ML18053A746

Duke Energy Wsl III Units 1 & 2 COL (Updated Final Safety Analysis Report) Rev.1 - UFSAR Chapter 18 - Human Factors Engineering

Site: Lee (Duke Energy)
Issue date: 12/19/2017
From: Donahue J, Duke Energy Carolinas
To: Office of New Reactors, Hughes B
References: DUKE, DUKE.SUBMISSION.15, LEE.NP, LEE.NP.1

UFSAR Table of Contents
1 Introduction and General Description of the Plant
2 Site Characteristics
3 Design of Structures, Components, Equipment and Systems
4 Reactor
5 Reactor Coolant System and Connected Systems
6 Engineered Safety Features
7 Instrumentation and Controls
8 Electric Power
9 Auxiliary Systems
10 Steam and Power Conversion
11 Radioactive Waste Management
12 Radiation Protection
13 Conduct of Operation
14 Initial Test Program
15 Accident Analyses
16 Technical Specifications
17 Quality Assurance
18 Human Factors Engineering
19 Probabilistic Risk Assessment

UFSAR Formatting Legend (content categories distinguished in the original by formatting):
Original Westinghouse AP1000 DCD Revision 19 content
Departures from AP1000 DCD Revision 19 content
Standard FSAR content
Site-specific FSAR content
Linked cross-references (chapters, appendices, sections, subsections, tables, figures, and references)

Chapter 18 Contents
18.1 Overview (p. 18.1-1)
18.1.1 References (p. 18.1-3)
18.2 Human Factors Engineering Program Management (p. 18.2-1)
18.2.1 Human Factors Engineering Program Goals, Scope, Assumptions, and Constraints (p. 18.2-1)
18.2.1.1 Human Factors Engineering Program Goals (p. 18.2-1)
18.2.1.2 Assumptions and Constraints (p. 18.2-1)
18.2.1.3 Applicable Facilities (p. 18.2-3)
18.2.1.4 Applicable Human System Interfaces (p. 18.2-3)
18.2.1.5 Applicable Plant Personnel (p. 18.2-3)
18.2.1.6 Technical Basis (p. 18.2-3)
18.2.2 Human System Interface Design Team and Organization (p. 18.2-4)
18.2.2.1 Responsibility (p. 18.2-4)
18.2.2.2 Organizational Placement and Authority (p. 18.2-4)
18.2.2.3 Composition (p. 18.2-5)
18.2.2.4 Team Staffing Qualifications (p. 18.2-7)
18.2.3 Human Factors Engineering Processes and Procedures (p. 18.2-10)
18.2.3.1 General Process and Procedures (p. 18.2-10)
18.2.3.2 Process Management Tools (p. 18.2-12)
18.2.3.3 Integration of Human Factors Engineering and Other Plant Design Activities (p. 18.2-12)
18.2.3.4 Human Factors Engineering Documentation (p. 18.2-13)
18.2.3.5 Human Factors Engineering in Subcontractor Efforts (p. 18.2-14)
18.2.4 Human Factors Engineering Issues Tracking (p. 18.2-14)
18.2.5 Human Factors Engineering Technical Program and Milestones (p. 18.2-15)
18.2.6 Combined License Information (p. 18.2-15)
18.2.6.1 Human Factors Engineering Program (p. 18.2-15)
18.2.6.2 Emergency Operations Facility (p. 18.2-16)
18.2.7 References (p. 18.2-16)
18.3 Operating Experience Review (p. 18.3-1)
18.3.1 Combined License Information (p. 18.3-1)
18.3.2 References (p. 18.3-1)
18.4 Functional Requirements Analysis and Allocation (p. 18.4-1)
18.4.1 Combined License Information (p. 18.4-1)
18.4.2 References (p. 18.4-2)
18.5 AP1000 Task Analysis Implementation Plan (p. 18.5-1)
18.5.1 Task Analysis Scope (p. 18.5-1)
18.5.2 Task Analysis Implementation Plan (p. 18.5-2)
18.5.2.1 Function-Based Task Analyses (p. 18.5-2)
18.5.2.2 OSA-1 (p. 18.5-2)
18.5.2.3 OSA-2 (p. 18.5-3)
18.5.2.4 Task Analysis of Maintenance, Test, Inspection and Surveillance Tasks (p. 18.5-4)
18.5.3 Job Design Factors (p. 18.5-4)
18-i Revision 1
18.5.4.1 Task Analysis Implementation (p. 18.5-4)
18.5.4.2 Main Control Room Position Scope and Responsibilities (p. 18.5-4)
18.5.5 References (p. 18.5-4)
18.6 Staffing (p. 18.6-1)
18.6.1 Combined License Information Item (p. 18.6-2)
18.6.2 References (p. 18.6-2)
18.7 Integration of Human Reliability Analysis with Human Factors Engineering (p. 18.7-1)
18.7.1 Combined License Information (p. 18.7-1)
18.7.2 References (p. 18.7-1)
18.8 Human System Interface Design (p. 18.8-1)
18.8.1 Implementation Plan for the Human System Interface Design (p. 18.8-2)
18.8.1.1 Functional Design (p. 18.8-3)
18.8.1.2 Design Guidelines (p. 18.8-4)
18.8.1.3 Design Specifications (p. 18.8-4)
18.8.1.4 Man-in-the-Loop Testing (p. 18.8-5)
18.8.1.5 Mockup Activities (p. 18.8-5)
18.8.1.6 Human System Interface Design Documentation (p. 18.8-6)
18.8.1.7 Task-Related Human System Interface Requirements (p. 18.8-6)
18.8.1.8 General Human System Interface Design Feature Selection (p. 18.8-6)
18.8.1.9 Human System Interface Characteristics: Identification of High Workload Situations (p. 18.8-7)
18.8.1.10 Human System Interface Software Design and Implementation Process (p. 18.8-8)
18.8.2 Safety Parameter Display System (SPDS) (p. 18.8-9)
18.8.2.1 General Safety Parameter Display System Requirements (p. 18.8-9)
18.8.2.2 Display of Safety Parameters (p. 18.8-10)
18.8.2.3 Reliability (p. 18.8-11)
18.8.2.4 Isolation (p. 18.8-11)
18.8.2.5 Human Factors Engineering (p. 18.8-11)
18.8.2.6 Minimum Information (p. 18.8-12)
18.8.2.7 Procedures and Training (p. 18.8-12)
18.8.3 Operation and Control Centers System (p. 18.8-12)
18.8.3.1 Main Control Room Mission and Major Tasks (p. 18.8-13)
18.8.3.2 Main Control Area Mission and Major Tasks (p. 18.8-13)
18.8.3.3 Operations Work Area Mission and Major Tasks (p. 18.8-14)
18.8.3.4 Remote Shutdown Workstation Mission and Major Tasks (p. 18.8-14)
18.8.3.5 Technical Support Center Mission and Major Tasks (p. 18.8-14)
18.8.3.6 Operations Support Center Mission and Major Tasks (p. 18.8-15)
18.8.3.7 Radwaste Control Area Mission and Major Tasks (p. 18.8-15)
18.8.3.9 Emergency Operations Facility (p. 18.8-16)
18.8.4 Human Factors Design for the Non-Human-System Interface Portion of the Plant (p. 18.8-16)
18.8.4.1 General Plant Layout and Design (p. 18.8-16)
18.8.5 Combined License Information (p. 18.8-18)
18.8.6 References (p. 18.8-19)
18.9 Procedure Development (p. 18.9-1)
18.9.1 Combined License Information (p. 18.9-1)
18.9.2 References (p. 18.9-1)
18.10 Training Program Development (p. 18.10-1)
18.10.1 Combined License Information (p. 18.10-1)
18.10.2 References (p. 18.10-1)
18.11 Human Factors Engineering Verification and Validation (p. 18.11-1)
18.11.1 Combined License Information (p. 18.11-1)
18.11.2 References (p. 18.11-1)
18.12 Inventory (p. 18.12-1)
18.12.1 Inventory of Displays, Alarms, and Controls (p. 18.12-1)
18.12.2 Minimum Inventory of Main Control Room Fixed Displays, Alarms, and Controls (p. 18.12-1)
18.12.3 Remote Shutdown Workstation Displays, Alarms, and Controls (p. 18.12-6)
18.12.4 Combined License Information (p. 18.12-6)
18.12.5 References (p. 18.12-6)
18.13 Design Implementation (p. 18.13-1)
18.13.1 References (p. 18.13-1)
18.14 Human Performance Monitoring (p. 18.14-1)
18.14.1 References (p. 18.14-2)

Tables
12.2-1 Minimum Inventory of Fixed Position Controls, Displays, and Alerts (p. 18.12-7)

Figures
2-1 [Human System Interface (HSI) Design Team Process]* (p. 18.2-17)
2-2 Human System Interface (HSI) Design Team Organization and Relationship to AP1000 Organization (p. 18.2-18)
2-3 Overview of the AP1000 Human Factors Engineering Process (p. 18.2-19)
5-1 Top Four Levels of the Normal Power Operation for a Westinghouse PWR (p. 18.5-6)
5-2 Task Analysis Utilized as Design Input (p. 18.5-7)
8-1 Soft Control Interactions (p. 18.8-24)
8-2 Mapping of Human System Interface Resources to Operator Decision-Making Model (p. 18.8-25)
11-1 AP1000 HFE Verification and Validation (p. 18.11-2)

18.1 Overview

Human factors engineering deals with designing and implementing resources and environments so that people perform tasks more reliably. Traditionally, human factors engineering includes the consideration of:

Anthropometric or physical fit of humans to either their task-assisting machines or to their surroundings (for example, height, reach, and visual limitations)

Biomechanical fit of the physical capabilities and limitations of humans relative to the requirements of their tasks (for example, lifting limits and push-pull limits)

Biophysical fit of the physiological capabilities and limitations of humans to their environment (for example, tolerance to heat or cold, harmful chemicals, and noise)

More recently, the human factors engineering discipline also models human error. Human errors include:

Errors of execution or slips

Errors of intention or mistakes (Reference 1)

Slips are errors in which a person's intentions are correct, but an incorrect method for executing the intention is chosen. Mistakes are errors in which the person forms an incorrect intention but then correctly executes it. Slips tend to be the result of poorly designed physical interfaces (for example, switches on a control board that look or feel alike) or of a poorly designed work environment (for example, temperatures that cause worker exhaustion). Mistakes are cognitive or mental errors.

Human factors engineering includes cognitive systems engineering. This discipline focuses on the design of interfaces between humans and machines that support the operator decision-making activities that are required by the task. Cognitive systems engineering is particularly important when designing an interface for operators that control a real-time process, such as a nuclear power plant.

The rapid changes in digital computer and color graphics display technology offer the AP1000 design team an opportunity to improve the real-time decision support for the AP1000 operating staff. The AP1000 has a plant-wide network that provides pre-processed plant data to those members of the plant's staff who have need of it. The real-time process control interface between the plant's staff and the plant's process equipment is the instrumentation and control (I&C) equipment driving graphical display devices in an integrated Human System Interface. Cognitive systems engineering is applied to the design of the human system interface.

The layout and environmental design of the main control room and the remote shutdown room, and of the supplementary support areas, such as the technical support center, are sites of application of the traditional disciplines of human factors engineering.

Design input, including decisions made in the design of the AP1000 that affect interfaces, is provided.

This includes input on the operating staff training program and on the development of the plant operating procedures.

Because of the rapid changes that are taking place in the digital computer and graphic display technology employed in a modern human system interface, design certification of the AP1000 focuses upon the process used to design and implement human system interfaces for the AP1000, rather than on the details of the implementation. As a result, this chapter describes the processes used to provide human factors engineering in the design of the AP1000.


engineering program. These elements correspond to the elements specified in Reference 2 and Reference 10. The organization of this chapter parallels these elements. In addition to the elements of the program review model, this chapter includes a description of the minimum inventory of controls, displays, and alarms present in the main control room and at the remote shutdown workstation. The following provides an annotated outline of the chapter. A number of References are identified which were developed for the AP600 Design Certification. Since the AP1000 operating philosophy and approach are the same for AP600 and AP1000, the References identified below are applicable to AP1000.

Section 18.2, Human Factors Engineering Program Management, presents the AP1000 human factors engineering program plan that is used to develop, execute, oversee, and document the human factors engineering program. This program plan includes the composition of the human factors engineering design team.

Section 18.3, Operating Experience Review, and Reference 3 present the results of a review of applicable operating experience. This operating experience review identifies, analyzes, and addresses human factors engineering-related problems encountered in previous designs.

Section 18.4, Functional Requirements Analysis and Allocation, and Reference 4 present the results of the functional requirements analysis and function allocation process applied to the AP1000.

The functional requirements analysis defines the plant's safety functions, decomposes each safety function, compares the safety functions and processes with currently operating Westinghouse pressurized water reactors, and provides the technical basis for those processes that have been modified. The function allocation documents the methodology used to arrive at the AP1000 level of automation for the plant functions, processes, and systems involved in maintaining plant safety, and documents the results and rationale for function allocation decisions.

Section 18.5, Task Analysis, presents the scope and implementation plan for task analysis. The task analysis provides one of the bases for the human system interface design; provides input to procedure development; provides input to staffing, training, and communications requirements of the plant; and ensures that human performance requirements do not exceed human capabilities.

Section 18.6, Staffing, and Reference 5 provide input from the designer for the determination of the staffing level of the operating crew in the AP1000 main control room.

Section 18.7, Integration of Human Reliability Analysis with Human Factors Engineering, and Reference 6 present the implementation plan for the integration of human reliability analysis with the human factors engineering program.]*

Section 18.8, Human System Interface Design, presents the implementation plan for the design of the human system interface.

Section 18.9, Procedure Development. Reference 7 provides input for the development of plant operating procedures, including information on the AP1000 emergency response guidelines and emergency operating procedures.

Section 18.10, Training Program Development. Reference 8 provides input from the designer on the training of the operations personnel who participate as subjects in the human factors verification and validation.

Staff approval is required prior to implementing a change in this information.


Section 18.12, Inventory, presents the minimum inventory of controls, displays, and alarms present in the main control room and at the remote shutdown workstation. The design basis and the selection criteria used to identify the minimum inventory are presented.

Section 18.13, Design Implementation. In accordance with Reference 2, this issue is addressed under Section 18.11 as Issue Resolution Verification and Final Plant HFE Verification.

Section 18.14, Human Performance Monitoring. Human performance monitoring applies after the plant is placed in operation.

18.1.1 References

1. Reason, J. T., Human Error, Cambridge, U.K., Cambridge University Press, 1990.
2. NUREG-0711, Human Factors Engineering Program Review Model, U.S. NRC, July 1994.]*
3. WCAP-14645, Human Factors Engineering Operating Experience Review Report for the AP1000 Nuclear Power Plant, Revision 3.
4. WCAP-14644, AP600/AP1000 Functional Requirements Analysis and Function Allocation, Revision 1.
5. WCAP-14694, Designer's Input To Determination of the AP600 Main Control Room Staffing Level, Revision 0, July 1996.
6. WCAP-14651, Integration of Human Reliability Analysis with Human Factors Engineering Design Implementation Plan, Revision 2, May 1997.]*
7. WCAP-14690, Designer's Input To Procedure Development for the AP600, Revision 1, June 1997.
8. WCAP-14655, Designer's Input to The Training of The Human Factors Engineering Verification and Validation Personnel, Revision 1, August 1996.
9. WCAP-15860, Programmatic Level Description of the AP1000 Human Factors Verification and Validation Plan, Revision 2, October 2003.]*
10. NUREG-0711, Revision 1, Human Factors Engineering Program Review Model, May 2002.


Figure 18.1-1 Human Factors Engineering (HFE) Design and Implementation Process

18.2 Human Factors Engineering Program Management

program, the technical program to accomplish these goals, the human system interface design team, and the management and organizational structure that support the implementation of the technical program.

Human factors engineering is the system engineering of human system interfaces. The program management tools and procedures that govern the design of AP1000 systems apply to the human factors engineering activity. This approach integrates the design of human system interfaces with other plant systems.

18.2.1 Human Factors Engineering Program Goals, Scope, Assumptions, and Constraints

18.2.1.1 Human Factors Engineering Program Goals

The goal of the human factors engineering program is to provide the users of the plant operation and control centers effective means for acquiring and understanding plant data and executing actions to control the plant's processes and equipment.

The objective is to enable personnel tasks to be accomplished within time and performance criteria.

18.2.1.2 Assumptions and Constraints

There are a number of inputs to the human factors engineering design process that specify assumptions or constraints on the human factors engineering program and the human system interfaces design.

Major design inputs include regulatory guidelines, guidance from utilities and utility representative groups, utility requirements documents, and AP1000 plant systems design specifications. The requirements resulting from these design inputs are captured in human system interface specification documents and functional requirements documents.

While assumptions and constraints specified by design inputs are provisionally treated as design requirements, the appropriateness of these requirements is evaluated as part of the human factors engineering design process. Results of human factors engineering activities such as operating experience review, task analyses, mockup activities, and verification and validation activities are used to provide feedback on the adequacy of initial human system interface design assumptions and constraints. If results of human factors engineering analyses or evaluations indicate that initial human system interface design assumptions or constraints are inadequate, then the human system interface design requirements are revised utilizing the standard AP1000 design configuration change control process.

Listed below are some of the major inputs to the AP1000 human system interface design and the assumptions and constraints they impose on the AP1000 human system interface design process and human system interfaces design.

Regulatory Requirements

One of the requirements for the AP1000 human factors engineering program is that it complies with applicable regulatory requirements. [The human factors engineering process is designed to meet the human factors engineering design process requirements specified in NUREG-0711 (Reference 1).]*


acity.

Examples of utility requirements that impact the human system interface design are:

Operating staff assumptions. A single reactor operator (RO) should be able to control major plant functions performed from the main control room during normal power operations.

Assumptions with respect to human system interface resources. The human system interface design shall include an integrating overview display and mimic in the main control room.

The AP1000 design goals with respect to control room staffing are addressed in Section 18.6 and WCAP-14694 (Reference 3). As noted in WCAP-14694, a number of elements of the AP1000 human factors engineering design process are used to help achieve, verify, and validate the control room staffing design goal. These include operating experience review, function analysis and allocation, task analysis, human reliability assessment, human system interface design, procedures, training, and human factors engineering verification and validation.

As described in Section 18.8, one of the human system interface resources is a wall panel information system. The wall panel information system is intended to meet the utility requirement for an integrating overview display and mimic in the main control room. A number of design activities establish the basis and functional requirements for the wall panel information system. Design activities include conducting operating experience reviews in nuclear power plants and related industries to examine the requirements for individual and group situation awareness and how these can best be supported.

Plant System Design Information

The design of the plant systems is an essential input to the human system interface design process.

The physical implementation specifications, as well as the system designer's intent with regard to expected system operation and performance, are used as input to the design of the AP1000 human system interfaces. System design data are documented in the individual system specification documents. The input representing the plant's physical structure is represented by the piping and instrumentation drawings, general arrangement drawings, and equipment drawings.

System design specifications include specifications with respect to function allocation between automated systems and human operators. The system design specifications indicate which functions are to be automated, which are to be manual, and which require joint input of person and machine. In addition, the system design specifications indicate the set of instruments and controls that are implemented in the AP1000.

The AP600 function requirements analysis and function allocation document (Reference 4) provides information on the approach to initial function allocation and presents the results for AP600 safety functions. The results include a specification of the level of automation and personnel responsibility for AP1000 safety functions, processes, and systems. The results also document the rationale for function allocation decisions for AP1000 safety functions.

The report also describes human factors activities that are conducted as part of the AP1000 human system interface design process to verify the adequacy of function allocation decisions and to establish the ability of operators to perform the role assigned to them. Function-based task analyses are used to verify that the sensors and controls that are provided are sufficient to enable operators to perform

ulated plant conditions.

Technology Limits

Recent advances in the technology of digital computing have made it possible and practical to change the performance and role of the human system interface in a process control application such as a nuclear power plant. For the AP1000, a position regarding the limits of the implementation technology to be assumed for the human system interfaces is derived from assessment of existing technology and anticipated advancements. An emphasis is placed on utilization of proven, reliable technology. The decision on the specific technology to be employed is made on a case-by-case basis after available technology alternatives are evaluated.

18.2.1.3 Applicable Facilities

Facilities included in the scope of the AP1000 human factors engineering program are the main control room (MCR), the technical support center (TSC), the remote shutdown room, the emergency operations facility (EOF), and local control stations.]*

The EOF is designed as discussed in Subsection 18.2.6, including specification of a location, in accordance with the AP1000 human factors engineering program. Communication with the emergency operations facility is also as discussed in Subsection 18.2.6. Section 13.3 discusses the responsibility for emergency planning.

The EOF and TSC communications strategies, as well as the EOF and TSC human factors attributes, are described in the Emergency Plan. Subsection 9.5.2.2.3.1 provides additional information related to offsite interfaces.

18.2.1.4 Applicable Human System Interfaces

The scope of the human system interfaces encompasses the instrumentation and control systems which perform the monitoring, control, and protection functions associated with all modes of normal plant operation as well as off-normal, emergency, and accident conditions. Both the physical and cognitive characteristics of those humans involved in the use, control, maintenance, test, inspection, and surveillance of plant systems are accommodated.]*

18.2.1.5 Applicable Plant Personnel

The AP1000 human factors engineering program and the design of the human system interfaces include the selection, synthesis, and distribution of process data to plant operations personnel as well as other plant personnel. These additional users include management, engineering, maintenance, health physics, and chemistry personnel.]*

18.2.1.6 Technical Basis

The human factors engineering program is performed in accordance with accepted industry standards, guidelines, and practices.]* The references listed at the end of each Chapter 18 section and within any supporting documentation and reports are used to guide the human factors engineering program. [The human factors engineering process specified in Reference 1 is used.]*


18.2.2 Human System Interface Design Team and Organization

similar responsibility, authority, and accountability as the rest of the design disciplines.

Figure 18.2-1 depicts the process used by the human system interface design team members.

Figure 18.2-2 shows the organization of the human system interface design team and its relationship to the AP1000 design organization.

18.2.2.1 Responsibility

The mission of the human system interface design team is to develop the main control room and ancillary control facilities (such as the remote shutdown workstation) that support plant personnel in the operation and maintenance of the plant. The human system interface design team is responsible for coordinating the human factors aspects associated with designing the structures, systems, and components that make up the main control room and ancillary control facilities.

The human system interface design team is responsible for:

Development of human system interface plans and guidelines

Oversight and review of human system interface design, development, test, and evaluation activities

Initiation, recommendation, and provision of solutions for problems identified in the implementation of the human system interface activities

Assurance that human system interface activities comply with the human system interface plans and guidelines]*

18.2.2.2 Organizational Placement and Authority

The organization of the human system interface design team and its relation to the AP1000 design organization is depicted in Figure 18.2-2. The structure of the organization may change, but the functional nature of the human system interface design team is retained through the change. The human system interface design team consists of an instrumentation and control system manager, an advisors/reviewers team, a core human system interface design team, and a human system interface technical lead. The technical disciplines described in Subsections 18.2.2.3 and 18.2.2.4 are organized by function within the core human system interface design team. The core human system interface design team and the advisors/reviewers team report to the instrumentation and control system manager. The human system interface technical lead works within the human system interface design function and reports to the instrumentation and control system manager through the manager of the human system interface design function. The instrumentation and control system manager is responsible for the design of the AP1000 instrumentation and control systems, which include the human system interfaces. The instrumentation and control system manager reports to the AP1000 project manager.

The manager of the human system interface design function, who performs the function of technical project management for the human factors engineering design process, is responsible for the overall human system interface design and for integration of the human system interface design with the overall plant design. The advisors/reviewers team is responsible for overseeing the general progress of the human system interface design, providing guidance within the core human system interface design team, reviewing and providing comments on documents, specifications, and drawings pertaining to the human system interface design, and providing supplemental expertise in particular areas of design. The responsibility of the core human system interface design team is to produce the

Staff approval is required prior to implementing a change in this information.

18.2-4 Revision 1

information system, the qualified data processing system, the alarm system, and computerized procedures system design and specification. The responsibilities of the human system interface technical lead include coordinating the technical work of the functional engineering groups, providing the administrative and technical interface between the functional engineering groups and the advisors/reviewers team, and tracking the identification and resolution of human factors engineering design issues through operating experience review.

18.2.2.3 Composition

The human system interface design team consists of a multi-disciplinary technical staff. The team is under the leadership of an individual experienced in the management of the design and operation of process control facilities for complex technologies. The technical disciplines of the design team include:

- Technical project management
- Systems engineering
- Nuclear engineering
- Instrumentation and control (I&C) engineering
- Architect engineering
- Human factors engineering
- Plant operations
- Computer system engineering
- Plant procedure development
- Personnel training
- Systems safety engineering
- Maintainability/inspectability engineering
- Reliability/availability engineering]*

The responsibilities of the individual technical disciplines include:

Technical Project Management

- Provide central point of contact for management of the human factors engineering design and implementation process
- Develop and maintain schedule for human factors engineering design process

Systems Engineering

- Provide knowledge of the purpose, technical specifications, and operating characteristics of plant systems
- Provide input to human factors engineering task analyses
- Participate in development of procedures and scenarios for task analyses, and integrated system validation

Nuclear Engineering

- Provide input to human factors engineering task analyses
- Participate in development of scenarios for task analyses, and integrated system validation

Instrumentation and Control (I&C) Engineering

- Provide knowledge of control and display hardware design, selection, functionality, and installation
- Provide input to software quality assurance programs
- Participate in the design, development, test, and evaluation of the human system interfaces

Architect Engineering

- Provide knowledge of plant component layout and the overall structure of the plant, including design characteristics and performance requirements for the containment building, control room, remote shutdown room, and local control stations
- Provide input to human factors engineering task analyses
- Participate in development of scenarios for task analyses, and integrated system validation

Human Factors Engineering

- Provide knowledge of human performance capabilities and limitations, human factors design and evaluation practices, and human factors principles, guidelines, and standards
- Develop and perform human factors analyses and participate in resolution of human factors problems

Plant Operations

- Provide knowledge of operational activities relevant to characterizing tasks and environment and development of human system interface components, procedures, and training programs
- Participate in development of scenarios for task analyses, and integrated system validation

Computer System Engineering

- Provide knowledge of data processing required for human system interface displays and controls
- Participate in design and selection of computer-based equipment

Plant Procedure Development

- Provide knowledge of operational tasks and procedure formats
- Provide input for development of emergency operating procedures, computer-based procedures, and training systems
- Participate in development of scenarios for task analyses, and integrated system validation

Personnel Training

- Develop content and format of personnel training programs
- Participate in development of scenarios for task analyses, and integrated system validation

Systems Safety Engineering

- Identify safety concerns
- Perform system safety hazard analysis such as thermal atmospheric analysis, toxicology analysis, and radiological analysis

Maintainability/Inspectability Engineering

- Provide knowledge of maintenance, inspection, and surveillance activities
- Provide input in the areas of maintainability and inspectability
- Support design, development, and evaluation of control room and other human system interface components
- Participate in development of scenarios for task analyses, and integrated system validation

Reliability/Availability Engineering

- Provide knowledge of plant system and component reliability and availability and assessment methodologies
- Provide input to design of human system interface equipment
- Participate in development of scenarios for task analyses, and integrated system validation

18.2.2.4 Team Staffing Qualifications

In choosing the human system interface design team members, greater emphasis is placed on the individual's relevant experience in the specific discipline than on formal education. Alternative

members have the following backgrounds:

Technical Project Management

- Bachelor's degree
- Five years' experience in nuclear power plant design or operations and three years of management experience

Systems Engineering

- Bachelor of Science degree
- Four years of cumulative experience in the following areas of systems engineering: design, development, integration, operation, and test and evaluation

Nuclear Engineering

- Bachelor of Science degree
- Four years of experience in the following areas of nuclear engineering: design, development, test, or operations

Instrumentation and Control (I&C) Engineering

- Bachelor of Science degree
- Four years of experience in hardware and software design aspects of process control systems; familiarity with software quality assurance and control
- Experience in at least one of the following areas of instrumentation and control engineering: development, power plant operations, test evaluations

Architect Engineering

- Bachelor of Science degree
- Four years' experience in design of power plant structures and building services

Human Factors Engineering

- Bachelor's degree in Human Factors Engineering, Engineering Psychology, or related science
- Four years' experience in the following areas of human factors engineering: human factors aspects of human system interfaces (design, development, and test and evaluation of human system interfaces for process control applications) and four years' experience in human factors aspects of workplace design (design, development, and test and evaluation of workplaces)

Plant Operations

certification
- Two years' experience in PWR nuclear power plant operations

Computer System Engineering

- Bachelor's degree in Electrical Engineering or Computer Science, or graduate degree in another engineering discipline
- Four years' experience in design of computer systems and real-time system applications; familiarity with software quality assurance and control

Plant Procedure Development

- Bachelor's degree
- Four years' experience in developing nuclear power plant operating procedures

Personnel Training

- Bachelor's degree
- Four years' experience in the development of personnel training programs for power plants and experience in the application of systematic training development methods

Systems Safety Engineering

- Bachelor of Science degree or Bachelor's degree in Science
- Experience in system safety engineering, such as thermal atmospheric analysis, toxicology, radiological analysis, and applicable OSHA limits

Maintainability/Inspectability Engineering

- Bachelor of Science degree or Bachelor's degree in Science
- Four years of cumulative experience in at least two of the following areas of power plant maintainability and inspectability engineering activity: design, development, integration, test and evaluation, and analysis/resolution of maintenance problems

Reliability/Availability Engineering

- Bachelor's degree
- Four years of cumulative experience in at least two of the following areas of power plant reliability engineering activity: design, development, integration, and test and evaluation
- Knowledge of computer-based human system interfaces


18.2.3 Human Factors Engineering Processes and Procedures

documented procedures under the quality assurance program for the AP1000. These procedures provide for control of processes as described below.

18.2.3.1 General Process and Procedures

The instrumentation and control system function is responsible for development of the AP1000 instrumentation and control (I&C), including human system interfaces, and for coordinating and integrating AP1000 instrumentation and control and human system interfaces with other AP1000 plant design activities. The overall operation of the project instrumentation and control systems function is defined. The function includes human system interface design of control rooms and control boards, instrumentation and control design, and control room/equipment design. The function includes definition of an engineering plan, review of inputs, production of system documentation, verification of work, procurement and manufacturing follow-up, and acceptance testing. An iterative feature is built into the process.

Documents produced as part of the instrumentation and control and human system interface design process include:

- Operating experience review documents
- Task analysis documents
- Functional requirements documents
- Human system interface design guidelines documents
- Design specification documents
- Instrumentation and control architecture diagrams
- Block diagrams
- Room layout diagrams
- Instrumentation lists
- System specification documents

The procedures governing instrumentation and control engineering work specify methods for verification of work. The types of verification include:

- Design verification by design reviews
- Design verification by independent review/alternative calculations
- Design verification by testing

System Specification Documents

System specification documents identify specific system design requirements and show how the design satisfies the requirements. They provide a vehicle for documenting the design and they address information interfaces among the various design groups.

System specification documents follow established format and content requirements. The content of a system specification document includes:

- Purpose of the system
- Functional requirements and design criteria for the system
- System design description, including system arrangement and performance parameters
- Layout
- Instrumentation and control requirements
- Interfacing system requirements

System specification documents document human factors and human system interaction requirements. This includes specification of task requirements, information requirements, and equipment requirements for operations, surveillance, test, and maintenance activities.

System specification documents provide specification of instrument and control requirements including:

- System input to the I&C channel list
- Reference to control logic diagrams
- Alarm requirements and characteristics
- Requirements and characteristics of plant status indications

The system specification document for the operation and control centers system provides a mechanism for documenting and tracking human system interface requirements and design specifications. The operation and control centers system specification document is the umbrella document for capturing generic human factors requirements. It provides a uniform operational philosophy and a design consistency among human system interface resources, including the alarm system, plant information system, wall panel information system, and computerized procedures.

Functional requirements and design specifications for the AP1000 operation and control centers system, including the main control room, the technical support center, the remote shutdown room, and local control stations, are provided in the operation and control centers system specification document. Functional requirements documents and design specification documents are generated for each of the individual human system interface resources (including alarm system, plant information system, wall panel information system, computerized procedures, and controls). Functional requirements documents specify the applicable codes, standards, and design requirements and constraints to be met by the design. These documents are referenced by the operation and control centers system specification document.

Design specification documents provide the design specifications for individual human system interface resources and their integration. Included in these specifications are layout and arrangement drawings, algorithms, and display system descriptions, including display task descriptions, display layouts, and navigation mechanisms.

The operation and control centers system specification document, the functional requirements documents, and the design specification documents provide input to the generation of I&C system specification documents, such as the system specification document for the data display and processing system.

Design Configuration Change Control Process

Design changes are controlled to assure that proposed changes to design documents under configuration control are appropriately evaluated for impacts and that approved changes are communicated to the responsible design organizations.

The design configuration change control process is used to control and implement changes to the design. It is used when the design to be changed has been previously released in a document for project use and placed under configuration control. A design change proposal is the vehicle used to initiate and document review of proposed design changes. Design change proposals include identification of impacts of the proposed design change from affected functional groups. In some instances, human factors engineering issues are addressed by the initiation of design change proposals. In other instances, they are addressed as a consequence of human factor engineering

Design Review of Human Factors Engineering Products

Design reviews by a multi-disciplined review team are established as a verification method.

Requirements for the design review process, including selection of the review team, preparation of information for review, identification and follow-up of action items, and documentation of the proceedings, are defined.

Design reviews provide a method of design verification consisting of a systematic overall evaluation of a design that is conducted by an independent design review team. Design reviews are conducted at appropriate stages of design development to provide an objective, independent review of design adequacy, safety, performance, and cost. Design reviews are performed by persons not directly associated with the specific design development, but who, as a group, are knowledgeable in the appropriate technical disciplines.

Final designs, as well as major design changes, are subject to the design review process. For each design review, a design review data package is prepared. It includes checklists, including one specifically addressing human factor engineering questions, which are used by design review committee members to aid their review. For each design issue identified through the use of checklists or otherwise, an action item is initiated.

Action items are tracked through the design issues tracking system database as described in Subsection 18.2.4. The responsibility of entering design review action items into the design issues tracking system database is assigned to the manager responsible for the system reviewed. The responsible design manager is responsible for tracking and addressing open action items.]*

18.2.3.2 Process Management Tools

Tools are provided to facilitate communication across design disciplines and organizations to enhance consistency. An AP1000 design database enables parties involved in the engineering design of the plant to access up-to-date plant design data. Procedures define requirements and responsibilities for moving data into the database.

Tools are provided to guide the design review process. These include design review checklists that support evaluation of design adequacy, and a database for tracking action items generated as a result of the design review process. Further details on the process of tracking action items generated by design reviews are provided in Subsections 18.2.3.1 and 18.2.4.

A design configuration change control process is used to control and implement proposed design changes. Design change proposals are maintained in a database that is used to track the status of each design change proposal from initiation through implementation and closure.

A design issues tracking system database is used to document and track design issues that are identified during the plant design process. Further details on the design issues tracking system are provided in Subsection 18.2.4.

18.2.3.3 Integration of Human Factors Engineering and Other Plant Design Activities

The AP1000 design process provides for the integration of human factors engineering activities among the design groups.

plant design activities is performed by the instrumentation and control systems design function. An iterative design process that includes review and feedback from other engineering and design groups at the design interface is specified. Subsection 18.2.3.1 describes the responsibilities and design process of the instrumentation and control system design function.

System specification documents provide the primary vehicle for transmitting system design data and interface requirements, including human factors engineering and human system interface requirements, to the affected AP1000 design and analysis groups. The system specification documents include a section on interfacing system requirements that describes the support needed from and provided to other systems in the plant. Interface control is performed at the design interfaces, and design changes affecting the interfaces are coordinated. Subsection 18.2.3.1 provides details on system specification documents.

The design configuration change control process provides the process and actions to implement design changes. Subsection 18.2.3.1 provides further details on this process.

Engineering design databases serve as a repository of AP1000 design data for parties involved in engineering design activities of the plant. A technical document control system is used to track the status of AP1000 documents. By using the engineering design databases and the technical document control system, parties have access to up-to-date design data to perform their respective design activities.

Section 18.8 presents the implementation plan for the design of the human system interface.

Figure 18.2-3 provides an overview of the AP1000 human factors engineering process, including the design stages of the human system interface. The relationship of other human factors engineering process elements to the human system interface design is shown.

18.2.3.4 Human Factors Engineering Documentation

Procedures address documentation for AP1000, including document preparation, review, retention, access, and configuration control. These procedures apply to all AP1000 activities, including human factors engineering.

Documents refer to any self-contained portrayal of the AP1000 design or its basis. These include design criteria, descriptions, specifications, drawings, analysis reports, safety reports, and calculations.

A procedure establishes requirements and responsibilities for the preparation, review, and approval of AP1000 design documents. The procedure specifies that documents are to be reviewed by appropriate reviewers, and comments are to be resolved prior to issuance of the document.

Appropriate reviewers include responsible engineers or managers impacted by the information in the document.

Changes to released documents are reviewed and approved in accordance with the design configuration change control procedure for the AP1000 program.

Procedures establish content and format requirements for system specification documents. Other procedures addressing documentation requirements include those for design configuration change control, design reviews, design criteria, and control of subcontractor submittals.


18.2.3.5 Human Factors Engineering in Subcontractor Efforts

Human factors engineering and human system interface requirements are passed on to subcontractors through engineering documents, including design criteria and system specification documents.

Activities within subcontractor design organizations are performed in accordance with the written procedures of those organizations. [The AP1000 Program Procedure Matrix in WCAP-15847 (Reference 6) identifies the procedures that apply to subcontractor design organizations. The procedures of WCAP-15847 that describe the design documentation apply to these external organizations with respect to content and format requirements. Effective implementation of each organization's quality assurance program is monitored by their respective internal audit programs, and by supplier audits.]* See Section 17.3 for quality assurance requirements associated with subcontractor human factors engineering design efforts.

18.2.4 Human Factors Engineering Issues Tracking

A tracking system is used to address human factors issues that are known to the industry and/or identified throughout the life cycle of the human factors engineering/human system interface design, development, and evaluation. The tracking system enables the documentation and tracking of issues that need to be addressed at some later date.

Tracking of human factors engineering issues is accomplished within the framework of the overall plant design process. In this manner, human factors engineering issues are addressed in the same way as those for other disciplines.

[The design issues tracking system database is used to track AP1000 design issues to resolution, including human factors engineering issues. This database receives input from the following three sources:

- Operating experience review
- Design reviews
- Design issues associated with the design of the human system interface and the operation and control centers system]*

For each design issue entered into the database, the actions taken to address the issue and the final resolution of the issue are documented.

The human factors issues in the operating experience review report (Reference 1) that are identified as requiring further consideration by the AP1000 design are entered into the design issues tracking system database.

[The design review process also provides input to the design issues tracking system database. For each design issue identified through the design review process, an action item is initiated. Action items are entered into the design issues tracking system database. Human factors action items from design reviews are included in the database. For preliminary and intermediate design reviews, some action items may be deferred to a more appropriate, subsequent design review. The responsibility of entering design review action items into the design issues tracking system database is assigned to the manager responsible for the system reviewed.]*

database. These are design issues that are identified by the human system interface and operation and control centers system designers as issues that need to be addressed by the human system interface design.

The AP1000 project manager, as shown on Figure 18.2-2, is responsible for the maintenance and documentation of the design issues tracking system. For each issue entered into the design issues tracking system database, a responsible engineer field is used to assign an engineer the responsibility for resolution of the issue.

18.2.5 Human Factors Engineering Technical Program and Milestones

[The human factors engineering program is performed in accordance with the human factors engineering process specified in NUREG-0711 (Reference 1).]* Figure 18.1-1 shows the elements of the AP1000 human factors engineering program. [These elements conform to the elements of the Program Review Model specified in Reference 1, as augmented by Reference 7.]*

Human factors engineering Program Management is addressed in Section 18.2. The remaining elements are addressed in Sections 18.3 through 18.11, 18.13, and 18.14.

These sections address the activities conducted as part of the corresponding human factors engineering element, including the accepted industry standards, guidelines, and practices used as technical guidance, the inputs to the element, and the products, including documents that are generated as output. The facilities, equipment, and tools employed are also addressed in the section corresponding to each element.

Figure 18.2-3 provides an overview of the Westinghouse human factors engineering process. The figure summarizes the major activities of the human factors engineering program, their relative order, and the inputs and outputs for the major activities. The boxes in the diagram indicate major human factors engineering activities. The activities are presented in approximate chronological order, with the outputs of each activity serving as inputs to subsequent activities. The items listed below the activity boxes are the document outputs from that human factors engineering activity. The human factors engineering process includes iterations considering the outcomes of subsequent analysis and design activities, design reviews, and testing. In this approach, design issues are addressed and resolved through the iterative stages of the human factors engineering process. Potential points of iteration are indicated in Figure 18.2-3. Further details on the activities, inputs, and output documents associated with the various elements of the human factors engineering program are provided in the sections corresponding to each human factors engineering element.

Figure 18.2-3 provides a program milestone schedule of human factors engineering tasks showing relationships between human factors engineering elements and activities, products, and reviews.

Internal design reviews are performed at various points throughout the design process.

18.2.6 Combined License Information

18.2.6.1 Human Factors Engineering Program

The execution of the NRC-approved human factors engineering program as presented by Section 18.2 is addressed in APP-OCS-GBH-001 (Reference 8).

18.2.6.2 Emergency Operations Facility

The design of the emergency operations facility in accordance with the AP1000 human factors engineering program is addressed in Reference 9 (APP-GW-GLR-136).

Reference 9 captures the method by which the AP1000 Human Factors Engineering Program Plan (Reference 8) will be applied to TSCs and EOFs that support an AP1000 plant.

EOF and TSC communications, and EOF and TSC human factors attributes are addressed in Subsection 18.2.1.3.

18.2.7 References

1. NUREG-0711, Human Factors Engineering Program Review Model, U.S. NRC, July 1994.]*

2. WCAP-14645, Human Factors Engineering Operating Experience Review Report for the AP1000 Nuclear Power Plant, Revision 3.

3. WCAP-14694, Designers Input to Determination of the AP600 Main Control Room Staffing Level, Revision 0, July 1996.

4. WCAP-14644, AP600/AP1000 Functional Requirements Analysis and Allocation, Revision 1.

5. Reason, J. T., Human Error, Cambridge, U.K., Cambridge University Press, 1990.

6. WCAP-15847, AP1000 Quality Assurance Procedures Supporting NRC Review of AP1000 DCD Sections 18.2 and 18.8, Revision 1, December 2002.]*

7. NUREG-0711, Rev. 1, Human Factors Engineering Program Review Model, U.S. NRC, May 2002.]*

8. APP-OCS-GBH-001, AP1000 Human Factors Engineering Program Plan, Westinghouse Electric Company LLC.

9. APP-GW-GLR-136, AP1000 Human Factors Program Implementation for the Emergency Operations Facility and Technical Support Center, Westinghouse Electric Company LLC.

Figure 18.2-1 [Human System Interface (HSI) Design Team Process]*

Figure 18.2-2 Human System Interface (HSI) Design Team Organization and Relationship to AP1000 Organization

Figure 18.2-3 Overview of the AP1000 Human Factors Engineering Process

engineering-related problems and issues encountered in previous designs that are similar to the AP1000. Reference 1 documents the results of this review, including descriptions of how the AP1000 design addresses each identified issue.

18.3.1 Combined License Information

Combined License applicant responsibilities identified in Reference 1 are presented in Sections 10.4.12, 16.2, 18.2.6, 18.6.1, and 18.10.1.

18.3.2 References

1. WCAP-14645, "Human Factors Engineering Operating Experience Review Report for the AP1000 Nuclear Power Plant," Revision 3.


ign decisions with respect to level of plant automation.

ctional requirements analysis is defined as the "identification of those functions that must be ormed to satisfy plant safety objectives, that is, to prevent or mitigate the consequences of tulated accidents that could cause undue risk to the health and safety of the public" ference 1).

ction allocation is defined as the "analysis of the requirements for plant control and the gnment of control functions to (1) personnel (e.g., manual control), (2) system elements

., automatic control and passive, self-controlling phenomena), and (3) combinations of personnel system elements (e.g., shared control and automatic systems with manual backup)"

ference 1).

erence 2 documents the methods and results of the functional requirements analysis and function cation conducted for AP600.

report provides a description of the AP600 approach to functional requirements analysis and ents the results for AP600 safety functions. The results include a description of AP600 esses, systems, and components involved in maintaining AP600 safety functions. The report includes a similar analysis for current Westinghouse pressurized water reactor designs to serve reference in identifying areas where the AP600 plant differs from previous designs for which rating experience exists. An explicit comparison of the AP600 design with the reference plant ign is provided that identifies plant functions, processes, and systems that are new or modified tive to the reference plant design. This includes changes in level of automation.

report also describes the AP600 approach to initial function allocation and presents the results AP600 safety functions. A methodology adapted from Reference 3 is used to document the nale for initial allocation decisions and verify the acceptability of the initial allocation from a an factors perspective. The results include a specification of level of automation and personnel onsibility for AP600 safety functions, processes, and systems. The rationale for the function cation decisions for AP600 safety functions is documented.

e AP1000 is like AP600 in its operation and approach to safety functions, Reference 2 is directly licable to AP1000. It is used as is for functional requirements and function allocation analyses for 000.

report includes a description of human factors activities that are conducted as part of the AP600 design process to verify the adequacy of function allocation decisions and establish the ability of operators to perform the role assigned to them. This is applied to AP1000 and includes:

- How human factors input is provided early in the design process
- How the integrated role of the operator across the systems is confirmed for acceptability
- Mechanisms available for reconsidering, and if necessary, changing AP1000 function allocations in response to operating experience, and the outcomes of ongoing analyses and trade studies

18.4.1 Combined License Information

This section contained no requirement for additional information.

18.4-1 Revision 1

18.4.2 References

1. NUREG-0711, "Human Factors Engineering Program Review Model," U.S. NRC, July 1994.

2. WCAP-14644, "AP600/AP1000 Functional Requirements Analysis and Function Allocation," Revision 1.

3. NUREG/CR-3331, "A Methodology for Allocation of Nuclear Power Plant Control Functions to Human and Automated Control," 1983.


the following objectives:

- Provide one of the bases for the human system interface design decisions
- Match human performance requirements with human capabilities
- Provide input to procedure development
- Provide input to staffing, training, and communications requirements of the plant]*

This section describes the scope of the AP1000 task analysis activities and the task analysis implementation plan. In addition to Reference 1, References 2 through 12 are inputs to this plan.

18.5.1 Task Analysis Scope

[The scope of the AP1000 task analysis is divided into two complementary activities: function-based task analysis (FBTA) and traditional task analysis, or operational sequence analysis (OSA). The scope of the function-based task analysis is the Level 4 functions]* identified in Figure 18.5-1. This figure is the functional decomposition (goal-means analysis) for normal power operations in a standard pressurized water reactor. Examples of functions at Level 4 are "Control RCS Coolant Pressure" and "Control Containment Pressure." This set of functions defines the breadth of functions to be analyzed. The function-based task analysis will be expanded in scope to include any additional Level 4 functions identified.

The traditional task analysis, or operational sequence analysis, is developed for a representative set of operational and maintenance tasks. The following guidelines are applied to select tasks:

- Tasks are selected to represent the full range of operating modes, including startup, normal operations, abnormal and emergency operations, transient conditions, and low-power and shutdown conditions.

- Tasks are selected that involve operator actions that are identified as either critical human actions or risk-important tasks, based on the criteria in Reference 13.

- Tasks are selected to represent the full range of activities in the AP1000 emergency response guidelines.

- Tasks are selected that involve maintenance, test, inspection, and surveillance (MTIS) actions. A representative set of maintenance, test, inspection, and surveillance tasks is analyzed for a subset of the "risk-significant" systems/structures/components (SSCs).

The full set of tasks to be analyzed is not identified as a part of design certification. The OSAs listed below are included in the set of tasks to be analyzed. (Each of these satisfies one or more of the selection criteria described above.)

- Plant heatup and startup from post-refueling to 100% power

- Reactor trip, turbine trip, and safety injection

- Natural circulation cooldown (startup feedwater with steam generator)

- Loss of reactor or secondary coolant

- Post loss-of-coolant accident cooldown and depressurization

- Loss of RCS inventory during shutdown

- Loss of the normal residual heat removal system (RNS) during shutdown

- Manual automatic depressurization system (ADS) actuation

Staff approval is required prior to implementing a change in this information.


The human factors engineering program review model (Reference 1) indicates that task analysis should include tasks that are considered to be high-risk and tasks that require critical human actions.

[Reference 13 defines criteria for critical human actions and risk-important tasks and has identified a set of examples of AP600 tasks that meet these criteria. Reference 13 is applicable to AP1000.]*

Section 16.2 identifies the systems/structures/components included in the Reliability Assurance Program. A subset of these systems/structures/components and a representative set of associated maintenance, test, inspection and surveillance tasks will be selected by an expert panel. This panel will be comprised of representatives with expertise from relevant groups in the design process, such as systems engineering, reliability engineering, probabilistic risk analysis, human factors engineering, and human system interface design. The set of maintenance, test, inspection and surveillance tasks identified through the expert panel process will be considered to be "risk important" tasks, and will be included in task analysis activities.

18.5.2 Task Analysis Implementation Plan

Figure 18.5-2 shows the proposed sequence of task analyses. Figure 18.5-2 provides information concerning the task analysis and human system interface design elements. [Task analysis includes a function-based task analysis and an operational sequence analysis.]* In Figure 18.5-2, the operational sequence analysis in the task analysis box is designated as OSA-1 since two operational sequence analyses will be implemented.

18.5.2.1 Function-Based Task Analyses

Function-based task analysis is applied to each of the Level 4 functions. There are four components of function-based task analysis. First, analysis is performed to identify the set of goals relevant to the function. Second, a functional decomposition is performed. This decomposition identifies the processes that, either individually or in combination, have a significant effect on the function. Third, a process analysis is performed by applying a set of questions derived from Rasmussen's model (References 6-9) analysis approach. [The set of questions used and basis for the methodology is provided in Reference 12.]* An example of a question from the process analysis is "Are the process valid?" The results of the process analysis identify the indications, parameters, and controls that the operator uses to make decisions about the respective function. Finally, there is a verification that the indications and controls identified in the process analysis are included in the AP1000 design.

From the function-based task analyses, the following types of information are obtained:

- A completeness check on the availability of needed indications, parameters, and controls. This includes indications and controls needed for supervisory control of automated systems and manual over-ride.

- Input to the specification and layout of functional displays.

18.5.2.2 OSA-1

The operational sequence analysis completed as part of the task analysis process focuses on specifying the operational requirements for the complete set of tasks selected. For each task, an operational sequence diagram of the task's performance is created that includes the following:

- Plant state data required at each step
- Source of the data (alarm, display, oral communication)
- Time available for action
- Other temporal constraints (ordering, tasks that need to be done in parallel)
- Task support requirements needed (required tools)
- Considerations of work environment

The operational sequence diagrams are developed from the emergency response guidelines, the Probabilistic Risk Assessment event sequences associated with critical or risk-important actions, and the function-based task analysis. The following potential limitations on task performance are considered:

- Limits on human performance
- Limits on hardware and software performance
- Limits on crew communications

The first operational sequence analysis provides the following types of information:

- Frequency and co-occurrence of plant state parameters and controls
- Display design and organization constraints
- Performance time constraints
- Inventory of alarms, controls, and parameters needed to perform the sequences

As shown in Figure 18.5-2, the function-based task analysis and OSA-1 feed into the human system interface design by providing task performance guidance and constraints. The display and operator workstation design is based on this information.

18.5.2.3 OSA-2

The critical issues for the second operational sequence analysis are:

- Completeness of available information - This analysis determines whether necessary information is available to the operator performing the task activities.

- Time to perform tasks - A set of performance time assumptions will be established and used to determine the time required for actions to be completed. These assumptions will provide estimates of task performance times that can be compared to performance time requirements.

- Operator workload analysis - An evaluation of the effect of the human system interface design and the task demands on operator workload will be conducted.

- Operational crew staffing - The workload analysis provides an indication of the adequacy of staffing assumptions. In cases where the operational sequence analysis indicates high operator workload values, or insufficient time available for performance, alternative staffing assumptions or changes to the human system interface design or task allocation to reduce operator workload are evaluated.

The second operational sequence analysis is performed for a representative subset of tasks that include the critical human actions and risk-important tasks and tasks that have human performance concerns (for example, potential for high workload or high error rates).
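The OSA-1 inventory and the OSA-2 checks described above (completeness of available information, time to perform against time available, and per-position workload), as an added Python example that is not from the UFSAR or from Westinghouse's task-analysis tooling. The task sequence, step durations, crew position labels, HSI inventory and workload threshold are constructed assumptions chosen to exercise each check.

```python
"""Operational sequence analysis (OSA) checks for one constructed task
sequence: information completeness, performance time versus time available,
per-position workload (OSA-2), and the inventory of HSI sources the
sequence depends on (an OSA-1 output)."""
from dataclasses import dataclass


@dataclass
class Step:
    name: str
    position: str        # crew position performing the step (constructed labels)
    duration_s: float    # assumed performance time for the step
    needs: tuple         # plant-state data required at this step
    after: tuple = ()    # steps that must finish before this one starts


@dataclass
class Sequence:
    name: str
    time_available_s: float   # time available for the whole action
    steps: list


# Constructed HSI inventory: datum -> source (alarm, display, oral communication).
# "core exit temperature" is deliberately absent to exercise the completeness check.
INVENTORY = {
    "rod bottom lights": "display",
    "SI actuation status": "alarm",
    "containment pressure": "alarm",
    "RCS subcooling": "display",
}

# Constructed sequence; positions, times and data are illustrative, not plant data.
EXAMPLE_SEQUENCE = Sequence("reactor trip / SI response (constructed)", 120.0, [
    Step("verify_trip", "RO", 20.0, ("rod bottom lights",)),
    Step("verify_si", "RO", 30.0, ("SI actuation status",), ("verify_trip",)),
    Step("check_containment", "BOP", 25.0, ("containment pressure",)),
    Step("check_subcooling", "RO", 15.0, ("RCS subcooling",), ("verify_si",)),
    Step("brief_crew", "SRO", 40.0, ("core exit temperature",),
         ("check_subcooling", "check_containment")),
])


def completeness_check(seq, inventory):
    """Required data that no HSI resource in the inventory supplies."""
    missing = []
    for step in seq.steps:
        for datum in step.needs:
            if datum not in inventory and (step.name, datum) not in missing:
                missing.append((step.name, datum))
    return missing


def resource_inventory(seq, inventory):
    """OSA-1 style inventory: which sources (alarm, display, ...) the sequence needs."""
    used = {}
    for step in seq.steps:
        for datum in step.needs:
            if datum in inventory:
                used.setdefault(inventory[datum], set()).add(datum)
    return used


def schedule(seq):
    """Earliest finish time of each step: a step starts when its predecessors
    are done and its position is free (one step per position at a time), so
    unconstrained steps of different positions run in parallel. Raises on an
    ordering cycle or an unknown predecessor."""
    names = {s.name for s in seq.steps}
    for s in seq.steps:
        for p in s.after:
            if p not in names:
                raise ValueError(f"{s.name}: unknown predecessor {p}")
    pending, done, free = list(seq.steps), {}, {}
    while pending:
        ready = [s for s in pending if all(p in done for p in s.after)]
        if not ready:
            raise ValueError("ordering cycle among " + ", ".join(s.name for s in pending))
        s = ready[0]                       # list order breaks ties
        start = max([done[p] for p in s.after] + [free.get(s.position, 0.0)])
        done[s.name] = start + s.duration_s
        free[s.position] = done[s.name]
        pending.remove(s)
    return done


def time_check(seq):
    """Completion time of the sequence against the time available."""
    required = max(schedule(seq).values())
    return {"required_s": required, "available_s": seq.time_available_s,
            "meets_requirement": required <= seq.time_available_s}


def workload(seq, threshold=0.5):
    """Fraction of the available window each position is busy; positions above
    the threshold are candidates for re-allocation or HSI/staffing changes."""
    busy = {}
    for s in seq.steps:
        busy[s.position] = busy.get(s.position, 0.0) + s.duration_s
    return {pos: {"fraction": round(t / seq.time_available_s, 3),
                  "high": t / seq.time_available_s > threshold}
            for pos, t in busy.items()}


if __name__ == "__main__":
    print("missing data:", completeness_check(EXAMPLE_SEQUENCE, INVENTORY))
    print("timing:", time_check(EXAMPLE_SEQUENCE))
    print("workload:", workload(EXAMPLE_SEQUENCE))
```

On the constructed sequence the timing check passes (105 s of 120 s) while the completeness check reports the missing datum and the RO position exceeds the workload threshold, which is the kind of finding that feeds the staffing and HSI decisions listed above.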


analyzed using operational sequence task analyses. OSA-1 analyses are conducted on the set of maintenance, test, inspection, and surveillance tasks identified to be "risk-important."

18.5.3 Job Design Factors

Section 18.6 addresses the control room staffing that applies to the AP1000. The staffing level of the main control room, job design considerations, and crew skills are discussed in Subsection 18.6.1.

18.5.4 Combined License Information Item

18.5.4.1 Task Analysis Implementation

The execution and documentation of the task analysis implementation plan presented in Section 18.5 is addressed in APP-GW-GLR-081 (Reference 14).

18.5.4.2 Main Control Room Position Scope and Responsibilities

The scope and responsibilities of each main control room position, considering the assumptions and results of the task analysis, are addressed in APP-OCS-GJR-003 (Reference 15).

18.5.5 References

[NUREG-0711, "Human Factors Engineering Program Review Model," U.S. NRC, July 1994.]*

U.S. NRC Guidance, NUREG/CR-3371, "Task Analysis of Nuclear Power Plant Control Room Crews."

IEC-964, "Design for Control Rooms of Nuclear Power Plants."

Department of Defense Documents: DI-H-7055, "Critical Task Analysis Report," and MIL-STD-1478, "Task Performance Analysis."

NATO Document, "Applications of Human Performance Models to System Design," edited by McMillan, Beevis, Salas, Strub, Sutton, & van Breda, New York: Plenum Press, 1989.

Rasmussen, J., "Information Processing and Human-Machine Interaction, An Approach to Cognitive Engineering," New York: North-Holland, 1986.

Hollnagel, E. and Woods, D. D., "Cognitive Systems Engineering: New Wine in New Bottles," International Journal of Man-Machine Studies, Volume 18, 1983, pages 583-600.

Roth, E. and Mumaw, R., "Using Cognitive Task Analysis to Define Human Interface Requirements for First-of-a-Kind Systems," Proceedings of the Human Factors and Ergonomics Society 39th Annual Meeting, San Diego, Ca., 1995, pp. 520-524.

Vicente, K. J., "Task Analysis, Cognitive Task Analysis, Cognitive Work Analysis: What's the Difference?" Proceedings of the Human Factors and Ergonomics Society 39th Annual Meeting, San Diego, Ca., 1995, pp. 534-537.


Woods, D. D., "Application of Safety Parameter Display Evaluation Project to Design of Westinghouse SPDS," Appendix E to "Emergency Response Facilities Design and V & V Process," WCAP-10170, submitted to the U.S. Nuclear Regulatory Commission in support of their review of the Westinghouse Generic Safety Parameter Display System (Non-Proprietary) (Pittsburgh, PA, Westinghouse Electric Corp.), April 1982.

WCAP-14695, "Description of the Westinghouse Operator Decision Making Model and Function Based Task Analysis Methodology," Revision 0, July 1996.]*

WCAP-14651, "Integration of Human Reliability Analysis and Human Factors Engineering Design Implementation Plan," Revision 2, May 1997.]*

APP-GW-GLR-081, "Closure of COL Information Item 18.5-1, Task Analysis," Westinghouse Electric Company LLC.

APP-OCS-GJR-003, "AP1000 Main Control Room Staff Roles and Responsibilities," Westinghouse Electric Company LLC.


WLS 1&2 - UFSAR

Figure 18.5-1 Top Four Levels of the Normal Power Operation for a Westinghouse PWR

Figure 18.5-2 Task Analysis Utilized as Design Input

Table 13.1-201 contains the estimated staffing levels for those categories of personnel that are addressed by the Human Factors Engineering program per NUREG-0711, Human Factors Engineering Program Review Model (Reference 201), as follows:

- Licensed operators
- Shift Supervisors
- Non-licensed operators
- Shift technical advisors
- Instrumentation and control technicians
- Mechanical maintenance technicians
- Electrical maintenance technicians
- Radiation protection technicians
- Chemistry technicians
- Engineering support

The minimum level of staffing for control room personnel who directly monitor and control the plant is listed in Table 13.1-202 and meets the requirements of 10 CFR 50.54(m). Information about the staffing levels of security personnel is contained in the separately submitted physical security plan.

Qualification requirements of plant personnel listed above are discussed in Subsections 13.1.1.4, Qualifications of Technical Support Personnel, and 13.1.3, Qualification Requirements of Nuclear Plant Personnel, and, for security personnel, in the physical security plan.

The baseline level of staffing for the categories of personnel discussed above is derived from experience in current operating nuclear power plants. The number of personnel in operating plants has evolved over many years to a level that is safe and efficient and provides adequate personnel to operate the plant under all conditions, including abnormal and emergency, meets regulatory requirements, and supports individual training and personal needs.

Iterative adjustments are implemented to the level of staffing, as necessary, based on findings and input from periodic reviews and staffing analysis. Input to this analysis includes information derived from the other elements of the human factors engineering program, particularly operating experience review, functional requirements analysis and function allocation, task analysis, human reliability analysis, human-system interface design, procedure development, and training program development.

In addition to the regulatory requirements referenced, input to the analyses and the level of staffing is provided by WCAP-14694, Designer's Input to Determination of the AP600 Main Control Room Staffing Level (Reference 1), AP1000 Combined License Technical Report APP-GW-GLR-010, AP1000 Main Control Room Staff Roles and Responsibilities (Reference 202), and EPRI Technical

18.6.1 Combined License Information Item

The staffing levels and qualifications of plant personnel, including operations, maintenance, engineering, instrumentation and control technicians, radiological protection technicians, security, and chemists, and the number of operators needed to directly monitor and control the plant from the main control room, including the staffing requirements of 10 CFR 50.54(m), are addressed in Section 18.6.

18.6.2 References

1. WCAP-14694, "Designer's Input To Determination of the AP600 Main Control Room Staffing Level," Revision 0, July 1996.

201. United States Nuclear Regulatory Commission, Human Factors Engineering Program Review Model, NUREG-0711, Revision 2, February 2004.

202. Westinghouse, AP1000 Main Control Room Staff Roles and Responsibilities, APP-GW-GLR-010, Rev. 2, June 2007.

203. EPRI, Program on Technology Innovation: Staff Optimization Scoping Study for New Nuclear Power Plants, Technical Report 1011717, Final Report, August 2005.


There are important interfaces between the human factors engineering program and human reliability analysis. Human reliability analysis makes use of outputs of human factors engineering/HSI design activities, including analyses of operator functions and tasks and specifications of HSI characteristics.

Human reliability analysis is a source of input to human factors engineering/HSI design in identifying plant scenarios, human actions, and HSI components that are important to plant safety and reliability.

The objective of integration of human reliability analysis with human factors engineering is to specify the interfaces between human reliability analysis and human factors engineering activities.

[Reference 1 documents the implementation plan for the integration of human reliability analysis with human factors engineering design.]* Reference 2 documents the execution and documentation of the implementation plan.

[The objective of the human reliability analysis/human factors engineering integration implementation plan is to enable:

- Human reliability analysis activity to integrate the results of the human factors engineering design activities
- Human factors engineering design activities to address critical human actions, risk important tasks, and human error mechanisms, in order to minimize the likelihood of personnel error and to provide for error detection and recovery capability]*

Human reliability analysis methodology and results are described in Chapter 30 of the AP1000 PRA.

18.7.1 Combined License Information

The execution and documentation of the human reliability analysis/human factors engineering integration implementation plan that is presented in Section 18.7 is addressed in Reference 2 (APP-GW-GL-011, WCAP-16555).

18.7.2 References

1. [WCAP-14651, "Integration of Human Reliability Analysis with Human Factors Engineering Design Implementation Plan," Revision 2, May 1997.]*

2. WCAP-16555, "AP1000 Identification of Critical Human Actions and Risk Important Tasks," Revision 1.


information on the human factors design for the non-HSI portion of the plant. The human system interface includes the design of the operation and control centers system (OCS) and each of the human system interface resources.

The operation and control centers system includes the main control room, the technical support center, the remote shutdown room, emergency operations facility, local control stations and associated workstations for each of these centers. The AP1000 human system interface resources include:

- Wall panel information system
- Alarm system
- Plant information system
- Computerized procedure system
- Soft controls/dedicated controls
- Qualified data processing system

The wall panel information system presents information about the plant for use by the operators. No control capabilities are included. The wall panel information system provides dynamic display of plant parameters and alarm information so that a high level understanding of current plant status can be readily ascertained. It is located at one end of the main control area at a height such that persons seated at the reactor operator and senior reactor operator workstations can view it while sitting at their respective workstations. It provides information important to maintaining the situation awareness of the crew and for supporting crew coordination. The wall panel information station provides a dynamic display of the plant. It also serves as the alarm system overview panel display.

The display of plant disturbances (alarms) and plant process data is integrated on this wall panel information system display. The wall panel information system is a nonsafety-related system. It is designed to have a high level of reliability.

The mission of the AP1000 alarm system, together with the other human system interface resources, is to provide the operation and control centers operating staff with the means for acquiring and understanding the plant's behavior. The alarm system improves the performance of the operating crew members, when acting both as individuals and as a team, by improving the presentation of the plant's process alarms. [The alarm system supports the control room crew members in the following steps or activities of Rasmussen's operator decision-making model (Reference 25):]*

- The alert activity, which alerts the operator to off-normal conditions
- The observe what is abnormal activity, which aids the user in focusing on the important issue(s)
- The process state identification activity, which aids the user in understanding the abnormal conditions and provides corrective action guidance. It guides the operating crew into the information display system.

The plant information system is a subset of the data display and processing system (non-Class 1E system), presenting plant process information for use by the operators. The plant information system provides dynamic indications of plant parameters and visual alerts so that an understanding of current plant conditions and status is readily ascertained. The plant information system uses color-graphic visual display units located at the operation and control centers workstations to display plant process data. These displays provide information important to monitoring, planning, and controlling the operation of plant systems and obtaining feedback on control actions. The displays provided by

The computerized procedure system has a mission to assist plant operators in monitoring and controlling the execution of plant procedures. The computerized procedure system is a software system. It runs on the hardware selected for the operation and control centers. The computerized procedure system is accessible from the workstations in the main control room. A procedure writers' guide is developed as part of the human system interface design implementation plan for the computerized procedure system. The writers' guide is the design guidelines document for the computerized procedure system. Information on the writers' guide and on the computerized procedure system is found in Reference 31. Application of the computerized procedure system for emergency operating procedures is licensed outside the United States and is being used in an operating nuclear power plant. Additionally, the application of the computerized procedure system for turbine-generator startup and shutdown is being used in another operating nuclear power plant located outside the United States. Human factors engineering review guidance for computer-based procedures is presented by Reference 9. The design of a backup to the computerized procedure system, to handle the unlikely event of a loss of the computerized procedure system, is developed as part of the human system interface design process. Design options include the use of a paper backup. [The acceptability of the computerized procedure system and its backup will be confirmed as integral elements of the AP1000 design by the implementation of the AP1000 verification and validation program (Reference 24).]* Procedure development is addressed in Sections 13.5 and 18.9.

The mission of the controls in the main control room is to allow the operator to operate the plant safely under normal conditions, and to maintain it in a safe condition under accident conditions. The main control room includes both safety-related and nonsafety-related controls. The types of controls in the main control room include both discrete (dedicated) control switches and soft controls. The discrete control switches are controls dedicated to a single function. As shown in Figure 18.8-1, the soft control units are control devices whose resulting actions are selectable by the operator. The instrumentation and control architecture uses both discrete control switches and soft control units.

The soft control units are used to provide a compact alternative to the traditional control board switches by substituting virtual switches in the place of the discrete switches.

The final configuration of these elements is dependent upon the results of the human system interface design process described in Subsection 18.8.1 below.

The mission of the qualified data processing system is to provide a Class 1E system to present to the main control room operators the plant parameters which demonstrate the safety of the plant. The qualified data processing system provides for the display of the variables as described in Section 7.5 through safety-related displays. The informational content of qualified data processing system displays is provided to the remote shutdown workstation through the plant information system.

18.8.1 Implementation Plan for the Human System Interface Design

Figure 18.2-3 provides an overview of the AP1000 human factors engineering process, including the design stages of the human system interface. The relationship of other human factors engineering process elements to the human system interface design is shown.

The functional design of the operation and control centers system and the human system interface is the activity where the functional requirements for the human system interface resources of the main control room and related operation and control centers system are developed. The output of the functional design is a set of documents that specify the mission, design bases, performance requirements, and functional requirements for each human system interface resource. These functional requirement documents and the human system interface design guidelines are used to

The following subsections describe the activities conducted as part of the human system interface design and the documents that are produced.

18.8.1.1 Functional Design

A system specification document for the operation and control centers system documents and tracks human system interface requirements and design specifications. The operation and control centers system specification document is the umbrella document for capturing human factors requirements, providing a uniform operational philosophy, and design consistency among the individual human system interface resources.

Included in the operation and control centers system specification document are functional requirements and specifications for the AP1000 operation and control centers system, including the main control room, the technical support center, the remote shutdown room, and local control stations. In addition, functional requirement documents are generated for each of the individual human system interface resources. These documents are referenced by the operation and control centers system specification document.

The operation and control centers system specification document and the individual human system interface functional requirement documents include mission statements and performance requirements. The mission statements establish the high level goals and main tasks to be supported by the control center or human system interface resource. Performance requirements represent high level design goals and help to clarify the functional designer's intent. They are high level requirements that may not be readily verifiable by testing or other quantitative means, but are important considerations for meeting the goals defined in the mission statements. The design bases establish the foundation for the design and the rationale behind engineering decisions made and criteria established for the design. Functional requirements include requirements needed to meet the criteria defined in the applicable codes, standards, and customer requirements.

The operations and control centers functional requirements document includes requirements to meet re, diversity, electrical separation, and other applicable criteria. This document establishes requirements related to access control, redundancy, independence, identification and test capability, and defines requirements on system inputs and outputs. It specifies the system safety classification and defines applicable quality assurance, reliability goals, and environmental qualification requirements. The specification of the cognitive activities in the operator decision-making model that each human system interface resource is intended to support is provided in the operation and control centers functional requirements document.

Reference 25 describes the operator decision-making model and associated operator cognitive activities. As shown in Figure 18.8-2, the HSI interface resources are mapped to four major classes of operator cognitive activities in the model (detection and monitoring, interpretation, control, and feedback).

The contents of this map are then considered in terms of sources of operational complexity that add operator performance demands. The two general sources of complexity considered are 1) use of multiple as opposed to single HSI resources, and 2) increasing situational or scenario-based complexity. Considering the impact of complexity on the mapping leads to issues; that is, general cases where adequate human performance should be confirmed.

Table 18.8-1 presents the resulting set of human performance issues. Note that feedback issues have been addressed under control, rather than as a separate activity, because feedback activities

documents. The human performance issues and requirements will be addressed by the verification and validation activities described by Reference 24.

18.8.1.2 Design Guidelines

Guidelines for the human system interface design have been developed for the human system interface resources to facilitate the standard and consistent application of human factors engineering (HFE) principles to the design (see Reference 1). Reference 1 contains standards and conventions guidelines and tailors generic human factors engineering guidance to the AP1000 human system interface design and defines how those human factors engineering principles are applied.

These guidelines enable groups of people to simultaneously develop the human system interface in a consistent manner in accordance with the human factors engineering principles established for the design. [The guidelines are used to perform the human factors engineering design verification activity of the human factors verification and validation plan (Reference 24).]*

Human system interface design guideline documents include:

- Anthropometric guidelines
- Alarm guidelines
- Display guidelines
- Controls guidelines
- Computerized procedures guidelines

The AP1000 human system interface design guidelines document provides:

- Statements of their intended scope, references to source materials, and instructions for their proper use.

- Specification of accepted human factors engineering guidelines, standards, and principles to which the AP1000 human system interface conforms.

- Specification of design conventions (for example, coding conventions) to which the AP1000 human system interface conforms.

- Documentation of deviations from human factors engineering guidelines, standards and principles, and justification based on documented rationale such as trade study results, literature-based evaluations, demonstrated operational experience, and tests and experiments.

The accepted human factors engineering guidelines documents that were used in compiling the AP1000 human system interface design guidelines document are found in References 2 through 8.

18.8.1.3 Design Specifications

Design specifications are written for the operation and control centers system and the human system interface resources. The design specification documents are the result of applying the guidelines to the functional design. They provide the design for each human system interface resource, including the integration of the hardware and software modules, to satisfy the human system interface functional design requirements. Included in these specifications are layout and arrangement

The functional requirement documents are used to define the bases for the system design specifications.

operation and control centers system specification document and human system interface tional requirements and design specification documents provide input to the generation of rumentation and control system specification documents, such as the system specification ument for the data display and processing system. These specification documents are used as ts to the hardware and software system designers to generate implementation documents such ardware and software specifications.

18.8.1.4 Man-in-the-Loop Testing

An integral part of the human system interface design process is the conduct of man-in-the-loop engineering tests to obtain feedback from prototype design products early in the design process.

The use of engineering tests is a good engineering practice, which reflects an iterative design process. By providing feedback early, before the detailed design is complete, engineering tests can help to improve the design and to avoid problems in the final product. Engineering tests also may offer concrete insight on questions that cannot be resolved logically (for example, by guidance or analysis). Finally, results from engineering tests provide evidence of design adequacy. Engineering tests thus serve to increase confidence and reduce project risk in the design process.

Engineering tests are performed to obtain empirical results that can be applied directly to understanding and improving the design product. More specifically, engineering tests are designed to produce the following types of results for the prototype design:

- Design-specific operating experience
- Confirmation of necessary performance and integration
- Identification of specific problems
- Subjective feedback from expert users and observers

[The man-in-the-loop test plan to obtain feedback from prototype design products early in the design process is defined and documented in Reference 46.]* The results of the engineering testing are used to refine the design of the operation and control centers system and the human system interface.

18.8.1.5 Mockup Activities

A mockup of portions of the main control room working area is constructed as part of the human system interface design process. The partial mockup consists mainly of non-operational representations of the desks, displays, and panels. The mockups are constructed to the anthropometric profiles and arranged in the floor layout intended for the main control room.

The partial mockup is used to examine and verify, as needed, physical layout aspects such as availability of workspace, physical access, visibility, and related anthropometric and human factors engineering issues. It will also be used for walk-through exercises to examine issues such as staffing levels, task allocation, and procedure usage.


operation and control centers system, functional requirement documents, design criteria documents, design review documents, and documentation of design configuration change control.

18.8.1.7 Task-Related Human System Interface Requirements

As shown in Figure 18.2-3, the results of other human factors engineering program elements are used as input and bases for developing the operation and control center system and human system interface resources functional design (mission statements, performance requirements, design bases, functional requirements), guideline documents and the design specification documents. Staffing assumptions, operating experience reviews, functional requirements analysis and allocations, task analysis, and integration of human reliability analysis provide the bases for identifying the human system interface requirements needed to support human functions and tasks. The resulting human system interface requirements are documented in the human system interface resource functional design documents (operation and control centers system specification document and the individual human system interface resource functional requirements document), guidelines document and design specification documents. Subsections 18.8.1.1 through 18.8.1.3 provide descriptions of these documents.

The AP1000 task analysis, described in Section 18.5, includes two complementary activities: function-based task analysis (FBTA) and traditional task analysis, or operational sequence analysis (OSA). The function-based task analysis identifies the indications, parameters, and controls that the operator needs to make decisions about the respective function. There is also a verification that the indications and controls identified in the process analysis are included in the design. The operational sequence analysis, completed as part of the task analysis process, focuses on specifying the operational requirements for the complete set of tasks selected. One of the guidelines used in selecting tasks for analysis is that the selected tasks represent the full range of activities in the AP1000 emergency response guidelines. One type of information provided by the operational sequence analysis is an inventory of alarms, controls, and parameters needed to perform the task sequences.

The operational task analysis results include the identification of controls, alarms, and parameters needed by the operator to execute task sequences found within the emergency response guidelines.

These results serve as a cross-check with the function-based task analysis results. Design reviews held during the human system interface design serve as another means of verifying completeness by identifying and correcting omissions. [The task support verification activity of the human factors verification and validation (Reference 24) verifies that the human system interface design provides the necessary alarms, displays, and controls to support personnel tasks.]*

The collective results of the task analysis activities identify the tasks and operational information needed by the operator to execute these tasks. For each display, a display task description is written.

The display task description includes the identification of the informational needs to be supported by the display. The features, dynamic characteristics, calculated values, and supporting algorithms for the display are part of the display task description. The design specification of a display includes the range, precision, and measurement units of the parameters provided in the display. These parametric characteristics are chosen to support the task and the operator informational needs. The parametric characteristics, identified in the design specification, are provided using the guidelines presented in the design guidelines document for displays. The basis for the parametric characteristics chosen for the displays is found in the design guidelines document.

18.8.1.8 General Human System Interface Design Feature Selection

The AP1000 human system interface resources include the wall panel information system, alarm system, plant information system, computerized procedure system, controls (soft and dedicated)


activities to identify the operators' information and control requirements.]* The human system interface resources are mapped to the major classes of operator activities identified from this model.

Figure 18.8-2 illustrates this mapping. The human performance requirements that each human system interface resource supports are identified as part of the design process.

The human system interface resources are chosen based upon utility requirements and review of operating experience. The goal of the human system interface design is to provide the operators with effective means for acquiring and understanding plant data and executing actions to control the plant's processes and equipment. Through implementation of the human system interface design process, the identified AP1000 human system interface resources are developed.

Design alternatives for a feature within a human system interface resource (such as the use of a mouse, trackball, or touchscreen for soft controls) are evaluated. A decision is made based upon evaluation methods including human factors/trade-off studies, reviews of nuclear industry operating experience or reviews of other industry experience, experience gained from past projects, and utility input. The basis and rationale for the decisions are provided in the functional design documentation.

18.8.1.9 Human System Interface Characteristics: Identification of High Workload Situations

Identification of high operator workload situations and their consequent changes in operator response times or likelihood of operator error is a usability issue. Potential impact on operator workload is a criterion in selecting the human performance issues identified in Table 18.8-1.

Identification of high-workload situations through analytic techniques and part-task simulations is part of the human factors engineering program (Section 18.5 on Task Analysis).

Use of Workload Measurement Techniques

As part of task analysis activities (Section 18.5), analytic approaches are used to estimate workload. Analytic methods include the use of task analysis.

Usability Guidance

Usability guidance is included in the human system interface design guidelines, as discussed in Subsection 18.8.1.2.

Workstation Usage Scenarios

The physical layout of the AP1000 control room and related control centers follows established ergonomic guidelines including consideration of fatigue and alertness of operators sitting at workstations.

Environmental Conditions

Determination of environmental conditions (lighting, noise, ambient working temperatures, radiation, air quality, and humidity) in the control room, the remote shutdown room, and at local control stations employs well-accepted standards from the fields of industrial and human engineering such as References 14, 15 and 16. Relevant guidance from prior studies in the nuclear power area (References 17 through 20) is also used.


Critical Control Actions

Critical human actions and risk important tasks are identified by the probabilistic risk assessment/human reliability analysis process. [Reference 23 presents the process of identifying the critical human actions and risk important tasks and the implementation plan for integrating human reliability analysis into the human factors engineering program.]* Critical human actions or risk important tasks are examined by task analysis, human system interface design, and procedure development, to identify changes to the operator task or the control and display environment to reduce or eliminate sources of error.

18.8.1.10 Human System Interface Software Design and Implementation Process

This subsection describes the software design, implementation, and verification process established to verify that human system interface functional requirements are implemented by the software. The software design, implementation, and verification process uses a top-down approach to incorporate the system design requirements and the functional requirements into software module design.

Software refers to the computer instructions and information provided to implement a subset of the human system interface functional requirements. The software design and implementation process is a subset of the overall human system interface design process. It consists of system software design specifications, software design, software implementation, and software verification.

The system software design specification activity takes as its input the system functional requirement and specification documents and produces software design requirements documents and the software verification test procedures. Software design requirements documents list the functions, performance, design constraints, and attributes of the system software.

The software design activity takes software design requirements and produces software design specification documents. Software design specification documents provide the details for the software design at the module level and assembly level. These documents define the software language, logical structure, variable names, information flow, logical processing steps, and data structure of the system software programs. They also describe the functions performed, support software, storage and execution limitations, interface constraints, error conditions, error detection, error response actions, and details of the software operation in the hardware environment.

The software implementation activity implements the software design specifications in the form of documented source programs and object code. The source program and associated documentation contain the comments, functional diagrams, external references, and internal module descriptions.

The object code is generated from the source program and installed in processor memory to perform the functions specified by the software design specifications.

In the software verification testing activity, the software is tested to verify that it complies with the system software design requirements. The software is tested according to the software verification test procedures.

Nonconformances of the software to the software verification test procedures are documented by trouble reports, and changes are made. In the case where the error is a result of an error in the system software design requirements or the software design specifications, these documents are revised. The software test results report presents a summary of the software verification testing results.


implementation plan]* described in Subsection 18.8.1. [The Safety Parameter Display System is integrated into the design of the AP1000 human system interface resources.]*

As noted in Section 4.1.a of Reference 27, ...the principal purpose and function of the Safety Parameter Display System is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid a degraded core. This can be particularly important during anticipated transients and the initial phase of an accident. Since the main intended use is during relatively rare occurrences, human-factors engineering suggests that the operators will find the use of data acquisition habits acquired and repeated during the normal operation of the plant to be the most successful. A system in the control room that only varies its output during abnormalities may require a shift in mental focus and in data acquisition habits and subsequent analysis. An effective means for conveying the safety state of the plant is to provide data and displays for normal operation that employ the Safety Parameter Display System required principles of data synthesis, concentration and display. This operator interface is operational over the range of plant conditions specified by the Safety Parameter Display System requirements, as well as during normal operations.

The operator interface to the plant is improved by integrating Safety Parameter Display System requirements into the overall human system interface design to avoid the need for another system that is infrequently used.

The following subsections describe [the approach to meeting the regulatory requirements for a Safety Parameter Display System by addressing the Safety Parameter Display System requirements of References 26 and 27.]*

18.8.2.1 General Safety Parameter Display System Requirements

The AP1000 human system interface resources used to address the Safety Parameter Display System requirements are the alarm system, plant information system (workstation visual display unit displays), and the computerized procedure system. The AP1000 human system interface data display (alarms and visual display unit displays) is organized around the Safety Parameter Display System requirement of plant process functions. Expressing plant state in terms of process functions is incorporated in the AP1000 control room design. This is expected to improve the human interface by making the data presentation interface seamless as the plant moves from one operational state to another.

The alarm system, which organizes the presentation of alarms by process function and adopts a dark board approach (for all plant modes), continually indicates the state of each of the functions. By remaining dark when the process is performing as expected, the process functions are interpreted as being satisfied. An alarm indication displayed in any function indicates that the function is in jeopardy. In this way, the set of alarms that is active is the minimum set. The alarm system is capable of displaying a full range of alarms based on important plant parameters and data trends. The alarms indicate when process limits are being approached and exceeded.

Section 18.7 and [Reference 23 present an implementation plan for integrating the human reliability analysis with human factors engineering.]* The critical human actions and the risk important tasks identified through the execution of this plan are used as an input to the task analysis activities and subsequently to the design of the human system interface. They are also used to evaluate the Safety Parameter Display System functions and parameters selected to monitor these functions. The human system interface, which includes the integration of Safety Parameter Display System


18.8.2.2 Display of Safety Parameters

The functionally organized plant information system displays, including the Safety Parameter Display System-related displays, are accessed on the workstation visual display units (VDU) using a cursor.

The AP1000 operator workstations employ a windowing system which allows a single cursor to cover all visual display unit screens. The design allows the operator to recover a specific parameter within one or two actuations of the pointing device.

The design goal for the AP1000 human system interface is to update the displays every 1 to ... seconds. The process data sampling rate is 1 second or less. Sequence of events (SOE) points can be sampled at a rate of once every millisecond and are available within the AP1000 human system interface. The Safety Parameter Display System responds to user commands in less than ... seconds. The design goal for graphical display response time, from user command to developed graphical display, in the AP1000 human system interface is 2 seconds.

The AP1000 alarm system includes plant overview alarms that are organized around the concept of plant process functions. These process functions address the five SPDS functions. The alarm system overviews, including the functional organization, are integrated into the wall panel information system displays.

During the execution of emergency operating procedures, the computerized procedure system provides a continuous display of the status of each critical safety function.

The Safety Parameter Display System data and data display organization are available to the control room staff.

[The AP1000 human system interface process display set (from the plant information system) is organized into two hierarchies that are linked together. One is focused upon providing the process data from a functional perspective and the other from a physical perspective. Both follow the concept of abstraction/aggregation suggested by Rasmussen as described in Reference 25. Top levels in the hierarchy are plant wide summaries, lower levels are component details. The hierarchy is structured so as to reflect the plant process functional decomposition performed during the function based task analysis described in Reference 25.]*

Process display presentation for the control room users is organized by functions. The function based task analysis integrates the functional organization design principles dictated by the Safety Parameter Display System requirements into the AP1000 human system interface.

Plant process displays and plant controls necessary to operate the plant are located on the reactor operator console. There are a total of six redundant workstations on the reactor operator console.

Because the Safety Parameter Display System requirements are an integral part of the AP1000 human system interface design, the Safety Parameter Display System workstation is the AP1000 human system interface control room workstation, the Safety Parameter Display System displays are the workstation displays; and the display accessing controls used to access Safety Parameter Display System displays are the same as those used to access any workstation display.

Safety Parameter Display System-related information is physically displayed such that the information can be read from the Safety Parameter Display System user's position. Each reactor operator's workstation contains the human system interface operator process displays. The senior


The AP1000 human system interface provides the status of the Safety Parameter Display System functions. The Safety Parameter Display System functions include:

- Reactivity control
- Reactor core cooling and heat removal from the primary system
- Reactor coolant system integrity
- Radioactivity control
- Containment conditions

The AP1000 alarm system provides overview alarms addressing the five Safety Parameter Display System functions. These overview alarms, integrated into the wall panel information system displays, are continuously displayed. Most of the safety parameters used to monitor the status of each Safety Parameter Display System function are continuously displayed on the wall panel information system displays. Those that are not continuously displayed on the wall panel are accessible at the operator's workstation. During the execution of emergency operating procedures, the AP1000 computerized procedure system provides a continuous display of the status of the critical safety functions.

Safety Parameter Display System-related information is physically displayed such that the information is readable from the reactor operator workstation. Each reactor operator's workstation contains the plant information system process displays. The control room supervisor (shift foreman) has an independent workstation that also has the process displays. The wall panel information system is available to the main control room staff.

18.8.2.3 Reliability

The AP1000 instrumentation and control (I&C) systems, including the human system interface, have reliability/availability design criteria. A description of the instrumentation and control system design features is found within Section 7.1.

The human system interface design includes the capability to build password or key-lock accessibility to the human system interface database. In addition, the system carries and displays data quality on the data in the system.

The alarm overviews integrated into the wall panel information system include indication of the operability of the alarm system itself.

18.8.2.4 Isolation

The Safety Parameter Display System as integrated into the overall human system interface is isolated from safety systems. Electrical isolation devices are discussed in Subsection 7.1.2.

18.8.2.5 Human Factors Engineering

Section 5 of Reference 28 presents the need for human-factors engineering in the design of the Safety Parameter Display System. The Safety Parameter Display System is designed using the implementation plan described in Subsection 18.8.1. [This implementation plan includes the application of human factors engineering principles that address the criteria of the Human Factors Engineering Program Review Model (Reference 29).]*

The AP1000 main control room and human system interface design reduces the number of individual computerized operator support systems by incorporating the requirements of the Safety Parameter


Parameter units of measure, labels, and abbreviations displayed by the human system interface resources are consistent with the units of measure, labels, and abbreviations included in the emergency operating procedures.

The human system interface displays information in a form that does not require transformation or calculation. High- and low-level setpoints are consistent with the reactor protection system setpoints.

The high- and low-level setpoints are visible in both the messages created by the AP1000 alarm system and on the indications, trends and graphs that appear as part of the process displays of the AP1000 plant information system.

Consistency of calculated values, such as subcooling margin, is maintained. The AP1000 instrumentation and control and human system interface architecture shares process data through a database.

The technical basis for software specifications is verified with plant data (for example, heat-up and cool-down limits, steam generator setpoints and high- and low-level alarm setpoints). The AP1000 human system interface is designed so that the plant data is a separate data file independent of the software specifications.
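The following Python model is an added illustration, not code from the UFSAR or from the AP1000 design. It exercises two properties the text describes: the setpoint consistency check between the human system interface displays and the reactor protection system, with the setpoints held in a plant data file separate from the display logic (this subsection), and the dark-board alarm overview that lights one indication per Safety Parameter Display System process function while carrying data quality (Subsections 18.8.2.1 and 18.8.2.3). All parameter names, setpoint values, the parameter-to-function mapping, and the quality tags are constructed for the example.

```python
"""Added illustration (not AP1000 or UFSAR code): setpoint consistency check
and dark-board function overview with data quality. All values constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The five SPDS process functions named in Subsection 18.8.2.2.
SPDS_FUNCTIONS = (
    "Reactivity control",
    "Reactor core cooling and heat removal",
    "Reactor coolant system integrity",
    "Radioactivity control",
    "Containment conditions",
)

# Constructed stand-in for the separate plant data file: RPS setpoints.
RPS_SETPOINTS: Dict[str, Dict[str, Optional[float]]] = {
    "PZR_PRESS": {"low": 1900.0, "high": 2385.0},  # psig, constructed
    "SG_LEVEL": {"low": 20.0, "high": 90.0},       # percent, constructed
    "SUBCOOL": {"low": 30.0, "high": None},        # degF margin, constructed
}

# Constructed HSI display/alarm configuration. The SG_LEVEL high setpoint is
# deliberately wrong so the consistency check has something to report.
HSI_CONFIG: Dict[str, Dict] = {
    "PZR_PRESS": {"function": "Reactor coolant system integrity",
                  "low": 1900.0, "high": 2385.0},
    "SG_LEVEL": {"function": "Reactor core cooling and heat removal",
                 "low": 20.0, "high": 85.0},
    "SUBCOOL": {"function": "Reactor core cooling and heat removal",
                "low": 30.0, "high": None},
}


def check_setpoint_consistency(rps, hsi) -> List[str]:
    """Compare the setpoints the displays and alarms use against the RPS
    setpoints. Returns discrepancy messages; an empty list means the two
    sources agree for every parameter."""
    problems = []
    for name, sp in rps.items():
        if name not in hsi:
            problems.append(f"{name}: no HSI display entry")
            continue
        for edge in ("low", "high"):
            if hsi[name].get(edge) != sp.get(edge):
                problems.append(
                    f"{name}: {edge} setpoint HSI={hsi[name].get(edge)} "
                    f"RPS={sp.get(edge)}")
    return problems


@dataclass
class Sample:
    """One process value together with its data quality tag."""
    value: float
    quality: str  # "GOOD", "SUSPECT" or "BAD"


# Ordering used to combine parameter states into one function state.
RANK = {"NO DATA": 0, "DARK": 1, "DEGRADED": 2, "ALARM": 3}


def parameter_state(cfg, sample: Optional[Sample]) -> str:
    """State of a single displayed parameter against its setpoints."""
    if sample is None or sample.quality == "BAD":
        # An untrusted value must not leave the board dark by default.
        return "DEGRADED"
    low, high = cfg["low"], cfg["high"]
    if (low is not None and sample.value < low) or \
       (high is not None and sample.value > high):
        return "ALARM"
    return "DARK" if sample.quality == "GOOD" else "DEGRADED"


def function_status(hsi, samples: Dict[str, Sample]) -> Dict[str, str]:
    """Dark-board overview: one indication per SPDS function, dark while
    every parameter mapped to it is within setpoints with GOOD quality.
    Functions with no mapped parameter are reported as NO DATA."""
    status = {fn: "NO DATA" for fn in SPDS_FUNCTIONS}
    for name, cfg in hsi.items():
        state = parameter_state(cfg, samples.get(name))
        fn = cfg["function"]
        status.setdefault(fn, "NO DATA")
        status[fn] = max(status[fn], state, key=RANK.__getitem__)
    return status


def active_alarms(status: Dict[str, str]) -> List[str]:
    """The minimum active set: only functions in jeopardy are lit."""
    return [fn for fn, st in status.items() if st == "ALARM"]


if __name__ == "__main__":
    print(check_setpoint_consistency(RPS_SETPOINTS, HSI_CONFIG))
    samples = {"PZR_PRESS": Sample(2250.0, "GOOD"),
               "SG_LEVEL": Sample(88.0, "GOOD"),
               "SUBCOOL": Sample(35.0, "SUSPECT")}
    print(function_status(HSI_CONFIG, samples))
```

With the constructed mismatch left in place, a steam generator level of 88 percent lights the core cooling function on the HSI although it is inside the RPS limit, which is the kind of discrepancy the consistency check is meant to catch before the display software is released.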

18.8.2.6 Minimum Information

The AP1000 human system interface resources used to address the Safety Parameter Display System requirements are the alarm system, plant information system, and the computerized procedure system. The AP1000 human system interface displays sufficient information to determine plant safety status with respect to the Safety Parameter Display System safety functions. [The safety functions and respective parameters presented in Table 2 of Reference 32 are used as a starting point for the AP1000.]* The human system interface design implementation plan is described in Subsection 18.8.1 and includes the integration of Safety Parameter Display System requirements into the human system interface. [The Safety Parameter Display System design issue of minimum information is tracked by the human factors engineering issues tracking system.]*

18.8.2.7 Procedures and Training

Sections 13.2 and 13.5 describe the development of training programs and plant procedures respectively. Reference 30 describes how training insights are passed from the designer to operations personnel who participate as subjects in the HFE V&V activities. Reference 31 provides input to the development of plant operating procedures.

18.8.3 Operation and Control Centers System

The human system interface includes the design of the operation and control centers system. The design of each of these control centers is conducted using the human system interface implementation plan presented in Subsection 18.8.1. The mission for each of the operation and control centers in the AP1000 is provided in the following subsections. Coupled with each mission statement is a brief description of the major tasks and design features that are supported by that center.


location for housing the resources for a limited number of humans to monitor and control the plant processes.

The major tasks performed in the main control room include monitoring, supervising, managing, and controlling those aspects of the plant processes related to the thermodynamic and energy conversion processes under normal, abnormal, and emergency conditions. Operating staff can monitor, supervise, manage, and control processes that have a real-time requirement for protecting the health and safety of operating personnel. The main control room supports the operator's decision-making process, and promotes the interaction with other plant personnel, while preventing distractions by non-operating personnel. The main control room provides the interfacing resources between the operation of the plant and the maintenance of the plant. Its areas include the main control area, the operations work area, the shift supervisor's office, and the operations break room (see Figure 1.2-8).

Habitability systems are described in Sections 6.4 and 9.4.

18.8.3.2 Main Control Area Mission and Major Tasks

[The mission of the main control area is to provide the support facilities necessary for the operators to monitor and control the AP1000 efficiently and reliably. Figure 6.4-1 provides a view of the main control area. The main control area includes the reactor operator workstations, the supervisor's workstation, the dedicated safety panel and the wall panel information system. The layout, size and ergonomics of the operator workstations and the wall panel information system depicted in this figure does not reflect the results of the human system interface design implementation plan]* described in Subsection 18.8.1. The actual size, shape, ergonomics and layout of the operator workstations and the wall panel information system is an output of the implementation plan.

The major task of the main control area is to provide the human system interface resources that determine the plant state and implement the desired changes to the plant state during both normal and emergency plant operations. The main control area provides alarms to alert the operator to the need for further investigation. Plant process data displays permit the operator to observe abnormal conditions and identify the plant state. The controls enable the operator to execute actions. The process data displays and the alarms provide feedback to enable the operator to observe the effects of the control actions.

[Each reactor operator workstation contains the displays and controls to start up the plant, maneuver the plant, and shut down the plant.]* Reference 44 presents input for the determination of the staffing level of the operating crew in the main control room. [Each workstation is designed to be manned by one operator. There is sufficient space and operator interface devices for two operators. The physical makeup of the reactor operator workstations is identical. The human system interface resources available at each workstation are:

- Plant information system displays
- Control displays (soft controls)
- Alarm system support displays
- Computerized procedure displays
- Screen and component selector controls

The supervisor workstation is identical to the reactor operator workstations, except that its controls are locked-out. The supervisor workstation contains both internal plant and external plant communications systems.


edicated safety panel is located in the main control area. The qualified data processing system al display units and the dedicated safety system controls are provided in this panel. These visual lay units are the only monitoring display devices in the main control room that are seismically lified and provide the post-accident monitoring capabilities in accordance with Regulatory de 1.97. Dedicated system-level safety system control switches are located on the dedicated ty panel to provide the operators with safety system actuation capabilities.]* A minimum ntory of these dedicated displays and controls are presented in Section 18.12.

ere is storage space for supplies, protective clothing and some spare parts. Cabinets are provided necessary documents, and a drawing laydown area is provided for the operators use. Restroom kitchen facilities are provided for the main control room operations crew.]*

8.3.3 Operations Work Area Mission and Major Tasks operations work area provides an area for personnel who support plant operations to work in e proximity to the main control area, but not in the main control area, in order to minimize ractions to the plant operators. Personnel in the operations work area can access plant data via or more workstations to enable personnel to monitor the current state of systems, major ponents, and equipment. Additional support equipment may be provided as needed.

8.3.4 Remote Shutdown Workstation Mission and Major Tasks e mission of the remote shutdown workstation is to provide the resources to bring the plant to a shutdown condition after an evacuation of the main control room. The remote shutdown kstation resources are based on an assumed evacuation of the main control room without an ortunity to accomplish tasks involved in the shutdown except reactor trip.]* Subsection 7.4.3 usses safe shutdown using the remote shutdown workstation, including design basis information.

8.3.5 Technical Support Center Mission and Major Tasks mission of the technical support center (TSC) is to provide an area and resources for use by onnel providing plant management and technical support to the plant operating staff during rgency evolutions. The TSC relieves the reactor operators of peripheral duties and munications not directly related to reactor system manipulations and prevents congestion in the trol room. At Lee Nuclear Station, the TSC is not located in the control support area (CSA).

The TSC location is as described in the Emergency Plan.

Communications needs are established for the staff within the TSC, and between the TSC and the plant (including the main control room and operational support center), the emergency operations facility, the Combined License holder management, the outside authorities (including the NRC), and the public.

The design includes adequate shielding as discussed in Chapter 12. Adequate space, resources and access are provided for maintenance, emergency equipment and storage.

Consistent with NUREG-0737, the technical support center is nonsafety-related and is not required to be available after a safe shutdown earthquake.

The size of the TSC complies with the size requirements of Reference 28. [The TSC complies with the habitability requirements of Reference 27 when electrical power is available.]*

Staff approval is required prior to implementing a change in this information.

18.8-14 Revision 1

The EOF design is discussed in Chapters 13 and 18, including the specification of its location (Subsection 18.2.6) and emergency planning, and associated communication interfaces among the main control room, the TSC, and the EOF (Section 13.3).

Subsection 18.2.1.2 provides a description of assumptions and constraints, including utility requirements, that are used as inputs to the human factors engineering program and the human system interface design. As stated earlier under Section 18.8, the human system interface design includes the design of the operation and control centers system (main control room, TSC, remote shutdown room, emergency operations facility, local control stations and associated workstations) and each of the human system interface resources. The main control room design (environment, layout, number and design of workstations) supports emergency operations with a maximum crew complement consisting of eleven individuals. These eleven include two individuals with senior reactor operator licenses, three with reactor operator licenses, one observer from the NRC, one from the plant owner's management and one communicator.

The design of the TSC's interfaces is included with the design of the human system interface.]*

Subsection 18.8.1 provides an implementation plan for the design of the human system interface. As shown in Figure 18.2-3, the results of the human factors engineering program elements are used as input and bases for developing the operation and control center system and human system interface resources functional design. This includes task analysis. Section 18.5 provides the implementation plan for the task analysis activities.

An uninterruptible power supply system provides approximately two hours of backup power supply to the TSC displays should ac power become unavailable.

18.8.3.6 Operations Support Center Mission and Major Tasks

The operations support center (OSC) is not within the scope of the human factors engineering program, but it is an emergency response facility. The mission of the operations support center is to provide a habitable area for operations support personnel and the resources to coordinate the assignment of duties and tasks to personnel outside of the main control room and the technical support center in support of plant emergency operation. The operations support center and the TSC are in different locations. The OSC is being moved from the location identified in Subsection 12.5.2.2 and as identified on Figures 1.2-201, 9A-3 (Sheet 1), 12.3-201, 12.3-202, and 12.3-203. The OSC location is as described in the Emergency Plan.

The major task of the operations support center is to provide a centralized area and the necessary supporting resources for the assembly of predesignated operations support personnel during emergency conditions. The operations support center provides the resources for communicating with the main control room and the technical support center. This permits personnel reporting to the operations support center to be assigned to duties in support of emergency operations.

18.8.3.7 Radwaste Control Area Mission and Major Tasks

The mission of the radwaste control area is to provide a habitable area and the appropriate resources for the operation of the radwaste processing systems. These resources include alarms, displays, controls, and procedures. These resources are located in a control area outside of the main control room.


remote shutdown room, and the radwaste control area, for operations personnel to perform monitoring and control activities. The capability to access displays and controls (controls as assigned to the main control room operators) for local control and monitoring, from selected locations throughout the plant, is provided. Activities that are implemented through local control stations are reviewed to verify that their removal from the main control room is consistent with the operator staffing and performance considerations. Human system interface locations are provided for single operations such as the operation of a manual valve.

18.8.3.9 Emergency Operations Facility

The design of the emergency operations facility, including specification of the location, in accordance with the AP1000 human factors engineering program, is discussed in Subsection 18.2.6.

18.8.4 Human Factors Design for the Non-Human-System Interface Portion of the Plant

18.8.4.1 General Plant Layout and Design

The AP1000 design process incorporates a human engineering approach to operations and maintenance. Maintainability design guidelines and human factors and as-low-as-reasonably-achievable (ALARA) checklists are used to meet the requirements of a human engineered environment. The design objectives include reducing worker exposure and eliminating unnecessary inspection and maintenance tasks.

18.8.4.1.1 Maintainability

Design features such as component selection, layout and standardization increase the probability that targeted repair times are achieved. These features, coupled with a preventative maintenance program, help the AP1000 meet its objectives for operation and maintenance. Design requirements from the utility industry and industry design practices establish criteria for layout, changeout, and replacement for parts and components; access for major pieces of equipment; and vehicle passage.

Critical path outage models are prepared for the AP1000. A typical refueling and maintenance outage schedule is used by design engineers. The model indicates maintenance windows for major outage events. Maintenance and testing of equipment and necessary plant operations (for example, refueling, heatup, and cooldown) are scheduled within the outage window.

18.8.4.1.2 Accessibility and Equipment Laydown Provisions

AP1000 maintainability design guidelines assist designers in identifying top-level layout requirements for equipment accessibility. Component engineers specify space requirements for routine maintenance, inservice inspection, testing and component replacement.

Frequency of inspection and maintenance dictates whether permanent platforms, ladders, and scaffolding are provided.

Overhead access is considered when equipment or tooling must be lifted into place or supported by a crane. Removable floor gratings and plugs are examples of features that provide overhead accessibility.

Permanent lifting devices are provided to enhance maintainability.


refueling cavity so that such interferences as light fixtures, tool hangers and personnel ladders are removable or do not affect the use of the robotic units.

Valve space envelope drawings indicate the minimum space requirements. Equipment and module designers locate and arrange the valves to maintain the required space envelope.

The turbine-generator contains built-in features to increase accessibility for in-place inspection and maintenance. Access ports in the turbine housings allow routine inspections to be performed without dismantling the turbine casing. Laydown area is provided in the turbine building to access components and to allow for concurrent work.

18.8.4.1.3 Lighting

The AP1000 normal and emergency lighting system is designed to provide illumination levels required for the safe performance of plant operation under normal and emergency conditions.

18.8.4.1.4 Radiation Protection and Safety

The AP1000 design process incorporates radiation exposure reduction principles to keep worker dose ALARA. ALARA checklists are used in design evaluations. Exposure length, distance, shielding, and source reduction are the fundamental criteria incorporated into the design process.

Design features such as readily detachable insulation, as-built smooth surfaces for non-destructive examination, and modular type replacement components reduce worker time in radiation areas.

The large AP1000 containment vessel provides laydown space to transfer subcomponents to storage areas until needed. The reactor head is remotely located on the operating deck to reduce background radiation to refueling personnel.

Provisions for remotely operated tooling are considered during the design process. Space is provided to clean and inspect the reactor vessel O-ring grooves using a remotely operated device. Remotely controlled radiation and surveillance equipment is considered for high radiation areas.

Special provisions for radiation shielding are included in the AP1000 design. Permanent shielding built into the integrated head package reduces worker exposure resulting from the incore instrumentation operation.

Material selection and surface conditioning are important elements in radiation exposure reduction. Electropolishing of surfaces exposed to reactor coolant primary water is considered to reduce crud deposits and aid in decontamination.

The AP1000 radioactive waste processing facilities are designed to concentrate radioactive waste processing and drumming activities in remote areas to reduce contact with the majority of plant personnel.

18.8.4.1.5 Communication

The AP1000 communication system provides voice communication during normal operations, plant outages, and emergency operations. The system includes broadcast of alarm signals in plant-wide emergency situations. The wireless telephone system enables plant personnel to remain in direct communication via wireless, hand-carried telephones throughout the plant. Headset-style telephones

A paging system is used as a backup to the wireless telephone system. In the event of a failure of the wireless system, personnel communicate via a plant-wide broadcast and five party lines. Emergency broadcasts are announced through this system.

Communication during AP1000 refueling and maintenance outages is enhanced by a sound-powered communication system. Refueling, maintenance, and cold shutdown loops are provided. Jacks are placed in locations where plant personnel are located during these activities.

A private automatic branch exchange system is capable of duplex voice communication between stations. These telephones are placed in acoustic booths in those areas having high ambient noise levels to improve user interface. See Subsection 9.5.2 for information on the communication system.

18.8.4.1.6 Temperature, Humidity, Ventilation

Radioactive and nonradioactive ventilation systems are provided in required areas. The ventilation systems are designed to control the environment within the plant and to protect the environment outside the plant. Requirements for temperature, humidity, and ventilation vary, depending on work location, frequency of use, and work description.

18.8.4.1.7 Emergency Equipment

Emergency equipment for treatment of injured personnel is placed in appropriate locations. Provisions for emergency equipment are considered during plant layout.

18.8.4.1.8 Storage

Storage facilities are identified in the AP1000. Radioactively clean and contaminated storage areas are designated.

18.8.4.1.9 Coding and Labeling

Equipment located in the AP1000 has a unique identifier and plant descriptive name. The configuration management system includes the identification of the equipment in the plant. Each component is assigned an identifier during the design process. The identifier is maintained through manufacturing, construction, and operation. The components are labeled according to the assigned identifier. These labels help avoid errors in operating or working on the wrong equipment and in reporting problems or conditions observed in the plant. The labels help reduce the training burden for operating and maintenance personnel.

Color, syntax, abbreviations and symbols are consistently applied. The labels are located in an easily visible location on the component and are not hidden by insulation, equipment covers, or surrounding equipment. Labels are fastened to the component to prevent easy detachment of the label.

18.8.5 Combined License Information

The execution and documentation of the human system interface design implementation plan that is presented by Section 18.8 is addressed in APP-GW-GLR-082 (Reference 47).


(Westinghouse Proprietary).

CEI/IEC 964, Design for Control Rooms of Nuclear Power Plants, International Electrotechnical Commission, Geneva, Switzerland, 1989.

IEEE Std 1023-2004, IEEE Recommended Practice for the Application of Human Factors Engineering to Systems, Equipment and Facilities of Nuclear Power Generating Stations and Other Nuclear Facilities.

IEEE Std 1289-1998, IEEE Guide for the Application of Human Factors Engineering in the Design of Computer-Based Monitoring and Control Displays for Nuclear Power Generating Stations.

NUREG-0700, Human-System Interface Design Review Guideline, Rev. 2, U.S. Nuclear Regulatory Commission, Washington, D.C., May 2002.

Not used.

NUREG/CR-6105, Human Factors Engineering Guidelines for the Review of Advanced Alarm Systems, U.S. Nuclear Regulatory Commission, Washington, D.C., September 1994.

MIL-STD-1472, Department of Defense Design Criteria Standard: Human Engineering, Revision F, August 1999.

NUREG-0700, Computer-Based Procedure Systems: Technical Basis and Human Factors Review Guidance, U.S. Nuclear Regulatory Commission, Washington, D.C., March 2000.

AP600 Document Number OCS-J1-008, Effects of Control Lag and Interaction Mode on Operators Use of Soft Controls, Revision 0, September 1994.

Hoecker, D. G. and Roth, E. M., Man-Machine Design and Analysis System (MIDAS) Applied to a Computer-Based Procedure-Aiding System, Westinghouse STC Report 1SW5-CHICR-P2, May 25, 1994; also in Proceedings of the Human Factors and Ergonomics Society 35th Annual Meeting, October 1995.

Hoecker, D. G. and Roth, E. M., MIDAS in the Control Room: Applying a Flight Deck Cognitive Modeling Tool to Another Domain, Westinghouse STC Report 1SW5-CHICR-P3, September 26, 1994; also in RAF Institute of Research and Development, Proceedings of the Third International Workshop on Human-Computer Teamwork, Cambridge, UK, September 26, 1994.

Roth, E. M. and Hoecker, D. G., Human Factors Issues Associated with Soft Controls: Design Goals and Available Guidance, 1994.

Beranek, L. L., Revised Criteria for Noise in Buildings, Noise Control, Vol. 3, Nr. 1, p. 19ff.

Grandjean, E., Fitting the Task to the Man: An Ergonomic Approach, London: Taylor and Francis Ltd., 1981.


Electric Power Research Institute, Human Factors Guide for NPP Control Room Development, Final Report on Project 1637-1. EPRI NP-3659, 1984.

Electric Power Research Institute, Advanced Light Water Reactor Utility Requirements Document, Vol. III. ALWR Passive Plant, Chapter 10: Man-Machine Interface Systems, Revision 6, December 1993.

International Electrotechnical Commission, Design for Control Rooms of Nuclear Power Plants, IEC Standard 964, 1989.

International Electrotechnical Commission, Operating Conditions for Industrial-Process Measurement and Control Equipment, IEC Standard 654-1, 1979.

Proctor, D. H. and Hughes, J. P., Chemical Hazards of the Workplace, 1978.

29CFR1910, Occupational Safety and Health Standards, 1975.

WCAP-14651, Integration of Human Reliability Analysis With Human Factors Engineering Design Implementation Plan, Revision 2, May 1997.]*

WCAP-15860, Programmatic Level Description of the AP1000 Human Factors Verification and Validation Plan, Revision 2, October 2003.]*

WCAP-14695, Description of the Westinghouse Operator Decision Making Model and Function Based Task Analysis Methodology, Revision 0, July 1996.]*

10 CFR 50.34 (f) (2) (iv).]*

NUREG-0737, Supplement 1; Requirements for Emergency Response Capability.]*

NUREG-0696, Functional Criteria For Emergency Response Facilities.

NUREG-0711, Human Factors Engineering Program Review Model, U.S. NRC, July 1994.]*

WCAP-14655, Designer's Input for the Training of the Human Factors Engineering Verification and Validation Personnel, Revision 1, August 1996.

WCAP-14690, Designer's Input to Procedure Development for the AP600, Revision 1, June 1997.

NUREG-1342, A Status Report Regarding Industry Implementation of Safety Parameter Display Systems.]*

Rasmussen, J., 1986, Information Processing and Human-Machine Interaction, An Approach to Cognitive Engineering, (New York, North-Holland).

O'Hara, J. M. and Wachtel, J., 1991, Advanced Control Room Evaluation: General Approach and Rationale, in Proceedings of the Human Factors 35th Annual Meeting, pp. 1243-1247, (Santa Monica, CA, Human Factors Society).


Woods, D. D., Wise, J. A., and Hanes, L. F., 1982, Evaluation of Safety Parameter Display Concepts, NP-2239, (Palo Alto, CA, Electric Power Research Institute).

Woods, D. D. and Roth, E. M., 1986, The Role of Cognitive Modeling in Nuclear Power Plant Personnel Activities, NUREG-CR-4532, Volume 1, (Washington, D.C., U.S. Nuclear Regulatory Commission).

Woods, D. D., Roth, E. M., Stubler, W. F., and Mumaw, R. J., 1990, Navigating Through Large Display Networks in Dynamic Control Applications in Proceedings of the Human Factors Society 34th Annual Meeting, pp. 396-399, (Santa Monica, CA, Human Factors Society).

Reason, J. T., 1990, Human Error, (Cambridge, UK, Cambridge University Press).

Stubler, W. F., Roth, E. M., and Mumaw, R. J., 1991, Evaluation Issues for Computer-Based Control Rooms in Proceedings of the Human Factors Society 35th Annual Meeting, pp. 383-387, (Santa Monica, CA, Human Factors Society).

Woods, D. D., 1982, Application of Safety Parameter Display Evaluation Project to Design of Westinghouse Safety Parameter Display System, Appendix E to Emergency Response Facilities Design and V & V Process, WCAP-10170, submitted to the U.S. Nuclear Regulatory Commission in support of their review of the Westinghouse Generic Safety Parameter Display System Non-Proprietary, (Pittsburgh, PA, Westinghouse Electric Corp.).

U.S. Department of Defense, 1989, Military Standard 1472D; Human Engineering Design Criteria for Military Systems, Equipment and Facilities, (Washington, D.C., U.S. Department of Defense).

American National Standards Institute, 1988, ANSI/HF 100-1988, American National Standard for Human Factors Engineering of Visual Display Terminal Workstations, (Santa Monica, CA, Human Factors Society, American National Standards Institute).

WCAP-14694, Designer's Input to Determination of the AP600 Main Control Room Staffing Level, Revision 0, July 1996.

AP1000 Probability Risk Assessment.

WCAP-14396, Man-in-the-Loop Test Plan Description, Revision 3, November 2002.]*

APP-GW-GLR-082, Execution and Documentation of the Human System Interface Design Implementation Plan, Westinghouse Electric Company LLC.


Operator Activity: Detection and Monitoring

Issue 1: Do the wall panel information system and the workstation summary and overview displays support the operator in maintaining an awareness of plant status and system availability without needing to search actively through the workstation displays?

Issue 2: Does the wall panel information system support the operator in getting more detail about plant status and system availability by directed search of the workstation functional and physical displays?

Issue 3: Do the HSI features support efficient navigation to locate specific information?

Issue 4: Do the HSI features effectively support crew awareness of plant condition?

Operator Activity: Interpretation and Planning

Issue 5: Does the alarm system convey information in a way that enhances operator awareness and understanding of plant condition?

Issue 6: Does the physical and functional organization of plant information on the workstation displays enhance diagnosis of plant condition and the planning/selection of recovery paths?

Issue 7: Does the integration of alarms, wall panel information system, workstation, and procedures support the operator in responding to single-fault events?

Issue 8: Does the integration of alarms, wall panel information system, workstation, and procedures support the operator in interpretation and planning during multiple-fault events?

Issue 9: Does the integration of alarms, wall panel information system, workstation, and procedures support the crew in interpretation and planning during multiple-fault events?

Issue 10: Does the integration of alarms, wall panel information system, workstation, and procedures support the crew in interpretation and planning during severe accidents?


Operator Activity: Controlling Plant State

Issue 11: Do the HSI features support the operator in performing simple, operator-paced control tasks?

Issue 12: Do the HSI features support the operator in performing control tasks that require assessment of preconditions, side effects and post-conditions?

Issue 13: Do the HSI features support the operator in performing control tasks that require multiple procedures?

Issue 14: Do the HSI features support the operator in performing event-paced control tasks?

Issue 15: Do the HSI features support the operator in performing control tasks that require coordination among crew members?


Figure 18.8-1 Soft Control Interactions

Figure 18.8-2 Mapping of Human System Interface Resources to Operator Decision-Making Model

input for the development of plant operating procedures, including information on the development and design of the AP600 emergency response guidelines and emergency operating procedures. It applies directly to AP1000 since AP1000 is operated in the same manner as AP600. The WCAP also includes information on the computerized procedure system, which is the human system interface through which operators execute the plant procedures.

18.9.1 Combined License Information

The responsibility for procedure development is addressed in APP-GW-GLR-040 (Reference 2).

18.9.2 References

1. WCAP-14690, "Designer's Input to Procedure Development for the AP600," Revision 1, June 1997.

2. APP-GW-GLR-040, "Plant Operations, Surveillance, and Maintenance Procedures," Westinghouse Electric Company LLC.


Validation Personnel" (Reference 1), describes the design and implementation of the training program for the training of the operations personnel who participate as subjects in the Human Factors Engineering (HFE) Verification and Validation. The WCAP also describes the process used to develop the specification of the role of the operator for AP1000 and how this role and training insights can be passed from the designer to the developer of the training program.

Information regarding training program development is located in Section 13.2, Training. The training organization and roles and responsibilities of training personnel are discussed in Section 13.1, Organizational Structure of Applicant.

18.10.1 Combined License Information

The responsibility for training program development is addressed in Subsection 13.1.1.3.2.5 and Sections 13.2 and 18.10.

18.10.2 References

1. WCAP-14655, "Designer's Input to the Training of the Human Factors Engineering Verification and Validation Personnel," Revision 1, August 1996.


validation program is provided by Reference 1. Figure 18.11-1 shows the verification and validation activities conducted as part of the AP1000 human factors engineering program. Using the programmatic level description, the development of an implementation plan for the AP1000 human factors engineering verification and validation is executed and documented as discussed in Reference 2.

The implementation of the verification and validation activities is detailed in the five documents, References 3 to 7.

The verification and validation activities are in accordance with Reference 1. There are a number of exceptions with respect to Integrated System Validation. The details of these exceptions and the corresponding justifications are provided in Reference 5.

18.11.1 Combined License Information

The development, execution and documentation of an implementation plan for the verification and validation of the AP1000 human factors engineering program is addressed in Reference 2 (APP-GW-GLR-084).

18.11.2 References

1. WCAP-15860, Programmatic Level Description of the AP1000 Human Factors Verification and Validation Plan, Revision 2, October 2003.]*

2. APP-GW-GLR-084, AP1000 Human Factors Engineering Verification and Validation, Westinghouse Electric Company LLC.

3. APP-OCS-GEH-120, AP1000 Human Factors Engineering Design Verification Plan, Revision B, Westinghouse Electric Company LLC.]*

4. APP-OCS-GEH-220, AP1000 Human Factors Engineering Task Support Verification Plan, Revision B, Westinghouse Electric Company LLC.]*

5. APP-OCS-GEH-320, AP1000 Human Factors Engineering Integrated System Validation Plan, Revision D, Westinghouse Electric Company LLC.]*

6. APP-OCS-GEH-420, AP1000 Human Factors Engineering Discrepancy Resolution Process, Revision B, Westinghouse Electric Company LLC.]*

7. APP-OCS-GEH-520, AP1000 Plant Startup Human Factors Engineering Verification Plan, Revision B, Westinghouse Electric Company LLC.]*


Figure 18.11-1 AP1000 HFE Verification and Validation

The inventory of instruments, alarms, and controls for the AP1000 systems is provided in the respective system piping and instrumentation diagrams and/or the respective system specification documents.

The AP1000 system design engineers determine the specific sensors, instrumentation, controls, and alarms that are needed to operate the various plant systems. The instruments, alarms, and controls for each system are documented in the piping and instrumentation diagram and/or the respective system specification documents. An instrument, alarm, or control is specified by the system design engineer if it is needed to control, verify, or monitor the operation of the system and its components.

System functions and their respective functional requirements are considered by the system designer when determining the need for a specific instrument, alarm, or control.

The role of the Human System Interface design team in the determination of the total inventory list is one of verification. As described in Section 18.5, the human system interface design team has functionally decomposed the plant. The top four levels of this model for the AP1000 are shown in Figure 18.5-1. Each Level 4 function has a function-based task analysis (FBTA) performed as described in the Task Analysis Implementation Plan. Considering the plant operating modes and emergency operations, the function-based task analysis:

- Identifies the function's goals
- Identifies the processes used to achieve each goal
- Documents the performance of a cognitive task analysis of each process

The cognitive task analysis of each process answers the monitoring/feedback, planning, and controlling questions. The answers to these questions identify the data for each functional process (instrumentation, indications, alarms, and controls) needed by the operator to make decisions. The results of the cognitive task analysis phase of each function-based task analysis are used to verify the inventory list of instruments, controls, and alarms developed by the AP1000 system designers and documented in the respective design documents.]*

18.12.2 Minimum Inventory of Main Control Room Fixed Displays, Alarms, and Controls

Background

The human system interface design includes the appropriate plant displays, alarms, and controls needed to support a broad range of expected power generation, shutdown, and accident mitigation operations. Soft control displays and plant information displays are generated by a computer and can be changed to perform different functions, allow control of different devices, or display different information. These displays appear on display devices such as cathode ray tubes, flat panel screens, or visual display units. Alarms are used to direct operator attention. Soft controls are provided through devices such as a keyboard, touch screen, mouse, or other equivalent input devices. The majority of the operations for both the AP1000 main control room and the remote shutdown workstation are expected to employ soft control displays and plant information displays.

The AP1000 human system interface design also includes a minimum inventory of dedicated or fixed-position displays and controls. The minimum inventory of AP1000 fixed-position instrumentation includes those displays, controls, and alarms that are used to monitor the status of critical safety functions and to manually actuate the safety-related systems that achieve these critical safety functions.


Fixed-position alarms are designed to direct operator attention to the need to perform safety-related actions for which there is no automatic actuation function. Although not continuously displayed, the fixed-position displays and alarms are quickly and easily retrievable.

Fixed-position controls provide a means for manual reactor and turbine trip, and safety-related system/component actuation. Fixed-position controls are available to the operator to perform tasks in the operation of safety-related systems and components used to mitigate the consequences of an accident and to establish and maintain safe shutdown conditions following an accident. The fixed-position controls are a manual backup to the automatic protection signals provided by the protection and safety monitoring system.]*

Design Basis and Minimum Inventory

A systematic process was implemented to identify the minimum inventory of AP1000 fixed-position controls, displays, and alarms, using established selection criteria directly related to the specific AP1000 accident mitigation operator actions and the critical safety functions identified in the emergency response guidelines.

The AP1000 design basis for accident mitigation protects the following three fission product barriers:

- Fuel matrix/fuel rod cladding
- Reactor coolant system pressure boundary
- Containment

Therefore, the minimum inventory of fixed instrumentation includes those displays, controls, and alarms used to monitor the status of these fission product barriers and manually actuate the safety-related systems that achieve the critical safety functions protecting these barriers.

The critical safety functions are identified in the Emergency Response Guidelines (ERGs). These critical safety functions are physical processes, conditions, or actions designed to maintain the plant conditions within the acceptable design basis.

The AP1000 critical safety functions are:

- Reactivity control
- Reactor core cooling
- Heat sink maintenance
- Reactor coolant system integrity
- Containment environment
- Reactor coolant system inventory control

The minimum inventory of AP1000 fixed instrumentation includes those displays, controls, and alarms that are used to monitor the status of these critical safety functions and to manually actuate the safety-related systems that achieve these critical safety functions.]*

Minimum Inventory Selection Criteria

The following selection criteria are used to develop the minimum inventory of instrumentation controls, displays, and alarms:


engineered safety feature actuation)
- Controls, displays, and alarms required to perform critical manual actions as identified from the PRA analysis
- Alarms provided for operator use in performing safety functions to respond to design basis events for which there is no automatically-actuated safety function
- Controls, displays, and alarms necessary to maintain the critical safety functions and safe shutdown conditions

For the main control room, the minimum inventory of displays is provided by the safety-related displays of the qualified data processing system. For the remote shutdown workstation, the minimum inventory of displays is provided by the nonsafety-related displays of the plant information system.

An alarm is a device that provides warning by means of a signal or sound. The parameters and associated alarms, listed in Table 18.12.2-1, identify challenges to the critical safety functions. This minimum inventory of alarms is embedded in displays as visual signals. For example, the visual signal may involve a change of color, brightness, flashing, or a combination of these. For clarity, these alarms are called visual alerts to distinguish them from other alarms which may include sound.

For the main control room, the visual alerts are embedded in the safety-related displays. For the remote shutdown workstation, the visual alerts are embedded in the nonsafety-related displays.

The minimum inventory resulting from the implementation of these selection criteria is provided in Table 18.12.2-1.]*

Regulatory Guide 1.97

The guidelines in Regulatory Guide 1.97 provide an effective basis for selection criteria to identify the minimum inventory of fixed displays, controls, and alarms, since these guidelines are consistent with monitoring the status of the fission product barriers and the associated critical safety functions in the AP1000 Emergency Response Guidelines.

Regulatory Guide 1.97 provides a method to identify the post-accident monitoring (PAMS) instrumentation to monitor plant variables and systems during and following an accident. Selected post-accident monitoring instrumentation is required to remain functional over the range of the accident conditions and must be able to survive the accident environment for the length of time its function is required. The instrumentation helps the operator to identify the accident, to implement proper corrective actions, and to observe plant response to these actions in order to determine the need for additional actions. Five types of accident monitoring instrumentation and associated performance criteria are provided in the regulatory guide.

Within each type of post-accident monitoring instrumentation, there are three categories (Categories 1, 2, and 3) that are related to the qualification (seismic and environmental conditions) and reliability (safety-related power supply and single failures) of the specific instrumentation.

Category 1 variables are considered as primary variables and meet appropriate qualification, design, and interface requirements discussed in subsection 7.5.2.2.1 and listed in Tables 7.5-2 and 7.5-3. These variables provide the appropriate capabilities and reliability that are required for the parameters. Only the Category 1 (primary) variables are included in the minimum inventory selection criteria. Category 2 and Category 3 instrumentation are not included in the selection criteria for the minimum inventory.


ented in Section 7.5.

Type A variables are defined in subsection 7.5.2.1. As discussed in subsection 7.5.3.1, Type A variables provide primary information to permit the main control room operating staff to:

Perform the diagnosis in the AP1000 emergency operating procedures

Take specified preplanned, manually-controlled actions, for which automatic controls are not provided, and that are required for safety-related systems to accomplish their safety-related function to recover from a design basis accident

There are no specific, preplanned, manually-controlled actions for safety-related systems to recover from design basis events in the AP1000 design. Therefore, as reflected in Table 7.5-4, there are no Type A variables.

Type B variables are defined in subsection 7.5.2.1. As discussed in subsection 7.5.3.2, Type B variables provide information to the main control room operating staff to assess the process of accomplishing critical safety functions in the emergency response guidelines. The Type B variables are identified in Table 7.5-5.

Type C variables are defined in subsection 7.5.2.1. As discussed in subsection 7.5.3.3, Type C variables provide the control room operating staff with information to monitor the potential for breach or the actual gross breach of:

Incore fuel cladding

Reactor coolant system boundary

Containment boundary

The Type C variables are identified in Table 7.5-6.]*

Dedicated Controls

The selection criteria of AP1000 minimum inventory include dedicated, fixed-position controls that provide the capability to manually initiate system-level actuation signals for the safety-related systems and components that are used to achieve the critical safety functions. These dedicated controls provide the capability to initiate manual reactor and turbine trip, safeguards actuation, individual actuation of various safety-related, passive components and containment isolation.]*

Probabilistic Risk Assessment Critical Human Actions

As described in Section 18.7 and Reference 1, the human factors engineering design process includes integration of PRA and the associated human reliability analysis insights into the AP1000 design. The human reliability analysis integration includes the identification of critical human actions through the consideration of specific deterministic and PRA criteria. These selection criteria for minimum inventory identify dedicated, fixed-position displays, alarms, and controls required to support critical human actions identified from the integration of human reliability analysis into the human factors engineering design process.]*

Dedicated Alarms

As specified by Criterion 1, the minimum inventory of instrumentation requires dedicated instrumentation displays of the Regulatory Guide 1.97 Type A variables so that the operator can identify the need to take preplanned manually-controlled actions to mitigate the consequences of a


The fourth criterion for minimum inventory is included to identify alarms needed to automatically alert the operator to the need to take these preplanned manually controlled actions.

One of the design goals of the AP1000 is to minimize the need for operator actions to mitigate the consequences of design basis events. As part of the implementation of this design goal, the safety-related systems required to mitigate the consequences of design basis events are automatically actuated. There are no specific preplanned, manually-controlled actions required for the safety-related systems to mitigate design basis events in the AP1000 design.

Another design goal for the AP1000 is to enhance defense in depth, which includes the use of automatically actuated safety-related systems as a backup to other automatically actuated safety-related systems. For example, if beyond-design-basis failures occurred such that the safety-related passive residual heat removal heat exchanger failed to actuate, other safety-related systems would automatically actuate to provide core cooling, without the need for operator action for either group of safety-related components. This design approach enhances overall plant safety.

The AP1000 minimum inventory includes a criterion for evaluating the need for dedicated alarms for preplanned operator actions. However, as a result of these two design approaches, the level of protection available to mitigate the consequences of an accident and to achieve the critical safety functions is provided without the need for preplanned operator actions for either the primary safety-related systems or the backup safety-related systems. Since there are no specific preplanned, manually-controlled actions for safety-related systems required to respond to design basis events in the AP1000 design, there are also no dedicated, fixed-position alarms identified in the minimum inventory list.]*

Critical Safety Functions and Safe Shutdown

The design basis for the AP1000 requires protecting the three fission product barriers in the plant (fuel matrix and cladding, the reactor coolant system pressure boundary, and containment) following design basis events. The AP600 system/event matrix (Reference 2) identifies four safety-related, post-accident mitigation functions that are required as part of the design basis for the AP600 to protect the integrity of these fission product barriers. This document is directly applicable to AP1000. The design basis of the AP1000 requires safety-related systems that can perform these four safety-related functions for design basis events.

The AP1000 Emergency Response Guidelines were developed by using the system/event matrix document as the plant response design basis and following the standardized process for Emergency Response Guideline development for Westinghouse PWRs. The design approach described in the system/event matrix document organizes the identified safety-related and nonsafety-related systems, structures and components into the appropriate groups that perform the four safety-related design basis functions. In developing the AP1000 Emergency Response Guidelines, the same groups of safety-related and nonsafety-related systems in the system/event matrix are used to perform their basic design functions, but they are organized somewhat differently from the system/event matrix to support development of symptom-based functional guidelines that can be more effectively used by the operators. These four design basis safety functions identified in Reference 2 are expanded into the six critical safety functions in writing the symptom-based AP1000 Emergency Response Guidelines.

The six Emergency Response Guidelines critical safety functions (and the four design basis safety functions that the critical safety functions must satisfy) are physical processes, conditions, or actions taken using the safety-related and nonsafety-related systems to maintain the plant conditions within


By accomplishing the emergency response guideline critical safety functions following a design basis event, the plant is able to mitigate the consequences of the event and to establish and maintain safe shutdown conditions. The minimum inventory list identifies sufficient controls, displays, and alarms to monitor and control operation of the safety-related systems to achieve the six critical safety functions identified in the Emergency Response Guidelines and to establish and maintain safe shutdown conditions following an accident.

Tables 7.5-4, 7.5-5, and 7.5-6 identify the instrumentation and the associated Emergency Response Guidelines critical safety functions that each instrument supports for each of the Type A, B, and C post-accident instrumentation, respectively.]*

Minimum Inventory Selection Criteria Implementation Process

Section 7.5 provides a discussion of the development of the requirements of Regulatory Guide 1.97 and the implementation process for the AP1000 (Criteria 1, 2, and 4).

Section 18.7 and Reference 1 provide a discussion of the implementation process for identification of critical PRA operator actions (Criterion 3). Chapter 30 of the AP1000 PRA describes the process for the human reliability analysis.]*

18.12.3 Remote Shutdown Workstation Displays, Alarms, and Controls

Subsection 7.4.3 discusses safe shutdown using the remote shutdown workstation following an evacuation of the main control room.

The main control room provides the capability to perform accident mitigation and safe shutdown functions for design basis events. The only types of events that would require evacuation of the main control room and control from the remote shutdown workstation are localized emergencies where the main control room environment is unsuitable for the operators or where the main control room workstations and equipment become damaged.

Evacuation of the main control room is not expected to occur coincident with any other design basis events. Subsection 9.5.1 of the Standard Review Plan (NUREG-0800) specifically excludes consideration of other design basis events coincident with a fire.

The design capability for the remote shutdown workstation is to provide the capability to establish and maintain safe shutdown conditions following a main control room evacuation, as described in subsection 7.4.3.1.1. The controls, displays, and alarms listed in Table 18.12.2-1 are retrievable from the remote shutdown workstation.]*

18.12.4 Combined License Information

This section contained no requirement for additional information.

18.12.5 References

1. WCAP-14651, Integration of Human Reliability Analysis With Human Factors Engineering Design Implementation Plan, Revision 2, May 1997.]*

2. WCAP-13793, The AP600 System/Event Matrix, June 1994.


Table 18.12.2-1 Fixed Position Controls, Displays, and Alerts

Description | Control | Display | Alert(2)
Neutron flux(3) | - | x | x
Neutron flux doubling | - | x | -
Startup rate | - | x | x
RCS pressure | - | x | x
Wide range Thot | - | x | -
Wide range Tcold | - | x | x
RCS cooldown rate compared to the limit based on RCS pressure | - | x | x
Wide range Tcold compared to the limit based on RCS pressure | - | x | x
Change of RCS temperature by more than 5°F in the last 10 minutes | - | x | -
Containment water level | - | x | x
Containment pressure | - | x | x
Pressurizer water level | - | x | x
Pressurizer water level trend | - | x | -
Pressurizer reference leg temperature | - | x | -
Reactor vessel - Hot leg water level | - | x | x
Pressurizer pressure | - | x | -
Core exit temperature | - | x | x
RCS subcooling | - | x | x
RCS cold overpressure limit | - | x | x
IRWST water level | - | x | x
PRHR flow | - | x | x
PRHR outlet temperature | - | x | x
PCS storage tank water level | - | x | -
PCS cooling flow | - | x | -
IRWST to RNS suction valve status(3) | - | x | x
Remotely operated containment isolation valve status(3) | - | x | -
Containment area high range radiation level | - | x | x
Containment pressure (extended range) | - | x | -
CMT level(1) | - | x | -
Manual reactor trip (also initiates turbine trip, Figure 7.2-1, sheet 19) | x | - | -
Manual safeguards actuation | x | - | -
Manual CMT actuation | x | - | -
Manual main control room emergency habitability system actuation(4) | x | - | -
Manual ADS actuation (1-3 and 4) | x | - | -
Manual PRHR actuation | x | - | -
Manual containment cooling actuation | x | - | -
Manual IRWST injection actuation | x | - | -
Manual containment recirculation actuation | x | - | -
Manual containment isolation | x | - | -
Manual main steam line isolation | x | - | -
Manual feedwater isolation | x | - | -
Manual containment hydrogen igniter (nonsafety-related) | x | - | -

Notes:

(1) Although this parameter does not satisfy any of the selection criteria of Subsection 18.12.2, its importance to manual actuation of ADS justifies its placement on this list.

(2) These parameters are used to generate visual alerts that identify challenges to the critical safety functions. For the main control room, the visual alerts are embedded in the safety-related displays as visual signals. For the remote shutdown workstation, the visual alerts are embedded in the nonsafety-related displays as visual signals.

(3) These instruments are not required after 24 hours. (Subsection 7.5.4 includes more information on the class 1E valve position indication signals, specified as part of the post-accident monitoring instrumentation.)

(4) This manual actuation capability is not needed at the remote shutdown workstation.


Reference 1. However, it mostly applies to plant modernization. The portions of the added element that apply to new plants were formerly addressed under the Verification and Validation element in Reference 1. Since these aspects of the Program Review Model are unchanged, AP1000 will continue to address them under Section 18.11 as Issue Resolution Verification and Final Plant Verification.

18.13.1 References

1. NUREG-0711, Human Factors Engineering Program Review Model, U.S. NRC, July 1994.

2. NUREG-0711, Rev. 1, Human Factors Engineering Program Review Model, U.S. NRC, May 2002.


Human performance monitoring applies after the plant is placed in operation. The human performance monitoring process implements the guidance and methods as described in Reference 1.

The human performance monitoring process provides reasonable assurance that:

The design can be effectively used by personnel, including within the control room and between the control room and local control stations and support centers.

Changes made to the human system interface(s), procedures, and training do not have adverse effects on personnel performance (e.g., a change does not interfere with previously trained skills).

Human actions can be accomplished within time and performance criteria.

The acceptable level of performance established during the design integrated system validation is maintained.

The human performance monitoring process is structured such that:

Human actions are monitored commensurate with their safety importance.

Feedback of information and corrective actions are accomplished in a timely manner.

Degradation in performance can be detected and corrected before plant safety is compromised (e.g., by use of the plant simulator during training exercises).

The human performance monitoring process for risk-informed changes is integrated into the corrective action program, training program and other programs as appropriate. Identified human performance conditions/issues are evaluated for human factors engineering applicability.

Human factors engineering conditions are assigned specific human factors cause determination codes, trended for indications of degraded performance or potential human performance failures, and have specific corrective actions identified.

The cause investigation:

Identifies the cause of the failure or degraded performance to the extent that corrective action can be taken consistent with the corrective action program requirements.

Addresses failure significance which includes the circumstances surrounding the failure or degraded performance, the characteristics of the failure, and whether the failure is isolated or has generic or common cause implications.

Identifies and establishes corrective actions necessary to preclude the recurrence of unacceptable failures or degraded performance in the case of a significant condition adverse to quality.


Plant or personnel performance under actual design conditions may not be readily measurable.

When actual conditions cannot be simulated, monitored, or measured, the available information that most closely approximates performance data in actual conditions should be used.

Monitoring strategies for human performance trending after the implementation of design changes are capable of demonstrating that performance is consistent with that assumed in the various analyses conducted to justify the change.

Risk-informed changes are screened commensurate with their safety importance to determine if the change requires monitoring of actions. For changes which require monitoring, the appropriate monitoring requirements are determined and implemented in the training program or other program as appropriate.

18.14.1 References

1. NUREG-0711, Rev. 1, Human Factors Engineering Program Review Model, U.S. NRC, May 2002.
