ML20106F645
| ML20106F645 | |
| Person / Time | |
|---|---|
| Issue date: | 01/31/1985 |
| From: | Office of Nuclear Reactor Regulation |
| To: | |
| References | |
| TASK-1.D.2, TASK-TM NUREG-0800, NUREG-0800-18.2A1-R0, SRP-18.02-APP-A, NUDOCS 8502140040 | |
| Download: ML20106F645 (46) | |
Text
..
NUREG-0800 (Fermtriy NUREG-75/087)
]
s U.S. NUCLEAR REGULATORY COMMISSION Q;e(e[e i STANDARD REV EW PLAN kw f
OFFICE OF NUCLEAR REACTOR REGULATION o
e e
APPENDIX A to HUMAN FACTORS REVIEW GUIDELINES FOR SRP Section 18.2 THE SAFETY PARAMETER DISPLAY SYSTEM (SPDS)
REVIEW RESPONSIBILITIES Primary - Human Factors Engineering Branch (HFEB)
This Appendix of the Standard Review Plan was Formerly Draft NUREG-0835 l
l 18.2-Al Rev. 0 - November 1984 i
i 8502140040 850131 PDR NUREO l
0800 R PDR l
USNRC STANDARD REVIEW PLAN Standard review plans are prepared for the guidance of the Offi:.e of Nuclear Reactor Regulation staff responsible for the review of applications to construct and operate nuclear power plants. These documents are made available to the public as part of the C*]h jl Commission's policy to inform the nuclear industry and the general public of regulatory procedures and policies. Standard review plans are not substitutes for regulatory guides or the Commission's regulations and compliance with them is not required. The standard review plan sections are keyed to the Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants.
Not all sections of the Standard Format have a corresponding review plan.
Published standard review plans will be revised periodically, as appropriate, to accommodate comments and to reflect new informa-tion and experience.
Comments and suggestions for improvement will be considered and should be sent to the U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation. Washington, D.C. 20565.
O TABLE OF CONTENTS Page 1 INTRODUCTION...........................
A4 2 ROLE OF SAFETY PARAMETER DISPLAY SYSTEMS.............
A6 3 SCOPE OF REVIEW GUIDELINES....................
A7 4 USE OF SPDS REVIEW GUIDANCE A9 5 HUMAN FACTORS GUIDELINES FOR REVIEWING AN SPDS DESIGN.......
A10 5.1 NUREG-0737, Supplement 1, Section 4.1.a........... All 5.1.1 Concise Display................... A12 5.1.2 Critical Plant Variables............... A12 5.1.3 Rapid and Reliable Determination of Safety Status.. A12 5.1.4 Aid Control Room Personnel.............. A14 5.2 NUREG-0737, Supplement 1, Section 4.1.b........... A15 5.2.1 Convenient Location................. A16 5.2.2 Continuous Display.................. A17 5.3 NUREG-0737, Supplement 1, Section 4.1.c........... A17 5.3.1 Procedures and Training............... A18 5.4 NUREG-0737, Supplement 1, Section 4.1.e........... A18 5.4.1 Incorporate Accepted Human Factors Engineering A19 Principles 5.4.2 Information Can Be Readily Perceived and Comprehended..................... A19 5.5 NUREG-0737, Supplement 1, Section 4.1.f........... A20 5.5.1 Sufficient Information................ A20 6 REVIEW GUIDELINES FOR SPDS DISPLAYS................. A22 6.1 SPDS Data Display Formats................... A22 6.2 Display Techniques...................... A24 6.2.1 Graphic Representation of Variables.......... A25 6.2.2 Identification of Displayed Variables......... A26 6.2.3 Perceptual Aids.................... A26 A27 6.2.4 Display Patterns A28 6.2.5 Status Setpoints Ol 18.2-A2 Rev. 0 - November 1984
)
ri
)
TABLE OF CONTENTS (CONT'D) v
- Pa_ge, 6.3 Application to Examples of Displays
............. A28
- 6. 3.1 Ba r Cha rt........................ A29 6.3.2 Deviation-Bar Chart...... -........... :. A29-6.3.3 Circular Profile A32 6.3.4-Chernoff Face......................-A34 7 VERIFICATION AND VALIDATION OF SPDS................. A34 l
8 -NRC -STAFF HUMAN FACTORS ENGINEERING REVIEW OF SPDS......... A35 9. GLOS S ARY OF T E RMS '............
.............. A36 10 -REFERENCES...._.......................... A40 Exhibit 6-1 Simple Bar Chart Representing Nornal Conditions....... A30 Exhibit 6-2 Deviation Bar Chart Representation of Normal Conditions.. A31 1
i Exhibit 6-3 Circular Profile Repres~entation of Normal-Conditions.... A33 i
iC i
l s
l 118.2-A3 Rev. 0 -~ November.1984
REVIEWING THE SAFETY PARA!iETER DISPLAY SYSTEM:
HUMAN FACTORS ENGINEERING GUIDELINES 1
INTRODUCTION The accident at Three Mile Island Unit 2 (TMI-2) and subsequent investigations have demonstrated the need.for improving how information is presented to people who operate reactors. This need becomes especially evident when a condition that could have safety significance occurs at a nuclear power plant.
During such a condition, control room operators must monitor and process large amounts of data to make sure of the operating status and safety status of the plant and to intervene when intervention is needed to maintain the plant in a safe condition.
Supplement 1 to NUREG-0737 (Ref.1) states some basic principles for designing a system that displays a minir.:um set of plant variables critical to safety (safety parameter display system (SPDS)), and describes how to coordinate'and integrate the design of the SPDS with other emergency response facility initiatives as follows:
The design of the Safety Parameter Display System (SPDS), design of instrument displays based on Regulatory Guide 1.97 guidance, control room design review, development of function oriented emer-gency operating procedures, and operating staff training should be integrated with respect to the overall enhancement of operator ability to comprehend plant conditions and cope with emergencies.
Assessment of information needs and display formats and locations should be performed by individual licensees. The SPDS could affect other control room improvements that licensees may consider.
In some cases, a good SPDS may obviate the need for large-scale control room modifications. Installation of the SPDS should not be delayed by slower progress on other initiatives, and should not be contin-gent op completion of the control room design review. Nor should other initiatives, such as upgraded emergency operating procedures, be impacted by delays in SPDS procurement. While the NRC does not plan to impose additional requirements on licensees regarding SPDS, the NRC will work with the industry to assure the development of appropriate industry standards for SPDS systems.
The basic principles for the SPDS are stated in Supplement 1 of NUREG-0737 as follows:
a.
The SPDS should provide a cencise display of critical plant variables to the control room operators to aid them in rapidly and reliably determining the safety status of the plant. Although the SPDS will be operated during normal operations as well as during abnormal conditions, the principal purpose and function of the SPDS is to aid the control 9
18.2-A4 Rev. 0 - November 1984
('
room personnel during abnormal.and emergency conditions in determining the safety status of the plant and in assessing whether abnormal con-ditions warrant corrective action by operators to avoid a degraded
~
core. This can be.particularly important during anticipated transients and the. initial phase of an accident.
- b'.
Each operating reactor shall be provided with a Safety Parameter
' Display System that~ is located convenient to the control room operators. This system will continuously display information from which the plant safety status can be readily and reliably assessed by. control room personnel-who are responsible for the avoidance of degraded and damaged core events.
c.
The control. Eoom instrumentation required (see General Design Criteria 13 and 19 of Appendix A to 10 CFR 50) provides the operators with the information necessary for safe reactor operation under normal, trans-ient, and accident conditions. The SPDS is used in additio'n to the-basic components and serves to aid and augment these components.- Thus, requirements applicable to control room instrumentation are not needed for this augmentation (e.g., GDC~2,- 3, 4 in Appendix A; 10 CFR Part 100;-
single-failure requiremen'.s). The SPDS need not meet. requirements of the single-failure criteria and it need not be qualified to meet Class 1E requirements. The SPDS shall be suitably isolated'from el_ectrical or electronic interference with equipment and sensors that are in'use for safaty systems. The SPDS need not_be seismically qualified, and
'O additional seismically qualified indication.is not required for the h
sole purpose of being a backup for SPDS. Procedures which describe the timely and correct safety status assessment when the.SPDS is and is not available, will be developed by the licensee in parallel with the SPDS. Furthermore, operators should be trained to respond to accident conditions'both with and without the SPDS'available.
s d.
There is a wide range of useful information'that can be provided by various systems. This information. is reflected in such staff documents as_NUREG-0696, NUREG-0835, and Regulatory Guide 1.97. Prompt implementation of an SPDS can provide an important: contribution to plant safety. The selection of specific information that should be provided-for a particular plant shall be based on engineering judgment of indivi-dual plant licensees, taking into account the importance of prompt implementation.
e.
The SPDS display shall be designed to incorporate accepted human factors principles so that the displayed information can be readily perceived and comprehended by SPDS users, f.
The; minimum information to be provided shall be sufficient to
~
provide information to plant operators about [the following critical 4
safety functions]:
i (i)-
Reactivity.. control (ii)
Reactor core cooling and heat removal from the primary d.
system i
l 18.2-A5 Rev. 0 - kovember 1984
(iii) Reactor coolant system integrity (iv)
Radioactivity control (v)
Containment conditions.
The specific parameters te be displayed shall be determined by the licensee.
The documentation needed from applicants / licensees and for planned NRC review is stated in Supplement 1 to NUREG-0737 as follows:
a.
The licensee shall prepare a written safety analysis describing the basis on which the selected parameters are sufficient to assess the safety status of each identified function for a wide range of events, which include symptoms of severe accidents. Such analysis, along with the specific implementation plan for SPDS shall be reviewed as described below.
b.
The licensee's proposed implementation of an SPDS system shall be reviewed in accordance with the licensee's technical speci-fications to determine whether the changes involve an unreviewed safety question or change of technical specifications.
If they do, they shall be processed in the normal fashion with prior NRC review.
If the changes do not involve an unreviewed safety ques-tion or a change in the technical specifications, the licensee may implement such changes without prior approval by NRC or may request a pre-implementation review and approval.
If the changes are to be implemented without prior NRC approval, the licensee's analysis shall be submitted to NRC promptly on completion of review by the licensee's offsite safety review committee. Based on the results of NRC review, the Director of IE or the Director of NRR may request or direct the licensee to cease implementation if a serious safety question is posed by the licensee's proposed system, or if the licensee's analysis is seriously-inadequate.
This appendix proposes no new requirements; it presents guidelines to NRC staff and applicants / licensees on apnlying good principles of human factors engineering to the SPDS function and.tisplay.
It is intended to provide guidance general enough that a reviewir may use it to evaleate the human factors engineering aspects of different SPDS installations.
2 ROLE OF SAFETY PARAMETER DISPLAY SYSTEMS The SPDS helps the contral room operating crew make quick and accurate assess-ments of Ine plant. s safety status during abnormal and emergency conditions.
By this assessment the reactor operator in the control room (control room operator) decides whether abnormal conditions demand corrective action to avoid a degraded reactor core. During normal operations, control room operators rconitor the display in the course of performing their assigned monitoring O
18.2-A6 Rev. 0 - November 1984
I
. [
Y:
tasks. 'This se, ses to integrate the use of the display into normal operations.
!' (_/
During emergencies, the-SPDS should serve as an aid to the control room opera-ting. crew in evaluating.the plant's current safety status and in executing function-oriented emergency procedures.
The SPDS is intended to provide information about the plant from a display
'i system during normal operations as well as when conditions arise that could have safety. significance. The system should continuously display information i
from which the _ control room operator responsible for avoiding. degraded and damaged core events 'can ' eadily and reliably assess the safety status of the r
plant. The SPDS is analogous to the way the basic attitude and flight performance instruments in an airplane provide status information to the
-pilot..The control room oper0 ting crew should be able to use the SPDS to detect conditions that could have safety significance and should.also be able to use the information provided by the SPDS.as an aid in taking corrective action to maintain or re-establish safe plant conditions.
Thus, the SPDS is a control room improvement to enhance the control room operator's ability to:
comprehend plant status during stressful conditions, determine rapidly and reliably the saf~ety status of the plant, and A
intervene in situations that demand human intervention.
]::\\
The SPDS should provide control room ~ operators with a readable, comprehensible and accurate display of critical plant variables, derived variables, or safety functions.
To use the system effectively, the control room operator must be-trained in the use of the SPDS. Using the SPDS the control room. operator should be able to interpret plant operating information, synthesize plant processes, and assess plant functions from the data provided on the display..The displayed data are read and processed by the control room operator to determine plant status. The design of the SPDS display should consider the control room 4
operator's needs and'should serve as a decision making aid to the control room operator.
3 SCOPE OF REVIEW GUIDELINES The SPDS is a control room display device that is most effective when it has been designed to incorporate principles of good human factors engineering.
This appendix presents only those SPDS review guidelines.that are related to human factors engineering.
.The scope of the-staff's review will be limited to' evaluating if the SPDS helps control room operators do their jobs;well -during conditions that have safety significance. The review will be bounded by the minimum set of critical plant variables, equipment display units, and data processing algorithms needed to achieve this goal.
In this appendix, the staff will not provide review guidance.
~
I 18.2-A7
-Rev. 0 - November 1984 m-
-- -.s e-I:
1 m.
m-m
.m
for such functions as the performance monitoricg of plant systems or safety systems and the presentation of data to assist the control room operator with detailed diagnosis of abnormal operating conditions. The applicant / licensee should review these furctions when the Detailed Control Room Design Review (DCRDR) is performed.
The review guidelines in this appendix can be applied generally to all types of SPDS displays; liowever, the trend in the nuclear industry is toward computer-driven cathode-ray tub i (CRT) displays. Because most of the proposed SPDS designs in the technical briefings pecsented to the NRC staff have CRT displays, this docuernt emphasizes review of CRT displays.
Functional criteria for the SPDS do not rule out the use of other types of displays in SPDS designs.
Review guidelines for specific SPDS designs that do not use CRT displays will be developed case by case, as they are needed.
NUREG-0700, " Guidelines for Control' Room Design Reviews" (Ref. 3) provides general guidelines applicable to review of visual displays, process computers, and CRT displays from a human factors engineering standpoint. The SPDS as a display device has specialized functional requirements.
In reviewing an SPDS, the specific device-oriented guidelines in this document should be used to complement the general guidelines in NUREG-0700. These specific guidelines are offered to help the reviewer evaluate the functional effectiveness of the SPDS.
Information in NUREG-0700 is referenced where it is applicable.
Subsection 4, Use of SPDS Review Guidance, introduces major Subsections of this appendix. Subsection 4 also defines and comments on references which contain human factors engineering guidelines appropriate for use in NRC reviews of the SPDS.
In Subsection 5, Human Factors Guidelines for Reviewing an SPDS, the guidelines are tabulated. Generally, examples are provided for each guideline to illustrate acceptable human factors engineering practices.These guidelines and examples are provided to help a reviewer evaluate whether a given SPDS is designed sufficiently well from a human standpoint to serve its intended purpose and function. For SPDS designs not covered by these examples, the NRC reviewer should use the principles embodied in the guidelines to help evaluate the design.
In Subsection 6, Review Guidelines for SPDS Displays, further clarification of NRC guidance is provided for computer-driven CRT displays. Because computer-driven CRT displays offer considerable flexibility in how the data are presented, proposed systems will have a wide variety of display formats.
The information in Subsection 6 will help a reviewer evaluate different displays objectively. Subsection 6 emphasizes important human factors engineering aspects about the use of CRT displays for the SPDS.
In Subsection 7, Verification and Validation of SPpS, the principles of a verification and validation program to ensure a high-quality SPDS are presented.
In Subsection 8, NRC Staff Humn Factors Engineering Review of O
l 18.2-A8 Rev. 0 - November 1984
~.
k v
L SPDS,sthe ^ staff's review of-the SPDS is' discussed.- In Subsection 9, Glossary of Terms,Lterms used in this appendix are defined.,and in. Subsection-10, l
References, documents used in preparing this appendix-are listed.
The use of non-CRT= types'ofEdisplays is not precluded.
These review guidelines should not. eliminate consideration of other.useful displays'that E
are presently ~ avail M or that may be developed as techniques for: data-presentation evolve.
- 4 'USE OF SPDS REVIEW GUIDANCE--
r l
LThe; human factors. engineering g'uidelines.provided in Subsections 5 and 6 of--
this appendix should serve both NRC staff who review systems as well as; applicants / licensees who. design those systems. The guidelines provided in this-appendix should be used together with guidelines provided in NUREG-0700.
NUREG-0700 provides human factors engineering information that may be used.as guidelines for conducting 'a detailed control room design review.(DCRDR). The -
DCRDR examines existing control-rooms with the. objective _of improving the human factors of man-machine interfaces..SRP Section'18.1 (Ref._4) provides j-information that will help a reviewer evaluate a DCRDR.
A reviewer should be familiar with the general _ human factors engineering guidelines in NUREG-0700, especially the following sections:
!O Section 6.5, Visual Displays, which includes principles of display, h
meters, light indicators, and graphic recorders; Section 6.6, Labels and Location Aids. which-includes labeling l
principles,-label location, latal content,.and location aids; Section 6.7, Process Computers, which includes computer access,.CRT-
[
displays, and printers; and Section 6.8, Panel Layout, which includes panel contents,.
recognition and identification enhancement, and layout arrangement factors.
A reviewer evaluating SPDS systems that use CRTfdispl'ays should be familiar-with CRT technology and-its application to nuclear. power systems. < References -
5, 6, and.7 provide general information on the design of CRT-based display systems.
- An NRC contractor has developed a document detailing human. engineering design-data for.CRT-based. display systems. This document (Ref. 8) identifies rele~ ant issues..related to human performance in conjunction with the 'se of' v
u CRT-generated displays. Another recent report by an NRC. contractor'(Ref. 9).
presents many ways of displaying-data incorporating many.-variables within. the -
plant's process.
I 1
18.2-A9 Rev. 0'- November 1984~
5 HUMAN FACTORS GUIDELINES FOR REVIEWING AN SPDS DESIGN The SPDS basic principles and review guidelines are presented here. These SPDS review guidelines address all SPDS display systems and emphasize guidelines applicable to CRT display systems.
The SPDS basic principles from NUREG-0737 Supplement 1, are reproduced here and then broken down into smaller components. Guidelines are provided for each component to illustrate good human factors engineering principles related to that component.
In addition, examples offered for each guideline illustrate acceptable practices. These examples are not meant to be comprehensive, and NRC staff as well as designers'and users of display systems could offer many other examples of good ways to implement the guideline. Also, where appropri-ate, the guidelines and examples are cross-referenced to NUREG-0700, Section 6.0, Control Room Human Engineering Guidelines.
In reviewing an SPDS for its incorporation of good principles of human factors engineering, the NRC reviewer could use the guidelines and examples presented in this SRP section as an aid in evaluating conformance to Section 4.1 of Supplement 1 to NUREG-0737.
For designs not covered by these examples, the NRC reviewer should use those principles embodied in the guidelines as an aid in evaluating the SPDS. Additional clarification of some of the key guidelines and other appropriate human factors engineering principles are provided in Subsection 6 of this appendix, Review Guidelines for SPDS Displays, and in Section 6 of NUREG-0'00, Control Room Human Engineering Guidelines. With regard to NUREG-0700, the NRC reviewer should focus on the guidelines associa-ted with control room workspace, visual displays, labels and location aids, process computers, and panel layout in reviewing SPDS designs.
The nuclear industry has also published guidelines for an effective SPDS implementation program (Ref.10). These guidelines appeared as a Nuclear Utility Task Action Committee (NUTAC) publication.
Publications issued by NUTAC represent a consensus of utilities that participate in NUTAC. These publications are not intended to be interpreted as the industry standards.
The publications are offered with the understanding that individual utilities are not obligated to i the suggestions.
The above-described NUTAC publicatior, was not formally submitted by the industry for NRC review. The NRC reviewed the report informally and found it well structured and providing excellent guidance on program planning, system design, installation, and maintenance of the display. However, the NRC had the following conrnents and suggestions:
The use of an operational control room as a test bed for the SPDS has the potential for misleading control room operators. This is a case where flexibility in display design may reduce safety. The control room should rat be used as a test bed for developing the SPDS.
In addition, it should not be possible to place the SPDS into a test mode from outside the control rean. However, tests of the SPDS in the control room will be needed to confirm correct installation and to confirm that maintenance has been properly performed. For these occasions, the display format of the SPDS 18.2-A10 Rev. 0 - November 1984
'd should be clearly marked to reflect the test-activities. A temporary i
sign should notify control room operators that test activities are taking place, and all members of the control room operating crew should be notified when test activities begin and when they end.
The sole use of status lights--one for'each critical safety function-- is not adequate for an SPDS. The variables associated with each critical
- safety function should also be available for display and operator assess-ment.
.The SPDS should be capable of continuously monitoring the status of critical safety functions.
I The SPDS should also contain trend data for the key variables displayed, because such data enhance:
~
Use of operating procedures, Detection of abnormal operations, r
Prediction capabilities of the control room operators.
The NRC reviewer should consider the above points when reviewing an SPDS p
design which references the subject NUTAC publication.
In the Subsections that follow (5.1 through 5.5) portions of NUREG-0737, Supplement 1, which apply human factors-engineering principles to the SPDS are quoted. A subsection entitled, " Guideline," offers analysis of the component being discussed and gives one or~ more specific example (s) of how the applicant / licensee could apply the guideline.
5.1 NUREG-0737, Supplement 1, Section 4.1.a "The.SPDS should provide a concise display of critical plant variables to the control room operators to aid them in rapidly and reliably determining the safety status' of the plant. Although the SPDS will be operated during normal operations as well as during abnormal conditions, the principal purpose and function of the SPDS is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective action by [ control room]a operators to avoid a degraded core..This can be particularly important during anticipated transients and the initial phase of an accident."
l l
a.
Bracketed words were added to clarify the wording in NUREG-0737, Supplement 1.
i.-
18.2-A11 Rev. 0 - November 1984
- ~ _ _,
5.1.1 Concise Display b
"The SPDS should provide a concise display,
o 5.1.1.1 Guideline A concise display of critical plant variables will help the control room operator compare data from related plant functions and assess the safety status of the plant.
Examples (a)
Critical plant variables for the SPDS are presented on the single primary display or on a group of displays at a single location.
(b)
Display formats contain patterns and enhancements that define the critical plant variables.
5.1.2 Critical Plant Variables c
"The SPDS should provide a concise display of critical plant variables
,,,,n 5.1.2.1 Guideline A predetermined minimum set of critical plant. variables will help control room operators evaluate plant safety.
5.1.3 Rapid and Reliable Determination of Safety Status "The SPDS should provide a concise display of critical plant variables to control room operators to aid them in rapidly and reliably determining the safety status of the plant."
d 5.1.3.1 Guideline In order for the control room operator to rapidly and reliably determine the safety status of the plant, the displayed data should represent the current and correct status of critical plant variables.
Examples (a) The sampling rate for each critical plant variable is such that there is no meaningful loss of information in the data presented to the control room operator.
b.
Underlining was added for emphasis.
c.
The variables must be the ones determined by the applicant / licensee to be sufficient to provide the information needed by the control room operating crew to evaluate the safety status of the plant.
d.
This guideline.-(and other guidelines designated "d") will be used in the human factors engineering evaluation of licensee's SPDS safety analysis reports for serious safety questions or seriously inadequate analysis.
18.2-A12 Rev. 0 - November 1984
if 7 '
j The' time delay from.when the. sensor signal is sampled to when it. is V[
-(b)' ' displayed should_be, consistent with other control. room displays and-1 5 should be responsive to control room operators' needs in performing i
assigned tasks.
- For each of ~ the above examples:-
(a) 'Each~ critical plant variable is displayed with an accuracy -sufficient' for the. control. room operator to discriminate between conditions that-impact the plant's safety status and normal operating conditions.
_(b) The~ display does 'not give false indications of plant status.
5.1.3.2: Guideline In order to keep the control room operator current on the safety status of the plant, the display should be responsive to t'ransient and accident sequences.:
Examples-(a).
Operator comprehension of a change in'the safety status of the plant from the SPDS display could be achieved in a matter of seconds.*
O
?
(b)
The display system correctly portrays information about the jD) plant's safety status for a wide range of events and includes symptoms of severe accidents.
d 5.1.3.3 Guideline To prevent misleading the control room operator, displayed data should be validated on a "real time" basis where practical /
Examples (a) Redundant sensor readings'are compared before displaying'the critical plant variable.
(For further guidance, see Section 6.7.2.7 ~ of NUREG-0700.)
The SPDS should provide timely information:to the control room operating e.
crew, which the crew can then use together with other available;informa-tion to help it determine rapidly and-reliably the plant's safety status i-and'to assess whether corrective action is:needed.
f.
This guideline ensures the display of reliable data and information to' control room personnel.
)
18.2-A13 Rev. 0 - November 1984
(b) Analytical redundancy among different critical plant variables is used and models and equations that have been documented and validated.9 (c) Validated data, unvalidated data,h and invalid data are identified and coded where practical.
(For further guidance, see Section 6.7.2.7 of NUREG-0700.)
5.1.3.4 Guideline To instill the control room operator's confidence in the use of displayed data, members of the control room operating crew should be provided with the information and criteria they need to perform an operability evaluation of the SPDS.
In addition, the crew must be able to easily recognize a failed SPDS.
Examples (a)
The SPDS design incorporates an automatic or user-activated operability monitoring feature.
(For further guidance, see Sections 6.7.2.6 and 6.7.2.7 of NUREG-0700.)
(b)
The design incorporates a display of calendar date and time of day such that the display is updated only when the system is operating properly so that a static time would indicate a system failure. The date and time would be located in a corner of the display so as not to distract the control room operator.
5.1.4 Aid to Control Room Personnel "Although the SPDS will be operated during normal operations as well as during abnormal conditions, the principal purpose and function of the SPDS is to aid the control room personnel during abnormal and emergency conditions in determining the safety status of the plant and in assessing whether abnormal conditions warrant corrective actions by control room operators to avoid a degraded core."
g.
Operating conditions in which the equations used by the SPDS are not valid, such as the transition to two-phase liquid-vapor conditions in the primary coolant system of a pressurized water reactor, should be identified and documented. The design of the display hardware, computer hardware, and computer program for the SPDS should provide the capability for correcting identified problems.
h..
It is important that the control room operator know the validity of data, i
so the operator can correctly assess the safety status of the plant.
Under some conditions, unvalidated data on the SPDS may be useful to trained control room operators in determining the safety status of the plant and in determining whether human intervention is needed. When the SPDS design allows presentation of unvalidated data, the SPDS users should be aware of this condition so that they will can exercise judgment on the use of the data.
18.2-A14 Rev. 0 - November 1984 l
-pV
.5.1.4.1 Guideline-To aid the control room-operating crew in evaluating the safety status of the
~
plant during conditions' that could have safety significance, the display should be-capable of presenting magnitudes and' trends of critical plant variables or derived variables.
Examples (a) -The SPDS display format has the_ capability of indicating trends of each SPDS' variable.-(For further guidance, see Sections 6.7.2.1 and 6'.7.2.8 of NUREG-0700.)
(b).The display of time derivatives instead of trends may be acceptable under certain circumstances.'I For ea'ch of the 'above' examples:
Trend data are displayed with sufficient resolution in time and magnitude to ensure. that rapidly changing variables are accurately displayed. _ The frequency bandwidth of the signal measurement system, consisting of sensor, signal processing devices, and trend display devices, should be broad enough to transmit information of the measured variable or derived variable without extraneous background noise.
1 Further guidance may be found in Subsection 6.1, SPDS Data Display Formats.
5.1.4.2 Guideline i
To help control room operators detect abnormal _ conditions which warrant corrective actions, the SPDS, where feasible, should include perceptual cues to alert personnel to the abnormal operating condition.
5.2 - NUREG-0737, Supplement 1, Section 4.1.b l
"Each operating reactor shall be provided with a Safety Parameter Display System that is located [so that it is] convenient.to the control room-operators. This system will continuously display information.from which the plant safety status -can be readily and reliably assessed by control room personnel who are responsible for the avoidance of degraded and damaged core events."
- i. Display of the time derivatives of variables-is acceptable only when the derivatives' unambiguously reflect the trends'in the critical plant variables. The algorithm used for time' derivations must be adequate to track transients or oscillations.of critical plant variables that.may
- exist during severe accident events for the plant. Trend data are-generally the preferred method.
lk 18.2-A15-Rev. 0 - Novembe. 1984
i l
i 1
5.2.1. Convenient Location "Each operating reactor shall be provided with a Safety Parameter Display System that is located [so that'it is] convenient to the control room operators.
5.2.1.1 Guideline To be convenient to the control room,. trating crew, the SPDS may be located on the control board.
If the SPDS is part of the control board, it must be easily recognized and readable.
(See Subsection 5.4.2.2 for additional guidance on SPDS location.)
Examples (a) The SPDS is readily distinguished from other displays on the control board.
(For further guidance, see Sections 6.1 and 6.8 of NUREG-0700.)
(b) The display meets the intent of the appropriate display readability guidelines stated in NUREG-0700.
(For further guidance, see Section 6.7.2 of NUREG-0700.)
5.2.1.2 Guideline The display should be located so that it is convenient to the control room operating crew and where control room operators who are responsible for avoiding degraded and damaged core events can observe the SPDS display.
(See Subsection 5.4.2.2 for additional guidance on SPDS location.)
Examples (a) The display is readily accessible to the following personnel, but not necessarily simultaneously:
Shift Supc* visor Control Room Senior Reactor Operator Shift Technical Advisor One reactor operator (b) Members of the control room operating crew have physical access to the SPDS.
For each of the above examples:
(a) Glare from normal or emergency lighting does not restrict the view of the SPDS from wi.hin the control room, and luminance levels and luminance contrast do not limit viewing the SPDS dispicy.
(For further guidance, see Sections 6.1.5.3 and 6.7.2.1 of iiUREG-0700.)
(b) The control room operating crew, not personnel outside the control room, control images displayed on the control room SPDS.
18.2-A16 Rev. 0 - November 1984
w.<
- (
f d
5.2.1.3- -Guideline
'v
' To_be convenient to the control room operating crew, the display system
~
should not interfere'with the crew's normal movement. The display system-should not interfere with full visual access to other control room operating systems and with displays important for safe operation.
c This guideline is self-evident; however, additional guida~nce'may be found in Sections 6.1.1 and 6.1.2 of NUREG-0700.
5.2.2 Continuous Display "This' system will continuously display information...-."
- 5.2.2.1 Guideline-A' continuous single-format primary display is not necessary. The primary display may be a' continuous indication of individual plant variables or may be composed of a number of measured or derived variables.
The main concern is that the'SPDS users are made aware of important changes in critical safety-related variables when they occur and that the SPDS users can readily obtain information from the SPDS to help them determine the safety status of the plant.
Examples O
(a) A dedicated display, such as a CRT, continuously displays the minimum set of variables necessary to assess the safety status of the plant.
(b) A hierarchical display system is used with control-room operator-controlled means to access all levels of display formats-needed to evaluate the safety status of the plant. -(Further guidance may be found in Subsection 6.1,-Display Formats.)
(c) Perceptual (audible or visual) cues are provided by the system to alert the control room operator to return to the primary display format while viewing secondary information.
(Further guidance may be found in Subsection 6.2, Display Techniques.)
l l
5.3 NUREG-0737, Supplement 1, Section 8.1.c-
"The control room instrumentation required (see General Design Criteria 13 and 19 of Appendix A to 10 CFR 50) provides the [ control room] operators with l-the.information necessary for safe reactor operation under normal, transient,.
I and accident conditions. The SPDS is used in' addition to the basic components and serves to ' aid.and augment these components.. Thus, requirements applicable to control. room instrumentati o are not needed for this augmentation.(e.
2 GDC 2, 3, 4 in Appendix A; 10 CFR Part 100; single-failure requirements)g.,-
~
The SPDS need'not meet requiremen.s of the single-fa~ilure criteria and it need not be qualified to meet C1 ss 1E requirements. The SPDS shall be suitably Llv 18.2-A17 Rev. 0 - November 1984 vw op e-ev-'--W----tv m.
w
isolated from electrical or electronic interference with equipment and sensors that are in use for [the] safety systems. The SPDS need not be seismically qualified, and additional seismically qualified indication is not required for the sole purpose of being a backup for [the] SPDS.- Procedures which describe the timely and correct safety status assessment when the SPDS is and is not available, will be_ developed by the licensee in parallel with [ development of]
the SPDS. Furthermore, [ control room] ope:ators should be trained to respond to accident conditions both with and without the SPDS available."
5.3.1 Procedures and Training
" Procedures which describe the timely and correct safety status assessment when the SPDS is and is not available, will be developed by the licensee in parallel with [ development of] the SPDS. Furthermore, [ control room]
operators should be trained to respond to accident conditions both with and without the SPDS available."
5.3.1.1 Guideline As the SPDS is not a Class IE qualified display, compensatory measures should be provided for control room operators when the SPDS is inoperable.
Example Operating procedures and training are provided to the control room operating crew that will allow timely and correct safety status assessment when the SPDS is not operating.
5.3.1.2 Guideline No additional operating staff other than the normal control room operating crew should be needed to operate the display during normal and abnormal plant operation and during display outages.
Examples (a) The control room operator's training program contains instruction and training in the use of the SPDS in conjunction with operating procedures for normal, abnormal, and emergency operating conditions.
+
(b) An SPDS user's manual _is available for reference in the centrol room.
5.4 NUREG-0737, Supplement 1, Section 4.1.e "The SPDS display shall be designed _to incorporate accepted human factors
[ engineering] principles so that the displayed information can be readily perceived and comprehended by SPDS users."
9 18.2-A18 Rev 0 - November 1984
(V[-
5.4.11. Incorporate Accepted Human Factors' Engineering Principles "The.SPDS shall be designed to incorporate' accepted human factors [ engineering]'
principles..."~
p d-5.4.1.1. Guideline
- The display format has to be designed to incorporate accepted human-factors
- engineering principles. -
Examples
-(a) The display format meets the intent of the applicable display guidelines in Subsection 6.0 of this appendix.
~(b).. The.SPDS display meets the intent of the dispir' guidelines in NUREG-0700.- (For further guidance, see-Sectir 6.7.2ofNUREG-0700.).
(c) The display meets the. intent of other.pertins and compatible g documented human factors engineering guidelines cited by the-applicant / licensee.
~~
Further guidance.on human factors engineering' principles miy be found in Subsection 6,f.eview Guidelines for SPDS Displays.
t f
5.4.2 Information Readily Perceived.and Comprehended 4
(
"The SPDS display shall be designed to incorporate accepted human factors
[ engineering] principles so that the displayed information can be readily perceived and comprehended by SPDS users."
d 5.4.2.1 Guideline Pattern and coding techniques are accepted human factors engineering design.
practices to communicate data ^and information to people from displays. Pattern and coding-techniques should be used in the SPDS to help the [ control room]- e operator detect and recognize unsafe plant operating cononiuns.
(Seealso Subsection 6.3, Display Techniques.)
Examples (a) Color coding is used to indicate the approach to unsafe operation and-to indicate unsafe operation.
(For_ further. guidance,: see - Section 6.7.2.7 of NUREG-0700.')
(b). Limit marks are used for each critical plant variable displayed. The
. limit marks are representative of operational limits established by -
technical specifications, process limits, and safety system actuation setpoints, if applicable.
(
l
.n $
J'r.
4 18.2-A19 Rev. 0 - November 1984'-
7 4
tt 6
1 rr
(c) Patterns are used that noticeably distort when an unsafe condition is approached.
FurtherguidancemaybefoundinSubsection6.2,DisplayTechniques.
5.4.2.2 Guideline To be-readily perceived and comprehended, the SPOS display should be readable from the emergency station of the control room operator responsible for evaluating the tafety status of the plant.
(See Sections 5.2.11 and 5.2.12 for additional guidance on SPOS Iocation.)
Example The display design meets the intent of the appropriate display readability guidelines stated in NUREG-0700, such as viewing distance, viewing angle, flicker, noise, contrast, and screen location for standing and sesced control room operators at the designated control room operating crew member's station.
(For further guidance, see Section 6.7.2.1 of NUREG-0700.)
5.5 NUREG-0737, Supplement 1, Section 4.1.f "The minimum information to be provided shall be suffic?ent to provide infor-mation to plant [ control room] operators about [the following critical safety functions]:
(i)
Reactivity control (ii)
Reactor core cooling and heat removal from the primary system (iii) Reactor coolant system integrity (iv) 93dioactivity control (v)
Containment conditions The specific [ plant] parameters [ variables] to be displayed shall be determined by the licensee."
5.5.1 Sufficient Information "The minimum information to be provided shall be sufficient to provide information to plant [ control room] operators about:...."
5.5.1.1, Guideline To monitor the plant process, the control room operator must be able to evaluate each of the above functicns or their equivalents. Applicants / licensees should ensure that the selected SPDS variable (s) appropriately characterize (s) 5 items (i)-(v) specified above. Supporting analyses should also cover these d
o 18.2-A20 Rev. 0 - November 1984 i
Y
\\*
.d T
. items. The design of the display should have a single primary display format-
~ for. each mode of plant. operation.d Examples (a). The design'has a display format for each mode of plant operation.-
(b). The: design ~provides a primary display supported.by a coordinated set of hierarchical-subordinate displays for-each mode of plant operation.
(c) For each mode:of operation, the displays contain the minimum set of indicators and data needed.to assess the plant functions that are used to' determine-the plant's safety status.
5.5.1.2 Guideline For each plant operating mode, display. formats may either be automatically displayed or manually ' selected.
Examples
.(a) A manually operated switch or input from an alpha-numeric keyboard,-
touch panel, light pen, cursor, or equivalent arrangement is provided.
'/' '
by the design to allow the control room operator to select the display format for the mode of plant operation.
(b) Automatic displaykformat change occurs-with a change in the mode of p,lant operations.
1
- j. Some typical modes of plant operation are power. operation, startup, hot standby, and hot shutdown. Display. formats composed of the same sets of variables or the same sets of hierarchical displays may be used-in common for several modes of plant-operation. A top level display fomat:
that'is plant-mode independent which is supported by mode-dependent-subordinate displays may. be desirable.
k Automatic change of the display format should.be designed so that neither-a gradual 'nor'a rapid ~ change in plant behavior from a condition that may have safety significance:is automatically interpreted as a change in plant mode of operation. ~ Provisions should be included for'the control room operator to override automatic display format changes when.
necessary.
In addition, there-should be provisions in the display.to-indicate to the control room operator that a change. in the acde of_ plant operation has occurred.
O b
l
-18.2-A21 Rev. 0 - November 1984..
l
.\\
j.
.i
.. n
~ '
6 REVIEW GUIDELINES FOR SPDS DISPLAYS The NRC has not explicitly described design specifications of SPDS displays.
Those examples of displays given in this appendix are offered for information purposes only, to help reviewers interpret and use the review guidelines.
This section focuses on the use of computer-driven CRT displays. Several display formats are reviewed and important features of each that are pertinent to the SPDS functions are discussed. The use of SPDS displays other than CRTs is not precluded. These review guidelines are not intended to eliminate consideration of other display designs.
6.1 SPDS Data Display Formats The mechanism for displaying the SPDS's safety information is not rigidly specified in Supplement 1 to NUREG-0737. The primary SPDS display format may be presented on a single display device or on a group of display devices concentrated at a single location specifically designated for the SPDS.
During plant operation, the primary SPDS display should accurately indicate the status of important plant functions. The SPDS should display a minimum set of variables from which the control room operating crew can assess the safety status of the plant. The minimum set of variables and the combinations of variables needed to characterize each plant function were not defined. The staff recognizes that the minimum set of variables is plant dependent and should be determined by the applicant / licensee.
The SPDS may provide a single primary display format, or it may use a system of primary and secondary display formats. When a single primary display is used, all information that control room operators need in order to assess the plant's safety status should be continuously visible to them. When the SPDS is concentrated in a single CRT display, the quantity of information sufficient to evaluate the plant's safety status may be too dense for rapid and reliable use.
A combination of primary and secondary displays may be used for the SPDS.
The primary display format may provide information about a selected set of key variables, derived variables, or plant functions, or it may provide indicators to inform the control room operator about a change in the plant's safety status. With limited information displayed on the primary display fonnat, the SPDS should prompt the control room operator to obtain more detailed data from the secondary display formats. The combined primary and secondary SPDS display formats should provide data on the complete set of variables usea to assess the plant's safety status.
Use of primary and secondary display formats generally means that the control room operator must select a display fonnat and present it on a display device. When a system of primary and secondary display fonnats is used (hierarchical display), the display formats should be ranked one above another in a systematic order of importance to facilitate the operator's access to information and to make it easy for the control room operator to O
18.2-A22 Rev. 0 - November 1984
_.~
I
~
1 bd
< Emanipulate khe. displays.: iComputer-driven CRT display: systems are well. suited.
- to; the.:use of;such. display schemes' -
L
~
gThe top level display? format of a hierarchical SPDS display system could be _
tcomposed ofsstatusiindicators'that.providelinformation-on the state of general-l plant; functions. a These indicators should: provide;the control room operator:
- with enough information.toidetect a changefin the plant's safety status and to
- select appropriatenlower level display formats..A well-designed. hierarchical
-display system allows _ the control: room operator lto readily select all levels of_ display _ formats.
~ In'a _ hierarchical SPDS-' design, the top level display' format may be~ replaced s
Lwith -secondary display fonnats when.the control room operator needs more detailed information.'. If the primary display format is not continuously.
p visible, provisions 2should be. made to ~ notify the control room operator about
~ t important: changes in the-status 'of plant functions that require. attention.:
A11rlowerslevel display _ formats should provide.a simplified presentation'of the status of. general plant-safety functions in. addition-to their detailed information, orithey should ' signal the controli room: operator to return to a, j-
-higher level display format when 'a change occurs in safety. status. The-hierarchical display; system should be able to return quickly, to' the. primary 4
display; format or to' appropriate higher level-display formats.-
i The information di_ splayed on systems that display variables,important to, safety should be organized in formats that-are easy for the control-room operator.to read and interpret. Acceptable fonnats may present informe tion-about the plant's-safety status in combinations of alphanumeric, symbolic, or graphic form, and may'present data about plant variables in analog or-digital form.
Disp 1.ay formats should be-designed so:that each specific element in a display corresponds directly and unambiguously with-a single variable or function.
Generally, each element of the display should have a label or other readily understood identifier that specifically associates' that ' display element:with-the variable it represents.
Quantitative information about the magnitudes and time-dependent trends.of the variables shown on the SPDS should be presented to help the-control room operator assess the severity and dynamics of abnormal. plant conditions.
Magnitude and trend information need not always be presentson=the' primary display format, provided the SPDS design allows the' person:using the. display to readily. acquire this information a_s needed. Magnitude'and trend data may be provided on lower level display-formats.when'a hierarchical display is used.
~
SPDS trend Csplays -that show quantitative-rate.of change of a variable.to-gether with the direction of change:may be;u~ sed..provided the' rate informa.
tion accurately represents the' trend of the variable.1 Trend rates-presented-to the: control room, operator should ~not fluctuate as a-result 'of minor fluct-uations in data 'or oscillatory behavior which _may be ' superimposed-on-a well-defined trend _of the-variable.~-When'a simple:quantitativeirate-of-change' value is used, an indication should be provided-to inform the control room operator when, as a result of minor fluctuations or oscillations, the rate.
L 18.2-A23 Rev.Ol--November 1984~-
u s
value does not accurately represent the trend of the variable.
Time-history data of the most safety-significant variables displayed or used in deriving safety functions should be available to the control' room operating crew. This time history need not be presented on the SPDS if accurate data in a conveniently usable form are readily available in the control room from other data-recording instruments, such as chart recorders or computers that monitor, record, and display the processes of the plant (process computer). A time history of each safety-status variable should be provided; this should cover enough time and be accurate enough to depict the onset and development of condi-tions that vary from the preceding normal operating conditions. A presentation of time history data by the SPDS may appear on either the primary SPDS display formats or on secondary display fcrmats.
6.2 Display Techniques Because the main function of the SPDS is to assist the control room operating crew evaluate the safety status of the plant, the display should provide enhancements to improve the control room operator's perception, comprehension, and detection of operating conditions that may affect the plant's safety status.
The display of these conditions should be distinctly different in appearance from the display of normal cperating conditions. This distinction allews the control room operating crew to readily detect and identify operating conditions that may have safety significance, as soon as they occur.
Computer-driven CRT displays allow use of a wide variety of. techniques to differentiate normal from abnormal conditions. Review guidance is provided for several techniques to ensure that, if used, each technique will provide an acceptable enhancement for the SPDS display. Much of what is contained in this section, however, may not pertain to any one particular display.
The display enhancenent techniques discussed are:
(1) Graphic representation of variables
(?)
Identification of displayed variables (3) Perceptual aids (a) Color (b) Symbols and mimics (c) Graphic overlays (d) Blinking (4) Display patterns (5) Status setpoints 1
Other display enhancement.technioues may also be used.
1 18.2-A24 Rev. 0 - November 1984
y y
~
1 4
4 U
Represen'atioriof Variables.
- Q J6.2.1iGraphicz t
lSPDSdisplaysmayprovidegraphic'representationsof'mhasuredor; derived
! plant variables. When'a graphic: representation is used, a change _in~the-m:
' Evalue of?a: displayed element >should be readily interpreted asta-corresponding
~
1
~
changetin:the magnitudelof the associated measured or' derived variable.
- Generally a user most'readily-understands 'a linear relationship between the' f
- magnitudef of: the measured.or; derived 1valueof the variable 'and the. display i
element used to? depict-the:value.
In some cases,'however, 'a nonlinear relation-1 ship-between the ivariable_ and the' display 'elementtis'more appropriate. Whenfa o
_ nonlinear 3 relationship is'used, it:should 'oe; demonstrated thatLsuch a relation-:
~
i;
. ship is better: understood by control room operators or. that tit will'actually' facilitate their interpretation:of'information.
For example,- a logarithmicj relationship-between-reactors power. level-and 'the magnitude of the-corresponding display ~ element may be; appropriate to display power during.rea_ctor startup,'if-accurate readings of reactor power level. are:needed. over__ many. decades.
Scaling'of variables u' sed fortthe SPDS displayjaffects.both'the usability and-the interpretabilityJof. the display, especially when pattern' recognition is:
-being used.' Scales should be chosen to provide the_ range of: data'and level of..
accuracy that-the control room operator needs inforder to:use the information.-
4
' Displays of magnitude can, in some cases, be scaled to' optimize recognition of, changes.from-normal to abnormal plant conditions.
In ' pattern recognition,--'the '
scale is chosen. to produce under normal conditions 'an undistorted ' pattern that-becomes ~ distorted when an abnormal ' condition occurs.. A reviewer should recognize that it may not be,possible or desirable to apply _such scaling to-all displays. -For example, if such scaling resulted in a display.that'is unaccept-able to control room operators after they have been trained'in its use, then it-a
~ would not be acceptable scaling.
Scaling should also be chosen to allow tracking of variables'over a wide'_
range of abnormal conditions. Therefore,-displays for normal conditions i-should not-fill!the ~ entire display aree. 'These displays.may also provide a s
[
means of. reading values should any variable go'off scale during abnormal' conditions.'Under these circumstances, the SPDS-should alertithe control room L
operator when:a variable-is off scale.
It may be desirable to change the scaling factors used in aldisplay if changes'~in relative. magnitudes occur during plant operations.. For: example, -
L normal: operation' at reduced power.may;resultein'a display that appears
~
distorted relative to the display exhibited during operation.at_100% power.
'Because' reduced power operation:does not necessarily~ represent a condition-l that may'have' safety /significan'ce, a change in'-scale.would be appropriate to provide a display'that remains undistorted.
It is preferable that this.-type >
of change be made by a coninand by the control room operator rather than by--
c automatic action of the' display'signalfor-data processing system. -'This1 ensures that anJabnonnal condition isinot displayed inappropriate 1ylas thei result of'automaticis'caling changes made by theLSPDSJ1A system that-1s n
1 b:
18.2-A?5-Rev. O'- November:1984 V
e j
y s..
c.
s
~
designed to automatically change display scaling should alert the control room operator that the change is being made.
6.2.2 Identification of Displayed Variables The control room operator must be able to readily interpret the information conveyed by the SPDS display. When a display changes, the control room operator must know what variables are changing and how they-are changing in order to assess the nature of an abnormality and identify the system involved.
Displays should include labels, symbols, or other ways of uniquely identifying each variable being displayed. It is unrealistic to rely on the control room operator to memorize the relationships between the display format or the display pattern and the specific variables being displayed.
6.2.3 Perceptual Aids Perceptual aids can be used with all types of display mechanisms to aid the control room operator in evaluating the safety status of the plant. Among the perceptual aids suitable for use in SPDS displays are color, symbols and-mimics, overlays, and blinking. Displays may use one or more of these perceptual aids, or may use none at all.
6.2.3.1 Color Color may be used in SPDS displays to help identify and differentiate between elements of the display and to indicate a change in functional or operating status of a plant variable.
When color changes are used to indicate a change in functional or operating status, no more than three colors should be used, corresponding to two levels of change in severity of status. A neutral color should indicate normal status. - The first color change could alert the control room operator that a variable is outside its normal range but does not represent a serious problem.
A second more noticeable color change would occur when the variable is in a range that indicates a serious threat to safety. To be effective, the colors used in the SPDS display should be consistent with color codes used elsewhere in the control room.
Displays should avoid conflicts between the use of color' coding to enhance selective identification of display elements and the use of color codes to enhance changes in operating status of displays, display elements, or dis-played variables.
6.2.3.2 Symbols and Mimics Graphic symbols and mimics may be used as distinctive ways to present infor-mation in a pictorial format. These should conform to the guidelines of.
1 NUREG-0700, Section 6.6.3.4, Symbols, and Section 6.6.6.4, Use-of Mimics.
O 18.2-A26 Rev. 0 - November 1984
6.2.3.3 Graphic" Overlays
- Graphic. overlays can' effectively enhance' displays by providing a reference-to normal conditions, an indication of nomal limits for individual = variables, or an indication of.abnomal operating ranges. An-overlay of ~a normal-pattern can enhance some graphic' displays by providing innediate' reference to normal:
operating conditions to facilitate pattern. recognition.or.to detect deviation from nomal. conditions. Overlays are acceptable when they improve the control
~
room operator's, interpretation of the displayed information. - Overlays should not distract.the. operator or interfere with ' observation of displayed information
=or interpretation of plant operating conditions.
~
6.2'.3,.4 ' ' Blinking Blinking symbols"or' data on a CRT, blinking-illuminated graphic displays, and blinking indicator lights and annunciator displays are. effective ways to call an operator's attention to an abnormal condition. The use of-blinking visual displays-should conform to the guidelines of NUREG-0700, Section 6.3.3.2, Visual Alam Recognition and Identification, and to Section 6.7.2.7, Graphic Coding and Highlighting.
'6.2.4 Display Patterns-The incorporation of the display of-process variables into a regular pattern can be an effective graphic representation of the plant's safety; status.
When a' pattern is used to enhance the control room operator's assessment of
~
the safety = status of the plant, there thould be a direct association between che display pattern and the status of the plant. The pattern for normal operating conditions should have distinctive characteristics that distinguish it from the patterns produced by other conditions. 'The change from a normal pattern to another configuration should be readily detectable.-
One pattern change that is acceptable when properly designed and implemented e
is a change from a sy metric or regular geometric pattern during normal
~
operating conditions to an asymmetric or irregular. geometric pattern when an abnormal condition occurs. Another pattern change that may be acceptable is a change from a pattern displaying uniform magnitude or length for each variable during normal conditions to a ' pattern displaying urequal magnitudes or lengths for those variables that are in a.different state.
A control room operator is more likely to notice changes from a normally undistorted pattern than te notice changes from an initially distorted-pattern.
}'
Therefore, -it is important tnat the display. pattern for normal conditions be; undistorted; then smaller differences inLthe pattern'are required to detect a-change. Production of an undistorted display pattern is largely detemined by the choice of scaling for the variable. Displays relying on pattern recognition to identify an-abnormal condition should be selected for variables that have small deviations about a steady-state value during nomal operating conditions and that have distinctive variations from the steady state value during abnormal conditions, f
18.2-A27 Rev. 0 - November 1984'
Top level display formats based on shape coding, color coding, or alphanumeric coding of data and information to convey the status of plant safety to the control rocm operator are acceptable. However, top level display formats based only on shape coding or only on color coding or on a combination of these should be augmented with lower level display fonnats which are based on alpha-numeric coding of data and informLtion. Shape coding and color coding of data and information are acceptable display techniques in response to search and identification type of control room operator tasks. Alphanumeric coding of data and information is best for absolute identification of plant status, such as the safety status of the plant. Under these circumstances, a top level display format based on shape coding or color coding enhances the control room operator's perception via pattern recognition. Lower level display formats based on alphanumeric coding of plant variables and their magnitudes, and of trends or rates of variables allow a control room operator to more fully assess the safety status of.the plant.
6.2.5 Status Setpoints Setpoints are used to indicate a change in status of a variable to indicate the approach to unsafe operation. Technical considerations should establish setpoints for variables which are used to initiate changes in display presentation to alert control room operators to changes in operating status.
Poorly chosen setpoints can result in frequent false alarms or failure to recognize e serious problem. Arbitrarily establishing setpoints as some nominal percentage of normal value or of maximum range generally is not appropriate. Setpoints used to indicate a change in status should be chosen specifically for their suitability to perform the desired function.
6.3 Application to Examples of Displays Four convenient examples of displays of multivariate data were chosen for discussing the application of the guidelines developed in this section to specific displays. All of the examples were taken from a recent document prepared for NRC (Ref. 9) that presents numerous ways of displaying multivariats data in nuclear process control. Although this reference draws some conclusions on the applicability of various displays for process control, these conclusions do not necessarily apply to the SPDS functional needs.
The displays discussed in this appendix are to be considered only as examples of display concepts. The staff does not recommend that these specific displays should be adapted.
O 18.2-A28 Rev. 0 - November 1984
[Uf
~6.3.1 ~ Bar Chart
- The'bar chart (Exhibit 6-1) synthesizes-an array 'of analog meters,-where each
% r represents a specific variable. The length of each bar is generally iportional to the. magnitude of the variable it represents. The control room operator can easily understand this type of display because analog meters are used in the control room to display the magnitude of operating variables.
Each bar_ on the display h'as a unique identification label that positively identifies the variable. Although a control room-operator might memorize the positions on the bar~ display, the labels provide ready reference. _ It would not be realistic-to expect a control room operator to memorize the position
. of each variable on the display.
The bar chart in Exhibit 6-1 would not, by itself, allow a quick assessment of the~ plant's safety; status. Each bar has -a different. length, and, as demonstrated in Reference 7, the onset of conditions that may have safety significance may not be obvious to the control room operator.
Color coding the bars can be one effective way. of signaling that a variable is outside its normal range. A'bar color that does not attract attention is -
used while the variable is normal. When a variable exceeds the normal range, an attention-getting color is used on that bar. ~(See NUREG-0700 for a discussion on colors.)- A contrast between each bar and the background may also be used in a similar way as a visual alert cue. A bar for a variable out of range would have much greater contrast with the background than that
<\\
bar would have when the variable is within the normal range.
A blinking label or bar may be acceptable to call attention to an out-of-range variable. When a blinking display element' is' used as a visual alert cue, the blinking must not prevent the control room operator from using the display to obtain information. Blink rates should-conform to NUREG-0700, paragraph 6.7.2.7.C.
A bar chart should provide a reference to the normal operating value of each variable displayed.
It is also desirable to indicate the normal operating range of a variable on a bar chart when the operating range is a significant fraction of the total. range. Such_ indications. help the control room operator interpret the importance of a change.
6.3.2 Deviation Bar Chart The deviatson.bar chart (Exhibit 6-2) is similar to the bar chart discussed above. Hon ver, each displayed bar represents the difference between the measured +alue and the normal value of a variable. Although the magnitude of a variable is generally positive, deviations from a normal value may be f
18.2-A29 Rev. 0 - November 1984-
i i
O l
PRIMARY POWER PRIMARY FLOW COLD LEG TEMP.
DELTA TEMP.
PRIMARY PRESSURE PRESSURIZER LEVEL SECONDARY PRESSURE SECONDARY FD FLOW STM CNTRL VLV POS STM GEN LEVEL CNDS PRESSURE O
20 40 60 80 100 j
PERCENT RANGE 4
i Exhibit 6-1 Simple Bar Chart Representing Nonnal Canditions 0
18.2-A30 Rev. 0 - November 1984
-l
\\
O f
i l
PRIMARY FLOW L
COLD LEG TEMP.
l l
DELTA TEMP.
l PRIMARY PRESSURE PRESSURIZER LEVEL SECONDARY PRESSURE l
SECONDARY FD FLOW STM CNTRL VLV POS STM GEN LEVEL CNDS PRESSURE 1m so a
e 20 0
20 e a
w 1m LOW HIGH PERCENT RANGE l
l l
Exhibit 6-2 Deviation Bar Chart Representation of_ Normal Conditions 18.2-A31 Rev. 0 - November 1984 i
either positive or negative. Therefore, the zero reference should be in the center of the deviation bar chart. With this display, the control room operator can easily detect a significant deviation from a normal value.
There is a direct association between the deviation bar chart display and the safety status of the plant. Under normal conditions the bar chart deviations are small.
In the event of a change, the magnitude and direction of a change in the variable from the normal condition is readily determined from the length and direction of the associated deviation bar.
The choice of scaling for each of the deviation bars is important to ensure that there is a distinct difference between normal and abnormal conditions.
Deviation bars that can vary over the entire display range under normal conditions would be unacceptable. The range of normal conditions for positive or negative deviations should repr'esent no more than 10% of the total range provided to display that variable's deviation. The normal deviation should also be considerably less for a variable that changes little during normal conditions but can vary a large amount when an abnormality occurs. An indication of the norn'al range for each deviation is desirable.
When appropriately scaled, pattern recognition can help to detect an abnormal condition. Like the bar chart, a label should identify each bar. Thus a deviation in one bar can be readily associated with the corresponding variable.
Color coding or contrast may be used as a visual alert indicator on a deviation bar chart in the same way it is used with the conventional bar chart.
Some way to indicate the magnitude of each variable should be provided when the deviation bar display is used as a primary SPDS display format because this information is not included in the deviation bar chart itself. This could be done by a digital readout of the magnitude placed on the deviation bar display or by presenting information about magnitude on secondary display formats.
6.3.3 Circular Profile The circular profile can be considered to be a variation of the bar chart.
In the circular profile display, the lines that define each variable radiate from a common origin with equal angles between lines (Exhibit 6-3). The length of each line is proportional to the measurement of the corresponding variable. The endpoints of adjacent radial lines are generally connected to form the profile. The area within the profile may also be shaded for enhanced contrast.
The circular profile represents a display type where pattern recognition is the primary means of identifying an abnormal operating condition. An operator's attention is focused on the profile around the radial lines rather than on individual lines. Under normal conditions, this profile should be 9
18.2-A32 Rev. 0 - November 1984
O dT PRESS i
-Tc LVL phSS FLOW 1
O l
CNDS FEED PRESS FLOW STM GEN.
STM CNTRL LVL VLV POS Exhibit 6-3 Circular Profile Representation of Normal Conditions O
18.2-A33 Rev. 0 - November 1984 1
circular or regular. When an abnormal condition occurs, the profile would become noticeably distorted, indicating that an abnormal condition has developed. Scaling and variables selected are more important in producing a good symmetric cir ular profile display during normal operating conditions
' than they are for bar Uart or deviation bar chart displays.
6.3.4 Chernoff Face The Chernoff face is a graphic technique that maps multivariate data into facial features. Changes in magnitudes are translated into a change in the-facial expression. Use of this type of display is dependent on pattern recognition to interpret data.
The Chernoff face is a good example of a display in which individual variables cannot be readily identified. This weakness stens from the assignment of variables to facial features. A frowning mouth is a composite of three variables.
It may not be possible to identify which particular variable has changed when the mouth changes shape.
It also is difficult to relate a given change in the apoearance of the face to a specific change in the safety status of the power plant. A control room operator can make no direct association between the facial features observed and the magnitude of plant variables. Many different linear and nonlinear mappings are used to relate the data being displayed to the different facial features. This complexity makes it difficult to evaluate changes in magnitude of the displayed variables. Use of this type of display would require control room operators to not only memorize the associations between variables and facial characteristics but also to memorize many different facial patterns in order to evaluate changes in variables.
Studies using Chernoff faces have shown that certain combinations of changes in the facial characteristics can result in a face that does not appear dis-torted (Ref. 11). Thus, there may not be a noticeable distinction between
~
safe plant conditions'and certain unsafe conditions.
These unfavorable characteristics make the Chernoff face unacceptable for use as the primary display format of an SPDS.
7 VERIFICATION AND VALIDATION OF SPDS For the SPDS to fulfill its function, it is essential that it incorporate the basic principles discussed in Supplement 1 to NUREG-0737 so that it can j
provide reliable information from which the plant's safety status can be assessed. The SPDS user must have confidence in the validity of the information provided by the operational SPDS.
To ensure that a high quality SPDS is implemented, the applicant / licensee should conduct a verification and validation (V&V) program throughout the process of design, fabrication, testing, and installation of the SPDS. A V&V program should include the following:
O 18.2-A34 Rev. 0 - November 1984
y C
A g
[ ',
l(
L(1)l: A review.of; desired system; capabilities to determine that the functional-
?>
'needs"will-be satisfied.--
q b
(2)' ~; A design verification review performed after.the system is initially.-
~ designed to verify that.the-design will : satisfy functional needs.
i h
- 13) Validation tests performed after the system is' assembled to confirm that.-
the.. operating _ system satisfies. functional needs.
+-
I
-(4) -Field verification tests performed after the system is installed ~to
[
verify that the validated system was installed properly.
'(5) LDocuments that contain design: modifications, resolutions to problems, and analyses of problems that still.need:to be corrected. These documents i
r should serve =to record and resolve allLdesign problems identified by the V8V program.' Qualified individuals who.were not directly involved in the design, development,.and installation of.SPDS equipment or software should-l conduct the V&V program.
A V8V program performed by -the-_' applicant / licensee during design, installation, and. implementation.of. an SPDS will facilitate the NRC staff review of the-2
. system. The staff would then evaluate the program for the results of the design i
V&V program. 'On the basis of an effective V&V. program, the staff would reduce.
j.
the scope and detail of the technical audit of the design.-
i The Nuclear Safety. Analysis Center (NSAC) has prepared guidance for the; nuclear. industry on the SPDS.V&V program for the SPDS. - This guidaace is l~
documented in NSAC 39 (Ref.'12). The NRC staff will acceptLa' V&V Program -
Plan which conforms to the guidance of NSAC 39. Other SPDS V&V programs which accomplish the desired goals would be equally ' acceptable to the l
staff.
l l
8 NRC STAFF HUMAN FACTORS ENGINEERING REVIEW OF SPDS-The staff will use the guidance provided in.this appendix in' reviewing the design of the SPDS insofar as incorporating' good principles of human factors engineering. This appendix presents a discussion of ways of incorporating basic principles of a good SPDS as set out in Supplement 1-of NUREG-0737 insofar as consideration of the human factor. For reviews of operating -
license applications _(OL reviews) 'and for operating reactors for which the -
. licensee has requested a preimplementation review'of the SPDS design, the-guidance offered in this appendix'will assist the staff;in evaluations under Supplement l'of NUREG-0737. For such reviews,-the NRC. staff will initially.
evaluate the. applicant / licensee's verification and validatien (V&V) program -
plan'and will audit' the results of. its design verification activities.
-.. Subsequently, the staff will ' audit the' applicant / licensee's design validation
- program,' test plans,.and_testLresults. During'each audit, the staff plans to
~
review safety analysisEdata and-human factors engineering design data j
~
prepared by:the applicant / licensee as well as to review its V&V activities.-
q O
o 18.2-A35'
- Rev. 0 - November 1984 -
i v
-m.
. w.-...
.m
..,s
-w-.
4
,,s
.,-,.--.---__-____.______m_.________
n These reviews will be conducted _using the appropriate guidance provided in Subsections 5, 6, and 7 of this appendix. For preimplementation reviews, the NRC staff intends to conduct the review in two audit meetings with the applicant /licensu. luring the period of SPDS design and design validation tests. The staff w;il document its findings after each meeting. A third audit may be conot.cted following SPDS installations.
Prompt implementation of well-designed safety parameter display systems in operating reactors is a design goal of primary importance. The review process for operating reactors outlined in NUREG-0737, Supplement 1, is designed to avoid delays resulting from the time required for NRC staff review. The NRC staff will not review operating reactor SPDS designs pursuant to Supplement 1 of NUREG-0737 before implementation unless a licensee has specifically' requested a preimplementation review. The licensee's safety analysis and SPDS implementation plan will be reviewed by the NRC staff only to determine if a serious safety question is posed by the proposed system or if the analysis is seriously inadequate. The NRC staff human factors engineering review to accomplish this will be directed at (1) confirming that means are provided to ensure that the data displayed are valid, and (2) confirming that the licensee has committed to a human factors engineering program to ensure that the displayed information can be readily perceived and comprehended so as not to mislead the control room operator.
if, on the basis of this review, the staff identifies a serious safety question or seriously inadequate analysis, the Director of IE or the Director of NRR may request or direct the licensee to correct the deficiency or even to cease implementation. Those guidelines of Subsection 5 of this appendix that would be used in the evaluation of a licersee's SPDS safety analysis report for serious safety questions or seriousl3 inadequate analysis have been footncted.
Although it is unlikely that the SPDS design would raise a sericus safety question or that the analysis would be seriously inadequate, the NRC staff review may identify some human factors engineering problem areas, which if corrected, could enhance ef T2ctiveness and improve control roon operating crew acceptance. Problem areas that are identified by the NRC staff in its safety analysis review should be assessed for correction by the 1icensee during the detailed control room design review.
9 GLCSSARY OF TERMS Many of the terms used in this document are specific to the fields of nuclear engineering and computer-software engineering. This glossary of terms is included to help the reader understand the terms as they are used in this
- document, accuracy - A measure of the degree to which the actual output of a device approximates the output of an ideal device nominally performing the same function (IEEE Standard Dictionary of Electrical and Electronics Terms).
In the control room of a nuclear power plant, the device is the entire measurement system from the sensor to the display of a nuclear power plant.
18.2-A36 Rev. 0 - November 1984
,y~,'
l
~
Y I h ;
analytical redundancy - Intercomparison'of measured variables, through the)
_ use-of mathematical models based upon known: physical relationships, bet'ieen-r variables,1to determine whether there are inconsistencies in-theaalues of-the measured ; variables :(e.g. ', '" reactor. power," " reactor coolant temperate e srise_~through the' reactor core,'! and "reactorL:oolant flow rate" are interrelated variables based upon.the: physical principles'of heat transfer.
~
JA~ measured value for coolant flow should be consistent with the analytically;
! calculated.value for coolant flow derived mathematically from the
~
correspondi.ng measured values of reactor power and coolant temperature. rise.)
F c'athode-ray tube (CRT)' 'An electronic vacuum tube containing a luminescent
- display screen and a controlled beam of-electrons that creates and refreshes Limages on the display screen.-
[
control room operating crew - A group-of individuals assigned.to perform.
[
functions and tasks in a nuclear powe.r: plant control room to operate the-plant. As such, the control room operating crew is'a system within the power n
plant..
~
control ~ room operator -._ An individual, member of the control room operating.
crew including, but not necessarily limited to, ~a licensed reactor operator.
i data - 1.'An individual fact, statistic, or piece of information:or a-group
[
or body of facts, information, statistics, or the like, either historical.or i
derived by calculation or experimentation (The Random' House College Dictionary, Revised Edition, 1980).
2..A general _ term used to-denote-facts, numbers, and symbols -that refer to the state of -the plant process of' the status of systems
~
l and components that are part of.the plant process.
I derived variable - 1. A pla.it process variable derived from mathematical I
calculations that use the values of directly_ measured variables as inputs to.
l-the calculations or a' variable determined by operational manipulation:of the signals from directly measured variables. 2.:A variable that is.not measured-i directly but that can be derived analytically from the values'of-two or more -
l-measured variables (e.g. degrees subcooling can be derived from measured'
[
vaines of water temperature and pressure using the -known. physical.~ properties-of water asia function of temperature and pressure).
I design criteria - Performance requirements and specificationsifor a system established as a goal-prior' to initiating detailed design of-the system.
design validation - A process of system integration, testing, and' evaluation activities. carried.out at the. system / subsystem level to ensure that.the developed operational product satisfies the! system' specifications and the; user's. functional ~ requirements, design verification' ' A process of-iterative evaluation-during the: design process to _ determine' whether, the produ' cts of. each step of the design ' effort -
'are correct andifulfill design criteriai 18.2-A37 Rev. 0'- November? l984 y
j.
A
~ ~. -. ~.
+,
un
~
,.-ca ~ ~
n<w-.-~-
-+, -
..--...n.-.
~--
- -+
- c. - - - --
l display - A visual record that may be of either a permanent or temporary nature (Standard Dictionary of Computer and Information Processing, Revised Second Edition, 1978).
display format - The arrangement of characters, symbols, and visual represen-tations on the display surface of a display unit.
display unit - A unit of hardware that provides, a visual presentation of data and information on a display surface.
function - 1. The purpose for.which something is designed or exists (The Random House College Dictionary, Revised Ed' tion, 1980). 2. The performance that must be accomplished by a system to fulfill its assigned role or purpose.
hierarchical display - A display system having sets of display formats ranked one above another in a specified order of rank or importance.
information - 1. Knowledge communicated or received concerning a particular fact or circumstance.
- 2. Any data that can be coded for processing by a computer or similar data processing device (The Random House College Dictionary, Revised Edition, 1980).
- 3. The results obtained from data processed by pre-specified means or methods, invalid data - Data that have been checked for accuracy and have failed to meet the specified criteria for validity.
measured variable - A plant process variable such as temperature, pressure, etc. that can bt measured by a sensor instrument with the output signal from the sensor manipulated or converted to be displayed or read out on a display device as a magnitude of the variable, expressed in engineering units.
minimum set of critical plant variables - The fewest plant variables sufficient for the control room operators to evaluate the safety status of the plant.
perceptual aid - A display aid that assists the control room operator sense a significant change in the information provided by a display.
primary function - The principal or main purpose for which a system exists.
process computer - A computer that monitors, records and displays the processes of the plant.
process control - The collective functions performed in and by equipment in which a process variable is to be controlled.
process limit - A value of a process variable wherein a significant change in the process occurs; an example of a process limit is zero degrees of subcooling for water in conjunction with the inception of boiling which converts liquid water to a steam vapor.
O 18.2-A38 Rev. 0 - November 1984
.O process variable -~ A term or set of. terms that characterizes a specific q
time-varying property.of the state of-a plant process quantitatively in engineering units (e.g., reactor core coolant inlet temperature, 545'F).
j real time - Relating-to the performance of computing during the specific time in which the related process, event, problem or communication is taking place,-i.e., the computing must be fast:enough.-during the process of the 7
happening of the event for the-results of.this computing to influence the related process or result-(Computer Dictionary and Handbook, Second Edition.
'I 1972)..
time history -. Data that display the magnitudes of a sriable over a specified time-interval, trend data - Information'that depicts whether the magnitude of a variable is changing or remaining constant.
I unvalidated data - Data that have not been checked for accuracy. (Unvalidated data may be determined to be either valid or invalid'if subjected to a data -
l validatit.n process.)
validated data - Data that have een subjected to the data validation process b
and meets the*specified criteria for data validity._
validate.- To substantiate or confirm (The Random House College Dictionary, j,
Revised Edition, 1900).
j validity - The degree to which an event, especially operations, are j
allowable, permissive, logical, complete, and comprehensible.- Validity.is a measure of the extent to which a standard has been met or-a rule followed j
(Standard Dictionary of Computer and Infonnation Processing,-Revised Second Edition,-1978).
variable - A quantity or mathematical function that may assume any given value or set of values (The Random House ~ College' Dictionary, Revised Edition, i
1980).
verification - A formal act or process to ascertain the truth, authenticity, or correctness of something (The Random House College Dictionary, Revised Edition,1980).
y l
i 18.2-A39 Rev. 0 - November 1984 l
u w
c ~ -.
10 REFERENCES 1.
U.S. Nuclear Regulatory Commission, NUREG-0737, " Clarification of TMI Action Plan Requirements," November 1980; Supplement 1, December 1982.
?.
U.S. Nuclear Regulatory Commission, NUREG-0696, " Functional Criteria for Emergency Response Facilities," February 1981, 3.
U.S. Nuclear Regulatory Commission, NUREG-0700, " Guidelines for Control Room Design Reviews," September 1981.
4 U.S. Nuclear Regulatory Commission, NUREG-0800, " Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants, Section 18.1, Control Room," Rev. 0 - September 1984.
5.
Ramsey, H. R., and M. E. Atwood, " Human Factors in Computer Systems: A Review of the Literature," Science Applications, Inc., SAI-/9-111-DEN, September 1979.
- 6.. Seminara, J. L., and S. K. Eckert, " Human Factors Considervtions fcr Advanced Control Board Design," Electric Power Research Institute, EPRI NP-1118, Vol. 4, March 1980.
7.
Banks, W. W., and M. T. Clark, "Some Human Engineering Color Considerations Using CRT Displays: A Review of the Literature," EG8G -
Inc., Report EG&G-SSDC-5455, May 1981.
8.
Banks, W. W., et al., " Human Engineering Design Considerations for Cathode Ray Tube-Generated Displays," U.S. Nuclear Regulatory Commission, NUREG/CR-2496, EG&G-216, April 1982.
9.
Danchak, M. M., " Techniques for Displaying Multivariate Data on Cathode Ray Tubes With Applications to Nuclear Process Control," U.S. Nuclear Regulatory Commission, NUREG/CR-1994, EG&G-2086, April 1981.
10.
" Guidelines for an Effective SPDS Implementation Program," INP0 83-003 (NUTAC), January 1983.
- 11. Bruckner, L.
A., "On Chernoff Faces," in P. C. C. Wang, Graphical Representation of Multivariate Data, New York, Academic Press, lY78,
- p. 93.
- 12. Nuclear Safety Analysis Center, " Verification and Validation for Safety Variable Display Systems," NSAC 39, December 1981.
O 18.2-A40 Rev. 0 - November 1984
3
-Enclosure ?
\\
1
-Resolution of CRGR Comments on Draft NUREG-0835 a
n CRGR. reviewed draft-NUREG-0835 at its. Meeting Number 57,on February 15,'1984
)
Minutes;of this' meeting issued on~ March 16, 1984,-expressed the CRGR concerns
~
summarized below:
I
- 1. - : Considerable ambisuity and complicated language..
i-
-2.
Use of NUREG document to generate / establish' generic requirements'is L
contrary to NRC policy.
3, t
3..
Does not address when, how"and by whom the SPDS will-be used.
l..
4.
Exceeds design requirements originally intended in Supplement'l to NUREG 0737.
- a..SPDS~ operability is believed to be only required for plant-
- conditions involving power, hot shutdown,-or hot-standby
[
conditions.
L b.
A need for audible alarms has not been previously? identified.
(
c.
Time derivative data display is' believed to have little.
7 l
practical value and should not be: promoted'as an acceptable l
substitute for clear trend information.
5.
Document allows great flexibility on the part of. individual reviewers and acceptance criteria to be defined based upon many.
L l
available industry human factors. documents.. Guidance-is referenced l
.that has=not been reviewed.
6.
Acceptance guidelines are found in at least two sections.. (Sections 5 and 6) and it is. difficult to determine _ minimum system capabilities ~ that are considered necessary for system acceptance.
Since review of this document by CRGR,.it'has ' undergone..a number o.f revisions to address CRGR concerns.
In addition,:both ELD'and our technicalJeditors-have reviewed 'the document-and.their comments have' been, incorporated.- The major change-has:been to make the proposed NUREG into an appendix to Section 18.2 of the Standard ~ Review Plan..OurLresolution of,the: specific CRGR comments that were summarized above is as follows:-
1.
The ambiguity 'and complicated'languace have.been eliminated.
' Redundant: sections have also-been eliminated and we have clarified.
~
that the document is for staff uselin reviewing SPDS' designs. The final version of the document has been reviewed by'both ELD.and ate technical editors.-
ik
._,m,.._
. O 2.
We propose to publish this document as an appendix to Section 18.2 3
of the Standard Review Plan as a result of CRGR and EDO comments.
3.
Supplement 1 to NUREG-0737 describes the SPDS as an operator aid in rapidly and reliably determining the safety status of the plant.
It also explains that the SPDS will display information to control room personnel who are responsible for the avoidance of degraded and damaged core events. We do not believe that a specific user should be specified by the NRC. This is up to the utility and strongly depends on the operating philosophy of a utility.
4a. Although Supplement 1 to NUREG-0737 states that the SPDS will be operated during normal operations as well as abnormal conditions and will continuously display information, we have adopted CRGR's comment and have eliminated refueling and cold shutdown modes of operation as areas of NRC review.
4b. We have clarified the reference to audible alarms as follows:
" perceptual (audible or visual) cues are provided to alert the control room operator to return to the primary display format while viewing secondary information." The main concern is that SPDS users are made aware of important changes in the primary display when they are viewing secondary displays.
4c. We have stressed that trend data are preferred and that time derivatives are acceptable only when the derivatives unambiguously reflect trends in critical plant variables.
5.
The document does allow flexibility because of the variety of SPDS designs. We have tried to allow sufficient latitude for the review of different systems as well as different displays. We have eliminated reference to reviewer use of guidance that has not been reviewed.
Industry can utilize non-reviewed human factors guidelines which the staff will review on a case-by-case basis.
6.
Section 5 presents Human Factors Guidelines for reviewing the SPDS system while Section 6 presents guidelines for reviewing computer-driven CRT displays that may be part of an SPDS. We have clarified the distinction between the two sections. Minimum system capabilities that are considered necessary for SPDS acceptance are defined in Supplement I to NUREG-0737 as being those sufficient to provide information to plant operators about the following critical safety functions:
(i)
Reactivity control (ii)
Reactor core cooling and heat renoval from the primary system O
U
-,!(
(iii) Reactor coolant system-integrity (iv)'
Radioactivity control.
(v)-
Containment conditions; L
The human factors engineering review is directed'at-(1) confirming that means are provided to ensure that the data displayed are.
l
-valid, and (2) confirming that the. licensee.has committed to a.
human factors engineering program to ensure that the displayed i
information.can be.readily perceived and comprehended so as not to i-
. mislead the control room. operator.
l The parameter selection review is directed at. confirming' that the i
plant specificparameters selected as the bases for a critical.
l.
safety function are sufficient to assess the safety status of-that-function for a wide range of events. Justification for the choice of parameters can be provided by reference to analyses supporting approved generic emergency procedure guidelines.. The types of j
scenarios to be considered' include thase which result from events identified in SRP Section 15.0. DHFS-plans to document the process-used for parameter selection review.
l 1
l-L L
L i
I.
i q
I.
L s
1
'l r
L 1
~.
=. -
NRC PORRI 33 U S. NUCLEAR REGULLTORY -.assO"I
- t. AtPORf NuwsEA iAssfied er T'OC. 888 V8' **.,e earJ
$b',7 slauOGRAPHIC DATA SHEET NUREG-0800 sit INSTRUCTIONS ON THE RtVER$$
3 Lt Avt SLANE
- 2. TITLE AND suaisTLE Standard Review Plan for the Review of Safety Analysis
.(
)
Reports for Nuclear Power Plants, LWR Edition.
- s
/
4 DATE REPORT COMPLE'tD Revision No. O of Appendix A to Section 18.2 l
Y An
.O~T.
December 1984
. Aoi,,OR,,,
6 DATE REPORT ISSUED MONTH VEAR January 1985 t,.R.OR..N; naAr.v4 N A.. ANo.A,L NG Adores > <,a.. e. c,
- PaOaciaAsowOax uNa Nu na Office of Nuclear Reactor Regulation
- "~ oa ca^~' au*"a U.S. Nucle.ar Regulatory Connission Washington, D.-C. 20555 10 SPONSOR 6NG ORGANt2ATION NAME AND MAILING ADDRE$5 ffac4astle coms tia TYPE OF REPORT Guide same as above
,,,,,,,,co,,,,,,,,,,,,,,,,,,,,,,
12 $uPPLEWENT ARY NOTis Rev. O of Appendix A to Section 18.2," Human Factors Review Guidelines for the Safety Daramo&or n{en1nu que+nm"
- 13. AGSTR ACf IJdD eerss ar esis ~
- ~
~
This revision incorporates the guideline of Task Action Plan Item 1.D.2 of NUREG-0660 as clarified in Supplement 1 of NUREG-0737.
Appendix A to SRP Section 18.? was A
fornerly draft NUREG-0835, " Human Factors Acceptance Criteria for the Safety
-jN.s)
Parameter Display System, Draft Rer.rt issued for Comment.
l l
l l
14 OOcuwtNT ANALvlis - e RivWORDS'DESCRiPTDRS is Ava As Laiv l
Human factors Safety Paramter Display System (SPDS)
Unlimited Standard Review Plan 16 SECUR fICLAS$1PicAff0N i
"onetassified e IDENilf stRS/OPEN ENDED TERMS Ifne report)
I F NUMBtR OF PAGES lt
...R.Lt i
l l
l i
1
..t.O.,Nu..t..,
rm u Nucu m t:om,omico.....ON 7"c 'a"= 8=
G-0800 sIo'">'E' BIBLIOGRAPHIC DATA SHEET Section 18.2, Appendix A, Rev.0 Sit DNSTRUC? IONS ON TMt RivtRst 2 flitt A40 $utisTLE 3 LE Avi et ANs Standard Review Plan for the~ Review of Safety Analysis -
Reports for Nuclear Power Plants, LWR Edition, aNor!"Rhview^$7hfnhsNobhbbaNOSv ifa N""
l
" ~
December 1984--
- Apisp9ay System (SPDS)"
6 Dait REPORT IS$UED MON 1m
'ka" January 1985
- 7. PE Rf 0RM'NG ORGANA 2Ai#0N Naut AND usstsNG AppRess erars eele casej 5 PNOatcTIT Annenoma UNel NUW8t R w
Office of Nuclear Reactor Regulation
""""6"'"'"""""
U.S. Nuclear Regulatory Commission Washington, D. C.-20555 to SPONSORING ORGANi2 ATaON NAMt AND MacklNG ADDRt55 fraedereeI, Ceses it. TTPt OF RtPORT Guide same as above
,,,,,,,,co,,,,,,,,,,,,,,,,,,,,,
12 SUPPLEMENT ART NOTt5 Rev. O of Appendix A to Section 18.2," Human Factors Review Guidelines for the Safety paramatar nien12v g u e + n,,,a
~ ~ - - -
,a A. i Aci a.
,,,o This revision incorporates the guideline of Task Action Plan Item 1.D.2 of NUREG-0660 as clarified in Supplement 1 of NUREG-0737.
Appendix A to SRP Section 18.2 was formerly draft NUREG-0835, " Human Factors Acceptance Criteria for the Safety Parameter Display System, Draft Report issued for Coment.
- i. A7,Ag,tp-
,, oOcu.6 Ni AN A<Ti.... M t..ORoi,ot.c..,10R.
Human factors-Safety Paramter Display System (SPDS)
Unlimited Standard Review P1an
.. n eU.... ci.ss...e A,,oM "onciassi fied 5 toEN1sHtR$'OPEN $NDRO tt.wg Iras re.orto t) 4WW$t St (56 Pa(pt) is Par (t e