ML20035F929
| ML20035F929 | |
| Person / Time | |
|---|---|
| Site: | 05200002 |
| Issue date: | 03/29/1993 |
| From: | Luckas W, Ohara J BROOKHAVEN NATIONAL LABORATORY |
| To: | Polk H Office of Nuclear Reactor Regulation |
| Shared Package | |
| ML20035F916 | List: |
| References | |
| CON-FIN-E-2090 E2090-T2-4-3-93, NUDOCS 9304230075 | |
Advanced Reactor Human Factors (FIN E-2090)
Task Order No. 2: ABB-CE System 80+ Review
BNL Technical Report E2090-T2-4-3/93

Technical Report
System 80 Operating Experience Issues Based upon Interviews with System 80 Operators

Prepared for:
U.S. Nuclear Regulatory Commission, Office of Nuclear Reactor Regulation, Washington, D.C. 20555

Prepared by:
John O'Hara and William Luckas, Jr.
Department of Nuclear Energy, Brookhaven National Laboratory, Upton, NY 11973

March 29, 1993
PREFACE

This technical report (TR) has been prepared by Brookhaven National Laboratory for the Human Factors Assessment Branch of the U.S. Nuclear Regulatory Commission's (NRC's) Office of Nuclear Reactor Regulation. This report is submitted under the Advanced Reactor Human Factors Review Project (FIN E-2090) as part of Task 2 "Review of the ABB-CE System 80+ Advanced Reactor Human Factors Program." The TR addresses Subtask 5 "Product Review" by providing the results of interviews with currently licensed System 80 operators and their senior licensed supervisors. The NRC Project Manager is Harold Polk, the Project Engineer is Clare Goodman, and the Technical Monitor for Task 2 is Garmon West. The BNL Principal Investigator is John O'Hara.
System 80 Operator Interviews Page i
1. BACKGROUND

The NRC Human Factors Engineering Program Review Model (PRM) was developed to support design certification reviews of advanced reactors under 10 CFR Part 52. An Operating Experience Review (OER) was defined in the PRM as one of eight fundamental elements of a human factors engineering (HFE) program. An OER contributes, along with other HFE program elements, to the successful integration of plant personnel and systems, thereby supporting public health and safety.
The main purpose of the OER is to identify potential safety related issues which are followed to disposition by an issues tracking system. The OER provides information regarding the performance of fully-integrated predecessor systems (in an analogous way to full-mission validation tests which provide information about the achievement of safety goals and safety concerns for the integrated system under review). The lessons learned and resolution of OER issues may impact function allocation (changes in automation), system design, HSI design, procedures, training, etc.
Among the data requirements identified in the PRM are interviews with operators of predecessor plants in order to identify operating experience issues that can be assessed in the new design. This is especially significant in the case of an evolutionary design. ABB-CE has stated that:
The System 80+ design philosophy for both the plant and the control complex is evolutionary. Implicit in any evolutionary framework is the success of preceding generations: evolution is a process of modifying generally successful designs into improved ones. Conservative evolutionary design therefore emphasizes the solution of known problems, and the incorporation of established improvements.
(Fuld, 1992, p. 7)
However, the review of the ABB-CE operating experience review for the System 80+ revealed that interviews with currently licensed operators of System 80 plants (predecessor to System 80+) were not conducted by the designers (Higgins & O'Hara, 1993). Thus a gap in the OER was identified.
2. OBJECTIVE

The objective of this effort was to conduct interviews with currently licensed operators of System 80 plants to support the identification and review of operating experience issues. Several factors should be considered when examining the results of these interviews:

- The main goal was to identify issues for consideration in System 80+ design and review. However, the time available to accomplish the task was limited, so detailed explanations of all issues were not obtained. (More detailed evaluations of selected issues should be accomplished following a screening process - see the next item).
- No effort to screen issues for applicability to the System 80+ design was made at this time. Therefore, some of the issues raised by operators may have already been addressed in the System 80+ design.
- Operators raised issues associated with the secondary side and other non-safety aspects of the plant. While these are not of prime concern to the NRC safety review, they were included in this report for the benefit of the designers.
As per the PRM, information was sought related to (1) human performance issues, problems and sources of human error, and (2) design elements which support and enhance human performance.

Specific topics included:

- Function Allocation and Task Design Issues
- Alarms Issues
- Indication and Display Issues
- Control Device Issues
- Computers
- Communication Issues
- Procedures Issues
- Control Room Layout and Habitability
- Local Control Stations
3. METHOD

3.1 Review Team

The review team consisted of two human factors specialists and one formerly licensed senior reactor operator (SRO) from BNL and the HEC.
3.2 Operators Interviewed

Fourteen (14) licensed operators and control room supervisors participated in the interview. Their average years holding an operator's or a senior operator's license was 4.6 years (σ = 2.2 years) and average time at their plant was 8.7 years (σ = 1.4 years). The operators came from three different CE System 80 units.
3.3 Preparation

In preparation for the interviews, the review team performed a limited overview look at the Licensee Event Report (LER) related Sequence Coding and Search Scheme (SCSS) abstracts for System 80 operator event experience. Each SCSS abstract is part of a summary analysis of a particular LER called an "LER SCSS DATA" record. Also reviewed were several various sorts of the LER database for System 80 units. This cursory review was conducted to familiarize the team with potential areas of interest.
Based on a search made several weeks prior to the interview date, there were 444 LERs related to System 80 units (during their roughly 22 plant-years of cumulative history of licensed operations and shutdown) for which SCSS summary records were available. From the LERs, a total of 649 human actions (called "steps") had been categorized by personnel field and subdivision. Table 1 below provides a high level breakdown of selected fields and subdivisions pertinent to HFE.
Table 1. Summary of LER Human Action Categories

| PERSONNEL FIELD | SUBDIVISION | NUMBER OF ACTIONS | PERCENT OF TOTAL |
|---|---|---|---|
| TYPE | licensed operator personnel | 178 | 27.4 |
| | non-licensed operator personnel | 30 | 4.6 |
| | unknown utility personnel | 287 | 44.2 |
| | unknown personnel and other/utility personnel | 54 | 8.4 |
| ACTIVITY | test/calibration activity | 192 | 29.6 |
| | operation activity | 152 | 23.4 |
| | maintenance/repair activity | 81 | 12.5 |
| CAUSE | intrinsic human error | 378 | 58.2 |
| | task description inadequacy | 168 | 25.9 |
| | inadequate man-machine interface | 13 | 2.0 |
| EFFECT | commission of undesired task, task analysis, or step | 319 | 49.2 |
| | omission within allotted time | 156 | 24.0 |
| | omission of task, analysis, or step | 115 | 17.7 |
3.4 Interview Procedure

Upon arrival at the site, the team toured the control room training simulator to become familiar with the human-system interface (HSI) and to observe potential topics for discussion (such as modifications made to the control room).
The interviews were conducted in February 1993. Operators were interviewed as shift crews in groups of one to three by the three-member review team. A total of six groups were interviewed.
Each interview lasted approximately 1.5 hours. For many of the interviews other individuals were present including the NRC project manager and a utility licensing manager.
Each session started with an introduction describing the purpose of the interview and stating that information collected was not part of an NRC inspection of their plant. It was explained that the purpose of the interview was to support the NRC review of an advanced reactor design (ABB-CE System 80+) by obtaining operating experience of the predecessor plant. A brief description of the use of operator input into the design review of the next generation plant was provided. As part of the introduction, data on each operator's license and years of experience was collected.
The beginning of the interviews was left generally unstructured, thus providing operators with the opportunity to bring up any topics they thought were important. The review team had the list of topics identified above to guide later portions of the interview session.
4. RESULTS

The results of the interviews are summarized below according to the topic areas identified above.
Some additional topics are included based upon the data collected. While the objective was to identify issues, many operators offered solutions to issues they raised. These are included in the summary below for information purposes only. Such comments are provided for the designers' consideration only. All issues and recommendations below were provided by the operators alone (reviewers' opinions are not included in this section).
While the summary below represents a combination of comments for all groups, a great deal of consistency was observed in the comments provided across groups, i.e. the same topics were raised from one group to another. This may have been the result of the short interview time, which led operators to focus on main issues. However, this consistency supports the robustness and generality of the findings.
4.1 Function Allocation and Task Design Issues
- 1. Plant operations for routine transients (non steady-state plant evolutions), such as start-up, shut-down, and load changes, as well as more severe transients are difficult because of the need to integrate much information obtained from a variety of locations and the need to involve many operators. Some examples of individual tasks that contribute to the difficulty are:
  - Heat-up and cool down rate limitations (this requires one operator just to log and plot information)
  - Control element assembly position control and verification
  - Reactor coolant system letdown control
  - Throttling of high pressure safety injection operation during its emergency operation

  The operators noted that better display integration and increased automation may help them through these evolutions.
- 2. During unplanned transients, there is too much information presented immediately for operators to process. In addition, operators often (especially after emergency actuation) have to take manual control of many of the tasks that were automatically controlled (such as maintaining pressurizer and steam generator water levels). This change in control modes alone is a challenge to the operators.
- 3. Operators have to remember (memorize) their initial post trip actions and are expected to accomplish them prior to procedural checks. Aids should be available to the operators for this purpose.
- 4. Reactor coolant pump seal leak off return isolation - Under loss of seal injection and thermal barrier cooling, operators are required to manually isolate the seal within about one-minute. This has prompted management to place a relatively large sign on the control panel to remind operators to take this action when indicated. Failure to do so could lead to seal degradation, possibly escalating to a seal loss of coolant accident. Operators indicated that automation of the task of seal isolation should be explored.
- 5. Too much information has to be mentally calculated by operators that should be provided directly. Examples are:
  - Heat-up and cool-down rate,
  - Primary system leakage, and
  - Calculation of the approach to criticality ("1/m" plots).
- 6. Operators need a better way to assess the status of the electrical distribution panel during abnormal situations, especially during electrical problems. Because it is infrequently used during such a situation, it is currently a very perplexing panel for many operators.
- 7. Test and maintenance activities are associated with many LERs. Systems should be designed to be tested periodically without creating incidents. In particular, surveillance testing is a problem:
  - There are a great many tests and the manpower required to perform them is large.
  - Too many tests require auxiliary operator support for day-to-day surveillance. (These should be capable of being performed from the control room.)
  - Many tests produce spurious alarms and have provided unneeded confusion to operators.
  - Inadvertent actuation and isolation can and has occurred.
  - There is the potential to trip the plant and actuate emergency safety functions.
- 8. Main steam isolation valve (MSIV) operability stroke tests are difficult to perform without tripping them closed. The valves are engineered to too-fine tolerances and easily close completely.
- 9. Mid-loop reduced inventory operations during shutdown are a problem. At such times, the ability to maintain forced cooling flow through the core is more difficult. Therefore, when the flow is lost, it will heat up quickly since it is hard to restore and there is less water to heat up.
- 10. Positive displacement pumps such as charging pumps are difficult to maintain and increase operator burden when they fail.
- 11. Push button lamp replacement is problematic because the removal and replacement of lens can cause inadvertent actuation.
- 12. Several operators independently stated there should be a better way to depressurize RCS manually.

4.2 Alarms Issues
- 1. The alarm system acts one way during normal conditions and another during transients (which is misleading to operators). For example, the diesel generator (DG) trips are restricted during emergency start and operation. If a non-emergency trip comes in, the DG will not trip, but the "DG Trip" alarm still rings. This is very difficult for the operators during such busy periods. This occurs because the DG TRIP alarm is set off by any of 17 trip signals. However, in emergency-only actuation, any of 3 (e.g., diesel engine overspeed) will really trip the diesel. Yet if any of the remaining 14 signals occur, the alarm still goes off even though the diesel is not tripped.
- 2. Some alarms have default conditions that make them misleading. All emergency actuation alarms can come in from the failure of one train. This is not the "conservative" thing to do in view of the indications that are obscured when the alarms "default" in. For example, if one channel of 4 channel logic is lost, then the alarm default is on. Yet the alarmed condition may not exist (since actuation, for example, may require 2 of 4 channels).
- 3. Nuisance alarms:
  - Too many relatively unimportant alarms come in during a disturbance.
  - No prioritization of alarms is available to assist operators in determining which alarms to attend to first.
  - Alarm filtering, such as mode dependency alarm suppression is needed. (For example, not having alarms come in which are appropriate to the current plant operating mode, e.g., start-up).
  - Some of the alarms going off as a direct result of surveillance tests should be eliminated (can bring in up to 100 alarms). Bypass of spurious alarms resulting from surveillance testing is desirable but requires a lot of operator's time.
  - Vendor specific alarms are included in the CR, which have no operational meaning to the operators.
- 4. Master alarm tiles, which provide a single alarm for many signals, are present in the CR. The specific alarms for these tiles are provided on cathode ray tubes (CRTs). The alarms are displayed as a scrolling list which makes the evaluation of alarms difficult. Further, no alarm buffer is available so when alarms scroll off the list they are lost from the display. Operators must go to the alarm printer to see the alarms.
- 5. Noise resulting from the many alarms coming in after a trip is too great. Selective post-trip silencing of alarms should be automated.
- 6. There are many different alarm tones; the number should be reduced.
- 7. Many alarms on the boards are difficult to see. (An eye-level alarm panel might be better.)
- 8. The radiation monitoring system alarm system is an example of how to not design alarms:
  - The alarms are not prioritized.
  - The feedback on acknowledgement is slow.
  - The tone is extremely annoying.
4.3 Indication and Display Issues
- 1. There is too much information provided to operators. Some of it is needed but much is not needed and is distracting.
- 2. The use of engineering units which mean little to operators is a problem, e.g., "lbs-mass/hours" rather than percentage of full power flow.
- 3. Feed flow scales and steam flow scales are side-by-side but do not use the same scale.
- 4. General indicator displays in the control room are difficult to read:
  - The small, uniform scales are too small to see beyond arm's length.
  - Scale lines are too fine for the discriminations operators have to make.
  - Indicator arrows are often too wide for the fine scale line.
  - Meter covers have become scratched and yellowed making some hard to read.
  - Static on the meter face can affect the reading.
  - The glare from overhead lighting puts a "bar" across each indicator 2/3 of the way up scale - right in the usual indicating range.
  - Power available LED lights mask readability and must be shielded to be read.
- 5. Need better access to data. The direct meaning of data is not precise enough.
- 6. There is not enough information regarding the secondary side of the plant, for example, an indication for feedwater heater level is not provided.
- 7. Operators do not have enough capability to select parameters for display. Shouldn't have to use only "prepackaged" displays.
- 8. Mimics are important aspects of the control board layout. (Operators added mimics where they could.)
- 9. Rapid scanning of boards is essential to get overview of plant status. A selection of significant instruments (or digital readouts) with large, readable indications should be available for a person in the horseshoe (note CR primary boards are laid out in a horseshoe-shaped arrangement) to be able to scan the boards and get a sense of the plant status and where it is anticipated to go. Currently, the annunciators are the only practical way to obtain an overview of plant status.
4.4 Control Device Issues
- 1. All push buttons look the same so it is easy to push the wrong one.
- 2. Placing identical feel pistol grip controls next to each other (reactor coolant pump and pressurizer heaters) is a problem because you can easily grab the wrong one (shape coding and better separation of controls is needed).
- 3. Large throttle valve (economizer isolation valve - moisture separation reheater steam inlet) switches (round buttons) have to be held continuously for more than a minute for the valve to open. This may restrict an operator from doing other possibly more important tasks.
- 4. Protection of controls from inadvertent actuation is important. Guards have been placed over several controls as a backfit.
4.5 Computers
- 1. The computer system should be kept simple and "user-friendly."
- 2. The difficulty of upgrading the computer system is a problem. The computer system should be state-of-the-art and be designed to be easily upgraded.
- 3. Delays in computer response are a source of frustration to operators. Response time should be as short as possible.
4.6 Communication Issues
- 1. Auxiliary operators cannot be contacted in the plant approximately one-third of the time due to their inability to hear pages from the CR since there are many dead spots in the plant.
- 2. RF interference degrades communication. (Additional shielding is required.)
- 3. There is a need for additional locations in the plant to "plug in" communications equipment.
- 4. If the plant trips, the amount of communication is difficult for operators to deal with. The ability to "cut out" unnecessary communication lines is needed.
4.7 Procedures Issues
- 1. The procedure numbering system is cumbersome (procedures are designated by long strings of numbers and letters).
- 2. Procedures are difficult to work with especially in the CR during a transient. There is no lay down area and portable carts have been used.
- 3. Aids to follow procedures are needed.
- 4. Assuring current version of procedures is a problem.
- 5. Number of procedures for some evolutions is a problem, e.g., turbine start-up requires four separate procedures.
- 6. Integration between procedures, interfaces, drawings and equipment is a problem.
- 7. Portability of procedures is very important. (Wouldn't want to see them on CRT.)
4.8 Control Room Layout and Habitability
- 1. The control room is too large. It is easy for operators to become out of position and when in one location, it is difficult to see information on other panels. For example, CRT alarm displays cannot be seen from the rear position of the CR. Too much walking is required to perform tasks.
- 2. Emergency function displays and controls are not adequately grouped, which requires operators to move back and forth too much.
- 3. The noise level in the control room is too high during a transient and adds a lot of stress and makes communications difficult:
  - ESF actuated ventilation (esp. 2 trains) is an additional annoyance.
  - High-speed printers
  - Alarms ringing constantly

  The operators become overloaded during complicated events and let the alarms ring.
- 4. I&C activities in the CR are very distracting (e.g., allow as much testing to be performed outside the CR, or on back panels, as possible).
- 5. There is a need to keep traffic down in CR.
- 6. CR floor is very hard and contributes to operator fatigue. Items such as carpeting would help minimize this problem as well as reduce noise.
4.9 Local Control Stations
- 1. Remote shutdown panel:
  - There is not enough room to work.
  - The panel equipment should be similar to the CR equipment.
  - The panel equipment should have a mimic like CR.
- 2. The need to involve multiple LCSs for individual tasks is a problem. More integration is needed to reduce the number of LCS activities that the operators must coordinate.
- 3. Space for handling procedures is needed at local panels.
- 4. Manual operation of steam generator atmospheric dump valves (ADVs) is difficult because of inconsistent valve operation with valves in close proximity to each other.
- 5. The capability for synchronization of the diesel on the bus should be available outside the control room. This can only be accomplished from the control room.
5. CONCLUSIONS

Fourteen licensed operators and control room supervisors of System 80 plants (predecessor of the System 80+) were interviewed to identify issues for consideration in System 80+ design and review. Due to the similarity in design between System 80 and System 80+, these issues and any other similarly derived ones, need to be carefully evaluated by ABB-CE to ensure they are addressed, if appropriate, in the 80+ HFE design. Since ABB-CE did not specifically interview currently licensed System 80 operators or include System 80 operations documents in their OER, it is especially important for CE to consider these items (and perhaps to further review System 80 operating experience to identify similar items).
The applicability of a number of these current System 80 licensed operator initiated issues to the System 80+ design needs to be evaluated and where appropriate their resolution should be identified.
The issues tracking system should be used to ensure the consideration and resolution of unresolved applicable issues in the design process.
In addition, since the time available to review the SCSS abstracts was limited, a thorough analysis of the LERs could not be performed as part of this effort. However, it appears from Table 1 that there were many events related to task design/performance. Twenty seven percent of the actions involved licensed operator personnel, 23 percent involved operation activities, and at least 13 causes were identified as HSI caused. A more detailed analysis of at least a select group of the original (full-text) LERs, may be warranted for the System 80+ design.

6. REFERENCES

Fuld, R. (12/15/92). Human Factors Program Plan for the System 80+ Standard Plant Design (NPX80-IC-DP790-01, Rev 01). Windsor, CT: ABB-CE.
Higgins, J., & O'Hara, J. (March 1993). Review of the ABB-CE System 80+ Operating Experience Review (Draft Technical Report E2090-T2-5-3/93). Upton, New York: Brookhaven National Laboratory.