safety Report. Furthermore, the timing of documentation supplied, predominantly in response to regulatory questions and observations, was delivered very late in the Generic Design Assessment Step 4 process, and I have not been able to assess it in its entirety. However, I do not object to progression of the UK EPR design on human factors grounds principally due to the fact that it is an evolution of a standard Pressurised Water Reactor; which benefits from significant operating experience (particularly relating to N4 and Konvoi plants), and detailed fault studies. The EPR Probabilistic Safety Analysis model shows that the importance of human error to public and worker risk is limited. Furthermore, should subsequent human factors assessment reveal further deficiencies in the design or safety analysis, human factors solutions can typically be developed and implemented without undue effect on the design of major civil or pressure system components or their layout. On this basis it is unusual for gross disproportionate arguments to be made relating to human factors solutions. I therefore consider that progression post Pre-Construction Safety Report will not result in the foreclosing of options associated with human factors. Page (vii) Office for Nuclear Regulation Report ONR-GDA-AR-11-028 Revision 0 An agency of HSE LIST OF ABBREVIATIONS ACRS Advisory Committee on Reactor Safeguards AD Automatic Diagnosis AF Assessment Finding ALARP As Low As Reasonably Practicable AoF Allocation of Function ANS American Nuclear Society ASEP Accident Sequence Evaluation Program ASME American Society of Mechanical Engineers ASN Autorité de Sûreté Nucléaire (French Nuclear Safety Authority) ATHEANA A Technique for Human Event Analysis BMS Business Management System BS British Standards C&I Control and Instrumentation CAD Computer Aided Design CAHR Connectionist Assessment of Human Reliability CBDT Cognitive Based Decision Tree CCWS Component Cooling Water System CDF Core Damage Frequency CESA Cognitive Error Search and Assessment CHRS Containment Heat Removal System CNEN Centre National d’Etudes Nucléaire COL Combined Operating Licence COTS Commercial Off The Shelf CREAM Cognitive Reliability and Error Analysis Method DAC Design Acceptance Confirmation DG Diesel Generators DRI Installation Rules Datasheets EBS Extra Boration System EDF Electricité de France EDG Emergency Diesel Generators Page 104 EFWS Emergency Feed Water System EOP Emergency Operating Procedures EPR European Pressurised Reactor EPRI Electric Power Research Institute EPRI-HRA Electrical Power Research Institute Human Reliability Analysis Calculator FAP Forward Action Plan Page (viii) Office for Nuclear Regulation Report ONR-GDA-AR-11-028 Revision 0 An agency of HSE LIST OF ABBREVIATIONS FA3 Flamanville 3 FLIM Failure Likelihood Index Methodology FO Field Operators FSCD Fast Secondary Cooldown FSER Final Safety Evaluation Report FV Fussell-Vesely GDA Generic Design Assessment HAZOP Hazard and Operability (Study) HCI Human Computer Interaction HCR Human Cognitive Reliability HCR Human Cognitive Reliability HEART Human Error Assessment and Reduction Technique HED Human Error Dependence HEI Human Error Identification HEP Human Error Probability HF Human Factors HFE Human Factors Engineering HFE Human Failure Event HFI Human Factors Integration HFIP Human Factors Integration Plan HFIR Human Factors Issues Register HFPFMEA Human Factors Process Failure Modes and Effects Analysis HMI Human Machine Interface HPLV Human Performance Limiting Value HRA Human Reliability Assessment HSE Health and Safety Executive HTA Hierarchical Task Analysis IAEA International Atomic Energy Agency IDAC Information, Decision and Action in Crew IEC International Electro-technical Commission IEEE Institute of Electrical and Electronic Engineers IRWST In-containment Refuelling Water Storage Tank ISA Instantaneous Self Assessment ISO International Standards Organisation LHSI Low Head Safety Injection LOCA Loss Of Coolant Accident Page (ix)