Text

_ _ _

July 27, 1990 l

Docket No. STN 50-605 Patrick W. Marriott, Manager y g "~,'

Licensing & Consulting Services CE Nuclear Energy Genera) Electric Company 175 Curtner Avenue San Jose, California 95125 Dear Mr. Harriott

SUBJECT:

REQUEST FOR ADDITIONAL INFORMATION REGARDING THE GENERAL ELECTRIC COMPANY APPLICATION FOR CERTIFICATION OF THE ABWR DESIGN During the course of the review of your applicatien for certification of your Advanced Boiling Water Reactor Design, we r

have identified a need for additional information.

Our request I

for additional information, contained in the enclosure, addresses Chapter 18 of the SSAR relating to human factors engineering.

We request that you provide your responses to this request by September 28, 1990.

If you are unable to meet this date, please provide an alternative one within two weeks of the date of this letter.

If you have any concerns regarding this request, please l

call me on (301) 492-1104.

Sincerely, OrWnal Signed By:

Dino C.

Scaletti, Project Manager Standardization Project Directorate Division of Reactor Projects - III, IV, V and Special Projects

Enclosure:

Office of Nuclear Reactor Regulation As stated cc w/ enclosure:

)

See next page

+

{pISTRInuTIqui)

DocketxFilel Echelliah CMiller JWermiel NRC PDR MCunningham JWachtel JPersensky PDS Reading MRubin RCorreia-SNewberry DScaletti ACRS(10)

REckenrode JStewart PShea OGC-info only EJordan Pb.

PDS()F PDS e b D

etti PShda CMiller 07/g}/90 07f(j/90 07/yV90 9008020005 900727 gDR ADOCK 050006Q5 i

kkl PDU

. ~. -

@ bNQ

/

UNITED $TATES l

['.

y- 'i NUCLEAR REGULATORY COMMISSION i

c..

g

.f nAssisotou, c. c. rosss.

\\....+/

July 27, 1990 Docket No. STN 50-605 i

Patrick W. Marriott, Manager Licensing & Consulting Services GE Nuclear Energy General Electric Company 175 Curtner Avenue San Jose, California 95125

Dear Mi. Marriott:

SUBJECT:

REQUEST FOR ADDITIONAL INFORMATION REGARDING THE GENERAL ELECTRIC COMPANY APPLICATION FOR CERTIFICATION OF THE ABWR DESIGN During the course of the review of your application for j

certification of your Advanced Boiling Water Reactor Design, we i

have identified a need for additional information.

Our request for additional information, contained in the enclosure, addresses Chapter 18 of the SSAR relating to human factors engineering.

We request that you provide your responses to this request by September 28, 1990.

If you are unable to meet this date, please provide an alternative one within two weeks of the date of this 1

letter.

If you have any concerns regarding tnis request, please i

j call me on (301) 492-1104.

Sincerely, l

(

D no C.

Scalet i, ject Manager Standardization Project Directorate Division of Reactor Projects - III, IV, V l

and Special Projects Office of Nuclear Reactor Regulation

Enclosure:

As stated cc w/ enclosure:

See next page

~<

4 l

1o Mr. Patrick W. Harriott Docket No. STN 50-605

{

-General Electric Company

.s cc: Mr. Robert Mitchell i

General Electric Company 175 Curtner Avenue San Jose, California 95114 4

Mr. L. Gifford, Program Manager Regulatory Programs GE Nuclear Energy 12300 Twinbrook Parkway 4

Suite 315

'Rockville,' Maryland 20852 J

Director, Criteria & Standards Division Office of Radiation Programs

11. S. Environmental Protection Agency i

401 M Street, S.W.

Washington, D.C.

20460 F

Mr.' Daniel F. Giessing b

Division of Nuclear Regulation

\\

and Safety -

Office of Converter Reactcc-Deployment NE-12

~

a Office of Nuclear Energ)

Washington, D.C.

20545 h'

,5 i

e

!j i

-J

'Y p,.

[

ENCLOSURE REQUEST FOR ADDITIONAL INFORMATION HUMAN FACTORS ENGINEERING 620.

HUMAN SYSTEMS INTERFACES A.

General Questions 1

620.1.

Describe _GE's human factors design team, the staff's human factors expertise, and its responsibilities for human factors on the'ABWR-design.

620.2.

Both Hitachi and Toshiba are designing main control room 1

workstations (workstations) which, although based upon q

thel" common-engineering" studies, may result in two-

~

different workstation-desiga implementations within-one two-unit control room.

Desctjbe the process that GE will use to actually implement high-level, single-unit workstation requirements and design, selection, including L

the decision process to be followed in selecting.the Hitachi er Toshiba approach, a hybrid, or a different i

design.

620.3.

Describe how the'GE/US'ABWR differs from the Japanese

(

versions in terms of ths human factors / operations considerations.

For example,'it'is our understanding that the Japanese do1not use symptom-based procedures L

which are essential to accident management in U.S.

i plants; this difference will presumably have an influence on workstation design.

620.4.

The control room will make use of many advanced hardwate

- and software technologies for which the nuclear. industry-has little experience.

Describe the process that GE vill use to demonstrate that these technologies are being properly used and-.will not-adversely effect human pcrrormance.

620.5 Tho EPRI AIMR requirements document and several of the GE documents provided during the-March 6-7, 1990 meeting speak about optimizing operator performance.. Describe how operator performance -is ' defined in turms of performance parameters and the measures;to be'used.to quantify these parameters.

Describe how this

(

information will be factored into the design process in i

a timely fashion.

L_

l

,n

^-=

t 620.6.

It appears that the workstation design may precede procedure design (which has historically been the case in the nuclear industry).

Yet, it seems that GE has the opportunity to follow the potentially valuable path of specifying what the operator has to accomplish in the control room to a great level of detail (via detailed.

task analyses and implementing procedures) and,then 3

design a workstation that will'best support-those operator tasks.-

Describe the temporal relationship between the future development of the operating procedures and~the design of the workstation.

620.7.

The PRA can provide insights about.the most significant human errors in terms of their effects on plant safety.

With this knowledge'the human-system-interface can be designed to help mitigate the effect of the errors and to make the system more tolerant to' errors which have

. occurred.

Describe how the.results and-insights varived from the PRA are being used to support the control room design.

620.8.

Describe the content and format of training materials to be provided by GE to purchasers of the ABWR.. Will these materials be offered asscustomized options, or will they be included and standardized?

620.9.

Describe the role of GE in the1 development of normal, i

abnormal and emergency operating: procedures, including the generic technical basis document'and writers guide, the development of.proceduresigeneration documents,Ethe verification and validation process, and the procedures t

l maintenance program. Will GE develop sample procedures or offer a package of procedures to.be modified based on sito-specifim technical considerations?

I B.

Function and Tagh_ Analyses 620.10.

Describo how the analysis of. functions willLdetermine a proper balance of. automated and manual tasks to ensure an appropriate operater workload.

r 620.11.

Describe ~the decision criteria used to select tasks for analysis, and describe how thc task' analyses were-organized.

620.12.

Describe the critelte used for the selection of specific accident scenarios /s quences for which task analyses were performed and id2ntify the scenarios / sequences which were analyzed, i-i

?-

W W

i-

.... a.

.. _ _~ _ _ - _ _ _ _ _

_; ~

O 620.13.

Very detailed procedures for function ~and task analyses l

were developed by the ABWR team (ref. Hitachi Document j

3D-2B-A14B, Rev. A, May 1987). However, the Task I

analysis report provided for the Nuclear Boiler System (ref. PPE Item No. 3.9B, Rev.

O, 9/22/89) supplied p

considerably less detail than.that specified in the L

procedure.

The analysis report specifies'that it was conducted in accordance with a list of reference

[

documents; but this list does not include the procedures document.

While the report does identify monitoring and control requirements and makes recommendations for L

automation, it does not provide'timelines or workload

~

i estimates needed from the task analysis for other design and analysis activities, such as the HRA. _ Discuss 1why the detailed task analysis procedure was not followed, ana the consequences of this decision.

C.

Staffino and Operations 620.14.

Discuss the technical basis for single-operator operations with re.rd to the requirements of 10 CFR 50.54 (m), and the f ollowing-issues:

a.

The control roomLtechnology developments which-would enable this approach; b.

The analyses that will'be performed to assure that safety will not be compromised.

620.15.

Describe how the plant addresses the single-failure criterion with a single operator.

620.16.

Which existing BWR is mest similar to the ABWR with regard to the role of the operations staff?

Discuss any significant differences that exist between ABWR operations and operations at this most similar existing BWR.

620.17.

Describe the implications for operator selection and training based upon the ABWR's use of increased automation, advanced instrumentation and control, and compact workstations.

?

3-

--y-m w

-+gwm-s wM_

w w-eem s

., w

.w w-awe---

we-=MN-m

-eto-g

-w--

g y-w w

e h.

__ _ - -u_______-2,.A_m w-,..

m

4 620.18.

With increases in automation in comp _ax systems which 3

change the operator's role from that of an active 1

"in-the-loop" controller to that of_a systems monitor, human factors practitioners have frequently identified new problems, including:

a.

Maintaining an appropriate level of workload; b.

Maintainingfvigilance in system monitoring; c.

Maintaining-adequate awareness of system status so that the operator can intervene and take over system operation when required; d.-

Maintaining specialized skills.

Discuss how each of the above issues will be addressed.

~

- 620.19.

While the plant is under automated control and'an abnormal condition such as a reactor-scram occurs, the power generation control syy*sm1(PGCS) alerts the operator and drops out of automated mode.

Describe the time period over which this change occurs.

Since the PGCS controls many systems, describe the implications for operator. workload at, and subsequent to, the time of the status change.

L D.

Control-Room 620.20.

The major driving force affecting control' room design appears to be the concept of one-person operations during normal conditions.

This leads to the-requirement to cont.olidate most of the monitoring and control capability into a single, relatively-compact workstation in contrast to the traditional analog control boards.

This approach then leads to requirements to minimize dedicated controls and displays (because of-limited real estate at the workstation), utilize soft controls (to replace dedicated controls), utilize CRT-like display devices which only display =a limited set of plant data at a' time (to replace instrument displeys), and to utilize intelligent operator' aids based upon expert systems, etc. to assist the one-operator to accomplish his tasks.

While these technologies may have merits.of their own, we are concerned about the-appropriateness of this technology as a design driver for U.S.. plants.

Please discuss-your rationale for this concept.

.= -.-. -.... -... ~..

r i

I 620.21.

One of the main features of the control room is the use t

of a' computer-based workstation in place of the traditional control boards with dedicated controls and displays.- With such an approach the motheds by which information is displayed to the operator via CRTs and other display devices is of critical importance.

Indeed the display of information and the methods by which the i

operator-interacts with '.nat information are arguably the most important aspects of the control room design.

Yet most of the information presented by GE thus far concerning control room and work station design has emphasized the-hardware, ergonomics, and anthropometrics of the: design.

Little information has been made 3

available on the display design and human-software i

interface.

Much more information is needed in order to.

evaluate the adequacy of the control room to support the operator's tasks.

Please describe the approach that you will use to determine the-following:

i a.

The planning and control of the interaction between the. operator and system information;-

b.

The design basis for the interface (e.g. command language or direct manipulatior.);

Planning and design of high-level data integration; c.

d.

Operator access to information, and the parameters j

that will be optimized in-the design of the~

interface (e.g. speed-of data access);

Any data-that will not be accessible to. operators; e.

i f.

Display techniques-for variousitypes of. data;-

g.

Coding methods to be used.

I 620.22.

Describe how the requirements for: (1) information/ data display, and (2) methods by which the operator will i

interact with.the system will be reflected in hardware 1

design requirements.

It appeared from the material prestnted by GE on March 6-7,.1990, that hardware.

requirements were preceding these issues.

620.23.

With regard to the. design of the control. room:

Was a human factors design-guideline developed a.

specifically for the design of the-human-software /information interface, as discussed in question No. 2 above?

{

5.]

=.

l l

4 b.

Was a human factors design guideline developed specifically for the ABWR to assist in control of i

the interface design, or were the ABWR human factors guidelines derived from human factors design guidelines available in the literature?

If neither, how were the ABWR guidelines developed?

j If existing guidelines were used, please identify them, and provide the audit trail.

c.

How were guidelines developed for those interface characteristics for which there appear to be no i

existing guidelines in the literature?

1 620.24.

A significant feature of the ABWR control room design is the use of advanced and intelligent operator aids based i

upon expert systems and other AI technologies.

With respect to these operator _ aids,'please describe the following:

a.

The extent of the dependence on intelligmn operator aids that:is necessary to achieve cne.

single-operator design goal; b.

The specific operator aids that are planned and the technology on which they are based;-

c.

The methods-of knowledge engineering that will be used, and the steps that will'be taken to assure that all appropriate knowledge will'be incorporated j

into the database; d.-

The approach to be taken to develop operator confidence in the systems to assure that they will be appropriately utilised; c.

The approach to be taken to minimize undue reliance on, and blind acceptance of, these systems; f.

The methods to be used for the verification and validation of the performance of intelligent operator aids.

620.25.

The workstation will have few dedicated controls and displays (C/Ds).

Describe the rationale and analyses being used to determine which C/Ds will be dedicated and whien-will be " soft."

620.26.

Computer-based workstations 4 can often present data-interface management problems to the operator (such-as the operator spending *too much time managing data windows ratherithan monitoring plant information) which reflect a chate from' task-related' workload'to interfac(-vanagement workload.

Describe'how the design of.the w sstation controls'and displays will minimize the ucri. load scacciated -with the operator's management of the interface.

Discuss any assistance that the operator vill have in calling up the appro displays via automatic display " triggers" priate or an expert, system..

\\

-t L'

620.27.

It appears that alarm information is being presented in three separate locations:

on the large display screen, on dedicated alarms, and on CRTs. With respect to annunciator warning systems data, please discuss:

a.

How allocation of alarm information to the above l

locations is determined, and which alarms are located where; i

l-b.

How the CRT-based. alarms will be presented; c.

How alarm information will be prioritized; d.

Whether alarm filtering will be used and, if so,

'(1) by what methods, and'(2) whether operators will have access to filtered-out alarm data.

620.28.

Describe any trade studies and/or investigations which have been performed to support the selection of the approaches to display and control being planned for the control room, including, for example, the use of touch panel control for specific functions.

620.29.

Describe how data protection and security will be assured.-

620.30..

The control-room will have only a single command i

workstation.

Discuss why there is there no back-up as recommended in the EPRI ALWR Chapter 10 requirements document.

In addition, please discuss the following:

a.

Any loss of monitoring and control functions that have been analyzed, and their initiating events; b.

Whether any single event could cause the loss of a major portion of the workstation and/or the loss of monitoring and control functions; c.

The effects of.the loss of one or two CRTs at the

+

workstation including whether this could require too much information to be displayed at~the remaining display devices; d.

Whether awkward control / display relationships and~

awkward operations could result from the loss of any small section of the_ workstation..

620.31.

Since there is only one workstation, and.it is-typically.

manned by a single operator, describe any analyses that have been performed to assure that the workstation can appropriately accommodate two-person operatior.s during accident scenarios.

Please include the-1:.11cding in the discussion:

a.

How the responsibilities and tasks are laid.out to assure well-coordinated two-person operations; b.

Any function or task analyses that have been performed-to assure that the two operators will not have unintended and unwanted interactions 1 'l

- -~

c.

How emergency operating proceduros (EOPs) will account for one and two-person operations.

E.

Remote Shutdown Panels (RSPs) and Local Control Stations 620.32.

Although an advanced computer-based control room is planned, the design of

(:_-

remote shutdown panels will be based upon conventional hardware (e.g., hard control devices, analog indicators, etc.).

Based upon the March 6-7, 1990 presentation by GE, it appears that this diversity was a design goal.

Discuss the technical basis for this approach, including the human factors implications such as:

2 a.

Likely confusion due to the differences between operations in the control room and at the RSP;-

b.

Increased training burden and operator burden =

associated with the,need to learn two different I

systems, one of which will be used constantly and the other very infrequently, if ever.

620.33.

Describe the design of the-other local control panels, given the dual approach discussed above.

620.34.

Discuss the technical basis for the design of local valve operations, including the determination of local vs. control room position indications.

F.

Test. Maintenance, and Calibration (TMC) 620.35.-

Discuss how TMC operations are changed'in the design of the ABWR when compared with a standard BWR.

620.36.

Discuss the criteria used to determineLwhich i

instrumentation will be manually calibrated.

620.37.

Discuss thet criteria used for the selection of computerized test operations.

i

\\

i,

4 s

621.

HUMAN RELIABILITY ANALYSIS A.

General Ouestions l

621.1.

Identify who performed the ABWR HRA (GE and/or other contractors),-and describe the expertise that was included in the-HRA' team.

621.2.

Describe the material and/or analyses that were i

available and used to support the HRA, including:

F Detailed function and task analyses (utilizing the a.

ABWR staffing goals and operating philosophy);

b.

Procedures or procedure guidelines (draft or preliminary, etc.);

c.

Control room design; d.

Workstation design; e.

Display design;-

f.

Any other.

Discuss the degree of completeness'of each of the '

materials used in terms of-the ABWR design to-support the HRA.

621.3.

As per Chapter 19 of the SSAR, the HRA methods and procedures identified as used in performance of the-ABWR HIUL were THERP (Technique for Human Error Rate Predictions, NUREG/CR-1278) and SHARP (Systematic Human Action Reliability Procedure, EPRI NP-3583).

Identify which HEPs were derived by each HRA method, and. describe any other methods that were used to support these approaches-621.4.

For those HEPs where THERP was used, describe how the Swain and Guttmann Handbook was actually applied in the following areas:

a.

Whether the full analysis methodology was followed; b.

How basecase HEPs were derived; c.

The data which were used as the source of basecase l

values;-

The performance-shaping factors that were applied.

e.

621.5.

Chapter.19 (p. 19.3-1) states that the HEPs "were predominantly taken from the GESSAR II PRA" and that-

"most of these values were derived from the Swain and.

Guttmann Handbook of Human Reliability" which as-referenced was published in 1983.

However, the GESSAR II PRA was published in 1982, one year prior to the publication of NUREG/CR-1278. In light of this, please identify the version of the Swain and Guttmann Handbook of Human Reliability.(NUREG/CR-1278) that was used. '

.4

i, 621.6.

For those HEPs for,which SHARP was used, please provide the documentation called for in the procedure, or, if this approach was not used, please describe how SHARP was-actually applied.

621.7.

Chapter 19 states that "more recent studies su

-these values may be somewhat-conservative" (p.ggest that 19.3-1).

i Discuss those studies that are used to support this statement, and describe how they apply to ABWR operations.

621.8.-

As indicated above, Chapter 19 (p. 19.3-1) states that the ABWR HEPs "were predominantly taken from the.GESSAR II PRA for which they were collected from various other sources and modified, as appropriate, for the GESSAR application"'and that their " application in the ABWR PRA is judged to be acceptable."

With respect to this j

statement, please discuss the following:

a.

The other sources and methods that were used to 1

derive those HEPs'. (Reference is made to "the EPRI time-reliability correlation" on p. 191.4 does this refer to the Human Cognitive Reliability (HCR) study?);

b.

If the HCR study was1used in support of the HRA, please provide a report of the study to support the evaluation; Any modifications to the HEPs from previous PRAs c.

for the GESSAR II application; d.

The rationale-that-supports a generalization-to GESSAR; e.

Your. degree of confidence that the HEP values

~

derived for GESSAR II can be applied to the ABWR.

We noted during the Harch 6-7, 1990 briefing that the GESSAR II HEPs were used because the ABWR-design will be "at leant as good as" previous product lines.

However, as far as the control room is concerned, we view this product as being significantly different from the other, and as being developed in a significantly.different way (through the ABWR team approach).

Discuss'why you believe that such differences won't make the generalization of HEPs from other PRAs difficult.

621.9.

Describe how you accounted, in.the HRA, for the use of new, advanced technology in the control room and for the differences in the operator's role in the ABWR vs.

a standard control room.

That is, how is the operator's role change (due to the introduction of compact 1

-lo-

..c.

4 workstations and advanced I&C with primary reliance on human-computer interface technology) account'ed for in the~ analysis, with regard to the following:

a.

The appropriateness of the use of numbers from:

NUREG/CR-1278 for use in the ABWR; b.

The manner in which HRA subjective-judgement was used given the advanced (and different) nature of the control room; c.-

The methods and the experts that were available to modify HEPs-for ABWR' operations; d.

Any design features of the ABWR that were used as a basis to lower HEPs-which had been obtained from an earlier PRA_and, if so used, a discussion-of which' errors were involved and what' technology was-assumed to enhance operator performance.

621.10.

The introduction of new advanced technology.has frequently been associated with the emergence of new

human errors.

Describe how the ABWR HRA has specifically analyzed the advanced control room, changes in staffing philosophy, etc. to.idsntify potential "new" errors introduced-by differences'between the ABWR and previous product designs, and taich human errors were-included-in this category.

If this has not been done, please discuss your intentions.in this' regard.

621~11.

In summary, given that a variety of source documents were used, please provide-an audit trail for each, describing:

a.

.The task analysis used; b.

The PRA which was. originally used to provide an HEP; c.

The method that was-used to derive the HEP; d.

How the HEP was modified for use in: subsequent PRAs (such as from Limerick to GESSAR to ABWR), and how design, procedures and operations differences were accounted for; e.

For which HEPs screening values were used; f.

Which HEPs were specifically modified for'the ABWR.-

Please provide the HRA documentation to support the review.

-1 r

..u

..