ML20078L385
| ML20078L385 | |
| Person / Time | |
|---|---|
| Issue date: | 09/19/1983 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| References | |
| NUREG-0835, NUREG-0835-DRFT, NUREG-835, NUREG-835-DRFT, NUDOCS 8310210152 | |
| Download: ML20078L385 (53) | |
Text
~
T//9/B3 NuREa-Osas w
KUMAN FACTORS REVIEW GUIDELINES FOR THE SAFETY PARAMETER DISPLAY SYSTEM
~
FINAL REPORT
/Nuaeg
% hoa 6
1 i'
jZa/6L-w
~ /fe5OWS bWV{
f p A/82ri d c b F Se?' r,8 /f 8 3 k
I
- BAT 68182830m 0835 R PDR
A8STRACT This report contains human factors engineering review guidelines developed by the Human Factors Engineering Branch (HFEB) of the Nuclear Regulato y Commis-sion (NRC).
These guidelinas will be used by the NRC staff in evaluating designs of the Safety Parameter Display System (SPOS).
These guidelines were developed for interpreting the requirements in Supplement 1 to NUREG-0737 that pertain to human factors engineering aspects of the SPOS.
These guidelines do n:t establish new requirements.
This report is a guidance document that presents review guidelines on the application of human engineering principles to the SPOS function and display.
Use of computer driven cathode ray tube (CRT) displays is anticipated for most General review guidelines for displays of plant safety status informa-plants.
?1ines.
tion by the SPOS are developed as well as specific SPOS review guid The information collection requirements covered by this document were approved 3150-0065 for by the Office of Management and Budget under Clearance No.
1 ip
- I
'l
?
'd s
TABLE OF CONTENTS Pagg iii Abstract.
vii Foreword................................
1 1
Introduction...........................
4 2
Role and Function of SPDS.....................
5 3
Scope of NUREG-0835 7
4 Use of SPOS Review Guidance 9
5.
Review Guidelines fo,r SPDS Requirements...............
11 5.1 Requirements, NUREG-0737, Supplement 1, Section 4.1.a..
11 5.1.10 Sub-Requirement (Concise Display).........
11 5.1.11 Guideline.....................
5.1.20 Sub-Requirement (Critical Plant Variables)..
11 12 5.1.21 Guideline.....................
5.1.30
' Sub-Requirement (Rapidly and Reliably Determing Safety Status)................:. '.
12 12 5.1.31 Guideline. l...................
5.1.32 Guideline.... $...........
7...
12 13 5.1.33 Guideline....jr................
14 5.1.34 Guideline...
.g.
14 5.1.35 Guideline.... p.
15 5.1. 40 Sub-Requirement (.W d Control Room Personnel)..
15 5.1.41 Gui del i ne.... F.................
16 5.1.42 Guideline..'...................
17 5.2 Requirement, NUREG-0737, Supplement 1, Section 4.1.b.
17 5.2.10 Sub-Requirement (Convenient Location)....
17 5.2.11 Guideline...............
17 5.2.12 Guideline.......
is 5.2.13 Guideline.....................
18 5.2.20 Sub-Requirement (Continuous Display).
18 5.2.21 Guideline.....................
i 20 5.3 Requirement, NUREG-0737, Supplement 1, Section 4.1.c..
20 5.3.10 Sub-Requirement (Procedures and Training).
20 5.3.11 Guideline...
21 5.3.12 Guideline.....................
22 5.4 Requirement, NUREG-0737, Supplement 1, Section 4.1.e..
5.4.10 Sub-Requirement (Incorporate Accepted Human 22 Factors Prir.cipios).
j 22 5.4.11 Guideline.....................
v
CONTENTS (Ccntinu:d)
.P, age 5.4.20 Sub-Requirement (Information can be readily 22 perceived and comprehended)............
22 5.4.21 Guideline.....................
5.4.22 Guideline............... r.....
23 24 5.5 Requirement, NUREG-0737, Supplement 1, Section 4.1. f 5.5.10 Sub-Requirement (Sufficient Information).
24 24 5.5.11 Guideline.....................
25 5.5.12 Guideline.....................
26 6
Review Guidelines fo'r SPOS Displays................
26 6.1 SPOS Data Display Formats...................
28 6.2 Display Techniques......................
6.2.1 Graphical Representation of Parameters..'.......
29 30 6.2.2 Identification of Displayed Parameters.........
30 6.2.3 Perceptual Aids....................
6.2.4 Display Patterns 31 32 6.2.5 Status Setpoints *..
32 6.3 Application to Examples of Otyplays
.....}................
32 6.3.1 Bar Chart.
34
- 6. 3. 2 Deviation Ba'r Chart. [................
36 6.3.3 Circular Profile F................
36 6.3.4 Chernoff Face......
Figure 1 Sicple Bar Chart Representation at Normal 33 Conditions Figure 2 Deviation Bar Chart Representation at Normal 35 Conditions Figure 3 Circular Profile Representation at Normal 37 Conditions Figure 4 Chernoff Face Representation at Normal 38 Conditions 40 7
Verification and Validation of SPOS 41 8
NRC Staff Human Factors Review of SPOS.......
42 9
References..................
Appendix A Glossary of Terms 4
vi
~.
FOREWORD The Nuclear Regulatory Commission's (NRC's) initial guidance on functional criteria for system performance of the Safety Parameter Display System was developed and published in NUREG-0696 (Ref. 1).
Subsequently, these guide-lines on functional criteria were reviewed and distilled into basic require-monts that have been published as Supplement 1 to NUREG-0737.
This report is a guidance document on the application of human factors cngineering principles to Safety Parameter Display Systems.
As a guidance document, it is not to be used as a source of requirements.
Rather, it is to be used as a source of guidance for NRC reviewers and licensees regarding teceptable means for meeting the basic requirements.
This report was prepared through the joint effort of personnel from the NRC, Division of Human Factors Safety, Human Factors Engineering Branch, and from the Lawrence Livermore National Laboratory, Nuclear Systems Safety Program.
Work was supported by the NRC. under a Memorandum of Understanding. with the United States Department of Energy.
The Human Factors Engineering Branch )cknowledges the efforts of Vincent G.
McGevna and L. Rolf Peterson of Lawreyce Livermore National Laboratory for their contributions to the 6evelopmert{ of these review guidelines.
Should there be specific questions rehrding the guidelines, the Chief of the Human Factors Engineering Branch may We contacted by calling (301) 492-4813 or by writing to the following address:
Division of Human Factors Safety Office of Nuclear Reactor Regulation U.S. Nuclear Regulatory Commission Washington, DC 20555 Attn:
Chief, Human Factors Engineering Branch ll I
1
- - = ~ =-- - -,. -
- e HUMAN FACTORS REVIEW GUIDELINES FOR THE SAFETY PARAMETER DISPLAY SYSTEM 1
INTRODUCTION The accident at Three Mile Island Unit 2 (TMI-2) and subsequent investigations have demonstrated the need for improving the presentation of plant and process information to reactor operators.
This is especially true when a nuclear power plant undergoes a major transient.
During a major transient, reactor operators are required to monitor and process large amounts of data to cscertain the operating status and safety status of the plant and to take cetions needed to maintain the plant in a safe condition.
Supplement 1 to NUREG-0737 (Ref. 2) states the requirements for an SPOS and describes the process to be used in coordinating and integrating the design of the SPOS with other emergency response facility initiatives as follows:
The design of the Safety Parameter Display System (SPOS), design of instrument displays based on Regulatory Guide 1.97 guidance,' ' control room design review, development of function oriented emergency oper-ating procedures, and operating gtaff training should be ifitegrated with respect to the overall enhahcoment of operator ability to compre-hand plant conditions and cope @th emergencies.
Assessment of infor-mation needs and display formatsiand locations should be performed by individual licensees.
The SPOS gould affect other control room improvementsthatlicenseesmaypnsider.
In some cases, a good SPOS may obviate the need for large-scale control room modifications.
Installation of the SPOS should not be delayed by slower progress on other initiatives, and should not be contingent on completion of the control room design review.
Nor should other initiatives, such as upgraded emergency operating procedures, be impacted by delays in SPOS procurement.
While the NRC does not plan to impose additional requirements on licensees regarding SPOS, the NRC will work with the industry to assure the development of appropriate industry standards for SPOS systems.
The requirements for the SPOS as stated in Supplement 1 of NUREG-0737 are:
l The SPOS should provide a concise display of critical plant a.
variables to the control room operators to aid them in rapidly and reliably determining the safety status of the plant.
l Although the SPOS will be operated during normal operations as well as during abnormal conditions, the principal purpose and l
function of the SPOS is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal i
conditions warrant corrective action by operators to avoid a L-
_1___________,__
degraded core.
This can be pr.rticularly importtnt during anticipated transients and the initial phase of an accident.
b.
Each operating reactor shall be provided with a Safety Parameter Display System that is located convenient to the control room operators.
This system will continuously display information from which the plant safety status can be readily and reliably assessed by control room personnel who are responsible for the avoidance of degraded and damaged core events.
The control room instrumentation required (see General Design c.
Criteria 13 and 19 of Appendix A to 10 CFR 50) provides the operators with the information necessary for safe reactor opera-tion under normal, transient, and accident conditions.
The SPOS is used in add.ition to the basic components and serves to aid and augment these components.
Thus, requirements applicable to control room instrumentation are not needed for this augmentation (e.g., GDC 2, 3, 4 in Appendix A; 10 CFR Part 100; single-failure requirements).
The SPDS need not meet requirements of the single-failure criteiia and it need not be qualified to meet Class 1E requirements.
The SPOS shall be suitably isolated from electrical or electronic interference with equipment and sensors that are in use for safety' systems.
The SPOS need not be seismically qualified, and additional seismically qualifi'ed indication is not required for the sole pyrpose of being a backup for SPOS.
Procedures which describe tRe timely and correct safety status assessment when the SPOS is* rand is not available, will be developed by the licensee it parallel with the SPOS.
Further-more, operators should be t ained to respond to accident condi-tions both with and withou he SPOS available.
d.
There is a wide range of useful information that can be provided by various systems.
This information is reflected in such staff documents as NUREG-0696, NUREG-0835, and Regulatory Guide 1.97.
Prompt implementation of an SPOS can provide an important con-tribution to plant safety.
The selection of specific information that should be provided for a particular plant shall be based on engineering judgment of individual plant licensees, taking into account the importance of prompt implementation.
The SPOS display shall be designed to incorporate accepted human e.
factors principles so that the displayed information can be readily perceived and comprehended by SPDS users.
f.
The minimum information to be provided shall be sufficient to provide information to plant operators about:
(i)
Reactivity control (ii)
Reactor core cooling and heat removal from the primary system (iii) heactor coolant system integrity (iv)
Radioactivity control (v)
Containment conditions
~
' = ~ ' ' -
Tha specific parameters to bn dispicycd shn11 ba datormin:d by the licensee.
The documentation requirements and planned NRC review are stated in Supple-ment 1 to NUREG-0737 as:
The licensee shall prepare a written safety analysis describing a.
the basis on which the selected parameters are sufficient to assess the safety status of each identified function for a wide range of events, which include symptoms of severe accidents.
Such analysis, along with the specific implementation plan for SPOS shall be reviewed as described below.
p b.
The licensee's proposed implementation of an SPOS system shall be reviewed in-accordance with the licensee's technical specifi-cations to determine whether the changes involve an unreviewed safety question or change of technical specifications.
If they do, they shall be processed in the normal fashion with prior NRC review.
If the changes do not involve an unreviewed safety ques-tion or a change in the technical specifications, the licensee may implement such changes without prior approval by NRC or may request a pre-implementation review and approval.
If the changes are to be implemented without prior NRC approval, the, licensee's analysis shall be submitted to NRC promptly on completion of review by the licensee's of{ site safety review committee.
Based on the results of NRC reviet, the Director of IE or the Director of NRR may request.or direef the licensee to cease implementation if a serious safety questioq is posed by the licensee's proposed system, or if the licensee' analysis is seriously inadequate.
This report is a guidance document'th'It presents review guidelines on the application of human factors engineering principles to the SPOS function and display.
These SPOS review guidelines prnvide guidance and information for both licensee and NRC staff reviews of an SPOS.
This report is intended to provide specific information that a reviewer may use to evaluate the human factors aspects of different SPOS installations.
Information also is provided on the two types of review that the NRC may conduct:
pre-implementation or post-implementation.
These review guidelines do not impose any new requirements.
3
2 ROLC AND FUNCTION OF SPDS The primary role of the SPOS is to help control room operating personnel make quick assessments of the plant safety status.
The principal purpose and func-tion of the SPDS is to aid control room operating personnel during abnormal cnd emergency conditions (1) in determining the safety status of the plant and (2) in assessing whether abnormal conditions warrant corrective action by operators to avoid a degraded reactor core.
During normal operations, the display should be monitored by the operating personnel in the course of per-faming their assigned monitoring tasks of plant operation.
This serves to integrate the use of the display into normal operations.
During emergencies, the SPOS should serve as an aid to control room operating personnel in evalu-cting the current plant safety status and in executing symptom-oriented emer-gency procedures.
In its primary function $ the SPOS should provide plant status infomation from an integrated display.
The SPDS will function during normal operations as well as during abnormal operations.
The system will continuously display informa-tion from which the plant safety status can be readily and reliably assessed by control room personnel who are responsible for the avoidance of degraded and damaged core events.
As an aid to control room personnel, the SPOS is analogous to the way the basic attitude and flight performance instruments of an aircraft provide status information to the pilot.
Control room operating personnel should be able to use the SPDS to detect abnomal conditions that could have
- safety significance.
Control room opgrating personnel should also be able to use the information provided by the SPOS as an aid in taking corrective action tomaintainorre-establish.safeplan} conditions.
Thus, the SPOS is a control room imor vement to:
enhance operator ability to comprehend plant conditions, aid operator ability to determine rapidly and reliably the safety status of the plant, and enhance operator ability to interact in situations that require human intervention.
The SPDS should provide a display of critical plant variables, derived variables, or safety functions to the control room operators.
W To use the system effectively, the operator must be trained in the use of the SPDS.
The human operator is the key subsystem in the plant that can inter t
plant operating information, synthesize plant processes, and assess p1 func-tions from the data provided on the display.
The displayed data ar read and processed by the operator to determine plant status.
The design f the SPDS display should consider the operator's needs and should use p ceptual aids
^
that assist in his plant synthesis and decision-making tasks A functional qualification program " - D " 4.c s.i t: # 'y emonstrate/ *nsumused operator performance in correctly assessing the safety status of t'ha plant wia&1 m7._
73 m - y.
4 g
,7 n
)
4
3 SCOPE OF NUREG-0835 The SPOS is a control room display device designed to incorporate human factors principles.
This document presents only SPDS review guidelines that tre related to huma'n factors engineering.
NRC review of the other SPOS
)
characteristics will be in accordance with existing NRC guidance.
The scope of the staff's review will be limited to the principal function of
)
The review will be bounded by the minimum set of plant variables, the SPOS.
equipment display units, and processing algorithms needed to achieve this Secondary functions, such as the performance monitoring
)
principal function.
of plant systems or safety systems and the presentation of data to assist the operator with detailed diagnosis of abnormal operating conditions, will not ba reviewed by the staff during this effort.
However, the review of secondary functions will be done by-the licensee under the Detailed Control Room Design R: view (DCRDR).
The review guidelines in this report can be generally applied to all types of SPOS displays; however, the trend in the nuclear industry is toward computer-driven cathode ray tube (CRT) displays.
Because most of the proposed SPOS d; signs in the technical briefings presented to the NRC staff have CRT dis-plays, this document emphasizes review of CRT displays.. Functional criteria for the SPDS do not rule cut the use of other types of displays in.SPOS
~
d: signs. Review guidelines for specific SPOS designs that do not use CRT displays will be developed case by casa, if needed.
f NUREG-0700 (Ref. 3) provides. general $i'elines that are applicable for human d
factors engineering review of visual displays, process computers, and CRT The SPOS as a display devic & has specialized functional require-displays.InreviewinganSPOS,thespe4ficdevice-orientedguidelinesinthis ments.
document should be used to complement Ehe general guidelines in NUREG-0700.
These specific guidelines are intended to help the reviewer evaluate the i
in NUREG-0700 is referenced where it is applicable;jhuman factor functional effectiveness of the SPOS.
The general.
In Section 5, Review Guidelines for SPOS Requirements, the guidelines are tabulated under applicable requirements.
Generally, examples are provided These for each guideline to illustrate acceptable human factors practices.
guidelines and examples are provided to aid a reviewer in evaluating if a given SPOS display is human engineered sufficiently to serve its intended For SPOS designs not covered by these examples, the
~
purpose and function.
NRC reviewer should use the human factors principles embodied in the guide-lines as an aid in evaluating if the design meets the intent of the requirements.
In Section 6, Review Guidelines for SPDS Displays, further clarification of Because computer-NRC guidance is provided for computer-driven CRT displays.
driven CRT displays offer considerable display format flexibility, proposed The information in systems will have a wide varidty of display formats.
Section 6 will aid a reviewer in examining each individual display objectively.
This section emphasizes important human factors aspects of the use of CRT dis-plays for the SPOS. Appendix A provides a gicssary of terms used in this report.
5
The use of n n-CRT typ;s of dispitys is not prsclud:d.
Thsse rsview guidslinss are not intended to be so restrictive that they eliminate consideration of other useful displays that are presently available or that may be developed as tech-niques for data presentation evolve.
r O
7
-f 6
4 USE OF SPOS REVIEW GUIDANCE The review guidelines provided in Sections 5 and 6 of thi; report should be used to evaluate an SPDS for incorporation of accepted human factors principles in the display of plant safety status by the SPOS.
The human factors review guidelines provided in this document should be used in conjuction with guide-lines provided in NUREG-0700, " Guidelines for Control Room Design Reviews" (Ref. 3).
NUREG-0700 provides human factors information that may be used ts guidelines for conducting a detailed control room design review (DCRDR).
The DCRDR examines existing control rooms with the objective of improving the human factors of man-machine interfaces that have safety implications.
NUREG-0801 provides information that may be used as an aid in evaluation of a DCRDR by a reviewer.
A reviewer should be familiar with the general human factors guidelines in NUREG-0700, especially the following sections:
Section 6.5, Visual Displays, which includes principles of display, meters, light indicators, and graphic recstders; Section 6.6, Labels and Location Aids, wiiich includes labeling principles, label location, label content, and location aids; Section 6.7, Process Computers, which includes computer a& cess, CRT displays, and printers; and,
y Section 6.8, Panel Layout, qich includes panel contents, recognition and ide'ntification enhancement, and layout arrangement factors.
(
SPDS reviewers may use and cite other sources of human factors evaluation guidelines that they consider applicable to the particular SPOS installation Section 9 references other useful sources.
All of these being reviewed.
references contain extensive bibliographies of specific information.
l A reviewer evaluating SPOS systems that use CRT displays should be familiar References with CRT technology and its application to nuclear power systems.
5, 6, and 7 provide general information on the design of CRT-based display systems.
A document detailing human engineering design data for CRT-based disolay sys-This document (Ref. 8) identi-tems has been developed by an NRC contractor.
fies relevant issues related to human performance in conjunction with the use of CRT generated displays.
Another recent NRC contractor report (Ref. 9) presents numerous ways of displaying multivariate data in nuclear process Reference 9 draws some conclusions on the suitability of various control.
displays for monitoring the status of process variables in reactor control However, those conclu.aions do not necessarily apply to the special functional requirements for SPDS displays that are designed to aid the control rooms.
room operators detect abnormal plant conditions and determine plant safety Neither Reference 8 nor Reference 9 have been reviewed in detail by status.
the NRC staff.
7
When oth;r saurc;s of human fcctors guid311ncs cro uscd, ths reviewer shsuld v;rify that they are pertinent to evaluation of an SPDS and that the SPOS functional requirements are met.
t e-f.
I s
. - - ~. -,., -. _
5 REVIEW GUIDELINES FOR SPOS REQUIREMENTS The SPOS requirements and review guidelines are presented in tabular form in this section. These SPOS review guidelines address all SPOS display systems with emphasis on guidelines applicable to CRT display systems.
The SPOS requirements from NUREG-0737 Supplement 1 are repeated here and then broken into sub-requirements.
Guidelines are provided for each sub-requirement In to illustrate human factors principles related to the sub-requirement.
tddition, examples are generally provided for each guideline to illustrate These examples are not meant to be compre-acceptable human factors practices.
hensive, and other examples of acceptable human factors practices are possible.
Also, where appropriate, the guidelines and examples are cross 4 eferenced to NUREG-0700, Section 6.0, Control Room Human Engineering Guidelines.
1 In the human factors review of an SPOS, the NRC reviewer could use the guide-lines and examples presented as an aid in evaluating conformance to NUREG-0737 For SPOS designs not covered by these examples, the Supplement 1 requirements.
NRC reviewer should use the human factors principles embodied in the guidelines Additional clarifica-as an aid in evaluating conformance to the requirements.
tion of some of the key guidelines and other appropriate human factors principles q
are provided in Section 6, Review Guidelines for SPOS Displays, of this report and in Section 6, Control Room Human Engineering Guidelines, of NUREG-0700.
With regard to NUREG-0700, the NRC reviewer should focus upon the-gdidelines associated with control room workspace, visual displays, labels and location aids, process computers, and panel laygut in reviewing SPOS designs.
Y^
ffec-
_The nuclear industry has also' generate ( and published guidelines for an eThe gu tive SPOS implementation program (Refefence 12),
Publications es a Nuclear Utility Task Action Commiitae (NUTAC) publication.
issued by a NUTAC represent a consensuF of utilities represented in the NUTAC.
These publications are not intended to be interpreted as industry standards.
Instead, the publications are offered as suggested guidance with the under-standing that individual utilities are not obligated to use the suggested guidance.
The above described NUTAC was not formally submitted by the industry for NRC l
The NRC conducted an informal review of the report and found both review.
For positive points, the report is well struc-positive and negative points.
tured and it provides excellent guidance on program planning, system design, installation, and maintenance of the display.
However, the negatives points consisted of:
The use of an operational control room as a test bed for the SPOS This is a case where has the potential for misleading operators.
The control display design flexibility may be detrimental to safety.
room should not be used as a test bed for the SPOS in its development f
In addition, it should not be possible to place or its maintenance.
the SPOS into a test' mode from outside the control room.
The sole use of status lights--one for each critical safety function--is not adequate for an SPOS.
The parameters associated j
with each critical safety function should also be available for display and operator assessment.
t 9
The SPDS should be capablo of monitoring tho status of critical safety functions for all operating modes, including refueling and cold shutdown.
As a minimum, the SPDS should have the capability of mor.itoring the reactivity control function during refueling and cold shutdown.
The SPOS should also contain trend data for the key parameters displayed.
The reasons are it Enhances use of operating procedures, Enhances detection of abnormal operations, Enhances operators prediction capabilities.
The NRC reviewer should consider the above points when reviewing an SPOS d; sign which references the subject NUTAC publication.
y j
r h-b s
l I
. ' NUREG-0737, Suppl. 1, Recuirements & Review Guidelines 5.1 Requirements, NUREG-0737 Suppl.1, Section 4.1.a "The SPOS should provide a concise display of critical plant variables to the control room operators to aid them in rapidly and reliably determining the safety status of the plant. Although the SPOS will be operated during normal operations as well as during abnormal conditions, the principal purpose and function of the SPOS is to aid the control room personnel during abnormal and emergency etnditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to avoid a degraded core.
This can be particularly impor-tant during anticipated transients and the initial phase of an tecident."
5.1.10 Sub-Requirement "The SPOS should provide a concisa display 5.1.11 Ghideline A concise display of parameters will aid the operator in comparing #
information from related plant functiops and in assessing the safety status of the plant.
)1-Some examples
- of how this gu'ideling c5uld be achieved are:
the SPOS parameters are presente 4on the single primary display or a group of displays at a sing 1F location, or the display formats utilize patterns and display enhancements which contain the parameters.
5.1.20 Sub-Requirement "The SPOS should provide a concise display of critical plant variables.
5.1.21 Guideline A set of critical plant variables minimizes the number of plant variables needed in the operators task of evaluating plant safety.
The basis for selection of the minimum set of parameters in the primary display should be documented as part of the design.
"The parameters must be the ones determined by the licensee to be provide the information needed by the operating crew sufficient to to evaluate the safety status of the plant.
~--~-----------u
NUREG-0737, Suppl. 1, Requirements & Review Guidelines An example of how this guideline could be achieved is:
the licensee prepares a written safety analysis describing the basis on which the selected parameters are sufficient to assess the safety status for a wide range of events, which include symptoms of severe accidents, and takes into account human factors considerations.
5.1.30 Sub-Requirement "The SPDS should provide a concise display of critical plant v riables to control room. operators to aid them in rapidly and reliably determinina the safety status of the plant."
5.1.31 Guideline In order for the operator to rapidly and reliably determine the safety status of the plant, the displayed data should represent the current and correct :tatus of plant variables.
Some examples of how this guideline could be achieved are:
thesamplingrateforeachparamekerissuchthatthereisno meaningful loss of information frirthe data presented to the operator, or
_ )
the time delay from when the senshe signal is sampled to when it is displayed should be consistmnt with other control room displays and should be responsive to operator needs in per-
.l forming assigned tasks, and i
For each of the above examples:
each parameter is displayed with an accuracy sufficient for the operator to discriminate between abnormal conditions which ct safety and normal operating conditions.
5.1.32 Guld i
In order to keep the operator current with the status of the plant, the display should be responsive to transient and accident saquences.
k
NUREG-0737, Suppl. 1, Recuirements & Review Guidelines An example of how this guideline could be achieved is:
operator comprehension of a change in the safety status of the plant from the SPOS display could be achieved in a matter of seconds,* and the display system correctly portrays plant safety status information for a wide range of events and includes symptoms of severe accidents.
GuidelineI 5.1.33
~
To prevent misleading the operator, displayed data should be validated en a real time basis where pract Some examples of how this guideline could be achieved are:
comparing redundant sensor readings prior to the display of the parameter.
(For further guidance, see Section 6.7.2.7 of NUREG-0700) or using analytical redundancy 'among,different parameters and,
using models and equations that have been documented and validated,*** or J-
. j r
- The SPDS should provide timely information for the operating crew I
to use in conjunction.with other information available to support j
knowledge-based behavior in rapidly and reliably determining safety status and assessing whether corrective action is needed.
- This guideline ensures the display of reliable data and information to control room personnel.
The display of faulty data and informa-tion may mislead control room personnel.
- 0perating regimes or conditions where the equations used by the SPOS are not valid, such as the transition to two phase liquid-vapor conditions in the primary coolant system of a PWR, should be identified and documented.
The design of the display hardware, computer hardware and computer program for the SPOS should provide This feature the capability for future upgrading snd additions.
allows for future improvements in the design, should it be neces-sary to do so.
e e
,g 4/A SP:P5(A teccc s, su
%Kw M sk y &DSX
NUREG-0737, Suppl. 1, Reauirements & Review Guidelines validated data, unvalidated data *, and invalid data are identified and coded where practical.
(For further guidance, see Section 6.7.2.7 of NUREG-0700) 5.1.34 Guideline To instill operator confidence in the display of reliable data, the control room operations staff should be provided with sufficient information and criteria for performance of an operability evalua-tion of the SPDS, such that an SPOS system failure is easily recognized.
Some examples of how thii guideline could be achieved are:
designing an automatic or user-activated operability monitoring feature.
(For futher guidance, see Sections 5.7.2.6 and 6.7.2.7 of NUREG-0700) or, designing a display of calendar date and time of day.
The display would be updated only when the system is operating properly so that a static time would indicate a system failure.
The date and time would be located in a corner of the display l
soasnottodistracttheoperat)r.
9 5.1.35 Guideline-
.{
t To ensure' the display of reliable dath a functional qualification program should be established to demd a trate SPOS operational confor-mance with the functional design criteria.
Some examples of how this guideline could be achieved are:
a test plan is available for the display system.
The test plan should define a minimum of one test case for each major func-tional criterion of the display system.
The object of the test case is to illustrate the correct performance of the implemented design, and a test report containing the results of the test l
cases is compiled, and L
- 0perator knowledge of the validity of data is important in correctly assessing the safety status of the plant.
Under'some conditions unvalidated data on the SPOS may be a useful cognitive aid to trained operators in determining the safety status of the plant and determining s
When the SPOS design allows whether human intervention is needed.
presentation of unvalidated data, the SPOS users should be aware of this condition so that they will not be misled by the data.
l 14
NUREG-0737, Suppl. 1, Recuirements & Review Guidelines a trained control room operating crew can effectively use the y
SPDS to rapidly and, reliably assess the safety status of the O 7 plant e p 4 A
[A a+%,, me A 4
- v W
a human factors review of the SPDS in accordance with appropriate portions of NUREG-0700.
5.1.40 Sub-Requirement "Although the SPDS will be operated during normal operations as well ts during abnormal conditions, the principal purpose and function of the SPDS is to aid the control room personnel durina abnormal and esercency conditions in determinina the safety status of the plant rnd in assessina whether abnormal conditions warrant corrective I
tctions by operators to avoid a dearaded core."
5.1.41 Guideline To aid control room personnel in evaluating the safety status of the plant during transients and accidents, the display should be capabl,e of presenting magnitudes and trends of parameters or derived' variables.
~
Someexamplesofhowthisguidelinesdhuldbeachievedare:
-y.
thedisplayoftimederivativesplieuoftrendsmaybe acceptable,* or
~
The SPDS display format has the pability of indicating trends of each SPDS parameter.
(For further guidance, see Sections 6.7.2.1 and 6.7.2.8 of NUREG-0700) l l
l l
1
" Display of the time derivatives of variables is acceptable when the derivatives unambiguously reflect the trends in the variables.
The algorithm used for time derivations must be adequate to track transients or oscillations of plant variables that may exist during severe accident events for the plant.
m
NUREG-0737, Suppl. 1, Recuirements & Review Guidelines And for each of the atieve examples:
trend data is displayed with sufficient resolution in time and magnitude to ensure that rapidly changing parameters are ac-curately displayed.
The frequency bandwidth of the signal measurement system, sonsisting of sensor, signal processing devices, and trend display device should be broad enough to transmit information of the measured parameter or derived variable without extraneous background noise.
Further guidance may be found in Section 6.1, SPDS Data Display Formats.
5.1.42 Guideline To aid the operators in the detection of abnormal conditions which warrant corrective actions by operators, the SPDS, where feasible, should include some audible notification cue to alert personnel of the abnormal operating condition."
An. example of how this guideline.could be achieved is:
the display system emits a distikt audible sound, such as the beeper available on compute.rter$n'als,upondetectingan abnormal operating condition, (Fcr further guidance, see Sections 6.2.2 and 6.3.2 of NUREG-0700) and the SPDS alarm system has provishns to silence, acknowledge, reset, and test these functions, as appropriate.
(For further guidance, see Sections 6.3.4 of NUREG-0700)
Q Su
.A Y
sC4t.l.d p-f, sab4d~ &/ Ar "
\\
p Qf y
&f2&
- An audible cue from the SPDS need not meet the sound level intensity requirements given in NUREG-0700.
SPDS audible cues should be inde-pendent of the annunciator system and should not result in the gener-Audible ation of the same audible alarms as the annunciator system.
cues for SPDS users should not be confused with annunciator alarms.
At the licensee's option, abnormal conditions of SPDS parameters may be used to initiate annunciator alarms.
~ - - - - -
is,_, _ __ _
NUREG-0737, Suppl. 1, Recuirements & Review Guidelines 5.2 Requirement, NUREG-0737, Supol.1, Section 4.1.b "Each operating reactor shall be provided with a Safety Parameter Display System that is located convenient to the control room oper-This system will continuously display information from which ators:
the plant safety status can be readily and reliably assessed by c:ntrol room personnel who are responsible for the avoidance of degraded and damaged core events."
5.2.10 Sub-Requirement "Each operating reactor shall be provided with a Safety Parameter Display System that is located convenient to the control room operators."
5.2.11 Guideline To be convenient to control room operators, the SPOS may be located en the control board.
If'the SPDS is part of the control board, it must be easily recognized and readable.
An example of how this guideline 'could be achieved is:
theSPOSisreadilydistinguishe$ce,motherdisplaysonthe fro control board, (For furf.her guidan see Sections 6.1 and 6.8 of NUREG-0700) and the display meets the intent of e appropriate display readability guidel'ines stated in NUREG-0700.
(For further guidance, see Section 6.7.2 of NUREG-0700) 5.2.12 Guideline The display should be located convenient to the control room operators and where control room personnel who are responsible for the avoidance of degraded and damaged core events can observe the SPDS display.
Some examples of how this guideline could be achieved are:
The display d 5: readi_1y accessible to the y
y
./w.,f-W
~ x & ' ! M y A k,,n w.,8 Shift Supervisor
/
Control Room Senior Reactor Operator Shift. Technical Advisor l
One Reactor Operator 27/
NUREG-0737, Suppl. 1, Requirements & Review Guidelines members of the control room operating crew have physical access to the SPDS 1--
... Z. : '.; t;t L.. _ - _
e w
For each of the above examples:
glare from normal or emergency lighting does not restrict viewing of the SPDS from within the control room and luminance levels and luminance contrast do not limit viewing of the SPOS display.
(For further guidance, see Sections 6.1.5.3 and t
6.7.2.1 of NUREG-0700) control of images displayed in the control room SPOS resides with the control room operations crew and not with personnel outside of the control room.
5.2.13 Guideline To be convenient to control operators, the display system should not interfere with the normal movement of the control room operation The display system sh'ould not interfere with full visual.
e crew.
access to other control room operating systems and displays impor-tant for safe operation.
This guideline is self-evident; howev$, additional guidance may be found in Sections 6.1.1 and 6.1.2 of RUREG-0700, t
5.2.20 Sub-Requirement h
"This system will continuously display information...."
1 5.2.21 Guideline 4
The primary display may be a continuous indication of individual plant parameters or may be composed of a number of measured vari-ables or derived variables.
The main concern is that the SPOS users are made aware of important changes in safety parameters when they occur and that the SPOS users can readily obtain information from the SPOS to aid in determining the. safety status of the plant.
A continuous single format primary display is not required.
--,-a,
NUREG-0737, Suppl. 1, Requirements & Review Guidelines Some examples of how this guideline could be achieved are:
a dedicated display, such as a CRT, continuously displays the minimum parameter set necessary to assess the safety status of the plant, or a hierarchical display system is used with operator-controlled means to access all levels of display frames needed to evaluate the safety status of the plant.
(Further guidance may be found in Section 6.1, Display Formats), or audio or visual cues are provided by the system to alert an operator to return to the primary display frame while viewing secondary information.
(Further guidance may be found in Section 6.2, Display Techniques) 8 O
y.
T
~
O
-w-----w.-
-,--v,-
NUREG-0737, Suppl. 1, Requirements & Review Guidelines 5.3 Requirement, NUREG-0737. Suppl.1.
Section 4.1.c "The control room instrumentation required (see General Design Criteria 13 and 19 of Appendix A to 10 CFR 50) provides the oper-ctors with the information necessary for safe reactor operation under normal, transient, and accident conditions. The SPOS is used in addition to the basic components and serves to aid and augment these components.
Thus, requirements applicable to control room instrumentation are not needed for this dugmentation (e.g., GDC 2, 3, 4 in Appendix A; 10 CFR Part 100; single-failure requirements).
The SPOS need not meet requirements of the single-failure criteria cnd it need not be qualified to meet Class 1E requirements.
The SPOS shall be suitably isolated from electrical or electronic inter-forence with equipment and sensors that are in use for safety system.
The SPOS need not be seismically qualified, and additional seismically qualified indication is not required for the sole purpose of being a backup for SPOS.
Procedures which describe the timely and correct safety status assessment when the SPOS is and is not avaialable, will be developed by the licensee in parallel with the SPOS. Furth9r-more, operators should be trained to respond to accident conditions both with and without the SPOS avail le."
5.3.10 Sub-Requirement 7
-1 '
" Procedures which describe the timelyland correct safety status tssessmentwhentheSPOSisandisno{DS.Furthermore,operatorsavailatle, will be dev by the licensee in parallel with the WP should be trained to respond to accident conditions both with and without the SPOS available."
5.3.11 Guideline As the SPOS is not a 1E qualified display, compensatory measures should be provided for the operators when the SPOS is inoperable.
An example of how this guidance could be achieved is:
operating procedures and training are provided to the control room operating crew that will allow timely and correct safety status assessment when the SPOS is not operating.
5.3.12 Guideline No additional operating staff other than the normal control room operating staff should be needed for operation of the display.
20.
NUREG-0737, Suppl. 1, Requirements & Review Guidelines An example of how the guideline could be achieved is:
the operator training program contains instruction and training in the use of the SPDS in conjunction with operating proceduras for normal, abnormal, and emergency operating conditions, and an SPOS user's manual is available for reference in the control room.
I 7'
h I
l 21
NUREG-0737, Suppl. 1, Requirements & Review Guidelines 5.4 Requirement, NUREG-0737, Supol. 1, Section 4.1.e "The SPDS display shall be designed to incorporate accepted human factors principles so that the displayed information can be readily preceived and comprehended by SPOS users."
5.4.10 Sub-Requirement "The SPOS shall be designed to incorporate accepted human factors principles...."
5.4.11 Guideline The display format shall be designed to incorporate accepted human factors principles.
Some examples of how this guideline could be achieved are:
the display format meets the intent of the applicable display guidelines in-Section 6.0 of this document, and the SPOS display meets the inten of the display guidelines.in NUREG-0700, (For further guidanc, see Section 6.7.2 of NUREG-0700), or 1
r the display format meets the int t of other pertinent and compatible documented human fact s guidelines cited by the licensee for displays.
j Further guidance on human factors principles may be found in Section 6, Review Guidelines For SPDS Displays.
5.4.20 Sub-Requirement "The SPOS display shall be designed to incorporate accepted human factors principles so that the disolayed information can be readily perceived and comorehended by SPOS users."
5.4.21 Guideline I
Pattern and coding techniques are accepted human factors design f
practices to communicate data and information to humans from displays.
l Pattern an coding techniques should be used in the SPOS to assist operator detection and recognition of unsafe plant opei ating conditions *.
I i
- Also see Section 6.3, Ofsplay Techniques.
h l
I
/w& sf & 6 7 b s (wSe <& 8 N4L
.n4,
LT?
A-
=
l
- i.. 'NUREG-0737, Suppl. 1, 1
\\ Recuirements & Review Guidelines
.h Some,cxamples of how this guideline could be achieved ara:
the use of color coding to indicate the approach to unsafe operation and to indicate unsafe operation, (For further guidance, see Section 6.7.2.7 of NUREG-0700), or the use of limit marks for each parameter displayed.
The Ifmit
)
marks should be representative of operational limits estab-lished by technical specifications, process limits, and safety system actuation setpoints,- if applicable, or the use of patterns..which noticeably distort when an unsafe f' ^
condition is approached.
t a
,Further guidance may'be found in Section 6.2, Display Techniques.
5.4.22 Guideline To be readily perceived and comprehended, the SPOS display should be readablefromthelemergencystationofthepersononthecontrol room operating crew responsible for evaluating the safety status of the plant.
An example of how this guideline couldFbe achieved is:
E the display design meets the intakt of the appropriate display
~
I readability guidelines stated in UREG-0700, such as viewing distance, viewing angle, flicker noise, contrast, and screen location for standing and seated operators at the designated l.
operating crew member's station.
(For further guidance, see Section 6.7.2.1 of NUREG-0700) e s
t n
s* * ' ' -
.re-.,,,--.
'[g t
9I NURECN0737, Suppl.-1, g
g Requirements & Review Guidelines 5.5 Requirement. 'NUkEG-0737. Supp 1. Section 4.1. f 3
"The miniaum information to be provided shall be sufficient to l\\
provide information to plant operators about:
(i)
Reactivity control i
u 3
(ii) Reactor core cooling and heat removal from the primary 1
system 8
(iii)Reactorcoolantsysteminteg[rty b
G h,u (iv) Radioactivity control R
1 yk (v)
Containment conditions
%i The specific parameter to be displayed shall be determined by tne R
licensee.
N I 5.5.10 Sub-Requirement e
M "The minimum information to be o'rovided shall be sufficient to y
provide information to plant operatort about:"
5.5.11 Guideline gf[us
- h *Z'"""#
4g g To operate the plant safely during a of plant o eration, the 4
oper r must be able to evaluate ts.
rocess functio important to-j ety.4 The design of the display s ld have a single primary sdisplay _ format for each mode of plant operation.*
?
Some examples of how this guideline could be achieved are:
k the design has a display frame for each mode of plant
^
L operation, or the design provides a. primary display supported by a coordinated set of hierarchi. cal subordinate displays for each mode of plant operatio,n, and
- Display frames composed of the same sets of parameters or the same sets of hierarchical displays may be used in common for several modes of plant operation.
Top level displays that are plant mode independent and supported by mode dependent subordinate displays may be desirable.
i r:,, -
s j
i.
w
NUREG-0737, Suppl. 1, Requirements & Review Guidelines for each mode of operation, the displays contain the minimum set of indicators and data needed to assess the plant functions that are used to determine the safety status of the plant.
Some typical modes of plant operation are:
1.
Power Operation 2.
Startup 3.
Hot Standby 4.
Hot Shutdown 5.
Cold Shutdown 6.
Refueling 5.5.12 Guideline For each plant operating mode, display formats may either be
.tutomatically displayed or manually selected.
I Some examples of how this guideline could be achieved are:
a manually operated switch pr input from an alpha-numeric.
keyboard, touch panel, light pen, cursor, or equivalent interface is provided by the destgn to allow the operator toadjustthedisplayformatforJthemodeofplantopera-tions, or
. j automaticdisplayformatchange.jpeurswithachangeinthe mode of plant operations.*
-l t
- Automatic change of the display format should be designed so that neither a gradual nor a rapid change in plant behavior due to an abnormal condition is automatically interpreted as a change in plant mode of operation.
Provisions should be included for the operator to override automatic disniay format changes when necessary.
There should be provisions in the display to indicate to the operator that a change in the mode of plant operation has occurred.
-y.
_,.,,r
.__,-_.,,,,,._.,__,___m,
,....,,__.__......__......__..._,_.._-.m_,.
6 REVIEW GUIDELINES FOR SPOS DISPLAYS Design specifications of SPOS, systems and displays are not explicit in the NRC requirements.
Those examples of displays given in this report are provided for l
information only, to help reviewers interpret and use the review guidelines.
The primary function of the SPOS is to assist the control room operating personnel who are responsible for safe plant operation in their assessments of the safety status of the plant.
Assessment of the plant safety status is a i
continual repetitive task during all conditions of plant operation.
In its primary function, the SPOS should provide plant status information from an integrated display during normal, abnormal, and emergency conditions.
The SPOS should be designed to enhance the functional effectiveness of control room personnel.
The human operator trained in the use of the SPOS should be able to readily use the information provided by the SPOS to assess important plant functions and determine plant safety status.
The design of the SPOS displays should consider the operator's needs and should use perceptual aids that assist the operator in the plant synthesis and decision'-making tasks.
This section focuses on the use of computer driven CRT displays.
Reviews of several display formats are' provided with a discussion of important features of each that are pertinent to the SPOS functions.
The use of SPD.S displays other than CRTs is not precluded.
These review guidelines are not' intended to be so restrictive that they eliminate consideration of other display designs.
~
I 6.1 SPOS Data Display Formats
+.
[
The mechanism for displaying the SPOSIsafety information is not rigidly speci-presented on a single display device p[he primary SPOS display fo fied in Supplement 1 to NUREG-0737, r.a group of display devices concentrated at a single location specifically designated fo'r the SPOS.
During plant operation, the primary SPOS display should contain information to accurately indicate the status of the plant functions important to plant safety.
The SPOS should display a minimum set of plant parameters from which the safety status of the plant may be assessed.
The minimum set of parameters and the combinations of parameters needed to characterile each plant function were not defined.
The staff recognizes that the minimum set of parameters are plant dependent and should be determined by the licensee.
Plant functions important to the evaluation of plant safety status include, but are not limited to:
Reactivity control Reactor core cooling and heat removal from primary system Reactor coolant system integrity Radioactivity control Containment integrity The licensee may determine what information about other plant functions is also important to assess plant safety status.
The SPOS may provide a single primary display format, or it may use a system of primary and secondary display formats.
When a single primary display is 26
used, all information needed for the operators to assess the plant safety status should be continuously visible to the operators.
When the SPOS is concentrated in a single CRT display, the quantity of information sufficient to evaluate plant safety status may be too dense for rapid and reliable use by the operators.
A combination of primary and secondary displays may be used for the SPOS.
The primary display may provide information about a selected set of key parameters, derived variables, or plant functions, or it may provide safety indicators to inform the operator of a change in plant safety status.
With limited informa-tion displayed on the primary display, the SPOS should prompt the operator how to readily obtain more detailed data from the secondary displays.
The combined primary and secondary SPOS displays should provide data on the complete set of pcrameters used to assess plant safety status.
Use of primary and secondary displays generally involves operator interaction with the SPOS to select a display and present it on a display device.
When a system of primary and secondary displays is used, the displays should be organized in a hierarchy to facilitate operator access to infomation and manipulation of the displays.
C~omputer-driven CRT display systems are well suited to the use of hierarchical display schemes with operator interaction.
The top level display cf a h'ierarchical SPOS display system could be composed of status indicators that provide information on the state of general plant functions.
These indicators should p vide the operator suffici. ant information to detect a change in plant safety s us and to selectively access appropriate lower level displays.
A well-designe hierarchical display system allows the operator to readily access all levelsjof displays in the hierarchy.
l In a hierarchical SPOS design, the to level display may be erased when the operator is seeking more detailed inf
' tion provided by a lower level dis-play.
If the primary display is not continuously visible, provisions should be made to notify the operator of important changes in the status of plant
. functions that require attention.
All lower level displays should provide a simplified presentation of the status of general plant safety functions in addition to their detailed information, or they should signal the operator to The return. to a higher level display when a change in safety status occurs.
hierarchical display system should have means to quickly return to the primary display or appropriate higher level displays.
The information displayed by SPOS displays should be organized in formats that are easy for the operator to read and interpret.
Acceptable SPOS display for-mats may present plant safety status information in combinations of alpha-numeric, symbolic, or graphic form and may present plant parameter data in analog or digital form.
Display formats should be designed so that each j
specific element in a display corresponds directly and unambiguously with a single parameter.
Generally, each element of the display should have a label l
or other readily understood identifier that specifically associates that dis-play element with the parameter it represents.
l Quantitative information about the magnitudes and time-dependent trends of the parameters used for the SPOS should be presented to help the operator assess the severity and dynamics of abnormal plant conditions.
Magnitude and trend l
_y
information need not always be present on tha primary display provid:d that the SPOS design allows the person using the display to readily access this in-formation as needed.
Magnitude and trend data may be provided on lower level displays when a display hierarchy is used.
SPOS trend displays that show quantitative rate of change of a parameter to-gather with the direction of change are acceptable provided the rate informa-tion accurately represents the trend of the parameter.
Trend rates presented to the operator should not fluctuate as a result of minor parameter fluctuations or oscillatory behavior which may be superimposed on a well defined trend of the parameter.
When a simple quantitative rate of change value is used, an indication should be provided to inform the operator when that rate value does not accurately represent the trend of the parameter as a result of minor fluc-tuations or oscillations.
Time history data of primary parameters displayed or used in deriving safety-functions should be available to the control room operating crew.
This time l
history need not be presented on the SPOS if accurate data in a conveniently usable form are readily available in the control room from other data recording instruments, such as chart recorders or process compute'r records.
A time history of each safety status parameter sufficient.in time length and accuracy to depict the onset and development of abnormal conditions from the preceding normal operating conditions should be provided.
A presentation of time his-tory data by the SPDS may be made on either the primary SPOS display or on secondary displays.
~
I
[
6.2 Display Techniques
_ i Because the primary function of the SPDS is to assist control room operating personnelinevaluatingthesafetysthtusoftheplant,thedisplayshould provide enhancements to improve the operator's perception, comprehension, and detection of abnormal operating conditions significant to safety.
The display of abnormal operating conditions significant to safety should be distinctly different in appearance from the display of normal operating conditions.
This distinction allows the control room operating crew to readily detect and identify abnormal operating conditions when they occur.
Computer-driven CRT displays allow use of a wide variety of techniques to differentiate normal from abnormal conditions.
Review guidance is provided for several techniquas to ensure that, if used, each technique will provide an acceptable enhancement for the SPDS display.
Much of what is contained in this section, however, may not pertain to any one particular display.
The display enhancement techniques discussed are (1)
Graphical Representation of Parameters (2)
Identification of Displayed Parameters (3)
Perceptual Aids (a) Color (b) Symbols and Mimics (c) Graphic Overlays (d) Blinking and Flashing (4)
Display Patterns (5)
Status Setpoints 28
Display enhancement techniques other than those listed may also be acceptable.
6.2.1 Graphical Representation of Parameters SPDS displays may ;'rovide graphical representations of measured or derived plant parameters.
When a graphical representation is used, a change in the value of a displayed element should be readily interpreted as a corresponding change in the magnitude of the associated measured or derived parameter.
Generally a user most readily understands a limear relationship between the magnitude of the measured or derived value of the parameter and the display olement used to depict the parameter.
In some cases, however, a nonlinear relationship between the parameter and the display element is more appropriate.
When a nonlinear relationship is used, it should be demonstrated that such a relationship is more meaningful to the operators or that it will actually facilitate interpreting information.
For example, a logarithmic relationship between reactor power level and the magnitude of the corresponding display olement may be appropriate to display power during reactor startup if accurate readings of reactor power level are needed over many decades.
Scaling of parameters used for the SPOS display affects both the usability and the interpretability of the display, especially when pattern recognition is being used.
Parameter scales should be' chosen to provide the range of data and level of accuracy needed by the operator to use the infomatica.
The dis-plays of parameter magnitude can, in some cases, be scaled to optimize re-cognition of changes from normal to agnormal plant conditions. _In pattern recognition, the parameter scale is cRosen to produce under nomal concitions an undistorted display pattern that comes distorted when an abnomal con-dition of any parameter occurs.
Ar iewer should recogiiize that it may For not be possible or desirable to apply such scaling to all displays.
example, if such scaling resulted in.
display that is unacceptable to the operators after they have been train in its use, then it would not be desirable.
Parameter scaling should also be chosen to allow tracking of parameters over a wide range of abnormal conditions.
Therefore, parameter displays for normal conditions should not fill the entire display area.
These displays may also provide a means of reading parameter values should any parameter go off scale during abnomal conditions.
Under these circumstances, the SPOS should alert the operator when a parameter is off scale.
It may be desirable to change the scaling factors used in a display if changes For in relative magnitudes of the parameters occur during plant operations.
example, nomal operation at reduced power may result in a display that appears distorted relative to the display exhibited during operation at 100%
Because reduced power operation does not necessarily represent an ab-power.
nomal condition, a change in display scale would be appropriate to provide a display that remains undistorted.
It is preferable that this type of display scaling change be made by operator command rather than by automatic action of the display signal or data processing system.
This ensures that an abnormal condition is not displayed inappropriately as the result of automatic scaling changes made by the SPDS.
A system that is designed to automatically change display scaling should alert the operator that the change is being made.
92 8
_ _. _ _. _ ~ _ _ _, _ -
6.2.2 Identification of Displayed Parameters The operator must be able to readily interpret the information conveyed by the SPDS display.
When a display changes, the operator must know what parameters Ere changing and how they are changing in order to assess the nature of an abnormality and identify the system involved.
Displays should include labels, symbols, or other means to uniquely identify each parameter being displayed.
It is unacceptable to rely upon the operator to memorize the relationships b3 tween the display format or the display pattern and the specific variables being displayed.
6.2.3 Perceptual Aids Perceptual aids can be used with all types cf display mechanisms to cid the operator in evaluating the safety status of the plant.
Among the perceptual aids suitable for use in SPDS displays are color, symbols and mimics, everlays, and blinking and flashing.
Displays may use one or more of these perceptual aids, or may use none at all.
6.2.3.1 Color Color may be used in SPDS displays 'to help identify and differentiate between olements of the display and to indicate a change in functional or operating status of a plant parameter.
Whencolorchangesareusedtoindicadbachangeinfunctionaloroperating status,nomorethanthreecolors'shoyldbeused,correspondingtotwolevels of change in severity of status.
A. nautral color should indicate normal status.
The first color change could lert the operator that a parameter is cutside its normal range but does not. epresent a serious problem.
A second more noticeable color change would oc r'when the parameter is in a range that indicates a serious abnormality.
Td be effective, the colors used in the SPDS display should be consistent with color codes,used elsewhere in the control room.
Displays should avoid conflicts between the use of color coding to enhance f
selective identification of display elements and the use of color codes to enhance changes in operating status of displays, display elements, or l
displayed parameters.
6.2.3.2 Symbols and Mimics Graphic symbols and mimics may be used as distinctive means of presenting information in a pictorial format.
These should conform to the guidelines of NUREG-0700, Section 6.6.3.4, Symbols, and Section 6.6.6.4, Use of Mimics.
G.2.3.3 Overlays Graphicaloverlayscaneffectivelyenhancedisplaysbyprovidingareference to normal conditions, or an indication of normal limits for individual param-An overlay of a normal eters, or an indication of abnormal operating ranges.
pattern can enhance some graphic displays by providing a reference to normal operating conditions to facilitete pattern recognition or to detect deviation from normal conditions.
Overlays are acceptable when they improve the operator's J
W61
interpretation of the displayed information.
Overlays should not distract the operator or interfere with observation 'of displayed information or interpreta-tion of plant operating conditions.
6.2.3.4 Blinking and Flashing Blinking symbols or data on a CRT, blinking illuminated graphic displays, and flashing indicator lights and annunciator displays are effective and acceptable means of calling operator attention to an abnormal condition.
The use of bibking or flashing should conform to the guidelines of NUREG-0700, Sec-tion d.3.3.2, Visual Alarm Recognition and Identification, and to Section 6.7.2.7, Graphic Coding and Highlighting.
6.2.4 Display Patterns The incorporation of display parameters into a regular pattern can be an offective graphical representation of plant parameters.
When a pattern is used to enhance the operator's assessment of the safety status of the plant, there should be a direct association between the display pattern and the status of the plant.
The pattern for normal operating conditions should have distinctive characteristics that distinguish it from the patterns produced by abnormal conditions.
The change from nomal to abnormal pattern configuration should be readily detectable.
One pattern change that is acceptablepwhen properly designed and implemented is a change from a symmetric or regul tr geometric pattern during normal operat-l ing conditions to an asymmetric or ir;1 gular geometric pattern when an abnormal condition occurs.
Another. pattern-change that may be acceptable is a change l
from a pattern displaying uniform ma itude or length for each parameter l
during normal conditions to a patter isplaying unequal magnitudes or lengths for those parameters that are in an normal state.
An operator is more likely to notice changes, from a normally undistorted pat-
'q tern than to notice changes from an initially distorted pattern.
Therefore, it is important that the display pattern for normal conditions be undistorted.
Producing Then significant changes are not required to detect an abnormality.
an undisorted display pattern is largely determined by the choice of parameter scaling.
Displays relying on pattern recognition to identify an abnormal con-dition should use parameters that have small deviations about a steady-state value during normal operating conditions and that have distinctive variations f
from the steady state value during abnormal conditions.
Top level display pages based on shape coding, color coding, or alphanumeric coding of data and information to convey the status of plant safety to the operator are acceptable.
However, top level display pages based only on shape l
coding or only on color coding or a combination theroof should be augmented i
with lower level display pages which are based on alphanumeric coding of data and information.
Shape coding and color coding of data and information are acceptable display techniques in response to search and identification type of Alphanumeric coding of data and information is best for absolute operator tasks.
Under identification of plant status, such as the safety status of the plant.
these circumstances, a top level display based on shape coding or color coding enhances operator perception via pattean recognition.
Lower level displays pages es
btsed on alphanumeric coding of plant process variables and their magnitudts, trend or rates allows an operator to independently assess the safety status of the plant.
With the operator's independent assessment of plant status, common mode errors are minimized and the operator retains control rather than the plant or the display controlling the operator.
6.2.5 Status Satpoints Tech-Setpoints are used to indicate a transition in the status of parameters.
nical considerations should establish parameter setpoints that are used to initiate changes in display presentation to alert operators to changes in operating status.
Poorly chosen setpoints can result in frequent. false alarms or failing to deter-eine a serious problem.
Arbitrarily establishing setpoints as some nominal percentage of normal value or of maximum range generally is not appropriate.
Setpoints used to indicate a change in status should be chosen specifically for their suitability to perform the desired function.
6.3 Application to Examples of Displays Four convenient examples of display.s of multivariate data were chosen for discussing the application of the guidelines developed in this section to specific displays.
All of'the examples were taken from a recent NUREG/CR.
document (Ref. 9).that presents' numerous ways of displaying multivariate data in nuclear process control.
Although this reference draws some conclusions on the applicability of varicus displays for process control, these conclusions do not necessarily apply to the SPDS Iunctional requirements.
3..
Examples of displays in this' report. a{e not intended as an endorsement of any one of them.
Many acceptable SPDS designs will utilize none of these display types.
6.3.1 Bar Chart The bar chart (Figure 1) synthesizes an array of analog meters, where each bar represents a specific parameter.
The length of each bar is generally pro-The portional to the magnitude of the measured parameter it represents.
reactor operator can easily associate with this type of display because analog meters are used in the control room to display the magnitude of operating parameters.
Each bar on the display has a unique identification label that positively identifies the parameter.
While an operator might learn the positions of each paramater bar, the labels provide a reference identification that is always available.
It would not be acceptable to expect an operator to memorize the position of each parameter on the display.
The bar chart in Figure 1 would not, by itself, allow a quick assessment of the plant safety status.
Each bar has a different length, and, as demon-strated in Reference 7, the onset of abnormal conditions may not be obvious to the operator.
Color coding the bars can be one effective way of signaling that a parameter is outside the normal range.
A bar color that does not attract attention is
4 I
PRIMARY POWER l
PRIMARY ROM COLD LEG TEMP, DELTA TEMP.
PRIMARY PRESSURE PRESSURIZER SECNDARY PRE l
SECNDARY FD FLOM 1
STM CNTRL VLV STM GEN UNEL CNDS PRESSURE 8
29 48 68 88 108 l
I PERCENT RANGE l
Figure 1 Simple bar chart representation at normal conditions i
J
used while the parameter is normal.
When a parameter goes outsida of tha normal range, an attention-getting color is used to color that bar.
(See NUREG-0700 for a discussion on colors.)
Variable contrast between each bar tnd the background may also be used in a similar way as a visual alert cue.
A bar for a parameter out of range would have much greater contrast with the background than that bar would have when the parameter is within the nomal range.
A blinking label or bar may be acceptable to call attention to an out-of-range parameter.
When a blinking display element is used as a visual alert cue, the blinking must not prevent the operator from using the display to obtain information.
Blink rates should confom to NUREG-0700, paragraph 6.7.2.7.C.
A bar chart should provide a reference to the normal operating value of each parameter displayed.
It. is also desirable to indicate the nomal operating range of a parameter on a bar chart when the operating range is a significant fraction of the total range.
Such indications help the operator-interpret the importance of a parameter change.
6.3.2-Deviation Bar Chart The deviation bar chart (Figure 2) is similar to the bar chart discussed above.
However, each displayed bar represents the difference between the peasured value of the parameter and the normal value of that parameter.
'Although the l
magnitude of a measured parameter is generally positive, the deviations of that parameter from its normal value, tan be either positive or iiegative.
Therefore, the zero reference should le'in the center of the deviation b'ar chart.
With this display, a paramete6 that deviates significantly from its normal value is easily detected by th6 operator.
There is a direct association of the eviation bar chart display with the,
status of the plant.
Under normal conditions the bar chart deviations are small.
In the event of an abnormality, the magnitude and direction of a parameter change from the normal condition i's readily determined from the length and direction of the associated deviation bar.
The choice of scaling for each of the deviation bars is important to ensure that there is a distinct difference between normal and abnormal conditions.
Deviation bars that can vary over the entire display range under normal conditions would be unacceptable.
The range of normal conditions for positive or neq1tive deviations of a parameter should represent no more than 10% of the total range provided to display that parameter's deviation.
The normal deviation should also be considerably less for a parameter that varies little during normal conditions but can vary a large amount during an abnormality.
An indication of the normal range for each deviation is desirable.
When l
appropriately scaled, pattern recognition can help to detect an abnormal i
condi tion.
Like the bar chart, a label should identify each parameter devlation bar.
Thus a change in one deviation bar can be readily associated with the corresponding parameter.
Color coding or variable contrast may be used as a visual alert indicator on a deviation bar chart in the same way it is used with the conventional bar chart.
PRIMARY R0W CDLD LEG TEMP.
' DELTA TEMP.
PRIMARY PRESSURE PRESSURIZER LEVEL SECEARY Piu5URE I~
SECEARY FD FLOW
.)
STM CNTRL U POS i
STM GEM LEVEL CNDS PRESSURE l
188 88 68 48 29 g
29 48 68 88 188 LOW W
HIGH FERCENT RANGE Figure 2 Deviation bar chart representation at normal conditions
y Some meats of indienting ths magnitud3 of occh psrametsr shculd ba provid:d when the deviation bar display is used for a primary SPDS display because this information is not included in the deviation bar chart itself.
This could be done by a digital readout of parameter magnitude on the deviation bar display or by presenting parameter magnitude information on secondary display formats.
6.3.3 Circular Profile The circular profile can be considered to be a variation of the bar chart.
In the circular profile display, the parameter lines radiate from a common origin with equal angular spacing between lines (Figure 3).
The length of each line is proportional to the magnitude of the corresponding parameter.
The endpoints of adjacent radial lines are generally connected to fom the profile.
The crea within the profile may also be shaded for enhanced contrast.
The circular profile rep' resents a display type where pattern recognition is the primary means of identifying an abnormal operating condition.
An operator's attention is focused on the profile around the radial lines rather than on individual lines.
Under nomal conditions, this profile should be circular or regular.
When an abnomal condition occurs, the profile would become noticeably distorted, indicating that an abnomal condition has developed.
Parameter scal-ing and parameter selection are more important in producing a good symmetric circular profile display during nomal operating conditions than they are for bar chart or deviation bar chart displays.
6.3.4 Chernoff Face 5
.The'Chernoff face is a graphic technigue which maps multivariate data into facial features.
Changes in parametet magnitudes are translated into a change in the facial expression.
Figure 4
'ows a Chernoff face, together with the assignment of facial features to par ters.
Use of this type of display is dependent on pattern recognition to interpret data.
The Chernoff face is a good example of a display where individual parameters cannot be readily identified.
This weakness can be seen from the assignment of variables to facial features in Figure 4.
The frowning mouth shown in Figure 4 is a composite of three parameters.
It may not be possible to identify which particular parameter has changed when the mouth changes shape.
It also is difficult to relate a given change in the appearance of the face to a specific change in the safety status of the power plant.
An operator can make no direct association between the facial features observed and the magnitude of plant parameters.
Many different linear and nonlinear mappings are used to relate the data being displayed to the different facial features.
This complexity makes it difficult to evaluate changes in magnitude of the displayed parameters.
Use of this type of display would require operators to not only memorize the associations between parameters and facial characte-ristics but also to memorize many different facial patterns to evaluate magnitudes of parameter changes.
Studies using Chernoff faces have shown that certain combinations of changes in the facial characteristics can result in a face that does not appear dis-torted (Ref. 10).
Thus, there may not be a noticeable distinction between normal plant conditions and certain abnormal conditions.
36
1 dT PRESS Te SEC FLO"
' PRESS CNDS
\\
FEED i
PRESS
\\
FLOW
\\
CNTRL sty a
VLV POS LVL l
s Figure 3 Circular profile representation at normal conditions e n we
---,-o--_
_w-w,~m-e em w--
- - - - - - - - - - - - - - - = - - - - - - - - - - - - -
~
\\
O' i
O i
(
O n
V V
\\
i i
t t-r t
Assignment of variables facial features for Chernoff faces Variable Facial Feature i
Size (half length) of eyes Power Prunary Flow Slant of eyes Cold Les Temperature Eccentricity of eyes Position of pupils Delta Temperature Primary Pressure Separation of eyes Pressurzzer Level Height of center of eyes I
Secondary Pressure Length of nose Secondary Feed Flow Nose width l
Steam Control Valve Position Curvature of mouth Steam Generator Lhel Length of mouth Position of center of mouth Condenser Pressure l
Figure 4 Chernoff face representation at normal conditions l
l l
_ _. ~. _. _,. _ _. _...., _ _-
These unfavorable characteristics make the Chernoff face unacceptable for use as the primary display of an SPDS.
O e
O 6
1,.
r If
7 VERIFICATION AND VALIDATION OF SPDS For the SPOS to fulfill its function, it is essential that the SPOS meet the requirement in Supplement 1 to NUREG-0737,- that it provide reliable information from which the plant safety status can be assessed.
The SPOS user must have con-fidence in the validity of' the information provided by the operational SPOS.
To ensure that a high quality SPOS is implemented, the licensee should conouct a verification and validation (V&V) program throughout the process of design, fabrication, testing, and installation of the SP05.
A V&V program should include the following:
(1) a system requirements review performed prior to the design of the system to determine that the system functional requirements will provide a system that meets system objectives, (2) a design verification review performed after the system is initially designed to verify that the design will satisfy system functional requirements, (3) validation tests performed after the system is assembled to confirm that the operating system satisfies system functional requirerwents, field verification tests performed after system installa$ ion to (4) verify that the validated system was installed properly, and
~
I (5) display system design confijut ation control documents that contain display design modificati.onf, resolutions to problems, and reasons for uncorrected defined pro 61 ems.
These documents should serve to record and reco1ve a'11 desi problems identified by the V&V program.
The V&V program should be conducted by qualified individuals who were not directly involved in the design, development, and installation of SPOS cquipment or software.
A verification and validation program performed by the licensee during design, installation, and implementation of an SPOS will facilitate the staff review l
of the system.
The staff would then evaluate the program for the results of the design verification and validation.
1 1
The Nuclear Safety Analys.is Center (NSAC) has prepared SPDS V&V program guidance for the nuclear industry.
This guidance is documented in NSAC 39 (Reference 11).
Licensee performance of an SPDS V&V program conforming to the guidance of NSAC 39 is acceptable for submittal for staff review of the SPDS.
Other SPDS V&V programs which accomplish the desired goals should be equally I
acceptable to the staff.
40
ff9 94 8.
NRC STAFF HUMAN FACTORS REVIEW OF SPOS The guidance provided in this report (NUREG-0835) will be used by the staff in its review of the human factors design of the SPOS.
Herein, we have discussed acceptable ways of complying with the human factors requirements of Supplement 1 of NUREG-0737.
For reviews of operating license applications (OL reviews) and for operating reactors for which the licensee has requested a pre-implementation review of the SPOS design, the guidance of NUREG-0835 will assist the staff in evaluating For compliance with the requirements of Supplement 1 of NUREG-g737.
such reviews, the.NRC staff wi 1 initially evaluate the applicant's/ licensee's verific ion and validation (V&V) program plan and audit the results of the licant's/ licensee's design verification Subsequently,. the staff will audit the 8
activities.
applicant's/ licensee's design validation tests.
During each audit, the
~
staff plans to review safety analysis data and human factors design data prepared by the applicant / licensee as well as review its V&V activities.
These reviews will be conducted using the appropriate guidance provided in NUREG-0835 in Section 5, " Review Guidelines for SPOS Requirements,"
Section 6, " Review Guidelines for SPDS Displays," and Section 7,
" Verification and Validation of SPDS."
For pre-implementation reviews, the NRC staff intends to conduct the review in two audit meetings with the applicant / licensee during the period of SPOS design and design The staff will document, following each meetingf, its validation tests.
positive and negative findings.
A e/ays tesa/Nny from N f
for operst;y re<ebrs s Hed t;m, repared fu kn c.
pi,,,, NoA n e m s m ksentf s hW 1 eview.
j 2-1 Prompt implementation of the SPOS i perating reactors is a design goal of primary importance.
The review process, is designed to avoid 4Hte
- r+?** 4-terd d y.
The NRC staff will not review operating reactor SPOS designs for compliance with the requirements of Supplement,1 of,
_z,,0 :r ~.i v.*i....:i; 59 n?,
,; w sw e l p j : w : v NUREG-0737 prior to implementation unless specifically requested by A
licensees.
The licensee's safety analysis and SPOS implementation plan will be reviewed by the NRC staff only to detennine if a serious safety question is posed,by the proposed system or if the analysis is seriously inadequate.
The NRC staff review to accomplish this will' be directed at (a)confirmingtheadequacyotitheparametersselectedt$bedisplayed to detect critical safety func ions, (b) confirming that means are provided to assure that the d a displayed are valid, and (c) confirming that the licensee has consnitted to a human factors program to ensure that the displayed information can be readily perceived and comprehended so as not to mislead the operator.
If, based on this review, the staff l
identifies a serious safety question or seriously inadequate analysis, l
the Director of IE or the Director of NRR may request or direct the licensee to cease implementation.
l f/4./c l
ft is unlikely that the SPOS design would raise a serious safety "c'^"a" question or that the analysis would be seriously inadequatej j
l the NRC staff review may identify some human factors engineering prooiem areas, which if corrected, could enhance effectiveness anc improve l
Problem areas that are identifiec by the NRC operating crew acceptance.
1
. staff in its SAR review should be assessed for correction by the e"""
i; ::..;;dcr:d ;:rt ce 'he licensee during the DCROR,9e-the
- =t=?
D
(
4.
l l
9 REFERENCES (1)
U.S. Nuclear Regulatory Commission, NUREG-0696, " Functional Criteria for Emergency Response Facilities," February 1981.
(2)
U.S. Nuclear Regulatory Commission, NUREG-0737, " Clarification of TMI Action Plan Requirements," November 1980; Supplement 1, December 1982.
(3)
U.S. Nuclear Regulatory Commission, NUREG-0700, " Guidelines for Control Room Design Reviews," September 1981.
(4)
U.S. Nuclear Regulatory Commission, NUREG-0801, " Evaluation Criteria for Detailed Control Room Design Review," October 1981.
A (5)
Ramsey, H. R. and M. E. Atwood, " Human Factors in Computer Systems:
Review of the Literature," SAI, Inc., SAI-79-111-DEN, September 1979.
(6)
Seminara, J. L. and S. K. Eckert, " Human Factors Considerations for Advanced Control Board Design," Electric Power Records Institute, EPRI NP-1118, Vol. 4, March 1980.
(7)
Banks, W. W. and M. T. Clark, "Some Human Engineering Color Considerations Using CRT Displays:
A Review of the Literature," EG&G Inc., Report
~
50-B-81-001.
(8)
Banks,W.W.,etal.,"HumanEng)neeringDesignConsiderationsforCathode Ray Tube-Generated Displays," U.1.~ Nuclear Regulatory Commission, NUREG/CR-2496, EG&G-216, Apri1 1{82.
t (9)
Danchak, M. M., " Techniques forjisplaying Multivariate Data on Cathode Ray Tubes with Applications to NWclear Process Control," U.S. Nuclear Regulatory Commission, NUREG/CR-1994, EG&G-2086, April 1981.
(10) Bruckner, L.
A., "On Chernoff Faces," in P.C.C. Wang, Grachical Reoresentation of Multivariate Data, New York, Academic Press, 1978, p. 93.
(11) Nuclear Safety Analysis Center, " Verification and Validation for Safety Parameter Display Systems," NSAC 39, December 1981.
(12) " Guidelines for an Effective SPDS Implementation Program," INPO 83-003 (NUTAC), January 1983.
-- M
,W-p 2
APPENDIX A GLOSSARY OF TERMS Many of the terms used in this document are specific to the fields of nuclear cngineering and computer software engineering.
In some cases different terms have a common definition and are used interchangeably.
This glossary of terms is included to reduce misinterpretation of the use of terms in this document.
recuracy - A measure of the degree to which the actual output of a device ap-proximates the output of an ideal device nominally performing the same function (IEEE Standard Dictionary of Electrical and Electronics Terms).
In a nuclear power plant control room, the device is the entire measurement system from the sensor to the display.
snalytical redundancy - Intercomparison of measured variables, through the use of mathematical models based upon known physical relationships, between variables, to determine whether there are inconsistencies in the values of the measured variables (e.g.
Reactor power, reactor coolant temperature rise through the reactor core, and reactor coolant flow rate are interrelated variables based upon the physical principles of heat transfer.
A measured value for coolant flow should be consistent with the analytically calculated value for coolant flow derived mathematically from the corresponding measured values of reactor
~
power and coolant temperature rise.)
cathoderaytube(CRT)-Anelectroni): vacuum tube containing a-luminescent display screen and a controlled beam pf electrons that creates and refreshes images on the display screen.
[}
control room operatinc crew - A groukof individuals assigned to perform functions and tasks in a nuclear powe plant control room to operate the plant.
As such, the control room operating crew is a system within the power plant.
control room operators - Individual members of the control room operating crew including, but not necessarily limited to, licensed reactor operators.
I data - 1. An individual fact, statistic, or piece of information or a group or body of facts, information, statistics, or the like, either historical or derived by calculation or experimentation (The Random House College Dictionary (RHCD), Revised Edition, 1980).
- 2. A general term used to denote facts, numbers, and symbols that refer to the state of the plant process of the status of systems and components that are part of the plant process.
data validation: data validation orocess - 1. The checking of data for correc-tions or for compliance with applica01e standards, rules, or conventions2. The (Standard Dictionary of Comouter and Information Processing (SDCIP)).
process by wnicn the output of a measurement system is tested for accuracy.
Tests may include, but need not be limited to:
electrical interrogation of all or part of the measurement system to detect flaws or anomalies in the system, comparison of two or more measurements of the same variable for con-sistency in the observed values of the variable, (generally referred to as redundancy),
_ _ _ _ _ _ _. _A - 1_ __ _ _, _ _
uso of analytical exprsssions to establish consistency among a group of different variables by use of measurements of inter-related vari-ables and use of mathematical calculations, (generally referred to a analytic redundancy).
data validity - A measure of the permissiveness or the extent to which data has been subject to specific tests to ensure that operations performed on the data were performed properly and that the test results have verified the reliability of the data.
Data validity refers to whether or not certain criteria have been met (SDCIP).
derived variable; derived process variable - 1. A plant process variable derived from mathematical calculations that use the values of directly measured variables as inputs to the calculations or a variable determined by operational manipulation of the signals from directly measured variables.
- 2. A variable or parameter that is not measured directly but that can be derived analytically from the values of two or more measured variables, (e.g. degrees subcooling can be derived from measured values of water temperature and pressure using the known physical properties of water as a function of temperature and pressure).
desian criteria - Performance requirements and specifications for a system established as goals prior to initiating detailed design of the system.
design validation - A process of system integration, testing, and % valuation activities carried out at the system / subsystem level to ensure that the developedoperationalproductsatisfigsthesystemspecificationsandthe user's functional requirements.
}
F desian verification - A process of itarative evaluation during the design process to determine whether the pro cts of each step of the design effort are correct and fulfill design criteria requirements.
direct variable; measured variable - A plant process variable that can be measured by a sensor instrument with the output signal from the sensor manipulated or converted to be displayed or read out on a display device as a magnitude of the variable, expressed in engineering units.
display - A visual record that may be of either a permanent or transient nature (SDCIP), Revised Second Edition, ' Martin H. Week,1978.
display format - The arrangement of characters, symbols, and visual representa-tions on the display surface of a display unit.
display cace; display frame - A fixed quantity of data, arranged in a predeter-that can be displayed at one time upon a display surface.
mined display format, visual disolay unit - A unit of hardware that provides a visual disolay unit:
presentation of data and information on a display surface.
function - 1. The purpose for which something is designed or exists (RHCD).
- 2. The performance that must be accomplished by a system to fulfil its assigneo role or purpose.
A-2
' functicnni critsria - Tha sttndards that a system must m2st to fulfill its assigned role or purpose.
future function - A function that may be assigned to a system at some future ti me.
hiararchial display - A display system having sets of displays ranked one above (nother in a specified order of rank or importance.
information - 1. Knowledge communicated or received concerning a particular fact or circumstance.
- 2. Any data that can be coded for processing by a computer or similar data processing device (RHCD).
- 3. The results obtained from data processed by pre-specified means or methods.
invalid data - Data that have been subjected to the data validation process and has failed to meet the specified criteria for data validity.
minimum set of plant safety variables (parameters) - That minimum set of plant variables.or parameters sufficient for the control room operators to evaluate the safety status of the plant.
perceptual aid - A display aid that assists the operator sense a significant change in the information provided by a display.
primary function - The principal or main function of a system.
process variable; plant process varia le - A term or eet of terms that characterize a specific time varying property of the state of a plant process quantitatively in engineering units, {e.g.
reactor core coolant inlet temperature - 545'F).
These terms ar also commonly called plant parameters.
real-time data validation; real time Validation - The process of data validation performed with no significant time delay in the display of the data being validated so that the displayed data are known to be both time current and tested for validity, safety variables; eafety parameters - Plant process variables or parameters used to evaluate safety functions and to determine the safety status of the plant.
secondary function - A non primary function in a system that performs more than one function.
time history - Data that displays the magnitudes of a variable over a specified time interval.
time history craoh; time history clot - A graph that depicts the magnitudes of a variaole versus time.
trend data - Information that depicts whether the magnitude of a variable is changing or remaining constant.
i l
l A-3 l
unvalidtted data - Octa thnt havs not bs:n subj1cted to a validation process.
(Unvalidated data may be determined to be either vaiid or invalid if subjected to a data validation process.)
validate - To substantiate or confirm (RHCD).
validity - The degree to which an event, especially operativns, are allowable, permissive, logical, complete, and comprehensible.
Validity is a measure of the extent to which a standard has been met or a rule followed (SDCIP).
valid data - Data that have been subjected to the data validation process and meets the specified criteria for data validity.
variable - A quantity or matematical function that may assume any given value or set of values (RHCD).
verification - A formal act or process to ascertain the truth, authenticity, or correctness of something (RHCD).
(
}
cr l
A-4