ML20063D912
| ML20063D912 | |
| Person / Time | |
|---|---|
| Site: | 05200003 |
| Issue date: | 01/27/1994 |
| From: | Higgins J, Ohara J, Stubler W BROOKHAVEN NATIONAL LABORATORY |
| To: | NRC |
| Shared Package | |
| ML20063D895 | List: |
| References | |
| CON-FIN-E-2090 NUDOCS 9402090009 | |
Text
Advanced Reactor Human Factors (FIN E-2090)
Task No. 4: HFE Program Review Model
BNL Technical Report E2090-T4-1-1/94
Draft Technical Report
Human Factors Engineering Program Review Model for Advanced Nuclear Power Plants
Prepared for:
U.S. Nuclear Regulatory Commission
Office of Nuclear Reactor Regulation
Washington, D.C. 20555
Prepared by:
John M. O'Hara, James C. Higgins, and William F. Stubler
Department of Advanced Technology
Brookhaven National Laboratory
Upton, NY 11973
January 25, 1994
9402090009 940131 PDR ADOCK 05200003 Enclosure PDR
DRAFT FOR COMMENT
Preface
This draft technical report (DTR) has been prepared by Brookhaven National Laboratory for the Human Factors Assessment Branch of the U.S. Nuclear Regulatory Commission's (NRC's) Office of Nuclear Reactor Regulation. This report is submitted under the Advanced Reactor Human Factors Review Project (FIN E-2090) as part of Task 4 "HFE Program Review Model Revision." The NRC Project Manager is Karen Pulsipher and the Project Engineer is Clare Goodman. The BNL Principal Investigator is John O'Hara.
Draft PRM (January 25, 1994)
Table of Contents
Preface
Acronyms
Glossary
1. Introduction
  1.1 Background
  1.2 General Issues Impacting the Safety Review of Advanced NPP HSIs
    1.2.1 Trends in Advanced NPPs
    1.2.2 Advanced Technology and Human Performance
    1.2.3 Advanced HSI Guidelines Issues
    1.2.4 Implications for Advanced HSI Review
  1.3 HFE PRM Rationale
  1.4 HFE PRM Development
    1.4.1 Objectives
    1.4.2 Technical Scope
    1.4.3 Development Methodology
    1.4.4 General HFE PRM Description
    1.4.5 HFE PRM Applications and Interpretation
2. Element 1 - Human Factors Engineering Program Management
  2.1 Background
  2.2 Objective
  2.3 Applicant Submittals
  2.4 Review Criteria
    2.4.1 General HFE Program Goals and Scope
    2.4.2 HFE Team and Organization
    2.4.3 HFE Process and Procedures
    2.4.4 HFE Issues Tracking
    2.4.5 Technical Program
3. Element 2 - Operating Experience Review
  3.1 Background
  3.2 Objective
  3.3 Applicant Submittals
  3.4 Review Criteria
    3.4.1 Scope
    3.4.2 Issue Analysis, Tracking, and Review
4. Element 3 - Functional Requirements Analysis and Allocation
  4.1 Background
  4.2 Objective
  4.3 Applicant Submittals
  4.4 Review Criteria
    4.4.1 General Criteria
    4.4.2 Requirements Analysis
    4.4.3 Function Allocation Analysis
5. Element 4 - Task Analysis
  5.1 Background
  5.2 Objective
  5.3 Applicant Submittals
  5.4 Review Criteria
6. Element 5 - Staffing
  6.1 Background
  6.2 Objective
  6.3 Applicant Submittals
  6.4 Review Criteria
7. Element 6 - Human Reliability Analysis
  7.1 Background
  7.2 Objective
  7.3 Applicant Submittals
  7.4 Review Criteria
    7.4.1 HRA Methodology
    7.4.2 Integration of HRA with HFE Design
8. Element 7 - Human-System Interface Design
  8.1 Background
  8.2 Objective
  8.3 Applicant Submittals
  8.4 Review Criteria
9. Element 8 - Procedure Development
  9.1 Background
  9.2 Objective
  9.3 Applicant Submittals
  9.4 Review Criteria
10. Element 9 - Training Program Development
  10.1 Background
  10.2 Objective
  10.3 Applicant Submittals
  10.4 Review Criteria
11. Element 10 - Human Factors Verification and Validation
  11.1 Background
  11.2 Objective
  11.3 Applicant Submittals
  11.4 Review Criteria
    11.4.1 General Criteria
    11.4.2 Human Factors Issue Resolution Verification
    11.4.3 HSI Task Support Verification
    11.4.4 HFE Design Verification
    11.4.5 Integrated System Validation
    11.4.6 Final HFE/HSI Design Verification
12. References
Appendix A: HFE Design Team Composition
Appendix B: Operating Experience Review Issues
  B.1 USI/GSI Issues
  B.2 TMI Issues
  B.3 NRC Generic Letters and Information Notices
  B.4 AEOD Studies
  B.5 Low Power and Shutdown Issues
  B.6 INPO Documents
List of Figures
  Figure 1.1 HFE Program Review Model Elements
  Figure 3.1 The Role of OER in the HFE Program
  Figure 4.1 Function Analysis and Allocation
  Figure 7.1 The Role of HRA in the HFE Program
  Figure 11.1 Relationship between V&V Activities
Acronyms
ACR      advanced control rooms
ADS      automatic depressurization system
ALWR     advanced light water reactor
ANS      American Nuclear Society
ANSI     American National Standards Institute
ASLB     Atomic Safety and Licensing Board
ATWS     anticipated transient without scram
BNL      Brookhaven National Laboratory
BOP      balance of plant
CDF      core damage frequency
CFR      U.S. Code of Federal Regulations
COL      combined operating license
CP/ML    construction permit/manufacturing license
CR       control room
DAC      design acceptance criteria
DCRDR    detailed control room design review
DD       design description
DMS      data management system
DOD      Department of Defense
GSI      generic safety issues
EOF      Emergency Offsite Facility
EOP      emergency operating procedures
EPG      emergency procedure guidelines
EPRI     Electric Power Research Institute
FSER     final safety evaluation report
FW       feedwater
HFE      human factors engineering
HFE PRM  Human Factors Engineering Program Review Model
HRA      human reliability analysis
HSI      human-system interface
I&C      instrumentation and control
IAEA     International Atomic Energy Agency
IEEE     Institute of Electrical and Electronics Engineers
INSAG    International Nuclear Safety Advisory Group
ITAAC    inspections, tests, analyses, and acceptance criteria
LCS      local control station
LER      licensee event report
LOCA     loss of coolant accident
LPCI     low pressure coolant injection
LWR      light water reactor
MUX      multiplexer
NPP      nuclear power plant
NRC      Nuclear Regulatory Commission
NRR      Office of Nuclear Reactor Regulation
NSSS     nuclear steam supply system
OER      operating experience review
PGCS     power generation control system
PRA      probabilistic risk assessment
PSF      performance shaping factor
RAMI     reliability, availability, maintainability, and inspection
RCS      reactor coolant system
RPV      reactor pressure vessel
RSS      remote shutdown system
SA       situation awareness
SBO      station black out
SER      significant event report
SLC      standby liquid control
SPDS     safety parameter display system
SRP      Standard Review Plan
SS       shift supervisor
SSAR     standard safety analysis report
SSLC     safety system logic and control
SRV      safety relief valve
STD      standard
TMI      Three Mile Island
TSC      technical support center
URD      utility requirements document
USI      unresolved safety issues
V&V      verification and validation
VDU      video display unit
Glossary
Advanced control room (ACR) - A control room that is primarily based on digital technology. ACRs typically provide the primary operator interaction with the plant via computer-based interfaces, such as video display units. This is in contrast with "conventional" control rooms which provide the primary operator interaction with the plant via analog interfaces, such as gages.
Applicant - An organization such as a nuclear plant vendor or utility that is applying to the U.S. Nuclear Regulatory Commission for design certification or plant licensing.
Critical tasks - Tasks which must be accomplished in order for personnel to perform their function. In the context of PRA, critical tasks are those which are determined to be significant contributors to plant risk.
Cognitive error - A human error that results from the characteristics of human information processing such as errors in diagnosis due to information overload.
Component - An individual piece of equipment such as a pump, valve, or vessel; usually part of a plant system.
Function - An action that is required to achieve a desired goal. Safety functions serve to ensure higher-level objectives and are often defined in terms of a boundary or entity that is important to plant safety, such as "reactivity control". A high-level objective, such as preventing the release of radioactive material to the environment, is one which designers strive to achieve through the design of the plant and which plant operators strive to achieve through safe operation of the plant. The function is often described without reference to specific plant systems and components or the level of human and machine intervention that is required to carry out this action. Functions are often accomplished through some combination of lower-level functions, such as "reactor trip". The process of manipulating lower-level functions to satisfy a higher-level function is defined here as a control function. During function allocation the control function is assigned to human and machine elements.
Human-centered design goals - HFE design goals that address the cognitive and physical support of personnel performance.
Human factors - A body of scientific facts about human characteristics. The term covers all biomedical, psychological, and psychosocial considerations; it includes, but is not limited to, principles and applications in the areas of human factors engineering, personnel selection, training, job performance aids, and human performance evaluation. (see "human factors engineering")
Human factors engineering (HFE) - The application of knowledge about human capabilities and limitations to plant, system, and equipment design. HFE assures that the plant/system/equipment design, human tasks, and work environment are compatible with the sensory, perceptual, cognitive, and physical attributes of the personnel who operate, maintain, and support it. (see "human factors")
Human-system interface (HSI) - The means through which personnel interact with the plant, including the alarms, displays, controls, and job performance aids. Generically, this also includes maintenance, test, and inspection interfaces.
Local control station (LCS) - An operator interface related to NPP process control that is not located in the main control room. This includes multi-function panels, as well as single-function LCSs such as controls (e.g., valves, switches, and breakers) and displays (e.g., meters) that are operated or consulted during normal, abnormal, or emergency operations.
Mockup - A static representation of an HSI. (see "simulator" and "prototype")
Performance shaping factors (PSFs) - Factors that influence human reliability through their effects on performance. PSFs include factors such as environmental conditions, HSI design, procedures, training, and supervision.
Plant - The nuclear power plant in its entirety including all plant systems and components.
Prototype - A dynamic representation of an HSI that is not linked to a process model or simulator. (see "simulator" and "mockup")
Safety related - A term applied to those NPP structures, systems, and components that prevent or mitigate the consequences of postulated accidents that could cause undue risk to the health and safety of the public (reference U.S. Code of Federal Regulations, "Domestic Licensing of Production and Utilization Facilities," Part 50, Appendix B, Title 10 "Energy").
Simulator - A facility that physically represents the HSI configuration and which dynamically represents the operating characteristics and responses of the plant design in real time. (see "prototype" and "mockup")
Situation awareness - The relationship between the operator's understanding of the plant's condition and its actual condition at any given point in time.
State-of-the-art human factors principles - Those principles currently accepted by human factors practitioners. "Current" is defined with reference to the time at which a program management or implementation plan is prepared. "Accepted" is defined as a practice, method, or guide which is (1) documented in the human factors literature within a standard or guidance document that has undergone a peer-review process or (2) can be justified through scientific or industry research and practices.
System - An integrated collection of plant components and control elements that operate alone or with other plant systems to perform a function.
Task - A task is a group of activities that have a common purpose, often occurring in temporal proximity, and which utilize the same displays and controls.
Top-down design - Top-down design refers to a review approach starting at the "top" with high-level plant mission goals which are decomposed into functions which are allocated to human and system resources and are decomposed into tasks required to accomplish function assignments. Tasks are arranged into meaningful jobs and the HSI is designed to best support job task performance. The detailed design is the "bottom" of the top-down process.
Vigilance - The degree to which personnel are attentive to their current task.
Workload - The physical and cognitive demands placed on plant personnel.
1. INTRODUCTION
1.1 Background
The staff of the Nuclear Regulatory Commission (NRC), Human Factors Assessment Branch is currently evaluating the human factors engineering (HFE) programs submitted as part of the certification process for advanced nuclear power plant (NPP) designs. The NRC has issued 10 CFR 52 (U.S. Code of Federal Regulations, "Early Site Permits; Standard Design Certifications; and Combined Licenses for Nuclear Power Plants," Part 52, Title 10, "Energy.") in order to encourage standardization and to streamline the licensing process. Nuclear plant designers and vendors have begun the design of advanced standard plants, which are being submitted to the NRC for review and approval under Part 52.
The licensing process of Part 52 consists of a Final Design Approval by the NRC followed by a standard design certification that is issued as an NRC Rule. This will require formal rule-making and includes the opportunity for a public hearing before the Atomic Safety and Licensing Board (ASLB). The certification, when issued, would be valid for 15 years (renewable). During its tenure neither the NRC nor the designer can change or impose new requirements on the standard design certification without a new rule-making.
In order to ensure that an as-built plant conforms to the standard design certification, inspections, tests, analyses, and acceptance criteria (ITAAC) are specified as part of the standard design certification. After certification, the NRC will ensure that the design has met the ITAAC. A utility desiring to license and operate a nuclear power plant under Part 52 will obtain a Combined Operating License (COL), which authorizes both construction and operation in one step. The COL applicant may propose a new design or reference an existing standard design certification.
In order to obtain a standard design certification under Part 52, a designer must submit a Standard Safety Analysis Report (SSAR) to the NRC for review. The NRC's review of the SSAR is issued as a Final Safety Evaluation Report (FSER) which will form the basis for the Final Design Approval.
Since human-system interface (HSI) technology is continually changing, much of the design will not be completed prior to the issuance of a design certification for the evolutionary and passive designs currently under review. Thus, for advanced reactors the staff has concluded that it is necessary to perform HFE reviews of the design process as well as the final design product for reasons elaborated in Section 1.2 of this report. The NRC is performing its evaluation based on a design implementation process plan which includes the HFE program elements required to develop an acceptable detailed design and the evaluations to be performed to assure that the final design reflects good HFE principles and that operator performance and reliability are appropriately supported in order to protect public health and safety. Along with the ITAAC as discussed above, the NRC requires the applicant to submit Design Acceptance Criteria (DAC) which will ensure that the design process is properly executed by the COL applicant following certification. The NRC specified that the design and implementation process should contain descriptions of all required human factors activities that are necessary and sufficient for the development and implementation of the HSIs.
In the past, staff HFE safety determinations were based on detailed plant design reviews. Thus a design process review has not previously been conducted by the NRC as part of the reactor licensing process. Therefore, the evaluation criteria provided in Chapter 18 of the Standard Review Plan (SRP, NUREG-0800) and in the Guidelines for Control Room Design Reviews (NUREG-0700) provide little information to support this type of evaluation. To support advanced reactor reviews, an HFE Program Review Model (HFE PRM) was developed to provide criteria for the evaluation of a design process as well as the final design itself.
1.2 General Issues Impacting the Safety Review of Advanced NPP HSIs
In addition to the regulatory issues discussed above, additional factors were considered in the development of an HFE PRM. This section provides an overview of the general issues, considerations, and theoretical factors which provided the technical basis and context for the development of the HFE PRM. A more detailed discussion can be found elsewhere (O'Hara, 1993). In order to develop an approach to the review of the NPP HFE, it was necessary to consider the factors which can be expected to impact such reviews. Several sources of information were reviewed to identify significant issues, including:
- Research reports and publications on advanced technology being developed for human system interfaces in process control application,
- Information available on advanced NPP control room (CR) designs,
- Advanced instrumentation and controls surveys conducted for the NRC (Carter and Uhrig, 1990), the International Atomic Energy Agency (IAEA, Neboyan and Kossilov, 1990), and the OECD (Kennedy, 1988),
- General human factors literature on human information processing and the effects of advanced technology on human performance, and
- Existing literature on human factors standards and guidelines for advanced human-system interface (HSI).
Based upon a review of the above material, many factors were identified which affect the review of the HFE characteristics of new or advanced designs. These factors are organized into three categories: (1) the trends in advanced NPPs, (2) the human factors issues that are associated with advanced technology, and (3) the state-of-the-art of human factors guidelines for advanced HSIs. The implications of these factors and their impact on the HFE review are summarized in Section 1.2.4.
1.2.1 Trends in Advanced NPPs
Diversity in Advanced Reactor Technology: The current generation of commercial NPPs operating in the U.S. numbers more than 100; all of those are based upon light water reactor technology. Although the next generation of plants will reflect advances on this technology base, the industry has also developed designs based on different technologies, including heavy water reactors, liquid metal reactors, and gas-cooled reactors. One important design initiative to improve safety and reliability has been to move from active safety features (based upon active components such as pumps) toward more "passive" safety features (based upon natural physical processes such as convection flow, radiation cooling, and gravity). This plant diversity and the new passive features introduce new and different systems for operators to control, test, and monitor. There are questions as to how the reliable functioning of these passive systems can be verified by the operators during plant operation. Also, the role of the operator during transients and accidents changes considerably with these new passive systems. Important questions include: (1) How can operators verify during normal operation that these systems are ready for emergency operation; (2) How can proper operation be confirmed when the systems are called upon; (3) What parameters should be monitored; and (4) What is the proper operator response when the passive systems do not function properly? Clearly, advanced NPPs will result in different operator roles and tasks, different CRs, and different operator-control interfaces. The HFE PRM must be capable of enabling reviews of all possible designs and a great diversity of operator functional roles in the system.
Trends in HSI Evolution: There are several important trends emerging in advanced HSI design concepts in the nuclear industry, including: (1) greater use of automation and a corresponding shift of the operator's role in the system as monitor, supervisor, and back-up to automated systems; (2) greater centralization of controls and displays into "compact" digital work stations; (3) use of large display panels that can be seen from anywhere in the CR to present high-level information and critical parameters; (4) a primary operator interface with a data management system (DMS) with little interaction directly with components; (5) use of data integration and graphic displays; and (6) information processing and decision-support aids. As these trends are implemented, they will result in a wide range of technological approaches to HSI and CR types from conventional to hybrid to advanced to "intelligent" CRs. In part, this is due to the tremendous flexibility offered by software-driven interfaces to provide for alternative data processing, display and control. An HFE PRM must enable complete and consistent reviews of designs reflecting such diversity in approaches to HSI and control room design.
1.2.2 Advanced Technology and Human Performance
While the use of advanced technology is generally considered to enhance system performance, computer-based operator interfaces also have the potential to negatively impact human performance, spawn new types of human errors, and reduce human reliability (Coblentz, 1988; Rasmussen et al., 1987; Wiener & Nagel, 1988; Woods et al., 1990). However, since the contributors to unreliability in an advanced control room (ACR) are likely to be different from those which are present in conventional CRs, they are less obvious and generally less well understood (O'Hara & Hall, 1990). Some of the factors contributing to the problems of integrating human operators and advanced systems are reviewed below. The HFE PRM must enable the reviewer to identify such safety concerns and evaluate their resolution.
General State of Knowledge: Despite the rapidly increasing utilization of advanced HSI technology in complex, high-reliability systems such as NPPs and civilian aircraft, there is broad consensus that the knowledge-base for understanding the effects of this technology on human performance and system safety is in need of further research (National Academy of Sciences Committee on Human Factors, 1983; Moray & Huey, 1988). The operating environment associated with advanced systems is very different from that of a conventional CR. Human information processing issues are emerging as more significant than the physical and ergonomic considerations which dominated the design of conventional HSIs. While these issues have been recognized for a long time, their full implications for human performance and system safety have only recently begun to be addressed in research, and there is not a long history of operational experience upon which to draw. The National Academy of Sciences, for example, has identified areas such as automation, supervisory control, and human-computer interface as high priority research areas for the human factors community in general and for the commercial nuclear industry in particular (Pew et al., 1983; Moray & Huey, 1988).
Allocation of Function and Automation: Many human factors problems originate early in the design process. Historically, functions were allocated to automated systems based largely on the capability of available technology to reliably and safely execute the function, rather than on the human operator's ability to perform as part of the overall system. This was true even though the human factors problems associated with automation had been known for some time (Edwards, 1977) and the emergence of new types of human and system errors had been identified (Wiener & Curry, 1980). Increases in automation have been associated with a shift from physical to cognitive workload, with a loss of operator vigilance and a concomitant increase in vigilance-associated human errors (Warm & Parasuraman, 1987), with difficulty maintaining adequate "situation awareness" (Kibble, 1988), and with loss of skills to perform the task in the event of automated system failure. In part, many of these issues may be the result of a shift in the operator's role from that of an active, in-the-loop controller to an out-of-the-loop supervisor and monitor, together with a failure on the part of the HSI and system designers to adequately account for this shift (Moray, Lootsteen, & Pajak, 1986; Wickens & Kessel, 1981; Ephrath & Young, 1981).
Cognitive Factors: Computer-based HSI design requires, to a far greater extent than traditional CR designs, the specification of cognitive requirements and processing resources that the operator must utilize in task performance; i.e., cognitive task analysis. That information is needed for proper design and evaluation of the interface. Four aspects of HSI are primarily responsible for this requirement. First, information is typically presented in "predigested" form; i.e., raw data parameters are processed and integrated into a higher level of information, thus potentially obscuring their meaning. Second, the operator typically has much more information available which, if not properly organized and presented, can be overwhelming. Third, information is typically resident in the "virtual" workstation of a computer-based HSI, rather than in dedicated spatial locations spread out across control stations. Information is located somewhere in a computer system which provides only a glimpse of its contents (through a display device) at any one time. A poorly designed interface can make location of information and navigation through data difficult. Fourth, the flexibility of software-driven interfaces can increase the workload associated with managing the interface itself (e.g., accessing displays, moving windows, and setting display modes).
System Complexity and Operator Skills: NPP operations have always demanded a high level of skill and readiness on the part of the operating staff. These demands may increase, however, because of the need for operators to understand and evaluate the performance of advanced systems, to know their limitations, and to be ready to assume manual control when appropriate. There is a somewhat paradoxical relationship between these requirements and the day-to-day tasks that operators must perform, which in a highly-automated plant are predominantly monitoring functions. Thus, there is a risk that these carefully selected and highly trained operators may be required to perform a routinely boring and monotonous job.
1.2.3 Advanced HSI Guidelines Issues
In the past the staff has relied heavily on the use of HFE guidelines to support the identification of potential safety issues and their resolution. NUREG-0700 and Chapter 18 - Appendix B of NUREG-0800 are examples of this review guidance. In this section, issues related to the use and sufficiency of HFE guidelines for review of advanced systems are considered.
Hardware vs. Software Guidelines: For conventional plants, NRC HSI reviews rest heavily on an evaluation of the physical aspects of the HSI using HFE guidelines such as NUREG-0700. In an ACR, the physical layout of the display devices and computer input devices may be less important than the design of the human-software interface; i.e., the information management system and the methods with which information is displayed to the operator. This information can be displayed in a complex network of hundreds of computer displays. The difficulty of developing guidelines for human-software interfaces when compared with human-hardware interfaces has been well documented (Smith, 1988). Perhaps most significant to the evaluation of human-software interfaces is that the most important design features are often hidden to the reviewer and transparent to the operator, while important hardware design features are usually readily observable. For example, the observable display may be an end product of extensive data processing providing higher-level, more abstract displays than was the case in the "single sensor/single display" designs characteristic of conventional CRs. As a result, while hardware review guidance tends to be relatively clear and specific, software guidance tends to be stated in more general language.
Status of Guidelines for Advanced Technology: ACRs are based upon relatively new technology which is rapidly changing. Relative to the guidelines available for traditional hardware interfaces, the guidelines available for computer based, software interfaces have a considerably weaker research base, and have not been as well tested and validated through many years of design application. Thus, the human factors guidelines available for the review of advanced CR technology are less firm and, as indicated above, are typically stated in more general terms. Further, the cognitive task requirements, critical to human software interface design, are typically less familiar to designers and reviewers (Woods et al., 1990; Karat, 1989). These characteristics of advanced technology guidelines can make the reviewers' job more difficult (Reaux & Williges, 1988).
Suitability of Guidelines as a Basis for Review: Another issue related to the maturity of advanced technology guidelines is whether evaluations based only on conformance to HFE guidelines provide a sufficient basis for review. Gould has indicated that, due to the nature of advanced human-system interfaces (as discussed above), a good system cannot be designed by guidelines alone (Gould, 1988). A similar conclusion resulted from an effort to evaluate a computer-based system using only guidelines (Potter et al., 1990). While HFE guideline-based reviews for ACRs are a necessary part of safety evaluations, they are not sufficient as the sole basis of a safety determination. Safety reviews need to be broader and consider alternative sources of evaluation data.
1.2.4 Implications for Advanced HSI Review
The issues discussed above have implications for the development of an approach to the safety review of the HFE aspects of advanced reactor designs. These implications are summarized below.
1. The review approach should provide criteria to support safety reviews to be performed during the design process as well as for final designs. Important reasons for this include:
   - Advanced reactor certification applications may provide CRs designed to conceptual levels of detail only; i.e., detailed designs are not available for review;
   - Many significant human factors issues arise early in design, e.g., initial goals/objectives of the design and allocation of functions to human and automated task performance.
2. Reviews of the HSIs should extend beyond HFE guideline evaluations and should include a variety of assessment techniques, such as validations of the fully integrated system under realistic, dynamic conditions using experienced, trained operators performing the types of tasks the HSI has been designed for (including various types of failures and transient conditions).
3. Since human-software guidelines have been found to be more difficult to review than traditional hardware guidelines, reviewers must have supplemental information, such as that provided by the outputs of the design process, e.g., the results of trade studies and analyses for HSI technology selection and design.
The factors described above have led to the development of a top-down approach to the review of HSIs defined by the HFE PRM. Top-down refers to a review approach starting at the "top" with high-level plant mission goals which are broken down into the functions necessary to achieve the mission goals. Functions are allocated to human and system resources and are broken down into tasks for the purposes of specifying the alarms, information, and controls that will be required to accomplish function assignments. Tasks are arranged into meaningful jobs and the HSI is designed to best support job task performance. The detailed design is the "bottom" of the top-down process.
The general rationale underlying the PRM's development is that "safety" is a concept that is not directly observed but must be inferred from available evidence. When reviewing a design in order to make a safety assessment, evidence is collected and weighted towards or against an acceptable finding. As in the assessment of any inferred concept, different types of data can be collected. Each has its overall correlation with safety and each has its strengths and weaknesses. The reviewer would like to collect as much data as possible in order to establish "convergent validity" (Campbell and Fisk, 1959); i.e., to establish a consistent finding across different types of data, each with its own sources of bias and error. This approach is similar to a "defense-in-depth" (INSAG, 1988) concept applied to HFE/HSI evaluation.
The types of information that can provide assessments of HSI safety include:
- HFE planning (including an HFE design team, program plans and procedures),
- Design analyses and studies (including requirements/function/task analyses, technology assessments, trade-off studies, etc.),
- Design specifications and descriptions, and
- Verification and validation (V&V) analyses of the final design (e.g., compliance with accepted HFE guidelines and operation of the integrated system with operators performing the required tasks under actual (or simulated) conditions).
These categories of information all have their strengths and weaknesses, but are probably listed in an order of increasing correlation with safety, i.e., greater reliance should be made on full-mission testing as compared with the make-up of an HFE design team and program plan. It is tempting to view V&V as definitive, but it also is subject to error. There are two principal reasons for this.
First, the criteria used in V&V evaluations are often derived from the analyses performed during the design process. For example, (1) the results of task analysis may be used as criteria in verifying that all required controls and displays are provided to support human functions; (2) the guidance developed in the design specification may be used to verify conformance to HFE standards and principles; and (3) the performance requirements developed in the system requirements and function analyses may be used as performance criteria in HSI validation. For these criteria to be credible and to establish confidence in the V&V results, safety evaluators must have assurance that the criteria were derived using appropriate and acceptable methods (which should have been laid out in an HFE program plan).
Second, it is not possible to test all possible conditions of HSI usage during validation tests. In addition, validation will generally be performed using a simulator. Simulators create a somewhat artificial environment which can modify operator behavior; e.g., (1) with respect to the influence of performance shaping factors (PSFs), and (2) important human information processing parameters.
With respect to PSFs, simulator exercises will not reflect with high fidelity the influence of all important factors (such as stress, noise, and chaos/distractions) that will affect human performance during real-world operations. With respect to human information processing, important aspects of human cognition and performance (such as signal detection threshold, event probability estimation, and response selection) are affected by the operating crew's understanding that they are participating in a simulated rather than real situation. For example, when a simulator exercise begins, the operator knows something other than normal operations is likely. Unlike the real world, very low probability events are likely to occur and will be anticipated by the crew. Thus, the operator's attention is aroused and focused on event occurrence and detection. When a situation does occur, the crew's response will likely be optimized according to established procedures since there are no consequences to responses made on a simulator and no conflict between safety and productivity (power production) goals. There are major consequences to real-world actions which will affect an operator's probability and timing of taking actions. All of these factors require the recognition of uncertainties in the use of simulator data. A good V&V plan can help reduce these threats to the validity of the results, but they cannot be completely eliminated. Therefore, the generalization from simulation to real world contains uncertainty which limits the "external validity" (generalizability) of the results.
Thus, the greatest confidence in a finding that a design is acceptable can be placed in one which has the following characteristics: (1) it was developed by a qualified HFE design team including all the skills required using an acceptable HFE program plan; (2) it was the result of appropriate HFE studies and analyses which provide accurate and complete inputs to the design process and inputs to V&V assessment criteria; (3) it was designed using proven technology based upon human performance and task requirements incorporating accepted HFE standards and guidelines; and (4) it was evaluated with a thorough V&V test program.
In summary, an HFE PRM was developed to provide a means to:
- Review a conceptual design,
- Review products of process which are important to V&V,
- Review and identify HFE issues which arise throughout the design process, including in early decisions, and
- Address potential safety concerns more effectively than at the V&V stages, when the design is complete and more difficult to change.
1.4 HFE PRM Development
The purpose of this section is to describe the development of the HFE PRM in terms of its objectives, technical scope, development methodology, and application.
1.4.1 Objectives
Since advanced reactor certification will be based partially on the approval of a design and implementation process plan, the staff must: (1) assess whether all the appropriate HFE elements are included, (2) identify what materials are to be reviewed for each element, and (3) evaluate the proposed DAC/ITAAC to verify each of the elements. It is important to identify which aspects of the process are required to assure that HFE design goals in support of safe plant operation are achieved and to identify the review criteria by which each element can be assessed. Review criteria independent of those provided by the designer are required to assure that the design plan reflects acceptable human factors engineering practices at the time of the review and that it is a thorough, complete, and workable plan. The HFE PRM was developed to address this need. The specific objectives of the HFE PRM development effort were:
- 1. To develop a technical basis for the review of an applicant's HFE design process and final design configuration proposed for certification. The HFE PRM requirements are that it be: (1) based upon currently accepted practices, (2) well-defined, and (3) validated through experience with the development of complex, high-reliability systems.
- 2. To identify the HFE elements in a plant/system development, design, and evaluation process that are necessary and sufficient requisites to successful integration of the human component in complex systems.
- 3. To identify the components of each HFE element that are key to a safety review.
- 4. To specify the review criteria by which HFE elements can be evaluated.
1.4.2 Technical Scope
The scope of the general HFE PRM includes HSI design (including human interfaces with hardware and software), procedures, training, staffing, and human reliability analysis.
1.4.3 Development Methodology
A technical review of current HFE guidance and practices was conducted to identify important human factors program plan elements relevant to the technical basis of a design process review. Several types of documents were assessed.
- Systems theory and engineering - general literature providing the theoretical basis for systems engineering, e.g., Gagne and Melton, 1988.
- NPP regulation - the regulatory basis for NPP review and NRC literature, e.g., 10 CFR 50 and NUREG-0700 - Appendix B.
- General HFE guidance - HFE guidance developed to be generally applicable to the design and evaluation of complex systems, e.g., Military handbook (MIL-H) 46855.
- NPP HFE guidance - standards, guidance, and recommended practices developed in the NPP industry, e.g., IEEE STD 1023-1988, IEC 964, and EPRI Advanced Light Water Reactor Requirements (ALWR) Utility Requirements Document.
From this review an HSI development, design, and evaluation process was defined. Once specified, key HFE elements were identified and general criteria by which they are assessed (based upon a review of current literature and accepted practices in the field of human factors engineering) were developed. The HFE PRM was developed based largely on applied general systems theory (Bailey, 1982; DeGreen, 1970; Gagne et al., 1988; Van Cott and Kinkade, 1972; Woodson, 1981) and the Department of Defense (DoD) system development process which is rooted in systems theory (DoD, 1979a; DoD, 1990b; Kockler et al., 1990). Other DoD military standards, guidance documents, and handbooks were utilized as well (DoD 1979b; DoD 1981; DoD 1983; DoD 1985; DoD 1986; DoD 1989a; DoD 1989b; DoD 1991a; DoD 1991b; DoD 1991c).
Applied general systems theory provides a broad approach to system design which is based on a series of clearly defined developmental steps, each with defined goals, and with specific management processes to attain them. System engineering has been defined as "...the management function which controls the total system development effort for the purpose of achieving an optimum balance of all system elements. It is a process which transforms an operational need into a description of system parameters and integrates those parameters to optimize the overall system effectiveness" (Kockler et al., 1990). DoD design requirements reflect the systems approach. Personnel are identified as a specific component of the total system (DoD, 1990a) and all system components (hardware, software, personnel, support, procedures, and training) are given detailed consideration in the design process. Since the military has been applying HFE longer than industrial/commercial system developers, the process is more formalized and contains detailed design process requirements. Thus, the DoD system development process was used as a major input to the development of the HFE PRM based on several factors.
Within the DoD system, the development of a complex system begins with the mission or purpose of the system, and the capability requirements needed to satisfy mission objectives. Systems engineering is essential in the earliest planning period to develop the system concept and to define the system requirements. During the detailed design of the system, systems engineering assures:
- Balanced influence of all required design specialties,
- Resolution of interface problems,
- The effective conduct of trade-off analyses,
- The effective conduct of design reviews, and
- The verification and validation of overall system performance.
The effective integration of HFE considerations into the design is accomplished by: (1) providing a structured top-down approach to system development which is iterative, integrative, interdisciplinary and requirements driven, and (2) providing a management structure which details the HFE considerations in each step of the overall process. A structured top-down approach to NPP HFE is consistent with the approach to new CR design described in Appendix B of NUREG-0700 (U.S. NRC, 1981) and the more recent nuclear industry standards (IEC, 1989; IEEE, 1988) for advanced CR design. The approach is also consistent with the recognition in the nuclear industry that human factors issues and problems emerge throughout the NPP design and evaluation process and, therefore, human factors issues are best addressed with a comprehensive top-down program (for example, see Beattie and Malcolm, 1991; Stubler, Roth, and Mumaw, 1991).
The systems engineering approach was expanded to develop an HFE PRM to be used for the ACR design and implementation process review by the incorporation of NRC HFE requirements.
1.4.4 General HFE PRM Description
As indicated above, a central foundation of the HFE PRM is that the HSI should be developed, designed, and evaluated based upon a structured top-down system analysis using accepted HFE principles based upon current HFE practices. The HFE PRM decomposes the review process into ten elements reflecting four stages of design: planning, analysis, interface design, and evaluation (V&V). The ten elements are illustrated in Figure 1.1. A brief description of the review objectives, acceptance criteria, and applicant products reviewed for each element follows. The HFE PRM is described in more detail in Sections 2 through 11.
[Figure 1.1 HFE Program Review Model Elements: diagram arranging the elements under the four stages Planning, Analysis, Design, and V&V.]
Each element of the HFE PRM is divided into four sections: Background, Objective, Applicant Submittals, and Review Criteria.
- 1. Background - A brief explanation of the rationale and purpose of the element.
- 2. Objective - The review objective(s) of the element.
- 3. Applicant Submittals - The set of materials to be provided to the NRC for review of the element is specified. Generally three reports are identified: implementation plan, analysis results, and design team review reports.
An implementation plan is a document providing the applicant's proposed methodology for meeting the acceptance criteria of the element. An implementation plan review provides the applicant the opportunity to obtain staff review and concurrence on the applicant's approach prior to conducting the activities associated with the element. Such a review is desirable from the staff's perspective since it provides the opportunity to resolve methodological issues and provide input early in the analysis or design process when staff concerns can more easily be addressed than when the effort is completed.
An analysis results report provides the results of the applicant's efforts on an HFE PRM element with respect to the review criteria. A reviewer will utilize the report as the main source of information for assessing the review criteria. If an implementation plan had been reviewed and found acceptable, then the review of the results should be a verification that the plan had been satisfactorily followed.
An applicant's design team review report is the independent evaluation of the activities addressed for the element by the design team. This activity may be part of the applicant's overall quality assurance process.
It is not a requirement that the submittals literally be in three reports. Rather it is important that all three types of information be available to the reviewer, i.e., methodology, results, and review. In some cases an applicant may choose to provide this information in a single report. It is also possible that, for more complex elements such as HSI design or V&V, more than three reports may be submitted in order to address all HFE PRM criteria.
In addition to reports, the reviewer may review sample work products for earlier elements and implemented designs for later elements such as V&V.
- 4. Review Criteria - This section contains the acceptance criteria for design process products and for the final design review. Not all existing NRC detailed final design criteria are duplicated in this document. For example, NUREG-0700 provides HFE guidance for detailed control room design reviews. NUREG-0700 is only referenced in the applicable HFE PRM elements. Thus the HFE PRM provides a combination of detailed criteria in areas historically not addressed by the staff reviews and "pointers" to the appropriate NRC documents in those areas for which existing NRC guidance is available. Thus the HFE PRM provides a framework for organizing both new and traditional topics of staff HFE reviews.
The HFE PRM requires that the applicant's efforts for each element be governed by accepted HFE practices as specified by applicable regulatory documents and HFE codes, standards, and guidelines. Each of the HFE PRM elements provides a list of such documents. While these documents contain generally recognized acceptable approaches for the conduct of the HFE activity described by the element, several caveats should be identified:
- There may be inconsistencies or contradictions within and between documents. Such conflicts should be resolved on a case-by-case basis depending upon the specific application under review.
- Each individual document listed for a given element does not necessarily address all aspects of that element. In the conduct of a review of each element, a combination of the applicable sections of several of the identified documents may be appropriate.
- It should not be inferred that the listed documents provide complete guidance for each and every activity encompassed by the element. HFE is still an evolving discipline; therefore, not all HFE activities are adequately covered in codes, standards, and guidelines.
- Alternative approaches to those described in the referenced documents may be acceptable if judged by the reviewer to have a firm rationale. Proposed alternative approaches should be evaluated on a case-by-case basis.
1.4.5 HFE PRM Applications and Interpretation
The HFE PRM was developed specifically to address the programmatic review of HSIs for advanced reactor designs. The HFE PRM is specified in a somewhat generic form and must, therefore, be tailored to the requirements of each specific review. For example, since the elements are iterative and overlapping, a given element technical criterion may be deferred to another element if the applicant provides an acceptable justification. Thus, due to the unique demands of each review, tailored versions of the model may be developed to support the staff reviews of individual applicants' HFE programs.
For a 10 CFR 52 review, the HFE PRM does not define which elements must be completed for design certification and which may be deferred to later. It is the responsibility of the applicant for design certification to indicate which aspects of each element are completed and to be reviewed under design certification evaluations. Those HFE PRM criteria not completed should be specifically addressed in ITAAC/DAC or COL action items. All HFE PRM criteria should be met before plant startup.
2. ELEMENT 1 - HFE PROGRAM MANAGEMENT
2.1 Background
The overall purpose of the human factors engineering program review is to assure that:
- The applicant has integrated HFE into plant development and design.
- The applicant has provided HSIs which make possible safe, efficient, and reliable operator performance of operation, maintenance, test, inspection, and surveillance tasks.
- The HSI reflects "state-of-the-art human factors principles" [10 CFR 50.34(f)(2)(iii) as required by 10 CFR 52.47(a)(1)(ii)] and satisfies all specific regulatory requirements as stated in 10 CFR.
State-of-the-art human factors principles are defined as those principles currently accepted by human factors practitioners. "Current" is defined with reference to the time at which a program management or implementation plan is prepared. "Accepted" is defined as a practice, method, or guide which is (1) documented in the human factors literature within a standard or guidance document that has undergone a peer-review process or (2) can be justified through scientific or industry research and practices.
To accomplish these programmatic objectives, an adequate HFE program plan is required which is conducted by a qualified HFE design team. The term "HFE design team" is generically used within the HFE PRM to refer to the primary organization or function within the organization that is responsible for HFE within the scope of the HFE PRM. There is, however, no assumption that HFE is performed by a single organization or that there is an organizational unit called the HFE design team.
2.2 Objective
The objective of this review is to ensure that the applicant has an HFE design team with the responsibility, authority, placement within the organization, and composition to ensure that the design commitment to HFE is achieved. Also, the team should be guided by an HFE Program Plan to assure the proper development, execution, oversight, and documentation of the HFE program. This plan should describe the technical program elements assuring that all aspects of HSI are developed, designed, and evaluated based upon a structured top-down systems analysis using accepted HFE principles.
2.3 Applicant Submittals
The applicant should provide the following for staff review:
- Human Factors Engineering Program Plan describing the applicant's HFE goals/objectives, technical program to accomplish the objectives, HFE design team, and the management and organizational structure to allow the technical program to be accomplished.
The reviewer may also audit the issue tracking system for compliance with Section 2.4.4 below.
2.4 Review Criteria
Element 1 review topics include:
- General HFE Program Goals and Scope,
- HFE Team and Organization,
- HFE Process and Procedures,
- HFE Issues Tracking, and
- Technical Program.
2.4.1 General HFE Program Goals and Scope
1. HFE Program Goals - The general objectives of the program should be stated in "human-centered" terms which, as the HFE program develops, should be defined and be used as a basis for HFE test and evaluation activities. Generic "human-centered" HFE design goals include:
   - Personnel tasks can be accomplished within time and performance criteria.
   - The HSI will support a high degree of operating crew "situation awareness."
   - The plant design and allocation of functions will provide acceptable workload levels to assure a balance between vigilance and operator overload.
   - The operator interfaces will minimize operator error and will provide for error detection and recovery capability.
2. Assumptions and Constraints - The design assumptions (or constraints) should be clearly identified. An assumption/constraint is an aspect of the design, such as a specific staffing plan or the use of specific HSI technology, that is an input to the HFE program rather than the result of HFE analyses and evaluations.
3. Applicable Facilities - The HFE program should address the main CR, remote shutdown facility, technical support center (TSC), emergency operations facility (EOF), and local control stations (LCSs).
4. Applicable HSIs - The applicable HSIs included in the HFE program should include all operations, accident management, maintenance, test, inspection and surveillance interfaces (including procedures).
5. Technical Basis - The applicant's HFE program should be developed using the following documents as guidance:
   - U.S. Code of Federal Regulations, "Domestic Licensing of Production and Utilization Facilities," Part 50, Title 10, "Energy."
   - U.S. Code of Federal Regulations, "Early Site Permits; Standard Design Certifications; and Combined Licenses for Nuclear Power Plants," Part 52, Title 10, "Energy."
   - U.S. Code of Federal Regulations, "Operator's Licenses," Part 55, Title 10, "Energy."
   - IEEE Std 1023-1988: IEEE guide to the application of human factors engineering to systems, equipment, and facilities of nuclear power generating stations, 1988, (IEEE).
   - MIL-H-46855B: Human engineering requirements for military systems, equipment and facilities, 1979, (Department of Defense).
   - AR 602-1: Human factors engineering program, 1983, (Department of Defense).
   - DI-HFAC-80740: Human engineering program plan, 1989, (Department of Defense).
   - AR 602-2: Manpower and personnel integration (MANPRINT) in the materiel acquisition process, 1990, (Department of Defense).
   - DOD-HDBK-763: Human engineering procedures guide, 1991, (Department of Defense).
2.4.2 HFE Team and Organization
1. Responsibility - The team should be responsible (with respect to the scope of the HFE program) for (1) the development of all HFE plans and procedures; (2) the oversight and review of all HFE design, development, test, and evaluation activities; (3) the initiation, recommendation, and provision of solutions through designated channels for problems identified in the implementation of the HFE activities; (4) verification of implementation of team recommendations; (5) assurance that all HFE activities comply with the HFE plans and procedures; and (6) scheduling of activities and milestones.
2. Organizational Placement and Authority - The primary HFE organization(s) or function(s) within the organization of the total program should be identified, described, and illustrated, e.g., charts to show organizational and functional relationships, reporting relationships, and lines of communication. When more than one organization is responsible for HFE, the lead organizational unit responsible for the HFE program plan should be identified. The team should have the authority and organizational placement to ensure that all its areas of responsibility are accomplished and to identify problems in the implementation of the HSI design. The team should have the authority to control further processing, delivery, installation or use of HFE/HSI products until the disposition of a non-conformance, deficiency or unsatisfactory condition has been achieved.
3. Composition - The HFE design team should include the expertise described in Appendix A.
4. Team Staffing - Team staffing should be described in terms of job descriptions and assignments of team personnel.
2.4.3 HFE Process and Procedures
1. General Process Procedures - The process through which the team will execute its responsibilities should be identified. The process should include procedures for:
   - Assigning HFE activities to individual team members
   - Governing the internal management of the team
   - Making management decisions regarding HFE
   - Making HFE design decisions
   - Governing equipment design changes
   - Design team review of HFE products
2. Process Management Tools - Tools and techniques (e.g., review forms) to be utilized by the team to ensure they fulfill their responsibilities should be identified.
1 Draft PRM Oanuary 25.1994)
Page 15
A i
DRAFT FOR COMMENT l
Training Design Human Factors Veri 0 cation and Validation 2.
HFE Requirements - Identify and describe the HFE requirements imposed on the design i
process. List the standads and specifications which are sources of HFE requirements.
l 3.
HFE facilities, equipment, tools, and techniques (such as laboratories, simulators, rapid prototyping software) to be utilized in the HFE program should be specified.
4 i
i
)
i i
I i
1 i
Draft PRM (January 25,1994)
Page 17
s DRAFT FOR COMMENT 3.
Intecration of HFE and Other Plant Desien Activities - The integration of design activities should be identified, i.e., the inputs from other plant design activities to the HFE program and the outputs from the life program to other plant design activities. The iterative nature of the HFE design process should be addressed.
4.
HFE Procram Milestones - HFE milestones should be identified so that evaluations of the effectiveness of the HFE cffort can be made at critical check points and show the relationship to the integrated plant sequence of events. A program schedule of HFE tasks showing relationships between HFE elements and activities, products, reviews should be available for n' view.
5.
HFE Documentation -IIFE documentation items should be identified and briefly described along with the procedures for retention and access.
6.
HFE in Subcontractor Effons - HFE requirements should be included in each subcontract and the subcontractor's compliance with HFE requirements should be periodically verified.
2.4.4 HFE Issues Tracking
1. Availability - A tracking system should be available to address human factors issues that are (1) known to the industry (defined in the operating experience review, see Element 2) and (2) identified throughout the life cycle of the HFE/HSI design, development and evaluation. Issues are those items which need to be addressed at some later date and thus need to be tracked to ensure that they are not overlooked. An existing tracking system may be adapted to serve this purpose.
2. Method - The method should document and track HFE issues from identification until elimination or reduction to an acceptable level.
3. Documentation - Each issue/concern that meets or exceeds the threshold established by the design team should be entered into the system when first identified, and each action taken to eliminate or reduce the issue/concern should be thoroughly documented. The final resolution of the issue should be documented in detail, along with information regarding design team acceptance.
4. Responsibility - When an issue is identified, the tracking procedures should spell out individual responsibilities for issue logging, tracking and resolution, and resolution acceptance.
2.4.5 Technical Program
1. Identify and describe the general development of implementation plans, analyses, and evaluation of:
- Operating Experience Review
- Functional Requirements Analysis and Allocation
- Task Analysis
- Staffing
- Human Reliability Analysis
- Human-System Interface Design
- Procedure Design
3. ELEMENT 2 - OPERATING EXPERIENCE REVIEW
3.1 Background
The accident at Three Mile Island in 1979 and other reactor incidents have illustrated significant problems in the actual design and the design philosophy of NPP HSIs. There have been many recommendations as a result of these accidents/incidents and utilities have implemented both NRC mandated changes and additional improvements on their own initiative. However, the design changes were based on the constraints associated with backfits to existing CRs using early 1980s technology which limited the scope of corrective actions that might have been considered, i.e., more effective fixes can be accomplished when designing a new CR with the modern technology typical of ACRs.
The main purpose of the operating experience review (OER) is to identify safety-related issues. The OER provides information regarding the performance of fully-integrated predecessor systems in an analogous way to full-mission validation tests which provide information about the achievement of HFE design goals in support of safe plant operation and safety concerns for the integrated system under review. The issues and lessons learned regarding operating experience provide a basis for improving the plant design in a timely way, i.e., at the beginning of the design process.
The resolution of OER issues may involve function allocation, changes in automation, HSI equipment design, procedures, training, etc. Thus, problems and issues encountered in previous designs can be identified and analyzed so that they are avoided in the development of the current system or, in the case of positive features, to ensure their retention.
Thus, OER information contributes to other HFE PRM elements. These inputs are summarized in Figure 3.1. As indicated in the figure, OER can contribute to review and evaluation considerations as well as system design considerations. For example, OER can be used in the selection of specific failure scenarios to incorporate in validation testing and can be used as a basis to select specific performance measures for the evaluation, e.g., to measure an aspect of human performance identified in OER as being problematic.
The technical basis for inclusion of an OER element in the HFE PRM is founded in nuclear industry regulations, standards and recommended practices. 10 CFR Part 50.34 (f)(3)(i) requires that procedures be provided "for evaluating operating, design and construction experience and for ensuring that applicable important industry experiences will be provided in a timely manner to those designing and constructing the plant." NUREG-0700 identifies OER as important to the safety review of HSIs and includes an examination of available documents (such as LERs, outage analysis reports, modifications to technical specifications, and licensee internal memoranda and reports) and operator surveys/interviews. The IAEA in the "Basic Safety Principles for Nuclear Power Plants" (INSAG, 1988) indicated that "organizations concerned ensure that operating experience and the results of research relevant to safety are exchanged, reviewed and analyzed, and that lessons learned are acted on" (p. 22). OER has also been identified by the IEEE as an important element to NPP design (IEEE Std 1023-1988, see Section 6.3) and evaluation (IEEE Std 845-1988, see Section 6.1.2).
The formal integration of OER into the design of advanced NPPs has been required by EPRI in the "Advanced Light Water Reactor Utility Requirements Document" (ALWR URD) in Requirement 3.1.3.1 "Resolution of Past Problems." Thus OER is widely recognized as an important activity to safe and efficient plant design. It was, therefore, included in the HFE PRM as a formal element for review.
[Figure 3.1 The Role of OER in the HFE Program. Box labels: HFE Program Management; Operating Experience Review; Functional Requirements Analysis & Allocation (basis for initial requirements and allocations; identify need for modifications); Task Analysis, Human Reliability Analysis, & Staffing (critical human actions & errors; problematic operations & tasks; staffing shortfalls); HSI, Procedure & Training Development (trade study evaluations; potential design solutions; potential design issues); HFE Issue Tracking; Verification & Validation (operations & tasks to be evaluated; event & scenario selection; performance measure selection); Issue Resolution.]
3.2 Objective
The objective of this review is to assure that the applicant has identified and analyzed problems and issues encountered in previous designs which are similar to the current design under review so that they are avoided in the development of the current design or, in the case of positive features, to ensure their retention.
3.3 Applicant Submittals
The applicant should provide the following documents for staff review: Implementation Plan, Analysis Results Report, and HFE Design Team Evaluation Report. For a description of these submittals see Section 1.4.4. The reviewer may also audit the issue tracking system for examination of OER issue treatment.
3.4 Review Criteria
3.4.1 Scope
1. Predecessor Plant and Systems - The review should include information pertaining to the human factors issues related to the predecessor plant(s) or highly similar plants and plant systems.
2. Recognized Industry HFE Issues - See Appendix B for a list of recognized nuclear power industry issues, organized into the following categories:
- USI/GSI Issues
- TMI Issues
- NRC Generic Letters and Information Notices
- AEOD Studies
- Low Power and Shutdown Issues
- INPO Reports
3. Related HSI Technology - The OER should address related HSI technology. For example, if touch screen interfaces are planned, HFE issues associated with their use should be reviewed.
4. Operator Interviews - Operator interviews should be conducted to determine operating experience related to predecessor plants or systems. The following topics should be included in the operator interviews as a minimum:
- Plant Operations
  - Normal plant evolutions (e.g., start-up, full power, and shutdown),
  - Instrument failures (e.g., safety system logic & control (SSLC) unit, fault tolerant controller (NSSS), local "field unit" for multiplexer (MUX) system, MUX controller (BOP), break in MUX line),
  - HSI equipment and processing failure (e.g., loss of VDUs, loss of data processing, loss of large overview display),
  - Transients (e.g., turbine trip, loss of offsite power, station blackout, loss of all feed water, loss of service water, loss of power to selected buses/CR power supplies, and SRV transients),
  - Accidents (e.g., main steam line break, positive reactivity addition, control rod insertion at power, control rod ejection, anticipated transient without scram (ATWS), and various-sized loss of coolant accidents (LOCAs)), and
  - Reactor shutdown and cooldown using remote shutdown system.
- HFE/HSI Design Topics
  - Alarm/annunciation, display, control and automation
  - Information processing and job aids
  - Communication
  - Procedures, training, staffing, and job design
3.4.2 Issue Analysis, Tracking, and Review
1. Analysis Content - The issues should be analyzed with regard to the identification of:
- Human performance issues, problems and sources of human error should be identified.
- Design elements which support and enhance human performance should be identified.
2. Documentation - The analysis of operating experience should be documented in an evaluation report.
3. Incorporation into the Tracking System - Each operating experience issue determined to be appropriate for incorporation to the design (but not already addressed in the design) should be documented in the HFE tracking system.
4. ELEMENT 3 - FUNCTIONAL REQUIREMENTS ANALYSIS AND ALLOCATION
4.1 Background
This element has two distinct review activities: functional requirements analysis and function allocation. Functional requirements analysis is the identification of those functions which must be performed to satisfy plant safety objectives, i.e., to prevent or mitigate the consequences of postulated accidents that could cause undue risk to the health and safety of the public. A functional requirements analysis is conducted to: (1) determine the objectives, performance requirements, and constraints of the design; (2) define the functions which must be accomplished to meet the objectives and required performance; (3) define the relationships between functions and plant processes (e.g., plant configurations or success paths) responsible for performing the function; and (4) provide a framework for understanding the role of controllers (whether personnel or system) for controlling plant processes.
Function allocation is the analysis of the requirements for plant control and the assignment of control functions to (1) personnel (e.g., manual control), (2) system elements (e.g., automatic control and passive, self-controlling phenomena), and (3) combinations of personnel and system elements (e.g., shared control and automatic systems with manual backup). Function allocation seeks to enhance overall plant reliability and safety by exploiting the strengths of personnel and system elements including improvements that can be achieved through the assignment of control to these elements with overlapping and redundant responsibilities. Function allocation should be based upon HFE principles using a structured and well-documented methodology that seeks to provide personnel with logical, coherent, and meaningful tasks. It should not be based solely on technology considerations which allocate to plant personnel everything the designers cannot automate. Such an approach results in an ad hoc set of activities that is likely to negatively impact operator performance.
NRC review of function allocation is important to assuring plant safety. One of the major trends in advanced plant design is an increase in automation for those tasks traditionally performed by the operator. Increases in automation result in a shift of the operator's function from that of a direct manual controller to a supervisory controller and system monitor. This type of role change may be viewed as positive from a reliability standpoint, since the human operator is considered one of the more unpredictable components in the system. It is generally presumed that automation will enhance overall system reliability by removing or reducing the need for human action. However, problems arise when functions are automated based largely on the capability of available technology rather than consideration of the operator's performance as an integral component in the overall system. Bastl noted that "data from accident and significant event reports, together with a review of past and current design processes, reveal that plant designers often do not demonstrate the use of a systematic method for making the necessary series of critical decisions which allocate functions to men or machines, that is to establish the extent and role of automation" (Bastl et al., 1991).
Problems associated with human interaction with automated systems have been attributed to poor situation awareness (SA) (Kibble, 1988). Maintaining SA is difficult when the operator is largely removed from the control loop, i.e., shifting the operator's role from a manual controller to a supervisor and monitor (Wickens & Kessel, 1981; Ephrath & Young, 1981). With respect to automation in civil aviation, Sexton observed that if "decisions are automatically made without providing the rationale to the pilot, the ability to stay ahead of the aircraft is lost. Complacency and inability to take timely and proper action result" (Sexton, 1988). Increases in automation have frequently been associated with loss of operator vigilance and SA resulting in an increase in vigilance-associated human errors (Warm & Parasuraman, 1987). In addition, new types of human errors emerge related to the set-up, monitoring and interaction with the automated system (Wiener & Curry, 1980).
Automation has been associated with other effects on personnel performance as well, such as a shift from high physical to high cognitive workload (rather than the expected reduction in overall workload), workload transition difficulties (i.e., going from a low activity monitoring period to a highly active but more uncertain time at the beginning of a process disturbance), and the potential erosion of the skills to perform the task in the event of automated system failure. Since many advanced NPP designs still require the operator to assume control under certain circumstances and to act as the last line of defense, the consequences of poor integration of the operator in the plant design can be quite serious.
Passive systems rely on natural forces such as gravity instead of mechanical forces such as pumps to perform their functions. From the perspective of the role of plant personnel, passive systems can be considered a special form of automation because initiation and control of these functions often does not require personnel actions. As with other automatic systems, personnel may be responsible for monitoring the availability and operational status of the passive system. However, due to the passive nature of the phenomena being monitored special burdens may be placed on plant personnel. In addition, activation of a passive system may have important consequences to plant availability or productivity goals, thus the role of personnel may include decisions and actions to prevent or delay the activation of the passive system. These decisions and actions should be addressed in the function analysis.
For many plant designs, the functional requirements and allocations of a new design may be based largely on a predecessor design. Many functional requirements and function allocations of the new plant may be the same as the predecessor. This reflects the evolutionary nature of technology development especially when applied to complex, high reliability systems. In such cases, OER becomes an essential component to functional requirements and allocation technical basis and rationale. The HFE PRM review methodology accommodates the review of advanced plant designs that are closely linked to predecessor designs as well as advanced plant designs that are more revolutionary.
Figure 4.1 presents an overview of the functional requirements analysis and function allocation issues and activities. Figure 4.1 indicates that both the nature of the function and the way that it is allocated to personnel and system elements can be considered "modified" with respect to comparisons to predecessor plants.
4.2 Objective
The objective of this review is to assure that the applicant has defined the plant's safety functional requirements and that the function allocations take advantage of human strengths and avoid allocating functions which would be negatively impacted by human limitations.
4.3 Applicant Submittals
The applicant should provide the following documents for staff review: Implementation Plan, Analysis Results Report, and HFE Design Team Evaluation Report. For a description of these submittals see Section 1.4.4.
[Figure 4.1 Function Analysis and Allocation (The numbers in the boxes are identification numbers referenced in the Element 3 criteria). Box labels: 1. Define Functions and Processes for New & Predecessor Designs; 2. Compare Functions and Processes of the New & Predecessor Designs (Unchanged Processes; Modified Processes); 3. Describe the Technical Basis for Modified Processes; 4. Perform Functional Requirements Analysis; 5. Identify Whether Control Function Allocation is the Same as Predecessor (Unchanged Allocations; Modified Allocations); Perform Function Allocation Analysis; 7. Evaluate Operating Experience Review (OER) (No OER issues; OER issues; Justify No Change in Processes or Allocation); 8. Evaluate Operator Role (Evaluate Impact of New Allocations on Unchanged Allocations); 9. Document Results.]
4.4 Review Criteria
4.4.1 General Criteria
1. Function requirements analysis and allocation should be performed using a structured, documented process reflecting HFE principles.
2. The applicant's analysis should be performed using the following documents as guidance:
- IAEA-TECDOC-668: The role of automation and humans in nuclear power plants, 1992, (International Atomic Energy Agency - International Working Group on NPP Control and Instrumentation).
- NUREG/CR-2623: The allocation of functions in man-machine systems: A perspective and literature review, 1982, (U.S. NRC - Price, H., et al.).
- NUREG/CR-3331: A methodology for allocation of nuclear power plant control functions to human and automated control, 1983, (U.S. NRC - Pulliam, R., et al.).
- IEC 964: Design for control rooms of nuclear power plants, 1989, (Bureau Central de la Commission Electrotechnique Internationale).
- MIL-H-46855B: Human engineering requirements for military systems, equipment and facilities, 1979, (Department of Defense).
- AD/A223168: Systems engineering management guide, 1990, (Department of Defense - Defense Systems Management College - Kockler, F. et al.).
4.4.2 Functional Requirements Analysis
1. Safety-related functions (as discussed in the introduction to 10 CFR 50, Appendix B), e.g., reactivity control, should be defined. These include functions required to prevent or mitigate the consequences of postulated accidents that could cause undue risk to the health and safety of the public. For each safety-related function, the set of plant processes (plant system configurations or success paths) that are responsible for or capable of carrying out the function should be clearly defined. (See box 1 of Figure 4.1)
2. Safety-related functions and processes of the new plant should be compared to the predecessor plant, if any, to document functions and processes that are (1) new, (2) changed, and (3) deleted. These should be referred to as the "modified" processes. Safety-related processes that have not been modified should be documented as unchanged. (See box 2 of Figure 4.1)
3. The technical basis for modified processes should be documented (e.g., rationale for a passive cooling system). (See box 3 of Figure 4.1)
4. A summary description should be provided for each plant process (unchanged or modified) which includes:
- Purpose of the process
- Conditions that indicate that the process is required
- Parameters that indicate that the process is available
- Parameters that indicate the process is operating (e.g., flow indication)
- Parameters that indicate the process is achieving its purpose (e.g., reactor vessel level returning to normal)
- Parameters that indicate that operation of the process can or should be terminated.
Note that parameters may be described qualitatively (e.g., high or low). Specific data values or setpoints are not necessary at this stage.
5. Safety functions should be described initially in graphic form, e.g., functional flow block diagrams. Function diagramming should be done at several levels, starting at "top level" functions where a very general picture of major functions is described, and continuing to the plant process level and to lower levels until a specific critical end-item requirement will emerge, e.g., a piece of equipment, software, or an operator. The functional decomposition should address the following levels (See box 4 of Figure 4.1):
- High-level functions (e.g., maintain RCS integrity) and critical safety functions (e.g., maintain RCS pressure control)
- Individual plant processes
- Specific plant systems and components.
6. Detailed narrative descriptions should be developed for each of the identified modified processes and for their relationship to the overall plant configuration design. Information provided in the summary description for criterion 4 above should be described in greater detail.
7. The function analysis should be kept current over the life cycle of design development and held until decommissioning so that it can be used for design when modifications are considered.
8. Verify that:
- All the processes necessary for the achievement of safe operation are identified.
- All requirements of each process are identified.
4.4.3 Function Allocation Analysis
1. Processes that were identified as unchanged should be reviewed to determine (1) those for which the control function allocation between personnel and system elements is unchanged and (2) those for which the function allocation has changed (e.g., through the increased use of automation). This latter group should be described as having "modified" function allocations. (See box 5 of Figure 4.1) The level of automation should be briefly described (e.g., fully automatic, fully manual, automatic with manual backup) for each unchanged function with unchanged allocation.
2. Unchanged processes that have modified function allocations should be analyzed in terms of resulting human performance requirements based on the expected user population. A rationale for the resulting allocation should be provided. This analysis should reflect, as much as possible at this stage of design, (1) sensitivity, precision, time, and safety requirements, (2) required reliability, and (3) the number and level of skills of personnel required to operate and maintain the system. (See box 6 of Figure 4.1)
3. Modified processes (identified in Element 3) should also be analyzed in terms of resulting human performance requirements based on the expected user population. A rationale for the resulting allocation should be provided. This analysis should also reflect, as much as possible at this stage of design, (1) sensitivity, precision, time, and safety requirements, (2) required reliability, and (3) the number and level of skills of personnel required to operate and maintain the system. (See box 6 of Figure 4.1)
4. The allocation criteria, rationale, analyses, and rules used in the analysis of function allocation should be documented. (See box 6 of Figure 4.1)
5. The results of analyses and trade-off studies should support the adequate configurations of personnel- and system-performed control functions. Analyses should confirm that the personnel element can properly perform tasks allocated to them while maintaining operator situation awareness, workload, and vigilance. Proposed function assignment should take the maximum advantage of the capabilities of human and machine without imposing unfavorable requirements on either. (See box 6 of Figure 4.1)
6. The OER should be used to address the case of modified processes. Problematic OER issues should be considered during the function allocation analyses for modified functions. (See box 6 of Figure 4.1)
7. OER should be used to address the case of unchanged functions that have unchanged control function allocations. If problematic OER issues are identified then an analysis should be performed to: (1) justify the original analysis of the function, (2) justify the original human-machine allocation, and (3) identify solutions such as training, personnel selection, and procedure design that will be implemented to address the OER issues. (See box 7 of Figure 4.1)
8. All function allocations should be reviewed to evaluate the effect of new control function allocations on unchanged control function allocations. (See box 8 of Figure 4.1)
9. Control functions should be re-allocated in an iterative manner, in response to developing design specifics, operating experience, and the outcomes of on-going analyses and trade studies.
10. The technical basis upon which the control function allocation analysis was performed should be documented. (See box 9 of Figure 4.1)
5. ELEMENT 4 - TASK ANALYSIS
5.1 Background
Task analysis is the evaluation of the performance demands on plant personnel to identify the task requirements for accomplishing the functions allocated to them (Drury et al., 1987). It is a very important activity since it defines the HSI requirements for supporting personnel task accomplishment (and by exclusion, what is not needed in the HSI). Personnel perform tasks to accomplish their functional responsibilities. While there is no precise definition of a task with respect to the level of abstraction, a task is a group of related activities that have a common objective or goal. The results of task analysis are identified as inputs in many of the HFE PRM elements. For example, task analysis also forms the basis for:
- Evaluating function allocations, i.e., for examining the capability for plant personnel to accomplish tasks assigned to them,
- Providing a basis for staffing and job design,
- Providing detailed task requirements to support detailed procedure development,
- Identifying training requirements, and
- Defining Task Support Verification requirements for the HFE PRM Element 10, V&V review.
5.2 Objective
The objective of this review is to assure that the applicant's task analysis identifies the behavioral requirements of the tasks the personnel subsystem is required to perform. The task analysis should:
- Provide one of the bases for making design decisions; e.g., determining before hardware fabrication, to the extent practicable, whether system performance requirements can be met by combinations of anticipated equipment, software, and personnel,
- Assure that human performance requirements do not exceed human capabilities,
- Be used as basic input for developing procedures,
- Be used as basic information for developing manning, skill, training, and communication requirements of the plant, and
- Form the basis for specifying the requirements for the displays, data processing and controls needed to carry out tasks.
5.3 Applicant Submittals
The applicant should provide the following documents for staff review: Implementation Plan, Analysis Results Report, and HFE Design Team Evaluation Report. For a description of these submittals see Section 1.4.4.
5.4 Review Criteria
1. The scope of the task analysis should include selected representative and important tasks from the areas of: operations, maintenance, test, inspection, and surveillance. The analyses should be directed to the full range of plant operating modes, including start-up, normal operations, abnormal and emergency operations, transient conditions, low power and shutdown conditions. The analyses should include tasks performed in facilities applicable to the HFE program (as defined in Element 1). The scope may include tasks identified during staff review.
2. Tasks should be linked using a technique such as operational sequence diagrams. A review of the descriptions and operational sequence diagrams should identify which tasks can be considered "critical" in terms of importance for function achievement, potential for human error, and impact of task failure. Human actions which are found to affect plant risk via PRA importance and sensitivity analyses should also be considered "critical." All critical tasks shall have specific task analyses performed for them. The determination of PRA critical human actions should consider internal and external initiating events, and actions affecting the PRA Level I and II analyses (see Element 6 for an explanation of PRA analyses). Where critical functions are automated, the analyses should consider all human tasks including monitoring of the automated system and execution of back-up actions if the system fails.
3. Task analysis should begin on a gross level and involve the development of detailed narrative descriptions of what personnel must do. Task analyses should define the nature of the input, process, and output required by and of personnel. Detailed task descriptions should address (as appropriate):
- Information Gathering
  - Information required (parameters, units, precision, accuracy)
  - Information source (alarm, displays, verbal communication, etc.)
- Decision Making Requirements
  - Description of the decisions to be made (relative, absolute, probabilistic)
  - Evaluations to be performed
  - Decisions that are probable based on the evaluation (opportunities for cognitive errors, such as capture error, will be identified and carefully analyzed)
- Response Requirements
  - Action to be taken
  - Overlap of task requirements (serial vs. parallel task elements)
  - Frequency
  - Time available for operator response based upon plant response characteristics
  - Temporal constraints (task ordering)
  - Tolerance/accuracy
  - Operational limits of personnel performance
  - Operational limits of machine and software
  - Body movements required by action taken
- Feedback Requirements
  - Feedback required to indicate adequacy of actions taken
- Workload
  - Cognitive
  - Physical
  - Estimation of difficulty level
- Task Support Requirements
  - Special/protective clothing
  - Job aids or reference materials required
  - Tools and equipment required
  - Computer processing support aids
- Workplace Factors
  - Workspace envelope required by action taken
  - Work environment (e.g., lighting, heat, noise, and radiation)
  - Workspace location
- Staffing and Communication Requirements
  - Number of personnel, their technical specialty, and specific skills
  - Communications required, including type
  - Personnel interaction when more than one person is involved
- Hazard Identification
  - Identification of hazards involved
4. The task analysis should be iterative and become progressively more detailed over the design cycle. The task analysis should be detailed enough to identify information and control requirements to enable specification of detailed requirements for alarms, displays, data processing, and controls for human task accomplishment.
5. The task analysis should incorporate job design issues such as:
- The number of crew members
- Crew member skills
- Allocation of monitoring and control tasks to the (1) formation of a meaningful job, and (2) management of crew member's physical and cognitive workload.
6. The task analysis results should be used to define a minimum inventory of alarms, displays, and controls necessary to perform crew tasks based upon both task and instrumentation and control (I&C) requirements.
7. The task analysis results should provide input to the HSI design, procedure development, and personnel training programs.
8. The effort should be performed using the following documents as guidance:
- NUREG/CR-3371: Task analysis of nuclear power plant control room crews, 1983, (U.S. Nuclear Regulatory Commission - Burgy, D. et al.).
- IEC 964: Design for control rooms of nuclear power plants, 1989 (Bureau Central de la Commission Electrotechnique Internationale).
- DI-H-7055: Critical task analysis report, 1979, (Department of Defense).
- MIL-STD-1478: Task performance analysis, 1991, (Department of Defense).
Draft PRM Uanuary 25,1994)
Page 29 1
6. ELEMENT 5 - STAFFING

6.1 Background

Plant staffing is an important consideration throughout the design process. Initial staffing levels may be established as design goals early in the design process based on experience with previous plants, customer requirements, initial analyses, and government regulations. However, staffing goals and assumptions should be examined for acceptability as the design of the plant proceeds. Other elements of the HSI design process provide information with which staffing levels can be evaluated and modified, as appropriate.

6.2 Objective

The objective of this review is to ensure that the applicant has analyzed the requirements for the number and qualifications of personnel assigned to the HSI in a systematic manner that includes a thorough understanding of operator task requirements and applicable regulatory requirements.

6.3 Applicant Submittals

The applicant should provide the following documents for staff review: Implementation Plan, Analysis Results Report, and HFE Design Team Evaluation Report. For a description of these submittals see Section 1.4.4.

6.4 Review Criteria

1. The staffing analysis should determine the number and background of operators required during the full range of plant conditions and tasks including operational tasks (normal, abnormal and emergency), plant maintenance, and plant surveillance/testing.

2. Staffing levels should be based on an analysis of:
- Initial HSI staffing goals and their bases including staffing levels of predecessor systems and a description of significant similarities and differences between predecessor and current system,
- Required actions determined from the task analysis,
- Availability of operators given other activities that may be ongoing,
- The physical configuration of the control room and control consoles,
- The availability of plant information from individual operators workstations from individual and group view HSI interfaces,
- Required interaction between operators for diagnosis, planning, and control activities.
- Regulatory requirements: Staffing requirements described in Section 13.1.2-13.1.3, Operating Organization, of NUREG-0800 and 10CFR50.54.

3. The staffing analysis should be iterative, i.e., initial staffing goals should be reviewed and modified as the analyses associated with other HFE PRM elements are completed.

4. The staffing analysis should consider the issues associated with the following HFE PRM elements and then compare these issues to staffing assumptions regarding the number and qualifications of operations personnel. The basis for staffing should be modified to address these issues:

Operating Experience Review
- Operational problems and strengths that resulted from staffing levels in predecessor systems.

Function Analysis and Allocation
- Mismatches between functions allocated to the operator and the qualifications of anticipated operators.

Task Analysis
- The knowledge, skills, and abilities required for operator tasks addressed by the task analysis.
- Requirements for operator response time and workload.
- Requirements for operator communication and coordination.
- The job requirements that result from the sum of all tasks allocated to each individual operator.

Human Reliability Assessment
- The effect of overall staffing levels upon plant safety and reliability
- The effect of overall staffing levels and the coordination of individual operator roles on critical human actions
- The effect of overall staffing levels and the coordination of individual operator roles on human errors associated with the use of advanced technology

HSI Design
- Staffing demands resulting from the locations and use (especially concurrent use) of controls and displays.
- The requirements for coordinated actions between individual operators.

Procedures
- Staffing demands resulting from requirements for concurrent use of multiple procedures.
- Skills, knowledge, abilities, and authority required of operators by the procedures.

Training
- Crew coordination concerns that are identified during the development of training.

Verification and Validation
- Ability of minimum size operating crew to control plant during validation scenarios.
- Ability of operators to effectively communicate and coordinate actions during all validation scenarios.
- Ability of operators to maintain awareness of plant conditions and operator actions throughout all validation scenarios.

5. The applicant's staffing analysis should be conducted using the following documents as guidance:
- 10CFR50.54: U.S. Code of Federal Regulations, "Domestic Licensing of Production and Utilization Facilities," Part 50, Title 10, "Energy."
- NUREG-0800, Standard Review Plan, Rev. 1, Sections 13.1.2-13.1.3. USNRC, Washington, DC, 1984.
- Reg Guide 1.114: Guidance on being operator at the controls of a nuclear power plant

7. ELEMENT 6 - HUMAN RELIABILITY ANALYSIS

7.1 Background

Human Reliability Analysis (HRA) seeks to evaluate the potential for and mechanisms of human error that may affect plant safety. Thus, it is an essential element in the achievement of the HFE design goal of providing operator interfaces that will minimize operator error and will provide for error detection and recovery capability. HRA has quantitative and qualitative aspects, both of which are useful for HFE purposes. HRA should be conducted as an integrated activity in support of both HFE/HSI design activities and probabilistic risk assessment (PRA) activities. The PRA/HRA should be initially performed early in the design process to provide design insights and guidance both for systems' design and for HFE purposes. The quality of the HRA depends in large part on the analyst's understanding of personnel tasks, the information related to those tasks, and the factors which influence human performance of those tasks. As a result, the HRA could be performed iteratively as the design progresses. At the very least, the initial PRA/HRA should be finalized when the plant design and HFE is complete. Figure 7.1 illustrates the relationship between the PRA/HRA and the rest of the HFE program, including the concept of an initial PRA/HRA and then a final one at completion of design. The discussions in the remainder of this HRA element will have to be judgementally applied in appropriate portions to the earliest PRA/HRA (depending on the amount of design information that is available) and applied in full to the final PRA/HRA.

The development of information to facilitate the understanding of causes and modes of human error is an important human factors activity. The HRA analyses should make use of descriptions and analyses of operator functions and tasks as well as the operational characteristics of HSI components. HRA can provide valuable insight into desirable characteristics of the HSI design. Consequently the HFE HSI design effort should provide special attention to those plant scenarios, critical human actions, and HSI components that have been identified by HRA/PRA analyses as being critical to plant safety and reliability.

While there are many different approaches to the conduct of HRA, there are several analysis components which are necessary for an acceptable HRA. These include:
- Multidisciplinary team to analyze human actions within the context of the PRA,
- Availability of information related to those factors which affect human performance such as task analyses, procedures, and HSI design details,
- Detailed analyses of human actions with an emphasis on human error mechanisms,
- Availability of appropriate sources of human error data for the types of human actions that are modelled,
- Sensitivity and uncertainty analyses to evaluate human error probability estimates,
- Integration of PRA and HRA activities into plant design activities, and
- Thorough documentation of the HRA process.

Thus, there are important interfaces between the HFE program and risk analyses. The objective and criteria associated with this element are intended to ensure the acceptability of this activity.

7.2 Objective

The objectives of this review are to assure that:
- The applicant has analyzed the potential effects of human error on plant safety and reliability in a manner that is consistent with current, accepted principles and practices of HFE and HRA/PRA and has identified human actions that are important to plant risk.
- The applicant has addressed human error mechanisms in the design of the plant HFE, i.e., the HSIs, procedures, shift staffing, and training in order to minimize the likelihood of personnel error and to provide for error detection and recovery capability.
- The HRA activity effectively integrates the HFE program activities and PRA/risk analysis activities.

[Figure 7.1 The Role of HRA in the HFE Program. Diagram boxes: Key Plant & Systems Design Activities; Non HFE Activities; Emergency Procedure/Response Guidelines; PRA; Element 3 Function Analysis & Allocation; Element 4 Task Analysis; Element 6; Element 7 Interface Design; Element 8 Procedure Development; Element 9 Training Development; Element 10 Verification & Validation. Flow labels: Critical Actions & Errors; Detailed Task Requirements; Validation of Performance Assumptions; Performance Shaping Factors; HSIs to Review.]

7.3 Applicant Submittals

The applicant should provide the following documents for staff review: Implementation Plan and HFE Design Team Evaluation Report. For a description of these submittals see Section 1.4.4.

The reviewers should also review a PRA/HRA Report and an Analysis Results Report that documents the integration of the HRA with the HFE design as described in this element.

7.4 Review Criteria

7.4.1 HRA Methodology

1. The analysis should meet all applicable 10 CFR regulatory requirements, e.g., 10 CFR 50.34(f)(1)(i).

2. In addition to the HFE design team skills identified in Element 1, additional skills should be included to support the HRA analysis:
- HRA analysis methods and HEP quantification techniques,
- Plant and system PRA models.

3. The HRA analysis should follow a structured, systematic process to ensure that human reliability issues are addressed consistently and to facilitate reporting and review of results. The HRA process should address the following topic areas: select and train the team, familiarize the team with plant, build initial plant model, screen human interactions, quantify human interactions, update plant model, and review results.

4. A thorough HRA documentation system should be established including a description of the analyses, an audit trail for each analysis performed and each human error probability (HEP) derived, supporting rationale, and source materials. The documentation system should be structured to reflect the structure of the HRA process such that the outcomes of the various steps of the process are identified.

5. HRA analyses should minimally be performed early in the design effort as an input to the HFE program and again when the detailed design is available to better assess the influences of detailed task requirements and performance shaping factors (PSFs).

6. Human actions should be adequately modelled in the PRA event and fault trees to support a determination of risk-significant human actions. The PRA/HRA should address a broad diversity of human interactions with the plant systems and components, for example:
- Pre-accident and during accident actions,
- Errors of omission and commission,
- Miscalibration and component restoration errors, and
- Recovery actions

Events and HSI components identified as problematic by the OER and operator functions that were identified as new or modified by the function analysis should be considered for inclusion in the HRA.

7. The analysis of human actions should include the identification of PSFs, i.e., factors that influence human reliability through their effects on performance. PSFs include factors such as environmental conditions, HSI design, procedures, training, and supervision. The considerations should include the influences of the advanced technologies such as system automation, decision aids, and artificial intelligence upon human performance.

8. Screening analyses should be used to identify human actions that are important to plant risk and safety for more detailed analyses.

9. Human-system analyses should be used to provide an understanding of task requirements including (a) demands placed on plant personnel, (b) interfaces with plant equipment, and (c) time constraints within which critical tasks must be accomplished. Within the constraints associated with the timing of the HRA, information source materials used for defining and analyzing operator tasks should at a minimum include (1) descriptions and analyses of operator tasks developed during the task analysis (Element 4), (2) emergency procedure guidelines and plant procedures (Element 8), and (3) descriptions and analyses of HSI design characteristics (Element 7). Materials such as procedural guidance and control room design information should be used by the HRA team to provide an understanding of human involvement in controlling the plant.

10. Human error quantification, including quantification methods (such as THERP), performance models (such as action dependency), human error data sources (such as NUCLARR), and PSFs should be specifically identified and selected based upon their appropriateness to the types of actions being analyzed. When data from PRAs, performed for other plants, are to be used in the HRA, a rationale should be provided to justify its use including any modifications of these data.

11. Due to the inherent uncertainty of numerical estimation, sensitivity and uncertainty analyses should be performed.

12. The HRA should be conducted using the following documents as guidance:
- 10 CFR 50.34(f)(1)(i): U.S. Code of Federal Regulations, "Domestic Licensing of Production and Utilization Facilities," Part 50, Title 10, "Energy."
- NUREG/CR-1278: Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Applications - Final Report, 1983 (Swain and Guttmann).
- NUREG/CR-2300: PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants, 1983, (U.S. Nuclear Regulatory Commission - IEEE).
- NUREG/CR-2815: Probabilistic Safety Analysis Procedures Guide, 1985.
- NUREG/CR-3485: PRA Review Manual, 1985, (El-Bassioni et al.).
- NUREG/CR-3518: SLIM-MAUD: An approach to Assessing Human Error Probabilities Using Structured Expert Judgement, 1984, (Embrey et al.).
- NUREG/CR-4016: Application of SLIM-MAUD: A Test of an Interactive Computer-Based Method for Organizing Expert Assessment of Human Performance and Reliability, 1985, (Rose et al.).
- NUREG/CR-4772, Accident Sequence Evaluation Program Human Reliability Analysis Procedure. USNRC, Washington, DC, February 1987.
- EPRI NP-3583: Systematic Human Action Reliability Procedure (SHARP), 1984, (Hannaman and Spurgin).
- Human Reliability Analysis: A Systems Engineering Approach with Nuclear Power Plant Applications, 1988, (Dougherty et al.).

7.4.2 Integration of HRA with HFE Design

1. Critical human actions should be identified from the PRA/HRA and used as input to the HFE design effort. These critical actions should be developed from the Level 1 (core damage) PRA and Level 2 (release from containment) PRA including both internal and external events. They should be developed using selected (more than one) importance measures and HRA sensitivity analyses in order to ensure that an important action is not overlooked due to the selection of the measure or the use of a particular assumption in the analysis.

2. The details of human performance of critical human actions and their associated tasks and scenarios identified through the initial PRA/HRA should be specifically addressed during Element 4 - Task Analysis. This will help ensure that these tasks are within acceptable human performance capabilities, e.g., within time and workload requirements.

3. Critical human actions that are identified via PRA/HRA as posing serious challenges to plant reliability and safety should be re-examined by function analysis, task analysis, HSI design, or procedure development to either change the operator task or the control and display environment to reduce or eliminate undesirable sources of error.

4. The use of PRA/HRA results by the HFE design team should be specifically addressed; i.e., how critical personnel tasks are addressed (through HSI design, procedural development, and training) by the HFE program to minimize the likelihood of operator error and provide for error detection and recovery capability.

5. HRA assumptions such as decision-making and diagnosis strategies for dominant sequences should be validated via walk-through analyses with personnel with operational experience using a plant-specific control room mockup, prototype, or simulator. Reviews should be conducted prior to the final quantification stage of the PRA (as per item 5 of 7.4.1 above).
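
The screening called for in item 1 of 7.4.2, as an added example that is not part of the report: human actions in a small cut-set model are ranked by two importance measures and the screen is repeated with all HEPs scaled, so that an action missed by one measure or one assumption is still selected. The report names no specific measures; the choice of Fussell-Vesely (FV) and Risk Achievement Worth (RAW), and all event names, probabilities, thresholds and scaling factors, are assumptions constructed for illustration.

```python
"""Screen human actions with two importance measures plus HEP sensitivity cases.
Every event, probability, cut set and threshold below is constructed."""
from math import prod

# Basic event probabilities. Names starting with "OP-" are human actions and
# their values are human error probabilities (HEPs).
EVENTS = {
    "IE-LOOP": 1e-2,        # initiating event frequency (per year)
    "DG-A": 5e-2, "DG-B": 5e-2,
    "PUMP-A": 1e-2,
    "VALVE-C": 5e-3, "VALVE-D": 1e-3,
    "OP-ALIGN-XTIE": 5e-1,  # difficult, error-prone action
    "OP-START-PUMP": 2e-2,
    "OP-ISOLATE": 1e-4,     # very reliable action
    "OP-RESTORE": 5e-3,
}

# Minimal cut sets of the constructed Level 1 (core damage) model.
CUT_SETS = [
    ("IE-LOOP", "DG-A", "DG-B", "OP-ALIGN-XTIE"),
    ("IE-LOOP", "PUMP-A", "OP-START-PUMP"),
    ("IE-LOOP", "VALVE-C", "OP-ISOLATE"),
    ("IE-LOOP", "DG-A", "PUMP-A"),
    ("IE-LOOP", "VALVE-D", "OP-RESTORE"),
]

FV_MIN = 0.005   # assumed screening threshold for Fussell-Vesely
RAW_MIN = 2.0    # assumed screening threshold for Risk Achievement Worth


def is_human(name):
    return name.startswith("OP-")


def risk(probs):
    """Core damage frequency by the rare-event approximation (sum of cut sets)."""
    return sum(prod(probs[e] for e in cs) for cs in CUT_SETS)


def importance(probs):
    """Return {action: (FV, RAW)} for every human action in the model."""
    base = risk(probs)
    result = {}
    for name in filter(is_human, probs):
        # FV: fraction of total risk carried by cut sets containing the action.
        containing = sum(prod(probs[e] for e in cs) for cs in CUT_SETS if name in cs)
        # RAW: factor by which risk rises if the action is assumed to fail.
        failed = risk({**probs, name: 1.0})
        result[name] = (containing / base, failed / base)
    return result


def screen(probs):
    """Return the sets of actions selected by FV and by RAW."""
    imp = importance(probs)
    by_fv = {a for a, (fv, _) in imp.items() if fv >= FV_MIN}
    by_raw = {a for a, (_, raw) in imp.items() if raw >= RAW_MIN}
    return by_fv, by_raw


def scale_heps(probs, factor):
    """Sensitivity case: multiply every HEP by factor, capped at 1.0."""
    return {e: min(1.0, p * factor) if is_human(e) else p for e, p in probs.items()}


def critical_actions(probs, factors=(0.1, 1.0, 10.0)):
    """Union of actions selected by either measure in any sensitivity case."""
    selected = set()
    for factor in factors:
        by_fv, by_raw = screen(scale_heps(probs, factor))
        selected |= by_fv | by_raw
    return selected


if __name__ == "__main__":
    for action, (fv, raw) in sorted(importance(EVENTS).items()):
        print(f"{action:15s} FV={fv:.4f} RAW={raw:.2f}")
    print("FV only :", sorted(screen(EVENTS)[0]))
    print("RAW only:", sorted(screen(EVENTS)[1]))
    print("Combined with sensitivity:", sorted(critical_actions(EVENTS)))
```

In this constructed model FV alone misses the reliable action OP-ISOLATE, RAW alone misses the error-prone OP-ALIGN-XTIE, and OP-RESTORE is selected only when the HEPs are scaled up.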

8. ELEMENT 7 - HUMAN-SYSTEM INTERFACE DESIGN

8.1 Background

The HSI design represents the translation of function and task requirements to the alarms, displays, controls, and task support aids that are available to the crew. The selection of available HSIs and the design of new HSIs should be the result of a process which considers function/task requirements, operational considerations (e.g., the full-mission context within which the HSI will be used), and the crew's safety and comfort. The HSI should be designed using a structured methodology. The methodology should guide designers in the identification of what information and controls are required, the identification and selection of candidate HSI approaches, and final design of HSIs. It should include the development and use of HFE guidelines and standards and how to resolve conflicts in guidance that arise. It should also address the use of analysis and evaluation methodologies for dealing with design issues. The availability of an HSI design methodology will help ensure standardization and consistency in the application of HFE principles. Issues related to the detailed design of HSI subsystems should be resolved at this point rather than at V&V. For example, considerations as to acceptable display formats or alarm system processing should be resolved during the Element 7 activities and reviewed rather than deferring them to V&V at which point making modifications to the design is significantly more difficult.

8.2 Objective

The objective of this review is to evaluate the process by which HSI design requirements are developed and HSI designs are selected and refined. The review should assure that the applicant has appropriately translated function and task requirements to the displays and controls that are available to the crew. The applicant should have systematically applied HFE principles and criteria (along with all other function/system/task design requirements) to the identification of HSI requirements, the selection and design of HSIs, and the resolution of HFE/HSI design problems and issues. The process and the rationale for the HSI design (including the results of trade-off studies, other types of analyses/evaluations, and the rationale for selection of design/evaluation tools) should be documented for review.

8.3 Applicant Submittals

The applicant should provide the following documents for staff review: Implementation Plan, Analysis Results Report, and HFE Design Team Evaluation Report. For a description of these submittals see Section 1.4.4.

Other design related HSI documents should be reviewed such as applicant developed guidance documents and detailed trade study, technology assessments, or tests/experiment reports developed to support the HSI design. In addition, a variety of mockups, prototypes, or similar physical representations of the HSI design may be available for preliminary review of the design implementation.

8.4 Review Criteria

1. The scope of the HSI design should include:
- The overall work environment
- Work space layout (e.g., control room or remote shutdown facility layout)
- Control panel and console design
- Control and display device layout
- Information and control interface design details, such as graphic display formats, symbols, dialog design, input methods, etc.

2. The HSI should be designed using a structured methodology. The methodology should guide designers in:
- Identification of the information and controls that are required,
- Specification of range accuracy, precision, and measurement units for the display and controls,
- Selection of candidate HSI approaches,
- Final design of HSIs, and
- Use of analysis and evaluation methodologies for dealing with design issues.

The procedure should be structured in a way that will facilitate its use by designers. The availability of an HSI design methodology will help ensure standardization and consistency in the systematic application of HFE principles.

3. The HSI design process should include the development and use of HFE guidelines and standards and how to resolve conflicts in guidance that arise. Generic HFE guidance documents should be tailored to the applicant's specific design and documented in a guidance or specification document. Information on how to use the guidance should be available to members of the design team. Design features in contradiction of HFE guidance should be supported by a documented rationale.

4. Design problems, issues and areas not well defined by guidelines should be analyzed. The applicant may use many means to resolve these issues including trade studies, literature-based evaluations, demonstrated operational experience, and tests/experiments. For example,
- Mockups and models may be used to resolve access, workspace and related HFE problems and incorporate these solutions into system design
- Dynamic simulation and HSI prototypes should be considered for use to evaluate design details of equipment requiring critical human performance or equipment not adequately addressed by guidelines.

5. The selection of available HSIs and the design of new HSIs should be the result of a process which considers function/task requirements, operational considerations (e.g., the full-mission context within which the HSI will be used), and the crew's safety and comfort (in order to support crew performance). Thus for example, if touch screen devices are utilized at the crew's primary monitoring and control console, the applicant should consider the strengths and limitations of such an approach in comparison to other possible computer input device options. These considerations should include the use of the HSIs over the duration of a shift and under extreme but credible conditions. The review of non-CR HSIs, such as LCSs, should address constraints imposed by the environment (e.g., noise, temperature, contamination) and by protective clothing.

6. A technical basis should be provided for the HSI elements of the specific design such as large screen overview displays and special display or control devices.

7. The working environment should be adequate for the human performance requirements.

8. The HSI design should accommodate human performance in plausible scenarios that may result in reduced visibility and ventilation, as well as CR evacuation. That is, the HSI should be capable of supporting operations under the worst credible environmental conditions.

9. The HSI design should minimize the imposition of secondary tasks associated with interface management, such as navigation, which distract the operator from the primary task of process monitoring, decision-making, and control.

10. HSI design elements should be evaluated in an ongoing fashion to assure their acceptability for task performance and their conformance to HFE criteria, standards, and guidelines. Special attention should be given to those HSIs that are unique or safety related. This should be done to assure that poor design solutions do not remain undetected until final V&V, at which time design changes become more difficult.

11. The rationale for the HSI design (including the results of trade-off studies, other types of analyses/evaluations, and the rationale for selection of design/evaluation tools) should be documented and available for review.

12. The design configuration should satisfy the functional requirements as identified by function analysis, task analysis, and I&C inventories as well as other technical design requirements. The HSI should include all HSIs required for the completion of crew tasks and should be free of information, controls, etc. which are not required for the accomplishment of any task. This includes individual display and control devices as well as non-functional decorative details such as on graphical displays (e.g., the use of three-dimensional histograms to display two-dimensional relationships).

13. The applicant's HSI design should be developed using the following documents as guidance:
- Reg Guide 1.22: Periodic testing of protection system actuation functions
- Reg Guide 1.47: Bypassed and inoperable status indication for NPP safety systems
- Reg Guide 1.62: Manual Initiation of protective actions
- Reg Guide 1.81: Shared emergency and shutdown electrical systems for Multi-unit NPPs
- Reg Guide 1.97: Instrumentation for light-water-cooled nuclear power plants to assess plant and environmental conditions during and following an accident
- Reg Guide 1.108: Periodic testing of diesel generator units used as onsite electric power systems at NPPs
- Reg Guide 1.105: Instrumentation setpoints
- NUREG-0696: Functional criteria for emergency response facilities, 1980, (U.S. Nuclear Regulatory Commission).
- NUREG-0700: Guidelines for control room design reviews, 1981, (U.S. Nuclear Regulatory Commission).
- NUREG-0800: Standard review plan (Rev 1), 1984, (U.S. Nuclear Regulatory Commission).
- Draft NUREG/CR-5908: Advanced human-system interface design review guideline, 1992, (U.S. Nuclear Regulatory Commission - O'Hara, et al.).
- Draft NUREG/CR-6105: Human Factors engineering guidelines for the review of advanced alarm systems, 1993, (U.S. Nuclear Regulatory Commission - O'Hara, et al.).
- Draft NUREG/CR-6146: Local Control Stations: Human Engineering Issues and Insights, 1993 (U.S. Nuclear Regulatory Commission - Brown, et al.).
- EPRI-ALWR URD: Advanced Light Water Reactor Utility Requirements Document (URD) - Volume # ALWR Evolutionary Plant (Rev 4), 1992 (Electric Power Research Institute).
- EPRI NP-3659: Human factors guide for nuclear power plant control room development, 1984, (Electric Power Research Institute - Kinkade, R.G., and Anderson, J.).
- EPRI NP-3701: Computer-generated display system guidelines (Vols 1&2), 1984, (Electric Power Research Institute - Frey, R. et al.).
- EPRI NP-4350: Human engineering design guidelines for maintainability, 1985, (Electric Power Research Institute - Pack R., et al.).
- IEC 964: Design for control rooms of nuclear power plants, 1989, (Bureau Central de la Commission Electrotechnique Internationale).
- ANSI HFS-100: American national standard for human factors engineering of visual display terminal workstations, 1988, (American National Standards Institute).
- MIL-HDBK-759A: Human factors engineering design for army materiel, 1981, (Department of Defense).
- MIL-STD-1472D: Human engineering design criteria for military systems, equipment and facilities, 1989, (Department of Defense).
- DoD-HDBK-761A: Human engineering guidelines for management information systems, 1990, (Department of Defense).
- ESD-TR-86-278: Guidelines for designing user interface software, 1986, (Department of Defense).
i DRAFT FOR COMMENT 9.
ELEMENT 8 - PROCEDURE DEVELOPMENT
. t 9.1 11ackground While in the nuclear industry, procedure development has historically been considered the responsibility of individual utilities, the rationale for inclusion of a procedure development element in the HFE PRM is that procedures are considered an essential component of the HSI design and should be a derivative of the same design process and analyses as the other components of the HSI (e.g., displays, controls, operator aids) and subject to the same evaluation processes. In the current Ocet of plants, technically detailed, human-factored procedures were a post-TMI improvement to support safe operations. After TM1 the design organizations (NSSS vendors) developed Emergency Pmeedure Guidelines (EPGs) and then utilities produced emergency procedures based on the EPGs. Thus, procedure development programs were conducted by the individual utilities and have not been part of HS1 design activities, llowever, since procedures were developed after the plant HSI (e.g., CR) design, they were essentially retroStted to suit the existing interface. Further, since procedures were developed by individual utilities, there was great variation in their development and final implementation. As a result, human factors problems exist and identincation, access, interpretation, and validation of procedures remain problems in some plants (as indicated by the NRC EOP inspection series). In addition, inconsistencies between procedures and the HSI have been a source of difficulty for operators.
For new plant designs and advanced reactors, these problems should clearly be addressed and solved as part of the design process. To accomplish this objective, EPGs and,if possible, procedures should be developed as part of the same design process as the other components of the 11S1 to assure their ft.ilintegration as part of the HSI. The same human factors analyses, such as task analysis, should be used to guide control panel as well as procedure development. The same human factor principles should be applied to both aspects of the interface to assum complete integration and consistency. Further, procedures should be evaluated in conjunction with the HSI; i.e., procedures are a significant aspect of system verification and validation (Element 10).
9.2 Objective The objective of this review is to assure that the applicant's procedure development program will result in procedures that support and guide human interaction with plant systems and control plant-related events and activities. Iluman engineering principles and criteria should be applied along with all other design requirements to develop procedures that are technically accurate, comprehensive, explicit, easy to utilize, and validated.
9.3 Applicant Submittals The applicant should provide the following documents for staff review: Implementation Plan, Analysis Results Report, and HFE Design Team Evaluation Repon. For a description of these submittals see Section 1.4.4.
in addition, EPGs and draft procedures should be available for review.
9.4 Review Criteria
1. The scope of the procedures covered in the element is:
Plant & system operations (including start-up, power, and shutdown operations),
Abnormal & emergency operations,
Preoperational, start-up, and surveillance tests, and
Alarm response.
2. The basis for procedure development should include:
Plant design bases
System-based technical requirements and specifications
The task analyses results
Critical human actions identified in the HRA/PRA
Initiating events to be considered in the EOPs should include those events present in the design bases.
EPGs
3. A Writer's Guide should be developed to establish the process for developing technical procedures that are complete, accurate, consistent, and easy to understand and follow. The Guide should contain sufficiently objective criteria so that procedures developed in accordance with the Guide should be consistent in organization, style, and content. The Guide should be used for all procedures within the scope of this Element. The Writer's Guide should provide instructions for procedure content and format (including the writing of action steps and the specification of acceptable acronym lists and acceptable terms to be used).
4. The content of the procedures should incorporate the following elements:
Title
Statement of applicability
References
Prerequisites
Precautions (including warnings, cautions, and notes)
Limitations and actions
Required human actions
Acceptance criteria
Checkoff lists
5. All procedures should be verified and validated. A review should be conducted to assure procedures are correct and can be performed. Final validation of operating procedures should be performed in a simulation of the integrated system as part of V&V activities described in Element 8.
6. An analysis should be conducted to determine the impact of providing computer-based procedures (either partial or complete) and to specify where such an approach would improve procedure utilization and reduce operating crew errors related to procedure use.
7. A plan for procedure maintenance and control of updates should be developed.
8. The effort should be performed using the following documents as guidance:
NUREG-0800: Standard review plan (Rev 1), 1984, (U.S. Nuclear Regulatory Commission).
NUREG-0899: Guidelines for the preparation of emergency operating procedures, 1982, (U.S. Nuclear Regulatory Commission).
NUREG-1358: Lessons learned from the special inspection program for emergency operating procedures, 1989, (U.S. Nuclear Regulatory Commission).
NUREG-1358 SUP 1: Lessons learned from the special inspection program for emergency operating procedures, 1989, (U.S. Nuclear Regulatory Commission).
NUREG/CR-5228: Techniques for preparing flowchart format emergency operating procedures (Vols. 1 & 2), 1989, (U.S. Nuclear Regulatory Commission - Barnes, V. et al.).
NRC Regulatory Guide 1.33 (Rev. 2) - Quality assurance program requirements, 1978, (U.S. Nuclear Regulatory Commission).
ANSI N18.7-1976: Administrative controls and quality assurance for the operational phase of nuclear power plants, 1976, (American National Standards Institute).
10. ELEMENT 9 - TRAINING PROGRAM DEVELOPMENT
10.1 Background
Training of plant personnel is an important factor in assuring safe and reliable operation of NPPs. Advanced nuclear power plants may pose demands on the knowledge, skills, and abilities of operational personnel that are different than those posed by traditional plants. These demands stem from differences in operator responsibilities resulting from advanced plant design features (e.g., passive systems and increased automation) and differences in operator task characteristics due to advances in HSI technologies.
A systems approach to the training of plant personnel is required by 10 CFR 55.4 and other requirements. Training design is to be based on a systematic evaluation of job and task requirements. The HFE analyses associated with the HSI design process provide a valuable understanding of the task requirements of operations personnel. Therefore, the training development should be closely coordinated with the other elements of the HFE design process.
10.2 Objective
The objective of this review is to assure that the applicant established an approach for the development of personnel training that:
Systematically evaluates the knowledge and skill requirements of personnel.
Coordinates the development of training with the other elements of the HFE design process.
Delivers training to personnel in an effective manner that is consistent with human factors principles and practices.
10.3 Applicant Submittals
The applicant should provide the following documents for staff review: Implementation Plan, Analysis Results Report, and HFE Design Team Evaluation Report. For a description of these submittals see Section 1.4.4.
10.4 Review Criteria
1. The training program should be developed in accordance with 10 CFR 55 and other relevant requirements to ensure that operations personnel have the knowledge, skills and abilities to perform their operational duties. Training should address:
The full range of positions of operational personnel including licensed operators and non-licensed persons whose actions may affect the safety of the plant.
The full range of plant safety functions and systems including those that may be different from predecessor plants (e.g., passive systems and functions).
The full range of relevant HSI components (e.g., MCR, RSP, local control stations) including characteristics that may be different from predecessor plants (e.g., display space navigation, operation of "soft" controls).
The full range of plant conditions.
2. Training program development shall address applicable requirements of Section 13.2, Training, of NUREG-0800 and other applicable regulations.
3. A systematic approach to training as defined in 10 CFR 55.4 shall be used. The Training Development Implementation Plan shall be consistent with the following five elements:
Systematic analysis of jobs (and tasks) to be performed.
Learning objectives derived from the analysis which describe desired performance after training.
Training design and implementation based on the learning objectives.
Evaluation of trainee mastery of the objectives during training.
Evaluation and revision of the training based on the performance of trained personnel in the job setting.
4. The roles of all organizations, especially the COL applicant and vendors, shall be specifically defined for the development of training requirements, development of training information sources, development of detailed training materials, and the conduct and management of training programs. For example, the role of vendor may range from merely providing input materials such as the EPGs, to participating in the development of training requirements, to conducting portions of specific training programs.
5. The qualifications of organizations and personnel involved in the development and conduct of training shall be defined.
6. The overall scope of training shall be defined including:
Categories of operations personnel (e.g., senior reactor operator) to be trained,
Specific plant conditions (normal, upset, and emergency),
Specific operational activities (e.g., operations, maintenance, testing/surveillance), and
HSI components (e.g., main control room, remote shutdown panel, local control stations).
The scope of training shall include the training of operations personnel participating in verification and validation of the plant design (Element 10).
7. Learning objectives shall be derived from a systematic analysis of operator duties based in part on task analyses, plant procedures, and operator duties defined by FSAR and applicable regulations. This analysis shall include but not be limited to training issues identified in the following HFE PRM elements:
Operating Experience Review - Previous training deficiencies and operational problems that may be corrected through additional/enhanced training. Positive characteristics of previous training programs.
Function Analysis and Allocation - Operator functions identified as New or Modified.
Task Analysis - Operator tasks identified during task analysis as posing unusual demands upon operators including critical tasks identified by PRA/HRA, new/different tasks, and tasks requiring high coordination, high workload, or special skills.
Human Reliability Assessment - Requirements for coordination of individual operator roles to reduce the likelihood and/or consequences of human error associated with critical human actions and the use of advanced technology.
HSI Design - Design features whose purpose or operation may be different from the past experience or expectations of operations personnel.
Plant Procedures - Operator tasks that have been identified during procedure development as being problematic (e.g., procedure steps that have undergone extensive revision due to safety concerns).
Verification and Validation - Training concerns identified during V&V including HSI usability concerns identified during validation or suitability verification and operator performance concerns (e.g., misdiagnoses of plant event) identified during validation trials.
8. Learning objectives shall also be derived from operator knowledge and skill requirements derived from the Final Safety Analysis Report, system description manuals and operating procedures, facility license and license amendments, Licensee Event Reports, and other documents identified by the staff as being important to training.
9. The design of the training program shall be defined to specify how learning objectives will be conveyed to the trainee. The use of lecture, simulator, and on-the-job training to convey particular categories of learning objectives will be defined. Specific plant conditions and scenarios to be used in training programs should be defined. Training implementation considerations such as the temporal order and schedule of training segments shall be defined. The training program specifications should include justifications based on HFE principles of training, training practices, and other criteria.
10. Facilities and resources such as plant-referenced simulator and part-task training simulators required to satisfy training design requirements shall be defined.
11. Methods for evaluating trainee mastery of training objectives shall be defined including written and oral tests and walk-through and simulator exercises. Evaluation criteria for training objectives shall be defined for individual training modules. Methods for assessing overall proficiency shall be defined and coordinated with operator licensing regulations, where applicable.
12. Methods for verifying the accuracy and completeness of training course materials shall be defined.
13. Methods for evaluating the overall effectiveness of the training programs shall be defined including review of operator performance in tests and walk-through/simulator exercises and on-the-job performance.
14. Procedures for refining and updating the content and conduct of training shall be established including procedures for tracking training course modifications.
15. The applicant's training development program should be conducted using the following documents as guidance:
10 CFR 55.4: U.S. Code of Federal Regulations, "Operator's Licenses," Part 55, Title 10 "Energy."
NUREG-0800: Standard review plan, 1984, (U.S. Nuclear Regulatory Commission).
11. ELEMENT 10 - HUMAN FACTORS VERIFICATION AND VALIDATION
11.1 Background
V&V evaluations seek to comprehensively determine that the design conforms to HFE design principles and that it enables plant personnel to successfully perform their tasks to achieve safety and other operational goals. This element is made up of the five V&V activities shown in Figure 11.1. Although the applicant's performance of these activities should generally be in the order shown, it should be recognized that the process is iterative. A major distinction exists between design process V&V evaluations and design implementation verification. Design process evaluations are conducted to ensure that HFE principles and methods are appropriately incorporated into the design process. They include:
HSI Task Support Verification - a check to ensure that HSI components are provided to address all identified personnel tasks.
HFE Design Verification - a check to determine whether the design of each HSI component reflects HFE principles, standards, and guidelines.
Integrated System Validation - performance-based evaluations of the integrated design to ensure that the HFE/HSI supports safe operation of the plant.
Human Factors Issue Resolution Verification - a check to ensure that the HFE issues identified during the design process have been acceptably addressed and resolved.
The process should begin with HSI Task Support Verification to identify missing or potentially unnecessary HSI components. Then the HSIs should be reviewed by HFE Design Verification to assure the HSI is acceptably designed according to HFE principles. Integrated System Validation should be performed on a dynamic, high-fidelity representation of the "final" HSI design, i.e., after HFE Design Verification activities have been completed. Modifications to the design may be required following validation. Major changes may require Integrated System Validation of selective issues. However, relatively minor changes to the design may only require HSI Task Support Verification and HFE Design Verification.
Since issues can arise during validation, Issue Resolution Verification cannot be completed until validation issues have been resolved. The "final" design should be documented in a design description document that includes performance requirements. This document can then be used to perform a Final Plant HFE/HSI Design Verification to assure that the final product "as built" conforms to the verified and validated design that resulted from the HFE design process. The main activity should be a check of the actual HSIs against the description. However, some additional V&V activities may be included for those aspects of the design that could not be evaluated during the design process V&V. Examples of such features include:
Plant-specific aspects of the HSI, and
Features that cannot be evaluated in a simulator such as control room lighting and noise.
V&V, as discussed in this element, is not intended as the activity whereby HSI subsystem design concerns and issues (such as the coding techniques employed in the alarm system) are explored and evaluated. These issues should be addressed as part of HFE analyses, tests, and evaluations conducted earlier in the design process and reviewed as part of previous HFE PRM elements.
[Figure 11.1 Relationship Between V&V Activities: design process (HSI Task Support Verification, HFE Design Verification, Integrated System Validation, Issue Resolution Verification, Design Description & Performance Specification) and design implementation (Final Plant HFE Verification)]
11.2 Objective
The objective of this review is to assure that:
The HFE/HSI design provides all necessary alarms, displays, and controls to support plant personnel tasks (HSI Task Support Verification),
The HFE/HSI design conforms to HFE principles, guidelines and standards (HFE Design Verification),
The HFE/HSI design can be effectively operated by personnel within all performance requirements (Integrated System Validation).
The HFE/HSI design resolves all of the identified HFE issues in the tracking system (Human Factors Issue Resolution Verification).
The final product "as built" conforms to the verified and validated design that resulted from the HFE design process (Final Plant HFE/HSI Design Verification).
11.3 Applicant Submittals
The applicant should provide the following documents for staff review: Implementation Plans, Analysis Results Reports, and HFE Design Team Evaluation Reports for each V&V activity. For a description of these submittals see Section 1.4.4. The implementation plans should address all V&V activities including Final Plant HFE/HSI Design Verification. For the latter, aspects of the verification that have not been verified in design process V&V activities should be explicitly identified. The HFE issues tracking system should also be reviewed.
A high-fidelity prototype or simulator of the HSI should be available for staff review and witness of Integrated System Validation.
Following the V&V activities, the final design should be described in a detailed design description. This description will serve as the basis for the verification that the actual in-plant HSI conforms to the design that resulted from the HFE design process including the V&V activities. The results of the applicant's Final Plant HFE/HSI Design Verification should be documented.
11.4 Review Criteria
11.4.1 General Criteria
1. The general scope of V&V should include the following for all applicable facilities as defined in Element 1 - Human Factors Engineering Program Management
HSI hardware
HSI software
Communications
Procedures
Workstation and console configurations
Design of the overall work environment
The scope of Integrated System Validation may be limited to those applicable facilities required for the evaluation of scenarios described in Item 4 of Section 11.4.4 - Integrated System Validation below.
2. The order of V&V activities should be as follows:
HSI Task Support Verification
HFE Design Verification
Integrated System Validation
Human Factors Issue Resolution Verification
Final Plant HFE/HSI Design Verification.
3. The applicant's V&V activities should be performed using the following documents as guidance:
Documents listed for the following HFE PRM Elements can be used to support V&V activities:
Element 7 - HSI Design
Element 8 - Procedure Development
Element 9 - Training Program Development
Reg Guide 1.33: Quality assurance requirements.
IEEE Std 845-1988: IEEE guide to evaluation of man-machine performance in nuclear power generating station control rooms and other peripheries, 1988, (IEEE).
AR 602-1: Human factors engineering program, 1983, (Department of Defense).
TOP 1-2-610: Test operating procedure - Parts 1 & 2, 1990, (Department of Defense).
11.4.2 HSI Task Support Verification
1. All aspects of the HSI (e.g., controls, displays, procedures, and data processing) that are required to accomplish human tasks and actions [as defined by the task analysis, EOP analysis, and the critical actions of the probabilistic risk assessment/human reliability analysis (PRA/HRA)] should be verified as available through the HSI.
2. It should be verified that the HSI does not include information, displays, controls, etc. which do not support operator tasks. This includes non-functional decorative details such as borders and shadowing on graphical displays.
11.4.3 HFE Design Verification
1. All aspects of the HSI (e.g., controls, displays, procedures, and data processing) should be verified as designed to be appropriate to personnel task requirements and operational considerations as defined by design specifications, and are consistent with accepted HFE guidelines, standards, and principles.
2. Deviations from accepted HFE guidelines, standards, and principles should be acceptably justified based upon a documented rationale such as trade study results, literature-based evaluations, demonstrated operational experience, and tests/experiments.
11.4.4 Integrated System Validation
1. The methodology for integrated system validation should address:
General objectives
Personnel performance issues to be addressed (e.g., crew coordination)
Test methodology and procedures
Test participants (operators to participate in the test program)
Test conditions (including plant conditions, operating sequences, and accident scenarios)
HSI description
Performance measures
Data analysis
Criteria for evaluation of results
Utilization of evaluations
2. Validation should be performed by evaluating dynamic task performance using tools which are appropriate to the accomplishment of this objective. The primary tool for this purpose is a simulator, i.e., a facility that physically represents the HSI configuration and which dynamically represents the operating characteristics and responses of the plant design in real time. The requirement to validate performance at plant HSIs outside the CR will be dependent on the applicant's design. Human actions at non-CR facilities such as remote shutdown panels and LCSs may be evaluated using mock-ups, prototypes, or similar tools.
3. The evaluations should address:
Adequacy of entire HSI configuration for achievement of HFE design goals.
Confirm allocation of function and the structure of tasks assigned to personnel.
Adequacy of staffing and the HSI to support staff to accomplish their tasks,
Adequacy of procedures,
Confirm the dynamic aspects of the HSI for task accomplishment, and
Evaluation and demonstration of error tolerance to human and system failures.
4. Regulatory Guide 1.33, Appendix A contains several categories of activities that must be appropriately covered by procedures. The validation should evaluate selected evolutions based upon procedures developed to address this Guide. The evaluation should include selected procedures in each category, i.e.:
Administrative
General Operations
System startup and shutdown
Abnormal, off-normal and alarm conditions
Emergency
Control of radioactivity
Test and calibration
Maintenance
Chemistry control
5. Dynamic evaluations should evaluate HSI under a range of operational conditions and upsets, and should include:
Normal plant evolutions, e.g., start-up, full power, and shutdown operations;
Instrument failures, e.g., safety system logic & control (SSLC) unit, fault tolerant controller (NSSS), local "field unit" for multiplexer (MUX) system, break in MUX line;
HSI equipment and processing failure, e.g., loss of VDUs, loss of data processing, loss of large overview display;
Transients, e.g., turbine trip, loss of offsite power, station blackout, loss of all feedwater, loss of service water, loss of power to selected buses/CR power supplies, and SRV transients;
Accidents, e.g., main steam line break, positive reactivity addition, control rod insertion at power, control rod ejection, anticipated transient without scram (ATWS), and various-sized loss of coolant accidents (LOCAs); and
Reactor shutdown and cooldown from remote shutdown panel.
6. The scenarios should be realistic. Selected ones should include environmental conditions such as noise and distractions which may affect human performance in an actual NPP.
7. All critical human actions as defined by the task analysis and PRA/HRA should be tested and found to be adequately supported in the design. The design of tests and evaluations to be performed as part of HFE V&V activities should specifically examine these actions.
8. Performance measures for dynamic evaluations should be adequate to test the achievement of all objectives, design goals, and performance requirements and should include at a minimum:
System performance measures relevant to safety
Crew primary task performance (e.g., task times, procedure violations)
Crew errors
Situation awareness
Workload
Crew communications and coordination
Dynamic anthropometry evaluations
Physical positioning and interactions.
11.4.5 Human Factors Issue Resolution Verification
1. All issues documented in the Human Factors Issue Tracking System of Element 1 should be verified as adequately addressed.
2. Issues that could not be resolved until a plant is built should be specifically identified and incorporated into the Final Plant HFE/HSI Design Verification.
11.4.6 Final Plant HFE/HSI Design Verification
1. Following design process V&V activities, a design description should be developed which describes the detailed design and its performance criteria.
2. Aspects of the design which were not addressed in design process V&V should be evaluated.
3. The in-plant HFE should conform to the design that resulted from the HFE design process and V&V activities.
12. REFERENCES
American National Standards Institute, "American National Standard for Human Factors Engineering of Visual Display Terminal Workstations," ANSI HFS-100, American National Standards Institute, 1988.
American National Standards Institute, "Administrative Controls and Quality Assurance for the Operational Phase of Nuclear Power Plants," ANSI-N18.7-1976, American National Standards Institute, 1976.
Bailey, R.W., Human Performance Engineering: A Guide for System Designers, Prentice-Hall, Inc.: Englewood Cliffs, NJ, 1982.
Bari, R. et al., "Probabilistic Safety Analysis Procedures Guide," NUREG/CR-2815, U.S. Nuclear Regulatory Commission: Washington, D.C., 1985.
Barnes, V. et al., "Techniques for Preparing Flowchart Format Emergency Operating Procedures," NUREG/CR-5228, Volumes 1 and 2, U.S. Nuclear Regulatory Commission: Washington, D.C., 1989.
Bastl, W. et al., "Balance Between Automation and Human Actions in NPP Operation: Results of International Cooperation," in Balancing Automation and Human Actions in Nuclear Power Plants, International Atomic Energy Agency: Vienna, Austria, 1991.
Beattie, J. and Malcolm, J., "Development of a Human Factors Engineering Program for the Canadian Nuclear Industry," Proceedings of the Human Factors Society - 35th Annual Meeting, Human Factors Society: Santa Monica, CA, 1991.
Brown, W., Higgins, J., & O'Hara, J., "Local Control Stations: Human Engineering Issues and Insights," Draft NUREG/CR-6146, Brookhaven National Laboratory: Upton, NY, 1993.
Burgy, D. et al., "Task Analysis of Nuclear Power Plant Control Room Crews," NUREG/CR-3371, Volumes 1 and 2, U.S. Nuclear Regulatory Commission: Washington, D.C., 1983.
Campbell, D. and Fisk, D., "Convergent and Discriminant Validation by the Multitrait-Multimethod Matrix," Psychological Bulletin, 56, 81-105, 1959.
Carter, R., and Uhrig, R., "Human Factors Issues Associated with Advanced Instrumentation and Controls Technologies in Nuclear Plants," NUREG/CR-5439, U.S. Nuclear Regulatory Commission: Washington, D.C., 1990.
Coblentz, A., Vigilance and Performance in Automated Systems, NATO ASI Series D, 49, Kluwer Academic Publishers: Boston, MA, 1988.
Committee on Human Factors, "Research Needs for Human Factors," National Research Council, National Academy of Sciences: Washington, D.C., 1983.
DeGreene, K.B., Systems Psychology, McGraw-Hill Book Company: New York, NY, 1970.
Dougherty, E. and Fragola, J., Human Reliability Analysis: A Systems Engineering Approach with Nuclear Power Plant Applications, New York: J. Wiley & Sons, 1988.
Drury, C., Paramore, B., Van Cott, H., Grey, S., and Corlett, E., "Task Analysis," In G. Salvendy (Ed.) Handbook of Human Factors, Wiley-Interscience: New York, 1987.
Edwards, E., "Automation in Civil Transport Aircraft," Applied Ergonomics, 8, 194-198, 1977.
El-Bassioni et al., PRA Review Manual, NUREG/CR-3485, 1985.
Electric Power Research Institute, "Advanced Light Water Reactor Utility Requirements Document (URD) - Volume II ALWR Evolutionary Plant," Revision 4, Electric Power Research Institute, 1992.
Electric Power Research Institute, "Man-Machine Interface Systems," Advanced Light Water Reactor Utility Requirements Document - Volume II ALWR Evolutionary Plant, NP-6780-L (Revision 1), Electric Power Research Institute: Palo Alto, CA, 1990.
Embrey, D., Humpherys, P., Rosa, E., Kirwan, B., and Rea, K., SLIM-MAUD: An Approach to Assessing Human Error Probabilities Using Structured Expert Judgement, NUREG/CR-3518, 1984.
Ephrath, A., and Young, L., "Monitoring vs. Man-In-The-Loop Detection of Aircraft Control Failures," Human Detection and Diagnosis of System Failures, Plenum Press: New York, NY, 1981.
Frey, R. et al., "Computer-Generated Display System Guidelines," EPRI NP-3701, Volumes 1 and 2, Electric Power Research Institute, 1984.
Gagne, R.M., and Melton, A.W., Psychological Principles in System Development, Holt, Rinehart and Winston: New York, NY, 1988.
Gould, J., "How to Design Usable Systems," Handbook of Human Computer Interaction, Elsevier Science Publishers: Amsterdam, Netherlands, 1988.
Hannaman, G., Spurgin, A., Joksimovich, V., Wreathall, J., and Orvis, D., Systematic Human Action Reliability Procedure (SHARP), Interim Report, NP-3583, Electric Power Research Institute, June 1984.
INPO, Operating Experience To Apply to Advanced Light Water Reactor Designs (INPO 934KM, Revision 1, 1993.
International Atomic Energy Agency, International Working Group on NPP Control and Instrumentation, "The Role of Automation and Humans in Nuclear Power Plants," IAEA-TECDOC-668, International Atomic Energy Agency: Vienna, Austria, 1992.
Institute of Electrical and Electronics Engineers, "IEEE Guide to Evaluation of Man-Machine Performance in Nuclear Power Generating Station Control Rooms and Other Peripheries," Std. 845-1988, The Institute of Electrical and Electronics Engineers, Inc.: New York, NY, 1988.
Institute of Electrical and Electronics Engineers, "IEEE Guide to the Application of Human Factors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations," Std. 1023-1988, The Institute of Electrical and Electronics Engineers, Inc.: New York, NY, 1988.
International Electrotechnical Commission, International Standard: Design for Control Rooms of Nuclear Power Plants, IEC 964, Bureau Central de la Commission Electrotechnique Internationale: Geneva, Switzerland, 1989.
International Nuclear Safety Advisory Group, Basic Safety Principles for Nuclear Power Plants, Safety Series No. 75-INSAG-3, International Atomic Energy Agency: Vienna, Austria, 1988.
Karat, J., "The Relation of Psychological Theory to Human-Computer Interaction Standards," Designing and Using Human-Computer Interfaces and Knowledge Based Systems, Elsevier Science Publishers: Amsterdam, Netherlands, 1989.
Kaufman, J., Lanik, G., Spence, R., and Trager, E., "Operating Experience Feedback Report - Human Performance in Operating Events," NUREG-1275, Volume 8, 1992.
Kennedy, W., "Survey of OECD Members on the Use of Computers in Control Rooms of Nuclear Power Plants," Man-Machine Interface in the Nuclear Industry, International Atomic Energy Agency: Vienna, Austria, 1988.
Kibble, M., "Information Transfer from Intelligent EW Displays," Proceedings of the Human Factors Society - 32nd Annual Meeting, Human Factors Society: Santa Monica, CA, 1988.
Kinkade, R.G., and Anderson, J., "Human Factors Guide for Nuclear Power Plant Control Room Development," EPRI NP-3659, Electric Power Research Institute, 1984.
Kockler, F., Withers, T., Podiack, J., and Gierman, M., Systems Engineering Management Guide, Department of Defense AD/A223168, Defense Systems Management College: Fort Belvoir, VA, 1990.
Moray, N. and Huey, B., Human Factors Research and Nuclear Safety, National Research Council, National Academy of Sciences: Washington, D.C., 1988.
Moray, N., Lootsteen, P., and Pajak, J., "Acquisition of Process Control Skills," IEEE Transactions on Systems, Man, and Cybernetics, 16, 491-504, 1986.
Neboyan, V. and Kossilov, A., Control Rooms and Man-Machine Interface in Nuclear Power Plants, IAEA-TECDOC-565, International Atomic Energy Agency: Vienna, Austria, 1990.
O'Hara, J., "Advanced Human System Interface Design Review Guideline: General Evaluation Model, Technical Development, and Guideline Description," NUREG/CR-5908, Volume 1, U.S. Nuclear Regulatory Commission: Washington, D.C., 1993.
O'Hara, J., Brown, W., & Higgins, J., "Human Factors engineering guidelines for the review of advanced alarm systems," Draft NUREG/CR-6105, Brookhaven National Laboratory: Upton, NY, 199? (1993).
O'Hara, J. and Hall, R., "Human-Computer Interface and Human Reliability," Proceedings on Advances in Human Factors Research on Man/Computer Interactions, American Nuclear Society: Nashville, TN, 339-345, 1990.
Pack, R. et al., "Human Engineering Design Guidelines for Maintainability," EPRI NP-4350, Electric Power Research Institute, 1985.
Potter, S., Cook, R., Woods, D., and McDonald, J., "The Role of Human Factors Guidelines in Designing Usable Systems: A Case Study of Operating Room Equipment," Proceedings of the Human Factors Society - 34th Annual Meeting, Human Factors Society: Santa Monica, CA, 1990.
Price, H., "The Allocation of Functions in Man-Machine Systems: A Perspective and Literature Review," NUREG/CR-2623, U.S. Nuclear Regulatory Commission: Washington, D.C., 1982.
Pulliam, R., et al., "A Methodology for Allocation Nuclear Power Plant Control Functions to Human and Automated Control," NUREG/CR-3331, U.S. Nuclear Regulatory Commission: Washington, D.C., 1983.
Rasmussen, J., Duncan, K. and Leplat, J., New Technology and Human Error, J. Wiley and Sons: New York, NY, 1987.
Reaux, R. and Williges, R., "Effects of Level of Abstraction and Presentation Media on Usability of User-System Interface Guidelines," Proceedings of the Human Factors Society - 32nd Annual Meeting, Human Factors Society: Santa Monica, CA, 1988.
Rose, E., Humpherys, P., Spettell, C., and Embrey, D., Application of SLIM-MAUD: A Test of an Interactive Computer-Based Method for Organizing Expert Assessment of Human Performance and Reliability, NUREG/CR-4016, 1985.
Sexton, G., "Cockpit-Crew Systems Design and Integration," Human Factors in Aviation, Academic Press: New York, NY, 1988.
Smith, S., "Standards Versus Guidelines for Designing User Interface Software," Handbook of Human-Computer Interaction, Elsevier Science Publishers: Amsterdam, Netherlands, 1988.
Stubler, W., Roth, E., and Mumaw, R., "Evaluation Issues for Computer-Based Control Rooms," Proceedings of the Human Factors Society - 35th Annual Meeting, Human Factors Society: Santa Monica, CA, 1991.
Swain, A. and Guttmann, H., Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Applications - Final Report, NUREG/CR-1278, 1983.
Swain, A., Accident Sequence Evaluation Program Human Reliability Analysis Procedure, NUREG/CR-4772, 1987.
U.S. Code of Federal Regulations, "Domestic Licensing of Production and Utilization Facilities," Part 50, Title 10, "Energy."
U.S. Code of Federal Regulations, "Early Site Permits; Standard Design Certifications; and Combined Licenses for Nuclear Power Plants," Part 52, Title 10, "Energy."
U.S. Code of Federal Regulations, "Operator's Licenses," Part 55, Title 10, "Energy."
U.S. Department of Defense, "Human-Computer Interface Style Guide (Version 1)," Office of Management and Budget: Washington, D.C., 1992.
U.S. Department of Defense, "Defense Acquisition (DODD 5000.1)," Office of Management and Budget: Washington, D.C., 1991a.
U.S. Department of Defense, "Defense Acquisition Management Policies and Procedures (DODI 5000.2)," Office of Management and Budget: Washington, D.C., 1991b.
U.S. Department of Defense, "Human Engineering Procedures Guide (DOD-HDBK-763)," Office of Management and Budget: Washington, D.C., 1991c.
U.S. Department of Defense, "Manpower and Personnel Integration (MANPRINT) in the Material Acquisition Process (AR 602-2)," Department of the Army: Washington, D.C., 1990a.
U.S. Department of Defense, "System Engineering Management Plan (DI-MGMT-81024)," Office of Management and Budget: Washington, D.C., 1990b.
U.S. Department of Defense, "Test Operating Procedure," TOP 1-2-610, Parts 1 and 2, Office of Management and Budget: Washington, D.C., 1990c.
U.S. Department of Defense, "Human Engineering Guidelines for Management Information Systems (DOD-HDBK-761A)," Office of Management and Budget: Washington, D.C., 1990d.
U.S. Department of Defense, "Human Engineering Program Plan (DI-HFAC-80740)," Office of Management and Budget: Washington, D.C., 1989a.
U.S. Department of Defense, "Human Engineering Design Criteria for Military Systems, Equipment and Facilities (MIL-STD-1472D)," Office of Management and Budget: Washington, D.C., 1989b.
U.S. Department of Defense, "System Safety Program Plan (DI-SAFT-80100)," Office of Management and Budget: Washington, D.C., 1986.
U.S. Department of Defense, "Guidelines for Designing User Interface Software," ESD-TR 278, Washington, D.C., 1986.
U.S. Department of Defense, "Technical Reviews and Audits for Systems, Equipments, and Computer Software (MIL-STD-1521B)," Department of the Air Force: Washington, D.C., 1985.
U.S. Department of Defense, "Human Factors Engineering Program (AR 602-1)," Department of the Army: Washington, D.C., 1983.
U.S. Department of Defense, "Human Factors Engineering Design for Army Material (MIL-HDBK-759A (MI))," Department of the Army: Washington, D.C., 1981.
U.S. Department of Defense, "Human Engineering Requirements for Military Systems, Equipment and Facilities," MIL-H-46855B, Office of Management and Budget: Washington, D.C., 1979a.
U.S. Department of Defense, "Critical Task Analysis Report," DI-H-7055, Office of Management and Budget: Washington, D.C., 1979b.
U.S. Nuclear Regulatory Commission, "Guidance to Operators at the Controls and to Senior Operators in the Control Room of a Nuclear Power Unit," Regulatory Guide 1.114.
U.S. Nuclear Regulatory Commission, "Instrumentation Setpoints," NRC Regulatory Guide 1.105.
U.S. Nuclear Regulatory Commission, "Periodic Testing of Diesel Generator Units Used as Onsite Electric Power Systems at NPPs," NRC Regulatory Guide 1.108.
U.S. Nuclear Regulatory Commission, "Periodic Testing of Protection System Actuation Functions," NRC Regulatory Guide 1.22.
U.S. Nuclear Regulatory Commission, "Quality assurance requirements," NRC Regulatory Guide 1.33.
U.S. Nuclear Regulatory Commission, "Bypassed and Inoperable Status Indication for NPP Safety Systems," NRC Regulatory Guide 1.47.
U.S. Nuclear Regulatory Commission, "Manual Initiation of Protective Actions," NRC Regulatory Guide 1.62.
U.S. Nuclear Regulatory Commission, "Shared Emergency and Shutdown Electrical Systems for Multi-Unit NPPs," NRC Regulatory Guide 1.81.
U.S. Nuclear Regulatory Commission, "Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environmental Conditions During and Following an Accident," NRC Regulatory Guide 1.97.
U.S. Nuclear Regulatory Commission, "Adequacy of Safety-Related DC Power Supplies," Generic Letter 91-06, Resolution of Generic Issue A-30.
U.S. Nuclear Regulatory Commission, "Reactor Coolant Pump Seal Failures," Generic Letter 91-07, Generic Issue 23.
U.S. Nuclear Regulatory Commission, "LCOs for Class 1E Vital Instrument Buses," and "Interlocks and LCOs for Class 1E Tie Breakers," Generic Letter 91-11, Resolution of Generic Issues 48 and 49.
U.S. Nuclear Regulatory Commission, "Unrecognized Loss of Control Room Annunciators"
U.S. Nuclear Regulatory Commission, "Importance of Engineering Expertise on Shift," Information Notice 93-8.
U.S. Nuclear Regulatory Commission, "Clarification of TMI Action Plan Requirements," NUREG-0737 and Supplements, U.S. Nuclear Regulatory Commission: Washington, D.C., 1980a.
U.S. Nuclear Regulatory Commission, "Functional Criteria for Emergency Response Facilities," NUREG-0696, U.S. Nuclear Regulatory Commission: Washington, D.C., 1980b.
U.S. Nuclear Regulatory Commission, "Quality Assurance Program Requirements," NRC Regulatory Guide 1.33, Revision 2, Washington, D.C., 1978.
U.S. Nuclear Regulatory Commission, "Quality Assurance Program Requirements," NRC Regulatory Guide 1.33, Appendix A, Washington, D.C., 1978.
U.S. Nuclear Regulatory Commission, "Lessons Learned from the Special Inspection Program for Emergency Operating Procedures," NUREG-1358, Washington, D.C., 1989.
U.S. Nuclear Regulatory Commission, "Lessons Learned from the Special Inspection Program for Emergency Operating Procedures," NUREG-1358, Supplement 1, Washington, D.C., 1989.
U.S. Nuclear Regulatory Commission, "A Prioritization of Generic Safety Issues," NUREG-0933 (Main Report and Supplements 1-12), Washington, D.C., 1991.
U.S. Nuclear Regulatory Commission, "Shutdown and Low-Power Operation at Commercial Nuclear Power Plants in the United States," Draft NUREG-1449, Washington, D.C., 1992.
U.S. Nuclear Regulatory Commission, "Standard Review Plan," NUREG-0800, Revision 1, Washington, D.C., 1984.
U.S. Nuclear Regulatory Commission, "PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessments for Nuclear Power Plants," NUREG/CR-2300, Washington, D.C., 1983.
U.S. Nuclear Regulatory Commission, "Guidelines for the Preparation of Emergency Operating Procedures," NUREG-0899, Washington, D.C., 1982.
U.S. Nuclear Regulatory Commission, "Guidelines for Control Room Design Reviews," NUREG-0700, Washington, D.C., 1981.
Van Cott, H.P. and Kinkade, R.G., Human Engineering Guide to Equipment Design, U.S. Government Printing Office: Washington, D.C., 1972.
Warm, J. and Parasuraman, R., "Vigilance: Basic and Applied Research," Human Factors, Special Issue, 22, 623-740, 1987.
Wickens, C. and Kessel, C., "The Detection of Dynamic System Failures," Human Detection and Diagnosis of System Failures, Plenum Press: New York, NY, 1981.
Wiener, E. and Curry, R., "Flight-Deck Automation: Promises and Problems," Ergonomics, 23, pp. 995-1011, 1980.
Wiener, E. and Nagel, D., Human Factors in Aviation, Academic Press: New York, NY, 1988.
Woods, D., Roth, E., Stubler, W., and Mumaw, R., "Navigating through Large Display Networks in Dynamic Control Applications," Proceedings of the Human Factors Society - 34th Annual Meeting, Human Factors Society: Santa Monica, CA, 1990.
Woodson, W.E., Human Factors Design Handbook, McGraw-Hill Book Company: New York, NY, 1981.

Appendix A HFE Design Team Composition

The term "HFE design team" is generically used within the HFE PRM to refer to the primary organization(s) or function(s) within the organization that are responsible for HFE within the scope of this report. There is no intent to prescribe any particular organizational structure on the applicant, nor is it assumed that HFE is performed by a single organization or that there is an organizational unit called the HFE design team.
The HFE design team should include the following expertise:
- Technical Project Management
  - Bachelor's degree,
  - five years' experience in nuclear power plant design or operations, and
  - three years' management experience.
- Systems Engineering
  - Bachelor's of Science degree, and
  - four years' cumulative experience in at least three of the following areas of systems engineering: design, development, integration, operation, and test and evaluation.
- Nuclear Engineering
  - Bachelor's of Science degree, and
  - four years' nuclear design, development, test or operations experience.
- Instrumentation and Control (I&C) Engineering
  - Bachelor's of Science degree,
  - four years' experience in design of process control systems, and
  - experience in at least one of the following areas of I&C engineering: development, power plant operations, and test and evaluation.
- Architect Engineering
  - Bachelor's of Science degree, and
  - four years' experience in design of power plant control rooms.
- Human Factors
  - Bachelor's degree in human factors engineering, engineering psychology or related science,
  - four years' cumulative experience related to the human factors aspects of human-computer interfaces. Qualifying experience should include experience in at least two of the following human factors related activities: design, development, and test and evaluation, and
  - four years' cumulative experience related to the human factors field of ergonomics. Again, qualifying experience should include experience in at least two of the following areas of human factors activities: design, development, and test and evaluation.
- Plant Operations
  - Have or have held a Senior Reactor Operator license, and
  - two years' experience in relevant nuclear power plant operations.
- Computer System Engineering
  - Bachelor's degree in Electrical Engineering or Computer Science, or graduate degree in other engineering discipline (e.g., Mechanical Engineering or Chemical Engineering), and
  - four years' experience in the design of digital computer systems and real time systems applications.
- Plant Procedure Development
  - Bachelor's degree, and
  - four years' experience in developing nuclear power plant operating procedures.
- Personnel Training
  - Bachelor's degree,
  - four years' experience in the development of personnel training programs for power plants, and
  - experience in the application of systematic training development methods.
- Systems Safety Engineering
  - Bachelor's degree in Science,
  - certification by the Board of Certified Safety Professionals in System Safety, and
  - four years' experience in System Safety Engineering.
- Maintainability/Inspectability Engineering
  - Bachelor's of Science degree,
  - four years' cumulative experience in at least two of the following areas of power plant maintainability and inspectability engineering activity: design, development, integration, and test and evaluation, and
  - experience in analyzing and resolving plant system and/or equipment related maintenance problems.
- Reliability/Availability Engineering
  - Bachelor's degree,
  - four years' cumulative experience in at least two of the following areas of power plant reliability engineering activity: design, development, integration, and test and evaluation, and
  - knowledge of computer-based, human-interface systems.
The education and related professional experience of the HFE design team personnel should satisfy the minimum personal qualification requirements specified above for each of the areas of required skills. In those skill areas where related professional experience is specified, qualifying experience of the individual HFE design team personnel should include experience in the technologies and techniques of the particular skill area utilized in the HSI design and implementation activities. The required professional experience presented in those personal qualifications is to be satisfied by the HFE design team as a collective whole. Therefore, satisfaction of the professional experience requirements associated with a particular skill area may be realized through the combination of the professional experience of two or more members of the HFE design team who each, individually, satisfy the other defined credentials of the particular skill area but who do not possess all of the specified professional experience. It is recognized that one person may possess multiple skills and that people may have additional responsibilities beyond the HFE design team.
Alternative personal credentials may be accepted as the basis for satisfying the minimum personal qualification requirements specified above. Acceptance of such alternative personal credentials should be evaluated on a case-by-case basis and approved, documented and retained in auditable plant construction files by the COL Applicant. The following factors are examples of alternative credentials which are considered acceptable:
A Professional Engineer's license in the required skill area may be substituted for the required Bachelor's degree.
Successful completion of all technical portions of an engineering, technology or related science baccalaureate program may be substituted for the Bachelor's degree. The successful completion will be determined by a transcript or other certification by an accredited institution. For example, completion of 80 semester credit hours may be substituted for the baccalaureate requirement. The courses should be in appropriate technical subjects relevant to the required skill areas of the HFE design team for which the individual will be responsible.
Related experience may substitute for education at the rate of six semester credit hours for each year of experience up to a maximum of 60 hours credit.
Where course work is related to job assignments, post secondary education may be substituted for experience at the rate of two years of education for one year experience.
Total credit for post secondary education should not exceed two years experience credit.

Appendix B Operating Experience Review Issues

Many of the issues identified below are broad and involve system design considerations that are broader than human factors alone. However, each has a human factors component which should not be overlooked by the applicant during the design and implementation process. Thus, for each issue identified below, a brief explanation of the HFE aspects of the issue is provided. These explanations are provided as examples only and are not intended to be a complete specification of the HFE components of the issue (which should be addressed by the applicant in the design specific treatment of the issue). Each of the issues listed below should be addressed in the Operating Experience Review as part of the applicant's design and implementation process.
The issues are organized into the following categories, based on the issue source:
- 1. USI/GSI Issues
- 2. TMI Issues
- 3. NRC Generic Letters and Information Notices
- 4. AEOD Studies
- 5. Low Power and Shutdown Issues
- 6. INPO Reports

B.1 USI/GSI Issues

- 1. A-44, Station blackout: This is a large and significant issue with many human factors related aspects, including controls, displays, training, and procedures.
- 2. A-47, Safety implications of control systems: This issue relates to the implications of failures of non-safety related control systems and their interaction with control room operators.
- 3. B-17, Criteria for Safety Related Operator Actions - involves the development of a time criterion for safety-related operator actions including a determination of whether automatic actuation is required. This issue also concerns some current PWR designs requiring manual operations to accomplish the switchover from the injection mode to the recirculation mode following a LOCA.
- 4. B-32, Ice effects on safety related water supplies: The build-up of ice on service water intakes can occur gradually and can require improved instrumentation to allow operators to detect its occurrence before it causes system inoperability.
- 5. GI-2, Failure of protective devices on essential equipment: A large number of LERs have noted the incapacitation of safety-related equipment due to the failure of protective devices such as fuses and circuit breakers. Operators are not always aware of the failure of the equipment due to the design of the instrumentation.
- 6. GI-23, Reactor coolant pump seal failures: This is a multi-faceted issue, which includes a number of proposed resolutions. One sub-issue is the provision of adequate seal instrumentation to allow the operators to take corrective actions to prevent catastrophic failure of seals.
- 7. GI-51, Improving the reliability of open cycle service water systems: The build-up of clams, mussels, and corrosion products can cause the degradation of open cycle SW systems. Added instrumentation is one means of providing operators with the capability to monitor this build-up and take corrective action prior to loss of system functionality.
- 8. GI-57, Effects of fire protection system actuation on safety-related equipment: This issue resulted from spurious and inadvertent actuations of fire protection systems, often resulting from operator errors during testing or maintenance. Design of systems should prevent such errors to the extent possible.
several of which are related to human factors, for example, scram data for post-scram analysis, capability for post-maintenance testing of RPS, and a specific sub-issue titled " review of human factors issues."
- 10. GI-76, Instrumentation & control power interactions: This issue raises several concerns, including control & instrumentation faults that could blind or partially blind the operators to the status of the plant.
- 11. GI-96, RHR suction valve testing: The design of the RHR suction valves with respect to valve position indication and instrumentation to detect potential leakage from high to low pressure areas is important to the prevention of ISLOCAs. This is important for normal operations and for testing.
- 12. GI-101, Break plus single failure in BWR water level instrumentation: This issue attempts to ensure that robust information is available to the operators for both reactor water level and for plant status during the progression of an accident.
- 13. GI-105, Interfacing system LOCA at BWRs: This issue relates to pressure isolation valves for BWRs. Many failures in this area were due to personnel errors. The design should address human factors considerations to correct these potential errors. (The NRC work in the ISLOCA area has generally determined that human factors is an area needing considerable attention and which has contributed to a number of the ISLOCA precursor events.)
- 14. GI-110, Equipment protective devices of engineered safety features: There have been failures and incapacitation of ESF equipment due to the failure or intentional bypass by protective devices. Both the design of these protective devices and the appropriate indication to control room operators are important.
- 15. GI-116, Accident management: This issue relates to improved operator training and procedures for managing accidents beyond the design basis of the plant.
- 16. GI-117, Allowable equipment outage times for diverse, simultaneous equipment outages: A key aspect of this item is providing operators with needed assistance in identifying risk significant combinations of equipment outages. The information needed would include valve alignments, switch settings, as well as components declared inoperable.
- 17. GI-120, Online testability of protection systems: The designs for online testability should be careful to include appropriate human factors to ensure safe testing.
- 18. GI-125.1.3, Safety Parameter Display System Availability - addresses SPDS availability and the reliability of the information it displays.
- 19. GI-128, Electrical power reliability: This issue includes power to vital instrument buses, DC power supplies, and electrical interlocks. All of these issues are strongly dependent on proper indication and operator action for high reliability.
- 20. GI-130, Essential service water pump failures at multi-plant sites: This issue relates to the arrangement of SW pumps and piping, including cross-ties at multi-unit sites. Both the arrangement and the operators' ability to monitor the status of cross ties are important. This item mentions potential applicability to single unit sites also.
- 21. HF1.1, Shift Staffing - This issue is similar to Item I.A.1.4. above.
- 22. HF4.4, Guidelines for Upgrading Other Procedures - addresses normal and abnormal procedures in the same manner as emergency procedures.
- 23. HF4.5, MMI - Automation and Artificial Intelligence - See HF5.2.
- 24. HF5.1, Local Control Stations - addresses the MMI of local control stations and auxiliary operator interfaces.
- 25. HF5.2, Review Criteria for Human Factors Aspects of Advanced Controls and Instrumentation - This concern is a combination of HF4.5 Automation and Artificial Intelligence, the original HF5.2 on Annunciators, HF5.3 Operational Aids, and HF5.4 Computers and computer displays.
- 26. HF5.3, Man-Machine Interface (MMI) Evaluation of Operational Aids - involves guidance for MMI for new display and control technologies.
- 27. HF5.4, MMI - Computers and Computer Displays - See HF5.2.

B.2 TMI Issues

The following issues come from two sources. Items 1-18 are from 10 CFR 50.34 and are identified by the item numbers from that source. The rest of the items are from NUREG-0933 (and its predecessor NUREG-0737) and are identified by the item numbers from the NUREG. It should be noted that there is duplication in the content of some items; i.e., a single OER item may address several of the TMI issues described below. The items are listed by number and not the technical issue which is addressed.
- 1. 1v, HPCI and RCIC separation: the design should consider control room alarm and indication of the initiation levels and low-level restart values.
- 2. 1vi, Reduction of challenges to SRVs: the design should consider control room alarm and indication of SRV status and important parameters.
- 3. 1vii, ADS study: determination of the "optimum" ADS for elimination of manual activation should consider the operator's need to monitor the system and should include an analysis of the time required for operators to perform manual back-up if required.
- 4. 1 iii, Automatic restart of Core Spray and LPCI: this issue involves allocation of function considerations in terms of automatic restart of a system following manual stoppage by the operators. Considerations of whether automatic restart should be available, how it should be implemented, and what alarm and indications are needed in the control room are required.
- 5. 1xi, Depressurization by means other than ADS: consideration of depressurization will involve the provision of alarms and indication in the control room. Some methods may also require operator actions which should be subject to the full design and implementation process.
- 6. 1xii, Alternate hydrogen control systems: the evaluation of design alternatives for hydrogen control systems should include the information needs of the operators to assess the conditions which would require system initiation and the degree of automation of the systems.
- 7. 2iv, SPDS: the selection and display of important safety parameters and their integration into the overall design of the control room is a primary HFE issue.
- 8. 2v, Automatic indication of bypassed and inoperable systems: providing operators with the capability to monitor the status of automatic systems is an important function of the control room information display system and an important component to the maintenance of the operators' situation awareness.
- 9. 2vi, Venting of noncondensible gases: operator monitoring of the status of noncondensible gases in the reactor coolant system and having clear, unambiguous indication of the conditions under which gas release must be initiated should be evaluated for HFE design implications.
should be clear and unambiguous and should be evaluated for HFE design implications.
- 11. 2xii, AFW indication and initiation.
- 12. 2xvi, Number of actuation cycles for ECCS and RPS: as part of the specification of allowable actuation cycles, the method by which cycles will be defined, recorded, and tracked by the operating crew should be evaluated for HFE design implications.
- 13. 2xvii, Control room instrumentation for various parameters: the selection and display of important parameters and their integration into the overall design of the control room is a primary HFE issue.
- 14. 2xviii, Control room instrumentation for inadequate core cooling: the selection and display of important parameters and their integration into the overall design of the control room is a primary HFE issue.
- 15. 2xix, Instrumentation for post-accident monitoring: the selection and display of important parameters and their integration into the overall design of the control room is a primary HFE issue.
- 16. 2xxi, Auxiliary heat removal systems design to facilitate manual/auto actions: the specification and evaluation of manual and automatic actions should be subject to the function allocation analyses performed as part of the design and implementation process.
- 17. 2xxiv, Recording of reactor vessel level: the selection and display of important parameters and their integration into the overall design of the control room is a primary HFE issue.
considerations to assure that the personnel located in these facilities can most effectively perform their safety-related functions. Poor HFE design of these facilities may interfere with the performance of operators in a well-designed control room.
- 19. 2xxvii, Monitoring of in-plant and airborne radiation: the selection and display of important parameters and their integration into the overall design of the control room is a primary HFE issue.
- 20. 2xxviii, Control room habitability: while potential pathways for radioactivity to impact control room habitability may be identified and design solutions to preclude such problems may be developed, the control room operating crew should be aware of potential pathways. If warranted, evaluations of methods to monitor in the control room the integrity of the design solutions and the presence of radiation in the pathways should be considered.
- 21. I.A.1.4, Long-Term Upgrading of Operating Personnel and Staffing - concerns shift staffing with licensed operators, and working hours of licensed operators. Updates to 10 CFR 50.54 were approved.
- 22. I.A.4.2, Simulator Capabilities - involves the improvement of the use of simulators in the training of operators.
- 23. I.C.1, Guidance for Evaluation and Development of Procedures - addresses normal, transient, and accident conditions. This is to ensure that procedures are technically correct, explicit, and easily understood.
- 24. I.C.9, Long-Term Program for Upgrading Procedures - includes emergency operating procedures with particular emphasis on diagnostic aids for off-normal conditions.
- 25. I.D.1 - Addresses general CR design issues.
- 26. I.D.2, Plant Safety Parameter Display System Console - the need for the provision of an SPDS that displays a minimum set of parameters which define the safety status of the plant.
- 27. I.D.4, Control Room Design Standard - the need for guidance on the design of control rooms to incorporate human factors considerations.
- 28. I.D.5.1, Control Room Design - Improved Instrumentation Research Alarms and Displays - involves the man-machine interface in the control room with regard to the use of lights, alarms, and annunciators to reduce the potential for operator error, information overload, unwanted distractions, and insufficient information organization.
- 29. II.F.1 and II.F.2 - These items address detailed CR design issues related to instrumentation (II.F.1 "Additional accident monitoring instrumentation" and II.F.2 "Instrumentation for Detection of Inadequate Core-Cooling").
- 30. Item II.J.3.1, Management Plan for Design and Construction Activities
- 31. II.K.1.5, Direct position indication of relief and safety valve position in the control room such that the alarming and indication of valve status should be clear and unambiguous and should be evaluated for HFE design considerations.
- 32. II.K.1.10, Review and Modify Procedures for Removing Safety-Related Systems from Service - to ensure that their operability status is known.
B.3 NRC Generic Letters and Information Notices
- 1. Generic Letter 91-06, Resolution of Generic Issue A-30, "Adequacy of Safety-Related DC Power Supplies," Pursuant to 10 CFR 50.54(f). In this generic letter, NRC proposes certain monitoring, surveillance, and maintenance provisions for safety-related DC systems.
- 2. Generic Letter 91-07, GI-23, "Reactor Coolant Pump Seal Failures" and its possible effect on Station Blackout. This generic letter discusses the interaction between GI-23 and A-44, both of which have human factors aspects.
- 3. Generic Letter 91-11, Resolution of Generic Issues 48, "LCOs for Class 1E Vital Instrument Buses," and 49, "Interlocks and LCOs for Class 1E Tie Breakers" Pursuant to 10 CFR 50.54(f). This generic letter addresses several issues related to electrical systems including the reduction of human errors, control of equipment status, and testing.
- 4. Information Notice 93-47: Unrecognized loss of control room annunciators
- 5. Information Notice 93-81 Imp. of engineering expertise on shift

B.4 AEOD Studies
The NRC's Office for Analysis and Evaluation of Operational Data (AEOD) conducted a program to identify human factors and human performance issues associated with operating events at nuclear power plants. These reports have been summarized in NUREG-1275 Vol. 8, "Operating Experience Feedback Report - Human Performance in Operating Events" (Kaufman, J., Lanik, G., Spence, R., Trager, E., 1992).

B.5 Low Power and Shutdown Issues
A current area of active NRC work is that of the risk associated with operation during low power and shutdown. The NRC has identified the operator-centered and human factors issues as particularly important in this area. The most current status of these issues is contained in NUREG-1449, "Shutdown and Low-Power Operation at Commercial Nuclear Power Plants in the United States" (U.S. Nuclear Regulatory Commission, 1992).

B.6 INPO Documents
INPO published "Operating Experience To Apply to Advanced Light Water Reactor Designs" (INPO 93-004, Revision 1) in June of 1993, identifying operating experience issues applicable to advanced light water reactors.