Text

Program Plan for Control Room Human Factors Review at Oyster Creek Nuclear Generating Station
	ML20076K354
Person / Time
Site:	Oyster Creek
Issue date:	06/30/1983
From:	; GENERAL PUBLIC UTILITIES CORP.
To:	;
Shared Package
ML20076K349	List: ML20076K346; ML20076K354;
References
	RTR-NUREG-0737, RTR-NUREG-737 PROC-830630, NUDOCS 8307080426
	Download: ML20076K354 (96)
	v • d • e

- _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

PROGRAM PLAN FOR THE CONTROL ROOM HUMAN FACTORS REVIEW AT OYSTER CREEK NUCLEAR GENERATING STATION June 1983 GPU NUCLEAR CORPOPATION 8307000426 830701 DR ADOCK 050002

PROGRAM PLAN FOR THE CONTROL ROOM HUMAN FACTORS REVIEW AT OYSTER CREEK NUCLEAR GENERATING STATION TABLE OF CONTENTS I. INTRODUCTION II. MANAGEMENT AND STAFFING III. INFORMATION SOURCES IV. REVIEW PROCESS I

A. Review of Operating Experience B. Inventory of Control Room Instrumentation and Equipment C. Detailed Review of Control Room Components and Environment Survey D. Review Based on Operator Responsibilities E. Review Based on Existing Plant Procedures and Walkthroughs of Expected Operational Evolu-tions and Postulated Off-Normal Events

e F. Review Based on New Emergency Operating 5-Procedures and Walkthroughs of Eme rge ncy Evolutions G. Documentation of Review Data V. CORRECTIVE ACTION A. Assessment of the Need for Corrective Action B. Establishing Corrective Action C. Evaluating Corrective Action D. Implementing Corrective Action "

')

w ______

TABLE OF CONTENTS (Continued)

VI. APPENDICES A. Oyster Creek Guidelines for Control Room Review B. Oyster Creek Control Room Review Team Resumes

\

I. INTRODUCTION The program to review the human factors of the Oyster Creek Nuclear Generating Station Control Room was initiated in late 1980. A substantial amount of the work has alreaoy been completed. The control room configuration has been documented, a full scale mockup has been constructed, proce-dures have been walked-through in that mockup, and much of the control room has been evaluated against human factors guidelines. Some further work in these areas remains to be completed. Review of the control room based on the new, symptom-oriented Emergency Operating Procedures is still in progress. Assessment of the findings from the review, and the formulation, evaluation, and implementation of correc-tive action has been initiated.

The basic objectives of the review are the same as those stated in NUREG-0700, but because the review was initiated in advance of that document's issue, there are some differ-ences in methodology. However, we consider these differ-ences are in form and not in substance, and that the end result of the Oyster Creek human factors review will meet the intent of the guidance provided in NUREG-0700.

The Oyster Creek control room design review meets the requirements of NRC Generic Letter 82-33, supplement 1 to

NUREG-0'i37. Table I-l illustrates how each of the control room design review requirements in 82-33 is treated in the Oyster Creek review, and references are given to the appro-priate section of this program plan.

The schedule for completion of the control room review at Oyster Creek is summarized in Table I-2. The review began with the construction of a control room mockup to facilitate the evaluation process. In early 1981, guidelines and objectives were formulated to provide a formal basis for the review. The review process itself began in mid-1981 with walkthroughs, in the mockup of several plant operational evolutions.

Shortly after the review began, work on the evaluation of the control room as a whole, was temporarily deferred and the effort was focused on the evaluation of the human factors of about twenty modifications affecting plant con-trols and displays which were planned at that time for implementation in the near future.

The most extensive modification planned was the replacement of the entire control room alarm system, primarily to improve reliability and to provide space for the addition of new alarms. A major review of the alarm system was undertaken with the objective of making human factors improvements in this system as part of the hardware upgrade already planned.

i I -2

In parallel with the continuing human factors effort on control room changes, work was resumed in mid-1982 on the review of the control room as a whole. The objective was to make a preliminary assessment of the control room design, and to identify any short-term improvements that might be made during the refueling outage of 1983. Work is continuing on evaluation of short-term improvements, and on review of the control room from the standpoint of new, symptom-oriented Emergency Operating Procedures that are being developed for Oyster Creek.

h I -3

TAHLE l-1 ptrp Ipt M vis ia sur (.)*,>wtr ItIrta g2-3 AND Mw 1HLY PLLAll 10 iht O Y b l t is CPLEk R E V ! t.h DF SCR I H F:D RFQU l kD MENT IN THIS (SUPPlJMENT I TO NUMEG 0737 TREATED IN OYSTEN CHEEK CONTNUL PHOORAM PLAN ENCL. TO NRC CEhERIC LTR. 82-33) ROOM DE S IGN REVIEW RY: IN:

5.1.b (1) Establish multidisci- Review team organization Section 11 plinary review team. and Appendix B 5.1.b. (11) Use "tunction and task Revtew of control room based on Section IV.F analysts", that was basis for new. symptom-ortented Emergency develnping emergency operat ing ope ra t i ng Froceduras procedures. to identsty control room operator tasks and control requirements during emergency operations.

I Inventory control room mockup and Section IV.B panel drawings.

5.1.b. (iii) Compare display and control requirement s wtth a Cceparison of requirements to estating ,

control room inventory. Inventory: Sections:

- Review based on operator responstbnitties IV.D

- Review based on estating plant procedures and walkthroughs IV.E

- Review based on new Fmargensy Operating Procedures and walkthroughs IV.F 5.1.b. (iv) survey control De t a i led review of control room componentsSection IV.C room to identify deviations and environment survey, including and from human factors principles, Appendix A including: detailed control panel reviews alarm system review

- control room layout

control room environment survey

- usefulness of alarm system

- information recording and recall capability

- control room environment 5.1.c. Assess signatteance of Plan for corrective action. Section V human engancering discrepancies, determine which nhnutd be enr-rected and select i mp rove ment s to correct them.

5.1.d. Verify that each Plan for corrective action. Section V improvement will provide the necessary correction and can be accomplished without introducing unacceptable human engineering discrepancies of its own. Coordinate with changes from other improvement programs.

l i,

TABLE I-2 ESTIMATED SCHEDULE FOR OYSTER CREEK CONTROL ROOM REVIEW Estimated Task Completion Date Begin Development of Control Room DEC 1980 Mockup and Guidelines for the Review Complete Guidelines and Begin Review JUN 1981 First Walkthroughs of Control JULY 1981 Room Operations Begin Detailed Alarm System Review JULY 1981 Identify Short-Term Improvements NOV 1981 to Alarm System Begin Review of Other Short-Term NOV 1981 Control Room Modifications, to Identify Human Factors Improvements Implement Short-Term Improvements 1983 REFUELING to Alarm System and Improvements to OUTAGE Other Control Room Modifications Begin Review and Walkthroughs of MAY 1983 New Emergency Operating Procedures Submit Program Plan to NRC JULY 1983 Complete Control Room Review, MAR 1984 Including Review Based on New Emergency Operating Procedures

TABLE I-2 (continued)

ESTIMATED SCHEDULE FOR OYSTER CREEK CONTROL ROOM REVIEW Complete Assessment of Review MAR 1984 Findings, and Identify Short-Term and Long-Term Improvements Submit Summary Report of Control APR 1984 Room Design Review to NRC Implement Improvements Identified SUBSEQUENT from Review OUTAGES

l II. MANAGEMENT AND STAFFING The performance of the human factors review is the responsi-bility of a team made up of personnel from GPU Nuclear (both engineering and operations), MPR Associates, and independent outside consultants. The responsibilities and functions of the members of the team are described below; resumes are included in Appendix B of this plan.

GPU Nuclear Corporation Overall direction for the review is provided by Mr. T. G. Broughton, Director of Systems Engineering, and Mr. P. S. Walsh, Manager of Plant Analysis, of GPU Nuclear.

Plant operations is represented on the review team by Mr. J. Young. Mr. Young is a former Group Shift Supervisor and holder of a senior reactor operators license at Oyster Creek. He is currently a member of the Oyster Creek Training Staff. Mr. Young reviews results, assures that plant operations input is provided, and provides detailed knowledge of plant systems and operations. Individual licensed operators participate in several aspects of the review, including for example the procedure walkthroughs and environment survey. GPU Project Engineering is represented on the review team by Mr. A. Hertz. Mr. Hertz participates 4

in the planning, reviews results, and assures that engineering input from various sources is incorporated.

This includes other ongoing plant modifications and obtaining necessary information from the architect engineer and other contractors to GPU Nuclear. Personnel from the GPU Human Factors Staff also participate -- specifically, Mr. D. Strobhar and Ms. B. Rusinek, who provide human factors input and participate in review activities, including the walkthroughs, environment survey and reviews of ongoing and future control room modifications.

MPR Associates MPR serves as a coordinator for the review process. They supervised construction of the full scale control room mockup and prepared the photograhic drawings of panel faces necessary for the review process. They conduct walkthroughs of operational evolutions with personnel from the Oyster Creek operating staff and the other members of the review team. MPR also conducted the environment survey and detailed reviews of the control panels. Messrs. H. Estrada, R. T. Fink and J. Betlack of MPR participated in these activities, o

II -2

Human Factors Consultants Dr. T. B. Sheridan, Professor of Engineering and Applied Psychology at the Massachusetts Institute of Technology and Dr. Julien M. Christensen, General Physics Corporation, as members of the review team, provided human factors input early in the review by reviewing the guidelines, and the methodology that were to be used in the review. As the review progressed, they also participated in walkthroughs of control room operations, and assisted in evaluating results of the walkthroughs. They have also reviewed, from a human factors standpoint, the initial results from the review and the short-term improvements that were proposed.

7 h

II - 3

III. INFORMATION SOURCES The Oyster Creek Nuclear Generating Station has been oper-ating since 1969. Consequently its operating procedures are considered to be a relatively accurate representation of how the plant is operated. These operating procedures are, therefore, the primary source of information for control room operator activities.

In addition to these procedures, other sources of informa-tion which have been or will be used in the control room review include:

plant piping and instrumentation drawings, and electrical and control diagrams operator training manuals and other training material, the Final Safety Analysis Report and the plant technical specifications, photographic drawings of the control room and the control panels, licensee event reports and internal plant reports on reactor trips and other events, plant maintenance records and procedures, and symptom-oriented Emergenc'y Operating Procedures and the Technical Guidelines on which they are based.

In addition the review team has access to the plant oper- ,

ators through interviews and participation in the walk-throughs. Access is also provided to other members of the plant staff - operations, maintenance, and engineering. The review team also is provided access to the actual control room as appropriate for photographs of control panels, surveys, special observations, and specific questions sub-ject to the normal constraints on control room access t

exercised by the Shift Supervisor.

n III - 2

)

i l

IV. REVIEW PROCESS The objectives of the Oyster Creek control room review are essentially those stated in NUREG-0700:

"To determine whether the control room provides the system status information, control capabilities, feedback, and performance aids necessary for. control room operators to accomplish their functions and tasks effectively" and "To identify characteristics of the existing control room instrumentation, controls, other equipment, and physical arrangements that may detract from oper-ator performance."

The review process being used in the review of the Oyster Creek control room is described below. The methodology differs somewhat in its organization from that described in NUREG-0700, but each element of a thorough human factors review is covered. Table IV-1 correlates the elements of a review as described in NUREG-0700, and the elements of the Oyster Creek Control Room Review described below.

It should be noted that the separate items described below are not in a time sequence and portions of the various review elements take place in parallel.

A. Review of Operating Experience The objective of the review of operating experience is to make sure that problems actually encountered in operation of the Oyster Creek plant are identified and factored into the review of the control room.

~

f.most useful source of information on operating expe-

,rience is the detailed comments, solicited as well as unsolicited, from the operating staff obtained in the course of the walkthroughs and talkthroughs on the control room mockup.

A formal opinion survey of control room operators also was conducted. The objective of this survey was to identify strengths and weaknesses of the control room that have been noted by the control room operators in the course of operations.

The review of experience also includes a review of Licensee Event Reports, the Nuclear Power Experience summaries, as well as a review of plant records.

B. Inventory of Control Room Instrumentation and Equipment The objective of the control room inventory is to identify all instrumentation, controls and equipment within the control room. All components with which the operators interface are included in the inventory.

IV - 2

In the Oyster Creek control room review, the construc-tion of a full-scale mockup of all main control room panels (including annunciator alarms) used by the oper-ator is part of the inventory process. The displays and controls for the mockup panels were reproduced by a combination of photographic and Xerox reproduction of a grid work of high quality photographs. Figures IV-1 and IV-2 are photographs of the mockup as assembled at Oyster Creek. The mockup is being used actively for training operators as well as for the control room review.

The actual inventory is contained in a complete set of reproducible drawings of the control panels based on the photographs used for the mockup. The drawings and the mockup have allowed identification and review of the panel components without disruption of control room activities.

C. Detailed Review of Control Room Components and Environment Survey The objective of the control room component review is to identify any characteristics of instruments, equip-ment, layout and ambient conditions that do not conform to good human engineering practice. The review is IV - 3

l i

performed in three stages: the detailed control panel review, the alarm system review, and the environment survey, as described below:

1. Panel review This includes review of the following:

controls, displays, process compu.ter displays, panel layout including anthropcmetric consid-erations, and control / display re lations.

2. Alarm system review This includes review of the following:

selection of the alarms; and vir;ual and audible presentation and arrangement of alarms.

3. Environment survey This includes review of the following:

overall ambient conditions including temper-ature, humidity, and ventilation; lighting levels; ,

sound levels; -

control room workspace; ,,

control room layout, traffic patterns and access control;

communications; -

emergency equipment and clothing; and a

IV - 4

administrative practices such as transfer of

, information during operator shift changes, control of key-lock switches, etc.

The control panel, alarm system and environmental conditions surveyed are compared to detailed human engineering guidelines prepared for the Oyster Creek control room. These guidelines wcre developed before l

the guidelines of NUREG-0700 were available and are presented in Appendix A.

D. Review Based on Operator Responsibilities The responsibilities of the control room operators at Oyster Creek, divorced from any specific event, have been identified. These responsibilities include:

l.. Maintai'n control of the reactivity of the reactor cere and the shape of the neutron flux profile therci' n.

2. Maintain centrol of the energy production by the reactor, the transport of this energy by means of the stcam and feed systems to the turbine, the conversion of some of it to electricity in the turbine generator, and the rejection of the rstainder through the condenser and circulating water system.

3. Maintain an adequate inventory of thermodynam-ically and ch'emically suitable water in the reactor coolant and condensate systems. Maintain an adequate reactor water level ano recirculation pump and valve operating configuration" consistent with power production requirements and reactor core capability.

4. Maintain the inventory, temperature, quality and boron concentration of the liquia in the standby liquid control system.

IV - 5

5. Maintain control of liquid inventory on the secondary side of the isolation condenser.

6. Distribute electical power and cther necessary services (such as air and cooling water) to the ,

plant auxiliar.es and control the production and distribution of emergency electric' power.

7. Maintain control of radioactive material which,may be contained in any of the systems which are the control room operators' responsibility. This includes the responsibility to maintain the leak-tight integrity of the primary and secondary containment. Also included is monitoring and isolation, if necessary, of the off-gas discharge.

8. Maintain an adequate' pressure, temperature and atmosphere (nitrogen content) in the drywell and an adequate water inventory and temperature in the containment pressure suppression system (torus).

9. Monitor the inventory and. location of fissionable material during refueling.

10. Provide surveillance and administrative control over bypassed safety interlocks during refueling

, and normal operations.

11. Maintain control of, and complete entries in, the operators' logs, procedures and checklists.

12. Maintain administrative control of the blocking and tagging, maintenance, repair, testing, cali-bration, jumporing, etc. in those systems under their control.

13. Initiate those fire fighting actions which are controlled from the control room, e.g., activating deluge valves, starting pumps, obtaining help in fire fighting. In addition, the operators are responsible for initiating those actions in the systems under their control which may be needed to compensate for fire damage.

14. Recognize conditions requiring implementation of the Emergency Plan, declare the appropriate action level for the emergency, and initiate appropriate corrective actions and communications.

e IV - 6

I

15. Maintain security and control access for the con-trol room.

16. Monitor effluent temperature and chemistry and initiate dilution as required.

It should be noted that each operator responsibility involves a number of tasks and each task in turn may require the operator to take a number of specific actions.

The detailed manner, i.e., the specific actions by which each of these operator responsibilities is dis-charged in the Oyster Creek control room, is reviewed.

This process establishes the display and control requirements for each general operator responsibility (e.g. control of secondary water inventory) which may not be obvious from analysis of particular operating events or from e,xisting plant procedures. These requirements are compared to the existing instrumenta~

tion. All discrepancies for each identified responsi-bility are documented.

E. Review Based on Existing Plant Procedures, and Walkthroughs of Expected Operational Evolutions and Postulated Oft-Normal Events The operational evolutions that have boon or will be evaluated include:

S IV - 7

1 Normal Operational Evolutions l heatup and startup shutdown and cooldown operation at power (including automatic and manual operations of reactor and main turbine) control of radioactive gaseous and liquid effluents selected surveillance tests (e.g., diesel gener-ators) and miscellaneous system operations (e.g.,

condenser backwash).

Transient and Emergency Turbine Trip and Reactor Scram (from a variety of mechanistic causes)

Reactor Isolation Scram Loss of of fsite Power Failure of Diesel Generator to Start Loss of Instrument Power Loss of Feedwater Loss of Coolant Inside Drywell Small Steam Leak Outside Drywell Unintentional Safety / Relief Valve Blowdown Secondary Containment Isolation and Operation of Standby Gas Treatment System Loss of Instrument Air Reactor Water Level Control Malfunction For each of the normal evolutions, qualified Oyster Creek operating personnel perform the simulated oper-ations on the mockup using the appropriate plant oper-IV - 8

ating procedures, with the evaluations being performed by the review team. A talkthrough technique is gener-ally used in these procedure walkthroughs. On the basis of the information obtained from the walk-throughs, operator tasks are identified for each of the evolutions considered.

.A similar approach is being followed for the emergency and abnormal events with the following exceptions: the analysis of these events is initiated by postulating a set of symptoms consistent with a possible plant condition, including system or component malfunctions. The symptoms are in the nature of specific meter readings, alarms, noises, etc. and are presented (described) to the operators. The operator then makes a determination of what specific event is in progress, and which (if any) plant procedures are applicable to the perceived event. The operator, if he wishes, asks for information on the readings of other meters and the status of other indicators. For some events, additional symptoms are presented to the operator, consistent with the postulated event. In this way, information is elicited regarding the actual operator tasks including the displays which the operator uses to diagnose a problem, initiate a course of action and confirm the results of his action.

IV - 9

The plant normal and emergency procedures define a set of control and display requirements. These control and display requirements are compared to existing instru-mentation and any discrepancies are documented. The criteria used in making these evaluations will include i

consideration of questions such as:

Is required input information available?

i Is required equipment, e.g., controls, tools, charts, lists, communication links, etc.

available?

Is this task physically and mentally practical to perform? For example: is control too high to reach easily? Does operator need to have memorized too much information?

Is required system response indication available?

Is required component response indication available?

Does this task conflict with other control room operations in progress?

Are there potential errors in this task which have serious consequences?

Would a simultaneous fire or medical emergency have a serious impact on this task?

Do controls and displays used in this task meet appropriate human f actors guidelines, e.g.,

control / display relationships, display units, label / procedure nomenclature consistency?

Is manning level consistent with the assignment of responsibilities for this task?

As a result of the walkthroughs, those tasks which are difficult to perform are identified. The review team IV - 10

l then determines the course of action for further, more detailed evaluation of the particular task involved.

An additional function of the walkthroughs is to com-pare the nomenclature of control console and panel labeling with that of plant procedures and appropriate piping and instrumentation schematic diagrams. Where

' discrepancies are found, these are documented for further evaluation.

F. Review Based on New Emergency Operating Procedures and Walkthroughs of Emergency blolutions

'l The objective of this review is to examine the control room from the standpoint of the new, symptom-oriented Emergency Operating Procedures -- to determine whether the control room provides the information and controls necessary to perform the functions and specific tasks called for in these procedures. The procedures, as required by NUREG-0737, are not predicated on specific events or malfunctions, but instead are symptom-oriented, prescribing control actions based on main-taining basic plant variables within prescribed bounds regardless of the initiating event.

As part of the review, for each " task" that is required of the operators in the procedures, an assessment will be made of whether:

t IV - 11

l

)

the required controls and indications are avail-able to the operator and can be interpreted as called for in each task (are the indicators of sufficient accuracy, can the operators get trend or rate infocmation asked for, etc.)

the symptoms described and the guidance provided are sufficient to allow the operator to diagnose and respond to the spectrum of plant upsets which might confront him; there are any evolutions spelled out for which time may be a controlling factor -- is it reason-able to expect the operator (s).t.o act in the time required; there are any additional aids required for the operator to be able to carry out the functions and tasks called for by the procedures.

Scenarios will be devised, based on mechanistic causes, that challenge the symptom-oriented procedures. Walk-throughs will be conducted, based on these scenarios, and designed to uncover any mismatch between the pro-cedures and the resources available to the operator in the control room. The walkthroughs will be conducted at the control room mockup, in a manner similar to that described in IV.E above. In addition to the task-oriented questions posed above, the walkthrough evaluations will also cover the criteria listed in Section IV.E.

G. Documentation of Review Data During each phase of the control room review, data are recorded in the form most convenient to the particular IV - 12 L

task, to minimize the fraction of the review effort which is devoted to assembling, programming, recording, and storing data on deficiencies. Emphasis is placed on using existing documents, for example, copies of the procedures, marked up to record problems as they are observed. Special forms are used, however, in some instances to record data. These initial notes and raw data are further consolidated so that generic problems are identified.

Examples of specific types of documentation which have been or are expected to be used are as follows:

Drawings of the control room panels are produced from detailed photographs of the existing control room and are used as part of the record of the control room inventory. A grid work is overlaid on the drawings, giving a coordinate system for unique identification of each control and display.

Forms are used for recording results of the detailed control panel reviews, listing each com-ponent by its unique identifier (from the drawings), noting which guidelines were applied in reviewing the component, and recording any dis-crepancies.

Tables will be prepared for findings that are generic, e.g., for differences from a guideline which occurred for several control room components.

Reduced-size copies of procedures are placed on forms that are annoted with observations noted during the walkthroughs. The forms are designed to aid in identification and documentation of spe-cific tasks, control actions, displays used, etc.,

and to record whether further analysis is required. These are augmented by collected notes IV - 13 L

-_ . - - _ _ =

after a walkthrough session. These data are further reviewed and evaluated to identify partic-ular problems, and generic deficiencies.

Forms for recording control room light measure-ments and sound measurements were prepared to plan the data taking, minimize the disruption of the control room, and document these measurements.

Control room operator survey forms have been pre-pared and used in conducting interviews with the control room operating staff.

Results of detailed analyses, for those tasks which present particular difficulties (as identi-fled by the walkthroughs ) will be prepared.

4 IV - 14

NUREG-0700 REVIEW PROCESS FLEMENT

1. 2. 3. 4. S. 6.

REVIEW OF REVIEW OF CONTROL CONTROL VERIFICATION VAIIDATION OF OPERATING S YSTEM ftOOM ROOM OF TASK CONTROL ROOM OYSTER CREEK EXPERIENCE FUNCTIONS INVENTORY SURVEY PERFORMANCE FUNCTIONS REVIEW & OPERATOR ELEMENT TASKS A.

REVIEW OF OPERATING N EXPERIENCE B.

CONTROL ROOM INVENTORY

MOCKUP X

DRAWINGS C.

DETAILED REVIEW PANELS

ALARMS X ENVIRONMENT D.

REVIEW BASED ON OPERATOR X X RESPONSIBILITIES E.

REVIFh* nASED ON PLANT PROCEDURES X X .X AND WALKTHROUGHS F.

REVIEW BASED ON SYMPTOM-ORIENTED X X X EMERGENCY OPERATING PROCEDURES G.

IXX'UMENTATION OF X X X REVIEW DATA X X X COMPARISON OF OYSTER CREEK REVIEW ELEMENTS TO NUREG-0700 REVIEW TABLE IV-I

l L

~

~ " ~ ~

l w -\( '

'[liCNx.,

l l

l l i858 5 i ilit sere a e a

/Jij/;,;

,e.

l 1

l amee fm

, MtOg OM

f $ ***Z _ _ ..

i 6

FIGURE IV-1 CONTROL ROOM MOCK-UP

. - - - - - .. . . . - , ,.. -, . . - - . - - . , _ - - _ _ . _ _ _ _ . _ _ . _ , . . _ ~ . . _ . , _ . - . - . _ _ _ _ _ . . - - _ . - _ - . . - . . . . . - _ _ . . . _ .

a - . _ - - - - . - - - a _ .--_4_ -_ _.a_ _ _ _ .- - - - - - - - - - - - -

h I

i I

\

l m

~7

~%

% CZ 2_7Q% ;~ C. 7- ::T

~ ~

%_" 3

__~,-;,...

.~

~~ ~.- _

9e x

- .E '.!

_ . _ , _ ;:p L % 'j* 4

. . J+ .. - . .

't + ,

. J e

+4 I,

s s a

4 .

s

.. s

- -G. --

e 9

FIG URE IV-2 CONTROL ROOM MOCK-UP i

V. CORRECTIVE ACTION The most important objective of the Oyster Creek control i room human f actors review program is to identify improve-ments in the control room configuration and operating practices, which will mitigate or eliminate deficiencies uncovered by the review process. The findings and obser-vations, i.e., items where the control room review has established that there are departures from the guidelines, are assessed by the review team to determine whether correc-tive action needs to be taken. If action is required, specific recommendations will be established. Establishing the recommended action will include an evaluation to ensure that the action corrects the original problem and does not introduce others.

A. Assessment of the Need for Correction Action The fundamental criterion used in the assessment is whether the deficiency would likely lead to an operator error. Each deficiency item is addressed by the best collective judgement of the review team (and others that they may call upon).

Generic groupings of deficiency items are used wherever applicable. This addresses the concern that the cumulative effect of numerous minor human factors prob-t

[

w -e.c. -

- . - - , .-. . - - ,4 - - - - , - - , - . .% - , , . - , --.------,r -

-,.---,r-

lems can have a major negative impact even though no one of them would appear serious. The review does not rely on " safety" or "non-safety" as a classification scheme. Obviously, a human factors problem which has a credible impact on the safety of the plant staff or the public must be resolved. However, human factors prob-lems which impact on plant availability or wnich could lead to damaging equipment are also.important, and are covered by the review.

Where there is a consensus of the review team that hardware changes should be made to bring the control room into agreement with the guidelines, detailed assessment of errors and consequences of a particular departure from the guidelines is not needed except as would be useful in establishing and evaluating correc-tive action. Detailed assessments will be made for those items for which the review team concludes:

no corrective action is needed, no hardware changes are needed, or the action will not be implemented during the next plant refueling outage.

B. Establishing Corrective Action For those human factors findings for which the con-sensus of the review team is that some action is needed, a basic approach will be identified. The V-2

_~

action to resolve a particular human factors problem may or may not involve physical changes to the existing configuration. Some hardware changes may be desirable and practical; however, in some instances the most practical way to meet the concern that a human factors guideline addresses is through the use of m'odified

, procedures and training which is specifically directed at compensating for the existing configuration.

In selecting a corrective action the review team will consider a number of factors. The most important of these are:

the relative effectiveness of the action in cor-recting the problem; the potential impact, of the human factors finding, on plant safety; the relative practicality and ability to implement the action promptly; the potential for the action to introduce other human factors problems; the impact of the action on the operator's training, practices, and habits; the compatibility of the action with other requirements, e.g., fire protection and separation; and coordination with other control room modifications.

V- 3

C. Evaluating Corrective Action All corrective actions are subjected "to a human factors review and are, of course, subject to the normal plant approval requirements for changes to the existing con-figuration, documentation, and training. All those corrective actions which involve changes in configura-tion will be incorporated on the full scale mockup. In most cases, some abbreviated procedure walkthroughs will be conducted to confirm that the operator's response has been improved and new problems have not been introduced. Procedure changes may also be evalu-ated by the walkthrough technique.

D. Implementing Corrective Action Corrective action, after evaluation and appropriate approval, will be implemented as promptly as practical consistent with:

not disrupting the control room;

not complicating operator training by performing piecemeal changes to the control room configuration;

relative priorities of the changes, including priorities of other plant modifications which need to be made.

V- 4

VI. APPENDICES t

i I

l l

f l

l l

L L

I 1

l l 6

ur APPENDIX A OYSTER CREEK GUIDELINES FOR CONTROL ROOM REVIEW I

i l

l l

l I

OYSTER CREEK GUIDELINES FOR CONTROL ROOM REVIEW TABLE OF CONTENTS SUBJECT PAGE I. PURPOSE------------------------------------------l II. OPERATIONAL GUIDELINES---------------------------l A. Functions Performed in Control Room---------l B. Controls and Displays Provided in the Control Room----------------------------4 C. Availability of Personnel-------------------4 D. Arrangement Priority------------------------S E. Key Process Variables-----------------------S

1. Reactivity-----------------------------6

2. Reactor Water Conditions---------------6 III. HUMAN ENGINEERING GUIDELINES---------------------7 A. General Guidelines--------------------------7 B. Guidelines for Controls--------------------Il

1. Location------------------------------11

2. Operation-----------------------------12

3. Type----------------------------------13

4. Protection----------------------------13

5. Identification------------------------14

6. Maintenance---------------------------15 C. Guidelines for Displays--------------------15

1. Location------------------------------15

2. Scales--------------------------------15

3. Identification------------------------16

4. Type----------------------------------18

5. Maintenance---------------------------18

6. Recorders-----------------------------18

7. C RT Di s p l a y s -------------------------- 19 D. Process Computer Guidelines----------------20 E. Overall Control Room Environment-----------21 F. Guidelines for Alarms----------------------23

1. Selection-----------------------------23

2. Presentation--------------------------26 IV. REFERENCES--------------------------------------30

o I

MPR AOsoCIATES. INC.

OYSTER CREEK

, GUIDELINES FOR CONTROL ROOM REVIEW.

I. PURPOSE The purpose of these guidelines is to provide a basis upon which to evaluate the Oyster Creek Control Room. They are intended to assist in the identification of those aspects of the current control room which may need improve-ment and to provide guidance for any modifications. Where the existing control room does not follow these guidelines, it does not necessarily imply that a hardware change must be made. Judgment on a case-by-case basis must be used.

The potentially negative training aspects of changing an existing configuration, the seriousness of the potential problems, and the practicality of hardware changes must all be weighed in determining what should be done when an existing control room feature fails to meet one of these guidelines. Some hardware changes may be desirable and practical; however, in many instances, the most practical way to meet the concern that the guideline addresses may

. well be through the use of new procedures and training which would be specifically directed at compensating for the existing configuration.

It is to be expected that future system design considerations, as well as operational considerations, will generate changes to the control room over and above

. those resulting from the control room review. It is intended that these guidelines would be applied to such changes to ensure that they are compatible with the overall control room design.

II. OPERATIONAL GUIDELINES A. Functions Performed in Control Room

. The control room operators, including their supervisors, who man the main console and panels

should be provided with appropriate controls and displays to perform a set of defined functions. Controls and displays, including annunciators, which are not needed to perform those defined functions tend to divert the control room operators' 3 attention and should not normally be provided to them. It should be an objective to move out or keep out of the control room itself those personnel, controls, and displays which are not related directly to the defined functions.

In any case, those other functions which may be done

See Figure 1. Operators manning the operating

area are said to be "at the controls".

. s 3 . .

m 1

fisi 17a I Il l l 12R 12XR 13R Panel Front Panel Front

/_-.

6R fXR 7 F. $A 9R 1C3 11R l

\ SK I

/\

gg ,

g 57 / 6F 77 ST ST ,

,e - , - -

, t. T *

r. N .

M

7._ .' ? ~ . e

, ,00. _, ' 7G 'yT I . e 3F -~

(,

,,AT THE . .

2R C0ilTROLS" i er .

/

),

IF \ -

s ire Protection AN, \ \ .~ RC. i . 'e::.

i 1:F 11T 10T J

9 .

8 e

$ =

FIGURE 1 *

s

e e 9 e

,. r- , , , , ,- - - - - - , r, - = - - = ,--e---------n-- m .

in the control room should be arranged so that they can be done by personnel at the controls, without causing the interference or distractions.

The functions of the control room operators and their supervisor at the controls are defined to be the following:

1. Maintain control of the reactivity of the reactor core and the shape of the neutron flux profile therein.

2. Maintain control of the energy production by the reactor, the transport of this energy by means of the steam and feed systems to the turbine, the conversion of some of it to electricity in the turbine generator, and the rejection of the remainder through the condenser and circulating water system.

3. Maintain an adequate inventory of thermody-namically and chemically suitable water in the reactor coolant and condensate systems. Maintain an adequate reactor water level and recirculation pump and valve operating configuration consistent with power production requirements and reactor core capability.

4. Maintain the inventory, temperature, quality and boron concentration of the liquid in the standby liquid control system.

5. Maintain control of liquid inventory on the secondary side of the isolation condenser.

6. Distribute electrical power and other necessary services (such as air and cooling water) to the plant auxiliaries and control the production and distribution of emergency electric power.

7. Maintain control of radioactive material which may be contained in any of the systems which are the control room operators' responsibility. This includes the responsibility to maintain the leak-tight integrity of the primary and secondary con-tainment. Also included is monitoring and isolation, if necessary, of the off-gas discharge.

8. Maintain an adequate pressure, temperature and atmosphere (nitrogen content) in the drywell and an adequate water inventory and temperature in the containment pressure suppression system (torus).

9. Monitor the inventory and location of fissionable material during refueling. (Fuel storage pool activities should not be the control operators' responsibility while the reactor is operating).

10. Provide surveillance and administrative control over bypassed safety interlocka during refueling and normal operations.

31. Maintain control of, and complete entries in, the operators' logs, procedures and checklists.

12. Maintain administrative control of the blocking and tagging, maintenance, repair, testing, calibration, jumpering, etc. in those systems under their control. -

13. Initiate those fire fighting actions which are controlled from the control room, e.g., activating deluge valves, starting pumps, obtaining help in fire fighting. In addition, the operators are responsible for initiating those actions in the systems under their control which may be needed to compensate for fire damage.

14. Recognize conditions requiring implementation of the Emergency Plan, declare the appropriate action level for the emergency, and initiate appropriate correction actions and communications.

15. Maintain security and control access for the con-trol room.

16. Monitor effluent temperature and chemistry and initiate dilution as required.

The following are examples of items which should not be the responsibility of the control room operators at the controls:

1. Security or access control except access to the control room.

2. Communications not directly related to their responsibilities, e.g., routine plant telephone calls.

3. Routine operation of the radwaste treatment and p disposal system.

i 4. Routine chemical control in support systems, e.g.,

l chromate control in the torus.

l S. Control of fissionable material external to the l

reactor when the reactor is operating (except for the traveling incore fission chambers which r.my contain small amounts of uranium, and for which operators are responsible) .

~

B. Controls and Disolays Provided in the control ncgm Those controls and displays presented directly to the control room operators at the controls, i.e.,

those directly visible to them when they are at their normal stations, should be limited to those for which a clearly defined need can be established. Additional guidelines which may be applicabic to the location of controls and displays in the control room are:

1. A control or display may be located in the control room if its location elsewhere would not permit its use in a timely manner.

2. A control may be located in the control room if the only Iccation for the displays needed to operate the control is also in the control room. ,

3. A control or display used only for test purposes or only for certain planned plant evolutions may be located in the control room if it involves the use of other controls or displays which are located only in the control room.

Note that the above guidelines do not necessarily require controls and displays to be directly visible to the operators stationed at the controls.

C. Availability of Personnel The control room arrangement shall be such that any anticipated off-normal operational evolution can be effectively carried out in the short term with the personnel complement present for the normal evolution then underway. Specifically, the response to off-normal conditions may not assume that any more personnel are available in the short term than would normally be cresent in the control room when the initiating event occurs. Other on-site personnel can be assumed to be available in a time period consistent with the travel time from their normal

, location if they have no other duties in the event.

After 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> off-site personnel who are on call can be assumed to be availabic.

-4

1D. Arrangement Priority The control room and panel arrangements should provide, in convenient locations those controls and disolays which are needed for normal planned plant evolutions .

-and steady-state operation (plant startup and planned shutdowns, power generation, hot standby, and refueling);

however, higher priority for arrangement should be given to the controls and displays which are involved with the operators carrying out their assigned responsi-bilities under those off-normal conditions which are both likely and which require timely action. Such off-normal conditions include:

1. Turbine trip and reactor scram including those caused by loss of load and loss of condenser vacuum

2. Partial or complete loss of feedwater flow

3. Recirculation flow perturbations

4. Loss-of-coolant accidents, particularly those from valve opening or major seal failures

5. Partial or complete loss of control or instrumentation power or air

6. Rapid depressurization accidents, particularly those from steam system valves stuck open

7. Upsets resulting from excessive feed or fluctuations in feedwater temperature

8. Control red motion accidents

9. Electrical power upsets, including loss of all or a portion of the site AC system or the site DC system.

The center desk / console should give the operator a clear unobstructed view of the control boards.

Operator movement and communication should be unobstructed.

E. Key Process Variables

] . .

It is a requirement that certain displays be provided to make redundant certain important information provided to the operator. In addition to these displays it should be an objective to provide the operators with 9

th3 m2ans necessary to confirm qualitatively the reasonableness of the information they are presented on certain key process variables. These means should preferably be diverse from the normally used displays.

These key process variables f'all into primarily two general categories: reactor reactivity balance and reactor coolant conditions. They include such specific items as:

1. Reactivity

When critical, the operators should have the process variables necessary to assess whether the reactivity contributions of the following are in the expected relationship: rod position, recirculation flow, power level, power (flux) shapes, reactor pressure, moderator temperature and feedwater temperature.

When suberitical and preparing to startup, the operators should have the information necessary to assess t.he shutdown condition of the reactor.

2. Reactor Water Conditions .

Inventory of reactor water, i.e., level Steam pressure

Feedwater flow and temperature '

Concentration of radioactive material in the steam Hotwell level

3. Recirculation flow -

4. Reactor Thermal Power

5. Other Miscellaneous Parameters

Pressure-suppression system (torus) water level

Pressure-suppression system pressure and 7

temperature l

Off-gas radiation level and characteristics g

o 1

III. HUMAN ENGINEERING GUIDELINES The guidelines for the human engineering review of ,

the Oyster Creek Control Room will be those contained in MIL-STD-1472B, Human Encineering Desien Criteria ~fcr Military Systems, Ecuic=ent ana Facilities, wnere tney ard '

applicable. Since tne military stancard is directed toward military applications and covers types of equipment which are not in the control room, some parts of it are inappropriate. The guidelines listed below are intended to identify those which are particularly important to the control rocm review and to amplify or clarify them for direct application to the control room review. Quantitative guidelines to be used are in general not repeated. These can be obtained directly from either MIL-STD-1472B or the other references listed herein, as appropriate. Specific references are also noted in the following guidelines to aid in identifying appropriate quantitative measures to be used for given guidelines. It is recognized that in ,

the course of the review, situations may be encountered which are not adequately addressed by MIL-STD-1472B and the guidelines included below. In such cases o*_her human engineering references may be consulted, for example:

Van Cott, !! . P . and Kinkade, R. G.,

Human Encincerina Guide to Ecuirment Design, Government Printing 0:ilce, 1972 Woodson, Wesley E. and Conover, Donald W.,

Human Encineerinc Guide for Ecuicment Desien, University or Calitornia Press, 1964 A. General Guidelines

1. The controls and displays should have compatibla locations, that is:

Where timely operator action may be needed, the sources of information from which the operator concludes that he needs to take ' .

action, and that action is permissible, should be located close to where the e control action is taken. g

, When a control action is taken, the operator

, who takes the action should have immediate feedback that the controlled element has responded and, if practical, that the plant.

or system itself has responded. -This usually involves the location of the related displays close to where the control action is taken.

,7-

Functionally related controls and displays 3ccated in different planes should have an apparent and consistent relationship.

- Preferably, functionally related controls and displays should be located in close proximity to each other, yet far enough apart'that operation of the control does not interfere with observation of the -

display.

Location of recurring functional groups should be cimilar from panel to panel.

Related controls and displays should be easily distinguishable by the operator.

In every case, the following relationships should be immediately apparent to the operator:

t

- The display (s) asscciated with g each control.

- The anticipated direction of movement of the control and display, i'q - The functional results of activating the control.

e

^ ~

Control-display relationships involving either multipla displays or controls should be

_ apparent. Preferred arrangements are provided

- in NUREG-0659, Reference 6.

'2. Consistent and unambiguous methods should be provided to inform the operators of the operational status, e.g., open or closed valve y position, and of the conditions, e.g., tempera-tures or flow, in those systems under their control. Likewise, status and conditions in k other systems in the plant which could affect the action the operators may take should be Provided in a consistent and unambiguous manner.

e

-g-

3. Where a control or display is intended to provide information to the operators as to whether conditions are "off-normal", this should be done in a consistent and unambiguous manner. This should include consideration of what conditions are to be defined as " normal" in a particular system as well as avoiding confusion between indicating status (see item A.2, above) and indicating " normal" or "off-normal". In general, the extinguishing of a light should not be used to convey important normal or off normal information feedback to the operator.(Under certain circum-stances, for example, " power off" conditions, an extinguished light, in combination with other, active indications may be used effectively to convey information).

4. There should be some means for the operator to know that a control or display is not functioning properly. It is particularly important to know when a display or control has lost power. The most desirable situation would be to have the malfunction evident to the operators without any action on their part, e.g.', by having a unique

" power lost position" for a meter. This may be impractical. If so, other ways to make the operator aware of failures may have to be used, such as:

Providing means for periodic testing of a control of display (including status lights),

Providing the operator with immediate feed-back (see A.1. above), or Providing redundant or diverse displays which allow cross checking.

For some critical items it may be appropriate to utilize several ways to make the operators aware of malfunctions and to provide them with special training and guidance in the procedures.

5. Communication of a control room operator with an auxiliary operator either within or outside the control room shall be considered the same as operating a control or reading a display. These 9

_9_

communications should not require the use of communication links which may involve inter-ference or may be unavailable because of.other

, activities. The communications should consider the potential for unusual environmental conditions:

noise, respirators, etc. Voice communications should be carried out in a formal and consistent manner which identifies-the initiator and receiver of the message and provides for repetition and confirmation of each transmission.

6. Tag-out of a control or display should:

Be unambiguous as to which control or display is tagged Not obscure the identification of the control or dispicy which is tagged, and Not obscure any other controls or displays or interfere with operations,

7. For any changes to the console and panels, replacement and servicing should be con-sidered. In that case such guidelines on maintainability as the following should be applied:

Replacement and servicing should not require the removal of other items on the panel. ,

Replacement or servicing of an item should not involve operations which preclude proper operator response to a plausible off-normal event. This includes putting an excessive number of other items out of service in order to perform the maintenance.

Replacement should involve a minimum risk of improper reconnection.

Replacement or servicing shbuld involve a minimum risk to personnel.

Replacement or servicing should involve

, , a minimum risk of inadvertent actuation of other controls.

9 O. Displays (lights, etc.) used only for maintenance and servicing should not be visible, e.g.,

covered, during normal operations.

. If some specific problems with maintenance have been experienced in the Oyster Creek control room, these should be considered in the control room review.

8. The capabilities required of the operators to perfora the assigned functions should be reason-abic in terms of work load, span of mental concentration, physical endurance, amount of me.morization, a= cunt of information to be processed and time availabe to perform a function. The assigned functions shculd be consistent with the physical capabilities required of the operators.

9. Changes to existing arrangements should be sufficiently distinct that when an operator uses the new control or display it is unlikely that previous training and habits will cause

- errors. Consideration should be given to using completely different types of controls in such applications, for example, using

. push buttons in place of a rotary switch rather than changing the direction of rotation of the rotary switch.

10. Control panel sections containing functionally related controls and displays should be prominently labeled.

B. Guidelines for Controls

1. Location

a. The most often used controls should be given priority in location, except where this would l

conflict with the use of controls or displays for off-normal conditions. Control placement '

should comply with the anthroponotric standards (5 - 95th percentilo male statu o and arm reach given in Van Cott and Kinkade).

I

b. Controls for off-normal conditions should be placed in a readily accessible location but clearly distinguished from controls used for

. normal conditions. -

c. The progression of controls, numerically or alphabetically, should be consistent through-out the panel. It is preferred that they progress left-to-right and top-to-bottom.

d. All controls for multiple elements should have the same arrangement, that is, either horizontal or vertical,

e. If controls are operated in sequence, they should be located in a consistent left-to-right

. or top-to-bottom progression.

f. Where multiple controls af fect the same element, e.g., valve control push buttons, their rela-tionship should be consistent and readily apparent to the operator without detailed com-parison of the legends.

g. Mirror image groups of controls should not be used.

2. Operation

a. The control should be capable of operation without special aids for the operator, e.g.,

a stool, screw driver, or special tools, except where required to prevent inadvertent actuation.

b. The forces and motions required to actuate the control must be within the capabilities of all l

the plant operators. This applies under normal operating conditions and when emergency clothing is being worn.

c. The direction of operation should follow a consistent set of conventions, for example:

Pushbutton valve operators should have the "open" button on top, if vertically arranged. If horizontally arranged, the "open" button should be on the right.

e 9

l l

l t

Rotary controls for circuit breakers and electrical motors should rotate clockwise to turn the item "on", i.e., close a breaker or start a motor.

The " Auto" position of a rotary control should be a consistent direction of rotation.

"On" or " start" pushbuttons should be above "off" or "stop" pushbuttons.

Rotary controllers should rotate clockwise to increase the controlled quantity.

d. The direction of motion of the controller should be consistent with the direction of motion of the display which responds to the control.

c. Key operated controls should follow a standard set of conventions, e.g., detents oriented -

upward and slot vertical is the condition with the key removed.

f. Control position should be easily identifiable.

3. Type

a. Each control type should be readily identifiable.

Control coding, e.g., size, shape and color should be consistent throughout.

b. Consistent types of controls should be used for similar functions.

4. Protection

a. Adequate distance between controls and between groups of controls to allow the operator to easily recognize the controls

'and to avoid inadvertent actuation should be provided. MIL-STD-1472B guidelines fcr separation distance should be utilized.

b. Controls which may be confused and which have serious consequences if actuated, should be protected or special steps taken to highlight or distinguish them. This may include such means as covers, separate handles, use of two hands to operate, or key operated controls.

c. Controls which would otherwise be subject to inadvertent actuation by clothing, cleaning operations, etc. should be suitably protected.

Protective measures should not interfere with control operation. ,

5. Identification

a. Each control should be positively identified with both a descriptive name and particular identifying number for the controlled element.

b. Nomenclature should be consistent with that used in the procedures and system diagrams and that on related displays. System diagram terminology should be used in correcting inconsistencies. The use of abbreviations should be minimized.

c. Legend plates should be located over the control to which they apply. If this cannot be done, some special visual clue to the unusual relation should be provided to the operator. In no case should a location convention be the only means of telling to

, which control a label applies. Legend plates should be readily visible from the station at which they must be read.

d. Where special precautions apply to the operation of a control this should be clearly stated and it should be clear to what control (s) they apply.

e. Legend plates on controls should meet consistent standards (Van Cott and Kinkade) of letter size.

f. Legend plates on controls should meet con-sistent standards of durability. Temporary label plates should not be used.

g. The color of legend plates should conform to a consistent code, for example:

Identification labels should be black letters on a white background.

Precaution labels should be red with

. White letters.

Information of a reference nature for

. the assistance of the operator should be white letters on a black background.

h. The legene plate should be readable from the location at which such reading is necessary, i.. Labels should be oriented horizontally.

j. Redundant identification techniques, e.g.,

size, shape, location, color, texture, should be used for similar controls, where feasible.

6. Maintenance

a. All light bulbs should be commonly stocked types and shculd be replaceable from the front of the panel without special tools and without risk of inadvertent actuation or damage of the control.

C. Guidelines for Displays

1. Location

a. The displav should be located properly with respect to its related controls. (See Criterion'II.A.1). Display placement should comply with appropriate visibility standards of Woodson and Conover, Reference 4.

b. The orientation of multiple displays should be consistent with normal conventions for progression of numerical or alphabetical quantities, i.e., top-to-bottom or left-to-right.

c. The orientation (horizontal or vertical) of an

, array of displays should be consistent with the orientation of related controls, d .- The operation of the control related to a display should not obscure the display.

2. Scales

a. The graduations on a scale should be consistent with the resolution required by the operator.

Woodson and Conover, Reference 4, guidelines should be followed.

s l

b. The scale range should be adequate for all normal and off-normal. conditions under which ,

- the display is required. .

c. The major scale divisions should be a usual numerical progression. Scale mutipliers should be avoided, but where used should be in a consistent location and easily read.

Only multiples of 10 should be used.

d. The units of the scales should be consistent between rate and integral displays for related items. For example, al] the flows into or out of a tank should be provided in consistent units of volume and time and the tank contents should be displayed in units which are consistent with the units of flows.

c. Where multiple displays are provided of the same parameter, e.g., wide and narrow ranges, these instruments should have consistent scale units and consistent zero points. For example, reactor fuel zone, operating and wide range water level instruments could all be referenced from the top of the active fuel as "zero".

f. The arrangement and scale design of multiple displays should involve a minimum risk of confusing the readings, e.g., erroneously matching the pointer on ona instrument with the scale on another.

g. The scale graduations and labels should be adequate in size, 1cgibility and readibility.

Van Cott and Kinkade, Reference 3, should be used for guidance.

3. Identification

a. Each display should be identified with both a deceriptive name and, where applicable, an identifying number which relates the indication unambiguously to a particular instrument or sensor.

The nomenclature should be consistent

~~

b.

with that used in the procedures and system diagrams and that on related controls. The use of abbreviations should be minimized. .

c. Legend plates should normally be located over the display to which they apply.

If this cannot be done, some special .

. visual clue of the unusual relation should be provided to the operator. Legend plates should be readily visible from the station at which they must be read. Id no case should a location convention be the only means of telling to which display the label applies.

d. If the limits or set points of the displayed variable are needed by the operator when the display is used, then they should be pre-sented in a clear and unambiguous manner.

. It is particularly important that memorization of numbers by the operators be minimized.

The method of identifying set points and limits should be consistent among the displays.

e. Legend plates on displays should meet consistent standards (Van Cott and Kinkade) of letter size.

, Note that if the disol.av is intended to be read from a distance longer than normal, the size of lettering may need to be increased above that normally provided,

f. Temporary label plates should not be used.

g. The color of the legend plates used on displays should follow the same general rules as for controls (see B.5.g.)'.

h. Where colors are used as an integral part of information displays or status indicators, a consistent coding should be used. Color codes may include:

Red to show that a component, usually a

- motor, or breaker is "on" or energized.

Green to show that a component, usually a motor or breaker, is "off" or de-energized.

A yellow display to indicate that a system is in a transitional condition or that a

" bypassed" condition exists.

A white display to indicate a status condition.

e G

i. The legend plate should be readable from the

. location at which such a reading is necessary.

j. Labels should be oriented horizontally.

x. Redundant identification techniques, e.g.,

size, shape, location, should be used for similar displays, where feasible.

4. Type

a. Display type, e.g., quantitative, qualititative, analog or digital, should be suitable for its intended application. For example, digital displays minimize time and error in reading an exact numerical value, but provide limited rate information and are ineffective for check reading ("is it in the band?").

b. Consistent types of displays should be used for similar functions.

5. Maintenance

a. Replacement of bulbs should take place from the front of the panels and all light bulbs should be commonly stocked types. Special tools should not be required.

b. The risk that a display will be reassembled in such a manner that it gives erroneous information, for example, by switching lighted legend lens caps, should be minimized.

6. Recorders .

a. A recorder should meet the same requirements for visibility, scales, units, etc. as any other display.

e F e

~18-

b. Where multipoint or multi-pen recorders are used, the recorded data should be unambiguous.

. c. When different inputs can be selected for the same recorder, switching transients should not be such that they can be mistaken for signal changes,

d. When different inputs can be selected for presentation there should be some positive way to determine what specific input the trace represents.

e. The amount of the recorded trace which is visible should be adequately long to cover the time span of interest to the operators.

Reference to portions of the trace which are not visible should not involve blocking other critical displays or controls or risking inadvertent actuation of controls.

f. The recorder should provide for a tolerance on the time for changing paper or ink of at least two hours. That is, chart paper and ink should be replenished when there

, is at least two hours of recording left.

This is to insure that if an emergency evolution takes place there will be at least a two hour capability to follow it without servicing the recorder.

g. It is preferable for charts to have time as the horizontal coordinate increasing to the right.

h. Changing chart paper or ink should require a minimum of time and should not block other critical controls or displays. There should be little possibility of the inadvertent actuation or damage of nearby controls.

7. CRT Displays

- a. The loss of any CRT display or other single failure in the associated hardware (power supplies, computer, keyboards, etc.) should not preclude the performance of an emergency procedure.

9 8

_19_

l

b. Information orientation and zones, titles, label locations and parameter locations should be standardized. Standard sets of characters, symbols, and abbreviations should be used. *

c. Color assignments should be consistent from display to display and should be consistent with color cdnventions used on the console and panels.

d. Mimic displays should be oriented from left-to-right or top-to-botton unless this conflicts with existing panel mimics or the arrangements of items on the panels. Procedure steps or decision " trees" should be oriented from top-to-bottom. Time should be displayed from left-to-right.

c. Each display should have a descriptive title. This title should be in a consistent location and have a consistent color and format.

Display characters shou'd be selected from

f. l a standard set (such as ASCII) . The letter size and height-to-width ratio and stroke width should meet consistent standards (van Cott and Kinkade) for the distance at which they are used. Capital letters should be used.

g. The display loading (text and graphical content) should be limited to about 25 percent, of the CRT screen area, excluding the title and any alarm notes.

h. The refresh rate of the displays should be 60 11z or more.

D. Process Computer Guidelines .

Process computer access and interaction should adhere to the guidelines provided in NUREG-0659, Reference 6.

These are in summary:

1. Only authorized personnel should be able to alter the computer data base.

2. Data base changes should require a positiva command action by the operator. The operator should be automatically provided with information describing the implications of the data base change before he makes the change. The system should then require him to acknowledge this information before the data base change is executed. The system should provide confirmatory feedback when the data base change has been accomplished. .

3. The process computer command language should be logical and consistent. Language words and abbreviations should be consistent with operating procedures and system diagram terminology.

4. Command entries should require a minimum number of keystrokes. Single keystroke function keys should be used for important control inputs.

5. The process computer operating system should aid the operator by providing prompting and assistance in recovering from an error.

6. Command entry keyboards should be standardized and readily usable under all operating conditions.

The operator should receive positive feedback of each keyed entry.

7. Computer output devices, e.g., line printers and typewriters should present information in a readily usable and readable format. Output devices used to list alarm messaces should have adequate output speed to list alarm messages in real time with no significant backlog or loss of information.

E. Overall Control Room Environment The overall control room environment should be suitable for the operators to carry out their required functions.

This includes consideration of the following items.

Quantitative limits for each item, e.g., temperature, humidity, and lighting are provided in MIL-STD-1472B, Reference 1, unless otherwise stated.

i

. 1. Adequate temperature and humidity control should be provided.

2. Adequate ventilation should be provided.

I

3. Adaquate' lighting should be provided for both normal and emergency conditions. Lighting arrangements that minimize glare and shadows should be selected. l In an emergency, lighting should be provided even in the event of temporary failure of the diesel generators to start. Reflectance, luminance 1 and illumination levels should comply with MIL-STD-1472B, Reference 1, standards.

4. The background noise level, including reverberation should comply with MIL-STD-14723 for operational areas. There should not be, conditions in the plant operation which result in large changes in noise level.

5. There should be adequate provision for the control of traffic in the control room and accommodating -

. visitors or observers without adversely affecting operations.

6. There should be adequate provision for the storage of personal items and emergency equipment. ,

7. There should be adequate workspace for the operators to use reference material and to support any on-the-job training.

8. There should be adequate provisions for storage and use of the following without blocking access to any controls or displays:

a. Procedures -

b. Manuals -

c. Diagram and Drawings

d. Logs

c. Personnel Rosters

f. Other Files

9. There should be direct and defined access to the l supervisor's office. A good visual and voice contact with the control room should exist.

[ 10. There should be adequate rest room and kitchen j facilities.

11. There should be adequate and defined access for L maintenance of the control room equipment including availability of technicians, tools and spares. Such maintenance should not interfere with nonnal operation.

l l

l -

l l . . _

12. There should be adequate access from the control room to the remainder of the plant.

13. The control room and its associated spaces should contain adequate provisions for communications.

This includes particular consideration of:

Means for paging in the rest rooms, kitchen and any other associated spaces should be provided.

Communication facilities should be provided for the shift supervisor, shift foreman, and other personnel in the control room so that they do not interfere with or confuse the communication links used by the operators at the controls.

14. The control room should be free of personnel hazards such as: items which could trip the operators, sources of electric shocks., etc.

15. There should be adequate safeguards on the systems which con:rcl temperature and venti-lation so that, in case of failues in these systems, working conditions can be re-estab-lished before they deteriorate excessively.

16. Emergency equipment including operator protective equipment, fire extinguishers suitable for electric fires, radiation equipment and rescue equipment as required should be readily available.

17. Access openings normally used by the control room operator should be clearly and consistently labeled. Labels should be readable with access door open. Labels should contain prominent warnings if access area possesses a danger, e.g.,

high voltage. -

F. Guidelines for Alarms

1. Selection The following guidelines and criteria should be used in evaluating alarm selection.

a. Candidate alarm conditions include: (1) con-ditions within a system which cause, or may q

cause, the system or its components to mal-function, or to function in a manner different from that intended for the existing mode of 4

plant operation, and (2) conditions which cause, or may cause damage to plant equipment.

Candidate alarm conditions should be chosen

. based on knowledge of the operation and intended function of the system or component. In deter-mining what is " normal" or " intended" operation for a given system, Guideline b., below, should be applied.

With respect to the different types of systems in the plant, the following guidelines should be applied on a system-by-system basis in order to identify candidate alarm conditions.

(1) Candidate alarm conditions for fluid systems are values of the thermodynamic parameters in the mass, momentum and energy equations which indicate the system is not functioning as intended.

In particular, inventory, flow rate, temperature and pressure usually are candidate alarm conditions.

(2) Candidate alarm conditions for electrical distribution syst. cms ar'e breaker trips, improper paralleling of generators, batteries or inverters, and inverter failure or malfunction. Candidate alarm conditions for transformers are high temperature, high gas pressure, presence of combustible gas, and other conditions for their support systems which are determined by application of the appro-priate system-specific guidelines (e.g.,

the guidelines above for fluid systems) .

Candidate alarm conditions for batteries and diesel generators should be determined by reference to the guidelines below for protection systems and large machines.

. (3) Candidate alarm conditions for control systems are loss of power, automatic transfer to manual. control, automatically

' initiated changes in automatic control mode and symptoms of control loop malfunctions.

1 (4) Candidate alarm conditions for protection systems are a lack of readiness, actuation t of the system, problems in actuation and problems in operation. Candidate alarm conditions for problems in operation

should be chosen by application of the appropriate system-specific guidelines (e.g., the guidelines above for a fluid system). .

(5) Candidate alarm conditions for large machines are trips, and trip causes that may alter the operator's response to a trip. Alarms for supporting subsystems should be chosen by application of appropriate system-specific guidelines.

b. Candidate alarm conditions should be chosen so that the process annunciator panels are dark when the plant is operating normally at power.

" Normal" means full power operation with all systems operating as intended in their most typical lineup for this condition.

c. In order to warrant an alarm in the control room, each candidate alarm condition must satisfy the following criteria:

. (1) The condition requires operator action as defined below, and (2) The operator's normal surveillance activities cannot be relied on to alert him to the condition, and (3) It is considered plausible that the condition could occur during the life of the plant.

For th'c purpose of this guideline, operator ,

action may take any of the following forms:

Direct manual action

Backup of an automatic action Other modification of surveillance activities.

Any condition not meeting these criteria should be eliminated from the list of candidate alarms.

d. After a set of alarms has been defined, these alarms should be reviewed to ensure that each alarm requires unique operator action, in order to minimize the number of annunciators in the i control room. Alarms which require identical

operator action may be candidates for combination.

1 .

l .

l

2. Presentation

a. In order to minimize the number of annunciators within the control room, several types of alarms should be considered for combination into a single annunciator, whenever doing so would not interfere with timely operator response to the alarm. If alarms are combined, a reflash*

capability should be provided. The following types of alarms should be considered for combination (subject to the restrictions listed in the next paragraph) :

Alarms for the same parameter on the same component, e.g., tank level high/ low:

Alarms for the same condition on redundant components, or logic trains, when each has a separate indicator and the indicators are placed in close proximity on the console, e.g., pump A/B trip, safeguards actuation A/B;

Alarms for several conditions relating to one component or seyeral redundant components, which require the operator to obtain further diagnostic information either by sending an auxiliary operator out to the component (s) or checking the computer (if applicable),

e.g., pump A/B trouble.

Candidates for combination should not be combined if: ,

(1) Different actions are to be taken depending on which constituent is alarning and i,nformation is not available to the operator to identify which constituent is alarming; (2) The required response time is so short that taking time to consult the control panel or the computer (if applicable) to determine which constituent is alarming would risk an inadequate operator response; i

"Reflash" is the capability to cause an annunciator combining a number of alarm conditions to recommence flashing and sound a tone on the existence of a second alarm condition occurring after a first has been received and acknowledged (but has not cleared). .

9 O

e

(3) Information or protection for the other -

alarm constituents after any one has activated the combined annunciator is not

. available to the operator; (4) Operator understanding is* improved 'by annunciating the conditions separately because of similarity to the layout of the associated controls; (5) The constituents and/or significance are not of a similar nature and are not of the same order of importance.

b. Alarms should be grouped according to plant system or function. Within each group, the alarms should be arranged to maximize the operator's ability to assimilate multiple alarm occurrences. Alarms should be organized to indicate relationships among alarms within the same system.

c. Alarm groups should be placed in close proximity to the corresponding controls.,

d. Annunciator windows should be designed and lettered according to the following guidelines:

(1) Nomenclature and abbreviations should be consistent with those used for the corresponding controls and indicators.

(2) If no precedent has been set on the controls and indicators or by other commonly accepted usage, abbreviations should be in accordance with MIL-STD-12C.

(3) Lettering size, type font and viewing angle must be such that the alarm legends are readable by the operators when standing at their primary control stations. In -

addition, it is highly desirable that the legends be readable by the operator who is acting in a' supervisory capacity (e.g., shift foreman) when he is at his assigned station. The standards in Van i Cott and Kinkade, Reference 3, should be used in making these evaluations.

Annunciator panels should be positively identified. Label plates used for panel identification should meet standards for

~ letter size that are consistent with those used for similar labels on the control

. panels (Van Cott and Kinkade).

e. An operator should be able to acknowledge only those alarms within his field of vision.

f. An operator should be able to acknowledge an alarm only from a station near the controls which are operated in response-to the alarm and from which the alarm is easily read.

g. Audible tones signifying an alarm should satisfy the following requirements:

(1) The combination of tone volume, frequency and construction (e.g., warble or other variation) must be chosen such that the operator is alerted to the alarm under the most adverse anticipate,d conditions of background noise.

(2) The tone must not be so loud that the operator is startled or disoriented, or is unable to effectively communicate with others in the control room.

(3) The audible tones used for the various annunciator panels should be chosen and directed such that the operator can distinguish which annunciator panel or panels require his attention.

h. Flash rates used for annunciator lights should be within the range of 1 to 5 flashes per second.

Equal amounts of on and off time should be used.

Flash rates which nust be distinguished one from another should differ in rate by at least a factor of two.

i .. Annunciator lights should be bright enough to stand out clearly against the panel on which 3

they ap' pear under all expected lighting <

conditions, but they should not be so bright as to be annoying or distracting.

j. The capability to reconstruct the sequence of events in a multiple alarm situation should be provided. In particular, the operator should have a means of identifying the first alarm that occurred.

k. Annunciator ringbacka should be provided whenever the operator requires in' formation on clearing of an alarm, particularly if he must take action

- (or stop the action he took in response to the alarm) when the condition returns to normal.

Ringback should not be used if the operator docs not require the information (and takes no action) and therefore the ringback becomes a distraction. Where ringback is used, a separate control sculd be provided to " reset" the annunciator -- acknowledging the ringback.

1. The annunciator system should be designed to ninimize the nuisance associated with leaving an audible signal sounding continuously until alarms can be assimilated and acknowledged in a multiple alarm situation. One means of addressing this is the provision of a silence control for the audible signal, separate from the acknowledge control for the visual tiles.

Other means may also be acceptable.

m. Annunciators should meet the requirements of paragraphs III.A.4 and III.A.6 for indicating nalfunction or tag-out of annunciators.

O "Ringoack" in an annunciator sequence provides a second visual and auditory indication that an alarm which was previously received and acknowledged has now cleared--gone back to normal.

A separate " reset" control is typically provided.

IV. REFERENCES

1. Military Standard MIL-STD-1472B, Human Engineering Design Criteria for Military Systems, Equipment and Facilities, 31 Decembe r 1974, Depa rtme n t ot Defense, Washington, D.C. 20301.

2. T. B. Malone, M. Kirkpatrick, K. Mallory, D. Elke, J. H. Johnson, and R. W. Walker (The Essex Corporation), Human Factors Evaluation of Control Room Design and Operator Performance at Three Mile Island-2, NUREG/CR-1270, January 1980, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555.

3. H. P. Van Cott and R. G. Kinkade, Editors, Human Engineering Guide to Equipment Design, Revised Edition, 1972, Superintendent at Documents, U.S. Government Printing Office, Washington, D.C. 20402, Stock Number 008-051-00050-0/ Catalog Number D 4.10:EN3.

4. W. E. Woodson and D. W. Conover, Human. Engineering Guide for Equipment Designers, University of California Press, 1973.

5. E. J. McCormick, Human Engineering and Design, McGraw-Hill, Inc. 1976.

6. NUREG-0659 Draft Report, Staff Supplement to the Draft Report on Human Engineering Due to Control Room Evaluation, April 1981, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555.

7. K. Mallory, S. Fleger, J. Johnson, L. Avery, R. Walker, C. Baker, T. Malone (The Essex Corporation), Human Engineering Guide to Control Room Evaluation, Draft Report NOREd/CR-1580 July 1980, U.S. Nuclear Regulatory Commission, Washington, D.C. 20555.

9 APPENDIX B RESUMES

RESUMES FOR PERSONNEL OF GPU NUCLEAR CORPORATION I

I

T. GARY BROUGHTON Business Address: GPU Nuclear Corporation 100 Interpace Parkway Parsippany, New Jersey 07054 Education: B. A., Mathematics, Dartmouth College, 1966 Experience: Director Systems Engineering, November 1982 to present. Responsible for Systems Engineering Department activities including nuclear fuel procurement and analysis, risk and reliability assessment, process computer applications,. radiological engineering, safety analysis, plant analysis and human factors engineering.

Systems Analysis Director, 1981 to 1982.

Responsible for human factors engineering, nuclear safety analysis and analysis of plant thermal hydraulic performance.

Control & Safety Analysis Manager, GPU Service Corporation, 1978 to 1981.

Responsible for nuclear safety analysis and integrated thermal, hydraulic and control system analysis of nuclear and fossil plants.

Supervised on-site technical support groups at Three Mile Island, Unit 2 during the post-accident period.

Safety and Licensing Engineer; Safety and Licensing Manager, GPU Service Corporation 1976 to 1978. Performed and supervised nuclear licensing, environmental licensing and safety analysis for Oyster Creek, Three Mile Island and Forked River plants. Served as Technical Secretary to Oyster Creek and Three Mile Island General Office Review Boards.

Officer, U. S. Navy, 1966 to 1976.

Trained at Naval Nuclear Power School, Prototype and Submarine School. Positions

. held include Nuclear Propulsion Plant Watch Supervisor, Instructor at DIG prototype plant and Engineering Officer aboard a fast-attack nuclear submarine.

Publications: EPRI, CCM-5, RETRAN - A Program for One-Dimensional Transient Thermal-Hydraulic Analyses of Complex Fluid Flow Systems, Volume 4: Applications, December, 1978, Section 6.1,

" Analysis of Rapid Cooldown Transient - Three Mile Island Unit 2" with N. G. Trikouros and J. F. Harrison.

"The Use of RETRAN to Evaluate Alternate Accident Scenarios at TMI-2", with N. G.

Trikouros. Proceedings of the ANS/ ENS Topical Meeting on Thermal Reactor Safety, April 1980, CONF-800403.

"A Real-Time Method for Analyzing Nuclear Power Plant Transients", with P. S. Walsh, ANS Transactions, Volume 34 TANSAD 34 1-899 (1980).

e u

-- ,~ -

1 Name: ARTHUR F. HERTZ Date of Birth: August 21, 1949 Education: BS Electrical Engineering - 1971 Newark College of Engineering Newark, New Jersey EX PERIENCE:

January, 1981 Project Engineer; (0yster Creek Technical Functions Engineering to Present Projects), GPU Nuclear Corporation, 100 Interpace Parkway, Parsippany, New Jersey 07054 Project Engineer for Nuclear Power Plant modifications includina the following: Reactor Protection System Analog / Digital Upgrade, Isolation Condenser Pipe Break, Excess Flow Check Valve, Primary Containment Temperature Monitor, 125 VDC Battery System 'C' Upgrade, Degraded Scram Air Header Modification, OC Drawing Verification, Emergency Service Water dp and Flow Indication and Torus Water Clean-up.

Responsibilities included managing in-house activities (engineering and design, licensing, quality assurance, and purchasing) and outside A/E services, budgeting, scheduling, all instrumentation and control, mechanical, and structural phases. Provided field supervision as required during instal-lation and test activities.

May, 1975 to Project Engineer; (Generation Engineering) Jersey Central December, 1980 Power & Light Company, Madison Avenue at Punchbowl Road, Morristown, New Jersey 07960.

Lead engineer for nuclear power plant modifications to the Rod Worth Minimizer Shutdown Mode Switch, Reactor Protection Instrumentation for Seismic Upgrading, Computer Relocation, Dilution Plant Trip Circuit. Provided electrical engineering support for the following modification - Post Accident Sampling, Control Rod Drive Rebuild facility, Intake (Screen Wash and Cathodic Protection) and Core Spray Electrical Cross connect modification.

Responsibilities included as appropriate budgeting, scheduling, plant training, and preparation of all engineering and procurement documents.

Arthur F. Hertz Page 2 June,1971 to Non-Nuclear - Worked for Architect Engineer, Engineers Inc. -

April, 1975 Newark, New Jersey, perfonning field engineering activities in support of re/amping existing chemical process. Companies included: Union-Carbide, Mobile and Exxon.

Associate Engineer for Jersey Central Power & Light Company at Gilbert Generating Station researching and implementing a preventative maintenance program.

Additional Training 1976 GE BRW Reactor Training 1977 Instrumentation and Controls (General Physics Corp.

1978 Project Management (Project Management Association) 1980 to 1981 As part of STA Training had the following Plant specific training courses. Reactor Protection System, Recirculation System Flow Control, Basic Nuclear Reactor Theory, Nuclear Steam Supply System, Feed and Condensate System, Secondary Containment and Standby Gas Treatment System, Nitrogen Inerting System Core Spray System, Automatic Depressurization System, Isolation Condensers Shutdown Cooling, Control Rod Drive System, Nuclear Instrumentation, Shutdown Cooling Containment Spray, Energency Service Water, Standby Diesel Generator and Plant Electrical Distribution.

June, 1980 to Participated in the Site Technical Advisor Program.

December, 1980 1

NAME: Bonnie R. Rusinek Date of Birth: January 18, 1955 Education: B. A. Psychology, Drew University, 1976 M. A., A. B. T., Engineering Psychology, New Mexico State University, 1981 Experience: Human Factors Engineer, September 1981 to present. Responsible for human factors activities at Three Mile Island and Oyster Creek, including human factors review of control rooms, control room modifications, development of symptom oriented emergency operating procedures, review of TMI-l Process Computer Operator Interfaces, development of an Oyster Creek Human Engineering Handbook, design of Oyster Creek " Basic Principles Training" simulator, and development of a Validation and Verification Program for Oyster Creek and TMI emergency operating procedures.

Systems Engineer:

Linzer Products Corporation (March 1981 to June 1981). Analyzed and evaluated work procedures, modified workspaces, and restructured assembly lines in order to improve work efficiency. I also counseled employees.

Research Assistant:

Behavioral Engineering Laboratory (Jan. 1980 to Feb. 1981). Designing and performing experiments in visual accomodation, writing a technical report.

Solar Energy Institute (September 1979 to February 1980). Worked as a technical writer /

editor in charge of producing final technical reports. This included: proofreading, writing, editing, producing tables, graphs and pictures, reproduction, collating, copying, binding and contact with audio-visual department.

Human Performance Laboratory (Jan. 1979 to July 1979). Designed, completed and reported experiments on the Stroop effect.

1

l 1

Research Projects and Reports: I was part of a two-man team from New Mexico State University that studied and made recommendations on work space design to Southwest Mental Health, Las Cruces, N.M. A draft of the final report entitled "The Denison Building: A Human Factors Evaluation of the Work Environment", was given to the Director.

I wrote a grant propocal to study " bumping" and " tripping" accidents in industry.

I presented a paper at the American Nuclear Society 1983 Annual Meeting, entitled " Human Factors Design Affiliations and of the Oyster. Creek BPT Simulator" Awards: Human Factors Society Research Assistantships, New Mexico State University American Nuclear Society

l l

DAVID A. STROBHAR EDUCATION: B. S. Human Factors Engineering, Wright State University 1980.

EXPERIENCE: Human Factors - Engineer for GPU Nuclear Corporation from July 1980 until April 1982. Involved in control room design reviews for Three Mile Island Unit 1 and Oyster Creek Nuclear Generating Station.

Developed standards for Human Engineeirng and performed Human Factors reviews for plant engineering modification.

j PATRICK S. NALSH Business Address: GPU Nuclear Corporation 100 Interpace Parkway Parsippany, New Jersey 07054 Education: B . S .' , Chemical Engineering, Ill ino is-Institute of Technology, 1969.

M.S.E., Nuclear Eng ineer ing , Catholic University of America, 1978.

U.S. Navy Nuclear Training Program, 1969 to 1970.

Experience: Plant Analysis Manager , GPU Nuclear Corporation, 1979 to present. Responsible for conducting evaluations of operating experience and technical performance of all GPU system nuclear generating stations.

Senior Eng ineer , Nuclear Analysis Section, GPU Service Corporation, 1978 to 1979.

Responsible fo r pe r fo rm ing nuclear fuel thermal-hydraulic analyses and fuel performance analyses.

Senior Eng ineer , Nuclear Fuel Management Unit, Baltimore Gas and El ec tr ic Company, 1976 to 1978. Re spo n s ib il i tie s included the per formance of fuel management analyses; evaluation of safety analyses required for license amendments; and, supervision of, and preparation of proce-dures for, core refueling, new and ir-radiated fuel inspection and spent fuel shipment.

Engineer, Startup Test Group, Baltimore Gas and Electric Company, 1974 to 1976.

Responsible for procedure preparation and supervision of hot functional, low power physics and power escalation testing of mechanical and instrumentation systems.

Officer, U.S. Navy, 1970 to 1974. Held positions of Nuclear submarine Eng inee r ing Department Division Officer and Nuclear Prototype Instructor and Trainina Officer.

Professional Affiliations: Reg is te r ed Professional Eng ineer , New ~

Jersey.

RESUME OF JOHN YOUNG TO BE PROVIDED LATER I

1 l

l l

RESUMES FOR PERSONNEL OF MPR ASSOCIATES, INC.

l M P R ASSOCIATES, INC.

NAME: Jess Betlack DATE OF BIRTH: June 27, 1943 EDUCATION: BS Electrical Engineering University of Kansas - 1966 (With Distinction)

MS Electrical Engineering University of Kansas - 1967 Additional graduate studies in Electrical Engineering and Computer Science at the University of Kansas and the University of New Mexico s

EXPERIENCE: Mr. Betlack has worked in the fields of electrical engineering and computer science full-time since 1968 and part-time while in school since 1964. Specific activities have included design, analysis and development of computer systems, instrumentation, electro-mechanical devices and power plant equip-ment.

1973 -

present --

MPR Associates, Inc.

Design and analysis of computer systems and components (both hardware and software),

electrical and electro-mechanical systems and components. Specific projects have involved data acquisition, processing and control computer systems, data bank systems, test facility and power plant instrumenta-tion, and modeling and simulation of power plants and power plant equipment including pumps, steam generators, turbines and instrumentation.

1968 - 1973 --

Sandia Corporation. Member Technical Staff, Data Systems Department.

Mr. Betlack's work at Sandia consisted pri-marily of design, development, and imple-mentation of on-line computer systems.

These systems were used in support of flight, environmental, and full-scale test-ing. Specific activities included feasibil-ity studies, systems and analysis and design i

l

Experience continued: systems software development, component and system specification, component and system procurement, data acquisition and reduction, j instrumentation and control design and development, PERT studies, preparation of functional specifications, acceptance tests, and benchmark tests, and system and com-ponent evaluations.

1964 -

1968 --

Part-time work at the University of Kansas including research on pattern recognition, teaching assistant in logic design and computer science, and programming. -

1 AWARDS: N.T. Veatch Scholarship l Texaco Scholarship National Science Foundation Traineeship l HONORARY SOCIETIES: Tau Beta Pi - National Engineering Eta Kappa Nu -

National Electrical Engi-neering MEMBER: Institute of Electrical and Electronics Engineers PUBLICATIONS:

Master's Thesis - "A Preprocessor for Multi-Spectral Images" SC-DR-21-0419 - " Area III Automated Data Processing System" SC-TM-69-509 --

" Operations and Maintenance Documents for Program FIXCAM" Many other reports, software documentations and internal documents at MPR, Sandia Corporation, and CRES (University of Kansas Research Center)

OTHER: Kansas Engineer-in-Training Certification

i M P R ASSoCI ATES, INC.

NAME: Herbert Estrada, Jr.

DATE OF BIRTH: July 24, 1929 EDUCATION: BS Electrical Engineering University of Pennsylvania - 1951 (With Distinction)

Graduate Courses in Physics and Mathema-tics, University of Pittsburgh, 1952-1953 EXPERIENCE: Since 1951, Mr. Estrada has had first-hand experience in engineering of fluid and con-trol systems, twelve years of which were devoted to the design, analysis, field installation, test and evaluatien of naval nuclear propulsion plant systems.

1964 - present -- MPR Associates, Inc.

Responsible for technical coordination and direction of projects including design, analysis, testing, and operation of nuclear and fossil-fueled power systems, hydraulic, pneumatic, and electronic control systems, and electrical systems, and fluid systems.

Some specific projects include:

Design, analysis, installation, and testing of propulsion plant instru-mentation and controls, to replace controls and instrumentation of ques-tionable reliability and excessive complexity, for a class of five U.S.

Navy (fossil fuel / steam powered) assault ships. This work included:

analysis of manning skills and levels required for effective performance of operations manually, under both emer-gency and normal conditions; and, arrangement of controls, displays, valves, and the hardware for the effective performance of required tasks.

Des ig n , analysis, and evaluation of instrumentation and control systems for power plants and experimental facilities.

i Experience l continued:

Developmen t of check and alignment procedures, and troubleshooting data, for on-line verification of the opera-tion of automatic combustion and feed-water control systems. These proce-dures have been designed for use by semi-skilled personnel and have been successfully applied.

Analysis of steam power plant opera-tions under cyclic load conditions, for the purpose of developing revised operating procedures and systems to accommodate cycling service. This work included the development and verification of computer codes and other analytical tools for predicting temperature response and estimating fatigue damage and crack propagation in heavy metal parts of turbines and steam generators subjected to cycling service.

Development and verification of modu-lar, general purpose computer codes for the analysis of the dynamic re-sponse of steam power plants to tran-sients such as load rejection, loss of circulating water flow, loss (trip) of heat source, etc. Codes have been used to design turbine bypass systems, predict turbine overspeed, evaluate steam generator response, optimize combustion and reactor control system responses, size and set relief valves, etc.

Development of computerized heat balance codes for establishing power plant generation capability with one or more feed heaters out of service, and with other steam and feed system components out of service.

Review of naclear power plant control room human factors, and fornalation and implementation of design changes to improve human factors. Work in

Experience continued: this area has included testimony before an Atomic Safety and Licensing Board, and consulting services and other support of the EPRI development of an alarm system improvement guide.

1963-1964 -- Chief of the Nuclear Systems Engineering Section, Allison Division of the General Motors Corporation, 1963 to 1964. Responsible for engineering and operations research activites on chemical systems for several energy conversion development projects.

1951-1963 -- Bettis Atomic Power Laboratory of Westinghouse Electric Corporation.

Responsibilities included: Supervisor of Advanced Surface Ship Control Engineering; Chief Test Engineer for acceptance testing of Bettis-designed reactors for nuclear submarines at Portsmouth Naval Shipyard; Lead Engineer for nuclear plant analysis of Skate Class Nuclear Submarines; Designer of power range instrumentation and reactor protection systems and hardware, USS NAUTILUS.

HONORS: Bettis Distinguished Service Award - April 1962, for outstanding contributions in engineering for submarine nuclear power plants and for guidance and effective co-ordination in the shipyard installation of propulsion systems in three classes of nuclear submarines.

Most Meritorious Patent Disclosure Award (with two others), Bettis Atomic Power i Laboratory -- 1963 PUBLICATIONS:

Author of numerous technical papers and reports, published and proprietary, on the following subjects:

Measurement of the dynamic responses and characteris-tics of nuclear power plants.

Transient behavior and control design for nuclear and fossil-fired steam generators.

Publications continued:

Generalized computer codes for calculating nuclear and fossil steam plant responses to normal and upset condi-tions.

Theory of operation and accuracy of flow measurement systems.

checkout, Descriptions and procedures on the theory, alignment and troubleshooting of control systems.

Evaluations of control room human factors and descrip-tions of measures for their improvement.

Holder of several patents, in addition to numerous patent disclosures, relating to power plant systems and controls.

1 i

M P R ASSOCIATES, INC.

NAME: Robert T. Fink DATE OF BIRTH: May 10, 1951 EDUCATION: BS Electrical Engineering Rice University - 1973 Summa Cum Laude Master of Electrical Engineerin'g Rice University - 1974 EXPERIENCE: 1974 -

present --

MPR Associates, Inc.

Analysis, evaluation an'd problem solving in connection with nuclear and fossil-fueled power plants. This work has included:

Development of checkout, alignment and troubleshooting procedures for on-line verification of the operation of automatic combustion, feedwater and feed pump control systems.

Stability and transient analyses, and testing of pneumatic and electronic control systems and components.

Development of mathematical models for dynamic analysis of both nuclear and fossil plant steam generators using digital and hybrid (analog-digital) computer techniques. Models have been applied in design and analysis of con-trol systems, and in development of control alignment and check procedures.

Dynamic analysis of water reactor primary coolant systems, including steam generator, reactor, pressurizer and relief valve dynamics for evalua-tion of plant thermal and pressure transients, control settings and operational procedures.

r Human engineering reviews of nuclear plant control rooms, including the conducting of walkthroughs of normal and emergency operations at a mockup, conducting tests and measurements of control room environment, and formulating improvements in human factors of the control room.

Experience continued:

Detailed engineering and human factors reviews of nuclear control room alarm systems, including formulation of guidelines for alarm system design, and supervision of the design and construction of a full-scale, dynamic alarm system simulator to test and evaluate improvements in alarm system design. This work included detailed reviews of the plant fluid and electrical systems, applying a formal set of guidelines to determine what conditions should be alarmed in the control room.

Summer 1973 -- MPR Associates, Inc. Special projects associated with central station nuclear power plants.

1971 -

1973 --

Part-time work for the Department of Electrical Engineering, Rice University. Participated in the assembly, testing, and documentation of the central processing unit for a research computer installation.

MEMBER: Institute of Electrical and Electronics Engineers IlONORARY SOCIETIES: Tau Beta Pi - National Engineering Phi Beta Kappa - National Scholastic AWARDS: Rice University Alumni Award for Outstanding Pifth-Year Electrical Engineering Student -

1974 1

l RESUMES FOR PERSONNEL OF IlUMAN FACTORS CONSULTANTS

1 1

JULIEN M. CHRISTENSEN BUSINESS ADDRESS: General Physics Corporation 1010 Woodmond Drive Dayton, Ohio 45432 Education: B. S., Accounting, University of Illinois, 1940 M. A., Experimental Psychology, Ohio State University, 1952.

PhD., Experimental Psychology, Ohio State University, 1959.

Experience: General Physics - 1981 - Present Chief Scientist - Human Factors Director, Human Factors Division, Stevens, Scheidler, Stevens, Vossler, Inc., 1978 to 1981. Consulting and applied research in areas of human factors, products liability / products safety and systems.

Professor, Department of Industrial Engineering and Operations Research. Wayne State University, 1977 to 1978. Research and teaching, primarily in areas of human factors (ergonomics), safety and environmental studies and systems.

Professor and Chairman, Department of Industrial Engineering and Operations Research, College of Engineering, Wayne State University 1974 to 1977.

Director, Human Engineering Division Aerospace Medical Research Laboratory, Wright-Patterson Air Force Base, 1956 to 1974.

Planned and managed major interdisciplinary human factors research and development program of the Air Force. Prograr.is included visual perception and displays, controls and control dynamics, effects of environmental factors (including weightlessness and partial gravity),

human performance modeling, maintainability, human reliability, information processing, decision-making, safety and physical anthropology.

Personnel included a wide range of skills such

' as experimental psychology, mathematics, physics, statistics, engineering, physiology and anthropology.

4 Research Scientist through Branch Chief Aerospace Medical Research Laboratory,

l Wright-Pa tterson Air Force Base, 1946 to 1956. Research and applications in experimental psychology and human factors engineering. Research on visual perception with simple and complex stimuli, effects of high brightnesses on visual functions, visual form field expansion, methods of activity analysis, workplace layout, navigation plotter design, weightlessness, and systems. Applications work included contributions to specifications, standards and handbooks and direct application of human engineering principles of numerous aircraft and command / control communication centers.

United States Air Force, 1943 to 1946.

Rank: Captain (Rated Navigator and Radar Observer). Staff of Air Fo rce Nav ig a tion Ins tr uc to r 's School . Construction and validation of academic and in- fl ig h t measures of proficiency in navigation.

Statistical Clerk and Personnel Technician United States Air Force Training Command, 1941 to 1943. Development and validation of tests for selection and classification of pilots, bombardiers and navigators.

Development of academic and in- fl ig h t criteria for navigation.

Adj unc t Professor , Wright State University, University of Dayton, Wittenburg University, and Sinclair University.

Visiting Lecturer, The University of Michigan's College of Engineering Summer Conferences, annually since 1960.

Visiting Lecturer, Air Force Institute of Technology ( AFIT) for more than 10 years.

Lecturer and technical adviser to Instituto Technologico y de Estudios Superiores, 7

Monterey, t'ex ico (one year).

Lecturer, American Psychological r

Association / National Science Foundation Visiting Scientist Program ( fo ur years).

Guest Lecturer at numerous other uni-versities, high schools, societies, etc. A representative sampling includes: Pu rd ue Univcrsity, Indiana Universi ty, Miami University, University of Cincinnati, The University of Michigan, Southern Illinois University; Tau Beta Pi, IEEE, AIIE, ASME, Dayton Engineer's Club.

Honors and Professional Affiliations: American Men and Women of Science, Who's Who Among Authors and Journalists, Community Leaders and Noteworthy Americans , Pen of Achievement, Notable Americans.

Fellow, Human Factors Society, 1970.

The Franklin V. Taylor Award (American i Psycholog ic al Association), 1969.

Honorary Faculty Member , Defense Weapon Systems Management Center, 1969.

Fellow, American Psychological Association.

Air Force A sociation Citation of Honor ,

1966.

Air Force Decoration for Exceptional Civilian Service, 1966.

Diplomate, American Board of Forensic Psychology. Listed in Forensic Se rv ic e Directory (1979).

National Science Foundation Fellow, 1957.

Julien H. Christensen Award (Annual award given by the Human Factors Association of Canada for the best student paper).

Designed Air Force D-2 Nav ig a tio n Plotter (Standard for over 25 years).

, Consul tan t : National Bureau of Standards (NBS); National Institute fo r Occupational Safety and Heal th (NIOSH); Air Fo r c es Office of Scientific Research; Air Fo rc es Human Pesources Laboratory; U.S. Army Duman

l t

Engineering Laboratory; Standard Oil of New Jersey; United Air Lines; Ford Motor Co.; &

others.

Chairman, SAE Human Factors Committee .

Chairman , NASA Behavior / Technology Committee Space Lab II and Orbital Flig h t Test Program (Evaluation of proposals for experiments in Space Lab I).

Member, NAS-NRC Vision Committee Working Group on Evaluation of Air Force Simulation Program. (1976).

Member, Board of Governors, Amer ican Society for Safety Research (1975-1979).

Member, U.S. Army Human Fac to r s Pescarch &

Development Review Board (1975).

Chairman, Human Factors Committee, Society of Automotive Engineers (1975-1977).

Member, Executive Committee, SAE Automobile Body Activity.

Member, U.S.A. Technical Advisory Group for ISO /TC-15 9 (Ergonomics) (1975-presen t) .

Co-chairman of NATO Advanced Study Institute on Hdman Fac to r s/ Ergonomic s :

Research Me thods, Bellag io , Italy, September (1971).

General Chairman, National Safe ty Council Industrial Safety Performance Measurement Symposium, Chicago, Illinois (1970).

Consultant to the National Safety Council on industrial and traffic sa f e ty (1968-1975).

Editorial Board, The Journal of Systems Eng in ee r ing (1969).

Editorial Board, Journal of Safety Research (1969).

Manned Orbiting Laboratory (MOL) Evaluation Group (1965).

l Consul tan t to the National Academy of Sciences Working Group on Role of Man in Space Research. Mr. R. W. Porter, Vice President, General Elec tr ic Company, Chairman (1965).

Co nsul tan t to the Na tional Academy of Sciences Working Group on Medicine and Phys iolog y , Dr. Loren Carlson , Chairman (1965).

Co-inventor with Dr. C. L. Kraft of "Soloon" (acronym for solar balloon), 1965.

Chairman of the Human Pe r fo rm anc e Scientific Advisory Committee for the Manned Orbiting Laboratory (MOL) program (1964).

Chairman of NASA /DOD Committee of Crew Performance; Technical Advisor to General Charles Roadman, Chief of Bioastronautics for NASA.

Editor and con tr ib uto r to the initial Crew Performance Plan for Cemini and Apollo fo r NASA.

Chairman of Air Force Systems Command Behaviorial Sciences Advisory Panel.

Member of Air Force Systems Command Medical Safety and Human Eng ineer ing Committee .

Advisor to , or member of, mock-up boards, review boards, and source selection boards for numerous systems, including B-47, B-50, B-52, B-66, 9-70, C-97, C-131, KC-135, Long Range Interceptor (LRI), and A/N CPS 6-8, developed procedures for the ef fec tive inclusion and integ ration of human engi-neering data during the development cycle of Air Force Systems.

Editor and co-author of Combat Nav ig a to r y Proficiency Test for Strategic Air Command.

(Test used to select lead crew navigators for European thea tre in World War II).

During World War II, developed with Dr. M.

J. Warrick first battery of tests for selection and classification of pilots, bombardiers and nav ig a to r s .

Aerospace Medical Association.

American Association for the Advancement of Science.

American Psychological Association, Division of Military Psychology.

Society of Engineering Psychologists.

Human Factors Association (Canada).

Human Factors Society (Past President).

International Ergonomics Research Society.

Society of Logistics Engineers.

Systems Safety Society.

American Society of Safety Engineers.

Licensed Psychologist, Ohio.

Y

THOMAS B. SHERIDAN Eusiness Address: Massachusetts Institute of Technology Room 1-110 77 Massachusetts Avenue Cambridge, Massachusetts 02139 Education: B.S., Purdue University, 1951. N.S.,

University of California, Los Angeles, 1954. Sc.D., Systems Engineering and Psychology, Massachusetts Institute of Technology, 1959.

Experience: Professor of Mechanical Engineering and Professor of Engineering and Applied Psychology, Massachusetts Institute of Technology, 1970 to present. Responsible for the Man-Machine Systems Laboratory; developed interdepartmental graduate degree program in Technology and Policy; teaches a graduate course in man-machine systems and the core Seminars in Technology and Policy; has taught control, design and other eng inee r ing subjects. Has conducted research on mathematical models of human operator and socio-economic systems; on man-computer interaction in piloting aircraft and in supervising undersea and industrial robotic systems; and on computer graphic technology for information searching and group decision-making.

Associate Professor, Massachusetts Insti-tute of Technology, 1964 to 1970.

Assistant Professor, Massachusetts Insti-tute of Technology, 1959 to 1964.

Instructor, Massachusetts Institute of Technology, 1956 to 1959.

Research Assistant, Massachusetts Institute j of Technology, 1954 to 1956.

Served as visiting faculty member at the University of California at Berkeley, Stanford University and the Technical University of Delft, Netherlands.

e

s Honors and '

Professional Affiliations- 1977 Recipient of the Human Factors Society's Paul M. Fritts Award for contri-butions to education. IEEE Systems Man and Cybernetics Society (past Presi_ dent). IEEE Committee on Technology Forecasting and Assessment (past Chairman). Formerly Editor, IEEE Transactions on Man-Machine Systems. Fellow, Human Factors Society.

National Institutes of Health, Study Sections on Accident Prevention and Injury Control. NASA Life Sciences Advisory Com-mittee. NASA Study Group on Robotics.

U.S. Congress ~OTA Task Force on Appropriate Technology. NSF Automation Research Council. NSF Advisory Committee on Applied Physical, Mathematical and Biological Sciences.

_ _ _ _ _ _ .

ML20076K354

Text

Navigation menu

Search