ML20079H131
| ML20079H131 | |
| Person / Time | |
|---|---|
| Site: | Crane |
| Issue date: | 11/30/1983 |
| From: | MPR ASSOCIATES, INC. |
| To: | |
| Shared Package | |
| ML20079H129 | List: |
| References | |
| PROC-831130, NUDOCS 8401230337 | |
Text
PROGRAM DESCRIPTION AND SUMMARY REPORT OF THE DETAILED DESIGN REVIEW OF THE THREE MILE ISLAND UNIT 1 CONTROL ROOM
November, 1983
8401230337 e40116 PDR ADOCK 05000289 F PDR
MPR ASSOCIATES, INC.
TABLE OF CONTENTS
I. Introduction
II. Background
III. Program Description
  A. Information Sources
  B. Makeup of the Review Team
  C. The Review Process
    1. Review of Operating Experience
    2. Inventory of Control Room Instrumentation and Equipment
    3. Detailed Review of Control Room Components and Environment Survey
    4. Review Based on Operator Responsibilities
    5. Review Based on Existing Plant Procedures, and Walkthroughs of Expected Operational Evolutions and Postulated Off-Normal Events
  D. Documentation of Review Data
IV. Summary Report of the Control Room Design Review; Findings and Corrective Actions
V. Program Plan for Review based on Symptom-Oriented Emergency Operating Procedures
VI. Appendices
  A. Resumes
  B. Guidelines for Control Room Review
  C. TMI Unit 1 Guidelines for Alarm System Review
  D. Summary of Findings and Recommended Corrective Actions excerpted from "A Review of the TMI-1 Control Room from a Human Factors Viewpoint"
I. INTRODUCTION
This report describes the process by which the human factors and other features of the Three Mile Island Unit 1 Control Room have been reviewed and outlines the control room improvements, already accomplished or planned, which were generated by this review.
The report is intended to fulfill the documentation requirements of the Nuclear Regulatory Commission for control room reviews, as set forth in NRC Generic Letter 82-33 (1).
More specifically, this report fulfills the requirements for:
(1) A program plan for the already completed portions of the control room design review (Paragraph 5.2.a of the reference).
(2) A summary report of the completed portions of the control room design review (paragraph 5.2.b).
(3) A program plan for one part of the control room design review that has not yet been completed (again, paragraph 5.2.a).

(1) NRC letter dated December 17, 1982, with attachment; Subject: "Supplement 1 to NUREG-0737 - Requirements for Emergency Response Capability (Generic Letter 82-33)"

Although the completed portions of the review documented herein (items (1) and (2) above) predate generic letter 82-33, it is considered that the review performed meets the intent of the reference.
It should be noted that the review of the TMI-1 control room included symptom-initiated walkthroughs of a number of off-normal transients.
The focus of these walkthroughs was to identify the tasks which TMI-1 operators need to perform during emergency operations.
The procedures used by the operators during these walkthroughs were the emergency procedures then in place.
These procedures were, by and large, event oriented (though, as noted above, the walk-throughs employed symptom oriented scenarios).
TMI-1 is in the process of replacing the event oriented emergency procedures with symptom oriented emergency procedures.
A human factors review of the operator tasks engendered by these symptom oriented procedures is planned.
A description of how it will be carried out and reported is included in this document (item (3) above).
The schedule for the EOP/Control Room review has been covered by separate correspondence (2) and is not included here.

(2) Letter dated April 15, 1983, No. 5211-83-118, from H. D. Hukill to D. G. Eisenhut.

II. BACKGROUND
In February of 1980, on its own initiative, GPU undertook to review the TMI-1 control room human factors.
The operating record of Unit 1 had been very good, and there was little evidence of human factors-related problems.
But in view of the widespread criticisms of nuclear plant control rooms in general, and of the TMI-2 design in particular, GPU management considered the review desirable.
A multidisciplinary review team was formed -- makeup of the team is described in the next section -- and guidelines for the review were established.
The guidelines included criteria by which the control room was to be judged; at the time no regulatory guidance on this subject had been published.
To assist in performing the review, a full-scale control room mockup was constructed in early May, 1980.
Throughout the month of May, intensive walkthroughs of normal operating procedures and off-normal operational sequences were conducted by the review team, with members of the Unit 1 operating staff.
In parallel with this task oriented review, photographic drawings of control panels were reviewed using the human factors criteria of the guidelines.
Quantitative and qualitative measurements of the control room environment -- lighting, humidity, temperature, noise, air quality, etc. -- were also made.
A detailed review of the responsibilities of the operators in the control room was also performed; this examines in detail each fundamental plant control function -- e.g., reactivity inventory control, plant energy flow control, primary coolant inventory control, secondary coolant inventory control, auxiliary power control -- and evaluates the controls, and displays associated with each, as well as their relationship to each other.
In parallel with the review of the control room as a whole, an in-depth review of the alarm system was conducted.
This review examined the alarm requirements of each plant fluid, mechanical and electrical system, and matched these against alarms actually installed.
It also looked at the human factors of the alarm system -- its visual, audible, and operator interactive (e.g., acknowledging) attributes.
On the basis of this review, a program of short term and long term improvements for the alarm system was developed.
In June of 1980, the preliminary findings of the review team were presented to GPU management.
In July of 1980, members of the NRC staff were briefed on these preliminary findings.
NRC also performed its own audit of the control room at this time.
Results of GPU's review (3) of the control room, as well as the results of the NRC audit (4), were entered as evidence in the Atomic Safety and Licensing Board hearing on the restart of Unit 1.
This Board found the GPU review thorough, and endorsed a general program of corrective actions (5).
Design details of these corrective actions were developed in the spring of 1981.
Results of the Alarm System Review were published in February of 1981,(6) including recommendations for short-term improvements to this system.
These improvements were carried out in parallel with the balance of the control room corrective actions.
Hardware was procured, and extensive improvements to the control room were completed by late fall 1981.
Some longer term improvements, such as enhanced computer displays of safety parameters (i.e., a safety parameter display system) are still in the design or analysis phase.

(3) GPU review: "A Review of the Three Mile Island Unit 1 Control Room from a Human Factors Viewpoint," December 1980.
(4) NRC's audit: NUREG-0752, "Control Room Design Review Report for TMI-1," December 1980.
(5) Atomic Safety and Licensing Board: "In the matter of Metropolitan Edison Co. Three Mile Island Nuclear Station, Unit 1, Docket No. 50-289-SP, Partial Initial Decision, Volume 1, December 14, 1981," pp. 164-176.
(6) "A Review of the Three Mile Island Unit 1 Alarm System," February 1981.

A schedule for implementing these improvements is contained in separate correspondence (7).
It should also be pointed out that GPU views the human factors review activity as a continuing one; any and all changes to the plant that affect the interface between the operators and the process are subjected to a human factors review.
This program ensures that the high standards established in the TMI-1 control room are maintained when future modifications are incorporated.

(7) Letter dated July 12, 1983, No. 5211-83-197, from H. D. Hukill to D. G. Eisenhut.

III. PROGRAM DESCRIPTION
The objectives of the TMI-1 Control Room review were essentially those stated in NUREG-0700:
"To determine whether the control room provides the system status information, control capabilities, feedback, and performance aids necessary for control room operators to accomplish their functions and tasks effectively" and "To identify characteristics of the existing control room instrumentation, controls, other equipment, and physical arrangements that may detract from operator performance."
The sources of information for the review, the review team makeup and the review process itself are described below.
The review meets the control room design review requirements of NRC generic letter 82-33 (Op. cit.), including the analysis of tasks related to emergency operations.
However, as noted above, new, symptom oriented emergency procedures will soon be put in place at TMI-1, and a supplementary review will be performed to confirm that the controls and displays required by the new procedures are present in the control room (or other locations appropriate to their use) and meet applicable human factors criteria.
Table III-1 shows how each of the control room design review requirements of 82-33 has been treated by the TMI-1 review.
The methodology of the TMI-1 review also differed somewhat in its organization from that subsequently described in NUREG-0700, but each element of a thorough human factors review was covered.
Table III-2 correlates the elements of a review as described in NUREG-0700, and the elements of the TMI-1 Control Room Review.
It should be noted that the separate items described below are not in chronological order and that portions of the various review elements took place in parallel.
A. Information Sources
Three Mile Island Unit 1 was operated for five years (1974-1979).
Consequently its operating procedures were considered to be a relatively accurate representation of how the plant was operated.
These operating procedures were, therefore, a primary source of information for control room operator activities.
The procedures used were of several types:
- Top Level, Normal Operating Procedures (OP-1102 A Series)
- Event Oriented Emergency (Operating) Procedures (EP-1200 Series)
- System level, and special situation operating procedures (R-1100 Series)
- Surveillance Procedures (R-1300 Series)
- Refueling Procedures (R-1500 Series)
This assumption was confirmed by operator comments during the walkthroughs.
In addition to the procedures, other sources of information which were used in the control room review included:
- plant piping and instrumentation drawings, and electrical and control diagrams,
- the Final Safety Analysis Report and the plant technical specifications,
- photographic drawings of the control room and the control panels,
- licensee event reports and internal plant reports on reactor trips and other events,
- plant maintenance records and procedures, and
- the site emergency plan.
In addition the review team had access to the plant operators through interviews and participation in the walkthroughs.
Access was also provided to other members of the plant staff -- operations supervision, maintenance, and engineering.
The review team also was provided access to the actual control room as appropriate for photographs of control panels, surveys, special observations, and specific questions, subject to the normal constraints on control room access exercised by the Shift Supervisor, and Shift Foreman.
B. Makeup of the Review Team
The performance of the human factors review was the responsibility of a team made up of personnel from GPU Nuclear, MPR Associates, and independent outside consultants.
The responsibilities and functions of the members of the team are described below; resumes are included in Appendix A.
GPU Nuclear Corporation
Overall direction for the review was provided by Mr. T.G. Broughton, Director of Systems Engineering, and Mr. P.S. Walsh, Manager of Plant Analysis, of GPU Nuclear.
Mr. R. Glaviano, of Mr. Walsh's organization, was also a member of the team, stationed permanently at the plant.
GPU Project Engineering was represented by Mr. I. Feinberg.
Mr. Feinberg participated in the planning of the review, and assured that engineering input from various sources was incorporated.
This included data on other plant modifications in process at the time, and especially obtaining necessary information from the architect engineer and other contractors to GPU Nuclear.
Though not formally a member of the review team, Mr. D. Strobhar of GPU Human Factors Staff also participated.
Members of the GPU Human Factors Staff also provide human factors input and review of ongoing and future control room modifications.
Members of the TMI-1 operating staff participated in the review in two ways:
1. The operating staff participated in the procedure walkthroughs, the control room environmental survey, and in walkthroughs to test proposed corrective actions.
Their comments on the strengths and weaknesses of the existing control rooms and on the improvements generated by the review were sought and obtained.
2. A senior shift supervisor served to coordinate the human factors review activities with other activities of the operating staff.
He arranged for walkthroughs and served as clearinghouse for obtaining answers to detailed technical and operational questions from the review team.
Because of his long personal experience at TMI-1, this shift supervisor was himself an extremely valuable source of data on the strengths and weaknesses of the plant control systems.
MPR Associates
MPR served as a coordinator for the review process.
They supervised construction of the full scale control room mockup and prepared the photographic drawings of panel faces necessary for the review process.
They conducted walkthroughs of operational evolutions with personnel from the operating staff and the other members of the review team.
MPR also conducted the environment survey and performed the detailed reviews of the control panels.
Messrs. H. Estrada, L. M. Buck and Dr. D. H. Harrison of MPR participated in these activities.
In addition, Mr. R. T. Fink of MPR and Mr. Estrada performed certain specialized evaluations of the plant alarm system.
Human Factors Consultants
Dr. T. B. Sheridan, Professor of Engineering and Applied Psychology at the Massachusetts Institute of Technology, and Dr. Julien M. Christensen, now of General Physics Corporation, were also members of the review team.
They provided an overview of the human factors aspects of the review process: methodology, interpretation of guidelines, assessment of potential for error in various control room operations, evaluation of deficiencies, and evaluations of potential improvements.
C. The Review Process
1. Review of Operating Experience
The objective of the review of operating experience was to make sure that problems actually encountered in operation of TMI-1 were identified and factored into the review of the control room.
A most useful source of information on operating experience was the detailed comments, solicited as well as unsolicited, obtained from the operating staff in the course of the walkthroughs in the control room mockup.
An opinion survey of control room operators relative to the control room environment was also conducted.
The objective of this survey was to identify strengths and weaknesses of the physical surroundings presented by the control room that had been noted by the control room operators in the course of operations.
A second, formal opinion survey on the merits of certain alarm system improvements was also conducted.
The review of experience also included a review of Licensee Event Reports, the Nuclear Power Experience summaries, and a review of plant records.
2. Inventory of Control Room Instrumentation and Equipment
The objective of the control room inventory was to identify all instrumentation, controls and equipment within the control room.
All components with which the operators interface are included in the inventory.
In the TMI-1 control room review, the construction of a full-scale mockup of all main control room panels (including visual annunciators for alarms) was part of the inventory process.
The displays and controls for the mockup panels were reproduced by a combination of photographic and Xerox reproductions of a grid work of high quality photographs.
The actual inventory is contained in a complete set of reproducible drawings of the control panels based on the photographs used for the mockup.
The drawings and the mockup allowed identification and review of the panel components without disruption of control room activities.
In addition to their use in the detailed review of the human factors of individual controls and displays, the drawings were used extensively in the review of operator functions and responsibilities.
3. Detailed Review of Control Room Components and Environment Survey
The objective of the control room component review was to identify any characteristics of instruments, equipment, layout and ambient conditions that did not conform to good human engineering practice.
The review was performed in three stages: a detailed control panel review, an alarm system review, and an environment survey:
a. Panel review
This included a review of the following:
- controls, displays,(8) process computer displays, panel layout including anthropometric considerations, and control/display relations.

(8) This included the selectable print alpha numeric displays, trend recorders, and line printers which were used to obtain computer data.
At the time of the review the CRT display of computer information was not operational.

b. Alarm system review
(1) Fluid, mechanical and control systems, as well as other functional hardware groups that are the responsibility of the control room operator, were individually reviewed to determine what conditions should be alarmed.
To facilitate this review, checklists incorporating thermodynamic and operational criteria for alarm conditions were formulated.
(2) The alarms, incorporated in the system as it then existed, were compared against the alarm conditions generated by the review described in (1) above, to formulate lists of alarms which were unnecessary, and alarm conditions which should have been alarmed but were not.
(3) An assessment was made of the effect of new alarms to be added to meet new regulatory requirements or as a result of the lessons learned from the accident at TMI-2.
(4) The human factors of the alarm system hardware were evaluated, including its visual attributes (e.g., readability and understandability of alarm legends), audible attributes (e.g., audibility, distinguishability, and tendency to startle of alarm horns), and operator interactive attributes (the acknowledgement of incoming and clearing alarms, testing).
(5) The performance of the system in multiple alarm events, such as following a reactor trip, was also evaluated.
This evaluation included tests with operators using a specially constructed alarm system simulator.
c. Environment survey
This included reviews of the following:
- control room ambient conditions including temperature, humidity, and ventilation;
- lighting levels;
- sound levels;
- control room workspace;
- control room layout, traffic patterns and access control;
- communications; and
- administrative practices such as transfer of information during operator shift changes, control of key-lock switches, etc.
The control panel, alarm system and environmental conditions surveyed were compared to detailed human engineering guidelines prepared for the TMI-1 control room.
These guidelines were developed before the guidelines of NUREG-0700 were available and are presented in Appendices B (Control Room Review Guidelines) and C (Alarm System Review Guidelines).
4. Review Based on Operator Responsibilities
The responsibilities of the control room operators at TMI-1, divorced from any specific event, were identified.
An abbreviated listing of these responsibilities, excerpted from Appendix B, follows:
a. Control of the reactivity of the reactor core,
b. Control of energy flow, including reactor power, steam generator power, and turbine power,
c. Control of primary coolant inventory,
d. Control of secondary coolant (working fluid) inventory,
e. Control of station auxiliary services -- electrical, cooling water, and air,
f. Control of the inventory of radioactive material in the main process systems,
g. Control of fissionable material during refueling,
h. Direction of fire fighting and certain other emergency activities.
i. Administrative control of in-plant maintenance activities.
j. Record keeping.
Each operator responsibility involves a number of tasks and each task in turn may require the operator to take a number of specific actions.
The specific actions by which each of these operator responsibilities is discharged in the TMI-1 control room were reviewed. This process established the display and control requirements for each general operator responsibility (e.g., control of secondary coolant inventory).
Requirements developed in this manner may not be obvious from analysis of particular operating events or from existing plant procedures; the operator responsibility review is therefore a useful adjunct to the overall design review process.
The requirements thus developed were compared with the existing instrumentation.
All discrepancies for each identified responsibility were documented, and appropriate corrective actions identified.
5. Review Based on Existing Plant Procedures: Walkthroughs of Expected Operational Evolutions and Postulated Off-Normal Events
The operational evolutions that were evaluated are tabulated, by procedure number, in Table III-3.
For each of the normal evolutions, qualified TMI-1 operating personnel performed the simulated operations on the mockup using the appropriate plant operating procedures, with the evaluations being performed by the review team.
A talkthrough technique was generally used for walkthroughs of normal operational evolutions, such as heatup and startup, or cooldown.
The operator actions in these evolutions are, in large part, deliberate and slow paced.
For such evolutions, real time simulations (a true walkthrough) were found to be uninformative.
Instead, during each significant task in an evolution, the operator was asked to tell the review team what control action he was taking and what procedural, visual, audible, or communicated information he was acting upon.
After each such task, the review team would question the operator -- how did he confirm that the control action had actually taken place, had he ever made a mistake in this sequence, etc. -- and on the basis of the information thus obtained, operator tasks were identified for each of the evolutions.
A slightly different approach was followed for the emergency and abnormal events such as reactor trips, or primary or secondary leaks.
The analysis of these events was generally initiated by postulating a set of symptoms consistent with a plausible off-normal plant condition.
The off-normal conditions analyzed included reactor trips from a variety of causes, turbine trips with and without reactor trips, a variety of losses and partial losses of feedwater flow, as well as other feed system upsets, a spectrum of losses of reactor coolant with a variety of mechanistic causes, and a spectrum of steam and feed system leaks.
The symptoms used for the analyses were in the nature of specific meter readings, alarms, noises, etc. and were described to the operators (without telling them the postulated causative condition).
The operators then sought information so as to determine what the nature of the upset was, to allow them to ascertain which (if any) of the event oriented plant emergency procedures was applicable to the perceived event.
The operators, if they wished, asked for information on the readings of other meters and the status of other indicators.
For some events, additional symptoms were presented to the operator, consistent in timing with the postulated upset.
In this way, information was elicited regarding the actual operator tasks and decision making processes that are necessary to respond to a spectrum of upsets.
Specific data included the displays which the operator used to diagnose a problem, to initiate a course of action and to confirm the results of his action, as well as the controls he used to carry these actions out.
Besides analyzing the controls and displays from a task oriented viewpoint, the walkthrough process described in the preceding paragraphs clearly exercises the operating procedures themselves.
When the walkthroughs uncovered discrepancies and ambiguities in the procedures, these were documented and forwarded to the operating staff for appropriate action.
The walkthroughs of the plant normal and emergency procedures defined a set of control and display requirements.
These control and display requirements were compared to existing instrumentation and any discrepancies documented.
The criteria used in this evaluation included consideration of questions such as:
- Is required input information available?
- Is required equipment, e.g., controls, tools, charts, lists, communication links, etc. available?
- Is this task physically and mentally practical to perform? For example, is the control too high to reach easily or does the operator need to have memorized too much information?
- Is the required system response indication available?
- Is the required component response indication available?
- Does this task conflict with other control room operations in progress?
- Are there potential errors in this task which have serious consequences?
- Would a simultaneous fire or medical emergency have a serious impact on this task?
- Do controls and displays used in this task meet appropriate human factors guidelines, e.g., control/display relationships, display units, label/procedure nomenclature consistency?
- Is the manning level consistent with the assignment of responsibilities for this task?
As a result of the walkthroughs, a few qualitatively difficult tasks were identified.
The review team then determined a course of action for further, more detailed evaluations of such tasks.
An additional function of the walkthroughs was to compare the nomenclature of the control console and panel labeling with that of plant procedure and piping and instrumentation diagrams. Where discrepancies were found, these were documented and appropriate changes to labeling, diagrams, or procedures were recommended.
D. Documentation of Review Data
During each phase of the control room review, data were recorded in the form most convenient to the particular task, to minimize the fraction of the review effort which was devoted to assembling, programming, recording, and storing data on deficiencies.
Emphasis was placed on using existing documents, for example, copies of the procedures, marked up to record problems as they were observed.
Special forms were used, however, in some instances to record data (e.g., the environmental survey, alarm tone testing).
Notes and raw data were further consolidated so that generic problems could be identified.
TABLE III-1 REQUIREMENTS OF NRC GENERIC LETTER 82-33 AND HOW THEY RELATE TO THE TMI-1 REVIEW

| REQUIREMENT (SUPPLEMENT 1 TO NUREG 0737, ENCL. TO NRC GENERIC LTR. 82-33) | TREATED IN TMI-1 CONTROL ROOM DESIGN REVIEW BY: | DESCRIBED IN THIS PROGRAM PLAN IN: |
|---|---|---|
| 5.1.b (i) Establish multidisciplinary review team. | Review team organization | Section III.B and Appendix A |
| 5.1.b (ii) Use "function and task analysis", that was basis for developing emergency operating procedures, to identify control room operator tasks and control requirements during emergency operations. | Walkthroughs of existing EOPs | Section III.C.5 |
| | Review of control room based on new, symptom-oriented Emergency Operating Procedures (planned, not yet performed) | Section V.6 |
| 5.1.b (iii) Compare display and control requirements with a control room inventory. | Inventory: control room mockup and panel drawings. | Section III.C.2 |
| | Comparison of requirements to existing inventory: | Sections: |
| | - Review based on operator responsibilities | III.C.4 |
| | - Review based on existing plant procedures, walkthroughs of normal and postulated off-normal events | III.C.5 |
| | - Review based on symptom-oriented Emergency Operating Procedures | V |
| 5.1.b (iv) Survey control room to identify deviations from human factors principles, including: control room layout; usefulness of alarm system; information recording and recall capability; control room environment | Detailed review of control room components and environment survey, including: detailed control panel reviews; alarm system review; control room environment survey | Section III.C.3 |
| 5.1.c Assess significance of human engineering discrepancies, determine which should be corrected and select improvements to correct them. | Findings and recommended corrective action. | Section IV |
| 5.1.d Verify that each improvement will provide the necessary correction and can be accomplished without introducing unacceptable human engineering discrepancies of its own. Coordinate with changes from other improvement programs. | Implementation of corrective actions. | Section IV |

TABLE III-2 COMPARISON OF TMI-1 REVIEW ELEMENTS TO NUREG-0700 REVIEW
NUREG-0700 review process elements (columns):
1. Review of Operating Experience
2. Review of System Functions & Operator Tasks
3. Control Room Inventory
4. Control Room Survey
5. Verification of Task Performance
6. Validation of Control Room Functions
TMI-1 review elements (rows):
A. Review of Operating Experience
B. Control Room Inventory - Mockup, Drawings
C. Detailed Review - Panels, Alarms, Environment
D. Review Based on Operator Responsibilities
E. Review Based on Plant Procedures and Walkthroughs
F. Review Based on Symptom-Oriented Emergency Operating Procedures*
G. Documentation of Review Data
[Correlation marks of the original matrix are not recoverable from the extracted text.]
* New symptom based emergency operating procedures have not yet been put in place, but a symptom-oriented review using existing EOPs was performed.

TABLE III-3(A) TOP LEVEL PROCEDURES WALKED THROUGH
OP 1102-1 Unit-1 Plant Heatup
OP 1102-2 Unit-1 Plant Startup
OP 1102-10 Unit-1 Plant Shutdown
OP 1102-11 Unit-1 Plant Cooldown
RP 1502-1 Unit-1 Refueling Operations
EP 1202-2 Station Blackout
EP 1202-3 Turbine Trip
EP 1202-4 Reactor Trip
EP 1202-6A Loss of Coolant Accident (breaks within capacity of makeup system)
EP 1202-6B Loss of Coolant Accident (small breaks causing automatic HP injection)
EP 1202-26A Loss of Feedwater to both OTSGs*
EP 1203-24 Steam System Supply Rupture Actuation on both Steam Generators
* A number of postulated casualties were walked through for which these are the most applicable procedures.

TABLE III-3(B) SUBSIDIARY PROCEDURES WALKED THROUGH OR DISCUSSED IN SUPPORT OF TOP LEVEL PROCEDURE WALK-THROUGHS
OP 1103-2 Filling and Venting Reactor Coolant System
OP 1103-5 Pressurizer Operation
OP 1106-6 RC Pump Operation
OP 1106-16 Once Through Steam Generator, Fill Drain and Layup
OP 1104-2 Makeup and Purification System Operation
OP 1106-1 Turbine Generator Operation
OP 1106-3 Feedwater System
OP 1103-15 Reactivity Balance Calculation
OP 1105-4 Integrated Control System
OP 1102-13 Decay Heat Removal by OTSG
OP 1104-4 Decay Heat Removal System
RP 1505-1 Core Assembly
OP 1106-15 Main and Auxiliary Vacuum System

IV.
SUMMARY REPORT OF THE CONTROL ROOM DESIGN REVIEW; FINDINGS AND CORRECTIVE ACTIONS
As might be expected, the extensive review process just described generated a large number of findings, both positive and negative.
The negative findings -- deficiencies -- were assessed by the review team and recommendations for their correction were made to GPU management.
Human factors deficiencies can generally be corrected either by operator training and procedures, or by modifications to control or display hardware.
Essentially the criterion used to formulate recommended corrective actions for TMI-1 was:
If a practical hardware modification can be devised which fixes the deficiency, then that modification should be made, whether or not the deficiency is " safety related" in the narrow sense of this term.
By correcting the deficiency in hardware the chances of operator error are made lower than they would be by making procedural or training changes.
A deficiency that can plausibly lead to operator error can also lead to the disruption of the mass, energy or momentum flows in some plant systems.
Once any system is out of equilibrium the vulnerability of the plant and its operators to a second and possibly more serious upset is significantly increased.
A summary of the findings and recommended corrective actions, excerpted from the 1980 report of the GPU Control Room Review, is included as Appendix D.
Table IV-1 summarizes these findings and recommendations as well as the actions taken for each.
As can be seen from the table, an extensive upgrading of the human factors of the TMI-1 control room has been accomplished.
Nor is this all.
Every recent change to the plant that has the potential for affecting the control room has been carefully reviewed for its human factors, and in many instances, significant improvements made.
Also, a number of improvements were engendered after the original review was completed.
Among these latter are:
Repainting of all control panels with non-glare paint, to reduce glare.
The addition of a thermal and hydraulic panel displaying key plant variables in a digital format.
Variables include hot and cold leg reactor coolant temperatures, reactor coolant pressure, subcooling, and steam pressures.
The data from this panel, along with data from similar digital displays of pressurizer level, makeup tank level and the two steam generator levels allow the control room operator to get a quick overall assessment of plant condition even when his normal instrumentation power is disrupted.
The displays are also large enough for the senior reactor operator and shift technical advisor to read and evaluate, from their normal operating stations, without getting in the CRO's way.
The addition of numerous operator visual aids to reduce his memory burden -- tank capacities, valves or dampers activated by radiation instruments, etc.
Variables which may require declaration of some level of site emergency are also distinctively marked, and an emergency plan matrix was prepared to assist the operator in such determinations.
The findings and recommendations of the alarm system review are detailed in the 1981 GPU Report of this review referenced previously.
In summary, the following corrective actions have been taken to upgrade the TMI-1 alarm system:
(1)
A number of alarm conditions that normally follow in the train of a reactor trip or other major upset or that themselves signal such an upset were located on subsidiary alarm panels.
Recognition of these alarms required the operator to leave his station at the main console during the upset.
All such alarms were relocated on the main annunciator board where they can be recognized and acknowledged from the main console.
(2)
A number of alarms were found to be unnecessary and were deleted.
(3)
Administrative procedures for acknowledging alarms were upgraded, to diminish the chance of an alarm being inadvertently acknowledged (by an operator acknowledging a second alarm in a different field of view).
(4)
All alarm conditions which require additional operators to man the control board or which require prompt operator action were color coded red.
This coding is used to summon supplementary operators, normally stationed in the control room, but having interruptable non-control-related duties (e.g., blocking and tagging).
(5)
All alarms on malfunctions of the engineered safeguards actuation system were color coded blue.
This measure was taken to facilitate their recognition under conditions where prompt operator response to them is necessary -- that is, when many non-safety-related alarms are also "up."
(6)
Alarm tiles with poor readability or confusing legends were reworded and replaced.
(7)
Alarm tone generators (horns) for the main process alarm panels and subsidiary alarm panels were replaced.
Special tests were run in which measurements were made, and tone generators adjusted to ensure that each tone is audible, and distinguishable from the others, without being startling or disturbing.
(8)
The review uncovered a number of alarm conditions that warrant alarms but that were not.
These alarms were added as part of the plant modification program which proceeded in parallel with the alarm panel review.
Each improvement involving a relabeling, rescaling, re-arrangement or other modification to existing controls and displays was walked through in the mockup, to ensure that the proposed change was compatible with any operator biases.
Nomenclature for all relabeling was also reviewed and approved by the operating staff.
The findings and corrective actions summarized in Table IV-1 overlap many of the findings of the NRC audit of the TMI-1 control room (opus citatus).
It should also be noted that the corrective action program undertaken at TMI-1 has been reviewed by the NRC staff and has been found satisfactory relative to ensuring unit safety upon restarting.(9)
(9) NRC Region 1 Inspection Report No. 50-289/82-17 and Letter (Docket 50-289).
The NRC Inspection Report does require that certain items be addressed in this report, as follows:
"1.0 Annunciators:
The evaluation and final resolution of the alarm system deficiencies will be addressed in the licensee's DCRDR."
The engineering evaluation of the alarm system and improvements to the alarm system have been discussed in a preceding paragraph.
This review showed that with the improvements made, the alarm system is capable of supporting operations for at least the next several years.
GPU Nuclear is evaluating other improvements for the longer term to allow expansion and to consider possible reformatting if improved performance can be demonstrated.
"2.0 Process Computer:
The licensee is required to address the standardization of color codes used on the CRT displays."
A standardized color code, contained in the User's Guide for the new plant computer system, has been used in structuring computer displays.
"3.0 Controls:
b.
Set point knobs on Bailey controllers do not lock, and can be accidentally rotated....the licensee is required to address this item further in its DCRDR."
The knobs referred to are for set points and other adjustments which are usually made by the operator (as opposed to the instrument technician).
GPU Nuclear is not aware of any power plants which use locking devices on adjustments of this type.
Operating experience at TMI-1 was reviewed and no significant incident caused by an inadvertent rotation was uncovered.
Based on other experience with locking devices, locking the knobs would invite mechanical stripping, with total loss of adjustment.
GPU Nuclear intends to take no further action on this item.
"3.0 Controls:
d.
Legend switchcovers are interchangeable....the licensee is required to address this item further in its DCRDR."
This item refers to the engraved lens caps for pushbuttons used to operate valves and other devices.
Prior to upgrading control room human factors, these lens caps contained valve descriptions and numbers.
If the lens caps were inadvertently interchanged, operation of the wrong valve could result.
As part of the control room upgrade, engraved nameplates were added adjacent to and tying together all valve operating pushbuttons (as well as other pushbuttons).
The valve descriptor and number is on these nameplates, not on the lens caps.
All lens caps are engraved with the simple words "open" or "close" (or, if appropriate, "on" or "off").
A consistent positional stereotype is used for all controls -- valves open to the right or above, closed to the left or below (similarly for on and off).
The operator is instructed to remove only one lens cap at a time.
The chances of an undetected inadvertent interchange of lens caps are considered to be diminishingly small.
"3.0 Controls:
e.
The licensee is required to investigate systems and techniques for effective communication of indicator and display lamp status information to operators where "push to test" lamp status information is not already available and report its findings and proposals in its DCRDR."
As noted elsewhere in this report, all indication lights on the status panel for the Engineered Safety Features Actuation System (Panel PCR), which was completely re-arranged and enhanced as part of the human factors improvement program, are now equipped with a "push-to-test" feature.
The alarm system has always had a test feature whereby burnt out lamps can be identified.
In addition to these measures, all indicator lamps in the control room which are normally on or should be on, are now formally checked once a shift.
Also, formal tests of all safety system indicator lights have been incorporated in the surveillance tests of these systems.
"3.0 Controls:
g.
Bailey controllers indicated demand signal rather than valve position."
Since many of the controllers need the demand signal to determine when controller output matches the demand signal for transfer from one manual to automatic modes, replacement of demand with actual position would not be appropriate.
As long as the operators understand that the signals on these controllers are demand signals, the chance for error is slight.
This item has been included in the operator training program.
Additionally, improved labels have been added to many of the Bailey controllers to further reduce the chance for error.
"5.0 Labeling (General):
..2.
Color meaning is not consistent....the licensee is required to address this item further in its DCRDR."
As part of the control room upgrade, essentially all label plates have been replaced.
A consistent color code (10) has been used in designing the new label plates.
"6.3 HVAC System:
...the licensee will address labeling and demarcation of the remaining HVAC system controls in its DCRDR."
As part of the control room upgrade, (11) the HVAC system controls have been relabeled and demarcated. (12)
"10.0 Communications:
b.
The licensee is studying the overall communications system at TMI-1 to determine improvements that can be made and will report on its findings in the detailed control room design review.
c.
The plant paging system will be included in the in-plant communications study described in item 10.0.b."
An evaluation of the communication system was performed which proposed modification to improve the communications system.
The page system is scheduled to have improvements made on the highest priority.
Other modifications are being evaluated for installation after the page system improvements are completed.
(10) GPU Nuclear Engineering Standard, ES-004, "Human Engineering Guide TMI-1."
(11) ibid.
(12) ibid.
T 45r iV-l tien%Y:
l' L W14 U M) IJ AU'.*P.Y.*1!If.I FtMist):t he ett'tmlal Act ivn I!I IMf. evt he Act tul 0,t t ed tw Act t un 1
Kvtey! Mt e"It letters (B%!!:
1AlprsWe Itatt er n t/s, q'lartty.
!!!.D.2 to e nY1atoai sm) J11 o mit rul t a ti nee' t. win c19t tetVantuw adL ?nt k'pla6v t mit *L JtY l nl **1+i.
M ov i*ld D-11 !I.4 8 mile"8
- ttti *sitte natil.it e t1 imi eivt teu tuvnelatures to3urary labels.
Asu tstent level inr.ts scentist
- W t e.:
otlity oatarttivd. liter.u a te.il e.mt m rut.atjoin the relatai enjg.
lx ma tti ma te taaol tt) re=ttav.*1ut tes,
hwnelat arc w. rikle avutztet t =sth i n tib.
2.
Svst emi hite tt iant en tst in)
Ptovide [wel Awarcat tm, group 111-0.1.2 inircat am 1trea, wie aklol to wt tti
[u Et n t'"9tE E not clearly latvla, w1or cntin) to &&ntity D-!!.A.)
t.rsettoral grups.
t identified.
fork:tional grouW.
3, Pushbatten Cmtrolst cmporwnt haltfy laN11N, ineteaw letter
!!1-8.3 Pashttan twls wie enhaxwi tv inviraj T5nitication un wntrol is sa:w. Provik miforn liet D-!!.A.6
- f. net tonal Amerartions fra, ter.4 cv as!
(Lacated ty actuation aM intensity. Stow N ic relation cips D-!!.B.1 plactm an aljutntro la:e1 plato. Icns caps taggtrq: variable Itant in large attays, cuntain m1y ad ion wrc's I ta.e *elme,* Smn,*
intenssty large arrays.
- m,* etc. n latM pidhuttons are t aoi tchlether tr/ latrl plate.
4 6 erd Irdicatof 1.ightst letters 13(rwe labelirn, increase letter III-C.1 bcrd irdicator lichts were enhancvd ty revuvars; arulla variable ligns s t ae. Provide unifor n light 111-0.2 desertptton traternal as on taashbuttons.
- t. tant intensity.
intensity.
C-III.B.2.3 intensity for backlignted 19's aM IMiestors bras aljusttd by wans of 811& wire rosators.
The engineered safeguards actuation system status panel was completely rearranged and relabeled to promote the ability of the operator, standing at the main control console, to assess actual system status, after one or more features have been called upon to actuate.
5.
vertical Meters: poor scale PrwLe new scales ard Mditional 111-0.4 nailey wters wre wwsded with nw reales curiarcation, ana3 equate labeliry. Evate. ate overncM light B-II.C.2,3 ct:nformirq with accepted hinan factors labeling, glare on neter faces.
bafflirq to redxe glare.
C-III.B.2 stedards.
6.
shape (bding: close proximity Use shape codirg of hardles to III-B.5 Strips were glued on breaker control hardles, to of ptsy controls ard breaker distirguish pxp controls frcan F I.A.5 provide teth. shape ard color codtrr1 Af ter rc.ru controls with identical breaker ccxitrols, c@rmtaticn, satastarry sm way
- handles, at.ieved.
7. Engineered Safeguards Panel
Finding: Difficult to read from front of console; low indicator brightness; not designed for new actuation logic.
Recommended action: Redesign to match the new logic and to provide rapid system diagnosis from front of console. Improve indicator brightness and provide push-to-test feature.
Reference: III-C.1, B-II.A.3, C-III.B.2.3
Actual corrective action: Engineered safeguards status panel (PCR) was redesigned, rearranged, and relabeled to meet readability, interpretability requirements. Taps on supply transformer for indicator lights changed to increase voltage. Lens caps with improved transmissivity also added.
8.
thergenev Feco* water t.ine';o Proride ccrplete rai le of emergency III-C.2 thergency feedwater Systen controls more scatte ed groups of fescwater feedwater scurces ard ficw B-II.A.8 ccrpletely rearranged in an easy-to-understand valve controls no 12W flow irdicaticm.
simic. Ficw irdications here M3ed.
trdication.
9.
tat &wn Isolations requires Prcuide isolation fmetion with III-C.3 Ee aJtautic letdcun isolatiwn function w:ss operator to leave center valve that is controlled fran L-1.D.1 hvoo to valves ecntrollal fro 3 LLC conLJ10 cansole shortly after reactor console center iPU-V-3)'
center.
trip.
- 10. 'Nrtine t. *9 labe oil check Mcetty pocedare ro cperater ray III-c.3 Procekte was rrodified as rectrre-dM.
on bacs snel reqaires cperator staf at station longer.
B-I.D.2 to leave station.
- 11. Peset of (fw Pressure Provide aJtCr.2 tie reset of bistables III-C.)
Circuit Ws podificd Do that reset is rKW on bi tar,less reset requitad or relocate reust controls to srain B-I.8.1 rain control co cole. All m central renot' Tian control rocri with console in control recun.
f.rsesions were relaneled to clarify t:wir e
limited tase available.
purpcne.
- 12. Annunciator AMitility:
Prchide miform audibility.
III-CC.4 A test was crsdxtrd arrl all aMabile v_rtante alarz emit, titty (too C-III.C annunciatnre milucttd for mifor-ly acenotable 1 cad and tco sof t).
tcricts Irm tras starrmotnt cf:
aMibility ovrir haemrosd rot startitrri or anrofirn distinpishable fran otMr t:nes.
- 13. grLcatrole rr2 cncedisation Conr11nate preter scales for tem:1 I I I.C. *.
mter restes a d otnar visal ai+s waa prwt J.,1 ts twwn r.tctup, <Teratam ard irmeat s ors. SLMy rmarytro nain b-!.A.2 to cn_rhte varitan Iwal natri. Nm1 full rary's 1 erect traiteataror f e fi resplattro valve tv.trolr. tn cmtrol of fem! iter in tte ne artup rarer rra, f Mt regiswas f eMwater in W ve s.ana21 cuntrol tf i m 1,1*:.
mes wide rary lent trntr n nt with regelattrq valve.
Arptvul, wtw u.r.LrtJ 1 r.
(II Inf ers rwi &riagnatevi tr/: *1%,srt fan.t t<si trir te,4sh a ) - r,4 met u,* of prw a<sml/ rt lera rM rMI re p,r t. Firela rs;'s ar,) r es suu ht sum rilitive Les alarnsi.azre gxesntist in a salaarate s ja,rt.
TAlut IV l tRitWn Fitti!M *i tm la u f f t Wit tti 3
Flesliinyt lancs n'embst At ein 1&t. t.s I hu Act u.nl Gee aivt tw, At hn I
14.
Rttiat(.se gneteegetj triting PH muit.b int ter hm ne uesh ten 111 < 86 Katt.it i.es me ntt as i vat emtwly emisept a sl e
- sp'enW'6 4pm4 t' liuins Mwkw w it i.nt monsimelo teptsattut.
si t*-all.J sel sletal to edumv se.mtunt et tiert hu.unt ist timt at gwl Iwa Hwl.t it' wiivatal =ensi t>tti.C
. tate galett, alaim, etc.) inns min smt tol stittiivit tan W.kl tallvhttui shilosang ilietates wplaasia nt.
osmole.
hatirA t10 t itM i%'llLV4 t*191tSle s
^
t w.sitry. =,t visainly miat.o Strip charr recorders still to corn =putiru "Y"*
under study. Soma recorders have
- 15. sr.ic m rt nmg. nw arr tnniini with tunism li 4i.6 been replaced with new models &
munial wiiat,any, emubitity my titt - mnier n-i. A. 2 diffieult ootainuy rate of nnos. Altmute nwnim my ret a-l l.C. s are being evaluated. Upgraded m in p aata.
tm. an twtuuvnt or. tiptatale.
r-int.n computer system with enhanced any tena, ibwel, ami int is, trending ca installed. pability has been tw o,o m.
- 16. tbeat 4*at Cruter Crnemis.
Ptovide catubility m oiinolo to It! C.7 Qmtsul relocation to allw easier nyulatim is sboy Nat smuler taan twtrol supulate decay he.st clinal cyclo B-l.u.)
urshir study.
nmte f rom tssprature (m3thiek cmler ficw itH-V Wit anst til-V-irslicattan in anttui tuin.
6M/bl or inptow T ril onntant ass 3 instru entatnon.
th Orr Displiva current display Ibpair or leplace. Pecessary
!!! C.s C3rr displays have tavn sudo gerational.
not garrattonal.
infonthitton is avaitahlo cn lino B-II.C.6 prirters. Izzy tetis GV is chivolcpirq advars:vd cuo6 mater displag systens.
- 10. Electrical evitem Ccntreite Dqu sled use of mimics, color III C.9, Electrical system avlatarted and tunimiced.
trna.laste munics, araiguous cultry, shaps cnstry, asiitticnt!
B-I.A.5
\\taltatom arms armuters vasually tial to control /disple't relatimships, latultry.
specific tuses and feeders.
inadegaate Ixneliry.
19, Ccrriuntrations t gnje systes Ltgrade gage systern and other
!!I-D.I, A survei of available cxrrunciations equi; rent Tnadvinte, escessive taanden m ormnurdestions ecpalpmnt. leview bl thrugh to trprovo in-plant comunteatturus has Lawn cperatore durirq umrgencies.
twed for requirtry oncessive 11 Earriooimxt ty tin plant statt.
operator /es-plant cerinunications C-!!!.L during erwrgency events.
- 20. Contre 1 mmn Envirrysvnt low Ptuvide minismen hLsnidity oantrol and
!!!-D.2 lissidity seasuruwnts in the control rom are hisuidt'rt unnecesaary rotser dust filtratim. Carpet floor to C-I!!.A,B,C betrq performed nw ard will contintar this duet acessalattant perceptim reduce noise, reduce glatv, ard winter. Iwsults will tm used to decicle on runt of roos As 't:right."
imprwe operator cmfort and morale.
for lusnindit teation. Carpetary installatim as twirq evaluated. M w directtorul light tattles have been ahxi, eliminattrq glare problas.
- 21. Trdicator Licht Test e majority thily tulb inspection and III-D.2.d IJrnp check procedure formlized.
M*w EEAS of sushoutton arma ardtcator replaccent schedule wt!! prwide C-I!!.B.2 status panel is prwided ti6h 1.snpt feature.
lights do not incita3e test inproved indicator reliability.
feature. (Annunciators cxntrol (see 7 also.)
rud drives, at:1 turbine controls do have a larnp test feature.1
- 22. h-nsnettonal ingtruvnt, Prwide annurclators to identify -
!!!-C.10 All Bailey meters provided with a distinctive Detect im e su un,suag mus then Swer supply is lost ard 8-11.A.4 crarge pcaser f att positinn mark. In ad11 tim, scans to distirvpisn fatled include distanctive scale turks at extensive irdication of individual cru. trol arms instru wnts.
- meter aero.*
instruwntation pwir e9ppines status was aated, with latnlity so that, when a s;mettte supply is lost, cperator can tell which instruents and controls tuve been lost.
- 23. cirevit Breakars fnr livrnenry Arrarne breaken foi pep A F-1
' 'Ihe unnecessarily rusundant brvaker antrols Htarms confustrqiy torptther, breakers for ptry 6 were rcriwod, entmirutirq this problun.
r,rrarged.
tojettwr.
- 24. '!hrm 16;ttm enntrnilart peenr brrarne pushtuttrns tr> gut stop r-2 lbshbuttons unsre rearran2od arvi prwided with Q, r t.-l Velvast reversary tutton in center, prwido sprary cwers where a(propriate.
ritructim wattmt ustry stop loa *.=1 owers for gen arvi ciceo tutton caussis tesis of valve smashtaattms.
control.
- 25. fMetnr rmlant Tmerature Ibarrarge s=>ters ard sulectors.
F-3 ~
fteters enre rearraripwl ard rvlatuled to ent.anco ere s T 4A nphy9 441 urylerstarijiry.
te H:t orn a unstuurg
( rrarypresnt.
- 26..%rm arri IMer evitate Rarup, Arrarujo internesitate tarvjo diriplays F-4 Interim 154te rarge rmters terc rearrarrynj.
fme rm 1,-a.
vel e..v..
tres a se as wurw rarnpv <linplays.
lei a.p l ays eJITierwt arrareprents of samilar variar,les.
I J
TN.l A: LVet GattNtt s FLMithhD A%i 14tttt8NMist41 Yletti Me huse4%hl Miint mif. revt tian Maul Gurcetive Adlin D I ki A.uip W. I tu.at Ap ditplayts for F.S M). I anal latsye inth ew=.sl Ap me. ten s wie 27.
r.r )ju (l. mal I.itpinth At*W 64wtd% 1 wit all tu v4 tan'thers likewlee tercaleil, act.its;lui dist risier.arweist.
usept 2
Mie s omit ud6 rag sku[ s.t. ale, labyr& nth Ap's.
suters.
+
1 tg4p'Q e.uT4TIhrtimn~G t'leplays for Iktetor Interdtartge.
F-4 ekters tere interdnarHet!.
u '.id a jisii5Eild15&sia p.
met Duple erst Clarify 1s=1s.
F-7 tatensively relatelal (see also 11, atevels 39, was Meutidi~l.TelFru s n
eat ondusing tiim^iTsE5py.
3 manual otu la io_n buprwe labeling.
F-8 Idboling imprwal, with informtion latels aided
_ t.zi t.sdirmp to descrite actual fuictions inttlatus ty cam ensias W is~i4 ~4 wrating the IU See anno itens 18 aral 29, atawe.
pasahbuttorn unclear.
- 31. ge,65 Amtsoflersect_o. stwitch for Mini-8teters Relatet switch scettions for each F-9 Eadi cuntroller selector witch w.as relateint.
en 1 e,aten controller.
In aklition, a mintrueter latet plate was ablut, position termarul5py misleads as tell as an intosmtion plate to clarify these as to actual meter signal.
functions on eadi controller.
33, Mlant Bleed Tardt neverse harsliriy of selector switch.
F-10 selector owitcle was reorientcil, to prwide A, B, Eelector e7w tfim iTilZE C rotation.
^
- settset punitions are C, ten 11e displays arul other indicettens are A, B C.
- 33. Selector Pushbuttons for Steam leere puelhtton array nest to seter, F-Il Displays and controle rearrarsped.
esnerator st.artup lurine tevet ly interdiarige with another display.
Instruments: does not asjoin the related seter.
- 34. awnshronisina f,tehts: too Asduce light intensity.
F=13 143 actiert osas taken. On reevaluation, light
- bright, brightness considered acceptble.
E Diaolave for 17 Webine tuhaust une cousson units, cusider reversing F-13 sonne is being dienged.
Fri esure arti Main Corsioneer senas of vacuum seter.
3 gge related displays have
' E tectrug units armi are oggesite in se'une.
36. Console Meters and Recorders
Finding: Some are of marginal utility operationally.
Recommended action: Remove if the console space is needed for other, more important displays.
Reference: F-14
Actual corrective action: A list of unused recorders and indicators has been compiled. Components will be removed as space is required for new additions.
V.
PROGRAM PLAN FOR REVIEW BASED ON SYMPTOM-ORIENTED EMERGENCY OPERATING PROCEDURES
The objective of this review will be to examine the control room from the standpoint of the new, symptom-oriented Emergency Operating Procedures -- to determine whether the control room provides the information and controls necessary to perform the functions and specific tasks called for in these procedures.
The procedures, as required by NUREG-0737, will not be predicated on specific events or malfunctions, but instead will be symptom-oriented, prescribing control actions based on maintaining basic plant variables within prescribed bounds regardless of the initiating event.
Depending on implementation schedule, the final validation and verification of the control room may come after the procedures have been implemented.
However, the procedures will receive extensive Human Factors reviews prior to implementation.
As part of the final review of the symptom oriented Emergency Operating Procedures, for each task that is required of the operators by the procedures, an assessment will be made of:
whether the required controls and indications are available to the operator and can be interpreted as called for (are the indicators of sufficient accuracy, can the operators get trend or rate information asked for, etc.)
whether the symptoms described and the guidance provided are sufficient to allow the operator to diagnose and respond to the spectrum of plant upsets which might confront him;
whether there are any evolutions spelled out for which time may be a controlling factor -- is it reasonable to expect the operator(s) to act in the time required;
whether there are any additional aids required for the operator to be able to carry out the functions and tasks called for by the procedures.
Scenarios will be devised, based on mechanistic causes, that challenge the symptom-oriented procedures.
Walkthroughs will be conducted, based on these scenarios and designed to uncover any mismatch between the procedures and the resources available to the operator in the control room.
The walkthroughs will be conducted at the control room mockup.
In addition, evaluations of the usability of the procedures from a human factors viewpoint will be performed by observing emergency procedure training evolutions for TMI-1 operators at the B&W simulator.
VI.
APPENDICES
APPENDIX A
RESUMES
RESUMES FOR PERSONNEL OF GPU NUCLEAR CORPORATION
T. GARY BROUGHTON
Business Address:
GPU Nuclear Corporation, 100 Interpace Parkway, Parsippany, New Jersey 07054
Education:
B.A., Mathematics, Dartmouth College, 1966
Experience:
Director Systems Engineering, November 1982 to present.
Responsible for Systems Engineering Department activities including nuclear fuel procurement and analysis, risk and reliability assessment, process computer applications, radiological engineering, safety analysis, plant analysis and human factors engineering.
Systems Analysis Director, 1981 to 1982.
Responsible for human factors engineering, nuclear safety analysis and analysis of plant thermal hydraulic performance.
Control & Safety Analysis Manager, GPU Service Corporation, 1978 to 1981.
Responsible for nuclear safety analysis and integrated thermal, hydraulic and control system analysis of nuclear and fossil plants.
Supervised on-site technical support groups at Three Mile Island, Unit 2 during the post-accident period.
Safety and Licensing Engineer; Safety and Licensing Manager, GPU Service Corporation 1976 to 1978.
Performed and supervised nuclear licensing, environmental licensing and safety analysis for Oyster Creek, Three Mile Island and Forked River plants.
Served as Technical Secretary to Oyster Creek and Three Mile Island General Office Review Boards.
Officer, U.S. Navy, 1966 to 1976.
Trained at Naval Nuclear Power School, Prototype and Submarine School.
Positions held include Nuclear Propulsion Plant Watch Supervisor, Instructor at DIG prototype plant and Engineering Officer aboard a fast-attack nuclear submarine.
Publications:
EPRI, CCM-5, RETRAN - A Program for One-Dimensional Transient Thermal-Hydraulic Analyses of Complex Fluid Flow Systems, Volume 4: Applications, December, 1978, Section 6.1, "Analysis of Rapid Cooldown Transient - Three Mile Island Unit 2", with N. G. Trikouros and J. F. Harrison.
"The Use of RETRAN to Evaluate Alternate Accident Scenarios at TMI-2", with N. G. Trikouros. Proceedings of the ANS/ENS Topical Meeting on Thermal Reactor Safety, April 1980, CONF-800403.
"A Real-Time Method for Analyzing Nuclear Power Plant Transients", with P.
S. Walsh, ANS Transactions, Volume 34 TANSAD 34 1-899 (1980).
PATRICK S. WALSH
Business Address:
GPU Nuclear Corporation, 100 Interpace Parkway, Parsippany, New Jersey 07054
Education:
B.S., Chemical Engineering, Illinois Institute of Technology, 1969.
M.S.E.,
Nuclear Engineering, Catholic University of America, 1978.
U.S. Navy Nuclear Training Program, 1969 to 1970.
Experience:
Plant Analysis Manager, GPU Nuclear Corporation, 1979 to present.
Responsible for conducting evaluations of operating experience and technical performance of all GPU system nuclear generating stations.
Senior Engineer, Nuclear Analysis Section, GPU Service Corporation, 1978 to 1979.
Responsible for performing nuclear fuel thermal-hydraulic analyses and fuel performance analyses.
Senior Engineer, Nuclear Fuel Management Unit, Baltimore Gas and Electric Company, 1976 to 1978.
Responsibilities included the performance of fuel management analyses; evaluation of safety analyses required for license amendments; and, supervision of, and preparation of procedures for, core refueling, new and irradiated fuel inspection and spent fuel shipment.
Engineer, Startup Test Group, Baltimore Gas and Electric Company, 1974 to 1976.
Responsible for procedure preparation and supervision of hot functional, low power physics and power escalation testing of mechanical and instrumentation systems.
Officer, U.S. Navy, 1970 to 1974.
Held positions of Nuclear Submarine Engineering Department Division Officer and Nuclear Prototype Instructor and Training Officer.
Professional Affiliations:
Registered Professional Engineer, New Jersey.
RESUMES FOR PERSONNEL OF MPR ASSOCIATES, INC.
MPR ASSOCIATES, INC.
NAME:
Herbert Estrada, Jr.
DATE OF BIRTH:
July 24, 1929
EDUCATION:
BS Electrical Engineering, University of Pennsylvania - 1951 (With Distinction)
Graduate Courses in Physics and Mathematics, University of Pittsburgh, 1952-1953
EXPERIENCE:
Since 1951, Mr. Estrada has had first-hand experience in engineering of fluid and control systems, twelve years of which were devoted to the design, analysis, field installation, test and evaluation of naval nuclear propulsion plant systems.
1964 - present: MPR Associates, Inc.
Responsible for technical coordination and direction of projects including design, analysis, testing, and operation of nuclear and fossil-fueled power systems, hydraulic, pneumatic, and electronic control systems, and electrical systems, and fluid systems.
Some specific projects include:
- Design, analysis, installation, and testing of propulsion plant instrumentation and controls, to replace controls and instrumentation of questionable reliability and excessive complexity, for a class of five U.S. Navy (fossil fuel/steam powered) assault ships. This work included: analysis of manning skills and levels required for effective performance of operations manually, under both emergency and normal conditions; and, arrangement of controls, displays, valves, and the hardware for the effective performance of required tasks.
- Design, analysis, and evaluation of instrumentation and control systems
. for power plants and experimental facilities.
l l
l l
Experience continued:
- Development of check and alignment procedures, and troubleshooting data, for on-line verification of the operation of automatic combustion and feedwater control systems. These procedures have been designed for use by semi-skilled personnel and have been successfully applied.
- Analysis of steam power plant operations under cyclic load conditions, for the purpose of developing revised operating procedures and systems to accommodate cycling service. This work included the development and verification of computer codes and other analytical tools for predicting temperature response and estimating fatigue damage and crack propagation in heavy metal parts of turbines and steam generators subjected to cycling service.
- Development and verification of modular, general purpose computer codes for the analysis of the dynamic response of steam power plants to transients such as load rejection, loss of circulating water flow, loss (trip) of heat source, etc. Codes have been used to design turbine bypass systems, predict turbine overspeed, evaluate steam generator response, optimize combustion and reactor control system responses, size and set relief valves, etc.
- Development of computerized heat balance codes for establishing power plant generation capability with one or more feed heaters out of service, and with other steam and feed system components out of service.
- Review of nuclear power plant control room human factors, and formulation and implementation of design changes to improve human factors. Work in this area has included testimony before an Atomic Safety and Licensing Board, and consulting services and other support of the EPRI development of an alarm system improvement guide.
1963-1964 -- Chief of the Nuclear Systems Engineering Section, Allison Division of the General Motors Corporation, 1963 to 1964.
Responsible for engineering and operations research activities on chemical systems for several energy conversion development projects.
1951-1963 -- Bettis Atomic Power Laboratory of Westinghouse Electric Corporation.
Responsibilities included:
Supervisor of Advanced Surface Ship Control Engineering; Chief Test Engineer for acceptance testing of Bettis-designed reactors for nuclear submarines at Portsmouth Naval Shipyard; Lead Engineer for nuclear plant analysis of Skate Class Nuclear Submarines; Designer of power range instrumentation and reactor protection systems and hardware, USS NAUTILUS.
HONORS:
Bettis Distinguished Service Award - April 1962, for outstanding contributions in engineering for submarine nuclear power plants and for guidance and effective coordination in the shipyard installation of propulsion systems in three classes of nuclear submarines.
Most Meritorious Patent Disclosure Award (with two others), Bettis Atomic Power Laboratory -- 1963
PUBLICATIONS:
Author of numerous technical papers and reports, published and proprietary, on the following subjects:
- Measurement of the dynamic responses and characteristics of nuclear power plants.
- Transient behavior and control design for nuclear and fossil-fired steam generators.
- Generalized computer codes for calculating nuclear and fossil steam plant responses to normal and upset conditions.
- Theory of operation and accuracy of flow measurement systems.
- Descriptions and procedures on the theory, checkout, alignment and troubleshooting of control systems.
- Evaluations of control room human factors and descriptions of measures for their improvement.
Holder of several patents, in addition to numerous patent disclosures, relating to power plant systems and controls.
NAME: Robert T. Pink
DATE OF BIRTH: May 10, 1951
EDUCATION:
BS Electrical Engineering, Rice University - 1973, Summa Cum Laude
Master of Electrical Engineering, Rice University - 1974
EXPERIENCE:
1974 - present -- MPR Associates, Inc.
Analysis, evaluation and problem solving in connection with nuclear and fossil-fueled power plants.
This work has included:
- Development of checkout, alignment and troubleshooting procedures for on-line verification of the operation of automatic combustion, feedwater and feed pump control systems.
- Stability and transient analyses, and testing of pneumatic and electronic control systems and components.
- Development of mathematical models for dynamic analysis of both nuclear and fossil plant steam generators using digital and hybrid (analog-digital) computer techniques. Models have been applied in design and analysis of control systems, and in development of control alignment and check procedures.
- Dynamic analysis of water reactor primary coolant systems, including steam generator, reactor, pressurizer and relief valve dynamics for evaluation of plant thermal and pressure transients, control settings and operational procedures.
- Human engineering reviews of nuclear plant control rooms, including the conducting of walkthroughs of normal and emergency operations at a mockup, conducting tests and measurements of control room environment, and formulating improvements in human factors of the control room.
- Detailed engineering and human factors reviews of nuclear control room alarm systems, including formulation of guidelines for alarm system design, and supervision of the design and construction of a full-scale, dynamic alarm system simulator to test and evaluate improvements in alarm system design. This work included detailed reviews of the plant fluid and electrical systems, applying a formal set of guidelines to determine what conditions should be alarmed in the control room.
Summer 1973 -- MPR Associates, Inc.
Special projects associated with central station nuclear power plants.
1971 - 1973 -- Part-time work for the Department of Electrical Engineering, Rice University.
Participated in the assembly, testing, and documentation of the central processing unit for a research computer installation.
MEMBER:
Institute of Electrical and Electronics Engineers
HONORARY SOCIETIES:
Tau Beta Pi - National Engineering
Phi Beta Kappa - National Scholastic
AWARDS:
Rice University Alumni Award for Outstanding Fifth-Year Electrical Engineering Student 1974
NAME: Dwight H. Harrison
DATE OF BIRTH: June 20, 1933
EDUCATION:
BS Mechanical Engineering, University of Kansas - 1955
Graduate, Bettis Reactor Engineering School, Bettis Laboratory, Naval Reactors, U.S. AEC - 1956
MS in Mechanical Engineering, California Institute of Technology - 1963
PhD in Nuclear Engineering, Pennsylvania State University - 1968
EXPERIENCE:
Dr. Harrison has worked in nuclear engineering since 1955, and spent seven years in the Naval Nuclear Propulsion Program headquarters.
This experience has been directly related to the mechanical engineering design features of water-cooled and sodium-cooled power reactor cores and their directly associated components.
1966 - present -- MPR Associates.
Responsible for the coordination and technical direction of projects involving analysis, design, testing, operation, and manufacture of nuclear power systems and components and other mechanical equipment.
Original analysis for and technical review of other in-house projects have also been performed.
Some specific areas have been:
1. Design, manufacture, testing, field modification, and operation of reactor refueling equipment for both water and sodium-cooled reactors.
2. Design, analysis, fabrication, assembly, installation, testing, and in-service inspection of reactor internal structures and repair of service failures in them.
3. Detailed human factors reviews of nuclear reactor control rooms, including preparation of guidelines, comparison of configurations to these guidelines, environmental surveys, reviews of experience, walkthroughs of procedures, the preparation of detailed plans for the human factor improvements, and the selection of materials and the field instructions to accomplish these improvements.
4. Design, analysis, fabrication, and operation of nuclear reactor control and drive mechanisms, reactor vessels, steam generators, pumps, valves and other equipment for both water-cooled and sodium-cooled reactors.
5. Application of analytical methods to various nuclear and non-nuclear structural, fluid, and thermal problems, involving both the verification of computer analysis methods and the development of original computer programs, both special and general purpose.
1955-1962 -- Headquarters, Naval Reactors, U.S. AEC and Navy Bureau of Ships.
Cognizant engineer responsible for mechanical, thermal and hydraulic design, fabrication, and testing of reactor cores, pressure vessels, control rod mechanisms, and refueling equipment for several reactor types.
These included: the Seawolf type reactors, the first Shippingport core, the destroyer type reactors, and the large ship type reactor.
Also directly associated with investigation of the effects of radiation on reactor pressure vessel materials, preparation of military specifications for reactor mechanical components, operation and testing of prototype reactor cores, and prototype and shipboard refueling and servicing operations.
MEMBER:
Society of Sigma Xi
Tau Beta Pi - National Engineering (Honorary)
Sigma Tau - National Engineering (Honorary)
Pi Tau Sigma - National Mechanical Engineering (Honorary)
Dr. Harrison has served on the Industrial and Professional Advisory Council for the Nuclear Engineering Department at the Pennsylvania State University.
RESUMES FOR PERSONNEL OF HUMAN FACTORS CONSULTANTS
JULIEN M. CHRISTENSEN
BUSINESS ADDRESS:
General Physics Corporation
1010 Woodmond Drive
Dayton, Ohio 45432
Education:
B.S., Accounting, University of Illinois, 1940
M.A., Experimental Psychology, Ohio State University, 1952.
PhD., Experimental Psychology, Ohio State University, 1959.
Experience:
General Physics - 1981 - Present
Chief Scientist - Human Factors
Director, Human Factors Division, Stevens, Scheidler, Stevens, Vossler, Inc., 1978 to 1981.
Consulting and applied research in areas of human factors, products liability / products safety and systems.
Professor, Department of Industrial Engineering and Operations Research, Wayne State University, 1977 to 1978.
Research and teaching, primarily in areas of human factors (ergonomics), safety and environmental studies and systems.
Professor and Chairman, Department of Industrial Engineering and Operations Research, College of Engineering, Wayne State University, 1974 to 1977.
Director, Human Engineering Division, Aerospace Medical Research Laboratory, Wright-Patterson Air Force Base, 1956 to 1974.
Planned and managed major interdisciplinary human factors research and development program of the Air Force.
Programs included visual perception and displays, controls and control dynamics, effects of environmental factors (including weightlessness and partial gravity), human performance modeling, maintainability, human reliability, information processing, decision-making, safety and physical anthropology.
Personnel included a wide range of skills such as experimental psychology, mathematics, physics, statistics, engineering, physiology and anthropology.
Research Scientist through Branch Chief, Aerospace Medical Research Laboratory, Wright-Patterson Air Force Base, 1946 to 1956.
Research and applications in experimental psychology and human factors engineering.
Research on visual perception with simple and complex stimuli, effects of high brightnesses on visual functions, visual form field expansion, methods of activity analysis, workplace layout, navigation plotter design, weightlessness, and systems.
Applications work included contributions to specifications, standards and handbooks and direct application of human engineering principles of numerous aircraft and command/control communication centers.
United States Air Force, 1943 to 1946.
Rank: Captain (Rated Navigator and Radar Observer).
Staff of Air Force Navigation Instructor's School.
Construction and validation of academic and in-flight measures of proficiency in navigation.
Statistical Clerk and Personnel Technician, United States Air Force Training Command, 1941 to 1943.
Development and validation of tests for selection and classification of pilots, bombardiers and navigators.
Development of academic and in-flight criteria for navigation.
Adjunct Professor, Wright State University, University of Dayton, Wittenburg University, and Sinclair University.
Visiting Lecturer, The University of Michigan's College of Engineering Summer Conferences, annually since 1960.
Visiting Lecturer, Air Force Institute of Technology (AFIT) for more than 10 years.
Lecturer and technical adviser to Instituto Technologico y de Estudios Superiores, Monterey, Mexico (one year).
Lecturer, American Psychological Association / National Science Foundation Visiting Scientist Program (four years).
Guest Lecturer at numerous other universities, high schools, societies, etc.
A representative sampling includes:
Purdue University, Indiana University, Miami University, University of Cincinnati, The University of Michigan, Southern Illinois University; Tau Beta Pi, IEEE, AIIE, ASME, Dayton Engineer's Club.
Honors and Professional Affiliations:
American Men and Women of Science, Who's Who Among Authors and Journalists, Community Leaders and Noteworthy Americans, Men of Achievement, Notable Americans.
Fellow, Human Factors Society, 1970.
The Franklin V. Taylor Award (American Psychological Association), 1969.
Honorary Faculty Member, Defense Weapon Systems Management Center, 1969.
Fellow, American Psychological Association.
Air Force Association Citation of Honor, 1966.
Air Force Decoration for Exceptional Civilian Service, 1966.
Diplomate, American Board of Forensic Psychology.
Listed in Forensic Service Directory (1979).
National Science Foundation Fellow, 1957.
Julien M. Christensen Award (Annual award given by the Human Factors Association of Canada for the best student paper).
Designed Air Force D-2 Navigation Plotter (Standard for over 25 years).
Consultant: National Bureau of Standards (NBS); National Institute for Occupational Safety and Health (NIOSH); Air Forces Office of Scientific Research; Air Forces Human Resources Laboratory; U.S. Army Human Engineering Laboratory; Standard Oil of New Jersey; United Air Lines; Ford Motor Co.; & others.
Chairman, SAE Human Factors Committee.
Chairman, NASA Behavior/Technology Committee Space Lab II and Orbital Flight Test Program (Evaluation of proposals for experiments in Space Lab I).
Member, NAS-NRC Vision Committee Working Group on Evaluation of Air Force Simulation Program (1976).
Member, Board of Governors, American Society for Safety Research (1975-1979).
Member, U.S. Army Human Factors Research & Development Review Board (1975).
Chairman, Human Factors Committee, Society of Automotive Engineers (1975-1977).
Member, Executive Committee, SAE Automobile Body Activity.
Member, U.S.A. Technical Advisory Group for ISO/TC-159 (Ergonomics) (1975-present).
Co-chairman of NATO Advanced Study Institute on Human Factors/Ergonomics: Research Methods, Bellagio, Italy, September (1971).
General Chairman, National Safety Council Industrial Safety Performance Measurement Symposium, Chicago, Illinois (1970).
Consultant to the National Safety Council on industrial and traffic safety (1968-1975).
Editorial Board, The Journal of Systems Engineering (1969).
Editorial Board, Journal of Safety Research (1969).
Manned Orbiting Laboratory (MOL) Evaluation Group (1965).
Consultant to the National Academy of Sciences Working Group on Role of Man in Space Research, Mr. R. W. Porter, Vice President, General Electric Company, Chairman (1965).
Consultant to the National Academy of Sciences Working Group on Medicine and Physiology, Dr. Loren Carlson, Chairman (1965).
Co-inventor with Dr. C. L. Kraft of "Soloon" (acronym for solar balloon), 1965.
Chairman of the Human Performance Scientific Advisory Committee for the Manned Orbiting Laboratory (MOL) program (1964).
Chairman of NASA/DOD Committee of Crew Performance; Technical Advisor to General Charles Roadman, Chief of Bioastronautics for NASA.
Editor and contributor to the initial Crew Performance Plan for Gemini and Apollo for NASA.
Chairman of Air Force Systems Command Behavioral Sciences Advisory Panel.
Member of Air Force Systems Command Medical Safety and Human Engineering Committee.
Advisor to, or member of, mock-up boards, review boards, and source selection boards for numerous systems, including B-47, B-50, B-52, B-66, B-70, C-97, C-131, KC-135, Long Range Interceptor (LRI), and A/N CPS 6-B; developed procedures for the effective inclusion and integration of human engineering data during the development cycle of Air Force Systems.
Editor and co-author of Combat Navigatory Proficiency Test for Strategic Air Command.
(Test used to select lead crew navigators for European theatre in World War II).
During World War II, developed with Dr. M. J. Warrick first battery of tests for selection and classification of pilots, bombardiers and navigators.
Aerospace Medical Association.
American Association for the Advancement of Science.
American Psychological Association, Division of Military Psychology.
Society of Engineering Psychologists.
Human Factors Association (Canada).
Human Factors Society (Past President).
International Ergonomics Research Society.
Society of Logistics Engineers.
Systems Safety Society.
American Society of Safety Engineers.
Licensed Psychologist, Ohio.
THOMAS B. SHERIDAN
Business Address:
Massachusetts Institute of Technology
Room 1-110
77 Massachusetts Avenue
Cambridge, Massachusetts 02139
Education:
B.S., Purdue University, 1951.
M.S., University of California, Los Angeles, 1954.
Sc.D., Systems Engineering and Psychology, Massachusetts Institute of Technology, 1959.
Experience:
Professor of Mechanical Engineering and Professor of Engineering and Applied Psychology, Massachusetts Institute of Technology, 1970 to present.
Responsible for the Man-Machine Systems Laboratory; developed interdepartmental graduate degree program in Technology and Policy; teaches a graduate course in man-machine systems and the core Seminars in Technology and Policy; has taught control, design and other engineering subjects.
Has conducted research on mathematical models of human operator and socio-economic systems; on man-computer interaction in piloting aircraft and in supervising undersea and industrial robotic systems; and on computer graphic technology for information searching and group decision-making.
Associate Professor, Massachusetts Institute of Technology, 1964 to 1970.
Assistant Professor, Massachusetts Institute of Technology, 1959 to 1964.
Instructor, Massachusetts Institute of Technology, 1956 to 1959.
Research Assistant, Massachusetts Institute of Technology, 1954 to 1956.
Served as visiting faculty member at the University of California at Berkeley, Stanford University and the Technical University of Delft, Netherlands.
Honors and Professional Affiliations:
1977 Recipient of the Human Factors Society's Paul M. Fritts Award for contributions to education.
IEEE Systems Man and Cybernetics Society (past President).
IEEE Committee on Technology Forecasting and Assessment (past Chairman).
Formerly Editor, IEEE Transactions on Man-Machine Systems.
Fellow, Human Factors Society.
National Institutes of Health, Study Sections on Accident Prevention and Injury Control.
NASA Life Sciences Advisory Committee.
NASA Study Group on Robotics.
U.S. Congress OTA Task Force on Appropriate Technology.
NSF Automation Research Council.
NSF Advisory Committee on Applied Physical, Mathematical and Biological Sciences.
APPENDIX B
GUIDELINES FOR CONTROL ROOM REVIEW
TMI UNIT 1 GUIDELINES FOR CONTROL ROOM REVIEW
TABLE OF CONTENTS
I. PURPOSE
II. OPERATIONAL GUIDELINES
   A. Functions Performed in Control Room
   B. Items Provided to Operators in the Control Room
   C. Availability of Personnel
   D. Arrangement Priority
   E. Key Process Variables
III. HUMAN ENGINEERING GUIDELINES
   A. General Guidelines
   B. Guidelines for Controls
      1. Location
      2. Operation
      3. Protection
      4. Identification
      5. Maintenance
   C. Guidelines for Displays
      1. Location
      2. Scales
      3. Identification
      4. Maintenance
      5. Recorders
      6. CRT Displays
   D. Overall Control Room Environment
TMI UNIT 1 GUIDELINES FOR CONTROL ROOM REVIEW
I. PURPOSE
The purpose of these guidelines is to provide a basis upon which to evaluate the TMI Unit 1 Control Room.
They are intended to assist in the identification of those aspects of the current control room which may need improvement and to provide guidance for any modifications.
Where the existing control room does not follow these guidelines, it does not necessarily imply that a hardware change must be made.
Judgment on a case-by-case basis must be used.
The potentially negative training aspects of changing an existing configuration, the seriousness of the potential problems, and the practicality of hardware changes must all be weighed in determining what should be done when an existing control room feature fails to meet one of these guidelines.
Some hardware changes may be desirable and practical; however, in many instances the most practical way to meet the concern that the guideline addresses may well be through the use of new procedures and training which would be specifically directed at compensating for the existing configuration.
It is to be expected that future system design considerations, as well as operational considerations, will generate changes to the control room over and above those resulting from the control room review.
It is intended that these guidelines would be applied to such changes to ensure that they are compatible with the overall control room design.
II. OPERATIONAL GUIDELINES
A. Functions Performed in Control Room
The control room operators who man the main console should be provided with appropriate controls and displays to perform a set of defined functions.
Controls and displays, including annunciators, which are not needed to perform those defined functions tend to divert the control room operators' attention and should not normally be provided to them.
It should be an objective to move out or keep out of the control room itself those personnel, controls, and displays which are not related directly to the defined functions.
In any case, those other functions which may be done in the control room should be arranged so that they can be done by personnel other than those manning the main console and panels without causing interference or distractions.
The functions of the control room operators manning the main console are defined to be the following:
1. Maintain control of the reactivity of the reactor core.
2. Maintain control of the energy production by the reactor, its transfer in the reactor coolant system, its transfer in the steam generators to the steam system, its transfer in the steam and feed systems, the conversion of some of it to electricity in the turbine generator, and the rejection of the remainder through the condenser and circulating water system.
3. Maintain an adequate inventory of thermodynamically and chemically suitable water in the primary (reactor coolant) system.
4. Maintain an adequate inventory of thermodynamically and chemically suitable water in the secondary (steam) system.
5. Distribute electrical power and other necessary services (such as air and cooling water) to the plant auxiliaries and control the production and the distribution of emergency electric power.
6. Maintain control of radioactive material which may be contained in any of the systems under the control room operators' control. This includes the responsibility to maintain the leaktight integrity of the reactor building.
7. Maintain control of the inventory and location of fissionable material during refueling. (Fuel storage pool activities while the reactor is operating should not be the control operators' responsibility.)
8. Maintain control of and complete entries in the operators' logs, procedures, and checklists.
9. Maintain administrative control of the maintenance, repair, testing, calibration, etc. in those systems under their control.
10. Initiate those fire fighting actions which are controlled from the control room, e.g., activating deluge valves, starting pumps, obtaining help in fire fighting. In addition, the operators are responsible to initiate those actions in the systems under their control which may be needed to compensate for fire damage.
The following are examples of items which should not be the responsibility of the control room operators manning the main console or panels:
1. Security or access control except access which may affect the leaktight integrity of the reactor building.
2. Communications not directly related to their responsibilities.
3. Routine operation of the liquid waste disposal system.
4. Routine chemical control in support systems.
5. Control of fissionable material external to the reactor when the reactor is operating.
B. Items Provided to Operators in the Control Room
The controls and displays presented directly to the control room operators manning the main console and panels, i.e., those directly visible to them when they are at their normal stations, should be limited to those for which a clearly defined need can be established.
Additional guidelines which may be applicable to the location of controls and displays in the control room are:
1. A control or display may have to be located in the control room if its location elsewhere would not permit its use in a timely manner.
2. A control may have to be located in the control room if the only location for the displays needed to operate the control is also in the control room.
3. A control or display used only for test purposes or only for certain planned plant evolutions may have to be located in the control room if it involves the use of other controls or displays which are located only in the control room.
Note that these guidelines may not require the controls and displays be located so that they are presented directly to the operators stationed at the console.
C. Availability of Personnel
The control room arrangement shall be such that any anticipated off-normal operational evolution can be effectively carried out in the short term with the personnel complement present for the normal evolution then underway.
Specifically, the response to off-normal conditions may not assume that any more personnel are available for the first ten minutes than would normally be present in the control room when the initiating event occurs.
After this time, other on-site personnel can be assumed to be available if they have no other duties in the event.
After two hours, off-site personnel who are on call can be assumed to be available.
D. Arrangement Priority
The control room and panel arrangements should provide, in a convenient manner, those controls and displays which are needed for normal planned plant evolutions and steady state operation (plant startup and planned shutdown, steady state power, hot standby, and refueling); however, higher priority for arrangement should be given to the controls and displays which are involved with the operators carrying out their assigned responsibilities under those off-normal conditions which are both highly likely and which require timely action.
These events include:
1. Reactor and turbine trip;
2. Partial or complete loss of feedwater;
3. Loss of coolant accidents, particularly those from valve opening or major seal failures;
4. Partial or complete loss of control or instrumentation power or air; and
5. Overcooling accidents, particularly those from steam system valves stuck open or excessive feed.
E. Key Process Variables
In addition to the displays provided specifically to achieve redundancy of some information provided to the operators, it should be an objective to provide the operators with the means necessary qualitatively to confirm the reasonableness of the information they are presented on certain key process variables.
These means should preferably be diverse from the normally used displays.
These key process variables fall into three general categories: reactor reactivity balance, reactor coolant conditions, and steam system conditions.
They include such specific items as:
1. Reactor Reactivity
When critical, the operators should have the process variables necessary to assess whether the reactivity contributions of the following are in the expected relationship: rod position, boron concentration, power level, coolant temperature, and prior operating history.
When subcritical, the operators should have the process variables necessary to assess the shutdown margin of the reactor and whether the following are in the expected relationship: rod position, boron concentration, coolant temperature, prior operating history, and neutron level.
2. Reactor Coolant Conditions
- Inventory of reactor coolant (pressurizer level)
- Thermodynamic state of coolant (temperature and pressure)
- Coolant flow rate
- Radioactivity in coolant
3. Steam System Conditions
- Inventory of secondary coolant (hotwell, steam generator, heater shell, and drain tank levels)
- Steam pressure
- Feedwater flow
- Radioactivity in steam
III. HUMAN ENGINEERING GUIDELINES
The guidelines for the human engineering review of the TMI Unit 1 Control Room will be those contained in MIL-STD-1472B, Human Engineering Design Criteria for Military Systems, Equipment and Facilities, where they are applicable.
Since the military standard is directed toward military applications and covers types of equipment which are not in the control room, some parts of it are inappropriate.
The guidelines listed below are those which are particularly important to the control room review, amplified and clarified for direct application to the control room.
It is recognized that in the course of the review, situations may be encountered which are not adequately addressed by MIL-STD-1472B and the guidelines included below. In such cases other human engineering references may be consulted, for example:
Van Cott, H.P. and Kinkade, R.G., Human Engineering Guide to Equipment Design, Government Printing Office, 1972.
Woodson, Wesley E. and Conover, Donald W., Human Engineering Guide for Equipment Design, University of California Press, 1964.
A. General Guidelines
1. The controls and displays should have compatible locations, that is:
- Where timely operator action may be needed, the sources of information from which the operator concludes that he needs to take action, and that action is permissible, should be located close to where the control action is taken.
- When a control action is taken, the operator who takes the action should have immediate feedback that the controlled element has responded and, if practical, that the plant or system itself has responded. This usually involves the location of the related displays close to where the control action is taken.
2. Consistent and unambiguous methods should be provided to inform the operators of the operational status, e.g., open or closed valve position, and of the conditions, e.g., temperatures or flow, in those systems under their control. Likewise, status and conditions in other systems in the plant which could affect the action the operators may take should be provided in a consistent and unambiguous manner.
3. Where a control or display is intended to provide information to the operators as to whether conditions are "off-normal," this should be done in a consistent and unambiguous manner. This should include consideration of what conditions are to be defined as "normal" in a particular system as well as avoiding confusion between indicating status (see item A.3, above) and indicating "normal" or "off-normal."
4. There should be some means for the operator to know that a control or display is not functioning properly. It is particularly important to know when a display or control has lost power. The most desirable situation would be to have the malfunction evident to the operators without any action on their part, e.g., by having a unique "power lost position" for a meter. This may be impractical. If so, other ways to make the operator aware of failures may have to be used, such as:
- Providing means for periodic testing of a control or display,
- Providing the operator with immediate feedback (see A.1 above), or
- Providing redundant or diverse displays which allow cross checking.
For some critical items it may be appropriate to utilize several ways to make the operators aware of malfunctions and to provide them with special training and guidance in the procedures.
5. Communication of a control room operator with an auxiliary operator outside the control room shall be considered the same as operating a control or reading a display. These communications should not require the use of communication links which may involve interference or may be unavailable because of other activities.
The communications should consider the potential for unusual environmental conditions:
noise, respirators, etc.
Voice communications should be carried out in a formal and consistent manner which identifies the initiator and receiver of the message and provides for repetition and confirmation of each transmission.
s - _ _
6.
Tag-out of a control or display should:
Be unambiguous as to which control or display is
- tagged, Not obscure the identification of the control or display which is tagged, and Not obscure any other' controls or displays or interfere with operations.
7.
For any changes to the console and panels, replacement and servicing should be considered.
In that case such guidelines on maintainability as the following should be applied:
Replacement and servicing should not require the removal of other itcms on the panel.
Replacement or servicing of an item should not involve operations which preclude proper operator response to a plausible off-normal event.
This includes putting an excessive number of other items out of service in order to perform the maintenance.
Replacement should involve a minimum risk of improper reconnection.
Replacement or servicing should involve a minimum risk to personnel.
Replacement or servicing should involve a minimum risk of inadvertent actuation of other controls.
If some specific problems with maintenance has been experienced in the TMI-1 control room, these should be considered in the control room review.
8.
The capabilities required of the operators to perform the assigned functions should be reasonable in terms l
of work load, span of mental concentration, physical endurance, aucunt of memorization, and time available to perform a function.
The assigned functions should be consistent with the physical capabilities required of the operators.
9.
Changes to existing arrangements should be sufficiently distinct that when an operator uses the new control or display it is unlikely that previous training and habits will cause errors.
Consideration should be given to using completely different types.-
.s.
of controls in such applications, for example, using pushbuttons in place of a rotary switch rather than changing the direction of rotation of the rotary switch.
B. Guidelines for Controls

1. Location

a. The most often used controls should be given priority in location, except where this would conflict with the use of controls or displays for off-normal conditions.

b. Controls for off-normal conditions should be placed in a readily accessible location but clearly distinguished from controls used for normal conditions.

c. The progression of controls, numerically or alphabetically, should be consistent throughout the panel. It is preferred that they progress left-to-right and top-to-bottom.

d. All controls for multiple elements should have the same arrangement, that is, either horizontal or vertical.

e. If controls are operated in sequence, they should be located in a consistent left-to-right or top-to-bottom progression.

f. Where multiple controls affect the same element, e.g., valve control pushbuttons, their relationship should be consistent and readily apparent to the operator without detail comparison of the legends.

g. Mirror image groups of controls should not be used.

2. Operation

a. The control should be capable of operation without special aids for the operator, e.g., a stool, screw driver, or special tools, except where required to prevent inadvertent actuation.

b. The forces and motions required to actuate the control must be within the capabilities of all the plant operators.

c. The direction of operation should follow a consistent set of conventions, for example:
- Rotary valve controls should rotate clockwise to close the valve.
- Pushbutton valve operators should have the "open" button on top, if vertically arranged; if horizontally arranged, the "open" button should be on the right.
- Rotary controls for circuit breakers and electrical motors (except valve operators) should rotate clockwise to turn the item "on," i.e., close a breaker or start a motor.
- The "Auto" position of a rotary control should be a consistent direction of rotation.
- "On" or "start" pushbuttons should be above the "stop" pushbuttons.
- Rotary controllers should rotate clockwise to increase the controlled quantity.

d. The direction of motion of the controller should be consistent with the direction of motion of the display which responds to the control.

e. Key operated controls should follow a standard set of conventions, e.g., detents oriented upward and slot vertical is the condition with the key removed.

3. Protection

a. Adequate distance between controls and between groups of controls to allow the operator easily to recognize the controls and to avoid inadvertent actuation should be provided.

b. Controls which may be confused and which have serious consequences if actuated, should be protected or special steps taken to highlight or distinguish them. This may include such means as covers, separate handles, the use of two hands to operate, or key operated controls.

c. Controls which may be inadvertently actuated by clothing, cleaning operations, etc., should be relocated or protected.

4. Identification

a. Each control should be positively identified with both a descriptive name and a particular identifying number for the controlled element.

b. Nomenclature should be consistent with that used in the procedures and system diagrams and that on related displays.

c. Legend plates should be located over the control to which they apply. If this cannot be done, some special visual clue of the unusual relation should be provided to the operator.

d. Where special precautions apply to the operation of a control this should be clearly stated and it should be clear to what control(s) they apply.

e. Legend plates on controls should meet consistent standards of letter size.

f. Legend plates on controls should meet consistent standards of durability. Temporary label plates should not be used.

g. The color of legend plates should conform to a consistent code, for example:
- Identification labels should be black letters on a white background.
- Precaution labels should be red with white letters.
- Information of a reference nature for the assistance of the operator should be white letters on a black background.

5. Maintenance

a. All light bulbs should be commonly stocked types and should be replaceable from the front of the panel without special tools and without risk of inadvertent actuation of the control.
C. Guidelines for Displays

1. Location

a. The display should be located properly with respect to its related controls. (See Criterion II.A.1.)

b. The orientation of multiple displays should be consistent with normal conventions for progression of numerical or alphabetical quantities, i.e., top-to-bottom or left-to-right.

c. The orientation (horizontal or vertical) of an array of displays should be consistent with the orientation of related controls.

d. The operation of the control related to a display should not obscure the display.

2. Scales

a. The graduations on a scale should be consistent with the resolution required by the operator.

b. The scale range should be adequate for all normal and off-normal conditions under which the display is required.

c. The major scale divisions should be a usual numerical progression. Scale multipliers should be avoided, but where used should be in a consistent location and easily read. Only multiples of 10 should be used.

d. The units of the scales should be consistent between rate and integral displays for related items. For example, all the flows into or out of a tank should be provided in consistent units of volume and time and the tank contents should be displayed in units which are consistent with the units of the flows.

e. Where multiple displays are provided of the same parameter, e.g., wide and narrow ranges, these instruments should have consistent scale units and consistent zero points. For example, steam generator start-up, operating and wide-range level instruments could all be referenced from the top of the lower tube sheet as "zero".

f. The arrangement and scale design of multiple displays should involve a minimum risk of confusing the readings, e.g., erroneously matching the pointer on one instrument with the scale on another.

3. Identification

a. Each display should be identified with both a descriptive name and, where applicable, an identifying number which relates the indication unambiguously to a particular instrument or sensor.

b. The nomenclature should be consistent with that used in the procedures and system diagrams and that on related controls.

c. Legend plates should normally be located over the display to which they apply. If this cannot be done, some special visual clue of the unusual relation should be provided to the operator.

d. If the limits or set points of the displayed variable are needed by the operator when the display is used, then they should be presented in a clear and unambiguous manner. It is particularly important that memorization of numbers by the operators be minimized. The method of identifying set points and limits should be consistent among the displays.

e. Legend plates on displays should meet consistent standards of letter size. Note that if the display is intended to be read from a distance longer than normal, the size of lettering may need to be increased above that normally provided.

f. Temporary label plates should not be used.

g. The color of the legend plates used on displays should follow the same general rules as for controls (see B.4.g.).

h. Where colors are used as an integral part of the information displayed, a consistent coding should be used. Color codes may include:
- Red to show that a component, usually a motor or breaker, is "on" or energized.
- Green to show that a component, usually a motor or breaker, is "off" or de-energized.
- A yellow display to indicate that a system is in a transitional condition or that a "bypassed" condition exists.
- A white display to indicate a status condition.

4. Maintenance

a. Replacement of bulbs should take place from the front of the panels and all light bulbs should be commonly stocked types. Special tools should not be required.

b. The risk that a display will be reassembled in such a manner that it gives erroneous information, for example, by switching lighted windows, should be minimized.

5. Recorders

a. A recorder should meet the same requirements for visibility, scales, units, etc., as any other display.

b. Where multipoint or multi-pen recorders are used, the recorded data should be unambiguous.

c. When different inputs can be selected for the same recorder, switching transients should not be such that they can be mistaken for signal changes.

d. When different inputs can be selected for presentation there should be some positive way to determine what specific input the trace represents.

e. The amount of the recorded trace which is visible should be adequately long to cover the time span of interest to the operators. Reference to portions of the trace which are not visible should not involve blocking other critical displays or controls or risking inadvertent actuation of controls.

f. The recorder should provide for a tolerance on the timing for changing paper or ink of at least two hours. That is, chart paper and ink should be replenished when there is at least two hours of recording left. This is to insure that if an emergency evolution takes place there will be at least a two hour capability to follow it without servicing the recorder.

g. It is preferable for charts to have time as the horizontal coordinate increasing to the right.

h. Changing chart paper or ink should require a minimum of time and should not block other critical controls or displays.

6. CRT Displays

a. A CRT display should not be used simply to repeat information already available to the operator from other console or panel displays.

b. The loss of any CRT display or other single failure in the associated hardware (power supplies, computer, keyboards, etc.) should not preclude the performance of an emergency procedure.

c. Information orientation and zones, titles, label locations and parameter locations should be standardized. Standard sets of characters, symbols, and abbreviations should be used.

d. Color assignments should be consistent from display-to-display and should be consistent with color conventions used on the console and panels.

e. Mimic displays should be oriented from left-to-right or top-to-bottom unless this conflicts with existing panel mimics or the arrangements of items on the panels. Procedure steps or decision "trees" should be oriented from top-to-bottom. Time should be displayed from left-to-right.

f. Each display should have a descriptive title. This title should be in a consistent location and have a consistent color and format.

g. Display characters should be selected from a standard set (such as ASCII). The height should be 0.20 to 0.25 inch. The height to width ratio should be 1:1 to 3:2. The stroke width should be one-sixth of the character width. Capital letters should be used.

h. The display loading (text and graphical content) should be limited to about 25 percent, excluding the title and any alarm notes.

i. The refresh rate of the displays should be 60 Hz or more.
D. Overall Control Room Environment

The overall control room environment should be suitable for the operators to carry out their required functions. This includes consideration of the following:

1. Adequate temperature* and humidity* control should be provided.

2. Adequate ventilation* should be provided.

3. Adequate lighting* should be provided for both normal and emergency conditions. In an emergency, lighting should be provided even in the event of temporary failure of the diesel generators to start.

4. The noise level* should be adequately low. There should not be conditions in the plant operation which result in large changes in noise level.

5. There should be adequate provision for the control of traffic in the control room and accommodating visitors or observers without adversely affecting operations.

6. There should be adequate provision for the storage of personal items.

7. There should be adequate workspace for the operators to use reference material and to support any on-the-job training.

8. There should be adequate provisions for storage and use of the following without blocking access to any controls or displays:
a. Procedures
b. Manuals
c. Diagrams and Drawings
d. Logs
e. Personnel Rosters
f. Other files

9. There should be direct and defined access to the supervisor's office.

10. There should be adequate rest room and kitchen facilities.

11. There should be adequate and defined access for maintenance of the control room equipment including availability of technicians, tools, and spares.

12. There should be adequate access from the control room to the remainder of the plant.

13. The control room and its associated spaces should contain adequate provisions for communications. This includes particular consideration of the following:
- Means for paging in the rest rooms, kitchen and any other associated spaces should be provided.
- Communication facilities should be provided for the shift supervisor, shift foreman, and other personnel in the control room so that they do not interfere with or confuse the communication links used by the operators on the main console and panels.

15. The control room should be free of personnel hazards such as: items which could trip the operators, sources of electric shocks, etc.

16. There should be adequate safeguards on the systems which control temperature and ventilation so that, in case of failures in these systems, proper working conditions can be re-established before excessive deterioration occurs.

* MIL-STD-1472B values should be used as a basis for judging adequacy of these conditions.
APPENDIX C

TMI UNIT 1 GUIDELINES FOR ALARM SYSTEM REVIEW

TABLE OF CONTENTS

I. PURPOSE
II. GENERAL GUIDELINES
III. SPECIFIC ALARM SYSTEM GUIDELINES
A. CHOICE OF CONDITIONS TO BE ALARMED
B. PRESENTATION OF ALARMS

I. PURPOSE

These guidelines are intended as a basis for evaluating the TMI Unit 1 Control Room Alarm System.
Their purpose is to assist in identifying aspects of the present system which may require improvement, and to provide guidance for any modification.
The report of the overall control room human factors review, Reference (1),* provides general guidelines for the control room review.
As discussed in the next section, some of those have applicability to the alarm review.
The purpose of this document is to provide the additional specific guidelines used in reviewing the alarm system.

II. GENERAL GUIDELINES

General guidelines concerning operations in the control room and the responsibilities of the control room operators are contained in Reference (1).*

* Reference (1): "A Review of the Three Mile Island Unit 1 Control Room from a Human Factors Viewpoint," December, 1980.
III. SPECIFIC ALARM SYSTEM GUIDELINES

Following are specific guidelines for the human engineering review of the alarm system.

A. Guidelines for Choosing the Conditions to be Alarmed

1. Alarms should be chosen with the aim of minimizing the number of annunciators provided in the control room, consistent with providing sufficient information to prompt the required operator actions as defined below. In particular, after the following guidelines have been applied and a set of candidate alarms defined, the candidate alarms should be reviewed to ensure that no alarms require identical operator actions.

2. Alarms should be chosen so that the process annunciator panels are dark when the plant is operating normally at power. "Normal" is defined as full power operation, with all systems operating as intended in their most typical lineup for this condition.

3. Alarms should be chosen so that the following criteria are satisfied:

a. The condition requires operator action as defined below, and

b. The operator's normal surveillance activities cannot be relied on to alert him to the condition, and

c. It is considered plausible that the condition could occur during the life of the plant.

For the purpose of this guideline, operator action may take any of the following forms:
(1) Direct manual action
(2) Backup of an automatic action
(3) Other modification of surveillance activities.

4. Candidate alarm conditions for a particular system should be chosen based on knowledge of the operation and intended function of the system. With respect to the different types of systems in the plant, the following guidelines should be applied on a system-by-system basis.

a. Fluid systems should have alarms provided for the thermodynamic parameters in the mass, momentum and energy equations, when these parameters have values indicating the system is not functioning as intended. In particular, inventory, flow rate, temperature and pressure usually will warrant alarm.

b. Protection systems should have alarms provided for readiness, actuation, problems in actuation and problems in operation. Alarms for problems in operation should be chosen by application of the appropriate system-specific guidelines (e.g. the guidelines above for a fluid system).

c. Large machines should have alarms provided for trips and for trip causes that may alter the operator's response to a trip. Alarms for supporting subsystems should be chosen by application of appropriate system-specific guidelines.

d. Alarms should be provided to alert the operator that action should be taken to avoid equipment damage, system malfunction or a component trip.

e. Alarms should be provided to indicate that an automatic action has occurred because some problem exists in the plant requiring attention (i.e., maintenance or repair).

f. Alarms should be provided for automatically initiated changes in automatic control mode.
B. Guidelines for Presenting the Conditions to be Alarmed

1. Alarms should be grouped according to plant system or function. Within each group, the alarms should be arranged to maximize the operator's ability to assimilate multiple alarm occurrences. Alarms should be organized to indicate relationships between alarms within the same system.

2. Alarm groups should be placed in close proximity to the corresponding controls.

3. Alarms may be combined into one annunciator window in order to meet the criteria of annunciator minimization above. However, alarms should not be combined if:

a. The required response time is so short that taking time to consult the control panel or the computer to determine which constituent is alarming would risk an inadequate operator response;

b. Information or protection for the other alarm constituents after any one has activated the combined annunciator is not available to the operator;

c. Operator understanding is improved by annunciating the conditions separately because of similarity to the layout of the associated controls;

d. The constituents and/or significance are not of a similar nature and are not of the same order of importance.

4. Annunciator windows should be designed and lettered according to the following guidelines:

a. Nomenclature and abbreviations should be consistent with those used for the corresponding controls and indicators.

b. Abbreviations should be in accordance with MIL STD-12C or other commonly accepted usage.

c. Lettering size and type font must be such that the alarm legends are readable by the operators when standing at their primary control stations. In addition, it is highly desirable that the legends be readable by the operator who is acting in a supervisory capacity (e.g., shift foreman) when he is at his assigned station.

5. An operator should be able to acknowledge only those alarms within his field of vision.

6. An operator should be able to acknowledge an alarm only from a station near the controls which are operated in response to the alarm.

7. Audible tones signifying an alarm should satisfy the following three requirements:

a. The combination of tone volume, frequency and construction (e.g., warble or other variation) must be chosen such that the operator is alerted to the alarm under the most adverse anticipated conditions of background noise.

b. The tone must not be so loud that the operator is startled or disoriented, or is unable to effectively communicate with others in the control room.

c. The audible tones used for the various annunciator panels should be chosen and directed such that the operator can distinguish which annunciator panel or panels require his attention.
APPENDIX D

SUMMARY OF FINDINGS AND RECOMMENDED CORRECTIVE ACTIONS

Excerpted from "A Review of the TMI-1 Control Room from a Human Factors Viewpoint," December 1980.

"A. Strengths of the Present Control Room

This review has concluded that while improvements, some of them significant, can be made in the present control room at TMI Unit 1, the room as it exists has significant strengths. It is therefore of great importance that such improvements, as are judged to be warranted, build on these strengths.

The specific strengths of the room, as it exists, are as follows:

1. The operating console and associated back panels are uncluttered, with controls and displays generally arranged in logical, functional groups. This feature, in combination with the operator staffing discussed in 2 below, leads to orderly and effective operator response in off-normal (e.g., emergency) situations. The arrangement leads to orderly traffic patterns and individual operator responsibilities which are reasonable and logical.
2. The staffing of the control room with qualified personnel, as specified by Met-Ed,* allows effective treatment of off-normal situations. It should be noted that this staffing level is in excess of that currently required by the Nuclear Regulatory Commission. Specifically, two qualified control room operators (CROs) and one shift foreman, a qualified senior reactor operator (SRO), are immediately available and can effectively handle most anticipated situations. But an additional CRO is also available, within minutes, and an additional evaluating capability -- either the shift supervisor or shift technical advisor -- is likewise available. This additional capability is extremely desirable for treating those upsets, less likely but possible, in which additional complications occur -- reactor trips coincident with significant disruptions to the electric plant, for example.

* now GPU-Nuclear
3. The functional responsibilities of control room operators, as delineated in the guidelines, determine in part the numbers of controls and displays which should be in the control room. But the assignment, to local stations, of subsystem operational controls also has an important effect, especially on the numbers of controls. The controls which are locally assigned should be those which lead to more effective and safer equipment operation. If the assignment is made correctly, it results in uncluttered but effective panels and consoles in the main control room.

The division of control responsibility between the main control room and local stations appears to have been made sensibly for TMI-1. For the evolutions covered by the walkthroughs, it appears that the operations which are assigned to local panels can generally be effectively performed there, in a timely manner, but under the general supervision of the control room. Again, within the scope of operations covered by the walkthroughs, local control panels and gaugeboards are generally located near the equipment to which they apply. The numbers of auxiliary operators (four to seven per shift) and their responsibility assignments are consistent with effective and timely operation of these local panels.
4. The displays associated with the use of a particular control are usually visible and recognizable from the station where the operator uses that control.

5. The alarm annunciators for the display of off-normal conditions for a particular system are generally above the console section containing the controls and displays needed to act on the alarm.
6. The alarm panels are essentially "dark" when the plant is operating normally at power. The ability of the operator to recognize and assimilate an off-normal condition is thereby maximized.

7. The logic for individual alarm annunciators is such that the operator is given adequate information on which to base his immediate response. Obtaining troubleshooting information for long term response may require him to utilize the plant computer, or to have an auxiliary operator consult a local control panel. This design philosophy has resulted in a system in which the principal process alarms -- plant alarms excluding fire detection, heating and ventilating, certain radwaste alarms, and certain demineralized water system alarms -- number less than 350. As a consequence, the alarm panels are significantly less cluttered than those of other units where 700-1000 process alarms are often provided.

8. The control and display hardware, particularly push buttons, switches, meters and controllers has proven very reliable. The disruptive effect of frequent maintenance of components on the main console is avoided.

9. The environment of the control room -- the temperature, humidity, lighting and noise level -- is generally within accepted standards (e.g., MIL-STD-1472, Van Cott and R. G. Kinkade), though further improvements appear feasible as will be discussed below.
B.
Generic Shortcomings of the Present Control Room
As with most nuclear plants designed in the 1960s, the control room at TMI-1 has a number of generic human factors deficiencies.
Virtually all of them are correctable without wholesale panel replacement and without relocating a large number of controls and displays.
The generic deficiencies, and the measures which can be taken to correct them, are as follows:
1.
Although the controls and displays are usually grouped functionally, these groupings are not emphasized, labeled, or demarcated effectively.
2.
The name plates (labels) which identify switches and meters are burdened with verbiage, and utilize letter sizes not easily read. Nomenclature sometimes does not match that of operating procedures.
Content, color, and letter size are inconsistent.
By demarcating and labeling functional groups of controls and displays, and labeling the group as a whole, the excess words on individual component labels can be eliminated.
New label plates, with lettering meeting human factors standards and with consistent nomenclature can replace the old.
3.
Two, and occasionally three, push buttons are used to actuate many motor operated valves.
Identifying valve numbers as well as descriptive names are engraved on the push buttons.
In some cases push buttons are mounted in large regular arrays, making it difficult to determine which push buttons actuate a particular valve.
Push button back lights vary in lighting intensity; when the lights are dim, it is difficult to determine the position of a valve.
When a valve is tagged out, to inhibit operation during maintenance activity, the stick-on tag used for this purpose obscures the number, description, and position of the valve tagged.
These deficiencies can be corrected by:
a.
utilizing name plates adjoining the push buttons, identifying both function and number of the valve.
b.
operating back lights at a voltage level producing adequate light intensity (voltage adjusting resistors are provided for back lights, but voltage levels appear to vary).
4.
Vertical, edge-type meters are used to display most analog process variables. As indicated above, labels for these meters are difficult to read.
In addition, meters are often referred to by identifying number in operating and emergency procedures, but these numbers usually do not appear on meter labels.
Powers of 10 are frequently employed on meter scales, but the scale factor (i.e., x10, x100, x10") is difficult to read.
Scale divisions often do not meet human factors criteria.
Finally, the units selected for many meters (e.g., feet, %, gallons) often make correlating the indicated process variable with related indications difficult.
For example, tank levels are often displayed in feet or percent, while incoming and outgoing flow rates are given in gallons per minute.
Most of these deficiencies can be corrected by improved labeling, by new, more effectively graduated scales, and by more effective supplementary labels, to give information such as meter number, scale factor and units.
Further, small additional label plates can be spotted to assist in correlating variables (such as a small "265,000 gal." opposite the 100% scale mark).
5.
Operating controls for the control valves, motor operated valves, and other process devices are generally distinguishable from one another through the use of physically different operating devices.
There is one significant deficiency in this regard.
Controls for virtually all pumps and circuit breakers employ General Electric SB switches, with identical pistol grip handles.
Since the controls for breakers and pumps are often adjacent, there is some risk of operating the incorrect control.
This deficiency can be corrected by using effective demarcating and by providing tactually and visually different handles for breaker switches than for pump (or fan) motor switches.
If these generic deficiencies were not corrected, the overall impact on plant safety and reliability would be difficult to quantify.
Most control operations are deliberate in nature.
Many of the deficiencies can be (and have been) overcome by operator training.
Nevertheless, there is evidence that the generic deficiencies have contributed to operational mistakes, though none of them placed the plant integrity in jeopardy.
Three examples are cited:
a.
A turbine extraction valve was incorrectly closed when the push button for one stage of extraction steam was mistaken for another.
This led to a sudden change in turbine steam demand which disturbance in turn reverberated through the steam generators and reactor system.
Turbine and reactor trips were avoided but with some difficulty.
b.
Makeup pump 1C was operated with an incorrect suction valve lineup (suction valves closed).
Damage to the pump resulted.
Two factors may have contributed to this incident:
- The controls for the C makeup pump and the suction valves are separated from one another (the pump controls are apart from the balance of the makeup system to meet regulatory requirements for electrical separation, as applied at the time TMI-1 was designed), and
- The labeling of pumps and valves does not make clear the suction valve arrangement.
c.
An important feeder breaker on an emergency bus was inadvertently opened by an operator intending to shut off a decay heat pump.
6.
Another generic shortcoming of the control room, which is shared throughout the utility industry, lies in the design and operation of strip chart recorders.
These recorders serve two important functions.
For the variables recorded, they:
- provide the operator with rate of change information about the process variable (which will act as stabilizing feedback in manual control situations).
- provide a permanent time history record. (This may be legally required, or may be useful in troubleshooting, or may be used to estimate time dependent parameters such as fatigue usage).
The recorders presently used for these purposes have a number of shortcomings:
- They are mechanically unreliable.
- The scales are often difficult to read.
- The exposed section of the time scale and the recorder speed often do not allow the rate of change information the operator needs to be inferred from the recording.
Although the recorders exhibit the aforementioned human factors deficiencies and represent a maintenance burden, the operating staff has adjusted to them.
Accordingly, and because it is necessary to test and prove out any replacement recorders of new design before installing them, the review team recommends that recorder replacement be viewed as a long term program.
The review team recommends the following approach:
- The preparation of specifications for the various recorders to be replaced (these would cover human factors as well as functional requirements).
- The performance of an experience survey to ascertain whether, in the power industry or elsewhere, reliable, effective recording equipment is currently in service.
- The procurement and testing of lead units of the various types needed based on the above specifications and survey.
- The installation and use of "pilot" models in various locations in the plant, but not in critical locations such as the control room.
C.
Specific Shortcomings of the Present Control Room
In addition to the generic deficiencies discussed in the preceding paragraphs, there are certain specific shortcomings of the TMI-1 control room which merit discussion and, in the opinion of the review team, corrective action.
A summary of these findings and the associated recommendations follows.
Details are included in Appendices B* and F.*
1.
In a situation in which engineered safety features are called upon to actuate, the role of the operator is:
- to confirm that such features as are called upon actuate correctly, and
- if a feature fails to actuate correctly, to take appropriate corrective action.
The status of the Engineered Safeguards Actuation System (ESAS) is displayed on panel PCR.
The status board uses color coded indicator lights as follows:
- blue: the component is in the state required by ESAS actuation.
- yellow: the component is not in the state required by ESAS actuation.
If a seriously off-normal situation were to occur, in which all safety features actuated, the status information provided on PCR would allow the operator quickly to confirm satisfactory system operation simply by observing that the panel had turned "blue."
But in less severe evolutions, when fewer safety features are required to operate, confirmation of status is not easy.

* These appendices appear in the 1980 GPU report referenced at the head of this Appendix.
the probability of a burned out indication leading to erroneous information is small.
2.
The lineup of valves which connect the suctions of the emergency feedpumps to various sources of water cannot be readily determined from the rectangular push button array in which they currently appear.
Because the valves' functions are difficult to describe, improved labeling will not substantially alleviate this problem.
The need to confirm correct suction valve lineup could arise in a stressful situation (following a loss of normal feed).
A mimic presentation of the feed pump suction piping and valves is recommended.
3.
It is clearly desirable not to require operators at the main console to leave their posts during upsets; displays of the important plant analog variables, and the principal controls are here.
The review uncovered several situations where this objective is not met.
These are as follows:
a.
One of the changes to be incorporated prior to restart of Unit 1 is to isolate letdown (purification) flow automatically following a [illegible].
It has been planned to perform this function with two valves manually operable from back panel PCR only.
Reinstating letdown flow following a trip would therefore require the reactor operator to leave his post.
GPU has revised the modification so that letdown flow will be isolated by a single valve, controllable from the main console.
The review team concurs with this change.
b.
Immediately following a turbine trip, it is current practice to start certain standby oil pumps, controls for which are on back panel PLF.
It should be pointed out that startup of this equipment is not functionally required during the first five minutes following a trip.
The turbine coastdown is normally slow enough so that the turbine lubricates itself during this period; in the unusual event it does not, an automatic start feature will start the pumps.
It is recommended that the turbine trip procedure be changed to allow the turbine / secondary plant operator to stay at his post, where he is needed to confirm that the turbine trip functions have executed correctly and that the feed water flow to the steam generators is satisfactorily controlled, before going behind console left to check the lube oil pumps.
c.
If the engineered safeguards are initiated by low reactor coolant pressure (at 1600 psi), and the pressure subsequently rises (which will normally be the case), the operator must manually reset the low pressure bistables before coolant pressure reaches 1700 psi. If he does not, injection cannot be terminated in an orderly manner.
The manual resets for the (three) low pressure bistables are locked in cabinets at unmanned locations remote from the control room.
It is recommended that this situation be corrected.
(It is understood that reset of the low pressure ESAS channels will be relocated to the main control console, which will eliminate the problem.)
4.
As has been described, the alarm system is effective in alerting the operator to off-normal conditions when normal plant operation at power is the initial condition.
However, a significant number of alarms -- 20 to 40 -- normally follow in the train of a turbine trip and reactor trip.
Most of these do not indicate conditions which, given the tripped state, require action on the part of the operator.
But the presence of these 20-40 alarms is detrimental on three counts:
a.
The continuing audible annunciations and the requirement to acknowledge them is a distraction to console operators dealing with the plant, and interferes with their communications.
b.
The presence of a legitimately off-normal alarm following a trip tends to be lost in the array of lit but less significant [illegible]
c.
An operator, in acknowledging one main process system alarm, can inadvertently acknowledge other, unseen, process alarms (this is because four separate but equivalent acknowledge buttons are provided, and all alarms are not visible from each acknowledge station).
The review team recommends that these deficiencies be corrected.
Corrective actions to be considered should include:
(1)
Providing some means to silence or interrupt the audible tone associated with new alarms, without, at the same time, changing them from the unacknowledged (fast flash) to the acknowledged (steady on) state.
(2)
Highlighting or prioritizing, by some method, the alarms occurring in a multiple alarm situation that require special operator action.
(3)
Dividing the acknowledge functions according to operator's responsibility -- essentially separating the console left, center and right acknowledge features.
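The behaviour proposed in corrective actions (1) to (3) can be modelled in a few lines of Python. This model is an added illustration, not part of the original report or of the TMI-1 alarm hardware; the alarm names, the three zone labels and the needs_action flag are assumptions constructed for the example.

```python
"""Model of the annunciator behaviour proposed in corrective actions (1)-(3)."""
from dataclasses import dataclass
from enum import Enum


class Lamp(Enum):
    OFF = "off"
    FAST_FLASH = "fast flash"  # unacknowledged state named in the report
    STEADY_ON = "steady on"    # acknowledged state named in the report


@dataclass
class Alarm:
    name: str                   # constructed identifier, not a plant tag
    zone: str                   # console section: "left", "center" or "right"
    needs_action: bool = False  # assumption: flagged in advance as requiring action
    lamp: Lamp = Lamp.OFF
    horn: bool = False


class Annunciator:
    def __init__(self, alarms):
        self.alarms = {a.name: a for a in alarms}

    def raise_alarm(self, name):
        alarm = self.alarms[name]
        alarm.lamp = Lamp.FAST_FLASH
        alarm.horn = True

    def horn_sounding(self):
        return any(a.horn for a in self.alarms.values())

    def silence(self):
        """Action (1): stop the audible tone but leave every lamp in fast flash."""
        for alarm in self.alarms.values():
            alarm.horn = False

    def acknowledge(self, zone=None):
        """Move flashing alarms to steady on and return their names.

        zone=None models the present arrangement, where any of the equivalent
        acknowledge buttons acts on every alarm, seen or unseen.
        A zone name models action (3): only that console section is affected.
        """
        done = []
        for alarm in self.alarms.values():
            if alarm.lamp is Lamp.FAST_FLASH and zone in (None, alarm.zone):
                alarm.lamp = Lamp.STEADY_ON
                alarm.horn = False
                done.append(alarm.name)
        return done

    def unacknowledged(self):
        """Action (2): list flashing alarms, those requiring action first."""
        pending = [a for a in self.alarms.values() if a.lamp is Lamp.FAST_FLASH]
        pending.sort(key=lambda a: (not a.needs_action, a.name))
        return [a.name for a in pending]


def build_post_trip_panel():
    """Constructed scenario: 24 routine post-trip alarms plus one that matters."""
    alarms = [Alarm(f"{zone}-{i:02d}", zone)
              for zone in ("left", "center", "right") for i in range(1, 9)]
    alarms.append(Alarm("right-99", "right", needs_action=True))
    panel = Annunciator(alarms)
    for alarm in alarms:
        panel.raise_alarm(alarm.name)
    return panel


if __name__ == "__main__":
    panel = build_post_trip_panel()
    panel.silence()
    print("horn:", panel.horn_sounding(), "pending:", len(panel.unacknowledged()))
    print("first to read:", panel.unacknowledged()[0])
    print("left operator acknowledged:", len(panel.acknowledge("left")))
    print("still flashing on the right:", "right-99" in panel.unacknowledged())
```

With the shared acknowledge (zone=None), one press clears all 25 lamps at once, which is deficiency c. above; with zone-scoped acknowledge the alarm on the right console keeps flashing until the operator responsible for it responds.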
These recommendations will be expanded in the report of the alarm system review.*
* A more detailed discussion of the results of the alarm system review is included in Section IV of the main body of this report. See also "A Review of the Three Mile Island Unit 1 Control Room Alarm System," February 1981.

5.
There are several problems identified with the controls and displays associated with the once through steam generators:
a.
Three different level instruments are employed for various purposes.
The startup (250 inch span) and wide range (630 inch span) instruments share a common zero (six inches above the lower tubesheet) and are calibrated in inches.
The operating range instrument (292 inch span), on the other hand, utilizes a different zero (106 inches above the lower tubesheet) and is calibrated in percent of range.
Any or all of these instruments may be used by the operator in off-normal or potentially stressful conditions during which the differences concerning the scales could lead to confusion.
The review team recommends appropriate instructive illustrations be added to the panel to allow the operator to correlate easily these displays.
b.
Control of steam generator level during heatup is an arduous task, requiring virtually full attention from one operator during the entire evolution.
The situation is similar during cooldown.
The problem arises because the desired steam generator level is near the top of the range (97%) of the display used by the operator for control.
The acceptable control band is set, on the one hand, by the top of the instrument range (100% of range, about two and one-half feet below the main steam nozzles), and on the other, by the elevation of the feed nozzles (95% of range).
This corresponds to a band of one foot.
The review team recommends that this situation be corrected. A functionally satisfactory control band would allow level to vary from the bottom of the main steam nozzles to the feed nozzles, a band of about three and one-half feet.
This wider band would reduce by a factor of about four the frequency of control actions by the operator tending the steam generator.
It would require the use of the wide range level instrument rather than the operating range instrument.
Although this instrument is not presently temperature compensated, the review team considers that its use, even with manual temperature compensation, would be superior to the present control scheme.
Use of a temperature compensated wide range instrument would be better still.
c.
Manual control of the once through steam generators at power, should the need arise, is currently viewed by the operators as a control challenge.
(It should be noted that, subject to comment b. above, control during startup, cooldown, or shutdown, following a trip is considered much less difficult.)
It should also be noted that the need for manual control at power has not arisen frequently; automatic is the normal control mode.
Procedures and training for effective manual control at power appear less than adequate.
(Again, subject to the above comment, the procedures for startup, cooldown, or shutdown, following a trip are considered satisfactory.)
The adequacy of displays and controls provided for this contingency can therefore not be measured against a specific and proven procedure.
The review team recommends engineering studies to develop a workable strategy for manual control at power be performed.
These studies should consider:
- Use of turbine first stage pressure as an anticipatory (steam demand) variable against which feed flow could be matched in the short term.
- Use of steam pressure as a long term control variable analogous to level in a recirculating steam generator.
- Use of a slower operating speed for the feedwater regulating valve in the manual mode.
6.
Radiation monitoring system outputs are currently displayed on panel PRP.
The electronics for these displays are also located in this panel.
The system, as is, presents several problems:
a.
Frequent maintenance is required by the electronics, and a technician is therefore often working in the aisle between panel PRF and console CR.
This represents a distraction to the operators, and is an impediment, if access to the back panels is required.
b.
The readings of individual monitors are difficult to distinguish from the operator's normal station at the console.
It should be noted, however, that individual channel alarms and alerts are visible at the console station, and, with improved labeling, the identity and function of these channels should be readily discernible.
c.
The radiation readings are not visually connected with the systems with which they are associated.
None of these shortcomings is considered sufficiently serious to warrant, at present, the replacement of the existing radiation monitoring system.
However, when obsolescence dictates replacement of the system, a new location for system electronics, removed from back panels, should be selected.
The new system should be provided with remote readouts, which could be placed at locations more consistent with their correct interpretation.
7.
Control of decay heat removal during cooldown currently requires operation of cooler inlet and bypass valves at a local station.
This station is not equipped with appropriate temperature indications to allow the operator to gauge the results of his action.
Instead, temperature indication is displayed on the main control console.
As a consequence, cooldown control is awkward, involving two operators, and a telephone link.
This situation could be remedied by adding appropriate valve controls to the control room console, or alternately, providing appropriate displays and improved controls at the local station.
A study to determine the optimum solution to this shortcoming should be performed.
8.
The CRT for reading out computer information presently installed in the control room is not operational (necessary readouts are obtained via line printers and an alphanumeric display at the computer console).
The capability to read out computer information on a CRT is considered desirable.
The review team recommends that means for accomplishing this be provided.
GPU is developing for the longer term more advanced computational and display systems.
The review team's evaluation indicated several areas where consolidated display information would be desirable.
These include:
- Primary coolant inventory including flow rates between repositories for this inventory.
- Steam, feed, and condensate system inventory including time history of condensate makeup and dump valve positions (from which to infer leak rate).
- Absolute and relative control rod position indications (on a single display) to allow more rapid checkout of the rod control system following refueling.
9.
The distribution of electric power to plant equipment is generally arranged in mimics on back panel PR and console CR.
There are, however, a number of concerns. Since the use of the controls by the operators is infrequent, they may not be as familiar with the line-up of these controls as with other more frequently used controls.
These concerns include the following:
- Lack of information describing what specific loads receive power from specific buses.
- Intermingling of breaker controls on panel CR with makeup and other pump controls.
- Lack of clear association between ammeters and related feeders, voltmeters and related buses, and synchroscope controls.
Improved mimicking, system demarcation, and more effective labeling can correct these deficiencies.
Shape coding for electrical system control handles can be employed to distinguish them from pump motor controls.
10.
The control room operator presently has no unambiguous means to distinguish between functioning and nonfunctioning instruments and controls, particularly when the nonfunctioning situation is brought about by loss of a power supply.
The review team believes that this should be remedied.
The following corrective actions should be considered:
- Addition of appropriate power supply annunciators and indications to allow the operator to determine easily that a segment of his instrumentation and control system has lost power.
- Addition of distinctive midscale "meter zero" marks to all Bailey meter scales, to assist the operator in detecting a single defective meter.
D.
Conclusions on Related Topics
In addition to the above conclusions and recommendations, the review team has drawn conclusions and made recommendations on several topics more broadly related to the man-machine interface:
1.
In-plant communications, particularly between control room operators and auxiliary operators, should be improved as outlined in Appendix D.
2.
Though the control room environment generally conforms with the criteria of MIL-STD-1472B**, improvements can be made.
Details are provided in Appendix C.
Principal improvements recommended are:
a.
a means of humidifying incoming air to eliminate excessive dryness in cold weather, and a means to improve air filtration during normal operation,
b.
light baffles or other means, to reduce glare on the console from overhead lighting,
c.
carpeting to reduce noise (to a level such that the day shift ambient is approximately equal to present night shift ambient), to reduce glare, and to reduce operator fatigue,
d.
a rigorous, preplanned approach to inspecting, adjusting (for intensity) and replacing light bulbs for console and panel devices, and
e.
revised audible intensities for alarm annunciators to levels uniformly intelligible to the operator.
None of the above is considered crucial to plant safety or reliability, but their implementation would be expected to improve operator alertness and morale."

* These appendices appear in the 1980 GPU report, referenced at the head of this Appendix.
** Used as a quantitative basis for certain environmental evaluations.