ML20101G643
| ML20101G643 | |
| Person / Time | |
|---|---|
| Site: | 05200001 |
| Issue date: | 05/15/1992 |
| From: | Fox J GENERAL ELECTRIC CO. |
| To: | Goodman C NRC |
| References | |
| NUDOCS 9206260210 | |
Text
GE Nuclear Energy ABWR
To: C. Goodman
From: J. Fox, 175 Curtner Avenue, San Jose, CA 95125
Phone (408) 925-9924, FAX (408) 925-1193 or (408) 925-1687
Subject: ABWR SSAR
CHAPTER 18
TABLE OF CONTENTS
18.1 INTRODUCTION
18.2 DESIGN GOALS AND DESIGN BASES
18.3 PLANNING, DEVELOPMENT AND DESIGN
18.3.1 Introduction
18.3.2 Standard Design Features
18.3.3 Inventory of Controls and Instrumentation
18.3.4 Detailed Design Implementation Process
18.4 CONTROL ROOM STANDARD DESIGN FEATURES
18.4.1 Introduction
18.4.2 Standard Design Features
18.4.2.1 Listing of Features
18.4.2.2 Main Control Console
18.4.2.3 Process Computer Driven VDUs
18.4.2.4 Process Computer Independent VDUs
18.4.2.5 Dedicated Function Switches
18.4.2.6 Automation Design
18.4.2.6.1 Automatic Operation
18.4.2.6.2 Semi-Automated Operation
18.4.2.6.3 Manual Operation
18.4.2.7 Large Display Panel
18.4.2.8 Fixed Position Display
18.4.2.9 Large Variable Display
18.4.2.10 Supervisors' Console
18.4.2.11 Safety Parameter Display System
18.4.2.12 Fixed Position Alarms
18.4.2.13 Alarm Processing Logic
18.4.2.14 Equipment Alarms
18.4.2.15 Control Room Arrangement
18.4.3 Control Room MMI Technology
18.5 REMOTE SHUTDOWN SYSTEM
18.6 SYSTEMS INTEGRATION
18.6.1 Safety Systems
18.6.2 Non-Safety Systems
18.7 DETAILED DESIGN OF THE OPERATOR INTERFACE SYSTEM

18.1 INTRODUCTION
This chapter describes the ABWR man-machine interface system (MMIS) design goals and bases, standard MMIS design features and the detailed MMIS design and implementation process, with embedded design acceptance criteria, for the ABWR standard plant operator interface. The inventory of instrumentation and controls needed by the control room staff for the performance of emergency operating procedures is also described. The incorporation of human factors engineering principles into all phases of the design of these interfaces is provided for as described in this chapter.
Design goals and design bases for the instrumentation and control systems and operator interfaces in the main control room and in remote locations are established in Section 18.2. The overall design and implementation approach is described in Section 18.3. Section 18.4 contains a description of the main control room standard operator interface design features. The remote shutdown system is described in Section 18.5. Section 18.6 discusses how the systems which make up the operator interface are integrated together and with the other systems of the plant. Section 18.7 discusses the detailed design implementation process. The ABWR Emergency Procedure Guidelines, which provide the basis for a human factors evaluation of emergency operations, are contained in Appendix 18A. Appendix 18B discusses the differences between the ABWR emergency procedure guidelines and the U.S. BWROG Emergency Procedure Guidelines, Revision 4. Appendix 18C presents a characterization of a main control room operator interface equipment implementation that incorporates the ABWR standard design features discussed in Section 18.4. The input data and results of calculations performed during the preparation of the ABWR Emergency Procedure Guidelines are contained in Appendix 18D. A general description of the design and implementation process for the ABWR operator interface and supporting plant systems is presented in Appendix 18E. Appendix 18F contains the results of an analysis of information and control needs of the main control room operators during emergency operations.

18.2 DESIGN GOALS AND DESIGN BASES
The primary goal for operator interface designs is to facilitate safe, efficient and reliable operator performance during all phases of normal plant operation, abnormal events and accident conditions. To achieve this goal, information displays, controls and other interface devices in the control room and other plant areas are designed and shall be implemented in a manner consistent with good human factors engineering practices. Further, the following specific design bases are adopted:
(1) During all phases of normal plant operation, abnormal events and emergency conditions, the ABWR shall be operable by two reactor operators. In addition, the operating crew will include one assistant control room shift supervisor, one control room shift supervisor, and two or more auxiliary equipment operators. During accidents, assistance is available to the operating crew from personnel in the Technical Support Center. Four licensed operators shall be on shift at all times, consistent with the staffing requirements of 10CFR50.54m.
(2) Promote efficient and reliable operation through expanded application of automated operation capabilities,
(3) The operator interface design shall utilize only proven technology,
(4) Safety related systems monitoring displays and control capability shall be provided in full compliance with pertinent regulations regarding divisional separation and independence,
(5) The operator interface design shall be highly reliable and provide functional redundancy such that sufficient displays and control will be available in the main control room and remote locations to conduct an orderly reactor shutdown and to cool the reactor to cold shutdown conditions, even during design basis equipment failures,
(6) The principal functions of the Safety Parameter Display System (SPDS) as required by Supplement 1 to NUREG-0737 will be integrated into the operator interface design,
(7) Accepted human factors engineering principles shall be utilized for the operator interface design in meeting the relevant requirements of General Design Criterion 19, and
(8) The design bases for the Remote Shutdown System shall be as specified in Section 7.4.

18.3 PLANNING, DEVELOPMENT AND DESIGN
18.3.1 Introduction
An integrated program plan to incorporate human factors engineering principles and to achieve an integrated design of the control and instrumentation systems and operator interfaces of the ABWR was prepared and implemented. The program plan presents formal decision analysis procedures to facilitate selection of design features which satisfy top level requirements and goals of individual systems and the overall plant. Also included is a comprehensive, synergistic design approach with provisions for task analyses and human factors evaluations.
Specific procedures developed as parts of the implementation of the program plan are:
(a) Implementation Procedure for Development of System Functional and Performance Requirements,
(b) Implementation Procedure for Analysis of Tasks and Allocation of Functions,
(c) Implementation Procedure for Evaluation of Human Factors and Man-Machine Interfaces,
(d) Implementation Procedure for the Design of Hardware and Software, and
(e) Implementation Procedure for the Verification and Validation of Hardware and Software.
The program plan and the associated procedures provided guidance for the conduct of the ABWR control and instrumentation and man-machine interface system design development activities including:
(a) Definition of the standard design features of the control room MMIS (see Subsections 18.3.2 and 18.4.2),
(b) Definition of the inventory of controls and instrumentation necessary for the control room crew to follow the operation strategies given in the ABWR Emergency Procedure Guidelines and to complete the important operator actions described in the Probabilistic Risk Assessment (see Subsection 18.3.3 and Appendix 18F).
In addition, the program and associated procedures will be transmitted to the team responsible for the definition of the detailed process by which the control room man-machine interface and control and instrumentation systems are implemented; this process includes provisions for NRC conformance reviews where the process or equipment specific design will be tested against specific acceptance criteria and is discussed further in Subsection 18.3.4, Section 18.7 and Appendix 18E.
18.3.2 Standard Design Features
The ABWR control room man-machine interface design contains a group of standard or basic features which form the foundation for the detailed MMIS design. These features are described in Subsection 18.4.2.
The development of the control room MMIS standard design features was accomplished through consideration of existing control room operating experience; a review of trends in control room design and existing control room data presentation methods; evaluation of new MMI technologies, alarm reduction and presentation methods; and validation testing of two full scale prototypes. The prototypes were evaluated using test scenarios especially developed for the purpose and utilizing experienced nuclear plant control room operators. Following the completion of the prototype tests and employing their results, the basic control room MMIS standard design features were finalized.
18.3.3 Inventory of Controls and Instrumentation
The ABWR Emergency Procedure Guidelines (EPGs), presented in Appendix 18A, and the important operator actions identified in the Probabilistic Risk Assessment (PRA), presented in Chapter 19, provided the bases for an analysis of the information and control capability needs of the main control room operators based upon the operation strategies. This analysis defines a minimum set of fixed displays and a minimum set of controls which will enable the operating crew to perform the actions that would be specified in the emergency operating procedures. Appendix 18F contains the tabulated results of this analysis. Tables 18F-1 through 18F-11 in Appendix 18F contain detailed descriptions of the steps of the EPGs and the information, alarms and controls needed by the operators to perform and validate the completion of those steps. Table 18F-12 contains the same type of information for the important operator actions identified in the PRA.
Another set of three tables in Appendix 18F provide convenient summaries of the control, display and alarm listings developed in the previous tables. These latter tables are numbered 18F-13.1, 2 and 3, respectively. The listings in Tables 18F-13.1 through 3 are an inventory of the controls, displays and alarms which define the minimum control, information and alarm requirements on any ABWR control room design implementation.
18.3.4 Detailed Design Implementation Process
The process by which the detailed equipment design implementation of the ABWR control and instrumentation and man-machine interface will be completed is discussed in Section 18.7 and in Appendix 18E. This process builds upon the standard MMIS design features which are discussed in Subsection 18.4.2. Embedded in the process, which is illustrated in Figure 18E.11, are a number of NRC conformance reviews in which various aspects and outputs of the process are evaluated against the established acceptance criteria which are presented in Tables 18E.2-1 through 18E.2-x.

18.4 CONTROL ROOM STANDARD DESIGN FEATURES
18.4.1 Introduction
This section presents, in Subsection 18.4.2, the standard design features of the operator interface in the control room. These basic design features are based upon proven technologies and have been demonstrated, through broad scope control room dynamic simulation tests and evaluation, to satisfy the ABWR operator interface design goals and design bases as given in Section 18.2. The specific technologies utilized in the main control room operator interface are listed in Subsection 18.4.3. Appendix 18C presents an example of a control room operator interface design implementation which incorporates these design features. Validation of the implemented main control room design will include evaluation of the standard design features and will be performed as part of the design implementation process as defined by the acceptance criteria presented in Tables 18E.2-1 through 18E.2-4.
18.4.2 Standard Design Feature Descriptions
18.4.2.1 Listing of Features
The ABWR control room operator interface design incorporates the following standard features:
(a) A single, integrated control console staffed by two operators; the console has a low profile such that the operators can see over the console from a seated position.
(b) The use of plant process computer system driven on-screen control video display units (VDUs) for safety system monitoring and non-safety system control and monitoring.
(c) The use of a separate set of on-screen control VDUs for safety system control and monitoring and separate on-screen control VDUs for non-safety system control and monitoring; the operation of these two sets of VDUs is entirely independent of the process computer system. Further, the first set of VDUs and all equipment associated with their functions of safety system control and monitoring are divisionally separate and qualified to Class 1E standards.
(d) The use of dedicated function switches on the control console.
(e) Operator selectable automation of pre-defined plant operation sequences.
(f) The incorporation of an operator selectable semi-automated mode of plant operations, which provides procedural guidance on the control console VDUs.
(g) The capability to conduct all plant operations in an operator manual mode.
(h) The incorporation of a large display panel which presents information for use by the entire control room operating staff.
(i) The inclusion on the large display panel of fixed-position displays of key plant parameters and major equipment status.
(j) The inclusion in the fixed-position displays of both 1E qualified and non-1E display elements.
(k) The independence of the fixed-position displays from the plant process computer.
(l) The inclusion within the large display panel of a large video display unit which is driven by the plant process computer system.
(m) The incorporation of a "monitoring only" supervisor's console which includes VDUs on which display formats available to the operators on the main control console are also available to the supervisors.
(n) The incorporation of the safety parameter display system (SPDS) function as part of the plant status summary information which is continuously displayed on the fixed-position displays on the large display panel.
(o) The use of fixed-position alarm tiles on the large display panel.
(m) The application of alarm processing logic to prioritize alarm indications and to filter unnecessary alarms.
(n) A spatial arrangement between the large display panel, the main control console and the shift supervisors' console which allows the entire control room operating crew to conveniently view the information presented on the large display panel.
(o) The use of VDUs to provide alarm information in addition to the alarm information provided via the fixed-position alarm tiles on the large display panel.
The remainder of this subsection provides further descriptions of these standard design features.
18.4.2.2 Main Control Console
The main control console comprises the work stations for the two control room plant operators. It is configured such that each operator is provided with controls and monitoring information necessary to perform their assigned tasks and allows the operators to view all of the displays on the large display panel (see Subsection 18.4.2.7) from a seated position.
The main control console, in concert with the large display panel, provides the controls and displays required to operate the plant during normal plant operations, abnormal events and emergencies. These main control console controls and displays include the following:
(1) On-screen control VDUs for safety system monitoring and non-safety system control and monitoring which are driven by the plant process computer system (see Subsection 18.4.2.3),
(2) A separate set of on-screen control VDUs for safety system control and monitoring and separate on-screen control VDUs for non-safety system control and monitoring; the operation of these two sets of VDUs is entirely independent of the process computer system. Further, the first set of VDUs and all equipment associated with their functions of safety system control and monitoring are divisionally separate and qualified to Class 1E standards (see Subsection 18.4.2.4).
(3) Dedicated function switches (see Subsection 18.4.2.5).
The main control console is also equipped with a limited set of dedicated displays for selected functions (e.g., the standby liquid control system and the synchronization of the main generator to the electrical grid).
In addition to the above equipment, the main control console is equipped with both intra-plant and external communications equipment and a laydown space is provided for hard copies of procedures and other documents required by the operators during the performance of their duties.
18.4.2.3 Process Computer Driven VDUs
A set of on-screen control VDUs is incorporated into the main control console design to support the following activities:
(1) monitoring of plant systems, both safety and non-safety related,
(2) control of non-safety system components,
(3) presentation of system and equipment alarm information.
This set of VDUs is driven by the plant process computer system. Thus, data collected by the process computer is available for monitoring on these VDUs. All available display formats can be displayed on any of these VDUs.
18.4.2.4 Process Computer Independent VDUs
A set of VDUs which are independent of the process computer are also installed on the main control console. These VDUs are each driven by independent processors. They are divided into two subsets:
The first subset consists of those VDUs which are dedicated, divisionally separated devices. The VDUs in this group can only be used for monitoring and control of equipment within a given safety division. The VDUs are qualified, along with their supporting display processing equipment, to Class 1E standards.
The second subset of process computer independent VDUs are used for monitoring and control of non-safety plant systems. The VDUs in this subset are not qualified to Class 1E equipment standards.
18.4.2.5 Dedicated Function Switches
Dedicated function switches are installed on the main control console. These devices provide faster access and feedback compared to that obtainable with soft controls. These dedicated switches are implemented in hardware, so that they are located in a fixed position and are dedicated in the sense that each individual switch is used only for a single function, or two very closely related functions (e.g., valve open/close).
The dedicated function switches on the main control console are used to support such functions as initiation of automated sequences of safety and non-safety system operations, manual scram and reactor operating mode changes.
18.4.2.6 Automation Design
The ABWR incorporates selected automation of the operations required during a normal plant startup/shutdown and during normal power range maneuvers. Subsection 7.7.1.5 describes the power generation control system (PGCS) which is the primary ABWR system for providing the automation features for normal ABWR plant operations.
18.4.2.6.1 Automatic Operation
When placed in automatic mode, the PGCS performs sequences of automated plant operations by sending mode change commands and setpoint changes to lower level, non-safety related plant system controllers. The PGCS cannot directly change the status of a safety related system. When a change in the status of a safety related system is required to complete the selected operation sequence, the PGCS provides prompts to guide the operator in manually performing the change using the appropriate safety related operator interface controls provided on the main control console.
The operator can stop an automatic operation at any time. The PGCS logic also monitors plant status, and will automatically revert to manual operating mode when a major change in plant status occurs (e.g., reactor scram or turbine trip). When such abnormal plant conditions occur, PGCS automatic operation is suspended and the logic in the individual plant systems and equipment directs the automatic response to the plant conditions. Similarly, in the event that the operational status of the PGCS or interfacing systems changes (e.g., equipment failures), operation reverts to manual operating mode. When conditions permit, the operator may manually re-initiate PGCS automatic operation.
18.4.2.6.2 Semi-Automated Operation
The PGCS also includes a semi-automatic operational mode which provides automatic operator guidance for accomplishing the desired normal changes in plant status; however, in this mode, the PGCS performs no control actions. The operator must activate all necessary system and equipment controls for the semi-automatic sequence to proceed. The PGCS monitors the plant status during the semi-automatic mode in order to check the progression of the semi-automatic sequence and to determine the appropriate operator guidance to be activated.
18.4.2.6.3 Manual Operation
The manual mode of operation in the ABWR corresponds to the manual operations of conventional BWR designs in which the operator determines and executes the appropriate plant control actions without the benefit of computer based operator aids.
The manual mode provides a default operating mode in the event of an abnormal condition in the plant. The operator can completely stop an automated operation at any time by simply selecting the manual operating mode. The PGCS logic will also automatically revert to manual mode when abnormal conditions occur.
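The following is an added illustration of the three operating modes described in Subsections 18.4.2.6.1 through 18.4.2.6.3; it is not part of the original submittal and is not GE design code. The class, step names, event identifiers and the sample sequence are constructed assumptions used only to show the privilege boundary (no commands to safety related systems) and the fail-to-manual behavior.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    AUTOMATIC = "automatic"
    SEMI_AUTOMATIC = "semi-automatic"
    MANUAL = "manual"


@dataclass(frozen=True)
class Step:
    target: str                   # system acted on (constructed name)
    action: str                   # mode change command or setpoint change
    safety_related: bool = False  # True: the PGCS may only prompt the operator


# Conditions that force reversion to manual. The text gives reactor scram,
# turbine trip and equipment failures as examples; the identifiers are hypothetical.
MAJOR_STATUS_CHANGES = {"reactor_scram", "turbine_trip", "pgcs_equipment_failure"}

# Constructed sequence for illustration, not an actual ABWR operating sequence.
SEQUENCE = [
    Step("nonsafety_controller_a", "raise setpoint"),
    Step("nonsafety_controller_b", "change mode"),
    Step("safety_division_1_valve", "open", safety_related=True),
    Step("nonsafety_controller_a", "hold setpoint"),
]


@dataclass
class Pgcs:
    mode: Mode = Mode.MANUAL
    commands: list = field(default_factory=list)  # sent to non-safety controllers
    prompts: list = field(default_factory=list)   # guidance shown to the operator

    def run(self, steps, operator_done=frozenset(), events=None):
        """Walk a sequence and return the number of steps completed.

        operator_done: targets the operator has actuated by hand.
        events: {step index: plant event observed before that step}.
        """
        events = events or {}
        completed = 0
        for index, step in enumerate(steps):
            # Plant status is checked before every step; a major change
            # suspends automation and leaves the plant in manual mode.
            if events.get(index) in MAJOR_STATUS_CHANGES:
                self.mode = Mode.MANUAL
            if self.mode is Mode.MANUAL:
                break
            # Safety related steps are never commanded by the PGCS, and in
            # semi-automatic mode the PGCS performs no control actions at all.
            needs_operator = step.safety_related or self.mode is Mode.SEMI_AUTOMATIC
            if needs_operator:
                self.prompts.append(f"{step.action} {step.target}")
                if step.target not in operator_done:
                    break  # sequence waits for the operator
            else:
                self.commands.append((step.target, step.action))
            completed += 1
        return completed
```
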
18.4.2.7 Large Display Panel
The large display panel provides information on overall plant status with real-time data during all phases of plant operation. The information on the large display panel can be viewed from the main control console and the supervisors' console. The large display panel includes fixed-position displays (see Subsection 18.4.2.8), a variable display (see Subsection 18.4.2.9) and spatially dedicated alarm windows (see Subsection 18.4.2.12).
18.4.2.8 Fixed Position Display
The fixed-position portion of the large display panel provides key plant information for viewing by the entire control room staff. The dynamic display elements of the fixed position displays are driven by dedicated microprocessor-based controllers which are independent of the plant process computer system.
Those portions of the large display panel which present safety-related information are qualified to Class 1E standards.
The information presented in the fixed position displays includes the critical plant parameter information, as defined by the SPDS requirements of NUREG-0737, Supplement 1, and the Type A post accident monitoring (PAM) instrumentation required by Regulatory Guide 1.97, Revision 3 (refer to Section 18.4.2.11 for a discussion of the SPDS and to Section 7.5 for a discussion of the PAM variables).
18.4.2.9 Large Variable Display
The large variable display which is included on the large display panel is a VDU which is driven by the plant process computer system. Any screen format resident in the process computer system can be shown on this large variable display.
18.4.2.10 Supervisors' Console
A console is provided for the control room supervisors which is equipped with VDUs on which any screen format resident in the process computer system and available to the operators at the main control console is also available to the shift supervisor. The location of this console in the control room is discussed in Subsection 18.4.2.15.
18.4.2.11 SPDS
NUREG-0737 provided guidance for implementing Three Mile Island (TMI) action items. NUREG-0737, Supplement 1, clarifies the TMI action items related to emergency response capability, including item I.D.2, "Safety Parameter Display System" (SPDS). The principal purpose of the SPDS is to aid control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by operators to prevent core damage. During emergencies, the SPDS serves as an aid in evaluating the current safety status of the plant, in executing symptom-based emergency operating procedures, and in monitoring the impact of engineered safeguards or mitigation activities.
The SPDS also operates during normal operation, continuously displaying information from which the plant safety status can be readily and reliably assessed. The ABWR does not provide a separate SPDS, but rather, the principal functions of the SPDS (as required by NUREG-0737, Supplement 1) are integrated into the overall control room display capabilities. Displays of critical plant variables sufficient to provide information to plant operators about the following critical safety functions are provided on the large display panel as an integral part of the fixed position displays:
(1) Reactivity control,
(2) Reactor core cooling and heat removal from the primary system,
(3) Reactor coolant system integrity,
(4) Radioactivity control, and
(5) Containment conditions.
Displays to assist the plant operator in execution of symptom-based emergency operating procedures are available at the main control console VDUs. Examples of these VDU displays are trend plots and operator guidance. Information regarding entry conditions to the symptomatic emergency procedures is provided through the fixed position display of the critical plant parameters on the large display panel. The critical plant parameters on the large display panel are also viewable from the control room supervisors' monitoring station. The supplemental SPDS displays on the VDUs on the main control console are also accessible at the control room supervisors' monitoring station and may be provided in the technical support center (TSC) and, optionally, in the emergency operations facility (EOF), which are the responsibility of the applicant referencing the ABWR design to provide.
Entry conditions to the symptomatic EOPs are annunciated on the dedicated hardware alarm windows on the large display panel. The large display panel also displays the containment isolation status, safety systems status, and the following critical parameters:
(1) RPV pressure,
(2) RPV water level,
(3) Core neutron flux (startup range and power range instruments),
(4) Suppression pool temperature,
(5) Suppression pool water level,
(6) Drywell temperature,
(7) Drywell pressure,
(8) Drywell water level,
(9) Control rod scram status,
(10) Primary containment oxygen concentration,
(11) Primary containment hydrogen concentration (when monitors are in operation),
(12) Containment radiation levels,
(13) Secondary containment differential pressure,
(14) Secondary containment area temperatures,
(15) Secondary containment HVAC cooler differential temperature,
(16) Secondary containment HVAC exhaust radiation level,
(17) Secondary containment area radiation levels, and
(18) Secondary containment floor drain sump water level.
The oxygen monitoring instrumentation system is normally in continuous operation and hence the large display panel also includes continuous fixed position display of wetwell and drywell oxygen concentrations. The hydrogen monitoring instrumentation is automatically started on a LOCA signal and hence continuous display is not required. Additional post accident monitoring parameters, such as effluent stack radioactivity release (refer to Section 7.5 for a list of post accident monitoring parameters), may be displayed at the large variable display or at the main control console VDUs on demand by the operator.
The SPDS is required to be designed so that the displayed information can be readily perceived and comprehended by the control room operating crew. Compliance with this requirement is assured because of the incorporation of accepted human factors engineering principles into the overall control room design implementation process (refer to Subsection 18.7 for a discussion of the design implementation process).
All of the continuously displayed information necessary to satisfy the requirements for the SPDS, as defined in NUREG-0737, Supplement 1, is included in the fixed position displays listed in Table 18F-13.1. Table 18F-13.1 also includes other displays, beyond those required for the SPDS.
18.4.2.12 Fixed-Position Alarms
Fixed position alarm tiles on the large display panel annunciate the key, plant-level alarm conditions that potentially affect plant availability or plant safety, or indicate the need of immediate operator action.
18.4.2.13 Alarm Processing Logic
Alarm prioritizing and filtering logic is employed in the ABWR design to enhance the presentation of meaningful alarm information to the operator and reduce the amount of information which the operators must absorb and process during abnormal events.
Alarm prioritizing is accomplished in the ABWR through the designation of three categories of alarm signals. The first of these is the important alarms. These are defined as those alarms which notify the operators of changes in plant status regarding safety and include those items which are to be checked in the event of accidents, principal events or transients. The important alarms are displayed on the fixed position tiles discussed in Subsection 18.4.2.12.
The second category is the system-specific alarms which are provided to notify the operators of system level abnormalities or non-normal system statuses. Examples of these are:
(a) main pump trips caused by system process, power sources or control abnormalities,
(b) valve closures in cooling or supply lines,
(c) decreases in supply process values,
(d) loss of a backup system,
(e) system isolation,
(f) safety systems are being bypassed,
(g) systems are undergoing testing.
The system-specific alarms are also shown on the fixed position tiles discussed in Subsection 18.4.2.12.
Equipment alarms make up the third category of alarms in the prioritizing scheme and are discussed in Subsection 18.4.2.14.
Im it. T of: lim 4 r to:ttm n,g y p.1, - lo
)
l
)
Alarm suppression in the ABWR is based upon the following concepts:
(1) Suppression based on the operating mode. The plant operating mode is defined on the basis of the hardware or process status, and alarms which are not relevant to the current operating mode are suppressed. For example, alarms which are needed in the "RUN" mode but are unnecessary in the "SHUTDOWN" mode are suppressed.
(2) Suppression of subsidiary alarms. Alarms are suppressed if they are logically consequent to the state of operation of the hardware or to the process status. For example, scram initiation (a plant-level alarm condition announced with a fixed position alarm tile on the large display panel) will logically lead to an FMCRD hydraulic control unit scram accumulator low pressure (also an alarm condition). Such subsidiary alarms are suppressed if they simply signify logical consequences of the system's operation.
(3) Suppression of redundant alarms. When there are overlapping alarms, such as "high" and "high-high" or "low" and "low-low", only the more severe of the conditions is alarmed and the others are suppressed.
Operators may activate or deactivate the alarm suppression logic at any time.
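
The three suppression concepts and the operator on/off control can be expressed as a small filter. This is an added illustration, not code from the ABWR design or its vendor; the alarm tags, mode names and data model are constructed assumptions, and suppressing a subsidiary alarm only while its cause is active is one reading of concept (2).

```python
from dataclasses import dataclass

ALL_MODES = frozenset({"RUN", "STARTUP", "SHUTDOWN"})  # constructed mode set

@dataclass(frozen=True)
class Alarm:
    tag: str
    modes: frozenset = ALL_MODES        # modes in which the alarm is relevant
    caused_by: frozenset = frozenset()  # tags this alarm is a logical consequence of
    group: str = ""                     # overlapping setpoints share a group
    severity: int = 0                   # higher is more severe within a group

def filter_alarms(active, mode, suppression_enabled=True):
    """Return (presented_tags, {suppressed_tag: reason})."""
    if not suppression_enabled:         # operators may switch the logic off
        return sorted(a.tag for a in active), {}
    suppressed = {}
    # (1) Operating mode: drop alarms not relevant to the current mode.
    for a in active:
        if mode not in a.modes:
            suppressed[a.tag] = "mode"
    live = [a for a in active if a.tag not in suppressed]
    live_tags = {a.tag for a in live}
    # (2) Subsidiary: drop an alarm only while one of its causes is itself live,
    #     so the same alarm is still presented when it occurs on its own.
    for a in live:
        if a.caused_by & live_tags:
            suppressed[a.tag] = "subsidiary"
    # (3) Redundant: within a group keep only the most severe remaining alarm.
    remaining = [a for a in live if a.tag not in suppressed]
    worst = {}
    for a in remaining:
        if a.group:
            worst[a.group] = max(worst.get(a.group, a.severity), a.severity)
    for a in remaining:
        if a.group and a.severity < worst[a.group]:
            suppressed[a.tag] = "redundant"
    presented = sorted(a.tag for a in active if a.tag not in suppressed)
    return presented, suppressed

# Constructed sample alarms (tags and mode assignments are illustrative only).
SAMPLE = [
    Alarm("SCRAM_INITIATED"),
    Alarm("HCU_ACCUM_LOW_PRESSURE", caused_by=frozenset({"SCRAM_INITIATED"})),
    Alarm("LEVEL_LOW", group="level_low", severity=1),
    Alarm("LEVEL_LOW_LOW", group="level_low", severity=2),
    Alarm("RUN_ONLY_ALARM", modes=frozenset({"RUN"})),
]
```

Returning the reason alongside each suppressed tag keeps the filtering auditable: a reviewer can see why an alarm was withheld rather than only that it was.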
18.4.2.14 Equipment Alarms
Alarms which are not indicated by fixed-position alarm tiles on the large display panel (i.e., those alarms of nominally lower level importance such as those related to specific equipment status) are displayed to the control room operating staff via the main control console VDUs. The supplemental alarm indications and supporting information regarding the plant-level alarms which are presented on the large display panel are also presented on the VDUs.
18.4.2.15 Control Room Arrangement
In the ABWR main control room arrangement, the main control console is located directly in front of the large display panel for optimum viewing efficiency by the plant operators seated at the main console. The shift supervisor's console is also placed in front of the large display panel, but at a somewhat greater distance than the main control console. The shift supervisor is, thus, in a position behind the control console operators. This arrangement allows all control room personnel to view the contents of the large panel displays.
18.4.3 Control Room MMI Technology
The ABWR main control room standard design features described in Subsection 18.4.2 include equipment which utilizes a variety of technologies to control and monitor the plant processes. This subsection provides a summary listing and description of the technologies which are utilized to support personnel execution of these control and monitoring functions.
For this purpose, the term "technology" is taken to have the following definition:
"the equipment, including both hardware and software, employed to directly accomplish the functions of control and monitoring of the plant processes"
Hardware such as consoles, panels, cabinets, control room lighting and HVAC and plant communication equipment which has a supporting role but is not directly involved in the control and monitoring processes is excluded.
The scope of this section is limited to the main control room and the remote shutdown station areas of the plant and includes all human-system interface (HSI) equipment technologies which may be applied, regardless of use in prior designs.
1. Hardware switches such as multi-position rotary, push button, rocker, toggle and pull-to-lock types.
2. Soft switches, the functions of which may be changed through the execution of software functions.
3. Continuous adjustment controls, such as rotary controls and thumbwheels.
4. Visual display units with full color screens, including large reverse projection screens, cathode ray tubes and flat panel display screens.
5. On-screen control utilized with the cathode ray tubes and flat panel display devices.
6. VDU screen formats such as large screen optical projection display formats, text displays, including menus and tabular information, and graphical displays including Trend Plots, 2-D Plots, P&IDs and other diagrams and pictorial information.
7. Analog Meters which employ a hardware medium to pictorially or graphically present quantitative and qualitative information concerning plant process parameters. This includes analog meters using digitally controlled LEDs and digital readouts.
8. Fixed-Position Digital Displays which present alphanumeric information in a hardware medium. These can be back lit.
9. Fixed position hardware mimic displays which schematically represent plant systems and components and their relationships utilizing pictorial elements, labels and indicator lights.
10. Fixed Position alarm tiles which use light to indicate the alarm state.
11. An Audio Signal system which is coordinated to the fixed position alarm tiles and utilizes prioritization and alarm reduction logic and pre-defined set points to alert operators to plant status changes.
12. Printers and Printer/Plotters used to provide hard copy output in the form of plots, logs and text.
13. Keyboards which are composed of alphanumeric and/or assignable function keys and function as computer input devices.
18.5 REMOTE SHUTDOWN SYSTEM
The remote shutdown system (RSS) provides a means to safely shut down the plant from outside the main control room. It provides control of the plant systems needed to bring the plant to hot shutdown, with the subsequent capability to attain cold shutdown, in the event that the control room becomes uninhabitable.
The RSS system design is described in Subsections 7.4.1.4 and 7.4.2.4. All of the controls and instrumentation required for RSS operation are identified in Subsection 7.4.1.4.4 and in Figure 7.4-2.
The RSS uses conventional, hardwired controls and indicators to maintain diversity from the main control room. These dedicated devices are arranged in a mimic of the interfacing systems process loops.
18.6 SYSTEMS INTEGRATION
18.6.1 Safety Systems
The operator interfaces with the safety-related systems through dedicated hardware switches for system initiation and logic reset; hardware switches for system mode changes; safety-related VDUs for individual safety equipment control, status display and monitoring; non-safety VDUs for additional safety system monitoring and the large fixed-position display for plant overview information. Instrumentation and control aspects of the microprocessor-based safety systems and logic control (SSLC) are described in Appendix 7A.
Divisional separation for control, alarm and display equipment is maintained. The SSLC processors provide alarm signals to their respective safety-related alarm processors and provide display information to the divisionally dedicated VDUs. The SSLC microprocessors communicate with their respective divisional VDU controllers through the essential multiplexing system (EMUX). The divisional VDUs have on-screen control capability.
Divisional isolation devices are provided between the safety-related systems and non-safety-related communication networks so that failures in the non-safety-related equipment will have no impact on the ability of the safety systems to perform their design functions. The non-safety-related communication network is part of the non-essential multiplex system (NEMS) described in Subsection 7.7.1.9.
Operation controls through dedicated hardware switches and master sequential switches communicate with the SSLC logic units through conventional hardwire signal transmission (i.e., not multiplexed). Communications between the SSLC logic units and alarm panels and the safety-related fixed-position displays is through multiplex data links.
Safety system process parameters, alarms and system status information from the SSLC are communicated to the NEMS through isolation devices for use by other equipment connected to the communication network. Selected operator control functions are performed through dedicated hardware control switches which are 1E qualified and divisionally separated on the main control console. These hardware switches communicate with the safety-related systems logic units through hardwire transmission lines.
The divisionally dedicated VDUs are classified as safety-related equipment. These VDUs provide control and display capabilities for individual safety systems if control of a system component is required. Normally, such control actions are performed for equipment surveillance purposes only, as the normal method of system control is through the mode-oriented master sequence switches.
18.6.2 Non-Safety Systems
For non-safety systems, operation control is accomplished using master sequence switches and on-screen control via the non-safety VDUs. The hardware switches for non-safety equipment on the main control console communicate with the non-safety-related systems logic units through hardwire transmission lines.
The non-safety systems communicate with other equipment in the operator interface through the NEMS network. The non-safety-related portion of the large display panel fixed position displays is driven by a controller separate from the process computer system. Alarm processing microprocessor units separate from the process computer perform alarm filtering and suppression and also drive dedicated alarm tiles on the large display panel. The alarms for entry conditions into the symptomatic emergency operating procedures are provided by the alarm processing units, both safety and non-safety related. Equipment level alarm information is presented by the process computer on the main control console VDUs.
An additional set of non-safety-related on-screen control VDUs are provided on the main control console for control and display of non-safety systems. These VDUs are independent of the process computer system. In the unlikely event of loss of the process computer system, these independent VDUs, in conjunction with the large display panel safety-related displays, have sufficient information and control capability to allow the following operations to be performed:
(1) steady-state power operation,
(2) power decrease,
(3) plant shutdown to hot standby conditions, and
(4) plant shutdown to cold shutdown conditions.
Without the plant process computer system, control is carried out through the master sequential switches and the process computer-independent on-screen control VDUs. Monitoring is accomplished with the independent VDUs and the fixed position display on the large display panel. Power increases cannot be performed in the absence of the process computer system because core thermal margin limit information provided by the process computer to the automatic thermal limit monitor (described in Subsection 7.7.2.2) would not be available.
18.7 DETAILED DESIGN OF THE OPERATOR INTERFACE SYSTEM
The standard design features of the ABWR main control room MMIS, discussed in Subsection 18.4.2, provide the framework for the detailed equipment hardware and software designs that will be developed following a design and implementation process such as that typically described in Appendix 18E. This typical design and implementation process is presented in flow chart form in Figure 18E.1-1 and described in more detail in Table 18E.1-2.
As part of the Appendix 18E discussion of typical man-machine interface systems (MMIS) design and implementation activities, detailed acceptance criteria are specified that shall be used to govern and direct all ABWR MMIS design implementations which reference the Certified Design. These detailed acceptance criteria, presented in Section 18E.2 of Appendix 18E, encompass the set of necessary and sufficient design implementation related activities required to maintain the implemented MMIS design in compliance with accepted human factors principles and accepted digital electronics equipment and software development methods.
As part of the detailed design implementation process described in Appendix 18E, operator task analyses will be performed as a basis for evaluating details of the design implementation and MMIS requirements will be specified. These MMIS requirements will include the instrumentation and controls listed in Tables 18F.1-1 through 3 as a subset. The evaluation of the integrated control room design will include the confirmation of the ABWR main control room standard design features.