ML20062D403
| ML20062D403 | |
| Person / Time | |
|---|---|
| Site: | 05000605 |
| Issue date: | 11/02/1990 |
| From: | Marriott P GENERAL ELECTRIC CO. |
| To: | Chris Miller NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | |
| MFN-137-90, NUDOCS 9011130179 | |
| Download: ML20062D403 (16) | |
Text
-
GE NucIcar Energy Genusi [Wtu 5$h y - November 2,1990 -
MFN No.137 90 Docket No. STN 50 605 EEN 9066 i
Document Control Desk ,
U.S. Nuclear Regulatory Commission 4 Washington, D.C. 20555 Attentiom Charles L. Miller, Director Standardization and Non Power Reactor Project Directorate
Subject:
Submittal of Responses to AdditionalInformation as Requested in NRC Letter from Dino C. Scaletti, Dated July 27,1990 Referencei 1. Submittal of Responses to Additional Information as Requested in NRC Letter from Dino Scaletti, dated July 27, [
1990, MFN No.129 90, dated October 9,1990
- 2. Submittal of Responses (Proprietary Information) to AdditionalInformation as Requested in NRC Letter from
. Dino Scaletti,' dated July 27,1990, MFN No.138 90, dated November 2,1990
Dear Mr. Miller:
- Enclosed are thirty four (34) copies of the second submittal of Chapter 18 responses to the subject -
Request for Additionallnformation (RAI) on the Standard Safety Analysis Report (SSAR) for the - ;
Advanced Boiling Water Reactor (ABWR). The initial submittal was provided with Reference 1.
. . Response to Question 620.28 contains information that is designated as General Electric Company s proprietary information and is being submitted under separate cover (Reference 2).
- Responses to the remaining questions will be provided at the end of November 1990. i It is intended that GE will amend the SSAR with these responses in a future amendment.
- Sincerely, y
. 1>
P.W. M!rriott, Manager -. ;
Regulatory and Analysis Services ,
cc: . F.A. Ross (DOE)
D.C. Scaletti (NRC)
D.R. Wilkins (GE) .
. J.F. Ouirk (GE) ,
9011130179 901102 '
PDR A
ADOCK 03000605 PDC 360 f 4i
GENERAL ELECTRIC COMPANY QUESTION 620.2 Both IIitachi and Toshiba are designing main control room workstations which, although based upon the " common engineering studies, may result in two different workstation design implementations within one two unit control room. Describe the process that GE will use to actually implement high level, single unit workstation requirements and design selection, including the decision process to be followed in selecting the Hitachi or Toshiba approach, a hybrid, or a different design.
RESPONSE 620.2 The control room design definition documented in the ABWR Standard Safety Analysis Report (SSAR) is specifically independent of any particular equipment vendor's details of design implementation. The main control room panels provided to a plant referencing the ABWR SSAR will be procured per the design implementation requirements as discussed in Section 18.5 of the SSAR.
QUESTION 620.4 -
The control room will make use of many advanced hardware and software technologies for which the nuclear industry has little experience. Describe the process that GE will use to demonstrate that these technologies are being properly used and will not adversely effect human performance.
RESPONSE 620.4 A description of the criteria for the verification of the adequacy of the control room design implementation is contained in the ABWR Standard Safety Analysis Report, Section 18.5. This section contains discussions of System / Operation Analysis; Human Reliability Analysis Requirements and Inspection, Tests and Acceptance Criteria for the plant controls and instrumentation.
I i
D:\ow\amendl6: respond 2 -1/15 11 2-90
GENERAL ELECI'RIC COMPANY QUESTION 620.5 The EPRI ALWR requirements document and several of the GE documents provided during the March 6 7,1990 meeting speak about optimizing operator performance. Describe how operator performance is defined in terms of performance parameters and the measures to be used to quantify these parameters. Describe how this information will be factored into the design process in a timely fashion.
RESPONSE 620.5 Optimum operator performance is defined as the timely and error free performance of his duties by the operator. If an operator performs his or her tasks at the time required and does so without any mistakes, this coratitutes optirnum operater performance.
Therefore, the measures used to quantify the quality of operator performance are time and number of errors.
Recognizing that timely and error free operator actions constitute optimum performance, the control room design process has as goals, the promotion of efficient and correct operator actions through the fol owing means:
(a) Simplification and streamlining of plant monitoring and control by providing an improved arrangement and organization of control room modules, (b) Optimization of plant data presentation se that the data which control room personnel must survey, analyze and comprehend results in an improvement in response time and a reduction in the number of operator errors relative to previous designs, and (c) Integration of operator interface functions to provide a uniformity in function and appearance for simple and efficient execution of control functions.
These design goals have been achieved through the adherence to human factors engineering guidelines in all phases of the control room design.
D;\ow\amendl6: respond 2 -2/15- 11-2-90 l
, GENERAL ELECTRIC COMPANY QUESTION 620.8 -
Describe the content and format of training materials to be provided by GE to purchasers of the ABWR. Will these materials be offered as customized options, or will they be included and standardized?
RESPONSE 620.8 The ABWR Standard Safety Analysis Report (SSAR) is based upon plant system design definitions and equipment requirements. Personnel training, which is highly dependent upon the particular vendor's equipment selected for implementing the ABWR design, will be the responsibility of the applicant referencing the ABWR design.
QUESTION 620.10 Describe how the analysis of functions will determine a proper balance of automated and manual tasks to ensure an appropriate operator work load.
RESPONSE 620.10 Relative to previous BWR designs, the ABWR design provides an increased scope of automation of operator monitoring and control functions. This extended scope of ABWR plant and system level automation, discussed in Section 18.4.4 of the ABWR Standard Safety l
Analysis Report (SSAR), was defined based upon evaluation of the operator's work load during normal plant operations. An objective of incorporating the extended sco,e of automation in the ABWR was to achieve an appropriate operator work load by se ectively automating operator functions, particularly those operations which were tedious or repetitive and contributed to periods of peak operator work load activity.
In the implementation of the ABWR design, tests and analysis will be conducted, as defined in ,
Section 18.5 of the SSAR, which will ensure that the particular design implementation provides an appropriate work load.
l l
l l
D:\ow\amendl6:rcspond2 -3/15- 11 2-90 l'
1
1 GENERAL ELECTRIC COMPANY I
. c 4
QUESTION 620.11 Describe the decision criteria used to select tasks for analysis, and describe how the task analyses were organized.
RESPONSE 620.11 In developing the man machine interface requirements for the major plant systems, system level task analyses were done for each of the individual systems. These analyses were comprehensive in that all system functions were broken down into tasks and analyzed to determine the operator information and system control requirements for accomplishing each task. The tasks were characterized in these system level task analyses using a consistent taxonomy. Task data collection forms were used to collect the information and control requirements, as well as other data pertinent to each task, which was than summarized in tabular form in the reporting of the individual system task analyses.
In the implementation of the ABWR design, the tests and analyses discussed in Section 18.5 of the ABWR Standard Safety Analysis Report (SSAR) will be conducted. As discussed in the design implementation requirements of that Section 18.5 text, task analyses will be conduc'ed which cover the full range of normal and off normal plant operations. Details regarding the
- development of particular accident scenarios and task selection criteria will be established, as appropriate, as part of those design implementation activities. The organization, conduct and documentation of those task analyses, will be in conformance with the established ABWR procedures, discussed in Section 183 of the SSAR.
t D;\ow\amendl6: respond 2 -4/15- 11 2-90
' , GENERAL ELECTRIC COMPANY
=
QUESTION 620.12 Describe the criteria used for the selection of specific accident scenarios / sequences for which task analyses were performed and identify the scenarios / sequences which were analyzed.
E RESPONSE 620.12 See the response to Question 620.11. As part of ABWR design implementation, documented in Section 18.5 of the ABWR Standard Safety Analysis Report (SSAR), task analyses will be L performed on all integrated operating procedures and emergency operating procedures. These L analyses will envelope both normal and off normal events including consideration of the following:
-single equipment failure single operator error loss of electric power 1 -double equipment failures double operator error
? combination of equipment failure and operator error e
M D \ow\amendt6:rcspond2 -5/15- 11-2-90
. GENERAL ELECTRIC COMPANY QUESTION 620.14 Discuss the technical 5 asis for single-operator operations with regard to the requirements of 10 CFR 50.54(m), and ihe following issues:
- a. The control room technology developments which would enable this approach;
- b. The analyses that will be performed to assure that safety will not be compromised.
RESPONSE 620.14 The ABWR Standard Safety Analysis Report (SSAR) defines the operating crew for the single unit ABWR to include four people normally stationed in the main control room. These crew members include one licensed reactor operator, one licensed senior reactor operator, an assistant shift supervi:.or and the shift supervisor Both the shift supervisor and assistant shift supervisor are licensed senior reactor operators. Therefore, the ABWR is considered to be in compliance with the requirements of 10CFR 50.54(m).
b~
In providing the ABWR with the enhanced man-machine interface capabilities, which enable normal llant o)erations to be conducted by a single operator, the ABWR control room staff has adcitiona flexibility in performing their functions. Working as a team, with the first operator performing the normal plant monitoring and control functions, the second operator may assist the first operator, perform broader scope and more detailed monitoring of the plant systems and equipment status and trends or perform evaluations relative to plant operation.
Chapter 18 of the SSAR describes the technologies that will be employed in the ABWR control room. Key design features include: the wide display device for overall plant level automation via application of sequence master control the compact mam functions; plant mo control console and operator guidance, which displays the proper operating sequences on the main control panel CRT screens
= _ The tests and analyses conducted as part of the ABWR design implementation, (See SSAR Section 18.5) will assure that safety is not compromised.
m k
1 D:\ow\ amend 16: respond 2 6/15 11 2-90 1
=m- = i i - --umm-- - --- - - - ----um -- -
. GENERAL ELECTRIC COMPANY QUESTION 620.15
! Describe how the plant addresses the single failure criterion with a single operator.
RESPONSE 620.15 (See response to Question 620.14). The ABWR control room is staffed, for normal operations, 7 with four peopic~ This level of staffing is similar to previous BWR plants. Although the ABWR provides capability for operation by a single operator, the function of the entire operating staff-
-remains that of assuring safe and stable plant operation. In the event that the single operator,
[ who may have the responsibility for operating the plant, commits an error oc for some reason becomes unable to perform his duties, the other three licensed personnel in the control room, 5 who will be monitoring th,e plant status and the actions of the operator at the control console, will intervene as the situation warrants.
i-QUESTION 620.17 Describe the implications for operator selec, tion and training based upon the AB)VR's use of increased automation, advanced mstrumentation and control and compact workstations.
RESPONSE 620.17 F
It is anticipated that operator selection, in terms of educational requirements, general m_ intelligence and temperament, will be relatively unaffected by the technologies employed in the ABWR control room. Although it may req uire more skilled technicians to service and maintain the advanced technology equipment in t ae ABWR control room, the user (i. e., operator) interface features (e.g., touchscreen CRTs) are comparatively familiar to the general
- population. Furthermore, the operator interface data processing functions are specifically designed to be simple and straightforward so that the operator can easily comprehend the status of the plant and the system operation. Therefore, the advanced designs and technologies employed in the~ABWR design are not expected to impose any significant constraints on the
- selection and training of operators.
E LL\ow\amendl&rcspond2 -7/15- 11290
. GENERAL ELECTRIC COMPANY
' QUESTION 620.18 With increases in automation in complex systems which change the operator's role from that of an active "in the-loop" controller to that of a systems monitor, human factors practitioners have frequently identified new problems, including:
- a. Maintaining an appropriate level of work load;
- b. Maintaining vigilance in system monitoring;
- c. Maintaining adequate awareness of system status so that the operator can intervene and take over system operation when required;
- d. Maintaining specialized skills.
Discuss how each of the above issues will be addressed.
RESPONSE 620.18 l
(a) With reference to Item (a), regarding maintenance of an appropriate level of work load, ,
please refer to the response to Question 620.10.
(b) Although the' ABWR design does include an expanded secpe of automated functions, the operator is still a necessary element and in the-loop of the plant control functions. Even in its most automated mode of operation, as discussed in Chapter 18 of the ABWR Standard Safety Analysis Report (SSAR), the ABWR design requires that the operator remain an active part of the plant monitoring and control function.
E Even during automated plant operations, the operator must take action to effect any changes in l safety system status, to operate selected non safety systems which have been purposefully omitted from the scope of plant automation and to intermittently acknowledge that the 1 automated plant operations may proceed from one predetermined breakpoint to the next
,. breakpoint in the normal sequence of operations. One of the objectives of this ABWR plant L automation system architecture, which requires continual operator actions in order to proceed,
. is that it helps assure that the operator remains attentive in his duties of plant and system monitoring even when the plant is under the automated mode of operation.
L
'(c) System status information is available to the operator on both the main control console
, displays and 'on the wide display device panels, agatn, as discussed in Chapter 18 of the SSAR.
To further assist in assuring that the operator can readily determine plant / system status,
[ automated system operation logic is kept simple and follows the same sequences as if the
. operator were performing the operation manually per the established system procedures. Also, the progress of automated sequences of operation are displayed to the operator such that the
. operator may discontinue automated plant operations at anytime and assume full control under the manual mode of operation.
(d) The maintenance of specialized skills is an area to be considered during the course of the design implementation through the development of the operator training requirements.
l Options which may be considered to maintain important specialized skills that are less used f with the broad scope application of plant automation include specific plant simulator sessions I or occasional operation of the plant in the full manual mode for the specific purpose of maintaining the necessary high level of operator skill in such manual operations'.
D:\ow\amendl6: respond 2 -8/15- 11-2-90
, OENERAL ELECTRIC COMPANY l
1 QUESTION 62030 l The control room will have only a single command workstation. Discuss why there is no back up as recommended in the EPRI ALWR Chapter 10 requirements document. In addition, please discuss the following:
- a. Any loss of monitoring and control functions that have been analyzed, and their initiating i events;
- b. Whether any single event could cause the loss of a major portion of the workstation and/or the loss of monitoring and control functions;
- c. The effects of the loss of one or two CRTs at the workstation including whether this could require too much information to be displayed at the remaining display devices;
- d. Whether awkward control / display relationships and awkward operations could result from the loss of any small section of the workstation.
RESPONSE 62030 <
The EPRI ALWR Chapter 10 requirements specify triply redundant, compact operator work stations. The design basis for this approach is the 3ostulated loss of a work station due to equipment failure or maintenance. In the event of a .oss of one work station, the operator can move to the backup work station and continue operation.
The ABWR control room design provides multiple levels of control and display redundancy within an integrated main control console. This design, coupled with the redundancy and diversity of the plant instrumentation and control architecture,ansures a high availability of controls and displays. No single component failure or maintenance activity can result in a loss M control or display capability which will adversely affect plant operations. Thus, the availability of the ABWR design is at least equal to the availability of the design endorsed by
- the EPRI ALWR requirements.
Figure 18C.71, in the ABWR Standard Safety Analysis Report (SSAR), depicts an overall hardware configuration for the operator interface system in the main control room. For the safety systems, divisional system controllers communicate with the main control console and the wide screen display device. System control is organized ir an hierarchy consisting of the system's automatic initiation logic with dedicated hardwar, switches for backup system initiation on.the main control console, the system master sequential switches for control of different modes of a system, and control of individual equipment on the flat display panels.
Display redundancy is provided by the dedicated large display panel (fixed mimic) which is safety qualified, the touch screen flat display panels for each division and a CRT for safety system monitoring. Furthermore, the overall plant safety is provided by four separate divisions of essential systems. An entire division of equipment can be taken out of service for maintenance D:\ow\ amend 16 respond 2 -9/15 11 2-90
. GENERAL ELECTRIC COMPANY RESPONSE 620 30 (Continued) without compromising the capability of the other systems to respond when required. In the remote possibility of failure of all four divisions of safety control equipment at the main control console, the plant can be shutdown at the remote shutdown system panel. The remote shutdown system utilizes conventional, hardwired, analog instrumentation and control to provide complete diversity from the advanced microprocessor control systems available in the main control room.
For the non safety systems, the hierarchy of control structure is similar to that of the safety systems. The systems operate normally according to their designed automatic functions.
System mode control is provided by the master sequential switches. Individual control of system ec uipment is possible on the touch control CRTs and the non safety flat display panels.
System c isplay capability is provided on these CRTs (which have a control mode and a monitoring mode), flat display panels, and on the large variable display panel. The plant process computer drives all the CRTs and the variable display panel. The normal method of plant control such as startup and shutdown is provided by an automation mode of plant process computer. The operator interfaces with the plant automation system through dedicated master sec)uential switches. When operating in the semi automatic mode, the master sequential switches are used. The touch control CRTs are utilized only when control of individual equipment is required. Plat panels driven separately from the process computer provide backup control and display capability for the non safety systems in the unlikely event of failure of the entire process computer system. The process computer system itself has redundant processors so that a single 3rocessor failure will not result in loss of all CRTs and the variable display. In case of indivic ual CRT failure, other adjacent CRTs can be used because any display can be accessed on any CRT. Awkward control / display relationships and awkward operations are avoided because of the touch control capability on the CRTs and the flat panels.
In addition, any CRT display can be displayed on the large variable display panel.
In summary, the integrated main control console and large display panel are not one system driven by one system controller Any single failure will not result in loss of a!! functions of the main control console nor the wide screen display panels. Control and monitoring redundancies are provided for both the safety systems and the non safety systems at the main control console.
The fixed mimic for the safety system and the variable display panel for the non safety systems provide additional,lant momtoring capability which compliments those provided by the CRTs and flat panels at t ie main control console Control redundancies are provided by the master sequential hardware switches for system mode control, touch control capability on the CRTs, and touch control capability on the flat panels. Furthermore, plant shutdown capability is provided by the remote shutdown system outside of the main control room. Therefore, a redundant control console for the ABWR is not appropriate nor required.
D:\ow\amendl6: respond 2 40/15- 11290 1
. GENERAL ELECTRIC COMPANY QUESTION 620.31 l
I Since there is only one workstation, and it is typically manned by a single operator, describe any analysis that have been performed to assure chat the workstation can appropriately I accommodate two-person operations during accident scenarios. Please include the following in l the discussion: ;
- a. How the res i operations; ponsibilities and tasks are laid out to assure well coordinated two '
- b. . Any function or task analyses that have been performed to assure that the two operators will not have unintended and unwanted interactions;
- c. How e,mergency operating procedures (EOPs) will account for one and two person i operations.
RESPONSE 620.31 The ABWR has only a single control console. However, this console is configured such that it will support operation by either one or two operators. The validation tests referred to in the response to Question 620.28 included tests to demonstrate the capability of the workstation to accommodate two operators. During these tests, it was demonstrated that two operators are able to work together in a well coordinated team effort.
During two person operations, the operators are normally assigned one to the NSSS and plant summary controls and displays and the other to the balance of plant controls and displays.
Some flexibility in these assignments will, of course, be designed into the operating procedures.
With this basic division of responsibility between the two operators, the interactions of functions are generally minimized. In the implementation of the ABWR design, function and task analyses for both one and two person operation will be developed as part of the design implementation tests and evaluations to be performed, as discussed in Section 18.5 of the ABWR Standard Safety Analysis Report (SSAR).
The plant Emergency Operating Procedures will also be developed as part of the ABWR design implementation. -Similarly, design implementation tests and evaluations to be performed, as discussed in Section 18.5 of the SSAR, will establish the necessary procedures to be implemented depending upon the particular number of operators stationed at the control console (if relevant).
D;\ow\ amend 16: respond 2 -11/15- 11 2-90
1
. GENERAL ELECTRIC COMPANY ;
, 1 l
1 QUESTION 620.32 :
1 Although an advanced computer based control room is planned, the design of the remote -
shutdown panels will be based upon conventional hardware (c. g., hard control devices, analog indicators, etc.). Based upon the March 6 7,1990 presentation by O. E., it apoears that this diversity was a design goal. Discuss the technical basis for this approach, including the human factors implications such as:
- a. Likely confusion due to the differences between operations in the control room and at the RSP;
- b. Increased training burden and operator burden assodated with the need to learn two different systems, one of which will be used constantly and the other ery infrequently, if ever.
RESPONSE 620.32 The ABWR Remote Shutdown System (RSS) employs conventional, hardwired, analog monitoring, control and logic devices to maintain complete diversity from the main control room. In addition to providing an alternate shutdown station in the event of a control room evacuation, the diversi yt provided by the RSS protects against the improbable event of a common mode hardware or software failure in the plant instrumentation and control systems.
This difference between the RSS and control room man machine interface (MMI) designs is typical of all BWRs. Even if control and display devices were incorporated into the RSS which were similar to those used in the main control roor.., the overall MMI design would be quite different because of the limited scope of operations performed at the RSS panels.
Operation of the RSS will be confirmed as a part of the plant Power Ascension Test Program.
This testing willinclude a review of the human factors aspects of the RSS design. During plant operation, appropriate training and periodic drills will maintain the operators' proficiency in RSS operation. This training would be required regardless of the type of display and control devices employed in the RSS design. Furthermore, since the RSS operations are relatively simple, this tratning should not be an undue burden on the operator.
D:\ow\amendl6:rcspond2 12/15- 11 2-90
i
. GENERAL ELECTRIC COMPANY QUESTION 62033 Describe the design of the other local control panels, given the dual approach d!scussed above.
RESPONSE 62033 The primary user of other local equipment control panels will be the plant equipment operations and maintenance staff and not the control room operations staff. The man machine interface design of these other local equipment control panels will be defined as part of the ABWR design implementation equipment procurement activities. Depending upon such factors as the user interface needs and equipment requirements, these local control panels may contain a mixture of software driven and conventional displays and controls.
i i
QUESTION 62034 Discuss the technical basis for the design of local valve operations, including the determination of local vs. control room position indications.
RESPONSE 62034 The ABWR design philosophy regarding locai valve operations is similar to previous BWR designs. Operated valves will be provided with local position indication and parallel control 1 room position indications will de provided, as determined to be appropriate, based upon !
operator interface task analyses.
b s
D;\ow\amendM:rcspond2 13/Is- 11-2-90
. GENERAL ELECTRIC COMPANY QUESTION 0035 Discuss how TMC operations are changed in the design of the ABWR when compared with a standard BWR. _
RESPONSE 0035 The ABWR has extensively incorporated the use of advanced digital electronics in the design of the plants instrumentation and controls, as described in Chapter 7 of the ABWR Standard Safety Analysis Report (SSAR). With the use of such advanced digital equipment, standard s test, maintenance and calibration operations are significantly enhanced. Automated equipment calibration, self test and diagnostic functions can be performed very quickly and at great 3recision. Equipment maintenance and repair activities are made easy through the use of the 3uilt in equipment diagnostic function and use of field replaceable electronics based modules which can be simply slipped in and out of ti.e equipment chassis.
j QUESTION 0036 Discuss the criteria used to determine which instrumentation will be manually calibrated.
RESPONSE 0036 As discussed in the response to Question 62035, the ABWR has extensively incorporated _
advanced digital technologies. One of the benefits of utilizing this advanced digital design is that many calibration functions can now be automated. The ABWR design philosophy is to apply automated calibration functions wherever practicable. No specific criterion has been developed which defines instrumentation that must be manually calibrated. Examples of instrument calibration functions which are required to be automated in the ABWR design include calibration of the in core Local Power Ran data acquisition and signal conditioning channels. ge Monitor and calibration of pr Examples of instrumentation which may need to be manually calibrated include standard process instruments such as pressure transducers. A complete definition of which calibration functions will be done manually and which are automated will be obtainable as an output of the ABWR design implementation.
D.\or\amendl6:rcyond2 14/15- 11290
. GENERAL ELECTRIC COMPANY QUESTION 620.37 Discuss the criteria used for the selection of computerized test operations.
RESPONSE 620.37 Referrinj; to the res,onses to Questions 620.35 and 620.36, another of the significant benefits of advanceo digital tecinologies is that surveillance and diagnostic tests can be automated. Again, the ABWR design philosophy is to apply automatei.' test functions to the maximum extent )
practicable. The decision to incorporate automated self test functions is made on a case by case basis and no generic criterion is applied. Chapter 7 of the ABWR Standard Safety Analysis Report SS/,R) contains a discussion of the particular automated self test functions i which have been (incorporated in the ABWR design ( c. g., See Section 7.1.2.1.6 of th J discussion of Protection System testing,includinE automated self test functions). In general, systems which perform functional logic by means of programmed digital logic (i.e., .
l microprocessors) will inherently contain self test functions.
Other automated self test functions (i.e., at the level of equipment specific design detail) will be considered as part of the ABWR design implementation, i
l
[
l l
l l
l J
D.\ow\emendl6: respond 2 15/15 11290