ML20065S170
| ML20065S170 | |
| Person / Time | |
|---|---|
| Site: | 05000605 |
| Issue date: | 12/17/1990 |
| From: | Marriott P GENERAL ELECTRIC CO. |
| To: | Chris Miller NRC, NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM) |
| References | |
| 152-90, EEN-9076, NUDOCS 9012200121 | |
| Download: ML20065S170 (11) | |
Text
_ - _ - _ _ _ _ _
.r
~
GE Nuclear Energy u_ _ _ _
175 L e v h w lw w U !s' '
December 17,1990 MFN No.152 90 Docket No STN 50-605 EEN 9076 Document Control Desk U.S, Nuclear Regulatory Commission Washington, D.C. 20555 Attention:
Charles L Miller, Director Standardization and Non Power Reactor Project Directorate j
Subject:
Submittal of Responses to AdditionalInformation as Requested in NRC L44ter from Dino C. Scaletti, Dated July 27,1990
)
Reference:
1.
Submittal of Responses to AdditionalInformation as Requested in NRC Letter from Dino Scaletti, dated July 2'.,
1990, MFN No.129 90, dated October 9,1990 2.
Submittal of Responses to Additional Information as Requested in NRC Letter from Dino Scaletti, dated July 27, 1990, MFN No.137-90, dated November 2,1990 3.
Submittal of Responses (Proprietary Information) to Additional Information as Requested in NRC Letter from Dino Scaletti, dated July 27,1990, MFN No.153 90, dated December 17,1990
Dear Mr. Miller:
Enclosed are thirty four (34) copies of the final submittal of Chapter 18 responses to the subject Request for AdditionalInformation (RAI) on the Standard Sawty Analysis Report (SSAR) fer the Advanced Boiling Water Reactor (ABWR). The initial submittals were provided in References 1 and 2.
Responses to Questions' 621.3,621.6,621.7 and 621.11 contain information that is designated as General Electric Company proprietary information and is being submitted under separate cover (Reference 3).
It is intended that GE will amend the SSAR with these responses in a future amendment.
Sincerely, Y
. P.W. M4riott, Manager Regulatory and Analysis Services cc:
F.A. Ross (DOE)
D.C. Scaletti (NRC)
D.R. Wilkins (GE)
J.F. Quirk (OE)
[
9012200121 901217 PDR ADOCK 05000605 P
PDR 1000M i,
ABWR 23AoooAt Ollludfin! Plani Rev h QUESTlUN 620.20 The major driving force affecting control room design appears to be the concept of one person operations during normal condidons. This leads to the requirement to consolidate most of the monitoring and control capability into a single, relatively compact work station in contrast to the traditional analog control boards. This approach then leads to requirements to minimite dedicated controls and displays (because of limited real estate at the work station), utilire soft controls (to replace dedicated controls), utili7e CRT like display devices which only display a limited set of plant data at a time (to replace instrument displays) and to utilire intelligent operator aids based upon expert systems, etc. to assist the one operator to accomplish his tasks.
While these technologies may have merits of their own, we are concerned about the appropriateness of this technology as a design driver fcr U.S. plants. Please discuss your rationale for this concept.
RESPONSE 620.20 The basic ADWR control room design goal is to minimire the burden on the operating staff and promote efficient and correct operator actions. In achieving that design goal, the ABWR control room design provides the capability for operation by either a single operator or multiple operators. This flexibility in plant operation is possible due to implementation of several key design features: the wide display device for overall plant monitoring, plant level automation, system level automation via the sequence master control switches, the compact rnain control console design and implementation of operator guidante functions which display appropriate operating sequences on the main control console CRTs. The role of the operator will primarily be one of monitoring the status of individual systems and the overall plant and the progress of automation sequences, rather than the traditional role of monitoring and controlling indisidual pieces of system equipment.
The rationale for providing the capability for operations by a single operator during routine plant maneuvers is based upon several considerntions. These are discussed below:
- 1. Operator Communleations Errors: Single person operation will climinate errors of communication.
Included in this category of errors are those related to the spoken word qs well as unspoken communications. In writing about the Three Mile Island (TMI) incident, Sheridan states;
' Nuclear plant operators work in teams, based on the premise that two or more heads are better than one. But there is a great deal of interaction among team members, some of it subtle and unspoken.
Such interpersonal communication is little understood but assuredly does affect the reliability of human performance. For example, operators unintentionally could reinforce one another's misimpressions, making the team less reliable than a single operator who would be more likely to think a matter through carefully. This means that human error rates for individuals may differ from those for teams."
2 The Rogovin Report indicates that it took some time for the operating crew at TMI Unit 2 to become organized to the extent that they were stationed at strategic places.
l
- 2. Operator Work lamd: Resuhs of operator work load andyses performed as part of the ABWR I
development program indicate that one person operauon of the plant during normal plant operations l
is not only feasible but may be preferable to two person oper#.c n. This is true because the high i
degree of plant automation which is available during normal plant operations reduces the operator l
work load to a level casily sustained by a single operator but one which may provide a lower level of stimulus if divided between two operators. The characteristic of a very low task load, or stress level,is that there is not enough stimulation to maintain the person at an alert level: his state of arousal is below normal. The subject of appropriate operator work load was discussed in the responses to Questions 620.10 and 620.18.
l
-t-l l
l ABWR
= =r Standard Plant an n
- 3. Coordination of Operator Aethitles: With one operator performing all of the actions, the necessity of coordinating the activities of two or more operators is climinated. This is closely related to the communications problem discussed above.
- 4. Availability of Assistance: The ABWR control room staffmg level conforms to the requirements of 10 CFR 50.54(m), as discussed in the respcmse to Question 620.14. This means that there are always at least two liceraed reactor operators in the control room in addition to the crew member who is actually operating the plart. Such ready availability of assistance significantly reduces the risk that might normally be considered to be inherent in one man operation.
- 1. Sheridan, T. B., *lluman Error in Nuclear Power Plants *, Tech. R.. February,1980,23 33.
- 2. Rogovin, M, and O. E. Frampton, Jr., (cda), Three Mile Island. A Reoort to [ht ommissione1had C
to the Public Vol.1. Special Inquiry Group, U. S. Nuclear Regulatory Commission, Washington, DC, January,1980.
QUFSTlON 620.2i One of the main features of the control tcom is the use of a computer based work station in place of the traditional control boards with dedicated controls and displays. With such an approach, the methods by which information is displayed to the operator via CRTs and other display devices is of critical importance, indeed, the display of information and the methods by which the operator interacts with that information are arguably the most important aspects of the control room design. Yet, most of the information presented by GE thus far concerning control room and work station design has emphastred the hardware, ergonomics and anthropometrics of the design. Little information has been made available on the display design and human software interface. Much more information is needed in order to evaluate the adequacy of the control room to support the operator's tasks. Please describe the approach that you will use to determine the following:
The planning and control of the interaction between the operator and system information; a.
b.
The design basis for the interface (e.g., command language or direct manipulation);
c.
Planning and design of high level data integration; d.
Operator access to information and the parameters that will be optimized in the design of the interface (e.g., speed of data access);
e.
Any data that will not be accessible to operators; f.
Display techniques for various types of data; and g.
Coding methods to be used.
RESPONSE 620.21 The operator interface system design requirements are discussed in Chapter 18. Included in this discussion is a description of the methods of presentation of system and plant summary information to the operator (s). The user software interface devices used in the control room are touch screen CRTs, flat panel display devices and the wide screen. The requirements for each of these interface devices are described in the SSAR. The design basis for the user software interface is direct manipulation; there are no keyboards on the main console.
2-l
ABWR mmu '
Slandard Plarli nev n liigh level data integration is discussed as a part of the description of the wide display desice, which has both software and hardware display modes.
The infortration needed by the operators is determined by task analyses of the system operating procedures, Integrated Operating Procedures and Emergency Operating Procedures. This information will be made available to the operators in the most appropriate manner, as defined during the equipment procurement and detailed design implementation.
Display techniques and coding methods that comply with accepted human factors engineering guidelines (c. g., NUREG 0700, ESD TR 83122, EPRI NP 3701) will be assured through the conduct of appropriate operations analyses as part of the design implementation tests and evaluation.
QUESTION 620.22 Describe how the requirements for: (1) Information/ data display and (2) methods by which the operator will interact with the system will be reflected in hardware design requirements. It appeared from the material presented by GE on March 6-7,1Wo, that hardware requirements were preceding these issues.
RESPONSE 620.22 The requirements for information/ data display and the methods by which the operator interacts with the system are reflected both spatially and functionally by the hardware design requirements.
The spatial configuration of the main control room panels is a logical consequence of the following requirements:
a.
Information/ Data Display Requirements plant surnmary information to be displayed so as to be visible to entire control room safety and NSSS related information to be shown on left side of display panels DOP related information to be shown on right side of display panels computer independent displays availabic for safety and some key non safety systems l
l complete interchangeability required for computer driven display devices l
i b.
Operator / System Method interaction Requirements interaction method to require minimal space interaction method to require minimal time l
spatial dedication to be included for key functions l
For a complete description of the relationship of the hardware design to the underlying user / system l
requirements, refer to Section 18.4.
3
i ABWR maar Standard Plant ny g3 QUESTION 620.23 With regard to the design of the control room:
Was a human factors design guideline developed specifically for the design of the n.
human software /information interface, as discussed in Question 620.21, atac?
b.
Was a human factors design guideline developed specifically for the ABWR to assist in control of the interface design, or were the ABWR human factors design guidelines derhrd from human factors design guidelines available in the literature? If neither, how were the ABWR guidelines developed? If tJsting guidelines were used, please identify them and provide the audit trail, r
c.
How were guidelines developed for those interface characteristics for which there appear to be no existing guidelines in the literature?
RESPONSE 620.23 a, b.
The ABWR human software /information interface design is an extrapolation from previous 1
U.S. and Japanese BWR designs. Existing guidelines contained in Reference 1 have been used, as appropriate. Because of the limitations of Reference 1, guidance has also been obtained from References 2 and 3. In the case of the SPDS function, the requirements of NUREG-0737, Supplement 1, have been made a part of the system design basis.
c.
As discussed in the response to Question 620.28, the design of the touch screen user interface -
is based upon a broad base of experience, in addition, evaluations of prototype main control panels have been carried out with experienced BWR operators and utillring simulator-generated scenarios Data from these evaluations,in the form of videotapes of -
operator actions and diakpe and operator comments obtained in de briefing sessions, were analyzed and used to formulate desiga guidelines.
References:
1.
NUREG 0700,' Guidelines For Ccmtrol Room Design Revicw% NRC, September,1981 2.
EPRI NP 3701,' Computer Generated Display System Guidelines *, ORNL, September,1984 3.
ESD TR 83122,' Design Guidelines For The User Interface To Computer Based Information Systems', Mitre Corporation, March,1983 QUESTl0N 620.24 A significant feature of the ABWR control room design is the use of advanced and intelligent operator aids based upon expert systems and other At technologies. With respect to these operator aids, please descrilm the following:
-a.
The extent of the dependence on intelligent operator aids that is necessary to achieve the single operator design goal; b.
The specific operator aids that are planned and the technology on which they are based; 4
ABWR um.
Standprd Plant un e.
The methods of knowledge enginecting that will be used and the steps that will be taken to assure that all appropriate knowledge will be incorporated into the database; d.
The approach to be taken to develop operator confidence in the systems to assure that they will be appropriately utilized; c.
The approach to be taken to minimize undue reliance on and blind acceptance of these systems; f.
The methods to be used for the verification and validation of the performance of intelligent operator aids.
RESPONSE 620.24 The use of expert systems and artificialintelligent technologies is not a significant feature of the ABWR control room design.
a.
The ABWR has incorporated features which minimite the burden on the operating staff and promote efficient and correct operator actions. Such features enhance the operability irrespective of whether operations are by a single operator or multiple operators. As discussed in Subsection 18.4.4, the ABWR user interface design in ludes extensive plant automation functions.
b.
Other functions may include system / equipment monitoring and maintenance support. Details regarding the implementation of such functions will be determined as part af the design implementation and procurement activities, c.
There are no knowledge-based features in the ABWR operator interface.
d.
Operator confidence in the ABWR plant automation system is bolstered by the following five design features:
- 1. The extent of automatica. implemented in the ABWR has been carefully selected to ensure that the primary control of plant operations remains with the operators.
- 2. The basic architecture and scope of automated functions performed by the ABWR Power Generation Control System (PCCS) is based upon the proven plant level automation design that has been part of the TEPCo standard BWR control room design on all units which have begun commercial operations since 1985.
- 3. The PGCS can never directly control the status of any safety system.
- 4. The operator can completely stop an automatic operation at any time by simply selecting the manual operation mode.
- 5. The operators remain fully cognizant of the plant operational status and can intervene in the operation at any time,if necessary, c.
Undue reliance and/or blind acceptance of the plant automation is avoided by allowing the operator to maintain close control of plant level automated functions. This close control is accomplished by the incorporation of break point controllogic into the design At regular t
{
1 5
l 1
ABWR ammAT SlRIHl.ard Plftut Rev ))
intervals within each automated sequence of operation, break points are established which stop the progreulon of the operation. When each break point is reached, the operator is required to provide permission to proceed to the next break point by activating the appropriate break point control pushbutton on the automation operator interface on the main control console.
This break point control logic assures that the operator remains fully cognirant of the plant status and retains direct control of the progression of an automated operation. In addition, controls are provided which enable the operator to activate a ' hold'in the automation sequence at any time.
f.
The validation of the performance of intelligent operator aids will be accomplished as part of the detailed design implementation by validation testing with the reactor operators participating in a simulated control room emironment. In this way, feedback from experienced control room crew members will be obtained and used to evaluate the effectiveness of th.
detailed implementation of the operator alds.
QUES'110N 620.26 Computer-based work stations can often present data interface management problems to the operator (such as the operator spending too much time managing data windows rather than monitoring plant infortnation) which reflect a shift from task related workload to interface management workload. Describe how the design of the work station controls and displavs will minimize the workload associated with the operator's management of the interface. Discuss any assistance that the operator will have in calling up the appropriate displays via automatic display ' triggers' or an expert system.
RESPONSE 620.26 The ABWR data interface is a touch screen which is characterited by its speed and simplicity of operation, lloth flat panel displays and CRTs are equipped with the touch screens The basic concepts of the CRT display format system are described in Subsection 18.4.2.2.
As discussed in the responses to Questions 620.23 and 620.28. a significant base of experience with touch screens has been accumulated both in this country and in Japan. Advantage has been taken of this experience along with the results of development testing done specifically for the AUWR In addition, extensive prototype testing with IlWR operators was done to validate the interface design.
Comprehensive operations analyses will be performed as a part of the equipment procurement to assure that no significant data interface management problem exists in the ;.orticular hardware implementation selected.
QUESTION 620.27 It appears that alarm information is being presented in three separate locations: on the large display screen, on dedicated alarms and on CRTs. With respect to annunciator warning systems data, please discuss:
a.
Ilow allocation of alarm information to the abose locations is determined and which alarms are located where; b.
Ilow the CRT based alarms will be presented; 6
ABWR ur6imar Standard Plant Rev.11
~
c.
Ilow alarm information will be prioritized; d.
Whether alarm filtering will be used and, if r.o,(1) by what methods, and (2) whether operators will have access to filtered-out alarm data.
RESPONSE 620.27 The requirements for the alarm system are described in Subscetion 18.4.5. This section contains discussions of alarm classification, alarm suppression and implementation of alarms in both hardware and software.
QUESTl0N 621.1 (dentify who performed the ABWR llRA (GE and/or other contractors), and describe the expertisc that was included in the !!RA team.
RESPONSE 621.1 ABWR human reliability analyses were performed by GE personnel. The GE reliability engineering staff has extensive and diverse experience gained through the pctformance of many significant PRA/PSA programs. These have included three major PRAs that have received regulatory agency review and approval; BWR/6 GESSAR II, Limerick, and Alto Lazio. Performance of human error analyses was an integral part of each of these aethitics.
An important outcome of these efforts and accumulated experience is the recognition that basic knowledge of BWR plant design, plant procedures, and accident analysis is a key factor in realistically addressing human reliability analysis.
This GE overall BWR knowledge base and direct access to ABWR design engineers and design documentation, in combination with prior BWR human reliability experience, provided the basis for the reliability engineering staff to realistically address human reliability factors in the ABWR PRA analyses.
QUESTION 621.2 Describe the material and/or analysis that were available and used to support the IIRA, including:
n.
Detailed function and task analysis (utilizing the ABWR staffing goals and staffing philosophy);
b.
Procedures or procedure guidelines (draft or preliminary, etc.);
c.
Controf rcom design; d.
Work station design; e.
Display design; and l
f.
Any other, 7
j Discuss the degree of completeness of each of the materials used in terms of the ABWR design to
^
support the llRA.
7
t
- ABWR au-r i
Standard Plant mn RESPONSE 621.2 I
Results of previous llRAs, which are based upon conventional BWR man machine interface designs, j
were used to provide the human reliability assumptions needed for the ABWR Probabilistic Risk Analysis
]'
(PRA). The previous llRA results are considered to be conservative for the ABWR because of the significant l
improvements in the ABWR man machine interface design relative to the earlier designs.
]
Also, as stated in Subsection 18.5.3.1, the human error probability (IIEP) values assumed for the ABWR PRA are to be validated by an independent ilRA judgement team as part of the acceptance criteria for
- the ABWR main control room detailed design implementation.
QUESTION 621.4 Por those llEPs where TilERP was used, describe how the Swa'n and Guttmann llandbook was actually applied in the following arcas:
a.
Whether the full analysis methodology was followed; b.
Ilow base case llEPs were derived; c.
The data which were used as the source of base case values; i
d.
The performance shaping factors that were applied.
RESPONSE 621.4 i
Application of the Swain and Guttmann llandbook in developing IIEPs for the GESSAR 11 PRA ls l
discussed in Appendix A.5 (lluman Error Prediction) to Appendix 15D.3 (BWR/6 Standard Plant Probabilistic Risk Assessment) of the 238 Nuclear Island General Electric Standard Safety Analysis Report.
As discussed there, calibration of sensorti was the only human activity for which the full analysis methodology was followed, and explicit consideration of performance shaping factors was limited to consideration of stress levels and interdependence of tasks. Base case llEPs as well as performance shaping factors were taken from Chapter 20 of NUREG/CR 1278. For extremely high stress conditions, the large LOCA curve (Fig.17 2) of Swain and Guttmann was applied.
QUESTION 621J
-- Chapter 19 (p.19.31) states that the IIEPs *were taken predominately from the GESSAR 11 PRA' and that "most of these values were derived from the Swain and Guttmann llandbook of Iluman Reliability" which -
- as referenced was published in 1983. Ilowever, the GESSAR 11 PRA was published in 1982, one year prior to the publication of NUREG/CR 1278. In light of this, please identify the version of the Swain and Guttmann llandbook ofIluman Reliability (NUREG/CR 1278) that was used.
j
- RESPONSE 621.5 The 1980 draft report version of the Swain and Guttmann llandbook of 11uman Reliability Analysis
- with Emphasis on Nuclear Power Applications, NUREG/CR 1278, was used in the performance of the GESSAR !! PRA. The 1983 NUREG/CR 1278 final report was inadvertently ideritified la Chapter 19 as a basis for GESSAR II IIEPs.
s-
l ABWR 33meaur Standard Plant x,v n QUESil0N 621.8 As Indicated above, Chapter 19 (p.19.11) states that the ABWR llEPs 'were predominantly taken from the GESSAR 11 PRA for which they were collected from various other sources and modified, as appropriate, for the GESSAR application
- and that their ' application in the ABWR PRA is judged to be acceptable *. With respect to this statement, please discuss the following:
a.
The other sources and methods tlu' were ured to derive those llEPs. (Reference is made to
'the EPRI time reliability correlatiot
- on p.191.41 does this refer to the iluman Cognitive Reliability (l'CR) study?);
b.
If the llCR study was used in support o' the llRA, please provide a report of the study to support the tvaluation; RESPONSE 621.8 a.
The sources and methods used to derive thi IIEPs for the internal analysis arc discussed in the response to Question 621.11. The sources and methods used to derive the llEPs for the I
seismic analysis are given in the table in response to Question 621.3.
The reference to the time reliability correlation on page 191.41 of the PRA refers to the time. reliability curve on page 149 of SilARP.
b.
The time-reliability cortclation on page 3-49 of SilARP was taken from NUREG/CR 3010,
' Post Evt.'t fluman Decision Errors: Operator Action Trec/ Time Reliability Costelation*,
Brookhaven National 1.aboratory, November,1982.
c.
The only moddication to llEPs from previous PRAs identified in the GESSAR 11 PRA is the miscalibration ol' sensors, identified in WASil 1400 and the Limerick PRA analyses as a likely source of common mode failure. Development of this human error probability is discussed in Section 19D.7.
d.
Two types of human errors were considered and incorporated in the GESSAR 11 PRAT 1) those resulting from operator failure to act as directed by normal or emergency procedures, and 2) those leading to failure due to component miscalibration or non restoration of equipment following testing, i
The incorporation of these actions in the GESSAR 11 fault at.d event trees was relatively -
simple and straightforward, representing with the exception of instrument miscalibration, single overt actions required to restore, initiate, or inhibit system functions, q
l Due to the similaritics between BWR/6 and ABWR systems and their functions, as well as comparable manual requirements for instrument calibration, equipment testing, and the Initiation or inhibition of cmergency systems and equipment, their application in the ABWR PRA wasjudged to be acceptable.
c.
The ABWR control room is different from that of previous BWR plant designs, ilurian engineering deficiencies which existed in the older designs have been climinated froir the ABWR. Also, because of the higher degree of automation and the operator aids used l'4 the ABWR, operator burden is reduced compared to previous control room designs. All of this t
9
-4 i
__m._
J i
ABWR nuimr L
Standard Plant am n means that the frequency of operator errors will be reduced in the ABWR control room I
relative to previous designs.
These considerations are the basis for our high confidence that the llEP values derived from GESSAR 11 can be conservatively applied to the ABWR, i
i i
QUESTIDN 621.9 Describe how you accounted,in the llRA, for the use of new, advanced technology in the control room and for the differences in the operator's role in the ABWR vs. a standard control room. That is, how is the l
operator's role change (due to the introduction of compact work stations and advanced I & C with primary reliance on human computer interface technoky,y) accounted for in the analysis, with regard to the following:
4 a.
The appropriateness of the use of numbers from NUREG/CR 1278 for use in the ABWRt b.
The manner in which flRA subjective judgement was used given the advanced (and different) nature of the control room:
c.
The methods anel the experts that were available to modify llEPs for ABWR operations; i
j~
d.
Any design features of the ABWR that were used as a basis to lower llEPs which had been obtained from an earlier PRA and,if so used, a discuulon of which crrors were involved and what technology was auumed to enhance operator performance.
RESPONSE 621.9
. For (a),(c) and (d), please refer to the response to Question 621.2. For (b), please refer to the l
response to Question 621.8, Part (c).
QUESTION 621.10 The introduction of new advanced technology has frequently been associated with the emergence of new human errors. Describe how the ABWR HRA has specifically analyzed the advanced control room, changes in staffing philosophy, etc., to identify potential "new" errors introduced by differences between the ABWR and previous product designs, and which human errors were included in this category. If this has not been donc, please discuss your intentions in this regard.
RESPONSC 621.10 The validation of the human error probability values assumed for the ABWR PRA will include an.
i f'
analysis of potential'new' operator errors. This validation is referred to in the response to Question 621.2 and the analysis of 'new" errors is specified in Subsection 18.53.2.
l w.
+
ww-,.e-,,
,tw
,,c-n e i--
2.--e1-.,-+r
.,r..
w-%~-e--------,
-.rw++
. +-
w-.-
.me,..~r.,.-..-.---e~-.~.ie-
-*~.-+=,,,.-r--,-.----
re-.
we