SD 142 Solution

Case Study of Three Mile Island

1x1pt 1. When the operators decided to turn off the emergency cooling water, did they make a slip or a mistake?

Mistake

 

 

1x4pt 2. Justify whether it was a slip or a mistake using information presented in the sight passage.

It is a mistake because the operators had the wrong intention (1). It is not a slip because they took the right action (1). Their intention was to turn off the cooling water. This was wrong, the cooling water should have been left on (1). As far as we can tell from the story, the actions they took to turn off the cooling water were correct (1).

1x16pt 3. Using Norman's Human Action Cycle, explain why the operators turned off the emergency cooling system.

1 mark for each stage. 1 for each explanation.

Goal: Restore Plant Safety

Intention: Lower pressurizer (PRZ) level

Sequence of Actions: Turn off emergency cooling water.

Execution of Actions: Actions taken to turn off ECW.

World: the ECW was turned off.

Perceive: ECW was turned off but PRZ level was still increasing.

Interpret: PRZ water was still increasing

Evaluation: Plant still in danger.

 

 

1x4pt 4. Identify the gulf of execution that occurred in the process of turning off the emergency cooling water.

The gulf of execution always occurs between Intention and the Sequence of Actions by definition (see Norman). In this case it occurred because the action (turning off ECW) was not the right way to achieve the intention (lower PRZ level).

1x12pt 5. Identify four examples of missing feedback from the sight passage. Explain what information was missing, why it was unavailable to the operators (if there is enough information) and how this information could have been provided.

There were more than four examples that could have been used. But four easy ones were: Marks are 3 points for each of 4 examples.

  1. No indication that PRZ relief valve was still open. We must assume there was no indicator in the control room. An indicator of valve state would have fixed this problem.
  2. There was no useful alarm feedback on the problem. The information was unavailable because there were so many alarms that the specific information on the problem could not be extracted. Prioritised alarms or higher level alarms would have solved this problem.
  3. Data from the computer was not available. The time delay meant the information was not there when needed, rendering it next to useless. A faster printer, or prioritisation of the data could have helped this.
  4. There was no indication of reactor vessel level. There was no direct indication and reading PRZ level did not map to reactor vessel level. A reactor vessel level meter would have solved this, or a different connection between the reactor and the PRZ.

 

2x6pt 6. The U-shaped pipe connecting the pressurizer to the reactor vessel is described as "a design flaw" in the passage. Actually, this pipe operated completely correctly in the above scenario. Discuss, from a human factors perspective, why the U-shaped pipe is a "design flaw". You may include the reactor vessel and the pressurizer in your discussion. Draw diagrams if needed. A schematic of the pipe has been included at the end of your exam.

The operators held the wrong mental model of how the connection worked (1). They acted as if it were a straight connection, this was their mental model (1). Because of this they believed that PRZ level= reactor vessel level (1) which was an incorrect mapping (1). In reality PRZ level changed because the reactor vessel water was boiling (1). The U-shaped juncture prevented the gas from escaping. The operators did not have a mental model of this situation (1).

1x4pt 7. Propose two design solutions that would solve the design flaw created by the U-shaped pipe. Explain the human factors principles behind your solutions and specifically why they would fix the problem created by the U-shaped pipe. Each solution is worth two marks each.

There are at least two feasible solutions.

  1. Replace the u-shaped juncture with a straight juncture. In this case PRZ level maps to reactor vessel level, matching the operators held mental model.
  2. Measure reactor vessel level directly. In this case operators would have a direct mapping of the level of water in the reactor vessel.