ML20035D862
| Person / Time | |
|---|---|
| Issue date: | 08/13/1992 |
| From: | Kerr W, Lewis H, Advisory Committee on Reactor Safeguards |
| To: | Advisory Committee on Reactor Safeguards |
| References | ACRS-2807, NUDOCS 9304140064 |
| Download: | ML20035D862 (14) |
CERTIFIED BY: H. Lewis - 8/5/92, W. Kerr - 8/13/92
DATE ISSUED: 6/22/92
SUMMARY MINUTES OF THE JOINT MEETING OF THE ACRS SUBCOMMITTEES ON COMPUTERS IN NUCLEAR POWER PLANT OPERATIONS, INSTRUMENTATION AND CONTROL SYSTEMS, AND HUMAN FACTORS
MARCH 4, 1992
BETHESDA, MARYLAND

Introduction
The ACRS Subcommittees on Computers in Nuclear Power Plant Operations, Instrumentation and Control Systems, and Human Factors held a joint meeting on Wednesday, March 4, 1992, in Room P-110, 7920 Norfolk Avenue, Bethesda, Maryland.
The main purpose of this meeting was to discuss control room designs, the design process, and associated human factors issues.
The entire meeting was open to public attendance.
Mr. Herman Alderman was the Cognizant ACRS Staff Engineer for this meeting.
A list of documents submitted to the Subcommittees is included in Attachment A, and a copy of the presentation schedule for the meeting is included in Attachment B.
Attendees:
Principal meeting attendees included:

ACRS
H. Lewis, Chairman, Computers in Nuclear Power Plant Operations Subcommittee
W. Kerr, Chairman, Instrumentation and Control Systems Subcommittee
J. Carroll, Chairman, Human Factors Subcommittee
I. Catton, Member
C. Michelson, Member
D. Ward, Member
C. Wylie, Member
H. Alderman, Cognizant ACRS Staff Engineer

ACRS Consultants
P. Davis
C. Gimmy
W. Lipinski
B. Wood

Principal Speakers
EPRI: D. Harrison, MPR Associates
ABB-CE: K. Scarola
Westinghouse: P. Morris
SEI: W. Wood
NRC: S. Arndt, S. Newberry, J. Joyce, J. Wermiel, F. Coffman

Executive Session
Dr. Lewis convened the meeting at 8:30 a.m., and stated that this is one of a series of meetings dealing with the impact of computers and digital technology on nuclear power plants.
He noted that during the meeting control room design and associated matters will be discussed. He said that the Subcommittees have received neither written comments nor requests for time to make oral statements from members of the public.
CONTROL ROOM DESIGN AND TESTING
Mr. D. Harrison, MPR Associates (representing EPRI)
Mr. Harrison pointed out how the control rooms for the Advanced Light Water Reactor (ALWR) plants differ from those for current plants.
The workstations will be compact.
Controls and displays will be predominantly electronic.
An overview of key quantities and alarms will be presented to all the people in the control room.
The operating procedures will be presented electronically.
He discussed the benefits of the new control rooms.
He said it will reduce unproductive and extraneous operator movement around the control room.
It will provide a better way to collect related information for a variety of plant conditions.
It will improve team performance in the control room.
The controls and displays would be arranged in a more logical manner.
The arrangement will assist the operator to integrate and cross-check information.
The operating procedures will be integrated with the control room design.
In response to a question by Mr. Michelson whether the compact workstations are compatible with team performance, Mr. Harrison said that it should improve team performance because the team will be in close proximity to each other.
In response to an inquiry by Dr. Kerr whether the operating procedures were to be written by someone other than the utility, Mr. Harrison said that such procedures came as part of the design.
Mr. Harrison noted that the functions and tasks are an inherent part of the design.
The functions are allocated between the operators and the control systems.
Mr. Lipinski, ACRS consultant, commented on the operating procedures display system.
He talked about the Savannah River system called "diagnosis of multiple alarms."
The most probable sequences were selected.
As alarms come in, they are diagnosed and a display is given to the operator as to a recommended course of action.
Mr. Gimmy, ACRS consultant, discussed another version.
Each operation allows certain menus. The menu specifies things that are legal to do in black and these can be printed.
Things that are not legal to do are in grey and cannot be printed.
This allows the useful information to be retrieved without being bogged down in the entire procedure.
Mr. Harrison noted that the procedures will contain operating values as well as the operating procedures.
This will save time for the operator who would otherwise look up the values.
He said that substantial testing will be required.
This would include mock-ups, simulation, and prototypes.
The technology is new and it is important to do a good job of testing.
In response to a question by Mr. Davis, ACRS consultant, whether the EPRI Requirements Document specifies any criteria or philosophy for use by the designer in deciding whether something should be automatically or manually controlled, Mr. Harrison replied in the affirmative.
Mr. Michelson asked whether his understanding that the EPRI requirements were for automatic operation for up to 30 minutes following an event was correct.
Mr. Harrison replied that you don't have to count on operator action for the first 30 minutes, which is longer than the current requirements.
Mr. Harrison said one objective is to try to reduce significantly the testing burden on the operators.
This will be done by self-testing of systems and automation of sequences of some testing.
He said that there are requirements on configuring of systems and coping with failures and segmentation and separating systems.
The objective is not to have failures that could turn out to be catastrophic as far as the operator is concerned.
The aim is to build some flexibility in the systems so they can be changed in the future without tearing up and reconfiguring the system.
In response to a question by Mr. Davis if there were any requirements for control and monitoring during shutdown conditions, Mr. Harrison said that it would be handled through normal functions.
Dr. Kerr asked how many layers are there between utility people at the working level in the development and monitoring of these requirements.
Mr. Harrison said that the utilities have a steering group consisting of executives of utilities.
They deal directly with their working level people.
The program also has working level people from some of these utilities.
NUPLEX 80+ CONTROL ROOM KEY DESIGN BASES & FEATURES
Mr. D. Harmon, ABB-CE
Mr. Harmon said that NUPLEX 80+, an advanced control complex, is being designed for the evolutionary System 80+ plant.
He said that the NUPLEX 80+ design is evolutionary and not revolutionary.
He said they have tried to take advantage of current technology to improve the design.
The NUPLEX 80+ System provides validated information to the operator to make his decisions so that he doesn't have to verify the information before he uses it.
There are multiple signals for information or multiple inputs for computer information.
The computer validates the information.
Also, computers are used to validate and eliminate the nuisance alarms.
Information overload is reduced by using selected displays and controls, and using computers to do data reduction and prioritization of both information and alarms for the operator.
The operator has a clear picture of the information that he needs to perform the tasks that are required.
Mr. Harmon pointed out that one of the key tenets in NUPLEX 80+ is not to use backup instruments.
Instruments that provide information during accidents are the same instruments used during normal operations.
The instrumentation that is used normally is also used during equipment failures.
The objective is to avoid having the operator using unfamiliar instrumentation.
There was a considerable amount of discussion about whether the Design Acceptance Criteria (DAC) approach would be used for certification of the System 80+ design.
Mr. Harmon said that they would like to minimize the use of DAC.
He noted that he thought it is important to get the design certified without a lot of loose ends.
Dr. Kerr asked if there were concerns about freezing the design.
Mr. Harmon replied that they could accept freezing the design and still have the flexibility to incorporate the technology without changing the design.
Mr. Harmon discussed the bases for the control room design.
A single operator is able to control the plant from hot standby to full power in accordance with the EPRI Requirements Document.
The utilities are not expected to use this capability but the design has this provision.
The minimum number of operating staff during post-trip and emergency operations is three, including one supervisor and two reactor operators.
Mr. Harmon noted that one of the bases for NUPLEX 80+ is to validate data before it is displayed or used for control.
Information is provided that the operator needs for his tasks and extraneous data is screened.
This is done through validation algorithms that look at each of the sensors, throw out bad data, then calculate an average based on the remaining valid sensors.
Alarms are also provided so the operator will realize he has a sensor problem as opposed to a process problem.
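The validation scheme just described (look at each redundant sensor, throw out bad data, average the survivors, and alarm a sensor problem separately from a process problem), worked through as an added example. This is not ABB-CE's NUPLEX 80+ code; the channel names, instrument range, agreement tolerance, process setpoint and the particular rejection rules are constructed assumptions.

```python
"""Added illustration of the NUPLEX 80+ validation idea: inspect each
redundant channel, discard readings that fail validation, average the
survivors, and flag a sensor alarm separately from a process alarm so
the operator can tell the two apart.

Not ABB-CE code. Channel names, instrument range, agreement tolerance
and process setpoint below are constructed assumptions."""
from dataclasses import dataclass, field
from statistics import fmean, median
from typing import Dict, List, Optional


@dataclass
class Reading:
    channel: str
    value: float
    quality_ok: bool = True   # self-test / hardware status delivered with the sample


@dataclass
class Validated:
    value: Optional[float]                  # validated value for display/control
    used: List[str] = field(default_factory=list)
    rejected: Dict[str, str] = field(default_factory=dict)   # channel -> reason
    sensor_alarm: bool = False              # at least one channel was rejected
    process_alarm: bool = False             # validated value exceeds setpoint


def validate(readings, lo, hi, agree_tol, process_hi):
    """Validate one plant parameter from its redundant channels.

    lo/hi       instrument range; readings outside it are not believable
    agree_tol   maximum deviation from the median of the surviving channels
    process_hi  process setpoint, checked only against the validated value
    """
    result = Validated(value=None)
    candidates = []
    for r in readings:
        if not r.quality_ok:
            result.rejected[r.channel] = "bad quality flag"
        elif not lo <= r.value <= hi:
            result.rejected[r.channel] = "out of instrument range"
        else:
            candidates.append(r)

    if len(candidates) >= 3:
        # With three or more channels the median is a robust reference:
        # a single stuck or drifting channel cannot move it.
        mid = median(r.value for r in candidates)
        survivors = []
        for r in candidates:
            if abs(r.value - mid) > agree_tol:
                result.rejected[r.channel] = "disagrees with redundant channels"
            else:
                survivors.append(r)
        candidates = survivors
    elif len(candidates) == 2 and abs(candidates[0].value - candidates[1].value) > agree_tol:
        # Two disagreeing channels cannot be arbitrated; trust neither and
        # leave the displayed value blank rather than show a guess.
        for r in candidates:
            result.rejected[r.channel] = "ambiguous disagreement"
        candidates = []

    result.used = [r.channel for r in candidates]
    result.sensor_alarm = bool(result.rejected)
    if candidates:
        result.value = fmean(r.value for r in candidates)
        result.process_alarm = result.value > process_hi
    return result


# Constructed sample: four redundant pressure channels, one stuck low.
SAMPLE = [
    Reading("PT-A", 2250.0),
    Reading("PT-B", 2252.0),
    Reading("PT-C", 2248.0),
    Reading("PT-D", 1600.0),   # failed channel
]

if __name__ == "__main__":
    v = validate(SAMPLE, lo=0.0, hi=3000.0, agree_tol=25.0, process_hi=2350.0)
    print(v)   # value 2250.0, PT-D rejected, sensor alarm on, process alarm off
```

Because the setpoint is compared only against the validated value, a single failed channel raises the sensor alarm without also raising a spurious process alarm, which is the distinction the minutes describe.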
He discussed the integrated process status overview (IPSO).
This provides a concise display of the alarms related to critical functions.
There are 12 critical functions.
Related to each of the critical functions are plant systems (success paths) which maintain the critical functions.
Indications of the success paths are displayed, along with system operating status and any related alarms.
Also provided are key parameters related to the critical functions.
He discussed computerized procedures.
He noted that CE decided not to use computerized procedures.
Written procedures are used which are supported by the display system.
The decision to use written procedures was based on the requirement to have a hard copy backup in the control room.
Having a computerized procedure would violate the philosophy of no backups.
He mentioned that computerized procedures may be considered in the future if there is sufficient customer interest.
He discussed the design process.
He noted that the man-machine interface was divided into two aspects:
determining how information is going to be displayed or how controls will be managed; and then determining what this information or controls will be.
Multidiscipline reviews of these approaches were performed and this information was fed back into the design.
A functional task analysis was performed on the System 80+ plant where the plant design was decomposed into functions.
These functions were looked at from the operators' standpoint to determine information and controls requirements.
The task analysis report was used to develop man-machine interface designs.
MAN-MACHINE INTERFACE SYSTEM DESIGN PROCESS
Mr. J. Carrera, Westinghouse
Mr. Carrera discussed some of the goals of the design process.
He noted that the overall role of the man-machine interface is to try to develop an interface which results in fewer human errors.
There were three aspects that Westinghouse focused on in the design process:
- The first dealt with the determination of the knowledge and the skills required for the operator to perform as an expert.
- The second goal was to improve the problem solving / decision-making performance of the operating crew by using effective human factors.
- The third goal is to be able to measure the effectiveness of the system.
Mr. Carrera discussed "first of a kind engineering" where they identify the system functional requirements and system specifications.
These are used as inputs to a function based task analysis.
The task analysis combines the operating tasks expected of the operating crew with a model of the plant to perform the task analysis.
The task analysis is used to generate functional requirements which the system engineers can turn into implementation documents or specifications.
Mr. Carrera discussed briefly the alarm management system.
The alarm messages are specific to individual operating conditions.
The alarms are prioritized to present appropriate information to the operator.
The alarm would alert the operator when an instrumentation setpoint is exceeded.
He discussed teamwork as defined responsibilities for each team member.
Teamwork arises when they pool their resources whenever there are decision-making tasks that are not clearly identified by the procedures provided in the control room.
Mr. Carrera discussed the computerized procedures (COMPRO) system.
He noted that this system automates the procedure tracking function; it guides the user step by step through the procedures while it monitors the plant data.
The system acquires real time data from the plant information system and presents it to the operator with the procedure.
In addition, parallel information is presented about other plant conditions.
Mr. Carrera said that design reviews would be performed as part of the normal systems engineering process. Testing for validation and verification would be done as required.
The overall design would be validated based on functional requirements.
DEVELOPMENT OF SAFETY CRITICAL SOFTWARE
Mr. W. Wood, Software Engineering Institute
Mr. Wood said that there are two types of safety critical systems.
One is called ultra reliable systems.
The ultra reliable systems cannot be shut down.
The second is a shut down type.
The shut down system is the final protection.
It has to take care of unanticipated conditions.
He said that large scale systems are not reliable.
They cannot be built so that you really believe they work.
What must be done is to choose some portion of the system that must be trusted.
In most shutdown systems, you use the portion that is going to protect your safety systems and shut down the plant if it detects some hazardous conditions.
He noted that this portion must be rigorously developed.
He pointed out that faults cannot always be detected by tests.
If you don't have the right test at the right time, you might not detect the fault.
He pointed out that you get safety by doing extensive testing.
There is verification testing of the software, validation of the total system, installation testing, surveillance testing, and testing of the components.
He remarked that formal methods are generally considered the applied mathematics of software engineering. What this attempts to do is to specify what the system should do and what the software should do, using mathematics.
Mr. Newberry, NRR, said that the staff currently does not require formal methods for development of software to be used in safety systems, but it is looking into this issue.
He noted that, for the Advanced Boiling Water Reactor, the staff is looking into the use of formal methods for the development of the software.
NRC STAFF PRESENTATIONS
Overview of Advanced Control Room Simulation, Mr. S. Arndt, AEOD
Mr. Arndt said that the Technical Training Center has three early generation simulators with two phase flow capabilities.
They are procuring four simulators and will have a full-scope simulator for all four reactor vendors.
They are going to use a single workstation simulator that will have thermal hydraulics models and core models to do cognitive training type work.
The next phase will have everything on a single machine that would be in the control room: balance of plant models, electrical models, engineered safety features model, etc.
He noted that they are moving toward a simulator that will be capable of simulating different types of advanced reactors.
He noted that the models will be full scope.
The hardware in the simulator will be limited to how much detail is known about control rooms when it is assembled.
It will be designed so that it can be reconfigured with hardware and workstation displays.
He said the primary purpose of the simulators is to develop a training tool for conceptual and full scope simulation.
A secondary function is to provide support for RES and NRR.
The third purpose is to evaluate advanced control rooms when they are available.
Stating that in SECY-91-272, "Role of Personnel and Advanced Control Rooms in Future Nuclear Power Plants", dated August 27, 1991, the staff states that the vendors have not provided sufficient information to permit the staff to judge the extent to which control room prototyping is needed or to determine the adequacy of the design of the man-machine interface, Mr. Davis asked what the staff's current position is on whether sufficient information has been or will be provided by the vendors to resolve these issues.
Mr. Wermiel, NRR, replied that sufficient information will be provided by the vendors prior to certification of their evolutionary plant designs.
Mr. Davis asked if the need for a control room prototype is still an open issue.
Mr. Wermiel replied that as part of the development of the design acceptance criteria, there will be criteria that staff would use to ask the combined operating license holder to determine what needs to be prototyped.
OVERVIEW OF CURRENT I&C AND HUMAN FACTORS PROJECTS
Mr. F. Coffman, RES
Mr. Coffman discussed the ongoing NRC research activities related to I&C and human factors.
These are divided into three areas: hardware, software, and interface areas.
Hardware Projects
Mr. Coffman said that the hardware project is to develop the technical bases for both operability and qualifications for the digital I&C systems.
This will be for both normal and abnormal operations.
It will focus on the identification of failure modes for the hardware, including common mode, and will include considerations of age degradation mechanisms.
In response to a question by Mr. Michelson whether there was any testing involved, Mr. Coffman said no.
In response to a question by Dr. Lewis if the staff had taken advantage of Department of Defense information, Mr. Coffman said that the staff is doing its best to take advantage of all available information.
Mr. Coffman said that a project is under way to develop technical bases to establish guidance or a regulatory position concerning conducted and radiated electromagnetic and radio-frequency interference.
This project involves testing, and will try to establish acceptance criteria for such things as shielding, grounding, noise rejection, and surge withstand capabilities.
He noted another project intended to look at some selected isolation devices and then test them at less than the maximum credible voltage.
Software Projects
Mr. Coffman discussed briefly a research project on Class 1E digital computer systems.
The first phase is to determine what is being done in this area.
The second phase is to try to develop a technical basis for regulatory guidance on design development tests and the acceptance criteria for class 1E systems.
He mentioned several other research projects in this area, including the following:
- A joint project with EPRI to establish guidelines for verification and validation of expert systems.
- The Halden reactor project, which provides a spectrum of assistance to the staff in developing technical bases for use in the development of regulatory requirements or guidelines.
- A project to develop a CASE tool for evaluating the functional diversity within the software.
- A project for developing verification and validation guidelines for digital protection systems and process control.
- A project to study the feasibility of using expert system elements for evaluating diversity and redundancy.
Interfaces
Mr. Coffman noted a project to develop guidelines suitable for the performance of the human factors reviews.
He said that it was an attempt to update the document that was used for the detailed control room design reviews.
He said that this would be used for advanced designs.
He noted an attempt to develop a performance indicator of the effectiveness of human-machine interfaces for NPPs.
Mr. Coffman listed a number of the current projects, including the following:
- A project to establish a baseline of what is the level of safety at current plants. The objective is to establish whether advanced systems are improving safety or are just new.
- A task network model in the control room. This will allow sensitivity studies on control room tasks by manipulating the model.
- An attempt to establish guidelines for the review of local control stations.
- In the past there have been too many alarms. With the advent of digital systems, decisions will have to be made on what information shall be annunciated.
- A project to develop guidelines for what might be required to upgrade procedures other than EOPs.
- A project to attempt to assess how digital technology in I&C systems can change human actions and error rates, thereby having an effect on system unavailability. The resulting data can be folded into PRAs.
Subcommittee Action
Dr. Lewis said the subcommittees had two options: they could have a round table discussion or, since this was one of a series of meetings, continue the discussions at future meetings.
The consensus was to continue the discussions at future meetings.
Actions, Agreements, Assignments, and Requests
There were no Actions, Agreements, or Requests made at this meeting.
The meeting was adjourned at 5:15 p.m.
Attachment A: List of Documents Provided to the Subcommittees
1. ALWR Utility Requirements Document Control Room Design and Testing (EPRI)
2. NUPLEX 80+, Advanced Control Complex, Control Room Design (C.E.)
3. Man-Machine Interface Design (W.)
4. Development of Safety-Criteria (Software Engineering)
5. Current Research Projects on Digital I&C Systems (NRC)
Attachment B

UNITED STATES NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
WASHINGTON, D.C. 20555

FINAL AGENDA FOR ACRS JOINT SUBCOMMITTEE MEETING ON CONTROL ROOM DESIGN & TESTING
Date/Location: 4 March 1992 / Phillips Bldg, Bethesda, MD
Subcommittees: Computers, I&C, Human Factors
Participants: [illegible], SEI, NRC Staff

0830-0835 OPENING REMARKS BY SUBCOMMITTEE CHAIRMEN
0835-0935 PRESENTATION BY EPRI (Ed Rumble)
  Control room design process
  Human Factors
  I&C System Issues
0935-1145 PRESENTATION BY ABB C-E (Ken Scarola)** (** Portions may be closed to discuss proprietary information)
  NUPLEX 80+ control room key design bases & features
  (Break 1020-1030)
  NUPLEX 80+ design & verification process
1145-1245 Lunch
1245-1445 PRESENTATION BY WESTINGHOUSE (P. Morris)** (** Portions may be closed to discuss proprietary information)
  Control room design process
  V&V process
1445-1500 Break
1500-1545 PRESENTATION BY SEI (Bill Wood)
  Use of Applied Mathematics in Software Engineering of Safety Critical Systems
1545-1715 NRC STAFF PRESENTATIONS AND Q&A SESSION
  AEOD Overview of Advanced Control Room Simulation (Ken Raglin/Steve Arndt; 30 min)
  NRR Q&A Session (Scott Newberry, Joe Joyce, Jared Wermiel; 30 minutes)
  RES Overview of Current I&C/Human Factors Projects (Frank Coffman; 30 minutes)
3-3-92
Appendix to Agenda: Areas of Interest to ACRS Subcommittees

A. Control Room Designs and Design Process
o Design concepts (general configuration)
o Issues associated with conversion to digital logic and displays
o Use of system-level task analyses for identification of required instrumentation
o Design basis modes of operation; optimization of display and control layout for specific operating modes
o Special topic: Novel design features to support improved shutdown operations
o Special topic: Integration of Safety Parameter Display System (SPDS) functions into control room design
o Applicability of Design Acceptance Criteria (DACs) for I&C and Human Factors requirements.

B. Human Factors Issues
o Allocation of operating and control functions between I&C systems and humans, with a focus on differences between conventional and advanced control room designs
o Ergonomic engineering of control rooms
o Basis for control room instrument and control selection and layout (e.g., cognitive task analyses for key operating modes, if performed)
o Plans for and issues associated with computerization of operating procedures; specifically, discussion of how existing procedure sets such as the Emergency Operating Procedures can be optimized through on-line computer implementation
o Display hierarchy: Provisions for Critical Safety Function Monitoring and relationship to lower level plant and system displays
o Plans for dedicated displays for upset and accident conditions for expected events (e.g., a dedicated display for steam generator tube rupture recovery for PWRs)

C. I&C Issues
o Quality assurance of software which controls:
  -- digital display screens for first level functions
  -- hierarchy and call-up of sub-level function screens
o Assessment of reliability issues; possible requirement for in-control-room analog backup to fully digital control rooms

D. Testing Issues
o Concept of prototype testing as applied to control rooms;
o Use of limited-scope simulator instead of full fidelity prototype.

E. NRC Staff Positions
o "Role of Personnel and Advanced Control Rooms in Future Nuclear Plants";
o Rationale for prototype testing;
o Applicability of DACs.