ML20090D598

Description of Human Factors Program Plan for Sys 80+ (Tm) Standard Plant Design, for Plant Certification
ML20090D598
Person / Time
Site: 05200002
Issue date: 02/29/1992
From:
ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY
To:
Shared Package
ML20090D595 List:
References
PROC-920229, NUDOCS 9203060327
Download: ML20090D598 (45)


Text

DESCRIPTION OF THE HUMAN FACTORS PROGRAM PLAN FOR THE SYSTEM 80+ (TM) STANDARD PLANT DESIGN

COMBUSTION ENGINEERING, INC.

February, 1992

9203060327 920221 PDR ADOCK 05200002 A PDR

Table of Contents

1-INTRODUCTION
  1.1-Purpose and Scope
  1.2-Approach
2-HUMAN FACTORS ANALYSES
  2.1-Systems Analysis
  2.2-Function and Task Analysis
  2.3-Staffing and Configuration Evaluation
  2.4-Information Presentation and Panel Design Eval.
  2.5-Verification and Validation
  2.6-Alarm Analyses and Evaluations
  2.7-Halden Reactor Studies
  2.8-Analysis Summary
3-HUMAN ENGINEERING OF MMI AND EQUIPMENT
  3.1-Integrated Process Status Overview Display
  3.2-DPS CRT Displays
  3.3-Alarms
  3.4-Discrete Indicators
  3.5-Process Controllers
  3.6-Hardware for Alarms, Discrete Indicators, & Process Controllers: Electro-Luminescent Displays
  3.7-Component Control
4-MAINTENANCE, TRAINING, AND PROCEDURES
  4.1-Maintenance
  4.2-Training and Procedure Development
5-TEST AND EVALUATION
  5.1-Design Reviews
  5.2-Verification
  5.3-Further Test and Evaluation
6-PLANNED HUMAN FACTORS ACTIVITIES
  6.1-Final HF Standards, Guidelines and Bases
  6.2-Full-Scale Mock-Up Activities
  6.3-Prototyping and Soft Features
  6.4-Verification Activities
  6.5-Further Task Analysis
  6.6-Validation Activities
  6.7-Design Acceptance Criteria
7-CONCLUSION

1-INTRODUCTION

1.1 PURPOSE AND SCOPE

1.1.1-Purpose

The Human Factors Program Plan (HFPP) for System 80+ describes the human engineering program for the System 80+ standard plant design certification, identifies its elements, and explains how the elements are managed. The purpose of the document is to define, in easily understood terms, both what human factors (HF) activities have been done to date for Nuplex 80+, and what activities will be performed as part of the ongoing human factors engineering program for the System 80+ Standard Plant Design.

The intent is to provide a consolidated basis for review of C-E's human factors plans and progress. The purpose of this document is not to revise or add to those human factors efforts that were necessary to bring the design to its present state; rather, this HFPP documents what has been done to date in the design process and relates past activities to those which are planned as the design of System 80+ progresses.

1.1.2-Scope

This document describes activities relating to the design of the man-machine interface (MMI) for ABB-CE's Nuplex 80+ advanced control complex to be used in the System 80+ standard plant as well as related MMI considerations for the balance of the System 80+ standard plant design. System 80+ refers to the entire plant, including the Nuplex control complex. Nuplex 80+ refers to the control room, the technical support center, and the remote shutdown panel.

A description of the design team including C-E and its sub-contractors is provided, as well as descriptions of the activities themselves. In addition, the products which have been generated or are planned as a result of future human factors activities are described. The scope of the document includes:

-Organization of HF personnel and activities and Integration into the Project

-Human Factors Efforts by Subcontractors

-Human Factors and Systems Analysis

-Human Factors Engineering in MMI (Equipment Detail) Design

-Human Factors Tests and Evaluations

-Other HF Efforts (incl. personnel, training and procedures)

Both past and future efforts including the resulting products in these areas will be described.

C-E's approach to the program plan is to describe activities and documents which have been done previously and will not be altered because they are considered to represent a good design practice which will be pursued in the future. If any area is found to require changes during the continual re-evaluation of the man-machine interface which occurs during the design process, the design may be modified but the previous human factors engineering process will not be changed. The program plan also describes the future HF program (evaluations, analyses, and design work) based on the design process developed to date.

1.2 APPROACH

The System 80+ standard plant is an evolutionary plant design, where plant systems and their operation do not differ substantially from previously licensed plants, specifically System 80. As such, the baseline system and operator functions of the plant do not differ notably and, thus, the information and control requirements of Nuplex 80+ are not significantly different from those of System 80 plants. It is prudent to take credit for information derived from existing plants in HF activities such as task analysis and function allocation. These will be referenced and referred to during the description of the seminal HF activities in this program plan.

1.2.1-Organization of Design Team

1.2.1.1-Internal Organization

The human factors engineering effort at Combustion Engineering is an integrated part of the entire design process. Full time human factors specialists are employed by C-E and participate in every step of the design of the man-machine interface. Hence, human factors work for the Nuplex 80+ is not performed by outside consultants, nor is it merely an after the fact review function.

An integrated group was chosen because it assured that human factors engineers were participants in the design process and not merely consultants. They belong to what, effectively, is one design organization. This leads to the most efficient design process and makes the human factors specialists more effective because their incremental and continual input enables design modification and development without extensive backfit.

The exact number of human factors engineers working on Nuplex 80+ at any given time varies depending on schedules, work in progress, and other projects which require human factors involvement. There are currently two groups at C-E which include human factors engineers: the Nuclear Services Human Factors Group and the Nuclear Systems I&C Control Complex Engineering Group. It is this latter group which has the primary responsibility for Nuplex 80+ design with the services group providing support and loan of staff members on an as-needed basis.

There has always been at least one human factors engineer working full time on the Nuplex 80+ design. Currently there are two. At certain points in the design, such as during Functional Task Analysis (FTA) there have been as many as four. The human factors specialists at C-E bring a diverse background to the design including nuclear navy, utility, and architect/engineer experience. The HF specialists are part of a group of eleven man-machine interface designers dedicated to System 80+ work. These include experienced navy and commercial operators, individuals with expertise in display development, I&C systems, and control panel fabrication. In summary, the HF specialists are part of a larger group dedicated to the MMI design.

Minimum requirements for qualified HF specialists on the project include either a Bachelor's degree in engineering or a human factors related field and five years human factors experience in the nuclear industry or a Master's degree in a human-factors related field. All of C-E's current human factors specialists possess significantly more experience than these minimum requirements.

As previously noted, the exact staffing level of human factors engineers dedicated to System 80+ and related projects varies, hence no exact number of man-months/yr can be given. However, for comparison purposes, it can be noted that for the final 6 months of 1991 there were three human factors engineers working nearly full-time on NUPLEX 80+ and related projects, with one additional engineer providing support and supervision.

The I&C department contains numerous engineers and specialists outside of the human-factors discipline. CESSAR/DC Table 18.2-1 provides design team staffing information. The staff of senior reactor operators and HF specialists has been expanded since the time this table was prepared. Experienced former LWR licensed operators and navy operators contribute greatly to the MMI design, especially in the walk-through and analysis portions. Software specialists, experts in control board design, and I&C systems engineers also add input. In short, human factors efforts are part of the larger integrated design team approach to the entire System 80+ product.

The reporting structure at C-E has varied over the course of the design of System 80+. Currently, the human factors engineers permanently assigned to the project report to the manager of ALWR design who reports to the Director of Nuclear Systems I&C. Other designers report to the same manager. HF specialists on loan from the Nuclear Services group similarly report to the I&C ALWR manager. However, when the Nuclear Services group performs independent HF tasks (such as the FTA) for the design, they remain within their normal Nuclear Services reporting structure: HF specialist to HF group supervisor, etc. and up the Nuclear Services management chain, which meets the I&C ALWR group's reporting authority at the President of ABB-CE Nuclear Power.

1.2.1.2-Design Process

The Nuplex 80+ MMI design process is illustrated in Figures 1.2-1 through 1.2-5. These show the relationships among 'conventional' human factors analyses, i.e., functional decomposition, design reviews, rapid prototypes, standardized panel layouts, and other design methods employed in the Nuplex 80+ MMI development.

The Nuplex 80+ design process utilizes other approaches in addition to conventional human factors analyses. One of the most common and effective is the Design Review Meeting (DRM). In these meetings, the engineer(s) assigned to a particular aspect of design present their work for critique and input from other design team members. Typically, such meetings include ten to twenty individuals including implementers, system designers, operators, and HF specialists. This process is akin to what EPRI calls the "boiler room" approach, where design details are "sweated out".

The DRM can also be seen as the 'test' phase of the design team's hypothesis and test cycle. Human Factors specialists take advantage of these meetings both to assure that all aspects of the design receive HF input and to subject their own work to multidisciplinary scrutiny. This approach is an important means of ensuring that the development of the design proceeds in a consistent and feasible fashion. Goals of the DRM include assuring that the design is usable, feasible, and consistent with design practice throughout the project. Further details on the DRM process can be found in Section 5.1.

[Figure 1.2-1: NUPLEX 80+ MMI DESIGN PROCESS. Legible labels: NUCLEAR INDUSTRY REQUIREMENTS; EPRI-URD; NUPLEX 80+; FOSSIL POWER PLANTS (BIG-BOARD); MULTI-DISCIPLINED DESIGN TEAM; MECHANICAL, NUCLEAR, I & C EVOLUTION.]

[Figures 1.2-2 through 1.2-5: diagram content is not legible in the scanned source.]

The Nuplex 80+ design approach can be seen to be consistent with human factors methodology described in references such as IEEE-3023 in that

-the design is an iterative process using HF specialists, operators, plant systems engineers, and maintenance experts

-prototypes & mock-ups, DRMs, and other technical evaluations are used to develop a standard MMI design

-the design team develops System 80+ information and control characteristics to satisfy the operators' need to perform EPGs (safety functions) and other operating tasks

-the analyses' results are provided to the designers for incorporation into their work and the total design of one panel and the IPSO display

-additional panel sections are being designed using a similar methodology, with ongoing verification work

-the entire product will be validated at the integrated test facility

The C-E design approach utilizes the concept of an engineer or small design team developing a design to meet a specific design basis and to solve existing control room problems. Elaborate studies and analyses were not seen as a practical approach to revising and upgrading the information and control interface for known process systems in an evolutionary design. Rather, the new design focused on solving known problems as well as emergent ones that are identified during the design process. Design flows not only from human factors analyses but also from individual problem solving efforts, design reviews and experience with previous C-E plants.

1.2.1.3-Human Factors Efforts by Subcontractors

Some balance of plant work relating to the man-machine interface for System 80+ is being performed by Duke Engineering and Services (DE&S) as a subcontractor. C-E retains final design authority, review, and responsibility for work which has been or may be performed by DE&S or any other subcontractors. This work, to date, has included some of the preliminary BOP-related panel layouts and much of the physical plant configuration work that impinges on maintenance and access (human factors) considerations.

The DE&S organization includes individuals with plant operations, maintenance and test experience, many of whom have been temporarily loaned from the Duke Power Company. Their input to the design is particularly valuable.

At all milestone stages in the design, work produced by DE&S comes to C-E for further review. At those stages in the design, C-E's human factors specialists provide further review to the work produced by DE&S. C-E also provides human factors engineering guidance to DE&S by providing human-factors related guideline documents and Nuplex 80+ design practice documents. This is to assure that DE&S's products not only provide a good human factors interface in and of themselves but also that they are consistent with the remainder of the MMI.

Future System 80+ design work may be performed by other subcontractors. Should this prove the case, the same methods of review, guidance, and control will be used to assure a continued standardized and acceptable man-machine interface.

1.2.2-Philosophy of Design

The philosophy which has been followed in the development of the System 80+ man-machine interface begins with the evolutionary nature of System 80+. Inherent in this philosophy is the criterion of acceptability. The design goal for the Nuplex 80+ advanced control complex human factors effort has been to assure that the MMI is acceptable based on an established set of performance goals.

Criteria for MMI acceptability include conformance to existing human factors guidance, correction of significant human error concerns that are identified during verification, and demonstration of the operators' ability to perform required safety functions in a timely, accurate and reliable manner in all cases. In general, the design exceeds this goal.

Since there is no unitary, objective measure of performance quality, nor baseline data against which the notion of 'optimal' can be measured, C-E does not claim optimal or near optimal MMI performance. Similarly, C-E does not claim demonstrable improvement in the MMI (vs. conventional plants) by a quantitative measure, though in most cases a qualitative improvement is obvious.

The design process and acceptability criteria are all directed to the practical achievement of the design goals listed in subsequent sections of this plan.

The two main philosophies of 1) evolutionary design and 2) acceptability are supplemented by several subsidiary ones. These are summarized below:

Accuracy over Speed: The design of the Nuplex control room is such that operators can perform all necessary actions to control the plant under all conditions and can do so without violating reasonable operational time constraints. In general, the Nuplex 80+ design has emphasized the need for accurate performance and the ability of the design to withstand operator errors without catastrophic consequences.

Because of the nature of the nuclear power plant, a rapid operator response time is rarely, if ever, required for safety. Rapid responses are instead allocated to automation. Therefore, the design emphasizes accuracy of performance over speed. Because no speed-critical tasks exist for the System 80+ plant, no "critical task analysis" was performed.

Evaluation of Design Product by Users: The design team has placed an emphasis on assuring the operators' and other users' intimate involvement in the design process.

Information over Data: Nuplex 80+ presents needed information, not merely data, to users. The design philosophy is to provide sufficient information for operations, in a suitable format for operations tasks, rather than requiring the user to sort or process raw data.

Criteria and Validation: The design of the man-machine interface is based on accepted industry practice and human factors criteria. Initially, criteria from these documents were used directly in the design but as work progressed, conflicting guidance, ranges of guidance, and alternate methods of implementation were distilled into C-E's own Human Factors and Guidelines Document. C-E has avoided designing before guidance is developed, and subsequently rationalizing the results.

No Backup: It is part of the design philosophy not to provide hardwired indicators and controls as a 'backup' certifiable MMI.

Certification of Process: Suitable detail is being provided and documented on the design of the RCS panel and system for an evaluation and certification of the generic design process to be made. Once the validity of this approach is accepted, design acceptance criteria will be developed so that the rest of the MMI design can be evaluated based on this method. The design provides an integrated MMI design which can be seen and accepted rather than the more subjective approach of certifying only method and having no sample product available until later.

1.2.3-Road Map of Human Factors Documentation

Along with CESSAR/DC, a 13-volume set of reference design documentation, henceforth referred to as the RDD, has been provided. Portions of the RDD which concern the human factors program and process include the system descriptions for the RCS and CVCS panels, the generic Panel Layout Standard, the control complex Information Systems system description, the Critical Functions Monitoring description, and the new Alarm Processing Description.

C-E will be adding new revisions and documents to the RDD in the near-term.

During the course of this program plan, reference will be made to these documents along with other C-E documents which have been made available to the NRC such as the Human Factors Standards and Guidelines, the Function and Task Analysis Report, and the Verification Analysis Report. In addition, future documents slated for production, including the V&V plan, Validation report, and others as noted in this plan, will be referred to. The HFPP does not attempt to include or summarize the content of those documents, but their existence or scheduled production should be noted as part of the documentation of the C-E human factors program.

1.2.4-Position on Regulations

The Nuplex 80+ and all other areas of System 80+ Man-Machine Interface shall comply with NUREG-0700 where it is applicable to advanced MMI design. In the absence of NRC guidance on advanced MMI design, the project has developed its own internal guidelines as a distillation of the best accepted industry documents as described in Section 1.2.2. Other NRC regulatory documents which pertain to human factors engineering (such as Reg. Guide 1.97) have also been followed. In addition, efforts have been made to meet generic industry guidance such as EPRI NP-3659 and the EPRI ALWR Utility Requirements Document.

The design meets the current human factors design requirements of the Standard Review Plan, NUREG-0800. The exact position on various references is described outside of this program plan.

2-HUMAN FACTORS ANALYSES

The design team has performed and plans to perform a number of formal analyses and less-structured evaluations as part of the System 80+ MMI design process. These begin with systems analysis and move on to task analyses and the three other analysis and evaluation activities which normally flow from TA, namely staffing and configuration evaluation, information and panel design evaluation, and verification & validation. Subsequent to the discussion of these activities, a description of other analyses and evaluations contributing to Nuplex 80+ design is presented. These are alarm analyses and the Halden Reactor studies.

2.1-SYSTEMS ANALYSIS

A formal systems analysis, such as described in MIL-H-46855B, was not performed for the System 80+ Plant. The analysis was not necessary because the systems for the plant are essentially the same as those for previously-licensed C-E units. The nature of systems and operating procedures for these units is well-established and documented. Therefore, a systems analysis would not be beneficial or necessary for System 80+. Analyses from other projects that were applicable to System 80+ (such as SONGS 2 & 3) were referenced but System 80+ takes credit for design experience as its primary justification for not needing a formal systems analysis since System 80+ represents few changes that affect the anticipated operations based on the previous design.

The results of previous systems operation knowledge have been incorporated into the Nuplex 80+ design in the following areas:

1-Allocation and layout of systems in the controlling workspace has been based in part on the number, function and relationships identified between System 80+ systems.

2-Crew sizes and staffing needs have been evaluated with consideration of the activities required for system operation.

2.2-FUNCTION AND TASK ANALYSIS

The Function and Task Analysis is the first of four human factors analyses and evaluations which have been done for the System 80+ RCS and which are planned for the other portions of the design which will appear in the advanced control complex. The subsequent three, which will be discussed in following sections, are staffing and configuration evaluation, information presentation and panel design evaluation, and validation.

A formal function and task analysis (FTA) has been performed for the System 80+ RCS. This analysis and the subsequent report have previously been made available to the NRC in the RDD, volumes 7 & 8. The plan is to perform similar analyses for all other systems with indications and controls on the main control panel sections during the design process. The RCS FTA represents the methodology which the project team will use, with refinements based on the completed FTA work as noted in Section 6.5 of this report.

2.2.1-Function Allocation

Function allocation, the assignment of functions to either man or machine (or a combination), has been done for System 80+ by evaluating the function allocation in the baseline System 80 design. The functions which must be performed by the overall plant systems to achieve their objectives are the same as for System 80.

Changes to function allocation for System 80+ developed over the course of design of many currently operating power plants. These changes were reviewed and evaluated as part of the System 80+ design process in response to problem areas identified based on operations histories and interviews with operators. These areas included:

-Automatic Load Dispatching

-Automatic Margin Preservation

(both done via the Megawatt Demand Setter)

Evaluation and revision to the high level allocation of function is complete. While it is possible that further problem areas will be identified during the design process, at which time additional changes would be evaluated, the possibility is viewed as unlikely.

2.2.2-Functional Task Analysis

A top-down functional task analysis was performed to identify System 80+ information and control characteristic requirements and to allow evaluation of the function allocation. The results of this analysis may be found in CESSAR/DC Section 18.5 and in the Nuplex 80+ Function and Task Analysis Report, in the RDD. In general, three areas were given design support by the analysis. They are the aforementioned function allocation, general panel layout, and RCS panel design.

Functional requirements and controls for System 80+ were based on existing System 80 power plants. Monitoring tasks were primarily evaluated in the FTA because the monitoring portions of the MMI have the most significant changes, as compared to current plants. The System 80+ control requirements and MMI for controls are essentially the same as for System 80 plants; therefore, the System 80+ FTA relies heavily on the acceptability of the DCRDR process conducted previously for System 80 control rooms. The System 80 instrument list and panel components provided the starting point of the System 80+ FTA.

The analysis considered the four basic operator roles and broke operator functions down into subfunctions, operations, tasks, task information, and control characteristics, as described in the FTA report. Information and control requirements were then gleaned.

2.3-STAFFING AND CONFIGURATION EVALUATION

2.3.1-Staffing

The staffing and configuration evaluation, as described in CESSAR-DC, Section 18.6 is complete for the entire Nuplex 80+ control complex. The control panel profiles and arrangements were defined based on the results of the FTA and on HF criteria from the industry, as described in Section 18.6 of CESSAR/DC.

Prior to developing and evaluating the Nuplex 80+ control room configuration, potential and likely staffing levels for Nuplex 80+ were evaluated. First, a set of operational requirements was established, based on the EPRI ALWR URD, experience with existing C-E units, and licensing considerations such as Reg. Guide 1.97. Based on these, Nuplex 80+ was configured to provide for a variety of operating crew sizes from one to six. The technical bases for these crews are presented below:

One-person crew: An EPRI requirement. Reactor Trip was looked at as the limiting event for crew size (i.e., task loading was highest at this point of operations). Task Analysis found that one operator, at the master control console (MCC) could handle not only standard Hot Standby to Power operations but also immediate post trip actions. Therefore, Nuplex 80+ supports this crew size during normal power operations. Note that the additional crew members are in the main control room but only one operator is in the controlling workspace (i.e., at the panels).

Three-person crew: For post-trip and for start-up evolutions, the 3-person crew size was based on an evaluation of C-E generic operating guidelines, on operating experience at existing C-E units, and on task analysis.

Six-person crew: An EPRI requirement based on staffing practices of all utilities with C-E plants in operation or on order, six is the maximum crew size. This is not a necessary crew size but Nuplex 80+ could support such a crew (which would include an STA and Control Room Supervisor). Adequate workspace is provided.

Acceptability of these crew sizes can be justified but not confirmed now. However, these crew sizes will be validated in the integration test facility for Nuplex 80+ as part of the human factors program/design process.

2.3.2-Configuration

The Nuplex 80+ control room configuration was developed through an evolutionary process, beginning with System 80 control room configuration. This configuration was modified based on post-TMI monitoring requirements, the EPRI ALWR URD, plant design changes for System 80+, and industry and NRC human factors criteria and methods. Several candidate arrangements were evaluated based on operational and staffing requirements as described in CESSAR/DC Section 18.6. Essentially, problems with existing configurations were taken into consideration first. Design goals, such as the addition of a CRS workstation and redundant controls, addition of an overview mechanism for determining plant status, et al., were considered next. The current Nuplex 80+ configuration is a result of factoring this evaluation into the design process described in Section 1 of this plan.

2.4-INFORMATION PRESENTATION AND PANEL DESIGN EVALUATION

The information presentation and panel design evaluation, as documented in CESSAR-DC, the RCS and CVCS panel design reports, the Control Complex Information Systems design description (RDD vols. 5 & 6) and the HF Standards and Guidelines, has been completed for a reference design for the RCS and is being implemented on other panel designs for Nuplex 80+. This evaluation developed standard information and control methodologies and implemented them in panel design, based on the results of FTA. This evaluation practice will undergo additional iterations as it continues to be applied throughout the Nuplex 80+ design.

With the Nuplex 80+ man-machine interface design philosophy as a starting point, methods were developed through evaluation of alarm, display, and control techniques. Refer to the Figures in Section 1.2 for an illustration of this process. This led, simultaneously, to establishing panel design criteria, and allocating information requirements to alarm, display, and control methodology. At this stage, information and control requirements from the FTA were a major input, leading to the development of information processing algorithms (algorithmic rules that relate plant data to information displays). The criteria and algorithms led, along with configuration panel arrangement, to the design of the Nuplex 80+ control panels.

Generic products resulting from this evaluation were:

1-raw data processing algorithm

2-panel design criteria

3-generic design documents such as Human Factors Standards & Guidelines, the Critical Functions Monitoring and Information Systems descriptions, and the Alarm Processing description

These products are re-evaluated on an as-needed basis during the detailed layout of other control panels, and are re-verified if changes are made. However, no formal analysis is planned at this time. Rather than a formal analysis, engineers and designers define methodologies with a rationale which must then submit to the DRM process described in detail in Section 1.2.1.2 of this plan. Figure 2.4-1 illustrates the process.

[Figure 2.4-1: Generic to Specific Design Process. Labels recoverable from the figure: Generic Products, FTA, Design Review Meeting, System-Specific Design Product, Man-Machine Interface Designers, Design Feedback from Project Team Members.]

2.5-VERIFICATION AND VALIDATION

The design team has performed verification for the RCS panel design as documented in the Verification Report (in the Reference Design Documentation). It is planned to pursue the same verification methodologies and provide similar levels of documentation for other control panel designs. This topic shall be discussed further in the 'Test and Evaluation' section (Sec. 5) of this plan. The purpose of V&V of the Nuplex MMI is to demonstrate adequate operator task performance capabilities and the capacity to perform necessary functions in the control room. Verification will be based on the task analysis data as performed for RCS and planned for other panels (see Section 2.1). Suitability and adequacy of control room inventory will also be addressed in verification.

Note that C-E performs both an availability verification based on FTA results and a suitability verification to establish the acceptability of the interface.

Verification consists of all of the steps necessary to review and evaluate the design adequacy of all of the parts of the design. Validation consists of a review of the overall product or unit at the integration test facility. The validation effort will be based on a multi-phase approach, to ensure integration to support operational functions. These phases will include:

1-demonstration of adequate operator comprehension and access to indicator and control information

2-adequacy of crew size for tasks

3-ability of crew to perform all required functions

This initial validation work will be performed after the availability of a full-scope, partially dynamic mock-up of Nuplex 80+. This work has been done for the RCS system. A similar method is planned for the rest of the Nuplex 80+ control complex, with the work performed in steps as more and more of the design is completed. For instance, MCC one-person operation will be validated before the Auxiliary and Safety consoles are completed.

Final validation will be performed on the integration test facility. This will be a fully dynamic facility with simulation available. Validation will be demonstrated as final proof of MMI design acceptability.

2.6-ALARM ANALYSES AND EVALUATIONS

A number of power industry studies of plant alarm and annunciation systems were used as contributing material in the development of the Nuplex 80+ alarm system. Based on these, and the existing System 80 alarm systems, an evaluation of potential alarm system MMI features was performed for the Department of Energy, as part of the Advanced Instrumentation and Control Milestone B work. During the course of this work, various NRC and nuclear industry guidelines on alarm systems were reviewed. Below is a listing of some of these studies and the data they provided to the initial Nuplex 80+ alarm scheme:

EPRI-NP-3448: Provided list of problems with current schemes and data on prioritization definitions.

NUREG/CR-2776: Provided alternatives for advanced alarm display systems.

NUREG/CR-2147: Provided recommendations for solving 'classic' annunciator and alarm system problems.

NUREG-0700: Provided guidance on CRT displays, desirable alarm features, MMI characteristics (such as color, response time, etc.), and prioritization.

NUREG/CR-3217: Provided details on short-term improvements which were possible for existing System 80 plants.

NUREG/CR-3987: Provided guidelines and information used by C-E for an evaluation of computer-based alarm schemes.

NUREG/CR-4463: Provided guidance and prospective methodology for a test plan for evaluating annunciator systems.

EPRI Alarm Seminar (MPR Associates, 1988): Provided bases for incorporating spatially dedicated alarms into the design.

Based on these studies, the team began Nuplex 80+ alarm system design and proceeded according to the design process described and illustrated in the other sections of this program plan.

It is important to understand that in the Nuplex 80+ alarm scheme, the alarm system is not actually necessary for accident mitigation, safe shutdown, or the successful performance of the operators' safety and accident mitigation roles in other design basis operating scenarios. Hence, it is a non-safety system and provides what is essentially a monitoring support function. Consistent with this philosophy, the emergency procedure guidelines require no action to be taken in response to alarms and, as a result, the alarm system is excluded from the FTA process.

2.7-HALDEN REACTOR STUDIES

In 1986-8, a number of studies were performed at the Halden reactor and its simulation facilities, located in Norway. These studies and evaluations provided important input to the design of the Integrated Process Status Overview (IPSO, i.e., the big screen 6' x 8' display above the MCC), the Critical Functions Monitoring (CFM) feature, and the Success Path Monitoring function (SPM). What follows is a brief description of these studies and how they influenced the development of the Nuplex 80+ MMI design.

2.7.1-CFM

In 1987, a study was performed at the Halden reactor facility to validate the concept of Critical Functions Monitoring on a PWR simulator. Full details on the study may be found in Volume 10 of the RDD. Simulator tests were run and it was concluded that the CFM function, which provides on-line assessment of the status of critical functions, is a valuable tool to reduce operator error, especially in conjunction with success path monitoring. This led to a decision to implement a similar CFM feature in the System 80+ design. Additional overviews of the Halden work may be found in subsequent Subsections 2.7.2 and 2.7.3 of this report.

2.7.2-SPM

The Success Path Monitoring feature for System 80+ is intended to be an advanced computer-based operator support function which provides an on-line assessment of the status of both availability and performance of success paths that mitigate challenges to critical functions. A prototype version of the system was developed and tested at the Halden reactor PWR simulator. The man-machine interface was evaluated by having experienced operators cope with a series of realistic simulated transients. Operator performance was evaluated to judge the efficacy of different information presentation systems. Operators' response times and accuracy were measured and comments were recorded. The results indicated the advantages of SPM in allowing the operator to better detect and correct success path problems before they impinged on critical functions. Based on the results of these studies, a similar SPM feature was included in the System 80+ design.

2.7.3-IPSO

As part of an evaluation of whether to provide operators with an overview of plant status, and a determination of the best display method for this information, C-E participated in a study at the Halden reactor PWR simulator in 1986-7. IPSO was evaluated for the adequacy of its MMI in a series of studies which included experienced operators and simulations of three different phases of operation (selected to represent different task loading situations).

Subjects evaluated IPSO's use during normal and abnormal operations, as well as aspects of its MMI such as content and format. Further study investigated the use of IPSO as a focal point for decision making. Results of the studies supported the usefulness of a large-screen plant overview display. Based on these results, the design team elected to include a large screen display in the Nuplex 80+ control complex design and made modifications to the content and format of the display to improve the man-machine interface based on user comments.

2.8-SUMMARY

Reference design work from previously licensed and operating System 80 plants has been used as the basis for determining:

-function allocation

-information and control requirements

-generic operating sequences

-controls used for the man-machine interface

Generic industry references and applicable NRC documents provided further input to the project design philosophy and HF guidelines. Industry alarm studies and Halden reactor studies contributed to the design of the IPSO, CFM, SPM, and the Nuplex 80+ alarm system. Operating experience from Duke and System 80 plants has influenced control complex layout, information and control requirements, and task sequences which were developed. Functional task analysis has provided direct input to panel layouts by elucidating relationships between controls, indicators, and the functions the panels must perform. As such, it has also served as an input to staffing and configuration evaluation, information presentation, and panel design analysis. Conceptual design bases have been founded on both FTA results and a priori judgements based on design reviews, knowledge of hardware, aforementioned operating experience, and input from a multi-disciplinary design team.


3-Human Engineering of MMI and Equipment

Human Factors of detailed equipment design has been and continues to be a major part of the design team's human engineering efforts. Control room interfaces that make up the man-machine interface include the IPSO, alarms, discrete indicators, process controllers, data processing system CRTs, and component controls. Equipment to provide these interfaces includes one big screen display and a combination of CRT screens, electro-luminescent touch screens (flat panel displays, henceforth referred to as ELDs), and pushbutton controls (henceforth referred to as switches). What follows is a description of the evolution of the interface from functional design goals, with a description of design rationale. The design goals are not intended to be testable criteria with clear dependent variables but were intended instead to be objectives for the system designers and human factors engineers as the Nuplex 80+ design developed. Why particular pieces of hardware were chosen is also briefly explained.

3.1-INTEGRATED PROCESS STATUS OVERVIEW (IPSO) DISPLAY

The IPSO, which currently uses a six foot by eight foot rear projection display, is designed to give an understanding of critical functions status, as well as success path availability and performance. It evolved from a generally expressed concern that the presentation of information on separate, small-format devices could prevent the operators from getting the overall "feel" of plant performance, and that CRT displays could cause a 'tunnel' effect of narrowing operator focus. IPSO provides the overview to any operator in the controlling workspace in a single glance. In addition, it is visible from the Shift Supervisor's office and the Technical Support Center so that those not directly controlling the plant but still possessing a need for high-level plant status data can obtain the information quickly without interrupting controlling workspace activities.

The IPSO display also exists as a display page available on any CRT screen in the control room and at remote facilities such as the Emergency Operations Facility. Thus, although the big board display is located behind the Main Control Complex (MCC) workstation, IPSO is also available to maintenance and supervisory staff, visitors, and engineering personnel. In the control room it is particularly valuable to operators who are coming on shift or who wish to rapidly reacquire the 'big picture' after attending to a detailed task or paperwork.

Design goals for IPSO included:

-Reduce quantity of information to an easily understood and recognized amount

-Provide a single location for quick assessment of key information indicative of critical power plant production and safety functions status as well as major success paths

-Compensate for a reduction in dedicated displays by allowing a 'feel' of plant conditions, thereby promoting a critical functions rather than a systems orientation

-Compensate for reduced staffing by providing an overview while doing detailed diagnostic tasks

-Be viewable to not only control room operators but also Control Room and Shift Supervisors and staff in the emergency facilities

Key Design Decisions and Rationale for IPSO included:

-Large Screen: The Halden evaluations showed that a large screen display was preferable for monitoring and obtaining information quickly.

-Level of Detail: The Halden studies also showed that highly processed information, not raw data, was preferred by users.

-Spatial and Serial: Design reviews showed that spatial and serial information were best left on the panels.

-Mounting, Projection, and Format: See paragraphs below; IPSO uses the same criteria for display design and format as the CRT display pages. See CESSAR/DC Section 18.7.1.1 for details and Section 18.7.1.2.2 for IPSO design criteria pertaining to what type of information was chosen for display.

The IPSO MMI was empirically evaluated through visits to hardware vendors, trying out different mounting methods and projection techniques, and application of human factors references to determine light intensity, ambient conditions, display size, and similar factors. Rear screen technology was found to interfere least with other control room tasks. A slightly tilted screen and black bezel were found to enhance viewability at all viewing locations.

Hardware evolutions for IPSO have included the evaluation of a variety of smaller screens, projection technologies, mounting angles and heights, ambient light levels, wall colors, and adjacent wall and frame colors. These evolutions occurred through design review meetings, hardware trials, and empirical judgements.

3.2-DPS CRT DISPLAYS

Every panel in the Nuplex 80+ control room has at least one CRT display (some have two). In addition, CRT displays are provided in the Technical Support Center, Remote Shutdown Panel, CRS console, the operator's office, the Shift Supervisor and CRS office, and the Emergency Operations Facility. Screens are currently envisioned to be 19 or 20 inch diagonal full color monitors which employ touch-screen technology for the operator interface.

CRT pages represent the best method of presenting the Data Processing System's plant information, which is available to the operator in a structured hierarchy. There are three levels of displays plus the IPSO overview. Among the functional design goals for the DPS CRT displays were:

-Assure that all information required for following operating procedures is available to the operator with no more than three levels of depth

-Assure consistent man-machine interface with other control room hardware and internally among display pages through the use of an information systems description document and human factors standards and guidelines

-Functionally consolidate information traditionally scattered across recorders, meters, status lamps, etc. in one location

-Provide Level One displays with the most useful general monitoring information

-Provide Level Two displays with information that is most useful for controlling plant components and systems

-Provide Level Three displays with information most useful for diagnostic activities

-Provide alarm mapping and access categorization to support alarm acknowledgement and understanding through the CRTs

Details on paging, menus, etc. may be found in Section 18.7.1.3 of CESSAR/DC.

Touch screens were chosen for the CRTs and ELD displays in order to focus operator attention and save the excess panel space which keyboards or trackballs would have required. Additionally, touch screens make use of the human inclination to point directly without those input devices. Touch screens allow the menu itself to be used for accessing and manipulating the system, which cuts down on page clutter and allows more useful integration of menus and touch areas into the display format. A full listing of this type of design decisions and rationale for DPS displays is below:

-The organization of the displays was selected to provide the big picture and a clear, uncomplicated hierarchy of detail

-Displays must be able to provide both analog and digital data presentation simultaneously

-SPDS function needed to be integrated into the rest of the DPS displays

-DPS displays needed to be available throughout the Nuplex 80+ MMI (hence CRTs on every panel)

-Based on empirical evaluation and suitability verification, a menu change was made to provide two-touch access to any screen

-Integration was provided with the alarm system to allow alarm acknowledgement from CRTs

The design bases for the CRT screens may be found in the information systems document. The hardware itself was selected to meet criteria in NUREG-0700 as well as NRC requirements for seismic category II. The actual useability of the CRT displays and the hardware, i.e., its adherence to good human engineering principles, will be checked as part of the aforementioned V&V process.

3.3-ALARMS

Details on the characteristics of the alarm system for Nuplex may be found in CESSAR/DC Section 18.7.1.5. These design goals and rationale, as well as system evolution, are discussed below without an attempt to fully describe all features associated with alarm and annunciation in Nuplex 80+.

Design bases for the alarm system were described in Section 2.6. Design goals for the alarm system included:

-Reduce the number of generated alarms to minimize information overload

-Display alarms with distinct visual cuing based on priority of response and significance of the alarm for operation, in order to focus operator attention

-Use display techniques which aid the operator in quickly correlating the impact of the alarm on plant safety and performance

-Ensure recognition of all alarms while preventing task overload

-Provide rapid, direct access to supporting information to facilitate operator response

-Enhance operator confidence in alarms by providing redundant, diverse, and intelligent processing of alarm inputs

-Employ good human factors engineering to enhance organization, and to assure useability of all alarm system features

Design features and rationale employed to meet these design goals included:

-Providing mode dependency to reduce overload and eliminate nuisance alarms

-Providing alarm significance mapping: alarms are mapped to appropriate displays (e.g.-CRTs, IPSO, Alarm Tiles) based on the significance of the tasks and/or equipment involved

-Grouping alarms with specific messages for plant conditions

-Maintaining spatial dedication for the most important alarms in order to enhance useability and reduce search and processing time

-Providing only momentary audible indication of cleared and new alarms to prevent klaxon disturbance

-Individual acknowledgement of changes in alarm status was required to alert operators to changes in status

-Setpoints for critical function alarms were tied to emergency operating procedures to integrate the MMI with EPGs

3.3.1-Alarm Tiles

Some alarms are presented on CRT displays and/or the IPSO screen, based on the significance mapping feature. All alarms which appear on the dedicated alarm tile displays are based on alarm prioritization, a three-level scheme developed per NUREG-0700 and EPRI NP-3448. Originally, alarms defined as priority one or two were selected for display on the spatially dedicated alarm tiles but verification of design has led to a more functional approach to this aspect of MMI development.

Alarm inputs are now selected for display on the alarm tiles based on their relation to significant operator action conditions. Alarms which can result in this type of operator action, even if the prioritization system classifies them as priority three, will be displayed on the alarm tiles. The alarm presentation scheme and significant operator action conditions are discussed in the alarm processing document.

A description of the hardware rationale for the alarm system may be found in Section 3.6.

3.4-DISCRETE INDICATORS

Discrete indicators, along with the alarm displays, form the man-machine interface of the Discrete Indication and Alarm System (DIAS). They differ from process controllers in that they do not provide the ability to control plant parameters from their screens. Control on DIAS displays is limited to the ability to page between related data on the discrete indicators and the ability to page through levels of alarms on the alarm screens.

The discrete indicators are an evolutionary successor to analog and digital meters and strip chart recorders. Design goals for the discrete indicators' MMI were:

-Provide a validated list display of all Reg. Guide 1.97 Category 1 variables

-Provide information to allow continued operation without the DPS: a) Tech. Spec. monitoring with < 24 hr. surveillance b) info. needed to assess personnel hazards & equipment damage c) Reg. Guide 1.97 Category 1 and 2 parameters not already on single parameter displays

-Provide key parameters used to assess success path performance and status of critical power and safety functions

-Provide access to individual sensor channels used in process representation values to allow continued operation without the DPS available

-Provide continuous display of all SPM and CFM monitored plant data

-Reduce the quantity of data which the operator must process in order to minimize information overload

-Provide simple access to support data (Tech. Spec. and Reg. Guide 1.97 information for example)

-Safety-related pedigree to allow use of same spatially dedicated displays for normal and post accident monitoring, to ensure familiarity

-Enhance operator confidence in display by providing redundancy, diversity (from DPS CRT displays), and intelligence in processing and reliability in hardware

-Provide automatic range changes as appropriate to plant situation

The following design decisions and rationale were employed to assure that the design goals were met:

-Spatially dedicated displays were chosen to reduce time to access information, improve familiarity of the MMI, and to enhance useability

-Analog and digital information (e.g.-trends and numeric data) were presented together when appropriate to allow the replacement of recorders, analog meters and digital meters

-Access to multiple channels of data was provided to allow the reduction in the number of meters and reduce information overload. This also facilitated non-DPS operations for 24-hour Tech. Spec. considerations

-Hardware was selected and the system designed so that operators could use the same indicators for PAMI as normally

-Indicators were chosen and displays formatted to meet MMI portions of Reg. Guide 1.97

-Validated signals were used to improve operator confidence in information display reliability

-No controls or buttons were required external to the displays, to simplify the MMI and save space

In hardware considerations, the discrete information was considered for mainly CRT presentation in C-E's earlier Nuplex 80 (as opposed to 80+) design. However, results of discussions with operators, design reviews and the functional task analysis process convinced the designers of Nuplex 80+ of the operational advantages of spatially dedicated displays. For a discussion of hardware used for discrete indication, see Section 3.6.

3.5-PROCESS CONTROLLERS

Process controllers, located in the benchboard section of the control consoles, provide the operator with the ability to automatically or manually control plant process loops, such as closed loop controllers. As such, they represent an evolution from the traditional hardwired Manual/Auto (M/A) station found in conventional control rooms. In fact, a design goal of process controllers was to have the ELD provide an operator interface which was familiar based on the operating conventions of traditional hardware.

Functional goals for process controllers were determined based on operating experience and an examination of workload, suitability, etc. which resulted from the RCS functional task analysis and subsequent verification. They included:

-Process controllers must provide the ability to control all control loops for a process parameter

-Process controllers must provide the full range of functions currently provided by M/A stations (setpoint control, mode control, display of range and channel, display of current parameter value, etc.)

-Digital display of value

-Touch areas allowing swift access to other control loops of the parameter

-Format, method of operation and human factors conventions consistent with the rest of the man-machine interface

The following rationale and decisions were included in the design of the process controllers, in order to mesh with the design goals:

-Controls were separated from discrete indicators and DPS displays to assure operator control actions would be deliberate

-A familiar MMI was chosen that mimics function and operation of conventional M/A stations

-Integration of component controls related to the process control, on one controller (e.g.-pressurizer heater and spray controls are subsystems combined to form the pressure control loop)

-Master and subcontrollers for a process are integrated on one module to facilitate operation

-Controllers were located near appropriate indicators to enhance useability

A discussion of the hardware used for process controllers may be found in Section 3.6.

3.6-HARDWARE FOR ALARMS, DISCRETE INDICATORS, AND PROCESS CONTROLLERS: ELECTRO-LUMINESCENT DISPLAYS

There are three basic types of ELD displays used in the main control complex: alarm displays, process controllers, and discrete indicators. A brief discussion of common features and why this technology has evolved for these portions of the Nuplex 80+ MMI is presented here.

ELD technology was chosen to meet functional design goals of display clarity and reliability as well as the ability to purchase off-the-shelf qualified displays from a number of sources. These displays are not color, but do provide high contrast. They employ the same man-machine interface conventions as the rest of the control room hardware. The use of color as only a back-up or secondary coding method for information on the CRT displays assures a one-to-one mapping of data coding and format techniques between the ELDs and the CRT displays.

The ELD technology evolved from traditional analog indicators and alarm systems in an attempt to consolidate volume while improving the man-machine interface. Earlier consideration of plasma displays was superseded by ELDs because of their better visibility and contrast, superior hardware, and more reasonable cost. Much of the design basis was concerned with maintaining a familiar man-machine interface while incorporating newer technology to eliminate information overload, unwieldy panel sizes, etc. The key to the selection of this hardware type was that it allowed C-E to maintain the advantages of spatial dedication in the design while still greatly reducing the overall volume of indicators and controls in the controlling workspace.

3.7-COMPONENT CONTROL

Momentary type switches, used for component control, comprise the last major man-machine interface component type for Nuplex 80+.

These controls look and feel to the operators as they would in a conventional power plant, even including the traditional use of red-green for process industries. In size, resistance, luminance, and other man-machine interface features, they adhere to the human factors standards of NUREG-0700, MIL standard 1472, EPRI NP-3659 and similar industry guidance.

Behind the panel switch device, these controls are not conventional. They employ multiplexing with fiber optics back to control systems, thus eliminating cabling under the floor and in the panels themselves. This is an improvement to the man-machine interface in that it simplifies maintenance, a design goal (see Section 4.1). Types of components controlled from these switches include valves, pumps, breakers, dampers, fans, heaters, and sprays. In addition, a similar hardware type (but separately labelled and color-coded) pushbutton may be found on every panel section for lamp test.

Design criteria used to identify components that should be controlled from momentary switches included:

-The component is in the main flowpath of a success path

-The component bears no relation to any process controller

A consistent MMI is maintained for color coding, wording and symbology, with the rest of the Nuplex 80+ MMI.

After review of reference design (i.e.-the baseline System 80 design and its evolution through Nuplex 80) and the regulatory requirements for control, the design team interviewed experienced PWR operators and navy operators. Functional task analysis and a review of the control requirements and list of tasks and subtasks convinced the designers to employ an evolutionary approach with some momentary switches, for critical operating paths based on task sequences reflected from the Emergency Procedure Guidelines. Newer technology was used to improve some aspects of the man-machine interface while maintaining a technology of proven reliability and acceptability.

Main resulting design features were:

-Maintaining the conventional MMI aspects to enhance operator acceptance

-Provide spatial dedication to co-ordinate the MMI with alarms, discrete indicators, and process controllers


4-Maintenance, Training and Procedures

Maintenance considerations have been a continuous influence on the design of the System 80+ man-machine interface. In this section, the MMI design philosophy for maintenance will be explained. The areas of training and procedure development will also be briefly mentioned, although the design team does not consider these areas to be part of the design certification human factors program.

4.1-MAINTENANCE

Designers considered maintenance human factors in the design of Nuplex 80+ through the application of industry guidance (e.g.-DOE HF Design Guidelines for Maintainability-DE 85 016790), MIL standards, from operating experience, and from input given by experienced operators. Based on these evaluations and the team's design review process, the maintenance goals for hardware were developed. The repository for the human factors goals for maintenance is the Human Factors Standards and Guidelines document, and the companion Bases document which lists all of the source references for each guideline. It is out of the scope of the program plan to list all maintenance goals and rationale pertaining to human factors. However, representative examples are provided below, at a generic level, to aid in evaluating the human factors program:

-Equipment shall be off-the-shelf, preferably from more than one vendor, to reduce replacement time and interruption of operations

-All equipment replacement at control panels shall be 'front-access', to cut maintenance time.

-All information and controls in Nuplex 80+ are presented on at least two panels so that maintenance activities on a single panel will never prevent access to information or controls needed by operators

4.2-TRAINING AND PROCEDURE DEVELOPMENT

Maintenance and operating procedures will be developed as the System 80+ design progresses but these activities fall outside of the scope of the design certification human factors program. However, procedures will be validated at some future point during operator training and simulation. Further, the Nuclear Services human factors group provides writer's guides and other technical support to in-house professional procedure writers.

Like procedure development, training of operators, maintainers, and other personnel is not part of the design certification HF program. The System 80+ man-machine interface is designed such that operations and maintenance are facilitated by the use of good design practice.

Training and procedure development are handled by in-house specialists in these areas. Training is dealt with on a generic System 80+ basis. In other words, training will be based on the entire design and the nature of the tasks involved, not merely on human factors. Likewise, many non-HF considerations are taken into account by procedure writers. The involvement of the human factors program plan with these areas may be briefly summarized as:

-The MMI is designed to facilitate maintenance activities while disrupting operations as little as possible

-Once emergency procedure guidelines are developed by procedure writers, they will be used in the validation of the Nuplex 80+ MMI

-The Nuplex MMI, especially the critical functions alarms, is designed to support the refinement of generic System 80 procedures into System 80+ procedures


5-Test and Evaluation

The design team employs a test and evaluation program for human engineering aspects of the design which is integrated into the overall design and evaluation process (see Figures 1.2-1 through 1.2-5). Such activities have been described in previous sections, most notably the V & V portion of Section 2 and Figure 2.4-1. In this section, the design reviews, verification, and human factors participation in other disciplines shall be described, along with evaluation objectives. A representative milestone schedule is provided. However, since levels of funding vary over time, the exact schedule is still to be determined at this point. Hence this schedule provides more of an indication of where in the design process these test and evaluation activities are located than actual calendar dates.

5.1-DESIGN REVIEWS

One of the design team's principal tools for evaluation of design, from human factors, other engineering discipline, and operations points of view, is the design review meeting. MMI aspects of the design review include verifying useability and consistency of the interface, implementation of design goals and bases, and whether or not the design can be implemented successfully.

As described earlier (in Section 1.2.1.2), experts from all of these disciplines work on an integrated design team. Individuals are given assignments for portions of the design. These individuals, upon completing a draft of work for their project, are required to conduct a design review meeting at which the rest of the design team, and all other interested parties may critique, correct, and advise. Minutes and action items from all design review meetings are documented.

These meetings provide early and specific feedback to designers and allow the product to be reviewed well in advance of any finalization. Exact frequency of these meetings is determined by progress on the design. It is important to emphasize that no system is designed without design reviews.

5.2-VERIFICATION

As described in Section 2.4, verification has been performed for the RCS panel and is planned for the other panels in the control complex. Based on the information and control requirements, and the results of functional task analysis, verification addresses the availability aspects of the MMI. Based on NUREG-0700, the HF Standards and Guidelines, verification addresses the suitability of the man-machine interface. The sum of the two are the acceptability criteria for the verification process. As such, it represents a systematic empirical test and evaluation of the design. The design team employs verification evaluations as defined in NUREG-0700 where:

-Suitability is the acceptability of the interface methodology to support generic user tasks. Verification of human engineering suitability is performed to identify human interface problems that may affect task performance but which are not evident when the MMI is evaluated without regard to the tasks

-Availability demonstrates that all necessary and sufficient indicators and controls to perform tasks are available and that they are in a format and configuration which supports the tasks

Verification has been performed on the RCS panel design for both of these aspects. See the Verification report in the RDD for details. The actual panel design is necessary for availability verification while only prototypes were necessary to check suitability since the generic characteristics of the man-machine interface do not change from panel to panel. Verification is an ongoing process in the Nuplex 80+ design. Some has been performed, more is scheduled as work progresses.

Validation, which is the final step in the design process, is described in Section 6.

5.3-FURTHER TEST AND EVALUATION

Section 2 of this plan described the human factors analyses and evaluations which have been performed thus far in the design of the Nuplex 80+ advanced control complex. Section 6 lists those activities which are yet to be performed. The design team is pursuing these activities systematically, from a human factors viewpoint. Verification is being pursued on a system by system and panel by panel basis as design progresses, as are remaining areas of Function and Task Analysis. Systems Analysis and Function Allocation are regarded as complete, along with those areas of the task analysis described as complete in Section 2.2. Table 5.3 provides approximate dates as part of the plan for upcoming test and evaluation. It also lists those evaluations which have been completed.


Test and Evaluation Schedule

Table 5.1

Completed Evaluations:

-Halden Evaluations: IPSO, CFM, SPM

-Industry Alarm Evaluations

-Staffing and Configuration Evaluation

-Systems Analysis

Completed Portions of Ongoing Evaluations:

-FTA: function allocation, identification of I&C requirements, identification of tasks

-Verification: RCS suitability and availability, overall MMI suitability

Schedule of Future Evaluations and Tests (evaluation, followed by approximate date):

-Further Verification:
    MCC (except turbine): 1992
    SC (2SF): 1992
    AC SC: 1993-19$V
    CRS Console, RSP, MCC (turbine): in First-of-a-Kind Engineering
    BOP: after commercial sale

-Validation at Integration Test Facility

-Further Panel by Panel TA: ongoing from 1992 as design can support it

-Full Scale Mock-up and Prototyping: ongoing process from 1991

-Revised HF Standards & Guidelines (and Bases): late 1992

-Develop HF Design Acceptance Criteria: 1992-1993

-Static Mock-up Evaluations: beginning 1992

6-Future Human Factors Activities

In addition to the ongoing interdisciplinary design process described in the earlier sections of this plan, a number of specific human factors activities and analyses are planned as the design of the System 80+ MMI progresses. A list of these activities and the approximate schedule for them may be found in Figure 5.1. This section contains a brief explanation of these activities to enhance understanding of what is planned. Refer again to the figures in Section 1.2 for an understanding of the integrated design process. This process is similar to that outlined in IEEE-1023 and a comparison between Figures 1.2-1 through 1.2-5 and the design process figure of the IEEE document provides a useful insight into the relationship between the generic (IEEE) design process and that pursued for System 80+.

6.1-FINAL HUMAN FACTORS STANDARDS, GUIDELINES, AND BASES

A complete version of the Nuplex 80+ Standards, Guidelines and Bases has been prepared for the Heavy Water Reactor Facility. Slight modification is underway to convert these into applicable System 80+ guidance. The Standards and Guidelines provide all designers on the team with a controlled compendium of human engineering information to assure a standardized man-machine interface across the project. The bases are a listing of the source materials from which the guidance was culled.

6.2-FULL SCALE MOCK-UP ACTIVITIES

The use of mock-ups of control panel arrangements, a key step in human factors design efforts, is an ongoing process for the Nuplex 80+ design. Currently, a full scale main control complex static panel arrangement exists. Actual layouts on these panels are not yet done, though efforts are ongoing. This static mock-up will provide a location for future analyses and a basis for design reviews pertaining to board layouts.

A dynamic Nuplex 80+ mock-up currently exists for the MCC and one SC panel. This mockup contains functioning CRTs plus some DIAS displays, switches, and process controllers. Some controls on this mock-up are static representations and the layouts are not final. This mock-up serves as an evolving demonstration and design tool for the man-machine interface. Future work will include much evaluation and testing of the hardware and layouts plus continuing work to upgrade the static portions to a more dynamic version.

6.3-PROTOTYPING AND PROGRAMMABLE FEATURES

As the work on the dynamic mockup progresses, the current ELD, CRT, and Switch hardware, as well as the IPSO undergo continuous prototyping upgrade work. New display features are tried to evaluate equipment and operator performance, and the useability aspects will continue to be tested. The Nuplex 80+ Information-Systems Description Document, prepared by human factors specialists on the design team, is used by prototype designers to implement the human engineering aspects of display screens. The future will hold further iterations and improvements to incorporate the results of relevant analyses into the integrated design.

6.4-VERIFICATION ACTIVITIES

Described as part of the test and evaluation plan, it is important to further note that verification activities are an ongoing process. Independent suitability reviews of individual panels are planned as the panel layouts are developed. This work will comprise the bulk of future verification analyses. See Section 3.2 for additional information on verification. Some design goals of this future verification work include:

-Comparing information and control requirements to actual inventory

-Identifying missing or superfluous controls and indicators

Basically, this activity will be the panel by panel verification of availability and suitability as described in Section 5.2.

6.5-FURTHER TASK ANALYSIS

A continuation of the task analysis process, using the same methods as those described in the FTA report for Nuplex 80+ (in the RDD). Each panel section of the control complex will undergo a task analysis prior to final panel layout, in a similar methodology to earlier FTA.

One important difference is based on the experience with the earlier FTA work. A large amount of effort was expended at that time to produce detailed sorts of information. For instance, Gross Functions, Task Listings, and Task Elements were all sorted by events. Elaborate process time calculations were performed and detailed parameter usage by parameter was sorted. It was found that overprocessing of the data added little or nothing to the man-machine interface design and that documenting these sorts added many hundreds of pages of unneeded documentation to the RDD.

Therefore, future FTA activities will modify the amount of sorts performed and the level of documentation archived. The exact level of sort and documentation which will be employed has not yet been determined but the basic FTA methodology will remain unchanged.

Design goals of this activity are the same as those described in Section 2.2.

6.6-STATIC MOCK-UP EVALUATIONS

A phase of future HF evaluation activities which was not envisioned in the original design is the evaluation of the man-machine interface at a full-scale static mock-up of the Nuplex 80+ controlling workspace. The static mock-up is being developed for Nuplex based on human factors rationale as described in EPRI NP-2411 (final chapter). As such it provides a venue for human factors analyses and evaluations and an ability to rapidly and inexpensively prototype candidate arrangements of the man-machine interface. Activities which are planned for the static mock-up include:

-traffic and motion evaluations

-evaluation of the anthropometry of the MMI

-verification of useable control panel layouts based on task sequences (operator walkthroughs)

-evaluation of candidate control panel arrangements

The availability of the static mock-up in a much earlier stage of the design than the integration test facility will assure that these evaluations can be performed before a stage in the process when it is extremely difficult to make design changes. Further, since full panel layouts are not needed to evaluate traffic and motion or anthropometry, some portions of the static mock-up evaluations can begin prior to detailed panel layout work.

6.7-VALIDATION ACTIVITIES

The final human factors test activity planned for the Nuplex 80+ design is the control room validation. This analysis features procedure-based run-throughs, after procedure guidelines have been made into draft operating procedures for an actual power plant. The validation will be done in real time with a full-scale integration test facility.

Among the purposes of the validation, from a human factors viewpoint, are the validation of crew sizes and the final check of the overall man-machine interface of Nuplex 80+.

Shortly after the validation activities, the design will be complete.

6.8-DESIGN ACCEPTANCE CRITERIA

A key remaining HF activity in the System 80+ design is the development of Design Acceptance Criteria for the Man-Machine Interface. These criteria will be the basis for determining that the MMI has been adequately designed up to that point. The development of the same type of criteria (clear, objective, testable) as in non-HF areas of the design is an important design goal. Based on NRC guidance, development of these criteria will begin in the first half of 1992 and reach early agreement on design acceptance criteria which will evaluate the man-machine interface's adequacy.


7-Conclusion

This program plan has provided an overview of human factors engineering activities for the Nuplex 80+ Advanced Control Complex and the overall System 80+ standard plant design. Past, current, and future activities have been described and references provided to project documents which provide further details.

An effort has been made to describe the entire human engineering program, identify its elements, and explain how they are managed. Thus, it provides a partial basis for review of progress as well as that of product. The program plan provides information to show how and when C-E has satisfied or will satisfy all human factors performance, design and program requirements specified by the regulatory agency.

It has not been possible to plan to a detailed, month-by-month schedule due to the commercial aspects of the design (i.e., to a great extent future schedule will depend on funding, both internal and external). However, wherever possible, the approximate timeline and the sequence or order which activities will follow regardless of the exact calendar date for the work has been shown.

New co-operation with Asian and European ABB entities and project participants will likely expand the available experience and expertise resources available in the future. For instance, prototyping assistance is being provided at this time from ABB-Atom in Sweden.

In summary, human factors is part of an integrated and wide-ranging design effort, but not the only driving force in the design. Nevertheless, human factors experts on the design team assure that an adequate man-machine interface has been and will be maintained throughout the design.
