ML20129E805
| ML20129E805 | |
| Person / Time | |
|---|---|
| Site: | 05200003 |
| Issue date: | 10/17/1996 |
| From: | Kerch S, Reid J WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
| To: | |
| Shared Package | |
| ML20129E803 | List: |
| References | |
| WCAP-14645, WCAP-14645-R01, WCAP-14645-R1, NUDOCS 9610280171 | |
| Download: ML20129E805 (91) | |
Text
{{#Wiki_filter:a
'4 *
- <; u . .. *; ';, y . , . j .
1 y, :/' - : ;j f.... .., .r.,3,.
.,?.-
,.,.c..'..<;,.-.<,,.g..,..:., . c:
,,,T.;,.i,.,,,.,,,;.'rg.., . ,. ;,
f.n. :. /.. ..,.ic.4. ....,.f.. y ,.
- j. :- , ".'.,.6,+,.s.: .,5.
. - r..
,, 'f*
.<q ,e
.;,...'",,.,.',c.*y m;.f a - ', .e . .. . y,. , .; ,,q s: s *.
,<- , ,, .*-o.
., . .-, .- r., } ,.1j , *., , p.,, . e*...%, . , , g, ,
** . ., , .i,.e ;: , , ; .?.. ; . ' + 1. * ..
.. .* . s. . :, . . s,e,-?.. ,9 44. t .J. .:: , ' . 'e:. .:.*;, . .
- t. t. r
.f. .y 1- *
'y
..;q . .p . =.".e. ' . .;;mn. .r,; % ,. . .* :' ', ; ..:. ,
,- . , s.
;f . % .- l' . n::.:
'* "' a *
- : **a . %s t'
? .= .
e :j t).. .).. , ;; .h;G..
,G . . :
'.s.h...l1 $ ; o' .
',(: \ .* ';* ^' ;.
.l ",, .* .. ;*,*. ..Y. ; '- . . ';*i' f 'l
- 4. '. ' '?l1j'.*:'f
%.lq . :W c.:
. '.: '.: O..;;
'("#Y,h ?c l.s.* .*j:-l* ..? .l;,*riq'. 4 . -
l'f'. .b:;i. .;'.
. .':l* :( e .
.L'.: .: s . , : ' * .: :1 - , n rJ :y . c ;, . .rt s .:R,. + .
; -aVf
, ..0.f:.,$.. "
,f.h.
' hl],k.fl;hh.
,. :. . l 1, ... :
Ef. V f
+
.' . f, .py.:: xL c!...' . f.lN:,:f y::. 3. :Y, I<*: <.,. s;<;;;'U r.* y. .;y z; .- .
.* h' h .h{ MO,;s. h - ':*r . M..'-
; .f.k.,:f,_f:;h. .. .. ,'.YU. h.f. ,
zn e):'%..:y.v'.a.
*f..%.
t.i, ; .
. . .;{'::l w, .,.. . 3.;6 ', . . . . j ;:n. .
i :;_ lng L ~ e , .... f: s.;stc:
,'[j.y',f
; ,-,i . ,.
! ; l':': Y*. h.' r . l* )' .{ . ; l.
y,.m ..,.t;.
...'? , ;.'!.Q).
- ~'.:,;\,...'. .[ *p . ;. . .~.,'.:,; .n'. ;' ?, .' ' ', ;;)3 I : ~l: .,' . ' '.:.'.?'4,"**.',^-. -'.Q )l;*'.;.
. - 2, te 5., _ . g. u c ..f. . ., c; 3 ,.,. 4. .- ., 22
?.*
*
- Y ^* f *,;;:'A a *l' y ,. Y.7l. - ..,,.y! *;_
b *', .^.;q, ^ W; ,*. . y..n: b;(.,. j' ;; )'- ' ,' .;,'..,,,.', .? f* . .
- ,;; :s ,
1.' . .
; V...
n_ , ., j. :,;, .n .I ' d . '. :<, , , . - . .
,y ;, p'. . .%._.. , ,., .+.'**'.,,;.;
,',.;', .,'.. , : .* . ? ). i, r jo .;,.? ;,
r* ;,:';;.,1 y' : *. i s;1 '
-. . .,, '. d' , "'. ,} ' ," y.. ? . .e ;. . - ::,:
v r. .. .;,:. _ g.3
' ' ;. -l f :' . ~ y (. ,?.s ' .Y .q -<..
' ;r .
s...
'+,.'.n W g'av:.ij
.,, A.. f ' i '::: .* ;]' 6 $";, I & w' s,.lY. h'i}; ^l .N?;,:
. . , .. .4..-
f,.? -0..
. .' . .. e.,. . : . '. .'. ,' '. , '. ?;, '? *A, ., ?. .Y . . l r, , y 'y ; *
'.' f ] I, ...?y.- :. :. " l' ;
!;; ;^ ,?,.
k,)*!s & .. . 'f, I. '.* h - l:l: {. r:.I'..
$ .?.v ', h,:: ,e ;; Y.'.,'.;:. . < A '
s
. r,; . . v.. s
. . . .p. . . ......;..:.:.
. ? .4.;....e . . ,e . * .
- s. ..n...
. 4 . .-
. *t, .%a . , . ~.. g ;- . - 'x '.e.. ..: ' .v ,..s,
..s......s :.. ,;
o ,
.?. '*.,*g;.**,.*. ,,L..,,.,,v,*._.,.,. o:: m' . ... . .r s-. t ' .;.i w:p .n. a .( ,.,; 3l;: . ;- ~. . .:. : ., y () '{- ,- , . :. . n..
v':.
. ... . . j:r . .u . .. & ,, . , . .: .t;e.: :: : :;.y& s: . . .. .;. . .:
*. s}.-1;la.d g.*',;'., - ,
,4 .
.; *, 'm . . ;;,a,
. . " ' ' - *.*,...,q... \ . . .k ,. - .
;q- .
' 'l','j ;J. ,:'*t* tu;, .6 ;[:q '. 'j'. g3 . . .;'jq. ,* ,j* ..;.s.,_. . ,'. , 'i._m.. W:.q ;.;' *y. .v g ~ . '" l ', . :.,",f.
. , '_? ...l .;* * *J y , , A; e : \ ,g; . , * . 4. y ',;.._ , : : ,..,,,*.J.'
-; , ' ; %, ., .i. f .:;., _; g i ;s
.%,. s 'l ** ': _ ,*: ..: ; ;'..{
;' ' ,,j. , ' f:, , , ". ; (* . ' ' " '[ll?. , 'l '. *', f ; *y .' %, . :{.. ;: s. . ' :* ,,,.f .c ' , ' . ':. .'.:" )' f
?
, : *' ';. :'; .'.t,% .'.'.c= - , C, . '. 3
-l , $.
- k. i, ".-}. * * .' e',,, . -; -...?. ' ::' ,.,% ? 'qs'; e : .l' ;f . ' ' ..'n '.
.r. - :..
- l ; #
*Q v. .
- h:.:'.,...e'.
. .O .;.;b.'* ,=..l**
4'
,f, '* ~.. .f. - ;l..: .: '; . ** - 'i f'. . . . . c, -,ec .i, "g.l.*. . ,. n. *.*'7_1 .e-
,,'..:, - .'s.sy g .f ' .'
3 ~ ;. .e -
' -t. :. - -
t
.V > ' .;. * >. ' . .- .. - 'v..,u... *.
u-
-v- , p : .' , ..
.."v s
*$ -.. O ' ;;. . . ' t,* e .
' [ ,; , . '
^ '
L , ' ,. t.. A.. ; .. .L. '{ s . ._ ' ,. . a. .:',. . {,;" :.' u :.o..!.,..'..e *4*
*( .,., . , . . '.p.(:'.,.j'. "g[. l - 5 .,... .. _, ..l.,[., ;;;. : )? s,. ,' _ .,..'.)*p ,, ;f g, n , !.,'.... . .
. ', ....,_.Q'*.u.','
..%.).:
4* , _ ,'n.;;.. .. . ' *) , _S
.,e
., . . . . .- . . . . p -
. .Y.^ -; t.g * ' R', * .
, .* . . . A l*, *o
. " ',f .'l*?y ' .. .y_,b.'.'::w
. ; : u "'g '. . , H ' 5; .s :,
.. ; * , .'. ' ' . . , , . . . . 1 r. .
- J. .f ,\ ",,.(;';, , X*' , 3', .;', L ., _ Y '. >, * '.' . '?. l. ,, ,
- 4,,' ; 5 Y " ., 9
' > * . , . , ,ss,*l'y .s ':;. ..g. ,'t
- yo, .; - n
- a . ._ : .::,. . . . . . .., . u... - * .
.......,u
. .h *t
- . ..- *6
- j'- ,.5 :*'.;1',,",..t. * , '- , . f.ll', ' , _ . . . . .' . . . , ' ,
*ho {, ,-l:
<j . , y, :..-s ".;,,"_-)+.,, '.;. *.,,,;;,- a
Q-_L.'- .;.';.c,g'.',..,l'.':.;.^l.',.*';.l
. . ir:.
s r .t'
? r.*
..,'.f,,,,,'*t._ , ;;
,,. ' ..' .'g. ,/ .#;. , , . I),
- f'_ ..',?',.s',_.
- s*
., . g . . . .. ,
,...,,,s.
,; :,..j,....f.,2,.. ,: . e. a. . g.3 ,
. ; , .,..* . . , . & . , .,, j . .; ,; . .l;?
,.,,.; ;g , . . . ; :.,s.,..
',;.,.i,t'.
- . . . . . .:._,., v ,w;
_ .. . . . .3 .. .:,,-
;e',t._.;. . _.......,..;,
-. : *s -..c.'r.,..
. n. '
; - s>
, . ;, g. ,5- -
*r* ..w a,, ..J...- * .. y ;- .
. . . . . . . ,,- , o..,, :. .,
^ , ,, , .
.i ,, ?. . :e . .. . . , . - . ;; v.
n *:. .. . -
^
s
- j.l}j ,; . . _, .,; :. ' n - . .t, ; l. ,p '. . ,l,}.;'(
,h,,'..';:. ';s,>.st e . y;, \ .:Elf. . ( . . ,; . ;* ,
G. L, I ._e ',;n ,.
..?.: .,,'l-):- _ ,
l;;1;. ** , '"] '.$ - [
.. z: S_.,... y. . . . - .,
, k pl.* ,lQ: l. ;} g.'., -
- * : ; ' ,} .*
.r:{y - . .
. ,J f." ,:.". . .;. ':,, ?, ^ :.-.:.h^}.'..,. ?-
s-
.;- l ' ' ' .h"'
, . .s;'] z
... ;,.. ' * ..' , , . :l;^ ' . -; '_v M.:- ' g;:4;..:,: , , :. :;
g...
> .; d.' ^.,,.
.y
, *: l m
.: p r ' !" .' .3.; - r...,.n .. ;- ..!*-- .. Z:,. g.*
..........,.....;..','.3:..'.J:r.;.'.c.,...'.
.:.g -s.n' ;'. ?;.._, e..::. . 's 9. . b. .._,..:,
- n. .. - - m
. mg* ... _.v .
;j s. -
..'.*.-u:,.'.' s.
,' .. !. :; .M ..' r. . . . x ;.,;
+
. ;:, ;,,. y :. J... . :* fly: m , . % t... . " * .: v ;.. .;; ,; . :
- -.. n
. ' y< ;. .). ' L.s...-
... c. : . .f; % , :. ^.
1 ...r;.'
- w. a -
,W . ;,,.
, ro. :
.;;.:r.r.:. s '. '-... .p.,n.. ;.s.. .... ...e ' :?. _. b;:.
. ' . .. _:s.;, , - .' . - ;
.:,.* ;. ,..... . .x. ; . . s .' ... ., , . . . ... c. e ;. ; . . , . . ~. ' ,4.: :. . . . .: ,.tv. ; . . .g y :
...e ; < .::., , , %; . .
..,3..
, ' . . ;
- f.'. .
.. . - ,. , . g,z. .. . . . . . . . . . . ,
. o : *:,' , n *: '. 'f..
.W:-.- .Wl Tn' :.'* j .j -; ,f. ':.4 \'<,l y ..Q .,, ?: W'.\ QY'*'I > .X' '.;:? ..n:-
,.11
.i ,- h, :b .'.:
.t s. . - .v .t*
* ..;.::.%i ^ - ., :
% ~; " .;' %, e.lc_
~ . ' . s.:; ** ;; ';. ;t.;.s ys '. .
..,..,....:..,s'.. o .
;..n. s e; . i.
.n.', ., .,.. . *: ;, .:.=.g..,,s'.., .:.
- n
,.1; r .
.-,.5,,.,eG..,..o.....
.+.,.%.... s.,.. .t ...v.
/. a f . .a....c,-,
. e,
,.;,,,.,..c.. ,
.* r.
. . . . ,. 9.e ' . e .
, .. :g * ,;,. y .a, ..v
.. ,, .' (.,...'...",..,';.S.
'.f,,~,
o . 4 ., . .- .
- }. ; ' _ ;. . ? [,. *
* * [. }s '(.,l' .~ . }'f.Y, ' I. <;?' $. . " ? .ll'-?!I lY f; .$; *il:.;l :i* :' L , [ '.l1,. < E-
. .: ,[,,. s;.i.l, ) . ;', y.. .l .. l '.ll:'l. .
- .g.....:g.,. - -; './,..* .? *:
.- . sL ,f~ - ' .'lr,'..:.**.+;
g'- . . *,u . *: 7;.-:,s.. -.;;, ,".*..;1' Ae.,.* .., ....:,
+
- v. .. .'.*'.: ...',,'4,9.....3
...:;.....,'f.l.I.
. ,.g y ,
* \ l *pe'
.....I i.s, .c ,* '":. . ' ' ' ' , 'g:. ...'. ,, ,...-l..
...." n -) , , , M. . 4 t ;-s
- + a: *. . <. f.4-0
.s.
....7.'
. . ;. .. . r ~. :1. ,. 1. .: . / ....e:
.n .:: ,n .. .. .c. ..<: '
. .,q,>a.,m; .4 s : i - - . i
- : a n..
e;.::. . . . ,,%..s..,.'.'.'., . 3't . . , , . -'..%..'- . . . .
~ .; -: ;-
..- ...,c.......- .....:.
-.. .,'b/. . .-. -
a..,+.v.. ..\'._,.,.......'h; . :..g %. - l.' ; .: .'..,..T.
; - , '.. c...g rt. .. . . :.t,., * :., s. - - . ;: ,- :
3 ': - t
* .' :3. s., +: '. . . . :. . . . , . . . %- ,
, , .- : .a ..;
.:y .p w n...~..,,,.:.-
- ,$y. " ~ . .. e .j . ..
;s
- y _ . - . ': *.
;'...,.- -l . . , .
, .. .- w ~%., ...r-
..;.......s . : .
. . . ~ :
. . . : 3 % ' ; M. . . . ~ . .*.
n:) .. ..,.: ... . . ,v . .: : ?..~.....
. , . . * , . a
- . s:*.* J. - ps':
, r, ..~ < :. < a . . , r
. , l;-3; :.::- u. :i ' , .
. ;s..+. . .' ~ . v' ' . ...s..c.:... ;..s-,,- *,* .s'.*:'.s;. *'.*; .., ;: ; - .' ,.:....: ;., i *.: .
9:: ; o a. s
.s r; ;-~ . '....L.
- - . l.
'~; ' h;.' .; -
- ,c ,
.r ',: a ( ': , :.:.; ,_' .../. '4*.
*;; . . .," \. ,,
,o : y -
..s.. ~ - . , . , . %, _ :: . , , . . .
. s. .r.. .
;.'..,.'..<.,,..:' e%:;. . ,~* :'.e . . , '.' . ;*.
s .! ;* y ., eN.. .. .- . l - . . . _ _ ' ' , . -
^
; , ' q.* C.
- s .k . : ,< *.. -
;...t- . ?.5,',r.:* ', y^g... .f'* _. . I '
,. o s'-
.M' .
, : (.,n. j l . '.
n,...r,.,*-n...... ; 1.- , . :
..$. . . . ..:' t *: l6 ,.
,b. . - " ?
,l.'.,,'.-{.. ' .
., " .* ., ',a ., s ? , :#
..,c...'...1.'-
.;.j._*,.,'. ;
y g :
. . , 3.: e. F
. f . _ - ,.l.#i..... .v.... *< .e.,.. . . . .-
,, ..f*.,..=.;.'.,s.'s"< l > b. .w,. * ,,e- ;. . . ...,
. , , e . , . . . , ...f,.,.s.,..
.4,.,, ; *
.- . . . r,e.6 .
. -'-;..e,- , < ; , " ;' .: . , .. *
'.~ ." , ;4.'....s.,.,* . .: . .
ge .. . .. . '
..e, :. j; .,',. , c . .v . :7 . _ -..,,.,,e.. ..,- 7 .
5* .- .
- ': 3 A; c . ~ . 4 .,. ; ,: : .
e, . .: . . ::
..:' ;, -.. - .e: - .
. '3' .,,,,,,, .,,
.t ' '. *- . . .' ';-; .
. ',, 4. .,g*, ((, /[, ; *' i . , .s .[: .. .'. .. ,. - (". I,' ( . , 6 h,1.l ' . ' h'
- 4. . . ,; . Sc '.y .. " .' ,,,. . ? ,'. ^ j I , 5. .;./ ' '.', f;* [ .' 5.'.,'.', l I" '
I' i, ...'.
. . '. v'- , . .. . . ' .-. ,;,% .-- ll . - -
,,.;.'c*, , . . f. c.; , . ,. - . , , . . . ' .* ; a' ' -
' - . , *- .. ,".. ,. .' ..,' .e,,,.7.;[ ***
...,,..i.,e..,s
- e. .
.5,-
j
',,t..-
e~..<..
- ;q, '... . .-~
, +y , . . . h :. y.. ..*-
4 c. .. . i
,e
- e. ...
s_._. _. - . - ..'. . - ,
. * .,i .' :
- t. '. s . ,, . ; , c,..i, .
,, .; * -; ...y ,' ,
. - . .e . ,
. g.. ,
e.
- ,~
,, . Q %l., '.. W.. .. 4 : .: .:~4)'...' . . ' . .;.
- ' s.'..:. ::['..'..',,',,,*,..'.,'..r... ., *< .. ..,.g,'..;,.'..'l
. ..,.s v ,.,"...:
- r.
- 4 .,l . .
... h . .,
s *: s...- . ', .
> +
s*.... . *;a*; . .i . . *;.* . . ,. a .
.f . . o ,c,. , .: .+/. . .; . . .;
y- .s-
.. . , ;. ,e.y.-A..,
s +:.',,:,,s..,
.s :, .
;s , s.
- s. .- -
- g,
^m.;c'..g,.,4 ."; , &. . . < . "c:, , ;. . . 4..'
. *6 . ..
. . '. : . p.. * .e. e:: .
,.g, :. ,,1.; -; f.:-
. ,;. 3 .,*
L;: :. .'.' . . ' ..;*, ,...;.'../....
. - v .. s .
5.,. ,,.-c r1;."Wr. M ' *:,'._.w ,:. .,p 4 ; M.*'j '; i,k.:g..,,e.")..
- ? s:, ; .-
'. ?'..w. t. 'J'. .p'.; , '. l.!.g;,. , a. .,;.5. . , *,,. g} ! * ', . , , a. ' ;. '. *.. -l;v. , , .?.;'..h.q*: ' , ~. :.. ,g . , , ,: ': . .. %, f, %e . , ' T.;,' i ,, .
. ., ; , . n e . :t J...,p.,.-**,.,s....m, i :f . ;. . .
-,.,n.. . ,. , .. - . a m. .,,. , a, , . . . - . .,'. ., .g - _ .,:,. , :-
.<.,_..y:,,,,:.,... .. - -
t
. . , . r.. .f 4
.. j
- g 3 : , ;, ,, .. ~., . , ,s.: .3.... .. -4. ; . ..% .
s.. ,v, .- . . . ,..,g>..
, g; Y. , . ..,.'..,.,..\i..:'....;:V..,.l'.'.:.'. " * :,: .1 , ,. , , :.'t. r . '
.5.,v*.] h ..g,"
~. y .i: .%. .. !:r :.,.' .*y. .. .->l < . *i.-,. " .;...
-yl s.bi .
., .' ' ; . . . .'. . . ..r.s. ' '.g ' '",';lJ. . " Ys.?..r.'..:._,..*'.',*'..,}.',,~~
,.. ;. , .. ,. .(..<. ,y.,; -
; , , ...y.
p-
., . svy,:g_ , . 2, ,;q _. . -
.C';. +1.- . - 5.' .'r-, ; , .. ; ' , .r*.. ,:. j, : s l '.:.. ; (#, .
. *;,.; ? ;i.t.,r!,... : ll .-l,
;;...,.;,,..._ .s ;;,e , y, : .,. C ., .
1%; q o,, - ( 3, j. -. ; e ....:;,e .,...g.- a; . -
,., q g y, . ,; .,, :s,,c, , y.. , .i, . . ,,,.'. G
,- ,,... t ., ,
. g .. p . .
s, . .. y,. q , ., ; g, ; ,' y . ,
- c. 4,;%.,
,, A .y , . ; .p, *
. g,, ,, ., _ ,
,r. ,1ge ., ;-v. *,,- -d, - .
. : *$ ','.l . $ *
' l '!.
['s-
, ' . . n: .AA
. . . - ;, :.,. ., & : s; */ *M%: ,; ' , k.t . . .g--, ,, .,*s.,
I. .
;..s> v:. ,;. ,.
s
., qs, y";a.,.. ;,:n
.e,..<.. _'. y -*- * . , '
?. .3,.,b ,y ( f g ',*, . ; < }.-.p.. .,. . . .r TP ,i . .,: .;,..?*;. *?. nr s.c. h - u, y,, ; ; 's .,,,*'; . , t ..,A,. . f;,;.' :j Y ;;J. -,. .vs . . .,pg,. J ,;; r ; - . .
;:pa . -4f'< - -.. ..; , ; . < .' , :
n W....
. s .0,,,. ,:fg . ,*. ;jy. . g.,_. <g_ .**44c.%, f ;*g<f A.; ,. V;f ..., . ,". . . -f..,
.'* e ;6;.Y,,l3. ,;.. , . .,,-;... ('.
*,1 .. ,. ....;. .y eg.,
' .. ) 9T g sy:y'; X.y , . '. N. :,. .5%. ,, z . .. ..
\ y7. y, v.,
v-7...',....< . u - .. *j: . ' .. . &u;p;.: - ., ff. .. M; .p';,,,:, '
;'; . lW,i.
.g._n , a'.* mp' ,,,;. , ",,;_,.: . .. . , .. s , ; ?... . .'._. _
- A 'ps c (f * .fy .._., *;9, _ , . .
h -l
,, k' ; , 5 g . . .:/' * ,.
- s h.pgaQj ..:%: . .f qfi_.t.h. '" . gy p ig.9:' R :::s q,
<A.'. g ;1.i ," u . 4 . '
.e+
. : ,. h. 1N. ;i;k .$.Jy;,; < . .;,, (,' h,.g*. ,,,
. . . . .V/r4 ";, y;.. /?'.. ;,\.:. . , .j %st ,.,: : h.y N .1, (t ,.~,h fe [;, ...,.'.g: . . a ,,* :nl;t: . N 4 .lk:
,.r., .
. ,9;Q <pf
- . -(; s.c . s. . 'p hh =ycf,) h'*q Q y;,,,,._ N'*fth,.e,4y' Q. * .q M. - . N io , ) *N", :z ?/f. . .'3. , ' yg+ g.g ,: g b&a.. .*!':.m
- A. p + ~ , . , ry , '
- Jg..! ,, }s,; ;*V* . . - s*'
n. i .:J > ),s.' p'M t- ese j}N,%0;.?p'
- 7
- y;3 f %fi : :: Y.t +
- b. ,W . . s* . n. >. {'n * :' t p fd*'$ * *-ll(A ! th : ; ' j%.'* ;k'd'.l4.4, ?
f .f;%:i l5;fN ,4f,). ' .
%*n -
i:h%RA,, : . ^' - k. ' ' ' t
'. ~ <'
?l s! N@. *: A .: s
~
- 52' j,(6l5,,;,[e. . b ,:
t .
- : %;.5';% !ne:.M %"p.(m'i'q k' \',,d.?V :M).%.M}.:WW 54 y.:l h.Q.i@M.Q.,, ;@; .;,:;.%%.:fh $l,hl%h,&':v,?:f
%,.'.: W .M &D.
-c. '. -; y,;h . ' if Q;y f .'s,.kQ:4 .f1:':'g,W .
. '::'e . I!j-;.:% Jgt ^* j';.g <j' ~ A;$t V !, gfm ll Q:J Q .h :
Rj
,.' ' * \
e.
.f ; k, - , .1
, . .. Y.' , ].
- b. '
W. p'.a;j
- MMM . ' . ' . - h.* ::v : #,n
- W., 9.."h :, n %*: .
!.:s. '.; ,;
s . . .,
) *.WoM .
'.Q~MQ :;f. . r, . '[u,,L3
*,>. dM%: .;*Qe, ,M[, g..v.;g+? [- /s, ,.,q.j.),
; :... ' MQl:%'. f;;,'_
i+
. . . ;. :..,y,r%,
.,. , Qh M,2. v..,c g,f ::.w..;';:l,;,Hl
. . , , C?.%), f. * } .4 d'%._
_ ? . mg*h'.,,';,sa%,% .,y_,n
. . sf-
, . . - ;V
., , ..,,._..9...,..,;.A;.;
. 4(, .... : ..); . t . ~ ,,, .. , ,f, : . .us %.. ..p, f.
so ,.q,p,
..,n ,
4, y.yJ s.,s s y ., m, _ , . . q., ur 1.g.. g;p.
.;q,v. m.y; e ;
q ... s,. . ...- n s
. ..>.,...i.
. . :.y
.:t.. . 9:;;.
.p. A:q. r - e. p. , . .si.,,,1, . . .-o g/ .9 _
y - ' *,,
. .,t r ; .9 ; *,, .., y?.1 . r:E. .m .b ,,f ' <
I'. . - l%, h# [J . ' '- " , I I [."< .f1(;: ,,.[;, 4.,. : r e. : .; . .,
'. n y. . . . y hu. ~W.y y;g.,.ff,,. * : . ' ...*, ? [t w:, _ : .;;%.>[:,Nf.if. k*.* Y3h' ;;', : t : :.. e.,\g'f. J.f s .X .. . .{, , ym
.s.
' 9- p
' .'*:D.o. .sy :r
- t,l R
'q,... .),,'.
- 8.s..V. :,.p:s.' g r . W
.;;tv(. h::%;
s ' , :... _- r.f,. . : Q. , g~y*. l.. ;e g..,.4::aMn,Q,W. ':.3 :. b
.: 't, ,3*; w 4' 'ylWl.';ntg?.N";,l. yl;@:g.;M, ), .O,,.,, . .: ' :k ":
. 'h : . e: : t 9 ;.,y a. -. . ' . . -
.. % :. V"t..v 3, .< .. .f..f.%. . .p i.+ g'+'. :p:. . .;,;y :w*.t . :::' .. ;
v .:y; -t,
.h.n. z- :;'::f ' _' : - {'l..Yb;; llrS A' . ~" 4 u. .. . : . .r . r a.: r.
t - r .. .e p.s.. ....p. i%.. . . s.. s;.. iv. - , .
;)a w.~. M.'f.
f i:. k 4:,O
;. ;.3 ,-:d:y <:t*
h $.e$ j'IllY [" t * ~? . ; ... : ;; 0('.?;':,l. .asf l:.1),N"lp" ~. Yld 4 n . k!..C $..),.
. ?.y?'!^^'[ED
.ll '* :k.y;j$' ^;{. A. T'
?.. ,~
.M:V' T':. ll .
. "; U:;f
- f p r .- ,,_ . .N *q~;.,u; . "iy '!g';.\..f.:s
,7; ;,;! L!,c._.4 y
. . ^ .
- e. ..c('.. ,f *...:i.. :. .?*>_ ... .,~.:' . ;;'.:y;;,3
, f... ,.. .g3...'. ;:.. :.:)......
. . . . , -Q'Q,)[,
v, e#;:., ,J.>:Q, ;:.'Q. pv.:;.] . '.Q, '; <J u. j.,,,:':le,. .,,..f. . ..f.;,. :',._.x. .j* o
,. .,a ...y
-:W p.w. f,. f'- ;.4,. . .;;j4
*y 3 .,: _4:
.h. . . ...L
- n. s. 9 .. q . . c ,;.; ; . ,.., .:, .,u; ; ..q C;s ., 7::y;,3; .'..g. :. . . .;!Q
.,,, ;;; (,. fs,x y:c ,;p, { , :. ; . .;; ,ys,,,, ;;
+. ,'.','.Q',.. ..
s .< ,.m. ., a, . . ,,,
. , y . ::. f. 3 ,. .,. %, a:. . . s j,., . , ".. ' ,,-g:. ,.. p .;.. .
. N. . e: , , q :. -.~. .
- . n . . . . 3. >
aw .. - ~ l: , * ?.* * $_ i.. 5)~h, . . , .,.. )s.. ::.^;;;l... :t ,; ".: .i .,0['(,; .li.Q* " 'i. L1,y:.v.*h ,.9. ': .p.. r]gl y..C: : 2*5.'h!'5; h',,,:!!.':l.. ^. h&<p.t: .,,;y .; . ;, r. . . ,
;.. l:~:
t.q h.' f C.l; .&, . . . . ;Ls 9a @.}* ? : * 'v . . :)
*: - - j'Vll}')
n .; ;j . p. ; \ - ^ u ;.,;Ms . h: .3. u..;Q,7; _.' }:.__:.; H: q -)- _ ; ,%. Q::.(:g a ..
, ;*; . . . n
~ --. .'::,n:. : U.;. .;s;.4 ._' :.q:< ;,l .g... ..: -;; }.l_ .ir s,. . %.,0
- s ', a; . . l. . . ;: . _-*
';re"y' .: 4 ' 21.o f ;.. , . . ' ,:, r:f: ; ;. - s', <*
w e
~c
.n.; ;.l;
+; .: ,. . ..: ',z,.p;. 9, . . . . . g(,, T 1
g :;g *..;y("r.id ypVj.&;'pa 1 ; :s v ,;; .. .' h "' . h.?:*- 3.g. >pc .7: .'.! . -
"; f p:p ;.; .b . .p+ M. . ~ .:r'.V ; *. W.u .c i
J s.
.:.;~;,
.: ! ;d::;.n. ,
! .T , 4:y;r%.:..::x ., M..;;n. :.. e,'&,n.R .,.q,.&,4 3 .f4'W c -Q".:.., . :' .wg elu:
,n * -
<%..Wnr.s.:7+ yn::.
.n g?.w . y' +m' ln 3sM % .;
s:r !< c. JC % ..
.w . . i .
,, w.;l::m~~< .w.;- s jikh.ehb a;. ch.b;-ap ; .+ 4.x. ;;%.%.g*;s; ,i;Fm,@4.l p:.: h k h4~:~.p::j+j;
..C '- i .su. ;.; . 9:y a ; m.m ..y v-u i. : .
v.. hhkhh.h, o.,w:;1:,;.hhk;:k;~hkw.. : If hh :h.v..a 9m
#w. m.h Mw@s.>..p n.< . m...ymmM a u p. fst mu mgg. m w.
cMm h.h',h;hhhhhk. . .hm.~. fw w%w(. .m .. .
; h, _h f
{. ;; Qh;[kh ,a h'% [.'.k,fl h ..h_. . , k :f.h d),% j f. . , .
; [
Westinghouse Non-Proprietary Class 3
+ + + + + + + +
Human Factors Engineering ~ Operating Experience Review Report for the AP600 Nuclear Power Plant l I W e s tin g h o u s e Energy Systems
$$$'2#2EhEd $$$o ,,
A f'I;ii
I . l AP600 DOCUMENT COVER SHEET *
. TDC: IDS: I S Form 58202G(5/94)(m:V1252w-1.wpf)
AP600 CENTRAL FILE USE ONLY: ! 0058.FRM RFS#: RFS ITEM #: AP600 DOCUMENT NO. REVISION NO. ASSIGNED TO OCS-GJR-001 l Page 1 of_._ j ALTERNATI DOCUMENT NUMBER: WCAP-14S45, Rev.1 WORK BREAKDOWN #: . DESIGN AGENT ORGANIZATION: WeStir.ghouSe Electric PROJECT: AP600 l TITLE: Human Factors Engineering Operating Experience Review Report for the AP600 Nuclear Power Plant ATTACHMENTS: DCP #/REV, INCORPORATED IN THIS DOCUMENT ! REVISION: CALCULATION / ANALYSIS
REFERENCE:
ELECTRONIC FILENAME ELECTRONIC FILE FORMAT ELECTRONIC FILE DESCRIPTION m:V3265w.wpf Wordperfect 5.2 m:V3265w-1.wpf i (C) WESTINGHOUSE ELECTRIC CORPORATION 1996 O WESTINGHOUSE PROPRIETARY CLASS 2 This document contains information proprietary to Westinghouse Electric Corporation; it is submitted in confidence and is to be used solei for the purpose for which it is fumished and retumed upon request. This document and such information is not to be reproduced, transmitted, d or used otherwise in whole or in part without prior written authorization of Westinghouse Electric Corporation, Energy Systems Business Unit, subject to the legends contained hereof. . O WESTINGHOUSE PROPRIETARY CLASS 2C l This document is the propony of and cor.:ains Proprietary information owned by Westi house Electric Corporation and/or its subcontractors and ! suppliers it is transmitted to you in confidence and trust, and you agree to treat this urnent in strict accordance with the terms and conditions ! of the agreement under which it was provided to you.
@ WESTINGHOUSE CLASS 3 (NON PROPRIETARY)
COMPLETE 1 IF WORK PERFORMED UNDER DESIGN CERTIFICATION -OR COMPLETE 2 IF WORK PERFORMED UNDER FOAKE. 1 @ DOE DESIGN CERTIFICATION PROGRAM - GOVERNMENT LIMITED RIGHTS STATEMENT ISee page 2) Copyright statement A license is reserved to the U.S. Govemment under contract DE-ACO3-90SF18495.
@ DOE CONTRACT ect to DELIVERABLES specified exceptions, (DELIVERED disclosure of this data is restricted unti DATA)l September 30,1995 or Design Certification under D 90 18495, whichever is later.
EPRI CONFIDENTIAL: NOTICE: 1 M 20 3 4 5 CATEGORY: A G B C D EO F0 2 0 ARC FOAKE PROGRAM - ARC LIMITED RIGHTS STATEMENT [See page 21 Copyright statement A license is reserved to the U.S. Govemment under contract DE-FC02-NE34267 and subcontract ARC-93-3-SC-001. O ARC CONTRACT DELIVERABLES (CONTRACT DATA) Subject to specified exceptions, disclosure of this data is restricted under ARC Subcontract ARC-93-3-SC-001. ORIGINATOR SIGNATU AT S. P. Kerch $ 7, / 7 f[o AP600 RESPONSIBLE MANAGER SIG
~
v APPRO5/AL DATE l i O' B* ROib { ~ k lD/0/Eb
' Approval of the responsible manager signifies that d5cument is complete, all required reviews are complete, electroriic file is attached and oocument is released for use.
cosa.new*n
AP600 DOCUMENT COVER SHEET Page 2
. l Form 58202G(5/94) LIMITED RIGHTS STATEMENTS DOE GOVERNMENT UMITED RIGHTS STATEMENT ,
(A) These data are submitted with limited rights under govemment contract No. DE-AC03-90SF18495. These data may be reproduced and - used by the govemment with the express hmitaton that they will not, without wntien permission of the contractor, be used for purposes of manufacturer nor disclosed outside the govemment; except that the govemment may disclose these data outside the govemment for the following purposes, if any, provided that the govemment makes such disclosure subject to prohibition against further use and disclosure: (1) This " Proprietary Data
- may be disclosed for evaluation purposes under the restrictions above.
(II) The
- Proprietary Data
- may be disclosed to the Electric Power Research insttute (EPRI), electric utihty representatives and their direct consultants, excluding direct commercial competitors, and the DOE National Laboratories under the prohibitions and restrictions above.
(B) This notice shall be marked on any reproducDon of these data, in whole or in part. ARC UMITED RIGHTS STATEMENT: This proprietary data, fumished under Subcontract Number ARC-93-3-SC-001 with ARC may be duplicated and used by the govemment and ARC, subject to the limitabons of Article H-17.F. of that subcontract, with the express hmhatons that the proprietary data may not be dicciosed outside the govemment or ARC, or ARC's Class 1 & 3 members or EPRI or be used for purposes of manufacture without prior permission of the Subcontractor, arcept that further disclosure or use may be rnade solely for the following purposes: This proprietary data may be disclosed to other than commercial competitors of Subcontractor for evaluation purposes of this subcontract under the restriction that the proprietary data be retained in confidence and not be further disclosed, and subject to the terms of a non-disclosure cgreement between fne Subcontractor and that organization, excluding DOE and its contractors. DEFINITIONS CONTRACT / DELIVERED DATA - Consists of docurnents (e.g. specifications, drawings, reports) which are ! i generated under the DOE or ARC contracts which contain no background proprietary data, EPRI CONFIDENTIALITY / OBLIGATION NOTICES NOTICE 1: The data in this document is subject to no confidentiality obligations. NOTICE 2: The data in this document is proprie and confidental to Westinghouse Electric Corporation and/or its Contractors. It is forwarded to recipient under an obligation of Confidence Trust for limited purposes only. Any use, disclosure to unauthorized persons, or copying of thir document or parts thereof is prohibited except as agreed to in advance by the Electric Power Research Institute 'EPRI) and Westinghouse Electric Corporabon. Recipient of this data has a duty to inquire of EPRI and/or Westnghouse as to the uses of the information contained herein that are permitted. NOTICE 3: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is forwarded to recipient under an obligation of Confidence and Trust for use only in evaluation tasks specifically authorized by the Electric Power Research institute (EPRI). Any use, disclosure to unauthorized persons, or copying this document or parts thereof is prohibited except as agreed to in i advance by EPRI and Westinghouse Electric Corporation. Recipient of this data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information contained herein that are permitted. This document and any copies or excerpts thereof that may have been generated ! are to be retumed to Westinghouse, directly or through EPRI, when requested to do so. NOTICE 4: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is being revealed in confidence and trust only to Employees of EPRI and to certain contractors of EPRI for limited evaluation tasks authorized by EPRI. Any use, disclosure to unauthorized persons, or copying of this document or parts thereof is prohibited. This Document and any copies or excerpts thereof that may have been generated are to be retumed to Westinghouse, directly or through EPRI, when requested to do so. NOTICE 5: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. Access to this data is given in Confidence and Trust only at Westinghouse facilities for hmsted evaluation tasks assigned by EPRI. Any use, disclosure to unauthonzed persons, or copying of this document or parts thereof is prohibited. Neither this document nor any excerpts therefrom are to be removed from Westinghouse facilities. EPRI CONFIDENTIALITY / OBLIGATION CATEGORIES CATEGORY 'A'- (See Delivered Data) Consists of CONTRACTOR Foreground Data that is contained in an issued reported. CATEGORY *B* - (See Delivered Data) Consists of CONTRACTOR Foreground Data that is not contained in an issued report, except for computer programs. CATEGORY *C"- Consists of CONTRACTOR Background Data except for computer programs. CATEGORY *D* - Consists of computer programs developed in the course of performing the Work. I CATEGORY *E'- Consists of computer programs developed prior to the Effective Date or after the Effective Date but outside the scope of the Work. CATEGORY *F* - Consists of administrative plans and administrative reports. ms.-
I Wcstinghous2 Non-Proprietary Class 3 , WCAP-14645 Rev.1 l 1 I HUMAN FACTORS ENGINEERING OPERATING EXPERIENCE REVIEW REPORT FOR THE AP600 NUCLEAR POWER PLANT j l October,1996 AP600 Document Number: OCS-GJR-001 S. P. Kerch R. M. Span Westinghouse Electric Corporation Energy Systems Business Unit P.O. Box 355 Pittsburgh, Pennsylvania 15230-0355 C1996 WESTINGHOUSE ELECTRIC CORPORATION All Rights Reserved mN3265w.wpf:1b/101796 Revision 1 October 1996
4 TABLE OF CONTENTS l 1.0 I NTR OD U CTI O N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 - 1 2.0 SCOPE...................................................... 2- 1 3.0 RESULTS OF REVIEWING OPERATOR EXPERIENCE ISSUES . . . . . . . . . . . . 3-1 i 4.0 RELATED HUMAN SYSTEM ltJTERFACE (HSI) TECHNOLOGIES WHERE LITTLE OR NO NUCLEAR PLANT EXPERIENCE EXISTS . . . . . . . . . . 4-1 5.0 CONTENT AND RESOLUTION OF OPERATOR INTERVIEWS . . . . . . . . . . . . . 5-1 4 l. 1 4 $ l 4 i l l 1 l j i l mA3265w.wpf;1b/101696 Revision 1 lii October 1996
l LIST OF TABLES AND REFERENCES l 1 Table 1 Operating Experience Review for the AP600 Design . . . . . . . . . . . . . . . . . . . . . T-1 References For Table 1, Operating Experience Review for the AP600 Design . . . . . . . . T-66 Table 2 Related HSI Technologies Where Little Or No Nuclear Experience Exists . . . . . T-67 References For Table 2, Related HSI Technologies Where Little Or No Nuclear Experience Exists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T-72 i Table 3 Operator interview issues ....................................... T-73 ' References For Table 3, Operator Interview issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . T-78 l l i l l 1 i l l. mA3265w.wpf:1b/101696 Revision 1 iv October 1996
k j ACRONYMS i , ac Attemating Current i ADS Automatic Depressurization System i ARM Area Radiation Monitor
- AFW Auxiliary Feedwater
- ASHRAE American Society of Heating, Refrigeration, and Air-Conditioning Engineers ASME American Society of Mechanical Engineers j i ATWS Anticipated Transient Without Scram '
- BWR Boiling Water Reactors l CCS . Component Cooling Water System 1 CIV Containment isolation Valve i CMT' Core Makeup . Tank i COL Combined License
- CPS . Computerized Procedure System i CR Control Room 4
CRT Cathode Ray Tube l CSF Critical Safety Functions CST Condensate Storage Tank CV Check Valve ! CWS Circulating Water System ! D-RAP Design Reliability Assurance Program DAS Diverse Actuation System l dc Direct Current
]
, DDS Data Display and Processing System ; DSER Draft Safety Evaluation Report l EMI Electromagnetic Interference EOF Emergency Offsite Facility EOP Emergency Operating Procedures ERG Emergency Response Guidelines ESF Engineered Safety Features FBTA Function-Based Task Analysis FC Function Centralization HFE Human Factors Engineering HSI Human System Interface HVAC Heating, Ventilation, and Air-Conditioning HX Heat Exchangers IA Instrument Air l&C Instrumentation and Control IRM Intermediate Range Monitors IRWST In-Containment Refueling Water Storage Tank ISLOCA Interfacing System LOCA IST Inservice Test LCS Local Control Station LOCA Loss of Coolant Accident MCR Main Control Room MFP Main Feedwater Pump MMI Man-Machine Interface M-MIS Man-Machine Interface System utD265w.wpf:1b/101696 Revision 1 v October 1996
ACRONYMS (Continued) , NPP Nuclear Power Plant , NSR Non-Safety Related OER Operating Experience Review OSC Operational Support Center PABX Private Automatic Branch Exchange ; PAR Passive Autocatalytic Recombiners , l PDP Positive Displacement Charging Pump-PHWR Pressurized Heavy Water Reactor -
- PLS Plant Control System ;
PMS Protection and Safety Monitoring System PORV Power Operated Relief Valve PRA- Probabilistic Risk Assessment PRHR Passive RHR PWR Pressurized Water Reactor PXS Passive Core Cooling System QDPS Qualified Data Processing System RAI Request for Additional Information . RCS Reactor Coolant System - RF Radio Frequency RHR Residual Heat Removal , RMS Radiation Monitoring System RNS Normal Residual Heat Removal System RV Reactor Vessel SART Silence, Acknowledge and Restart Test SBO Station Blackout SFS Startup Feedwater System ' SG Steam Generator SGL Steant Generator Level SGTR Steam Generator Tube Rupture SPDS Safety Parameter Display System SR Safety-Related SRP Standard Review Plan SRO Senior Reactor Operator SRV Safety Relief Valve SSAR Standard Safety Analysis Report SSC Structures, Systems, and Components SSE Safe Shutdown Earthquake STA Shift Technical Adviser SWS Service Water System TIP - Traveling Incore Probe TS Technical Specifications , TSC Technical Support Center ! UPS Uninterruptable Power Supply i VBS Nuclear Island Non-Radioactive Ventilation System 1 VDU Visual Display Unit l VES Emergency Habitability System 3 VPl Valve Position Indication ( WPIS Wall Panel Information System i j m:saassw.wpt:1b/1oises Revision 1 vi October 1996 ! l
1 4 l
1.0 INTRODUCTION
As discussed in NUREG-0711 (" Human Factors Engineering Program Review Model"), the ' purpose of this operating experience review (OER) is to identify human factors engineering (HFE)-related safety issues. The objective of this AP600 review is to identify and analyze HFE-related poblems and issues encountered in previous designs that are similar to the i AP600 so that they are avoided in the development of the AP600 design, or in the case of j ^ positive features, to retain these features. Westinghouse will continue to review current plant operating experience and as new HFE-related issues are identified, will address or track to resolution those issues applicable to the AP600. a f l A i l i 1 i i i l l E m:W265w.wpf;1b/101696 Revision 1 1-1 October 1996
_ . . . _ _ . _ . _ _ _ . _ . . _ . _ . _ _ _ _ _ . _ . - - - , _ . _ . _ _ _ . . ._._m m..- __ . . . . i 2.0 SCOPE i j The scope of this evaluation includes pressurized water reactors (PWRs), at both Westinghouse and non-Westinghouse plants. The issues for boiling water reactors (BWRs) j and a pressurized heavy water reactor (PHWR) which are applicable to the AP600 design are ) also addressed. Other industry ma-machine interface (MMI) experience, where limitea i j experience exists in the nuclear indust.n!, is also addressed. l Guidance for this OER is based upon: 1) Appendix B of NUREG-0711,2) the clarification
- of NUREG-0711 Appendices B.5 and B.6 provided as an attachment, ("HFE Insights For ArJvanced Reactors Based Upon Operation Experience," BNL Technical Report i
- 52090-4-3-1/95) to NRC letter dated 2/13/95, and 3) comments in Draft Safety Evaluation j
- Report (DSER) Chapter 20 related to the OER for the AP600. I i '
4 i ! ) T e i l l l
- l 1
- I
! l i > j i i i l 4 k i l l i E i mM265w.wpf:1b/101696 Revision 1 i 2-1 October 1996 t
- 3.0 RESULTS OF REVIEWING OPERATING EXPERIENCE ISSUES
)' Table 1 documents the NUREG-0711 Appendix B issues reviewed and how the AP600 design addresses these issues. Table 1 consists of five columns r.nd provides the following
- information; l e
Column 1 Item !
- Column 2 issue Reference i Column 3 issue / Scope
! Column 4 Human Factors Aspect / Human Performance issue i j Column 5 Human Factors / Human Performance issue Addressed by AP600 ! Design i The numbers in column 1 are used throughout this document as a convenient means to reference the various issues. Colurnn 2 identifies the reference document that presents the issue to be addressed. Column 3 Identifies the specific issue / scope. Column 4 identifies the human factors aspect / human performance issue of the issue / scope identified in column 3. Column 5 documents how the AP600 design addresses the aspects / issues identified in l column 4. . Tables 1,2, and 3 also document the HFE-related issues which are not currently addressed by the AP600 design. These issues are identified in column 5 of Table 1 and in column 3 of j Tables 2 and 3 by using the terminology "THIS ISSUE INPUT INTO THE DESIGN ISSUES , TRACKING SYSTEM' typed in bold letters. Standard Safety Analysis Report (SSAR) l
- subsection 18.2.4 provides a description of the design issues tracking system which includes i j tracking of HFE issues.
t i Column 5 of Table 1 also identifies which HFE issues are not applicable to the AP600 design.
- These are identified in column 5 of Table 1 by using the terminology "NOT APPLICABLE" i t/ ped in bold letters. Immediately after the bold type, the reason why the issue in not j applicable to the AP600 is provided.
j Column 5 of Table 1 may identify the issue or part of the issue as "the responsibility of the l Combined License (COL) applicant." The following is a list of those items from Table 1 that are identified totally or partially as the responsibility of the COL applicant: 1,21,45,48,49, 50,51,58,63,64,65,67 through 70,157,168, and 170 through 180. 1 i i i mA3265w.wptib/101696 Revision 1 3-1 October 1996
l l l 4.0 RELATED HUMAN SYSTEM INTERFACE (HSI) TECHNOLOGIES WHERE LITTLE OR NO NUCLEAR PLANT EXPERIENCE EXISTS , l Soft controls, computerized procedures, and large scroen (wall pancl) displays are HSI technologies that are not used in currently operating nuclear power plants, but will be used in l the HSI/M-MIS design of the AP600. Westinghouse has reviewed the operating experience of these technologies or related technologies from other industries in order to identify HFE-related issues that need to be addressed. Issues related to these technologies include navigating through large display networks, implementation of soft controls, and group situation i awareness. The AP600 computerized procedure system (CPS) is dynamic and interactive with the remaining AP600 HSI. Plant parameter values, plant state, and assessment of procedure I steps are performed by the system. No system comparable to the capabilities of the AP600 CPS, with relevant operating experience, was found in other industries. If any such experience is published, it will be reviewed and identified human factors issues will be addressed. l i The reviewed documents include operating experience from the following industries: fossil power plant, aircraft industry, naval programs, space program, electrical, gas, and oil. These i reviews are documented in Table 2. Column 1 of Table 2 identifies the reference document which was reviewed. Column 2 identifies the HFE-related issues applicable to the AP600 design, and column 3 documents how the AP600 design addresses the identified HFE-related issues. In column 3, some cross-referencing to Table 1 occurs where the identified issue is i identical to an issue already documented in Table 1. Where the issue is not currently addressed by the AP600 design, an entry is made in column 3 stating "THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING SYSTEM" typed in bold letters. The reference documents in Table 2 (References 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, and 2.7) are identified in the Reference list following Table 2. Column 3 of Table 2 may identify the issue or part of the issue as "the responsibility of the . Combined License (COL) applicant." The following is a list of those items from Table 2 that are identified totally or partially as the responsibility of the COL applicant: Ref. 2.3 item 2; Ref. 2.4 items 3,4, and 8; Ref. 2.6 item 4; and Ref. 2.7 items 3 and 5. mA3265w.wpf:1b/101696 Revision 1 41 October 1996
I 5.0 CONTENT AND RESOLUTION OF OPERATOR INTERVIEWS l As part of the OER, Westinghouse has conducted operator interviews and observations during 3 plant operations and after operating events. These interviews / observations are documented in ! Table 3. Column 1 of Table 3 identifies the reference that documents the operator interviews. i ~ Column 2 identifies the HFE-related issues applicable to the AP600 design, and column 3 l documents how the AP600 design addresses the identified HFE-related issues. In column 3, l some cross-referencing to Table 1 occurs where the identified issue is identical to an issue l already documented in Table 1. Where the issue is not currently addressed by the AP600 design, an entry is made in column 3 stating "THIS ISSUE INPUT INTO THE DESIGN , ISSUES TRACKING SYSTEM" typed in bold letters. The reference documents in Table 3 ! (References 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.7, and 3.8) are identified in the Reference list following Table 3. Column 3 of Table 3 may identify the issue or part of the issue as "the responsibility of the Combined License (COL) applicant." The following is a list of those items from Table 3 that '
)
are identified totally or partially as the responsibility of the COL applicant: Ref. 3.1 items 1,2, 3,4, and 5; Ref. 3.2 items 2, 3, and 4; Ref. 3.4 items 1,2, and 3; Ref. 3.5 item 6; Ref. 3.6 , items 1 and 2; and Ref. 3.7/3.8 items 2,4, and 6. ' l l l m:\3265w.wpf:1b/101696 Revision 1 5-1 October 1996
\
E F5 g TABLE 1 OPERATING EXPERIENCE REVIEW FOR THE AP600 [ Issues Addressed By NUREG 0711 Appendix B
$ Issue 3 Item Reference IssuerScope Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design h 1 ftem B.1 (1) A-44, Station This is a large and significant issue with many human-factors- A station blackout (SBO) is a design basis event for the AP600. Passive, safety-related blackout (SDO) related aspects, including controls, displays, training, and systems utilize one-time realignment of valves to provide system initiatiort After procedures. irdtiation, these passive systems do not require power to sustain their operation. For an SBO event, the valves that align the AP600 systems required to mitigate the event are fall-safe or battery 1)owered valves. Fall-safe means that on loss-of power they move to the position that initiates system operation.
Refer to SSAR subsection 7.4.1.1 for a description of the process and plant response that establishes safe shutdown conditions for the plant, using the safety-related systems and no operator action. This discussion only considers the use of safety-related systems and it assumes loss of offsite electrical power at the start of the event. Table 7.51 of Section 7.5 of the SSAR summarizes information on the instrumentation for post-accident monitoring. The post 4ccider4 monitoring instrumentation that is designated in the table to be displayed by the Qualified Data Processing System (ODPS)is powered from a Class 1E de unintemptible power system (UPS) with sufficient battery capacity to provide necessary electrical power for 72 hours. As noted in SSAR Section 7.5.4 and notes 4 and 7 of Table 7.5-1, there are a few cases where --J the instrumentation is powered from a 24%ur Class 1E battery. Refer to SSAR i subsections 81.2 and 8.3 2.1 for a desenption of the Onsite Power System and the DC Power System. The ODPS cabinets are powered from a Class 1E 72-hour battery. The AP600 man-machine interface system (M-MIS) for controls o the main control room (MCR) consists of soft controls at the operator workstations and dedicated controts at the dedicated safety panei. Reactor operator and senior reactor operator (SRO) workstations and their displays are powered from non-1E uninterruptable power supplies. The workstations will be available for 2 hours into the SDO. After 2 hours the operators rely on the ODPS displays and the dedicated controls for control and rnonttoring of the plant. The ODPS provides the Class 1E qualified display system and is powered from the Class 1E UPS. The ODPS and the dedicated controts are located at the dedicated safety panet. The design of the ODPS displays, dedicated controls, and the dedicated safety panel are all part of the Human System Interface (HST) and therefore will be a product of the AP600 HSI design process as described in Section 18.8 of the SSAR. The dedicated controls, located on the dedicated safety panel, are for reactor trip, turbine trip, and system-levet engineered safety features (ESF) actuations. These dedicated controls are powered for 24 hours from a Class 1E battery through a UPS, following an SDO. Refer to Table 8.3.2-1 for the list of safety 4 elated loads powered from the Class 1E batteries. O Q Training program development and procedure development are the responsiblitty of the O COL applicant as stated in 13.2 and 13.5 of the SSAR. a
,as.
e-
n h la d od e it s n n t a ita t w n d ic io a g h y ul a e gr le d it t nso t r m n. d is l e n g lare oei t a le
" ,(0 c0 n o mo e
r e m ey a e t hi e n v -yr 5 itclina r n n6l i ton n d m r t n o r o w a is e wtaer tsk l e etefo1 nf aet r sy - tooP Rio Aogn s e v yc e c D aan er teied s u at e aa cgef it Aht qd S n e is si u ht fow s h s sot n r sf a loih o ms ,i Smim ic s loq fo n it 0 0 eetaa i p iGnms r eoer it AmTn umco l n toia s v e a p r tnn d n io er isa w s1. 6 P idh v t tC ich ie st t e i r ew d e oa io v m p4 od nse t h ncsnyh nt o nst . io r e h ct ta i i A r t dnspfuo sit e nimo ta fe e tua iv t
)ya n lc d e r r
u 5 y pauh d e itcdioiet n s in R mi os tc y ip tny ts pd men jt b "t aed e fo nit ca igug b tep l p e s n r ucr vrm te d fae a d tna d e oehi pts t s sRnta my al ees Fae non pii i d .a o r e sh ne la 3 s e ysm e ec e4 s r dfood n rm e e.la p i z nt e ed p o o3 s ts n ntyl lu vtai tat of ht eE sy reie iu e Rs dte aslac r e fo im no c1 r n leer n r d1 nr oy ss sovl ( r ef fa n i r d gl ed ar is n un f it sinioo yato as s c r-yat a t u s e im d o fo ins s to 5 e wr d o tnr l r teit 6 ya c s A c o it pd omiso r u nf l a umtnna t faSp e iu l n u r a 0 bl a n eor e d Ci eio ct r n tnEgot br ep 1 e a t oa ntcrdit o fa u r e n p e. o0 rynmi Aafoict sWm n b e i t 1 ee m ies r t s ec s scsc c a ra c0 fo iso r h is tnlae pr d6 vnr ed oSe t s e et . i
. i n.w a d e d wf o b
e c s eis p mh h
. ePoae aAc es o t
tntaiteaye e mis rv p isSo ts c h et h vr iu G o ps -w ficu es ob a ise o 0WL s t s n tet T ;u leer mt m et aoe 0S . fe f e is nito y e n s p sR a q e sye s n.e r hl ated yt nmse r qr iua upb anR e ck ta 6 e ic v ten r o r io o asr n A m r o S et e t eii yd oo cy n P her u h e e x no t la svic gS isS f et wned fad tp seodo si v Rf d s .d At ta f t e d er no u ed i r v r of eo P r e s ed a er bicg r ns osht pa er lasa istee d d oea s Inor np e iz la it n at g e la v oo un dt 0 r h or . R s. 0f e v scl t S o m n d n ao r neot e d b er naifcomG e s d f i s
+a . )Wim in ta e h e 6 e r
a s iob o R tpt e s itwr e hei v m Aio tet 0 cao t n fod sadt eysm tce nh ssoo nnE Si ( scwo r i m s e d pv eic iic twve tat r o r p PR A u 0 agc i ee e ut aii0 taa0t o e e oe sd e els H 6 ei f i e isvf r oa icts Ff ohieglu6 mel .s t v d d m p m. o h a Ai rn tmo Pt iu s r s ny ednn iv e r n m n i
/
s d tc e Te laro p 0 n t it cP le r o eet o n f t a stbt h ge nd s 0 6i od n miA r c tsa y sr Ri oo i t e n gt n a oht r pya b oi fn-io o m. u, mtst h
, syi w
- s Eo h sd ios orGoie ceeht f oCnd t
L n f c . s P tpair ise o 0 . b r F a T eel eu r v gx ncsy s eR n pE gol nt a Airc
', s saA t rf e 1 Moc dem r
e0 is d p e ca 0
,et n B ev 0 ",d n nmCi n ta o b P6 0 e s o n id 0 n 7 aiela o o esiCre - 4 o e g 0 n 0 n aEd e Aa Ch 6 B a 7 s i ta mh u et e
.y 4 e i o O. de dt eu t w9oi2. ht e n isiu ic00 eq mA 6 ui P ey 6d P a d1 n 4 lade or an u I P 6 nu sp e Lt A !x m icoT lpro .eia af st 1 ama4ii cnni neh A bit f Ao r a 4 itns on nt 4 f u sh se tsc l
P h E d H 1 inrpn s oe ivid r t l a 6l Pita et en ne ee d s e elad Pt n P- emie imlo )sl P de )y d pp eceit hf h Tciad h v As r H e Aoe sdt t Geo r o Aitv i s sesmne An e T o T o RCi n T p ui d r Cofevm To R A p Cptslc Wfosia yn c c enRipn h oE upr T c( gao Wpspte r aror ea r eb r o hess h ul at T sap T e . * . . Oo Nm t O
) F 1 d 1 w f o fo n lom o r
e u W 7 0 e f n o e e n E u olsl ito lae ht h e n, r I V G s nia ac o s f ofo i t E e ot a uet n t y te fouiaai luito t f o ot r onse n E r d o R R l e i r n ennj a eiuail unt cos s ercf tn eioui r r C ( E U N c n foe ir i t r msme cr s oo ci e otas tosie nu c h e bi vstaa l 1 C N y a st e h et eis gt f h t ntn ua e adt mu v ecnf m oer f ein r aot r ur pi npo a e e ;p r d . ae E E B m luns tmdhi mo c mtc Tiur o s- ab se s L r I R d o ia a r i a eu n B to . qf os h t n sera i I A E e f r f s a a gdre kat r r e he uwe sthht ;.v o mr t e P f oien mla so e swa s w mf ah f T s P e X e st e p dir s mr tnnf di E d r n n yso tnuu ngdt e ir db i e p ps sft miayo u eot a a u lc ul c is la on t d io s) elcqi tee G mn esi a v c e qh a n ins taA R t N A m r ewi fa necwg I T s H u ict ti(C pi o ssds e d wropen e vd ul as i tabt h unv e e le ni onReo e r ee s, t e A u
/
t lpn m iicmr u el tas od t soei r d ciWh nm R c imo c o vi eetap E s le e p o et aaPhto t v r e r c c ee e n e unt s o P s te So h )R rl r er ut spta o eio su n y-ic sr vreht isOnt e s d s.mn O A h carern nlii n eit qs et e af t a tot ceds o e sr oNt t ( n o sr cu
.c. u or en c t
h fae or e inruo teot it o sd eeic wi) fo s itvtaus t c eec tat vpt lo o am e scA r cat e i ce r foc r a ct fauina s c a at h fod d , bnt pee ec e i lol e F n lelew r r i ivdo n tetmot us aeC o r eO L pn oy miroObo lt u s e aMi e e y- n ea sh( u at th ua t p mrd es w a ut o ue al r snt n d lysi r b nt I forse
.tn a eta s eitc l
s r m u isf a ar is tyht - emitoot eaed t e iluatoa b uaer r e - g ek em p sso uq w.s H is s cr isp r : r ne isee nedic e da ep po la - . ulie ai u i a h ot h fah op o r q h rod e kaet e T ni n T swcoma c h r T goin AL f b e a T pat s nr ot e R) s ta e p s r o(Ssn s a e c e c w r s t o c y f o me f ado fed foiv op st iet r c e e el r d t cm S tens fet a
/e faioys tet i laa a lu et ia nn e t
e up u r r er ele iav e R s e S,ic alto C. et
- to ya Icryl s
,t - ip e
F. iect sm sp
.t s 3 an re 7l r r 2 3f pe 4 pnt 7 fap 2t ei u l
1 e - r o nq u 2l - ol Aic- mo Bso Bss
- au f Gpoe I
Gcfa oi _ e c n e r f e ) ) ) ) ) e 2 3 4 5 6 R ( ( ( ( ( e 1 1 1 1 1 u D B B B B s la m m m m m e te te te te It I I I I m 2 3 4 5 te 6 I o E6t$mg3Tggg d01
- ge<E63 '-
O h yo'^ p3 <0
m.
.@ TABLE 1 (Continued) b $ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
g issues Addressed By NUREG 0711 Appendix B 3 Item Issue Reference lasue/ Scope Human Factors Aspect / Human Performance fesue Human Factore/ Human Performance issue Addressed by AP600 Design Y
$ 7 ftem D.1 (7) GI-51. Improving The buildup of clams, mussels, and corrosion products can The AP600 SWS and Circuiating Water System (CWS) are nonsafety-related (NSR). $ the reliability of cause the degradation of cpen cKie SWSs. Added The AP600 uses chemical control in the SWS (SSAR 9.2.1.2.2) and CWS (SSAR $ open-cycle service instrumentaten is one means of prrwiding operators with 10.4.5.2.2). The COL applicant will address the specific chemicats used for water water systems. the capability to monitor this bulidup and take corrective chemistry controt, algicide, and blockle app!Ications, reflecting potential variations in site action before loss of system functionality occurs. water chemistry and in micro and macrobiological his forms (SSAR 9.2.1.6 and 10.4.12.1 respectively). Chlorine residual is monitored in each system in orde* to assure that effective biocide treatment is being implemented.
8 Item B.1 (8) GI-57, Effects of This issue resulted from spurious and inadvertent An explicit requirement exists to design the system suct' that inadvertent operations do fire protection actuations of fire protection systems, often caused by not occur (SSAR 9.5.1.1.1, Rev. 4). There are r 3 spnnkler systems or automatbally system actuation operator errors dudng testmg or maintenance. Design of initiated fire protection systems in areas contehiing safety-related components. on safety-related systems should prevent such errors to the extent possible. (5.1.2.1.4 - SSAR Rev. 4). Also an evaluation of the fire protection system integrity equipment. analysis is performed for safety-related systems. The system is designed to be in compilance with BTP CMEB 9.5-1. 9 item D.1 (9) GI-75, Generic This issue has many subissues, several of which are The AP600 includes a DAS that provides a diverse backup to the protection system. Implications of related to human factors, for example, scram data for post- This system is a nonsafety-related instrumentation and control (l&C) system that is an Anticipated scram analysis, capability for postananntenance testing of expanded version of the ATWS Mitigation System Actuation Cabinets in the present Transient without reactor protection system, and a specific subissue t:tted generation Westinghouse nuclear power plants. One of the functional requirements of { Scram (ATWS) " Review of human factors issue *.* the DAS is to mitigate consequences of a failure to trip following an ATWS. The DAS y provides a diverse, altemate means of automatically tripping the reactor and actuating specified ESF functions for selected events if the Protection and Safety Monitoring , System (PMs) is unable to perform these functons as a result of common mode failure. A more detailed description of the DAS, iix:fuding the diverse reture of the system, is found in SSAR subsection 7.7.1.11. The AP600 l&C systems includes a Data Display and Processing System (DDS). One of the functions provided by the DDS is a distributed computer function The distributed computer function provides data acquisition, data storage, and computational functions to support operations, engineering plant information needs and emergency response information needs within a single system. The distributed computer function interacts with the plant operators through the operational display function and the plant information system. The distributed computer function provides many computational functions, including provisions for pre- and post-trip data for review and analysis, historical data storage and retrieval, and data logging. The AP600 PMS is a safety system of electrical and mechanical equipment that senses generating station conditions, and generates the signals to actuate reactor trip and ESFs that provide the equipment necessary to rnonitor plant safety-related functions during O and following designated events (Reference SSAR Section 7.1). The PMS provides a o 8 "U high degree of reflability and fault tolerance for both operating and maintenance {@ ,y situations. SSAR subsection 7.1.2.10 describes the specific design features that provide this capability. SSAR subsection 7.1.2.12 desenbes the PMS test capabihties and ' -a y design features. c) a The AP600 reactor trip switchgear has four redundant safety divisions with each division containing two circuit breakers of the reactor trip switchgear (eight breakers total). As tilustrated in SSAR Figure 7.1-7, the eight circuit breakers are arranged in a two-outof-four logic configuration (Reference SSAR subsection 7.1.2.5).
E TABLE 1 (Continued) G OPERATING EXPERIENCE REVIEW FOR THE AP600 if lesues Addressed By NUREG 0711 Appendix B C ltem lasue Reference issue / Scope Human Factors Aspect / Human Performance issue Human Factors / Human Performance lesus Addressed by AP600 Design 7
$ 10 item B.1 (10) GI-76, t&C This issue raises several concems, including 1&C faults that The design of the operator displays is based on an analysis which identifies the g interactions could blind or partially blind the operators to the status of appropriate display variables for monitoring conditions in the reactor coolant system $ the plant. (RCS), the secondary heat removal system, the containment, and the systems used for attaining a safe shutdown condition. This analysis also establishes the appropriate design basis and qualification criteria for the instrumentation which provides the input to the operator displays (Reference SSAR Section 7.5). In addition to these displays, the DAS provides separate and diverse indications which can be used by the operator.
Refer to the responses of items 59, and 113 through 119 for design features of the AP600 de Power Systems. 11 Itern B.1 (11) GI-96, Residual The design of the RHR suction valves with respect to valve Based upon a conference call of 6/19/95 with the NRC Human Factors Branch,it was heat removal position indication and instrumentation to detect potential agreed not to include tNs issue as part of the OER (Reference 8). (RHR) suction leakage from high-to-low pressure areas is important to the valve testing prevention of interfacing system loss-of<:oolant accidents (ISLOCAs). TNs is important for normal operations and for testing. 12 Item B.1 (12) Gt-101, Break plus TNs issue attempts to ensure that robust information is Based upon a conference call of 6/19/95 with the NRC Human Factors Branch, it was q single failure in available to the operators for both reactor water level and agreed not to include ins issue as part of the OER (Reference 8). g boihng water for plant status during the progression of an accident. reactor water level instrumentation 13 Item B.1 (13) GI-105, Interfacing This issue relates to pressure isolation valves for BWRs. NOT APPt.!" ABLE: This issue relating to pressure isolation valves is only applicable to system LOCA at BWR reactors. BWRs 14 Item B.1 (14) GI-110 Equipment Failures and incapacitation of ESF equipment have The ESF design is based on the use of four separate safety divisions for the sense and protective devices occurred because of the failure or intentional bypass of command function, and two or more divisions for the execute function. The system is of engineered protecthre devices. Both the design of these protective designed to accommodate a single failure of a process signalinput by altering the sense safety features devices and the appropriate indication to CR operators are arid command logic from a two-out-of four voting logic to a two-out-ofahree voting logic. Important. Additional failures can be accommodated by altering the logic from a two-out-of-three to a one-outef-two. Any atternpt to h.-GMe addition failures by an intentional bypass results in actuation of the protective function. Atarms and displays are provided so that the configuration of the ESF can be determined by the operator at any time. 15 ttem B.1 (15) GI-116, Accident This issue relates to improved operator training and Based upon a conference call of 6/19/95 with the NRC Human Factors Branct , it was management procedures for managing accidents beyond the design agreed not to include tNs issue as part of the OER (Reference 8). basis of the plant. 2 o Il cr o O $. _ m. E cn -
E TABLE 1 (Continued) b
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
Issues Addressed By NUREG 0711 Appendix 8 3 Item leeue Reference Issue / Scope Human Factors Aspect / Human Performance issue Human Factors 4fuman Performance Issue Addressed by AP600 Design V
$ 16 Item B.1 (16) GI-117, Allowable A key aspect of this item is providing operators with For the AP600, the Wall Panel Information System (WPIS) will esplay for each plant Q equipment outage needed assistance in identifying risk-significant operating mode or significant plant operating state, a mimic display that will provide a $ times for diverse, corrbinations of equipment outages. The information physical overview of the status of the plant's significant systems and key components.
simultaneous needed would include valve alignments, switch settings, as The wall panet mimic display win include the display of high-level derived quantities, e g-, equipment outages well as components declared inoperable. those that depend on a particular logic algorithm. An example of a dertved quantity is the availability of safety systems. The WPIS will provide infonnation to the MCR personnel summadzing those components and systems that are inoperable. The AP600 WaN Panel overview alarm displays, along with the Visual Display Unit (VDU) displays, will automatically present indication of bypassed or deliberately induced inoperable safety equipment. This wlR include the bypassing or deliberately induced inoperat:llity of any auxiliary or supporting system that effectively bypasses or renders inoperable the protection system and the systems actuated or controlled bw the protection system. The ODPS will contain physical displays fnt the representation of the performance of systems and components associated with the control of safety-related functions. These physical displays will contain enough data so that the operator can monitor the operation of the plant hardware. The type of information to be put on these displays wiR be derived through a function-based task analysis process (FBTA). Indicatively, the type of q information to be shown on the physical displays could be of the following types: 1) flow a path alignments; 2) valve positions; 3) pump states; 4) tank levels and capacities;
- 5) heat exchangers heat balance; 6) availability status of the support systems (electricity, cooling, etc...); 7) system or component interfocks; 8) system or component operating rules; 9) important data with interfacing systems.
17 ftem B.1 (17) GI-120, On-line The designs for on-line testab tity should include The on-line testing of the protection systems is -vim =d by a series of tests with testabihty of appropriate human factors to ensure safe testing. sufficient overlap to test all necessary functions. Most of the testing is performed protection syste ns automatically once initiated by the operator. A descr!ption of the system reliability and fault tolerance during operations, maintenance, test and bypass, and a desenption of the built-in test capabilities are provided in SSAR subsections 7.12.10 and 7.1.2.12. 18 ttem B.1 (18) GI-125.1.3, Safety This issue addresses Safety Parameter Display System Based upon a conference call of 6/19/95 with the NRC Human Factors Brandi, it was parameter display (SPDS) availabliity and the r911 ability of the information it agreed not to include this issue as part of the OER (Reference 8) system avaRability displays. 19 Item B.1 (19) GI-128, Electrical This issue includes power to vital instrument buses, direct Generic issue 128 was created by combining issues 48,49, and A-30. Resolution of power reliability current (dt) power supplies, and electrical intertocks. All of tssue A-30 is contained in Generic Letter 9148. The AP600 response to Generic Letter these issues are strongly dependent on proper indication 91-08 is contained in item 59 below. The resolutions of issues 48 and 49 are contained and operator action for high reliability. in Generic Letter 91 11. The AP600 response to Generic Letter 91-11 is contained in item 61 below. The AP600 response to Generic tssue 128 is summarized in SSAR subsection 1.9.4.2, item 128. O~ 'D 20 item B.1 (20) GI-130 Essential This issue reutes to the arrangement of SWS pumps and The AP600 is a single-unit design. If two AP600s are placed on the same site, they win [Q 'E service water pump failures at multi-piping, including cross-ties at mufti unit sites. Both the arrargement and the operators' ability to monitor the status not share an SWS. The AP600 SWS is a nonsafety-related system. Cross-ties are intemal to the SWS from one train to another. Proper cross-tie alignment can be g6 plant sites of cross-ties are important. This item mentions potential applicability to single 4mit sites also. determined by monitonng the Component Coofing Water System (CCS) heat exchanger (HX) temperature rise. If the rise is excessive, an alarm will be sent to the MCR e 'l G' indicating possible cross-tie misalignment. There is a blowdown path from the SWS to the CWS that is normally open. Closing this path has no effect on the SWS pumps.
3 TABLE 1 (Continued) b
$ OP'" RATING EXPERIENCE REVIEW FOR THE AP800 E
Mues Addressed By NUREG 0711 Appendte B g$ Item leeue Reference leeuerScope Human Factore Aspect / Human Performance leeue Human Factors / Human Performance leeue Addroceed by AP600 Design ! V
$ 21 Item B.1 (21) HF1.1 TNs issue is simitar to item t.A.1.4 in Section B 2 (item 48 Staffing levels are the responsibiHry of the COL apphcant as stated in SSAR g of this table). Section 18 6. i 22 ftem B.1 (22) HF4.4, Guidehnes This issue addresses notmal and abnormal procedures in Based upon a conference caN of 6/19v95 with the NRC Human Factors Branch,it was ,
for upgrad:ng other the same manner as emergency procedures. agreed not to include this issue as part of the OER (Reference 8). ' procedures 23 Item B.1 (23) HF4.5, M-MIS See HF5.2 below. Desed upon a conference call of 6/19/95 with the NRC Human Factors B'anch, it was automation and agreed not to include this issue as part of the OER (Reference 8). artHicialintelRgence 24 ltem B.1 (24) HF5.1, Local This issue addresses the M-MIS of local control stations The LCSs are included in the HFE/M-MIS design process. Among the human factors control stations and auxiliary operator interfaces, criteria that are appBed across the AP600 t&C and M-MtS design is the criteria that each (LCSs) workstation, LCS, or other area of personnel activity, be analyzed and designed to accommodate the following: 1) expected modes of operation, including maintenance and refueNng; 2) staffing levels expected under each of these expected modes. Also, refer to the responses of items 161 through 169. ; 25 Item B.1 (25) HF5.2, Review This concem is a combinathri of HF4.5, the original HFS.2 Refer to SSAR Sectic*t 18.4 and WCAP-14644 for the methodology enj results of the
-.4 criteria for human on annunciators HF5.3, and HFS.4. functional requirements analysis and function abocation conducted for AP600. As part of b factors aspects of the existing Element 7 process, as described in SSAR Section 18.8, an HFE design advanced l&C guideNne document will be created for each of the AP600 HSis.
26 ttem B.1 (26) HF5.3, M-MIS This issue involves guidance on M MIS for new display and This issue is addressed by completing Element 7 (HSt Design) of the AP600 HFE/HSI evaluation of control technologies design process. As part of the Element 7 process as described in SSAR Section 18.8, , operational alas an HFE design guideline document wi8 ts created for each of the AP600 HSis. 27 ltem B.1 (27) HF5.4, M-MIS See HF5.2 above. This issue is addressed by corrpleting Element 3 (Functional Requirements Analysis and , computers and Function ANocation) and Element 7 (HSl Design) of the AP600 HFE/HS! design process. , computer displays Refer to SSAR Section 18.4 and WCAP-14644 for the methodology and results of the functional requirements analysis and function allocation conducted for AP600. As part of the extsting Element 7 process as described in SSAR Section 18.8, an HFE design guideline document wel be created for each of the AP600 HSis. 28 Item B.2 (1) Iv, Highpressure The design should consider CR alarm and Indication of the NOT APPLICA9tE: This issue is only apphcable to BWR plants. , coolant irjection initiation levels and bw-level restart values. t and reactor core Isolation cooling y separation O o . O3 cr u i u< m g-r g-U a~ i
3 TABLE 1 (Continued)
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 t
ip lesues Addressed By NUREG 0711 Appendix B ltem issue Reference issue / Scope Human Factors Aspect / Human Performance issue Human Factors / Human Performance lesue Addressed by AP600 Design V
$ 29 Item B 2 (2) Ivl, Reduction of The design should consider CR alarm and indication of Status indication of the pressurtzer SRVs asi te steam generator (SG) SRVs are
$ challenges to SRV status and important parameters. provided in the MCR. The position status of these SRVs is included in the list of
$ safety / relief valves wartables and Instrumentation needed to allow the operator to monitor and maintain the (SRV) safety of the AP600 throughout operating conditions that include accident and post-accident conditions. SSAR Section 7.5 provides this list of variables and instrumentation.
The pressurizer SRVs and the SG SRVs will have a full set of abnormality alarms and status messages in the MCR. The abnormality alarms will appear in the overview of alarms as integrated into the WPIS. For example, alarms alerting the operator that the valve is OPEN when R should be CLOSED or CLOSED when R should be OPEN will exist and will appear in the alarm overview as integrated into the WPIS. Status messages for the expected behavior of these SRVs wiR exist on the alarm support screens available at the operator's workstation. For example, status messages informing the operator that the valve is OPEN when it should be OPEN or CLOSED when R should be CLOSED wia exist and be svallable on the alarm support screens anilable at the operator's workstation. q The AP600 Alarm System is designed following the HSI desegn process described in g SSAR Section 18.8 as part of the AP600 HFE program. 30 item B.2 (3) 1vil, Automatic Determination of the optimum ADS for elimination of The AP600 ADS has been designed to provide a controlled depressurization of the RCS depressurization manual activation should include consideration of the following small LOCAs. It is automatically actuated on a low core makeup tank (CMT) system (ADS) study operators' need to monitor the system and an ana!ysis of level, which is Irdcative of a significant loss of reactor coolant from the primary system. the time required for operators to perform manual backup If The ADS functions to depressurtre the primary system to enable gravity <$ riven safety required. irjection. The AP600 passive safety systems (including the ADS and the CMTs) actuate automatically to provide core cooling, and to provide the operators sufficient time to take manual actions as prescribed in the AP600 ERGS. The timing of the accident sequences is such that, for small LOCAs, first stage ADS actuation does not occur for at least 20 minutes after actuaticn of the CMTs. This provides the operators sufficient tinw to diagnose the event, to properly monitor the actuation of the ADS. and to perform manual backup ll necessary, as prescribed in the ERGS. 31 ftem B.2 (4) Ivlit, Automatic This issue involves allocation-of&nction considerations in NOT APPLICABLE: This issue is only applicable to BWR plants. restart of core terms of automatic restart of a system after manual spray and low- stoppage by the operators. Considerations of whether pressure coolant automatic restart should be available, how R should be irjection implemented, and whrst starm and indications are needed in the CR are required. O 3 ~D o cr m O ' 3. a M_. m-l
3 TABLE 1 (Continued) [ b
$1E OPERATING EXPERIENCE REVIEW FOR THE AP600 g leeuse Addressed By NUREG 0711 Appendix B f II Item Issue Reference leeue/ Scope Human Factore AspectMuman Performance Iseue Human FactoraMuman Performance leeue Addressed by AP900 Design T
$ 32 Item B.2 (5) 1 xi, Consideration of depressurization wiB involve the provisions Manual controlled depressurization of the primary system is employed to mitigate some
$ Depressurization by of alarms and indication in the CR. Some methods may accident sequences. For instance, in the response to a steam generator tube rupture r
$ means other than also require operator actions that should be subject to the (SGTR), the ERGS and background documents (Reference 2) Instruct the operator to ADS full design and Implementation process. depressurtze the primary system to equalize pressure to the secondary system, and thereby stop It's release of primary coolant to the secondary system. TNs can be acNeved by use of the pressurtzer spray. If nonnel or auxiNary spray is not available, then a first-stage ADS ntve is used to reduce the RCS pressure.
Manual ADS is also used as a backup to automatic actuation of the ADS. In these instances, the operator manuaRy actuates ADS on either 1) low CMT water level followed by the fa#ure of the ADO valves to open,2) low hot-leg level as a result of failure of the ADS and/or subsequent of operator failure to recognize the need for ADS, or 3) high core exit terrporatures indicative of a significant degradation in core cooHng. These associated paramerers wiH be alarmed by the Alarm System. The ERGS contain optimal recovery guidelines and function restoration guidelines. The ERG background documents contain a description of the accident sequences where the use of altemate or manual depressurization is anticipated. 33 ttem D.2 (6) 1xil, Attemate The evaluation of design attematives for hydrogen control Hydrogen ignitors are provided to address the possibility of a beyond4esign-basis event
*;i hydrogen control systems should include the Information needs of the which results in a rapid production of large amounts of hydrogen, such that the O) systems operators to assess the conditions that would require containment hydrogen concentration would exceed the capacity of the Passive system initiation and the degree of automation of the Autocatalytic Recombiners (PARS), thereby resulting in the flammatWity limit being systems. exceeded. The Ignetors are incorporated in the design to address a lowprobability severe accident, and are not felled upon to mitigate design basis events. The ignitors l
are actuated manuaNy by the operators, as a result of two conditions. 1) when the core exit temperature reaches ?200 T (alarm), or 2) on receipt of a high hydrogen I concentration alarm as detected by the hydrogen monitors. There is no provtsion in the , design to actuate the ignitors automatically ! 34 ltem B.2 (7) 2iv, Safety The selection and display of Ir.portant safety parameters The regulatory requirements for an SPDS will be met by integrating the requirements Parameter Display and their integration into the overall design of the CR is a into the % sign requirements for the AP600 M-MIS, specifically into the portions of the System (SPOS) primary HFE issue. syster ,t* produce the alarm messages (Alarm System), the Computertzed Procedure 3 System (CPS) for emergency procedures and the process displays (plant information system). The integration of the SPDS into the AP600 M-MIS and a description of how the AP600 M-MIS design satisfies the 4...~.as/ criteria of a SPDS is found in SSAR 18.8.2.
}
O EL OT tr ts (D < m g "O~
$ "3 ,
m-t
. - -. . _-. _ ~ . _ . - - - .-c . ~ . - - - . ~ . + . . ~ - - - ~ . - _ - - - - - . . - . - _ - - ~ ~ - ~ - -, - -~ . _. . - - - - - ..
4 3 TABLE 1 (Continued) d n
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
leeues Addressed By NUREG 0711 Appendix B 3 Item issue Reference issuetScope Human Factore AspectMuman Performance issue Human FactoreMuman Performance leaue Addressed by AP600 Design i V
$ 35 nem B.2 (8) 2v. Automatic Providing operators with the capatsty to monitor the status The WPIS provides and maintains situation awareness by presenting plant informaton 5
indication of of automatic systems is an important function of the CR on a large screen display and possessing design features to address the elements of !
$ bypassed and information display system and a ocmponent important to situation awareness. (Refer to the response to item 66 of this table for more information inoperable systems the maintenance of the operators' situation awareness. On how the AP600 HS! rnaintains operator situational awareness.) System and equipment availability and status information is presented by the waN panet displays.
Also, the status of automatic control systems (nonsafety-related) and automatic [ protection systems (reactor protection and ESF actuation systems) are provided by the wall panel displays. The was panel displays include monitoring of the current state of , automatic systems (controt and protection). For example, an RCS pressure control I functional display is included on the waB panel display. This functional display group includes the current status and trend of RCS pressure. Alarm system overviews are incorporated into the won panel displays. These overviews alert the operator to changes in plant state, including changes in the status of automatic systems (control and protection). Examples: (1) Operators are alerted to the switch from
- auto" to
- manual" of automate control systems such as the pressurizer pressure control system; (2) operators are alerted to bypassed protection instrument channels; and (3) operators are alerted to protection system degradation such as an out of service CMT actuation valve.
The WPIS provides the means to directly access the most appropriate workstation displays that provide more detailed information about the change that has occurred. These workstation displays include alarm support displays functional displays, physcal [ displays, and automatic system monitoring displays. , L f O
$1 om ,
5N
,g i g . - .
e8
?
e mm 1 i I
3 TABLE 1 (Continued) b 0' OPERATING EXPERIENCE REVMEW FOR THE AP800 leeues Addressed By NUREG 0711 Appendia B
- a item Issue Reference leeuefScope Human Factore AspectMuman Performance leeue Human FactoreMumen Performance leeue Addroceed by AP900 Design V
$ 36 Item B.2 (9) 2vi, Venting of Operator monitoring of the status of noncondensible gases SSAR subsection 5.4.12 discusses the AP600 fWghpoint vents including the reactor y noncondensible in the RCS and having clear, unambiguous indicaton of the vessel (RV) head vent. The requirements for high-point vents are met for the AP600 by
$ gases condit6ons under which gas release must be initismd, the RV head vent valves and the ADS valves. The primary function of the RV head went should be evaluated for HFE design implications is for use during plant fill and startup to property flR the RCS and vessel head. Both RV head vent valves and the ADS valves may be activated and contro#ed from the MCR.
The AP600 does not require use of an RV head vent to provide safety-related core cooling following a postulated accident The first stage volves of the ADS are attached to the pr6ssurizer and provide the capabitity of removing noncondensible gases from the pressurizer steam space following an accident. Gas accumulations are removed by remon manual operation of the first stage ADS valves. The discharge of the ADS valves is directed to the in-containment refuehng water storage tank (tRWST). Subsection 5.4.6 and Section 6.3 of the SSAR discuss the ADS valves and discharge system. The AP600 ERGS specihed ir: ERG AE-1 Step 17. states that the plant staff be consulted to determine if the vesset head should be vented. Their decision would be ! based on the specific accident sequence and available systems. Operation of the ADS typically obviates the need for venting of the head to preserve natural circulation cooNng. h Although not required to provide safety-related core cooling follovWng a postulated accident, the'RV head vent valves can remove noncondensible gases or steam from the RV head to mitigeie a possible condition of inadequate core cooling or impaired naturat circulation through the SGs resulhnD from the accumulation of noncondensible gases in the RCS. The design of the RV head vent system is in accordance with the j requirements of to CFR 50.34 (f)(2)(vi). j The RV head vent valves could also be used during a severe accident (beyond-design- ! basis) scenarios where multiple failures in the safety-related systems result in fuel damage and the generation of noncondensible gases that collect in the vessel head. " Combinations of multiple failures in the safety-related systems could make venting the , head to aseviste the buildup of noncondensible gases desirable- l [ t O
" II o
- r e t
4 t i e< g g j a - i a- . t i !
E TABLE 1 (Contineed) b
- OPERATING EXPERIENCE REVIEW FOR THE AP600
)
TL Issues Addressed By NUREG 0711 Appendix B a item issue Reference issue / Scope Human Factors Aspect &fuman Performance issue Human Factors / Human Performance issue Addressed by AP600 Design V
$ 37 ftem B.2 (10) 2xi, Direct The alarming and indication of SRV status should be clear Status indication of the pressudrer SRVs and the SG SRVs are provided in the MCR.
3; indication of safety and unambiguous and should be evaluated for HFE design The valve position indication for these SRVs is accompEshed through " direct *
$ relief valves in CR implications. measurement of stem position. The position status of these SRVs is included in the Est of variables and instrumentation needed to allow the operator to monitor and maintain the safety of the AP600 throughout operating conditions that include accident and post-accident conditions. SSAR Section 7.5 provides this hst of variables and instrumentation.
The pressurtzer SRVs and the SG SRVs will have a full set of abnormality alarms and status messages in the MCR. The atmormality alarms will appear in the overview of alarms as integrated into the WPtS. For example, a' arms alerting the operator that the valve is OPEN when it should be CLOSED, o. CLOSED when it should be OPEN will exist and will appear in the alarm overview as integrated into the WPIS. Status messages for the expected behavior of these SRVs will exist on the alarm support screens available at the operator's workstation. For example, status messages informing the operator that the valve is OPEN when it should be OPEN, or CLOSED when it should be CLOSED will exist and be available on the starm support screens avaltable at the operator's workstation. The AP600 starm system is designed following the HS! design process described in a SSAR Section 18.8 as part of the AP600 HFE program. 38 Item B.2 (11) 2xii, Auxiriary The HFE aspects of providing indication and initiative for NOT APPLICABLE: The AP600 does not have an AFW system. The AP600 Passive feedwater (AFW) AFW should ue evaluated. Residual Heat Removal (PRHR) system functionary replaces the AFW system. Refer to indication and SSAR Section 6.3 for a description of the Passive Core Cooling System (PXS) which initiation includes the PRHR system. The indications needed to rnonitor the proper operation of the PRHR system are identified and venfied through the FBTA process as desenbed in SSAR Section 18.5. 39 item B.2 (12) 2xvt, Number of As part of the specification, allowable actuation cycles and THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING SYSTEM. actuation cycles for the method by which cycles will be defined, recorded, and the emergency tracked by the operating crew, should be evaluated for HFE core cooling system design implications. and reactor protection system 40 item B 2 (13) 2 xvii, CR The selection and display of important parameters and their The WPIS provides dynamic displays and mimics that present information to orient the instrumentation for integration into the overall design of the CR is a primary MCR operators and those entering the CR (operator shift tumover, technical staff, plant various parameters HFE issue. management, etc.) to the current status of the plant. For each plant mode or significant O piant state within an operating mode, the We:S inciudes a mimic dispiay inat provides a g physical overview of the plant's significant systems and respective key components. go The war panel mimic display includes the dynarnic display of key plant parameters so (D i that the reactor operator or a person entering the MCR can establish the plant opesating ] M. status. E, O
E TABLE 1 (Continued) G vo
@ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
g issues Addressed By NUREG 0711 Appendix B 3 ftem fssue Reference issue / Scope Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design V g 41 Item B.2 (14) 2xviii, CR The selection and display of important parameters and their The regulatory requirements for an SPDS will be met by " integrating" the requirements E
$ instrumentation for integration into the overall design of the CR is a primary into the design requirements for the AP600 M-MIS, specifically into the portions of the $ inadequate core HFE issue. system that produce the alarm messages (Alarm System), the CPS for emergency cooling procedures, and the process VDU displays (Plant Information System). Refer to SSAR subsection 18.8.2 for a description of the SPOS.
Following a reactor trip the CPS provides automatic monitoring of the critical safety functions (CSFs), alerts the operator to a degraded function, and suggests the appropriate function restoration gukfetine. Core cooling is one of the CSFs. Also, refer to SSAR subsection 1.9.3. 42 Item B 2 (15) 2xix, The selection and display of important parameters and their The selection and display of the parameters which perform the post accident monitoring instrumentation for integration into the overati design of the CR is a prirnary function is part of the design process, analysis, and results presented in SSAR post accident HFE issue. Section 7.5. An analysis is conducted to identify the appropriate variables and to monitoring establish the appropriate design basis and qualification criteria for instrumentation employed by the operator for monitoring conditions in the RCS, the secondary heat removal system, the containment, and the systems used for attaining a safe shutdown condition. Three categories of design and qualification criteria are used (SSAR H subsection 7.5.2). Category 1 instrumentation has the highest performance a N requirements and is used for information that can not be lost under any circumstances. The ODPS is the HSI that provides the Class 1E displays to the operators in the MCR. The ODPS displays will include all Category 1 variables and some Category 2 variables (Table 7.5-1 of the SSAR). The specific displays of the QDPS result from the completion of the HSt Design process (Element 7). The HSI design process is described under SSAR Section 18.8. 43 ttem B.2 (16) 2xxt, Auxiliary heat The specification and evaluation of manual and automatic SSAR Section 18.4 and WCAP-14644 document the AP600 functional requirements removal systems actions should be sutject to the function allocation analysis and function allocation, including the function allocation decisions design to facilitate anatyses performed as part of the design and (manual / automatic) made for auxiliary heat removal systems such as the CCS and the manual / automatic implementation process. SWS. Table 2 of WCAP-14644 includes the identification of when an auxiliary heat actions removal system is used to support a CSF. Table 4 includes an explanation of the functional allocation for each auxiliary heat removal system. 44 ltem B 2 (17) 2 xxiv, Recording of The selection and disp!ay of important parameters and their The requirements for RV-levelindication are provided by redundant, safety-related RV level integration into the overall design of the CR is a primary RV-levelinstrumentation. As shown in SSAR Figure 5.1-5, these instrunent channels HFE issue. (LT-160 and LT-170) have one level tap that connects to the bottom of a hot leg, and one level tap that connects to the top of the hot-leg bend that connects to the SG. This instrumentation is used to provide RV water levet during an accident, and is also used to O provide hot-leg level during shutdown operations including mid-loop. This E instrumentation provides indication of RV water level for a range spanning from the h- bottom of the hot leg to approximately the elevation of the mating surface. This u$ instrumentation is temperature compensated and provides accurate level measurement ] M. during all rnodes of operation. Refer to SSAR subsection 1.9.3. O a> -
m . _ . E TABLE 1 (Continued) b
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 tE g lesues Addressed By NUREG 0711 Appendix B 3 Item leaue Reference lesue/ Scope Human Factors Aspect / Human Performance lasue Human Factore/ Human Performance issue Addressed by AP600 Design V
g 45 Item B.2 (18) 2xxv. Technical The design of the TSC, OCC, and EOF should include HFE The design of the TSC, remote shutdown facility, and the OSC are govemed by the
", support center considerations to ensure that the personr*l located in same HFE design program as the MCR design. Chapter 18 of the SSAR descnbes the $ (TSC), operational these facilities can most effective!y perform their safety- AP600 HFE program. SSAR subsection 18.8.3 addresses the TSC, remote shutdown support center related functions. Poor HFE design of these facilities may facility, and the OSC. The HFE program is designed around the 10 elements of the (OSC), and interfere with the performance of operators in a we8- HFE Program Review model presented in Nt> REG 0711.
eme'gency offsite designed CR. facility (EOF) The COL applicant shan address the design of the EOF as stated in SSAR subsection 18.2.6. 46 ftem B.2 (19) 2xxvil, Monitoring of The selection and display of important parameters and their The radiation monitoring system (RMS) provides plant effluent monitoring, process fluid inplant and integration into the overall design of the CR is a primary monitoring, sirbome monitoring, and continuous indication of the radiation environment airbome radiation HFE issue. In plant areas where such information is needed. The design bases of the RMS includes providing long-term, post-accident monitoring (using both safety-related and nonsafety-related monitors) and providing equipment to meet the applicable regulatory requirements for both normat operation and transient events. Refer to SSAR Section 11.5 for a description of the RMS, Radiation monitoring data, including alarm status, are integrated into the MCR workstation displays and, where appropriate, into the WPIS dsplays. The output of the H HFE task analysis activities is used as an input to the design of the workstation and wall a panel displays. Refer to SSAR Section 18.5 for a description of the task ana!ysis W activities. 47 ltem B.2 (20) 2xxvill, CR While potential pathways for radioactivity to affect CR The nuclear island nonradioactive ventilation system (VBS)is a nonsafety-related system habitability habitability rnay be identified and design solutions to which supplies the MCR. It includes radiation monitors in the supply ducts, with alarms prectude such problems may be developed, the CR to indicate high indlation levels in the pathway. If the radiation level is above the Hi-Hi operating crew should be aware of potential pathways. setpoint, the normal heating, ventilation and airweL% (HVAC) system is The Integrity of the design solutions and the presence of automatically stopped and the CR is then isolated. The safety-related emergency radiation in the pathways should be a nsidered ll habitabiliti system (VES) is initiated on the same signal, and it provides air for evaluations of monitoring methods in the CR are warranted. respiration of the CR occupants and pressurization of the CR pressure boundary. The a!r is not delivered through the isolated HVAC duct, but is delivered through dedicated, separate lines which penetrate the CR pressure boundary. The VES is designed to maintain a positive pressure of 1!8' water gauge in the MCR pressure boundary with respect to surrounding rooms. The system incorporates redundant pressure instrumentation with alarms to provide lndication that this function is met. 48 ftem B.2 (21) 1.A.1.4, Long-term This issue concems shift staffing with licensed operators Staffing levels are the responsibility of the COL applicant as stated in SSAR upgrading of and working hours of licensed operators. Updates to Section 18.6. SSAR Section 16.1, subsection 5.2.2.d also addresses MCR staffing and operating personnel 10 CFR 50.54 were approved. limits on working hours. and staffing O 2 49 Item B.2 (22) 8.A.4.2, Simulator This issue involves the improvement os the use of Training program development is the responsibility of the COL applicant as documented [y- capabilities simulators in the tra!ning of operators. in SSAR Sections 13.2 and 18.10. ,a h- 50 ftem B.2 (23) 1.C.1, Guidance for the evaluation and Ttus issue addresses normal, transient, and accident The development of plant procedures are the responsibility of the COL applicant as CD 3 conditKms to ensure that procedures are technically correct, documented in SSAR Section 13.5. The AP600 ERGS have been developed and $a development of procedures explicit, and easily understood. provide the technical bas!s for the development of the emergency operating procedures (EOPs). Refer to SSAR Section 18.9 for more information on " Procedure Development?
E TABLE 1 (Continued) G ro
@ OPERATING EXPERIENCE REVIEW FOR THE AP600 =
W tesues Addressed By NUREG 0711 Append!x B ll a item Issue Reference lesue/ Scope Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design T
$ 51 item D.2 (24) t.C.9, Long term TNs issue includes EOPs with particular empfusis on The development of plant procedures is the responsibility of the COL applicant as g program for diagnostic aids for off-normal conditions. documented in SSAR Section 13.5. $ upgrading procedures S2 stem B.2 (25) i D.1, CR design TNs issue addresses general CR design 6ssues. TNs issue is addressed by SSAR Section 18.2 (HFE Program Management), the HSt reviews design implementatkm plan (SSAR Section 18.8) and the HFE Verification and Validaten (SSAR Sechon 18.11). Design reviews are used as part of the Element 7 (HSI Design) process as described in Sections 18.2 and 18.8 of the SSAR.
53 ltem D 2 (26) 10.2, Same as item TNs issue addresses the need for the provision of an The regulatory requirements for an SPDS will be met by integrating the requirements 0.2(7), above SPDS that displays a minimum set of parameters that into the design requirements for the AP600 M-MtS, specificany into the portions of the detine the safety status of the plant. system that produce the starm messages (Alarm System), the CPS for emergency procedures and the process VDU displays (Plant Information System). The integration of the SPDS into the AP600 M-MIS and a desenphon of how the AP600 M-MIS design satisfies the requirements /criterta of a SPDS 5 found in SSAR 18.8.2. 54 ltem B.2 (27) I D 4, CR design TNs issue addresses the need for guidance on the design TNs issue is addressed by development and implementation of an integrated HFE standard of CRs to incorporate huma t factors considerations. Design Process that conforms to NUREG4711. Refer to Chapter 18 of the AP600 SSAR for a descriphon of the AP600 HFE program. a M O o OT tr o s,a g-a =8 w
- 0) a
E TABLE 1 (Continued) b
$ OPERATING EXPERIE*2 PEVIEW FOR THE AP600 t
issues Addressed Sw WREG 0711 Appendix B
'i Item issue Reference issue / Scope Human Factors Aspect /Humart Pedormance issue Human Factors / Human Performance issue Addressed by AP600 Design V $ 55 Item D.2 (28) I D.5.1, CR design, This issue involves the MMI in the CR with regard to the The function of the AP600 Alarm System is to support the MCR operators with the g improved use of lights, alarms, and annunciators to reduce the following activities of human decision-making (adopted from Rasmussen's model of $ instrumentation potential for operator error, information overloac. unwanted human decision-making):
research alarms distractions, and insutticient organization of informction. and displays 1) The ALERT activity, i.e, alert the operator to off awmal conditions;
- 2) The OBSERVE WHAT IS ABNORMAL activity, i.e., aid the user in focusing on the important issue (s);
- 3) Help with the process STATE IDENTIFICATION activity, i.e., aid the user in understanding the abnormal conditions and provide corrective action guidance, as far as to guide the operating crew into that area of the complete Plant Information Display System in which the datalinformation about the abnormality and its resolution can be found.
The AP600 Alarm System addresses the problem of alarm avalanching and operator data overtoad by managmg the presentation of the slaims to the operators in such a manner as to reduce the number of alarms presented simultaneously during major q disturbances, while maintaining sensitivity during small disturbances. The Alarm System
; is robust enough to: a) show multiple major process problems; b) not be overwhelmed m by minor alarms that are related to, or are consequence of, the process problems (avalanching); and c) elevate minor alarms to a place of attention-provoking significance, when they are the most significart process abnormatitles. However, those active alarm messages which are not currentty displayed are accessible and available to the operators, upon request.
The Alarm System aids in directing the operator to the area in the informational display system of the CR that contains specific data related to eliminating, diagnosing, and mitigating the process abnormality. The Alarm System also provides a link from a given alarm to its applicable computerized alarm response procedure. 56 Item D.2 (29) fl.F.1 and ll.F.2 These issues address detailed CR design issues related to This is addressed by the response to items 40,41, and 44. Same as item B.2 instrumentation (11 F.1,
- Additional accident monitoring 13 and 14 above instrumentation," and II.F.2, " Instrumentation for detection of inadequate core cooling").
O 51 oI cr u y s. , W. E e-
3 TABLE 1 (Continued) b
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
g Issues Addressed By NUREG 0711 Appendix B 3 Item fssue Reference lesue/ Scope Human Factors AspectAtuman Performance issue Human Factors / Human Performance issue Addressed by AP600 Design V
$ 57 ttem B 2 (30) 11 K.t.5, Safety- This issue addresses direct indication of relief and safety Status indication of the pressurtzer SRVs and the SG SRVs are provided in the MCR g related valve valve position in the CR so that the starming and indication The position status of these SRVs is included in the list of variables and instrumentation $ position description valve status is clear and unambiguous and should be needed to allow the operator to monitor and maintain the safety of the AP600 throughout evaluated for HFE design considerations. operating conditions that include accident and post-accident conditions. SSAR Sectice 7.5 provides this list of variables and instrumentation.
The pressurizer SRVs and the SG SRVs will have a full set of abnormality alarms and status messages in the MCR The abncrmality alanns will appear in the werview of alarms as integrated into the WPtS. For example, starms alerting the operator that the valve is OPEN when it should be CLOSED, or CLOSED when it should be OPEN will exist and will appear in the alarm overview as integrated into the WPtS. Status messages for the expected behavior of these SRVs will er'st on the starm support screens available at the operator's wort (stattort For exemple, status messages informing the operator that the valve is OPEN when it should be OPEN, or CLOSED when it should be CLOSED will exist and be available on the alarm support screens available at the operator's workstation. The AP600 Alarm System is designed following the HSt design process described in SSAR Sectum 18 8 as pa:1 of the AP600 HFE program.
" 58 11 K.1.10, Review This issue addresses procedures for ensuring that the The development of plant procedures is the responsbility of the COL applicant as Item D 2 (31)
O and modify operability status of safety related systems is known. documented in SSAR Section 13.5. procedures for removing safety- The AP600 wall panel overview alarm displays, along with the informational system VDU related systems displays, present indications of bypassed or deliberately-induced inoperable safety from service equpnent. This includes the bypassed or deliberately induced inoperability of any auxiliary or supporting system that effectively bypasses ce renders inoperable the protection system and the systems actuated or controlled by the protection system. The WPIS mimic displays include the display of high4evel derived quantities, e g., those that depend on a particular logic algorithm. An example of a high4evet derived quantity is the availability of a safety system or function. O o O T Cr u u< ig a =8 e C) d
t
! TABLE 1 (Continued) b E
OPERATING EXPE8ttENCE REVIEW FOR THE AP600 g lesues Addressed By NUREG 0711 Appendix B 3 Item lesue Reference issua/ Scope Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design 7
$ 59 ftem B.3 (1) Generic Letter 91- in this generic letter, the NRC proposes certain monetoring, The following responses are provided to the questions raised in the attachment to ;;; 06, Resolution on surveillance, and maintenance provisions for safety-related Generic Letter 91-06. The responses are numbered b match the question nunters in $ (GI) A-30, de systems. Generic Letter 9146. SSAR subsection 8.3.2.1.1 describes the features of the Class IE Adequacy of safety- dc and UPS system.
related de power suppnes 1. Unit - AP600 2.a. The number of independent redundant divisions of Class 1E de power for this plant is 4
- b. The nurrter of functonal safety-related divisions of de power necessary to attain safe shutdown for this unit isl 3.a. The following alarms are provided for each division of de power-
- 1. Battery test / disconnect switch status and battery open circuit alarm (open circuit alarm provided by the battery monitor system) q 2. Battery charger disconnect switch status and battery charger output breaker a status N
- 3. dc'syste6a ground detection alarm
- 4. de bus undervoltage
- 5. Battery over/under voltage (provided by the battery monitor system) dnd battery charger output over/under voltage
- 6. Battery charger ac irput power failure and battery charger trouble alarm
- 7. Battery discharge rate alarm
- b. The following Indications are provided for each division of de power-1-3. Battery current - used for float, charge, and discharge
- 4. de bus voltage
- c. er cedures f r resp nse t these ararms and indicati ns are a Col applicant issue.
O Il o Il cr u , .e$. a-
i la d ic d e r r e tn n t d n una t c n e r a a a pa s e e y e n d s ig s n i rye ir u s le L n o a c ic s e e r nm ue e e ete s eE ;v r s a dt D ht i h1 fo h e u s e r ys n 0 t tata db b t a n t in ssa r w s s it w e b n re -s 0 n o s G t n imS 6 P a er e ic dl nC t c lo p fo e . e v .P A sah mpt lp p u a e m m6 in4. .U sf a ofo e , h u s n u8 8 wdn y o r s t p r E 3 b a r a, ng la L O fee sc eu ta br g n t n io t c ts3 indn 1 sd ana d e e ni C on u qo iw a a l s n ced s gitots a ht la l ey lo lo d taa la a taE s e taie dt e toe i dlp lo o1 c 4 e iv 5 C3 h lodd r v ap f r d r 8 r 8 t 1 d r v ana a r d o5 n o3 fo3 ss r ia rus d u e e f r s e d en s n s n tcd m tss tss k la A dI e e lmd ar e e an n n o n n ei o e n . c r o is n ia u ea m aC e
- usn a de w t n r o eit r e u
s tur man d o e r e o op ia s s s3 c e mc e e mt e e c bh . s pa ac a c v m i t ie3 r r s r s ie tr -2 i w ) n n fi1 e iub iub e nlante i i s Sa n a, d e a c e5 e qu qu tyf o2 c h ipa Te wd r a s ic p r e s. e s, nm. 3 n m d ( lp sR ht r r a a 8 snt gt e r n a m itwtr g a nai na ityu l b p a n gS A e e 1 c6 e 1 c6 nr gn d d en s h ia ia a i n1 f r o ek ir d au e it om it ar rur i le s y-b r ao p L O is S eo t s n1 lla
!a n tnd r
ivr ed iv ico nt ay C dt s ie u iei o o e -1 e ob e i f ee cp r e v i. vt c n2 P t 0 e r c n ph u s r c a ficS r fa nu p a 0f d d r u m ue r tol3 i eT p fos e 6 e a sS sS ne8 a eitwr r g n Sd r de n e itosr a r PR dR dR s n os m u a d fo i ts a no ae s A . w o nA nA a e oer e H sed e lad low e ets a S S dh u g r eid ic n ia of Isop r h a le
/s gvd e t na t n s u Te b sS n sS n nTi r
o r arovo i d n ht cS ias o d ne ad d o :s Eon ts n o; itaT S to; iaT S g issR
.F a ee t
c h pr c e p e e Ts ml tyde & le L e it it deeA s a lb seh p b n n uS 0 F yr e r ar a .s a lc c n 0 ov 0 iyt i r ga t g a ic B e Aav m e lmi i d tmi i d 0bS 0 e es e es 0 n te s a 6 ;v s. t g tele n Ch t a . 6En a r r r ip n i
,lp bi n 6 P n -r P B m taeee bk gg p
a te At st o m l i aw I y ita p I Lt ts 11 itms itms e P1 i Ass n A x u e ar aa r n e po Ste r e a Pa h e - e r r e aw E i d H h re hh t o ia e esy al l Cf p t o Pt e0 r 9 ed ed o Rs a h hd hd H n e Tbcc N M TWs Cfo O N As T to r h t r e T a T a hl h TCs T p . et t Oo p a. b c h e R A 4 5 S
- 7. 8 9 Nm TL 1 2
3 O
) F 1 d 1 3 s e W 7 e 2- r u E 0 u o n I G
t r i t n V E E is s G, s, toe r n o R c d C ( R E C U N e c n at
; s e
p ea tamu 1 N B y a m b ea leh r E E s s fo L t d r o nro e B R e f iot c uno . A E s r e tca s T P s af isit g P a dcnt r X E e r n e na l r ui s d a G d m tnm ie u ee vr te N A u e edn - I T s H ht he sht a, A e / s v s eg u t c ea s R s e sh sn s6 u . E s p s edt uh r ut a I P s cc O A i dl c s ish d nt n s r dr w a i, e r s o tefo te t c teh t m pm a l t leei ts u F c o icy qe n a ire b, r s e m n4 n fo e4 e H u gA s
- e. orl gi;mnot id is h
h n T a T ec s er 1 8 e p tnlu 9 fo4 re no eus i o r e aa c t 3 loF t te2 ola euit s t S - s
/e LI Ll ot u
s ic r G, rSCe o icsc r ei9 r is e7 tcp e4 n0 am n ee1R, e nd e1 eu n G9RP G1 Ga e c n e r f e ) ) e 2 3 R ( ( e 3 3 u s B B l e m m ite te I m 9 0 1 e 5 6 6 h 3b$Eg3V$$$ 1aC D 1 3e<g.~ " r ) Oo Oae, eO
E TABLE 1 (Continued) b E OPERATING EXPERIENCE REVIEW FOR THE AP600 g lasues Addressed By NUREG 0711 Appendix B C ltem lesue Reference Issue / Scope Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design V
$ 62 Item B.3 (4) IN 9347 Unrecognized Loss of CR Anrmciators. The AP600 Alarm System informs the MCR crew about those failures, wittun the g Unrecognized Loss equipment comprising the system, that couki degrade to the point where either system $ of CR Annunciators performance is reduced or system avaltability is threatened. The AP600 Alarm System design philosophy is such that the system's preferred failure mode is through a sucression of " gracefully degrading" states of operation rather than a
- sudden death.*
The alarm overview displays, integrated into the WPtS displays, include a dsplay of alarm messages that describe failures or degradation of equipment that comprise the Alarm System. Since the alarm overview displays are integrated into the WPIS, a dynamic indication that the WPtS is running is used to illustrate to the CR operators that the system is not " hung
- in a frozen conditiort 63 ltem 0.3 (5) IN 93-81, mykh of Engineering Expertise on Shift. As stated in SSAR Section 18.6 COL applicants will address the staffing levels and impl6 cations of qual:hcations of aN plant personnel.
Engineering Expertise on Shift 64 ltem B 4 CR Organization - CR staffing levels had impaired crews in performing their Wortdoad analysis is part of the task analysis (Element 4) to be performed as part of the Staffing and emergency functaans. CR personnel were overburdened AP600 HFE design process. The wortdoad analysis provides an indication of the Responsibilities during emergencies. Based upon a review of NUREG- adequacy of CR statting assumptions. In cases where the analysis indicates high _.g t275, WCAP-14114 (Section 6.2) discusses cases where operator workload values or insufficient time available for performance, we will evaluate i operators falted to take a required action due to a mental attemative CR staffing assumptions or changes to the M-MtS design or task alfacation to (D lapse because of a high workload situation. reduce operator workload. Refer to SSAR Section 18.5 for a description of the task analysis implementation plan which includes workload analysis. As stated in SSAR Section 18 6. staffing levels are the responsibility of the COL applicant. 65 Item D.4 CR Organization - The use of the
- dual-role
- STA-tmpaired crew performance Workload analysis is part of the task analysis (Element 4) to be performed as part of the Shift Techrncal because the other SROs were overloaded when one SRO AP600 HFE design process. The workload analysis provides an indication of the Advisor (STA) assumed the STA role. Assignment cf other tasks during adequacy of CR staffing assumptions. In cases where the analysis indicates high events detracted from the STAS safety function, operator workload va>Jes or insufficient time available for performance, we will evaluate attemative CR staffing assumptions or changes to the M-MIS design or task allocation to reduce operator workload. Refer to SSAR Section 18 5 for a description of tasu analysis implementation plan which includes workload analysis. As stated in SSAR Section 18.6, staffing levels are the responsibility of the COL applicant.
I i O 51 o 33 cr (n (D < w g a- @ g~ (O 3
- 0) '
d ot r e ns a s y e ht e tcyo s e v ne n et g r et n t lasbt h ast a;ere p lp a n gl r leat m o h a ei ht ae oht he l n e nl a sp e neh n tca ahepd l f r t g bla a itoe itccss i iddes l S a is epd u I e st eni d omt is d io tanlel ito aih ey yoteya tah n ok t ts r apbnt o u wrmis P r r av n vra is s a secwn aosp lalat h r r oR e vnv Wne c ps s i t D orh dco kt r g e )er w a r s ds n o ew e aii ela e h sd n dif r yalpb f r s ise t nht r a n 0 0 s ei s g h ent oe aip t gh n ut ta n iv ad re en ok wr apmo odi min ch t taea stoidd tu alt neWmset eew io 6 P e ne n ath t, s itat h aicc ns ae vh a la wn nboloc e k r eI Snaloepc u nr .a dh a A eh r c to or mfo r oh ht nwepn Sc si h yl k ya oTm s . u d o i uf f a ocydt t e o rpPif aOWt nd tani nip o a wt sigs o tat , mr mo Peae v e c 'm yshe
.- y af taf ay i a e wo sy pof I
r nc vst r .ek s e c b d a sa eia pt e Wroslpif tcoC kR teah s lpt dimsumedsoydh naor cc s n hh e rr t, ow dghdat r eg nor fopt mnla o f npr I e s n sl ep s o na s e ed i e yM ysn ite syrtaoireste9u t e r enceigo ei n ssd se l Rlpe sr h Sidiy t ca cslpa e siomn cot i s ito ni h s epeiat e a red C t d oieph mict t tvtt ecf awnidi r n mct a de ommr f r u aw Mnd gd r iv r o oogcr nt oelr a loe qi u leg ne d d its we i a s t imddg n
!st l amit ic ts F ganar epiec u eewl vh h eaah y e A f av i et n h eo en r n ci r Ama y nh e oid c owr t h t ttc o pe)tod e cs e
,f p
r o) er ula aaimte a s. ik ch r, f nh aT he nd "g t f e st u s b v ;o oes tapss lps st no t u eo cey . aht a n e (a ei ri m f feh ain is e t s:sreroynt d i s cd eman s tne t r e t, n a,l ct lepr ne a nc otoat s t l de0 peo ses d oe t s et a p b yt u nauteyn tewre r nd t n o e s s a naet mtsour ic ms e enrsr s i sdeso tael lea 0 h sr r lpid i iab ae l e igecy c n e t leng l a sf s sr n eois h er s v "a i tn ee r pnwP a 6 de wr aAagt t hie af e enf r t i e s reofoiSityv t dI i r t b p o a gl eal av nige n dFSnt at s p vh n r ipn i md et qulp eht o s aas yi cP at m inpn ses fo1)P t ea a ot R d spwr e amWpad lpSs aioocm ns wtnpa Wfic saanrenia es aeS r er e f apl pi ect r ah e f o r no rel c ad w s le:s inl egc du r o, ntP rmo wtad et uea npeb it n ur ey cPo cI in So, idsmh eyu r e or la ru a he pshi nr s ieWfr hi si r n ot ;e t gk i onc l aWtaI nt e t,hlac yt pco P f e c uw o m e t, si o s t uu cn h n u n etsuP o snt syi g0 e mfo qn el a pnaid ass n eog a e e n0 p e e a hf oh e r i n ea o 't lav vl hcqahiWinlpeids m t, s t S tai tu ss x r d nper as ha6S c P1 fod r r r e e wt o h imp pwt y i il naf llyohy t, f et tao isid sdd vr tonh a u n gesm I Mie o wml i pu wa pds AP de m nos e saep srois t alptnannoa i t t krwpa te ooir H i s nr o - s s Mssno t n g e h. soih n f oeW d le e ybe cie y
/
ivehlangr panar ntaiddfeceowivS fc t ks gy i i md a e ef r sh e r d raks . oo st h d . 0iap eitaft i ic e ehi or d. I r o s d a t eot rod t s cah s e neP Mwny o ;t.a r eintoel I t 0t iue pi rsi yps ntnf asoWw c 6 nd n u r v o et h addc ali a vt eio a pet a t c a oipwl e n F M e ep l Pia a A my r s o e e p s. r adn . s r a egt ee atnp laOm oi tyS rdich mh ta cee c 0 0h s pf nin o tu wteo s s .it l i i d g u s,r 0 6 B n a 0 t h id t e d la g o ar va e pot r a aat e i r a r t ht ainaish ra pe fcd t ywea b l. h n et ior aTi r is P m 6 P )a )c n htnpas . int n nvR c t s s ioc s vpo l h er so r ;d i nlat g n esh r ul caboa ) pt A x u A:d do fo sdts weioa weag p r ts aarpu n opi noh eah at scloe lomh e .wp pt .ptr h i nit ssp b ;.wisot i E H d n H ee ht ;s aa t ee en ne nd lolewt la i ice raaitr n d r v u eg nin knyyal a ttad peel i l t las sd e e r h e nsp g paaya e g e ovem fet te esh d laa t t ns eeb d i vi r sh av iwrer c n lpst n pek a;e t i l T p oe d ur l r ot r yTt e eppsnek caal s rorcle e r v ka l p sah) a p h Toraom h siis oeh oot pt er od R O A F aswtao A pse h i Tf r ts p2t o Tdd mmWwhtab t aoscwd h d ceh mh as o a i c
) F 1 n
d e u W 1 7 0 e e ,e nan di 5 er a, it n E u h _ i I V G s t 7hl a e t n E s n h o E R R I o hh1e2t or m t C ( E U N e c n s ict - et
- o. h foEh Geot r no sr f
os fo C a ow.Rw c,e ie s s . re nio en 1 y E N B g , d r E m ols . Usnuht L B I R d r o J a Nes alladiluet r c c eanaae n e f s du mf a miv ouo A E s r T P s e ws m tasr fead wir X E d e r P n a teit s yi n d r pv eisss ee m, 't r st ie a,ngi r e G d v nih N A m u x o heras sf e cei usllui c t oi i nt r I s ;e pt nsa sta e T e H ! et nd A R u
/
t c guond n ot r o)p1a wv e r n y wia nu E s e e wgdeu6a ;. r e va mt P t p s at ytuin n e O A inf !adnk e o ses vieo r cl n e oer sic a e t e r ns r c ity sBef at t h foa nr t o c ..tv o .S soT .sfs posp
. i r
r e F a o m ccw(t aa e4 f r 1 leon neOe e vit e . pht n f r dl c1 ear syf a e te la g 4 l c anr oo o m 1 wiwisn s neiPicudaticr i e i u pa sntaAe lai n n avi al evt H itcdd ir ol r ur o ncpeCer ur ioppit CcioWwcbimuc sa _ - sg e ni n p iod o t n c ai S zF
/
e inkr u a o gw s r i s Oma Re CT e c n e r f e e R _ 4 e _ u B e - le m tte m 6 te 6 I 3b$E :V$g$
/. qeh gDShU-
-(
hgC$ a oe
Se la n
,t o ne I
Mt h t o ns ltsnd usi s e t n o n - g st io e t n i s n s es Mn ns a er eb sl a ,is mt r d g sd ae a ar r eti a a er c e v - St a o n r sopet leeI gMh ayd npp t Ao epseenh a is hc e n t pr cot eir oh h ed - a a n D e u - ic a e . on o oitt psp t t t eeMg t mu f su a s uid sinh t arpeht n a oe nnish t n r l w is aod lp a lp 0 0 6 s c e r o p a l sd e eid a tsmikhi s elpeell nh viu tnsl eiga a itvi d nt o e set t r n sai t ns doi salok t
.d oS) s y P
A ud d s L Mht nt intr al st o as if ta s dwcad he usmak eta d foaedt eceMr el os -a un oa O sSt ei r y C wst,o f eiI f r ueag n,inr b mt in e ie sac e v er r oocsMoaqc r nly - st end d rpaMda b gce s d pa ht v ehaiar t e eeaMd r t ar saee esg k e s el v icpp fo ed s in Rdia s ngi ae eaee o it nt sir n eht Cmsd r aebtsAg anisno i i r npt a e s rcntoshh pxk h n s&obhteiTi geOegt e itaa mssi f - x ahs r r ity apeu eiosf e sant eofnl rput t e cqs s cii i st i ;nvioel od r d d tsL iO l i b r ge l oeoisd tsn r r, t teer e F d in A n is oh psh es ciheied r te e i eJ io od poh uwehintu fo imC n r s iz yfit c5 sn sefto ed ba uivt t e o P eg r n sen nw Tee 8 . s is u d e aht gf p e s Ecic F o sonko ne agr dt ct i wf i ean at oltu e o fepba fcnpe r si k . ivx 1 ts stc (e n ino r HrPder pi ms eepiush te d ol sd eaf nit i t l so e e seski ani vgfe e nsieoc c duity h e f ta eb iv nl ht r n t ht nSor gI de d n nsa;i. nd i e eneT o s,. A sk e olidi taS l lcb i iMk d oih p ri a e yu a, nr mt eMtasnsta, )g Nc ni r fo s - si e A p e. T h sf niR l u i, s r m n a csi st e iT n t
)
s( F s r
;o uiBt r
f o so ep r s e r . iEnD/e g E h onronesi Ft st cof i sah d ef eDs tv ef toa y sdS sA p e ;. . no r r k ob T d F n oer eS a esr i e u5 sF P d3 eH Hse aeah s lp oeit o vh nft o niyo ee uimt n . e1 D 0 t r dt l. et h pd t ucart t n ouims e n esdgeh d f eg oue s
- i. c 0 0 plc si
. nne .
t a vht on r o l S 0 6 pn sriod eooeount st aauaf m rer pit H ( P 6 P uispsudmt s r qki ut paird pe f e en rRa u e
/H tn a a, tne aS c
7 A eS ehI As is s eccs ssh enwgnsnaipt il di? i d ut a fo at nr ut id h c tne np an . p l
- s r
l pce lpR tnht Mba a,T eo t t k r l se - eis ohMnatacioineMas oI s isne ng s
- t. r r h aod s o fo n . et n t
c t ;;a5 f oAS md nt foMgse op
- n onpplis mf oysit s l ub
- ont e a a n v1 3 tnS le esampsi r u ve rmah notu e antgdeinal i
icgneega g ud 0 F e i
,n e n E )a enh et d ee r nm n vich s n n d d tn mitsS r
0 6 P B n a m p wi ol t c o mi pd oe fo1 1 t n 7 a tae l h c nivod sr r oio t uiu T k i *sUialeao oet s c r s s . at ren .lt n u h wpf l of et ee r dH m to4 tnt raa so rn nt e o ae es we)get A x u ler a e len t d l nopah E i d H v uS ve iGegf e Emitneul ecn egT oe nnia r s s inr d k s r pt H n e ed d eR de mu l pRar nh o ns i
. tad oitvn und moluiiyat eeioir r r st ico uul rf8n r
T p p he roS cA ec mUn d uI s e wtn wet .d n er iv eooa apror s ngms sa oqqaea R A T pS h o Td oNuetnhh coo C(f (iisl poppcfr Rr s r r aou1 eh ee npn8 O
) F 1 d
e u W E 1 7 0 e ey . r ic t o n o ly lu n G u ul a t f i t V I E s s d o n t u g a t o n de n o E R R i e p o )5. b ct p e n1)
;o ss C U e one u4le o winp4 aan.
E N c r ( 1 C y n a pmd n ab ae e onyds u n wbio et E E N B m g gacv si tolta k laet iomgu ckdt a L I o r n naDea ge s B R d is a etaleis A T E P e s s f e r a u m e. (S re s4 e ind l yn BS(i pi tuwe 4 s nt oh e P t ud pd ts1 E X d r n a o n u1 w 1 aen1 e4 la rk o g t ht a r e4 s G d A m i,u1 r w edP
-e inltu s ev1- rui cip nt IN T s t u
ts sucAe e ud ltye r toAaPt qa r a iud A e A oCc ut Cpe u e n c ha gW e r dn v forpWro t R s c i f n d tse,h e a E s e p eesd .p f i r P O i A s ga e 5 e n c7 r d n v7 i 5rteb ps eio ute,n e12 h n e ct g 2 e - a s r o d nuG w nd eG- hw .n ienr i 1 - vi g t c dt ef lnEs e r ode s ec l eniRs pt nRshfe ei l a t o F c c a sUa e ex lan gNaUat c yt o n a s laicNc s spif n sb y m r to e=art cfoes r tol aa z oe sd au ywse u a pws . e u eA.
- r H r e ud r s e
p di vs c e e pnu v. vi s c v a OP in ar eis d u Ourmeioe r d cr d e e s p o a s
- Det n c
S f sl ea r r e c sr e nc ev eg e s u uun dd e eer e dudlem aE r g is cc ewon c ooh r r d o r of i neu r r PPA PKPD e c n er f e e R e 4 4 u D B s is m m te t e f I m 7 8 e t 6 6 I
- 0" 1 )
EGm$Eg3 V$g$ f 3o5W - 1 r O5ot@, , $nc
E TABLE 1 (Continued) b
;t OPERATING EXPERIENCE REVIEW FOR THE AP600 g issues Addressed By NUREG 0711 Appendix B 3 Item issue Reference issue / Scope Human Factors Aspect / Human Performance issue Human Factors / Human Performance Issue Addressed by AP600 Design T $ 69 ttem B.4 Procedures - Operators experienced difficulty in applying knowledge to The development of plant procedures are the responsibility of the COL applicant as g knowledge-Based unusual plant conditions, which resulted in delays in documented in SSAR Section 13.5. $ Performance recognizing and responding to events. Based upon a During Events review of NUREG-1275, WCAP-14114 (Section 4.2) Completion of Element 7 (HS! Design) of the HFE Program Review Model(NUREG-discusses cases where operators had to balance mult:ple 0711) and the AP600 HFE Design Process helps address this issue. A fundamental goais in determining a course of action. Situations artse tenet of the AP600 HFE/M-MIS design process is that, in addition to ensuring that the where operators need to consider and balance multiple M-MIS supports the task of process equipment control and operation, the interface goals. design bas 6s includes consideration of those cognitive tasks that represent how humans reason, assess situations, and make decisions in a real-time process control environment The premise for this design basis is that enors of intention (incorrect or improper decision-making) can be reduced if the set of tasks that the M-MIS is designed to support includes those cognittve activities experienced while operating the plant. To accomplish this design basis, an input to the task analysis activities is an operator decision-making model. This model is utilized in the M-MIS design process to provide a structure for and to help determine the ::ognitive needs of the plant operations personnel. The modelis used to define the set of questions that are used in the cognitive task analysis part of the FDTA. The definition of t&C requirements that results from answering this set of questions supports operator performance at all three levels in q* Rasmussen's decision-making model (i.e., skill-based, rule-based, and knowledgetased reasoning). Using the output of the FBTAs as an input to the design of the M-MIS, A
gg should result,in an MMI that supports the kind of knowledgetased reasoning that is required to handle unanticipated events. The FBTA is based on a fundamental analysis of plant goats and functions and is effective in designing M-MISs to support operator performance in preanalyzed situations (executing a procedure) and unanticipated situations. 70 item B.4 Procedures - Operators experienced difficulty in applying knowledge to Training program development is the responsibility of the COL applicant as stated in Knowledge-Based unusual plant conditions, which resulted in delays in Section 13.2 of the AP600 SSAR. Perfomiance recognizing and responding to events. Based upon a During Events review of NUREG-1275. WCAP-14114 (Section 5.0) discusses cases where operator actions reflected gaps in g knowtedge (implying a need for improved training). O 2 O2 cr u to < m g e8-. m
- 0) '
l. E TABLE 1 (Continued) b
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
g leeues Addressed By NUREG 0711 Appendiz 8 3 Item leaue Reference leeuet' cope Human Factore AspectfHuman Performance leeue Human Factorsefuman Performance leeue Addressed by AP600 Design 6 Y g 71 Item D.4 Procedures - P%v. L. from past experience, training. or The AP600 HSl/M4AIS includes a CPS that assists the plant operators in morutonng and [ g Operator many gement direction strongly affected how operators controlling the execution of plant procedures. For a given procedure, the sta'us of each
$ Prmo. .J;;;v..;. .g reaognized and responded to events and had led some procedure step is dynamically determined and presented to the opemtor along with the operators to disbeneve valid indications or take supporting plant information. To afleviate the inherent fixed lineartty of paper-based
;. w.vr6e schons. Based upon a review of NUREG- procedures the CPS performs paraitel monitoring activities which are performed by the 1275, WCAP-14114 (Section 4.4) discusses cases where operator in paperbased procedures A parallel monitoring activity is a plant condition, the delay in performing EOP E-0 may negatively impact state, or parameter that is monitored by the computer in parailet with the activPy of ,
recovery ability. The inherent fixed uneartty of paper-based guiding the operator through the respective procedure. Types of paratiet information I procedures means that in some cases operators are placed monitored by the CPS are the status of CSFs, procedure notes and cautions, foldout in situations where they have to go through procedural page items, initiated actions (continuous action steps), and untinuously anonitored steps that are obviously not relevant to the situation, and parameters. With the CPS dynamically determining the status of each procedure step as a consequence delay reaching procedural steps that are and performing parallel monitoring activities, the delays caused by the inherent fixed important to perform in an expeditious manner. The linearity of executing paper based procedures are minimized or eliminated. Therefore, inherent fixed flnearity of paper-based procedures has two the CPS allows the operator to reach the re!evant steps for terminating the incident and potential negative consequences. First, in some cases the stabiHzing the plant much quicker and minimizes the temptation to jump to relevant steps . delays caused by the need to fotow each proce1ure step or to " wing it" without procedures. [ sequentially will result in conditions becoming mcre degraded than if operators could reach the relevant ' q procedure steps more quickly. Socorid, because operators e are able to assess the situation more quickly than the ! h procedures allow, and in their expenence they are generally correct, the temptation to jump to what they perceive to be the relevant steps for terminating the incident is high. This is likely to be a contributing factor in cases where operators were observed to " wing it" without procedures. 72 ftem D 4 Procedures - Operators ;. w.vr;.iety defeated the automatic operation The AP600 ERGS (Reference 2) provide specific termination criterta for the operator to Control of of ESFs during valid system demands. Some licensees bypass or override ESF ectuations. These are typically provided to terminate safety i Emergency Safety have not provided sufficient guidance that limits bypassing system operation once an accident sequence has been diagnosed, and the plant has Features or disabling ESFS, allowed for by TS and emergency or been retumed to a stable, safe condition. operating procedures. Based upon a review of NUREG-1275. WCAP-14114 (Section 4.3) discusses cases where operators bypassed safety features. . 73 Item B.4 Human-Machine A lack of appropriately ranged, direct <eading, CR The design of the AP600 has considered shutdown rnodes extensively as documented ' interface - instrumentation to rnonitor reactor pressure, temperature, in the various licensing submittals: 1) passive safety systems that are designed to Shutdown and level caused operators to have difficulty in recognizing mitigate accidents during shutdown modes (SSAR Section 6.3),2) TS that appty to the ,
'"'""**"'" ""d ' esp nding i shutdown events, when operator actions passive safety systems during shutdown modes (SSAR Chapter 16),3) ERGS O
o were required to accomplish the safety functions of (Reference 2) for shutdown modes,4) quantification of the risk of core damage at 6 "I} disabled, automatic safety systems. Based upon a review shutdown (AP600 shutdown PRA),5) evaluat!on of design basis initiating events during {g of NUREG-1275, WCAP-14114 (Section 3.1) discusses shutdown modes (AP600 Shutdown Evaluation Report - 6/96). Instrumentat6on has t m g cases where there were misleading indicators (failed been designed to appropriately cover all modes of operation including shutdown. "6 sensors).
j l , l , [t i . w e tewt aen nt e, k l _ st i s sv et st nea to4 nsdnrsram t n g t et e r mnla nr n ad a o lepyit av eaph l tnaol i is l dl t a - D e pap pt u rsh ek ewl pe wo r o m 0 0 gont itnt er n sr r geoys ofit f fo te nv s ee tair i ws m _ 6 ere ul h vRr P A set uf cet nsepnt wla goCla nSMa y r pe aoaev psr el i s a aI e _ b yf ssl evet se nf cWht l d e bnsi gnwd ea r oht p aoh es P e @t _ s s se d lagfic sht rep . a e nd ah er e acnist _ wt Ssdi i ngnt eolap _ e _ ee r n ay r amPhl yuiseiS I _ d r d A ahtg 1(. oWpcnh w r adPI . __ s e a i. acweW ew f e a n _ e ios sinT ne; r. o u ni:sks hts s. ta, e i=-- e G _ e tas e n el. . s ne - _ htEi l Ruso e r 3 )s yr e em _ oyb md -.f e... spad p ole n o ns sd w nla nna ;sh apa t . m de'e. wt r rt o nnaoi
, iaa t
nyot nedtyelyao spdt i f r i aia n ak pcy ewn t t a e al asol mstput ipeh sl pierc yo a desev;n t P s c n a ddinaivtceth n nf s lpk t a s d,i vr m a e o ses! n ro .;sfer . posswoe e g H f u id er t v seea cnslwicd ;.reod nd ereimr el rv am r e s oemguind av ae r o pr r ge nd aima so o er _ t c a Sl e cdn aeh l va siTsh s ol. . 0 F P t a ef o in y m deh e i . 'em T . s y ..w r t 0 n Wot nh she asTd t
.soy st gs ysmSl 9 B a a P
0 nee onitnegmi m p n s L. io r A ;x u 0 oh nt d E H 6 i. f P . A .h oa t t e r siat yv r fc eianr dpJ. H T J e wla oimtaA . oe ppinar l
;l h ;. w ac a. si y ig a. ep e ;. . ve G R
O Z Ti e2db spot h .
.di r
) F 1 -
d e u W 1 7 0 e ty n i n EV G u e r a a a t n E le en o R E lc-pJ M C U t e e E c ( 1 C N n a r u2 n%c ed _ E N E B y m r t weo a ac si t to L I d o hBed B A R E e s f r e t s .Sle (ia T P s e P nd 4f X E r n it io em1 s n. d a d a r 14 roi o G N d A m u nl oa1-tadt P en r i I e ct oApo T H A R s u f t c z in e nCoc) ge r eWed o e h e _ E e p P O t A s e o w5. c 7 r em tr _ s r r o J1 - heala
. 2 o t ; Gwto J.
t c d E se n a ietuRst l F n fabUa Nc( ub a m sl o foe r n s; s u ta r w - n H e pf . u. O of ;; ,;h 'a~. w e p e n o i h c c S a s s te u e Meo - nct n r e _ a faa-e _ le mr r ea _ ut epw HInOA _ e c n e r f e e R e 4 u B s l e m te l
^
_ m 4 le 7 f Eb3Eg3Vgg$ o rA 1 - . 3p<g-c "
))
1 - D a u0 O5oo(,
E TABLE 1 (Continued) b
$ OPERATING EXPERIENCE ftEVIEW FOR THE AP600 m
g issues Addressed By NUREG 0711 Appendia B C ltem issue Reference issue / Scope Hteman Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design
?
$ 75 Item O 4 Human-Machine During transients that result in a reactor trip, a large The function of the AP600 Alarm System is to support the MCR operators with the
$ interface - number of annunciators are activated, their usefulness to following activities of human decision 4nakincy
$ Operator the operator is diminished as the number of low priorfty Awareness annunciators increases. Prioritization of annunciaturs could t) The ALERT activity, i e., alert the opeestor to oftaiormal corrtitons; improve the effectiveness of this system.
- 2) The OBSERVE WHAT IS ABNORMAL activity, I e., aid the user in focusing on the important issue (s);
- 3) Help with the process STATE IDENTIFICATION activity, i.e., a#d the usar in understandng the abnormal conditions and provide corrective action guidance, as far as to guide the operating crew into that area of the complete Plant information Display System in which the data /information about the abnormafily and its resolution can be found.
The AP600 Alarm System addresses the problem of starm avalanching and operator data overload by managing the presentation of the alarms to the operators in such a manner as to reduce the number of alarms presented simultaneously during major disturbances, while maintaining sensitivity during small esturbances. The Alarm System q* is robust enough to: a) show multiple major process problems; b) not be overwhelmed by minor alarms that are related to, or are consequence of, the process problems h (avalanching); and c) elevate minor alarms to a place of attentionprovoking significance, when they arb the most significant process abnormalittes. However, those active alarm messages wtuch are not currently displayed are accesstle and available to the g operators, upon request. Part of the method used to manage the presentation of alarms to the operator is the functional organization of the alarms. The overview starms are organized by function, such as RCS pressure controf, temperature control, and inventory and SG water level control. Within each function, there are goal 4 elated alarms and process 4 elated alarms for the respective function. The alarms within each function are priorttized such that only the highest priortty, goat-related alarms and process 4 elated alarms for that function are displayed. This functional organization and prioritization of alarms provides an efficient way of drecting and focusing the operators attention to the transient and its source. The overall importance to plant safety or the urgency of operstor action is easily determined from this method of alarm presentation. The Alarm System aids in directing the operator to the area in the informational display system of the CR that contains specific data related to eliminating, diagnosing, and mitigating the procesa abnormality. The Alarm System also provides a link from a given gy alarm to its applicable computerized starm response procedure. CT U
$ S.
$g A
U e-
3 TABLE 1 (Continued) d to
@ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
g leeues Addressed By NUREG 0711 Appendix B C ttem lasus Reference lesue/ Scope Human FeO rs AspectHuman Performance issue Human FactorsHuman Performance issue Addressed by AP600 Design V
$ 76 Item B.4 Human-Machine Crew response was affected by availability of Completion of Dement 4 of the HFE Program Review Model (NUREG4711) and the
$ interface - instrus.enta3on, appropriateness of the instruments to the AP600 HFE desPgn process includes an FBTA as part of the overall task analysis. The
$ instrumentation task, and the relative location of the l&C. Based upon a task analysis implementaton plan is described in SSAR Section 18.5. For each Level 4 review of NUREG-1275. WCAP-14114 (Section 21) plant function shown on Figure 18.5.1 of the SSAR, an FBTA is performed There are discusses cases where the plant parameter indcators four components to an FBTA. First, analysis is done to identify the complete set of required for rnonitonng or control were unavaliable or goats relevard to the function Second, a functional decomposition is done. This inadequate. decomposition identifies all the various processes that have a significant effect on the function. Third, a cognitive process analysis is done by applying the 11 questions derived from Rasmussen's human decision-making model approach. The results of the cognitive process analysis identify the indcatons, parameters, and controls At the operator needs to make decisions about the respective functions f% ally, there is a verificaton that the indications parameters and controls identified in the cognitive at:atysis are allincluded in the AP600 design.
In addition, as part of the background documentation for the AP600 EHGs, tte l&Cs needed to execute each step within each of the guidelines (optimal recovery guidelines and functon restoration guidelines)is identified. Verification that the needed l&Cs, identified here, are allincluded in the AP600 design is part of the AP600 design process. FO 0) O o O 3 cr u (D < g -. y e C) '
. .. . . . .- -- . .- . n . . _ .. - . --. - , , -
3 TABLE 1 (Continued) d to E OPERATING EXPERIENCE REVIEW FOR THE AP600 g Issues Addressed By NUREG 0711 Appendix B 3 Item lesue Reference Isove/ Scope Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design V g 77 Subsection 2.1.1 MCR - System intmration of information During unplanned transients, the The function of the AP600 Alarm System is to support the MCR operators with the g Integration operators are presented with an overwhelming volume of following activities of human decision-making:
$ immedate information. A better esplay integration and increased automation may help them through these 1) The ALERT activity, t e., alert the operator to off mormal conditions; evolutions.
- 2) The OBSERVE WHAT IS ABNORMAL activity, i.e., aid the user in focusing on the important issue (s);
- 3) Help with the process STATE IDENTIFICATION actMty, i.e., aid the user in understanding the abnormal conditions and provide correcthre action guidance, as far as to guide the operating crew into thst area of the complete Plant Information Display System in which the datalinformation about the abnormality and its resolution can be found.
The AP600 Alarm System addresses the problem of alarm avalanching and operator data overload by managing the presentation of the alarms to the operators in such a manner as to reduce the number of alarms presented s6multaneously during major disturbances, while maintaining sensitivity during small desturbances. The Alarm System q is robust enough to a) show multiple major process problems; b) not be overwhelmed a by minor alarms that are related to, or are consequence of, the process problems (avatanching); and c) elevate minor alarms to a place of attention provoking signiricance, when they arip the most significant process abnormalities. However, those actrve alarm messages which are not currently dsplayed are accessible and available to the operators, upon request. The Alarm System a!ds in drecting the operator to the area in the informational esplay system of the CR that contains specific data related to eliminating, dagnosing, and mitigating the process abnormality. The Alarm System also provides a link from a given alarm to its applicable computerized starm response procedure. The AP600 M-MIS includes a CPS that assists the plart operators in monitoring and controlling the execution of plant procedures. For a given procedure, the status of each procedural step is dynamically determined and presented to the operator along with the supporting plant information. To alleviate the inherent fixed linearity of paper-based procedures, the CPS performs parallet moratoring activities versus the operator in paper-based procedures. A paratiet monitoring activity is a plant condition, state or parameter that is monitored by the computer in parallel with the activity of guiding the operator through the respective procedure. Types of parallelinformation monitored by the CPS O a,e the status of CSF, procedure notes and cautions, foidout page stems, initiated hy ty (D actions (continuous action steps) and continuousty monitored parameters. With the CPS dynamically determining the status of each procedure step and performing parallel Q 5. monitoring activities, the delays caused by the inherent fixed lineanry of executing paper-ah CD 3 based procedures are minimized or eliminated. The CPS provides direct links from steps to the associated Plant Information System Displays (physical process, functional, $a j automatic monitoring logic or soft control displays).
E TABLE 1 (Continued) b 9? OPERATING EXPERIENCE REVIEW FOR THE AP600 E lesues Addressed By NUREG 0711 Appendix B Item lesue Reference issue / Scope Human Factors Aspect / Human Performance issue Humen Factors / Human Fedormance issue Addressed by AP600 Design T
$ 78 Subsection 2.1.2 MCR - System Change in Control Modes in transient situations, operators The inforrrtion integration problems are addressed by the AP600 design as described
$ integration often have to take manual control of many of the tasks that above irt stem #77.
$ were automaticatty controlled. This change in control modes by itself is a challenge to the operators, and when The AP600 I&C System design incorporates automatic functions not available in added in the middle of a significant transient, with its ,
previous plant designs. This is the result of efforts to mirWmize the operators manuat infonnation integration problems, is even more demanding. workload during normal plant transients (such as a startup) and during unanticipated transients (such as a reactor trip). The feedwater control system in the AP600 is one example. The AP600 feedwater control system automaticatty controls SG water levels from power levels low in the power range (0% to 2% power) to 100% power. In today's plants, operators are required to control feedwater flow and SG water level in rnanual until they have reached about 20% power. Another example is the use of the AP600 Startup Feedwater System (SFS). Following a reactor trip, the SFS flow is automaticany controlled to maintain the desired SG leve!s. In today's plants, the operators must manually control AFW flow to maintain desired SG levels. The cognitive task analysis portion of the FTBAs, answering a set of questions derived from Rasmussen's human decision-making model, identifies the controts and indications needed to achieve the respective function. This add. esses both manual and automatic q controls. The output of the FBTAs is used as input to the design of soft control displays g and plant information displays. CD If an automatic control system's ire.it slynal validation algorithm switches the control system from automatic to inanual, the operator is alerted to this condition through the alarm system. The computerized alarm resganse procedure will provide the operator prompt access to the associated soft control (soft automatic / manual controller). 79 Subsection 2.1.3 MCR - System Memorization Operators have to memorize their initial FoHowing a reactor trip, the AP600 CPS is activated and the operator is directed to the Integration actions after a reactor trip, and are expected to accompHsh computerized reactor trip response procedure. The CPS dynamically determines and them prior to procedural checks. Operator aids may assist provides the status of each procedural step along with any necessary supporting in the initial actions. information. In today's plants, the operatur must not only memorize the immediate action steps, but must also search the main control board for the Indications and cont'oh to provide the capability of determining the status of the immediate actions. 80 Subsection 2.1.4 MCR - System Pror essed Information Mu :h information has to be The AP600 M MIS takes advantage of current computer technology and automaticaRy integration calculated by operators that could be provided directly with calculates, then presents the needed information to the operators. In today's plants, the current technology Computerprocessed and validated operator must marnally calculate the needed information. One example of calculated data and calculated values can be provided to the operator information provided by the AP600 Plant Information Systern, are trend displays. During in an integrated fashiort a plant heatup or cooldown, the AP600 Plant information System wi8 provide heatup and O Id wn rate trend displays at the operator's workstation. 3 OT tr a CD <
, y a5 m-
3 TABLE 1 (Continued) b
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
g issues Addressed By NUREG 0711 Appendix B 3 item issue Reference issue / Scope Human Factors AspectfHuman Performance issue Human Factors / Human Performance issue Addressed by AP600 Design V
$ 81 Subsection 2.1.5 MCR - System Test and Maintenance Surveillance testing can create The AP600 Inservice Test (IST) Plan (SSAR subsection 3.9 6) docurrents the g integrstion problems such as: number of tests, additional operators ' surveiknee test requirements for the AP600. In developing this plan, Westinghouse has $ required, producing spurious alarms, inadvertent actuations, considered the dimculty of performing each surveiltance test. In some instances,ISTs and potential for a plant trip. The systems should be that would be potentialty problematic atpower are deterred to either cold shutdown or designed to be tested periodically without creating refueling conditions. In other cases (such as the ADS vatwes) a specialinterlock tes incidents. been developed to preclude the possibility of the operators causing a plant transient due to a misalignment of the ADS valves during testing. Other features which facilitate inservice testing of the PXS are described in SSAR subsection 6.3 6.2.
The online testing of the protection system is accomplished by a series of tests with sufficient overlap to test all necessary functions. These tests are designed to be accomplished without generating spurious alarms and inadvertent trips and actuations. I When a protection cabinet is being tested, it is placed into a bypassed state or otherwise removed from service to prevent inadvertent actuations and potential for a plant trip. Most of the testing is performed automatically once initiated by the operator. A description of the prrstection system rettability and fauft tolerance during operations, maintenance, test and bypass and a description of the built in test capabilities are provided in SSAR subsections 7.1.2.10 and 7.1.2.12. H 82 Subsection 2.2.1 MCR -Alarms Avatanche of Alarms The single biggest issue in the The function of the AP600 Alarm System is to support the MCR operators with the IV design of advanced alarm systems is the need to reduce following activities of human decision-making: 0 the avalanche of alarms during plant upset. .
- 1) ALERT activity, i e, alert the operator to off-normat conditions;
- 2) OBSERVE WHAT IS ABNORMAL activity, I e., aid the user in tocusing on the important issue (s);
- 3) Help with the process STATE IDENTIFICATION activity, i.e., aid the user in understanding the abnormal conditions and provkfe corrective action guidance, as far as to guide the operating crew into that area of the complete Plant Information Display System in which the data /information about the abnormatify and its resolution can be found The AP600 Alarm System addresses the problem of alarm avalanching and operator data overload by managtng the presentation of the alarms to the operators in such a manner as to reduce the number of alarms presented s!muttaneously dunng major disturbances, while maintaining sensitiv!ry ouMg small disturbances. The Alarm System is robust enough to: a) show mu!tiple n e)or pecess problems; b) not be overwhelmed Q by minor alarms that are related to, or a,e a consequence of, the process problems 2 (avalanching); and c) elevate minor alarm, to mniace of attention-provoking sigrvficance, h
o< when they are the most significerit process abnomatifies. However, those active alarm messages which are not currentty displayed are accessable and available to the ]E operators, upon request. The Alarm System aids in d6recting the operator to the area in the informational display O" system of the CR that contains specific data related to eliminating, diagnosing, and mitigating the process abnormality. The Alarm System also provides a knk from a given alarm to its applicable computerized alarm response procedure.
E TABLE 1 (Continued) b
@ OPERATING EXPERIENCE REVIEW FOR THE AP900 3E g leeuse Addressed By NUREG 0711 Appendix 8 3 Item leave Reference leeue/ Scope Human Factore AspectfHuman Performance leeue Human Factore%nnan Performance toeve Addressed by AP900 Doolgn T $ 83 Subsection 2.2.2 MCR -Alarms Prioritization of Alarms When an operator is presented with The AP600 Alarm System addresses the problem of alarm avalanching and operator $ an avalanche of alarms, a prioritization scheme should data overload by managing the presentation of the alarms to the operators in such a -$ present all the alarms to the operator but code them into manner as to reduce the number of alarms presented simultaneously during major priorities such that the overas importance to plant safety or disturbances, while maintaining sensitivity during small disturbances. The Alarm System the urgency of the operator action can be determined is robust enough to: a) show multiple major process problems; b) not be overwhelmed by minor alarms that are related to, or are a consequence of, the process problems (avalanching); and c) elevate minor alarms to a place of attentionprovoking significance, when they are the most significant process abnormalities. However, those active alarm messages which are not currently displayed are accessible and available to the operators, upon request.
Part of the method used to manage the presentation of alarms to the operator is the functional organization of the alarms. The overview alarms are organized by function, such as RCS pressure cxmtrot, RCS temperature control, RCS Inventory, and SG water level control. Within each function, there are goal-related alarms and pre, cess-related alarms for the respective function. The alarms within each function are prioritized such that only the highest priority, goal-related alarms and process-related alarms for that function are displayed. This functional organization and priorttization of alarms provides q an efficient way of directin0 and focusing the operators attention to the transient and its e source. The overed importance to plant safety or the urgency of operator action is easily
$ determined from this method of alarm presentation.
84 Subsection 2.2.3 MCR -Alarms Loss-of-Power to Annunciator Panels The loss of power to Power to the alarm system is from a redundant power supply or UPS. The Alarm these panels could result in the loss of the operators' ability System also includes a " heartbeat" indication visible to the operator at all times. The to respond to plant upsets, particularfy if the operators are " heartbeat" indication alerts the operator to degraded conditions of the Alarm System, not aware of the loss. includmg a totalloss of the system, experienced as a result of loss of the redundant power sources. The Alarm System is designed such that the system's preferred failure mode is thfough a succession of "gracefuty degrading" states of operat60n rather than a " sudden death? O o O3 0" o ts < -s g-a _. cn -
.--- _ _ - _ _ _ - - _ _ _ _ _ _ _ _ - _ -. - - - . .- _ . .. -,- ~-
-_ . . , _ ~ . . .. .~ . ._. - - . . - - - . - - . . _ . . - ..~.. - ,. . . . . . . . .. _ . _ ~ . - _ = . . ~ ~~ .. .
3 TABLE 1 (Continued) G ro
$ OPERATtNG EXPERIENCE REVIEW FOR THE AP900 E
g Issues Addressed By NUREG 0711 Appendix 8 Item leeue Reference issue / Scope Human Factors Aspect / Human Performance issue Humor. Factors &fumen Performance losue Addressed by AP600 Design -
$ 85 Subsection 22A MCR - Alarms Alarm Displays Alarm System research has identified The functon of the AP600 Alarm System is to support the MCR operators with the
$ multiple use by operators of the Alarm Systems, namety; following activities of human decisiorkmaking:
$ for alerting for status monitoring, and for situation awareness. The selection of a display technology and 1) ALERT activity, i.e., alert the operator to offcormal conditions, display methods for the Atarm System can significantly impact these multiple uses of alarm systems by operators. 2) OBSERVE WHAT IS ABNOFtMAL activity, i.e., atd the user in focusing on the Both cc ;m..;;u. ; fixed location displays and the newer important issue (s);
Cathode Ray Tube (CRT)-based displays have advantages and disadvantages. 3) Help with the process STATE IDENTIFICATION activity, i.e., aid the user in understanding the abnormal conditions and provide corrective action guidance, as far as to guide the operating crew into that area of the complete Plant Information Display System in which the datalinformaton about the abnormality and its resolution can be found. The AP600 Alarm System addresses the problem of alarm avalanching and operator data overload by managing the presentation of the alarms to the operators in such a manner as to reduce the number of alarms presented simultaneously during major distuttances, while maintaining sensitivity during small disturbances. The Alarm System ! q is robust enough to: a) show multiple major process problems; b) not be overwhelmed ! by minor alarms that are related to, or are a consequence of, the process problems 3 (avalanching); and c) elevate minor alarms to a place of attentiorbprovoking significance, when they ar's the most significant process abnormalities. However, those active alarm messages which are not currentty displayed are accessible and available to the operators, upon request frorn workstation displays. The Alarm System aids in erecting the operator to the area in the informational esplay system of the CR that contains specific data related to eliminating, diagnosing, and 6 mitigating the process abnormanty. The Alarm System also provides a Enk from a given alarm to its applicable computertred alarm response procedure. The AP600 Alarm System design captures the advantages of both the conventional fixed-location displays and the newer CRT-based displays. The AP600 Alarm System consists of overview alarms and VDU (such as CRT)tased alarms and alarm support information. The overview alarms are functionally organized with each function having goal 4 elated and pro::ess-related alarms. The alarm overviews are integrated into and displayed by the WPIS, therefore the presentation of the alarm system overviews is analogous to the conventional fixed position annunctators. All alarms and associated supporting information is available at the operator's workstation VDUs. The presentation of alarms on the workstation VDUs is analogous to CRT-based alarm esplays. o 31 I cr cp
,CDy <
"6U !
m- .
E TABLE 1 (Continued) b
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
issues Addressed By NUREG 0711 Appendix B 3 ftem issuo Reference Issue / Scope Human Factore Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design V
$ 86 Subsection 2.2.5 MCR - Alarms Alarm Controls Auditory features of starm systems have The AP600 Alarm System provides the means for the AP600 CR operator to be aterted, $ been problematical and separate slience, acknowledge and via both visual and audio alerting techniques, to problems in the processes involved in $ restart test (SART) controls are recommended, The the plant by-controts for computer-based alarm systems will become more complex and need attention. a) indicating the abnormality by presenting a precisely worded message or a graphic representation of the condition; b) presenting the abnormality in a context which conveys the impact on plant health; c) separating alarms from other data; and d) Generating audible tones ww&v to specific sets of alarms.
The controls fur the auditory features of the AP600 Alarm System wig not add to the workload nor will they be distracting. A design requirement of the Alarm System is that it wlR not create distractions to the operators, nor will it add to the fatigue of its users, by the addition of noise or visual distortions. Concept testing (part of the HSI design process, SSAR Section 18.8) and the HFE Vertfication and Validatic t (SSAR q Section 18.11) shaR ensure that the alarm system auditory features are acceptable. b N 87 Subsection 2.2.6 MCR - Alarms Operator Selectable Alarms The operators may need a THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING SYSTEM. towpriority, operator-selectable alarm to call attention to a component (e g, a valve) that may be out of its normal position. Alarm systems should have the flexibility for the operators to easily add alarms to a screen when a potentia!!y deviant situation is identified that they need called to their auention. 88 Subsection 2.3.1 MCR - Controis Engineer!na Units Displays sometimes use engineering The AP600 Plant Information System presents displays (physical process, functional, and Displays units which mean little to the operator, (e 0.. *R)s- trend, and automatic monitoring and logic dsplays) to the operator. The engineering massthour) rather than percentage of fu8-power flow. units used on these displays win be meaningful to the operators. One way that this is ensured is through the deta5ed display design and implementation process (SSAR Section 18 8. HSI design). The design process includes a check by operational personnel that the displays and the information presented are meaningiut. The final HFE vertfication and varidation (Element 10) will validate the usefulness of displays. 89 Subsection 2.3.2 MCR - Controls Push Button L. amp Replacement Pushtutton lernp NOT APPLICABLE: The use of push button lamps are not part of AP600 CR MMI. and Displays replacement is problematic because the removal and replacement of the lens or bulb can sometimes cause O inadvertent actuation. O "U 90 Subsection 2.3.3 MCR - Controts CRT-Based Displays On CRT-based displays, the The AP600 Plant Information System preserds displays (physical process, functional, [y and Displays operators are often restricted to the use of " prepackaged" trend and automatic monitoring, and logic displays) to the operator. In addition to these ' UT displays and do not have enough capability to select " prepackaged" displays, the Plant information System proddes the capability to the y6 q) 3 parameters for display and trending. operator of being able to create a desired parameter and t end display. In addition, the O) ' operator win have the capability el displaying this created trend display on the WPIS.
-- .~-~ m .a ~ ~ ~ - ~ - . . - - -.-- ~ _ - - . ----- -_- -_- ~ ~ ~ ~ ~ ~ - ~ . _- _.. - ~- - .. .
l O TABLE 1 (Continued)
, OPERATING EXPERIENCE REVIEW FOR THE AP900 E
g Issues Addressed By NUREG 0711 Appendix B 3 Item Issue Hoference leeuetScope Human Factore AspectMumen Performance Issue Human FactoreMumen Performance leeue Addressed by AP900 Deelen_ j V *
$ 91 Subsection 2.3.4 MCR - Controls Coneuter interfaces Complex or poorly designed it is the tression of the AP600 M4AIS to improve the means that are provided to the
;; and Displays computer interfaces are supphed, as opposed to interfaces users of the plant operation and control centers for acquiring and understanding plant g that are simple and
- user friendly *, data and in executing actions to control the planra processes and equipment (Reference 18.8.1 of the SSAR). Therefore, a basic design goal of the AP600 M-MIS ,
is to provide an Integrated environment that is " user fnendly" and allows the operator to l quickly and efficiently maneuver through the MMI resources (Alarm System, Information i System, CPS, and Soft Controls) to access needed information and controls. 92 Subsection 2.3.5 MCR - Controls Upo.eding of Computer Systems The difficulty of The dst'tbuted nature of the AP600 l&C System architecture includes the robustness and Displays upgrading computer systems can be a problem, even for and tiewibility to upgrade the system in an efficient manner The estributed t&C relatively rninor plant mod fications. architecture is dscussed in Section 7.1 of the SSAR. 93 Subsection 2.3 6 MCR - Controis Corguter Response Trne A common specification for The issue to be addressed is the amount of time it takes for the operator to locate a and Displays maximum delay time between screens is two seconds. desired piece of information. How does the operator locate a desired display? How , This may be acceptable for routine computer processing, many dsplays must the operator navigate through before he locates the desired ! information? The AP600 Plant information System addresses this issue through Rs I however, during nuclear power plant (NPP) transients it is too long and causes unnecessary operator frustration and design process and type of esplays presented to the operator. Functional esplays are delays in information processing. designed and used to complement physical (system) dsplays. Functional esplays are ; designed to present to the operator associated goal monaoring and process monitoring ! q information for a respective functiort The output of the respectrve FDTA is used as a y major input to the design of the functional displays. The FBTA includes a cognitive task analysis that identifies the bstrumentation, information, and controls that the operator
- 0) ,
needs to melle operating decisions for the respective function. Since the AP600 Plant Information System includes functional displays (produced from their associated FBTA) ' rather than just physical system displays, R is more likely that the operator wiu find a5 [ the information that he needs for a g6ven thought process on one esplay (such as a functional display). Also, the use of denser dsplays and more meaningful groupings of information on the dsplays wiu result in a search within the esplay rather than movement between displays to find desired informattort To support the operator's situational awareness in an efRclent and timely manner, the design of the WP!S requires that the operator be able to point to and select in one step ! (trom the wortistation), a system, component or major parameter displayed on the wall panet and recaN on a workstation VDU, a related functional esplay or physical desplay. > One step navigation from a functional esplay to an associated physical esplay, and from a physical display to its associated functional display, win also be available. To add ! flexibility to the method of navigation between displays a menu or map of aN available displays, will also be available to the operator. This method of navigation to a desired display wiR inv tve a maximum of tw steps; select the map and then select the display. O ; ED O The actual delay times between screens is driven by the l&C technology and assodated {g hardware. Advances in this technology are anowing faster responses a4 the time. Gi t ag This issue of how long it takes the operator to access needed information will be l
@;3 evaluated during the man in-the-loop concept testing. The results of this concept testing
- 0) -A will be used to refine the functional and detailed design of the M-MIS. This issue wilt ,
also be measured and validated by the HFE verification and validation (SSAR Section 18.11). i
E TABLE 1 (Continued) 6 m
@ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
g lesues Addressed By NUREG 0711 Appendix B C ltem issue Reference issue / Scope Human Factors Aspect / Human Performance lesue Human Factors / Human Performance Isrue Addressed by AP600 Design V
$ 94 Subsection 2.3.7 MCR - Controls Computer-Based Data Points Computerbased data points The infonnation presented to the operators by the AP600 M-MIS includes indication of 3; and Displays should have a provision to indicate to the operators when data quality for the data displayed. The objective is to allow the operator to evaluate the $ the data for the point is invalxl (e g., point is out of scan). information being displayed to him and, eventually, discard it or look for attemative measures. If a parameWr measurement is outside the range of the instrument (note that the data quality would be good) then this "out-of-range" information is indicated on the display to the operator. The data quality of computer calculated points is also addressed and displayed by the AP600 M MIS. The data quality of calculated points considers the data quality of the input points and the validity of the calculation and its boundary conditions. Tne data quality conventions used are consistent throughout the M-MIS.
For example, the convention used on a workstation display to indicate that a data point such as a hot leg temperature is of " poor" quality is the same as the convention used to present the same information on the WPIS. 95 Subsection 2.3.8 MCR - Controls Trip Status Indicatkn in the CR, the operators need an The function of the AP600 Alarm System is to support the MCR operators with the and Displays adequate indication for trip status of important local following activities of human decision-making (adopted from Rasmussen's model of equipment. human decision-making):
- 1) The ALERT activity, i.e., alert the operator to off-normal conditions;
-4 2) The OBSERVE WHAT IS ABNORMAL activity, i.e., aid the user in focusing on the important issue (s);
- 3) Help with the process STATE IDENTIFICATION activity, i.e., aid the user in understanding the abnormal conditions and provide corrective action guidance, as far as to guide the operating crew into that area of the complete Plant information Display System in wh6ch the data /Information about the abnormality and its resolution can be found.
The Alarm System includes alarms of trip status for important locat equipment and it clearly distinguishes between alarms that are conveying to the operator something about a process abnormality vs. advising him of the status of equipment. 96 Subsection 2.4.1.1 MCR - Communications Coverage -- Dead Spots Auxiliary The plant communication system consists of the following systems: wireless Communications operators otten cannot be contacted in the plant due to w,o,..o.maion system, telephone /page system, private automatic branch exchange their inability to hear pages from the CR since there are (PABX), sound powered system, emergency response facility communicat60ns, and many hard-to-hear or dead spots in the plant. secunty communication system. The wireless telephone system is the primary means of communication for plant operations and maintenance personnel. The wireless system consists of wireless bett<tip portable handsets, hands-free type portable headsets, a O c mprehensive antenna system, and a wireless telephone switch. The telephone /page, g PABX telephone, and soundpowered communicatiort systems are for general plant oT communications and serve as backup to the wireless system. The communications {y system is described in SSAR subsectkm 9 S.2. )5 97 Subsection 2.4.1.2 MCR - Communications Communications Coverage - Radio Frequency (RF) Interference RF interferes with communications due to The communications system complies with applicable codes and standards, minimizing Electro-Magnetic interference (EMI) and its potential effects to equipment. " Low-CO O y inadequate shielding. Communication radios also cause powered" type equipment is used, where possible, wtilch has been demonstrated to unintended actuation of equipment. have a limited potential for causing interference with electronic equipment. Communication equipment and sensitive I&C equipment are shielded, as necessary, from the detrimental effects of EMI.
s n le, ea n s e d , e e t a d R ese le a r m io b is e a v n ). s h ey , ht s t e a, at v h h C o n t la o em. r so a w m s Mto ioyts u hl e ed i E A io n t ig s os yt c ia v pu oe n e t c eo ynla!y,se b l e R t b bned toe u hf ea s sel atatomr e e ht ts d - T0cm! naior i H hht to s, itor en ut e s ds 'n fo se aegi-a f isihSt h n nv y n cS tohc r a taes ez e _ D a es e, sl e me . 2nr e oir sA ms inf e d setsVsghi Est e _ l y vi t _ 0 0 sl nreh lp u nnt c n t, c let t e is ntub s lau n F e d (s e u h aex nr qs i
.w sr s eu tssggp anr _
a, ef uasir a ve ar T prdf leoe eit l tu . 6 it vr yif ose t r i _ dief n rso iteee br ists P ewl b i zi s A a i e "o meaN n ed sht aol w tod CteTuynelo r ye.d nh - n sweteain ci e olad a er y ht i f
.st sf l ait laywod omar og tnx h enl s yT o .
r r aoAra sl si i r ls cnl ehfeol en oe t uoam l - b a ph r ee V uReaeoiusna r ou -wl pd e atagt lyvE cy sgt eicea i r _ d e im t. e etc pinH pCpquf wo iv lepel sh ndlamg yt l n f ta nr i l eb pu sim udb wt n ltne o sar n npiyw r ol o
;tsht wM olem o n efr b e uy s pnt r v ar r icf f u aa s eose e s .r el oeoub r aimn fc ui ee ecf slu -
e ni h satssl ddh r r na a s ici u ic u ph r h rer e n f g n ;n t ah ys e e t p d leerk ioe x ;u Tu c st hig g - o n d t u aig gl ta si iv oToi n n d s ipf t ht modpa G. r y g g t A sh
-,. s itasi nl een et hl a oilei re n*0 nwh a o9ht u wusme 4 iso at .l r e med p cnle galo inssd ezwbiT t
usf toa .e r r e s s wss el c c tsd ehC t o lon ht dad rse mg ae - en ae - t
,ndl iudnt n et tairgmy l
u e e t syn ae h,ts s t ss r e duvre o0 6 r i 0saoinhr f s etsenot t lt a nl ie eaipt iobmnl cf vu olft u,si ui dngnA o sa ir l l n i. i m ml eil i s tmlno nPpna et vao f iwi r we r i . e c ent e niel o as er Rs iA Cmt o rwd ee r taele r sbf s uuo aa g rnRhC T sr ehd dt n r a Re r c at n hpd mdi Me nh a-c end -
.oens e par t eM d ome .f ewn Cnr t iur qo aah nl a a nw r
a l eu o i r si en;e s et e s t t yf uT _f a ga nt utnnueent oito Mi r _ m e nh at n g._icl - gqht gslai y nsr uhh r h sd n e c laan eietgi ens sh cr ea 0 P . nt c f o r lea t s sblede nnp t oSt eyt r.iRteyisb r 4 ee r df aCse r mf
.dtsnmd tyug 0
6 su
.e go rd istaon us _
e s na a, i r t BlaaiaCnt o wVedt euf nm t r e ond n o r urieei nan B c cimft P ns os e r s apno nrm des a, r P eirot n e Aii n le omu tape q lo e y- r u n eh lo as ot s gs nieltaat aioot yns aeiuer o tsl e e R . ht e tan oioa tey . t a r r f ht o v t v e ituar s epsyofe f t iw pil t nT ebf or i uuin suol r l k cov asg ha htocer it m o o eht s er se nfla f ae n nwTu b Sn n H u eo<s ape itam
.sr u ;u to i ol .iEtto d
d osstnicr nignindf uo oa w w oi ent d i t ng n mtcdf t siuo ho n ht etc Cl c a eioe r Tnlt l aimb oAa Vsl it oH ei
/
s i tnt e hess aa r aestnVer el et z to eal
- lab nt eny sd ie ssl r est e r un.psoch i poee tst ysuaacita r a uno u aisibt nmwr in i vrue;u s.hgld Hie t
o Ep r s e is vys an t c L o s 'n h s m pf ser el whc tr o ish n vf o sr Sdiiset n gi r mto v,ehine i F a Bf eat r Anoivf le e o
;s. eod r Rdr er pl hf i poion r mimtndd a a u eiatyvs r tg is e
tnne s
;pt e et o ann mo r
0 aash leet e f f pl ae el r Ct af ou oi sit e r 0 n r iis lat r Ciwi i sCwmre e d cic r 6 B a I sd ueph er Asea tsy p h uo puor i Anowp . P A x m L Pioer taf c ne s - o t r- amVac r mn s st ynisyt t t townlpudiAe c sCd S d d n 0 s n ne or
.oi n u Stysetyf eo end 0 ie oh t an i
te id H P Autn eq sh iu Bfelaaf t eos H .ca r Slacdi ue- l ut i nVh ic eee 6dcit P en tae a re d opdttmwHtt E n Bir rsi pvt H mipresr r aly syla upr mshg se ar noig p z T e p Tn s Vat sI tesp m . }o h t Vtst , nisoRar hl Agit iria o v - ee n t he du n o h e eisd o n i R p Oruoor nm e hend one n eper o n& pht sT uh at o iant ar arCt nm igv O A Nccca T n mb Tin cp or mtstr foMiA Hleg e Td ediae h apmht r
) F 1 n
d 1 i R n e u E W 0 7 e s n Ce0 h1 eo a c n u o Rht to I G et e R i t n V E E s e ita h r t fo u d Crto eu Ceu e o R R l e c in sl ef d hd C E U c lo s t u ht slt hetr it ( C N n t n n t. leec su t ou 1 a ee vt r i inec inf ic esi ff y r i E N B m im . lesf t f sf f E led d )s i le v ed si L I d r o fc i p n vd d B A R E e s f r e fu s iu q idsodesiia nr led es ed i no letsi s r T P s P ine n aot s ed no s X E er n s s n et h a Cty i2 t a io natai t a iei od t a d a g io Thl t c nd c G na hehi . d A m lu t n e ai n N u P ta ic n ts J. ic t e Ttsn o. rs T h a_. ht a s io n I
- n T e /H e .p .n ne A u t u t is se .t s ts t m e ia r is te n wi R s c g m tt n m(s e r E s p e
a n n a n a p m r n _ e r P i s r o e r d n t no t r r dl a la idly e V P tgar n n A snt O A v c gai ta na n s o *n - n idl - idi n o - a ta C e t e dsn i r r o i e r et n ut e r ent s g c d ae c ut e c gt a o n n d aenv n in e t c n lu rev r cg a iop* e h e h r e r igcd r r igc o e duc n r F t a o e e c f h fe n a c t in n u a t r o ist te sr su n t a t r e h sid o sr se e f f hi s ;w re irgs i m oc n n et op I u m lp et i i h to. s s b a r a e e H m e o io neF e s b ar -s neh s oam s rer C ht apS io apig 4o epla NcoE Ncoh N b oa e p s n s n s s o n n c to i ito o io it S a c a a ta
/ c c a in in in ic n
u - um - um u u e - - e m f Rm Rm Rr m R1 r Co Co Cor Co MC MC MC MC e 3 c 1 . n 2 2 2, e r 4 4 e 2 4 4 2 2 f e n n 2 R io n n t c in r o o
- e e c it c
it c u s a e e s b s s Is u hu b b S S u u S S m 8 9 0 1 te 9 9 0 0 I 1 1 U I ) .. EGn$=g3T$$$ - G* goSr_8 4 " yD ) O gC' eo0
e h g s s h n gi hcg e n h t to h foe ce y it iz nyhl n t h T Sitaeh o yr c r u te ah n eb W t ni it lleo is an n r- n t r det Si i x i a i r h o et ni o l ovwa rit nct a au n .P ou u do n f d d s, . g Pb e g sClut e wta s eo la u a ois htwa e as,t o,tge r mr s s Ct a it it elyst fo se ct s u e o a pm o ae p c y* is r n en toet e e e e amd r v npit a par w v e . gs inugtoadi t t i n i e v o r i t mf en d s mgaf d R oneurpx d see D dT uh ea e .isapwempe h d r aoas e r 8 r tanreasu oem et yt h inr a onls'd a u itoet a e 0 uh r rahtdi ez e 8 ht 1 itot n o sl a p re n,fgmga ri,a ar r et ler i ops f eso'n nr d nt soe f r 0 c sht o e ro apoo npa ar eo ne t oUs t oh r a r i tniytn p e n u 'P e aoes u pDt uflah r fnethnat r 6 P r e funo mh fpnl iyot pdn nfed a t ce A eve ntc ofoipiw e r o oitc n rer t, taoeh Jit t i ud a E r ec i pne orTnn* hoi *wonah t it e t r yao ed nc y t uns esinlt agy b n y t d e isupit eyt s wi tvamldo roe pe dh n s r to .e o* mle vrer c*na p o stspr cx tao pr hadbil on ys o e ixT oa iud dn"t om u i b i oit . eS r c r ot t ie r l r e anmefo l . l i d ei nawlaia v, s uRA ta o r edc eoaut esn a fof insft dt. h c i mde a"afoht eht r f r e ets d ctaps p a mr e i. r ahi e n s,m o er n eg e ape ceco ), ' eint r s e r oh n el n p or s mln ee t, ne s tokr nasr us aispoh b S per pod t h vpt hl leo u r n S Aht rp p p' ee chi T ;d oih mfnt sat lauls ei. he e i. it e l S t i yd r s wo p(d e o nt e . an P .ye s , e '*olsehd sme o i ed ix6te l . d vcyi n n :a Hwyi eft iiv ityep iswr a cau t o iwi o vpee d A uu is en nhteD t siu U e. Inro w ad tnv aitgnnt l i ;. i l
- m. Csb 0 e ivF ts*
r dtc S n'repn ci ' s r ad avmit ih er tand e e p a ee aiaof nih d u c l a h rs l
~ n 0 ue t 6 d r eCo*l l
aici e wh maiV v n.nt esu r s as e r seer cvtcas at nc ty roter eor it s ou u r r olaft o la u r s s r gd oor o c n a pnio sax ef t oipit n s
;vcu h or h sape soabd pece P et cisoc P@aeamafic opf A o ne s ad *e r n t
m ngeyinp i e tar et h r o igeit p r pnpwd r l l orme r a t us t
.i d
s F pn u. gny i ts s.dn e iirTnn v
.ni todfoeis ef d z o d.i.
smp v epmet h d r oru us't ui o sd a o r os a wi seah itn inSitng i ei st h ts u" c r o s i r a, us ais u nti ep . n ddf fon tn"bd t, oS ht i sr t
.. tote
. eu )s t oP i on a
hte PcoePoSann r Cenr t ndci eie rs np aud d et e uioer n vrud at cmt d ne
)
3 st h aagei*eciCni h n not e Caph m ia u nita . o 0 d e r r u r o ept a ps mko taei c .d epts yease s 1 o ut tht r e c '*Y oh oth llled o msn oup h cme!vsmwcos r i f tahfosvh uee n aogss l, 0 t o I ae erect t ea ar letva mereht r ( a s " mt c h a o r igT onr s, te r r 0m or ttept t l r hser le P e h t h sh I itwttugot S nik ot iccr e e 6 e Pl Sptelar Pt e opral laht p ,og Cnda pnt sine d er e ruep ( aerS pmto Pin"eo to" hit r n teiaa t hWpre r t n a o ut Acas aye t al p ly TspbiS t tvFaint cihs, ecdhht ap eor r a H e s n )s i t ubd u .m virn ra a Cac "" t on g p
.n .
U c Ma e euatoa naur m f, r ed toppe ae amhe nio m cr ec t. nr A d c C s m ureireocaah n sf ohd e *t s lywtomed u talu ol r a o, o o hl te lu f eo aif . oo ee b aar t H Mde hht ts afnc epr t i fo e d uno -tae r . r pfo ot sos mpreies ueipet ndid t me r o,h eyta^ib iti 't exl aict r o c i roth ie afr o m
/
s r o hi etne tswt a gn vi el ayr n est h un isv g e p ph uT lci .r nt iu c C, foSu tnr o etuitny v tceo ek r r t epet ota gde n i, ot n =pcd a r eet vpn s i tsiulwl alo pdm i n ep c, tinht a c i et l d t c a i S r v t aiemdh eps en k c oe Se I siCc n P emhts t s ( coll e sm ic .bo a asty ar r taq iu e h ht s,iin d to r s '* a io eitenie y w pa io"e
- r 0 F n P to eroqce u aed i
mus Mex ipner-t ah oih ptaut ghn a ;w e rpeh t in s n ui ogote' u ni m '* m v esp e e .vd o 0 6 B a Cayt r a adulpp ;e. rg r p de eis Meel h t s t,dht p o ein o e apc d u ee d o si t f mi't e 'P aioes laht r . r h lw'h t ;. e n y n g l P la se w, a tcdy mpo m A ix m u 0 pcelar 0 e 6 ot papsnrsi . n d o u w gfo ivo c s c "e 0 0 tgeges r r a mge b rc v oioad tnSit .i z _ r ate1r S d S l inht n isi taner ;tni m scvitat t i .
- a Pl 6 inr '
E d n H P r ao sms aimpm r t nup u ndub eo PePet tu sis eiaa p'nC se uc o. ve m opt eo H e p Aome e tcoh uts qua wd ee en wuiR adiu s Arlo e u d e t c wcopr e re- ar mtaCtaClacwp e l d v t tetnci mu'i r o nt d i _ s ct lpefo d '" e he rex e svee T n R p h rat e uatto vsr layeasmd s u met ee fe h 'e h or ar o aap eierit eo e h i l _ h in h. axll l O A T Tt h T cpspppot p e a t Aaah t Ino* wT pe t pirr ar _ ) F 1 d 1 o _ e W 7 e in dn u E 0 u r o - in I V G s Pf t a oil g gh taitu _ t n E E s P e e n in se t c o R R i e N cd iwd e wnx C E U c af yot looe ( C N n inpo pll n oo es yl poie it a s Sl 1 E N E B y m e .eev < f dee of dnu e od r L B I R d e f r o d r uml le e r h r at p dr<ht aego cec A E s r ebh h ee P s e c ot r sb h snr T o as u t r ud p i X e P or r p dn oar f E d r n p dcu e d cao G d a m y p L d ya sa anm enarec s g e A c ;vwe N u o tcn ac nadn . s r si o I it T A e H dr- ;v hm ent a tsot r nis y e eoa i n a u /t po t c aim R E s a e p h a;s ei . Pao t pit mcp l P O l A s oth o r eix nde r n efn pi aa r id Pr e fof n pney i is c s d st i io ora oi pl e u af r s ta P e tio Pn t s s u o a amis cr P n mP aao Nl i b- nf pos m Negv u n t _ c r - . _ a r e fo n n pc aine w neit ni l F ys t n io . n a as r er Pnto I r a e sNlly i n ir sI r ud oc r n e r :ia e ex : tse t n r in dumt n dumib m u e c a itoa ndu r la e l elee a v el H a epo c n cb u e cbet s p px r o ooq r r e le oot r r uo S oep Npps i r r ppnm s s s er e r e r e p u u o d d d o c e c e c e v S/ or o r v. e P P P u s - - - i s R R R C C C M M M e c n e 1 2 3 r 5 5 5 f e 2 2 2 e n n n R io o e E. tc tc i u e e s -v s s s b b I o u u S S S m 2 3 4 t e 0 1 0 1 0 l 1 o Edt$E CYgg$ d (O 4 ".$yg3a U. - OgO{, A - $m
__.__m. _ _ __ . . _ ,.__m . _ __________.- _ __,_._ - -- ..,_m . . _ _ _ -m__. _ ._.. .. __m. . m m. _ m. m. . f E TABLE 1 (Continued) 0
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
g leaves Addressed By NUREG 0711 Appendix B C Item leeue Reference leeue/ Scope Human Factore Aspect / Human Performance leeue Human Factore/ Human Performance leeue Addressed by AP600 Design gr 3 105 Subsect6on 2.5.4 MCR - Procedures Cross-Referencino Paper-based or hard<opy procedures The AP600 CPS automatically evaluates the status of each procedure step and presents g in NPP operations can cause the following problem: ins evaluation to the operator along with enough supporting information (such as actual
$ Cer:ss-referencing introduces errors and delays in task parameter values and equipment status) to give the operator an understanding of how performance. and why the system produced its evaluation. The CPS win provide the capability for the operator to request supplementalinformation on an additional VDU. TNs wal be .
Information such as an associated physicat, functional, trend or soft control display or l perttaps a supporting graph, curve, or background information. The CPS will provide the capabi!!'y for the operator to transition to the appropriate location in other operating procedures as required and to automatically select and display the new procedure when requested, whHe maintaining a placemark in the original procedure. 106 Subsectkin 2.5.5 MCR - Procedures Multple Procedures Management Paper-based or hard- The AP600 CPS win provide the capability for the operator to transition to otter copy procedures m NPP operations can cause the following operating procedures as required and to automaticaHy select and display the new ? problem: Physical management of multiple procedures and procedure when requested, while maintaining a placemark in the original procedure. place-keeping during concurrent execution are awkward. I The CPS will provide for the display of a procedure transition map. TNs display will indicate transitions out of or into the procedures, as well as movements within the procedures. The CPS win also prowde the capabHity for the operator to request supplemental information on an additional VDU. This win be information such as en associated physical, functional, trend or soft control display, or perhaps a supporting
-i graph, curva, or background information.
w N 107 Subsection 2.5.6 MCR - Procedures Maintaining Procedures Paper-based or hard<opy The AP600 CPS will include the capabHity to modify or edit the procedures in a ;
& procedures in NPP operations can cause the foRowing straightforward manner. This is accomplished by using an off-line relational database NUREG-0933, l.C.5 problem. Maintaining the technical accuracy of procedures management system.
is diffcult. For example, a design change in a single component can invalidate every procedure that references that component. Similarty, a procedure revision that changes the step number in that procedure can invalidate every step in other procedures that cross-reference that changed procedure. 108 Subsection 2.5.7 MCR - Procedures Procedure Irwearation Paper-based or hard-copy The AP600 CPS wiR provide the capability for the operator to request supplemental procedures in NPP operations can cause the following information on an additional VDU. This win be information such as an associated l problem: Handling and reading a paper procedure while physical, functional, trend or soft control display or perhaps a supporting graph, curve, or also performing the actions required to perform the task background information. If a step within a procedure, as presented by the CPS, requires described in a procedure are typically incompatible. the user to operate a component or system, then the user will be able to select, in a single action trorr the CPS, the associated soft control display for the respective component The soft control displays win appear on a VDU, at the operator's workstation separate from the VDU that presents the CPS. The use of multiple VDUs at O the operator's workstation, (CPS main interface vDU, CeS supprementai inrarmation g VDU, and a soft control display VDU), while executing a procedure through the AP600 gg CPS, minimizes or eliminates the handling and reading problems associated with the r
]$
CD ro M. execution of a paper-based procedure while also trying to perform the actions required by the procedure. I e@ t C) ' , i I t t
?
L E TABLE 1 (Continued) b
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
issues Addressed By NUREG 0711 Appendix B g C item issue Reference issue / Scope Human Factors Aspect / Human Performance issue Human Factors / Human Performance haue Addressed by AP600 Design T
$ 109 Subsection 2.5.8 MCR - Procedures Handleng/Followina Procedures Paper-based or hard-copy The AP600 M-MIS includes a CPS that assists the plant operators in rnonitoring and
$ procedures in NPP operatons can cause the following controlling the execution of plant procedures. For a given procedure, the status of each
$ problerrt Due to space limitations and the need for procedure step is dynamically determined and presented to the operator a!ong with the procedural aids for the operators to follow, procedures are supposting plant information. To alleviate the inherent fired linearity of paper-based difficult to work with, especiaEy in the CR during a transient. procedures, the CPS performs parallel monitoring activities versus the operator in paper-based procedures. A parallel monitoring activity is a plant condition, state, or parameter that is morutored by the computer in parallel with the activity of guiding the operator through the respective procedure. Types of paraltet information monitored by the CPS are the status of ttw. CSF, procedure notes and cautions, toldout page iterns, initiated actions (continuous action steps), and continuously rnonitored parameters. With the CPS dynamically determining the status of each procedure step and performing parallel monitoring activities, the delays caused by the inherent fixed linearity of executang paper-based procedures are minimized or eliminated. The CPS provides direct links from steps to the associated Ptar4 Information System Displays (physical process, functional, automatic monitoring logic, or soft control displays). For exarnple, If a step within a corrputerized procedure requires the user to operate a component or system, then the user will be able to select, in a single action from the CPS, the associated soft control display for the respective component. The soft control displays will appear on a VDU at q the operator's workstation separate from the VDU that presents the CPS. The use of g multiple VDUs at the operator's workstation (CPS main interface VDU, CPS supplemental information VDU, .end a soft control display VDU) while executing a m
procedure through the AP600 CPS, minimizes or eliminates the handling and reading problems associated with the execution of a papertased procedure. 110 Section 2.6 MCR - BWR Reactor Shutdown During a reactor shutdown from an NOT APPLICABLE: This issue is orily applicable to DWRs. Shutdown initial power of 6%, that involved lowslecay heat levels due to a short operating history, operators allowed cooldown (due to small misceRaneous steam load) to add excessive positive reactivity. Further, by not property maintaining the power in the mid-range of the Intermediate Range Monitors (IRMs), a reactor trip o(x:urred. 111 Section 3.1 System-Related Leakpan Areas of NPPs, such as isolated rooms, often Internal plant flooding can be attributed to piping ruptures, tank failures, or the actuation insights - Flooding contain fluid systems with the potential for leakage and of fire suppression systems. The consequences of these events have been evaluated Concem flooding. for the AP6CO in accordance with Standard Review Plan (SRP) 3 6.1 and SRP 3.6.2. Water-level (flood) design features and protection ineinbns are described in Sections 3.4 and 3.6 of the SSAR, respectively. The protection mechanisms related to frdnimize the consequences of intemal flooding include the following-
- Structural enclosures 6D . Structural barners
[N
'E Curbs and elevated thresholds Leak detection systems 4
O 36 . Drain systems (D (n a in appropriate locations, water-level sensors are provided to transmit water level indications to the MCR and the plant control system. Level alarms alert the operator to take corrective sction.
3 TABLE 1 (Continued) b
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
g leaues Addressed By NUREG 0711 Appendia B 3 Item issue Reference lesve/ Scope Human Factors AspectMuman Performance issue Human FactoreMuman Performance issue Addressed by AP600 Design T
$ 112 Section 3.2 System-Related Spray Valve Stuck Open A PWR pressurizer spray valve The AP600 design has addressed the possibility of a stuck open spray valve. The spray g insights - stuck open (unknown to the operators at the time) causing valve is provided with an automatic interlock to close on low RCS pressure that would $ Pressurizer a continued drop in RCS pressure to below that required by result from an open spray valve. In addition, the remotely-operated spray block valves TS. As a resutt, a plant shutdown was required in order to can be closed from the CR in the event of a stuck open spray valve. Therefore, a isolate the spray line. forced plant shutdown can be avoided in the event of a stuck-open spray valve.
113 Subsection 3.3.1 System-Related Offsite Power A consequent problem on loss of a direct dc system reliability - The de system is designed for a tigh level of reliability. A insights - Loss of current (dc) bus is partial loss of normal offsite power. non-Class 1E battery monitor is provided for each battery to monitor ard alarm battery dc Bus voltage, detect and starm battery open-circuit condition (including blown fuses), and supervise battery availability. The battery chargers are provided with a trouble alarm for attemating current (ac) input failure, de output under/over voltage, no charge, input / output breaker trip, and de high voltage shutdown trip. The de buses are rnonstored and alarmed for undervottage. The de system currents are monitored and alarmed for overcurrent. A ground detection alarm is provided. (4 The dc bus outage time for maintenance and repair will be rrinimized with the use of the
@ spare battery and charger.
Mitigation of the effects of the loss of a de bus - The AP600 is designed to withstand the loss of a single de bus without placing the plant in an unsafe condition. In the AP600 design, loss of a de bus will not result in a partial loss of offsite power. The breakers in the AP600 are controlled by the PLS. The PLS system normally receives power from the non-Class 1E UPS system. Upon failure of the de bus powering the UPS, or failure of the UPS itself, the loads are automatically transferred to a regulating transformer supply. Therefore, loss of a dc bus will not result in loss of power to the PLS system. The ac power system breakers use solid-state control which receives control power from a power supply internal to the switchgear; therefore, loss of a dc bus will not result in loss of control power to a brea\er. O o OT tr m $1E!. e 8 w CD d
E TABLE I (Continued) b 1E OPERATING EXPERIENCE REVIEW FOR THE AP600 g issues Addressed By NUREG 0711 Appendix B 3 Item issue Reference issue / Scope Human Factors Aspect / Human Performance Issue Human Factors / Human Performance issue Addressed by AP600 Design V g 114 Subsection 3.3.2 System-flelated Control Room Annunciator A consequent problem on loss dc system reliability - The de system is des;gned for a high level of rehability. g insights - Loss of of a de bus as loss of CR annunciator power.
$ dc Bus A battery monitor is provided for each battery to monitor and alarm battery voltage, detect and alarm battery open<:!rcuit condition (including blown fuses), and supervise battery availabli:4y.
The battery chargers are provided with a trouble alarm for ac input failure, dc output under/over voNage, no charge, input / output breaker trip, and de high voltage shutdown trip. The dc buses are monitored and alarmed for undervoltage. Tre de system currents are monitored and starmed for overcurrerd. A ground detect 60n alarm is provided. The dc bus outage time for maintenance and repair wiR be minimized with the use of the spare battery and charger. q Mitigation of the effects of the loss of a de bus - The APG00 is designed to withstand g the Ws of a single dc bus without placing the plant in an unsafe conditert O in the AP600' design, loss of a de bus w11 not resuit in a loss of alarm system power. Alarm system power normally comes from a UPS; however, upon failure of the dc bus powering the UPS, or falture of the UPS itself, the loads are automatically transferred b a regulating transformer supply. Therefore, loss of a dc bus will not result in loss of alarm system power. O o O 2 cr es CD < , g-a3 U m-
E TABLE 1 (Continued) b 4 OPERATING EXPERIENCE REVIEW FOR THE AP600 g lesues Addressed By NUREG 0711 Appendix B C ftem Issue Reference issuetScope Human Factors AspectMuman Performance issue Human FactoraMuman Performance issue Addressed by AP600 Design Y
$ 115 Subsection 3.3.3 System-Related indicators in Control Room A consequent problem on loss de system reliability - The de system is designed for a high level of reliability.
g Insights - Loss of of a dc bus is loss of power to indicators in the CR.
$ de Dus A battery monitor is provided for each battery to monitor and alarm battery voltage, detect and alarm battery operaircuit condition (including blown fuses), and supervise battery availability.
The battery chargers are provided with a trouble alarm for ac input failure, @ output under/over voltage, no chage, input / output breaker trip, and de high voltage shutdown trip. The de buses are monitored and alarmed for undervoltage. The de system currents are morntored and alarmed for overcurrent. A ground detection alarm is provided. The de bus outage time for maintenance and repair will be minimized with the use of the spare battery and charger. q Mitigation of the effects of the loss of a dc bus - The AP600 is designed to withstand g a the loss of a single de bus without placing the plant in an unsafe condition. in the AP600' design, loss of a de bus will not result in a loss of indicator power. Indicator power normally comes from a UPS system. Upon failure of the dc bus powering the UPS, or fa9ure of the UPS itself, the toads are automatically transferred to a regulating transformer supply. Therefore, loss of a dc bus will not result in loss of indicator power. O 2 oI oo asE!. m 8 m-
E TABLE 1 (Continued) G h E OPERATING EXPERIENCE REVIEW FOR THE AP600 g leaves Addreseed By NUREG 0711 Appendix B 3 Item leeue Refecence leoverscope Human Factors AspectMuman Per*ormance leeue Human FactoreMuman Performance leeue Addressed by AP900 Design V
-^
t16 Subsection 3.3.1 System-Related Power to Circuit Dreakers A consequent problem on loss of a dc bus is loss of control power to various circuit de system rettability - The de system is designed for a high level of reliatety. m insights - Loss of
$ dc Bus breakers. A non-Class t E battery monitor 6s provided for each battery to monitor and alarm battery voltage, detect and alarm ba'tery operwircuit condition (including blown fuses), and supervise trmery availability.
The battery chargers are provided with a trouble alarm for ac input failure, de output under/over voltage, no charge, inputfoutput breaker trip, and dc high voltage shutdown trip. The de buses are monitored and starmed for undervoltage. The de system currents are monitored and alarmed for overcurrent. A g ound detection alarm is provided. The dc bus outage time for maintenance and repair will be minimized with the use of the spare battery and charger. q Mitigation of the effects of the loss of a de bus - The AP600 is designed to withstand g the loss of a single de bus without placing the plant in an unsafe condition. fQ in the AP60d design, loss of a dc bus will not result in a loss of circuit breaker control. The breakers in the AP600 are controned by the PLS. The PLS system normally receives power from the non-Class 1E UPS system. Upon failure of the de bus powering the UPS, or failure of the UPS Rself, the loads are automatically transferred to a regulatrig transformer supply. Therefore, loss of a de bus will not result in loss of circuit breaker cortrof. The ac power system breakers use solid-state control which receives control power from a power supply intemal to the switchgear; therefore, loss of a de bus wiR not result in loss of control power to a breaker. O o OT cr es R $. _, e. e8 w
- 0) '
E TABLE 1 (Continued) 0
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
issues Addressed By NUREG 0711 Appendix B g 3 Item lasue Reference issuefScope Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design V Power to Computers and Displays A consequent problem de system reliability - The de system is designed for a high level of reliability.
$ 117 Subsection 3.3.5 System-Related $ insights - Loss of on loss of a de bus is loss of power to computers and $ dc Dus video display screens. A bettery rnonitor is provided for each battery to rnonitor and alarm battery voltage, detect and alarm battery open-circuit conddion (including blown fuses), and supervise battery availability.
The battery chargers are provided with a trouble alarm for ac input failure, de output under/over voltage, no charge, input / output breaker trip, and dc high voltage shutdown trip. The dc buses are monitored and alarmed for undervoltage. The dc system currents are monitored and starmed for overcurrent. A ground detection alarm is provided. The dc bus outage time for maintenance and repair will be minim! red with the use of the spare battery and charger. Mitigation of the effects of the loss of a oc bus - The AP600 is designed to withstand q the loss of a single de bus without placing the plant in an unsafe conditiort g ta in the AP600 design, loss of a de bus wit not result in a loss of power to compute <s and video display (workstation) scresns. Power to computers and video display screens normal!y comes from a UPS system. Upon failure of the de bus powering the UPS, or failure of the UPS itself, the loads are automatically transferred to a regulating transformer supply. Therefore, loss of a de bus wlB not result in loss of power to computers and video display (workstation) screens. O o O3 cr to Q 5. , f2. E cn -
t f E TA8LE 1 (Continued) N
$l OPERATING EXPERIENCE REVIEW FOR THE AP900 E
g leeues Addressed By feUREG 0711 Appendix 8 3 flem leeve Reference leeue/ Scope Human Factore A-;-f"E._ Performance leeue Human FactoreMumen Performance leeue Addressed by AP600 Design T
$ 118 Subsection 3.3.6 System-Related Power to Automatic Features A consequent problem on dc system renability - The de system is designed for a high level of tellatxhty
;;' Insights - Loss of loss of a de bus is toss of some of the planrs automatic
$ de Bus features, such as trips and Interlocks. A battery monitor is provided for each battery to rnonitor and alarm battery voltage, detect and alarm battery open-circuit condition (including blown fuses), and supervise battery availability.
The battery chargers are provided with a trouble alarm for ac input failure, de output under/ownr voRage, no charge, input / output breaker trip, and dc high voltage shutdown , trip. ! The de buses are monitored and alarmed for undervoltage. The de system currents are monitored and alarmed for overcurrent. A ground detection alarm is provided. The dc bus outage time for maintenance and repair will be minimized with the use of the spare battery and charger. , q Mitigation of the effects of the loss of a dc bus - The AP600 is designed to withstand g the loss of a single de bus without placing the plant in an unsafe condition. A in the AP600 design, loss of a de bus will not result in a loss of automatic features. The , automatic features in the AP600 are contro#ed by the PMS and PLS. The PMS system normally receives power from the Class 1E UPS system. The PLS system normally receives power from the nontlass 1E UPS system. Upon failure of the de bus powering any UPS, or failure of the UPS itself, the loads are automatically transferred to a regulating transformer supply. Therefore, loss of a dc bus will not result in loss of automatic features, t O . R 'D o tr cn Q 5. _, E. e8 e C) ' i m___.-____._.________ ___ _ _ _ _ _ _ _ _ w ---3 ~ - _ ___ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . - - - + _ _ _ _ _ _ _ _ _ _- +
N TABLE 1 (Continued)
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 ft g issues Addressed By NUREG 0711 Appendix B ltem tesue Reference issue / Scope Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design $ 119 Subsection 3.3.7 System-Related Circuit Breakers A consequent problem on loss of a de de system reliability - The de system is designed for a high level of reliabihty. $ insights - Loss of bus is trip of selected circuit breakers, such as reactor trip $ dc Bus breakers. A battery monitor is provided for each battery to monitor and alarm battery voltage, detect and alarm battery open-circuit condition (including blown fuses), and supervise battery availability.
The battery chargers are provided with a trouble alarm for oc input failure, de output under/over voltage, no charge, input / output breaker tnp, and de high voltage shutdown trip. The de buses are monitored and alarmed for undervoltage. The de system currents are monitored and alarmed for overcunent. A Oround detection alarm is provided. The dc bus outage time for maintenance and repair wit be rninimized with the use of the spare battery and charger. q Mitigation of the effects of the loss of a dc bus - Tlw AP600 is designed to withstand g the loss of a single de bus without placing the plant in an unsafe condition. 01 in the AP600 design, loss of a de bus will not result in a plant trip. The AP600 has eight reactor trip breakers arranged for two out-of-four trip togic as shown in SSAR Figure 7.1-7. With this configuration, the complete loss of power to any single train win result in tnpping the two breakers associated with that train; however, no single-train pair of breakers can inp the plant if they are the only breakers to trip. 120 Section 3 4 System-Related Vessel Overfill in DWRs during transient situations, reactor NOT APPLICABLE: This issue is only applicable to DWR reactors. Insights - vessel overtill can be a problem causing main steamline Automatic Trip of flooding and possible damage. There is currently no Condensate and automatic trip on condensate and condensate booster Condensate pumps on high reactor vessel level. Booster Punos 121 Section 3.5 System-Related System Overpressurization During system restoration after NOT APPLICABLE: This issue is only applicable to BWR reactors. Insights - System maintenance durtng cold shutdown at a BWR, an incorrect Overpressurization valving sequence resulted in overpressurization of piping and damage to the test retum line of the Condensate Storage Tank (CST) and Condensate Retum Tank O o O T tr (D CD < ,g-. ,g e8 e C) '
3 TABLE 1 (Continued) b g OPERATING EXPERIENCE REVIEW FOR THE AP600 Issuee Addressed By NUREG 0711 Appen Hz B
$ Item leave Reference leeue/ Scope Human Factore AspectMuman Performance leeue Human FactoroMuman Performance leeue Addressed by AP500 Doolgn
'if g 122 Section 3.6 System-Related Control of Feedwater Controt System The control of PWR in the AP600 design, SG water level is automatically controlled from re-load conditions
$ insights - Feedwater Systems during startup and loepower to 100% plant-rated thermal power by the startup feedwater control subsystem and the
$ Feedwater Control operations has been probiernatical. Operators have had main feedwater control subsystem. The startup feedwater control subsystem maintains System difficulty in controlling the feedwater flowrate as necessary a programmed wate hvel in the shell side of the SGs during lowtower (below to maintain SG water levels due partially in the fact that the approximately 10% of plantated thermal power), no-load, and plant heatm and feedwater control valves and control systems are not cooldown modes. Transition between the main and startup feedwater control valves is designed to oper6te in the low flow regions. There has automatically controlled based on flow measurements within the respective control also been difficupy in the swrtchover from manual to valves. The startup feedwater control subsystem regulates the flow of feedwater in a automatic control that occurs in this time frame. manner similar to the way (main) feedwater is controlled in the lowpower control mode.
Two modes of feedwater control (towpower mode and hightower mode) are incorporated in the (main) feedwater control subsystem. A separate low-range feedwater flow measurement is used in the low-power feedwater control mode. SSAR subsections 7.7.1.8.1 and 7.7.1.8.2 provide a description of the feedwater control and startup feedwater control subsystems. 123 Section 3.7 System-Related Volume Fills With Water On a Swn, e.en the scram NOT APPLICABLE: This issue is only applicable to BWR reactors. Insights - Scram discharge volume fills with water, insertion of the control Dischafge Volume rods is inhibited. Y z. c) O R o3 tr o
$ $. 9.
m c -
. _ . - - ~ - - - . . . --~ ~ - . . ~ . - - , .
i l F 3 TAet.E 1 (Continued) 0
$ OPERATING EXPERIENCE REVIEW FOR THE AP900
[ 4 t g losues Addrosood By NUREG 0711 Appendix 8 3 hem issue Reference lesuetScope Human Factors AspectPHuman Performance leave Human Factors / Human Performance issue Addressed by AP900 Design Y g 124 Section 3.8 System-Related Overpressurizat6on of Low-Pressure Systems The AP600 has incorporated various design features to add ess ISLOCA chanenges. I
;;; insights - Overpressurization of lowpressure systems due to RCS These design features have resutted in very low AP600 core damage frequency ; $ interfacing Systems boundary fatures may result in rupture of lowpressure compared to currently operating plants. These design features are primarily associated i LOCA (ISLOCA) piping. Some RCS boundary failures have occurred due to with the normal residual heat removal system (RNS) as discussed in SSAR l operator error, important operator errors include vatve subsection S.4J. A Westinghouse design report, WCAP-14425. has been prepared to afignment errors during transitions between operation document the systematic evaluation of the AP600 oesign for w.;-.- to modes. NUREG/CR-St02. As a result of the study reporteo in WCAP-14425, additional design t features have been incorporated in the AP600.
The following table providas a summary of AP600 design features which satisfy ISLOCA , freque7cy acceptance criteria. ) i System / Subeyetem Major Doolgn Feature Normal Residual Heat Removal 1. Increased design pressure of the outside of the ! containment portion of the system, such that the + ultimate rupture strength of the piping and I components are equal to or greater than the RCS l design pressure. l d Chemical and Volume Control 1. Relief valves were added to minimize the k System Makeup Pump Suction consequences of pump suction over-pressurization.
- 2. Higtypressure alarm added to pump suction hne ,
to alert operator of overpressurization. Chemical and Volume Control 1. Placement of highpressure punfication i System Letdown Line loop inside containment ehminates high-energy [ letdown outside of sma.o. e.
- 2. Letdown orthee limits leakage from a letdown line :
ISLOCA. {
- 3. Automatic isolation of letdown occurs upon ;
safeguards actuation signal .
- 4. ReNel valve added to prevent overpressurization [
of letdown line. j Primary Samphng System 1. Most of the Primary Sampling System is designed for fun RCS pressure. .
- 2. Flow resticting orifices limit extent of ISLOCA >
h gy
- 3. Automatic isolation of Primary Sampling System occurs upon safeguards actuation signal. i O' (D !
$ S. Demineralized Water 1. Relief valve added to prevent overpressurtzation I .a y- System of the inside of containment portion of the ' O 3 system. ha 2. Automatic isolation of Domineranzed Water
- System occurs upon safeguards actuation signal. !
t i i
ee r h at d d n foh c s eht a e e d e n d e n d e n d e d n e d e ig niz t m m n n n m n m s ohi wm s. c a a c a a a a a a e i t s. c c c c c c D u sn lot i i ;o h t h it h it h h h h h v enm Lv iw. w. it t it 0 0 6 e n mip s . s1 w s1. s1 itw. s1 itw. s1 w s1. iw. s1 w s1. h p4 p4 p4 p4 P A aeT n v f o n5 m5 m5 m5 p4 m5 p4 m5 p4 m5 p4 m5 u u u u u u u b y d o yn g.nuot pd n pd n pd n pd n pd n pd n pd n u pd n eL is tna tna tna tna tna tna tna tna d e s s a sem eda ta3 o l a3 o l a3 o la3 o l a3 o la3 o la3 o la3 o s bt o3 o3 o3 o3 o3 o3 o3 o3 - e s ast u an c1 c1 c1 c1 c1 c1 c1 c1 d r i n wo pi ic r o 5 r o 5 r 5 o r o 5 o r 5 r o 5 r5 o r 5 g i vf c s o tc s tc s t d c s c s t t is wpi ein a n a n n tc s tc s tc s _ A e r g eio a a no a n a n a n a n e u dk e s r t r toc ei eito r eit r eio r t eio eio eio s ec c r t r t r t 0pheta s e c c c c c s s e s e s e s e s e s e ies ies ies f s e 0 ts fovea 6 fib cu fic bu ie s f b icu ie s fcu i b i b fcu ies ficu b ies fib cu fes i b ic u c P n Aoi seh es p es p es p es es es es es n p p p p p a et uud sRA sR sR sR sR sRA sR sR n A A A A A n nA l m hl t o eu gS n gS gS n gS n n n gS gS gS gS r o invht e g o w isS eo is eo S isS eo isS eo iS s is S is S i sS _ f r de cig h nr n dt dt dt dt eo dt dt eo dt eo eo _ e r r r r r r dt _ P s a use 0e 0 r r 0f e 0 0f e 0e 0 e _ 0 e 0 e 0 e tuEd i 0f 0f 0f 0f 0f 0f n 6 e 6 e 6 e 6 e 6 e 6 e 6 e 6 e a n . d d .n PR PR PR PR PR PR PR PR m u ese aoit mnnl r A . A . es A . A . A . A . A . A . H pigi au cr a els h a h ta els h a els es ets ets els h a h ta h a h a h a
/
s r o iuqd e esgitap e r c po e Te
- s T e s
T e
- s T e
- s T e
- s T e s
Te s T e s t c C Cn t Eon Eo n Eon Eon E o Eon Eon Eo a &ieyn
&t r na L
Be v L L L L n L L L n F B eal p B ev B ev Be v B ev B ev B ev B ev 0 0 n d lapt Aa Ch Aa Ch Aa Aa Aa A a Aa Aa 6 B a eit cgeh x at c I Ch I Ch Ch Ch Ch Ch P m ndf i t a p ILt Lt a Lt I Lt a I Lt ILt I Lt a I Lt a A x u a v s od Pa h P h Pah P h Pa Pah P h P h oom P h id H Pt P Pt Pt Pt P E H n d ult ou i A t. As r A t. As r As As r Pt As r A t. T e p aishdv el lu i w T to T i To To r i e er e o T iv t To To T iv R p h r T pal w k O . Oo O ivv Oo Oo t Oo t Oo t O v O A i N r. Nm N n Nm Nm Nm Nm N n ) F 1 e d ; y e u W 1 . 7 e d taf go ls e e g r la 0 . e n E I G u sr a o w o ad n n eit vie u . o o s eumg r e d i n to a s it n V E E a le ht cet gn h amsu u dnt in .
. s e s e a.
g n e r tat a u r et s u iv o m r a er p t o o R R sa mtr in a . ne ic ta P r e C ( E U N e c n P P e ;i r fotor I emet r o sah ect n
- a. o;v ec
. v e
ic v w i r r u s u r p e er la mWi s
. te r
O toi v Nsu nf ehi o r p luE ra- a D de r ta C t ts w g 1 y a ni-r o. d s ao w e luhc is r , a a teCnt n te
.s l
E N E B m o p iais u b ee p o ga e e r
. e d Cer m e fo l t
e i n toe r u inlefnyftlto t M d r f d hwxt e s ta n ps nse . n a L i T m t b r s I o Cp;.u. a u eis or o r dl a n ;.lle mer e b B R d e f f e e e er to pt e e el u d aeie n efi ae pue
.w f
& s, s u u teu r r r A E n r eu d, u r u d r s". mtodi s e d ib df os k T oe T P s e P l
mitr nspae ut ns a ntivd ae e s mh eso r a as e ta nra t a r u sst s a iv o P em X E r n la n ec e io v f M md e a r e oe e ser a sseptrerpu e a te e r C a r t, md p s p r P ei v stoct taem;' d. r a d eur it u l r a s n av i wee em M a R ht wpa G d A m tnat f f oiet s i u e dt a v t h lot s r w wae m ge s s r pf f am r e g r ta - o u anl csm lo e ee w s,. n - lo F flor NI ef t i e r d ko pt d vceteujh ipe F yty T nt r T s H w gn e aS lo g i n s lae e gu yp mno P de a mg F m o A odo o, e,fcb nipxi eg s lsa n nb n r C d
/ t u n a la dle tein t r c uiq o o i i tal f i aa o d A h R di la te, la tc s eR s sh v sdd y e Cir sr d so e d e i
E l en e s sa n al ay era n n A a r is p ete edit a b se g gm e so r o dP t wnCye wr fo P s s pn ed a ta e a io r a e b g at eeib e r t SAehv ep ito d v o t a O A deC t n ns m hi i s, c te i hd n i t spo- a,1 r d m t
<anf a d v al r w t lu a ae a n cu e a e t
s le .is d ia d e p iR s A ro g. s snt R dr u a
; r v
r o b itwn fond itg e e k mo R is la d A ru B e O odi era o dt a r h o evla p r r
- e at s v k en - oh - - e e - P s -
o r ne n fr s c - t c r P ie t. s it s c ph la it a exep at u n a n di n ts e,s,d n a n d peit r r a o s la s o e r n s e n eit w ,. l io ta dn ve iv o n a bet ye c s wl t F r ot a u m Pr r it e ito it n ne m te fo al o a rod t a a a a r m a e er u a, m vpd sd h v d Cfoto c r
. t n s d ec a e .
an e A r ic y. g;. n .s te l A R d r t n d d no t n Pg t n m mss ita. w
; ta d n e e luen e in y sd ts e ee e se inr e -e ese e e r o J. a m e n ae p
n . e a .me n d ed r m u 6 s. ef - u m u ur r er e. fo l n u h pm _ u g e ee u s sps us S n ml df s m -. m d r o eu H r wivf u s J d w u s d u e e s vr C 8 eia e s pilu . upct aor ee n . r e vb vo is e ah snm u ea t r s s re we n p .e
. iv otal t r 6c a s e v e r a a ts e e e nre Rs d e t r
s fht o c s r d i vf o r 1 bt f r ar r I pp Dct c I nn W Pt r hv a InDm I n M mlip I n da I n o P isap
,e e
p d s s s s e C hts s t ts o t t h s ht s ht s hts s h s hts s h s c a gl ia - gla g!a gl gl gl gl gt t& ;,ise ia ia - ia - ia i a S le t n se .s e
.i t n se t n se t n s e t
n se t n se
#e R d einS wnS .nS mi eInS einS e. ins- einS einS u
s - s cen md n od pt e s
.i vde - n od - n ude - n od - n od -
e ia te s vt s pt e s e pt e pt se wd vt s tsps s is ts y mlaP aP s. lap mlaP wd yWd v oeC wleC veC oeC nlaP oeC wfeC mlaP oeC mfsP oeC SiA i CRR CRR CRR CRR CRR CRR CRR CRR e 1 2 3 4 5 6 1 c 1 2 2 2 2 2 2 3 n 1 1 1 1 1 1 1 1 e r 1 1 1 1 1 1 1 1 f e 4 4 4 4 4 4 4 4 e 9 n n n n n R 3 i v o e iw io m o e toi
;i it u n c c tc i t c
- t. .
it c io e m e e e e s s s s s m s tc h r Is b b b , S e S u a S u u b u a b u S S S S S S m 5 6 7 8 9 0 1 2 3 2 2 2 2 2 3 3 3 3 te f 1 1 1 1 1 1 1 1 1 3b$mg3Vg$$ yrg y($MQ D . . , OgOC(] TD qy )
, __- __- _- . . . .~. ~ ~ . _ . - - - E TABLE 1 (Continued) 6 to
@ OPERATING EXPERIENCE REVIEW FOR THE AP600 1E s issues Addressed By NUREG C711 Appendix B t$
3 Item lesue Reference issue / Scope Human Factors Aspect / Human Performance lesue Human Factors / Human Performance lesue Addressed by AP600 Design Y Procedures and Operator Aids - Emergency Procedure NOT APPLICABLE: The AP6C3 design specifies reactor coolant putts with canned
$ 134 Subsection 4.1.1.3.2 Component-g Related insights - Guidelinas Emergency Procedure Guidehnes, procedures, motors that have no seats. Refer to SSAR subsections 51.3.3 and 5.4.1.
$ RCPs - Seats and training should be provided for a reasonable spectrum of seal failure events, such as: high-seat, leakoff flow, high-seal temperature, Ngh vt) rat!on, Icss+f-seat injection, loss-of-seal cooting, SBO, and reactor coolant pump restart criteria. These prtaedures should incorporate the recommendations of reactor coolant asmp and dent vendors.
135 Subsection 4.1.1.4 Component- Functional Altocatiun Isolation of sealleakoff Rnes on Ngh- NOT APPLICABLE: The AP600 design specifies reactor coolant pumps with canned Related Insights - flow, wtuch has historically required operator action, should motors that have no seats. Refer to SSAR subsections 5.1.3.3 ard 5.4.1. RCPs - Sea!s be evaluated as a candrdate for automation since detection, recognition, and action are time constrained. 136 Subsection 4.1.2 Component- Component Degradation When reactor coolant pumps or The AP600 employs canned rnotar reactor coolant purTs that do not contain seats Related Insights - motor components degrade, they can eventually result in whose degradation could lead to a loss of reactor coolant. Reactor coolant pump RCP Monitoring catastroptwc failure of pump or seats, if the pump is not instrumentation is provided to continuously monitor pump performance including 1) stopped in time. Due to the location of the reactor coolant bearing water temperature,2) pump vtyration,3) stator temperature,4) pump speed. In y pumps inside containment, detection of degradation rnust addition, RCS loop flow rates are continuously measured. be accomphshed through appropriate instrumentation. E Large fattures of the ptr.1p or seats can potenttalty resutt in (D a primary system LOCA. 137 Subsection 4.2.1 Component- Trip Stahrs in a case where the overspeed trip var ve for NOT APPLICABLE: The AP600 does not have an AFW system. The PRHR system Related insights -- the turbine-driven AFW pump turbine was inadvertently functionalty replaces the AFW systems in current PWR designs. The PRHR system AFW Pumps tripped and not property reset, the CR operators were not does not include pumps. Refer to SSAR Section 6.3. sware of the inoperable status of ttle AFW pump. 138 Subsection 4 2.2 Component- Steam Binding AFW pumps have experienced steam NOT APPLICABLE: The AP600 does not have in AFW system. The PRHR system Related insights - binding resultmg in pump inoperability. This has typically functionalty replaces the AFW systems in current PWR designs. The PRHR system AFW Pumps been caused by feedwater back leakage through the AFW does not include pumps. Refer SSAR Section 6.3. discharge check valves, but also by leakage through complex pathways, working tts way back to the AFW pump l suction sources. I 139 Subsection 4 2.3.1 Component Pump Driver Trips' Diesel-Driven Pump - Minimum NOT APPLICABLE: The AP600 does not have an AFW system. The PRHR system Related insights - Operating Speed The diesel-driven AFW pumps have functionally replaces the AFW systems in current PWR designs. The PRHR system AFW Pumps expertenced problems where the pump drivers have tripped does not include pumps. Refer to SSAR Section 6.3. because the diesel AFW pump had reached marumum h gD operating speed (about 600 rpm) which closed the speed switctt
$N 140 Subsection 4.2.3.2 Component Pump Driver Trips: Diesel-Driven Pump - Stop Sional NOT APPLICABLE: The AP600 does not have an AFW system. The PRHR system 'E Related Insights - The diesel-dnven AFW pumps have expenenced problems functionally replaces the AFW systems in current PWR designs The PRHR system $0 (D
AFW Purms where the pump drivers have tripped because the stop signal was momentarity generated by the operator and was does not include pumps. Refer to SSAR Section 6.3. G" released before the diesel had come to a full stop.
i I l 3 TABLE 1 (Continued) !
. OPERAT --T,IE APO ,
l 8 Nues Addressed By NUREG 0711 AppensIle B
'i
. leem leeue Reference leeuefScope Human Factore AspectStumen Performance Issue Human Factore4tumen Portonsence leave Addressed by AP900 Doolgn T
l f 141 Subsection 4 2.3.3 Congonent Pune Driver Trips: Dieset-Driven Pump " Auto After 90DT APPUCARE: The AP600 does not have an AFW system. The PRHR system ,t i y Related insights - Stop" Posinon The diesel-driven AFW pumps have functioneWy repieces the AFW systems in current PWR designs. The PRHR system I $ AFW Pumps exponenced problems where the pump dr6 vers have tripped does not include pumps. Refer to SSAR Section 6.3. , when the control swfich was stowed to go to
- Auto After I Stop.' en auto-start signal was present from loss of the !
main feedweler pung (MFP). [ 142 Subsection 4.2.3.4 Congonent- Pune Driver Trips: Diesel-Detven Pune - Diesel Could 900T APPUCAKE: The AP800 does not have an AFW system. The PRHR system } Related insights - Not Restert The diesetajrtwen AFW pumps have functiono#y repieces the AFW systems h current PWR designs. The PRHR system i AFW Pungs 3 .a.o protnems where the pump drivers have tripped does not include pumps. Refer to SSAR Sectlon 6.3. ! due to the engine stR being at greater then 40 rpm, the diesel starter motors were disabled and the diesel could not try to restert. r 143 Subsection 4 2.3.5 Component- Purre Detver Trips: Diesel-Drive Pump - Low Lube ON NOT APPUCAKE: The AP600 does not have an AFW system. The PRHR system Related insights - Pressure The dieset<setven AFW pumps have egenonced funcDoneNy replaces the AFW systems in current PWR designs. The PRHR system AFW Pungs problems where the pump drivers have tripped 25 seconds does not include pumps. Refer to SSAR Section 6.3. - after receiving the second auto-start, the low-lube oil pressure switch trip was enabled. This caused the engine !
-j to lockout due to tie low oil pressure associated with the !
di engine shutdown. [ O 144 Subsection 4.2.4 Component- Pump Detver Trtos: Turbine-Driven Pump - Erroneous Trip NOT APPUOARE: The AP600 does not have an AFW system. The PRHR system Related Insights - of AFW Pumps The turtnnewsrtwen AFW pumps have functioneNy replaces the AFW systems in current PWR designs, The PRHR system AFW Pumps expertenced problems where the pump drivers have does not include pumps. Refer to SSAR Section 6.3. l tripped, because efter en auto-start operators enoneously ; tripped the AFW pumps. The steam-detven AFW pump had been resteriod from the CR using the start valve which opened rapidly (less then 5 seconds) and caused the turbine to overspeed and trip. The auto-start signal opens i the trip and throttle valve on Wie initial auto-start over a ' period of 20 seconds (by design, slow stroke time prevents the turbine overspeed). Until reset tocolly, the trip and throttle volve remains open when the pump is shutdown from the CR by shutting the start valve. When the fester i acting stort vetve was used to restart the steemijrtwen AFW pump, the pump tripped on overspeed since the trip i and throtus weeve was atreedy open. Q 145 Subsection 4.3.1.1 Component instano60n of Test Connectons for Leak Rate Tesuno and The AP600 systems are designed so that requwed plant testing can be performed essay g Related insights - Check Valve (CV) Tesent CVs in Sortes Current plants and relletdy. Chapter 3.9.6 describes the AP600 IST plan. TotWe 3.9-16 in the SSAR OT t IST of Pumps and have had to devise complex test procedures that have ilsts volves that require ISTs. CVs that have a safety back leek function are provided f [$is Valves often chagenged operators and meintenance personnel due to designs that make testing very dNficult, if possible et at. with Indhridual amnections to enow their leek tightness to be measured.
'6 One of the areas where the design con be enhanced
, h3 O) ' When there are two CVs in a series and both are requwed i by safety analysis (e.g, for redundancy and single failure purposes), test connectons should be instened between i the CVs so that each con be tested separately
E I TABLE 1 (Continued) I$
@ OPERATING EXPERIENCE REVIEW FOR THE AP800 E
leeues Addressed 8y NUREG 0711 Appendix B 3 ftem lesue Reference I Issue / Scope Human Factors Aspect 4tumen Performance lesue Human Factors / Human Performance leeue Addressed by AP800 Design V
$ 146 Subsection 4.3.1.2 Component Installation of Test Connectons for leek Rate Testing and The AP600 systems are designed so that required plant testing can be performed easily
;;; Related insights - CV Testing Category A Valves and Contamment isolaten and reliably. Chapter 3.9.6 descnbes the AP600 IST plan. Table 3.9-16 in the SSAR g
IST of Pumps and valves Current plants have had to deutse complex test Ests valves that require IST. Valves that have a safety seat leak function (ASME Section [ Valves procedures that have often cha!Ienged operators and XI type A vafves, including containment isolation valves) are designed with the following c maintenance persomel due to designs that make testing considerations: very difficult,5 possible at all One of the areas where the design can be enhanced Category A vafves (per . Valve types that provide reliable low teskage Section XI) and all containment isolation valves (CIVs) should have adequate test txmnections such that the
- Process isolation valves and test connections to allow their leak tightness to be valves can be safely leak-rate tested to the requirements of measured ASME, Section XI and 10 CFR 50, Appendix J, without '
excessive operator realignment of systems and valves, Note that in many cases temporary connections are used to make connections to , temporary setups, operator radiation exposure, or potential pressure supplies and test instruments. Such connections are designed so that the for contamination. connections can be easily made to portable test equipment with minimum radiation exposure 147 Subsection 4.3 2.1 Component- Valve Position Indicattorr Disk Position Indication Current The AP600 systems are designed so that required plant testing can be performed easily Related insights - plants have had to devise complex test procedures that and reliably. Chapter 3.9.6 describes the AP600 IST plan. Tabte 3.9-16 in the SSAR ! IST of Pumps and have often challenged operators and maintenance lists the CVs that require full stroke IST per ASME Section XL As dascribed in
-l Valves personnel due to designs that make testing very difficult, il subsection 3.9.6, such CVs wit have nonintrusive disk position senstes to facilitate such U1 possible at all One of the areas where the design can be testing.
enhanced: Consider extemal disk position indication for l CVs that are required to be full stroke tested per ! Section XL 148 Subsection 4,3 2.2 Component- Valve Position Indication- Local Vafve Position Indication The AP600 systems are designed so that required plant testing can ce performed easily Related insights - Current plants have had to devise complex test procedures and reliably. Chapter 3.9.6 deu:rlbes the AP600 IST plan. Table 3.9-16 in the SSAR IST of Pumps and that have often challenged operators and maintenance lists the valves that have remote position indication IST per ASME Section XI. This Valves personnet due to designs that make testing very difficult, if table includes solenoid valves, rion-rising stem valves, and squib valves. ! possible at all. One of the areas where the design can be enhanced: Consider extemat position indication for other , types of valves which rney not have had such Indication in the past, e.g., solenoid valves, and non-rising stem valves. All valves within certain categories should be considered [ for local valve position indication. (See Section 5.3 for further discussion.) O 2 om tr <D , tb <
~W .A -
L
ll ll O g y f y g n s i, a ly i s 8isVt t a n gt n u e aI u c is a- t s s :t ses n n isro o eCs-c. ee eve d d r -. e ig d . l ty g is tns a epe h c e eaa b d ge en r dac vs t e fa - D e e e d d la r i cp n a o mt r r asn t miu r r s u s i, d h 6 e t i s e 0 ics ch i n i, he p r fo r p eAo c f rod er f vt s r rae h g p e o ls.e er ep t t t 0 6 aT is nt ag a p pun eea d P n yat h l ppi lt n n lpin n el eai i g e oi a A fat i s e g btend g bf s b lyac y p e ka is n oie s rr nle de nef 0 e b t a lo o ht m u am cee u ag m h be y d r a c to0 cni it g r r ucc sd y gePm6 d r i e e t. d to e in is gs h g le in At d n s s Tl S uo m a ae aa h t itn8 Ao so s ,cr e l t s t n IRA s it a t o e Igw yru ta e ncl u .e m te nh r d r ! f h t tet r o n re e r in n n is t at ia i ay t aT p d r o o wo tnlpaf tnlpe nlp . o d A e duitc c a cp ye x h w o a lpT me olg a lp T b s a lp TT n g fe i SS i St r u def nu dI ui n dI Se d d i, n s r dI I is e s s e n o s e0as e9 u s e0 e e v is e oty:g lc fen s o lc a r e f6i ind t ai lt u s r iu0 qP ad 0 ea v iWs ru qPt e r r i0 u6 kor qPt d h e ts i y e c n isawi sb e w o ga ir r e trAh n a e t eAp r e rA c s t n a e a e v a, iof b p s/ ) A aes a o t a eid e d e e m r lan n a E s e v c e R ht sIh SS t TT httshsmt h ht ori e d iv b veh e o c P I t w n o o sepe d f r e apt on e 1 h lav n n a ( t n s bemna r o s bt e e s e s b t e o r p c a d rb ir v it s u P e r oo la w tete e diecfr r oh c dir ec y s ece e d e e s e n a hdet ed v e d e l laia r n m s ns ge idps eu ns ge0 nsh get r a d i r a m m weR s h d am s e s e6 tog id0 s 6 idg s n s o v sr i t e sab a o t H u nf t a i o v p/ tns s s d 9 er inr de6P 9. A de 6.i 9 ru e v r p s n k o
/s o es h r p ak A e r
u er 3 e er 3d la is e r o r ital u av ia v t e d ae k t ar3 owd . stepd etde areth ard v n s ts is si smps e g n e F t c a itst wh a sie wh t m e v la nl uf de o r e ia Ri r tce i s t mpt e haar d c r ulo a st mpt c e hja e e s ht t te aey i t n c a ig r a m io its v ta v 0 0 n a et d o t t v gc n n . ls iiea s sCeci y s tsCu y s . s b tyCei r w id d o p h e fans b cr 0 lyet . no e 6 s s e P B m e ai it m e idhlu at a n pn b 0 lyt o 0 tyt .imlol p a s a e t, A u t 0b to 6 a oeHI r lt lw h i ivc bi 0b 0b eo es a n u l r d c e o r effc f d H dt m i E a e S rot 6 iek w r it s H T n e p err oa recp ur T h T Pthid Pn o Plieis Areracdc 6 leil Pf Ar w l Pl Aretst oe r h F e I cm nil R e e r alu a R A p h cp hedtn a no h ed T nS ed h nr et i h s O T oa . . .
- T at haw T aI T aaw . *
- A
) F 1 y
d 1 e a t e e u W 0 7 e te ts gh e t a aes s e gh t to t a is es n E u fa e n t h V I G s S t e is et au e t x n e h e tnlav it ie m is i v a xd s rer efo tsh nt ht c v tsht sne a t n o E R E R is f o oneh u fo e is wd ts rere e v edeioir ngf pl oniv C J t c e s iav e t wlia ss s togs dd gfoet ei r o s e vneh
.at ewliy ut s d gs
( E N n s . rsk sf lo s nenseun c o si v t ero 1 C N y a L o . wtoaae a o ded Onl 5 E x wisk caae s faas t ne ei dlled nokeh nt a melg L t E B al l E w et amelgt . o o E m er r h ah to aa o Or P r t ic an c e r L I R d r o s iph se at e isane us : s ecel l. r s is v er at isbjersu hh cel t is B e uad : e : shd l. E e f r v v e v e eph e e v A s e e ot h aa c andt e w co v d ot h a u s vndtuade :a w na T P X E s e r P n la V d to gig ds e nfot tat h o V la h e ts e ft l eat a np la V tod s t te n9at s er aeo lenleai hft a ntcas lies ve n onih d gig h op enbn a f d a o f ts e nb h civ G d dalee ns et n o fo a ns et n n n voinf va aal N A m u a n hl dOuw nell r i g la n pavo s sse gn o h lee nel n ea dOuws l r i l ig a a s s se v I T s H s eh it a ot n,ns . it t h er oei ts i vhc ot l. n red s e lph e oetoA g r A e u
/
t e v c eaE - s e nt ea plpb e y
'es a l t
nat plpb grnyn i r utshcnl eint T h n eaEwi R c T ha n ut r n i o c E s Is e p e tsf ed eet ads:
. T e
r t,aei ck g tr e sedadph ut : oe eht r r e c i, asga t P t t us nlt n cee o Cer anigt ut r s k n otel - can nft dt ai d O A n r lae nb o k ty uefifcisn soe n k o la oleleett cafo Cre au uefnigeCa c p S- pv ninsagi r r nb S- pev nin sa gs a et ndfist t s t i i h r dtndegt t aoshintc S i 1 r r o R t h n epe s o nts nu r 4
- g ei cayd ie n n a aoshins s i n ci ayde n i xg u e tu oh repeont e i -
u et F In rome e um nin t c a F r apf et ef r r h t p r vh dm r F i . ha t pli,et e s exc ts e w r me r vhdit eeod u et i,bem o n t s d T t F r fo Cs ut ct k e t ngeea r Cts et b ek e t d t acl e c fo s n e e anr r t m e anr n ie g e m S ni, f a ilty n r e aictn car uny ot s ty t m x stshl o i eun tac ty s e e n fcar ct uno in t ssh eft m i o unf f s s i n er r aics esr t T i x r r e etotewb oe i u dunf l r u b a t i d edngy et i i b ia
;vaeseo totewf f l i
b s edngugn s i d gw H p n c cinyi gnt a t p n i rek algs a et k l paesl sie p s cin yisis o r a uino a u oar eeua s r f a o e pae rins a e r oar r e mek opae hr otst p eeur r r CF pmvdd C C womasl o CPpmvdd r t S comastet a
- d - nd - n d - d e n n p a ts a ts a ts a o hts g s hg s h h s
- p p g s g S 4. ismu teiu n ism n
.i s iv n t
- ip sm
/
e . in . in w
. eI nu u
s i vdefPs n od ptefP s wdefIs n od P s vta oe v ptefoe s i
.wleTia mla oev i-vta oe v mla v CRiV S oeTla wleTla oeTl a CRIS V {
CRIS V CRIS V e c 1 2 3 n 3 3 3 e r 3 3 4 e 3 3 f 4 4 4 4 e n n n n R o o o e to i c itc itc it c u e s e e e s s s Inh b u b u b u S S S S m 9 0 1 2 e 4 1 5 5 5 It 1 1 1 I 1 ke$* 3Y$Q$ "
' 0 7(<N8 D m O &D)ey C
l <I' i ' ys - ys f e v w isna ). I ht in te o te w t n o oy ra g ss fah fah tpcs nfi r ell is oe ss mlaayet h uagA e e nlb oe l t gr h c r. h D sa nb t ai(in( t 0 0 a t h is sa a t h enlet npeok s sl esg bdtoia e lc twe . e. r iuy 6 t h t his aict cg e hd r r qo r P A i e T s . iT e n t eeeol ivnoa sht t ce id wiv et r n b y un aa cl s un. aa hhdcb wttav r eft ob esetas myep o r tave h in d ep cl ep uhtisl i el l l h t sre e ct c cee at ty ot t ewt bT bT s s 0 S 0 S h nriact oai i lat ea e 0 I 0 I yNph ootr o plr tualb sw r 60 60 gt rio e op d P0 P0 lta r l. mu cpk - a lelo d A A P6 heA A P6 nnt ho lapadc eaer o a ree nbc tes k bo ap tal e u t e MAe egst gi y ssrna t r alo e f l e s oht Ioht l pcCoh r inu f is t ct ee yt ilwiir n n t tchethewo ys tys r isb d n e lpb e e t ya ap e c pn lpb >uaet d lc a n a es pi ns a a crs k
<f o le m l, e omde ian m to nd e n. to e n. ce eo igod lon chf r nveadt rt i
ea tna i r nda t r k ic ot n f o r s6 e la p s6p e l r o semkespa pe men r ad ci a e n 9.T o r tom P n d3 IS mre e d3o 9. T S cr f et l isb ei k er ai lopr r b e obml r b t e as r n st e o mre I e o s i a tet h hSa ewph m u ipt s an itetapt hn l nnMe at s ts r ni ytotelao m t, n dm e ihi s ihi i lot H hCs hCs p gir P o s ar tagdt l oy s
/s T . p T isk eec ve enisn ps o
t r : sm Epu : sm Epu loat r h er eeee oipa t tc o f ipco leyr c a L mp L mp tnr obhd toh I.t r u> t fua i l F B uo B uo c aiar tenpdt e sf a< t n ix e pau 0 Apn Apn 0 n ICee r r a na pcl nok c 6 B a v r ICee v r k o eo sf P 0 o Li a A ia m u P c e P a re t Lit e Pc a eesms aooi r ecf r l tp e>r esnr fo )t a 0 ty E H d n H Adet h Par e Ad h b ot m c ao l eniu eoef eh s a elaht s ir. af C a n d aeefup r e at aTihOf i n t l vnth it fo gtimsahc ecmt sf leaka o ae wht isyno 1 y r pans N s . tac .e n l io envd sot ea s h os lae r btneg E B m cot ege st h nni so nn a t E r ta eoeded n eoT s r t i e l n L a nt bt a md tal ui to e epemS tolaht uhht olnee tamei I t B R d o r i r a r n A E e s f r e p tpi atrs nmer inht se n ps hl a oa nr un<nl ca r uth pl i, b nd I io o yi k edt r ta lnuua f si e npss ae c r pl oitwni,ht ns eh r T P X s e P O eggd c igs nloor ort awiuc Cset no ain t dit ae iescad t r t r n fcu car ag cd n o elwl o ekalad vninnt t r t te n of t ic o ecl E d n a n la ;e xd nakehi w siine er r er Ji itd cdis e n imnf u ainb n uama nnvt a hht ae G d P a sd ua u v. n n r givi st toxad egaoe cu e NI A m u g vsma rot emge d vs s su a, oi w e m. alle get ir o iton edi i nye spn d u ounehabst r i mg n u ea ls i s q w,e T A s e u H
/ in vt ar enb crah pmt r
s n r ta f, l o st las i, dn s e u. M sed gt dfh o rvkc w . h ea ct o ca er d ut mre id ro ae enhhiepor r eAct t r - k h o odmb pe zte u s s at e i o wiyelus R s t c e r u et eys tst teniu n n t mvepr i ler iis E s D epsh P i p s a s iont t tnst er c r u n nni ree w d e los sws r
,r oo f los lya al u sured v tapo a tao :etxats c eh ew u t
gf f sh na ea o n e uto l O A i e r anprt J l dedi s oh mfl r oae i tne epr to l ejqo u i,l k s ts egeet uwf sa s seh l Umk - r k oct n n s r eat nf to a l b vo wn tsa r t r e a et i n . p gl o nd nepoimd dr t sntewh SWo neas o r f i e e ocpee e oim o u co i T t
.t ak s t
c dt teoOuwa s o H ae V . we r aar ietn t O bee el or d snd ba er iono r r s am a : o hh u aa t. l. nH d oue tyef r lot : g epmeb to ysh pmpt i i r c e i a,e F n e c d t laEaluwh ob r f f aigin n s ot aldi k la p s n a it s vnl adt nlfoitwl e aee ne eys f
.o o o s s s d, v nt s in ts vd h e ua i i e eet th hote a
n L c a nhi i s een ce o e T ett mc ahh ek pwt Kht ea S e y teut eh r T aee cr ur e o T dg d r r e m u p ts hftonlbnli motsd e spm oi cl ee u p to leg s n nfo e u s m e rs r e e op nt inio gb n lb r sf as o H m n e ssabitslu telun smrts u la v r sh xyah h P ph aeone e o heei u das m l ahcdOTi ee nh i r r et s k a k . tait e a vccmc nie r itc djt twae e i eeisah h r t t l a ta hicpu re r e t o o n hwia r r n l r f ppef s vt st poi l P h n B b aiias nnt wlca f I i af p
- d - d e n n - -
p ts a ts a tss o h r o c - g sy h g sp - gk h e htsl gP o S tn is ii -
/e ei nn u i sm
.n
.iu n eirne t is a t n ne i
sl u n n B eiu s od T s ptef udP ef s od n odF s oev vt oev pteit ptet mla mla cu nts i oeTla wla mla CRIS V veTl S a oeir oepe ea CR I V CRC CRSS e 1 c 2 n 5 5 e r 3 3 e 4 4 fe . n 4 R v 5
. o 4 e it 4 u
s es c e n io n o b s is u b u tc it c S e e S S S m 3 4 5 5 5 5 6 te I 1 1 1 5 1 3b$*g3V$$8 H UW I ID<y._ ( - Onoc(, rD m
i E G TABLE 1 (Continued) i ro a OPERATING EXPERIENCE REVIEW FOR THE AP600 lasues Addressed By NUREG 0711 Appendia B ttom lesue Refw-e issue / Scope Human Factors Aspect / Human Performance issue Human Factors / Human Performance lesue Addressed by AP600 Design 3 157 Section 4.6 Cwi,~.64 Biofouling There have been numerous instances of g Related insights - biofouling in NPP heat exchangers (HXs), where various The RNS HXs transfer heat from the reactor coolant to the closed CCS. The CCS is chemically controlled with corrosion inhibitors and pH adjustment. The makeup water to 8 Heat Exchanges types of clams and mussels havs grown inside of piping the CCS is demineralized water. When the CCS water chemistry is maintained as and particularly HXs. This occurs in open-cycle cooling specified, there is no potential for biological fouling of any of the components which are water systems and has caused sufficient fouling so that cooled by the CCS, including the RNS heat exchangers. pressure drops have increased and flows have decreased. This in tum lirnits the ability to adequately cool The CCS is in tum cooled by the open service water system which releases its heat into components. HXs that have been affected include those the uttimate heat sink via a cooling tower. The SWS is a relatively small open cooling for Component Cooling Water System (CCS), RHR, and system which is chemically controlled to maintain appropriate concentrations of biocide, Emergency Diesel Generators. algicide, pH adjustor, corrosion inhibitor, scale inhhtor, and a sitt dispersant. Refer to the item 7 response for more information on the SWS. (Subsection 9.2.1.2.2) Flows and temperature instruments on the inlet and outlet of both the process-water side and the cooling-water side of the CCS and RNS HXs, enable the use of thermal performance evaluations to detect degradation. The AP600 diesel generators use a closed cooling system with air-cooled radiators; therefore, biofoulmg concems are not applicable to the diesel generators. d Procedure development is the responsibility of the COL appi. cant as stated in A Section 13.5 of the SSAR. t58 S&iei 4.7 Cw.vv. se- Dislodged Connectors Power connectors have become Related insights - THIS ISSUE INPUT INTO THE DESIGN ISStXS TRACKING SYSTEM. accident 1y dislodged resulting in undesired transients. One Power Connections example is power cosmectors for the feedwater control system, which led to a reactor scram. 159 Secton 4 8 Co.ivw 4- Desian Flaw in BWR Intermediate Ranoe Monitors A A failed nuclear instrument power suppfy fuse results in an instrument output that is "out-Related insights - design flaw was identthed in BWR Intermediate Range of-range.' ff a parameter rnessurement is outside the range of the instrument (note that Neutron Monitors Monitors whereby the failure of a power supply fuse the data quality would be good), then this *out of-range"information is indicated on the resulted in inoperability but was not annunciated nor did it workstation display to the operator, create a trtp situation from the detector output. 160 Swiui 4.9 Cv..vw .= 4- Desicennt Carry-Over Due to a failure in the Instrument Air The after-fitter design differential pressure capability is greater than the maximurn Related insights - (IA) system futer, the desiccant from the dryer assembly differential pressure. Should the filter become plugged,it is designed not to fat. The instrument A!r carried over into the IA *vstem and caused a failure of dryer package will have alarms to identify high dderential pressure across the filters, Dryers solenoid valves. This in tun. Nused a CIV to become Inoperable. O o O cr e3,
$ S. , M.
E e-I h ( .
- - _ - _ _ ~
N TABLE 1 (Conhnued) b
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
lesues Addressed By NUREG 0711 Appendix B 3 Item lesue Ref se fesudScope Human Factors Aspect / Human Performance issue V Human Factors / Human Performance Issue Addressed by AP600 Design
$ 161 Subsm.timi 5.1.1 Local Control Use of HFE Principles in LCS Design Localcontrol LCSs in the AP600 wit be designed using the same HFE design process and
;;; Stations - General stations (LCSs) serve as interfaces between the operators
$ Considerations and the plant, similar to the workstations in the CR. Hence.
considerstens as will be used for the MCR and HSL Refer to SSAR Section 18 8. Each LCS will be analyzed and designed to au v-nukie the following- (a) expected the approach to their design shotJd reflect the same HFE modes of operation, including maintenance and refueling: (b) function identificat.on and considerations given to the MCR, I e., they should be task analysis; and (c) staffing levels needed. The design process will identify the designed using the same methods, standards, guideline, individual tasks necessary to perform the LCS's functions Any MMI designed for the and pnnelples. The design of LCSs should be guided by LCS will follow the same process, principles, guidelines, conventions, and codings as the function and task analyses used to analyze the human was apphed to the MMI in the MCR. Plant-wide conventions regarding equiprnent role in the plant. It should be determined that functions to coding, tabelling, and operations of controls will also be applied to the design and layout be performed at LCSs wa not be compromised by human of LCSs. limitations and that the design of the LCS meets the needs of the operator for pmcess information, means of effecting control, feedback on control actions, and an adequate working environment in addition, the design of each LCS should be consistent with that of other LCSs and should - conform to plant-wide conventions regarding codng, labelling, information display, and operation of controls. Labelling should be well-engneered, consistent, thoroughly q applied throughout the plant, and appropriately designed to g avoid wrong-unit / wrong-train type errors.
- 162 Subsection 5.1.2 LCSs - General Functional Allocation Considerations in discussing The LCSs will be desioned using the same design process as that used for the MCR Considerations problems that might be anticipated with future LCSs. and the HSL Refer to SSAR Section 18.8. One of the design objectives for the AP600 Hartley et al. (1984) pointed to the allocation of an M-MtS is to present information to the operator in such a way that the operator is able to increasing number of LCSs to automatic or semi-automatic maintain situation awareness. The WPIS displays in the MCR A be designed to systems (as opposed to human operators). The difficulties accomplish this objective. For LCSs, the respective interface will be designed to allow they anticipated were the same as those that can arise the local nperator to makitain an awareness of the situaton; to effectWely monitor and from increasing automation in the CR, i.e., the potential verify the status of any automaticaRy Controlled local functions; and to property execute loss of operators' situation awareness, and hands <m any required local manual actions.
control skills (Ottara,1993) as their primary role becomes one of monitoring rather than controlling. A related observation was made during the plant visits undertaken for NUREG/CR-6146. O o OT tr o Q 5. , 10. e8 e c) a
E TABLE 1 (Continued) b E OPERATING EXPERIENCE REVIEW FOR THE AP600 g issues Addressed By NUREG 0711 Appendix B 3 Stem issue Reference issue / Scope Human Factors Aspect / Human Performance issue V Huraan Factors &tuman Performance Issue Addressed by AP600 Design g 163 Subsection 5.1.3 LCSs - General HSt Consistency With Main Control Room The reviews The workstation in the AP600 remote shutdown room will be identical to the Reactor
& Considerations undertaken for NUREG/CR4146 trwotved 11 site visits to Operator's workstation in the MCR. The M-MISs availatAs at the operator's workstation
$ observe LCSs. At all of the plants, operators in the CR in the MCR wiR also be available at the remote shutdown room workstation. Therefore, had access to computer-based displays in addition to the operator will obtain plant information and control the plant from the remote shutdown conventional displays. These dsplays provided high-level workstation in the same manner as he does from the MCR workstation.
information, e g , Indications that represented an integration of several parameters, of the value of a set of parameters The MMI and workstation design for an LCS win follow the same process, principles, plotted over time. However, in only or,s of the plants were guidelines, conventions and codings as was applied to the HSt in the MCR. such displays avaltable at the shutdown penet. This issue may bec]me rnore significant in advanced plant designs, where CRs are computer workstation-based, while the LCSs (such as the remote shutdown panet) are based on conventional HSI in such a plant, operators at remote shutdown stations might be forced to gather information about the status of the plant and the effectiveness of their actions by unaccustomed means. 164 Section 5 2 LCSS - Functional Distnbution of Safety Functions Functional Centralization The AP600 plant design is such that it has a high degree of FC, Le.,it has aR safety Centralization (FC) refers to the manner in which the safety functions of functions integrated into a single panet which contains 88 necessary controls and M LCSs are distributed throughout the plant This embodies displays. This panelis the reactor operator workstations in the MCR. U1 many of the systems engineering charactertstics of LCSs O and their functional organization. A plant with low FC has The AP600 l&C architecture wiR be such that aR process information that is availatAe v6e a wide distribution of safety functions on many local panels the plant control system wlR be available throughout the plant. Communication ports will throughout the plant. Such plants also heavily use local be located throughout the plant to anow workstations to be used locally at the equipmer;t control of individual components. A plant with high FC has for " local control *, neonitoring activities, maintenance activit6es, or other functions. Local eB safety functions integrated into a single panel whlch indication and/or controls will not be used except where required by code, regulatory contains aR necessary controls and displays. FC affects requirements, URD or for operation of the process where portaole Interfaces with the human performance through its impact on such factors as plant control system would be a hindrance. Through the use of either portable or communication workload, crew coordination, time to permanentfy installed interfaces and/or displays, plant personnel can access any complete actions, and requirements for procedural monitored parameter in any location in the plant. By using this technique, local complexity. In NUREG/CR-5572, it was shown that indicating devices will not generally be required and an auxillary operator can morutor centralization of functions at rnult function control panels the whole system from one locat6on. was associated with large potenital reductions in rtsk. When considered at the design stage, the risk reduction benefit would be high. 165 Section 5.3 LCSs - Valve Lack of Local Valve Position Indication NUREG/CR-6146 Where appropriate for the given manual valve type, the valve design specification will Position Indication found that many manual valve *, even those found to be the specify a local-reading mechanical position indication as a required design feature. Most O (VPI) most risk-significant manual valves, lacked local position valves will show their position by their mechanical properties For example; a " rising g indication. Without such explicit indication, the position of stem" for gate valves may be used, while a 1/4-turn handwheel may be used for ball and oT the valve is inferred from stem position (fJr rising stem butterfly valves. {Q
,y valves) or determined by checking the valve in the closed direction. Both methods have potential problems, as
-4 discussed in the NUREGCR. OER also identified incidents
@6 c) a
'3 that were caused by poor or missing local VPL The nature of the position Indication should be appropriate to the use of the valve.
E TABLE 1 (Continued) b
$E OPERATING EXPERIENCE REVtEW FOR THE AP600 W lasues Addressed By NUREG 0711 Appendix B u
3 Item Issue Reference issuetScope Human Factors Aspect / Human Performance issue T Human Factors / Human Performance issue Addressed by AP600 Design
$ 166 Subsection 5.4.1 LCSS- Space at LCSs Oftan there is not enough room for The workstation in the AP600 remote shutdown room wiu be identical to the Reactor
$ Miscenaneous operators to work at the remote shutdown panel. In Operators workstation in the MCR. The M-MISs available at the operator's workstation
$ Items particular. sufficient space for handling procedures is in the MCR will also be avaliab!e at the remote shutdown room workstation. This needed at the remote shutdown parwJ as web as at many includes the CPS. Therefore, the operator will obtain plant information, and operate and other local panels.
control the plant from the remote shutdown workstation in the same manner as he does frora the MCR workstation. The CPS and its use of multple VDUs (dynemic roadmap screen, main interface screen and supplemental information) eliminates the need to ensure adequate laydown space is available at the workstation for handling paper procedures. Task analysis will be performed for other LCSs and il laydown space is needed then this need win be addressed. 167 Subsection 5 4 2 LCSs - Steam Generator Dump Valves Manual operation of PWR Under normal power operation, the opection of the power-operated relief vatves Miscellaneous SG atmospheric dump valves is often very difficult because (PORVs) is automatically controlled by st amline pressure during plant operations. The items of complicated manual arrangemer is, very high noise PORVs automatically modulate open and exhaust to atmosphere whenever the levels, high heat loads, and sometimes inconsistent valve steamline pressure exceeds a predetermined setpoint. The setpoint is setected between operation with valves in close proximity to each other. no-load steam pressure and the set pressure of the lowest set safety valves. For their use during plant cooldown, the power-operated atmosphenc relief valves are automatically controlled by steamline pressure, with remote manual adjustment of the j pressure setpoint from the CR or the remote shutdown workstation. To effect a plant Ut cooldown, the operator manually adjusts the pressure setpoint downward in a step-wise fashion. Manual control at the valve is not provided for the PORVs. The PORV discharges are on the roof of the auxiliary building and discharges via a silencer to limst notse levels. The SG power operated atmospheric relief valves provide a nonsafety-related means for plant cooldown by discharging steam to the atmosphere when the turbine bypass system is not available. Under such circumstances, the reRef valves (in conjunction with the startup feedwater system) allow the plant to be cooled down at a controlled cooldown rate from the pressure setpoint of the lowest set of safety valves down to the point where the RNS can remove the reactor heat. The safety-related means of decay heat removal and plant cooldown is attained by means of the passive RHR system and pindependent on the PORVs. l l O R 'D o oo O <
, g A
U e-
~
E TABLE 1 (Continued) b
$E OPERATING EXPERIENCE REVIEW FOR THE AP600 g issues Addressed By NUREG 0711 Appendia B 3 Item lesue Reference issue / Scope Human Factors Aspect / Human Performance issue V Human Factors / Human Performance issue Addressed by AP600 Design
, 168 Subsection 5.4.3 LCSS- Persomel Overexposure Various areas of the plant have The AP600 incore instrumentation does not include TIPS or movable detectors. The
$ Miscellaneous the potential for tugh racation fields that could lead to incore tNmble tubes are installed and not moved during plant operation. They do not
$ ftems personnel overewposuru, therefore as plants have installed present any potential for over-exposure of personnet to radiation wNie installed. These radiation detectors and alarms. Additionally, however, the thimble tubes are withdrawn into the integrated head package prior to head removal in malfunction of certain equipment can lead to very high preparation for refusting. After INmble tube withdrawal, the integrated head is Efted and radiation levets. This equipment includes incore instrument set down onto a tNck bottom shielding plate. The shielding plate is attached and the thimbles and traveling incore probes (TIP). Thsre should head is then Rfted into a shielded vault The thimble tubes also do not present potential be appropriate local waming devices (and perhaps also CR for over-exposure of persomel to radiation during shutdown alarms) to aler1 persomel when equipment, such as TIPS and incore tNmbles are not sNeided and the potential Area radiation monitors (ARMS) are provided to supplement the personnel and area exists for high radiation fields. radiation survey provisions of the AP600 health physics program described in Section 12.5 and to comply with the persomel radiation protection guidefines of 10 CFR 20,50, 70, and Regulatory Guides 1.97,8.2,8 8, and 8.12. In addition to the installed detectors, periodic plant environmental surveillance is established.
AP600 normal and accident plant radiation monitoring is described in SSAR Section 11.5. Additional portable monitoring, including that required to meet NUREG4737, item fil.D.3.3, is the responsibility of the COL applicant.
"i 169 Subsection 5.4.4 LCSs - Emergency Lichtino Emergency lighting is required in the The AP600 design inctudes extensive use of plant automation and distributed control.
01 Miscellaneous plant for personnel safety and for nuclear safety reasons. O The distributed control system minimizes the need for LCSs to meet the requirements of ttems The two key nuclear safety areas requiring emergency either 10 CFR 50 Appendix R or 10 CFR 50.63 (SBO). Emergency hghting is provided Nghting are the scenarios of 10 CFR 50, Appendix R, in the MCR and the remote shutdown workstation to illuminate these areas for Section IIlJ and SBO. Operating experience has shown emergency operations upon loss of normal Eghting. See the AP600 SSAR, Chapter 7 that NPPs have tended to pay less attention to the Nghting for a description of the plant control system. The emergency fighting system is requirements during an SBO scenario. A common practice described in AP600 SSAR subsection 9.5.3.2.2 is to depend on auxRiary operator use of flashlights. Ttus can be a problem due to the potential unavailabdity of The AP600 design includes two non-Class 1E dieset generators separated by a fire flashlights in an emergency and also because the physical barner. Following a fire, at least one of the diesel generators will be available to provide use of one while operating equipment and communicating power to normallighting in areas of the plant not damaged by the fire. Du ing SBO the with the CR may be cumbersome. two nonCtass 1E diesel generators are available to provide power to normal plant lighting. The onsite non< tass 1E diesel generators are described in AP600 SSAR, subsection 8.3.1. O R o Il cr u k I. _, e. e8 e 03 6
E TABLE 1 (Continued) h
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 E
g lesues Addressed By NUREG 0711 Appendix B 3 Item issue Reference issue / Scope Human Factors Aspect / Human Performance issue V Human Factors / Human Performance issue Addressed by AP600 Design
$ 170 Smiim 6.1 Shutdown Outaae Manarrament and Plannino Due to the importance The Desip Reliabliity Assurance Progrem, or D-RAP, uses probabilist6c (and other) g Operations - of outage management and planrung to shutdown rneasures to identify nsk-significant structures, systems and components (SSCs), then
$ Procedures operatlons, consideration should be given to the generates maintenance recommendations and other informaton for use in the plant C.4.m. i of Meduhng tools (e g., computertased owner's operational reliability assurance activities. The D-RAP is presented in outage planning and management aids, see Shore er at) to Chapter 16 2 of the AP600 SSAIL assist in outage planning, scheduling, and management.
Further, an Interactive up-to4 ate PRA, that allows a The non-site-specific critical items list represents the plant SSCs that have been fisgged determination of the risk significance of removing selected as risk-significant based on selected PRA risk important measurement thresholds. For pieces of equipment from service, would serve to improve these SSCs, Westinghouse develops maintenance i ,v.. .&.eilons that will be outage risk management. considered by the COL applicant in his plant maintenance program, including his outage planning activities. The COL applicant is responsible for addressing outage planning. There is no interactive PRA that the COL applicant receives from Westinghouse to calculate risk impacts of SSC removal from service. However, the D41AP criticalitems Rst whose selection basis is risk %) crease measures, are those items whose unavailability significantly increases risk including risk during shutdown operations. Thus, they should be given special attention in outage planrung. 171 Section 6.2 Shutdown Operator Training Operators are often confronted with
-'I Training Program development is the responsibility of the COL applicant as stated in Operations - untampiar situations during shutdown operations. Training Section 13.2 of the SSAR.
01 Procedures programs should be improved to appropriately consider the O safety implications of these conditions. As an example, The AP600 ERGS (AP600 document number GW-GJR-100) provide the function simulators should be able to model important shutdown restoration guidelines for shutdown operations, providing guidance to the operators for operations to a greater extent than they currently do. emergency situations when the plant is shutdown. 172 Subswiim 6.3.1 Shutdown Loss of RHR Capability Procedures are an important Procedure development is a COL epplicant responsibility (SSAR 13.5 and 18.9). Operations - aspect of shutdown operations. Appropriate HFE in the CR The AP600 ERGS provide the function reitoration guidelines following the loss of the Procedures and at LCSs that can assist in the irrplementation of such RNS during shutdown. In addition, the AP600 PXS is required to be available (via tech procedures should also be considered. Additionally, the specs) through rnode S. See the response to item 73 effective integration of the various HSis with the procedures is important. A particular area needing clear procedural coverage is: Loss of RHR capability, including attemate means of removing decay heat such as gravity drain from refueling waste tanks, safety injection, accumulators, or core flood tanks. Procedures should also address operator-induced loss of RHR and restoration of RHR upon loss. O o O T o <0
, 9.
e8 w
- 0) "
[ d e s ns _ e d tor gSd
- t n e Ree e h Aes ts in iwe C gl eCi n
_ t sh i . md n Sb n n tns l eb l Met oRr gl n s rutei Se v op g Aitweso ei nh ta etl h enoo t nd g
. a s is ic n io t, iat D
e
)
- 9. deh 8 n y r et fio f i ta nv n hS t u t
h o hi tna i mt eduwt r r i t r su ilu n of inh r i
)
9ht e e r 1 gT a ua t nitoaieCindo eisngRrad cp e r ul-ao nred 8 a st e lelo cnutr ht h 1 0 dn isess . s n d t ee md t ed ed o e uansia 0 r d 6 P ad n e d iv m u r oc toa n w r t touinp
- h q a o taw oit a e o c orac r i ns e ae e -
A nieto c n or tsIni nde yo pmr we o 5 u r S 5 ea t i r t n . tad r nr roh eer
,l -
ps mret ot ps s 3 ta s y 3 er n ss ;d b 1 b e a ph toI i le yei aple an w *r n ;.
.i iv m teht actsma 1 fe n o d
e Rsot Aah pw i r he vl lepo v oont r eio .g u e g e g re let ae ea r Rnit Aga ist e , n las twt al ri a -,i t s s S oo ioT sd nl n net ix S is e r SSol n r e eir e (Nl b- e ta . n e epueeh pl oh pt Ov ed u a r aht r a, eels e S( d e p o - d r tyRil d tem ia t n i. d nf ut o n e0 - eno ef d d r n ty0 y d ;0 me v ii mt i o dlct 0 i ito on 0 r A Ju 60 n ge uy r n c y oioei h s s.le6 net lvoiTA e n hP witwnica ed e h tA6 s Pt n o vgogt i e l gemd h c u . Pid le tsa S p leh naev oe phi n r s varass int a Cpincn eata e t t e nep at le s gege Rar uir asal vr eRt.h of o ruI r uu nas sn. sa oc i eh ev Ss 0 nd npCf h st ef d e r Cu 0 a d et o r c n tnR7 t, r V R Ra t 6 ae eeod itan r ht oMo Soe Cimo e o t n i oe i uc . a ns t Pi sh oeloweity Rt a t Am m a ivd n m r o li c aA1 S8 fo pS8 ga l. p o e ph ut AveRn uTt hCos zoetevid
. r na d
i sot b hi l enaocbe#o l nt h e t r ic ieo lp;d pr ita f r aeeio r nv ye TMigiuph t ta le r r ui h r te t r u uncl e e yatbow p a e mnm e Lt h t te r em lein - ent se Tsor t a Ld pf o ar P r ga t e n OfoL C cl o wer l l i r m nh ot eosre a l.en et n mh r r h e r p
*eotir
- ar lae vs Oa on C oi a wte i aiuepsvi r pe c r.
a 7 nt ta sl e r t s e m he . t ntr h eh rmleud ov o eetg.eiteMeT m 4 ene s a H u is t 5 neh et r y ed
*r _t o n to einfo i st tnAlo eh p lawl e r T l
t d d r r. s .io n ised t -n io mm nGe va c mal vt m t o n u so sr
/s t
r o wisd
.t ncsad o
e
- s
~ ra m t ui c eml . ale yi r nlet d v oen i
v o gS b ly dt eh eelsns ttu ch tad r ceioiv u untad nr i epef m1 p dr 27 r toeinCen c si a :+seen. b r d ie ~la Inh ebl tahRmc i a Oar eer eaea h p o 2. da 1
. ud tniv n mi pnco le7 l
F rz ean oawoi c e l it t l 0 lad r fi 0 6 B n a Cnaef . s taet v e c nn ioa lewt ev gsuthr me es oo up mr lofr eg n
,si sd eniR e e t e J _ H ;m e t u eAto v
d 5, d
<r a
P m e i h pe r f paps .te3 A ta r ns Lt e t n t i Vd eh e 7 ix u r dt r e es r a nes c w :- Re r va uessn gopr ooiv nag _ ptoaer t E d H eo r u ;i. r s n dbeir eea i pit - eh esuht insorare d pm u H T e p ccuun r r t oaw c L h gamleespt e i l u t r cpt a e-io isled nl a e cs m ie eio ost t i o ac neleel ovvooa t v, i t p r e aaa h dle e est p ob R A Pdfeem f TInb Heramf r l oe cif Rar r ehto ms h i e Pr su ;m o O t
) F 1 d
e 1 nE r o ) E r W 7 e aF f 5 F la n u E I 0 G s u eHe r e e c sR 1 4 H ecni ug i t V E at h t r ng eH te t r h4 e hitas= n E R is s ;a a an aol v R m. 86 f ia f o R e e , e foedl i i ar e/ 2 nr opl - apo b no A ib U p C - u os v pnh evet l E c v b nCiot a *r ( C N n A i o gcnVl s8y3 erp .t s ra p oi . eRaRmioos0 oi t 1 y a - i - r N - lstatnt ap lstat n E r E E B m r 4 ear gaaHaht geatxlsR5 eoaa Hd sA ear ga: e L
.ht dl ter u I
B R d e o i P snun t oqRs e .h r t d tet sh r A E s f r e nioipeengnim s eRn u nioi snunpe l oi t o T P s P le dh onARiet a, d ot r X E e r n s tot s as i !s svI h en at n i t i ui n .Heth6 3 eis ct asi svi h emgo) a r G d d a e V re p a e s st i ciisnia aeRmm0 r m eao7 - or s st icisesvR reae N A m u r onaduffestagecd r erennr r tet i h erf sr 8/ P p s onad r uf f ecesoW uot c apo i o s n n c e er I T e H t n c e eVmgh ula P A / c c ed r e41 o wt cohed r n R u t c a e wt roh oa ed p ebRai nt ta3 it oa r t, c d (p eui E P l s e e p R dh p t, yr ocluo od e s vt luh eh n n 5, a aw0 a e r dhtshl pco t plyroe O A s fo htu tshlta c ph n se ot h g ht is ei p hu ca oo s r t r n sS Csoh une eh it t gw i en s n t 1 pra0 0 agod O fsS unerpdl s y Csoht r i n t o c i ia n foL tca fodt n i hrale riai sin) dit ev heaynyna7 r r
- r to oL tcat fodt ihamo i
ndil gte t i a a r e a ac/8 n e nr F D s pd aan i. io A.tsw ol ve
- i. d S lcVottyhtatnphic6 t, d wr di mh 5 r
e pd v s ni n toAwc s gi ne
.inip n t n aRl sn 2 - i aaadSi ao t dt a te t
nR . r eHrugAepeew0
.e d tnRneHeirny er tac .
et rh , 5 t m e r e r e . d so sd i evipv n r aCmde s ea o d ol E meR u .el et ss c H d v oh Liu pniceddl er u i. u eeiu nmt ne so a pt r owoaua t v d e .hlpniaed pt r i n tmni; . cvplonnmi( n oar r i nfr aL v( R ;n iinmoar cvaai n vn I e p o - - c S
/e nns s e nn-s s e s
u wo*_ ot d a= i wo* ot i s r d ra* i tue~ h pr tue~ h pr SOP SOP e c n e 2 3 r 3 3 f o 6 6, t e n -- s io - e tc u e i s s b S s u Wi S m 3 7 4 7 t to 1 t Eb$E 3T$g$ 3 qgO Ecs. o a .s0-OO Oca m$m
E G ro TABLE 1 (Continued) E OPERATING EXPERIENCE REVIEW FOR THE AP600 lesues Addressed By NUREG 0711 Arpendix B
$ Item lesue Reference issue / Scope Human Factors Aspect &fuman Performance lesue T Human Factors / Human Performance issue Addressed by AP600 Design g 175 Subsection 6.3.4 Shu h . Temporary RCS Bounrfaries Procedures are an important g Procedure development is a COL applicant responsibility (SSAR 13.5 and 18.9). See Operations - aspect of shutdown operations. Appropriate HFE in the CR the response to RAI 440.55 and items 73,172 and 174.
$ Procedures and at LCSs that can assist in the implementation of such procedures should also be considered. Additionalty, the The following AP600 design features reduce the risks associated with temporary RCS effective integration of the various HSis with the procedures boundaries:
Is important. Clear procedural coverage is needed in the use of temporary RCS boundanes such as freeze seals, . SG nozzle dams - the AP600 SG nozzle dams are classified as AP600 Equipment nozzle dams, and thimble tube seats, including contingency Class C so that the design, manufacture, installation, and inspection of this plans in case of failure. boundary (when installed) is controlled by the foBowing requirements: 10 CFR 21; 10 CFR 50, Appendix B; Regulatory Guide 1.26 Quality Group C; and ASME Boiler and Pressure Vessel Code, Section 111, Class 3. In addition, this pressure boundary is classified as Seismic Category I so that it is protected from fallure following a safe shutdown earthquake (SSE). Elimination of temporary plugs for nuclear instrumentation - The AP600 does not contain bottom-mounted instrumentation that requires temporary plugging during shutdown and refueling The AP600 utilizes a flued Inc: ore system. q - Cunent plants remove the excore detectors from above the encore housings g through the floor of the refueling cavity. During refueling operations, these holes a are plugged to facilitate flooding of the refueling cavity. The AP600 has eliminated these ternporary plugs by designing the excore instrumentation to be inserted from below the excore housings. Reduced reliance on freeze seals - the AP600 has reduced the potential applications for freeze seals by reducing the number of lines that connect to the RCS and by providing the ability to perform operability tests on many valves that connect to the reactor coolant pressure boundary. This improved IST reduces the requirements for disassembly of reactor coolant pressure boundary valves to test their operability. The use of freeze seals during a forced outage will typically occur in cold shutdown (Mode 5), when the PXS is required to be available. t76 Subsection 6.3.S Shutdown LOCAs Durino Shutdown Procedures are an imponant Procedure development is a COL applicant responsibility (SSAR 13.5 and 18.9). The Operatlons - aspect of shutdown operations. Appropriate HFE in the CR shutdown PRA has addressed the risk of LOCA during shutdown. SSAR Procedures and at LCSs that can assist in the implementation of such subsection 5.4.7.2.2 provides a desenption of the AP600 design features that have been procedures should also be considered. Additionally, the incorporated to address inter-system LOCA. See the responses to items 73 and 172 for effective integration of the vanous HSis with the procedures more information. is important. A particular area needing clear procedural O coverage is: LOCAs during shutdown, including R[ O g QiEL intersystem LOCAs and operator-induced LOCAs. (Also see item under subsection 6.s.3.) m E cn -
I ;' a h ne hf o c n is s c ih an o eal st n n S u st Pn r eoit it c hb ee T nf uh n o e nn g C di sef e a Sd oai r ) gt t lty itatii is . e Re aits s to ) .inton r r d e e n T nu i e n ) D e )9h 8 ed u hPa 0 0d ;i is vd io 9 8 r p e 8d s 9 e e st e pns e r pPu o 1 t. ht l cCe curb y 6 n nn tc 1 r iov .fo dn tnt 1 a s 0 dt eet d tase i nS P o f An*a&c 0 r eas i .n a n d a -_b h n n ah c a ai g t, e ni n 6 o P a vtesit t d eot nf a ma eiee oss c u i it a d n m v a n A s d y 5Rsn 3T u a eph v ht r tasd r au eBlc: fo r n o 5 3 a 5.tmlb 3 1 olaCy i enf oo L
- a. Mc i
b 1 Gm0 ut v o ns e c 1 1 t gC tem e p "e i e t d RSy0 Rt p e6 T ta o r d e l R 5 Re iavlobii .l n ys e s An hPGso wfohd s r ita A 9 Ata a os i i r . y S S ga t,ASeS o n S n u u s i s T n Sr nps aba iu l s S o Seu d v q epo i e e .t p .g r n d d n he ( s ( r n P eneC h. e it c ( s m .n d tyi h r o ty ty oih t e oi d iwCt tWoRomw ahRt lty oeet i r mimr e d i il e s l i tomnhl e ts e vl i io o A b. hu qefo e es i i m b b dt ei t y c i l l t osn i s u r e v e u s so nF hesf ea o ie gugrrn .icein uh r u r qi o it g b a n o R s isesed nr yt ou i saucl e le s gal o o p . t lpnd a pwiets in p pq ywl n dp s ts A i e sretnt srtaprec a i et s . eey r r a d u n e s e S se er . her eba io l o anleu c a s vor a r nie t hep r lc n d r S r t i. vt pt p c n l eooph tne gt i er o t t o
- 3. ft tnprt la sc eyit n n n wfo toec f
a ( i ic a in . lo at adt odn c a oAn m icns eusr er r w . ic nf s n a ic dA e9 icsl otyoanc i lp 3. ep ea u mhi fovn n r lpr lpl pc tyitnlan lp lpmpa oiin l o pr ooio i io ia p ib r
. p ctau e 1 s a c yT.d e ng at el f
r cit tc t n a c p v n fu9e erea ar. alipmos s n t e Lr e i a e se ce aka nt h P r L x L e m L yu tnor n Oot Gsu n pe i.. h Oeiad nie t elet o O d S Osf o eio C dif f S edi o C vb p C nt t a )6ntar ent a i af t s Cgna t t al pcf m aet t adnelie sem . oh a aio l a iR aipht o a o ses n u ilsaht is 3 itga mA is lnee o s e p ebio H ;t u d aie t lud t ue r w t o n ct ss lp i vy m ait se r is 4 t eS sS tn ceh o d e e h ut a t s
/s r ..pc s ef u ot e gb gn v v ninefo ecis t
r eve yn eo t ht y ah l f oRr m mot b mntr i for - Si sAfo e uh e ooL meiua pb sdtos us . nde p pedn e i nsc nSn . t sl p c pnrt t hl m et o s esnt agr o uoi ad ol v er oS en35 J e n a n yin w e a p imen u id e i F cd . f a We tcv i le ue ed at a tano 0 0 n bihi s et s awo lev s.c sa te gl eo vf ev oi low nii1 t La
,t na r et hr o eh aeGmltol 6 a r r i Sg l op ada9 P B m shRnolty d
e16iTn fc bi i laant t d e r Ps dnt en p l h pe l pnu x ula n A ix u oEito l n e1 e6 epi eovo r r vitgeo r iset i r d H uor t da unp 6w iait u es us u0 f i E n dieaap0 r to uec d o s3 l lo AMP d r i d 0 sgf . ee et c r c6 nlint nnina e is H e cnr o0 aifi cui n r eih eo t c F ly e0t hbtye s T p ccchf oeeo6 ea r nf e t p r c pl Preq eig oeit e o oP eoei b R A PsoaApr s r P( Swot h f h * *
- P r h n T a r
PAecsd vopr u aau F css O
) F t s s s d 1 R e nE e R ess e W 7 Ch c r g aF r e Ch c r n
u E I 0 G e u eu e un sh di n. r , eH r e tn fo ee ta he uirdf eu e uo sh dl r i V s tnh f t ceu a v.v ht r mr fodn er t, c o as e. u ht f t, vo t t E tn. i o y, o d fo n E s a i o R i
- i. n ans tca h ;y oinoy vf R
U e u Enapep r d l L i e ;, y e foeiao . pRc e ro df l
.d v Enla pe l
r C E c p u b nCt n lcR l u;. p e ( C N n .Fiton o edertur e d .v o osH sCs ;uhedee yFiton o ed 1 N B y a ;Haih n endht t i t eaw ntslo e c p p oi lstatnf . cur o a t ef i it iHaihit e t e _ E E m r at edi s oAearg aoif it nh odh n nendht n P .ht d te al d o L I d o t y r a t ndit s at edit s a r a emAwiet B R vor es tr in eimAwi e e a i.pl et h n pea toAwi l f A E s e r t snun vt ps o i
.sg e r
a opdl .sg e r pe P s vpdi .sgs a nnioi l T X e r P n s e pmeSa pi r Heh i r ai fc w tot hsveL oeg loa o i is i nx mFt n eSar Her He dl epmeSa r sr E d as r pi e r He v i i n at eme i cg n r r s rstfesoio cis rc nn d v _ G d a d uAe a s o uis tu ea e d s o v duA ed s o N A m u e . th i. .ou c s,a h p onaduferef d aleiu s o c e .t his uo c cs n r. S eipnil n c ec edu ddelc us r r cs onion ar nil I s oniwi la ar ts apmor a _ T e H r o g n r a _ A u
/
t Pir ot s vu n ac st n wt roht. e nio sr oic arvu . r ot c vu R s c taie e ded eh ae oa c e e i,ta epe e dew n Pis e b he co t isb e e d i e s r sb r r ph a duA tnot E s p s h cit r u dh p lyro ps nnt r a re s h c D htu tShl we I P e aot sf rhoch ca s a p n O A e on e .isf od paot r o onl opat ity sSca un e ied e l opu r t li o onl op sf A nw atcd a nr npt s Csoh gu t p cstsa oni nrh o naa g r w nr ioain o atcd r o foL i t r osd ioalegs C A oa lutioa o on it o t t fod he ahd Pi t l eioa t h te ca ndi r gsna t sl ta a )u t lut lelo n dh t t hoaCu d let c r n e n r xr aCin lo dn o graCoc a g o enig . ur o t s nitoAwv .ts ons P hu st h I o u pd F it h s s e t.dl d n t n cir e it pas e t d se e _ n a lu f sSstnn n i io Creia o r ar nta m e aaadS t t uh d tc c oct stnn e nareian u sSstnnt.l le f Ceiaf u toL uert oin-4 i ere s to wh uet r i o r _ m u D n c t divob a ot p d . n ia nRneHh ta ee r C m.o d.u cgn a ih t r ya r P dset ot d pc ivot F t toL c taet uet divon r t pe H o r e pd c.feipCcmiP w t n o hlp-.ir e t uSc ofeio cmt e n e e pd ofc cmp s mnm varotee i pt o s n peirsaR uf . o n p i r hCr p s nr f eis f B aa w C iiic v pi o F sL peip f s r S aapeio e p o - c - - - S s
/e nns esr nnso esr nn s er nns esr u wou wou wk )
u wi* i i s ot d ot ot d ot d is d ar e d ra d ar e d a e r htue proc htuee htue proc pr htue po c r SOP SOP SOP SOP e c n 6 7 8 9 e r 3 3 3 3 f e 6 6 6 6 e n n n n R o o io e i tc it to i u e c c tc s s e s e s e s a b b b b f u u u u S S S S m 7 8 9 0 e 7 1 7 1 7 1 8 1 1 Eb$Eg3Vgg$ H&fo 3c<y_8 a a aewC) ORooD, ( jj'
E G TABLE 1 (Continued) co
$ OPERATING EXPERIENCE REVIEW FOR THE AP600 1E issues Addressed By NUREG 0711 Appendix B 3 Item Issue Reference issuetScope Human Factors Aspect / Human Performance issue T Human Factors / Human Performance lesue Addressed by AP600 Design
$ 181 Subsection 6.4.1 Shutdown independent Measurements of RCS Level Many current The AP600 has incorporated independent hot leg levet instrutnents in each hot leg g Operations - plants do not contain permanently 4nstalled instrumentation These are permanently installed and are capable of measuring mid4oop conditions at
$ instrumentation to monitor the planfs safety status dunng shutdown. For shutdown. Their range overlaps with the coldtalibrated wide range pressurtzer level new plants, instrumentation that appropriately supports instrumentation to allow for continuous measurement of RCS water level during the shutdown operations should be considered for installation, transition to reduced inventory operations. SSAR subsection 5.4.7.2.1 provides a for example: two independent measures of RCS level, description of the AP600 design features that have been incorporated to address mid-includmg permanent instrumentation capable of measuring loop and reduced inventory operations includmg the hot leg level instruments. See the mid-loop conditions accurately. There should be adequate responses to items 73 and I72 for more information.
overtap between the RCS level instrument ranges to ensure complete coverage at a'l levels and to allow comparison between instruments as level changes ranges. Plants should avoid dependency on temporary, tygon tubing type level indicators, which have caused many problems in the past. Additionally, one should consider the potential inaccuracies of midloop level Indicators that occur when one leg is vented to atmosphere and a slight pressurization of the RCS occurs. Instances have also occurred where the RCS was under slight vacuum, q resuittag in level measurement inaccuracies. Additionalty, g there should be available displays and/or alarms of water g level information in the refueling area while the reactor vessel head is removed. 182 Subsection 6.4.2 Shutdown Independent Measurements of Temperature Many current The design of the AP600 has considered shutdown modes extensively as documer*ed Operations - plants do not contain permanently installed instrumentation in the various licensing subrnittals: 1) passive safety systems that are designed to Instrumentaticn to monitor the planrs safety status during shutdown. For mitigate accidents dunng shutdown modes (SSAR Section 6.3),2) TS that apply to the new plants, instrumentation that appropriately supports passive safety systems during shutdown mooes (SSAR Chapter 16). 3) ERGS shutdown operations should be considered for installation, (Reference 2) for shutdown modes,4) quantification of the risk of core damage at for example: two independent measurements of core exit shutdown (AP600 shutdown PRA), 5) evaluation of despbasis-initiating events during temperature. shutdown modes GAP 600 Shut 1own Evaluation Report - 6/96). Instrumentation has been designed to appropriately cover all modes of operation Mctuding shutdown. RCS loop instrumentation and core exit thermocouples provide independent measurement of reactor coolant temperature during shutdown operations including midloop and reduced inventory operations. O o O T tr O O < m y a g D WD CD ^
- - S
. ~
m E TABl.E 1 (Continuee h E OPERATING EXPERIENCE REVIEW FOR THE AP600 g issues Addressed By NUREG 0711 Appendix B 3 Item issue Refwi.e lesue/ Scope Human Factors Aspect / Human Performance issue V Human Factors / Human Performance issue Addressed by AP600 Design
$ 183 Subs iu 6.4.3 Shutdown Monitoring RHR System Performance Many current plants The AP600 RNS has no safety-related functions during shutdown cochng except g Operations - do not contain permanently installed mstrumentation to maintenance of the reactor coolant pressure boundary and containment isolation if a
$ Instrumentation monitor the plant's safety status during shutdown. For new design basis event occurs.
plants, instrumentation that appropriately supports shutdown operations should be considered for installation, The RNS contains permanently installed instrumentation to monitor system performance for erarnple: capability of continuously monitoring RHR as desenbed in SSAR subsection 5.4.7.7. System parameters and alarms necessary for system performance, including adequate alarm capability system operation are rnonitored in the MCR includmg the foNowing: for out of specification temperatures, pressures, and flows.
. RHR pump flow;
- RHR HX intet and outlet temperatures; and,
- RHR pump discharge pressure.
In addition, the RCS contains instrumentation to control and monitor the operatons of the RNS. These include the following
. RCS wide range pressure
. RCS hot leg level.
q Instrumentation is also provided to enable mid-loop operations to be performed from the g MCR. A 184 SubsmJai 6.4.4 Shutdown Instrument Ranoes and Accuracy Many current plants do The design of the AP600 has considered shutdown modes extensively as documented Operations - not contain permanertty installed instrumentation to monitor in the various Ilcensing submittats: 1) passhre safety systems that are designed to Instrumentation the plant's safety status during shutdown. For new plants, mit6 gate accidents during shutdown modes (SSAR Section 6.3),2) technical instrumentation that appropriately supports shutdown specifications that apply to the passive safety systems during shutdown modes (SSAR operations should be considered for installation, for Chapter 16) 3) ERGS for shutdown modes,4) quanter ication of the risk of core damage example: instrumentation containing appropriate ranges at shutdown (AP600 shutdown PRA),5) evaluation of design-basis-initiating events and accuracy to monitor shutdown conditions as well as during shutdown modes (AP600 Shutdown Evaluation Report - 6/96). Instrumentation power operating conditions. has been designed (including appropriate ranges) to appropriately cover ad modes of operation including shutdown. 185 Sut,w tion 6.4.5 Shutdown Dedicated Shutdown Annunciators Many current plants do The design of the AP600 Ata m System includes alarms specific to the special Operations - not contam W.-. air instatied instrumentation to monitor conditions that artse during shutdown conditions. The alarm trigger logics include Instrumentadon the plant's safety status during shutdown. For new plants, defining plant conditions under which the alarm applies. Apphcable trend displays will instrumentation that appropriately supports shutdown be used during shutdown conditions, including reactor vessel level or equivalent. The operations should be considered for installation, for M-MIS includes trend displays as part of the Plant information System displays that are example: use of dedicated shutdown annunciators for available to the operator through hrs workstation. Also, the WPIS will display significant special hazardous conditions that arise during shutdown trends for each plant operating mode or significant plant state, includ6ng the shutdown O (*-8~"*"8**"Y'"*"")^*"d'""*
- d**
o use of trend displays during shutdown, such as RV level. 186 Subsection 6.5.1 Shutdown Containment Equipment Hatch An equipment upgrade that The equipment hatch will be maintained closed for operation modes requiring C 5. Operathons - would improve shutdown safety is: A containment containment integrity or the capability of rapid closure will be incorporated into the
) M. Equipment equipment hatch design that allows for expeditious closure design of the maintenance hatches. An open item wm be assigned to follow the to Q by operators when needed during a shutdown abnormal y, event. Similar provtsions should be made for other resolution of this item. THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING SYSTEM. Other contaiament penetrations includog containment purge and personnel containment penetrations that may be open during alttocks provide the ability for rapid closure independent of nonsafety-related support shutdown evolutions, services including ac power.
E G TABLE 1 (Continued) ro 2E OPERATING EXPERIENCE REVtEW FOR THE AP600 y issues Addressed By NUREG 0711 Appendia B U 3 Item lesue Reference lesue/ Scope Human Factors AspectHuman Performance issue Human Factors / Human Performance issue Addressed by AP600 Design V
$ 187 Subsection 6 5.2 Shutdown Fuel Harvilina Equipment An equipment upgrade that The AP600 fuel handling equipment design has incorporated industry operating data and g Operations - would improve shutdown safety is: improved human experience to develop a design that will improve shutdown safety. The use of the
$ Equipment engineenng of fuel handling equipment. Poorty-designed operating experience is intended to eliminate any poor design features that were present equipment, in the past, has led to fuel assembly drops and in previous designs in addition, several of the leading fuel handling equipment design damage. This equipment should also be addressed by the and maintenance organizations are involved with the design and review of the AP600 HFE program. fuel handling equipment. To ensure that operating Olants have the ability to provide their input into the AP600 fuel handling equipment designs, many of the fuel handling equipment design documents have been reviewed and commented on by personnel at operating plants. Re rer to SSAR Section 9.t for a descripton of fuel sto age and handling.
188 Subsection 6.5.3 Shutdown Overpressurtration An equipment upgrade that would The motor-operated valves in the RNS which are connected to 'he RCS hot leg are Operations - improve shutdown safety is: use vatve interlocks to prevent interlocked to prevent them from opening when RCS pressure exceeds 450 psig. These Equipment overpressurization of low-pressure piping and components, valves are also interlocked to prevent opening unless the isolaticn valve from the IRWST (LER 50-341/86-045). to the RHR pump suction header is closed. SSAR subsection 7.6.1 desenbes this interlock. SSAR subsection 5 4 7.1.2.5 describes bow the RNS provides a low temperature overpressure protection function for the RCS during refuetog, startup, and shutdown H operations. The system is designed to limit the RCS pressure within the limits spccified CD in 10 CFR 50, Appendix G. (11 The AP600 has also addressed this issue in the ISLOCA report (WCAP 14425). 189 Subsection 6.5.4 Shutdown Backup Power Sources An equipment upgrade that would The ac electrical power is not needed to maintain a plant safe shutdown condition for Operations - improve shutdown safety is: appropriate use of backup the AP600. Although the diesel generators are not required, generally, if offsite power is Equipment onsite power sources, such as emergency diesel lost, they will be available and will automatically start and sequence loads that will generators, and portable power units. enhance the safety of the plant during shutdown conditions. 190 Section 6.6 Shutdown Communications Between MCR and Plant An important The plant communication system consists of the frMowing systems: wireless Operations - aspect of maintaining normal shutdown conditions is communication system, telephone /page system, PABX, soundpowered system, Communications adequate communications between the MCR and the rest emergency response facility communications, and security communication system. The of the plant. This includes areas where the following wireless telephone system is the primary means of communication for plant operations activities may take place: maintenance, testing, local and maintenance personnel. The wireless system consists of wireless belt <tip portable operations, and monitonng activities. Ettective handsets, hands-free type portable headsets, a comprehensive antenna system, and a communications are also very important during any wireless telephone switch. The telephone /page, PABX telephone, and soundpowered abnormal events that occur during the shutdown period. communication systems are for general plant communications and serve as backup to When designing plant communications systeme, care the wireless system. These systems are designed for effective communication between should be taken to consider shutdown operations, the MCR and the rest of the plant during all modes of operation, including shutdown. O The communications system is described in SSAR subsection 9.5.2. E oI o ca (D < . ,g e8-, w
- 0) "
References To Table 1, Operating Experience Review for the AP600 Design
- 1. " Programmatic Level Description of the AP600 Human Factors Verification and Validation Plan," (draft dated 4/13/95), WCAP-14401 (Non Proprietary)
- 2. AP600 Document No. OCS-T5-001, "AP600 Man-in-The-Loop Test Plan Description,"
Rev. B, WCAP-14395 (Proprietary), WCAP-14396 (Non-Proprietary)
- 3. WCAP 14644,"AP600 Functional Requirements Analysis and Function Allocation."
- 4. Electric Power Research Institute, " Advanced Light Water Reactor Utility Requirements Document," Chapter 3, Revisions 5 and 6, issued 12/93
- 5. AP600 Standard Safety Analysis Report
- 6. WCAP-14115, Rev. O, " Review of Nuclear Plant Operating Experience and the Application to the AP600 Design," July 1994
- 7. WCAP 14114 5
- 8. McIntyre, B., " Completion of Westinghouse Activities Related to NUREG-0711,"
NSD-NRC-96-4845, OCP/NRC0626, October 17,1996 m:u2esw.wpf:1b/101796 Revision 1 T-66 October 1996
3 y TABLE 2 a
?
RELATED HS! TECHNOLOGIES WHERE 4 LITTLE OR NO NUCLEAR EXPERIENCE EXISTS
$ Reference 9 Document Human Facters/ Human Performance issue HFE lssues Applicable to the AP600 Design Addressed by the AP6u0 Design 8
Ref. 2.1 Interviews Conducted at Fossil Plants with Soft Controls:
- 1) During a startup on a simulator, operators experienced little problem 1) The AP600 M-MIS consists of several resources (subsystems) that will with soft controls as long as events went as anticipated. When work together to alert the operator to the problem, focus his attention problems arose in the startup (such as equipment failing to start, on trouble areas, and provide assistance with diagnostics, planning automated systems failing to work) the operators exhibi%d and recovery. These subsystems include the Alarm System, Control considerable difficulty in understanding the cause of the problem and (soft control display) System, the Plant Information System recovering from it.
(workstation physical, functional and automatic system monitoring displays) and the CPS. See Table 1, response to item 77.
- 2) Importance of having redundant methods of calling up the desired 2) See the response to Table 1, items 77 and 93 for a description of displays - there should be multiple paths for accessing a display or several AP600 M-MIS resource integration and navigation features, control.
Execution of the HS! Design implementation Plan, as described in SSAR 18.8. address this issue. d 3) Importance of predictability: The operators should know where a
$ requested display will appear. In this fossil application, sometimes it
- 3) THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING SYSTEM. I appeared in an unexpected place and covered critical information.
- 4) Providing guidance or design features on how to configure / coordinate a
- 4) THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING multiple VDU display space. SYSTEM.
- 5) importance of providing critical / overview information in parallel to the 5) See Table 1, response to item 66.
task being performed.
- 6) Supervisory control of automated systems: it is important to detect 6) The Plant information System will present to the operator Automatic what it did, explain why C did it, predict what it will do in the future, and System Monitoring displays. Automatic system monitoring displays understand why it did not perform as expected. are designed for automatic control systems and automatic protection (reactor and ESF) systems. Each of these displays contain appropriate information, allowing the MCR operators to monitor and supervise the respective automatic system. This information includes what the system did, why, and what is expected in the future.
O o O T
$0 a 3_.
m-
P g TA8t.E 2 (017 ", k RELATED HSI TECHNOLOGIES WHERE {2 LITTLE OR NO NUCLEAR EXPERIENCE EXISTS 3 Reference . Human Factore4tumen Performance issue 9' Document HFE leaves AppIlcable to the AP600 Design Aeldressed by the AP600 Design
- 7) Control task characteristics and soft controls a) operators question the 7) THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING value of touch screens because operators were accustomed to a SYSTEM.
rnouse, and touch poke points were too thick and inaccurat6; b) potenhal problem of multiple indmduals simultaneously controlling the same p6ece of equipment from VDUs at different locanons, Ref 2.2 Soft Control Lessons Leamed From Aircraft industry
- 1) Ufting finger off the target area touch logic to actuate is more forgiving 1) THIS ISSUE INPUT INTO THE DESIGN ISSUES TRAC 90NG than when the finger enters the target area to actuate SYSTEM.
- 2) " Soft button
- to visually depress 2) See response 1) above Y 3) Auditory feedback on " soft button
- activation has merit (i.e., sound 3) See response 1) above.
@ equivalent to activating a hardware button)
- 4) Display colors for normal and off-normal condsons 4) See response 1) above.
- 5) Computer / display response time 5) See Table 1 Item 93.
- 6) Linfung of alerts, procedures, and configuration tasks 6) See Table 1 Item 77 and 102.
, 7) Navigebng through dsplays 7) See Table 1 item 77 and 93.
aa ag. s 5-a, - _ _ . _ . . . . . .-....,w.. . . . . . . -- - - - - - - - ' -
"- - ' ^ ' ~ ~ ~ ' ' '
3
$ TABLE 2 (Continued)
O
.E RELATED HSI TECHNOLOGIES WHERE u
LITTLE OR NO NUCLEAR EXPERIENCE EXISTS
$ Reference Human Factors / Human Performance issue 9 Document HFE Issues Applicable to the AP600 Design Addressed by the AP600 Design E* Ref 2.3 Lessons Leamed From Naval Training and Airline Industry (Human Factors Considerations for Group Overview Display):
- 1) Situation awareness of crew 1) See Table 1 Items 66. 68,74 and 75,
- 2) Communication, coordination, and performance 2) See Table 1 ftems 66,69 and 71.
- 3) Error detection and recovery 3) See Table 1 Item 55,66,68,74, and 105.
Ref 2.4 Lessons Leamed From Naval and Airline Industry (Role of Advanced CR Features for Enhancing Crew Performance):
- 1) Team performance 1) See Table 1 Items 66 and 68.
- 2) Communication 2) See Table 1 ftems 66,68,96 through 100, and 190.
- 3) Crew size 3) See Table 1 Item 63,64, and 65.
- 4) Skill / knowledge 4) See Table 1 Items 67 through 72.
- 5) Stress / workload 5) See Table 1 Items 64,66, and 71.
- 6) CR design features to enhance situation awareness, verbal 6) See Table 1 ltem 52,66,68,74,75,96 through 100 and 190.
communication, and error identification
- 7) Situation Awareness 7) See Table 1 Items 66,68,74 and 75.
- 8) Overlap of expertise 8) See Table 1 Items 63,65 and 70.
O EL o 33 5,$. a a3 cn -
E TABLE 2 (Continued) Y RELATED HSI TECHNOLOGIES WHERE { LITTLE OR NO NUCLEAR EXPERIENCE EXISTS k Reference 8 Document HFE Issues Appilcable to the AP600 Design Human Factors / Human Performance issue Addressed by the AP600 Design k Ref 2.5 Lessons Leamed From Nuclear and Airline Industry (Navigation Through Large Display Networks):
- 1) The large scope of computerized CR applications necessitates large 1) See Tabte 1, item 77,91 and 93. SSAR Section 18.8 includes the display structures involving thousands of displays. Design errors can Implementation Plan for the HS! Design that addresses the criteria of result in getting lost in large display networks. Element 7 of NUREG-0711. For each HSI, including the Plant information System (workstation displays), an HFE design guidelines document is developed that provides guidelines to the HS! designers on the conventions, symbols, color coding and dynamic characteristics to be used in the design of the respective HSI. Issues such as navigation issues will be addressed by the guidennes document. The HSI Design plan also includes concept testing and design reviews.
- 2) Overview displays 2) See Table 1, items 66,74 and 93.
-l y Ref 2.6 Lessons Leamed Frorn the Space Program-0
- 1) Information display issues include structures that constitute a display, 1) See Table 1, item 77,91 and 93. SSAR Section 18.8 includes the organization of those structures, and methods of directing the user's implementation Plan for the HSi Design that addresses the criteria of attentim to specific display areas. Element 7 of NUREG-0711. For each HSt, including the Plant information System (workstation displays), an HFE design guidelines document is developed that provides guidehnes to the HSI designers on the conventions, symbols, color coding and dynamic characteris*,ics to be used in the design of the respective HSI. Issues such as navigation issues will be addressed by the guidelines document The HSl Design plan also includes concept testing and design reviews.
- 2) Display response time 2) See Teble 1 Item 93.
- 3) Navigating through displays 3) See Table 1 Item 77,91, and 93. Also, see response 1) above.
- 4) Procedural errors 4) See Table 1 Items 50,51,91,105 and 106.
- 5) Errors of confusion occur when one word, function, or command is 5) See Table 1 Items 55 and 61.
O mistaken f r an ther. hD 6) Errors in detection and mv ,;iva,v 6) See Table 1 ttems 55,66,68,74 and 105. ng-a g-U m-
e u s s egn i . 2 ci 0 ns ae . 1 8 d mD 8 n m r0 d a f o0 r6 n 8 a, 8 eP PA 0 8 0, 8 ne ah 7, 5 1 9 7 7 mt uy 7 7
. d d 7, 4, n n Hb
/ 7 7 0
7 a a sd r e 9, 1, d , 4 9, os 6 n 7 6 t s 7, a care 6, 6 8 6, 6, Fd 2 6 6 6 6 s s m ms m ms nd s aA m e e e e e m It t t t It u I I I H 1 1 1 1 1 e le le le le S lb b b b b T a a a a a SI T T T T T E X e e e e e RE e e e e e E S S S S S HE C
)
WN S E
)
1
)
2
)
3
)
4
)
5 d E I e I R u GE n OL PX it n OE o NR C ( HA 2 CE E EL L TC B I U n A SN H O g T is : s D e E N D ie TR 0 t r s n AO L 0 u o 6 d it EE L P n a R TT A I l m r e i O f o I L h t d i n o n d t a e r l e s, a b a h s a G c , d i lp la n p ic a A t r s a c e s le n r a e E io u s a t kr l s e m o id s y a itu o w no r a lp s E F f F d e c d is d e
- o cita H e t a s r m
a ma ea n d t ic p s e e n t in e r in n L s f o g r r e an t em p a n o F n e I t U O eT s s ) ) ) e 1 2 3
)
4
)
5 L et cn n e em r e f c u 7 eo 2 RD f e R MQ8E. 39O* ,- 5,5 - _ Y2 oo 1 9 am
' 11
References For Table 2, Related HSI Technologies Where Little Or No Nuclear Experience Exists 2.1 Roth, E. M., and D. G. Hoecker, AP600 Document Number OCS-J1-005 Revision A,
" Human Factors issues Associated with Soft Controls: Design Goals and Available Guidance," Westinghouse Science & Technology Center, dated 2/1/94.
2.2 Degani, A., E. A. Palmer, and K. G. Bauersfeld, " Soft" Controls for Hard Displays: Still a Challenge," from the Proceedings of the Human Factors Society 36th Annual Meeting - 1992. 2.3 Mumaw, R. J. and E. M. Roth, AP600 Document Number OCS-J1-006 Revision A.
" Human Factors Considerations for the Design of a Group Overview Display (aka Wall Panel Information System)," Westinghouse Proprietary Class 2, June 1994.
2.4 Stubler, W. F., E. M. Roth, and R. J. Mumaw, "The Role of Advanced Control Room Features for Enhancing Crew Performance." 2.5 Roth, E. M., W. F. Stubler, and R. J. Mumaw, " Navigating Through Large Display Networks in Dynamic Control Applications," Presented at the 34th Annual Meeting of the Human Factors Society, October 1990, Orlando, Florida. 2.6 " Human Computer Interface Guide -- Space Station Freedom Program Office," document number SSP 30504, National Aeronautics and Space Administration, June 1991. 2.7 Roth, E. M., " Analyzing Decision-Making in Process Control: Multi-disciplinary Approaches to Understanding and Aiding Human Performance in Complex Tasks," Westinghouse Science and Technology (STC) Repor', 95-1SW5-CHICH P1, April 25,1995. m \3265w.wpf:1b/101696 Revision 1 T-72 October 1996
3
$ TABLE 3 3
4 OPERATOR INTERVIEW ISSUES 1a Reference 5 Document HFE Related leaves Human Factore4fuman Performance leave - 2 Addressed by the AP600 Design g Ref 3.1 Westinghouse Conducted Operator Interview-
- 1) Simulated accidents in NPPs resulted in cogrevely demanding 1) See Table 1 items 66,68,74 and 75.
situauor.s where situation assessment enabled operators to handle aspects of the situation that were not covered by procedures.
- 2) Cognitive performance in simulated emergencies 2) See Table 1 Items 49,67 through 72.
- 3) Crew interaction in simulated emergencies 3) See Table 1 Items 49,66,69, and 71.
- 4) Training for unanticipated situations
- 4) See Table 1 Items 49,68, and 70.
- 5) in cognitively demandmg situations, the abitty of the operatcJ to form 5) See Table 1 Item 68.
accurate situation assessments and to generate response plans to cover aspects of the situation that are not fully addressed by the procedures is important
-i y Ref 3.2 Westinghouse-Conducted Operator interviews:
Cd
- 1) Situation assessment 1) See Table 1 Items 66,74, and 75.
- 2) Cognitive skills are needed in situations where formal procedures may 2) See Table 1 Items 68,69, and 70.
not exist or may not be as presenptive as they could be
- 3) Complex decision-making tasks in NPPs 3) See Table 1 Items 68,69, and 71.
- 4) Cogreve skin training 4) See Table 1 nem 70.
- 5) Performance under stress (workload) 5) See Table 1 Items 64 and 66.
O
$1
@3 Nh a g-D 3
\
3
.E TA8t.E 3 (Continued)
{i OPERATOR WTERVIEW ISSUES 3 Reference Human FactoreMumal Performance issue g Der:7 ent HFE Reisted leaves Addressed by the AP800 Design E R3f 3.3 Wesunghouse-Conducted Operator interviews. AP600 Soft Controls:-
- 1) Excessive lag in response tirne from the moment an operator initiates a 1) TMS ISSUE INPUT WTO THE DESIGN ISSUES TRACIONG contromng acGon to the moment the respecuve component responds SYSTERA.
can be an impediment to the operator's atsty to carry out manual control tasks.
- 2)
- Soft slider" vs ' soft pushbutton*, operators carry out manual control 2) See the response to 1) above.
tasks faster with open/close pushbuttons than with the slider. Ref 3.4 Westmghouse-Conducted Operator Interviews
- 1) Crew structure: the vanacons in crew structures and action of crew 1) Training Program Development is the responsit$ty of the COL Y members (i.e., - .. . 'c; seeking information or being passive) applicant as stated in SSAR Secuon 13.2. Insights to the training j indicate that operator traming should give more attention to the roles program wE be available, following the HFE venlication and validation, and responsitelles of crew structure for consideration by the COL appNcant during training program development
- 2) Procedures. during simulator retrainmg, operators made use of printed 2) See Table 1 Items 67, and 71.
procedures during test trials, however, on a few trials the procedures were executed from memory
- 3) Problem recognition 3) See Table 1 Items 68,69,74, and 77.
2 O fl o 33 5 N.
,s a
@3 3-
E TABLE 3 (Continued)
$ OPERATOR INTERVIEW ISSUES b
C Reference
$ Document Human Factors / Human Performance issue HFE Related lesues Addressed by the AP600 Ent.
2 c> E 4) Planning: operator activities in the areas of planning strategy and 4) See Table 1 Items 69, and 77. obtaining feedback about the results of control actions would benefit most from new operator aids or CR Livviaments. t Ref 3.5 Interviews with operators involved with simultaneous reactor trips at the Diablo Canyon units: Shared CR concems during a dual reactor trip:
- 1) Noise and confusion existed in the CR. Operators had to listen
- 1) NOT APPLICABLE: The AP600 design is a single unit. Even if two carefully and verify to and from whom each verbal communication was units are built on one s'te, they will be standalone and separate. The directed. Since personnel at both units were executing the same dual units will not include a shared CR.
procedures, but not exactly at the same rate, they had to be careful that they were responding to the correct procedure step. This event is not modeled in simulator training and presented to operators as a new, unique challenge This event emphasizes the LTvedance of formal, p repeat-back communications. m 2) Plant communications: When a single unit trips, people outside the CR 2) See the response to 1) above. are instructed to call the other unit to find out what is going on. With the loss of both units, not everyone is sure who to call. The result is a high volume of phone calls to a unit that is busy trying to proceed through recovery procedures.
- 3) Alarms: one source of confusion was from alarms on common 3) See the response to 1) above.
systems such as service air. It became confusing as to which unit's personnel should respond.
- 4) SPDS positioning 4) See Table 1 Item 34.
- 5) Emergency lighting in the turbine building was dark for some minutes 5) See Table 1 Item 169.
causing a concem for personnel. O 51 o 33
$E ,g a g-U e-l
3 b TABLE 3 (Continued) k OPERATOR INTERVIEW ISSUES e Reference Human Factorsatuman Performance issue h Document HFE Related Issues Addressed by the AP600 Design General CR concems: 6) Procedure development is the responsibility of the COL applicant
- 6) Procedural problems in AFW flow and charging pump operations not (SSAR 13.5). The AP600 CVS uses centrifugal pumps only.
related to the dual trips, was a procedural glitch that impeded the Following a plant trip in the AP600, an excessive cooldown is avoided operators in throttling AFW flow earty enough to prevent a significant by automatically controlling the feedwater flow to the SGs. cooldown and drop in pressurizer level. During a trip with the positive displacement charging pump (PDP) running, pressurizer level is lost more rapidly during cooldown than if a centrifugal charging pump is running. Operators at bou units felt that they should be instructed in the recovery procedures to start a centrifugal pump if the unit had been operating with the PDP.
- 7) Visibility of annuncietor screen 7) SSAR Section 18.8 includes the implementation Plan for the HSI Design that addresses the criteria of Element 7 of NUREG-0711 and for each HSI, including the Alarm System, a functional requirements d
y document. This document specifies functional design requirements such as visibility and legibility.
- 8) Multiple annunciator system alarm states: It was complicated and 8) See Table 1 Item 82,83, and 86.
difficult for operators to respond quickly to alarms that were near their setpoint and came in and out rapidly. An operator may not have the time to analyze every alarm to decide what is the actual condition.
- 9) CR was crowded with littfe room to walk around freely. 9) A full scale mockup of the MCR will be used to verify the layout.
(SSAR 18.8)
- 10) The location of phones in CR was not conducive to responding to plant 10) See the response to 9) above.
problems.
- 11) High noise level from computers. 11) See Table 1 ftem 100.
O RD o 5? ,w. g m-
3 TABLE 3 (Continued)
$ OPERATOR INTERVIEW ISSUES b
2 Reference
$ Document Human Factors /H'iman Performance Issue HFE Related issues Addressed by the AP600 Design Ref 3.6 Westinghouse-Conducted Operator Interviews - Ongoing Activity NPP Normal Operation:
- 1) Operator performance is influenced by cognitive skills as well as 1) See Table 68,69, and 70.
Institutional practices.
- 2) CR procedures
- 2) Procedure development is the responsibility of the COL applicant (SSAR 13.5).
Ref. 3.7 and Westinghouse-Conducted Operator Interviews for Feedwater Control during Ref. 3.8 startup (Iow power):
- 1) One of the main reasons that the manual control of feedwater is a 1) See Table 1 Item 122.
demanding task in currently operating PWRs is that the control task is inherently difficult. In addition accurate information on critical process p variables (i.e., steam flow and feed flow) is lacking. M 2) Number of operators in CR
- 2) See Table 1 ftem 48 and 64.
- 3) High noise level in CR 3) See Table 1 Item 99,100, and 101.
- 4) Stress / workload 4) See Table 1 Items 48 and 64.
- 5) CR displays: A way to facilitate prediction is to provide displays in the 5) See Table 1 Item 88,90,91, and 122. SSAR Section 18.8 includes CR that give more accurate Indications of the process state information the implementation Plan for the HS! Design that addresses the critena needed for prediction, such as, a) better steam generator !evel (SGL) of Element 7 of NUREG-0711. For each HSt, including the Plant information, b) low power feedflow and steam flow indicators and information System (workstation displays), an HFE design guidelines c) predictive displays. Two types of predictive displays are proposed: document is developed that provides guidelines to the HS! desigr.ers
- 1. a predictor which displays SGL with the shrink and swell effects on the conventions, symbols, color coding, and dynamic removed and 2. a predictor of the maximum / minimum SGL to be characteristics to be used in the design of the respective HSt. Issues reached (due to shrink /swe!!) before level turns around, such as naviDation issues will be addressed by the guidelines document. The HSI design plan also includes concept testing and dcaign reviews.
- 6) Training O 6) Training Program development is the responsibility of the COL Il applicant as stated in SSAR Section 13.2.
O c7 [~ co <
- 7) Computer-based procedural aids 7) See Table 1 Item 102 through 109.
m g-a 5- $U e-
References To Table 3, Operator interview issues 3.1 Roth, E. M., Mumaw, R. J., and P. M. Lewis, "An Empirical Investigation of Operator Performance in Cognitively Demanding Simulated Emergencies," NUREG/CR-6208, U.S. Nuclear Regulatory Commission, Washington D.C., July,1994 3.2 Mumaw, R. J., D. Swatzler, E. M. Roth, and W. A. Thomas," Cognitive Skill Training for Nuclear Power Plant Operation Decision Making," NUREG/CR-6126, U.S. Nuclear Regulatory Commission, Washington D. C., June 1994 3.3 Hoecker, D. G. and E. M. Roth, " Effects of Control Lag and Interaction Mode on Operators' Use of Soft Controls," STC REPORT 94-8SW5-APMMI-R1 (or alternate AP600 document number: OCS-J1-008 Rev A) Westinghouse Proprietary Class 2, September 23,1994 3.4 Woods, D. D., J. A. Wise, and L. F. Hanes, " Evaluation of Safety Parameter Display Concepts" Westinghouse Report NP-2239 Research Project 891-5, Electric Power Research Institute, Final Report February 1982 P 3.5 PG&E Letter 225537, " Simultaneous Unit Trip - Human Factors," from P. G. Saraflan to *"*- D. B. Miklush, dated 1/17/95 3.6 Mumaw, R. J., Roth, E. M., Vicente, K. J., and Bums, C. M., "A Model of Operator Cognition and Performance During Monitoring in Normal Operations," Westinghouse Report, AECB project No. 2.376.3, September 1996. 3.7 Roth, E. M., and D. D. Woods, " improving Skill in Feedwater Control During Startup: Results of an Expert Panel Session," WCAP-11135, Westinghouse Nuclear Services Integration Division, February 1986 . 3.8 Schaefer, W. F., " Low Power S.G. Water Level Control System improvements," WCAP-11126, Westinghouse Proprietary Class 2, May 1986 m:\3265w.wpf:1t/101696 Revision 1 . T-78 October 1996 - - _ _ _ _ _ _ _ _ _ _ _ .}}