ML031270105

From kanterella
Jump to navigation Jump to search
WCAP-16076-NP, Rev 0, Requirements Phase Human Factors Review for Common Q Phase 3 Core Protection Calculator System Project
ML031270105
Person / Time
Site: Palo Verde  Arizona Public Service icon.png
Issue date: 03/31/2003
From: Fuld R, Stofko M
Westinghouse
To:
Office of Nuclear Reactor Regulation
References
102-04931-GRO/SAB/TNW, FOIA/PA-2005-0108 WCAP-16076- NP, Rev 0
Download: ML031270105 (69)
v  d  e


Text

Attachment 2 Non-Proprietary WCAP-16076-NP, Requirements Phase Human Factors Review for the Common Q Phase 3 Core Protection Calculator System Project, Revision 0, dated March 2003

Westinghouse Non-Proprietary Class 3 WCAP-16076-NP March 2003 Revision 0 (Reissue of 00000-ICE-37734, Rev. 00)

Requirements Phase Human Factors Review for the Common Q Phase 3 Core Protection Calculator System Project

  • Westinghouse

a Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 REQUIREMENTS PHASE HUMAN FACTORS REVIEW for the COMMON Q PHASE 3 CORE PROTECTION CALCULATOR SYSTEM PROJECT 00000-ICE-37734, Rev. 00 Westinghouse Electric Company LLC Windsor, Connecticut

© Westinghouse Electric Company LLC.

Prepared By: (Signature on File) Date: 09/08/2001 Robert B. Fuld Approved By: (Signature on File) Date: 10/16/2001 Mark J. Stofko Issue Date: 10/16/2001 Total Pages: 56 Requirements Phase Human Factors Review for the Common 0 Phase 3 CPCS Project, OOOOO-ICE-37734, Rev. 00 Page 1 of 56 C Westinghouse Electnc Company LLC file CPCS rq2 doc

O Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 RECORD OF REVISIONS Rev.

No. Date Pages Involved Prepared By Reviewed By Approved By 00 All - Initial Issue R. B. Fuld N/A M. J. Stofko Filename: CPCS rqmt-phas HF rvw 00000-ICE-37734_rOO.doc Files Size: 222720 Bytes Save Date: 09/08/01 12:30 AM Software/version: Microsoft Word /97 SR-2 Requirements Phase Human Factors Review for the Common 0 Phase 3 CPCS Project, 00000-ICE37734, Rev 00 Page 2 of 56 e Westinghouse Electnc Company LLC file CPCS rq2.doc

  • Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 REVISION ABSTRACT Revision 00:

This is the original issue of this document. All future revisions shall be briefly described within this section such that a historical record is kept as to why the document was revised.

Requirements Phase Human Factors Review for the Common 0 Phase 3 CPCS Project, 0OOOO-ICE-37734, Rev 00 Page 3 of 56 o Westinghouse Electnc Company LLC file CPCS rq2 doc

O Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 EXECUTIVE

SUMMARY

This report presents a review of the Human-Machine Interface (HMI) for the Common Q Phase 3 Core Protection Calculator System. The review has been conducted considering human factors regulatory guidance applicable to plant upgrades. The report has been generated to ensure the acceptability of the Common Q CPCS HMI design, and to provide input to plant-specific HMI reviews that may be performed later by the NRC.

Requirements Phase Human Factors Review for the Common 0 Phase 3 CPCS Project, OOOOO-ICE-37734, Rev 00 Page 4 of 56 C Westinghouse Electric Company LLC file- CPCS rq2 doc

  • Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 TABLE OF CONTENTS Title Page ................................. 1 Record of Revisions ................................. 2 Revision Abstract ................................. 3 Executive Summary ................................. 4 TABLE OF CONTENTS ................................. 5 Definitions, Acronyms and Mnemonics ................................. 6
1. Introduction ................................. 7
2. Regulatory Requirements Analysis ................................. 8 2.1 NUREG-0800 Chapter 18..8 2.2 NUREG-0711..9 2.3 NUREG-0700, Rev. 1..9 2.4 NUREG/CR-6637..10 2.5 NUREG/CR-6689..15
3. HMI-related CPCS Design Requirements ................................ 16
4. Review of CPCS Prototype Displays ................................ 16
5. Conclusions1.......................................................................................................................................................................... 19
6. References ................................ 20 Appendix A: List of Findings ................................. 21 Appendix B: Draft CPCS Display Examples ................................. 23 Requirements Phase Human Factors Review for the Common 0 Phase 3 CPCS Project, COOOQ-ICE-37734, Rev. 00 Page 5 of 56 f Westinghouse Electnc Company Lic file CPCS rq2 doc

O Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 DEFINITIONS, ACRONYMS AND MNEMONICS ACRONYM i DESCRIPTION / TITLE MNEMONIC CEAC Control Element Assembly Calculator CDF Core Damage Frequency CFR Code of Federal Regulations Common Q Common Qualified Platform CPC Core Protection Calculator CPCS Core Protection Calculator System CSSW Cumulative Sensor Status Word DCRDR Detailed Control Room Design Review FE Function Enable FPD Flat Panel Display FPDS Flat Panel Display System FSAR Final Safety Analysis Report HFE Human Factors Engineering HMI Human Machine Interface HRA Human Reliability Analysis IPE(s) Individual Plant Examination(s)

LERF Large Early Release Frequency MCR Main Control Room MTP Maintenance and Test Panel NPP(s) Nuclear Power Plant(s)

N/A Not Applicable OER Operating Experience Review OM Operator's Module O&M Operations and Maintenance PAMS Post-Accident Monitoring System PRA Probabilistic Risk Assessment (or equivalent)

PRM Program Review Model (NUREG-071 1)

Ref. Reference RIT(s) Risk-Important Task(s)

Sec. Section SER Safety Evaluation Report SRP Standard Review Plan (NUREG-0800)

SSC Structure, System, or Component TA Task Analysis TBD To Be Determined (later)

USNRC United States Nuclear Regulatory Commission USQ(s) Unreviewed Safety Question(s)

V&V Verification and Validation WEC Westinghouse Electric Company WNA Westinghouse Nuclear Automation. Formerly ABB U. S. Nuclear Automation, other divisions of ABB, and Westinghouse I&C; now part of WEC.

Requirements Phase Human Factors Review for the Common C Phase 3 CPCS Project, OOOOO-ICE-37734, Rev 00 Page 6 of 56 C Westinghouse Electnc Company ILC file CPCS rq2 doec

O Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3

1. INTRODUCTION This report presents a review of the Human-Machine Interface (HMI) for the Common Q Phase 3 Core Protection Calculator System (CPCS). The review has been conducted considering guidance offered by NUREG/CR-6637 for the plant modernization process. The report has been generated to ensure the adequacy of the Common Q CPCS HMI design, and to support plant-specific HMI reviews that may be performed in the future on a plant-specific basis by the NRC.

The CPCS design is a Common Q-based implementation of the core protection calculator functionality now provided by installed (i.e. legacy) core protection calculator systems. Given this similarity, the upgrade of an existing system to a Common Q-based CPCS will have minimal impact (i.e. no significant negative impact) on the operators' role and risk-significant tasks.

The NRC reviewed the Common Q CPCS conceptual design (Ref. 2). Results from that review were presented in a Safety Evaluation Report (SER; Ref. 3), including the following:

"The OM and the MTP provide the human machine interfacefor the Common Q platform. Both the CM and the MTP will include display and diagnosticcapabilitiesunavailable in the existing analog safety systems. The Common Q design provides meansfor access control to software and hardware such as key switch control, control to software media, and door key locks. The humanfactors considerationsfor specific applicationsof the Common Q platform will be evaluated on a plant-specific basis. See SER Sections 4.4.1.3, 4.4.2.3, and 4.4.3.3, and4.4.4.3.6. "

The present report provides input for such future, plant-specific human factors evaluations. To place the report in context, the following paragraphs summarize the Common Q CPCS Phase 3 project, and the associated CPCS design team activities to date.

The Common Q Phase 3 CPCS Project is part of the Westinghouse Nuclear Automation (WNA) Common Q Phase 3 Project. The Common Q Phase 3 Project consists of:

  • Common Q Phase 3 CPCS Project
  • Common Q Phase 3 Flat Panel Display System (FPDS) Project
  • Common Q Phase 3 I/O Simulator Project
  • Common Q Phase 3 Control Element Assembly Position Display System Project The purpose of the Common Q Phase 3 CPCS Project is to design and develop a generic CPCS utilizing Common Q platform components. These components are pre-developed, commercial-grade hardware and software which are to be used with custom designed hardware and software to implement the generic CPCS. The CPCS Human-Machine Interface (HMI) employs displays developed by the FPDS Project for the CPCS Operator's Module (OM) and for the CPCS Maintenance and Test Panel (MTP).

Highlights of the CPCS Project to date include the following:

  • The CPCS planning phase was completed.
  • The conceptual design for the generic CPCS was submitted and reviewed by the USNRC
  • Requirements phase documents were prepared and issued.
  • Requirements phase documents were independently verified (Ref. 1), including consideration of human factors issues.
  • Software design documents were prepared and issued.
  • A single channel CPCS prototype was developed.
  • Prototype CPCS displays were developed.
  • Hardware testing was performed.

This report addresses human factors issues for the generic CPCS design. Part 2 provides an analysis of applicable regulatory requirements. Part 3 addresses HMI-related CPCS design requirements and issues. Part 4 presents a review of the CPCS displays implemented on the dynamic color prototype. Issues resulting from this review are recorded in Appendix A. Screen prints of the prototype CPCS displays are shown in Appendix B.

Requirements Phase Human Factors Review for the Common Q Phase 3 CPCS Project, 00000-ICE-37734, Rev 00 Page 7 of 56 C Westinghouse Electnc Company LLC file CPCS rq2 doc

O Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3

2. REGULATORY REQUIREMENTS ANALYSIS According to Section 4.4.2.3 of the SER, "The review of human factors considerations for a specific CPCS implementation is a plant-specific action item..." This is consistent with the facts, on the one hand, that specific plant changes are addressed under 10 CFR 50.59 (Ref. 4), and on the other hand, that current human factors regulatory guidance does not yet address plant upgrades.

The 50.59 rule is often viewed as advantageous to industry. As originally defined in 50.59(a)(2), the central issue was whether the change involved either 1) a change in tech specs, or 2) an Unreviewed Safety Question (USQ). If the change involved neither, then it could be performed "without prior Commission approval". In the new 50.59 revision (RG 1.187; November 2000) the substance of the both criteria essentially remain, so that reference to USQs in this report refers to the equivalent text in the current revision.

50.59 still makes no provisions for particular disciplines, and due to its generality, necessary tests or evaluations must be determined on an ad hoc basis. Likewise, in its occasional mention of upgrades, most HFE regulatory guidance finds no reason to cite 50.59.

Human factors guidance became substantial after TMI, primarily to guide the mandated upgrades for existing plants and those under construction. As these upgrades neared fulfillment, a new and expanding wave of HFE guidance was issued under the Standard Plant Licensing initiatives associated with 10 CFR 52. The mainstays of the new HFE guidance (Ref.s 6 & 5.1) were approved in part on the basis of their inapplicabilityto existing plants. Ten years later, as business has turned towards the upgrade and life extension of existing plants, HFE regulation is poised now to expand into the upgrade area as well. The basic approach will likely be to invoke the advanced plant guidance as being applicable to existing plant upgrades. Efforts to impose this change are underway, and the results will likely be reflected in any plant-specific HFE review performed under 50.59 in the future. In anticipation of this, portions of the following four documents are evaluated for their impact on the CPCS design:

1. NUREG-0800 (Ref. 7)
2. NUREG-0711 (Ref. 6)
3. NUREG-0700 (Ref. 5.1)
4. NUREG/CR-6637 (Ref. 8)
5. NUREG/CR-6689 (Ref. 9) 2.1 NUREG-0800 Chapter 18 (1996 draft)

Chapter 18 of the Standard Review Plan (SRP; Ref 7) applies to HFE. Prior to 1996, it addressed primarily the DCRDR and SPDS reviews necessitated by post-TMI regulations. In 1996, a draft revision of Chapter 18 was published, changing its scope and content to follow the PRM framework (see NUREG-0711 below).

NUREG-0711 was approved on the basis that it did not apply to existing plants. Thus, most of Chapter 18 is devoted to telling how NUREG-071 I does apply to existing plants. In the process, despite frequent citation of the CFR, Chapter 18 never mentions 10 CFR 50.59. However, it does mention upgrades in a technical rationale" for the 10-element approach:

"NUREG-0711 ... was originallydeveloped to support NRC reviews of submittalsfor certification ofnew plant designs under 10 CFR Part52. However, because it updates the guidance of Appendix B of NUREG-0700, Revision 0, it should be usedfor HFE reviews ofplant designs licensed underboth 10 CFR Part50 and 10 CFR Part52. Portionsof NUREG-0711 should also be used, as appropriate,to support the NRC in its reviews of redesigns and upgradesof current control rooms. Thus, the HFEreview process incorporatesguidanceform both NUREG-0700, Revision 1, and NUREG-0711. " (Ref. 7,-Section II)

Applicants for a plant change should thus expect to be challenged to meet any portions of these NUREGs that can be argued to be "appropriate" (i.e. applicable). The applicability of specific contents to the CPCS project is discussed further below.

Requirements Phase Human Factors Review for the Common 0 Phase 3 CPCS Project. OOOOO-ICE-37734, Rev 00 Page 8 of 56 e Westinghouse Electnc Company LLC file CPCS rq2 doc

  • Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 2.2 NUREG-0711 NUREG-0711 is the Human Factors Engineering Program Review Model (PRM; Ref. 6). It presents a framework under 10 CFR 52 to guide regulatory review of the HFE design process for Standard Plants, including (but not limited to) the resulting design product. The PRM is based on textbook design principles and Department of Defense procurement guidelines which have been promoted to industry since the post-TMI era (e.g. by Appendix B of the old NUREG-0700, Ref. 5).

In order to integrate all HFE-related licensing activities, the PRM contains 10 elements, each with criteria and deliverables:

2.4. HFE Program Management 2.4. Operating Experience Review 2.4. Functional Requirements Analysis and Allocation 2.4. Task Analysis 2.4. Staffing 2.4. Human Reliability Analysis 2.4. Human-System Interface Design 2.4. Procedure Development 2.4. Training Program Development 2.4. Verification and Validation The PRM does not address plant upgrades. However, a review of the PRM for applicability to upgrades (Ref. 11) suggested that the PRM process should be reduced (i.e. "tailored") to suit the given upgrade activity. Moreover, such tailoring is suggested for upgrades by the previous citation from Chapter 18. Though regulatory guidance for acceptable tailoring has not yet been offered, to tailor NUREG-07 11 under 50.59 might differ only slightly from the old ad hoc process of specifying applicable tests and evaluations. In this case, NUREG-0711 would offer a matrix of elements and activities which should be considered for their applicability to a given upgrade. Another possibility is that regulators will seek to extend their authority for upgrade reviews beyond that mandated by 50.59. This is discussed further in 2.4, below.

A final and promising possibility is that a risk-informed approach can be used to minimize the process-based HFE review that is required. This is discussed in 2.5, below.

2.3 NUREG-0700, Rev. 1 NUREG-0700 Revision 1 is the Human System Interface Design Review Guideline (Ref. 5.1). It replaces the Guidelines for Control Room Design Reviews (Ref. 5) under which existing plants were evaluated for acceptable HFE.

The principal contents of NUREG-0700 are HFE design guidelines, making NUREG-0700 relevant to Element 7 of the PRM. Specifically as to upgrades, NUREG-0700 suggests that:

"The needfor licensees to modify and upgrade existing Human-System Interfaces is expected to increase as I&C systems age, and as vendor supportforsuch systems diminishes. The NRC staff could use the guidance in this document to ensure such voluntary modificationsand upgrades are acceptable." (Ref. 5.1, Section 1.3.1)

However, the formal use of the document for this purpose could be burdensome. One concern is that the suggested review process (Ref. 5.1, Section 1.4.1 through 5.3.2) is extensive and redundant: The Staff review would examine the Applicant's own design review process for acceptability (including, but not limited to, the resulting design product). This is similar to the process requirements of NUREG-07 11, though the relationship between the two documents is unclear.

Another concern is that, with over 1600 guidelines, evaluation in terms of NUREG-0700 will be time-consuming.

However, given the possibly limited relevance of much of its contents to a given upgrade, it would seem reasonable (as for NUREG-07 11) to tailor NUREG-0700 guidance to the application. Indeed, NUREG-0700 Volume 3 is a software application with tools that could support this purpose. AXtailoring evaluation of NUREG-0700 for the CPCS project is provided in Part 4 below.

Requirements Phase Human Factors Review for the Common 0 Phase 3 CPCS Project, 00000-ICE-37734, Rev 00 Page 9 of 56 C Westinghouse Electnc Company LLC file CPCS rq2 doc

O Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 2.4 NUREG/CR-6637 NUREG/CR-6637 (Ref. 8) is a contractor's report titled Human Systems Interface and Plant Modernization Process:

Technical Basis and Human Factors Review Guidance. In it, Section 9 ("Design Process Review Guidance for Hybrid Control Rooms") recommends additions to NUREG-071 1, some of which are specified as guidance for upgrades. It is important to recognize that these issues will likely be raised in the future. However, as the material is lengthy, convoluted and redundant, any independent attempt to summarize and analyze it remains questionable. Nonetheless, in preparation for possible HFE design process review by the Staff, a tailoring evaluation in terms of the PRM for the CPCS project is provided below. This summarizes key points of NUREG/CR-6637, and recommends responses to its main points for a plant-specific CPCS implementation.

2.4.1 General Guidance (Ref. 8, Sec. 9.1)

The general guidance for design process review of upgrades states that:

An HFE review should be conducted if the upgrade of a plant system or the human-system interface affects the role ofpersonnel or the tasks by which their role is performed, and is potentially significantto plant safety.

Upgradesaffect the role or tasks of personnelif they impose new or different demands on them to operate, maintain, or otherwise ensure safety. An upgrade may be consideredpotentially significant to plant safety if it

  • Constitutes an unreviewed safety question, as defined in 10 CFR 50.59, or
  • Is a modification of a structure, system, or component (SSC) that is safety related, or
  • Is a modification of a non-safety SSC that (a) mitigates accidents or transients, (b) is used in emergency operatingprocedures, or (c) could prevent a safety-relatedSSC from fulfilling itsfunction.

Thus, NUREGICR-6637 seeks to extend regulatory HFE involvement in upgrades beyond the mandates of 50.59 (though curiously, it omits the 50.59 issue of tech spec changes). Even if the CPCS upgrade does not constitute a USQ or its equivalent, it can more easily be argued to be a modification of a safety-related SSC. However, this scope extension is not necessarily valid. Alternately, customers may seek to revise applicable tech specs, thus requiring prior NRC approval (but perhaps not human factors review).

Another key issue which will become evident at lower levels is the role of "Risk-important tasks" (RITs). This is a key term in NUREG/CR-6637, but it is not defined. Anticipating risk-informed regulatory decision-making, a similar term is defined in Reference 9. Concern should be raised that RITs may be insignificant to plant risk, yet be used to extend the 50.59 mandate, since from the so-called "relative standpoint", RITs are neither linked to plant risk nor limited by the scope of USQs. Thus, the use of the RIT criterion is a key concern in NUREG/CR-6637 and other YE regulatory guidance.

Finally, these issues are impacted by emerging risk-based guidance (see 2.5, below), which applies different criteria to determine the extent of HFE review.

2.4.2 HFE Program Management (Ref. 8, Sec. 9.2)

a. The licensee should prepare an HFEprogram that is consistent with the scope of the upgrade - Documentation should be available describing how HFE considerations are addressed in CPCS design, development, and implementation. The present report provides one source of information. For functional replacement with minimal impact on operation, the extent of the "program" should be minimal.
b. HFErequirements for the upgrade, including compatibility with existing HMI, should be specified in appropriate sources - Requirements for the CPCS HMI should be verified to exist and to be acceptable. This is done by WEC across project phases and is addressed further in Part 3 below.
c. Evaluations should be performed to identify HFE problems and implement solutions - Besides requirements verification, review of the design product should be performed to confirm that the design is acceptable in terms of Requirements Phase Human Factors Reviewforthe Common 0 Phase 3 CPCS Project. O0000-ICE-37734, Rev 00 Page 10 of 56 C Westinghouse Electnc Company LLC file CPCS rq2.doc

O Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 HFE design guidance. This is done by WEC across project phases and is addressed further in Parts 2.4.11 and 4 below.

d. The input ofpersonnelthat will use the upgradeshould be incorporatedin its design and implementation -

Customer input to the CPCS design has been provided to WEC and should be documented to justify conformance.

This is addressed further in 2.4.3 below.

e. The program should addresspracticalmatters of acceptable implementation, such as temporaryinstallations and users' transitionto the new system - Temporary installations should be assessed and approved by the customer.

Transition issues are covered in 2.4.9 and 2.4.10 below.

f. HFE issues that are identified should be trackedfor resolution - The standard mechanisms of the project should be used in standard fashion for all issues, including HFE. This is done by WEC across project phases and is addressed further in Parts 3, 4, and Appendix A below.

2.4.3 Operating Experience Review (Ref. 8, Sec. 9.3)

a. A system-specific OER should be performed that includes the experience of the plantbeing upgraded - This is a touchy issue. Since the legacy system has long been in operation, and the conceptual design reviewed and found generally acceptable, further OER could be viewed as either a witchhunt for problems, or the solicitation of unnecessary "improvements". Neither is desirable. It is suggested that credit for the OER element be claimed through 1) successive revision of the legacy system, 2) results of the SER, and 3) input from the customer. No additional OER work should be accepted for CPCS.
b. The OER should identify risk-importanttasks (RITs) that have been prone to errors- RITs are a key issue. It is unlikely that the plant PRA (or equivalent) now identifies many CPCS-related human tasks as significant contributors to risk (since tasks that were risk-important and error-prone would already be issues.) However, the list of RITs could be increased by HRA, and related statements (Ref. 8, Sec. 9.7) suggest that an expanded scope will be sought for HRA. However, the CPCS has a long pedigree of acceptable performance, so that HRA, if performed, should not be permitted to drive added OER for CPCS.

2.4.4 Functional Requirements Analysis and Allocation (Ref. 8, Sec. 9.4)

a. Functionalrequirementsanalyses should be reviewed and revised to reflect changes imposed by the upgrade on functions important to safety - The CPCS upgrade has no impact on existing functional requirements analyses.
b. Functionallocationanalyses should be reviewed and revisedto reflect changes to imposed by the upgrade to the allocation offunctions that are importantto safety - The CPCS upgrade does not change the operators role or the allocation of such functions and no upgrade to existing analyses is required.

2.4.5 Task Analysis (Ref. 8, Sec. 9.5)

a. Task analyses (TA) should be reviewed and revised to reflect changes imposed by the upgrade involving "risk-importanttasks" (RITs) - RlTs are a key issue in NUREG/CR-6637, and regulatory mechanisms to enumerate RITs could be used in turn to impose added TA. The benefits of such added TA should be assessed by the customer.

However, apart from RITs, in the unlikely event that the CPCS upgrade impacts any tasks in the existing TA, then the existing TA should be revised accordingly.

b. TA should considercognitive skills, identify user strategies over the expected range of workload and assess the resultingtask demands - This is didactic. Existing plant task analyses are not required to take this approach.

Requirements Phase Human Factors Review for the Common 0 Phase 3 CPCS Project, 00000-ICE-37734, Rev 00 Page 11 of 56 C Westinghouse Electnc Company LLC file CPCS rq2 doc

. Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 Moreover, the upgraded CPCS should tend to reduce task demands. Added TA for the CPCS upgrade is unnecessary and not recommended.

c. TA should identify routine tasks and similaractions so they can be addressedconsistently - This is a generally impractical recommendation. Consistency and compatibility in the HMI neither depend on nor are easily determined by TA. Added TA for the CPCS upgrade is not recommended.
d. TA should identify characteristics of the existing system thatsupport superiorperformance of experienced personnel- TA is not sensitive to which features of a task are good or bad - that is up to the analyst. It is only necessary for the new HMI to be acceptable, and this can be established and confirmed more easily through customer input and phased design product review. Added TA for the CPCS upgrade is not recommended.
e. TA should identify/address tasks that are prone to errors - If additional RITs are identified, then some added TA of limited scope may be justified. However, this TA should be consistent with the approach taken in the existing plant TA. In any case, added TA is not justified simply to find or remediate error-prone tasks.

2.4.6 Staffing (Ref. 8, Sec. 9.6)

Changes to staffing requirements imposed by the upgrade should be addressed - The CPCS upgrade has no impact on existing staffing requirements.

2.4.7 Human Reliability Analysis (Ref. 8, Sec. 9.7)

"Risk-important tasks" (RITs) associatedwith the upgrade should be examined/addressed- This includes 1) previously identified RITs, 2) tasks caused by the change to become RITs, or 3) new RITs added by the change. In the past, HFE guidance has referred to "critical actions of the PRA/HRA" (Sec. 11.4.2 of NUREG-071 1). The use of the term "RIT" now anticipates risk-informed regulatory decision-making, but its lack of definition is a key issue in NUREG/CR-6637. At the same time, a similar term is defined by the same authors in NUREG/CR-6689, as follows:

Risk-important human action - Actions that must be performed successfully by operatorsto ensure plant safety.

There are both absolute and relative criteriafordefining risk-importantactions. From an absolute standpoint, a risk-importantaction is one whose successful performance is needed to ensure that predefinedrisk criteriaare met. From a relative standpoint, risk-important actions constitute the most risk-significanthuman action identified.

Concern exists that RITs may be used to extend the 50.59 mandate, since, particularly from the so-called "relative standpoint", RITs are not limited by the scope of USQs. Thus, the use of the RIT criterion is a key concern in NUREG/CR-6637 and HFIE regulatory guidance. See also Part 2.5 of this report for more on NUREGICR-6689.

For HRA to be technically valid in terms of plant risk, it must be performed as part of a PRA, consistent with the "absolute" criterion and "critical actions" mentioned above. Only PRA is required by law, and though HFE guidance now insinuates that HRA is also required, 10 CFR 50.34(f)(1)(i) speaks to PRA alone. Thus, HRA has no independent standing, either legally or technically, with respect to plant risk.

Alternately, HRA may be used in a stand-alone, qualitative fashion (consistent with the "relative" criterion, above) but such applicationsare by definition unrelated to plant risk (e.g. see Sec. 2.2 of Ref. 10). Thus, to refer to risk-important tasks outside the context of PRA is double-talk: Relative RITs (i.e. those developed apart from PRA) have no established relation to plant risk, significant or otherwise.

It is unlikely that the current plant PRA identifies many CPCS-related human tasks as critical or significant contributors to plant risk. The current PRA also may preclude certain new or existing tasks from adding significantly Requirements Phase Human Factors Review for the Common C Phase 3 CPCS Project, 0OOOO-ICE-37734, Rev 00 Page 12 of 56 C Wesbnghouse Electric Company LLC file CPCS rq2 doc

O Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 to risk. In response, HFE guidance stipulates consideration for the sufficiency of the "existing HRA", presumably in both absolute and relative terms. This implies review of the existing PRA.

In sum, the coming risk-informed licensing era may add HRA effort to design submittals. RITs produced either "absolutely" or "relatively" by added HRA in turn provide a lever with which to extend other evaluative activities (e.g. OER, TA, and interface design review.) Thus, the need for added HRA for the CPCS should be considered cautiously on a plant-specific basis.

2.4.8 Human-System Interface Design (Ref. 8, Sec. 9.8)

The central requirement in 10 CFR 50.34(f)(2)(iii) was to provide for commission review a control room design that reflected state-of-the-art human factors principles. Formerly this was interpreted as meeting or acceptably departing from the DCRDR design guidance in NUREG-0700 (Ref. 5). Though the state of the human factors art has not greatly progressed, "state-of-the-art human factors principles" are now claimed to be manifest by NUREG-07 11, NUREG-0700 Rev. 1, and a supporting hierarchy of contractor reports. Thus, the level of effort that would originally satisfy this post-TMI statute now may not satisfy even one of the ten "recommended" elements of the new and improved HFE process. Other design process elements are called on to define inputs to this one (e.g. function analysis, task analysis, human reliability analysis, test and evaluation). In a sense, this element reiterates the main principle of the whole approach, namely, that acceptable product requires acceptable process. Thus, to delimit the effort on this element to a reasonable level requires consideration of the other elements.

2.4.8.1 Design Methodology

a. Interface design process and product to be used for risk-important tasks (RITs) should be examined/addressed -

Key issue is whether any RITs are identified, as discussed earlier.

b. Address consistency/standardformats across interface design(s) - Consistency is the most repeated recommendation in the new guidance, even though consistency is often not practical, necessary, or even desirable. It is also unclear whether the consistency is being specified within the upgrade or between the upgrade and other (e.g.

interfacing) systems. In any case, the "failure to develop such standard formats" should be acceptable if justified.

Most important is to avoid conflict where inconsistencies exist. After that, consistency may be nice, but it is rarely crucial.

c. Consider users ' existing task strategies as identified in TA - The CPCS design accommodates tasks of the accepted legacy system in similar but more accessible fashion. The existing TA is unlikely to address many tasks in the legacy system. So, unless HRA adds RITs and expands TA, then the current treatment of task strategies should be sufficient.
d. Design requirements should ensure, based on TA, that the interface is compatible with the organizational structure, needs, and capacities of the crew - The CPCS design is unchanged from the accepted legacy system. No new requirements should be needed in this area.
e. The detailed interface design should be consistent with interface design guidance (e.g. for standardformats);

discrepancies should bejustified by test and evaluation - The issue of conformance to applicable design guidance was formerly the central issue for human factors in design. This issue is addressed for CPCS in Part 4 of this report.

2.4.8.2 Design Process Tests and Evaluations An unspoken theme here is that new systems should be, not just compatible with the old, but improvements over the old in terms of human performance. This "benchmarking approach" affords the dual benefit of 1) avoiding discussion of the lack of criteria on which legacy systems were concluded to be safe, and 2) imposing a double-testing requirement, one each for the old and new systems. Eschewed issues include: Why new systems must be Requirements Phase Human Factors Review for the Common Q Phase 3 CPCS Project, 00000-ICE-37734, Rev 00 Page 13 of 56 C Westinghouse Electric Company LLC file CPCS rq2 doc

  • Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 improved over older but acceptable systems; 2) how upgraded and downgraded aspects might tradeoff; and 3) the imprecision and unreliability of human performance measures. In general, it is suggested that there is no need to benchmark the new CPCS system against the existing system for human performance.
a. Evaluationsshould be performed to assess the consistency between the methods of operatingthe old and new products, and to confirm that the new product is better (e.g. lower workload, reducederror) - For CPCS, necessary consistency between the old and new systems should be accommodated by design review and customer feedback. In addition, though common sense suggests that a new system should better the one it replaces, this is not necessarily an acceptance criterion (e.g. for human performance). Criteria are based on the cutoff between acceptable and unacceptable performance. If a legacy system has usable margin to unacceptability, that margin is not erased by an upgrade.
b. Evaluationsshould be performed to assess the workload and consistency between the methods of operatingthe oldproducts and new products, to confirm that the newproduct is compatible andacceptable, including performance-basedmeasures and interviews - This is a more elaborate evaluation than was ever before required of a single equipment, and the proposed acceptance criteria are unclear. It is an HFE principal that new products should be compatible with existing and similar ones. Incompatibility is defined by the emergence of a problem; but since no particular workload level is unacceptable, workload assessment is largely irrelevant. In any case, preliminary evaluation of the proposed HMI by users is desirable, but anything more at the design stage for CPCS is not recommended.
c. Evaluations should be performed to assess the effect of the upgrade on crew interactionas defined injunction and task analysis - The CPCS design is unchanged from the accepted legacy system. If operation of the CPCS was an integral part of real-time emergency operations, then the impact on those operations might be an issue. However, that is not the case, so no significant change to crew interaction is expected, and a special evaluation is not warranted in this area.

2.4.9 Procedure Development (Ref. 8, Sec. 9.9)

a. Proceduresshould addressallpersonnel tasks affected by the upgrade or by its interactions with the rest of the plant - Issue suggests that procedures required or affected by the CPCS upgrade should be provided and kept current.

Issue may further allow that tasks not currently covered by procedures should be proceduralized. The former item is important, but the latter item is discouraged unless a practical impetus is seen for additional procedures.

b. Procedurechanges and additionsshould not create conflicts or inconsistencieselsewhere in the overall set of procedures- Agreed. Thus, plant-specific procedures should be developed from generic CPCS technical input.
c. Proceduresshould be veriftedforform, content, and integration- Agreed, as a standard matter of quality assurance, according to the applicable quality level.
d. Proceduresshould be validated if changes are made to personneltasks that are important-to-safety - Agreed, but it is unclear whether important-to-safety and risk-important are equivalent categories.
e. Proceduresshould be developedfor temporary configurationsthat are used by O&Mpersonnel when the plant is not shutdown - Agreed, but probably unnecessary for CPCS, since the old and new systems must be exchanged prior to operation.

2.4.10 Training Program Development (Ref. 8, Sec. 9.10)

Trainingshould address the purpose of the upgrade, rulesforoperation andfault-recognition,the knowledge and skill requirements ofassociatedjobs, including temporaryconfigurations- Requirements for acceptable training are not unique to upgrades in general or CPCS in particular, other perhaps than for issues of possible 1) temporary Requirements Phase Human Factors Review for the Common 0 Phase 3 CPCS Project, OOOOO-ICE-37734, Rev. 00 Page 14 of 56 X Westinghouse Electnc Company LLC file CPCS rq2 doc

O Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 configurations, and 2) dual (old/new) configurations. Neither is expected to be applicable to CPCS, and in any case, normal training mechanisms will suffice to address the issues.

2.4.11 Verification and Validation (Ref. 8, Sec. 9.11) 2.4.11. 1 General The scope of V&Vshould include all items in CriterionI of Section 11.4.1 of NUREG-0711 that are applicableto the upgrade- This should be limited further to items that affect "absolutely" defined RITs.

2.4.11.2 Task Support Verification

a. Necessary indications and controls should be confirmed as available- For the CPCS, verification of indication and control capabilities installed as compared to design requirements should be straightforward. Added development of indication and control requirements via TA should be avoided.
b. Abandoned-in-place equipment should be addressed- The CPCS is not expected to present the problem of abandoned-in-place equipment. If it does, traditional criteria should be applied to determine the costs and benefits of removing old equipment.
c. Temporary HMI configurationsshould be addressed- CPCS is not expected to present the problem of temporary indication and control configurations.

2.4.11.3 HFE Design Verification

a. UpgradedHMI configurationsshould be confirmedas suitable - For the CPCS, it should be straightforward to verify the suitability of the installed configuration in terms of HFE design guidance, similar to Part 4 below.
b. Old and new products that remain in service together should be confirmed to be compatible - The CPCS should be compatible with the legacy design, but parallel use of old and new equipment is not expected to be an issue.
c. Temporary HMI configurationsshould be addressed- CPCS is not expected to present the problem of temporary indication and control configurations.

2.4.11.4 Integrated System Validation Integrated system validation, in the HFE sense, applies to a large working ensemble such as the Main Control Room.

The CPCS upgrade is not expected to warrant such testing, though the impact of the changout on RITs should be considered. The guidance for this issue is extensive, and it should be revisited if the issue is found to be applicable.

2.5 NUREGICR-6689 NUREG/CR-6689 (Ref. 9) is a contractor's report tided Proposed Approach for Reviewing Changes to Risk-Important Actions. In its overview of the screening process, it states:

"Any changes that affect the licensee's [FSARJ will requirethe licensee to perform a 50.59 evaluation. This evaluationmay result in the identification of changes that requireNRC review and approvalbecause they result in more than a minimal increase in risk, as defined by one of the eight criteriaof the new revised 10 CFR S0.59(c)(2).

The present document provides guidancefor the NRC review of changes to [human actions]that exceed the threshold criteriaof 50.59(c)(2). "

Requirements Phase Human Factors Review for the Common 0 Phase 3 CPCS Project, OOOOO4CE-37734, Rev 00 Page 15 of 56 C Westinghouse Electnc Company LLC file CPCS rq2 doc

O Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 In fact, 50.59 never mentions plant risk, but according to NUREG/CR-6689, exceeding 50.59 thresholds triggers a risk-informed screening to determine applicable HFE review requirements (Note: Tech spec changes are not cited as a trigger for HFE review.) The screening is based on the quantified effects of changes in human actions on plant risk (CDF and LERF) for proposed modifications. Results are addressed categorically: The lowest level (Region III) gets no HFE review. The middle level (Region II) gets an "appropriate" review as suggested in 2.4 above. Changes in the highest level (Region I) typically would not be permitted, but if special circumstances prevail, then a "full Region I HFE review" is needed. All HFE reviews would be based on "applicable" portions of the NUREGs discussed above.

NUREG/CR-6689 defines "risk-important human actions" (including "relatively" risk-important actions discussed in 2.4.7 above). It also refers to "risk-significant human actions" somewhat interchangeably. The term "RIT" used in the present report is also similar and is used interchangeably here. Such actions fall in all three risk Regions, since "actions that have no impact on risk would fall outside of the area depicted in the figures. ..below Region IIrI (Ref. 9, p.13).

Generic examples of risk-important actions are provided in Appendix A of the document.

NUREG/CR-6689 suggests that, "A licensee may want to perform a one-time, plant-specific risk assessment to determine their risk-significant human actions, and to place them in the regions of figure.. .Many licensees have already done so in their [IPEs]" (Ref. 9, p.12). This is no small effort. Though licensees do not need to take a risk-informed approach, to do otherwise threatens more conservative regulatory evaluation.

In sum, the document gives a complex and sometimes unclear set of conditions and alternatives. While it is beyond the scope of the present report to definitively analyze the details of NUREG/CR-6689, licensees will want their PRA specialists to review its impact in detail. However, it is tentatively proposed that the CPCS change will not impact absolute RITs in existing IPEs. It is further proposed that, if the scope of existing analysis is insufficient, added analysis should not produce absolute RITs above Region III. This could preclude much of the review discussed previously.

3. HMI-RELATED CPCS DESIGN REQUIREMENTS HMI-related requirements for the CPCS and FPDS, including applicable Regulatory Guides, are presented in various project requirements documents (e.g. Ref.s 12 through 15). The requirements are verified for adequacy (e.g. completeness, consistency, correctness, etc.) and are traced across project phases to ensure proper implementation. Associated open issues are identified for tracking and resolution in Appendix A of Reference 1. Formal resolution of all open issues is performed by the Common Q Phase 3 CPCS V&V team and the Common Q Phase 3 CPCS design team.
4. REVIEW OF CPCS PROTOTYPE DISPLAYS General HFE guidance for displays is provided by NUREG-0700 (Ref. 5.1). These are not considered to be requirements.

However, an evaluation of the CPCS displays in terms of applicable NUREG-0700 guidelines is provided below. The review process described in NUREG-0700 will not be used, since it may or may not be necessary under 50.59 and risk-informed assessment criteria. No independent HFE guidance document will be generated for the CPCS.

The design object reviewed was a dynamic color prototype of the CPCS displays running on a desktop computer. The display set at the time of review was over 90% complete; its functionality perhaps 50% complete. The CPCS HMI is relatively simple, consisting of 64 pages of menu-driven touchscreens. Examples of the CPCS screens are included as Appendix B.

Essentially, the function of the CPCS HMI is to replicate existing functions of the legacy system, adding a few support functions which are necessitated (or afforded) by the Common Q platform. These functions have no direct impact on normal or emergency plant operations, and do not interfere with such use of the control room. No RITs have been identified for the legacy systems, and no RITs are expected to be introduced by the CPCS upgrade. Thus, NRC review of the following material is not necessarily required.

Requirements Phase Human Factors Review for the Common a Phase 3 CPCS Project. OOOOO-ICE-37734. Rev 00 Page 16 of 56 0 Westinghouse Electric Company LLC file CPCS rq2 doc

O Westinghouse Electrnc Company LLC Westinghouse Non-Proprietary Class 3 The NUREG-0700 guidance consists of eight sections. This material is reviewed below. Applicable items are indicated; inapplicable items are designated "N/A"; material to be reviewed in a future design phase is designated 'TBD"; and resulting open issues are identified for closure. Numbered open issues are contained in Appendix A.

1. INFORMATION DISPLAY 1.1 General Display Guidance - CPCS meets the applicable guidance of this section.

1.2 Display Formats 1.2.1 Continuous Text Displays - N/A 1.2.2 Tables and Lists - See open issue 8.

1.2.3 Data Forms and Fields - CPCS meets the applicable guidance of this section.

1.2.4 Bar Charts and Histograms - N/A 1.2.5 Graphs - CPCS meets the applicable guidance of this section.

1.2.6 Pie Charts - N/A 1.2.7 Flowcharts - N/A 1.2.8 Mimics and Diagrams - CPCS meets the applicable guidance of this section.

1.2.9 Maps - CPCS meets the applicable guidance of this section.

1.2.10 Graphic Instrument Panels - N/A 1.2.11 Speech Displays - N/A 1.3 Display Elements 1.3.1 Alphanumeric Characters - See open issue 1.

1.3.2 Abbreviations and Acronyms - See open issue 2.

1.3.3 Labels - See open issues 3 and 4.

1.3.4 Icons and Symbols - N/A 1.3.5 Numeric Data - CPCS meets the applicable guidance of this section.

1.3.6 Scales, Axes, and Grids - CPCS meets the applicable guidance of this section.

1.3.7 Borders, Lines, and Arrows - see open issue 9.

1.3.8 Color- see open issue 10.

1.3.9 Size, Shape, and Pattern Coding - N/A 1.3.10 Highlighting by brightness and flashing - CPCS meets the applicable guidance of this section.

1.3.11 Auditory Coding - N/A 1.4 Data Quality and Update Rate - CPCS meets the applicable guidance of this section.

1.5 Display Devices 1.5.1 Video Display Units - see open item 11.

1.5.2 Large Screen Displays - N/A 1.5.3 Printers, Recorders, and Plotters - see open items 12 and 13.

1.5.4 Audio Display Devices - N/A 1.5.5 Meters - N/A 1.5.6 Light Indicators - N/A 1.5.7 Numeric Readouts - CPCS meets the applicable guidance of this section.

2 USER-SYSTEM INTERACTION 2.1 General User Input Guidelines - CPCS meets the applicable guidance of this section.

2.2 User Input Formats 2.2.1 Command Language - N/A 2.2.2 Menu Selection - see open items 14 and 15.

2.2.3 Function Keys - CPCS meets the applicable guidance of this section.

2.2.4 Macros/Programmable Function Keys - N/A 2.2.5 Forms - N/A 2.2.6 Direct Manipulation - N/A 2.2.7 Natural Language - N/A 2.2.8 Query Language - N/A 2.2.9 Question and Answer - N/A 2.2.10 Speech - N/A 2.3 Cursors - N/A 2.4 System Response 2.4.1 General - see open item 16.

Requirements Phase Human Factors Review for the Common 0 Phase 3 CPCS Project, OOOOO-ICE-37734, Rev 00 Page 17 of 56 C Westnghouse Electnc Company LLC file CPCS rq2 doc

  • Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 2.4.2 Prompts - N/A 2.4.3 Feedback - CPCS meets the applicable guidance of this section.

2.4.4 Advisory Messages - N/A 2.4.5 Error Messages - - see open item 17.

2.4.6 User Guidance/Help - N/A 2.4.7 System Response Time - see open item 18.

2.5 Managing Displays 2.5.1 Display Selection and Navigation - See open items 5 and 24.

2.5.2 Display Control - N/A 2.5.3 Display Update/Freeze - N/A 2.5.4 Display Suppression - N/A 2.5.5 Scrolling and Paging - CPCS meets the applicable guidance of this section.

2.5.6 Windows - CPCS meets the applicable guidance of this section.

2.6 Managing Information - N/A 2.7 Prevention/Detection/Correction of Errors 2.7.1 Validating User Input - See open items 12 and 19.

2.7.2 Correction Information/Command Entries - CPCS meets the applicable guidance of this section.

2.7.3 Confirming Entries - CPCS meets the applicable guidance of this section.

2.7.4 Protecting Data - See open item 20.

2.8 System Security 2.8.1 User Identification - N/A 2.8.2 Information Access - CPCS meets the applicable guidance of this section.

3.1 General Control Guidelines 3.1.1 Design Principles - See open issue 7.

3.1.2 Coding of Controls - CPCS meets the applicable guidance of this section.

3.2 Input Devices 3.2.1 Alphanumeric Keyboards - See open issue 21.

3.2.2 Function Keys - See open issue 22 and 23.

3.2.3 Trackballs, Joysticks, and Mice - N/A 3.2.4 Touch Screens, Light Pens, and Graphic Tablets - See open issues 6 and 7.

3.2.5 Speech Input Devices - N/A 3.3 Conventional Control Devices 3.3.1 Pushbutton Controls - N/A 3.3.2 Rotary Controls - TBD 3.3.3 Other Controls - N/A 3.4 Control-Display Integration - N/A

4. ALARMS 4.1 General - CPCS meets the applicable guidance of this section.

4.2 Alarm Definition - CPCS meets the applicable guidance of this section.

4.3 Alarm Processing and Reduction - CPCS meets the applicable guidance of this section.

4.4 Alarm Prioritization and Availability - CPCS meets the applicable guidance of this section.

4.5.1 General Alarm Display Guidelines - See open issue 26.

4.5.2 Display of High-priority alarms - CPCS meets the applicable guidance of this section.

4.5.3 Display of Alarm Status - See open issue 27.

4.5.4 Display of Shared Alarms - See open issue 28.

4.5.5 Alarm Messages - See open issue 29.

4.5.6 Coding Methods - CPCS meets the applicable guidance of this section.

4.5.7 Organization of Alarms - CPCS meets the applicable guidance of this section.

4.6 Control - N/A 4.7 Automated, Dynamic, and Modifiable Characteristics - N/A 4.8 Reliability, Test, Maintenance, and Failure Indication - See open issue 30.

4.9 Alarm Response Procedures - See open issue 31.

4.10 Control-display Integration and Layout - CPCS meets the applicable guidance of this section.

5. ANALYSIS AND DECISION AIDS - N/A
6. INTERPERSONAL COMMUNICATION - N/A Requirements Phase Human Factors Review for the Common 0 Phase 3 CPCS Project. ooooo-ICE-37734. Rev 00 Page 18 of 56 0 Westinghouse Electnc Company LLC file CPCS rq2 doc

a Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3

7. WORKSPACE DESIGN - N/A
8. LOCAL CONTROL STATIONS - See open issue 32.
5. CONCLUSIONS The conclusions of the Requirements Phase Human Factors Review for the Common Q Phase 3 CPCS project are as follows:
  • Proceed with resolution of the findings identified in this report.
  • Continue with the V&V team and design team coordination and communication throughout the remainder of the Common Q Phase 3 CPCS project.
  • Investigate project-specific licensing strategies for CPCS
  • Use contents of this and future reports to support CPCS review and approval in the HFE area.

Requirements Phase Human Factors Review for the Common 0 Phase 3 CPCS Project, OOOOO-ICE-37734. Rev 00 Page 19 of 56 e Westinghouse Electnc Company LLC file CPCS rq2 doc

  • Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3
6. REFERENCES No. Title / Description Document Number 1 Requirement Phase V&V Report for the Common Q Phase 3 Core Protection Calculator System Project a,c 2 Common Qualified Platform Core Protection Calculator System Westinghouse Document No. CENPD-(Appendix to Topical Report, Ref. 2.2.9) 396-P, Appendix 2, Rev. 1 3 USNRC Safety Evaluation Report for (Common Qualified Transmitted via letter dated August 11, Platform) Topical Report 396-P, Rev. 1, including Appendices 1 - 2000, from Stuart A. Richards (USNRC 4, and Software Program Manual CE-CES-195, Rev. 01 NRR) to Phillip Richardson (Westinghouse), Project 692, Accession Number ML003740165.

4 Code of Federal Regulations, Title 10 Energy, Part 50 10 CFR 50 (current) 5 Guidelines for Control Room Design Reviews USNRC, NUREG-0700, September 1981 5.1 Human-System Interface Design Review Guideline USNRC, NUREG-0700, Rev. 1, March 1996 6 Human Factors Engineering Program Review Model USNRC, NUREG-071 1, July 1994.

7 Standard Review Plan, Chapter 18.0 Human Factors Engineering USNRC, NUREG-0800, April 1996 8 Human Systems Interface and Plant Modernization Process: Brookhaven National Laboratory.

Technical Basis and Human Factors Review Guidance NUREG/CR-6637, March 2000.

9 Proposed Approach for Reviewing Changes to Risk-Important Brookhaven National Laboratory.

Human Actions NUREG/CR-6689, September 2000.

10 Technical Basis and Implementation Guidelines for A Technique USNRC, NUREG-1 624, Rev.l, April for Human Event Analysis (ATHEANA) 2000 11 Report to Vattenfall on the HFE Program Review Model [

]ac 12 System Requirements Specification for the Common Q Phase 3 Core Protection Calculator System

]a,c 13 Software Requirements Specification for the Common Q Phase 3 Core Protection Calculator System [ a,c 14 System Requirements Specification for the Generic Flat Panel Display System [ ]a,c 15 Software Requirements Specification for the Common Q Phase 3 Generic Flat Panel Display System

]ac Requirements Phase Human Factors Review for the Common a Phase 3 CPCS Project, OOG-ICE-37734, Rev 00 Page 20 of 56 C Westinghouse Electnc Company LLC file CPCS rq2 doc

  • Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 APPENDIX A: LIST OF FINDINGS This list is a summary of all findings identified and reported as open items during the present Human Factors review.

Guidelines cited by number are references to NUREG-0700, Rev.1. Items / issues which have been resolved prior to the current revision of the report are shaded and dated. Otherwise, entries in the resolution column are only interim comments or suggestions. All issues are to be resolved as part of the completion of the CPCS project.

Discrepancies / Open Items Identified and Reported as of the Requirements Phase Human Factors Review for the Common Q Phase 3 CPCS Project

[

]a,c Requirements Phase Human Factors Review for the Common a Phase 3 CPCS Project, OOOOO-ICE-3T7734, Rev 00 Page 21 of 56 C Westinghouse Electric Company LLC file CPCS rq2 doec

@ Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3

[

]a,c Requirements Phase Human Factors Review for the Common 0 Phase 3 CPCS Project. 00000-ICE-37734, Rev. 00 Page 22 of 56 C Westinghouse Electric Company LLC file CPCS rq2 doc

  • Westinghouse Electric Company LLC Westinghouse Non-Proprietary Class 3 APPENDIX B: DRAFT CPCS DISPLAY EXAMPLES Requirements Phase Human Factors Review for the Common 0 Phase 3 CPCS Project, OOOOO-ICE-37734, Rev. 00 Page 23 of 56 e Westinghouse Electrc Company LLC file CPCS rq2 doc

Attachment 3 Westinghouse Authorization letter, CAW-03-1613 (Proprietary Affidavit Pursuant to 10 CFR 2.790 and Copyright Notice)

Q Westinghouse Westinghouse Electric Company Nuclear Services P.O. Box 355 Pittsburgh, Pennsylvania 15230-0355 USA U.S. Nuclear Regulatory Commission Direct tel: (412) 374-5282 Document Control Desk Directfax: (412) 3744011 Washington, DC 20555-0001 e-mail: Sepplha@westinghouse.com Our ref. CAW-03-1613 March 28,2003 APPLICATION FOR WITHHOLDING PROPRIETARY INFORMATION FROM PUBLIC DISCLOSURE

Subject:

WCAP-16076-P, "Requirements Phase Human Factors Review for the Common Q Phase 3 Core Protection Calculator System Project" (Proprietary)

The proprietary information for which withholding is being requested in the above-referenced report is further identified in Affidavit CAW-03-1613 signed by the owner of the proprietary information, Westinghouse Electric Company LLC. The affidavit, which accompanies this letter, sets forth the basis on which the information may be withheld from public disclosure by the Commission and addresses with specificity the considerations listed in paragraph (b)(4)-of 10 CFR Section 2.790 of the Commission's regulations.

Accordingly, this letter authorizes the utilization of the accompanying affidavit by Arizona Public Services.

Correspondence with respect to the proprietary aspects of the application for withholding or the Westinghouse affidavit should reference this letter, CAW-03-1613 and should be addressed to the undersigned.

Very truly yours, H. A. Seppand Lager Regulatory and Licensing Engineering Enclosures cc: S. J. Collins G. Shukla/NRR A BNFL Group company

CAW-03-1613 bcc: H. A. Sepp (ECE 4-7A) IL, IA R. Bastien, iL, IA (Nivelles, Belgium)

L. Ulloa (Madrid, Spain) iL, IA C. Brinkman, IL, 1A (Westinghouse Electric Co., 12300 Twinbrook Parkway, Suite 330, Rockville, MD 20852)

RLE Administrative Aide (ECE 4-7A) IL, IA (letters w/affidavits only)

B. J. Metro (286 Site, 228T) iL, IA W. N. Gardner (Windsor) IL, IA M. Stofko (286 Site) IL, 1A Or/

A BNFL Group company

CAW-03-1613 AFFIDAVIT COMMONWEALTH OF PENNSYLVANIA:

Ss COUNTY OF ALLEGHENY:

Before me, the undersigned authority, personally appeared H. A. Sepp, who, being by me duly sworn according to law, deposes and says that he is authorized to execute this Affidavit on behalf of Westinghouse Electric Company LLC ("Westinghouse"), and that the averments of fact set forth in this Affidavit are true and correct to the best of his knowledge, information, and belief:

H. A. Sepp, Manager Regulatory and Licensing Engineering Sworn to and subscribed before me this day of ,2003 A Ž2 Notary Public

'Notarial Sel Sham L FId,Notary Pubic F 'Monroee Boro, Afleghe Count iw A . My Camisson Expres Januay 29.2007 rMember. Pernsylvania Assodation Of Notries

2 CAW-03-1613 (1) I am Manager, Regulatory and Licensing Engineering, in Nuclear Services, Westinghouse Electric Company LLC ("Westinghouse"), and as such, I have been specifically delegated the function of reviewing the proprietary information sought to be withheld from public disclosure in connection with nuclear power plant licensing and rule making proceedings, and am authorized to apply for its withholding on behalf of the Westinghouse Electric Company LLC.

(2) I am making this Affidavit in conformance with the provisions of 10 CFR Section 2.790 of the Commission's regulations and in conjunction with the Westinghouse application for withholding accompanying this Affidavit.

(3) I have personal knowledge of the criteria and procedures utilized by the Westinghouse Electric Company LLC in designating information as a trade secret, privileged or as confidential commercial or financial information.

(4) Pursuant to the provisions of paragraph (b)(4) of Section 2.790 of the Commission's regulations, the following is furnished for consideration by the Commission in determining whether the information sought to be withheld from public disclosure should be withheld.

(i) The information sought to be withheld from public disclosure is owned and has been held in confidence by Westinghouse.

(ii) The information is of a type customarily held in confidence by Westinghouse and not customarily disclosed to the public. Westinghouse has a rational basis for determining the types of information customarily held in confidence by it and, in that connection, utilizes a system to determine when and whether to hold certain types of information in confidence. The application of that system and the substance of that system constitutes Westinghouse policy and provides the rational basis required.

Under that system, information is held in confidence if it falls in one or more of several types, the release of which might result in the loss of an existing or potential competitive advantage, as follows:

(a) The information reveals the distinguishing aspects of a process (or component, structure, tool, method, etc.) where prevention of its use by any of

3 CAW-03-1613 Westinghouse's competitors without license from Westinghouse constitutes a competitive economic advantage over other companies.

(b) It consists of supporting data, including test data, relative to a process (or component, structure, tool, method, etc.), the application of which data secures a competitive economic advantage, e.g., by optimization or improved marketability.

(c) Its use by a competitor would reduce his expenditure of resources or improve his competitive position in the design, manufacture, shipment, installation, assurance of quality, or licensing a similar product.

(d) It reveals cost or price information, production capacities, budget levels, or commercial strategies of Westinghouse, its customers or suppliers.

(e) It reveals aspects of past, present, or future Westinghouse or customer funded development plans and programs of potential commercial value to Westinghouse.

(f) It contains patentable ideas, for which patent protection may be desirable.

There are sound policy reasons behind the Westinghouse system which include the following:

(a) The use of such information by Westinghouse gives Westinghouse a competitive advantage over its competitors. It is, therefore, withheld from disclosure to protect the Westinghouse competitive position.

(b) It is information that is marketable in many ways. The extent to which such information is available to competitors diminishes the Westinghouse ability to sell products and services involving the use of the information.

(c) Use by our competitor would put Westinghouse at a competitive disadvantage by reducing his expenditure of resources at our expense.

4 CAW-03-1613 (d) Each component of proprietary information pertinent to a particular competitive advantage is potentially as valuable as the total competitive advantage. If competitors acquire components of proprietary information, any one component may be the key to the entire puzzle, thereby depriving Westinghouse of a competitive advantage.

(e) Unrestricted disclosure would jeopardize the position of prominence of Westinghouse in the world market, and thereby give a market advantage to the competition of those countries.

(f) The Westinghouse capacity to invest corporate assets in research and development depends upon the success in obtaining and maintaining a competitive advantage.

(iii) The information is being transmitted to the Commission in confidence and, under the provisions of 10 CFR Section 2.790, it is to be received in confidence by the Commission.

(iv) The information sought to be protected is not available in public sources or available information has not been previously employed in the same original manner or-method to the best of our knowledge and belief.

(v) The proprietary information sought to be withheld in this submittal is that which is appropriately marked in WCAP-16076-P, "Requirements Phase Human Factors Review for the Common Q Phase 3 Core Protection Calculator System Project" (Proprietary),

dated March 2003 for Palo Verde Nuclear Generating Station 1, 2, and 3, being transmitted by Arizona Public Services letter and Application for Withholding Proprietary Information from Public Disclosure, to the Document Control Desk. The proprietary information as submitted for use by Westinghouse Electric Company LLC for Palo Verde Nuclear Generating Station 1, 2 and 3 is expected to be applicable for other licensee submittals in response to certain NRC requirements for compliance with human factors design requirements.

This information is part of that which will enable Westinghouse to:

5 CAW-03-1613 (a) Ensure acceptability of the Common Q Core Protection Calculator System (CPCS)

Human Machine Interface (HMI) with NRC and industry requirements.

(b) Commercial advantage in developing safety system displays and interfaces compliant with NRC requirements.

(c) Provide both design and licensing services that support customer submittals.

Further this information has substantial commercial value as follows:

(a) Westinghouse plans to sell the use of similar information to its customers for purposes of demonstrating compliance with NRC design and licensing requirements safety system displays and interfaces.

(b) Westinghouse can sell support and defense of the HSI design features and product.

(c) The information reveals the distinguishing aspects of a methodology that was developed by Westinghouse.

Public disclosure of this proprietary information is likely to cause substantial harm to the competitive position of Westinghouse because it would enhance the ability of competitors to provide similar system features, interfaces, analyzed plant parameters, displays and alarms, and licensing defense services for commercial power reactors without commensurate expenses. Also, public disclosure of the information would enable others to use the information to meet NRC requirements for licensing documentation without purchasing the right to use the information.

The development of the technology described in part by the information is the result of applying the results of many years of experience in an intensive Westinghouse effort and the expenditure of a considerable sum of money.

6 CAW-03-1613 In order for competitors of Westinghouse to duplicate this information, similar technical programs would have to be performed and a significant manpower effort, having the requisite talent and experience, would have to be expended.

Further the deponent sayeth not.

CAW-03-1613 PROPRIETARY INFORMATION NOTICE Transmitted herewith are proprietary and/or non-proprietary versions of documents furnished to the NRC in connection with requests for generic and/or plant-specific review and approval.

In order to conform to the requirements of 10 CFR 2.790 of the Commission's regulations concerning the protection of proprietary information so submitted to the NRC, the information which is proprietary in the proprietary versions is contained within brackets, and where the proprietary information has been deleted in the non-proprietary versions, only the brackets remain (the information that was contained within the brackets in the proprietary versions having been deleted). The justification for claiming the information so designated as proprietary is indicated in both versions by means of lower case letters (a) through (f) located as a superscript immediately following the brackets enclosing each item of information being identified as proprietary or in the margin opposite such information. These lower case letters refer to the types of information Westinghouse customarily holds in confidence identified in Sections (4)(ii)(a) through (4)(ii)(f) of the affidavit accompanying this transmittal pursuant to 10 CFR 2.790(b)(1).

CAW-03-1613 COPYRIGHT NOTICE The reports transmitted herewith each bear a Westinghouse copyright notice. The NRC is permitted to make the number of copies of the information contained in these reports which are necessary for its internal use in connection with generic and plant-specific reviews and approvals as well as the issuance, denial, amendment, transfer, renewal, modification, suspension, revocation, or violation of a license, permit, order, or regulation subject to the requirements of 10 CFR 2.790 regarding restrictions on public disclosure to the extent such information has been identified as proprietary by Westinghouse, copyright protection notwithstanding. With respect to the non-proprietary versions of these reports, the NRC is permitted to make the number of copies beyond those necessary for its internal use which are necessary in order to have one copy available for public viewing in the appropriate docket files in the public document room in Washington, DC and in local public document'rooms as may be required by NRC regulations if the number of copies submitted is insufficient for this purpose. Copies made by the NRC must include the copyright notice in all instances and the proprietary notice if the original was identified as proprietary.

Retrieved from "https://kanterella.com/w/index.php?title=ML031270105&oldid=2693168"