ML20117G510
| ML20117G510 | |
| Person / Time | |
|---|---|
| Site: | 05200003 |
| Issue date: | 05/10/1996 |
| From: | Kerch S, Span R WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| To: | |
| Shared Package | |
| ML20117G501 | List: |
| References | |
| WCAP-14645-DRFT, NUDOCS 9605210329 | |
| Download: ML20117G510 (86) | |
Text
,
Westingnouse N:n-Proprietrry Class 3 WCAP-14645 l
l l
HUMAN FACTORS ENGINEERING I
OPERATING EXPERIENCE REVIEW REPORT l
FOR THE AP600 NUCLEAR POWER PLANT i
Draft 5/10/96 l
AP600 Document Number: OCS-GJR-001 Revision 0 S. P. Kerch R. M. Span Westinghouse Electric Corporation P.O. Box 355 Pittsburgh, Pennsylvania 15230-0355 C1996 WESTINGHOUSE ELECTRIC CORPORATION All Rights Reserved 9605210329 960514 PDR ADOCK 05200003 A
PDR mA2927w.wpt:1b/051396
TABLE OF CONTENTS Section Title Page 1.0 I NTR OD U CTI ON................................................
1 l
l 2.0 SCOPE.......................................................2 3.0 RESULTS OF REVIEWING OPERATOR EXP.ERIENCE ISSUES....
3 4.0 RELATED HUMAN SYSTEM INTERFACE (HSI) TECHNOLOGIES WHERE LITTLE OR NO NUCLEAR PLANT EXPERIENCE EXISTS...........
5 5.0 CONTENT AND RESOLUTION OF OPERATOR INTERVIEWS..............
6 l
l i
l l
l 1
\\
l l
i l
l j
l l
l I
1 I
t mA2927w.wpf:1b/051396 ll
LIST OF TABLES AND REFERENCES Title Page Table 1 Operating Experience Review for the AP600 Design.....................
7 References For Table 1, Operating Experience Review for the AP600 Design........
68 Table 2 Related HSI Technologies Where Little Or No Nuclear Experience Exists.....
72 r
References For Table 2, Related HSI Technologies Where Little Or No Nuclear Experlence Exists....................................................
77 Table 3 Operator interview issues.......................................
78 References For Table 3, Operator Interview issues............................
83 m:\\2927w.wpf:1b".)51396 lii
ACRONYMS ac Alternating Current ADS Automatic Depressurization System ARM Area Radiation Monitor AFW Auxiliary Feedwater ASHRAE American Society of Heating, Refrigeration, and Air-Conditioning Engineers ASME American Society of Mechanical Engineers ATWS Anticipated Transient Without Scram BWR Boiling Water Reactors CCW Component Cooling Water CIV Containment isolation Valve CMT Core Makeup Tank COL Combined License CPS Computerized Procedure System CR Control Room CRT Cathode Ray Tube CSF Critical Safety Functions CST Condensate Storage Tank CV Check Valve CWS Circulating Water System D-RAP Design Reliability Assurance Program DAS Diverse Actuation System dc Direct Current DDS Data Display and Processing System DSER Draft Safety Evaluation Report EMI Electromagnetic interference EOF Emergency Offsite Facility EOP Emergency Operating Procedures ERG Emergency Response Guidelines ESF Engineered Safety Features FBTA Function-Based Task Analysis FC Function Centralization HFE Human Factors Engineering HSI Human System Interface HVAC Heating, Ventilation, and Air-Conditioning HX Heat Exchangers IA Instrument Air l&C Instrumentation and Control IRM Intermediate Range Monitors IRWST In-containment Refueling Water Storage Tank lSLOCA Interfacing System LOCA IST inservice Test LCS Local Control Station LOCA Loss of Coolant Accident MCR Main Control Room MFP Main Feedwater Pump MMI Man-Machine Interface M-MIS Man-Machine Interface System m:\\2927w.wpf:1tv051396 iv
I ACRONYMS (Continued) l NPP Nuclear Power Plant l
NSR Non-Safety Related OER Operating Experience Review OSC Operational Support Center PABX Private Automatic Branch Exchange PAR Passive Autocatalytic Recombiners PDP Positive Displacement Charging Pump l
PHWR Pressurized Heavy Water Reactor l
PLS Plant Control System l
PMS Protection and Safety Monitoring System l
PORV Power Operated Relief Valve PRA Probabilistic Risk Assessment PRHR Passive RHR PWR Pressurized Water Reactor l
PXS Passive Core Cooling System QDPS Qualified Data Processing System l
RAI Request for Additional Information RCS Reactor Coolant System RF Radio Frequency RHR Residual Heat Removal RNS Normal Residual Heat Removal System RV Reactor Vessel SART Silence, Acknowledge and Restart Test l
SBO Station Blackout SG Steam Generator SGL Steam Generator Level SGTR Steam Generator Tube Rupture l
SPDS Safety Parameter Display System SR Safety-Related SRP Standard Review Plan SRO Senior Reactor Operator SRV Safety Relief Valve SSAR Standard Safety Analysis Report SSC Structures, Systems, and Components SSE Safe Shutdown Earthquake STA Shift Technical Adviser SWS Service Water System l
TIP Traveling incore Probe TS Technical Specifications TSC Technical Support Center UPS Uninterruptable Power Supply VBS Nuclear Island Non-Radioactive Ventilation System VDU Visual Display Unit VES Emergency Habitability System i
VPl Valve Position Indication W PIS Wall Panel Information System m:\\2927w.wpf:1tWO51396 V
9
1.0 INTRODUCTION
As discussed in NUREG-0711 (" Human Factors Engineering Program Review Mode!"), the purpose of this operating experience review (OER) is to identify human factors engineering (HFE)-related safety issues. The objective of this AP600 review is to identify and analyze HFE-related problems and issues encountered in previous designs that are similar to the AP600 so that they are avoided in the development of the AP600 design, or in the case of positive features, to retain these features. Westinghouse will continue to review current plant operating experience and as new HFE-related issues are identified, will address or track to resolution those issues applicable to the AP600.
t l
1 i
I l
m:\\2927w.wpf:1b/051396 1
2.0 SCOPE The scope of this evaluation includes pressurized water reactors (PWRs), at both Westinghouse and non-Westinghouse plants. The issues for boiling water reactors (BWRs) and a pressurized heavy water reactor (PHWR) which are applicable to the AP600 design are also addressed. Other industry Man-Machine Interface (MMI) experience, where limited experience exists in the nuclear industry, is also addressed.
Guidance for this OER is based upon: 1) Appendix B of NUREG-0711,2) the clarification of NUREG-0711 Appendices B.5 and B.6 provided as an attachment, ('HFE Insights For Advanced Reactors Based Upon Operation Experience", BNL Technical Report E2090-4-3-1/95) to NRC letter dated 2/13/95, and 3) comments in Draft Safety Evaluation Report (DSER) Chapter 20 related to the OER for the AP600.
1 mA2927w.wpf:1b/051396 2
1 J
I l
i 3.0 RESULTS OF REVIEWING OPERATING EXPERIENCE ISSUES Table 1 documents the NUREG-0711 Appendix B issues reviewed and how the AP600 design addresses these issues. Table 1 consists of five columns and provides the following i
information; i
i Column 1 Item l
Column 2 issue Reference Column 3 lssue/ Scope Column 4 Human Factors Aspect / Human Performance issue i
Column 5 Human Factors / Human Performance issue Addressed by AP600 Design The numbers in column 1 are used throughout this document as a convenient means to reference the various issues. Column 2 identifies the reference document that presents the i
issue to be addressed. Column 3 identifies the specific issue / scope. Column 4 identifies the human factors aspect / human performance issue of the issue / scope identified in column 3.
Column 5 documents how the AP600 design addresses the aspects / issues identified in column 4.
I Tables 1,2, and 3 also document the HFE-related issues which are not currently addressed j
by the AP600 design. These issues are identified in column 5 of Table 1 and in column 3 of Tables 2 and 3 by using the terminology "lNPUT THIS ISSUE INTO THE DESIGN ISSUES TRACKING SYSTEM" typed in bold letters. Standard Safety Analysis Report (SSAR)
Subsection 18.4.4 provides a description of the design issues tracking system which includes tracking of HFE issues, i
Column 5 of Table 1 also identifies which HFE issues are not applicable to the AP600 design.
l These are identified in column 5 of Table 1 by using the terminology "NOT APPLICABLE" l
typed in bold letters. immediately after the bold type, the reason why the issue in not applicable to the AP600 is provided.
Chapter 20 of the DSER also makes reference to DSER Section 18.3 open items. The following table identifies the open item number and the DSER Chapter 20 page number, the l
Issue, and how the issue is addressed.
1 I
l l
1 i
i 4
mA2927w.wpf:1tWO51396 3
I
Open item Number DSER Page Number lasue identification Disposition of lasue 01: 18.3.3.1 2 HF1.1, Shift Staffing This issue is addressed in DSER Page: 20-187 Table 1 of this report. See item 21.
01: 18.3.3.1-2 HF4.4, Guidelines for This issue is addressed in DSER Page: 20-188 Upgrading Other Procedures Table 1 of this report. See itsm 22.
01: 18.3.3.1-2 HF5.1, MMI - Local Control This issue is addressed in DSER Page: 20-189 Stations Table 1 of this report. See item 24.
01: 18.3.3.1-2 HF5.2, Review Criteria for This issue is addressed in DSER Page: 20-190 Human Facters Aspects of Table 1 of this report. See Advance Controls and item 25.
Instrumentation Ol: 18.3.3.1-2 l.C.5, Procedures for This is a training program DSER Page: 20-113 Feedback of Operating issue. Training program Experience to Plant Staff development is the responsibility of the Combined License applicant as documented in SSAR Section 13.2.
k
[
mA2927w.wpf:1tV051396 4
l 4.0 RELATED HUMAN SYSTEM INTERFACE (HSI) TECHNOLOGIES WHERE LITTLE OR NO NUCLEAR PLANT EXPERIENCE EXISTS Soft controls, computerized procedures, and large screen (wall panel) displays are HSl technologies that are not used in currently operating nuclear power plants, but will be used in the HSI/M-MIS design of the AP600. Westinghouse has reviewed the operating experience of '
these technologies or related technologies from other industries in order to identify HFE-related issues that need to be addressed. Issues related to these technologies include navigating through large display networks, implementation of soft controls, and group situation awareness.
The reviewed documents iriclude operating experience from the following industries: fossil power plant, aircraft industry, naval programs, space program, electrical, gas, and oil. These reviews are documented in Table 2. Column 1 of Table 2 identifies the reference document which was reviewed. Column 2 identifies the HFE-related issues applicable to the AP600 i
design, and column 3 documents how the AP600 design addresses the identified HFE-related issues' In column 3, some cross-referencing to Table 1 occurs where the identified issue is identical to an issue already documented in Table 1. Where the issue is not currently addressed by the AP600 design, an entry is made in column 3 stating "lNPUT THIS ISSUE INTO THE DESIGN ISSUES TRACKING SYSTEM' typed in bold letters. The reference documents in Table 2 (References 2.1,2.2,2.3,2.4,2.5, 2.6, and 2.7) are identified in the Reference list following Table 2.
e I
m:\\2927w.wpf:1tv051396 5
8 l
(
i 5.0 CONTENT AND RESOLUTION OF OPERATOR INTERVIEWS As part of the CER, Westinghouse has conducted operator interviews and observations during plant operations and after operating events. These interviews / observations are documented in Table 3. Column 1 of Table 3 identifies tha reference that documents the operator interviews.
l Column 2 identifies the HFE-related issues applicable to the AP600 design, and column 3 l
documents how the AP600 design addresses the identified HFE-related issues. In column 3, some cross-referencing to Table 1 occurs where the identified issue is identical to an issue already documented in Table 1. Where the issue is not currently addressed by the AP600 design, an enty is made in column 3 stating "lNPUT THIS ISSUE INTO THE DESIGN ISSUES TRACKING SYSTEM" typed in bold letters. The reference documents in Table 3 i
l (References 3.1,3.2,3.3,3.4,3.5,3.6,3.7, and 3.8) are identified in the Reference list l
following Table 3.
l i
)
mM927w.wptitWO51396 6
.-._m.
m m-____
m_
1 3
TABLE 1 y
a OPERATING EXPEfMENCE REMW FOR THE APGse j
g C
essues Adeseeed By NUREG 9711 Appenes 5 h.
emeue Item Reference leeuef5 cope Hu,sen Factere AspeeWHuman Portermente leeue Human FeetereMumen Performance leeue Adesseed Ipy AP900 Design j
1 stem B.1 (1)
A-44, Station This is a targe end signeticent issue with many human lectors-Station biecteut is a design basis event for the AP900. Paesive selety reisted systems I
i blackout rotated espects including controls, dlepinys, treening, and utilize one time reeugnment of volves to provide system initiation. Atter initation, those procedureu.
pesolve systems do not respire power to sustein their operanort. For a stemon blackout event, me volves met engn sie AP800 systems required to mitigste the event are lee-sete velves, i.e on toes ofposer moy move to me posigon that inilletes system operellort Post accident monitortng instrumentellon required to seHefy Reg Guide 1.97 is powered by tE bettenes. After 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> timNed ellelle eselstence may be required to extend his monitoring The AP900 merHnechine interface system (M-MIS) for controls in the main control voor-(MCR) consists of soft controls et me operator wartistellons and dedicated coravais at me descated sessly penei. Reactor operator and senior rescior operator (SRO) workstations and their esplays are powered from now1E urenterruptable power surpiles (UPS). The workstacons will be aveRoble for 2 haurs into the station blechout.
After 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> the operators rely on the QueNNed Data Processing System (ODPS) disploys and the dedated conhols for control and monnoring of the pient. The ODPS pmvides the Class 1E, queNNed esplay system and is powered from the Class 1E UPS. The OOPS and the Amerated conkois are located at *he descald safety penei.
The design of the QDPS deploys, descated coreols and the descated safety panel q
are sa part of the Human System Interfeca (HSI) and therefore um be a product of element 7 (HS1 Design) of me AP900 HFEJHSI delyt process as descre>ed in Subseccan to.8.2 of me SSAR.
Training program development and procedure developmert are me responsibilNy of the Combined ucense (CL) anpe=W as stated in 13.2 and 13.5 of the SSAR.
2 Item B.1 (2)
A-47. Safety This lesuo reintes to the irrylications of fatures of nonsafety-The plant antrol system is designed to be a high reuebelly system using UPS and impilcations of reisted (NSR) control systems and their interaction with control redundant control processors. Segmentellon of control functions is provided to control systems room operators.
decrease the eNoct of controt system equipment lature.
Mumple process conhoe verteble channels are used to decrease the Irreact of instrumentellon feNures. Where the protection system and conhol system share common process coreral v table inputs, inciamon devices, and a signet selection function are used. This prevents control system leeures from affecting the performance of the protection system, as wen as prevenung signalladures (caused by a failure of me protection channeQ from inilleung a mnert* accon met could toed to a plant andluon reguletng that protecGwe actiert An independent dverse actuaton system (DAS) is also provided in the AP900 design to reduce the per*=wety of e severe eatdent that potenuesy resuas form the unakeer coinddence of possuieted Ironsients and postulated common made secure in the protocuan and contros systems. The CAS provides automouc and menuel control casebany. es wee as providing dherse operator depisy ar=wwy
3 bn M
TAeLE 1 (Cenunued) k 3
ONMG EXPEIWDeCE REVtEW FOR THE Are90 seeues AdWessed Dy NUREG 9711 Appendia B l
item teous Reference geometbeepe Human Feeters AspectfHuman Perfennance leeue Human FactereStuneen Portennonce Issue Addressed by AP900 Design g
l 3
nem B.1 (3) 817, Creorie for TNs leeue involves the developmert of a time critadon for WCAP 14644, *AP900 Funceonel Requirements Analysis and Function Anoceton?
safety-related (SR) safety-related operator actions induding a determinetton of provides e descr$ son of me tmis for automalle actuosons of accident mitgelion (critical operator oceans whether automase actuation is required. This leave also selety) funcuons and me sesociated cap = Nee== for manuel operosens The AP900 cancems some cunent PWR designs repletng manuel provides automesc mittgeson of design beels accidents inclutsng initiation of to long operations to accorglish the switchover from the Ingschion term poet 10CA recirculation mode. Recovery accons for verlous emergency scenerlos mode to me recirculemon modo eller a toescleocient are specNied in me AP800 ERGS and take operator ocean timing into considerseon.
accidert (LOCA).
4 Item B.1 (4)
B-32. Ice effects on The bulldup of ice on service water intake con occur 900T APPs arsas o The sorwice water system in AP900 is,
_,-related. Refer to safety-related water gradually and can require irgroved hatrumentetlon to esow SSAR Sibeetton 9.2.1 for e desertpean of me service motor system (SWS).
suppaes operators to detect as occunence before a causes system inoperabluty 5
Item B.1 (5)
GI-2 Feture of A large nunter of licensee event reports have noted the The AP600 is desagned to minimize the ellects of latures of protoceve devices on protoceve devices Ir-=p-*= tion at __ r, equipment because of the essensei equipmert.
on essensel feaure of protoceve devices, su::h as fuses and circuit
. The number of aceve essensel devices has been rninimlred by the passive design of 03 squipment breakers. Operators are not shueys aware of the fesure of me AP900.
equipmere because of the design of the instrumentomon.
. The AP900 is provided wim en entonalve distreuted (noneelety) control system that con be used by me operator to monitor the operemon of the plant and quickly identihr Inopersbee devices.
. The AP800 conforms with Reguistory Guide 1.106 for the appucation thermal overtoed protocean devices.
. Redundert motor-operated velves are powered by inoependerd t9 visions of the Ceses 1E de system. The four t9 visions of me Class 1E de system are completely Independent unh no provleian for cross-connect.
i 6
Item B.1 (6)
GI-23. Reactor This is a multilaceted leeue, that includes e number of NOT APPLICA8LE: The AP900 design specilles reactor coolent pumps with conned
(
cocient pump seal proposed resolusons. One subissue is the prowlsion of motors that have no seats. Refer to SSAR thereans 5.1.3.3 and 5.4.1.
failures adequate seat instrumentation to enow the operators to take correcuve actions to prevent ceteatrophic femuro of seats.
7 Item B.1 (7)
GI-51, Improving The bulldup of clams, mussels, and corrosion products con The AP900 service water system is.~. -_ _, -
The AP900 uses chernical the reelebulty of cause the degradellon of open cyde SWS systems Added control h me SWS (SSAR 9.2.1.2.2) and Circulating Water System (CWS) (SSAR open-cycle service instrumentellon is one means of prowl 9ng operslors with 10.4.5.2.2). The Combined Ucense (COL) appecent we address me specMic chemicals weler systems.
the capabety to montor this hame and take conoceve used for water chemismy consul, algicide, and blacide apper= eons, rensenng potennet l
acWon before loss of system funcuannuty occurs.
vedemons in sue water chemistry and in micro and macrobiological NIe forms (SSAR 9.2.1.6 and 10.4.12.1 respecovely).
8 tiem B.1 (8)
GI-57, Ellects of This issue resulled from spudous and inadvertent An eglicit rosysirement selets to design me system such met inadvertent operations du are protocean acquemons of are protection systems, citon e=a==rr by not occur (SSAR 9.5.1.1.1, Rev. 4). There are no spdneder systems or automaticeuy system actueuon operator errors dudng teseng or maintenance Desip of initiated are prosecuan system in areas containing selety related components 5.1.2.1.4 -
on i,
systems should provert suam enors to the entent posoitte SSAR Rev. 4). Also en evalueNon of the Are protocean system integrey onelysis is equipment.
performed for estely-reisted systems. The system is designed to be in compuence wah STP CMES 9.5-1.
l
3M i$
TABt E 1 (Continued) b3 OPERATING EXPERIENCE REVIEW FOR THE AP900 b.
leeues Addressed By NUREG 0711 Appendla 8 u_.
item leeue Reference leeuetScope Human Factors AspecttHuman Performance teous Human FactoratHuman PerformanceIseue Addressed by AP900 Design g
9 Item B.1 (9)
GI-75, Generic TNs issue has many subissues, several of wNch are The AP600 includes a DAS that provides a dverse backup to the protection system.
Ir@lications of related to human factors, for exarmle. scram data for post-TNs system is a nonsafety-related instrumentation and control system that is an
/eticipated scram analysis, capability for post-maintenance testing of expanded version of the ATWS Mitiganon System Actuation Cabinets in the present 1 ransient without reactor protection system, and a specific subissue ll5ed generaten Westinghouse nuclear power plants. One of the functional requiremerf5 of
! cram (ATWS)
" Review of human factors issues?
the DAS is to mnigste consequences of a failine to trip tonowing an ATWS. The OAS provides a diverse, allemate means of automatica#y tripping the reactor and actuating specifled En0meered Safety Features (ESF) functions for selected events N the Protection and Safety Monitoring System (PMS) is unable to perform these funcuans as a result of common mode failure. A more detailed description of the DAS, including the diverse nature of the system, is found in SSAR Stbsection 7.7.1.11.
The AP600 instrumentation and control systems inc!udes a Data Display and Processing System (DOS). One of the functions provided by the DOS is a dstributed computer function. The dstributed computer function provides data acqutsition, data storage, and computattorial functions to support operations, engineering plant information needs and emergency response information needs within a single system. The estributed to cormuter function interads with the plant operators through the operational display function and the Plant Information System. The estributed computer function provides many computational functions, including provtsions for pre-and post-trip data for review and analysis, Nstorical data storage and retrieval, and data logging.
The AP600 PMS is a safety system of electrical and mecharacat equipment that senses generating station conditions, and generates the signals to actuate reactor trip and ESFs that provide the equipment necessary to monitor plant safety-related functiorts durt1g and fotowing designated events (Reference SSAR Secean 7.1). The PMS provides a high degree of regatAtty and fault tolerance for both operating and maintenance situations. SSAR Subsection 7.1.2.10 describes the specific design features that provide this capabluty. SSAR Subsection 7.1.2.12 desert)es the PMS test capebutties and design featsres.
The AP600 reactor trip switchgear has four redundant safety dvisions with each dvision containing two circuit breakers of the reactor trip switchgest (eight breakers total). As illustrotnd in SSAR Figure 7.1-7, the eight circuit breekers are arranged in a two outel-four logic configuration (Reference SSAR Subsection 7.1.2.5).
10 ftem B.1 (10)
GI-76, TNs issue raises several concems, including control and The design of the operator displays is based on en analysis which identifies the instrumentatbn and instrumentation (t&C) faults that could bHnd or partially blind appropriate drplay variables for monNoring mnditions in the reactor coolant system control power the ope stors to the status of the plant.
(RCS), Wie secondary heat removal system, the containment, and the systems used for Interactons attaining a safe shutdown condition. TNs analysis also estabRshes the appropriate design basis and quaNfication criteria for the instrumentation which provides the l@ut to the operator displays (Re'erence SSAR Section 7.5). In addition to these displays, the DAS provides separate and dverse indications which can be used by the operator.
Refer to the responses of items 59 and 113 through 119 for design fealthes of the AP600 DC Power Systems.
r i
I g
i w
5 TABLE 1 (Continued) f Iu O,.R
. m l C.
vi. u ORTo.
I h Addressed By NUR.G SF11 Appendia B h
nem Isous neforence Iseuemcope Human Factere AspectMuman Perfennonce Issue Human FactereMinnen Portennonce locus Addressed try AP900 Design 11 nom B.1 (11)
GI-os. Residual The design of the residual heet removal (RHR) sucton Based upon a corderence ces of W1995 wNh the NRC Human Factors Branch, R was heet removal velves w4h respect to volve poolgon intScoton and agreed not to indude this leeue as part of the OER.
sucson velve instrumentoson to deced potenuei leakage from Ngh-to-lour tesung preneure areas is important to the prevennon of irnedecing
[
system nossel-coolant accidents (tsLOCAs). This is irmortere for normal operemons and for teenry 12 nem s.1 (12)
Gs-101, ereek plus This issue attempts to ensure : net robust informenon is sesed upon a conference ces of W1995 milh the NRC Human Factors Branch,it was single fatiure in ave to the operators for both reactor water level and agreed not to include ins issue es part of the OER.
boang water for piert status during the # m_.
of an accident.
i reactor water levee instrumentenon 13 leem B.1 (13)
GI-105, Interfedng This leeue rotates to pressure leottilon vetves for BWRs.
NOT APPUCABLE: This leeue rotating to preneure leointHn velves is only appucebie to
[
BWRs b
14 Item 8.1 (14)
GI-110. Equipment Fogures and incepedtetion of ESF equipment have The ESF design is bened on the use of four separate safety t9 visions for sie sense and protoceve devices occurred because of the failure or kitentional bypass of commend funcelon and two or more divisions for the execute function. The system is of engineered protecHvo devices, Both sie design of these protective designed to accommodate a single failure of a process siipielinput by altering the sense safety features devices and the appropriele indlcaton to control room and command logic tmm a twoout-of four voting logic to a two-outer-three voting logic.
operators are Irmortant.
Adtstonal fetures con be accommodeled by altering the logic from a tweeutef-three to e oneeutef-two. Any atterript to accommodele addition failures by en intenhonal l
bypees resuns in actueWon el the protecWwe function. Alarms and displays are provided t
so that sie conRguration of the ESF con be determined by the operator et any eme.
15 Item B.1 (15)
GI-116. Accident This issue relates to improved operator training and Based upon a conference ceR of W1995 e9i Wie NRC Human Factors Branch, it was managemere procedures for meneging accidents beyond the design agreed not to include this leeue as part of the OER.
beels of the plant.
(
L s
. ~.
--.n..-.--.
~ -
v- - - - - - - -
---a--
m a
w
=
w
_~m._
._.___o
_mm
_. -_ _.. _ - m
__mm_m
._m-.
____.--___.m I
i I
l t
3 I
m 3
TA8LE 1 (Conenued) k M
OPERATWIG EXPERE*0CE REVEW FOR TIE APSOS
[
Issues Addrosaed By NUREG Oy11 Appendiu 5 i
Item teous Reference IsometScope Human Factere AspecWHuman Portonnance lesse Human Factere40mmen Performance Inous Addressed try AP900 Design
+
16 Item B.1 (16)
G1-117, ABonable A toy espect of this item is prm4 ding operators unh For tw AP900 Wie Well Penal Hormaton System (WPIS) ulu deploy for each piere I
equipment outage needed assistence in identWymg reek-styillicant operating mode or signWicard plant operating state, a mimic deplay tiet wel provide a Umes for everse, combinatioris of equipment oulogos. The Informenon physical overview of Wie status of the pionrs signecert systems eret key cormonents.
[
simuneneous needed would include veeve magnments, sanch setunge, es The wet panel mimic dopiny we include to dopiny of high-level dortved quantines, e g,
equipmere outages was as cormonents deciered inoperstde.
those that depend on a parecutar logi: esgoethnt An exempio of a derived quensay is the sweembaty of seemly systems The WPBS we provide irWormeWon to the rnein control j
mom (MCR) personnel summedring those components and systems lhet are Inoperable t
The AP900 We8 Penal overview sierm dopinys, e'nng unh the visual Display UnN (VDU) Suplays, we automaticaey present indiceuon of twessed or douberately induced inoperstdo sessly equipment. This we include the bypassing or desberateer induced inoperetsuy of any muumiery or supparung system that specWwely bypeseos or renders inoperable the protocean system and the systems actueled or controsed by the pmtecuan system.
The ODPS wel contain physicot depimp for the representoson of the performance of systems and components eneociated wth the cordvol of selety reinted funcuans These physical dispinys we conomin enough data so tiet sie operator can monitor the operation a
os sw plant hardware. The type os insomwson to be put on ewee deponys we be dortved through a funcuan based task enelysis process (FBTA). Indiceevely, the type of informenon to be shown on em physical depisys could be of the loRowing types: 1) flow path segnments; 2) verve poemons; 3) purg sestos; 4) tank levels and cepecities,
- 5) heet exchangers heet belence; 6) eveuebaty status of Wie support systems (electridtv, cookng, etc ); 7) system or component intertocks; 8) system or component operating i
rules; 9) Irgortant date with intertecing systems.
17 Item B.1 (17)
GI-120. OrWine The designs for on-line testability should include The on-line testing of the protocuan systems is accompaahed by a sortes of tests with testabimy of appropriate human tectors to ensure sete tesung.
suedent overtep to Isot se necessary funcuana. Most of the tesang is performed prosecuan systems automanceur once inmated by em operator. A descripean at em system reuebaty and fault tolerance during operations, maintecence, test and bypass, and L description of the bust-in test cepeteises are provided in SSAR Samarearis 7.1.2.10 and 7.t.2.12.
18 nem e i (18)
GI-12s.t.3, Sessly This issue edeesses Selely Parameter Display System Besed upon a cordwence ces of 6f1995 wth the NRC Human Factors Branch, R was parameter deplay (SPDS) evenetdley and to reenbety of the informadon R agreed not to include this leeue as part of the OER.
system eveembilny displays.
19 Item B.1 (19)01-128, Electrical This issue includes power to vital Instrument buses, drect Generic Issue 128 was created by contdning leeues 48,49 and A-30. Resolullon of power reenhaoy current (de) power supptos, and electrical htedocks. AE of leeue A-30 is contained in Generic Letter 91M The AP900 response to Generic Letter these leaves are strongly dependent on proper indceWon 91-08 is centained h leem 50 below. Resoluuan of leeues 48 and 49 la contained in and operator acHon for high reRebuity Generic Letter 91-11. The AP800 response to Genede Leser 91 11 is contained in Item 81 below. The AP900 response to Generic issue 128 is summarized h SSAR i
Subsecten 1.9.4.2. Item 128.
20 Item B.1 (20)
GI-130, Essential This leeue reintes to the arrangement of SWS pumps and 9007 APPUCA8LE: This leeue concoming the Isilure of SWS cross-ties et mulu-unit l
service weier pump piping, including croes4es et muni-unit enes. Both the ones does not apply to the eingle unR AP800 desiyt secures et mum-arrangement and sw operators ebimy to monnor the status piant snes of cmse4es are important. This nem mennons poterent appucebaty to singloenn enes also.
. ~
i t
i E
b i
i N
5 TABI.E 1 (Conthuwd)
I k
OPERATWEG EXPEfuENCE REVW'W FOR THE AP000 i
Issues AdWeemed By NUREG ST11 Appendia B esem issue Reference issuescope Human Facters AspecWHuman Perfonnance Issue Human Factere4tinnen Portermance teous Adheseed by AP900 Design g
21 Mem B.1 (21)
HF1.1 This inwe is simmer to item I.A.1.4 in SecNon B.2 (IIsm de SteHing leeues are addressed ty cargleting Elemere 5 (Stelling) of the HFE/HSI design of mis table).
twocess. Stemng levels are the moponsibuir of the cot. appecert weih the encopean of the MCR stemng. See SSAR Secuan 18.7 lot a doecrgnion of the AP800 seaning i
analysis plan for the MCR. SSAR Section 16.1, Sad-r11on 5.2.2.d also addresses MCR i
siemno and umies on wortdng hours.
22 nem B.1 (22)
HF4.4, Guidennes TNs leeue addreseos nonnel and atmormal
' ah Based upon a corderence cet of 8/1Bif5 weih the NRC Human Factors Branch, R was f
7-.-.
l for morading omer the same menner as emergency procedures.
agreed not to include this leeue as part of me OER.
p W res 23 Ilom B.1 (23)
HF4.5, M-MIS See HF5.2 below.
Based upon a conference ceR of 6/1tW95 wlm me NRC Human Factors Brandt R was t
automegon and agreed not to include this tosue as part of me OER.
i f
artlRcles inteNigence 24 learn B.1 (24)
HF5.1, Local This leeue addresses he M-MIS of local control stellons The local control stations are included h the HFE/M-MIS doelp process. Among the
[
control stesons and ouuNiery operator interfaces.
human lectors creerte that are oppmed acmos me AP9001&C and M4AIS design is the
[
criterte met each workstation, local control alston, or other area of personnel activity, be l
a analyzed and doelped to acmmmodate me lonominqr 1) expected modes of operation, 30 including maintenance and resueang: 2) seemng levels egoceed under each of these ogeded modes.
i Also, refer to sie responess of items 161 tuoupi 16g.
25 llem B.1 (25)
HF5.2, Review This concem is a continellon of HF4.5, the original HF5.2 This leeue is addressed by completing Elemort 3 (Funcuonal,
_27 Analyses and creerte for human on annundstors, HFS.3, and HF5.4.
Funcson Atocollon) and Element 7 (HSI Design) of me AP900 HFE/HSI design process.
l factors espects of As part of me exiseng Element 7 process as doecreed in SSAR Subsection 18.8.2, an t
advanced controls HFE design guldeene document we be created for each of the AP800 HSis. Refer to i
and instrumentenon WCAP 14644 for the AP900 Functioned Requirements Analysis and Function Asoceson.
t Refer to WCAP 14644 for Sie AP600 Funcilonel Requirements Analysis and Function 26 hem B.1 (26)
HF5.3, M-MIS This leeue involves pidence on M4AIS for new dleplay and This issue is addressed by corgleting Element 7 (HSI Design) of the AP600 HFE/HS1 evalueton of conhol technologies design process. As part of Wie Elemert 7 process as deserted in SSAR
, - ; aids Sim-com 18.8.2, en HFE design guidenne documert we be created for each of the AP900 HSIs.
l 27 Item B.1 (27)
HF5.4, M4AIS See HF5.2 above.
This leeue is addressed by cargleung Elemert 3 (Funcdonal"n ' _._;. Analysis and cargulers and Funcilon Apocation) and Element 7 (HSI Design) of gio AP900 HFE/HSI design process.
cargular qReploys As part of tie enleting Element 7 process as doecebed in SSAR S@soction 18.8.2, en HFE design guldsene document wEl be created for each of the AP900 HSIs.
28 leem B.2 (1) tv, :";. r The design should conalder control room (CR) alarm and NOT APPe nr ans er This leeue is only apper=mee to BWR plants.
moenre inlecuan inecesan of me inneson levees and now.sevel ressort and mector com values.
l Isoisson cooung esperoman
,.~
3 bu 5
TABLE 1 (Continued) 1 3
OPERATING EXPERIENCE REVEW FOR THE AP900 feeves Addressed By NUREG 0711 Appendia 8 g
y Issue Reference leeuafScope Human Factore _^,
Z__. Performance leeue Human Factore40umen Performance leeue Addressed Ipy AP900 Design 29 Rem B.2 (2)
Ivt, Reduction of The design should consider CR alarm and indicamon of Status indication of the pressurtzer safetyheRef valves and the steem generator challenges to SRV status and important parameters.
safetyhelief valves are provided in the MCR. The position status of these safety #elief safetyhenet valves valves is included in the Est of verlebles and instrumentation needed to atow the (SRV) operator to monitor and mainteen the safety of the AP600 throughout operating conditions that include accident and post accident conditions. SSAR Secnon 7.5 provides this Est of variables and instrumentatlan.
The pressurtzer safetyhellet valves and the steam generator safetyhelief valves wel have a fut set of abnormall'y alarms and status messages in the MCR. The abnormality alarms wlR appear in the overview of alarms as integrated into the WPIS. For example, alarms alerting the operator that the valve is OPEN when R should be CLOSED or CLOSED when R should be OPEN win exist and wig appear in the alarm overvieve as integrated into the WPIS. Status messages for the expected behavior of these safety reRef valves wel exist on the alarm support screens evaliable at the operator's workstattort For example, status messages informing the operator that the valve is OPEN when R should be OPEN or CLOSED when R should be CLOSED will exist and a
G be avatable on the alarm suppwt screens avaliable at the operator's workstation.
The AP600 alarm system is designed fonowing the HSl design process descrRied in SSAR subsection 18f 2 as part of the AP600 HFE program.
30 item B.2 (3) tvil. Automatic Determination of the optimum ADS for elimination of The AP600 ADS has been designed to provide a controlled depressurization of tt e RCS depressurization manual activation should include consideration of the following smas LOCAs. It is automaticacy actuated on a low core makeup tank (CMT) system (ADS) stuoy operators
- need to monitor the system and an analysis of levet, which is indicative of a signincent loss of reactor coolant from the primary system.
the time required for operators to perform manual backup if The ADS functions to depressurize the primary system to enable gravity <$rtwen safety required injectiort The AP600 passive safety systems (including the ADS and the CMTs) actuate automatica#y to provide core cooNng, and to provide the operators sufficient time to take i
rnanual actons as prescribed in the AP600 Emergency Response Guidelines (ERGS).
The tir94ng of the accident sequences is such that for smeN LOCAs, first stage ADS i
actuation does not occur for at toest 20 minutes after actuation of the CMTs. This provides the operators sufficient time to diagnose the event, to properfy monitor the actue6on of the ADS, and to portrm manual backup N necessary, as prescrt>ed in the ERGS.
31 Rem B.2 (4)
Ivlil. Automatic This issue involves anocation-of-function considerations in NOT APPUCABLE: This issue is only appNcable to BWR plants.
restart of core terms of automatic restart of a system after manuel apray and low-stoppage by the operators. Consideranons of whether pressure cooient automatic restart should be avelloble, how R should be injecilon implemented, and what alarm and intNestions are needed in the CR are required.
1 L
3f w
?
TAeLE 1 (Conunued)
Iu DP Anl fc.. - - R = A l
smoues addressed my leUREG Crit AppendIn B seem issue neforence eseuerscope Human Factere AspectHuman Perfonnanceleeue Human FactoreMumen Portonnance locus Addressed by AP900 Design g
32 nem B.2 (s) t si, Considersuon of 4
".:enon we involve em provisions Manuar corecaed 4
'-- 1-, of me primary system is employed to mitigste some Depreseudzenon by of storms and Indicamon in the CR. Some methods may accident sequences. For hetence,in the seapones to a steem generator tube rupture l
means other then also require operator ac9ons that should be subject to the (SGTR), the ERGS and bactiground documents (Reference 2) instruct the operator to i
ADS fue design and implementanon process deposeurtze the primary system to -y=e= pressure to me somndary system, and thereby stop the reisese of primary coolant to the secondary systent This can be edileved by use of me pressorizer aprey. If nonnel or euuNiery sprey is not aveRoble, men a first stage ADS volve k. used to reduce the RCS pressure.
Manuel ADS is also used as a haraaf to automenc we=sian of the ADS. In these instances, the operator merumny actuales ADS on oNher 1) low CMT water level logoned by the fadure of Wn ADS volves to open,2) lour hot leg level as a reeut of l
Isilure of the ADS and/or sutmoquert of operator tenure to recognize the need for ADS, f
or 3) high core exit terryeratures indiceeve of a signincent degredoton in core cochng.
I These eseociated parameters wul be eiermed by the Alarm System. The ERGS contain optimal recovery guidelines and function testoration guidelines. The ERG background documeres cordain a description of the accident sequences where the use of altomate or
_a A
manuel J,._.La,,,is enticipated.
33 nom B.2 (6) 1xe Anemate The evolustion of design aNomeuves for hydrogen control Hydrogen ignNors are provided to address the posetally of a beyond<jesip4:esis evert hydrogen control systems should include the information needs of the which results in a rapid production of large amounts of hydrogen, such that the f
systems operators to essess the conditions that would require containment hydrogen concentration would onceed the caparty el WWessive system inleetion and the degree of automation of the Autocatalytic Rommbiners (PARS), thereby resulung in the llemmebH'*y timR being systems.
encoeded. The ignitors are ;,- _-- _ted in the design to address a low 9tobabikty severe accident, and are not reRed upon to mNigste design basis events. The ignitors are achseted menuety by the operators, as a result of two cxant5tions. 1) when the core entit temperature reaches 1200 *F (atorm), or 2) on receipt of a high hydrogen concereration alarm as detected by tie hydrogen monitors. There is no provtsion in the design to actuate me 10nitors automaticesy l
34 Item 8.2 (7) 2tv, Safety The selection and display of kriportant selety parameters The regulatory requirements for an SPDS wlE be met by integrating me 4
._,n f
Parameter Display and their Integrounn into the overas design of me CR is e into the design requirements for the AP800 M-MIS, specincecy into the portions of the System (SPOS) prime *y HFE lesue.
system that produce me alarm mesenges (Alarm System), the Computedzed Procedure System (CPS) for emergency procedures and me procoes VDU diepinys (Plant Information System). The integration of the SPDS Into the AP800 M44tS and a description of how the AP800 M-MIS design settenes the requirements /crRette of a SPDS is found in SSAR 18.8.2.
35 Item B.2 (8) 2v, Automatic Providing operators with the capability to sponitor the status Alarms and (Seplays (both wJrkStellon and WPIS depisys) are provided so that the int 5 cation of of automatic systems is en irrportant function of the CR conNguration of me protection system can be determined by the operator at any time.
bypessed and iniormamon supony system and a component importere to This indiceNon includes IndiceWon of bypassed and inoperable hems.
inoperable systems the maintenance of the operators snusson enerenees.
i
kkt:
5 TABLE 1 (Cenenued) k
'i OPERATING EXPERIENCE REVIEW FOR THE AP900 i
7 l
8 Issues Addressed By NUREG 0711 Appends 8 Item Issue Reference
_7-_-_,--
Human Factors A C".
Performance locue Human FactoraMuman Performance locue Addressed by AP900 Doolgn g
36 Item B.2 (9) 2vl, venting of Operator monitoring of the status of noncondensible gases SSAR Sthsection 5.4.12 docusses the AP600 high point vents including the reactor i
noncendensble in the RCS and having clear, unentiguous indication of the vessel (RV) heed went The requirements for high point vents are met for the AP600 by i
gases conditions under which gas release must be initiated should the RV heed went ve!ves and the ADS vehes. The pr!mery funchon of the RV head went be evaluated for HFE design impacetions.
is for use during plant fis and startup to property IIll the RCS and vessel head. Both RV head verit vafves and the ADS vetves may be activated and controped from the MCR.
The AP600 does not require use of an RV head went to provide safety 4eisted core cooling Iollowing a postulated acciowit.
The erst stage valves of the ADS are attached to the pressurtrer and provide the capabluty of removing noticondensible gases from the pressurtzer steem space foNowing en accident. Gas accumulations are rer ioved by remote manual operation of the $rst stage ADS valves. The discharge of the ADS vetves is directed to the irs:ontainment refueling water storage ter* (IRWST). Subsection 5.4.6 and Section 6.3 of the SSAR discuss the ADS volves and discharge system.
The AP600 ERGS specify in ERG AE-1, Step 17 that the plant staff be consulted to a
01 determine if the vesset head should be vented. Their doosion would be based on the specific accident sequence and evallable systems. Operation of the ADS typicapy obviates the need for venting of the head to preeerve natural circulation cooling.
Although not required to provide safety 4eleted core cooung following a postulated accident, the RV heed vent vetves can remove noncondensbie geses or steam from the RV head to mitigate a possible condition of inadequate core coonng or impaired natural circulation through the steem generators (SGs) resulting from the accumutation of noncondensible gases in the RCS. The design of Wie RV heed went system is in accordance with the isc.:....~.e, of 10 CFR 50.34 (f)(2)(vi).
The RV head vent volves couki also be used during a severe accident (beyond-design-basis) scerwrlos where mumple failures in the safety 4eleted systems result in fuel demoge and the generation of nontsndenstle gases Viet collect in the vessel head.
Coneinstions of multiple faHures in the safety 4eisted systems could make venting the head to oneviate the bundup of noncondenstie gases desir.bie.
i i
l 3
I e
1 5
TABLE 1 (Centnued)
- a OPERATW8G EPPERE90CE REVEW FOR TIE APOSS g
--,RE..,,,_.
g Item Iseue Reference leeuemcepe Human Factors AspectStumen Perfonnance leeue Human Factore40mmen Perfornience leeue Addressed try APOOO Doolgn j
37
- em 8.2 (10) tut, Dweet The alarming and Indice4cn of SRV status shoukt be t$ser Status indication of the pressurizer solelyhehof volves and Wie steem generator IndiceWon of selety and unemtWguous and should be evskasted for HFE tiesign solelyheest volves are pmvided in sie MCR. The poellion status of tiese seletyhe#ef
}
relief volves in CR irgilcetons.
valves is induded in the het of variebtes and Instrumentellon needed to aNow the l
operator to monnor ano meinism the seesty of the ape 00 vuoughout opereung l
contRelons that indude accident and poet==*emnt conssons. SSAR Sedion 7.5 provides Wils tiet of variables and instrumorenson.
E The presourtzer solelyhenet valves and Gio steem generator seletyheest valves wel have a fur set of abnormeuly alarms and status enesenges in the MCR. The abnormeNIy l
einems we appear in the trarview of alarms as integrated into the WPIS. For energte, elorme alerung the operator that the volve is OPEN when R should be CLOSED or CLOSED when a should be OPEN wEl exist and alR sppear in Wie alarm overview as hoograted into tie WPIS. Stelus messages for the egocted behavior of Wiese selety retet velves wut enlet on the sienn support sessens aveAmble et the operator's L
workstation. For energie, sistus meseeges IrWorming the operator Wiet Wie velve is f
OPEN when R should be OPEN or CLOSED when R should be CLOSED wel exist and a
03 be avegable on Wie alarm ogport screens evne=Na at Wie operator's workstemon.
The AP900 atsim system is designed following Wie HSI design process descreed in SSAR Sdeschon 18.8.2 as part of the AP900 HFE program.
L r
38 Item B.2 (11) 2ril Auxellery The HFE espects of providing Indicsson and initimeve for NDT APPLICABLE: The AP900 does not have en AFW system. The AP900 Possive Isedwever (AFW)
AFW should be evalueled.
Residual Hoot Removal (PRHR) system funcueneRy replaces Wie AFW system. Refer to IndiceWon anit SSAR Secton 6.3 for e description of the Paeolve Core Cootng System (PXS) which initogon hcludes tio PRHR system. The indications needed to monitor the proper operemon of the PRHR system are identilled and verWied Wuough tie FBTA process as descreed in SSAR Seescuan 18.8.2.
b se nem B.2 (12) zuwt, Nunter of As part of the spedeceNon, showeble actuaton cycles ar.d INPUT THIS ISSUE INTO THE DESIGN ISSUES TRACMNG SYSTEM.
metumuon cycles for the method by which cycles we be denned, vocarded, and sie emergency tracked by the opersens crew, should be evalueMd for HFE l
core cooling system design armacomons, j
and rosetor l
protecWon system j
40 nom s.2 (13) zuve, CR The selecuan and display of important parameters and their The WPIS provides dynamic dleploys and mimics that present infomioWon orteneng MCR l
inenumerneson for integreWon into the overeE design of the CR is a petmery operators and those entodng the CR (operator shNt tumover technical stelf, plant j
various parameters HFE issue.
management, etc.) to the cunere status of the plant. For eam plant mode or signficant i
plant state unNn an opereung mode, the WPIS Indudes a mimic display that provktes a physicer overview of the planrs signskant systems and respecove key components.
The was penet mimic tsapley indudes the dynamic tsapiny of key plant paramehws so that the vuodor operator or a person ereering tus MCR can estabesh the plant operating l
~..
k w
3 ro U
TAtt.E 1 (Conensed) r
+
I oPER E.R cE RaiE.,oM THE u
[
leeuse Addressed By NUREG 9711 Appendia B Item teoue Reference leeuef9eope Human Feetere Aspect l Human Portennonce Issue Human Facteremumen Performance Issue Addressed try AP900 Denga g
41 hem B.2 (14) 2rvlil, CR The selection and dispisy of irgortent parameters and their The regidatory requirements for en SPOS udl be met by 7. :, JJ./ the n;_' _.24.
Instrumentation for integration into the overes design of the CR is a primary into the design requirements for the AP900 M-MIS, speelRcesy kilo the poruons of the inadequate core HFE issue.
system that produce the eterm messegos (Atarm System), me CPS for emergency procedures and the process VDU displays (Ptent InformeWon System). Refer to SSAR cooNng Subsecton 18 8.2 for e descripilon of the SPDS.
Foetrying a reactor trip the CPS pmvides automatic #90nitoring of the critices safety 1
func9ans (CSFs), sierts me operator to e dopoded function, and suggests the appropriate funceton restorneon guidenne. Core Cocung is one o the CSFs.
r Also, refer to SSAR Subsec4on 1.9.3.
r 42 Item B.2 (15) 2xhr.
The seleciton and esplay of irgortent parameters and meir The sehr:: tion and depiey of the parameters ishich perform the post-etx:ident e~.ava.,
Instrumentation for integremon into the overet desip of the CR is a primary functon is port of me design process, onelysis, and pseults presented in SSAR post accident HFE issue.
Secuan 7.5. An analyels is conducted to identWy the appropetote verisbles and to estatimeh the appropriate design beats and queencsson ernerfe for instrumenimuon monnoring y
ergeoyed by me operator for monnoring condsons in the RCS, me secondary heet removat systm the containment, and the eyelems used for attaining a sale shutdown condman. Three colegories of design and queenceeon creerte are used (SSAR Subeschon 7.S.2). Category 1 instrumentegen has me hipiest performance requirements and is used sor hiformenon est een not be ioet u user any circumstances The OOPS is me HSI met provides the Ctess 1E iseplays to the operators in the MCR.
The OOPS dispinys we include as Cologory 1 veristdes and some Category 2 verlobios; (Tetse 7.5-1 of the SSAR). The spedRc deponys of the CDPS result from the cargleton of the HSI Design procoes (Element 7). The HSI design process is described urder SSAR Subseemon 1e.8.2.
43 Pom B.2 (16) 2xxi. AuxNiery heat The specification and evetuation ci manuel and autome#c This leeue is addr====r8 by Elemerit 3 (Funceonel Requirements Analysis and Function i
remov-l systems ecuans should be subject to the funcWon eBoceMon AsoceWon) of the AP900 HFE/MMI design process. Delmas of Element 3 are found in design to facmete ennsyses personned as part of me design and SSAR Sdescuon 18.8.2.
manuevoutomatic implemmisson process acWons
[
44 Item B 2 (17) 2xxhr, Recording of The selecHon and essplay of important parameters and their The requirements for RV4evel trde are proAdod by redundant, safety-related stV sevet integremon into the overen desip of the CR is a primary RV4evel instrumorenson. As shown in SSAR Figure 5.1-5, these instrument channets HFE lasue.
(LT-teo and LT-170) have one leal top that connects to the bottom of a hot leg and one level top that connects to the top of the hot tog bend met connects to the steem generator. This Instrumentation is used to provitte RV water level during en accident.
I and is sino used to provide hot seg level during shutdown opereHons including midloop.
This instrumentadon provides in&ston of RV water level for a range sporviing from the l
bo tom of the hotleg to approrhiely the eleveuen of me mating surface. This r
instrumentagon is L..r._..a
.m_M and provides securate level measurement during at modes of operettorL ReW to SSAR Subsection 1.9.3.
i
_ - - _ ~ -. -.,
3 4
9 M
TAeLE 1 (Cenenued)
Iu O--
Ex CE RE.E pOR THE m Issume Addressed my esUREG SF11 AppentAs 3 g
asm toeve Reeerence seemelsespo Human Factore AapostMuman Portenaance leeue Human FactoreMuman Perfonnance Iseue Addressed by Apese Design as nem 8.2 (18) 2xxv. Technical The design of the TSC, OSC and EOF shoukt trusude HFE The design of the TSC remote shutdown Inday, and me OSC are govemed by the support corner consideremons to enswo that me personnel located in some HFE design program as the MCR deoiyt Chapter 18 of me SSAR descrites me (TSC) operatonal these facilities can most eNec9vely perlorm their safety-AP900 HFE progrant This program is designed around me ten elements of the HFE support center related functions Poor HFE design of mese facemos may Program Review modoi presorted h NUREG4711.
(OSC), and ireertere wnh me performance of operators h a was.
emergency oflotte dos.gned CR.
The COL ap se=nt sher eddress Wie doelen of tie EOF.
facimy (EOF) 46 Item 8.2 (19) 2xxvu, Monitoring of The selection and dleplay of irryottant parameters and their The main control eres is the location wlmin the MCR from whitti the overam operation of inplant and integration into me overed desiyt of 9te CR is a primary the plant is aczompeched. Within this ares are operator worksteuons and wee panel eWome redeHon HFE losue, esplays.
i The types of informenon screens eveRoble to tie operators include:
- Functionaldisplays
'i Physical mimic displays
- Procedure (Seploys g
- Assem support espinys
- Special pu,ose ssplays.
AR redeuon monlioring alarms are Indicated in the MCR and the instrument reedlngs are evne=Na for tSeplay. An arripuhed descrpelon of the rneln control area is in Subsection 18.9.1. A descrfpuon of the HFE design procoes is found in SSAR Subsecuan te.e.2.
I 47 ftom 8.2 (20) 2xxvill, CR While potentled pathways for resoectivity to eNect R The nucteer letand norwedioeceve venitation system (V8S) le a,~. _ _
i habitabimy habitablBly may be Idonellied and design solutions to system which supptes the MCR. R includes redlauon monliors in sie supply ducts, with preclude such problems may be developed, the CR sen.wo to inecate IWgh toeston levels in the pathney. N the redemon level is above the operating crew should be aware of polonuel pathways. M HMu seapoire, the normal hosung, venulation and airw ', (HVAC) system is werranted, evaluemons of memods to montor in the CR the autometcany stopped and the CR is then footsted. The soloty-related emergency integrWy of the doelen solusons and sie presence of hebtsbimy system (VES) is innisted on Wie some signal, and R pmvides air for redletion in the pomweys should be considered.
roepiremon el the CR cocupants and presourtanton of Wie CR pressure boundary. The air is not de5vered tuough me lealeted HVAC duct, but is clonvered tuough dedicated, separate lines which penetrate me CR preneure boundary. The VES is designed to vneintain a posuve pressure of 1/8* water gauge in me MCR pressure boundary witi respect to surrountBng rooms. The system incomorates redundant pressure instumonteson wipi sierms to pmoitte inetsuon Wief Wils function is met.
48 Item 8.2 (21) 8.A.1.4, Long-term This leaue concems shNt eleAlng with Ilconsed operators Stemng leeues are addressed by congleung Elemort 5 (StelNng) of the HFE/HSI design upgrading of and working hours of beensed operators. Updates to 10 procoes. Stelhng levels are the responetEty of Wie COL appucert with me excepeon of opereung personnel CFR 50.54 were approved.
We MCR stelRng. ' See SSAR Secuan 18.7 for a desculpson of the AP900 stening andstemng ennsynes pean for me MCR. sSAR Secuan 16.1. s.% s_2.2.d also addresses MCR steens and umns on working hours.
49 hem 8.2 (22) 1.A.4.2. Simulator This issue invoivos the N._.
...; of me use of This teoue is addressed by corripteeng Element 9 (Training Program C_.,..;) of cap =hmuss simuloints in the training of operators.
the HFE Design Pmcose Training pmgram development is the responsib8My of the COL
==per-e as documorned in SSAR Secuan 13.2 and 18.9 9.
i
-m.
s e nn nt h
e sh iiog t
t s
edwf nt ya e 0
s n
o r
E0 ef s
d n oc gd F6 g
t n e
ngn ren is r s eteS HP n
a, i i e ;a t
s e
r nI giM A
n r
ed r or c
, p uiee -
d
- m. ;De i
D lp e
}
i yi:y lc ee
.g ip
.s qt
.t eomhM aht r
t 0
n 0
p r
pet r
e r
.t o
u 9
o". a p
v 0
gf s
e er ys o ).6 2 t
o t t
-0 P
L e
.r e e h hf
,e goS
. A 8 in8 A
O CpC L
n: cd
.P 1
y C
o*
O
- . o s E
nr r
nt nye C
F po P',h b
e e ch 8
ae e nt e
H Cn s i
n e1 tp taiC d
ht bef h
(
f s
r y St R oa g
e eie gp e f
t r sc teoh nwA nh s
oego 1
u eo s
r n fo td dr e
cE) ycmis fhS itoC c t, i
o n i tooS e
tyv e r
a o
r e
p in) d eh ml i
es ily o
a d
t s W
moF n be emoh tnrt s
u leP g
pt ee r
A nGe E(Hi t
sond c
t s, S I yf o n mfe.
s e
h e
ort e s
n s u e e mS u
pef S n
leRm o
f 8 h ipo e 0 ;o t
p ot t D r a c f p
a s
s n nf t bMmt eI nr s
a
,r
- al sis im1 g s
r 0
. r e
o eoS t Ml Pe I
1 o e
e8
. o r
t H
f r
lm )n (
d7 r A(d S c
hP
.f n4p e
a0(
8 h
ise n
t A D
o s a a
n7 S0 s t P
G E a
e e t
mEd m
ah^._9 is 9 ecdS
- E F r
8 r
et D
n P
o )n n e P Aapn
.R H ge r
T 1
c s aa oU0 s
e s
gem S
si f
yN e.
e.
n eiv t
u 5. C a *s e s d S o.
- _t A 0
le nh s
ru5 h
r r
eu e
I 8
e edE et MUM:
oP c e d3 t
P d3 ht e u h Dn r r D -
e1 r
e1 n
c r
gI aeR.
oo e
on obed on uSnt A
- f. mVM :.
. s h
f
- mhe C
c pe r
S s
es0' oHof r
._ yoft r af e
r a m
tne*
r t e t 7:st e
p9 u
- . i s 0 ^
r u
cisSo c
h(it oS t
n e e6 b d o M
lpRl Sn e cP ;
r r e aSeRP eS dt nmpt m
- ht p s
dw ah oA
- esn e
bA lpR se e fo u
e e
st ito e
e r
g r
w:
e foA smVas oAaSe f
t r le q-,c eh e ap t
e c
Si e
S o
r hir uht ;.
dt c c
tnSnor nS d E Ed 2 e Z d *t a
tn-,
dss ht e e
d F e8 r
F e
ot nc r p 0
n ynr ni-e ase feO mi a ).Hs8 r
0 n
mie gpe ed u1 e
pd is;
(
oi t st isc s e a ;_ S e 9
8 a
pd t oe
- 0e Dh oa loeeRcy le t e. 1 r n P
m er t h e
_ t a ito a
iudh A
i H
r
. Pt uPo ent
.n v e s
u n
u t
w, S s d
v e e
e
, nsc ge s
le sn f M
n dmde )s g dm is
, ewe eh m' igR et i
uiP e u
r v
r b
e t te e
.- m6es h s a
issA T
p ec oOm ec is os wt it h eS E
h o h
. lev u htny vfos TDS R
p h or O
A Tdp(E Td T ^^. E reS Ti s
)
F 1
A.
d 1
n W
7 e
u g
0 e
is u
M G
s n
w n
na d.
t e
en E
E s
t o
aht e n i
r y s
e R
R eB is fos h io C
U e
d e c
s r
(
E M
n icic a
s ne t t C
na M
y a
cn h
e ism ed ot or 1
e ai p
u iv a ci E
E 9
m t
e t
m s
d e
L N
d o
nl e
is r
or n s B
I e
f T
P s
P ta, e las is ef lu n
r a e n A
E s
e r
r g
p p d o r
n a n
c u o X
e es ci e
h o.
gr s r
E d
n iae it d
ter r o t i t
t a
d r
G d
nru re n R
dmp fot osin N
A m
ed.
hc te e mht n
c po f
u t e C
a r
df t
l, c n f
e M
e u e e n s
ao o it J.
r ni f e u r o w
e a A
u t
c mpt e
m R
e e
rotae s
s e
n n
eio E
e r
Ow P
h ms ht h l
p P
s nhd g
t u
O A
s n
Eff s
sat se t
eeu o
e e
a e t.
e l
s s st s
s sr o
s uy e ro s
sys s
r ns r ay r
w si df e
el e
t e
a d e a u
r d
pte d
c r
s d
sf d
e lcd d
di a d
w F
o ini a
ad s a
at d s
t n
es n ec e
eae e o a
un e uit s
st t s
u uhh ut m
so ss it iso i
iSe is s sh*
s s
u n
R
% n *=
isg is H
n d
6sDn isC h o hia h
hPe hf T ce Td T
TSd T o m
r od e
f n e
n h
n p
e af m
is o e is cn o r
g s
g o
n e ;
t e
ev e
e e
al r
t d
o d
S d s - s go gu mb e
nf re iuu,yd o
n-,
R o a, Rd ru L,m i G, l s
u e
e :. c 9 gr w C, e S, 7 D. B(
C, d o
r ad a a
e w
v
)
r a e
22 4 n 1
1 l
e
_ r Crog u
i o
Dta v
1D. r C. h p
e 1 t C p 1 pu r
1 1
s ecne re
)
)
)
)
)
f 3
4 5
6 7
2 2
2 e
2 2
(
(
(
R
(
(
e 2
2 2
2 2
v B
B B
B R
ae m
m m
m m
l e
e e
e e
t h
h N
R l
m 0
1 2
3 4
e 5
5 5
5 5
It 3be{E'd g
1 3
r TASL.1 (Cenenued) u ex,
- c. Rev T,t.
i emeuse Addressed Dy NUR.G 0711 Appends 5 t
seem tenue noserence seemetscape Human Facture AapoeWHuman Perfoneenee teous Human FacterefHuman Performenee teous Addrerood by APOOO Doolgn
{
g ss nem s.2 (2e) 1.D.5.1, CR design.
This issue involves the MMI in the CR wth regard to the The func#on of the AP900 Alarm System is to support me MCR operators wlm the improved use of Nghts, sierms, and annuncistors to reduce tie following acuveles of human N (adopted frorn Roomussen's modet of i
instrumentenon polonnet for operator error, MIormoeon overtood, unwonted human decision <nelurig):
research alarms distractions, and insufhesent orgentration of InformatorL
- 1) the ALERT aceMey, Le., alert the operator to oll-normal condhions, and esplays
- 2) Wie OBSERVE VIfHAT IS ABNORMAL actMay, Lo., aid the user in focusing on Wie hvortant issue (s);
- 3) help whh the process STATE IDENTFICATION octMty, Le., sid the user in i
understanding the atmormat condicons and provide conective ecuan guidance i
as for es to guide the operating crew into tot area of me complete Plant Informellon Olsplay System in which sie esteArformation about the abnormelley and as resolunon can be found.
The AP900 Alarm System addresses the problem of eterm evolenching and operator date overtoed by managing the presonestion of the alarms to me operators in such a menner as to reduce to number of alarms presented simuhaneously durbg mejor
[
disturbances, while meintaining eensitMey during smeE disturbances. The Aleem System is robust enough to: a) show multiple major process problems; b) not be overwhelmed
{
m O
by ininor asenne that are related to, or are consequence of. the process problems (evolendeng); and c) sievete minor alems to e piece of anonson,voveedng i
sigillicence, when moy are me most signllicent procoes abnormalities However, those active sleem messages whidt are not currerely deployed are accesetnis and avallable to
[
me operators, upon request.
l The Aleem System olds in dirocling the operator to the area in the infomietonal dleplay i
system of the CR met contains specibe dele related to eliminetmg, diagnosing, and f
mengsung the process abnormellty The Alarm System also provides e enk from a given
^ larm response procedure sleem to its applicable =
a 56 Item 8.2 (29)
N.F,1 and II.F.2 These inoues address deteRed CR design issues reisted to This is addressed by the response to hems 40,41, and 44.
i Same as item B.2 Instrumentation (ll.F.1, "Adtpuonal accidert monnoring 13 and 14 above instrumentomon ' and N.F.2, h for detection of inadequate core cootng")
1 i
i i
m a
w
+- i-~
r irm
f il{fj(h$
f a f~
E 3ha jf!!i151 f
i I
8 l lj![:]a33!!lj{j i li fl I
8 i
[
I la ilhh g i dly,1!illli!de_! !p!t i
I 1!19i!
l dl19 i
{liilliijliph lj j 'llid li wl l
l;
,,n I
in d
-n l
)=
5 i
Ej i "l d lill
[i g
lill lJ 8 !il 1
j l lii!
11
,lItsf I *! 1 l
si L
mis al E
E 1 1 i
f 3
mA2927w.wpf:1b 051396 21 l
l t
3 w
F TAel.1 (CenenuesQ 1
2 o--
,o m A, I
G.,,, _.
g flom leeue Reference IssueScope Human Feeters AspectMumen Portonnance teous Human Facternatamen Perfonnance Issus Addressed by AP900 Doolgn 59 stem 8.3 (1)
Germic Letter 91 In this generic loner, NRC proposes costein monnoring, The fotowing responses are provtted to the quessons releed in the attadimers to 06, Resolution on survesence, and rneireenance provisions for selety.related Geneste Letter 9146. The responess are riuntered to match tie quesmon nurfters in (GI) A-30, de systems.
Generic Letter 9146. SSAR Subesceon 8.3.2.1.1 descrees the foetures of the Class Adequacy of selety-1E de and UPS system.
related DC power 1.
Unit-AP900 supphes 2.e.
The number of Independent redundant dMelons of Class 1E de power for this l
plant isl.
b.
The number of funcuonal selety-reented dMelons of de power necessary to otteln este shutdoom for this unit is 3.~
3.e.
The following eierms ero provided for eech (Svtalon of de power-
{
1.
bettery testMisconnect sullch status and bonary open circuit sleem (open circuit aimmi provided by the banery monnor system) 2.
bettery charger es==inoct switch status and bettery chaqper output breeter status i
3.
de system ground detecean storm 4.
de bus undonenage f
p N
5.
bellery overfunder vanage (provided by Wie bettery monitor system) and bettery dierger culput over/under voltage 6.
benery dierger oc Input power fesure and bettery charger trouble eierm 7.
banery dischaqpe rete eierm i
b.
The fotowing intAcetions are provided for each (Buteion of de power:
l
- 13. bemery cumme - used for nost, disqpe, and discharge t
4.
de bus voltage c.
Procedures for response to these eierms and incications are e COL apphcent leeue.
1 4.
The bettery chargers ero provided wift input undervollege storms and the Irput brookers are provided wNh brecher trip eierms. In addition, a spare bettery and charger ero provided for use during rneintenance and tesung of the
[
baneries and diergers.
t 5.
Not opptcetWo.
6.
Maintenance and testing actMess and procedures era e COL appucent issue.
[
7.
The AP900 Technical SpeciRestions (TS) are simmer to those found in the wesenghouse Standmed TS for meirmenence end survesence of Class 1E
[
elecnical systems.
r% =hamy is maintained for ensuring conunued and adequate reactor cooung i
e.e.
f fogowing Wie loss of one seletydeleted de power supply or bus.
[
b.
RCS Integrity and locention ref=my are rneintained fotowing the loss of one f
^ de power supply or bus, t
c.
Operating procedures ere a COL oppscent issue.
9.
Not appHcable j
80 itern B.3 (2)
Generte Letter This generic letter t9ecusses the Interaction betwoon G8-23
.00T APPLICABL.: The AP900 design spednes reactor coolant pungs with conned I
9147, GI-23 and A-44, both of which have human factors espects.
motors that have no seats. Refer to SSAR 5.1.33 and 5 4.1 Reactor Coolant i
Pump Seal Failures a
t i
....~.~.-----i b
l h
?
M S
TABLE 1 (Candnued) l 4
- 1 OPERAftNG EXPERIENCE IEPEW FOR THE APOOO Iseuse Ademesed By NUIMB g711 Appendu 3 Item leeue Reference Issuergeope Husnan Facters AspectMuseen Portonnenen Issue Human FactorelMumen Portensence locus Addressed by AP900 Doolgn k
61 h6m B.3 (3)
Genede Letter 91-TNs genede let er addresses severalissues related to The three etstements below address the fuse remmmended actions of Genede i
- 11. Resolution of electrical systems including Wie seducson of human errors, Letter 90-11.
Genede leeues de criterol of equipment mestus, and tenang.
- 1. The sme amnemons and survemence requirements for veel instrument buses are and 49 eddressed in TS: SSAR Section 16.1 Subsecuans 3.8.5 and 3.8.6.
- 2. The time timitesons and survesence requirements for Claes 1E inverters are addressed in TS; SSAR Secuan 16.1 Subsections 3.8.3 and 3.8.4.
- 3. The AP900 design does not contain any to breehors that een connect redundert Class 1E buses. The one4ne diagram for sie Class 1E de and UPS systems are shown in SSAR Figures 8.3.2-1 and 8.3.2-2.
62 Item B.3 (4)
IN 93-47 Unrecogrdzod Loss of CR Annunctators The AP900 Alarm System Informs the MCR crew about those failures, witNn the Unrecognized Loss equipment compdeing the system, that could degrade to the point where either system
}
of CR Annuncistors performance is reduced or system evenabluty is tweetened. The AP600 Almem System design pheosophy is oudi that the system's prelened feaure mode is evough a succession of "gracefusy degreding states of operation rather then e sudden death".
1 The alarm overview dispinys, integrated into the WPIS displays, include e display of i
eierm mesenges that desenbe smuures or degredmoon of equipment that corgdoe the Aimem System. Since the almem overview displays are integrated into the WPIS, e
[
dynamic indication that the WPIS is running is used to Hlustrate to the CR operators that f
the system is not hung"in a frozen condman.
63 Item B.3 (5)
IN 9341,
- .W of Enginsedng Expertise on Shilt.
This issue is addressed by corgleting Element 5 (Stelling) of the HFE Program Review IrnpHeations of Model(NUREG 0711) and the AP900 HFE design process Refer to SSAR SecWon l
Engineering 18.7 (Anoceeon and Determinetton of Stemng) for a doecriptkr of Wie AP900 Stefling
[
Egersee on ShNt implementeWon plan. COL appecents we address the stemng levels and quemicssons d I
en peern personnel.
i 64 Item B.4 CR Organization -
CR elemng levels had Impelred crews in ps.1oming their This issue is addressed by cornpleting Element 5 (Staffing) of the HFE Program Review i
Stemng and emergency funceans. CR personnel were overbuntened Model (NUREG4711) and sie AP900 HFE deelyt process Wortdoed analysis is part of Responolbmuss during emergencies Based won a review of NUREG-the took enelysis (Element 4) to be performed as past of the AP900 HFE design process 1275, WCAP-14114 (Secton 6.2) ee-cases where The woridood analysis provides en Irwormann of the adequacy of CR stafRng operators famed to take a mquired acuan due to a mentet assumpuans. In cases whom the enssysis indicates Ngh operator woddood values or impse because of a Ngh wondeed unusson.
Insumetent tbne evenable for performance, we we evaluate enemeeve CR elemng eseumpaans or dienses to the M4stS doeien or teek = mar = man to reduce operator woddood. Refer to SSAR Secnon 18.7 for e desenplion of the stemng irgiementation plan and refer to SSAR Subsecdon 18.8.2 for a doecripean of task enelysis implementenon pian which inctudes wondeed enseyess.
65 hem B.4 CR Organironon -
The use of the du* ole STA-tmpaired crew performance TNs leeue is addressed by corgleung Element 5 (Stelling) of the HFE Program Review f
SNft Technical because the other senior reactor operator (SRos) were Model (NUREG 0711) and the ape 00 HFE design procoes.. Woridoed analysis is part of
[
Advisor (STA) owedonded when one SRO eseumed the STA role.
the took emelysis (Element 4) to be performed as part of the AP600 HFE design process.
- ...; of other toeke dudng events detracted from the The wondood analysis provides en int 5 cation of tio adequacy of CR eleffing STA's eefety function.
soeur9pNons. In cases where the snelyels Indicates Ngh operator workeoed values or 1
i insumcient time eveNeble for performance, we we evaluate allemative CR staffing esausgeons or changes to the M. MIS dosipi or task allocation to reduce operator woddood. Refer to SSAR Section 18.7 for e descripeon of the stemng irnplementet on plan and ruler to SSAR Subsecuen 18.8.2 for a doecdpuon of teek enetye6s implemorsagen plan which includes wondoed analysis.
3 N
TAELE 1 (Conlinued) k 3
OPERATING EXPERIENCE REVEW FOR THE AP900 teouse Addressed By NUREG 0711 Appensa S g
item lesus Reference leeuerSeope Human Factere AspectMumen Portermance locue Human FactoreMumen Performance leeue Addressed by AP900 Design 66 Dem B 4 CR Organizegon -
Crmcel performance in compter systems depends on the For sur AP900 MMI design, the fogowing elements of situst on awerwass have been Teemwork Findings coon 9neted actMey of a group of IndMduals whim includes adopted e) the awareness of current plant state; b) awareness of changes in pied ou factors related to performance of the operating crew.
state; and c) the links from the well penal group overview deplays to the inevidual Besed upon a review of NUREG-1275.WCAP-14114 workstopon deploys.
(Secton 6.1) escusses cases where there were low levels of task sweroness, commend, control, and communiceton.
As one of the AP900 M-MIS resources evemable to the MCR operators, the WPtS These events lilustrate fatures to maintain brood provides and maintains situation awareness by presenting plant Mlormation on a large awareness of ongoing ac9vities and their irryncations Of screen deplay and posesseing the design features to address each of the three particular concem are failures of supervisory personnelin elements-maintaining awareness of the eclMiles of the personnel under their dlrection.
The following provides two exemples of design features of the WPIS that address the first elemers of situation sworeness: 1) For each plert mode or each signihcant plant state wMhin en operating mode, the WPIS includes a mimic deploy which provides a physical overview of the plert's signmcent systems and roepecWwe key components; and
- 2) The weR panel mimic tseplay includes the dynamic display of key plant parameters so to that a reactor operator, suponrisor or a person entering the MCR can establish the plant A
operating status.
To address swoveness of changes in plant state, the Alarm System's overview displays are incorporated into the AF000 WPIS overview and mimic displays. The eierm overview porean of the WPIS performs the "siergng" actMty in the human dec'skm-making pmcess.
The third element of situm9an awareness le the Nnks that are provided fram the wen panel displays to the intsvidual workstation deploys.. For systems of workstation displays as targe as the one required for AP900, asking operators to find and select the most appropriate espinys when unenticipated plant changes occur can impose a isege mental burden and can be eme consuming, when other actMues may be eme crmcat.
When signecent changes to plant parameters occur, operators need to know which workstemon espisys are appropriate and the rnoet emetent method to tocate and select those $ splays. Operators we not be required to corduct lengthy searches for esplays et the point when signacere changes in plant state has occuned. Operators need to be able to get to any espiny they need quickey arvs emceeney Therefore, the WPtS deploys provide the atsley to idenINy and to access sie most appropnote workstation display from the weg penei. SpecMically, the WPtS possesses the following design lectures to address the third element of situellon 11
. e) When changes in plant state have occurred as Indicolod on the WPIS, operators are not required to conduct lengthy searches through the worksteHon deplays for more detailed information. When a change occurs, es Indicated to the mimic display (a changing plant parameter) or the well panel storm overview display, the WPIS Identmos the most appropriate workstation espieys. b) The WPtS provides the capablity to dirscGy access from the well penet the most appropriate workstation deploy that provides more detailed information about the change that is occuning or has occurred-
M k
N TABLE, (CorFmuod) ku o,
AT C.
viWpo.Tn g
G.,,,_.
lism toeve asserence toeversempe Human Feetere AspectMuman Persermance teous Human FeetereMumen Portenuance teous Addressed by APGSS Design g
67 Item B.4 Procedures -
Operators acted during events methout using a procedure The developmere of ptert r _ __1 x, including administrouve procedures such as Procedural Procedure centent, esse of use, and management policy procedural comptance, are me responetiinty of me COL oppucent as documented in Adherence and practicos influenced procedure use. Boeod tpon e SSAR Secean 13.5.
review of NU.EG-1275. WCAP-14114 (Secton 4.5) m-- cases where procedures were evenetse but not used.
68 Mem B.4 Procedures -
Operators egertenced deculty m opplying knowledge to The developmert of plant r -_- - a are me responetsuty of the COL oppacent as Knowledge-Based unusunt plant conditions, which resulted in deleys in documented in SSAR Secton 13.5.
Performance recopizing and responding to events. Based upon a During Events review of NUREG-1275. WCAP-14114 (Sec9on 4.1)
Corsvilellon of Element 7 (HSI Design) of the HFE Program Review Model discuseos cases where the pefWcular situation was not fuNy (NUREG4711) and me AP900 HFE Design Process he$s address this issue. A covered by the procedure requiring knousedge4:esed fundamental tenet of the APG00 HFEJMMS design process is that, in addmon to reasoning to fu m gaps and edept to me sauenon.
ensuring that the M-MIS supports the teek of process equipmere coneral and operation, the interface design bests includes consideranon of those cogneve tasks that represent how humors reason, essess ohuseons. and make swekww in a real-Mme procese conhos envienment. The promise for ese desip beels is that enors of Intenson (incorrect or improper decision-making) can be reduced u the set or tasks that the mms is desired to support indudes those coyWwe scGwmes egertenced whNo operaung the plant. To semmpmeh ins deste basis, en input to the teek ennsysis acewmes is en operator *=*k=Hnsking model. TNs modelis uWired in me MMS design process to provide a structure for and to he$ determine me cognieve needs of the plant operseons personnet. The modelis used to deline the set of queellons that are used in the cognlWwe task onelysis part of the FBTA. The dennlilon of Information and control requirements that resuns from enowering ins set of quesmons supports operator performance et au # wee levels in Reemuseon's deciotorwneking model (i.e., skm4:esed, rule 4:eeed, and knowledge 4:eoed reasoning). Using the output of the FBTAs as en input to the design of the MMS should result in a MMI met supports the kind of knowledge 4:eoed reasoning that is required to handle unenticipated events or events where outeeing pmcedures may require knousedge4:eeed reesoning to fu in gaps. The FBTA is bened on a fundamental snelysis of plant goals and functions and is ellecWwe in designing MMSs to support operecor pedormance in preenelyzed stustions (execueng a procedure) and unenactponed snussons.
l i
I t
~
nL l
1 p
[l l
!l l Il l
- lIhil, l!!!!
l illi Illi ii i i
l I!!II{'
M h;j!!!
!!O L!llullllli iI a !!ii m
w n M I
lil!!lIll!!!
,B i
l l11!'ll'!!
rldlijl (I i!!!!
i i l lilij p !
m!!Eii!Imk i
l i i 11l 1 41
-]pui si a1 li k I!q' l i
.li!!
i 1
I 11111 Oill 1
l i i 1
=
(
m:\\2927w.wptib 051396
3 9
.E TABLE 1 (Conenued)
Iu O,.RAn,
.m
- e. Re-,OR n.a A, Iseuse Addroceed By 98UREG 0711 Appendia 3 item tosue Reference leeuetScope Human Factore AspectMumen Performance teous Human FactoreMumen Performance leem Addressed by ape 00 Design g
75 flem B 4 h MecNne During transients that result in a reactor trip, a large The function of the AP600 Alarm System is to s@ port the MCR operators enth the Interface -
number of annuncistors are ocWwated; their usefulness to following activiges of human decision-making-Ope stor the operator is diminished as the number of low priority 1.)
the ALERT actMty, Le, siert the operator to off-normel conditions.
Awareness ennuncistors increases. Prto Itization of annuncistors could 2-)
Wie OBSERVE WHAT IS ABNORMAL ectivity, Le., aid the user in focusing on Irgrove the elleceveness of this system.
the important issue (s);
3.)
help with the process STATE IDENTIFICATION octMiy. Le., aid the user h t
understanding the abnormal condinons and provide correcWwe ecGon guidance, as for as to guide the operating crew into that eroe of the complete Plant Information Display System in which the dete/Information about the abnormeHey I
and as resolumon con be found.
The AP900 Alarm System addresses the probiern of storm evelenching and operator
{
date overtoed by managing the presentation of the eierms to the operators in such a L
menner as to reduce the number of sierms presented simuneneously during major disturbances, while meintaining senellMty durtnD smeE disturbances The Alarm System y
is robust enough tm e) show multiple major process problems; b) not be overwhelmed i
ro by minor eierms that are reisted to, or are consequence of, the prccess problems i
W (avelandiing); and c) elevate prenor alarms to a place of attention-provoking signinconce, when they are the most signlRcont process abnominileios However, those active eierm messages which are not currently esplayed are accessible and avaliable to the operators, upon request.
Part of the method used to manage the presentation of storms to the operator is the funcilonel organization of the alarms. The overview storme are organized by function, y
such as RCS pressure control, RCS temperature control. RCS inventory and SG water loved control Within each function, there are goal-related alarms and process related eterms for the respective function. The sierms within each function are prioritized such that only the highest priority, goal-reisted alarms and.,,& - --
meneme for that i
Smetion are deployeo. this functionet organization and priorturellon of alarms provides i
eft efRCiert way of droCling and focusing Wie operefors ellention to the transient and Rs source. The overall trmortance to plant selety or the urgency of operator action is essay determined from this method of storm presentation The Alarm System sids h directing the operator to the eroe in the informational display system of the CR that contains specille dele estated to eliminating, degnoeing. and mitigating the process abnormatty. The Alarm System etso provees a link frorn a given sleem to its applicable cormutertzed storm response procedure i
m 4
5 TA8LE 1 (Cononued) 43 OPERATING EXPEfMENCE REVIEW FOR THE AP900 b,
leeuse Addressed By NUREG 0711 Appendia 8 o
item leeue Reference lesue/ Scope Human Factors Aw. :_ _ - Performance leave Human Factors / Human Performance leone Addroceed by AP900 Design g
76 ftem B.4 Human-Machine Crew response was affected by ava#atWity of Corgletion of Element 4 of the HFE Program Review Model (NUREG 071t) and the Interface -
instrumentatioit appropriateness of the instruments to the AP600 HFE desip process includes an FBTA as part of the overaN task analysis. The Instrumentation task, and the relative location of the instruments and task analysis irgismentation plan is descrtyed in SSAR Subsection 18.8.2. For each controls. Based upon a review of NUREG-1275.WCAP-Level 4 plart function shown on figure 18 6.7 of the SSAR, an F8TA is performed.
14114 (Section 2.1) discusses cases where the plant There are tour w.vu,a to en FBTA. First, analysis is done to identify the corglete parameter inticators required for rnonitoring or control were set of goals relevant to the function Second, a functional decomposition is done. This unavegable or inadequate.
decorgosition identifies all the various processes that have a significant effect on the function. Third, a cogniWve process analysis is done by applying the 11 questions dertved from Rasmussen's human decistorwnaking model approach. The results of the cognitive process analysis identify the indicatlons, parameters, and controis that the operator needs to make decisions about the respective functions. FineWy, there is a verffication that the indications parameters, and controls identflied in the cognitive analysis are at included in the AP600 design.
In addition, as part of the background documentation for the AP600 ERGS, the instrumentation arvj controls needed to execute es& step within eacf' of the guidelines g
O (optimal recovery guldennes and function restoration guidelines) is identified Venfication that the needed instrumentation and controls, identified here, are aR included kt the AP600 design is part of the AP600 desigri process.
I E
i k
w S
TABLE 1 (Cenenued)
I t
u o,
e.
viaW po iMa 5
,0.o.,,, _.
Item loose Reference leeuefScope Human Factere Aspect 4tumen Portennonce leeue Human FactereMumen Portennonce leeue Addressed by APete Desten g
77 Subsecton 2.1.1 MCR - Syelem inesorellon of Informamon During urgdenned transients, the The functon of me AP900 Alarm Syalam is to support the MCR operators wNh Die Integranon operators are presented uth an 6._-, volume of topouing acIMiles of human tiociatorwneldng-immedlete informenon. A better tSeplay integropon and 1.)
Wie ALERT aceMiy, I.e., alert the operator to olf-riormel condsons; increened automellon may beh tiem through tiene 2.)
Wie OBSERVE WHAT IS ABNORAML ac5vity, Le., eid tie umor in focusing on evolutions.
the bmortant leeue(s);
3.)
he$ with sie process STATE IDENTIFICATION actMey,i.e., aid the user in understanding the abnormal centsilons and pnnede correceve action guidance, as for as to guide the operating crew into that area of the complete Pters Inlormagon Dispiny System in which Wie dete/Irdormaton about tie atmormeNty and its resoluson con be found.
The AP900 Alarm System addresses the problem of eterm avelanching and operator dets overtoed by managing the presortation of the alarms to Wie operators in such a enenner as to reduce me number of alarme presented "- J- _ :- -- durtig mejor 19elurbances, whee trisintaining seneNMty sluring emot tseeurbances. The Alami System is robust enough to: a) show mulkple major pmcess problems; b) riot be overwhelmed g
by minor alarms that are related to, or are consequence of. Wie process protdems (avelenching); and c) elevate minor alarms to a piece of attention provoidng signWicence when they are the most signWicent process abnomielMes. However, those acWwe alarm messegos whidt are not currently displayed are massette and swellable to the i
operators, upon request.
The Almem System sids in directing the opermeor to the area in the informenonal isspicy eyelem of Wio CR that contains specmc date rotated to suminmung, tSegnosing, and rniugeung the procoes atmormesty The Alarm System also provides a Enk from a given alarm to its appucable computertzed alarm response pmcedwe The AP900 M. MIS Includes a CPS Wiet assists Wie plant operators in monNorir.g and cartromng the execusan of plant - ---- ^ _ For a given procedure, the status of each pecedure soap is c, z -5 desermined and presented to the operator stonr an the soporeng peant Ireormoson. To aseviate the inherert Rued EneerNy of paperbosed the CPS portorms perenet monNoring actMees versus the operator in paper-bened procedures A parassi montoring acIMty is a plant condson, state or parameter that is monNoved by the oormuser in paramel ath eie aceuty of guiding the verator thmugh the respeceve pecedure. Types of peregelinfonneton monNored ty the CPS are the samIus of CSF, procedwo notes and coupons, foldout page tems, inma'ed oceans (cenunuous action steps) and congnuously monliored paramethrt. With 3te CPS dynamiceny deseemining the samous of each pecedure step and performing perenel enonNoring actMuss, the delays caused by the inherent Emed Eneerty of execunng paper-bened proemdures are nenimized or semineled. The CPS provides sproct unks from steps to the associated Piers Information System Displays (physical pmcess, functonal, autommac enantorens logic or son conisol dispesys).
~
O bw 5
TABL.1 (Cenenued) ku o
Avi
.xP IC.
W con Tn AP esemos Addressed my 91UREG 0711 Appense B seem issue noperence toeverscope Human Factere AspectMument Portonnance issue Humer *ectoreMuman Portonnance soeue Addressed try APOOO Design g
78 Subsecuan 2.1.2 MCR - System Chenes in Control Modes in transient stueuons, operators The iniormenon irnogramon protdems are addressed by me AP900 design as doecreed integreson onen have io take menuel coreral of many of the teoks that above in hem 877.
were automancesy coraroned_ TNs change in cornros modes by noes is e co snongo to me operators, and when The AP900 l&C System design incorporelos automouc funcuons not evenetdo in added m the midse of a signecent transiert, unh as previous plant designs. TNs is the reeut of enorts to minimize the operators menues informenon integrouan problems, is even more demaneng-wondoed during nonner plant transients (such as e etertup) and during unenudpeted trenaients (such as a reactor titp). The seedmeter contros system h me AP900 is one exempio The AP900 feedwater contrat system automaticeNy controls SG water levels from power levels low in me power range (0% to 2% power) to 100% power. In toders piores, operators are required to connes feedweler now and So water sevel in manues une they have reached about 20% power. Another exemple is the use of the AP900 Startup Feedwater Syelem. Fonowing a reactor trip, me SFS How is automaticeNy controsed to maintain me desired SG levels. In today's plants, the operators must monummy control AFW now to maintain desired SG ieweis.
7e
- Subsecuan 2.1.3 MCR - System Memortzemon Operators have to enomorize meer inilles Following a reactor trip, the AP900 CPS is acWweled and me operator is drocted to the integreson ecuans ener a reactor trip, and are expected to accornpash computerized reactor trip response procedwo The CPS dynamice#y determhos and them prior to procedural escks. Operator sids may assist provides the status of each procedure step along wah any necessary supporang in me inmal sceans.
Insormenon. In today's plants, the operator must not only memorize the immodete ecuan steps, but must aseo eserch the main conkoi board for the hdiceuons end controls to provide me cepetWNty of determining the status of the immodate actions.
80 Subsecuan 2.1.4 MCR - System Processed enconnellon Much inkwmenon has to be The AP900 M-MIS takes adveninge of cunent computer technology and automaticagy integration conculated by operators that could be provided direcay wNh conculates and then presongs the needed Inlormenon to the operators. In today's plants, current technology Cormputertrocessed and vandsted the operator must menuesy ceiculate the needed irdormenon. One exemple of dets and calcuented weiues can tm provided to the operator calculated irdormeWon provided by the AP900 Plant Informeson System, are trend in en integrated feehion.
dleploys, During a plant heetup or cocidown, the AP900 Plant trWormemon System we provide heetup and cooedown rate trend dopinys et the operator's wortaleson.
81 Subsection 2.1.5 MCR - System Test and Maintenance Survemance testing can create The AP900 inservice Test Plan (SSAR Subsec5on 3.9.8) documents the survemence Integrouan protWomo such as: number of tests, adeuonal operators test requirements for the AP900 (IST). In developing this plan, Woounghouse has required, producing a spuntous sierms, inadvertent considered the duncuny of performing each survemence lect. In some instances. ISTs actueuons, and potensel for e peers trip. The systems met would be potenseu prendemose et,ower are defened to enhor cold shutdown or r
should be aeogned to be tested pertoeceey without refueling consuons. in omer cases (such as me ADS valves) e specialintertock has cresung incideres been developed to precsude the poesmety of the operators cousing a plant transiers due to e --
..a of the ADS velves during toseng. Olhor Isotures which teemiete inservice teaung of the PXS are descreed in SSAR Subsection 6.3.6.2.
The on-ane testing of the protocuon system is accompushed by a series of tests with sumceent overtop to test au necessary tunesons. These tests are designed to be accompushed without genereung spunous sierms and inadvertent trips and actuanons When a protecton cetWnet is being tooted, R is pieced into e bypassed state or othenvloe removed from sorwice to prevent inadvertent actuasons and potenmal for a peert trip.
Most of the teaung is performed automencee once inittened by the operator. A r
descripson of the pnWecean system reestday and taust tolerance during operemons, maintenance, test and tnpese and a denedpuon of me bum-in test cepehmoes are provided in SSAR Subsections 7.1.2.10 and 7.1.2.12.
I i
h E
u 5
TABL.1 (Consnued) d i
u op
.-l e.Revi.W poR nl.
leemse Addreened By NUR.G 0711 Appendle 3 Ilom Issue Reference teouetScope Human Feeters AspectlMuman Personnance leeue Human FactorefHuman Performance Inoue Addressed by APOSS Deelyn 82 Subsecton 2.2.1 MCR -Alarms Avalanche of Alarms The single tdggest leaue in the The luncson of the ape 00 Alarm System is to support the MCR operators weth the y
design ce advanced eierm systems is the need to reduce sononing ecovises ci human decision 4nsidng the evolenche of alarms during plant upset.
- 1) ALERT activby, Lo., stort tie operator to cif4memel contpeons,
- 2) OBSERVE WHAT IS ABNORMAL. aclMty, Le., old the user in focusing on the f
importerd leeue(s);
i
- 3) h@ with the process STATE 10ENTIFICATION netMey, i.e., aid the user in
/
understanding the abnormal con Allons and provide corrective ac9on guidance, as ter as to guide the opere8ng creer into met eroe of the congdete Plant Information Oluplay System in which the deleArdormalbn about the abnormeINy and as resoluson can be sound.
The AP900 Alarm System addresses the problem of storm evolenching and operator
[
date overtoed by managing me presentation of the alarms to the operators in such a menner as to reduce the number of sienne presented simulleneously during makr k
disturbances, whee snelnlolning seneIIMty dudne smeR diolurbances. The Alarm Systen is robust enough tot a) shour muillpie major process problems; b) not be overweielmed o
by minor storme met are veieled to, or are cor==ry-ice of, the process protdems W
(evolenchingh and c) elevale minor storms to a piece of allention provoldng signWicance..
when they are the most signlRcert process abnormeRuss. However, those achve einem messegos which eve not currenpy displayed eye auseatile and avatable to the operators, upon recluent.
l The Alarm Syelem sids in directing the operator to the area in the Wormenoned tReplay system of me CR that cr.4 mins spedile date related to esmineling, diagnosing. and i
mingsting the process abnormouty. The Alarm System eleo provides e Onk from o given l
elarm to tis appelceblo computerized sleem response procedure t
83 Subesction 2.2.2 MCR --Alarms Prior 46zellon of Alarms When en operator is presented alth The AP900 Alarm System addresses me problem of storm -.._ _& and operator en avaienche of alarms, e priortleration scheme should date overtoed by managing the preenntenon of the einems to the operators in such a present ed me alarms to the operator but code them into manner as to reduce the nutriber of alarms presorted simuneneously during major priortlies sudi that the overeE importance to plant safety or disturbances, while molnisining senellMiy during smeR diolurtences. The Alarm System the urgency of the operator acean can be determined is robust enough to: a) show mullspie mehr process problems; b) not be overwhelmed by minor storms that are related to, or are <mnestpsence of, me process protdems (avelenching); and c) elevate rednor alarms to e piece of enention provoidng signinconce when mer are the most signiscent process abnormouges, However, those acWwe eterm messegos whidi are not curnmey displayed are acceselbee and avanoble to the operators. upon reclueet.
Port of me malhed used to manage the presentonon of alarms to tie operator is the lunc9 anal organizanon of tie alarms. The overvlow storms ata organized by funcWon, such as RCS prosauro control. RCS temperature control RCS inventory and sleem generator water level control. Wuhin each funcilon, there are gd M etorms and process-related alarms for me respecthe funcelon. The alarms within each function are i
petorured such that ordy the highest priorty, goal 4eleted slamis enr1 procoes4eleted esmems for that funcean are displayed. This funceanal oegenizemon and pdorieremon of j
eierms provides en emcient way of carecung and socusing the operators anenmon la the trenaient and as source. The overes inewtones to plant selety or the urgency of operator acuan is sessy determined froen tNs momed of storm presentenon.
A E
N i
e
.I TABLE, (Conenued) k u
or
.=,
caRview,oMTur m g
.o A
_ y
.y,, _.
g Item Issuo Reference leeuerScope Human Facters AspectMuman Per9ermance teous Human FactereMumen Performance leeue Addressed by AreOS Design 84 Subsection 2.2.3 MCR --Alarms Loss of Power to Annuncistor Penets The loss of power to Power to the eierm system is from a redundant or UPS. The Alarm System also these pensis coued result in the toes of the operators' abully includes a "heartpast* IndiceWon vietslo to the operator at at times. The "heartboot*
{
to respond to plant upsets, pereculo4y N the operators are intScotton sierts the operator to degraded contRuons of the eierm syMem, including a not swere of the toss.
totalloss of the system espertenced as a result of loss of tie rechndent power sources.
The Aleem System is deolytod such that the system's prolened leNure mode is through a sucroseion of "grocefully degreding" sentes of operouon rather then a ' sudden death?
j 85 Subsecton 2.2.4 MCR - Alarma Alarm Disclaws Aleem System reeeerch has identilled The function of tie AP900 Alarm System to to support Wie MCR operators wilh the i
multepes use by operstors of the Alarm Systems, nomsey; lonowing ocIMess of human decision 4nsking-I for sierung. for status monitoring, and for esiumeon
- 1) ALERT actMey, I e., alert the operator to all4tormal contAllons; L
awareness The selection of a display technology and
- 2) OBSERVE WHAT IS ABNORMAL actMey, Lo, eid the user in incumang on the display methods for tie Alarm Syelem can significongy important leeue(s);
inipets teses enuluple uses of storm systems by operaksrs.
- 3) help witi tio pmcess STATE IDENTIFICATION acIMiy, to., aid the user in
(
Both conventional Due:Hocation tSeploys and the newer understandlng the abnormel txmtBIlons and provide correctrue action guidance l
Cathode Rey Tube (CRT)4eced displays have advantages os for as to guide the operaung crew into that area of tie congslote Pters I
and c9sedventages.
Informellon Display System in which tie deteAnformegon about the abnormouty and as resoluson can be found.
The AP900 Alarm System addresses the problem of alarm avaienching and operator date overtoed by managing the preseresson of the asenne to tie operators in such a menner as to reduce the number of alarms presented F1 _-_ i during major
[
disturbances, whee maintelrdng senellMey during smes disturbances. The Alarm System i
is robust enough to; a) show mulNple major procoes problems; b) riot be ovensheimed I
by minor storms tiet are related to, or are consequence of, Wie pmcess problems (evolenching); and c) stevete minor alarms to a piece of asenHon provoidng significance, when they are the most signlRcard procoes atmormeilhos However, those active alarm
(
mesenges which see not currener dispinyed are accesense and evensbee to tie i
operators, upon meiueet from workstemon taapiers.
i The Aserm Symem eies in direcsng the operator to the seen m the informosonal tospiny i
system of the CR that contains spedlic date related to eRminsung, tSegnosing, and mitigating the process abnormality, The Alarm System also psovides a link from a given l
storm to Na afTur=* computertzed alarm response procedure t
The AP900 Alarm System design captures tie advantages of both the conventional
[
limetHocellon displays and the newer CRT4esed (Esplays The AP900 Alarm System
[
consists of overview alarms and VDU (such as CRT)4ened sierms and alarm support information. The overview alarms are functionsuy organized with each function having
{
gomi-reisted and process-reisted sienne. The eierm overviews are integreied into and tseployed by the WPIS, therefore the presenteWon of the alarm system overviews is enseogous to the convengonal Amed posMion annuncistors.. AR etenns and associated supporang informoson is avesable et the operator's workeisson VDus. The presentaeon t
of storms on the workeasson vDUs is analogous to cRT4 seed eierm tasplays-1 i
I i
.l
f 3
$n
!E TAel E 1 (Cendnued) ku op.R -.e. - R C.R.-
poRTHa m toeuse Addressed erI.uRee sytt Appense e nem toews Reference leeuemcepe Human Factere AspectStamen Porteneance toous plumen Factoremtumen Porteneence issus Addressed try APOOS Doelgn g
86 SubsecWon 2.2.5 MCR - Alanns Alarm Corecio Audmory features of einem symems have The AP900 Alarm Syelem provides tw means for the AP900 CR operator to be stoned, been problemoscal and seperate eNonce, actoiouledge and via both visual and audo rioveng techniques, to problems h Wie processes involved in resiset test (SART) contrais are recommended. The sw piera by-corarois for carguteressed eierm syenema we become e) indiceung the abnormemy by presoneng a preciessy worded messege or e more compson and need enenson.
graphic represenesson of sw condmon; b) presenGng the abnormemy in a conleut which convoys the impact on plant heenh; c) seperegng elvms from other dete; and d) genereung audtile tones corresponding to specille mots of sierms.
The corenIs for tio suelory leasures of Wie AP900 Alarm Syelem wlE not add to tie wortdood nor we they be t9stracthg. A design requiremert of to Alarm System is that R wel not create (Setractions to Wie operators, nor we It add to the fougue of its users, by Wie edegon of noise or visual t9stortions.
87 Subsection 2.2.6 MCR - Alarms Operator Salemham Aserms The operators may nood a low INPUT THIS ISSUE INTO THE DESIGN ISSUES TRACIGNG SYSTEM.
priorny operator sesecieme eierm to ces alienmon to a cor,oner. (e g, e,.Ivoi erwy be mri of o norrei.,
poemon. Alarm syneems should have the noidbety sor the opersoors to essey odd sierms to a screen when a paienessy devient sauenon is idenuned that they need cased to their seenson.
88 Subesceon 2.3.1 MCR - Controls Ennineertna Units Displays somellmos use engirieering The AP900 Plant Informogon System presents q9eploys (physical process, functional, and Displays unns which mean use to the operator, (e g., "Ibe-trend and automesc monnoring and logic esploys) to the opersoor. The engineering messeiour) rather then percentage of fus power flow.
unas used on those dispinys wlE be meaningful to the operators. One way that this is ensured is Wiet Wie deleted tsspley design and Imptomercation pmcess (Element 7, HSt l
design). This provides a check by operational personnel tint to despioys and the inIormaeon presented are meeningful The Ikiel HFE vertilcocon and voedstion (Elen.ient l
- 10) alt vandale tie usefulness of dispinys-se Subsecuan 2.3.2 MCR - Controls Push Bunon t.ene 7
- _ Push buuan Immp IIOT APPe nem s The use of push bulton lamps are not port of AP900 CR MMt.
and Displays replacement is problemaWe because the removal and replacement of the lens or bute con sometimes cause inodvertent actuellort 90 Subsection 2.3.3 MCR - Controls CRT-8 meed Dieslove On CRitened displays, Wie The AP900 Plant Informston System presents espisys (phyelcol pmcess, funcilonel,
.j ond Displays operators are often restricted to Wie use of "propeclogett' trend and automesc vnonstoring and logic espesys) to tie operator. In edslion to these j
espesvs and do not have enough capabWly to select i.
. _ esplays, the Plert infonnegon System pmvides the capabWty to the i
^
parameters for men ey and ironene opersior of being able to creele a desked parameter and trend aspisy. In edamon, the i
s operecer alg have the capabety of tRepteying ties creoled trend display on Wie WPIS.
91 Subsection 2.3.4 MCR - Controls Correuter ledertacos Corgeon or poorly designed it is the mission of Wie AP900 M-MIS to improve too means that are provided to the end Dispinys cormuler insertacos are suppeed, as opposed to interteces usere of the peere opersson and consol corners for seguiring and undereieneng piant that are simple and ' user-friener.
data and in execuung sesons to connel sw pienrs processes and equipmers l
(Reserence te.a.1 of em SSAR). Theresore, a besic design goal of the AP900 M-hMS is to provide en ineagrated environmort that is " user hiens( end sAows the operator to quicidy and ellidener maneuver Weough the MMI resources (Aterm System, Information System CPS, and Soft ConbcIs) to access needed irdarmenon and controls.
i
-. _._ ~,_._
n-
,. -,, -. - - ~ ~.
-.-,.--,-..~.-n__.-n..-n,_,
---.-.v
~~ -. - -
E i
k i
y 5
TABLE 1 (Continued) f l
. k
- .a OPERATWIG EXPERE90CE fM4r FOR THE APEOS I
- - -.. m App.n.e.
Rom toeue fleforence IssuetScope Human Factere AspeeWHuman Portonnance teous Human FacterefHuman Pertennonce teous Addressed by AP900 Deelgn 92 Subsecuan 2.3.5 MCR - Controls Upgreena of Conyuser Systems The dlRiculty of The tSetreputed nature of me AP900 I&C System er@ilecture irdness me schuettees l
end Displays upgreeng conyuter systems con be a problem, even for and Routputy to upgrade me erstem in en eNicient menner. The disertiuted 14C reimeveey minct plert moencellons.
en:hltecture is a====d in Section 7.1 of Sw SSAR.
{
93 Subsecuan 2.3.6 MCR - Controls Conguier Romeones Time A common specinostion for The losus to be addressed is the amount of #me it tehos for me operator to locate a and Displays maximum deley sme between screens le two seconds.
deelred piece of Irdormellon. Hour does Wie operator locate e desired display? How TNs moy be ecceptable for roudne conyuler procesehg.
many esplays must the operolor navigets through before he kcetes the desired
[
however, during nuclear power plant (NPP) transients it is informouon? The APOOO Plant Informaeon System addresses tes issue through Rs too long and causes urg operator frustration and design pecess and type of displays presented to the operator Funcuonal displays are deisys in informoson processing.
designed and used to cor9plement phyelcel (system) dispesys. Funcuanel dispinys are
-t designed to present to the ccorm or esenciated good monnoring and process monitoring a
MIormecon for a respeceve function. The output of the respec9ve FBTA is used as e major Irgut to the design of the functional tSeploys. The FBTA includes a cognitive teek I
enelysis that idenWiles me Instrumentellon, informe90n and contrais that the operator needs to make operaung decisions for the respecthe function. Since the AP900 Plant t
Informagon System k=*=e== functonal displays (pen *==d imm meir eseodeled FBTA) remer men just physical system tSepinys, R is more tihely that me operator we find og r
Sie Inlormation met he needs for a given mougit process on one tSeploy (such as e functional display) Also, the use of tienser esplays and more meaningful groupings of j
information on the espesys wm roeust in e sees @ wMNn the espiny rather then movemere between tSeploys to find desired iniormamon.
l To steport me operator's situasonal sworeness in en enicient and timely menner, the design of the WPIS requires met the operator be able to point to and select in one step i
(from the workstation), e system, component or maior parameter dispinyed on the won i
panel and receu on a workstanon VDU, e related functonal espiny or physicet esplay.
One step navigeson frorn a funemonal esplay to en===~*4ed physical ereier. and from a physicei esplay to as associesed funesonst,empany, um eleo be evensbes. To add nenibsty to the memod of nevigeson between employs a menu or enep of as evenetse
(
enciers, we sino be avesetze to te operator TNs meihod of navigneon to e desired espiny we involve a monimum of two steps; essect the map and then select the espisy.
I The actual delay umes between screens is elven by the ISC te@nology and escocated hardnere. Advances in ins technology are eBowing laster responses eE me time.
TNs issue of how long R takes the operator to access needed informeWon we be
[
evaluated &ning the men 4rHhe4oop concept teeNng. The resuns of this concept tesWng l
we be used to venne me funceanal and detened design of the M.ams. TNs issue we t
eleo be moosured and veEdeled of the HFE verthesuon and vendation (Element 10 of
+
the HFE desipi prv===).
i f
I i
I
-~
l l
j 3
9 5
TA.L.1 (Congnued)
Iu o,. RAT ex, e.Rens. poRTn A,
5
- A.dre ed.-.,,, A ori.l..
Item I teous Reference loomerScope Human Feetere AspectMusnan Perfonnance teous Hennen Factoremuman Portonnance locus Addressed try AP900 Doolgn 94 Subsedian 2.3.7 MCR - Controls Cor9puter-Based Data Points Corgimer4 meed dele points The informellon presented to the operettps by Wie AP900 M44tS includes Indicaton of and Dispieys should have a prowlsion to indicate to Wie operators when dele queWy for Wie dets tSeployed. The obloctive is to enow Wie operecor to perceive the the date for vie point is invand (e g., point is out of scan).
goodness of a pleos of irdormation bekig tSeployed to !*n end, eventueny, spacerd R or bok for suomeeve measures. N e paramotor measurement is outside the range of em instrumem (note that the tiene queety would be good), then this "out-of4enge-information is Indicated on Wie tSeplay to tie operator. The date quelley of carguter calculated points is steo addressed and displayed by tie AP900 M-MIS. The date queely of calculated points wielders the dele queRiy of tie input points and the valicSty of the <=hmson and as boundary condmons. The deia quauty conversons used are consistent ihmughout #ie M-MIS. For example. Wie convenson used on a workstaton display to intScale that e date point such as e hot leg teniperature is of
- poor
- queNty le Wie same as Wie convenson used to present the some information on the WPIS.
95 Subsection 2.3.8 MCR - Controls Trip Stelue indemnon in the CR, the operators need en The func9on of Wie AP900 Alarm System is to support Wie MCR operators wth the and Displays adequate indication for trip status of irgottert local following adMiles of human dociolon<nehing (adopted from Roomussen's model of ecpipment human decision <neldng):
1.)
the ALERT actMey, te., stort sie operator to on4iormal condWons.
2.)
Wie OBSERVE WHAT IS ABNOPMAL acevity, Lo sid tie user h focusing on the important issue (s);
3.)
he$ weih sie process STATE IDENTIFICATION actMiy,i.e., aid the user in understentsng the abnormai conssons and provide correceve ccean guidance.
as for as to guide the opereeng crew into inst eres of the complete Plant Information Display System in which the deletinformegon about the abnormeNty and its resoluson een be sound.
The Alarm System includes alarms of trip status for important local equipment and it cleerty distinguishes between eierms that are conveymg to the operator something about a process atmonneuly vs. etMeing him of Wie status of equipment.
98 Subseccon 2.4.1.1 MCR -
Commur*= mans Coverene - Dead Scots Aussiery The plant communication system consists of the fonowing systems. wireless Communications operators oHen cannot be contacted in the plant due to -
communication system, telephone $ege system, private automanc branch exchange their inabiWy to hear pages from the CR since there are (PABX), soundpowered system, emergency response facAly communiceWons, and many hard-to4iser or tiend spots in Wie plant.
escurty communicellon system. The wireises telephone system is the primary means of i
communiceuon for plant operemons and maintenance personnet The wwetess system consists of winvloss bett<:Hp portable handsets, hands-free type portable headsets, a corgrohensive entenne system, and a wireless telephone sutch. The telephone $ege f
PABX telephone, and n.
_ J communication systems are for general plant t
g communicentna and serve es bedup to the wiresses system. The communications system is eleocrtied in SSAR %% 9.5.2.
97 Subsection 2.4.1.2 MCR -
Communications Coverage - RF Interference Radio The communications system cargiles witi anpor=*h codes and standards, minimiang Communications Frequency (RF) interferes atti communicanons due to Electro Mayisce Interference (EMI) and us potengel eNocts to equipment. " Low-ir=* y-le shisk9ng Communiceuon radios also cause poweretr type equipment is used, where poemass, which has been demonstrated to unintended actuseon of equipment.
have a ummed polonued for cavoing interference unh electonic equipment.
Communiceman equipmert and seneuve lac equipment are shielded, as necessary, srom the detrimentes eMeets of EML l
3 ha 5
TABLE 1 (Congnued) 4c oPERAT a ExPERenCE REvew FoR TwE AP.O.
h leeues Addressed By NUREG 0711 Appendia B g
item leeue Reference IssuerScope Human Factore ? m X-Performance locue Human Factore4tumen Portonnance leaue Addressed I y AP900 Doolgn 98 Subsecten 2.4.1.3 MCR -
Communicesions Coversoe - Pluos insufficient locations in NOT APPUCABLE: The wireiess telephone system is the primary means af Cv..... a ;;,.
the plant to " plug in* communice#ons equipment communication for plant operagons and maintenance personnet.. The wireless system consists of wireless belt <Np portable handsets, hands-free type portable headsets, a coniprehensive antenne system, and a wireless telephone ulich. No " plug 4n* toca5ons are requwod for this type of equipment.
99 Subsec9an 2.4.2 MCR -
Noise Interference - Venmation The noise level in the CR The VBS sgplies ventilation flow to the MCR during normel operation, and is a Cm..._ a ;;.
can be so tWgh dunng transients that added stress for the a._L, -':ted system. The VBS system serves as a first line of defense if evanoble, operators is created and communication is dificult due a and it also performs the safety-related func5an of isoleung the HVAC ducts that ESF actuated ventilation (especie#y 2 trains).
penetrate the CR pressure boundary. The AP600 d'oign incorporates an VES to provide tie selety-related function of ventNeeng and pressurtzing the MCR. This system uses a supply of air for respiration of the CR occupants as wet as for pressurtzing the room. The system suppues a lower volumetric flowrote of breathable quenty air, than the normel HVAC llowrotos. The safety-related venstation system uses no acWve components which contrbute to noise generettort The issue of noise levet is not a mejor concem for the VES system because of the reimevely low air flowrote, even when both trains are in opersoon.
The VBS system is used during normal operation as noted previously. This system has Industrial type air handing unRs and fan essembtes with double-wated panel construction to minimize noise and fan turbulence, whue the supply arul retum ducts are provwsed with anti-swtet insulation. Centrifugallens are provided with tienible connections and vibration isolator design to avoid sound rumble constions. The MCR main suppsy and retum duct anyouts require mumpie 90 elbows and seversi twenty-foot straight duct seccons before entering the MCR, which means that low-frequency noise transmitted through ductwork is eGminated. This ductwork anangement is rmrmeNy used for low noise level HVAC acoustic design for sound studio and theaters. Fine 8y, the MCR HVAC design is a low velocity system designed specNically for a lower noise levet, in that toe duct air veloci5es are much lower then the maximum velocities descrbed in American Society of Hosting, Rehtgeration and Air-Condlioning Engineers (ASHRAE).
100 Subsection 2.4.2 MCR -
Noise Interference - Printers The noise levelin the CR High speed printers used in the AP600 MCR wlB not significan9y contribute to the noise Communications can be so high durtng transients tot added stress for the level even dusing transient situeWons Prhder technology currently entsts such that operators is created and communication is dithcult due to generated noise is no longer en issue.
high-speed conventional printers.
t 101 Subsection 2.4.2 MCR -
Noise interference - Alarms The noise levelin the CR con The AP600 Alarm System has a design ;ag/.-.; that specmes the system to be Communications b:s so high during trans4nts that added stress for the designed in such a way as to g creato dstracWons to the operators; nor wul it add to operators is created ano communicemon is orncun due to the fatigue of Rs users, by the addMon of noise, visual dstortons or nuisance alarms.
elarms ringing constanpy The functoned organization, priortization within each function, and the alarm trigger logics are as design features that mensge the presentmeon of alarms such that ordy meerengful elenns are presented to the operator
-~m-m._._~m___
m m ~ m m.m
.._m._._m m.
o..
___m.
l 3
I 3
9 5
TAet.E 1 (Continued) 4 3
OPERATWIG EXPERIENCE REVEW FOR TM f P900 Iseuse Addressed By NUREG 0711 AppendIn B f
Ilom Issue Reference poouef5 cope Human Factore AspectMumen Perfonnance Issue Human FeetereMumen Perfonnance Inous Ar.dreened try APege Design t
102 Subsection 2.5.1 MCR - Procedures g Paper-based or hard copy procedures in NPP The AP900 CPS is the MMIMSI that me operator wN use to suecute procedures. The operations con cause the IcGowing problem. Space for reactor operator we interface with me CPS suough his worksteson VDUs. The CPS L
espionatory informenon is Ilmited and the level of detag in automesco#y evolueles the status of eedi procedure step and presents this evaluation procedure steps is thred.
to the operator along with enough supportng informoson (such as actual parameter values and equipment status) to give the operator en understanding of how and why the system produced as evalueton. The CPS nel provide the mf=helqy or the operator to y
j request supplemental informaeon on en addluonal VDU. This we be information such i
es an associated physical, funcuonal, trend or soft control tSeplay or perhaps a y
supporeng graph, curve, or background information. In curmedeon with the paper-medium of presenung pecedures, space for eginnetory ineormenon and the amount of l
deteE provided in me procedure steps is not an issue wim the., _ _ L d procedure medium.
The fun-scale mockup of the AP800 mein control esse wlR be used to further evaluate me *epece* issue. The fun-acale mot *g is part of the HSI design process (Element 7 ta pmcoss).
l
=
103 Subsection 2.5.2 MCR - Procedures Non-unser informagon Paper-based or hard-mpy The AP900 M-MIS includes a CPS that seatsts the plant operators in morutoring and procedures in NPP operagons can cause the following controlling the enemtion of plant procedures. For a given procedure, Wie status of each i
problem. Norpanser informello i must be presented procedure step is C,.__L determined and presented to the operator along with the sequenumey.
ogporeng plant irdormoson. To eseviele the kiherent Sned hneesty of paper-based i
procedures, the CPS pedorms peranel morulodng actMees versus the operator in paper-beoed procedures. A perseet monitoring actMiy is a plant concpilon, state, or parameter that is monitored by the cormuler in peregel wHh the acevey of guiding the cperator
{
through the respeceve procedure Types of paranelinformeson monitored by the CPS are the status of CSFs. pmcodure notes and cautions, loktout pogo items, Irutisted i
accons (continuous action steps) and conunuously monitored parameters. Wilh the CPS dyremLasy determining the sestus of each pmcedure step and poderming peronet monitortng actMiles, the delays caused by vie inherent Reed lineesty of execugng paper-based procedures are minimized or eEminated. Therefore, the CPS auws the operator to reach tie relevant steps for terminoling Wie incident and me=Neshyg lhg plant much quicker then papertened <--.
2 104 Subsecton 2.5.3 MCR - Procedures irrelevert informenon Papertesed or herdapy As descdbed in me item above (Item 103), Wie AP900 CPS performs paratet me iltoring procedures in NPP operadons can cause the loWowing actMpos versus the operator in poportened procedures. A perallet monitonng actMty is protsem. Instevent infomionon regarding condnions met do a plant condson, state, or parameter that is monnored by the computer in paramel wem not exist during a specllic instance of procedure execution wie actMty of guitsng the operator through tie respective procedure Types of paragel I
must be congnuously (Seployed.
Informellon montored by the CPS are the status of CSFs. pecedure notes and coutons, foldout page llems, inlusted acdone (continuous action steps) and continuously
{
rnonitored parameters. A contmuously monitored poremotor is an exaniple of a condluon that may not exist at the moment but requires como action when it does exist.
The CPS wE 1 - ^ -; monitor this condition as parallel Irdormation and only present a to the operator when the condson is met and when me operator needs to -
execute the respec8ve action. Wim the CPS dynamiceBy ^
__., the status of each I
pecedure step and pedorming peramel monhodng actMties, the instances of presenhng irrelevant iniormenon to the operator during a specWc moment of procedure execugon t
are minimized or eEminated.
i m
m m
m.m
-.,_n
~.
3 be 5
TABLE 1 (Conenued) k
- 1 OPERATING EXPERIENCE REMW FOR THE APOOO Issues Addressed By NUREG 0711 Appendht B Rom leave Reference leeuerScope Human Fackere AspeeWHuman Perfonnance leave Human Factorestumen Performance Issus Addrosood by AP900 Dooien 105 Subsec50n 2.5 4 MCR - Procedures Cross-Referencing Peper4 esed or hardcopy r_ _ ^n The AP900 CPS automotesty evaluates the status of each procedure step and presents in NPP opere#ons can cause the fonou ng problent his evolustion to me operator along with enou@ sipporeng Irdormedon (such as actuel s
Cross _.. 4, introduces enors and deleys in took parameter values and equipment status) to give the operator an understancsng of how performance and why the system produced as evetuation. The CPS wW provide the cepetmy for the operator to request supplemental informeeon on an addhional VDU. This wW be i
information such as on associated physical, funcuanel, trend or soft control display or perhaps a supparung graph, curve, or background biormation. The CPS we provide the l
cepetmy for the operator to transluon to the appropriato location in other operating procedures es required and to automancesy select and depisy the new procedure when requested.whlie maintaining a placemerk in the original procedure 106 Subsecean 2.5.5 MCR - Procedures Mullble Procedures Management Paper-based or hard-The AP600 CPS wm provide the cepetmy for the operator to transition to other j
copy r--
_ __ in NPP operatons can cause the fonowing operating procedures as required and to automaticeny select and dispiey the new l
problent Physical management of muluple procedures and procedure when requested, while meintaining a placemerk in the origine! procedure.
f place-keepinD during concurrent execution are swimord.
The CPS wiu provide for the deplay of a procedure troneition map. This deplay wW indicate trenemons out of or into the crocedures, as wee es movemeres wMhin the h
-. The CPS wlE also provide the capabNity for the operator to request r- --
supplementalirdormellon on an additional VDU. This we be information such as en 6
associated physicot, funceonet, trend or soft control depisy, or perhaps a supporting graph, curve, or background informatiort l
107 Subsection 2.5.6 MCR - Procedures Maintaining Procedures Paper-based or hardtopy The AP900 CPS we include the capabWty to modWy or est the procedures in a procedures m NPP operadons con cause the foNowing straightforward manner. This is accortyGshed by using an off-line reistional detsbese NUREG-0933, l.C.5 problent Maintaining the technicet occuracy of procedures management system.
is difficult. For exerrple, a design change in a single r
component een Irwelidate overy procedure that references that congsonant. SimNorty, a procedure revision that
)
changes the esop number in that procedure can invalidate r
every step in offer proegdures that cross-reference met I
changed procedure.
108 Subsecton 2.5 7 MCR - Procedures P ocedure Integration Peper-based or hard<cey The AP900 CPS wul provide the rap =Nesy lor the operator to request supplemental procedures in NPP opershons can cause the topowing information on en adtSilonel VDU. This win be information such as an associated problem. Handhng and reet5ng a paper procedu's whHe physical, functional, trend or so t control deplay or perhaps a supporting graph, curve, or r
steo performing the actions required to perform N task bach 0round informenort if a step within a procedure, as presented by the CPS, requires descreed in a procedure are typice#y Incompetties me user to operate e component or system, then the user wW be able to select, in a single action from the CPS, me associated soft control (Reploy for the respeceve e
conponent. The soft control dispinys wW eppear on a VDU, et the operator's workstadon seperate from the VDU met presents the CPS. The use of multiple VDUs at the operator's worksteeon, (CPS main intertece VDU, CPS suppiomental information VDU, and a soft control display VDU), while executing a procedure through the AP800 CPS, minimizes or eliminates the hentsing and reetIng problems associated wth the execullon of a paper 4 meed procedure whlie also trying to perform the actions required by the procedure
m i
3 D
E TABL.1 (Cendnued) 4 2
o-A, ex=. C. Rev pon n. AP V$
tenuee Addressed By NUf G 0711 Appendia S Item Issue fleforence Issuer 8 cope Human Factere AspecWHuman Performance Inous monen Facternetumen Performance teous Addrenood by AP900 Design 109 Subsecean 2.5.8 MCR - Procedures HondunofFonowing Procedwes Paper-based or hard-copy The AP600 M-MIS irwh a CPS tiet asetels the plant operators in monitoring and procedwes in NPP operemons can cause the loAowing contraigng the suscuton of plant --
- . For a given procedure, the status of sech problent Due to space Hmitellons and tie need for procedure step is dynamiceAy determined and presented to tie operator along with the procedure mids tot the operators to fogow, p.--
_ _ x are supportng plant inforrnation. To amoviele tie therent fixed anearny of paper-based dellicult to work with especie8y in the CR during a trenelent procedures, the CPS performs paramel monnoring actMuss versus the operator h paper-beoed procedwes A persest monitoring actMey is a piant contstion, state, or parameter that is montored by #te computer in pareRet with the acevity of guiting the operator through tio respec9ve procedure. Types of parasolInformaton monitored by the CPS are the status el CSF, procedme notes and couMons, foldout page hems, hidated acilons (conenuous action steps) and continuously monitored parameters. With the CPS dynamicacy determining the sistus of each procedure step and perfomeng paronet morWtoring actMiles, the delays caused by the inhetert thied Hneertly of executng paper.
based procedwes are minimized or eEminated. The CPS provides direct links from steps to the associated Plant information System Displays (physical process. functional..
automage monitoring logic, or soft control espinys). For example, il a step wthin e conputertred procedure requires the user to operale a component or system, then the a
user wNI be able to select in a single scilon from tio CPS the associated soft control dispiny for the respec9ve component. The soft control #Asplays win appear on a VDU at the operator's workstellon separate from the VDU tiet presents the CPS. The use of multiple VDUs et tie operator's workstellon, (CPS main intertece VDU, CPS
+
supplemental informellon VDU, and a soft control dleplay VDU) wh5e executing a procedure through tie AP600 CPS, minimizes or eHminates the hentSing and reading problems associated witi tie execulian of a paper-based procedure ~
k 110 Secton 2.6 MCR - BWR Reactor Shutdown During a reactor shutdoum from en NOT APPLICABLE: This leeue is only appRcebte to BWRs.
Shutdown infuse power of 6%, that involved low decay heat levels due to e short opernung history, operators eBowed cooldoun (due to smed misceGeneous steem toads) to add excessive poeleve reactMey Furthe', by not property maintaining the power in the mid. range of the insomtediate Range Monitors y
(IRMs), a reactor trip occuned.
111 Section 3.1 System-Related Leekage, Areas of NPPs, such as isolated rooms, often intemet plant Hooding can be attributed to piping ruptures, tank faAures, or the actuation insights - Flooding conteen fluid systems witi the poterelei for lookege and of Dre suppW systems. The consequences of these events have been evolueted Concem Hootsng-for the AP600 in accordance with Standard Review Plan (SRP) 3.6.1 and SRP 3 6.2.
Water sevel (nood) design teatures and protection mechanisms are desertbed in Secnoce 3A and 3.6 of the SSAR,,
The proteccan mochenisms related to minimize the consequences of Intemsi nooding include the tonowing-Structural enclosures Structural barriers Curbs and elevated thresholds
=
Leak detection systems Drain systems in appropriate locomons, water levet sensors are provided to transmit water level intScotions to the MCR and tio plert conhol system. Level storms alert the operator to take conoceve action.
. i.
3 e
M TA9t.E 1 (Cendnued) k I
u o-An ex es Raw poRTn AP
%euse Addressed By NUREG 0711 Appendts B Nem teous Reference Issuemcope Human Factere AspectMumen Perfennonce Inoue Hamnen FactoreMumen Perfonnance leeue Addressed Ipy AP900 Doolgn g
112 Sec#on 3.2 System-Related Spray vehe Stuck Open A PWR presourtzer sprey vehe The AP900 desip has addressed the possibsty of a stuck open sprey valve. The spray insights -
stuck open (unknown to the operators at the Ilme) causing velve is provided with an autome9c interlock to close on lour RCS pressure that would Pressurtzer a continued drop in RCS prosaure to below that required by result from an open spray volve. In addlion, the..C, _, _ _ : spray block valves TS. As a result, a piere shutdown was required in order to can be closed from the CR in the event of a stuck open sprey vahm. Therelore, e isolete the sprey line.
forced plert shutdoum con be avoided in to event of a stuckgen spray vehe.
t 113 Subsection 3.3.1 System-Related Offsite Power A consequent problem on loss of a drect de system rollebWly - The de system is designed for a high level of raanNety. A insigles - Loss of current (dc) bus is pertal loss of normel offsite power.
non-Class 1E bettery monitor is provided for see bettery to rnonitor and alarm bettery i
de Bus voltage, detect and alarm bettery w
,4T. condition (including blown fuses), and supervise bettery avenobimy The bettery chargers are provided with a trouble alarm for ellemating current (ac) input tallure, de output underfover voltage, no chargo, input /butput breaker trip, and de high voltage shutdown trip.
de buses are monitored and atsemed for undervoltage de system currents are k
monitored and alarmed for overcurrerd.
A ground detection alarm is provided.
oc bus outage time for maintenance and repair wul be minimized with the use of the spere bettery and @erger l
Mlugetion of the effects of the loss of a de bus -The AP900 is designed to withstand the loss of a single dc bus without placing the plant in an unsafe condition.
in the AP900 design, toss of a de bus we not result in a portiet loss of offsite power.
The brookers in the AP600 are controsed by the PLS. The PLS system normally recohres power from the non-Class 1E UPS system. Upon failure of the de bus powering the UPS, or focure of the UPS ItseN, the loads are automatica#y transferred to a reguisting transformer supply. Therefore, loss of a de bus wel not result in loss of power to the PLS system.
+
The ac power system breakers use solid-stato control which recohes control power from a power stq) ply inlemal to the switchgeer 1herelore, loss of a de bus wm not result in loss of control power to a breaker.
1
3 b
ra TABLE 1 (Continued) 43 OPERATING EXPEf4ENCE REVIEW FOR THE AP900 toevee Addressed 8y NUREO 0711 Appendix B g
Item leaue Reference leeuef5 cope Human Factore A-,-
_^^_-._. Performance Issue Human Factore40umen Performance Iseue Addressed try AP900 Doolgn 114 Subsection 3.3.2 Systemaeleted Control Room Armuncistor A consequent prob 6mn on loss de system reRetsity - The de system is designed for a high level of rensbuity insights - Loss of of a de bus ts loss of CR annuncistor power.
oc Bus A battery monMor is provided for each banery to monitor and alarm battery voltage, detect and alarm bettery operx:ircust condNinn (inclueng blown fuses), and stpervise bettery avanabairy The battery chargers are provided with a trouble alarm for ac input faNure, de output under/over voltage, no charge, irput/ output breaker trip, and de high voltage shutdown trip.
de buses are monitored and alarmed for undervoltage. de system currents are monitored and o! armed for overcurrent.
A ground detection alarm is provided_
w de bus outage time for maintenance and repair we be minimized with the use of the W
spare battery and charger.
Mit6getion of the aftects of the loss of a de bus - The AP600 is designed to withstand the loss of a single de bus without placing the plant in an unsafe conditsort in the AP600 design, loss of a de bus wiu not result in a loss of alarm system power.
Alarm system power normeg comes from a UPS; however, upon failure of the de bus y
powering the UPS, or fanure of the UPS Itself, the loads are automaticaNy transferred to a reguisting transformer steply. Therefore, loss of a dc bus win not result in loss of alarm system power.
3
-4 E
TASLE 1 (CenenuesQ k
.2 OPERATW88 EXPEfuENCE REVWF FOR THE AP900 g
- A ee
. l.EO.,, _.
item Issue Reference teouarscope Human Factere AePecWHuman Performance leeue Human FactereMuman Portennonce leeue Addressed Ipy APtet Design g
,15 SubescWon 3.3.3 System-Related indcolors in Control Room A - - _ ; problem on loss de system reenbety - The de system is designed for a high level of repsbally Insights - Loos of of a oc bue is loss of power to indcators M the CR.
j de Ilus A bettery monllor le provided for sech bettery to monitor and eierm bettery voltage.
'[
detect and eterm bettery operH:lecult condson (inclueng bloem fuses), and supervles bettery evensbany The hemory chargers are provided unh a trouble eierm for oc input fauure, de output under/over vollege, no chage, imutbutput tweeker trip, and de high voltage shutdoum trip.
de buses are monitored and elsemed for undervoltage. de system currents are monitored and stormed lor overturrent.
i A ground detection eierm is provided.
de bus outage uma for meineenence and repair we be minineed wth the use of the spare bettery and charger neltIgeWon of the ellects of the loss of a de bus - The AP600 is designed to withstand the loss of a single dc bus without placing the plert in en uneele condittort in the AP900 design, loss of a de bus wNI not result in a loss of Indicator power.
Indcator power normally comes from a UPS syseent Upon failure of the de bus powering the UPS, or failure of the UPS IlseH, tw loeds are automouceny transferred to a reguloung trenelormer supply. Therefore, loss of a de bus wls not result in loss of Indicator power.
y 1
b 3
$u I
TABLE 1 (Continued) k
'i OPERATING EXPERIENCE REVIEW FOR THE AP900 lesues Addressed By NUREG 0711 Appendix 8 e.
L Item leeue Reference leeuef5 cope Human Factore AspectMumen Performance leaue Human FactoreMuman Perfonnance leeue Addressed by AP900 Design g
116 Subsectkm 3.3A System-Related Power M CWcuR Breshers A consequent problem on loss de system rellability - The oc system is designed for a high level of reliability.
Insights - 1 oss of of a de bus is loss el control power to various circun de Bus breekers.
A nortClass 1E bettery monMor is provided for each bettery to monitor and storm battery voltage, detect and storm bettery open<:ltcut condition (including blown *uses), and supervise bettery availabilRy.
t The battery chargers are provided with a trouble alarm for ac input fa#ure, dc output under/over voltage, no charge, input / output breaker trip, and d; high voltage shutdown trip.
de buses are monitored and alarmed for undervoltage. de system currents are monMored and alarmed for cvercurrent-A ground detection alarm is provided g
dc bus outage time for maintenance and repair will be minimized with the use of the Ut spare bettery and charger.
Mitigation of the effects of the loss of a de bus - The AP600 is designed to withstand the loss of a single dc bus wittout placing the plant in an unsafe condition.
In the AP600 design, loss of a de bus win not resun in a loss of circuit breaker control.
The breakers in the AP600 are contro9ed by the PLS. The PLS system normany receives power from the nor> Class 1E UPS system. Upon failure of the de bus powering the UPS, or failure of the UPS Rself, the lomos are automaticaWy transferred to a regulating transformer supply. Therefore, loss of a dc bus wiR not result in loss of circuit breaker control.
The ac power system breakers use soud-state control which receives control power from a power supply intemal to the switchgear, therefore, loss of a de bus wiB not result in loss of control power to a breaker.
3 bt:
-I TABLE 1 (Continued) 43 OPERATING EXPERIENCE REVIEW FOR THE AP900 b
toevee Addressed By NUREG 0711 Appendix 8 g
{
Item leeue Reference IssuarScope Human Factors AspectMumen Performance leaue Human FactoreMuman Performance leeve Addressed by AP900 Deelga 117 Subsection 3.3 5 System-Related Power to Corrouters and D6 splays A consequent problem de system rtliebety - The de system is designed for a high level of rettatsty.
Insights - Loss of on loss of a de bus is loss of power to computers and de Bus video display screens.
A battery rnonitor is provkfed for each battery to rnonitor and alarm battery voltage.
l detect and eterm battery operWrcuit condition (including blown fuses), and supervise g
battery availability The battery chargers are provided with a troubts alarm for ac trput failure, de output under/over voltage, no charge, irputfoutput breaker trip, and de high voltage shutdown trip-de buses are monitored and alarmed for undervoltage de system currents are monitored and alarmed for overcutawt A ground detection alarm is provided 4
de bus outage time for maintenance and repair will be rninimited with the use of the G
spare battery and charger.
Mitigation of the e9ects of the loss of a de bus - The AP600 is designed to withstand the loss of a single de bus without placing the plant in an unsafe condition.
In the AP600 design, loss of a de bus will not result in a loss of power to computers and video display (workstation) screens. Power to computers and video display screens normany comes from a UPS system. Upon faiure of the de bus powenng the UPS, or faHure of the UPS Rself, the loads are automaticeWy transferred to a regulating transformer supply. Therefore, loss of a de bus we not result in loss of power to computers and video deplay (workstation) ecreens.
E G
c:
5 TA8LE 1 (Con 6nued) 4 C
OPERATWiG EXPERIENCE MEVIEW FOR THE AP900 Issues Addressed By NUREG 0711 Appendqu B item feeue Reference IssuerScope Human Factore AspecWHutaan Performance leeue Human FeetoreMumen Performance locue Addressed by AP600 Design g
118 Subsection 3.3 6 System-Related Power to Automatic Features A consequent probiern on de system reRebility.- The de system is designed for a high level of reliability.
Insights - Loss of loss of a dc bus is loss of some of the plant's automatic de Bus features, such as trips and interlocks.
A bettery monitor is provided for each bettery to monitor and alarm battery voltage, detect and alarm battery open-circuit concRhon (includng blown fuses), and supervise battery evallebally The battery chargars are provided with a trouble alarm for oc input failure, de output under/over voltage, no merge, input / output breaker trip, and de high voltage shutdown trip.
de buses are gnonitored and stormed for undervoltage. de system currents are monitored and etermed for oveicurrent.
A ground detection alenn is pnMded.
4 de bus outage time for maintenance and repair will be rninimized with the use of the N
spero bettery and charger.
Mitigation of the effects of the loss of a de bus - The AP600 is designed to withstand the loss of a single dc bus without pladng the plant in an unsafe conditon.
In the AP900 design, loss of a dc bus will not result in a loss of edemstic features. The automatic features in the AP600 are controGed by the PMS and PLS. The PMS system nonna#y receives power from the Class 1E UPS system. The PLS system normasy receives power from the nonClass 1E UPS system. Upon failure of the de bus powering any UPS. or faRure of the UPS Itself, the loeds are automatically transferred to e regulating transformer supply. Therefore, loss of a de bus will not result in loss of automatic features.
3 b
~
tt 5
TABLE 1 (Continued)
,5 3
OPERATING EXPEfWENCE REVIEW FOR THE AP900 leeuse Addressed By NUREG 0711 Appendhr 8 g
Item Issue Reference leaverScope Human Factore AspectMumen Performance leeue Human Factore49umen Performance Issue Addressed try AP900 Doolgn 119 Subsection 3.3.7 System-Related Circuit Breakers A consequent problem on loss of a de de system reRebaty - The de system is designed for a high novel of rellebaty insights - Loss of bus is trip of selected circuit breakers, such as reactor trip de Bus breakers.
A bettery monitor is provided for each bettery to monitor and alarm bettery voltage, detect and eierm bettery opermircuit condition (including blown fuses), and supervise bettery availatmey The bettery chargers are provided with a trouble alarm for oc kiput failure, dc output under*over voltage, no charge, inputfoutput breaker trip, and de high voltage shutdown trip.
de buses are monitored and alarmed for undervoltage. de system currents are monflored and alarmed for overcurrent.
A ground detection storm is provided.
4 de bus outage time for maintenance and repair wlN be eninimized with the use of the CD spare bettery and charger.
Mitigation of the effects of the toss of a de bus -The AP600 is designed to withstand the toss of a single de bus without placing the plant in an unsafe condition.
In the AP600 design, loss of a de bus we not result in a plant trip. The AP600 has eight reactor trip breakers arranged for twoeutef-four trip logic as shown in SSAR Figure 7.1-
- 7. With this configuration, the complete foss of power to any single train will result in tripping the two breakers associated with that train; however, no single-train pair of breakers can trip the plant if they are the only breakers to trip.
120 Section 3.4 System-Reisted vessel Overfm In BWRs during transient situations, reactor NOT APPUCABLE: This issue is only applicable to BWR reactors.
Insights -
vessel overfM can be a problem causing rnein steamline Automatic Trip of flooding and possible damage There is currentty no Condensate and automatic trip on condensate and condensate booster Condensate purnps on high reactor vessel levet.
Booster Purrgm 121
' Section 3.5 System-Reteted System Overpressurization During system restoration efter NOT APPUCABLE: This issue is only applicable to BWR reactors.
Insights - System mentenance dunng cold shutdown at a BWR, en incorrect Overpressurtzetion valving sequence resulted in overpressurtzstion of piping and damage to the test retum line of the Condensate Storage Tank (CST) and Condensate Retum Tank.
3 99 TABL.1 (Congnued) k o,AT exP e.
viW in..p g
g issues addressed By nun.o er11 Appens 8 item Issue Reference InouerScope Human Factere AspecWHuman Perfonnance leeue Human Facterestienen Portennonce teous Addressed by Areet Design g
S..~^_
Control of Feedwater Control Svetem The cxmtrol of PWR in the AP900 destri. SG water level is automsecelty contromed from rm.Aoed conditons 122 Section 3 6 i
insights -
Feedweter Systems duetnB startie and lowfower to 100% plant rated tiermal power by the startup feedwater control subsystem and tie Feedwater Control operations has been problematical. Operators have had main feedwater control stesystem. The startup feedwater control subsystem maintains System duncuNy in contromng the feedweler Howrote as necessary a y _, _._. " water level in the sheE eide of the SGs during lowpower (below to maintain SG water levels due partlety to the fact that Wie oppmmimately 10% of ptert rated themini power), no-lood, and plant hootup and feedwater control volves and control systems are not cooldown enodes. Transition between Wie main and startup feedwater control volves is designed to operate in the low flow regions. There has automaticety contrated booed on 90w measurements wilhin the respective mntrol eleo been deculty in the swNchover from manuel to velves. The startup feedwater cortrol subsystem regt4stes the How of foodwater in e automatic control that occur in this time frame.
menner simAer to the way (main) feedwater is contre 8ed in the lowtower control mode.
Two modes of feedwater cortrol (lowtower enode and high9ower mode) ero j
- .---- _ _ ^ in the (meln) feedwater control subsystem. A separate low range feedwater Row measurement is used in the lowpower feedwater control mode. SSAR Subseceans 7.7.1.8.1 and 7.7.1.8.2 provide e description of the foodwater cortrol and startup feedwater contml subsystems 123 Section 3.7 System-Related Volume FNs With Water On a BWR, when the scram NOT APPUCABL.: This issue is only oppNcoble to BWR reactors-h insights - Scram discharge volume les with water, inserson of the control otecharge voeume rods is inNbited.
3
$e 5
TA8t.E 1 (Continued) k
'a OPERATING EXPERIENCE REVIEW FOR THE AP900 loovee Addressed By NUREG 0711 Appendix 8 y
item tenue Reference leeuerScope Human Factore AspectMuman Performance leeue Human FactoraMumen Performance leeue Addressed by AP900 Deelgre 124 Section 3 8 System-Related Overpressurization of Low Pressure Systems The AP600 has incorporated vernous design features to address ISLOCA challenges.
Inssghts -
Overpressurtzetkm of ow pressure systems due to RCS These design features have resulted in very low AP800 core damage frequency Interfacing Systems boundary faaures may result in rupture of low pressure cortpared to curren9y operating plants. These design features are primer #y assodated LOCA (ISLOCA) piping. Some RCS boundary faaures have ocx:urred due to with the normal residual heat removat system (RNS) as discussed in SSAR operator error. Irrportant operator errors include valve Subsection 5.4.7. A Westinghouse design report, WCAP-14425, has been prepared to alignment errors during transitions between operation document the systematic evaluation of the AP600 design for conformance to modes.
NUREGCR-5102. As a result of the study reported in WCAP-14425, additional design features have been incorporated in the AP600.
The following table provides a summary of AP600 design features which satisfy ISLOCA frequency acceptance criteria.
System i!
Major Design Feature Normal Residual Heat Removal increased design pressure of the outside of containment portion of the system such that the tyi ultimate rupture strength of the piping and O
mg G are equai to or greater than the RCS design pressure.
Chemical and Volume Control 1.
Relief valves were added to minimize the System Hakete Purg Suction consequences of pump suction over-pressurizattort 2.
Hightressure alarm added to pump suctior, me to alert operator of overtressurization.
Chemical and Volume Control 1.
Placement of highpressure purification System Letdown Line loop irside containment eliminates higtunnergy letdown outside of containment.
2.
Letdown orifice limits leakage from a letdown line ISLOCA.
3.
Automatic isolation of letdown occurs upon safeguards actuation signal.
4.
Roller vatve added to prevent overpressurization of letdown line.
Primary Sampling Systum 1.
Most of the Primary Sampling System is designed for fut RCS pressure.
2.
Flow restricting orifices Rmit extent of ISLOCA 3.
Automatic isolation of Primary Sarnpling System occurs upon safeguards actuation signal.
Domineralized Water 1.
Resef watve added to prevent overpressurtzation System of the inside of containment portton of the system.
2.
Automa'ic isolation of DomineraRzed Water System occurs upon safeguards actuation signal.
3 w
G TASLE 1 (Cenenued) k 3
OPERATW8G EXPEf4ENCE REVIEW FOR THE APOOO teouse Addressed oy NUREG 0711 Appendia 5 nem seeue Reserence eseuerscope Human Facters AspectMumen Performance teous Human FactoreMuman Portermance leeue Addressed by APeet Doolgn g
125 Section 3.9 System-Reisted R&C Systems Probioms Convenponall&C in NPPs has The advanced l&C equipment used in the AP900 design is beood on en evoluhon of insights -
been associated wMh periodic leNures, spurtous reactor previous digitall&C designs. Each evoluuon step inmsporelos ;.,_.2..;e whldt are Advanced l&C trips and plant trenoients, operator confusion on instrument a result of egertence gained during the use of the pewous desagrt This minwrdzes the feaure and toss of power. extenelve time and effort to Nkoghood that any partcular design would have a signEcont amount of problems that accompush testing, and dilliculties in troubleshooting and would irgect plant opewgort repair. Advanced I&C are subject to sudden tellure and recovery, due pertesy to high suscepubulty to EMI.
Interfacing with the new equipment and sollware programming also efford opportunities for operator problems.
126 Subsection 4.1.1.1 Corripor*ent-Doolen Allematives Seal degredoton and failures have NOY APPUCASLE: The AP800 design specilles reactor coolere pumps with canned Related Insights -
caused RCP leeks. A design algemeeve whicft een misgate motors that have no seals. Refer to SSAR Subsecuans 5.1.3.3 and 5.4.1.
RCPs - Seats the need for entensive end compucated hos is the use of conned rotor purgs that do not have seats.
Ut 127 Subsecton 4.1.1.2.1 Corgonent-Instrumentellon - Monlloring Flow, terriperature, and NOT APPUCABLE: The AP900 design speclRes reactor coolard purgs with conned Related insights -
pressure dets frorn the seal system should be congnuously motors that have no seals. Refer to SSAR Subsections 5.1.3.3 and 5,4.1.
RCPs - Seels monitored and should be snelyzed for seal perfomw1ce needs.
128 Subsecean 4.1.1.2.2 Corgonent-Instrumengselon - Ranges on Flow Measurino Devices NOT APPUCABLE: The AP900 design specines reactor coolant purnps with conned Reisted Insights -
Provide increased ranges on flow measurtng devices so motors that have no seals. Rofer to SSAR Subsections 5.1.3.3 and 5.4.1.
RCPs-Seals that off4tormal values may be reed as wen es normel values.
129 Subsechon 4.1.1.2.3 Corgonent-Instrumentellon - Ranges on Tn _ i-- Measuring NOT APPUCASLE: The AP900 design specilies reactor coolant purgs with conned Related insights -
Devices Provide increased ranges on temperature motors that have no seats. Refer to SSAR Subseceons 5.1.3.3 and 5.4.1.
RCPs-Seels moosuring devices e to RCS targeratures.
130 Subesceon 4.1.1.2.4 Corgonent-tre - Additional Pressure and T_ _ _ _ _;
NOT APPUCASLE: The APCO design specNios reactor coolant pumps with conned Related Insights -
Measurements Provide added pressure and termerature motors that have no seals. Refer to SSAR Subseccons 5.1.3.3 and 5.4.1.
1 RCPs-Seels nessurements, e.g., seelleshoff presouros, CCW retum ilne pressure, seal cavity torgeratures, dliterential stage pesemures, and radial bearing toegerature 131 Subsecean 4.1.1.2.5 Cormonent-Instrumentellon-AdstionalFlow Measurements Provide NOT APPUCABLE: The AP900 design specinos reactor coolant pumps with canned Related Insights -
added flow measurement, e.g., seal toehoff flows.
motors Wiet have no emain Refer to SSAR Subsections 5.1.33 and 5.4.1.
RCPs-Seals 132 Subsecean 4.1.1.2.6 Corriponent-Instrumenteelon - Better Alarmino Provide better eierming NOT APPUCASLE: The AP900 design specWes reactor coolant pumps with conned Related insights -
of the need for operator acuon.
motors that have no seals. Reier to SSAR Subsectons 5.1.3.3 and 5.4.1.
RCPs - Seels 133 Subsecuan 4.1.1.3.1 Corriponent-P ocedures and Operator Aids - RCP Trendinn Operator 900T APPUCASLE The AP900 design specines reactor cooient pumps with conned Related Insights -
eids shoued be provided that enow Wie operator to motors tiet have no seals. Refer to SSAR Subsections 5.1.3.3 and 5.4.1.
RCPs - Seels appropriately trend RCP related parameters releeve to seed performance criterte.
I 3
i 9I TABLE 1 (CeneW k
OPERATWIG EXPff4ENCE REVEW FOR THE AP900 J
5
-,_E.,,_.
Item Issue Reference leeuergeope Human Factere AspectMuman Portonmence leaue Human FactoreMumen Portermance leous Addressed by AP900 Design g
134 Subsec50n 4.1.1.3.2 Corgonent-Procedures and Operator Aide - Ememency Procedure 900T APPUCASLE: The AP000 deelgn spedRes reactor coolant purgs uutch conned Rolsted heights -
Guldennes Emergency Procedure Guidennes, procedures, motors that have no seals. Refer to SSAR Sd==rmans 5.1.3.3 and 5.4.1.
RCPs-Seels and training should be provided for a reasonstdo spectrum of sealloture events, such as: high-seal.lenkeff flour.
hiWi-seal temperature, high verstion, toessf-seat inloctirm, loosef. seal cochng, stopon blechout (SBO), and reactos cocient purg restert criterte. These procedures should Incorporate the recommendemons of reactor content pump and deel vendors.
135 SubsecWon 4.1.1.4 Corgonent-Funcelonel Anotadon leotation of sealleekoff Hnes on high-IIOT APPs m ur' The AP900 design spedRos reactor coolant purgs with conned Related insights -
flow, which has testorically required operator action, should motors tiet have no seals. Refer to SSAR Subeectons 5.1.3.3 and 5.4.1.
RCPs - Seels be evolueled as a condidate lor automaton since detocuan, recoqpillion, and action are time constrained.
136 Subsecilon 4.1.2 Component-Coniponent Degradsson When roector coolant pumps or The AP900 employs conned motor toector coolant purgs Wiet do not contain seats Ut Reisted insights -
motor components degrade, they can eventue8y result in whose degradehon could feed to a loss of reactor coolant. Reactor coolant purg M
RCP Monitonng cetestrophic tellure of pump or seals, N the pump is not instrumentagon is provided to continuously monitor purg performance bicluding 1) stopped in time. Due to tie locanon of the reactor coolant bearing water temperature. 2) purg verstion. 3) stator temperature,4) pump speed. In pumps heide contomment, detection of degradeson must addluon, RCS toop now rates are conenuously measured be accompashed #wough appropriate instrumenteWon Large failures of the pump or seals can potenueSy result in a primary system LOCA.
137 Subsecuan 4.2.1 Component-Tetp Status in a case where the overspeed trip velve for HOT APPUCASLE. The AP900 does not have en AFW system. The PRHR system Related insights -
the turbine-driven AFW pump turbine was C _._.;,
funcelonsby replaces the AFW eyelems in cunent PWR t$eeigns. The PRHR system AFW Pumps tripped and not propedy reset, the CR operators were not does not include pumps. Refer to SSAR Secton 6.3.
euere of the Inoperable status of the AFW purnp.
138 Subsecuan 4.2.2 Component Steam Binding AFW purgs have egertenced steem 900T APPUCABLE: The AP900 does not have en AFW system. The PRHR system Related insights -
tHnding resulung in pump inoperabluty. This has typice#y functionsgy emplar== the AFW systems in current PWR designs. The PRHR system AFW Purgs been caused by feedwater back toekogo through the AFW does not include pumps. Refer SSAR Section 6.3.
discharge check vehms, but eleo by seekage enough complev posiwevs. moddng as way back to the AFW pump sucuan sources.
13g Subsecuan 4.2.3.1 Component Pune DM Trips: Diesel-Ddven Purg - Minimum NOT APPUCABLE: The AP900 does not have en AFW system. The PRHR system j
Reisted Insights -
Opereung Speed The tSeeeHidven AFW purgs have functionety repieces the AFW systems in cupent PWR designs. The PRHR system AFW Purgs egedenced problems where Wie pump drivers have tripped does not include pumps. Refer to SSAR Section 6.3.
because the diesel AFW pump had reached minimum i
operating speed (about 800 rpm) which closed the speed
'""Ch-140 Subsection 4.2.3.2 Component-Pung Ortver Trips: Diesel-Delven Purre - Stop Signef NOT APPUCABLE: The AP900 does not have en AFW system. The PRHR system Retsted Insights -
The diesel-drtwen AFW pumps have expedanced protdems funegonesy replaces the AFW systems in cunent PWR designs. The PRHR system AFW Purgs where Wie pump drfvers have tripped because Wie stop does not include pumps. Refer to SSAR Section 6.3.
signal was.. _ _ _.;, generated by tie operator and was released before the tSesel had come to e fus stop.
l i
f
?
E k
s 5
TABL.1 (Condnued)
O u
op.R xP-C. R.W.W R ut. AP g
..m APPen.s.
Item Inoue Reference IssuetSeepe Human Factere AePectMurnen Portonnance leeue Human FactureMuman Personnance Issue Addressed by AP900 Deelgn g
141 Subeecton 42.3.3 Corgonent-Pump Detver Trbs: Diesel-DNven Pune ' Auto After DIOT APPs em r. The AP900 does not have an AFW system. The PRHR system Related Insights -
Stop* Postuon The doest-drtwen AFW pumps have funcuaneNy repieces the AFW systems in current PWR designs. The PRHR system AFW Pumpe egenonced problems ushere the pump drivers have tripped does not include pumps. Refer to SSAR Secean 6.3.
when the control switch was stowed to go to
- Auto After Stop". en auto stort signal was presort from toes of the main feeduster purg (MFP).
142 Subsection 4.2.3.4 Cormonent-Pune Driver Tebs: Diesel-Driven Pune - Diesel Could 9007 APPE em 8: The AP900 does not have an AFW system. The PRHR system Related insights -
Not Restert The dieselifrtwen AFW purgs save functioneity replaces the AFW t,ystems in current PWR designs. The PRHR system AFW Purgs egenenced problems where me pump ditvers hsive tripped does not include pumps. Reser to SSAR Section 6.3.
due to the engine edB being at greater meer 40 rpm, the diesel starter motors were dioebled and the diesel could nct try to restert.
143 Subsection 4.2.3.5 Component-Purre Driver T@s: Diesel-Dr6ve Pump - Low Lube OE 800T APPLICAOL.; The AP900 does not have an AFW system. The PRHR system Related insights -
Pressure The diesela$nvert AFW purgs have _
_W functionally reptoces the AFW systems in current PWR designs The PRHR system Us AFW Purgs probsoms where the pump drivers have tripped 25 seconds does not include pumps. Refer to SSAR Secean 6.3.
W aner receMng the second auto start, the low lube OR pressure ownch trip wee ensbied This caused the engine to lockout due to 3to low oE pressure associated wist me engine shutdown.
144 Subesc8on 4.2.4 Corgonert-Pump Driver Trips: Turbine-DNven Pune - Erroneous T4 900T APPUCABLE: The AP900 does not have an AFW system. The PRHR system Related insights -
of AFW Purves The turbine.dnven AFW pumps have functioneRy rugda-the AFW systems in current PWR designs The PRHR system AFW Pumpe empenenced problems where me purg detwers have tripped does not include pumps. Refer to SSAR Secton 6.3.
because efter an auto start, operators enoneously tripped the AFW purgs. The steam-dnven AFW purg had boon restarted from the CR using the stort volve whkfi aponed repksy (less Wien 5 seconds) and caused Wie turbine to oversposd and trip. The auto stort signet opens the trip and throtje velve on me iniGel auto etert over a period of 20 second=. (by desl ps, slow stroke 9me prevents me i
turbine cr,orspeed). Una reset loceny, sw trip and swetse veeve remains open when the pump is shutdown hem the CR by Miusting the start valve. When tie faster acting slett ve!ve was used to restert sw steem49 riven AFW pump, me pump tripped on overspeed since the artp and throtse volve was already open.
. ~
!Ualli
!!f!
e!ji!$
m,j it
!I!ll!
illilill i!!!ll!
l i!!
i Ilii
!!!!!!!li!
lii'i li!!
11i lj
!!,1 idi !!!!! !!,l i
i i!!,
i!!,
i!!,
i!!,
p i i l
I I
mA2927w.wpt:1t>051396 54
..m_
i igi is ii f I!
! }Ili l,![
ll,l il J{i il i tt i nI I
1
'1 1j it ip t
11 1
1 1
t 11 In 1
I i i I Ii 41 [
lli li li g
2 g
}lh
}i
}
}
L l1 S
11 1
. f ri t t
,=k! IIj IIj!]hl!
I I
g l li i l ill-
!! i
,i h
9
!Q,I l!!!l
!!}!I!
l Ii e
i l 1
i
=
i l i i
i g
I 4 I
i i
l 1 1
}
II.
I i
llllIl rl lli il 1
l !! Iltrl ill!!II 11Ill IInNr!
Il!!i II!i l!!i l!!i L
p i
e i
i i l l
l l
e e
m:\\2927w.wpf:1b451396 55
9 5
TABLE 1 (Condnued) k
'a OPERATW8G EXPERIENCE REVEW FOR THE AP900 leeues Addressed By NUREG ST11 Appendia 5 Ilom leeue Reference loomerScope Human Factere AspecWHuman Performance leave Human Feeteremtumen Performance leeue Addressed by AP900 Design g
153 Subsection 4.3.5.1 Component-Pump Teenngr Teeung Durtna Ptert Operemon Current NOT APPLFm O This Rom does not apply to me AP900 because R has no safety-Related insights -
plants have had to devtse compier test procedures met reisted active pumps. Chapter 3.9.6 descrbes me AP900 inservice test (IST) pion. This IST of Pumps and have often cheRenged operators and maintenance table shows that there are no pumps in the IST plan.
Velves personnel due to designs that make tesung very dWRcult. N posseis at all. One of the eress where the design can be enhanced-Ensure that system design has aulilcient nozibliny to snow pump tesang during plant operemon. The system should eBow flow to be verted so that a reference value of How or differential pressure can be estabtshed for the test without mejor system reconfiguratkwt There should eleo be adequete instelled Instrumentation to run the necessary tests, including sucson and discharge pressure dWieronitet pressure, and now rete. One means of improving flow instrumentation is to include now rate instruments in me minimum tiow recirculation Ene.
154 Subsecuan 4.3.5.2 Corgonent-Purre Teodngr Veration Monitortna Current plants have NOT APPUCASLE. This item does not apply to me AP600 because R has no safety-Reinted Insights -
had to devise arrvices test procedures that have often related active purops. Chapter 3.9.6 descitbes the AP900 IST plan This table shows IST of Pumps and chapenged operators and maintenance personnel due to that there are no purgs in the IST piert vetves designs that make toseng very duncut, a posseio et es.
One of the areas where the design can be enhanced There should be insteNed pump vtration monitoring instrumenteuon to enow sor trending and inservice tesung of pumps.
155 Section 4.4 Component Breaker Lock-Out Under vertous conditions large cheuG Circuit breaker control signet block or lock-out wit generesy occur when en attempt is Related insights -
breakers may become lockedeut due to protec#on system made to close a breaker in the presence of a trip signal. Note that the trip signet can Ckcult Brookers acWons. These lockouts were not always siermed or originate from alther the PMS or from me electric system protocevo devices (releys). If indicated to the operators An example is the selety en ettergt is made to close a brooker from the CR twough the soft controlin the miscIlon purup tweeker, which had a lock-out when en presence of a protecIlve system trip signal, me control action wlR be blocked (but not ettergt was made to close the breaker with the hand lockedeut) and the operator wlR be provided with en appropriate message to clarity the switch in the presence of a trip signet. In this case there system response, if an attempt is made to close a breaker locally at the switchgear in was no indication of me lockout and the ordy means of me presence of a trip signet, the tweaker may be loded-out at me switchgear. AN clearing the condNion was to remove and relneteE the fuses swechgear lockout condicons are indicated and reset raPahally provided.
et the breaker or rnenuelly charge the sente of the relays.
156 Section 4.5 Cormonent-Inflatable Seels Spent fuel pools have inRetable seels The AP900 spent fual pool does not conlein any inlistable seats that require the Related insights -
whidi are typically pressurtred uth Instrument air. l.oss of eveRebluty cl suuNiety systems to mainlein spent fust pool water Irwentory.
Sport Fuel Pool air presouve, among other items, can cause leakage or Seals feNure of these seals and subsequent dretning of the fuel pool.
9
+
r 3
i n
TABLE 1 (Continued) a OPERATW8G EXPE14ENCE REVIEW FOR THE APete t
j
- Adme
-G.m A s.
hem Issue Reference IseuetScope Human Factere AspectMumen Perfonnance leeue Human FactereMuman Perfonnance teene Addressed try AP900 Design i
g 157 Sec9on 4.8 Corryonent-Blodouang There have been numerous instances of The RNS HXs transfer heet from me reactor coolant to the closed CCS. The CCS water s
Related insights -
biolouang in NPP heet exchangers (HXs), where verlous is chemiceBy controsed wilh conceton lnhbliers and pH orquelmert. The makeup water Heat Exchanges types of clams and museets have grown inside of piping to the CCS is dominereAred water. When the CCS water chemistry is maintained as and particulerty HXs. This occurs in open cycle cootng speellied, there is no potenliel for biceogical foutng of any of me components whitti are i,
I water systems and has caused sullicient fouling so that cooled by the CCS, including the RNS heet euchangers.
preneure drops have Increased and nows have decr====a This in turn limits the ebeny to adequately cool The CCS is h tum cooled by the open service water system whitti releases its best into congonents. Heat exchangers that have been ellected me ultmete heet sink wie a cooling tower. The SWS is a reisevely smet open cooling l
Indude those for CCW, RHR, and Emergency Diessi system which is dierriicany controued to meintain oppropdate concentrations of biocide, Generators.
algicido, pH =@e, concelon inhblior, scale inhbitor, and a silt dispersent.
(Subsection 9.2.1.2.2)
The AP900 desel generators use e closed cooHng system with airi:ooled redletors:
therefore, biofoutng concoms are not appecewn to the desel generators.
158 Secean 4.7 Congonent-Dialodged Connectors Power connectors have become INPUT THIS ISSUE INTO THE DESIGN ISSUES TRACKING SYSTEM.
Reinled Insights -
acciden8y re**pareresulung in undesired trangierts One Powe, Core,ec.ons e.e,rpio is - core,ec ors Ior me Imedwater cor syslem, which led to a reactor scram.
150 Section 4.8 Congonent-Deelen FInw in SWR Intermediate Renee Monitors A A felled nuclear instrument power steply fuse results in an instrument output that is *c,ut-
[
Reieled insights -
design flew was identlhed in SWR Intermedisse Range of4enge*, if a parameter measurement is outside the range of the Instrument (note that Neutron Monitors Monitors whereby the failure of a power simply fuse me date queAly would be good), then this *out<W-range
- Information is Indicated on the reeuned in inoperabany but was not annunciated nor and a workstemon depier to me opersior.
i create a trip silustion from the 1etector output.
t 180 Secean 4.9 Component-Desiccant Canyh Due to a tailure in the instrumore Air The efter-futer design diferential pressure cap.haity is greater then the maximum t
Related Insights -
(IA) system filter, the deeltzent from the dryer assently dNierential pressure Should he INtor become plugged, R is designed not to fat. The f
Instrument Air cented over into two IA system and caused a leaure of dryer package wlE have eterms to idengly high diferordini pressure across the filters.
I Dryers solenoid velves. This in tum ceuesd a CN to become inoperable 4
~.---.--n.
4
+
t r
1 3
-4 5
TABLE 1 (Condnued) t.
u o,
c.
view T,t t
Item locue Hoference IseumfScope Hurnen Factere Aspectmuman Performance leeue Human FeeteralHuman Pertennonce leeue Addressed Ipy APOOO Design g
161 Subsection 5.1.i Local Conhol Use of HFE Princeses in LCS Desien Lncelcontrol LCSs in the AP600 we be designed using the some HFE design process and Stations - Genovel stemons (t. css) serve as intertecos between the operaters consideremons as elR be used for the MCR and M-MIS. Each LCS we be analyzed and j
Considerations and be plant, simBer to me work stesons in the CR.
designed to accommodate the loslowing- (a) expected modes of operm including Hence, the approach to their desip should reRed the maintenance and refusing; (b) funcuon idengReason and task analysis: and (c) stemng same HFE consideraWons given to the MCR,i.e may levels needed. The dosip process we identWy the individual toeks necessary to perform should tie designed using the same methods, slenderds, the LCS s functions Any MMI designed for the LcS we sonow the same process, guidenne, and principles The design of LCSs should be principles, guidennes, convensons and codine as was anped to me MMI in the MCR.
guided by the tuneman and task anstyees used to analyze Ptert-wide convengons regarding equipment mding, lebeAng. and operatons of controls ihe human role in the plant. n should be determined that we sino be apped to the design and layout of LCSs.
l funcuone to be portormed at LCSs we not be m_ - z 2
by human amitations and that the design of the LCS meets the needs of the operator for process information, means of effecung control, fen on antrol actions, and an adequate woridng environment in addman, the design of i
eedi LCS should be consistent wilh that of other LCSs and I
should conform to plant-wide converelons regarding coding.
g,n CD labeans, infonnetton display, and operamon of mntrols.
Lebeang should be weg engineered, consistent, thoroughly
}
appmed throughout me pient, and appropriately designed to evoid wrorgunnhnong-train type enors.
162 subsecdon 5.1.2 LCSs - General Funcuonal ABccation Considerations in discussing The LCSs udt be designed using the same desip process as that used for the MCR Consideremons probeams that might be anecipated with future LCSs, and the M-MIS. One of the design otgec9ves for the AP600 M-MIS is to presert y
Her9ey et al. (1984) pointed to the agoceton of en informe90n to the operator in such a way that the operator is able to maintain situation 6
increasing number of LCSs to automatic or semiautomatic sworeness. The WPtS dispieys in the MCR wul be desired b acconiptsh this systems (as opposed to human operators). The disculties objeceve. For LCSs, the respecGwe interface wsH be designed to allow the local operator they enticipated were the some as those that can arise to maintain en awareness of the situation; to eRec9vely monitor and verWy the status of from increasing automation in the CR, l.e., me polonlist any automaticacy controsed local functons; and to property execute any required local l
loss of operators'situason muereness, and hands <>n manuel actions.
conteel skies (Otters,1993) as their primary role becomes one of monitoring rather men controNing. A related observagon was made during the plant visits undertaken for i
i NUREG/CR4146.
i 3
8 a
l 4
i' 3l r
n 5
TABL.1 (Congnued) k
[
u o,RATi
.XP C. R.V poR 1 AP leense Addmosed By NUR.G 0711 Appenda B f
Item Issue Reference leeuefScope Human Feeters AspectfHusen Portermance locus Human FactorefHuman Performenee leeue Addressed try APSOS Design g
163 Subsection 5.1.3 LCSs - General HSI Consistency Wuh Main Control Room The reviews The workstemon in the AP900 remote shutdown room wW be identical to the Reactor Considerations undertaken for NUREGCR4146 involved 11 elle vielts to Operator's workstaton in the MCR. The M-MISs evetable at the operator's workstation observe LCSs. At ad of the plants, operators in the CR in the MCR wiu also be evenable at me remote shutdown room workstation. Therefore,
{
had access to computerbeeed dleplays in addMon to 90 operator wlB obtain plant information and control the plant from the remote shutdown corwentional dleploys. These dispinys provided high-level workstemon h the some menner as he does from the MCR workstation.
Inlormagon, e.g., indications that represented on integration of several paramotors, el the value of a set of parameters The MMI and workelstion design for en LCS we fotow the same process, principles, plotted over time. However,in only one of the plants were guidelines, conventions and codings as was appued to the MMI in the MCR.
}
such thsplays evetable at the shutdown panel. This leeue rney become more signlRcent in advanced plant designs, j
where CRs are corguter workmsed, while the LCSe (such as me remote shutdown panel) are based on convengonal HSt. In such a plant, operators et remote
[
shummwn stemons migre be forced to seeier informenon l
about me status of me plert and me ellec9veness of meir j
UI actions by unar==enened moons.
(O 164 SecWon 5.2 LCSs - Functional Desertiudon of Selety Functions Functional CentreRzeton The AP900 plant design is such that R has a high degree of FC,l.o.,it has aN safety Centreuze lon (FC) refers to the menner in which the oefety functions of functions integrated into e single panel whitdi conleir e aE rwaneery controls and a
I LCSs are distreputed throughout the plant. This embodies displays. This penet is me reactor operator workstellons in the MCR.
many of the systems engineering characterlatics of LCSs and their funcuonal oogenizoWon A plant wem low FC has The AP900 l&C architecture wlE be such that e5 process informeWon that is avallebte via a wide detribullon of selety func#ons on many local panels the plant control system wWI be aveanNa puoughout the plant. Cw._ _.;oe,,, ports wiu throughout the plant. Such plants also hoeve use local be located throughout the plant to enow workstatone to be used locoty at the equipmert r
i control of individual components, A plant with high FC has for " local control", monitoring activilles, maintenance activaios, or other functons Local as seesty funcuans integrated into a single penet which indlceman encyor corarois we not be used escept where required by code, regulatory I
contains aE necessary controls and dispinys FC effects t -_.-.; URD or for operation of the process where portable interfaces with the human performance through Rs impact on such factors as plant control system would be a hindrance Through the use of either portable or communication worMoed, crew coonsnanon, sme to permanene inelened interteces enew dispinys, pient personnel can access any r
complete actions, and requirements for procedural monitored parameter in any locanon in tio pienL By using this technique, local corgleulty In NUREGCR-5572. R was shown that intScegng devices um not genereAy be required and an suusiery operelor can monitor
- entranzamon of funcsons et mumiuncuan control pensis the whole system from one loceson.
was aseodeled with large polongel reductions in rielt When considered at tie deelyt stage, the elsk reducilon benent would be high.
165 Section 5.3 LCSs - Velve Lack of Local Valve Pooleon Irweemaan NUREGCf06146 Manuel volves Wiet have been found to be elsk signlRcent have been provided with Poenlon IntScoton found met many manuel velves, even those found to be the remote poemon sensors. Manuel velves with remote postion indicators inclusie the CMT (VPI) most risk signllicent menuel volves, Incked local poeNion ouget isolation velves (PXS-V013A/B) and the PRHR HX ouest isoleton valve (PXS-Indicamon. Wuhout such egnen indicsson, the poellion or Vtoo).
the velve is Infened from stem poeWon (for steing elem volves) or determined by checking the velve in me cdosed direcean. Both memods have potennel problems, es sherue=ed in the NUREGCR. OER also identmed incidents that were couesd by poor or missing loced VPl. The nature of the posigon Intscetion should be appropriate to me use 7
of the velve.
I m.
m m-
-m m.
m-
I
^
m N
TABL.1 (Conunued)
Ia 0-An x
R pOR nt. A, 5
- - -.m App Item leeue Reference teouef5 cope Human Factosa AspectMmeen Portennonce teene Huomen FactereMureen Portennonce leeue Addressed try APOOO Doolgn tes Subsecean s.4.1 LCss-soace et LCas Onen there is not enough room for The woestapon in the AP900 remote shutdown room wW be Idontcal to Rio Reactor l
visceneneous operators to work at the remote shutdown penet in Operators woestemon in the MCR. The M-MISs avseetdo at the operators workstason
- lems paracular sumcient space for hendung,,,-__ '_ x is in the MCR wE eleo be avatable et the remote shutdown room woestsuon. This needed at the remote shutdown pensi as won as at many includes the CPS. Therefore, the operator we obtain plant inkwmenon, operate and other local panels.
antrol Wie plant from tie remote shutdown wo4 station in the same menner as he does from the MCR worksteWon. The CPS and Rs use of mul4de VDUs (dynamic roadmap screen, main interface scroon and supplemental irdormellon) etminoles the need to ensure adequate inydown space is aveashes et the workstenon for hendung paper procedures. Task analysis wel be performed for other LCSs and N laydown space is needed then this need wlE be addressed.
167 Subsecuan 5.4.2 LCSs -
Steam Generator Dump Velves Manuel operston of PWR Under normal power operemon, sie operation of the power-operened relief volves i
Misceneneous SG stmospheric durry velves is chen very 19fficult becsues (PORVs) is automaticeBy controlled by steemune pressure durirg peant operations The j
Items of compecated menuel.... _ _ c., very high noise PORVs A.
-5 modulate open end euhaust to atmosphere whenever the 4
levels. high heet toads, end sometimes kiconsistert velve steerrinne pressure exceeds a predetermined solpoire The setpoent is selected between operemon with valves in close proximmy to each other.
no-toed steem pressure and the set pressure of the lowest set safety valves. For their 3
h uso during plant cooldown, the power-operated atmospheric relief volves are
- - contromed by steemune pressure, wth remote menuet adlusemert of the
^
pressure sopoint from tie control room or Wie remote shutdown workstation. To effect e piant cocidown, the operator manueNy =9* the pressure seapoint dowmeerd in a I
step
- fashkwt Manuet control at the valve is not provided for the PORVs. The PORV distfierges are on the roof of the auxmery bubding and discherges wie a stencer to limit noise levees.
l The steem generator power <perated atmospheric relief valves provide a
. -- _, reisted means lor plant cooldown by dimmerging steem to the menosphere i
when the turtine bypass system is not evenetde. Under such circumstances, the relief volves (in cortuncuon wth the startup feedwater system) eBow the plant to be cooled down at a contromed cocidown rate from the pressure setpoint of the lowest set of safety vetves down to the poirt where the RMS can remove the reactor heet. The sesseneinted means of decay heet removat and piant cooldown is attained by means of Wie pesolve RHR system and Independent on the PORVs.
f i-l
3 TABLE 1 (Congnued)
Iu OPoiAT cE R vi PORT AP leeuse Addreened By 90UR.G 9711 ApperuAs B g
nem issue Reserence IsometScope Human Factere AspectMumen Portennonce leeue Human FeetereMumen Portennonce locus Addressed Ipy AP900 Doolgn 1es subsecuan s.4.3 LCSs -
Personnel C._ _ _ _ _ T Vertous stees of to piers have The AP900 incore inetumereogon does not include traveeng incore probes (TIPS) or Miscetoneous the potongel for high redation IIsids Wiet could lead to movable detectors. The incore Wilmble tubes are hetened and not moved during plant seems personnel overeigiosure there8ere mR plants have InsteRed operoNon. They do not present any polennel for over-eignoeure of personnel to redation redation detectors and eierms. Addleonelly however, Wie whee kistened. These thimble tubes are wifulraum hoo sto integrated head package meNunction of certain equipment can lead to very high prior to head removal in proporneon for refueung. After thimble tube withdreumoi, the radiation levels. This equ%:mont incluries incore instrument integrated head is Hfted and est doum onto a 9 tick bottom shleidng plate The shielding thimbles and travegng intore probes (TIP). There should piele is seisched and tie heed is then afled trWo a shielded vault. The thintile tubes be appropetete local woming devices (and perhaps also CR elmo do not present potential for over-engsoeure of personnel to redeWon during eierms) to alert personnel when equipment, sudi e TIPS shutdoum.
and incere thimtses are not shieksed and the potenuet eulsts for high redation fields.
Area redation enonitors (ARMS) are pmvided to supplement sie personnet and eran redelion survey provleions of the AP900 heeNh physics program descreed in Section 12.5 and to corrgdy with the personnel redegon protection guidennes of 10 CFR 20, 10 CFR 50,10 CFR 70, and Regulatory Guides 1.97,8.2,8.8, and 8.12. In addition to vie instened detectors, periode piant environmernet survenance is esteedshed On AP900 nomial and accidert plant redanon monitoring is described in SSAR
^
Secuan 11.5. Adduonal po. table monnoring. Inclueng that required to meet NUREG-0737. Item III.D.3.3, is the responetely of Wie COL appecent.
169 Subsection 5.4.4 LCSs-Emergency Lighling Emergency lighting is required in the The AP900 deelyiincludes entensive use of plant automation and distributed control.
Mioceneneous plant for personnel safety and for nudeer sateiy reasons.
The esttuted control system minimizes the need lor LCSs to meet the requirements of items The two key nuclear selety eroes requiring emergency eltier 10 CFR 50 Appendht R or 10 CFR 50.63 (S80). C..
y Nghling is provided ligheng are the scenerlos of 10 CFR 50, Appendix R.
In Sie MCR and the remote shutdown workstation to IBuminale those areas for Seccon ulJ and S80. Operoung emportance has shoum emergency operations upon loss of normal agheng. See the AP900 SSAR, Cheprer 7 that NPPs have tended to pay less attent6on to the ughung for a description of the piere cxmtrol systerrt The emergency Ilghting system is rg_' _.- during en SBO scenerlo. A common procece doecreed in ape 00 SSAR Sd==*=i 9.5.3.2J2
^
is to depend on austiary operator use of flashegfts. This con be a problem due to the potengel unevetebaty of The AP900 deetyi includes two nortClass 1E desel generators separated by a fire fleshnghts in en emergency and eleo because vie physical benter. Fotowing e Ilre, et loest one of the rSesel generators wiE be eve 8eble tr* provkie use of one whpe operating equipmert and communicogng power to normal Egleing in areas of the plant not damaged by the fire. During SBO the with the CR may be cuntersome two non41ess 1E desel generators are avetable to provide power to rummet plant l
lighting. The onene non-Class 1E diessi generators are descreed in AP600 SSAR, Subsecean e.3.1.
l tyd d
e e
g.
mb o o
ee sil h
n gr a
i u r
c l
t g n
) e go u n i l h
laF oi toteah i
f t
r
. h f
ht s
) t ia n
e t, ia fn s. e isn lavy t
nt n
is n
a d
. o
- 8. fo (v g
e to )s p e cae is D
nSh boegla n
ed bh si a
a 9 s e e
dCei t nh t
r el p
o i u t, r
s e
8 sl v c p
1 lob wo aSt d h wine
@Psu es s
la 9
((int es d g e
a d ei vetaua 0
hhlcu sR hT t
f e
nh a t
eAoh e
s n
9 ar n
eh at v
- a. ee h
h P
e
- w a
ht a
ss t
no A
. ue t te s i, g g
c t o 5 ne e D s s.
r a
h et 3 wb W
r n h
.r i
y a
v op h uomi emn p
ivc oo d e 1
n o
p b
h
. ni saar s t
vf s sit as mh tei a
r a Afod on RM t
t d
n mtoP Ced ge r t.i o
a r
L e
p r
- x. o sp O
pM.
Seiu S m. m nor e e Ssr e i A f
s r d epd s
a S
s s
)
e ednmR e a e
o C
0 ?
h 0
nq
(
t r
s ro a
v a
D n 6, m c r icLt n
e 1 g i a r
tya e
u, s d d
e ew h
- n ono d
r e A
Pmih lp y ene e
a o t
Ri d
o i
bM is3 l
c af r
J d i
f 7
AerT e vr es r
. st Gv is ?S e
t t e hts: nan t
t e e u r n onXm yt s
. etns n cr h ty
- o.
n u
4sh.
. ci r
i ein lc v e
Wpw aius ploPt e
s D s, d it tns amp ip ea g.
t oe k
o r s G, o ea0 i Is sl n
s s
o s nv r
r nd r w 0t e
p seig n
e o, e i
s et s r at eAtnar amr ui o
>o tu 6
ne nr n c
. u tn* Pe c
r n
sa pRilapis L oed n p
tit h s
r n
s na s
- a. = A n a
. tcn r
uo e ePmst Of sk e
u
$ r.
m yr it c e o r
asla es n
Claeip e
tnpi r
p r
d i a Gh o
vtsa n tse5h r
ot s
t, e 4-nc e vr f
i d a h
n n
g h o cge t
ena a
P ea e sR.
E tc r
Pt n u se:
r nr
- iu nng e
n p
t miia n
nfi m aS ies caa er isluu is mwlp L
ioe
.tnp t ek d t t
cd e ccmsA mle u o Oft ih it h
Ced t t
nciL mCr co n
a an lc o tut igoyS la o epO ASsin
- e..
0 s e de aht n
d h n ae r
m uicm0 isen S s p RSs k i R
uaC i
n e
h e
a r
- 4. S u
sseb0 i e r
tyric ia6 itcd s - r s
0 rh dI H
Pf A
6 o w
- 4. iv
.5 k
r s ole o isi ito Asel P c ahgO T la f
S P
.ron
- e. p w d sn nrA i*
b ss e
v ee Aen a
ane nh fcb o
afyal i eitnC.
nst d e no t
(
in a e i t
4.Rhh a= tcr a af o o t
c oaa h
sE c
t sd n t
t ccses e=iel mt Ga it Gt F
n et of eneh e r
a e
u pa i e ci i
h n
nc r o RM.itu n
0 edinita f
, bt I
k leie g
E ?s d
scWtym t
o 0
n Ria
. Esg 0
8 a
ome 2 r
eis o2 u
n e
oissyp r 3 l
s P
0 n y 0go nt p6 0
t P
m s gC d m nr et i
nr c
e0 giss o1 A
ix r
- i e
n 1
6io n u6 r
ih u
see nsSr g es rut E
d H
er t s e ck di ist o a n g
u a
'r t
Se n a
e i
n n ec i iv init Arag d P hic e n n Pt e el o
eA d )s n
Ds r ep ns ein r uwfng H
e s
or c
et e c
Sc T
p e a n na er s o e R
p he ewh h s ol h lasige ia e h
e h Np sm e
a t
r h
r e
O A
T mgoC T at cp T cR sb TS T r e PTRs
)
F 1
o e
R s
n d
1 e
e t
e W
7 d e gh Ch o
m p
r c
)
nt c ebl e or u
n I
u a
d an tev inr 0
e n
l t u
E r
hi ele,n eu at r o, R
c o w
h sht r af e
V G
a tr et e lep iad p t t a
t mnis H
n f
n E
E e
o semaem r i o o a in o y,rr d. t wTsmd l
o R R
m
-a ee s d
.nat ox uy oEo ap-tea osR r
d t
N si C
U e
r n b r r
n r taef c
gwgo e s cehlt s
oad
(
E N
n iwer o a
pFit n e C
a eohteh nlo int tnn i
t r o sn t ito pgylud ao v oioynt e imHaiht r N
y hdt aSal v e 1
nimd n L
I B
m r
r aeanr endht eur c t
v o
r o tut vemt me n tat E
E t
i o
r ad auai f
a nt edi oe!
r u aa e
a e s r ast B
R d
o t h
. s, dnht,frd cppAo c i mAwl l
gc oa e
f sn m, d cc r
r r
r e
e s
a, A o u noo
.p y eple.
A E
s e
uov nsal o s g i, a W d n l
e a
r s
at T
P s
P D t ig o@dt s
g o
e r smht e pI e n
eSi r
X e
g gia i ne nRe w ft npni i
spr Hdtyh lu r
E d
wpol r
i c Pc o oaien eli s h n o i b (etl seb u od n
t r Aed G
d in n r u lsedtea e, edodid a u
oh d
.hi u na n
nd NI A
s icc r t sa r
la t
o n
aluomeaf i aut n niaptaI t
omt es n
l r
v hd T
e a
sR cniorae pooehf i re r se c n
chteyeH gs0c<gs n
s s
o oot c vr A
u P d ht vet e r it sb e R yfeuR s
a r
togose n sga 4is P
l e
Paie R
e tx E
e d
an nngp mtn tnr aHaad fo r
a e
r pel e r
s h
n a nuk n
pdi tye aot e
o reumt a e N
onl ocf dsos h b uRec s,c to l
niumi t
a r
p sf s r m O
A t
meh d
neir f ea naiet e Ose l et ib ed i
k r s nv n a a t o n
r e
a nr gnPo t
n b e a
cd e
e ch eg nbs s apat g
o p wt ioas na l
ro m
ed c l
r gis r f ma i
dnld g a oa lut psi
.d ovt s e n
n i
l t
e a nf ge eopa ia iou aAL oek c c
g n o ongt i
n tsut o a C dh o r
t t h g mt n u a
a uoah o R h s s e annum r
ah cst u
s a c imt F
n m
,4 tad niek T
ssR H sSst 4.:s ea ioq u
- a c aaf is r
pss n
a
- 6. i r wdI n
n t
s s
r n R iCreI a
M en
. ipn nor ta r a ylat fo tcL ue efo g o r-mitmoo r
a 4.ait go m
e aita r, i o
g v
noo eI ems e e
i di v asil ta sr teca e
r a
c taet vr nle fer u
g gtsh r eg H
ta tur oe
. usueietu p tapte ur s
e c c. e a u e s r
of m e s pd ofe ;. v ef ops r
u p ; t aip o s nr f s
colo nr o
O food oaFd po O upsso L
aapeicmre epoc S
s s s s s s f
nn e nn re nn e a
r r
u woo wou wou i
i i d.
ot d ot d ot e
d a e d a e e
d ar r
r h p h pro t
e c l
tue.
tue c u
o h pr S O r.
SOP SOP ecn 1
e 3
re 6
fe 1
2 n
R 6
6 ito e
n n
c u
it io e
o s
s I
c t
b s
c e
e u
S S
S m
0 1
2 te 7
7 7
I 1
1 1
3$e5b3 g
mIV
3 w
5 TASLE 1 (Continued) ku OP.RATi
.-R.RC. R.Vi yOR T. AP g
- -.,,,Appen g
hem leeue Reference leeuefScope Human Factere AspectMuman Portennonce Inous Human FactoreMumen Portenmence leeue Addressed by APOOO Doolgn 173 Subsecuan 6.3.2 Shusdown inadvertent Draining of Reactor Vessel Procedures are en Procedure development is e COL spptcent responetely (SSAR 13.5 and 18.9.8). As OpereHons -
Important aspect of shutdown operatons. Approprtene HFE descraped in Subsection 5.4.7 of me SSAR, ce AP900 RNS has been designed with Procedures in the CR and at LCSs that can assist in the features that address Generic Letter 88-17 regardng mid-loop operations. These inglemente#on of such r-_-
^ :: should eleo be features prevent inadvertent lowering of RV vessel level below that necessary to canaldered. Adelionedy, the eHec9ve Irdegranon of me maintain ellecGwe decay heet removel.
vertous HSes wilh the procedures is important. Clear procedural coverage should amteln adequate guldence for The operoNoned r-_-
'- ; wHI rely upon RCS instrumentellon to provide sullicient j
lowering RV level when operoung in the RHR coonng indcatons and eierms to determine the status et any time. The instrumentation is hated mode. Also, there should be preceu8ons against beloec j
Inadverteney draining the RV or draining the RV vie mumple pomweys et the same time. An exemple of Het Leg Level Onetnenentegen - The AP900 RCS amlens level instrumentenon in inadvertent draining is having the RHR isolellon valves each hot leg with Indcation in me MCR via en appropetato deploy. In addleon, the wide-(from the pranary) open at the some smo es omer RHR range pressurtzer level Instrumentation used during cold plant operadons is evenable to volves, which can drain water from the RHR system.
measure to the bottom of the hot legs. There is congnuous level Indcation in the MCR (LERs 50-265/87 010,50-341/87438, and 50-382/98415).
from the normallevelin the
. % to the range of me two nanow-range hot leg r_
m levelinstrumentation. Alarme are provided to alert me operator when the RCS hot tog Cd levelis approecNng a loor level. The toolston valves in me une used to drain the RCS close on a low RCS levet during shutdown operellons. Operations required during mid-loop are performed by me operator in the MCR. The loved monitortng and control seetures signateener improve the recebany of the AP900 during mid-loop operadons.
9 Reactor Wessel Outlet Temperature - RCS hot log wide-range temperature instruments een provided in each hot leg. The orientation of me wide-range thermowell-mounted reelstance temperature detectors enable measurement of the reactor coolant Ruid in the het tog when in reduced inventory condillons In addthon, et toest two incore mem-w=f e channe's are svedeble to moneure the core exit terryerature during d
i midoop RHR operellon. These two thermocouple charmels are associated with seperate elecateel divletons.
i 174 SubescWon 6.3.3 Shutdown Reduced Inventory Operemons Procedures are en Procedure development is a COL sppecent responetely (SSAR 13.5 and 18.9.8).
i Operations -
importare espect of shutdown opere90ns. Appropriate HFE SSAR thar*an 5.4.7.2.1 provides a descripilon of the AP600 design features that Procedures h the CR and at LCSs het can seeist in the have been incorporated to address mid-loop and reduced Inventory operations. See the implementemon of such procedures snound eino be responses to noms 73 and 172 for more informenon j
considered. m c,, the eneceve irsegranon of the vertous HSts with the procedures is important. A particular esos needing deer pmudurst coverage is Estebashing and malensining midhop (in PWRs) or other reduced inventory operamons.
l
w t
t 3
9 5
TABLE 1 (Condnued) f ku OP.Rc exP.R
g Item Iseue Rogerence leeustScope Human Factere Aspect 40umen Portennonce teous Human FacterefHuman Portennonce teous Addreened try AreOS Design I
175 Subsecten 6.3.4 Shutdown Tenoorary RCS Boundarios Procedures are an important Procedure development is a COL oppecent responstiaRy (SSAR 13.5 and 18.9.8). See f
Operations -
espect of shutdown operemons Appropetete HFE in the CR me response to RAI 440.55 and items 73,172 and 174.
l i
Procedures and at LCSs that can assist in the implementation of such procedures should also be considered Adtstione8y, the The fotowing AP900 design features reduce the rteks associated with temporary RCS eNocuve integretton of the various HSIs with me r--
bounderlos.
is important Clear procedures coverage is needed in the use of terrporary RCS boundaries such as freeze seals.
SG nonce dams - the AP900 SG nozzle dams are classNied as AP800 Equipment nozzle dems, and thimble tube seals. Including contingsmcy Cines C so that the design, manufacture. InsteRetion, and inspecWon of this 6
plans in case of lailure.
boundary (when insteRed) is controted by the osowing requirements 10 CFR 21;
[
s 10 CFR 50. Appendhr B. Regulatory Gule 1.26 Quauty Group C; and ASME t
BoNor and Pressure Vesses Code, Sec#on Ill. Cines 3. In addition, this pressure boundary is classined as Scismic Category I so that R is protected from leilure fonowing a eslo shutdown earthquake tSSE).
Elimination of terrporary plugs for nuclear instrumentation - The AP600 does not g
cortain bottom mounted instrumenention that requires temporary plugging during shutdown and refueung The AP900 uGBros a thied incore system.
Current piants remove the encore detectore from above the encore housings twough the floor of me refueung cavay. During refusung operagons, these holes
[
i are plugged to tocainte nooding of the refusang cavay. The AP900 hos eNmmated these temporary plugs by designing the escore instrumenianon to be inseriod from beeow the socore housings Reduced reNance on freeze seeis - the AP900 has reduced the potential
{
appNcations for freeze seats by reducing the nunter of lines that connect to the
[
RCS and by providing the abety to perform operabENy tests on many velves that connect to the reactor cooient pressure boondary. This Irrgnoved IST reduces the cc...._ for disassember of reecsor cooient pressure boundary vesves to test
[
meir operabnity. The use of freeze seeis during a forced outogo wig typicag occur y
in cott shutdown (Mode 5), when the PXS is required to be aveamble
?
176 Subsection 8.3.5 Shutdown LOCAs Durina Shutdoum Procedures are an important Procedure development is a COL appucent responstulty (SSAR 13.5 and 18.9 8). The I
Operemons -
espect of shutdown operemons. Appmpriate HFE in the CR shutdoum PRA has addressed the stak of LOCA during shutdown. SSAR Procedures and at LCSs that con assist in me implementaton of such Subeection 5.4.7.2.2 provides a description of the AP900 design features that have been j
procedures should sino be canaldered. Addmonesy, the incorpormed to address inter-system LOCA. See me responses to nome 73 and 172 for i
eNecove integranon of the vertous HSis wth me procedures more informatort is irrportant. A perucular area neetIng clear procedural i
coverego is: LOCAs during shutdown, hcluding intersystem LOCAs and operator-Induced LOCAs. (Also see item under Subsecdon 8.5.3.)
[
l
.e 4+
-t, -
--.--aw e-e 4.-
e m-e-c.. -
m w
ew---+
-s---
--w---err-1.-+
n
--e?
w 1.-
I u
?
TASLE 1 (Condnued) 4c OPeRATmG axPeR==CE Revew EOR THe AP 9r S
Iseuse Addressed By NUREG 8711 Appenen 5 hem Iseue Reference Iseuerscope Human Factere AspecWHuman Portennonce Iseue Human FeetorefHuman Portonnance leeue Addressed try AP900 Design g
177 subsecean 6.3.6 Shutdown Boron Deuton Accklonts Procedures are an important Procedwo development is a COL apptcent responetsluty (SSAR 13.5 and 18.9.8). Such Operations -
espect of shutdown operemons. Appropnote HFE in the CR e econnelo has been reand for current plerts. FoRowhg an SGTR ovent, the Procedures and at LCSs that con assist en he irglementagon of such operators are instructed that N they must restart he RCPs, moy must start the RCPs in l
procedures should also be considered. Adtglionagy, the a loop cher then the teufted SG. This also appRos to me AP900 and is included in the ellective integration of me various HSIs weih the procedures AP800 ERGS in me guidenne used for recovering from en SGTR event. Such a is important Clear procedural coverage is needed during precouson may aino be used in recovery procedures where startup of an RCP is l
rapid boren dBution acckleres, such es the startup of an required logowing long-term opere90n wim a stagners RCS toop that may be et a RCP in an idle loop that has a signlRcendy lower boren signdicantly lower bon,ri corweration concentroNon men the reactor.
178 Subsection 6.3.7 Shutdown Conleinment Intoortiv Durtne Shutdoom Procedures are en Procedure development is a COL appecent responseselty, however the AP900 TSs Operations -
impostant aspect of shutdown operemons Appropriate HFE (Section 16.1 Sul;section 3.8) expedey deline which modes of operation and under Procedt.m in the CR and at LCSs that con essist in the which specNic conditions containment integrity is required The "Beses" section of eam m_.m of sudu--
^ - should also be of the 3.6 TSs discusses the resonale for the ;, _a vnd inosudes consideration of considered Additionesy, me effective integration of the the fotowing aspects of plant design and operellon for the bases:
verlous HSts with the procedures is irgortant. Clear Avatable time for miugeeve scilons (including sme required for sucn actions) procedural coverage is needed for control of containment Integrey dwing shutdown, inesuding expedieous closure of smugeting feelures avanabia Potoneel and severity of potential accidents bened on inluel conditions open hatches and penetrations on a loss of RHR.
179 Subesceon 6.3.8 Shutdown Fire Protection Procedures are enirgortant espect of Procedwe development is a COL appecent responodsulty (SSAR 13.5 and 18.9.8).
Operations -
shutdown operations. Appropriate HFE in the CR and at Procedwes LCSs that can assist in the M.
Efv.. of such The Fire Protocean System is desertsed in SSAR Subsecdon 9.5.1 and a fire protection procedures should also be considered. Additionsey, me snelysis is provided in SSAst Secilon 9A.
effeceve integration of he various HSie with the procedures is important. Clear,m-
^ 1 coverage is needed for fire protection during shutdowrt 180 Subsecuan 6.3.9 Shutdown Spent Fuel Pool CooEng Procedures are en irgortere Procedure development is a COL appecent responsesluty (SSAR 13.5 and 18.9.8). The Operations -
espect of shutdown operegons. Appropriate HFE in the CR AP900 spent fuel pool coonng system is not required to operate to miugate design basis Procedures and at LCSs that con seeist in me irglementomon of such events. In the event me spent fust pool coonng system is unevesable, the spent fuel procedures should also be considered. Additionspy, he cooRng is provided by the heat cepedly of the water in the pool. Connections to the enecuve ireogrouan of the verlous HSie wNh the procedwee spent fut pool are made at an eleve90n to produde me possibWty of inadvertenPy is important. Cieer procedural coverage is needed for loss draining me water in the pool to an unacceptable levet of spent fust cooung.
Further eigstenseons of the spent fuel pool coonng system during strormal operations een be found in SSAR Subseccon 9.1.3A.3 and accompanying subsecuans. Pergnent selety evalue90n informagon for the sport fuel pool cooNng system con be found In
%mantenn 9.1.3.5.
4 B
b ro TABLE 1 (Conenued) 1 M
OPERATW8G EXPEIWENCE REVIEW FOR THE APese leeues Addressed By NUREG 0711 Appenden B h
nem Iseue Reference leeuerscope l Human Factere AspectfHuman Perfonnance Inous Human Factorettumen Porteneance leeue Addressed Ipy Apese Design tot Subsecnon s.4.1 Shutdown
- .--__ _ _ Measurements of RCS Level Many current The AP600 has incorporated independent hot log levelInstruments in each hot leg.
Operations -
piants do not conteen permaneney-inslosed instrumentonon These are pennenenny instamed and are rep =No of measuring mid4oop condmons at inst'umsntation to monitor the plants safety status during shutdown.. For shutdown. Their range overteps with the coldi:albrated wide range pressurtzer level new plants, instrumentation that appropriately supports instrumentellon to anon for continuous measurement of RCS water levet during the shutdown operations should be conaldered for hetensson, treneWon to reduced irwentory operogons. SSAR Std section 5.4.7.2.1 provides e i
for exempts: Two independert measures of RCS level, description of the AP000 design features met have been L _-_, -. _2 to address mid-1 Including permanent instrumentation capable of measuring loop and reduced Inventory operspons inclutSng the hot leg level Instruments. See the
. j mid-loop condmons occurately There should be adequate responses to items 73 and 172 for more Irdormation.
overtep between the RCS level instrument ranges to ensure congdete cmverage et eA levels ar d to enow congstoon between Instruments as level changes ranges.
Plants should avoid dependency on temporary, tygon tubing type level Indicators, whidt have caused many pretsoms in the past. Addmonomy, one should consider the potentialinaccurselos of mid400p levelincBeators that occur o>
when one tog is vented to atmosphere and a saght 0) preneurtretion of eie RCS occurs. Instances have also occurred where the RCS was under slight vacuum, resumng in level..
_ _- ;inaccurecies. Addmona#y there should be evenetse dispears endfor eierms ce water level information in the refueling eres while the reactor vessel heed is removed.
182 Subsecuon 6.4.2 Shutdown a Measurements of T_ _
- Many current The design of the AP900 has considered shutdown modes extensively as documented Operations -
plants do not contain -p.u,;;y4tetened instrumentation in the vertous licensing submittets. 1) passive selety systems that are designed to Instrumentation to monitor the planrs selety status during shutdown. For mitigste accidents dunng shutdown modes (SSAR Secolon 6.3). 2) TS that apply to the new piants, instrumentoaan that appropriately supports possive sesely systems during shuidown modes (SSAR Chapter 16),3) ERGS I
shutdown operemons should be conaldered for instensson.
(Reference 2) for shutdown modos,4) quenunceuon of the risk of core damage et for exengde.: Two independent measurements of core exit shutdown (AP900 shutdown PRA),5) evolueton of decipvbesisMusting events during temperature.
shutdoom modes (AP900 Shutdown Evoluogon Report - 6/96). Instrumentation hos i
been designed to
,.__, cover og modes of operseon including shutdown. RCS l
loep instrumerenton and core exit thermocouples provide Indepsndent measurement of reactor coolert terryerature during shutdown operations including mid-loop and reduced inveneory opermeons.
~
- - - - - - _ - ~ ~. ~
~-.
i t
i M
9 TASI.E 1 (Cendnued) 1
- 1 OPERATW80 EXPERIENCE REVIEW FOR THE ape 00 f
k_.
imeuse Aesmesed my nuREa em A,,enes a stem issue Reserence issuefscope Human Facters AspectMuman Performance leeue Human FactereMumen Portonnance Inous Addmoned try AP900 Design g
183 Subsection 6.4.3 Shutdown Monitortna RHR Svelem Performance Many cunert pieres The AP600 RNS has no selety.related funcilons during shutdown cootng sucopt l
operations -
do not contain permanercy-instoned instrumentation to maintenance of the reactor cocient pressure boundary and certainment teoleton N e Instrumentation monitor the planrs safety status during shutdown. For now design bests event occurs.
r piants, instrumentenon that appropriately supports r
shutdown operanons should be ceneidered for insannation.
The RNS contains pe,nenently insteSed instrumentation to monitor systerr. performance i
for exemple: Capability of congnuously monitoring RHR es desertied in SSAR Subsection 5.4.7.7. System paramotors and storms necessary for system pedormance, IndutSng adequale eierm capablety system geration are monllored h the MCR hclutsng the loHowing-for out of specmcation temperatures, pressures, and news.
RHR purry flour, RHR HX inlet and cumet tenporatures; and.
RHR pump dlemerge pressum I
in addluon, the RCS cantains inerrumentation to control and monitor the operations of me RNS. These include the following.
I RCS wide range preswre 03
- J RCS hot tog level Instrumentellon is eleo provided to enable mid4aap operations to be performed from the f
MCR.
7 I
184 Subsecuan 6.4.4 Shutdown Instrument Rennes and Accuracy Many current plants do The design of me AP600 has considered shutdown modes L Z, es documented Operations -
not contain perrnenenpy-instened instrumentation to monitor in the various Econsing submitteis, 1) pesolve safety systems met are designed to Instrumentation the planrs safety status during shutdown. For new plants, mlugate accidents during shutdown modes (SSAR Section 6.3),2) technicet
[
instrumentation that appropriately supports shutdown speclNcedons that apply to the possive selety systems dustreg shutdown modes (SSAR operations should be considered por inetsenWon, for Chapter 16), 3) ERGS for shutdown modes,4) quenenesson of the risk of core damage example: Instrumenteuon cordaining appropriate ranges et shutdown (AP900 shutdown PRA),5) ovaluenon of design beeis insegno events and accuracy to monitor shutdoum conditions as wee es during shutdown modes (AP900 Shutdown Evolueton Reiport - 6/96). Instrumentation power operetng condmons.
has been designed to appropriately cover as modes of opereton Irdme g shutdown.
n 1es Sub=eeson 6.4.5 Shutdown owe =e-t Shutdown Annuncistors Many cunent plants do The design of me AP900 Alarm System includes alarms specmc to the special f
opereuons -
not contain permanenny-ir-e=d inewumentomon to monnor condsons that artes during shutdown condmons The sienn trigger logies include l
Instrumentation the planre selety status during shutdoum. For now plants, dennng plant condmons under which the alarm =npean Apper w. trend displays wit instrumernemon met appropriately supports shutdown be used aning shutdown condsons, including reactor vessel level or equivalent. The l
opereHons should be considemd for insteHmWon, for M-MIS Mctudes trend displays as part of the Piant Informaton system espinys met are Use of d-ar a-s hutdown ennuncistors for avanoble to the operator through his worksteWon. Also, the WPIS wiE display signmcent exemple:
s er=cw hemordous conomons that arise during shutdown irands for each plant operoung mode or signecert plant state, including the shutdown (e.g., resueang covny low 4ever alenn). Aino consider the modes.
une of trend displays during shutdan, such as RV level 186 Subsection 6.5.1 Shutdown Contelnment Eeulomont Heim An equipmert upgrade that The equipmert hatch we be maintained closed for operemon modes requiring operations -
would improve shutdown seesty is A containment corneinment integrey or the capabeny of rapid closure um be incorporated into the Equipment equipment hatch design tiet agows for emph closure design of me maintenance hatches. Open Rom _ _ is assigned to fonow the resoluson by operators when nr1ded during a shutdown abnormal of this hem. Other contelnment penetragons including containmeri purge and personnel event. Simmer provisions should be made for omer eartocks provide the abaty for rapid closure independent or nonostety.reisted sipport I
conseinment penetrolions that may be open during services including oc power.
shutdown evoludons.
{
i p
?
TAeLE 1 (Consnued) k i
1 m
o,ERAn Ex,-
cE REVIEW poR T E A Iseuse Astierosood By NUREG 8711 Appendha B hem Iseue Reference IssuetSeepe Human Factere AspecWHuman Portennonce leeue Human FettereStumen Portennonce leeue Ashiressed try AP908 Doolen 187 Subsecten 6.5.2 Shutdown Fuer Hanenn Equipment An equipmert upgrade met The AP900 fuel haneng equipment design les incxwporated Indu;try operating data and j
operations -
would improve shutdown sesslyis: % proved human eqpedence to develop a desip that wM improve shutdoun selety. The use of the Equipment enginsedng of fuel honeng equipment LVJ... J operaung emportance ts Intended to etminato any poor design foetures that were present equipment, in the post, hee led to fust essently drops and in provera designs in addman, several of the leading fust hanSng equipment design
?
damage. This equipment should also be addressed by the and maintenance organizamons are involved with the design and review of the AP900 HFE program.
fust hondung equipmert To sneurs that operating plants have the abluty to provide their trput into me AP900 fuel henang equipment designs, many of the uel fianding equipment design documeras have been reviewed and commersed on by personner at operaung plants. Reser to SSAR Section 9.1 tor a descrtpeon of fuel storage and
[
honeng 188 Subsection 6.5.3 Shutdown Overpreseudaemon An equipment upgrade that would The motor operated velves in the RNS wNch are connected to the RCS hot leg are Operations -
improve shutdown selety is: Use velve intertocks to interlocked to prevent mem from opening when RCS pressure enceeds 450 psig. These Equipment proverd %
Z. of low pressure piping and wolves are also interlocked to prevent opening unises the leciation volve from the tRWST l
components (LER 50-341/86445).
to the RHR pump suction header is cloeod. SSAR Subsection 7.6.1 descrees this I
05 i
03 SSAR S@eecuon 5.4.7.1.2.5 describes how the RMS provides a low temperature overpressure protocean funcuon for the RCS during refustng, starte and shutdown operations. The system is desiped to Emit the RCS pressure unhin the Ilmits specNied in 10 CFR 50 Appendla G.
The AP900 has also addressed this issue in the ISLOCA report (WCAP-14425).
l 18e Subseemon s.5.4 Shutdown ama Power Sources An equipment upgrade that would AC electrical power is not needed to maintain a piare sete shutdown condilion for the operations -
improve shutdown salsty is: Appropriate use of backup AP900. Allhough the diesel generators are not required, genersty, N offsite power is t
Equipment onsit3 power sources, such as emergency diesel toet, moy wiu be available and will automatically stort and sequence loeds that will generators, and portable power units.
enhance me selety of the pient during shutdown condmons.
t90 Secean e.s Shutdown Communications Betwoon MCR and Plant An important The plant cwrununication system conelets of me ollowing systems wireless r
operanons -
espect et mnenteening normat shutdown conditions is communics' ion system, telephone 5ege system, PABX, soundpowered system, Communiceuona edequate communicamons between the MCR and the rest emergency response factly commuruceeons, and escurty communicadon system. The os me piant. This Induces areas where me sonowing wireless seisphone system is me primary means of ecmmuniceman for pient operemons 6
activeues may take piece: maintenance, teeung, local and maintenance personnet. The wereises system consists of wireless ben cap portable operations, and monitoring activides Ellective handsets, hands-free type portable headsets, a comprehensive ardenne system, and a communiceuons are also very importers during any wireless telephone swledt The telephone %:ege, PABX Issophone, and soundpowered abnormat events met occur during me shutdown portocL communiceuon systems are for general plant communicatons and serve as backup to When designing plant commurdcations systems, care the wireises system. These systems are desired for seiscWwe communiceuon between shoukt be taken to consider shu8down operatons.
the MCR and the rest of the plant during mE modes of opereuon, including shutdown.
The communicsWons system is descrbed in SSAR SubsecWon 9.5.2.
i 1
l
i References To Table 1, Operating Experience Review for the AP600 Design
- 1. " Programmatic Level Description of the AP600 Human Factors Verification and Validation Plan," (draft dated 4/13/95), WCAP-14401 (Non-Proprietary)
- 2. AP600 Document No. OCS TS-001, "AP600 Man-in-The-Loop Test Plan Description,"
Rev. B, WCAP-14395 (Proprietary), WCAP-14396 (Non Proprietary) l
- 3. WCAP 14644, "AP600 Functional Requirements Analysis and Function Allocation."
- 4. Electric Power Research Institute, " Advanced Light Water Reactor Utility Requirements Document," Chapter 3, Revisions 5 and 6, issued 12/93 l
l
- 5. AP600 Standard Safety Analysis Report l
l
- 6. WCAP-14115, Rev. O, " Review of Nuclear Plant Operating Experience and the Application to the AP600 Design," July 1994
- 7. WCAP 14114 l
l l
l l
1 i
m:\\2927w.wpt:1b/051396 69
L; 4
3l rt r
p j![j!I 1[
((![t[
I!
I R
g iwn
- o w
eg i
oug&.
g or t
t s n
- 2. a n
ani y
ai n
f ei ud
- 8. l ms W on o i nt e n
p u
nnC o
r 8 s t
)
oab G
df l
o saa 1 i m s p m.
it t ei N
d u
o i
e n
Ane ei
.e.n pf r c
O oU
.o lans
- m H h
I r gp t
s uWS pm m h md oe C
tD oiy t
s s
ys s
c t
e y
a A
eV ae t
u r dis bc e
gs R
s e e
e u f, mSet o
bl peh a i a, T
up e
t v
ns i s
n S
Sm ob t l
n r a r
sm laoyo
(
n eg i st on a E
u eEia ci ee Atac e dl f
Rm h wt ns l
s 3n P U
A t
n ae cbh emn mD u otihr a n 9an S
Se oso r
r o
h t yc opwt omp dn o S
St f
u I
t a r0 s
e nos n o nf nl o o0 eeedI e
aia N
pt io e
t f
t t r0 r h c ut ur s) si2 an G
dn ed r
nlad, Ugme.
t nl na eP PA la oac r e I
1 S
eo r
bs pe 8 et tsiPne se u E ie l
s8 s ne vri al mInl s D cn 6
ue1 m m
t e r
ah etoss e t,l b
ps e
e si 6
wh Rt smhaT mt saa a
e emi T
N, c i s E ed r
i H do m
uy f r r
n As m.Ss 4 b oeet s
o 1 unh T s o e
y oiymie pd 4
s e s t
t vsecS e og a /c i
t e e s O
,n o
ya(d ed s yS t
t l
s s s r e ieobt n be s
r u s t
l e
os ee T so Spst s h p s yfu.
arDr N s6 e
t s nt S
,S s sa T
c e ot d e S I d eo s
niem I
ar aP oI l
d cr n
odc crle n s )y c C MSa E ou o
ngroo Fd t
d Sa a, h i s eH U
e I
ei r g p
t a npu n
e p#
aA M o s T p yh sMe W S n
e w
mi a
s r
u Mere dpd p0 t 2, S
n o n isht n
h go r,
ot m
t a r
o0 r
igo I
c r
f i nn s6 S
is 1
nnsf yl oa eP o8 I
d h e
inMDo f
H 0 hareo it e e oen H
t r
0eevt rAn8 TM I
lb t
t S
6 olb o n a )s I n io1 S
At orec sy hatuR T E Fs. T lamSm T
Pou cot el a
s a
ecA U T Hee PeHr k la t r r c I
k ve P S ed a e es o
t r
t r
df op e E X er t o
s e e xS Y
hdp e h yef h onn T w o a (s w i(d SsES N S Tas S TSt i RE h n E
I H F C
)
)
)
)
W N
)
)
3 4
5 6
1 2
SE I
E R IGE a
d O P e
n 2
L X d
it t
e a,
m n
r a
ht t
E O E o
s ey a en.
in c e le a
d d
o er L
NR b
t, m
islp r t mo t u r
t r a et B HA onra lb e s ein o
e et a o le d u r
A CE phs ee f
o di h m m
/c a
t e N
o T
EL lteWodr d
woo e r
h TC r
ep e
t t
r a
nt U
n l d nb h pn noa fg an it
. gt ha w
,f u
p i
s l
n SN g
d i e t
g onl i
t i
H R h ui n
in i
ei i r
O s
et oo t
e
- caa xf s
ki D N s n pf e o gs d am c it t e o n
pd E
D lo i
imW o
eit:
e u ns e n:
ce TR 0
tr r t er s Mx luuc o
a w.
m is AO 0
n op t
e n ou e a h pd w
c d
pamt a c
sae It it L
9 o
r e
E E P
C esir x
pa c f
t l
r o
o t
r t
r sv n
. ac L
A a ue e ofo sie h
f R
f s
qph ss oso n i
sh e T
mwp T
e o
r t U
h S on eot dh eseg ot afoc o w
t x
et p
i n e ie t
c e t
t r
d s
a wahn ha es o
h r
si v
yd s i
t t
it e s h )td e
ph a u e
s ea r
r w
pt ckn mio ot r
o on ur a p
en dpm t
v d
t r,e s o lm nM h I e a o
s t
c t
e u
e
,w v(
e f
t t a
n o wr au T.i a
a ik c
ep e
i la t
r p n.
n r
e mde a sutod dm
- a g
i P
luat n
n yed lp ie pe sc n
odp ue r
s m gtagu db epc ea e
uio t
t t
p H
t t n
A s
s o
o ld b ae dp g
ayn insmin e
s r
s r
n f h o ep oy e
F al eay gu ic d
owd id i
t f
x sh lt no we el e
d a
i m lon u
t n
t s u ih d
n cp ov a
e a o simii n
ct v s ey t
r iai u ns r r a
r apn ad pfo tnl y e
d pl em he pl i
o ph l
e u oetsdm r
sa d f
r E
r s iU o e c x t
f e
f o
w t
oy c
r t
ser oh oi e, d F
u a n u
p y
i f dn gD e
r r
H d
t et e i cg n scoadb g d
se a i n-oin c
cd d gV nn o
af mtaer a
at n
ne e sda r
t n
i s
ie ae i
t C go vt s y l.
t sr d e r e a d lp r b r i e t
t ao s
in slemiv r
r o
et r
o u e ivm pk pad ol r h b o s o p pt p q p o u w
n ie uirot n c s
s uh n t
uoe mio dc Imep Pm Ima Swu r
Dwpacr r a t
I v
r e
)
)
)
t
)
)
)
4 s
6 n
I 1
2 3
etc n n e em r
e u 1
f c 2
eo RD fe R
3 w4 {
.I aO
O gil
. h Srt en I
n r nit HFe bo o
t w
r oe
.m otu n
t d
ef ns e
u et d sol h
b a
1 ch s n epro t
1 ot cf sg uc t
imt o7 dnio e n r
m t
dv o x
- s f 0 ossit ni ee cc i
le e n G e s r 's d t s
bd e
la nr ee t t Eietcai r
e eumht.
P Rle n u
spat nUdgrahgu ;y
+
en i ac
)
s d i s a*t oNuis ue
~
s geh I
(f er u i
sh t
dc n
eg n ohoo af yw t
onI c s t
t ci last ad n
no Pune e e 7 gS i emubs egr a.s nsl pc mt i m.
i k
sHasde ne s ed oio oo e edenI su sl o
a et e*l lpmEmd I.slc y
r.
it r
meFodSri t h nnn l
en w
f e
nt ooo r
I EHt nHd o c
ee sti e
sa d
PA mlvsa a hf s
o ne eal l
t t
eoahs angv a
ne i nie lpsut k sa
,l i
ah t
eisedcbn ed pr mi r
o oio e a
mrMcw lc cngr e n
0 3
del d
l e
l uirt ucpelp 2
uy t
i M,
sw nidn r
gwnoO n
e.
is)i cR i2.h c eoeos e
e n n r.
e o slor sg 1
9 r i oe e 2.le nS d c. h o e e
d d t t l
c.
D 8.ituah 8
po 8 soi f
t v
cD v
v v
7 7
a a it e t
a.e I 8l esoMf o
o o
3 s
r oyI S1 1
F.
Hn mt t
sg p aS b
b b
9 7 7 st nl a
a a
n n
k a
.gpH m m m neit aA ein ols od
)
)
)
r or d a
,i ssie 1
1 1
e e le t d uh m
htcawo cdl
.edhs t
t t
t eacndsd d T w e e
e I
I l
u e
r s
s s
H fos
.tnnt st e
1 1
1 n
n n
i, e nen.i nu dreo be b
poh at v o
o o
le le le umSl ne p
p p b b
b c
S I
oi t S
0S ar t
ser s
s s
T 9
uft nHennveiemn e e
e a a a S
uR uco Rg cat e s Aih evduuig r
r r
T T T r
I s cdnet cs e e
e e e e EX exSf he Se a os oe e e
e e e e a
RE ESs(oTh SDeicufedd S S
S S S S s
E t
H E C
)
)
)
)
)
)
)
)
W N 7
1 2
3 4
5 6
7 SE
).
E R I
e I
u GE e
n OP m
gn t
L X g
i n O E n
i M
n v
l g
d oC NR
- s a lo r
n o
u
. A eo r
(
t f
2 CE ut, ns o
s EL qdeon i
s, E
TC s eta u
m ie.
co o
L U
n o mr y r
ul a I
B S
g at c uo is t o sc
(
H. N A
r oi ete it sc O
e eua T
r s
o et le a k
e N
pcn n n u
m s
s E
o oci a e ut n
a TR adt r
AO ae nl e tc c s
o t
)
u n y a a a
t n
r a E E
- e md i
t o
h d
o r
i L
ki s
ot lswcst u
n n
g t
R L A
i a
d c a o) o a
o sh s T
r e
in c
u e
t r t la s n
igr ao la ig r
t T
m no o uU i
t f
t a loa vt IL ot tf t
5 u m
n craodD he cb t e eMV r
o rc cg a
o c
fopr r
ur e
n c
s oe dm i o a "n
.o r
- e n d
n de wio A
t a
f t
tow fo m a ef m a e s
r s
n s sl tud d
it eh e
,c a anin ut pt o
r r
b a n
s, t
r as p
h a e e s t
r sc iolu e F
r e
t f
s r
y t
m eepmp d
ete d
oa la n u a t b A
s o d lp e gn ly
- g m
p e s
e iu m a la n n r
s c
is isk f
r e
e r
o en o q
s.
e e e e u
og o e o d t r a
epme a
n r
tc r
s k v p h e
arhef L
hg iv cit o
lp r
r g
r y
, u o
i ac f
t n
e r c clb s
f f i
a s u oe n foe a s h
o b a t
o E
chor c t
s r
c pe o
t r
is le h
k udl i s
rh do o
s onap s e t
- n et o
d a
t e gn o
et lo r
f
/
g at atie L
fgw b
nm ine t
f n c e o n t
t h
u ye t
g f
y u
g a lo o,
a la e
lo t
hi la p i iv et r
v n
g r es os p
m k
t ftnn t
nuup n
f i a o
=
u o i h S
A'_ eq is o i N ola o) e n a Cvmbt C
Lt h
D C L tf
)
o
)
)
)
)
)
)
)
1 2
3 4
5 6
7 7
S etc n n e em r
u e.
2 feo 2
Ro feR 3$!?
d 3
09 1
d e
n u
a s
0 o
0 0
l n
9 1
eg 1
ci h
n s d
g e e n
u a
o mD r
o0 0,
ht
- 0 50 0
fr6 1
6 eP 1
9 PA 5
d h
75 7
n g
5 ne u
. 7 1
eh d
a, o
7 4,
d 0 1
r 5
2 n
n 7
mt a
7 6
d h
d.
7, 7
4 ht 6
7 a
uy d
8 d
b 4
r 4
M 7
n 8
6 n
g n
a 8
7 9,
ed a 6 a u a
8 r
6, 6
, 5 o
r e 8,
9 d
8 6
4, h
6 6,
6, os 6
6 6
n 6
t s 6,
6 a
, G Fd 6
6 5,
6 6
3.
7 4,
6 t
ce 6
3, ar 6
6 6 6 6 6
6 2 5
6 5
d s
s s
s s s s
s naA m m m m m m m m m m m e e e e e e e e e e e m
l' I
I I
I I
I It It It I
t t
t t
t t
t u
1 1
1 1
1 1
1 1
1 1
1 H
le le le le e e le le le le e
S b
b b
b lb lb b
b b
b lb T
a a a a a a a a a a a S
T T T T T T T T T T T I
EX e e e e e e e e e e e RE e e e e e e e e e e e E
S S S S S S S S S S S H E C
WN
)
)
)
)
)
)
)
)
)
)
)
1 2
3 1
2 3
4 5
6 7
B SE
)d E R I
e I
u GE n O P s
r it L X o
R n O E tc C
NR a
C o
F d
HA
(
e 2
CE n
c a
EL n
E TC m
a la L
u v
U n
H d
b I
B SN r
A e
T O
ly
(
A H v
s y
f e
o D N s
E D
m e
s e
TR 0
A lo n
AO 0
r R
e L
6 I
~
(
r E E P
e y
a T
r s
a L
t r
w R
A in i
T e
i w
d :
n u
L h
A ):
n )w itaita I
d y o n t
o o
nla e
I p
e-~.
t ap n
u e
s d
i i.
it c r r i
gi l
a A i si lb nD n
i g ot f
a d
n w
c r
m e r i n,
y df ic iae w
it v
r o
r ne od lp c
Trv e
e aP
- no
.i p
r r
a e c n o A
la v i c ve law er v
f r
s aO o d e
ar oe r
e Np s o NC d
s e r
t u
u s o d e
s s
s y
n s
mo e c n m
c e
e it r a n
n r
o r
n
, a o d.
l o
r a n
. d u, e e rG e mn t
n r
p m o v a a
E F
r F
ia o a x
r a
5 o
r it J
a eit w e F
do w a it d
. o a M
a f
H e
a in 4o f
c c
e J.
r n c A f
c f
e ms r
n e
gi o
mE e z
t ao o a.
e ar p ai
~ w in n
n n s
/
s u, o
p d
eo
% s e it lr ei it a
La a mr Lf m
- w t
s d
. a G
r u
o s a e
R. u e nd n e e w e I
t se it w
r s
r it v
r oi S C E ou T C C S S CwS O r
r s
st ss n sa e o
)
)
)
)
)
)
)
)
)
)
)
1 2 3 ee 1
2 3 4
5 6
7 8
LC LF et c n n e em r u f c 3
4 e
eo 2
2 RD f
f e
e R
R o
3$tM g.
Nt i
l 3
TABLE 2 (Continued)
!3 RELATED HS1 TECHNOLOGIES WHERE
{
LITTLE OR NO NUCLEAR EXPERIENCE EXISTS Reference Human Factors / Human Performance leeue g
Document HFE lesues Applicable to the AP600 Design Addressed by the AP600 Design Ret 2.5 Lessons Leamed From Nuclear and Airline Industry (Navigation Through Large Display Networks):
- 1) The large scope of computertzed CR applications necessitates large
- 1) See Table 1, Item 77. 91 and 93. SSAR Subsection 18.8.2 includes display structures involving thousands of displays. Design errors can the implementation Plan for the HSI Design that addresses the criteria result in getting lost in large display networks.
of Element 7 of NUREG-0711. For each HSI,inchding the Plant information System (workstation displays), an HFE design guidelines document is developed that provides guidehnes to the HSI designers on the conventions, symbols, color codmg and dynanic characteristics to be used in the design of the respectve HSI. Issues such as navigation issues will be addressed by the guidelines document. The HSI Design plan also includes concept testing and design reviews.
- 2) Overview displays
- 2) See Table 1, items 66,74 and 93.
y Ref 2.6 Lessons Leamed From the Space Program:
- 1) Information display issues include structures that constitute a display,
- 1) See Table 1, Item 77,91 and 93. SSAR Subsection 18.8.2 includes organization of those structures, and methods of directing the user's the implementation Plan for the HS1 Design that addresses the criteria attention to specific display areas.
of Element 7 of NUREG-0711. For each HSt, including the Plant information System (workstation displays), en HFE design guidelines document is developed that provides guidehnes to the HSI designers on the conventions, symbols, color coding and dynarnic characteristics to be used in the design of the respective HSI. Issues such as navigation issues will be addressed by the guidelines document. The HS1 Design plan also includes concept testing and design reviews.
- 2) Display response time
- 2) See Table 1 Item 93.
- 3) Navigating through displays
- 3) See Table 1 ftem 77,91, and 93. Also, see response 1) above.
- 4) Procedural errors
- 4) See Table 1 Items 50,51,91,105 and 106.
- 5) Errors of confusion occur when one word, funcbon, or wm.s.-J is
- 5) See Table 1 Iteins 55 and 61.
mistaken for another.
- 6) Errors in detection and viuan;.9
- 6) See Table 1 Items 55,66,68,74 and 105.
.m._
.m.
......-m
. _ ~. _.. _..
-._m 3
TABLE 2 (Continued)
!3
.E RELATED HSt TECHNOLOGIES WHERE
{
UTTLE OR NO NUCLEAR EXPERIENCE EXISTS a
Reference Human Factore/ Human Performance leaue g
Document HFE leeves Applicalde to the AP900 Doolgn Addressed by the AP600 Design N
Ref 2.7 Lessons Leamed From Electrical, Gas, and Oil Industries-
- 1) Performance side
- 1) See Table 1 Items 26,69,77,79,80, and 88.
l 1
- 2) Integrated displays
- 2) See Table 1 Items 66,71,74,77,80,88 and 102.
- 3) Unanecipated situasons
- 3) See Table 1 ftems 68 and 70.
- 4)
- Openness
- of work area and shared informa60n
- 4) See Table 1 llems 66,74, and 75.
- 5) Team interac50n
- 5) See Table 1 Items 66,69, and 71.
Nb L
L
O References For Table 2, Related HS1 Technologies Where Little Or No Nuclear Experience Exists 2.1 Roth, E. M., and D. G. Hoecker, AP600 Document Number OCS-J1-005 Revision A,
" Human Factors issues Associated with Soft Controls: Design Goals and Available Guidance," Westinghouse Science & Technology Center, dated 2/1/94.
2.2 Degani, A., E. A. Palmer, and K. G. Bauersfeld, " Soft" Controls for Hard Displays:
Still a Challenge," from the Proceedings of the Human Factors Society 36th Annual l
Meeting - 1992.
2.3 Mumaw, R. J. and E. M. Roth, AP600 Document Number OCS-J1-006 Revision A,
" Human Factors Considerations for the Design of a Group Overview Display (aka Wall Panel Information System)," Westinghouse Proprietary Class 2, June 1994.
2.4 Stubler, W. F., E. M. Roth, and R. J. Mumaw, "The Role of Advanced Control Room Features for Enhancing Crew Performance."
2.5 Roth, E. M., W. F. Stubler, and R. J. Mumaw, " Navigating Through Large Display Networks in Dynamic Control Applications," Presented at the 34th Annual Meeting of the Human Factors Society, October 1990, Orlando, Florida.
l 2.6
" Human Computer Interface Guide -- Space Station Freedom Program Office,"
document number SSP 30504, National Aeronautics and Space Administration, June 1991.
2.7 Roth, E.
M., " Analyzing Decision-Making in Process Control:
Multi-disciplinary Approaches to Understanding and Aiding Human Performance in Complex Tasks,"
Westinghouse Science and Technology (STC) Report, 95-1SW5-CHICH-P1, April 25,1995.
1 l
m:\\2927w.wpf:1bmS1396 75
l
- i ii!!
esoo l
n ee clne a e mD r 0 o0 fr9 eP 1
PA 5
2 7
7 7
ne d
eh d
h 0
5 0
1 n
n g
7 7
7 7
mt a
u a,
d d
d d
uy o
9 n
n n n
6 ib 4
r a a a
6 m
7 h
6, a,
ed t
r e 8,
7 6 8 4,
9, 9,
dn os ar 6
9, 9,
6, 7,
6 6,
6, 6
6 a
t s c e 9
6 8,
8 4
Fd 6
4 4
4 8
6 6
6 0 6 6
7 d
s s
s s
s s
s s
n aA m
m m m m m m m m m e
e e e e e e e o e m
It It I
It It t
I I
t I
t t
t t
t I
u 1
1 1
1 1
1 1
1 1
1 H
e le le le e
e e e
le e
lb b
b b
lb lb b
lb b
lb l
a a a a a a a a a a T
T T T T T T T T T e
e e e e e e e e e e
e e e e e e e e e S
S S S S S S S S S SE
)
)
)
)
)
)
)
)
)
)
U 1
2 3 4 5
1 2
3 4
5 SS I
W y
E m
a I
3 V
m E
t le oo r
f t s
f d
L E
n os e e
B T
ga nh r
t t
u inhs A
N r a ol y d
T d
I pb e
oe t
R nt r a
c ed o
a u
r O
mrsd es o r
e oe pn o pe T
t c oo s b
A dao po led R
e sr r r ep t ed ml yep u
i E
l r
rd o o P
itvoy s
f b
e oe a f c O
in ed ic tyay ey t
d e
gl e n r N r
u c ae l
eu ei N
s ob r g s b nf ws e
ht e
ineo e ie aet s
nv r
o a s gn w
s P
e w
c e
c m n h o o
e d nt e e t t e ie ne P t
l 0 v
)
d iv tum e e n nt e
ep a
e r
v
- e N d
e e
l e o g s
,da r
r n d r
s n
n aa n
c i lo t
uir t
t sse t
o i
i r e e la m
6 llet r
e k
o s
n esr sh i
it o
ss s k
e u e e t
r r
sw u
R o s st m d it u nn o
nr s
eo ip a
w t
t Pau is t
t e s E
a a
d t
(
imG s
r e
e e
g s
P r
s H
p No i
la d
gssu p
da i e
F e
nt n n
s u e t t n ein O
ee k
r nin e m ta ds s a t
O tao c
p ns et d
n nt n i e eb e g
t d
isut n
is ic aeho e e n s i
r e
t t a a in H
mnt p c
m r
t e o H
ia d
n i
m n
nsu t
n r
c e
it r
u s a eof i n e u des y
o r
n r
n e dion d
s sa ts u
d ir o
it t
o n t
n cee f
as i C
ut o s imig e
~
s e
o chi u
C awt re c
c i f; i e s c
s k
e k
t a
o d s
c p
a r
s r f
r o
n
- s dso ; e f
pe r
e n et x
e e e e n s t
es u s
s t
n g ;
vs e i i v
u n
ya ad u
g t
o ai lp it m
o laot
- i i x
b c ;
r r e o o ne n
uec h
u g
m g lo w n h
uee wcvo n imup mr e
ia t
r g
oo o o e g
it s r
it i Ssa C C T in cor n S Cn C C P acp t
ts s
e e
)
)
)
)
)
)
)
)
)
)
1 2 3 4
5 W
W 1
2 3
4 5
et c n n e em re u f c 1
2 eo 3
3 RD f
t e
e R
R E.1:g y
a 3
E
W
$-fr
}911]. lull fyi E
I d
i 11 1,
J ll >))'I!!liI "g;l i
l i
.]
!y!i 9]15 11s1:
l "1 ;
1ye 5
- !$agli,jf;g }. s iti ti t
9 I-
!N s
diill.
ia 1a a
G 7
R E
'5 m
I
!p)]1 111 ja t
1 ei 18
%lli i
Ii g
=11 li 1
3l l lff lI 53 E
i lid D
il
- 1,1, 3 r 5 ];.
i t 1
9 lq
$3 51 1I E
l,
- l ii zi
~=!Ifje;i y
J U81
($
f1 $$ mii I f3$I$}
35 h
7 R
$7 R
R ll a a
E 5
mm27w.wpf:1t#JS1396 T/
e n
i 11 be l
i l]i ill e
j 1 !
"1 a
1 !
8!
i ih
[
[
ii a
m a
a q
?
R 6
T 3 l!
I i
Ilp %t y!
gi l }I!!!n}
lj!! 11hthwlli
$liI i
1 jj!
I jhlill!h {lyl1 l1 ii ti, i
1,1d 11b h III O
R 6
T E p
11
=
m \\2927w.wpf:1bm51396 78
9 I
d S
e d
d Hnts s io eant n
tn v
h e e 1
m m u
t t
a a
1 r
h
. s o7 e e o
c r
plyi f 0i r y
pn n.
aGq q la n
uiu ao ws l
e Ee e h
oG P Rl r
e Lsd S r
t v
O pl nUan y
o a
Cm o e oNng r
f e
i 0i uch it s
l e
n ep af 6 e t
t oc v
eg h
eo cl t laivt n
nd e7 ul o
no f
t a o ogsw mt f a us o n
n d
mD a
yf el e e o
e i cf l
t r xr ym,tmc u
r0 s
o0 At n ee r
t r le i
e n fr9 t
e eP is cn a Et u e
w e
sf b
n s a, d hf ys iw PA o
l oSe l
e t
ne ps0e sa i
6 s u0e eimfic ah e
f r
mt rS Pe 6
der e 8
R a
un eV Ah lc cast n
M v
uil py d C
e t
r i
o Hi ht C t
l eg n
et
/
i h nh a,
ed e
i e
b is0hn
!2. h r e eg 3 h
a 0t l t
os t
- a. P i t
.G nlo 8 sgme 8 t s
)
r l
f 9
0 c e
. Apt 8enu o
ar aA ir n se cd 2
o 0
Fd o
sm on 8
p t
1 1
d et c u
nedda m k
e m
n
.ht or s
r itsy c
e
.Tny d
e al tc d i, T thM It o) n It m
l o
a m2 p
C ).lpc eaI u
1 st S 1
8 s
5 ait baht is H
e 8 e
a
.i e la1 b
b le e3 uh n v l
c e
a r
u1 igm r
n St h es a o
cAo a Aieuh e
lisR m
T dRwt Rgancma T e
u A
l s
cc uS e e
oSl Ser t
S e
e rSoy SDfo ou e (Fb ds S A(
S S
$t SE
)
)
)
)
)
)
0 1
U 6
7 8
9 1
1 S
)d S
I eu W n
t n
n E
e e
iee lp r
vt ine a
t t
it I
o nll ss b
hh n
V n
ai soid s eiol pted dt n.
o t
o R
c a
nr e o t
C E
nhM psmch a a vi g
(
T o
n i u u eai t
dnh d in idget I
3 W
aesh v s it r
t i
ept n e
n d
et E
t t
r d egnu ar o o n
L R
e e ahl ni e lp c
o m nwegeh icen 8 O p pt it ri l
p wya e
A T
o s
r bt au y
T A
pi e z a mtemt le r
f vpi di r
R mt eiuhl ot a e o
i c
a cup c
r t
r E
uhpaal om so e f
r t s r
pt s
e PO gho gwgsahu amtah d
iv p
wures u u
t ct npu yl n
nt c
iihi f
hs pi o
d r
i ea t
e gl r g gugt r
u i
I oDietnntg ot r
e cr n n
fu
- o a a n
s al st nh o
u h a e
uet.n cui e yA w k
c r
t t
la t
l dd euafn ai
.e w
e d
nelyvr e
t c
sic yd n
f lt d
acr e) i e
o al Pnfe udic o
a m qipe t
s wr erDa t
a s
la e
lop wzP htst r
e n
ad ad w
-w r
r t in a n
a ot t nr o e
l R
t a iot (
r n uts e
R o
t Wsl upw mpuom C
v.
e s
a smoho E
AwWseudo s
s e
r F
t t c
eed r
F n
t a
lt i
w
,F r plobs r
i s
H s
nl yoa a lt insAp eP r
got r
o p
n ncauD t
st y h e
nr M
n m
sigi iggsdP ia r sie w
o o
rt in ml lt p
or r e c
t oev h
r r
n at eat o aioce n
icr ae d o
v f
oh u ame d p
le sl r
r t uod h uar mbodr c
r e
t n
ne f
h er dt deph n
up y
w cz cpet n n y p yi a
nodl o
n le t
h n
w iaedOre o
aoan c h.
s na nl t r
o e
f n r o a osnmi r
p vg s
r f
a a
c ut owe on y
t s
cm io et n Rddt n cragci t
ipuio a
loe n
l Ccteeai la eiea A l
ot w
lb h
t n
a e *r pr nr r t
lt icpe e o ig r
e i ol t
R epaimruh p is uf sone i emi hr lar f
ocd t o V Mdst C Tp H rPr e
n
)
)
e)
)
)
)
G6 7
8 9
0 1
1 1
etc n n e em r
e u f c eo RD 5$UMkug q
e
L
[
l
[
[
a 9
d A
e h
I s
st S
e eg Hc=_
d sn t
i n
s e em4 a
- 2. e = _ g tnha n
ica
- 8. d e is o yS e n O
nI.sg L
r 8 dw et d nt lp 1
r i
p a i, d s His C
a mt lae e
I ed x aS Enn e t
e L
t h Flia vM h
i t
u O
ct H He
,5
- 9. p e -W f
ce o
e nh d
s C
sgc niu e
s y
bi i
n e
usa agJ. sh ilt et w
i eg h
S e e ), s ci t
wr y b
Dr se ebs is n s f
a e o
RI o yd r
e n
ASFaioh dd o.
mD ly vl t lpoof eu p
SH r0 e
S 1.sr 1 i o sl s2 e
dp c, n e ic o0 is s n e3 t
fr6
.h 7 t
s r
gr 1
eP n
2tr0 oh b sds hn nal oido e
PA o
ne p
1.
2 oGtt e
t d nEta d. ymd ala io 9
1 f
s 0
st 0
ah e
1 e n ic naRs
,seba 1
mt e
l k
r l l t
d a, P U r
,h l
nS h uy e
. a 6 1
o st i p e
g n
4 n N w :. n n w n mR u H b ht 4
- c. o i 9, #
ad 6
/
of (
id=ig pA o
os 7
is 0,
d o
r e 0
d t
s r
0a7mcne=
oS h 0
n n
a 9 tnt es esa_e leS t
t t s n
a 1
d v n 2
ce d
e 2
8
, ens i v u==
I d d t
Fd a
m 2
8 9.
4 t n ei 0
ar n
88meynoei S
1 1
4 9
emSecbn d
p s
nA 9,
o m
m m m ml enmeo6oH mte m pl a
6 le e
e e e emEouh t
e aa te a
s gh s gs I
m e ).
I I
f It t i f r t v
t t
t h ct ciTw f
u 8
ao niv 1
1 1
1 1 e o mdot e os 1
6 d5 H
sa
.irPa e
e e3 e
e le e lehar s sintnev lb u1 lb lb b
lb bsennet se i o r
t lb r
r l er e r
gn na a a
a a a aet i
a dR ncamn ic T
T e
T T T T Td r I l i
u ct egarhui g
nl cA i
ndi ap e el i
e oS e
e e e r p e
e e e e eceaisaccs nh l ueh uoe e
r S
Sit P gd c s d d Ta S S
P(
S S S S SE
)
)
)
)
)
)
)
)
)
U 1
2 1
2 3 4
5 6
7 S
)
d S I
e u W n
it I
i iss e o g
n E
n s
h g )L d
t e
r k e aG n
V u
ss nmS a sc o R d
ao so(dotnpce i
r C E s
lo i;p yf l a ofeb st r a
(
T l
t e
r r
v l lane r f o
3 N
le n
i i vspet
.a peer
- i. c I
y t
oell L E
w o
a t
ist l L
R M
C w
wiit t r e dar aawG B O r
o t
s d
c t
ic ssS A
T A
e ee e st r
c a
d ds ad ydmn eh n iv sena n u u T
A s
t r
o a
f t R
g R
n d
w oang o enI lpamro f t c ews E
io is d
l ho n rpogodnis r
l iki a P
e t it d i n g
e e
o opmf er n O
n F
t isai r
c O
L.
n ma eamvh4 m t
r o srl sih eaesmtu ni nf steieul e
o cRo s e
-y t t c
f f
laWi) oo sdhme u
s v,
s r
et i v e
w w
uPew 9
i c s ed r
nphxe o
ie y
ie ngt o int t
ial t
al d 0 e af l
b a nr f
v v
miud e9b o wme d
r r
d e
ace pa) w sLefo t
r r
e e
e t
t tn n
er c e i
lo eGhe id la I
c I
heaf edc a, f s
n t
an sd psf b p
t e
t r
e r
y a
R o
lu o
t o nd it t
t a
on iaet o) la s
R e
6it ehf oyr e E
a f
a hyi a R lict r
n r
wlao w u
r
- t. nd w C a ac r F
e i
e t
r u i /s d
u s, e T p c O
is p
.ed o f
H p
w s
wcI in oc r al idk e
O R
r f
cn o. den c
e t
un s
d c*
d m s C ya r i o
ee p
yhpr r
n*
e r
a wlac h
p e
. m *r a o in n
a t
t a
l d
wr o phi a. s c
,i
.e t
n t
r n
a o a s
d ): ink lt c
d o E, u
o u
u s, r
a o
isw2t e
v l
A m e )l c
e e o d
it r
r e
nr a s rb d s
i p
p r
oe mtaf. o le k
. ep wde a
fi e.
r fr o
e el u
, e nu b
r vr n v *r a(
C p
pa d Cw e g d (i o
- i.iooi d
f e
r
- o ny o s w
. g t a O
n e f
e ep hi9 s io
/
/,.
g c,d d g
t e
le t itu r
s oo c s
t d re
.tadacee e i
m f n nle r
n u
u o
uw o areb b n s Jhemopvoh ia o
p o
n a r
n r
p o o a
s t d r
h n
eU hl emei m h e
r c
t RRefeopama g
o ps R g(
n eh a u ig t
t r
r n
n).ee r r T
C n
np Odiv N H S CCnic1 n N OI C
it u es P
st r
e a e
P
)
)
)
)
)
)
)
)
)
1 2
Wt W N s
1 2 3 4
5 6
7 et c n d
n e n
em a
r u 78 f c 6
e 33 eo 3
. f f
f RD e
ee R
RR kagO8 8
3$tI l
E
\\
References To Table 3, Operator interview issues 3.1 Roth, E. M., Mumaw, R. J., and P. M. Lewis, "An Empirical Investigation of Operator Performance in Cognitively Demanding Simulated Emergencies," NUREG/CR-6208, U.S. Nuclear Regulatory Commission, Washington D.C., July,1994 3.2 Mumaw, R. J., D. Swatzier, E. M. Roth, and W. A. Thomas, " Cognitive Skill Training for Nuclear Power Plant Operation Decision Making," NUREG/CR-6126, U.S. Nuclear Regulatory Commission, Washington D. C., June 1994 3.3 Hoecker, D. G. and E. M. Roth, " Effects of Control Lag and Interaction Mode on Operators' Use of Soft Controls," STC REPORT 94-8SW5-APMMI-R1 (or altemate I
AP600 document number. OCS-J1-008 Rev A) Westinghouse Proprietary Class 2, I
September 23,1994 i
3.4 Woods, D. D., J. A. Wise, and L. F. Hanes, " Evaluation of Safety Parameter Display j
l Concepts" Westinghouse Report NP-2239 Research Project 8915, Electric Power 1
l Research Institute, Final Report February 1982 3.5 PG&E Letter 225537, " Simultaneous Unit Trip - Human Factors," from P. G. Sarafian to D. B. Miklush, dated 1/17/95 3.6 Observations and interviews with Authorized Nuclear Operators (ANOs) at the Pickering Nuclear Generation Station-B during normal operations. (Pickering is a pressurized heavy-water reactor (PHWR)). The draft report is not available for NRC review at this time. Pending Canadian AECB review and release, if desired, Westinghouse will provide the report for NRC review.
3.7 Roth, E. M., and D. D. Woods, " improving Skill in Feedwater Control During Startup:
Results of an Expert Panel Session," WCAP-11135, Westinghouse Nuclear Services Integration Division, February 1986 1
3.8 Schaefer, W. F., " Low Power S.G. Water Level Control System improvements,"
WCAP-11126, Westinghouse Proprietary Class 2, May 1986 1
mm27w.wpt:stestaos 81 t