ML19308C412

Forwards Second Draft of NRC Special Inquiry Rept on Human Factors.Requests Comments by 791220
ML19308C412
Person / Time
Site: Crane 
Issue date: 12/13/1979
From: Cornell E
NRC - NRC THREE MILE ISLAND TASK FORCE
To: Finlayson F
AEROSPACE CORP.
Shared Package
ML19308C407 List:
References
TASK-TF, TASK-TMR NUDOCS 8001230388


Text

UNITED STATES

NUCLEAR REGULATORY COMMISSION

WASHINGTON, D. C. 20555

December 13, 1979

In Reply Refer to: NTFTM 791213-03

Dr. Fred Finlayson
Aerospace Corporation
P. O. Box 92957
Los Angeles, California 90009

Dear Dr. Finlayson:

Enclosed is a second draft of the NRC's Special Inquiry Group Staff report on human factors which will form most of the human factors section of Volume II of the report to the Commission.

Two sections; evaluation of selection and training, and findings and recommendations, are still being worked on.

Please try to provide any comments you may have by December 20, 1979.

If you have enough time, send them in writing; otherwise call in your comments to either me (301/492-S902), or Gordon Chipman (301/492-8924).

Sincerely,

E. Kevin Cornell, Staff Director

NRC/TMI Special Inquiry Group

Enclosure:

Second draft:

Human Factors

o Problems with procedure consistency include:

- Nomenclature used in the procedure is usually different from panel nomenclature, control and display labels and annunciator designators;

- The procedure itself is not internally consistent in at times identifying valves to be monitored and at other times omitting such valves.

o Problems with correctness of procedure:

- Section B symptoms are not correct.

Symptoms for leak or rupture include "rapid continuing decrease of pressurizer level."

o Problems with compliance with ANSI N18.7:

- The procedure includes the sections designated for emergency procedures but totally ignores the sections required for procedures in general, such as:

  - statement of applicability
  - prerequisites
  - precautions
  - limitations and actions
  - acceptance criteria

The Essex Company found that the emergency procedures failed to identify in clear and concise terms what decisions are required of the operator, the information needed by the operator to make the decision, what actions need to be taken to implement the decisions and how the operator verifies the correctness of his decision and actions.

The Essex evaluation of the use of procedures included the following factors:

- Accessibility of procedures
- Management of the update of procedures
- Use of procedures as job performance aids.

It found that there was no aid available to access the procedures.

The operator must depend on his familiarity with the procedures to know which one is applicable to a given situation in the plant. The procedures should specify the condition of the plant which makes them applicable to the situation; this was not the case at TMI.

Essex concluded that Met Ed has the attitude that "CRO's and SRO's are not all that important in the operation of the plant, and that engineering and management personnel are better qualified to develop the design aids and tools to be used by ... (the operators)." This conclusion was reached from the fact that there was no formal program for operator input into procedures update or having them identify the problems encountered in their use.

Essex felt, and we agree, that a mechanism is needed to identify problems with the procedures and enable operator input to the solution of these problems.

In an emergency situation the operator has only three aids available to him to cope with the emergency; emergency procedures, training in similar situations and knowledge of the plant operation and status. The operator must detect and isolate the problem by diagnosis.

Essex pointed out that the operator can depend neither on his knowledge of the plant nor his training to make the diagnosis or to determine what action is necessary to isolate the problem. He, therefore, must rely on the emergency procedures.

For this reason he needs accurate and readily accessible procedures to supplement his knowledge and training.

They should provide him with decision criteria and steps to be taken to formulate hypotheses concerning what is happening in the plant and to test the hypotheses employing displayed data and test sequences.

The underlying question is were these procedures available to cope with the situation at TMI on the morning of March 28 and did procedures or lack of procedures have an impact on the accident.

Essex found that the procedures were grossly deficient in assisting the operator in diagnosing the feedwater system, the emergency feedwater system, the OTSG level response when emergency feedwater pumps were initiated.

The procedures were of no help in diagnosing the PORV failure nor did they provide guidance in analyzing the situation of increasing pressurizer level while RC pressure decreased.

Furthermore, the procedures gave no guidance regarding overriding the automatically initiated HPI, when to trip the RC pumps while temperature and level are high and pressure is low, and when and how to establish natural circulation.

Perhaps the following statement in the Essex report best characterizes their view of the TMI-2 procedures as compared to the state-of-the-art in this area:

"It seems ironic that in the day of advanced data processing and photographic technology, nuclear power plant procedures have not progressed out of the stone age."


/2/7/79

2.0 HUMAN FACTORS CONSIDERATIONS IN THE TMI-2 ACCIDENT

2.1 Introduction

Analysis of the Three Mile Island accident suggests that certain engineering and design aspects coupled with operator training, experience and emergency procedures may have directly influenced the operator actions and inactions which significantly affected the course of the accident.

These types of considerations are formally referred to as "human factors."(1)

Several of these factors can be singled out as directly causing the accident while others can only be identified as possible contributors to the general confusion of the operators; confusion which impaired their ability to correctly analyze the problem they faced and take appropriate corrective actions.

2.2 Significant Operator "Errors"

Two actions or inactions by operators stand out as having had the greatest impact on the accident.

First, they failed to recognize that the pilot-operated relief valve (PORV) on the reactor pressurizer had not automatically closed as it is designed to in the course of recovery from a reactor trip.

Consequently, the operators did not close the PORV block valve for over two hours after the events began and the resulting water loss caused significant damage to the reactor.(2)

A second action which significantly affected the course of the accident was operator throttling (curtailment) of the high pressure injection (HPI) of water into the reactor coolant system. Had the HPI been allowed to function at a high rate, the reactor core would have remained covered and serious core damage would have been prevented.(2)

It is clear that both of these operator actions, failure to close the PORV block valve, and throttling the HPI, significantly contributed to the accident. There is strong evidence, however, that instrumentation, procedures, and training may have led the operators to make both of these mistakes as will be outlined below.

1. Failure to Isolate the PORV

Failure to close the PORV block valve can be attributed to failure to recognize the symptoms spelled out in one of the plant's emergency procedures (Pressurizer System Failure) (3), which, as part of their training, the operators memorize and use as a basis for diagnosing and responding to emergencies. According to this procedure, the operator must recognize the following symptoms:

1. The PORV has failed to close.

2. Elevated reactor coolant drain tank pressure and temperature; and

3. Elevated PORV pipe discharge temperature above the 200°F alarm set point.

For each, there appears to be a logical "human factors" explanation of why the operator failed to notice the symptom and take the appropriate corrective action.

First, failure to directly notice the failed open PORV can be traced to the method of indicating the valve's position, a single red PORV status indicator light.

This light is on when an electrical signal is sent to open the PORV and it is off when the signal is terminated.

This light does not, as may be inferred by its labeling, "PORV open and closed," indicate the actual position of the PORV.(4) Consequently, at about 13 seconds into the accident the PORV indicator light went out and the operator was misled into believing the valve had actually closed when, in fact, it had stuck open.(5)

Parenthetically, it is interesting to note that the original TMI-2 control room design contained no indicator light.

However, following a March 29, 1978 trip where the PORV had failed open,(6) the existing light and labeling were installed.

A valve indicator system which directly sensed the open and closed position of the valve would not likely fail in a manner which would incorrectly indicate valve closure.(7)

Thus, it can reasonably be assumed that, had there been such an indication system directly sensing actual valve position, the operators would have noticed the open valve indication and closed the block valve much earlier, terminating the accident well before any core damage occurred.

The failure of the operators to recognize the second symptom, elevated reactor coolant drain tank temperature and pressure, can also be traced to human engineering and design factors, namely inadequate and poorly placed instrumentation as well as the pre-accident history of a leaking code safety valve.

Water discharged from the pressurizer through the PORV eventually collects in the reactor coolant drain tank (RCDT). Thus, if the PORV fails open, the temperature, pressure and water level in the RCDT are expected to increase.

However, at TMI-2, one of the code safety valves (or possibly the PORV) which also drains into the RCDT had been leaking since the fall of 1978, and had been scheduled for repair during the next reactor shutdown.(8)

Thus, it was not unusual for the operators to observe elevated temperature, pressure and level in the RCDT and, in fact, about once every shift operators had been forced to pump the accumulated water from the RCDT.(8) One can logically surmise that an operator having worked under this condition for several months would not have noticed RCDT conditions early in the accident as being abnormal.

Added to this problem is the fact that the instrumentation for RCDT conditions and the corresponding alarms are behind the control panel and cannot be read unless the operator leaves his normal operating area in front of the control panel and walks about 50 feet to read the instruments (see Figure in Section ).

To further compound the problem, the RCDT instrumentation on the back panel only gives instantaneous information.

It does not record the RCDT parameters which would make available to the operators the previous trends of RCDT temperature, level and pressure.

Consequently, when the operator went to check the RCDT status, he had no way of telling whether the RCDT conditions were a result of a single opening and closing of the PORV in combination with a small leak in the code safety valve, or whether they were a result of a longer continuous leak from a stuck open PORV.

In fact, in the period from 10 to 15 minutes into the accident, one operator did check the RCDT and noted that it was full.(9) After the RCDT rupture disc had failed (at about 15 minutes), the shift supervisor from Unit I checked the panel and noted that it was empty.(9)

This was immediately followed by an increase in reactor building pressure and the sounding of an associated alarm.

The shift supervisor consulted with the CR operators and correctly concluded that the RCDT rupture disc had failed.

However, they incorrectly concluded that the RCDT had been nearly full of water from the previously leaking code safety valve and that the subsequent momentary opening of the PORV (at the time of reactor trip) had added enough water to overfill the tank, causing its emergency rupture disk to break,(10,11) and result in the tank indicating empty.(12)

If the RCDT monitoring instrumentation had either been located in normal view of the operators or been recorded, it is more likely that they would have noticed the time trend of RCDT parameters and correctly realized the condition of a stuck open PORV.

The third symptom which the operators failed to notice was the elevated temperature of the discharge pipe from the PORV.

As discussed above, the pressurizer code safety valve adjacent to the PORV had been leaking for some months prior to the accident. Because of the proximity of this valve to the PORV, the temperature of the PORV discharge line had been reading high, about 180°F.

Earlier in the day on March 28,(13) the safety valve leakage had increased approximately 40 percent and the discharge temperature of the safety valves had increased above the range of 180 to 200°F which had been maintained for some time.

As a consequence of this history of operating with a leaky safety valve, the TMI-2 operators were misled into believing that the rise in temperature in the discharge line following the reactor trip was caused by a combination of high temperatures before the accident and a momentary opening of the PORV.

There is evidence also that the situation leading the operators to this faulty logic was further compounded by their lack of training in basic engineering.

Apparently, operators believed that the highest expected temperature in the discharge line as a result of a stuck open PORV was over 500°F.(14)

In fact, because of the throttling action of the PORV relief valve, the maximum achievable temperature was closer to 300°F.

The operators were apparently unaware of this fact and the information is not contained in their emergency operating procedures.

Following initiation of the accident, the operators periodically monitored the discharge line temperature and noted temperatures as high as 285°F (15).

However, it was almost 2 hours into the accident when the oncoming shift supervisor noticed the PORV discharge temperature was 229°F, and that it was about 25°F hotter than the code safety discharge temperature, and correctly interpreted the reading which led to closing the PORV block valve (16).

To summarize, there is strong evidence to suggest that the TMI-2 operators' failure to recognize the symptoms of a stuck open PORV valve and to follow the emergency procedure of closing the block valve early in the accident, can be attributed to a combination of deficiencies in instrumentation, control room layout, emergency procedures and training as well as poor reactor maintenance prior to the accident. We recognize however that it was theoretically within the capability of the operators to recognize the PORV failure from the information in hand; in fact, the symptoms were eventually recognized.

While the delay in recognizing these symptoms was a key element in the severity of the accident, the delay can be attributed to human factors inadequacies affecting the interface between operator and machine.

2. Throttling of High Pressure Injection

Manual throttling or curtailment of the flow of emergency core cooling water into the reactor coolant system was a second significant operator action that affected the severity of the TMI accident.

At approximately 2 minutes into the accident, operators took manual control of the automatic high pressure injection (HPI) system (which had started when RCS pressure dropped below 1640 psig) and reduced the water flow to the reactor. For most of the first hour-and-a-half, the net flow rate was reduced from about 1,000 gpm to only about 25 gpm. (17) Technical analysis indicates that if this throttling had not occurred, core damage would have been avoided. (18)

The factors which caused the operators to take this action are complex.

Similar to the stuck open PORV recognition problem, they involve improper training, lack of instrumentation and inadequate procedures, as well as a fundamental misunderstanding of reactor thermal hydraulics by the operators, and by portions of Met Ed's management, the industry and the NRC.

The basic mistake made by the operators during the early minutes which led to their throttling HPI and limiting the flow of emergency water to the reactor coolant system, was the failure to recognize that the reactor was experiencing a small loss of coolant accident (LOCA), that could lead to uncovering the core.

The preceding PORV discussion addresses factors involved in their failure to recognize the stuck open PORV, the basic cause of the LOCA.

However, the question remains; why, having failed to recognize the PORV failure, the operators did not recognize the other symptoms of a LOCA and take appropriate action. Several additional human factors issues serve as a logical explanation.

First, the TMI plant did not have any means of directly measuring the water level in the reactor.

If direct water level or water inventory instrumentation had been available, it is reasonable to expect that the operators would have taken appropriate steps to prevent uncovering of the core, i.e., maintain high HPI flow. (19) The TMI design (as well as most PWR's) relied on a faulty understanding of reactor behavior which served as a basis for operator training and emergency procedures.

This involves a misconception that water level in the pressurizer serves as a true indication of total volume of water in the reactor coolant system under all accident conditions. (20) Subsequent analysis (refer to ) reveals that for the LOCA which occurred at TMI, previously believed relationships of high pressurizer level signifying that the reactor vessel is full of water are not correct. (21)

Consequently, much of the operator training and the emergency procedures were invalid and led the operators to mistakenly throttle high pressure injection in an attempt to maintain pressurizer level within the normal range.

For example, the emergency procedure dealing with loss of coolant accidents (EP 22021.3) contains two alternative sections, each of which warns the operators to look for a combination of low reactor pressure and low pressurizer level. At TMI, reactor pressure did fall but pressurizer level increased.

Having failed to observe the symptoms applicable to this procedure, it is logical that the operators did not follow the prescribed corrective actions that could have prevented the accident.

Lacking unambiguous emergency procedures, operators instead followed other dictates of their training and operating procedures and attempted to control pressurizer level by throttling the HPI system. (22, 23)

Not only had the TMI-2 operators been trained to interpret pressurizer level as positive indication of the level of water in the reactor coolant system, apparently they also received strong admonition to avoid taking the pressurizer solid.

This admonition was strongly emphasized and reinforced by various documents which clearly define the pressurizer levels to be maintained by the operators. (24)

In summary, there is strong evidence that the combination of inadequate procedures, inadequate training, the failure to incorporate lessons learned and/or the lack of direct water level instrumentation, misled operators to throttle HPI which stands out as a significant factor in the accident.

Furthermore, these inadequacies were a result of a basic misconception on the part of the operators, industry and the NRC of how the reactor coolant system would behave.

These actions could be ascribed to "operator error" as was done in NUREG 0600.

However, it is our view that the overall system of training, operating, CR design, and maintenance is the major problem--a view that has become more evident as the study of this accident has progressed.

2.3 Other Factors Contributing to the Accident

In addition to the two preceding examples of how inadequate instrumentation, training and procedures may have directly caused the accident, other similar "human factors" had a strong potential for contributing to the general confusion of operators and most likely impaired their ability to correctly respond to the problems being faced.

The Essex Corporation's study contained in describes a number of these factors.

Several examples are illustrative of their findings. First, the confusion of the first hour of the accident was compounded by a discovery that the emergency feedwater block valves were closed. Although technical analysis suggests a closure of these valves did not directly cause the accident, (25) discovery of the closure 8 minutes into the accident and the resultant diversion of operator attention to feedwater problems may have diverted them away from analysis and reaction to more fundamental causes of the accident. (26)

This failure to discover closure of EFW valves can be directly attributed to several human engineering control room deficiencies. First, there was inadequate quality control of valve lineup, which should have led the operators to discover the closed valves before the accident.

Second, the control room did not contain any direct indication of EFW flow.

Thus, operators were forced to rely on secondary indication of valve position and pump condition to verify flow status.

Third, the indicator lights which tell the operator whether or not the EFW block valves are closed were hidden by one of the out-of-service tags that cluttered the control panel as shown in Figure.

Fourth, the feedwater control panel is not laid out in a logical fashion such as control locations mimicking actual valve and pump positions in the plant.

In fact, the control and display placement on the EFW panel is inconsistent (27) as shown in Figure. The absence of any logical panel layout forces operators to rely on memory or random search to locate a particular control.

This panel layout problem existed elsewhere in the control room and increased operator workload and probability for mistakes, particularly during emergency conditions.

A second condition that added to the confusion in the control room was the alarm system which hampered the operators during the early stages of the accident.

For example, the control room contains over 750 alarms. These alarms are not prioritized and many are difficult to read from normal operator positions.

During the first few minutes of the accident, about 100 of these alarms went off. (28)

In order not to lose important information on which alarms had been actuated and which had cleared, the operators did not acknowledge any alarms (and silence the audible alarm) for some time into the accident. When asked if there was any way to "shut off the horn and the bell so you can think a little bit," by Representative Carr, Mr. Fredericks said no. (29)

This problem with alarm systems prompted one operator to write a year before the accident:

"The alarm system in the control room is so poorly designed that it contributes little in the analysis of a casualty. The other operators and myself have several suggestions on how to improve our alarm system--perhaps we can discuss them sometime--preferably before the system as it is causes severe problems." (30)

On March 28, 1979, the control room alarm system had not changed.

The Essex Corporation found other examples of poor control room design which contributed to confusion.

These include poor lighting, numerous examples of illogical panel layout, confusing use of indicator color coding, and situations where operator's ability to read meters and observe indicator lights were impaired.

In addition, the Essex Report found that several operator errors were caused or influenced by expectancy or set.

Set is a psychological construct defined as a 'temporary but often recurrent condition of individuals that orients them toward certain information and events rather than others, and increases the likelihood of certain responses over others.'

The influence of set in the TMI incident is evident in the tendency to evaluate indications of present plant status in terms of events or conditions occurring in the recent past.

Thus the high exhaust pipe temperature of the PORV was not considered excessive due to the fact that the safety valve had been leaking for some time prior to the accident.

Operators also seemed conditioned to expect problems in the secondary system and not in the primary system due to their prior experience with both systems. Such expectancies, combined with the slow response of the system, had the effect of delaying the real problems.

Development of these erroneous expectancies, however, does not reflect on the operators themselves but rather on their training.

In the absence of adequate training, operators will use whatever information is at their disposal, including their knowledge of what has been happening in the plant in the recent past, and over the period of their involvement with the system.

It is the function of training to provide a capability of integrating displayed information to arrive at an understanding of what is happening in the plant and what action is required, independently of what has been happening in the recent past. The training provided the TMI operators was obviously deficient in this regard.

The importance of operator set in the TMI incident is also evident from the fact that several decisions, including the determination that the PORV was open, were reached by personnel who were fresh to the problem, who did not have the recent experience with the plant and who were able to assess available information on its own merits without reference to prior influences.

Essex found that the influence of psychological stress as a determinant in the TMI accident was difficult to determine given available data.

It is apparent that the operators were increasingly under stress over the course of the accident, however, there is no indication that inappropriate actions or inactions were due directly to the stress condition.

Another operator function in human error incidence is inadequate reasoning or problem solving capability on the part of the operators.

No evidence has been obtained in the investigation by Essex or the SIG that would indicate any problems in the reasoning or problem solving capabilities of any of the operators on duty at the time of the accident. To the contrary, when scores of the requalification examination for 1973-79 were reviewed, it was determined that the shift supervisor on duty at TMI-2 on March 28, scored highest of all TMI operators.

The two control room operators for whom scores are available both scored in the upper 50 percent of the population of operators.

There is then no evidence that human errors were due to intellectual deficiencies on the part of the operators.

2.4 Summary and Conclusions

Perhaps the best summary of the overall conclusion reached in this analysis was expressed one year before the accident.

A TMI operator in addressing problems experienced during a March 29, 1978 reactor trip stated in a letter to his supervisor:

"I feel that the mechanical failures, poor system designs and the improperly prepared control systems were very much more the major cause of this incident than was operator action.

Although training is always essential and welcome--nothing we study or learn to practice could have prepared us for this unfortunate chain of events...You might well remember this is only the tip of the iceberg and the best operator in the world can't compensate for multiple casualties which are complicated by mechanical and control failures."

This seems to be a fairly accurate description of the problems faced by the operators albeit all of the information necessary for them to have prevented the accident was available. The point here is that many of the actions they took were not a result of a lack of information or stupidity, but were a logical result of the inadequate CR design, operator training and emergency procedures.

The Essex Corporation Study (31) reached a similar conclusion by stating:

"The overall conclusions are: (1) operators did commit a number of errors which certainly had a contributory if not causal influence in the events of the accident; and (2) these errors resulted from grossly inadequate control room design, procedures, and training rather than from inherent deficiencies on the part of the operators."

REFERENCES AND NOTES

1. As used in this report, "human factors" is an interdisciplinary approach to optimizing human performance in the man-machine system. It includes application of principles relating to psychology, physiology, instrumentation, control and workspace design, personnel selection and personnel training.

2. Section II-D, Alternative Accident Sequences, Subsection II-D-1.1.

3. Three Mile Island Nuclear Station Unit #2 Emergency Procedures 2202-1.5, Pressurized System Failure, Revision 3, dated September 29, 1978.

4. This design is a specific violation of accepted human factors principles as contained in Mil-Std-1472B, paragraph 5.2.2.1.5: "The absence or extinguishment of a signal or visual indication shall not be used to denote a 'go-ahead,' 'ready,' 'in tolerance,' or completion condition... Changes in display status shall signify changes in functional status rather than results of control actuation alone."

5. ISE Testimony, TMI-278, page 12.

6. SIG Precursors, Subsection H.

7. Such indicators are commonly controlled by microswitches which sense the position of the relief valve stem. While erroneous position indication is possible with such a design, the likelihood of a false indication of the PORV being shut is small.

8. NUREG 0600, Investigation into the March 28, 1979 Three Mile Island Accident by the Office of Inspection and Enforcement, Section I-1-3.

9. ISE Testimony TMI 198, pages 25-28, TMI 278, pages 6-8.

10. NRC/SIG Testimony, September 11, 1978; Faust, Frederick, Scheimann, Zewe, pages 154 and 155.

11. Oversight Hearings before the Subcommittee on Energy and the Environment, May 9, 10, 11 and 15, 1979. Serial No. 96-8 Part 1, page 170.

12. It was actually reading off scale low (below 60 inches).

'7 Referencej.

13.

14. NRC/SIG Deposition of Joseph Chwastyk, October 11, 1979, pages 7172.

15. NRC/SIG Sequence of Events, time 24 minutes, 58 seconds.

16. NRC/SIG Sequence of Events, 2 hours, 18 minutes.

17. Reference , Section 4.3.

18. Section II-D Alternative Accident Sequences, Subsection II-D1.1.

NOTE: A definitive analysis of the reactor coolant system water balance is not possible with the data that is available.

19. As discussed in Section there had been earlier attempts to require instruments to directly measure water level in the reactor vessel for pressurized water reactors.

20. The analysis of small break LOCA's by NRC and the industry do not include considerations of the vagaries of operator actions.

21. This fact was known before the TMI accident but had not been widely recognized or incorporated. See Section (precursors). Had this information been incorporated, the symptoms indicating false reading of pressurizer level would have been known and the operators would likely have maintained a high HPI flow.

22. Reference ,B, page 123.

23. Public Hearings Before the President's Commission on Three Mile Island, May 30, 1979, page 194.

24. These include: Section 3.4.4 of Appendix A to TMI operating license; OP 2103-1.3 Revision 3 July 19, 1978; Babcock & Wilcox Limits and Precautions for Pressurizer Operations.

25. Section II-D-2.3.

26. Reference s, page 124.

27. The negative impact on the operator performance of this inconsistent layout was demonstrated later in the accident. At approximately 90 minutes into the accident, the operator permitted steam generator A to boil dry again because he was trying to add water to the A generator but was actually operating the valve that controls water to the B generator.

28. Hearings Before Committee on Interior and Insular Affairs, Task Force on Three Mile Island, May 11, 1979, page 43.

29. Reference 25, page 44.

30. Letter, Edward Frederick to James Seelinger, TMI-2 Superintendent for Technical Support, March, 1979.

31. Essex Report

3.3.2 TMI-2 Control Room Description

General Layout

At the TMI nuclear power plant, the control stations, switches, and indicators necessary to start up, operate and shut down the nuclear unit are located in one control room. Controls for certain auxiliary systems are located at remote control stations.

As can be seen from Figure 1 and the photograph in Figure 2, the TMI-2 control room is very large and contains a large number of instruments, controls and alarms. The control room consoles are arranged in a U-shaped pattern with vertical panels following the same pattern behind the consoles, separated by a passage aisle. The operator's desk is located in front of the U-shaped console and panel arrangement. Figure 1 shows the floor plan and layout of the control room and a perspective on the size and layout can be obtained from the photo in Figure 2.

According to the TMI-2 Final Safety Analysis Report (FSAR), the control room was to be designed so that one man could supervise operation of the unit during normal steady-state conditions. During abnormal operating conditions, additional operators are expected to be available for assistance. The control room is arranged to include the operating consoles, which house frequently used controls and indicators, as well as startup and emergency controls and indicators. The FSAR also notes that the controls and indicators were to be located in a logical arrangement, making them accessible and readily visible to the operator. Recorders and radiation monitoring equipment, infrequently used control switches, remaining indicators, temperature recorders, annunciators and reactor building isolation valves position indication are mounted on the vertical panels behind the consoles. Table summarizes the functions of the panels which were during the March 28, 1979 accident.

Visible and audible alarm units are incorporated into the control room to warn the operator of unsafe or abnormal conditions. The control room was supposedly designed such that information readouts contain all the necessary indications that are required by the operator for monitoring conditions in the reactor, reactor coolant system, containment and safety-related process systems throughout all operating conditions of the plant.

Plant Computer

The plant computer system, which is used for monitoring alarms, plant performance, logging data and performing simple calculations, is located near the center of the control room on one console. This system uses a Bailey 855 computer which is linked to a smaller NOVA computer. The NOVA computer was added to the original design to provide more capacity for monitoring the balance-of-plant conditions.

The computer has two output modes -- an alarm printer and a utility printer. These are both automatic typewriters and if either fails, its output is automatically transferred to the other. A small cathode ray tube display is also provided which duplicates the output of the printers or can be used for independent display.

For all monitored parameters that have an alarm function, the alarm printer automatically prints an alarm message when the parameter has gone into an alarm condition. The computer also samples each parameter -- temperature, pressure, level, etc. -- and compares the reading to a preset alarm value. If the reading is found to be outside of acceptable limits, a notation to that effect is typed out on the "alarm printer." When the parameter again comes within acceptable limits, another notation is typed. The alarm printer also makes a record of starting, stopping, or tripping of major equipment.

The computer alarm printout is capable of typing only one line every four seconds. Consequently, in situations where alarms are initiated rapidly, the printer is unable to keep up and alarm printout is delayed. An operator can bring the printout up to real time, but only at the cost of clearing all alarms awaiting printout from the computer memory. At one point during the accident, the alarm printer was over 2 hours behind.

The utility printer provides output on request. The value or condition of any monitored parameter can be requested. Special subroutines allow the operator to request output values in specific preprogrammed groups called "Operator Special Summaries" or to trend output values in preprogrammed groups called "Operator Group Trends."

The computer is also programmed to record automatically all changes in state of a predesignated group of parameters called "Sequence of Events" inputs. These event inputs are stored in the computer and can be printed on request. The sequence is started by any one of the "Sequence of Events" inputs changing state and continues until printed by the operator.

The plant computer provides the operator with an efficient means of keeping logs and showing trends on a large number of plant parameters under normal operating conditions. The computer was not designed to accommodate the data needs of the operator in an accident situation. Using the computer in an accident situation requires that the operator leave his control panels in order to request computer output; it takes the computer several seconds to supply the requested output; and, as pointed out above, the automatic alarm printout can be several minutes, or even hours, behind real time. All of these tend to limit the computer's usefulness in an accident situation. If properly designed and programmed, the computer can provide information useful for diagnosing and responding to an emergency situation. However, the TMI computer was not programmed to establish a hierarchy of critical parameters to be monitored in the event of an emergency. Thus, during the March 28, 1979 accident, the large number of unimportant alarms and the resulting backlog made the computer nearly useless as a diagnostic tool.
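The backlog behaviour described above, worked through as an added example (not code from the report or from the plant computer). The four-second line rate and the effect of bringing the printout up to real time come from the text; the alarm burst, the priority values and the priority-ordered printer are constructed assumptions used to show what a hierarchy of critical parameters would change.

```python
import heapq

SECONDS_PER_LINE = 4  # from the report: one printed line every four seconds
CRITICAL = "ALARM 060 critical parameter (constructed)"


def constructed_burst(count=100, critical_index=60):
    """Constructed input: one alarm per second, one of them critical."""
    burst = []
    for k in range(count):
        if k == critical_index:
            burst.append((k, 0, CRITICAL))          # priority 0 = most urgent
        else:
            burst.append((k, 5, f"ALARM {k:03d} routine (constructed)"))
    return burst


def simulate_fifo(alarms, seconds_per_line=SECONDS_PER_LINE, flush_at=None):
    """Print alarms strictly in arrival order, as the report describes.

    alarms: list of (arrival_s, priority, text), sorted by arrival time.
    flush_at: optional time at which the operator brings the printout up to
        real time, which discards every alarm still awaiting printout.
    Returns (printed, discarded); printed holds (print_time_s, arrival_s, text).
    """
    printed, discarded = [], []
    printer_free = 0
    for arrival, _priority, text in alarms:
        start = max(arrival, printer_free)
        # Already raised but not yet started when the flush happens: lost.
        if flush_at is not None and arrival < flush_at <= start:
            discarded.append((arrival, text))
            continue
        printer_free = start + seconds_per_line
        printed.append((printer_free, arrival, text))
    return printed, discarded


def simulate_priority(alarms, seconds_per_line=SECONDS_PER_LINE):
    """Hypothetical alternative: same printer speed, but the most urgent
    pending alarm is always printed next (ties broken by arrival time)."""
    pending, printed = [], []
    clock, i, n = 0, 0, len(alarms)
    while i < n or pending:
        if not pending and alarms[i][0] > clock:
            clock = alarms[i][0]                    # printer idle until next alarm
        while i < n and alarms[i][0] <= clock:
            arrival, priority, text = alarms[i]
            heapq.heappush(pending, (priority, arrival, i, text))
            i += 1
        _priority, arrival, _seq, text = heapq.heappop(pending)
        clock += seconds_per_line
        printed.append((clock, arrival, text))
    return printed


def lag_seconds(printed, text):
    """Delay between an alarm occurring and its line being printed, or None."""
    for print_time, arrival, printed_text in printed:
        if printed_text == text:
            return print_time - arrival
    return None


if __name__ == "__main__":
    burst = constructed_burst()

    printed, _ = simulate_fifo(burst)
    print("FIFO lag for critical alarm (s):", lag_seconds(printed, CRITICAL))
    print("FIFO finishes printing at (s):", printed[-1][0])

    printed, discarded = simulate_fifo(burst, flush_at=120)
    print("Alarms lost by flushing at t=120 s:", len(discarded))
    print("Critical alarm lost:", any(t == CRITICAL for _, t in discarded))

    printed = simulate_priority(burst)
    print("Priority lag for critical alarm (s):", lag_seconds(printed, CRITICAL))
```

With the constructed burst, the arrival-order printer reaches the critical alarm only after working through every routine line ahead of it, and a flush at two minutes deletes it unprinted; the priority ordering prints it on the next free line.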

TABLE TMI-2 CONTROL ROOM KEY PANEL DESCRIPTIONS*

Panel      Description

2          Computer console

3          Reactor coolant makeup and purification system and the control room equipment related to the safety features actuation system.

4, 5, 6    Controllers, recorders, and indications necessary for control and supervision of the reactor power output, feedwater, condensate, steam generators, and turbine generator.

7          Indicates a fire in the unit and the automatic steps being taken to control it.

8          Annunciators and indication for status of the various nuclear and conventional cooling systems of the unit.

10         Records temperatures of major equipment, reactor vent valves, control rod drives, and self-powered neutron detector tubes; each temperature monitored is alarmed if the temperature exceeds a preset limit.

13         Status of the engineered safety features panel.

14         Individual control rod position, fault lights, and inserted and withdrawn limit lights.

15         Graphic panel that shows the position of all reactor building isolation valves.

21         Station radiation monitoring equipment and recorders; including equipment required to annunciate and indicate the status of equipment and interlocks intended to prevent any release to the environment that exceeds preset limits.

* Panel numbers refer to those shown in Figure 1.


Human Engineering Criteria and TMI-2

The AEC (NRC) review and approval of the application for a construction permit, submitted by Met Ed for TMI-2 in April of 1968, was completed and the TMI-2 construction permit (CP) was issued in November 1969.(1) The primary criteria which were used in the AEC staff review of that permit are found in Title 10 of the Code of Federal Regulations. At the time of the CP review of TMI-2, the criteria most relevant to control room design were found in the proposed Appendix A to 10 CFR Part 50, "General Design Criteria for Nuclear Power Plants."(2) Typical examples of these criteria indicate that Federal regulations for control rooms were vague, lacked specificity and contained little, if any, indication of concern for human engineering issues associated with the interface between operators and the control room.

For example, criterion 12(2) requires that "Instrumentation and Controls shall be provided as required to monitor and maintain variables within prescribed operating ranges."

Another example is criterion 11(2) which states in part:

"The facility shall be provided with a control room from which actions to maintain safe operational status of the plant can be controlled."

While these criteria were only proposed by the AEC at the time, they were published with the notation that they "would not add any new requirements, but are intended to describe more clearly present Commission requirements..."

Thus they were in effect AEC requirements.

In addition to these Federal regulations, the industry had also developed standards which could have affected the human engineering of the TMI-2 control room.

One example which was referenced in the TMI PSAR application, was IEEE standard 279 which required that:

"If the protective action of some part of the system has been bypassed or deliberately rendered inoperative for any purpose, this fact shall be continuously indicated in the control room."

The thrust of this standard was to provide an effective means of warning operators of an inoperative system. It should be noted, however, that this standard applied only to the Reactor Protection System and not to safety systems such as the emergency core cooling system.

Another industry standard (IEEE 603) which exhibited a concern for human engineering was entitled, "Displays for Protective Actions Initiated by Manual Means."(4) This standard did apply to other safety systems and suggested that the display instrumentation provided for the manually initiated protective actions required for a safety system should be part of the safety system, and that the design should minimize the possibility of anomalous indications which could be confusing to the operator. It should be noted, however, that unlike IEEE-279, this standard was not required for the control room design and was not referenced in the TMI PSAR.

In addition to these standards, Section 7.4 of the TMI-2 PSAR outlines the general philosophy to be used in designing the TMI-2 control room. Similar to the standards described above, this general design philosophy contains only a vague and general reference to the man-machine interface problem.

Section 7.4 provides that all controls and instruments were to be located in one room. This room was to be designed so that one operator would suffice during normal operations. During "other than normal steady state operating conditions," other operators were to be available to assist the control operator. This section also contains general prescriptions for the shape of the control room, the relative placement of various systems, brief description of the audible alarm system, requirements to allow occupancy during abnormal conditions such as fire protection, radiation shielding, and ventilation, provisions related to evacuation of the control room and provisions for auxiliary control stations.

The final portion of Section 7.4 provides a typical example of the general nature of the specifications provided in the PSAR and the limited extent to which they addressed the human engineering problems. It stated in part(11):

"7.4.7 SAFETY FEATURES

The primary objectives in the control room layout are to provide the necessary controls to start, operate, and shut down the nuclear unit with sufficient information display and alarm monitoring to insure safe and reliable operation under normal and accident conditions. Special emphasis will be given to maintaining control integrity during accident conditions. The layout of the engineered safety features section of the control board will be designed to minimize the time required for the operator to evaluate the system performance under accident conditions. Any deviations from predetermined conditions will be alarmed so that the operator may take corrective action using the controls provided on the control panel."

In the time period from 1970 to 1978, there was a significant growth in the number of requirements and guidance related to control room design within both the NRC and the nuclear industry. As shown in the Essex report, a large number of these criteria were found to be related to human engineering.

While these requirements and guidelines provided more substance than previously existed, the majority of these criteria still suffer from the same deficiency identified previously. That is, they were too vague and too general to require the direct application of human engineering technology which had been extensively developed in other fields (5).

During this time period, the NRC issued a number of documents for use by the nuclear industry containing recommended practices or guidance in safety matters starting with Reactor Technology Memoranda followed by Safety Guides and then Regulatory Guides. In 1975, the NRC consolidated its criteria in a Standard Review Plan (6) aimed at providing guidance to its technical staff who review and approve applications for nuclear power plant licenses.

The more substantive of these criteria include the following:

o Requirement of IEEE-279 that bypasses be indicated was expanded in Regulatory Guide 1.47(7) to include safety systems.

o Regulatory Guide 1.97 "Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant Conditions During and Following an Accident" included a provision for analysis of what instruments are required. While not so identified in the Regulatory Guide, this provision is similar to the use within the human engineering discipline of a task analysis to determine what needs to be done and what must be provided to the operators so that they can effectively accomplish their tasks. However, without more specificity, this Regulatory Guide was not interpreted by the NRC or the industry to cover the use of a task analysis as in some other industries.(13) (See discussion on the limited implementation of RG 1.97 in Section on Operating License Review Issues Concerning TMI-2).

o A third regulatory guide entitled, "Guidance on Being Operator at the Controls of a Nuclear Power Plant"(8) also provides insight into NRC regulatory attempts to address the man-machine interface. The basic thrust of this regulatory guide is to place the onus on the CR operator for safe operation of the plant. It assumes, but does not establish the basis for further assumption, that the control room will provide the operator with all the aids needed to perform his job. For example, the guide states:

"The operator of the controls of a nuclear power plant should have an unobstructed view of and access to the operational control panels, including instrumentation displays and alarms, in order to be able to initiate prompt corrective action when necessary, on receipt of any indication (instrument movement or alarm) of a changing condition;"

and that:

"The operator at the controls should not normally leave the area where continuous attention (including visual surveillance of safety-related annunciators and instrumentation) can be given to reactor operating conditions and where he has access to the reactor controls. For example, the operator should not routinely enter areas behind control panels where plant performance cannot be monitored."

In spite of this, analysis of the control room at TMI and operator actions performed during the early stages of the accident clearly suggest, in fact, that the TMI-2 was not designed so that operators would have an unobstructed view of instrumentation displays and alarms (See Section ). Furthermore, operators had to enter the area behind reactor controls in order to observe the reactor drain tank instrumentation critical to an assessment of the accident.

The detailed review conducted by Essex of these regulations, Reg. Guides, Standard Review Plan, found no examples of criteria which were written with a clear intent to include human engineering considerations in the licensing and regulatory system.

The expansion in guidance related to human factors from pre-1970 to pre-1978, that was experienced by the NRC also occurred in the codes and standards of the industry. Essex found that a significant number of industry standards were developed during this time period relating to human factors. As in the other cases discussed above, however, few of these standards were thought to be important and they were too vague to effectively require the application of human engineering in the design process. Rather they were narrowly drawn guidelines addressing a specific component or group of components and did not adequately address the man-machine interface problems.

The most significant industry guidelines in existence during the operating license review of TMI-2 are found in IEEE Standard "Recommended Practice for the Design of Display and Control Facilities and Central Control Rooms of Nuclear Power Generating Stations" Standard 566, 1977.(9) While this standard contains guidance directly related to human engineering, a detailed review of this standard by the Essex Corporation found serious deficiencies. Essex noted that the standard was incomplete and that it did not include guidance on the use of some very powerful human factors tools such as the use of task analyses. In addition, they found that some of the specific guidelines in the standard were contrary to standard human engineering practices.

[Example]

Essex did find, however, one standard IEEE 338, 1977, "Standard Criteria for the Periodic Testing of Nuclear Power Generating Stations Safety Systems" which included an explicit recognition of human engineering by noting that "inter-relationships among the systems components and human factors in each phase of the test activity shall be considered and reflected in the system design and layout."(10)

Nearly all of the industry standards available during this time frame were published after the application for the operating license for TMI-2 had been submitted to the NRC in 1974. Thus, the more recent standards were not applied to the TMI-2 design except as deemed necessary by the NRC or the utility to address "significant" safety issues.

Conformance of TMI-2 to Human Factors Criteria and Standards

As we previously noted, the TMI-2 design was found by the AEC to meet the applicable criteria prior to issuance of the construction permit in 1968. Furthermore, the design development by the utility and its contractors, and the review of this design by the AEC were conducted with essentially no human engineering resources (See Section ). As will be discussed in the following section, TMI-2 was found by NRC to satisfy the existing criteria even though a review of the current design today by human engineering specialists against these limited criteria would find serious deficiencies.

When a nuclear power plant application is received by the NRC for an operating license, the practice has been to require conformance of the design to the criteria specified at the time of issuance of the construction permit and to address the necessity for meeting subsequent criteria on a case-by-case basis. The necessity to conform to post-CP criteria is determined by the NRC on the basis of a perceived level of safety improvement which can be achieved by such conformance and on a similar basis by the industry. (See Section on the Regulatory Requirements Review Committee.) The absence of any human engineering expertise on the NRC staff suggests that no need was perceived in this area.

In summary, we found a lack of substantive human engineering criteria and guidance, both within the NRC (AEC) and the nuclear industry, and more importantly, a lack of appreciation for the importance of human engineering to the safe operation of nuclear power plants. Furthermore, the resources to employ the techniques of human factors engineering that would be required to implement even the existing criteria did not exist within the NRC and in only a limited way within the nuclear industry.


Human Engineering Criteria and TMI-2 References

1. NUREG-0380, U.S. Nuclear Regulatory Commission Program Summary Report, Vol. 3, No. 5, May 18, 1979, p. 3-2.

2. Proposed Amendment to 10 CFR Part 50, "Licensing of Production and Utilization Facilities" to add Appendix A, "General Design Criteria for Nuclear Power Plant Construction Permits" (32 F.R. 10213) July 11, 1967. Pages 10213 through 10216.

3. Institute of Electrical and Electronic Engineers "Proposed IEEE Criteria for Nuclear Power Plant Protective Systems" IEEE 279, August 1968. Section 4.13 Indication of Bypass.

4. Institute of Electrical and Electronic Engineers "Displays for Protective Actions Initiated by Manual Means" IEEE 603, 1958.

5. For example: U.S. Military Standard 1472B, Human Engineering Requirements for Military Systems, Equipment and Facilities, December 31, 1974. This standard includes detailed design guidelines, principles and requirements.

6. NUREG-75/087 "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," LWR Edition.

7. Regulatory Guide 1.47, "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems," May 1973.

8. Regulatory Guide 1.114 "Guidance on Being Operator at the Controls of a Nuclear Power Plant," Rev. 1, Nov. 1976.

9. IEEE Std. 566-1977, "IEEE Recommended Practice for the Design of Displays and Control Facilities for Central Control Rooms of Nuclear Power Generating Stations," Nuclear Power Engineering Committee of the IEEE Engineering Committee, 1977.

10. IEEE Standard (338), "Criteria for the Periodic Testing of Nuclear Power Generating Station Class IE Power and Protection System," 1975, p. 8.

11. Preliminary Safety Analysis Report, Three Mile Island Nuclear Station Unit 2, Section 7.4.

12. MIL H-46855, Military Specification "Human Engineering Requirements for Military Systems, Equipment and Facilities" May 2, 1972, para. 3.2.1.3.

TMI-2 Control Room Design Evaluation

The likelihood of operator actions such as those which exacerbated the March 28 accident can be reduced by the systematic integration of the human factors engineering into the planning and design of a plant. To determine the extent to which TMI-2 was designed to prevent or minimize operator errors, the Essex Corporation evaluated the TMI-2 control room and compared it with human factors engineering criteria and guidelines generally applied to other industries. The following discussion of human engineering aspects of the TMI Control Room design has been divided into categories which reflect different aspects of the design. They summarize the findings of the Essex Report.

Workstation Design

One of the fundamental tenets of human factors engineering is that workstation design should facilitate operator performance and reduce the probability of operator error. To accomplish this, controls and displays should be logically organized according to function, sequence, or in relation to the system they control (i.e., mimic). Furthermore, controls should be placed to minimize the operator's need for reaching and to shorten the visual span between the operator and the instruments he must read, thus reducing time to locate and manipulate specific controls or displays.

Essex found that little, if any, attention was paid to this aspect of workstation layout. Apparently no analysis was made of the tasks which must be performed at the various TMI-2 workstations, or the capabilities and limitations of the operators performing these tasks. The following deficiencies are indicative of their findings:

o In many cases, workstation design appears to maximize visual scan, reach and walking requirements. (Refer to Figure of Section .)

- RC pump seal pressure is on panel 10, seal temperature on panel 3, while the pump controls are on panel 4.

- Makeup control is panel 3 while makeup flow indication is displayed on panel 8. See Figure

o Controls and displays are not logically or consistently sequenced.

- Pressurizer heater controls: 3, 5, 4 [illegible]

- Pressurizer narrow range indicators: B, A

o Indicator lights are inconsistently placed above, beside, or below their associated controls.

Reaching over benchboards to actuate switches or to manipulate recorders not only obscures the displays under the reaching operator, but it increases the risk that the operator will unintentionally actuate some switch. Frequently it prevents the operator from monitoring important displays during switch operation.

Essex examined the benchboards and the attached vertical panels in TMI-2 for reaching requirements. The levels of excessive reach requirements were defined using the stature of the fifth percentile male (street clothes) as a basis. Ninety-five percent of all males are taller than the fifth percentile male. USAF surveys conducted in the early 1950's were used as a basis


They found that 13 chart recorders, 10 control stations (10 switches) and 31 switches (most with frequent use) required a reach of 10"-14" greater than that of the fifth percentile male standing erect, necessitating him to bend over the panel to actuate the control or switch.

Control and Display Design

Poor selection of controls and displays can impede the performance of tasks assigned to a particular workstation. The Essex evaluation of the TMI-2 control room identified several such deficiencies in the control and display design at TMI. Examples include:

o Controls have been selected without regard for the relationship between size and performance. As a consequence, many controls (e.g., "J-handle" switches) are unnecessarily large, requiring extensive panel space to contain them.

o Displays have been selected without concern for the information processing requirements of the operator. As a result, rarely used or noncritical displays (e.g., electrical displays on panel 6) are unnecessarily large and prominent in the workspace, whereas critical displays (e.g., pressurizer level) are smaller and less easily seen.

o Bulbs are difficult to change in pushbutton/legend light control-indicators -- in some cases resulting in shorting out of switch. (Note: CROs stated that the process is so unmanageable that they generally wait until the plant is shut down before attempting to replace burned out bulbs ( ).)

o Auditory displays associated with annunciators are not prioritized to assist the operator in discriminating critical alarms.

o In some cases for controls having common operating modes (i.e., automatic and manual), control is turned clockwise to place system in manual, in other cases, counterclockwise. See example in Figure

Displays

The single most critical design requirement for the nuclear power plant control room is the effective display of information to the operator. This requirement is most pronounced during emergency conditions, where prompt, accurate diagnosis of a problem by the operator may be critical. To perform tasks effectively, the operator must have immediate access to information regarding all system parameters reflective of plant status; the information must be easily seen and read, well organized, and unambiguous in its content and meaning.

Essex found that "The design of the TMI-2 control room evidences a patent disregard for the information processing requirements of the operator." (Ref.)

The following examples serve to underscore the magnitude of this problem:

o In some cases, the status of critical parameters must be inferred from changes in associated parameters.

- There is no displayed indication of emergency feedwater flow.

- There is no displayed indication of flow through the pressurizer relief valve discharge line.

- There is no displayed indication that the system has reached saturation condition.

o Displays are incorrectly located, both with respect to their associated controls as well as the operator's optimal field of view.

- RC pump vibration-eccentricity indicators and alarms are on back panel 10, approximately 20 feet from the RC pump controls on panel 4.

- ESF indicator board on panel 13 consists of 16 rows of indicator lights. Due to placement and organization of this panel, a 6-foot operator can see only S rows of lights from his normal operating position. See Figure

- RCDT instrumentation is located on panel 8A which is completely outside the main operating area. See Figure

o Information is inadequate and/or ambiguous, making precise determination of plant status difficult or impossible.

- Strip charts are overloaded, in some cases displaying up to 72 separate channels on the same chart.

- Critical controls have no obvious indication of being in manual (e.g., when the pressurizer spray valve is set to manual, the handle is "up" (out), but the pointer is at "AUTO").

o The annunciator system, which includes over 750 annunciator lights (some of which are outside the main operating area, e.g., RCDT panel) is poorly organized, both in terms of grouping and relationship of alarms to associated subsystems. In addition, critical alarms have not been color coded or otherwise prioritized to permit immediate identification. In many cases, legends are excessively wordy or contain inconsistent abbreviations, increasing the time required to ascertain their meaning. See Figure for an example of one alarm panel out of some 20 of a similar size.

o Extinguished lights are used as positive indication of system status

(e.g., co : : mate.d).


o Displays on several panels were evaluated against standard human engineering criteria. Some 39 deficiencies were found in evaluating three systems on Panel 4.

Parallax

In the TMI-2 CR there is extensive use of moving-pointer, arc-scale vertical indicators. Unless these indicators are viewed on a line passing through the pointer and perpendicular to the scale plate, parallax problems will occur. This parallax problem will produce a difference between the actual and the perceived indicator reading. With vertical indicators, parallax will occur when the indicator is placed too high or too low on the panel.

Aside from placing the vertical indicator on the panel so it can be read easily, parallax can be minimized by using a mirrored backing so that the operator can line up the pointer with its scaled image and be confident that his reading is accurate.

The parallax survey done by Essex identified 115 vertical meters in the primary area above the eye level of the fifth percentile male, none of which had mirrored scales.

Obscured Displays

To support primary operations, TMI-2 uses vertical panels behind the benchboard, which contain some 190') displays, including indicator lights. Depending on their mounting height, displays on the vertical panels can be obscured by the vertical portion of the front benchboard, from viewing by an operator standing at the benchboard.

Essex found a large number of displays below the line of sight of a fifth percentile male standing at the benchboard and looking directly at the vertical panel. Specifically, the following were obscured:

-- 470 indicator lights

-- 1 Stripchart

-- 24 Legend Switches

-- 1 Dial

-- 3 C/D Units

-- 1 Counter

-- 3 Vertical Indicators

Viewing Distance

While Essex did not have the opportunity to conduct a thorough analysis of display viewing distance there are some strong indications that the TMI-2 control panel presents many opportunities for misreading displays. For example, Three Mile Island-2 presents at least 250 meters located on vertical panels which must be viewed from minimum reading distance is about 10-1/2 feet from the primary benchboard.

Labeling

Labeling, although actually a subset of information display, has unique characteristics and requirements which significantly impact operator performance. To ensure efficient, accurate operator performance, labeling must be consistent in location with respect to associated controls and displays; characters must be


Color Coding

Essex noted that human engineering, growing out of the military and aerospace tradition, is somewhat at odds with the color coding practices evidenced at TMI. The design of the TMI control room sharply reduced the value of color coding to the operator. The number of meanings associated with each color as well as the number of colored lights combine to produce considerable ambiguity in the man/machine communication link.

Color coding deficiencies were noted by Essex, including the following:

o A large number of meanings were attached to each color. Specifically, for red-14, for green-11, for amber-11.

o Annunciators, when alarming, intend to draw attention to the window of interest. TMI-2 uses flashing white on a white background. Contrast is particularly bad if several lights are on around the alarming window.

o The "Christmas Tree" effect in the CR is overwhelming to the observer and must be distracting, and at times confusing, to the operator. The number of lights makes it virtually impossible to determine, with confidence, the status of any switch or system from across the control room, particularly if the component is benchboard-mounted.

The Essex findings are summarized below:

o TMI-2 control room was designed and built without an appreciation of the needs and limitations of the operator particularly during emergency situations.

o In the absence of a detailed analysis of information requirements by operator tasks, some critical parameters were not displayed, some were not immediately available to the operator because of location, and the operators were burdened with unnecessary information.

o The control room panel design at TMI-2 violates a number of human engineering principles resulting in excessive operator motion, workload, error probability, and response time.


V. Application of Human Factors Principles by the Nuclear Industry

A. Evaluation of Specific Plants

In order to assess the adequacy of the application of human factors principles to control room (CR) design in the nuclear industry and to compare these CR's with the TMI-2 CR, the Essex Corporation studied two additional plants. The plants chosen for the investigation were Calvert Cliffs 1 and Oconee 2. Both of these plants are pressurized water reactors of approximately the same power output and the same vintage as TMI-2. However, these plants had different architect-engineers and utilities, and the management philosophy utilized in the CR design was different from that employed at TMI-2.

At TMI-2, the CR's layout was the responsibility of a senior engineer on the staff of the architect-engineers and all decisions were made by him. On the other hand, Calvert Cliffs 1 and Oconee-1 were designed by a management/operator team. No changes were made to the CR or indicator arrangement without management/operator team approval after all had an opportunity to criticize the change. Furthermore, these two CR's were developed with the aid of a mockup.

The comparison between TMI-2 and the other two plants included a human factors assessment of features such as reach and visibility, and the placement and readability of meters and indicators in the control rooms.

The ability of the control room operators to easily reach controls and see displays from operational distance is basic to reliable and timely performance. In comparison, the reach survey of the control room indicated that Calvert Cliffs was better than the other two. It had fewer switches and controls beyond the reach of the fifth percentile male standing at the control boards. Oconee was the worst offender with some 22 recorders and 74 switches and controls beyond 10 inches of the reach of the fifth percentile male. In the TMI-2 control room, 18 recorders and 41 switches were beyond the 10 inch measurement.

The parallax survey of the three plants focused on vertical meters in the primary area above the eye level of the fifth percentile male. Oconee was better than the other two, having only one indicator above the limit, while Calvert Cliffs had 75 indicators above the level; however, to minimize the parallax problem, all had mirrored scales and 25 of these had limit switches. TMI-2 had 115 vertical indicators above the eye level, none of which had mirrored scales or limit switches.

Depending on their mounting height, displays on the vertical panels can be obscured by the vertical portion of the bench board from viewing by an operator standing at the bench. To determine the degree to which displays are obscured, those displays below the sight of a fifth percentile male standing at the bench board looking directly at the vertical panels were counted. Calvert Cliffs and Oconee were better than TMI-2 in this regard. Calvert Cliffs had no obscured displays and Oconee had only two indicator lights which were obscured. In the Three Mile Island Unit #2 control room, there were 470 indicator lights which were obscured as well as a number of other switches and indicators.

It seems clear that the TMI-2 design gives less attention to the requirements for reach and visibility than either Calvert Cliffs or Oconee 3.

Under normal conditions, operators are likely to compensate for design inadequacies such as these.

However, under pressure, the operators may take risks with reaching and display reading due to time constraints that could create or compound the problem.

The three plants were also compared for the adequacy of the aids provided for the CRO such as labels, color coding, procedures, and the means to display the procedures provided to assist the operator in running the plant.

The Essex survey of control room labeling found significant and comparable deficiencies in all three plants. For example, labels were left off some components, not attached in any consistent order, and so poorly planned that 34 to 65 percent of the panel components needed backfits.

For all three plants, the survey study found:

"Deciding where to use colored lights seems to be a matter of tradition rather than reason...The "Christmas Tree" effect in the CR is overwhelming to the observer and must be distracting, and at times confusing, to the operator. The number of lights makes it virtually impossible to determine, with confidence, the status of any switch or system from across the control room, particularly if the component is benchboard-mounted."

In evaluating the color code practice, it was found that all three plants attached several meanings to each color used. In fact, the operator in many cases would have to know the specific component being observed to know how to interpret the color, since in many instances the colors have contradictory meanings.

A summary of the results of the Essex color survey is shown in Table _. As can be seen, the TMI-2 control room attached more meanings to each color than did either of the other two plants.

TABLE

NUMBER OF DIFFERENT MEANINGS GIVEN TO EACH COLOR

                  Red    Green    Amber
Calvert Cliffs     6       4        5
Oconee-3           4       3        4
TMI-2             14      11       11

In summary, Essex's limited review of the features that aid the operator in reliable and timely performance pointed to Calvert Cliffs 1 and Oconee 3 as superior in human engineering to TMI-2. Despite their good features, however, Oconee 3 and Calvert Cliffs 1 had some shortcomings and a detailed analysis would no doubt uncover more.

In light of the advancement in human factors in the aerospace industry at the time that the three plants were being designed, it appears that none took advantage of the technology available.

The limitation of the Essex study to the two additional nuclear power plants does not permit a conclusive decision as to the state of the nuclear power plant control rooms in general. Therefore, the EPRI study of five additional power plants was reviewed, as well as the Sandia Laboratories analysis of the Zion Nuclear Power Plant.

B. Evaluation of Additional Plants

1. EPRI Report NP-309

In November, 1976, the Electric Power Research Institute (EPRI) published a report, EPRI NP-309, of a 16-month study of five nuclear power plants. EPRI had contracted with the Lockheed Missiles and Space Company, Inc., of Sunnyvale, California, to conduct the study and write the report. The intent of the study was to uncover general problem areas where human factors guidelines could profitably be applied to the next generation of nuclear power plants. A secondary objective was to identify problems within existing power plants where minor modifications at low cost would upgrade the quality of the man-machine interface. A review of this study allows a better evaluation of the TMI-2 control room design in comparison with the state-of-the-art in the nuclear industry and permits a better evaluation of the nuclear power plant CR design.

The EPRI study made the following findings:

a. Control Room Design

The report concluded that insufficient attention is paid to the abilities and limitations of the operator in developing the control room configuration. Serious difficulty in the plants' normal and emergency operations resulted from the poor positioning of controls and instruments on back or remote panels requiring the operators to leave their primary operating station to utilize these controls or monitor these instruments. In addition, the study found illumination in four of the five plants was inadequate due to glare and reflections on instruments.

b. Control Board Design

In general, the control board designs were too large, requiring too great a visual and control span for the operators, and they were not optimized for minimum manning. Control boards had arrays of identical components which are not discriminated into clearly identified panels and subpanels containing related elements. Additionally, closely related controls and displays were often widely separated. Although some mimicking is provided by the designer, there usually is not enough to satisfy the operators so that some operators attempt to modify panels with tape to superimpose mimic logic.

c. Control Placement

Although no data on the physical dimensions of typical control room operators was available, the placement of instruments was too high or too low for convenience. This problem was predominant on the back panels and peripheral consoles. Foot stools and ladders were often required to permit the operators' reach and visual access to these controls and displays.

Placement of controls was found to make them susceptible to accidental activation. Adjacent controls having identical appearance, shape and texture but different functions can result in inadvertent operation. Some controls are placed in a manner which makes them susceptible to accidental contact and disturbance from operators and visitors to the control room.

d. Meters

Meters currently utilized in nuclear power plants have a tremendous potential for human factors improvements. The most common problems observed in the five plants examined were improper scale markings in association with scale numerals, selection of scale numeral progressions that were difficult to interpret, parallax problems resulting from placing the meters above or below eye level, meters that fail with the pointer reading in the normal operating band of the scale and glare and reflection from overhead illumination. The most serious problem observed in all of the plants was lack of meter coding to allow the operator to readily differentiate between normal, marginal and out-of-limits segments of the meter scale.

e. Annunciator-Warning Systems

All five control rooms were provided with an actuation warning system consisting of a horizontal band of hundreds of indicators spanning the uppermost segment of the control board. These systems were too complex and had become a catch-all for a wide variety of qualitative indicators compounding the difficulty to diagnose malfunctions as abnormal situations. When emergencies occurred, the excessively large number of indicators that were illuminated in concert with blaring horns, startle the operator and overload his sensory mechanisms rather than shed light on the problems at hand.

f. Indicator Lights and Color Coding

Indicator reliability is a problem in the nuclear power plant control display. There were a surprising number of burned-out single-lamp indicators at any given time. The replacement of these lamps was difficult and presented problems for the operator.

There are examples in the plants of negative indications (the absence of indication to convey information to the operator).

The control room designs under-utilize coding techniques that could help the operator discern plant status and prevent misidentification of control elements. Color codes have not been applied symmetrically and code meanings vary from panel to panel. Present coding of indicators tells the operator whether a valve is closed or open but does not convey any information as to whether the valve should or should not be closed.

g. Labeling

Labels were not placed consistently above or below the panel elements being identified which could result in misidentification of the panel element. Some labels were obscured by adjacent control levers. The best indication of labeling inadequacies is the extensive handmade labeling that operators add to the consoles to clarify identification of given controls or clarify its operation.

2. NUREG 766503, October 1975

The NRC contracted with the Sandia Laboratories to conduct a study of the Zion Nuclear Power Plant. The scope of the study was limited to the human factors problems associated with engineered safety panels in the control room and associated procedures for coping with a LOCA. The Sandia report was published as NUREG-76-6503 in October 1975.

Sandia Laboratories reported that in the Zion situation, as in other nuclear power plant stations we have visited, little attention was paid by the designers to the human engineering practices that have maximized reliable human performance in other complex systems.

The report lists the following design features which deviate from sound engineering practices and are regarded as error likely:

o Poor layout of controls and displays;

o Poor and inconsistent color philosophy;

o Too many annunciators;

o Too many exceptions to the go/no go coding scheme employed for rapid assessment of monitor panel status;

o Labeling which provides little or no location aid;

o Misleading labeling due to violation of populational stereotypes; and

o Insufficient labeling of valves.

It can be seen that the design problems existing at the Zion Plant are similar to those enumerated in the Essex report on TMI-2.

A broader base of investigation might be needed to compare TMI-2 with the state-of-the-art in the nuclear industry in the late 1960's, but from the limited study of Essex of three plants, the five plants studied by EPRI and the study of the Zion plant by Sandia Laboratories, it can be concluded that TMI-2 control room is representative of its contemporary nuclear plants, and that there is a serious human factor problem throughout the nuclear industry.

Human Factors Precursors

Introduction

Prior to March 28, 1979, accident precursors, in the form of reports of reactor instances, Congressional testimony, and correspondence, contained warnings that an accident of the type that occurred at TMI-2 could happen. Another chapter of this report addresses precursors relating to the design and function of the TMI-2 reactor. This section addresses those precursors relating specifically to the "human factors" application in control room design, operator training, emergency procedures and the issue of the man-machine interface.

This discussion and analysis documents the fact that, before the accident, the NRC and the industry had been alerted to the "human factors" problems, many of which existed at TMI-2.

Evaluation of Incidents of Primary Coolant Release from Operating Boiling Water Reactors. WASH-1260

In May 1972, the Atomic Energy Commission appointed a seven member study group[1] under the auspices of the Office of Operations Evaluation to conduct an evaluation of incidents involving the unintentional discharge of significant release of reactor coolant from the primary coolant system operating nuclear power plants. Of 50 reported inadvertent releases or leakages, the study group identified and studied eight. On October 30, 1972, the AEC published the study group report WASH-1260.

The study group made many findings and recommendations, several of which dealt with control room design, manning of the control room, operator training, operating procedures and feedback of operational experience.

Control Room Design

The study group found that insufficient consideration has been given to displaying information on control panels and to the location of controls in relation to each other, particularly when only one operator is required in the control room during operation.[2]

The group recommended that the industry develop control panel and control room design standards or guides that address the human engineering aspects of reactor operation during abnormal operating occurrences.[3] The report discussed the need for further consideration, during the control room design phase, for the instrumentation and controls and their layout, taking into consideration the number of operators, the information required by them to rapidly diagnose and take proper corrective action in response to unusual occurrences, and other human engineering aspects of plant control system design.[4] The study group made specific recommendations addressing the instrumentation needed to provide the operator with the information essential to reaching proper operating decisions during transients and postulated accidents.[5]

Control Room Manning

The regulation requires that only one licensed operator be on duty in the control room during operation. In view of this requirement and the fact that more than one licensed operator was on duty in each instance, the study group found that the number of personnel in the control room was not a factor. It was pointed out that the General Electric Company recommended that the power plant be manned by "a shift supervisor on site and two qualified reactor operators in the main control room."[6]

The study group recommended that a guide be developed to assist in evaluating the number of reactor operators needed to cope with anticipated transients.

They listed the criteria to be taken into' account in determining the size of the control room staff.

They further recommended that utilities of currently operating plants and applicants for new plants should be required to evaluate their control room manning needs based on the enumerated criteria.

Personnel Training

It was found that the training and experience of the reactor operators in the eight incidents studied appeared to be adequate and met the AEC guides and standards.[8] They also found, however, that the transients studied tended to be aggravated and prolonged by operator actions. The study group felt that one of the causes for this could have been insufficient training.[9]

It was recommended that the licensees and applicants should, to the extent practicable, use simulators to train and evaluate operator performance and verify the adequacy of operating procedures. Simulators should also be utilized to evaluate operator performance and adequacy of training during operator licensing.[10]

Additionally, the report contained a recommendation that licensees and applicants for licenses be required to submit plans and schedules for training of technicians and repairmen engaged in the testing and maintenance of safety related systems and components.[11]

Operating Procedures

During the incidents studied, a number of deviations from operating procedures and technical specifications were experienced.[12] The report indicated that operating procedures were either incomplete or deficient for coping with anticipated transients and although some improvements had been made, further improvements were needed.[13]

Feedback of Operational Experience

The report indicated that there was insufficient information available to determine whether incident reports were disseminated between facilities in a timely manner or whether corrective action was taken or planned to minimize the probability of recurrence in the plant where the transient occurred.[14]

The study group made a number of recommendations regarding reporting and dissemination of operating experience. It recommended that a system be developed and implemented to fully inform licensees of incidents and unusual occurrences. It further recommended that an incident reporting guide be developed by the AEC, and enumerated specific information to be reported.[15] Finally, it recommended that regulatory policies and procedures be revised to identify more clearly the responsibility for review, decision making, investigation and documentation with respect to incidents and unusual occurrences.[16]

On November 28, 1972, the Director of Regulation, in a memorandum to three directors, indicated that the recommendations of WASH-1260 are to be implemented by the appropriate Regulatory Directorates.[17]

Some actions were taken to implement the recommendations of WASH-1260, including the following:

1. The NRC contracted with Sandia Laboratories to conduct a study of human factors problems of the Zion Nuclear Power Plant.[18] This will be discussed in Section VI of this report.

2. The AEC interacted with industry to develop industry standards for control room displays.[19] However, to date these standards have not been endorsed by the NRC.

3. Incident and abnormal occurrence reporting requirements underwent evolutionary changes regarding reporting times and information requirements; however, the details and mechanism for utility review of events at other facilities do not appear to have been addressed by the NRC regulations. Furthermore, circumstances surrounding the handling of the 1977 incident at the Davis Besse plant indicate the existing process fell short of the recommendation.[20]

4. Regarding information available to the operator at a nuclear power plant during and subsequent to a transient or accident, the NRC has written Regulatory Guide 1.97 "Instrumentation to Follow the Course of an Accident." However, as of March 28, 1979 this standard had not been fully implemented in either old plants or those undergoing licensing review.

5. Reactor simulators have found widespread use. However, the recommendations of WASH-1260 in the area of simulators have not been implemented; i.e., the NRC has virtually no requirements regarding simulators. They are not used to evaluate reactor operators' performance; they are not generally used to verify operating procedures for coping with anticipated transients;[21] the NRC examiners seldom observe and evaluate operators on the simulator for their licensing examination, and receive only scant information regarding specific operators' performance. Furthermore, the licensees do not use the simulator as a basis for modifying operating procedures or for evaluating the need for operator training or retraining.

Human Performance March 13, 1975, Memorandum from Hanauer to Commissioner Gilinsky

On March 13, 1975, Dr. Stephen H. Hanauer, Technical Advisor to the Executive Director for Operations of the NRC, initiated a memorandum to Commissioner Gilinsky to which he attached his views on important technical reactor safety issues facing the Commission and reactor safety policy issues. In his list of technical reactor safety issues, Hanauer addressed the subject of human performance, stating:

"Present designs do not make adequate provision for the limitations of people. Means must be found to improve the performance of the people on whom we depend and to improve the design of equipment so that it is less dependent on human performance...

"The relative roles of human operation and automation (both with and without on-line computers) should be clarified. Criteria are needed regarding allowable computerized safety-related functions and computer hardware and software requirements for safety-related applications."[22]

At the time of the TMI-2 accident, no substantive action had been taken by the NRC as a result of this memorandum addressing the human performance issue. No criteria have been developed by the NRC regarding the roles of human operation and automation or computer _s i e e for the operator.

Hearings before the Joint Committee on Atomic Energy, Congress of the United States, February 18, 23, and 24; and March 2 and 4, 1976

Three former General Electric employees, Dale G. Bridenbaugh, Richard B. Hubbard and Gregory C. Minor (BH&M) testified before the Joint Committee on Atomic Energy citing numerous examples of human factor deficiencies in the nuclear power industry. They pointed to numerous examples of incidents resulting from human error which could have resulted in major accidents. To minimize these errors, they made specific recommendations in the area of control room design, the availability of up-to-date simulators and their utilization for more frequent training of control room operators, the adequacy of operational and maintenance procedures and the training of operators to use these procedures.

The NRC, on March 2, 1976, testified before the Joint Committee, rebutting the testimony of BH&M. The NRC concluded that nuclear reactors are designed to keep the likelihood of operator errors relatively low and took issue with the statement that the human error which has occurred "has seriously jeopardized plant and public safety," because "... the engineered safety features, redundant systems and containment design features have always, singly and in combination, been available to protect plant and public safety."[23]

BH&M testified that improvements in control room design were one method of reducing the likelihood of human error. They noted the complexity of nuclear power plant control rooms, the differences in control room layout throughout the industry and the utilization of mirror images in common control rooms for two nuclear units. They also maintained that "Standardization of control rooms is a vital element of safety..."

The NRC response supported standardization in general but claimed that standardization of control rooms and controls and displays had not been demonstrated to have a significant impact on operator performance.[24] The NRC testimony also pointed to studies sponsored by the NRC and industry to evaluate control room design and indicated that the IEEE was developing a standard guide for design and control facilities for control rooms.[25]

In discussing control room design, the NRC stated that due to the automatic initiation of the engineered safety features, the consequences of an accident are mitigated and the only function of the operator is to assure that these systems function properly and initiate any action which failed to occur. It therefore concluded that "... the control room design arrangement or operator-process interface is not as critical (or vital) to safety as may be inferred from the February 18, 1976 testimony."[26]

The NRC did, however, recognize the importance of human engineering principles, control room design standardization and optimal arrangement of design to minimize the probability of human error.[27]

BH&M testified that providing up-to-date simulators and more frequent training of operators is another method of reducing the likelihood of human error. Specifically, they indicated that the existing simulators were outdated and did not represent the control philosophy which has evolved over the last ten years. Additionally, they questioned the ability of the operator to remember the accident procedures through time without very frequent update, indicating that retraining periods are too infrequent to keep the operator aware of his special procedures under accident conditions.[28]

In response, the NRC disagreed with the contention that the simulators are outdated for training programs, pointing out that the design philosophy for data display and plant control for operating plants and those in the operating licensing stage of review is very similar to the design philosophy of existing nuclear power plant simulators.[29]

The NRC pointed out that there was no requirement for simulator training and if simulators are used the operator is also trained at the plant for which he seeks his license. The NRC testified that it assures that transition from simulator to plant has been made by the trainee through examination at the facility for which the individual seeks a license.[30]

The NRC agreed that it is unrealistic to expect the operator to remember details of accident procedures over a long period of time. In 1973, the NRC promulgated an amendment to 10 CFR 55 by adding an Appendix A, Requalification Programs for Licensed Operators of Production and Utilization Facilities. This program requires periodic review of all abnormal and emergency procedures. The NRC has not conducted any tests nor are they aware of any tests by others to determine how long an operator is able to retain procedural details.[31]

BH&M further testified, "Most human errors in reactor plants result from one of two causes: inadequate procedures or insufficient knowledge of existing procedures."[32] They recommended that the NRC review operational and maintenance procedures to ensure adequacy of both scope and content and that it step up its surveillance of training processes to ensure that the procedures are fully understood and implemented.[33]

The NRC responded that guidance in the preparation of procedures is provided to the applicant in Regulatory Guide 1.33 which incorporates industry standards. It pointed out that the utility plans are reviewed to assure compliance with this guide and that NRC inspectors conduct an audit of the detailed procedures to assure their completeness prior to the issuance of an operating license.[34] Review and approval of procedures and amendments thereto is conducted by utility management according to the NRC testimony.[35]

The NRC testified that training programs are reviewed to ensure that all personnel receive satisfactory training on all procedures appropriate to their respective job classification and responsibility. Additionally, the requalification program includes lectures on procedures, annual written examinations which include a section on procedures, requirements for licensed individuals to review procedure changes, and an evaluation by supervisors of licensed individuals to assure proficiency in plant procedures.[36]

In reviewing the foregoing testimony, the SIG staff believes that it provides a useful insight into the NRC's attitude towards human factors in relation to nuclear reactor safety. In essence, the NRC staff's response is that operators are well trained, there have been no serious accidents, and that automated systems can be depended upon to assure plant and public safety. Other than the fact that there were ongoing studies in the area of human factors application to control room design, the NRC did not develop programs responsive to the BH&M recommendation because the agency maintained human error was not a danger to safe operation of nuclear power plants.

Although the NRC stated that it would implement the recommendations resulting from the aforementioned studies, virtually none of these recommendations for improvement in control room design, operator training and procedure improvement have been implemented by regulations as of March 28, 1979.

"Preliminary Human Factors Analysis of Zion Nuclear Power Plant" NUREG 76-6503, October 1976

The NRC contracted with the Sandia Laboratories to conduct a study of the Zion nuclear plant. The scope of this study was limited to the human factors problems associated with engineered safety panels in the control room and associated procedures for coping with a LOCA. The NRC published the Sandia report in October 1976.[37]

The report contained a number of significant conclusions and recommendations for improvement, from a human factors standpoint, in the Zion plant which are equally applicable to other nuclear power plants. It was found that the control panels and other man-machine interfaces deviated from accepted human engineering standards and increased the probability of human error. Improvement in human performance could be achieved by relatively minor and inexpensive changes to the control room, practicing for emergencies, and changes in format and content of written procedures. The report concluded that industry-wide standards covering all aspects of human reliability could serve to materially improve the impact of human performance on system availability and safety.[38]

The study found that the major human engineering problems fell into seven major areas:

o Poor layout of controls and displays
o Poor and inconsistent color philosophy
o Too many annunciators
o Too many exceptions to the go/no go coding scheme employed for rapid assessment of monitor panel status
o Labeling which provides little or no location aid to controls and displays
o Misleading labeling due to violation of populational stereotypes
o Insufficient labeling on valves[39]

The report also pointed out that the human factors problems uncovered in the study were not peculiar to the Zion Nuclear Power Plant. Previous visits to other plants by the same investigators revealed similar human factors problems in each plant.[40]

The report contained the following four recommendations for consideration by the NRC:

1. "Investigate the need for additional human factors data, and develop, on an exploratory basis, a method for acquiring the necessary information. Part of the study should be the determination of what level of information is needed. Whatever level of human error data collection system is deemed necessary, the suggested study should include the procedures and data forms for collecting human performance information.[41]

2. "Develop the procedures and format for incorporating human performance information (as determined in above item) into the NPRDS.[41]

3. "Perform a complete human factors analysis at the Zion Plant (that is, expand the present preliminary analysis) to:

- Identify all major error-likely situations related to the safeguards systems.
- Estimate the relative likelihood of human errors and associated recovery factors for those errors identified as important by the reliability models.
- Provide recommendations (based on the above) for improving human reliability at the Zion (and similar) plant(s) and for design of future plants.
- Develop a procedure for a human factors analysis of nuclear power plants which could be used during all phases of design and development to improve human reliability consistent with other systems engineering requirements.[41]

4. "Upon satisfactory completion of item 3 above, develop industry-wide standards for human engineering of equipment, written procedures, operating methods, and onsite training and practice provisions in nuclear power plants to insure the highest levels of human reliability consistent with other system requirements."[42]

We found that the human factors problems identified in this study are similar to those identified in other studies that predate the TMI-2 accident* and those found in subsequent studies by ESSEX Corp.

On August 24, 1976, the Chairman of the NRC, Marcus A. Rowden, wrote to the Honorable Virginia H. Knauer, Special Assistant to the President for Consumer Affairs. In his letter Chairman Rowden stated in part, "We believe that human error analyses must not be neglected and indeed a special research review group on human error assessments has been established to coordinate and expedite our efforts. Programs are underway to systematize human error analysis and human error data evaluations through contracts, including that with Dr. Swain at Sandia Laboratory. If the results of these programs or actual experience with operating reactors indicate situations in which equipment design or operator interfaces should be improved, we will, in accordance with our statutory responsibilities and our implementing review procedures, require changes to the design or operation of the plants as required."

* See Section VIII of this report.

To date, virtually none of the report's recommendations have been implemented. It should be noted that even though the 1976 Sandia report on the Zion plant found that minor inexpensive improvements would enhance plant safety and operations, to our knowledge not one has been implemented, and as of March 28, 1979, none had been planned for implementation.

Plan for Research to Improve the Safety of Light Water Nuclear Power Plants, NUREG-0438

On April 12, 1978, the NRC made its first annual report to Congress on its recommendations for research on improving the safety of light water nuclear power plants. Among the recommendations was one dealing with improved in-plant accident response. The research recommendation covered operator response during an accident situation, information available to the operator on plant status, operator training and procedures, and human response under stress conditions. It was proposed that the research include not only operators in the control room, but also personnel involved in the testing and maintenance of the plant. It was pointed out that analyses have shown components may be left in an unavailable state by test and maintenance personnel through carelessness, improper training, use of improper procedures or failure to follow procedures.[43]

The proposed research would encompass computerized processing of data, control room layout and data presentation and attention to human factors in the design of annunciators, warning lights and display panels. This research project was assigned a high priority by the NRC report because of its high potential for risk reduction and its low cost. The report proposed a project to review studies completed and in process on the following topics to establish the need for further research:[44]

o Human error in testing and maintenance.
o Monitoring and diagnostic systems to assist the operator under accident conditions.
o Operating and emergency procedures for responding to accident situations.
o Improved use of simulators in studying operator response to accident situations and for related training.
o Man-machine interface, information presentation, pattern recognition, control room design, and automatic controls for safety systems.
o Human initiation of accidents.

This research project was scheduled to start up in early FY 1980. The TMI-2 accident reinforced the need for high priority which resulted in accelerating the project initiation to the end of FY 1979.

The SIG staff noted that the purpose of this research project was to identify new areas for research in human factors while ignoring the large body of information being utilized by other industries which could be readily adaptable to the nuclear power plant industry.

1978 Review and Evaluation of the Nuclear Regulatory Commission Safety Research Program, NUREG-0496

In December 1978, the Advisory Committee on Reactor Safeguards sent to the Congress its evaluation of the NRC safety research program. This evaluation recommended research be conducted on a high priority basis in the area of the man-machine interface. Such research would include an examination of the potential for and consequences of human errors. Furthermore, the ACRS recommended exploration of computer-controlled automation in the control room and that control room equipment emphasize diagnostic information that would simplify decision making. The ACRS indicated that along with development of advanced computers and graphic displays for the control room by industry, independent NRC research is necessary, i.e., research to support the "licensing review" of the advanced control room designs and to develop criteria, guides and standards. ACRS also recommended that the NRC conduct a more systematic review and evaluation of operational experiences at U.S. and foreign nuclear power plants.

Analysis of the TMI-2 accident, in our opinion, has highlighted the importance of the application of human factors principles to control room design, operator training and procedures. Although additional research in this area may be justified, the time has come to write standards and modify existing and new power plant control room design, procedures and training programs.

Other Precursors

In addition to the precursors discussed previously, others should be mentioned. The Electric Power Research Institute (EPRI) has sponsored a number of research projects to evaluate the application of human factors in control room design. One such report is EPRI NP-309 of November 1976, which describes a study conducted by the Lockheed Missiles and Space Company, Inc. of Sunnyvale, California. Lockheed evaluated five recently operational nuclear power plants using human engineering expertise and standards developed in other industries.[45]

The report discusses various deficiencies found in the five plants studied. The findings are typical of those in the precursors discussed earlier. These include lack of attention to control room design, poor designs of individual control panels, inappropriate placement of instruments and controls, unreliable indicators and use of negative indications, complexity of the annunciator-warning systems, underuse of proven coding techniques and inconsistencies in labeling.

The EPRI report concluded that:

"As first priority, a detailed set of applicable human factors standards must be developed and industry-wide acceptance should be promoted... In addition to a comprehensive set of standards, a need is perceived for human factors engineering design guides specific to the needs of the nuclear power industry."[46]

Another study, "Human Engineering of Nuclear Power Plant Control Rooms and its Effects on Operator Performance," prepared for the NRC by the Aerospace Corporation of El Segundo, California, was published during February 1977 as Aerospace Report No. ATR-77(2815)-1. The Aerospace Corporation evaluated the effects of human engineering on operator performance in the control room. It specifically examined what Aerospace considered to be the three general groups of factors which influence operator performance in fulfilling their responsibilities in the control room:[47]

o Control Room and Control System Design
o Operator Characteristics
o Job Performance Guides

In conducting its study, the Aerospace Corporation's study group visited ten facilities containing eighteen control rooms and three control room simulators.[48]

As a result of its study, Aerospace Corporation made three recommendations to NRC:

1. Development of a Regulatory Guide to provide directions to the utilities in human engineering of control rooms; the guide should be designed to encourage an increased rate of incorporation of advanced control and display concepts.[49]

2. A thorough analysis of LER data on personnel errors to establish meaningful cross-correlation of results of plant status in relation to licensing at the time of the accident, operational power levels, equipment and control elements involved, event significance, radioactivity release, etc.[50]

3. A detailed study of the programmed malfunctions provided in the software routines of current simulators to determine whether they have the capability to provide student operators with the level of training needed to minimize operator errors under conditions of severe stress. It was further recommended that the study evaluate the effectiveness of operator training in severe accidents on a simulator that does not realistically model the control board layout of the plant for which the operator is to be licensed or relicensed.[51]

The SIG staff found that virtually no action had been taken by the NRC to implement these recommendations.

[1] WASH-1260, Appendix A
[2] WASH-1260, page 43
[3] WASH-1260, page 44
[4] WASH-1260, page 29
[5] WASH-1260, page 43
[6] WASH-1260, page 27
[7] WASH-1260, page 44
[8] WASH-1260, page 28
[9] WASH-1260, page 28
[10] WASH-1260, page 43
[11] WASH-1260, page 42
[12] WASH-1260, page 28
[13] WASH-1260, page 43
[14] WASH-1260, page 44
[15] WASH-1260, page 45
[16] WASH-1260, page 46
[17] Memorandum from L. M. Muntzing, Director of Regulation, to F. E. Kruesi, Director of Regulatory Operations, J. F. O'Leary, Director of Licensing, and L. Rogers, Director of Regulatory Standards. Subject: Implementation of Recommendations of the Regulatory Study Group, dated November 26, 1972.
[18] NUREG 76-6503, October 1976
[19] IEEE 566
[20] Reference precursor section in SIG

[21]
[22] Page 2 of Attachment "Technical Issues..." to Memorandum from S. H. Hanauer, Technical Advisor EDO, NRC to Commissioner Gilinsky, NRC, Subject: Technical Issues, dated March 13, 1975.
[23] Report of J.C. on AEC Hearing, page 913
[24] Report JC on AEC Hearing, page 929
[25] Report JC on AEC Hearing, page 930
[26] Report JC on AEC Hearing, page 930
[27] Report JC on AEC Hearing, page 930
[28] Report JC on AEC Hearing, page 554
[29] Report JC on AEC Hearing, page 934
[30] Report JC on AEC Hearing, page 935
[31] Report JC on AEC Hearing, page 936
[32] Report JC on AEC Hearing, page 555
[33] Report JC on AEC Hearing, page 556
[34] Report JC on AEC Hearing, page 937
[35] Report JC on AEC Hearing, page 938
[36] Report JC on AEC Hearing, page 938
[37] U.S. Nuclear Regulatory Commission: Preliminary Human Factors Analysis of Zion Nuclear Power Plant (NUREG 76-6503), October 1975
[38] NUREG 76-6503, page 3
[39] NUREG 76-6503, page 6
[40] NUREG 76-6503, page 1

[41] NUREG 76-6503, page 10
[42] NUREG 76-6503, page 11
[43] NUREG-0438, page 23
[44] NUREG-0438, page 42
[45] EPRI-NP-309, page v
[46] EPRI-NP-309, pages 1-28
[47] ATR-77(2815), page 1-1
[48] ATR-77(2815)-1, Table 1-1
[49] ATR-77(2815)-1, page 7-13
[50] ATR-77(2815)-1, page 7-14
[51] ATR-77(2815)-1, page 7-15