Text

Rev 2 to Human Factors Engineering Operating Experience Review Rept for AP600 Npp
	ML20133E534
Person / Time
Site:	05200003
Issue date:	01/06/1997
From:	Nydes R, Winters J; WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:	;
Shared Package
ML20133E532	List: ML20133E534; NSD-NRC-97-4930, Forwards Five Copies of WCAP-14645 Rev 2, Human Factors Engineering Operating Experience Review Rept for AP600 Npp;
References
	WCAP-14645, WCAP-14645-R02, WCAP-14645-R2, NUDOCS 9701130062
	Download: ML20133E534 (92)
	v • d • e

t , ;'. ,. ,. "; j m,' :' i *, ' . *

.- "g ; .;.' ?~. -

, .;' . '%l ,; 'q ...e.. ',. ,' ' .'.: ...". : \ ; .%,. . . F,; .

...',*:;- ^ ;l : s .n:.: :.. ... '::. .:

i .~ .

'.v: ;

i; ;y .*

. .a.s .;u n. "n3. ,> . .,, - *

;:l,:[,):* %.. ,, . : . ? :": *i.

'.,','%,'y ./. S.. :, a :.. f. ,, n: , V, N Y::il ;i'.. '.

'.. :.;. .,., ".yp '.i pm, . l;i.; .*. .,+;;. '*' O., 1.';; .h.: .. ,i:. c. . .,, ,;;. '::;. .;;. .. :. ., . ?.,A) '*;q.':Q il ., g.i $gj.'.: ,

.~ 'l

. . ,. .: .G; . : ? . .:, : u- V':

s c , . . . . . . ,l ;. ., ,.. ,l

- , . w..,. , j ,, ,. l. ,

.q, f, ,.s.,c.. g .. y f. .,.. t.,3:'

s., 4 .g,,p.y.; ;.

,. . , ., g.

.. - p+9.

.,y,<

...::m

... ' . a.

. , .. . ~ ....)-

..,s.'.,...;...,....,.,n,, .. ;, f..: a ?:, . , . :y. .: s. , .. .. , s . s , ' , . # . . .. . 3,. 4,* ; q . ., ,; -

,3:.. , 'f.'::t g.s:: . , - .c . v

r t .

. . .;.z,.. ..,::,.s .c; e s,

' .... ; . .. .. ;. ..: .* [. ' e . . . . ' . .::

O..

..,'.,.e"'..

e.

-. a. :;.ev<,

- -o . .;!.. :.,: .~:.; * ;- - . l; . ; . .;.

.s .:. ,s*s

.of,f. -e, ..+f . o ,.2

. :., .s .', .:

','.:.'.p

.: .....;,~

r, . ,'W;

'.?;+.s-

"s. ::: . , };. . ... s...

' Y,; .: .l( : ;} .D: . :. .' . ;. - (;,-

' ;6,3:r .;,;-

,;'e. . :[.:,-[,y.l':.b .y.; :p ;;;v .l;[}.i. .J:f. :'.,f.4.k

.~v:..n:<.

. .f.[.< f: :

. .. c

, ?l '. .A :. .:. s . . . - .

. . : .. n .> .. .

l f., :.,. .'. ? ::.*j . ^ vg l *.E.. -

i

'f.,'i ~<'I[*f,I '. ) , . ' J. i .[:.,'*: ~ " .::':l*f .[ f,'f' .;.:i :l.:#. o 3... .. :. e f. g . .- . ,,s N [.h. .

- , '.; : , .;(' l.'l:

l, .: ,' ?, . . ,d., ,, . .',. d .. .. -l f

.q . . ..-

<..:..? ;;. ,;.; ;:: . J: :. . ,H, ,..,zl1 o.

%:.. o.

,i.:,,< ~ . '.;a ,; ..*.g .;w i ' \;

. ..y: . ';:. \ ..,: g'"% : .. . . o:A ' . .. .. . g.:: :) C: ', .HI* .?n ,: . . ..:- ~.

,. : e

',. :M. :i..'i.s.

g .. ::;.).

p'.:v:. l,: . r.:> ,:

' ;s m.Q. ,. :

..s ;;, ;)...;.4. . :. . ;y',

. .. ..': ",'{};, . :. . : . . : n .._ C ::'h, . .?y,

, . ,;l,;. , .u.,_.}; ,, .;p. ... .,.1 ; :: ;q.,::{} . . .

-] ,, . 5;g. .(' [ ", , ; 's ,', 4.

>o. .

_:":.: . T,.,!. *;,..

<}: . :::2: .

- tey ,f. .,'[.g).. .[. , , ,,; s. ,, -

(\a.*'.v,_; g,,

~ .;: . : v:.*

5

.t' ,,,.'-). .: , . : y

. 'q;

i. .

s .v .f.';,: .: . . . , . , -l 1 : - h ,-

, ?.-

\!,,*,,.,,...

... f. ;*.

L:, * ... * * :. AA. ,

.: :.; \ o. f. .. . s u u.:l:.

. N:.: . ' s .!, .&.< ~. 'e

~4 , ..p .r,. . : ".p,: t..,s./.ni..

. ,, ..., .1 s.;. n..'

.v,

g. - ~. , . . , .

. .. .i. . ;. ; . , a,s

.. ..c.~

i

<v ~, .s.cs.s.-;l.4s . - ..:,..#.... .- .. >.:j.,.....

. t, . s., "g:.,A;.s'; ..

y..,... ^6.,.. , '.1.

pr.s..,,. .

. ;., . .. ;. :e ;;;.

. = s. g.g{ ^,.n .

' k.y ") s.- j ,[ [... ,[:,:.y:[., k [A ['.:.:/..'

5A+ E ' . "."'4 ', ; . J;, .'. [;:Os ,'[$ ,{...r,$ N. 'O T, ';.,$., . . '.I, .:.d '? { f, ' [s . *',:p, ;ff[.[s$,,A

' */- . : , \;, ~x ' . , . . j:si-

- .- .n. .r- .'i'#.; . . :, r: . .y . 9 . ' y c. " . . -

.. .: .s ,

, . . . ,h;.; .' f' . .. <h. . ,; b ,. l.. .f . ..,. s; ; .c f .. ' ci, .N?,Y,y.E) ,'

l: {s . .ln fh.f;k.':.h:: ..:' . 'sY,,":t..?.' ,*s?, \'f:#

.4 . . .

,*i i .$.

? ,l{jal . .f.:f1'

, ; e ,'.lyfe s.

- f'<:l .,.' :

. 4.Af. g'?.-l. . .

lt

.g .

..; 4

.N, . :$. ,.,k.*?.*.l..O':':l

, :. 4 % i' d

s. f' .: c<,. .k:l".h'.;i. ';;... ? :(9:als <. . .h3 ,?li. 'E I?,..,. . . l[ Q9;', " ' .*.)' ..':.,

'.! ,, ~.;.

.*.,g . :.. : s ,' \ " y . . ;;, ; :. *:;. it:

'. .; .js :: ?. '

s.a .

,e.lu .f{& W Q ' .;, s. :

, , ,, . . ' . p.

- .: . ; . ..:'* ;y '"r ... \ ', : c .- ' . T . ( . :. < ,

,V) ,*:.;*;., .;* : . , . m.

q ...n.y.~.....' ..*: z ,-;~ ;,. :,,l,,c

.'-> ,: : ., . .:e . . -. cf , ' .> . .g:.' ..%.

. :., . ,.. .j c-:.

< <;- _s . , ;-

- . :,.f., >_ ._ : , ^. -l' > ,., 1,'. ! , :jr! l (p

, . .a . ;

- .-: e .a .

.. +< .e y,, ..

1. ,

n.s.r;a..:..

. :'. t ';! . . : *. e;_- .? ;r. ,:;: -

.,.~:.',.s,.: . .; } t . .s'.;,.~...'.'-..-

: - . '.g

. , .. , . . , p .r, . -.*' Jt , s,.) : ! .<

, ' ;: . '. .,<<.l=- .d ,) W .U..;'ll.: : ,..J.; ..: ., ; .,., , , . . . . J' .-*..; -?; -f : .',: ..... ;. ; ;

s...-*.

. - - * , . : t

-1. e .

s' .*< ..g'"e"'..'

t .3 *

'"*'Q,',..n.-! *.'t ' . s. , ^ s - -

. . n NA $*;', .' . .A . ' ' ' ,*' .',e..e'- d ' *

l ., '. ,;'

.g*

- f;. ';! 's ,y *f., . %} C.I'*,) ' l-

.. .,.. .*:,...,"..,'}*

e i' .g:. %..

/ ;'.. i l . .,

%2, W~ ..;.'. ;

'; ' e.z's' * '.'.'r.%.'.q,

\ +.,

.' . : . aA e"- " % : ' '* ' :, ' ' -e

. ' I s , k,a: :. .. - ;;

. O "a .l.t .."*',,.<..1y.*

.'~,:'*.'.".<\.

e'..- . s .n. . ;< . . s .a

.~i'. ' .1 .*

A.

. > ,A

",\ N ' ',,hI '^:.~...'

~n 3 . s a -

.?sl ***.h". %,{., ;I ,<f ,s ,'.: - * .. h ' ' R 's~' j 'l' ,fI '* ?.' $ , ,,\ *j

),.' ..,t ,..;;.,.-- -

'", p

.f..

p." l. .. . . 'SlA ' ' .ll;

.':?l) $._0.[, 1.,A ?: q:l .' .,l*l;~; l3 4 :.: .~,:...s....:..,.-

~, . . : :n . * -

, .a.# ,*' . gy. f;. . , : . ':, ': . .. . ,T r,.P1.: .s.;. ..s'.

.1.. t- .; . 4 -

f ee)., :.' . ='s , f. _, :j..(*., .

? . .

d.. : -*

.,,.,y'...f. , : -a.., ;a...,...

.; ; .g =. . , . Y : . , , . . . .

,j ..pt :t . .:e .e ..,g.- w- .- .+...: r3. . . .i .,. y ..

o: y.> .,, .,,~g -. . ..m. l * ; . ; ,, ,. f.. .,; Q./.,g ; . ;. c . ;,.

.-.r9

. t

s. .

'.s..,,-. ...:; **

p ,:,

.,c,.-

n

4 Q.ix : ; _. - .<.s.,. % s:,, a . * ;. .y

,; ,,, .; y_ g. .. ,r. .

4 p . Qu .a

. ;^ > -

~r,.,,,,.. . . ;. s . ..4

.'..o

y{ ..,<;'.s ,. R :, ..;, ;.., . , .. J:;; ?q). 3 . , 4..m_ g, . , ?,, . :s_e .y.M;. ..y: ?l y

' e }*,.p ,. . . ", r l; ,.l r;'s a . 6 ?..,,p :,,j';a,_

n,.;,':j [ ,j : .-1:.;- ' .,<w[s- ,._: *

,gv , . ?_ ,' ; . '- .

. f ..'.:;v.ey...e... fc:lV[#s;.;.' , ,

..~;. 7. x. - .: ; ,. :. . ; c, p. .. . . , . . . . . ,- v. ..< , . .' . .4.: . s ..:An :r<.

7 1., . .. . r . ;2,..

=._..a..

s

. ,. a.,; ,

.e,.v .n

.' 7.. .

.'l' .s?jl:,'*l?i). ; ',I'N.: ' $!.'

"liW.T", OrY?.A.{. $oh. ?. .' OD~ * '! l YJ.? E* . . fb. .b 'l. ]?.'-l.\. . .^ Y $"fl. N, f ,Q: .{g , I. ...' . '\'l'$ P.l2. *,l,'%]., ll* ~!s' *!"[Nll:{l,','. .:l' . yL',', Q: l;;*;';$f.').k 1*.hA l..);;.ij;. r b.}

f ,e f '; W : ; j. '

- Q* *a; ,. / . y . ; Q > : 'M;; "': *.,y @' , . -1 :: . 'n..( 'f > '. ; i ' 4 :, .'.

;.l Nie?

'c

s; t*, Y.!

'N *'

-r '

!4 . .'f :_ : . : s ,f" ;a< ' *'r bl e . ' . W. . . ' . 'r. ., :.* ..i :* * ". ' .' .:) .s . *;': .l's:.< '..

'. ?;.s c,1..?l. ;M,hn.. *.f" n". 1* :. " ;.,.;','. y 4,, o ,ll?.v.g

%, . . %c:? * . , . .g*.?'..

<..:n s r ..;;<; ... .'. r..r "f'* e' .e ..;..4. ;. . . * . ~ ,. , ..:.

.. ..8..

s - .,v . ). . . . .

.s. .. ., , -

,m - .- ; ,n . .', . , .,.;:y2 p: 1

..t . .N :.l < i : y p m .q\ ....

e '.

' m."l. ig1..'k'.;: :,p'hg m.;;.; : ., p..: :: . .. . ; e ~. .;.: .. - 1'..... 4:;d:g., n.

. ~ - ::::.y kr.;p:.z g f t w .,;a ;:::. . . :. p'I% r. ;.a,:,h,r a l

.. v . ~ ::. . u u ~. y. ..

, .$e.n:.. , :. ,. o s...;%? ; MN: ,:%h.&s::,

m%.l'.j.l,.

,ll;X.

l4 ,..G;': c .

...C.' : .L V . W.a" .g.. D W ".'.;l2.:,f.::.

... .y.

f..: h; .M

. g:. .

llf.l.k; . . . . , . ; .* :.?~,. , .

.h .. . r.ni; 3 et y:t .,g~l .3

.f.- .A. .~

. , ' . ' . 4*:. . .. 4 , .' i . ' .,..~..s s

J "..o rlI ':..y ...,d.; .wr=;:..' . - -

,. % . ", y golt.. ~, i ~. : . * *

. 's* . ':- l

:.p *-e ., .* * . ?;c v.....

u. e, y

.s.*'

.: y.:. ;. ;"8,*..

4'.- '.

. b :;j' .'s_ .

. + a, .. 4 * , . ** !

. ;'; '. . :.' . . s . ' '

i.: . .:. . : ., *:". : q,.; . , ' '. f : .. * ; : . ", ..*v n' :<n ? . " . . .. - -

. . x.

'" k '..*!, ' j.:lf,:: '.,y V. , ;lJ. * . r u. -l... . g : .l, - l .**", 'l *l 1

. y;.

s. .f 'l-l .*: , - ).g.;. :. %

, ;.. . ..';;L . ;'., . ,:* e . .'<<.

" ,*: ,e# . : ..* ;'s., )' s '

. .% a ,l m. . .; o. . :

t',; _', { '_ r; ';. ' . ; l, -

~.

(). %.. . ,, - . '. -

+ .

. . . t'

. . ,; ,r . * . 4M;Y' *;, . .b +, *;.) : ..,' L. ..'.._'a:,.....e,

. 6-'.'\ *; :

J.

k,.....,,- . . . . . tl : . s . . . ~.

.e

. . .;,;< . - ' s. 'e. ; .s: %.

l ,'x. .:s'.'.s . ' .% ,; , *-

'* ' ' :. . "! '. : '.,q

' . . ..Q'q - c

. ., .. . s, :" .

m,', ,;

. ' 3;p'.. :..:; . ' '.':. '.l. , -l * *7 ...x. ..h:1 ' %;* * .- ' ' . ' . . ?! 's , ' t '. :' e -

.. . ' d 7 . '* _. . ;;'...L

[g;} lh: .f !.'ij';$)l. - !:l" <,f ? ':l.," *...j T: ' '.'l "l *l : . '% 'i.A'

';l h;.';l ?: ..' . -l. '# ,? : " . ,'. 0* : {f, 1 .? *

i 5. ., , 5., _'

'.l. ' .y h, '?.:' ,7 -}.k l'. i] . Y.j. ):!gl$.. .- !.n..

. * : :;: .:. .: . : - .. .; - . 1..;x.::* ".

trM t .. *r -

~. * '

't .,s:

, n . .

. , . .:m.. <. yl;: W. .. . . . r ;f. ..d..::*j.. ' .

... .:,.?.. .. .

k

. k 'v. :.: ..T.'t -. : p, .+ -

n:'

.S, :. ;' ' O *: .,', })f ;'s...

/ <., d

. i,; ./.Y, '0' -l,g.: s:.:% .. . t.:.: . ~r . L': e

..Jv j* .f" '. .,A' v. ' "':\. ;.:^'$ . ' . .=Q;

-. .';'e. .,. . >,',

t ';. a",'.l.R. *ls.':..

tf ".,J. ': : .: .:, Yy'. . . d:., l c.;+%:: < .:;,. ; :. .g,. .:.;. ..t.-

, j. . .

' =::.".- n:.'s; ( .. . . -;:;f. ,s':" .1 .

& :, . l{. .*. . .. . ;? , .-.b; .:' . . ' ' S ;

sNf ,!

'i. 5 .,.'S ,l l. ,' . *

.lb.*."Y h l!? Y:ke;'

i

l s .!:l ;&:' f Y";fl, j:;; '

".*' [*0-g ( .QI:lll.',p.F.* M.

. . *..m.#.g .i f,;b:~c.: . . .l

. '?i a l?;y a.( . . a.. w.ge';.:,

. % y' ..s.. . ..; ]?: 1 hllt .. ;y,li.o

... .?N 9, ,t.,.t,t'_v. :._Qf, < . . r;.'."%. M%'.\

. p . ; , . '. j i 4y .',f.?:k ,!(';.'I";$."..*' f sh. :..O.lll,'.%;.n..y, n&- ' .q,'; a ..

d ; *s .,s.

W>.:3 g,:*%p.

s .a.r : ,1,.. .. ::.. . -

s

. ,,,f :., t -. ,, .

i. . . * .:.n,-:v, .. .. : %'

:' . ~: *.? > ~ L - .. .

. -l ~ c: , . J -

u.:.

':Gjy:. i * ..

ju., s .: ? Y -

Q; , V. . .fe 3:.;, - .y

. 'Ny .. -h,.'eN e: : c .: .f.).l.,$f. ..y .,g&p. ,; ; ,.(, v.g'; ;,:.. .,p ,1 --. . . '..=..".. : . .v %: a .~).' . .gn r J 4 {,; ,?:h. 's ;. fin.Y '.?l:/:::.,;b. th;;' ' . ll,9{ f l l ' *

't.

.v,.

' .~ .,' s;' .._{,,"t::;

~ ',s, ' s .*z 9... i a,?,

.. . s: :k.:.&

.{:':'.;' - C ,; . .o Q ll a o ::.&

.;- q :'.. ..,... '.k:,Gf..

t ,,'l;

,s . . u .+.a . e; Q.9,

. :. i w,.;

..;,.;Ml;_k ; :

jly?:

's.t.

h._:::A p;i.A> g. := , - . %

~D C t;.Y,;.?'",;

. ~ ~..,.; . . . , .'

)*

. , :(

, f;q gi . ';%;.; _f. .:

w - 1 t,; ,

1.:: >?)' :?' .

v;:. .,:;, , $'n' . .! . ."' ; - ,* , ;,f ,v , , , .'m%:. ,.-'p,,~*.c~

yf +8 l. q '.-

.:..m: ,. 3 .c ' . -:>j:,

n ;

g ;r .'.'.ys~r.sz,- ~ -::;. w:.,, p.,.

E{._ln. g .,'

._.s.. . ... y '.y,

. , .Y,.; .: . .. : x.. /;;.f a,fq'v;.y.( .

.J .

U * ..

. ..j . .'e %;g 9 .

.K"'. y...

l.

. . .r . . ~ ..:L. ,? 5l !(.'s l '.: ' '<;.y*,'r, Q . .d'.;ly ;' i. ~; s/ !;; y,d, Q . f,f 'm.;,ip

!!:?..g f. Qf, )'; . j);y:$ i;+.4;;:/ a.a, v. .!q .g . -

.,,..hm.('.?..Y

\hih..

0.h...

.:,.y,.S*. $. ' .**.:.f:..s.$e y,,... .,..e;:

v....

.1vw. f. (. l y? N. .

3_ .

f 'prn .

' '^

r G ,;

m,;pi. ,.c&p[.u.lNW;: v::.:. . : .

i

y. u x: f,m,Q',l ?v.lY.&,w&:::.Ni :n . uy W, e$;,. , 7....p w .. ge .. M'?f y t Yk'. e ,- i

; ~

.p y y , ; .n.::.. :

~". ;p: .y

en; ., .=..: g,.n; .. ..:3.p n ,.s; wp s :.,n m: <.weg ,y! g h..%m.;;Qp.w, ....

~,,;- e

. 3 .L. , .;. .. i,: 6:e:

% *gn:; ::c:;y.glp s.. g . . .eQ;c.

,; .- p.s;g' :g - .

. w. 7< .r.lufjf, .:f..H;..,p,. s Ai% -Q. 3..% .,7,h?.;q::% .;:f<ln..,2.. . .'

QQ.i.w9. ,:qh;%

~ ~

:l. ?.W.H:: , .Q Gl.'d. y g l:ln; ,i m.d, k ?. h mlesm4;ew.~QW e w wu w. p 4 m.m.e a m,

.m.v ~.%:..::@,;w:-}:w(W,.w.)

.l

. o %pm:R.'v"y,;,4 dW 0& : 4 ow ph m. m;a W N MFia Q;R

. m,' &. .n w~b ,@ n Q' g phiq.a O..+: p. .v.e . mp ~h . . s g: ..

%,s eqWMy%w:g?j.hhhf;&q$g.q:,:m.e@m@k a..u r.:

f .

'Q v.; khzo hg ;04;ff.kelg,hi?ifb t ;:

Y'zlm'?NOf$j[?.&. c mMM

,T:f'[Q, a Q m

M:,. a y gu.,3. M p$ 9 ,.T y M, MM w@ @; p@n

,g$ '$ , Dh@y

.[hl@ f Q..~.n.s. NM/ ,M:+([*. @8hdt h(y$ ,m

. _m_sm 4.u&- _,.

w n& u%2.% m % y , ~.

~ *e

'~ w&

AJ%

. N ? n. 4.nm ynw ,a r .

n; ~a ~ _.,. MM n .n a M;Q $h?A W kn w.

n.& .% +~ p.i mW $

L~

1.

i Westinghouse Non-Proprietary Class 3 1.

I v.

1. -

. WCAP-14645

. k. .

.$- $. '(Rev.2 i

l Human Factors Engineering ,

I Operating Experience Review Report for the L

AP600 Nuclear Power Plant -

I, .

1 r

r 4

t i

l o

i i

i 4

8 I i

e j

i !

l-Westinghouse Energy Systems W

=== .

g.

31 1 h )i p '/ ' t '.1 t v

., t ' i '. t ! A l'o n x ii . n 'o . s

. > ) ' , )),

. _ _ ~ _ . _ __ _ _ _ . . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ __ _ _ _ , _ _ _ _ _ _ . _ _ _ _ . _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . - _ . . - - . . . - _ -

)'

AP600 DOCUMENT COVER SHEET TDC: IDS: 1 S l Form 58202G(5/94) [t:\xxxx.wpf.1x]

AP600 CENTRAL FILE USE ONLY:

0058.FRM RFS#: RFS ITEM #:

AP600 DOCUMENT NO. REVISION NO. ASSIGNED TO OCS- G3R - 00\ & Page 1 of Pgs h;n Oj k h yg h k '

ALTERNATE DOCUMENT NUMBER: MP NME A 3 WORK BREAKDOWN #: %,3,h,g()

DESIGN AGENT ORGANIZATION l TITLE: M m on E cnc h G b vsted n 3 @ f dQ hdt%CO bitW h h b NM NOCdtOf O\Altr Od ATTACHMENTS: DCP #/REV, INCORPORATED IN THIS DOCUMENT wcq- pb45 % 9. "EV'S' "

e CALCULATION / ANALYSIS

REFERENCE:

ELECTRONIC FILENAME ELECTRONIC FILE FORMAT ELECTRONIC FILE DESCRIPTION M ,M(6 W v g

\b - n.73%

I rM, i 3 ru ots U (C) WESTINGHOUSE ELECTRIC CORPORATION 199&.

E WESTINGHOUSE PROPRIETARY CLASS 2 This document contains informaton proprietary to Westinghouse Electnc Corporaten; it is submitted in confidence and is to be used solely for the purpose for which it is fumished and retumed upon request. This document and such informa*)on is not to be reproduced, transmitted, disclosed or used otherwise in whole or in part without prior wrtten authorizaten of Westinghouse Electric Corporation, Energy Systems Business Unit, subject to the legends contained hereof.

E WESTINGHOUSE PROPRIETARY CLASS 2C This document is the property of and contains Proprietary Informaton owned by Westinghouse Electric Corporation and/or its subcontractors and i suppliers. It is transmitted to you in confidence and trust, and you agree to treat this document in strict accordance with the terms and conditions cf the agreement under which it was provided to you.

YWESTINGHOUSE CLASS 3 (NON PROPRIETARY) dOMPLETE 1 IF WORK PERFORMED UNDER DESIGN CERTIFICATION QR, R COMPLETE 2 IF WORK PERFORMED UNDER FOAKE.

1 DOE DESIGN CERTIFICATION PROGRAM - GOVERNMENT LIMITED RIGHTS STATEMENT tsee page 2)

Copyright statement A license is reserved to the U S. Govemment under contract DE-AC03-90SF18495.

Q DOE CONTRACT DELIVERABLES (DELIVERED DATA)

Subject to specified exceptons, disclosure of this data is restrcted until September 30,1995 or Design Certification under DOE contract DE-AC03-90SF18495, whichever is later, EPRI CONFIDENTIAL: NOTICE: 1 20304050 CATEGORY: A BECEDEEEFE 2 E ARC FOAKE PROGRAM - AFIC LIMITED RIGHTS STATEMENT [See page 2)

Copynght statement: A license is reserved to the U.S. Govemment under contract DE-FC02-NE34267 and subcontract ARC-93-3-SC-001.

@ ARC CONTRACT DELIVERABLES (CONTRACT DATA)

Subject to specified exceptons, disclosure of this data is restrcted under ARC Subcontract ARC 93-3-SC-001.

"E hde .

AP600 RESPON(IBLE MANAGER

'UM SIGrlA URE' ' Q mhib

' APPROVAL DATE J. W. Widers A. {Tode & J W.umw 1/6l97

Approval of the responsible manager signifes that documerf18 complete, all requred reviews are compiete, electronc file is attached and document is retased for use. %

AP600 DOCUMENT COVER SHEET P;gt 2 s

t Form 582020(5/94) LIMITED RIGHTS STATEMENTS DOE GOVERNMENT UMITED RIGHTS STATEMENT (A) These data are submitted with limited rights under govemment contract No, DE-AC03-90SF18495. These data may be reproduced and used by the povemment with the express hmitation that 0,ey will not, without wntten permission of the contractor, be used for purposes of manufacturer nor disclosed outMde the government; except that the govemment may disclose these data outside the govemmen' for the following purposes,if any, provided that the government makes sicch disclosure subject to prohibition against further use and disclosure: ,

(1) This "Propnetary Data" may be dsclosed for evaluabon purposes under the restnctions above.

(ll) The "Propnetary Data" may be disclosed to the Electnc Power Research Institute (EPRI), electnc utility representatives and their l direct consultants, excluding direct commercial competitors, and the DOE National Laboratones under the prohibitions and i restnctons above.

(B) This notice shall be marked on any reproducten of these data, in whole or in part.

4 ARC UMITED RIGHTS STATEMENT:

This proprietary dcta, furnished under Subcontract Number ARC-93-3-SC-001 with ARC may be duplicated and used by the government and ARC, subrect to the hmitations of Article H-17.F. of that subcontract, with the express hmitations that the propnetary data may not be declosed outside the govemment or ARC or ARC's Class 1 & 3 members or EPRI or be used for purposes of manufacture without prior permission of 4 tha Subcontractor, except that further disclosure or use may be mado solely for the following purposes: I 1

This proprietary data may be dsclosed to other than commercial competstors of Subcontractor for evaluaten purposes of this subcontract under th3 restnction that the propnetary data be retained in confidence and not be further declosed, and subject to the terms of a non-disclosure I ggreement between the Subcontractor and that organization, excluding DOE and its contractors. 1 l

DEFINITIONS l CONTRACTIDEUVERED DATA - Consists of docurnents e. . specifications, drawings, reports) which are g:nerated under the DOE or ARC contracts which contain no a!kground proprietary data. j EPRI CONFIDENTIALITY / OBLIGATION NOTICES \

l NOTICE t The data in this document is subject to no confidentiahty obligations.

NOTICE 2: The data in this document is proprietary and confidentid to Westinghouse Electric Corporation and/or its Contractors. It is forwarded to recipent under an obligation of Confidence and Trust for hmited purposes only. Any use, disclosure to unauthonzed persons, cf copying of this document or parts thereof is prohlbited except as agreed to in advance by the Electric Power Research Institute (EPRI) and W;stinghouse Electric Corporaton. Recipent of this data has a duty to inquire of EPRI and/c rWesbnghouse as to the uses of the informabon contained herein that are permitted.~

NOTICE 3: The data in this document is proprietary and confidential to Wesbnghouse Electric Corporation and/or its Contractors. It is forwarded to recipient under an obligation of Confidence and Trust for use only in evaluation tasks specifically authonzed by the Electric Power R1 search inshtute (EPRI). Any use, disclosu o to unauthorized persons, or copying this document or parts thereof is prohibited except as agreed to in advance by EPRI and Westinghouse Electric Corporabon. Recipient of this data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the informaton contained herein that are permitted. This document and any copies or excerpts thereof that may have been generated are to be retumed to Wesbnghouse, directly or through EPRI, when requested to do so.

NOTICE 4: The data in this document is propnetary and confidenbal to Wesbnghouse Electric Corporaton and/or its Contractors. It is being r:vealed in confidence and trust only to Employees of EPRI end to certain contractors of EPRI for hmited evaluation tasks authorized by EPRI.

Any me, disclosure to unauthonzed persons, or copying of this document or parts thereof is prohibited Tbs Document and any copies or Excerpts thereof that may have t:een generated are to be retumed to Westinghouse, threctly or through EPRI, when requested to do so.

NOTICE 5: The data in this document is propnetary and confidental to Westinghor e Electric Corporation and/or its Contractors. Access 13 this data is given in Confidence and Trust only at Westinghouse facilites for limited evaluation tasks assigned by EPRI. Any use, disclosure to unauthorized persons, or copying of this document or parts thereaf is prohibited. Neither this document nor any excerpts therefrom are to be removed from Westinghouse facahbes.

EPRI CONFIDENTIALITY / OBLIGATION CATEGORIES CATEGORY "A"-(See Delivered Data) Consists of CONTRACTOR Fcroground Data that is contained in an issued reported.

CATEGORY "B"-(See Deltvered Data) Consists of CONTRACTOR Foreground Data th1t is not contained in an issued report, except for computer programs.

CATEGORY "C"-Consists of CONTRACTOR Background Data except for computer programs.

CATEGORY "D"-Consists of computer programs developed in the course of performing the Work.

CATEGORY "E"- Consists of computer programs developed prior to the Effectrve Date or after the Effectrve Dats but outside the scope of the Work.

CATEGORY "F"-Consists of administratrve plans and administrative reports.

l

W:stinghousa Non-Propri:tary Class 3 ARPP-33210 WCAP 14645 Rev. 2 l

HUMAN FACTORS ENGINEERING OPERATING EXPERIENCE REVIEW REPORT FOR THE AP600 NUCLEAR POWER PLANT December,1996 AP600 Document Number: OCS GJR-001 l

l i

l S. P. Kerch R. M. Span Westinghouse Electric Corporation .

Energy Systems Business Unit ,

P.O. Box 355 Pittsburgh, Pennsylvania 15230-0355 l

l l

1 m:u265w.wpf:1b/122796 Revision 2 i December 1996

TABLE OF CONTENTS 1.0 I NTR OD UCTI O N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 1 2.0 SCOPE......................................................2-1 3.0 RESULTS OF REVIEWING OPERATOR EXPERIENCE ISSUES . . . . . . . . . . . . 31 4.0 REl.ATED HUMAN SYSTEM INTERFACE (HSI) TECHNOLOGIES WHERE LITTLE OR NO NUCLEAR PLANT EXPERIENCE EXISTS , . . . . . . . . . 41 5.0 CONTENT AND RESOLUTION OF OPERATOR INTERVIEWS . . . . . , . . . . . . . 51 i

l m.\3265w.wpf:1b/122796 Revision 2 lii December 1996

)

UST OF TABLES AND REFERENCES Table 1 Operat.ing Experience Review for the AP600 Design . . . . . . . . . . . . . . . . . . . . . T-1 References For Table 1, Operating Experience Review for the AP600 Design . . . . . . . . . . . . . . . . . . . . . . . . . . . T-66 Table 2 Related HSl Technologies Where Little Or No Nuclear Experience Exists . . . . . T-67 References For Table 2, Related HSI Technologies Where Little Or No Nuclear Expe rience Exists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . T-72 Table 3 Operator interview issues .......................................T73 References For Table 3, Operator Interview issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . T-78 f

1 mA3265w.wpf:1b/122796 Revision 2 IV December 1996

~

.~

ACRONYMS ac Alternating Current ADS Automatic Depressurization System ARM Area Radiation Monitor AFW Auxiliary Feedwater ASHRAE American Society of Heating, Refrigeration, and Air Conditioning Engineers ASME American Society of Mechanical Engineers ATWS Anticipated Transient Without Scram BWR Boiling Water Reactors CCS Component Cooling Water System CIV Containment Isolation Valve CMT Core Makeup Tank COL Combined License CPS Computerized Procedure System CR Control Room CRT Cathode Ray Tube CSF Critical Safety Functions CST Condensate Storage Tank CV Check Valve CWS Circulating Water System D-RAP Design Reliability Assurance Program DAS Diverse Actuation System de Direct Current DDS Data Display and Processing System DSER Draft Safety Evaluation Report EMI Electromagnetic Interference EOF Emergency Offsite Facility EOP Emergency Operating Procedures ERG Emergency Response Guidelines ESF Engineered Safety Features FBTA Function-Based Task Analysis FC Function Centralization HFE Human Factors Engineering HSl Human System Interface HVAC Heating, Ventilation, and Air Conditioning HX Heat Exchangers l lA Instrument Air j l&C Instrumentation and Control IRM Intermediate Range Monitors IRWST In-Containment Refueling Water Storage Tank ISLOCA Interfacing System LOCA IST inservice Test LCS Local Control Station LOCA Loss of Coolant Accident MCR Main Control Room MFP Main Feedwater Pump MMI Man-Machine Interface M-MIS Man-Machine Interface System m:\3265w.wpf:1b/122796 Revision 2 v December 1996

ACRONYMS (Continued)

NPP Nuclear Power Plant NSR Non-Safety Related OER Operating Experience Review OSC Operational Support Center PABX Private Automatic Branch Exchange PAR Passive Autocatalytic Recombiners PDP Positive Displacement Charging Pump PHWR Pressuri:.ed Heavy Water Reactor PLS Plant Control System PMS Protection and Safety Monitoring System PORV Power Operated Relief . Valve PRA Probabilistic Risk Assessment !

PRHR Passive RHR )

PWR Pressurized Water Reactor PXS Passive Core Cooling System ODPS Oualified Data Processing System RAI Request for AdditionalInformation RCS Reactor Coolant System RF Radio Frequency RHR Residual Heat Removal RMS Radiation Monitoring System ,

RNS Normal Residual Heat Removal System l RV Reactor Vessel l SART Silence, Acknowledge and Restart Test SBO Station Blackout SFS Startup Feedwater System SG Steam Generator SGL Steam Generator Level SGTR Steam Generator Tube Rupture SPDS Safety Parameter Display System SR Safety-Related SRP Standard Review Plan SRO Senior Reactor Operator SRV Safety Relief Valve SSAR Standard Safety Analysis Report SSC Structures, Systems, and Components SSE Sefe Shutdown Earthquake STA Shift Technical Adviser SWS Service Water System TIP Traveling incore Probe TS Technical Specifications TSC Technical Support Center UPS Uninterruptable Power Supply VBS Nuclear Island Non-Radioactive Ventilation System VDU Visual Display Unit VES Emergency Habitability System VPl Valve Position Indication WPIS Wall Panel Information System m:G265w.wpf.1b/122796 Revision 2 vi December 1996

1.0 INTRODUCTION

As discussed in NUREG-0711 (" Human Factors Engineering Program Review Model"), the purpose of this operating experiecce review (OER) is to identify human factors engineering (HFE)-related safety issues. The objective of this AP600 review is to identify and analyze HFE-related problems and issues encountered in previous designs that are similar to the AP600 so that they are avoided in the development of the AP600 design, or in the case of positive features, to retain these features. Westinghouse will continue to review current plant operating experience and as new HFE-related issues are identified, will address or track to resolution thoor issues applicable to the AP600.

I mA3265w wpf.1b/122796 Revision 2 1-1 December 1996

2.0 SCOPE The scope of this evaluation includes pressurized water reactors (PWRs), at both Westinghouse and non-Westinghouse plants. The issues for boiling water reactors (BWRs) and a pressurized heavy water reactor (PHWR) which are applicable to the AP600 design are also addressed. Other industry man-machine interface (MMI) experience, where limited ,

experience exists in the nuclear industry, is also addressed.

Guidance for this OER is based upon: 1) Appendix B of NUREG 0711,2) the clarification of NUREG-0711 Appendices B.5 and B.6 provided as an attachment, ("HFE Insights For Advanced Reactors Based Upon Operation Experience," BNL Technical Report E2090-4 3-1/95) to NRC letter dated 2/13/95, and 3) comments in Draft Safety Evaluation Report (DSER) Chapter 20 related to the OER for the AP600.

. I l

l l

l I

I m:0265w.wpt:1b/122796 Revision 2 2-1 December 1996 ,

l

3.0 RESULTS OF REVIEWING OPERATING EXPERIENCE ISSUES Table 1 documents the NUREG-0711 Appendix B issues reviewed and how the AP600 design addresses these issues. Table 1 consists of five columns and provides the following information; Column 1 Item Column 2 issue Reference Column 3 issue / Scope Column 4 Human Factors Aspect / Human Performance issue Column 5 Human Factors / Human Performance Issue Addressed by AP600 Design The numbers in column 1 are used throughout this document as a convenient means to reference the various issues. Column 2 identifie.s the reference document that presents the issue to be addressed. Column 3 Identifies the specific issue / scope. Column 4 identifies the human factors aspect / human performance issue of the issue / scope identified in column 3.

Column 5 documents how the AP600 design addresses the aspects / issues identified in column 4.

Tables 1,2, and 3 also document the HFE related issues which are not currently addressed by the AP600 design. These issues are identified in column 5 of Table 1 and in column 3 of Tables 2 and 3 by using the terminology "THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING SYSTEM" typed in bold letters. Standard Safety Analysis Report (SSAR) subsection 18.2.4 provides a description of the design issues tracking system which includes tracking of HFE issues.

Column 5 of Table 1 also identifies which HFE issues are not applicable to the AP600 design.

These are identified in column 5 of Table 1 by using the terminology "NOT APPLICABLE" typed in bold letters. Immediately after the bold type, the reason why the issue in not applicable to the AP600 is provided.

Column 5 of Table 1 may identify the issue or part of the issue as "the responsibility of the Combined License (COL) applicant." The following is a list of those items from Table 1 that are identified totally or partially as the responsibility of the COL applicant: 1,7,21,45,48,49, 50,51,58,63,64,65,67 through 70,157, and 170 through 180.

l l

i l

m:0265w.wpf;1b/122796 Revision 2 31 December 1996

4.0 RELATED HUMAN SYSTEM INTERFACE (HSI) TECHNOLOGIES WHERE LITTLE OR NO NUCLEAR PLANT EXPERIENCE EXISTS Soft controls, computerized procedures, and large screen (wall panel) displays are HSI technologies that are not used in currently operating nuclear power plants, but will be used in the HSI/M MIS design of the AP600. Westinghouse has reviewed the operating experience of these technologies or related technologies from other industries in order to identify HFE-related issues that need to be addressed. Issues related to these technologies include navigating through large display networks, implementation of soft controls, and group situation awareness.

The AP600 computerized procedure system (CPS) is dynamic and interactive with the remaining AP600 HSI. Plant parameter values, plant state', and assessment of procedure steps are performed by the system. No system comparable to the capabilities of the AP600 CPS, with relevant operating experience, was found in other industries. If any such experience is published, it will be reviewed and identified human factors issues will be addressed.

The reviewed documents include operating experience from the following industries: fossil power plant, aircraft industry, naval programs, space program, electrical, gas, and oil. These reviews are documented in Table 2. Column 1 of Table 2 identifies the reference document which was reviewed. Column 2 identifies the HFE related issues applicable to the AP600 7

design, and column 3 documents how the AP600 design addresses the identified HFE-related issues. In column 3, some cross-referencing to Table 1 occurs where the identified issue is identical to an issue already documented in Table 1. Where the issue is not currently addressed by the AP600 design, an entry is made in column 3 stating "THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING SYSTEM" typed in bold letters. The reference documents in Table 2 (References 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, and 2.7) are identified in the Reference list following Table 2.

Column 3 of Table 2 may identify the issue or part of the issue as "the .*csponsibility of the Combined License (COL) applicant." The following is a list of those items from Table 2 that are identified totally or partially as the responsibility of the COL applicant: Ref. 2.3 item 2; Ref. 2.4 items 3,4, and 8; Ref. 2.6 item 4; and Ref. 2.7 items 3 and 5.

mM265w.wpf:1b/122796 Revision 2 4-1 December 1996

5.0 CONTENT AND RESOLUTION OF OPERATOR INTERVIEWS As part of the OER, Westinghouse has conducted operator interviews and observations during plant operations and after operating events. These interviews / observations are documented in Table 3. Column 1 of Table 3 identifies the reference that documents the operator interviews.

Column 2 identifies the HFE related issues applicable to the AP600 design, and column 3 documents how the AP600 design addresses the identified HFE related issues.

For each of the reference documents, the HFE-related issues were identified. Issues associated with or related to any of the ten elements of the Human Factors Engineering Program Review Model (ten elements defined by NUREG-0711) were identified as HFE related issues and entered into column 2 of Table 3. The reference documents in Table 3 (References 3.1,3.2,3.3,3.4,3.5,3.6,3.7, and 3.8) are identified in the Reference list following Table 3.

In column 3, some cross-referencing to Table 1 occurs where the identified issue is identical to an issue already documented in Table 1. Where the issue is not currently addressed by the AP600 design, an entry is made in column 3 stating "THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING SYSTEM" typed in bold letters.

Column 3 of Table 3 may identify the issue or part of the issue as "the responsibility of the Combined License (COL) applicant." The following is a list of those items from Table 3 that are identified totally or partially as the responsibility of the COL applicant: Ref. 3.1 items 1,2, 3,4, and 5; Ref. 3.2 items 2,3, and 4; Ref. 3.4 items 1,2, and 3; Ref. 3.5 item 6; Ref. 3.6 items 1 and 2; and Ref. 3.7/3.8 items 2,4, and 6.

m:0265w.wpf:1b/122796 Revision 2 51 December 1996

E G

TABLE 1 OPERATING EXPERIENCE REVIEW FOR THE AP600

[ issues Addressed By NUREG 0711 Appendia B Issue Item Reference issuerSecpe Human Factors Aspect / Human Performence tasue Human Factors / Human Performance issue Addressed by AP600 Design 8 1 Item B.1 (1) A44. Stanon Trus es a large and sagrvficant issue with many human-tactors- A station blackout (580) es a dessgn basrs event for se AP600. Passne. safety-related blackout (SBO) related aspects, octudog controis, esp 4ays. trarvng. and systems ut: tire one-eme reahgriment of valves to provu$e system rute*non After procedures. rutiaten, these passrve systems do not recure power to sustan tNew operadon. For an S80 event, the valves that abgn the AP600 systems requwed to mrtigate the event are fad-safe or batterytowered vatves Failsafe means that on loss-of power they move to the poseton that rutetes system operabort Refer to SSAR stesecton 7,4.1.1 for a descrphon of the process and p6 ant response that estabhshes safe shutdow9 condrtions for the plant, usmg the safety 4 elated systems ard no operator achon. Ttus escussen orf fconsders the use of safety-retated systems and it assumes loss of offsite electncal power at the staft of the event.

Table 7.5-1 of Secton 7.5 of the SSAR summanzes informaton rm the instrumentaten for post-accident marvtonng The post-accaderit morwtonng instrumentation that es dessgnated m the tabte to be esplayed by the Ouahfied Data Processmg System (ODPS) as powered from a Class 1E dc unmtemptible power system (UPS) with suffoert battery capacrty to provide necessary electncal power for 72 hours8.333333e-4 days 0.02 hours 1.190476e-4 weeks 2.7396e-5 months . As noted n SSAR Section 7.5 4 and notes 4 and 7 of Tabie 7.5-1. there are a few cases where

--( the inst?umentaton is powered from a 24-hour Class 1E battery. Refer to SSAR ,

f. subsectons 81.2 and 8.3 2.1 for a desenpton of te Onsste Power System and the DC l Power System The ODPS cabinets are powered from a Class 1E 72-hour battery.

The AP600 man-machme irderface system (M MtS) tot controts in the mam control room (MCR) consrsts of soft controts at the operator workstations arvi de@cated contrais at the descated safety panel. Reactor operator and servor reactor operator (SRO) workstatens and ther esplays are powered from non-1E urunterruptable power suppbes The workstatens will be avadable for 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months into the SBO After 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months the operators rely on te OOPS dsplays arid the dedicated controls for control and morvtonng of the plant The CDPS prowdes the Class 1E. qualif ed esplay system and ts powered from the Class 1E UPS. The ODPS and the descated contruis are located at the de6cated safety panel The design of the OOPS esplays, descated controls, and the descated safety panel are aH part of the Human System interface (HSI) and therefore wdl be a product of the AP600 HS3 design process as desenbed n Secton 18 8 of tre SSAR The dedicated controls, located on the dedcated safety panet. are for reactor tnp.

tusbme inp. and systerMevel engmeered safaty features (ESF) actuatons These dedicated co.4 rots are powered for 24 hours2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months fiorn a Class 1E battery tnrough a UPS.

g following an SBO. Refer to Table 8.3 2-1 for La kst of safety-related loads powered g from the Class tE battenes.

O O

Trarung program developreent and procedure developmert are the responsitukty of the 32 COL applicant as stated n 13 2 and 13 5 of the SSAR tr o O<

m g ag O 3 (O

C) IV I

3 TABLE 1 (Continued) b

$ OPERATING EXPERtENCE REWW FOR THE AP600 t

issues Addressed By NUREG 07f1 Appendia B C ftem issue Reference issue / Scope Human Factors Aspect / Human Performance issue fiuman Factors #tuman N' ..-se issue Addressed by AP600 Desyn

?

M 2 Item B t (2) A-47 Safety TNs assue relates to the -w;e.v.= of fadures of WCAP 14477, *The AP600 Adverse Systems Interactions Report

prendes an evaluation y enphcatons of nonsafety-related (NSR) control systems and treer of potenhal adverse mtaractons between the piart control system and the safety 4etated

$ corerol systems eterachon with control room (CR) operators systerns cesgned to trutgate accdents This report prowdes the justitcahon for mciusson or excluson of controegrade equipment and systems m the Chapter 15 acendert anaryses_

The me.4v.= of fadures of nonsafery-related core =oi systems and their interacbon with control ecom operators es addressed m the AP600 Emeegency Response Guidehnes (ERGS). The ERGS prowde both optimal recovery gudehnes and functon restoration gudehnes using both safety-retated systems and nonsafety-related systems as appropnate Contingencies are provided to account for fadures of eethee sa rety-retated or nonsafety-related systems.

3 Item B.1 (3) B-17 Cntena ! w Trus issue ir volves the developmert of a trne entenon for WCAP 14644,"AP600 Functional Requiremeras Analysrs and Functon Aaccaton,*

safety-related (SR) safety-retated operator actons includog a determmation d prowdes a descriphon of the basis for sutomate actuatons of aadent rrutgaton (entcal operator actions whether automate actuaten is required. This issue also safety) functions and the associated capabdmes for manual operatioru The AP600 concems some current PWR desgns requmng manual provides automate nubgabon of desgn bases accidents including mmation d the torg operations to accomphsh the switchover from ens miection term post-LOCA recrrculation mode Recove schons for vanous emergency scenarms mode to the recirculahon rnode after a loss-of<cotant are speofied in the AP600 ERGS and take operator acton timog into consderatiert j accdent (LOCA).

N 4 Item B 1 (4) B-32. Ice effects on The buddup of Ica on servce water ewake can occur The senice water system (SWS) m AP600 is nonsafety-related RetortoSSAR safety-related water gradually and can require irvoved estrumentaten to anow subsection 9 2.1 for a desenphen of the SWS. SWS water temperature rs rnorutored and suppies operators to detect its occurrence before 4 causes system alarmed m the MCR on low temperature Low temperature alarm is a wammg on noperabihty. potential eing conditons.

5 Item B 1 (5) GI-2, Fadure of A large number of hcensee event reports have noted the The AP600 es desgned to merumize the e'fects of faelure* of protectrve devces on g protective devces incapacitation of safety-related equipment because of the essentiat equiprnent lj on essential fadure of proteche devces such as fuses and circuit equipment breakers. Operators are iot afways aware of the fadure of . The number of active essential devices has been nurumized by the passive desgn equipment because of the desgn of the mstrumentatron of the AP600.

. The AP600 es prowded with an extensrve deshbuted (nonsafety) control system that can be used by the operator to rnorutur the operahon of the plant and gusckfy identify inoperable deuces

. The AP600 conforms with Regutatory Guide 1.106 for the apptcahon of thermal

"* *#*'""d**'**~

O m

O = Redundant motor-operated vatwes are powered by independent evrsons of the Class 1E de system. The four dvisons of the Class 1E de system are compte's sy 7g independert with re prowson for cross <onnect O <

E 6 Item B t (6) GI-23. Heactor This is a multifaceted assue that includes a number of NOT APPLICABLE: The F600 design specrties reactor coolant pumps with canned

'6 coolant pump seal proposed resolutions One subissue is the pronsson of motors that have to seals. Refer to SSAR subsectons 5.t.3.3 and 5 41 3 failures adequate seat instrumentation to allow the operators to l 0) N take cor'ective actions to prevent catastrophec fadure of seats. ;

E TABLE i (Continued) b

$ OPERATING EXPERIENCE REVIEW FOR THE AP600 m

issues Addressed By NUREG 0711 Appendix B 3 Item issue Reference issue / Scope Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Acressed by AP600 Design T The AP600 servce water system (SWS) and circulatog wa*er system (CWS) as 7 GI-51, improveg The buildup of clams. mussets, and corroson products can G tlem B.1 (7) nonsafety-related systems. The SWS utAres tres%ater m es desyt The CWS is a y the rekatality of cause the degradation of open cycle SWSs. Added rstrumentaton is one means of provdng operators eth sste spec:fC desyt The SWS includes automate self backwashog stramers and mR be

$ opengele servce the capabdtry to morwror this bu* tdt.c and take corrective rnorntored for chlonne resdual. In addibon. hstrumentation as provded mt he SWS and water systems.

acton before loss of system furetionalsty occurs. the CWS to morutor system flow rate pump discharge pressure; and heat excNrnger inlet and oc: tat temperatures The CWS also mctudes estrumentaten to morvier condenser datterential pressure These estruments have readouts and ala*W mt he corvol room and are used to determene system performance at any grven Nne and can, by trendng. also be used to establish penodc mair:tenance plans to preclude loss of system funcuonahty Also.t he SWS rs oesigned wth redurdart pumps, heat exchangers and coolmg tower cens to avod piart shutdemns caused by a sogne component tasture a The COL wil address the specifc chemcats used for water chemespy coreroi, algcide, and tecde a:.phcatons. and m mcro and mad dwiinte forms (SSAR 10 4 ?E1)

The COL wil also devetop plant procedures to mamtam the systems based uport the SSAR and Westmghouse techncal documentaten (SSAR 13 5 and 18 9) 8 hem B.1 (8) GI-57. Effects of This issue resuhed from spurious and inadvertent An exphcst requwement exists to desagn the system such that madvertent operations do j fire protection actuatens of fire protecten systems, often caused by not occur (SSAR 9 5.1.11. Rev. 4). There are no sonnkler systems or automarca!!y ruttated fue protechan systems in areas contaming safety 4 elated components (J system actuaton operator enors during testog or maintenarce Desagn of on safety-related systems should prevent such enors to the extent possete (512.14 - SSAR Rev. 4). Also an evaluatson of the hre protecten syMem integnty ecppment. anaWs is performed for safety-related sy-tems. The system es desegnal to be o comphance w th BTP CSAEB 9 51.

O o

O T Cr tv

$ 3.

_,se.

e8 w

0) '

3 TABLE 1 (Continued) 9

$ OPERATING EXPERtENCE REVIEW FOR THE AP600 E

g Issues Addreesed By NUREG 0711 Appendix B R

R Rem issue Reference issuePScope Human Factors Aspect / Human Performance Issue Human FactorsMuman Performance issue Addressed try AP600 Design

?

9 7 pem D.t (7) GI-51, improwng The buddup of clams, mussels, and corrosaan products can The AP600 sennce water system (SWS) and cuculattng water system (CWS) are 8 the rebatWy of cause the degradation of open cyCf6 SWSs. Ad$ed nonsafeterelated systems. The SWS utdizes treshwater m its desagri The CWS s a

$ open<ycle sennce estrumentation a one means of provieng operators eth see speofic desget The SWS metudes automahc sew backwashng stramers and me be water systems. the capatwity to monnor this buddup and take correcsve rnandored for chlorine resadual. In addrbon. enstrumeritation a prew$ad m the SWS and action before loss of system functionaldy occurs. the CWS to monnor system now rate. pump escha ge pressure. and heat exchanger mlet and Dunet temperatures The CWS also octudes instrumentation to morwtor condenser differenhal pressure. These instruments hava readouts and asiarms m the control room and are used to determme system performance at any given Dme and can, by tren&ng, also be used to establish pow mantenance plans to preclude loss of system funcnonahty Also, the SWS is desgned utn redundant pumps. heat exchangers and cochng tower cens to avoid plant shutdowns causeJ by a sngie corrponent fadure.

The COL wit address the specific chemcals used for water chemistry control, ayicode, and beoode apphcabons. and m macro and mavvL varpi hfe forms (SSAR 10412.1).

The COL ma also develop ptant procedures to mantain the systems based upon the SSAR and Westmghouse technscal documentaban (SSAR 13 5 and 18 9).

8 Item B 1 (8) GI-57 Effects of Ttus issue resulted from spunous and inadvertent An emphcst requwement enests to dessgn the system such that madvertert operahons 00 j fire protection actuabors of Are protection systems often caused by not occur (SSAR 9 5.1.1.1 Rev 4) There are no spnnkter systems or automatcapy CJ system actuation operator errors dunng testog or mantenance. Desgn of mebated fue protection systems in areas contavung safety 4 elated w.ws on safety-related systems should prevent such errors to the extent posstie (5.121.4 - SSAR Rev. 4). Also an evabation of the hre protect'on system integnty equement analysas is per'ormed for safety-related systems. The system a desgned to be m comphance mth BTP CtulEB 9 5 l O i c>

O O

3I er o O 3.

, e.

=8 w

C) f0

3 TABt.E 1 (Continued) b

$ OPERATING EXPERIENCE REVtEW FOR THE AP600 E

lesues Addressed By NUREG 0711 Appendix B C ltem fstue Reference issue / Scope Humars Factors AspectMuman Performance issue Humaa f actorsMuman Performance issue Addressed by AP600 Gesign

?

G 9 ttem B 1 (9) GI-75. Genene Ttus issue has many sutussues, several of whch are The AP600 indudes a DAS that provces a @ verse backup to the protecten system.

$ rnplcatons of related to human factors, for example, scram data br post- TNs system is a nonsa'ery4etated instrumentaSon and contrc: (1&C) system that ts an 8 Antripated scram anatysis, capatxhty for post-mamtenance testmg of expanded verson of the ATWS Mstgation System Actuauon Catwnets in the present Trarment without reactor protection system, and a specdc sutussae htled generabon Westrghouse nucaear power plants. One of the turconal requirements of Scram (ATWS)

Review of human factors issues? the DAS is to mitgate consequences of a fadure to tre keowog an ATWS. The DAS provides a drverse, anemate means of automatcally trppeg the reactor and actuatog specded ESF funcbons for selected events E the Protection and Safety Morwtonng System (PMS) is unable to perform these functions as a result of common rnode faaure.

A more detaded Gescrption of the DAS, inclueng the @ verse nature of the system. es found m SSAR subsecbon 7.7.1.11.

The AP600 I&C systems includes a Data Desplay and Processeg System (DDS) One of the functons provided by the DDS rs a dstrh: led Computer function The dstreuted computer funchon provides data acquistton. data storage, and computatenel funcnons to support operations. engmeerng plart adormation needs and emergency response mformaton needs withm a sogle system. The estnbuted computer functon mteracts enth the plart operators through the operational dtsplay functon and the plant otormation system. The estributed cornputer functon prowdes many compu rational q functionc includmg provisons for pre- and postarp data for review and anatysis, e Nstancat data storage and retneval, and data logging Zn The AP600 PMS 6s a safety system of electncat and mechancat eqapmera that senses gene 2 ting staton conddions, and generates the sgnats to actuate reactor tT and ESFs that provde the equpment necessary to monitor ptara safery4 elated funcbons dunng and following desgnated events (Reference SSAR Secten 7.1). The PMS prowdes a high degree of rehabikty and fault tolerance for both operating and mantenance situations. SSAR subsechon 7.12.10 descrt>es the specife desgn features that provide this capabdsty SSAR subsecton 7.12.12 descrees the PMS test capatnhties and desgn features The AP600 reactor try switchgear has four redundant safety drvissons enth each evivon containing two crreurt breakers of the reactor try switchgear (eight breakers totat) As illustrated in SSAR Figure 7.1-7. the eght circut brukers are arranged in a twwmtof-four logc confguraban (Reference SSAR subsecbon 712 5) 10 item B.1 (10) GI-76 i&C TNs 6ssue raises several concems, including l&C fat.its tNet The desgn of the operator displays is based on an anatysrs whch identifies tre mteractions could t:hnd or partially bhnd the operators to the status of aopropriate drsplay vanables lor monitonng consbons in the reactor coolant system l

the piart (ACS), the secondary heat removat system. the cw 4. .i--.i and the systems used for o attaanog a safe shutdown coneton. TNs analyses also estabbshes the appropncte O desgn basis and quahficahon cntena for the instrumentation whch provides the input to I h[

oq the operator desplays (Reference SSAR Secton 7.5). In aetten to these displays the DAS prowdes separate and drverse indicatons wNch can be used by the operator.

g (D

Refer to the responses of items 59, and 113 through 119 for desgn features of the AP600 dc Power Systems.

03 IO

E TABLE 1 (Condnued) b a OeERAnwG EXPERIENCE REVIEW FOR THE AP900 m

leeuse Addressed By NUREG 0711 Appendia B g

3 Itern leeue Reference leeuetScope Human Factore _^u _ r Performance issue Human Factore44uman Perfonnance Iso Je Addressed by AP600 Dee6gn V

y 11 ftem B.1 (11) GI-96. ResidJat Th3 design of the RHR sucton valves eth respect to vane Based upon a corderence cat of 6ftS95 w:th the NRC Human Factors Brancit R was y heat removal posrhon indcaton and instrumentaton to detect potermat agreed not to octude tras usue as part of the OER (Reference 8).

$ (RHR) sucDon leakage from twpi-to-low pressure areas e irrportart to the vatve testmg prevenhan of interfacog system lossef<:oolars acodents (ISLOCAs). The is important for normal operatons and for testeg 12 trem B 1 (12) Gt-101. Break plus Ttus issue attempts to ensure that reust inforrnation is Based upon a corderence cat of 6/1S95 mth the NRC Human Factors Brancit a was single fadure in availab6e to the operators for both reactor water levet and agreed not to menude this 6ssue as part of the OER (Reference 8).

boilmg water tot plant status dunng the progressen of an acodent.

reactor water level instrumertaten 13 frem B.1 (13) GI-105, treedacmg Ttus issue relates to pressure isolation vetves for BWRs. NOT APPUCABLE: This issue relatmg to pressure isolaton vanes is only applicatAe to system LOCA at BWR reactors.

BWRs 14 Item B.1 (14) Gl.110. Equipment Failures and incapacitanon of ESF equpment have The ESF design is based on the use of four separate safety evisers for the sense and protectrve devices t ccurred because of the fadure or intermonal bypass of command funchon, and two or more evisens for the erect;te function. The system a of engmeered protective devices. Both the design of these protectrve dessgned to accommodate a sogle fadure of a process signal oput by altenng the sense d

U3 safety features devces and the appropnate in$ cation to CR operators are and command logc from a twoout<1 tour votog logc to a twooutel-three voting topc_

rnportant. Adetsonal ladures can be accommodated by altunng the logic from a twocutettiree to a one-outof-two. Any attempt to --. 0date a&bten fadures by an mientional bypass results m actuaten of the protectwe functort Alarms and esplays are provided so that the conhguraton of the ESF can be determoed by the operator at any ame 15 trem B.1 (15) GI-116. Accident Ttus issue relates to improved operator trawung and Based upon a conference ca5 of 6/1995 mth the NRC Human Factors BrancfL R was management procedures for managing accidents beyond the design agreed not to include this issue as part of the OER (Reference 8).

basis of the plart O

u an O' ($

, e.

$m

E TABLE 1 (Continued)

G n

$ OPERATweG EXPERfENCE REVIEW FOR THE AP600 E

Desues Addressed By NUREG 0711 Appendix B C item iss se Reference tasue/ Scope .Nman Factors AspectMuman Performance issue Human FactorsMuman Perforrience issue Addressed by AP600 Design Y

A key aspect of tNs item is providirg operators we For the AP600, the Was Panes Information System (WPtS) w2 esplay for each g4 ant G 16 Item B 1 (16) GI-117. Asowable ti equpment outage nec1ed asserance in identdyng nsk sgnrhcant operatog mode or sursfcant plant operatmg state. a morne esplay that we provde a physcal overvew of the status of the planis sgnifcant systems and key cortponents.

$ times for everse, contenahans of equement outages. The informahon The wa# panet memc esplay me eclude the $ splay of Nghhet denved quantees, e g ,

simultaneous needed would include vane ahgnments, switch settings, as equprient outages web as ww a declared moperable those that depend on a parbcutar logc algovern. An examp6e of a denved quantity rs the avastatulay of safety systems The WP1S we prowde anlomiation to the MCR personnel summanzng those wwwh and systems that are snoperable. The AP600 Wall Panel ovennew alarm esplays. along with the Visual Display t)nst (VDU) esplays, wd automatcally presert mecaton of bypassed or dehberately enduced moperable safety equpment. TNs we mcluda the bypassmg or detteratety Induced inoperatey of any auxAary or supportog system th3t e'tecDvery bypasses or renders enogerable the protecton system and the systems actuated or cont oned by the protecten system.

The CDPS mR contam physcal esplays for the representaten of the performatice of systems and wwe associated we the control of safety-related functions These physcal displays wd contam enough data so that the operator can morutor the operation of the plant hardware. The type of mformation to be put on these dsplays we be denved through a functiontased task analysis process (FBTA). Indcativety, the type of informatson to be shown on the physcal esplays could be of the following types: 1) flow q . path afgnments; 2) valve posthons. 31 pump states; 4) tarA leve8s and capacites.

5) heat exchangers heat balance. 6) avaitabdity status of the support systems (electnC#y.

coolog, etc_.); 7) system or component mteriocks; 8) system or component operating rules; 9) irrportant data with enterfacog systems.

17 Item B.1 (17) GI-120. Orvine The designs for on-6ne testabdity should include The on-hne testng of the protection systems is accomphshed by a senes of tests w th testabihty of appropnate human factors to ensure safe testog sufhcient overtap to test a5 necessary funchons. Must of the test:ng is performed protection systems automatica'ly once inibated by the operator. A descrption of the system fehatety and fault tolerance dunng operatons mantenance. test and bypass, and a descnpton of the built-m test capatAties are provided m SSAR stesections 7.1210 and 7.1212 18 Item B.1 (18) GI-125 8 3. Safety TNs issue addresses Safety Parameter Drsplay System Based upon a conference cat of 6/19/95 wrth the f4RC Human Factors Branch, et was parameter esplay (S?DS) avadathty and the rebatAty of the informaton it agreed not to include ths assue as part of the OER (Reference 8) system avatab&ty esplays.

19 Item B 1 (19) GI-128. Electncal Ths issue includes power to vital instnsment buses, drect Genenc issue 128 was created by combmog issues 48,49. and A 30. Resolution of power rehatAty current (de) power supphes, and electncal intertocks. AB of issue A-30 rs contamed in Genenc Letter 9146. The AP600 response to Genere Letter these issues are strongty dependent on proper indcaton 91-06 is contamed in item 59 below. The resolutons of issues 48 and 49 are contained and operator action for high rehatAty. in Genenc Letter 91-11. The AP600 response to Genenc Letter 91-1; is contames an g item 61 below. The AP600 response to Genenc issue 128 is summanzed m SSAR o

g subsection 19 4 2. item 128.

3T 20 trem B.1 (20) GB-130. Essertal TNs issue relates to the arrangemert of SWS pumps and The AP600 is a sogle4rrut desigrt if two AP600s are placed on the same site. they wm

[@ servce water pump poing includng cross-ties at rnulti-unit sites. Both the failures at muth-not share an SWS. The AP600 SWS is a nonsafety-related system. Cross-bes are arrangement and the operators' abAty to morator the status miemal to the SWS from one train to another. hoper cross-tie abgnment can be g' 6 E plant sites of cross-ties are important Ths item mentions potential detemuned by rnonrtonng the Component Cochng Water System (CCS) heat exchanger g) 3 apphcabehty to singleisrut sdes also. (HX) temperature nse. If the nse is excessive. an alarm we be sent to the MCR Ci IV indcating possible cross-tie mesahgnment.

There rs a tAowdown path from the SWS to the CWS that rs normally open. Closing ins path has no effect on the SWS pumps.

E TABLE 1 (Continued) b

$ OPERATING EXPERIENCE REVEW FOR THE AP600 E!

2

( leeues Adtkoesed By NUREG 0711 Appendia 8 Item Issue Reference leeue/ Scope Human Factors AspectMuman Performance leaue Human FactoraMuman Performance teous Addressed by AP600 Design T

i$ 2i f em B 1 (21) HF11 TNs issue is saniar to item I.A.1.4 in Secton B 2 (item 48 Staffing levets a e the respons.tuhty of the COL apptcant as stated m SSAR y of thrs table). Secton 18 6.

22 Item B.1 (22) HF4 4. Gudennes This issue addresses normal are abrumal procedures in Based upon a conference cat of 6/1995 with the NRC Human Factors Brarm it was for ignyadng other the same manner as emergency procedures agreed not to include tNs issue as part of the OER (Reference 8) procedures 23 hem B.1 (23) HF4 5. M MIS See hV5 2 below. Based upon a corderence cas of 6/1995 eth the NRC Human Factors Branch, a was automaton and agreed not to mctude this issue as pa t of the OER (Reference 6).

artificial mtethgence 24 ttem B.1 (24) HF51, Local TNs issue addresses the M-M1S of local control stations The LCSs are included m the HFEMMIS design process Among the human factors corarol statons and auxikary cperator eterfaces. cntena that are apphed across the AP600 t&C and M MIS desgn is the entena that each (LCSs) workstaten, LCS, or other area of personnet activity. be analyzed and desgned to w.m.va.;e tne fonowng: 1) expected modes of operaton, incluctng martenance and refueling: 2) staffeg levels expected under each of these expected enodes.

Also, refer to the responses of Rems 161 through 169.

25 ttem B 1 (25) HF5.2, Revew TNs concem is a correxnation of HF4.5, the ongmal HF5 2 Refer to SSAR Secton 18 4 and WCAP-14644 for the C,vaa vy and results of the

--l criteria for hurnan on arn.incettrs, HFS 3, and HF5 4. 'unctional requrremerts analysas and functon anocation conducted for AP600. As part of k factors aspects of advanced L&C the existmg Element 7 process, as described m SSAR Secten 18.8, an HFE desgn gudehne document win be created for each of the AP600 HSis.

26 Item B 1 (26) HF5.3, M-MIS TNs issue mvolves gudance on M-Uts for new esplay and TNs issue is addressed by completmg Elemers 7 (HSt Design) of the AP600 HFEMSI evaluation of control technologes desgn process. As part of the Element 7 process as desenbed in SSAR Section 18 8.

operational ads an HFE desgn guideline document wiu be created for each of the AP600 HSas.

27 Item B.1 (27) HF5 4, M MIS See HF5.2 above. This tsrue is addressed by comptenng Elemere 3 (Furictonal Rocp._ c., Analysts and computers acid Functon AEocaton) and Element 7 (HSt Dasgn) of the AP600 HFE!HSI design process.

computer esplays Refer to SSAR Section 18 4 and WCAP-14644 for the ,ce vaavy arvj results of the functional requirements anahsis ard functon atacation conducted for AP600. As part of the existmg Element 7 process as described in SSAR Section 18 8. an HFE desgn gur ashne document wis be created for each of the AP600 HSis.

28 Item B 2 (1) Iv, Hightressure The desgn should consider CR alarm and indication of the NOT APPtJCA8LE: TNs issue is only appbcable to BWR plants.

coolart miechon inmaton levels ard low-ievel restart values.

and reactor core isolation coohng O separation O

O O

3T cr u O,

- g- <

a _.

em l

E TABLE 1 (Contmuod) b

$ OPERATING EXPERIENCE REVEW FOR THE AP600 a

j leeues Addressed By NUREG 0711 Appendix 8 3 Item leeue Reference leeuerScope Human Factore ." . ." 1 _ - Performance leeue Human FactoraMuman Perfonnance issue Addroceed by AP900 Des 6gn T

$ 29 frem B 2 (2) tvi, Reduction of The desgn shoud consder CR alarm and mdcatsort of Status edcation of the pressunzer SRVs and the steam generator (SG) SRVs are y chauenges to SRV status and important pararneters. prended in the MCR. The positen status d these SRVs is Mcluded m the bst of

$ safetytehef vetves vanables ard instrumentanon needed to a!Iow the @erator to monstor and martam the (SRV) safety of the AP600 throughout operating Cordtiors that include accioent and post-accident conditnans. SSAR Section 7 5 provides this Ast of vanables and estrumertanort The pressunzer SRVs arx! the SG SRVs wit have a tua set of abnormahty alarms and status messages m the MCR The abnormahty alarms we appear in the overview of alarms as integrated into the WPtS. For exarrple. alarms alettmg the operator that the vatve is OPEN when a shouw be CLOSED or CLOSED when it shouw be OPEN we east and we appear en the starm ovennew as irwegrated mio the WPtS Status messages for the expected behavior of these SRVs we exist on the starm sumort screens ava4able at the operator's modstanort For example, status messages informing the operator that the valve as OPEN when e should be OPEN or CLOSED when it should be CLOSED we exist and be available on the alafm support screens avadable at the operator's workstanon, q The AP600 Alarm System is desgned fotowmg the HSI desgn process descrbed in g SSAR Section 18 8 as part of the AP600 HFE progrem.

30 frem B 2 (3) Ivii. Automate De*ermmaton of the opernum ADS for ehmmation of The AP600 ADS has been designed to provide a contro#ed depressunzat:on of the RCS depressurization manual acavation should include consideration of the tollowog smat LOCAs. It is automatcally actuated on a low core makeup tank (CMT) system (ADS) study operators' need to monitor the system and an analysis of level whch is indcative of a sgruhcant loss of reactor coolant from the pnmary system.

the tme required for operators to perform manual backup il The ADS funcnons to depressunze the pnmary system to enable gravity 42nven safety requred mjectori The AP600 passrve safety systems (includmg the ADS and the CUTS) actuate automatically to provide core cooling. and to provide the operators sufficient time to take manual actions as presenbed in the AP600 ERGS. The bmeg of the accm%rw sequences is such that, for smet LOCAs. first stage ADS actuation does not occis for at least 20 msnutes after actuation of the CMTs. This provdes the operators sufhesent time to diagnose the event, to property monitor the actuanon of the ADS, and to pertoms manual backup il necessary, as presenbed m the ERGS.

'31 Item B 2 (4) Iviii. Automate This issue involves allocation-of-funchon consioerations in NOT APPUCABLE: Ttus assue is only aplicable to BWR plants.

restart of core terms of automahc restart of a system after manual spray and tow- stoppage by the operators. Consderanons of whether pressure coolant automabc restart should be avadable, how it should be O miection implemerned, and what alarm and irdcatms are needed g in the CR are required CD 5I cr cr a s.

_, t m~

. . __ __ a

E TA8tE 1 (Continued) b E

OPERATING EXPERIENCE REVEW FOR THE APS00 g Issues Addressed By NUREG 0711 Appendia B C leem 1seue Reference leeuetScope Human Factors ? , _ A Performance Issue Human Factore/ Human Performance tesue Addressed by AP600 Design

'T G 32 Item B 2 (5) t ui. Consderation of depressurlzaten wiB mvolve the provissons Manual controned depressunzation of the pnmary sys em es errptoyed to mitigate some y Depressunzaton by of alarms and indicahon in the CR Some methods may accident sequences _ For mstance,in the response to a steam generator tube rupture

$ means other than also require operator actons that should be subject to the (SGTR), the ERGS and backgrourd &cuments (Refe ence 2) instruct the operator to ADS fut dessgn and implementation process. depressunze the primary system to equakre pressure to the secondary system, and thereby stop the re4 ease of pnmary coolant to the secondary system This can be actieved by use of the pressunzer spray. If normal or auxikary spray is not avadable.

then a first stage ADS valve is used to reduce the RCS pressure.

Manual ADS Is also used as a backup to automatic actuate of the ADS. In these estances, the operator manuary actuates ADS on erther 1) low CMT water level tonowed by the failure of the ADS valves to open,2) low hotleg levet as a result of faGure of the ADS and/or subsequert of operator fadure to recogruze the need for ADS, or 3) tagh core exit temperatures indcatrue of a ssgnAcant degradaten m core coedmg These associated parameters we be alarmed by the Alarm System. The ERGS contam optimal recovery guidehnes and functon restoration gudehnes, The ERG background documents contam a descripts of the accident sequences where the use of attemare or manual depressunzation es armcipated 33 Item B 2 (6) trii, ARemate The evaluation of dessgn altematrues for hydrogen control Hydrogen ignitors are prowided to address the possiblesiy of a beyond4esigneasts event d hydrogen control systems should include the information needs of the which results in a rapid production of large amounts of hydrogan, sud that the CD systems operators to assess the coretions that would require contamment hydrogen concentration would exceed the capacity of the Passsve system initiaton and the degree of automation of the Autocata'ytic Recorrtunens (PARS). thereby resu8 ting m the flammatxhty hmet bemg systems. exceeded The igndors are ocorporated in the design to address a lowpobatxhty severe accdent, and a e not rehed upon to mdgito design basts events. The igrutors are actuated manuaRy by the operators, as a result of two conditons: 1) when the core exit temperature reaches 1200 T (atarm). or 2) on recept of a tugh hydrogen concentration starm as detected by the hydrogen morutors. There is no pronson m the design to actuate the igndors automatically.

34 ttem B.2 (7) 2tv, Safety The selection and esplay of important safety parameters The regulatory requirer ients for ao SPDS wis be met by integrating the requiremeras Parameter Display and their integration into the overaR dessgr of the CR is a mio the design requirements for 'he AP600 M-MIS, specshcally mto the portons of the System (SPDS) pnmary HFE issee. system that produce te alarm n. :ssages (Atarm System). the Computenzed Procedure System (CPS) for eme gency proce&res and the process displays (plant informaton system). The integraton of the SPDS mio the AP600 M-MIS ard a desenpton of how the AP600 M MIS desagn satisfies the seguirementstntsna of a SPDS is found in SSAR 18 8.2.

O e

O t$

Bm er e a<

,y _.

mm

E TABLE 1 (Continued)

G h>

@ OPERATING EXPERIENCE REVIE3y FOR THE AP600 a

g issues Addressed By NUREG 0711 Appendix B C Item issue Reference issue / Scope Human Factors AspectHuman Performance Issue Human Factors / Human Performance issue Addressed by AP600 Design

?

G 35 Item B 2 (8) 2v, Automate Providng operators with tne caraL4 sty to monitor the status The WPtS prowdes and martans sitaanon awareness by presentmg ptart rearmation y mecation of of automatc systems es an wrportart function of the CR on a large screen @ splay and possessag desgn teatures 2 address the elements of

$ bypassed and oformaton esplay system . 4 a component emportart to snuation amareness (Refer to the response to nem 66 of this table for more information inoperabie systems tne martenance of the operators'sguaton awareness. on how the APS00 HSt rnartams operator situatonal awareness } System and equpmert avadabesty and status reormaton es presented by the w&2 panet &< plays Also, the status of automate control systems (ronsafety-re8ated) and automate protechan systems (reactor protecten and ESF actuation systems) am provided by the was panel esplays. The wat panet esptays include monstanng of the current state of automate systems (control and protechon). For example, an RCS pressure control funcnonal esplay es meluded on ee wat panel esplay. This funcnonat esplay grow includes the current status and trend of RCS pressure.

Alarm system ovennews are mcorporated into the wa8 panet esplays. These ovennews alert the operator to changes in peart state, inclueng changes m the status of automanc systems (control and protection). Enarrvees: (1) Operators are alerted to the switch from " auto" to " manual" of automate control systems such as the pressaer pressure control system; (2) operators are alerted to bypassed protection mstrument channets; and (3) operators are aterted to protecbon system degradaten such as an out of sennce CLtT actuaton valve.

$ The WPtS provides the means to dwect'y 7:ws the rnost appropnate workstation displays that provide more detaded mforme80s about the Cfnnge that has occurred. ,

These workstaton esplays irciude alarm support @srMays. tunctonal esplays, physcal l

@ splays, and automate system morwtonng esplays.

i o

o i

O 1 M

3I cr o o s.

rn "6 l O

O '3 '

c) F0

E TABLE 1 (Contmuod) b ~

$ OPERATING EXPERIENCE REVEW FOR THE APOOO a

W Issues Addressed By NUREG 0711 Appendix 8 Item issue Reference IssuerScope Human Factors ? , C_. Performance issue Human Factors / Human Performance 12 sue Addressed by AP600 Design V

y 36 trem B 2 (9) 2vi, Venting of Operator moratonng of the sutus of noncondensele gases SSAR sdsection 5 4.12 escusses the AP600 t*ppomt vents retudmg the reacDx y noncondenstle m 1he RCS and havng clear, unamtzguous odcation el the vessel (RV) head ver't The requirements tot tughW vents are met for the AP600 by

$ gases condmons under whe gas release must be inmated. the RV bead went vaives and the ADS valves. The pnmary function of the RV head went should be evaluated for HFE desgn imphcations. ts for use dunng plant f8 and startup to propedy im the RCS and vesset head. Both RV head went valves and the ADS valves may be activated and controlled from the MCA.

The AP600 does not requae use of an RV head went to previos safety 4etated core coohng followmg a postulated accident.

The first stage wahres of the ADS are attached to the pressunzer and provide the capabikty of removmg noncondersible gases from the pressunzer steam space todowng an accident Gas accumulations are removed by remote manual operation of the fast stage ADS vatwes. The escharge of the ADS valves a drected to the rH:ontaavnert refuehno water storage tank (IRWST) Subsechon S 4 6 and Section 6 3 of the SSAR escuss the ADS valves and escharge system.

The AP600 ERGS specified in ERG AE-1. Step 17, states that the plant staff be consutted to determme d the vesset head should be vented The:r decesson would be based on the specife accident sequence and avadabee systems. Operation of the ADS typcally otmates the need for verstog of the head to preserve natural cwcetanon cootng j Although not requred to provide safety-related core coohng to80wmg a postulated accident, the RV head went valves can remove noncondensb6e gases or steara 'vom the RV head to mehgate a posstle condition of inadequate core coolmg or impared natural cuculation throu@ the SGs resulung from tne accumulation of noncondenstie gases in the RCS The desgn of the RV head vert system a in accordance wet the requrements of to CFR 50 34 (t)(2)(vi).

The RV head vent valves could also be used dunng a severe acodent (beyond4essgn-bass) scenanos where multiple failures in the safety 4 elated systems result m fuel damage and the generation of noncondenstte gases that co8ect in the vesset head.

Corrtunabons of multiple fadures in the safety 4 elated systems could make ventog the head to alleviate the buildup of nu. viden tk gases destable O

m O

am oe O<

-s y_.

mm

E TA8tE 1 (Continued) b m

OPERATWIG EXPERIENCE REVEW FOR THE AP600 g toeues Addreened By NUREG 0711 Appendia B C 8 tem Issue Reference issue / Scope Human Factore _^ Xr. Performance issue Human FactoreMuman Performance Issue Addressed by AP900 Design T

$ 37 Rem B 2 (10) 2xi, Dwect The atarrmng ard indcaton of SRV status shoud be clear Status mdcation of the pressunzer SRVs and the SG SRVs are prtnaded in the MCR.

y mdication of safety and unamtsguous and should be evaluated for HFE desgn The vatve positen indcaton for these SRVs is -wWwd through *dwect"

$ rehef valves in CR ms.evia eneasurement of stem posetn The posmon status of these SRVs is mduced in the Est of vanables and instrumentation needed to allow the operator to monnor ard mamtan the safety of the AP600 throughout cperatmg condmons that mclude accdent afd post, accident condmons. SSAR Secton 7.5 prowdes this nst of vanables and mstrumertation The pressunzer SRVs ard the SG SRVs wdl have a tus set of abnormaMy alarms and status messages m the MCR. The abnormality alarms we agpear m the ovennew of atarms as integrated uso the WPIS. For example, alarms alering the operator inat the vatve es OPEN when a should be CLOSED, or CLOSED when a should be OPEN we est and we appear m the alarm ovennew as integrated into the WPtS. Status messages for the expected behavior of these SRVs we exist on the alarm support screens avadable at the operators workstation For example, status messages mformmg the operator that the vau is OPEN when R should be OPEN. or CLOSED when it should be CLOSED we exist and be avadable on the alarm *e screens avadable at the operatr"s workstation.

The AP600 alarm system is desgned foaowmg the HSI desgn process descreed in

$ SSAR Secton 18 8 as past of the AP600 HFE program.

38 Item B 2 (1t) 2xii, Aurdiary The HFE aspects of proveing snecaten and inmatme for NOT APPUCABLE: The AP600 does not have an AFW system. The AP600 Passive feedwater (AFW) AFW should be evaluated. Resdual Heat Removal (PRHR) systerr. functionany replaces the AFW system. Refer to odication and SSAR Secton 6.3 for a descrpton of the Passnre Core Coolog System (PXS) which inmation mciudes the PRHR system. The mdicatons needed to momtor the prtper operation of the PRHR system are identified and ventwxt through the FBTA process as described in SSAR Secton 18 5.

39 Item B 2 (12) 2xvi, Nurnber of As part of the specification, allowabee actuaton cycles and THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING SYSTEM.

actuation cycles for the prethod by which cycles wdl t;e defmed, recorded, and the emergency tracked by the operatog crew, thould be evasusted for HFE core coohng system desgn inphcations.

ard reactor protecten system 40 ftem B 2 (13) 2 xvii, CR The selecten and esplay of important parameters ard thew The WPtS prowdes dynarmc @ splays and mimics that present information to onent the instrumentati n f f integraton int the overall desigre of the CR is a pnmary MCR operators and those ertenng the CR (operator shift tumover, techmcal staff, piart O

y vanous parameters HFE issue. management, etc) to the current status of the plant. For each plant mode or ssgnitcant O plant state withm an operating mode, the WPIS mcludes a mumc totay that provides a physical ovennew of the plarit's signifcant systems and respective key -w 6 g CD The wall panet mimic display includes the dynarme esplay of key plant parameters so w that the reactor operator or a person entenng the MCR can estabbsh the plant operating

] S,

10. stasus.

mm

E TABLE 1 (Contmuod) b E

OPERATING EXPERIENCE REVEW FOR THE AP900 issues Addressed By NUREG 0711 Appendia 5 g

3 Item leeue Reference issuerScope Human Factore ? , 2^_ Performance issue Human FactorsMuman Performance Issue Addressed try AP600 Design T

G 41 ftem B 2 (14) 2xvni. CR The seectm and esplay of smportant parameters and theer The regulatory requrements for an SPDS me be enet ty *rnegrahng* the equirements y ristrumentaten for ritegraton irto the overat desgn of the CR is a pnmary rito the desgn requirements for the AP600 M M1S, specahcally rito the portons of the

$ anadequate core HFE issue. system that produce tne alarm messages (Atarm System). the CPS for emergency coolag procedures, and the process VDU esplays (Plant Informaton System). Reter to SSAR subsecton 18 8.2 for a descrecon of the SPDS.

Folloung a reactor inp the CPS provides automate morutonng of the critcal safety funcDons (CSFst alerts the operator b a degraded functon, and suggests the apperpnate funcnon restoraton guidehne Core Couhng s one of the CSFs.

Also, refer to SSAR subsechon 1.9 3.

42 Item B 2 (15) 2xix. The selection and esplay of irnportant parameters and ther The selection and esplay of the parameters whd pertorm the post-accusent morutonng instrumentation for st*praton into the oversa desgn of the CR is a pnmary functon is part of the desgn process. anatyss and results presented in SSAR post accidert HFE issue. Secton 7.5. An analysrs is conducted to sdentdy the agprop9 ate vanables and to monstonng estabbsh the a@ropnate desagrt bass and quahfcaban entena for instrurnentation eenployed by the operator for mondonng conettons in the RCS, the secondary heat removal system. the cortamment and the systems used for attaarang a safe shutdown condrhart Ttwee categones of design and walacanon entena are used (SSAR j subsecten 7 5 2). Category 1 erstrumentaton has the tughest performance a rentaremeres and 6s used for informanon that can not be lost under any cucumstances U The OOPS s the HSt that provides the Class 1E esplays to the operators in the MCR The ODPS displays an include all Category 1 vanables and some Category 2 vanables (Table 7.5-1 of the SSAR). The,specde esplays of the ODPS result hom the comptehon of the HSt Design process (Element 7). The HSI desgn process is desenbed under SSAR Sechon 18 8.

43 ttem B 2 (16) 2xxi. Aummary heat The specifcation and evaluatm of manual and automate SSAR Section 18 4 and WCAP-14644 erument the AP600 tuncnonal regurements removal systems actons should be subrect to the funcDon allocatm anahss and function aHocaton, inclueng the functon eBocaten decisions desgn to facetate analyses performed as part of the design and (manuavaulomate) made for auxihary heat removal systems such as the CCS and the manualrautomate unplementa30n process. SWS. Table 2 of WCAP-14644 reludes the identitcation of meien an auxihary heat actions removal system is used to support a CSF. Table 4 includes an explanaton of the functonal anocaton for eacts auxnary heat removat system 44 Item B 2 (17) 2 xxiv. Recoreng of The wiection and espley of irrportant parameters and ther The requirements for RV4evet indicaton are provided by redundant, safety 4 elated RV level integraton into the overaR design of the CR is a pnmary RV4evet instrumernatiort As shown ri SSAR Figure 51-5. these ristrument channels HFE issue. (LT 160 and LT-170) have one level tap that connects to the bottom of a hot leg. and one levet tap that <xannects to the top of the hot 4eg bend that connects to the SG. This g inshumertaten a used to pmvide RV water level dunng an accident, and is also used to ce O provide hot 4eg levet dunng shutdown operations inclueng und4oop. Ttus er strumentaten provides indcahon of RV water level for a range spannsng from the g c, bottom of the hot leg to apprournately tre elevation of the matmg surface. This CD $ ristrumentaton is tenperature corrpensated and provides accurate levet measurement

[ !e. dunna su modes of operanon. Refer to SSAR subsecten i.9 3.

E cn m

E TABLE 1 (Continued) b OPERATING EXPERIENCE REVIEW FOR THE AP600 m tesues Aodressed By NUREG 0711 Appendix B g

Human Factors Aspect / Human Performance issue Human Factors / Human Mi..- A lesue Addressed by AP600 Design C Item tssue Reference issuerScope V The design of the TSC remote shutdown facihty. and the OSC are owemed by the 45 Item B 2 (18) 2xxv. Techrucal The desagr of the TSC. OSC, and EOF should include HFE G considerations to ensure that the perscnael located in same HFE dessgn program as the MCR desgn. Chapter 18 of the SSAR descrtes the y support center AP600 HFE program. SSAR stesecton 18 8.3 addresses the TSC remote stutdown (TSC). operatonal these facihbes can most effectnre sy per+orm thew safety-

$ support certer related functions. Poor HFE desgn of these facemes may tacihty. and the OSC. The HFE program is desgned around the to elements of the (OSC), and meerfere v.th the performance of operacts e a well- HFE Program Review mode 4 presented m NUREG-0711.

emergency oftsste desgned CR facibiy (EOF) The COL apphcant shall address the desgn of the EOF 85 stared m SSAR subsechon 18 2 6.

46 Item B 2 (19) 2xxvii. Morutormg of The selection and display of smortant parameters and their The radation morutonng system (RMS) prov es plara effluent monitonng. process fluid optant and mtegranon into the overall desgn of the CR is a pnmary monstonng, auberne monitonng, and contem,uus inocanon cf the ra$aton environment sirborne radaten HFE issue. in piars areas where such Mformanon is needect The desgn bases of the RMS includes providmg long term. pcst-accident muutonng (usmg both safety-related and nonsafety-related monnors) and provdmg equipment to meet the apphcable regulatory requirements for both normat operation and transsent events Refer to SSAR Section 11.5 for a desc@ticm of the RMS.

Radation rnorutonng data. bciudog alarm status, are integrated mto the MCR workstaton esplays and, where amropnate, into the WPts esplays. The output of the d HFE task analysis activmes is used as an input to the desgn of the workstation and wall a panet esplays. Refer to SSAR Secten 18.5 tor a desenptson of the task analysis O actrvrbes.

47 2xxvui. CR While potential pathways for raeoactmty to affect CR The nuclear istand -hmGs ventdaten system (VBS) as a nonsafety-related system ftem B 2 (20) habitabity habitatnhty may be adentifed and desgo solutions to atuch supphes the MCR tt includes ra@ahon monitors m the s@ty ducts, with alarms prectude such p oblems may be developed the CR to inocate tugh radhaton levels in the pathway. If the radabon level es above the Hi He operatog crew should be aware of potential pathways. se'pont, the normat beatmg. ventila* ion and air <onetiorung MVAC) system rs l The integnty of the dessgn solubons and the presence of automancally stopped and the Cft is lhen isolated The satery-related emergency radiaton m the pathways should be consdered if habdabiiity system (VES) is irutiated on the same sgnal, and it provides air for evaluahons of monitonng rnethods m the CR are warranted respiration of the CR occupants and pressuriza* ion of the CR pressure boundary The ar is not dehvered through the isolated HVAC duct. but es deirvered through dedicated, separate knes which penetrate the CR pressure boundary. The VES is desgned to mamtam a poseve pressure of 1/8" water gauge in the MCR pressure boundary witn respect to surroundng rooms. The system incorporates redisidare pressure estrumentaten wilh alarms to provide en$caton that this funchon is met.

48 ftem B 2 (21) 4. A.1.4. Long-term Thrs issue concems stuft staffmg with hcensed operators Staffog levels are the fesponsibdity of the COL appiscant as stated m SSAR upgrading f and w riung h urs f meer sed perat rs. Updates to Secnon 18 6. SSAR Secnon 16.1 subsecton 5 2.2 d also addresses uCR stattng and O operatmg persormel 10 CFR 50.54 were aproved. brruts on wortung hours.

e g and staffog 33 49 t A 4 2. Simutator Ttus issue involves the kiva...c.- e of the use of Traming program development is the responsbdny of the COL apphcant as documented Item B 2 (22) in SSAR Sectons 13 2 and 1810.

[@

capabikties simulators in the trarung of operators.

The development of plart proce$nes are the responsibdify of the COL apphcant as a E 50 ttem B.2 (23) I C.1. Guidance for Ttus issue add' esses normal. transsent, and accident the evaluation and condtons to ensure that procedures are tectwucalty correct. documented in SSAR Section 13 5. The AP600 ERGS have been developed and CD h provide the techrscal basis for the development of the emergency operatrg procedures

$g developmert of exphcit. and easaty understood.

(EOPs). Refer to SSAR Sechon 18.9 for more information on

Procedure Development.*

procedures

E TABLE 1 (Continued)

$ OPERATING EXPERIENCE REVIEW FOR THE AP600 4

issues Addressed By NUREG 0711 Appendia 3 C Item issue Referewe issue / Scope Human Factors AspectHuman Performance issue Human Factors / Human Performance issue Addressed by AP600 Design V The developmers of ptant procedures is the responseMy of the COL aspicart as 1 C 9. Long-term Ths issue includes EOPs with paftcular emphasis on G 51 trem B.2 (24) documerged si SSAR Secten 13 5.

y program for eagnoste ads for off11ormal conehons.

$ upgra*g procedures 52 Item B 2 (25) I D 1. CR desup TNs issue addresses general CR desgn asues. TNs issue es ad2ressed by SSAR Secten 18 2 (HFE Program Managemerd), the HSI rewews desgn implemertaten plan (SSAR Section 18 8) and the HFE Venfcaten arv3 Validaten (SSAR Secten 18.11). Desgn rewews s's used as part of the Element 7 (HSt Desgn) process as descreed in Sections 18 2 and 18 8 of the SSAR.

53 ttem B.2 (26) i D 2. Same as stem Ths issue addresses the need for the provison of an The regulatory requeremeras for an SPDS wdl be rnet by ritegratrig the requirements B 2(7) above SPDS that esplays a rrwwnum set of parameters that rito the desgn requirements for the AP600 M-MIS specificalty rito the g:orbons of the define the safety status of the plart system that produce the alarm messages ( Atarm System), the CPS for emergency procedures and the process VDU esplays (Pla11rdormation System) The sitegration of the SPDS into the AP600 M-MIS and a descrphon of how the AP600 M MIS des.gn satisfies the requrements/critena of a SPDS is found in SSAR 18 8 2.

54 Item B 2 (27) t D.4. CR desgn Ths issue addresses the need for gudance on the destyi Ths issue as addressed by C;.4 e a and implementarion of an integrated HFE standard of CRs to ricorporate human factors wn.iw& Desgn Process that cordorms to NUREG-0711. Refer to Cf apter 18 of the AP600 SSAR tor a descrpton of the AP600 HFE program.

a O

u O

O 3m er G U, <

y a 5-D (D

3 CD !O

F I

l i

3 TABLE 1 (Con 6nued) 0 g o,eRAnna exnnience Review FcR 1He A,e00 t

Iseuse Addressed By NUREG 0711 Appendia B g

Human FactorafHuman Portormance leeue Addressed by AP900 Design 3 Itern leeue Reference leeuefScope Human Factors ? -., _ _1_-- . . Portormance leeue i Y Ttus ssue owdves the MM1 in the CR vdth regard to the The funcnon of the AP600 Alarm System is to support the MCR operators with the j G 55 Item B 2 (28) I D.5.1, CR desgn.

y improved use of Ights, alarms, and annunciators to reeze the fonowng actmhes of human cecesaon-makrg (adoo'ed from Rasmussen's modet of l

3 instrumentanon potereal for operator error, information overtoad, unwanted human decrsaarwnalung):

research alarms estractions, and insufreiere orgarszation of informanort and esplays 1) The ALERT actmty, i e., alert the coerator to oftmemai con &tions.

2) The OBSERVE WHAT IS ABNORMAL actmty, L e, ad the user m tocusmg on the importart assue(s);

i

3) Help wrth the process STATE IDENTIFICATION actmty, ie.. ad the user in t,eo.. 69 the abnormal constions and prowde correctwe achon guidance. as far as to guide the cperatng crew into that area of the complete Pfart information Display System in whch the data /information about the abnormahty and its resolunon can be found The AP600 Alarm System addresses the prot 9em of alarm ava'ancrang and operater data overload by managog the presentation of the alarms to the operators in such a manrer as to red. ice the number of alarms presented simultaneously 6.:rrg major esturbances, while mantarung sensttwhr dunng smas esturbances. The Alarm System qe is rot:ust enough tot a) show multple major process problems; b) not be ca-Me

$ by rrunor alarms that are related to, or are consequence of, the process problems (avalanchmg),3rd c) e4evate erunor alarms to a place of attentiormrovolung sigrufcance, when they are the most sagruficam process abnormaltbes_ However, those active alarm messages whch are not current!v esplayed are accesst)le ard avadab4e to the operators, upon request-

,The Alann System aids m directmg the operator to the area in the mformatsonal esplay system of the CR that contains specife da's related to ehmmating. Gagnoseng. and mehgarmg the process abnormality. The Alarm System also prowdes a hnk from a grven alarm to its erphcable computenzed al.stm response procedure.

56 Item B.2 (29) it F.1 and it F.2 These issues address detaded CR design issues rotated to Ttus is addressed by the response to items 40,41, and 44.

Same as item B.2 ristrurnentation (18 F 1, *Ad$tional accdent enorutorrg 13 and 14 above mstrumentation? and il F.2, " Instrumentation for Stection of inadequate core cooling").

O e

i

O M

3m cr m 0

, S.

ag O

O Ci CD f0 i

l s

l l E TA8tE t(Continued b

a OPERATW4G EXPERIENCE REVEW FOR THE AP900 teouse Adegressed 8y NUREG 0711 Appendia 8 C Issue # Scope 5%smen Factors ? , ^# "- - Portormance leeue Human Factora44uman Performerice tesue Adegressed try AP900 Design Item leeue Reference

, 9' Status 6tdcators of the pressunzer SRVs ar-t the SG SRVs are provided in the MCR

$ 57 frern B2 (30) Il K.1.5. Safety- This issue addresses erect mecation of rehef and safety y related valve valve positen in the CR so that the alarmmg and indcaton The posson status of these SRVs is included in the kst of vanables and instnanentaten valve status is clear and unarresguous and should be needed to allow the operator to rnorwtor and mantam the safety of the AP600 throughnut

$ posstion descretson evaluated for HFE desgn consderatiors operatog condibons tha: include accaders and post-acceders conditions. SSAR Section 7 5 provides tNs est of vanables and instrumentatiort i The pressunzer SRVs and the SG SRVs wdl have a full set of abnormahty alarms and status messages in the uCR The abnormatity starms ans amear in the o.ennew of alarms as integrated into the WPIS For exaniple, alarms alertog the operator that the l

vatve is OPEN when e should be CLCSED. or CLOSED when it should be OPEN wie emst and en appear in the alarm ovennew as integrated mto the WPtS. Status messages tor the espected behavior of these SRVs wdl extst on the alarm support

s. Teens avadable at Cie operator's workstatort For exartple, status messages mformog the operator that the valve es (PEN when It should be OPEN. or CLOSED when it should be CLOSED wd extst and be avadabe on the alaan support screens available at the operator's workstaten I

The AP600 Alarm System is desagned toRowng the HSt desgn process described in j

SSAR Sectron 18 8 as part of the AP600 HFE progrant

" 58 ttem B.2 (31) 11 K.1.10. Review TNs issue addresses procedures for ensunng that the The C.4.e4 of plant procedures is the responstwhty of the COL appH: ant as N and modify operaberry status of safety-related systems is knowrt documented n SSAR Secten 13 5

! procedures tor removing safety- The AP600 was panel overview atarm esplays, along with the informatonal system VDU related systems displays, presert indcations of bypassed or deliberately-mduced inoperaDie safety frorn service eque. Ttus mcsudes the bypassed or dehberately mduced moperatWary of any auxihary or supportog system that effectively bypasses or renders incoerable the protecton system and the systems actuated or contro3ed by the protecton syswn.

The WPIS mmc esplays include the esplay of hgNmd denved quant $es, e g , those

~

that depend on a partcular logc algonthnt An example of a hgMevet denved quantity is the avadabihty of a safety system or *.onctiort l

O co O

N 3m cr to cD <

.,}

a --

E

=8 e

C) lV i

E TABLE 1(C_ _ --?,

b o,enAn G excenie,.cc ar- ro T,. A,.00 a

4 Issues Asidroesed By NUREG 0711 Appendia 8 iE

% Performance Issue Human Factore44umen Portormance toeue Addressed by AP900 Design

~a

. Item toeue Reference IssuerScope Human Factore ? . -"

T The foBoung responses are provtjed to the gsestons raised in the attachment to

$ 59 ftem B 3 (1) Generic Letter 91- In tNs generic letter, the NRC proposes certan rnannonng, y 06. Resolution on survedlance, and mantenance provisacns for safety-related Genenc Letter 91-06. The responses are numbered to match the queston numbers in Genenc Letter 91@. SSAR subsecton 83.2.1.1 descrees the features of the Ctass 1E 8 (GI) A-30 de systemst dc and UPS system.

Adequacy of safety-reaaled de power suppbes 1. Unit - AP600 2A The number d independent redundant drvisions d Class 1E de power for tNs piare is 4 .

b. The number d functional safety-related evisons d de power necessary to attan safe shutdown for this unit is 3 3.a. The fotowing alarms are provided for each evision of de powet

1. Battery testresconnect sutch status and battery open circud alarm (open circuit alarm provided by the battery rnannor system)

2. Bacery charger dsconnect switch status and battery charger output breaker

q. status

.,.s CD

3. de system ground detecten alarm

4. dc bus undervoltage

5. Battery over*under voltage {provided by Ine battery morutor system) and battery charger output overfunder voltage

6. Battery charger ac iriput power failure and battery chargee troutse alarm

7. ~ Battery escharge rate c! arm

b. The toiloung inecatons are provided for each deson of de power 1-3. Battery current - used for float. charge, and escharge

4. dc bus voRage O c. Procedures for response to these alarms and indcatens are a COL appbcart issue.

es 8

am cr e '

Q 5. .

s5 D

em

3 TABLE 1 (Continued) b OPERATING EXPERIENCE REVIEW FOsa THE AP600 a issues Addressed By NUREG 0711 Appendix B s

R issue / Scope Human Factors Aspectatuman Performance tesue Human Factors / Human Performance issue Addressed by AP600 Design

'a

. item issue Reference

? 4. The battery chargeN are proveed unei input undervostage alarms and the input G 59 breakers are provided with breaker tnp alarms. In additKvt a spare battery and y

charger are prowded for usa cunng mactenance and testmg of the battenes and

$ chargers-5 Not apphcable 6 Mantenance and testog actrvibes and procedures are a COL apphcant issue.

7. The AP600 Techrucat Specifcatons (TS) are srridar to those found in the Westmghousa Standard TS for mantenance and surved:ance of Class 1E electncal systems.

8 a Capabdefy is mantamed for ensunng contmued and adequate reactor coohng tollowmg the loss of one safety 4 elated de power suppry or bus.

b. PCS integnty and isolation capabday are mantamed tonowing the loss of one safety 4 elated oc power supply or bus.

-4

c. Operatog procedures are a CCW. a@hcant issue.

(D 9 Not apphcable 60 Genenc Letter Ttus genenc lener escusses the ireerschon between GI-23 NOT APPLICABLE: The AP600 desigra moecaes reactor coolart pumps with canned ftem B.3 (2) 914)7. GI-23 and A-44. both of which have human factors aspects < motors that have no seals. Refer to SSAR 63 3 3 and 5 4.1 Reactor Coolant Pump Seal Failures 61 ftem B 3 ( a) Genex Letter 91- Ttus genenc letter addresses several assues related to The three statements below address the three recornmended actons of Genenc 11 Resolution of electncal systems, ircludog the reduction of human errors, Letter 90-11.

Genenc issues 48 control of equipment status, and testng ard 49 1. The time hrnitattore and survedlance typnts for v*.at instrument buses are addressed in TS. SSAn Z.16.1. subsections 3 8 5 and 3 8 6.

2. The trne bnutations and survedlance requiremeras for Class 1E mverters are addressed m TS, SSAR Section 16.1, absections 3 8.3 and 3 8.4.

3. The AP600 design does not contam any tie breakers that can cunnect redundant O Class 1E buses The one-hne diagram for the Class 1E dc and UPS systems are 44 shown in SSAR Figures 8 3 2-1 and 8.312.

O 3m cr co R

, e.

OO e

C) to

E TABLE 1 (Continued) b OPERATING EXPERIENCE REVIEW FOR THE AP600

$E assues Addressed By NUREG 0711 Appendis B Human Factors Aspect / Human Performance lasue Human Factors / Human Performance issue Addressed by AP600 Design C ltem lesue Reference issue / Scope

? The AP600 Alarm System snforms the MCR craw about those fadures unttun the jG 62 Item B 3 (4) IN5347 Unrecogruzed Loss of CR Annunciators.

equement cormnsmg the system, that cuuid degrade to the poot where either system y unrecogruzed Loss performance is reduced or system avadatxhty is threatened _ The AP600 Alarm System

$ of CR Annurdators desen phdosophy is such that the system s preferred fadure mode is through a successon of " gracefully degradeg* states of operataan rather than a

sudden deattt' The abrm overwew displays, integrated mio the WPIS esplays. mclude a @ splay of alarm messages that desenbe fadures or degrasinon of equipment that corynse the Alarra System. Soce the alarm overview Gsplays are integrated mto the WPlS. a dynarruc hidcation that the WPlS is runnmg as used to iaustrate to the CR operators that the system is not " hung

in a froren conditon IN 93-81, impications of Engmeenng Expertise on Shift. As stated in SSAR Section 18 6. COL apphcants will address the staffwig tevets and 63 ttem B.3 (5)

Imphcations of qualifcations of aR plant personnel Engmeenng Expertse on Shift 64 Item B 4 CR Orgaruzation - CR staffing levels had impawed crews m per% ang their Workload analyses is paq of the task analysis (Element 4) to be performed as part of the Staffing and emergency functions. CR personnet wa e os..t)urdened AP600 HFE design process. The wo kload analysts provides an indcation of the Responsbi:hes dunng emergencies. Based upon a review of NUREG- adequacy of CR stattog assumptions. In cases where the anaiysis andcates tugh 1275, WCAP-14t14 (Secten 6.2) discusses casus where operator workload values or insuffcent trne avadable for performance, we wdl evaluate y attematwe CR statfog assumptions or changes to the M-MIS design or task allocaton to operators failed to take a requwed acton due to a mental 4

o lapse because of a high workload sstuaton, reduce operator workload. Refer to SSAR Secten 18.5 for a desenpton of the task analysas implementaten plan which includes workload analysis. As stated m SSAR Secton 18 6. staffing levels are the responsb! sty of the COL appicant.

65 Item B 4 CR Orgaruzaton - The use of the "duarrole" STA-impaired crew performance Workload analysis is part of the task analysis (Element 4) to be performed as part of the Stuft Techrucal because the other SROs were overloaded when one SRO AP600 HFE desgn p ocess The workload analyses provides an indcation of the Advisor (STA) assumed the STA role. Assignment of olher tasks dunng adequacy of CR staffing assumpoons in cases where the analysis andcates tvgh events detracted from the STAS safety functon. orsretor workload values or insuffoent time avadable for performance, we will eva!uate attematwe CR staffing assumptons or changes to the M-MIS design or task allocaten to reduce operator workload. Refer to SSAR Section 18 5 for a desenpton of task anstysis implementation plan whch includes workload analysis. As stated m SSAR Section 18 6.

staffog levets are the responsibdify d the COL appleant.

O ew O

Q 3I cr u O i

,E o8 w

CD TO

g TABLE 1 (Continued) d n

$ OPERATING EXPERIENCE REVIEW FOR THE AP600 a

issues Addressed By NUREG 0711 Appendix B g

C ltem Issue Reference issuetScope Human Factors AspectfHuman Performance issue Human Factors / Human Performance issue Addressed by AP600 Design

'I 66 CR Orgarazaton - Crmcal performance in compieu systems depends on the For the AP600 MMI desgn, the tonowmg elements of $4uaton awareness have been G Item B 4 adopted: a) the awareness of current plant state; b) awareness of charvJas M plant y Teamwork Fodngs coordnated actmty of a group of indmduals, wtuch octudes af factors related to the performance of the state; and c) the links from the wall panet group ovennew dsplays to the endmdual

$ workstaten esplays.

operating crew. Based upon a rewew of NUREG-1275.

WCAP-14114 (Secton 6 t) escusses cases where there were low levels of task awareness, command, control, and As one of the AP600 M-MIS resources available to the MCR operators, the WPIS

w. . . . wiort These events illustrate fadures to mantam provides and masntans sduation awareness by presentog plant informaton on a targe broad awarer".ss of ongomg actmties and their screen esplay and possessmg the dessgn features to address each of the three impications. Of particular concem are failures of elements.

superwsory persormet m martammg awareness of the actrvrties of the personnel under ther erecton. The fonowng provrJes two examples of design features of the WP!S that address the first element of situat!on awareness: t) For each plant mode or each sgnahcant plant state wittun an operatog rnode, the WP1S includes a mme esplay which provujes a physical ovennew of the plant's sgruficant systems and respective key -yv.m.45. and

2) The wall panel mimic dsplay includes the dynarruc 6 splay of key plant parameters so that a reactor operator, supennsor, or a person entenng the MCR can estabhsh the plant operatog status.

To address awareness of changes in plant state, the Alarm System's overwew esplays

q. are ocorporated into the AP600 WPtS ovennew and rnieruc esplays The alarm

$ overwew portion of the WPtS performs the "atertog* actmty in the human decison-malung process.

The links that are provided from the wat panel displays to the indmdual workstaton displays are the third element of situation awareness. For systems of workstation esplays as large as the one required for AP600 askog operators to find and select the most appropnate esplays when unantripated plant changes occur can impose a large mental burders and can be time consuming when other actmties may be time entral, When sigruficarit changes to plant parameters occur, operators need to know which workstaten esplays are appropnate and the most effcient method to locate and select those esplays. Operators wis not be required to coneact lengthy searctes for esplays at the paart when squfcant Changes in plant state have occurred. Operators need to be able to get to any esplay quickty and effc6ently. Therefore, the WPIS esplays provide the abshty to identify and access the most appropnate wor % tun esplay from the wat panet. Specifrally, the WPtS possesses the fonowng desgn *eatures to address the therd element of situation awareness; a) When changes ir. plant state have g occurred as in@cated on the WPtS. operators are not required to conwet lengthy (D searches through the workstatton esplays for more detailed informatiart When a change oCx:urs, as indcated on the trurruc csplay (a changing plant parameter) or the O wait panel alarm overview dsplay, the WPIS identifies the most appupnate workstaton gy CT (D esplays. b) The WPtS provides the capabslety to erectly access from the waN panet the

$5 most appropriate workstation esplay that provides more detailed informaton about the change that is occumng or has occurred a -

O 3 (O

O) IV

- _ _ _ _ _ _ = _. . _ _ _

E TABLE 1 (Continued)

G to OPERATING EXPERIENCE REVIEW FOR THE AP600 E issues Addressed By NUREG 0711 Appendix B Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design 3 ttem issue Referer.ce Issue / Scope V Operators acted dun events without usmg a procedure The development of piant procedures, mcludog admirustrative procedures such as G 67 ttem B 4 Procedures -

Procedural content, eae of use, and management pohey procedural compuance, are the responsatMhty of the COL apphcant as documented m y Procedural SSAR Section 13 5.

Adherence and practices influenced procedure use. Based upon a

$ I review of NUREG-1275. WCAP-14114 (Sechon 4.5) l escusses cases where procedures were availatse but not used-Procedures - Operators expenenced efficutty in applyng knowledge to The C.4-..; of piant procedures are the respons6hty of the COL apphcant as 68 flem B 4 Knowledge-Based unusual plant condrhons that resulted m delays in documented in SSAR Section 13 5.

Performance recognaring and responding to events Based upon a Dunng Even revew of NUREG-1275. WCAP-14114 (Section 41) Congletion of Element 7 (HSI Desgn) of the HFE Progrt Peview Model discusses cases where the particular sduation was not fully (NUREGt71t) and the AP600 HFE Desgn Process helps address trus issue. A covered by the procedure requmng knowledge based furu3amental tenet of the AP600 HFE/M MIS desgn process is that in addition to reasonmg to fill m gaps and adapt to the situatiort ensunng that the M MIS supports the task of process equprnent control and operaton, the interface design basis includes consideration of those cogrutive tasks that represent how humans reason assess situations, and make decisions m a real-time process control ec.. v.m i The premese for this desgn basis is that errors of intenten (mcorrect or improper decisioneakog) can be reduced if the set of tasks that the M-MIS is desgned to support encludes those cognitive activities expenenced wtule operahng the d plant. To accomphsh this desgn basis, an input to the task analyss activites es an operator decessoremaking model. This rnodelis uhhred m the M MIS desgn process to IV IV provide a structure for and to help detemune the cogrubve needs of the plant operah0ns personnel The modelis used to defme the set of queshons that are used in the cogrutnre task ar.alysis part of the FBTA. The definition of l&C requirements that resu'ts from answenng this set of questions supports operator performance at all three levels in Rasmussen's deossorHnaking model (i e , skill-based. ruletased. and knowledge-based reasonog). Usmg the output of the FBTAs as an anput to the desgn of the M-MtS.

should result in an MMI that supports the kmd of knowledgetased reasonsng that 6s required to handle unanhcipated events or events where existing procedures may require knowledgetased reasonog to fillin gaps. The FBT A is based on a fundamental analyses of plant goats and funchons and is ettective in desgrung M-MISs to support operator performance in preanatyred situations (executog a procedure) and unanticoated situations. Refer to SSAR Secion 18.5 for the task analysis plan and to 18 8 for the HSt dessgn plan.

O o

O 4

33 cr o O S.

, e.

e8 w

C) 10

M TABLE 1 (Ccntinued)

G OPERATING EXPERIENCE REVIEW FOR THE AP600 E

Issues Addressed By NUREG 0711 Appendix B g

Human Factors Aspect / Human Performance tasue Human Factors / Human Performance Issue Addressed by APE 00 Design 3 Item issue Reference issue / Scope

? The development of ptarit procedures are the responsbhty of the COL applicard as Procedures - Operators expenenced difficulty in applyng knoudedge to

$ 69 ftem B.4 KncwiedgeBased unusual plant corotes, whch resulted en delays m documented m SSAR Section 13 5.

G recognizmg and respon$ng to events. Based upon a

$ Performance rewew of NUREG-1275. WCAP-14114 (Section 4 2) Cortpletion of Eternent 7 (HS1 Desgn) of the HFE Program Review Model (NUREG-Dunng Events escusses cases where operators had to balance multiple 0711) and the AP600 HFE Design Process helps address th:s issue. A fundamental goals in determnng a course of action. Situations arise tenet of the AP600 HFE/M-UtS desagn process as that, o add! tion to ensunng that the where operators need to consider and balance multple M MIS supports the task of process equipment control and operanon. the mterface goals. design basis mcludes consideration of those cogrutive tasks that represent how humans reason, assess situations, and make decessons in a reaFlime process control environmert The prervuse for this design basis is that errors of ritenhon (incorrect or emproper decissorwnaking) can be redsted if the set of tasks that the M-MIS rs designed to support includes those cogrwtive activities e.pe%., ed while operatog the plant "1 accomphsh ttus desagn basis an input to the task analysis activsses is an operato decision-making model. Ttus enodelis utstized m the M-MIS desagn process to pts. e e structure for and to help determme the cognitive needs of the plant operations k personnel The modelis used to define the set of questes that are used en the cogrutive task analysts part of the FBTA. The defation of I&C requirements that results from answenng ttus set of questions supports operator performance at all three levels m Rastrw.rseen's decissonanskmg modet (i.e., skiiltased, ruletased, and knowledgetased

q. reasonog). Usang the output of the FDTAs as an input to the design of the M-MIS.

should result in an MMI that supports the kmd of knowledgetased reasonog that s h required to handle unanticipated events The FBTA is based on a fundamental afulysis of plant goals and functions and is effective in designmg M MISs to support operator performance in preanalyzed sstuarons (executmg a procedure) and unanticoated situations.

70 ttem B 4 Procedures - Operators expenenced eftculty in appW knowledge to Trainmg program development is the responsibahty of the COL apphcant as stated b Knowledge-Based unusual plant cond6tsons, which resulted m delays in Section 13 2 of the AP600 SSAR.

Performance recognizmg and respondog to events. Based upon a Durmg Events review of NUREG 1275. WCAP 14114 (Section 5.0) escusses cases where operator acticns reflected gaps in knowledge (implyng a need for improved trawung). l l

O co O

CD 3 21 cu a s.

, e.

=8

=

0) to

I i

3 '

TABLE 1 (Continued) b

OPERATING EXPERIENCE REVIEW FOR THE AP600 '

un Issues Addrosood By NUREG 0711 Appendia 8 y

,o Human Factors Aspect / Human Perforrnance issue Human Factors 4tuman Performance issue Addressed by AP600 Design 3 Item Issue Ref ..,.e leeuerc~a=

? Preconetons from past expenence. trawwg. or The AP600 HSt/M MIS mciudes a CPS that assasts the plant operators in = s% aruf j y 71 ffem B 4 Procedures -

controneg the executen of plant procedures. For a gnren procedure, the status of each j y Operator management duecton strengty affected how operators proceoure step is cynam.caty determmed and presented to the operator along with the Preconditonog recx>gnized and responded to events and had led some

$ operators to disbeheve vahd indications or take supportmg plant information. To aneviate the annerent fixed kneanty of paper 4)ased inapproprlate actaans. Based upon a review of NUMEG- procedures the CPS performs parallel morutonng activties which are performed by the 1275. WCAP-14114 (Secten 4 4) discusses cases whete operator m paperbased procedures. A parallel morutonng actruey is a plant condtion, the delay h performmg EOP E4 may negatively impact state. or parameter that is moratored by the computer in parallel with the activity of recovery acihty. The inherent fixed kneanty of paper-based guieng the operator through the respective procedure. Types of paraneiinformation procedures means that in some cases operatnrs are placed morutored by the CPS are the status of CSFs, procedure notes and cautions, fondout in satuatons where they have to go through procedural page items, iruteted actons (contmuous acton steps), and contmuously morytored steps that are obviously not relevant to the situation, and parameters. With the CPS dynamacalty determuung the .tatus of each procedure step ;

+

as a consequence delay reachmg procedural steps that are and performmg parallel moratonng activities, the delays caused by the inherent fixed j -

important to perform in an exped.hous manner. The kneanty of executog paper 4)ased procedures are mrwruzed or ehnunated. Therefore, 1

mherent fixed Imeanty of papertased procedures has two the CPS allows the operator to readt the relevant steps for termmatog the incsdent and potential negative consequences. Fwst, in some cases the stabmzmg the p6 ant much quicker and trurwruzes the temptation to jurg to retevant steps delays caused by the need to follow each prtvedure step or to "wmg it" without procedures.

f sequentiapy will resutt m con @ tons becommg more r i

degraded than if operators could reach the re'evant procedure steps more quick!y. Second, because operators qe are able to assess the situaton more quickly 'han the l

$ procedures ailow, and in ' heir expenence they are genNally correct, the tenytation to ganp to what they L

f percerve to be the relevant steps for termmatng the ancident is high. This is hkely to be a cor:tribi.teg factor m cases where operators were observed to wu,g it without Operators mappropnately defeated the automatic operaton The AP600 ERGS (Reference 2) provide specific termanaban critena for the operator to 72 Item B 4 Procedures -

Control of of ESFs during wahd system demands. Somer hcensees twass or ovemde ESF actuatons. These are typicalty provided to termmate safety I

Emergency Safety have not provided sufhcient guidance that hrrits bypassing system operataan once an accident bequence has been diagnosed, and the plant has Features or esablog ESFs, allowed for by TS and emergency or been retumed to a stable, safe condition. [

operatog procedures Based upon a review of NUREG-1275. WCAP-14114 (Sechon 4.3) drst.wses cases where operators bypassed safety features.

A lack of appropnately ranged. drect4eadeg. CR The design of the AP600 has consadered shutdown modes extensivety as documented ;

73 trem B 4 Hurt.an-Madune mstrumentaton to mor 40r reactor pressure, temperature, in the various hcensmg subnuttals: 1) passive safety systems that are desgned to j interface - !

Shutdown and level caused operators to have diftaculty in recognizing mitigate accidents dunng shutdown enot'as (SSAR Secton 6.3) 2) TS that apply to the O and responding to stwtdown events. when cperator actions passive safety systems dunng shutdown modes (3SAR Chapter 16). 3) ERGS !

O Instumertation were required to acromphsh the safety funcbons of (Reference 2) for shutdown modes,4) quantdicaton of the risk of core damage at ;

O disabled, automatic safety systems. Based upon a review shutdown (AP600 shutdown PRA). 5) evaluation of design basis initiatog events dunng j 3D CF G of NUREG-1275. WCAP-14114 (Section 3.1) escusses shutdown modes (AP600 Shutdown Evaluation Report - 6/96). Instrumentaten has cases where there were nuslea$ng indicators (failed been designed to appropnately cover at modes of operation includng shutdown.

, y j A sensors).

3- ;

(D

@ 3 f l

C) f0 ;

i i

?

E TABLE 1 (Conunued)

G .

N i

OPERATING EXPERIENCE REYlEW FOR THE AP900 Iseuse Addressed By NUREG 0711 Appendiu 8 g

3 Item leeue Reference leeue/ Scope Human Factore ? _ m. .._.-. Porto.'< nance leeue Human FactoreA4uman Performance leeue Addroomed by APG00 Design

? The AP600 WPiS prowdes and maintains stuation awareness by presereng plant 74 Item B 4 Human Machme Operators failed to recognize constens that were clearty G oft 41orrnal but which were not alarmed. Based upon a information on a large screen esplay and possessang the design features to address d

y Interface -

each of the three elements d satuation awareness: (1. awareness of current plant state; 8 Operator review of NUREG-1275. WCAP-14114 (Sectum 2 2) escusses cases where the operators taaled to detect an 2. awareness of changes in plars state; and 3, links trorn the wall panel group ovennew Awareness abnormal (but not alarmed) condition. esplays to the lnendual workstation esplays). The WPtS addresses the twst element by providing a dynamic mme esplay that presents a physical overwew d the plant's ssgnificart systems and respectrve key wwe,e,inclu6ng the esplay of key plart parameters. This is done for each plant mode or each sgnitcant plant state unthin an operating mode. To address the second element, awareness of changes in plant state, the Alarm System's overwew esplays are incorporated into the WPIS overview and j mme osplays. The alarm overview portion of the WPtS aterts the MCR operators to develop abnormat or emergency conditions by providing appropriate alarms or alarm 4ke t informatsort ,

d m :

UB t

K 1

O, e

O to 32 cr su

$ S.E aw 0

j

O TABLE 1 (Continued) f5

$ OPERATING EXPERIENCE REVIEW FOR THE AP600 E

g lasues Addressed By NUREG 07t1 Appendix B 3 Item Inst e Peterence issue / Scope Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design V

G 75 frem B 4 Human-Machsne Dunng trarments that result in a reaciar inp. a targe The functon of the AP600 Alarm System is to support the MCR operators with the y interface - number of annuncators are actrvated; their usefulness to followmg actrv: Des of human deosson-rnakmg-

$ Operator the operator is dimarushed as the number of low pnonty Awareness annu.ciators increases. Pnontization of annunaators could 1) The ALERT actmty. i e., aient the operator to off mormal conditions improve the effectiveness of this system.

2) The OBSERVE WHAT iS ABNORMAL actmty. i e., ad the user in focusing on the important issue (s);

3) Help with the process STATE IDENTIFICATION actmty, i e., ad the user in b..dmiand s the abnormal conditions and provde corrective action guadance, as far as to gude the operatog crew into that area of the complete Plant Information Display System in wtuch the data /information about the abnormahty and its resolunon can be found.

The AP600 Alarm System addresses the probleri of alarm avalaechmg and operator data overload by managog the gxesentation of thri alarms to the operators in such a menner as to reduce the number of alarms prese Wed samultaneously dunng mapr disturbances, while mairdammg sensatmty dunng sman disturbances The Alarm Sy tem q ts robust enough to: a) show multiple major process problems; b) not be overwhelmed e by mmor alarms that are related to, of are conse pence of, the process problems O) (avalanchmg); and c) elevate mmor alarms to a p' ace of attentan-provolung sign:ficance, when they are the most significant process abnormahtes. However, those achve alarm messages whch are not currentfy displayed are accessible and avantable to the operators, upon request.

Pan of the muh,d u==t to manage the presentation of alarms t0 the operator is the functonal orgaruzation of the aimar:s The overview alarms are orgaruzed by function, such as RCS pressure control, temperature control, and inventory and SG water level control. Withm each function, there a e goal-related alarms and process-related alarms for the respective functiort The alarms wrthin each function are pnontized such that only the highest pnonty, goal-related alarms and process-related etarms for that function are displayed. Ttus functonal orgaruzation and pnontization of alarms provides an effoent way of drectog ard focusmg the operators attention to the transent and its source. The overall importance to plant safety or the urgency of operator action is easdy determened from this method of alarm presentation _

p The Alarm System ads in directog the operator to the area in the informatonal display o system of the CR that contams specife data related to elmiinatmg. diagnosmg. and Q rrutigating the process abnormanty. The Alarm System also provides a link from a given 3y alarm to its applicabe computenzed alarm response procedure.

O CD O <

n g

@g a t.D '3 C) IV

^

E TABLE 1 (Continued) b OPERATING EXPERIENCE REVtEW FOR THE AP600 1E Issues Addressed By NUREG 0711 Appendix B g

Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design C ttom issue Reference issuetScope

? Crew response was affected by avastabshty of Complenon of Element 4 of the HFE Program Review Model(NUREG-0711) and the G 76 Item B 4 Human-Mactune y Interface - mstrumentation, appropnaieness of the mstruments to the AP600 HFE dessgn process ocksdes an FBTA as part of the overas task anatysis. The g Instrumentation task, and the relatrve location of the t&C. Based upon a task analysis inplementaten plan is descnbed in SSAR Section 18 5. For each Level 4 review of NUREG 1275. WCAP-14114 (Section 2.1) plant funchon shown on Figure 18 5.1 of the SSAR, an FBTA is performed There are discusses cases where the plant parameter indica' ors four components to an FBTA. First, analysis is done to identify the complete set of required for morwtonng or control were unavailab6e or goals relevant to the function Second, a funchonal h,vw=t.u.. is done. Ttus snadequate. decorrpos4cn adentifies all the vanous processes that have a segrufcant effect on the function Thsrd, a cogrutrve process anatysis is done by appfymg the 11 questens denved from Rasmussen's human decrsion-matung model approach The results of the cogrudve process analysis identify the mdicahons, pararneters, and cont ols that the operator needs to make decisions about the respective funChons. Fmalty, there is a venfcaten that the mdicatsons parameters and controts idenDfej m the cognrbve anatysrs are at included in the AP600 design.

In addshon, as part of the background documentation for the AP600 ERGS. the l&Cs needed to execute each step wr: tun each of the guidelenes (ophmal recovery gtadehnes and function restoration guidehnes) is w1entifei Venicahon that the needed l&Cs.

identified here, are allincluded in the AP600 desagn is part of the AP600 design process f0 N

O m ;

O O '

33 cr O O *G.

, 12.

e8 w

C) f0 i

I i

E TABLE 1 (Continued)

N OPERATING EXPERIENCE REVIEW FOR THE AP600

% Issues Addressed By NUREG 0711 Appendix B i g R issue / Scope Human Factors AsN% -.; . Performance Issue Human FactorsMuman Performance issue Addressed by AP600 Design a item issue Reference

? Inte7ation of Informaimn During unplanned transsents, the The function of the AP600 Alarm System is to support the MCR operators with the

$ 77 Subsecten 2.1.1 MCR - System integmton operators are presented with an overwheimmg vo6urne of followmg actevthes of human deosonanaluny G imrnedate mformation. A better esplay witegraton and

$ mcreased automation rnay help them through these 1) The ALERT activity. t e., alert the operator to off cormal constions; evolutions.

2) The OBSERVE WHAT IS ABNORMAL actrvity. i e.. aid the user in focusmg on the important issue (s);

3) Help with the process STATE IDENTIFICATION actwity, i e , and the user m understandng the abnormal cordtons and provide correctrve acton guidance, as far as to guide the operatog crew into that area of the complete Plant information Display System in whch the datahnformaton about the abnormahty and its resolution can be found.

l The AP600 Alarm System addresses the problem of alarm avalanchng and operator data overload by rnanagog the presentaten of the alarms to the operators in such a manner as to reduce the number of alarms presented sirnultaneously dunng major esturbances. wtute mantammg sensstrvity dunng small esturbances. The Alarm System is robust enough to; a) show multiple mator process problems; b) not be overwheltned q* by rnmor alarms that are related to, or are consequence of the process problems (avaianchmg); and c) elevate mmor alarms to a ptace of attention provolung scrufcance, h when they are the most segruhcant process abnormaktes. However, those actrve alarm messages which are not currentty esplayed are accessible and available to the operators, upon request.

The Alarm System aids m erectog the operator to the area in the mlormational esplay system of the CR that contams speoft data related to ehmanateg. diagnosmg. and rnatigatog the process abnormahty. The Alarm System also promdes a knk from a given alarm to its apphcable computenzed starm response procedure.

The AP600 M-MIS includes a CPS that assists the plant operators an rnorutonng and controlkng the execution of plant proceduras. For a grven procedure, the status of each procedural step is dynamcally determmed and presented to the operator along with the supportog plant informatort To afleviain the inherent fthed kneanty of paper-t:ased procedures, the CPS pedorms parallel morutonng activities versus the operator in paper-based procedures. A paralled moratorir g actnnty is a plant cordtson, state or parameter that is morutored by the computer in paratiel with the activity of guiding the operator g through the respective procedure. Types of paraitet information morutored by the CPS (D

are the status of CSF. procedure notes and cauhons, toldout page items. trutiated Q actions (contmuous action steps) and contmuously rnoratored parameters. With the CPS 3y dynamically determmmg the status of each procedure step and performmg parallel O' (D rnonstonng activities, the delays caused by the inherent fixed kneanty of executing paper-Q h. based procedures are mirurnized or e6mmated. The CPS provides erect kre from

.a g steps to the associated Plant Informaton System Desplays (physcal process, functional.

CD 3

$ro automate monnonng toge or soft antros esplays).

t

[

_ . . - . . _ _ __.m E TASt E 1 (Condnued)

G n

$ OPERATING EXPERIENCE REVIEW FOR THE AP900 E

issues Addressed By NUREG 0711 Appendix B C lesue Reference issue / Scope Human Factors Aspect & lumen Peeformance Issue Human Factors / Human Performance issue Addressed by AP600 Design Item T The otormation integration problems are a31ressed by the AP600 desgn as described

,8 Subsection 2.1.2 MCR - System Change m Control Modes in transient situatons. operators m

y integraton otten have to take manual control of many of the tasks that above in Item 877.

were automatcaRy corarolled This charge in control

$ rnodes by itself is a challenge to the operators, and when The AP600 I&C System desgn incorporates automatic functions not avadable in ll i added in the meddle of a sigiufcant transient, wth Rs prewous plant designs. This is the result of ettotts to rrunimare the operators manual mformahon integration problems, is even more demanding _ workload d/ng rormal plant transsents (such as a startup) and durgig unartcipated transients (such as a reactor inp) The feedwater control system in the AP600 is one example. The AP600 feedwater control system automattany controls SG water levets from power levels low sn the power range (0% to 2% power) to 100% power. In today's plants, operators are required 80 control feedwater flow and SG water level in manual ural they have reached about 20% power. Another example is the use of the AP600 Startup Feedwater System (SFS). Fonowng a reactor try, the SFS flow is automarcalty controtted to mantam the desired SG levels. In today's piants, the operators must rnanually control AFW Sow to mantain desired SG levets.

The cognitive task analysis portion of the FTBAs, answenng a set of questions denved from Rasmusserfs human decesson-makmg model. utentihes the contros and in@ cations needed to actueve the respective functiort. Thes addresses both manual and automate controls The output of the FBTAs es used as input to the desgn of soft control esplays qe and vant information esplays.

N (D

If an automate control system's irput sgnat validation algonthm switches the control system from automate to manual, the operator is alerted to this conostion through the alarm system. The computerized alarm response procedure will provide the operator prompt access to the assocrated soft corcrol(soft automatc/ manual contraster).

79 Subsechan 2.1.3 MCR - System Memontaten Operators have to memonie their inmal Following a reactor trp, the AP600 CPS is acDvated and the operator is Grected to the integration actons after a reactor tnp, and are expected to accor igAsh computenzed reactor tre response procedure. The CPS dynamscany determmes and them pnor to procedural checks. Operator aids may assist provides the status of each procedsral step along with any necessary supportog in the enmal actons. informahon. In today's plants, the operator must tot only memortze the immedate action steps, but must also search the mam control board for the indcations and controts to provide the capability of determmmg the status of the Mte actons.

80 Subsechon 2.14 MCR - System Processed trdorrnation Much informaton has to be The AP600 M-MIS takes advantage of current computer t%.fmology and automatcally integraton cakutated by operators that could be provided erecify with calculates, then preserzts the needed mformaban to the operators. In today's plants. the current technology Computerprocessed and wahdated operator must manualty calculate the needed informatior One exarrple of calculated data and calculated values can be provided to the operator informaton provided by the AD600 Plant information System, are trend esplays. Dunng in an integrated fashon. P plar1 heatup or Cooldown, the AP600 Plara Ir* mation System wit provide heatup and Q cooldown rate trend @ splays at the operator's % stahon.

Q 3m cr cb (b <

u y_.

<o 03 N

3 TABLE 1 (Continued) d u

OPERATING EXPERIENCE REVIEW FOR THE AP600

$ Issues Addressed By NUREG 0711 Appendix B Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design 3 ttem Issue Reference issue / Scope T Test and Maintenance Survenaance testng can create The AP600 Insennce Test (IST) Plan (SSAR sAsection 3 9 6) documents the G 81 Subsecton 2.1.5 MCR - System surveittance test requirements for the AP600. In developog ttus plan, Westinghouse has y integration problems such as: number of tests additional operators consdered the diftculty of pertomung each surveinarce test. In some instances. ISTs required. producing spunous alarms madvertent actuations.

8 and potenbal for a plant tnp. The systems should be that would be potentially problema$c atpower are deferred to either cold shutdow t or desagned tr be tested penodacally without creating refuehng condshons. In other cases (such as the ADS valves) a special mtertock tus ocidenty been developed to preclude the possibility of the operators caussng a plant transient due to a misahgnment of the ADS valves dunng testing Other features wtuch faoktate insennce testmg of the PXS are desenbed in SSAR subsection 6.3 6 2.

The onime testing of me protecnon system rs accomphshed t:y a senes of tests with sufficent overlap to test au necessary funchons. These tests are designed to be accomplished without generatog spunous alarms and snadvertent tnps and actuations.

When a protechon caboet is bemg tested, it is placed anto a bypassed state or otherwise removed from sennce to prevent inadvertent actuations and potental for a plant tnp.

Most of the testmg is performed automahcaBy once wutiated by the operator. A descrpton of the protecton system rehabshty and fault tolerance dunng operat.ons, mantenance, test and bypass and a desenption of the buittan test tapabdities are provided in SSAR s9bsections 7.1.2.10 and 7.1.2.12.

-4 Subsection 2.2.1 MCR --Alarms Avalanche of Alarms The smgle beggest issue en the The function of the AP600 Alarm System is to support the MCR operators with the 8"

CJ design of advanced alarm systems is the need to reduce tonowing actwihes of tusman decrsson-malung-O the avalanche of alarms dunng plant upset.

1) ALERT activity, i e., alert the operator to offermat conditons;

2) OBSERVE WHAT IS ABNORMAL achvity, i e., ad the user irt focusmg on the important issue (s);

3) Help with the process STATE IDENTIFICATION achwity, i e., aid the user in understandmg the abnormal condhons and provde correctwe achon gudance, as far as to gude the operatng crew into that area of the complete Ptant Information Display Systern in wtuch the data /informaton about the abnormahty and its resoeuten can be fourd.

The AP600 Alarm System addresses the problem of alarm avalanchrng and opera *or data overload by managmg the presentation of the alarms to the operators in such a manner as to reduce the number of alarms presented simultaneously dunng rna;or disturbances, white maintaming sensstwity dunng smas esturbances. The Ala m System is sobust enough to: a) show multiple rnator process problems; b) not be overwhelmed a by mmor alarms that are related to, or are a consequence of, the process problems O (avalanchmg); and c) elevate ranor ala ms to a place of attention-provokmg sqruficance, when they are the most sigraficant process abnormahties. However, those actrve alarm messages which are not currently displayed are accessible and available to the ui operators, upon request.

V3

's

. 5 U The Alarm System ads in directog the operator to the area in the entormational esplay GM system of the CR that contams specifc data related to ehrrunatmg. diagnosmg. and mitigatmg the process abnormality. The Alarm System also provides a hnk from a given alarm to its apphcable computenzed alarm response procedure.

i

E TABLE 1 (Continued)

G m

OPERATING EXPERIENCE REVIEW FOR THE AP600 E

y lasues Addressed By Nt.lREG 0711 Appendix 8 o

Human Factors / Human Performance issue Addressed by AP600 Design

'3 Item issue Reference issuerScope Human Factors Aspect / Human Performance Issue T Pnontizaton of Alarms When an operator is preserted with The AP600 Alarm System addresses the problem of alarm avalanctung and operator

G 83 Subsecten 2.2 2 MCR -Atarms y an avalanche of alarms, a priontizaten scheme should data overload by managmg the presentaten of the alarms to the operators in such a manner as to reduce the number of alarms preserwed simultaneously dunng mapor present at the alarms to the operator but code them into

$ pnormes such that the overall importance to plant safety or $sturbances, wtu6e mamtainmg sensmydy dunng smaR disturbances. The Alarm System the urgency of the operator action can be determined. is robust enough to: a) show multple mapor procass problems; b) not be overwhelmed by rrunor atarms that are related to, or are a consequence of, the process problems (ava!anchog), and c) elevate trunor alarms to a place of atteritiorgrovokmg sgruhcance, when they are the most sgruhcara process abnormahties. However, those actra alarm rnessages which are not currently @ splayed are accessele and avadable to the operators, upon request.

Part of the rnethod used to manage the presentaten af alarms to the operator is the functional orgaruzation of the atarms. The overview alarms are orgarized by function, such as RCS pressure controt RCS temperature control, RCS inventory, and SG water level control. Withm each function, there are goal-related alarms and process-related alarms for the respective function The alarms within each functon are pnormzed such that only the fughest pnonty, goal-related alarms and process-related alarms for that function are esp *ayed. This functonal orgaruzaton and pnontization of alarms provides an ethcient way of orecting and focusmg the operators attenton to the transient and its q source. The overall smportance to plant safety or the urgency of operator action is easdy e

3 determmed from this method of alarm presentation.

84 Subsecton 2.2.3 MCR -Alarms Loss +f Powaw so Annunciator Panets The loss of power to Power to the alarm system is from a redundant power supply or UPS. The Alarm these panets could result m the loss of the operators' atxhty System also ecludes a " heartbeat"indcaton visele to the operator at all twnes. The to respond to plant wsets, particularly if the operators are "hea:1 beat"inecation alerts the operator to degraded conctons of the Alarm System, l not aware of the loss. includog a totalloss of the system, expenenced as a resuft of loss of the redundant power sources.

The Alarm System ts desgned such that the system's preferred fadure mode is through a success 60n of " gracefully degrading" states of operation rather than a " sudden deattt" l

O c)

O O

3 "U CT O tJ <

m y b' .

t O

(O 3 CD IV

g TABLE 1 (Continued) d v2 t

OPERATING EXPERIENCE REVIEW FOR THE AP600 Issues Addressed By NUREG 0711 Appendix B g

C Item Issue Reference IssuetScope Human Factors A_, _ _ ^" _ - Performance Issue Human Factors / Human Performance lesue Addressed by AP600 Design T The functon of the AP600 Alarm System is to support the MCR operators with the 85 Subsecton 2.2 4 MCR - Alarms Alarm Displays Alarm System research has dentified y multiple use ey operators of the Alarm Systems, narnety; fobowmg actmties of human decision-making:

$ for aiertmg. for status monitonng, and for situation awareness. The selechon of a display technology and 1) ALERT actmty, i e., alert the operator to oft <iormal conditor s; o;sptay methods for the Alarm System can signitcarnty impact these muMiple uses of alarm systems by operators. 2) OBSERVE WHAT IS ABNORMAL actmty, i.e., and the user in tocusmg on the Both conventional fixedlocaton esplays and the newer important issue (s);

Cathode Ray Tube (CRT)tased 6 splays have advantages and esadvantages. 3) Help with the pmcess STATE IDENTIFICATION actuty, i e., ad the user in understaneng the abnormal conditons and provide corrective action guidance, as far as to guide the operating crew into that area of the complete Plant Information Drsplay System in which the dataWiformation about the abnormahty and its resolution can be found.

The AP600 Alarm System addresses the problem of alarm avalanching and operator data overtoad by managog the presentation of the alarms to the operators in such a rnanner as to reduce the number of alarms presented saftuttaneously during major dsturbances, while maintairung sensitivity dunng small disturbances. The Alarm System is robust enough to: a) show multiple major process problems; b) not be overwhelmed qa by mmor alarms that are related t% or are a consequence of, the process problems k (avalanchmg); and c) elevate trunor atarms to a place of attentormrovoking sigrafcarce, when they are the most sigrufcant process abnormahties. However, those active alarm messages whitti are not currently esplayed are accessible and avadable to the operators, upon request from workstation 6 splays.

The Alarm System aids in erectog the operator to the area in the mformatonal esplay system of the CR that contams specifc data related to etenanateg, dagnosmg. and mrbgatmg the process abnorrnahty. The Alarm System also prLvides a knk from a given atarm to its apphcable computenzed alarm response procedure.

The AP600 Alarm System desagn captures the s3<antages of both the conventonal fixedlocaton esplays and the newer CRTeased esplays. The AP600 Atarm System consists of overview atarms and VDU (such as CRT)tased alarms and alarm support inforr : ann. The overview alarms are funchonally orgaruzed wrth each functon havmg goal 4 elated and process related alarms. The alarm overviews are integ'ated into and esplayed by the WPIS, therefore the presentation of the alarm system ovennews is g analogous to the convenhonal fired posmon annunciators AB alarms and associated e supportog information is available at the operator's workstation VDUs. The presentation of alarms on the workstaban VOUs is analogous to CRT based alarm esplays.

Q 3T tr e O 3.

, fe.

e8 e

O) f0

E TABLE 1 (Condnued) :

6 >

OPERATING EXPERIENCE REVIEW FOR THE APE 00 +

l t Issues Addressed By NOREG 0711 Appendia 8 g

3 Item Issue Reference issue / Scope Human Factors A--;- ^~

_ Performance Resue Human FactoraMuman Performance Issue Addressed by AP600 Design Y The AP600 Alarm System provides the means for the AP600 CR operator to be alerted.

l

$ 86 Subsecton 2.2.5 MCR - Alarms Atarm Controls Audtory features of alarm systems have y been problematcal and separate sdence, acknowledge and via both visual and audo alerting technsques, to problems in the processes involved in restart test (SART) controis are m.o.-.4=1 The the plant by-

$ controls for computertased alarm systems win become more complex and need attenDon. a) indcating the abnormatsty by presenting a precisely worded message or a graphc representation of the condton; ;

b) presenhng the abnormality in a context whrf) conveys the empact on plant health; &

c) separahng alarms from other data; and d) generating audstAe tones correspondmg to specife sets of alarms.

The contrats for the audtory features of the AP600 Alarm System win not add to the wortdoad nor wie they be estracting A desacy requaement of the Alarm System is that ,

it wiR not create estractions to the operators, nor win it add to the tatque of its users, by the addtion of norse or visual estorhons. Concept testing (part of the HS1 desgn process. SSAR SecDon 18 8) and the HFE Venicanon ar d Vatidation (SSAR Sechan 18.11) shall ensure that the alarm system aud: tory features are acceptable.

q . I W 87 Subsechon 2.2.6 MCR - Alarms Operator Selectable Alarms The operators may need a THIS ISSUE INPUT WeTO THE DESIGN ISSUES TRACKING SYSTEM.

W towpnonty, operator-selectable alarm to call attent:on to a j component (e g., a valve) that may be out of its normal postliort Alarm systems should have the flexibihty for the operators to easdy add alarms to a screen when a potentraRy deviant situation is identihed that they need caBed to therr attenhort 88 Subsecnon 23.1 MCR - Controts Engineenno Units Displays sometimes use enyneenng The AP600 Plant informaton System presc7ts esplays (physcal process. funchonal.

and Displays units which mean little to the operator, (e g , *lbs- trend, and automate morWtonng and logc dsplays) to the operator. The y.a..,

mass / hour) rather than percentage of futpower tiow. uruts used on these displays wiB be meacungful to the operators. One way that this is 7 ensured is Ihrough the detaded esplay design and implementaten process (SSAR j Sechon 18 8. HSt design). The design process includes a check by operatonal personnel that the displays and the information presented are meanengful. The final .

HFE venicatnn and wahdabon (Element 10) win vahdate the usefulness of displays.

89 Subsection 23.2 MCR - Controls Push Button Lamp Replacement Push-button lamp NOT APPUCABLE: The use of push button lamps are not part of AP600 CR MMI.

. . , and Displays replacement is problemate because the removat and g replacement of the lens or bulb can somebmes cause o inadvertent actuaton.

ca 3 "D 90 Subsechon 2.3.3 MCR - Controts CRT-Based Displays On CRT-based esplays, the The AP600 Plant Information System presents displays (physical process, functional, 3 e

[$

'F and Displays operators are otten restncted to the use of "p;epackaged" dsplays and do not have enough capabihty to select trend and automate monitonng. and toge esplays) to the operator. in addtion to these

" prepackaged' displays, the Piarit Information System provides the capability to the

' 6* parameters for desplay and trendng. operator of being able to create a desired parameter and trend display. In addition, the 3 operator wiD have the capabelity of dtsplaying thes created trend esplay on the WPIS.

m to

i 6

3 TABl E 1 (Continued) '

b OPERATING EXPERIENCE REVEW FOR THE AP900 1E Issume Addressed By NUREG 0711 Appendia B g Human Factors 4fonen Performance issue Addressed by AP600 Design 3 Item Issue Reference toeverScope Human Factors 3 --Ec. Performance Issue

? Corrouter trterfaces Complex or poorty designed it is the trusson of the AP6tV M~ MIS to irnprove the eneans that are providad to the G 91 Subsection 2.3 4 MCR - Controls -

computer mtertaces are supphed, as opposed to nterfaces users of the piart operahon and control centers for acqumng and i,Jmandag plant y and Displays data and in execulmg actions O control the plarfs processes and equipmert [

that are sample and

user-fnendlyt

$ (

Reference:

18.81 of the SSAR). Theretore. a basic design goal of the AP600 M-MIS es to provide an mtegrated ennronmtat that is

user fnerdy* and allows the operator to quckfy and ethcienWy maneuver through the MMI rasources (Atarm System, infctmahon System. CPS and Soft Corarots) to amess needed adormaton and controls.

Upgraena of Computer Systems The efficulty of The distnbuted nature of the AP600 l&C System archtecture includes the robustness 92 Subsechon 2.3 5 MCR ~ Controts and Displays upgraeng computer systems can be a problem, even for and flextwhty to upgrade the system in an eticient manner. The estributed I&C relatively mmor p ant moditcahons. architecture is escussed in Secton 7.1 of the SSAR.

Computer Response Time A common specercaton for The issue to be addressed as the amount of time it takes for the operator to focate a !

93 Subsection 2.3 6 MCR - Controls dested piece of information. How does the operator locate a dested esplay? How !

and Displays maximum delay trne between screens is two seconds.

many desplays must the operator navigate through before he locates the denred i This may be acceptable for routme computer processmg. I however, dunng nuclear power plant (NPP) transients it is mformation? The AP600 Plant information System addresses this issue through its too long and causes unnecessary operator frustraDon and design process and type of dsplays presented 10 the operator. Functonal esplays are delays in information processmg dessgned and used to um6.~.a physcal (system) esplays. Functional esplays are ,

desgned to present to the operator associated goal monstonng and process rnonstoring ,

nformahon for a respechve function. The output of the respective FOTA es used as a q* major iriput to the design of the furctional dsplays. The FBTA includes a cognrhve task CJ anatysis that edenbfies the instrumentation, informatiert, and cartrols that the operator ,

Sm needs to make operatmg deossons for the respective function. Smce the AP600 Plant informaton System includes funchonal esplays (produced from ther associated FBTA) i rather than just physcal system esplays, it is more likely that the operator wdl fnd at the ardormaton that he needs for a grven thought process on one esplay (such as a [

funchonal esplay). Also, the use of denser esplays and more mearungful groupogs of l enformahon on the esplays wdl result in a search witNn the esplay rather than movement between esplays to fod desred information. ;

To support the operator's situatonal awareness in an effeiert and trnely manner. the design of the WPtS requaes that the operator be able to point to and select in one step (from the workstation), a system, corriponent or major parameter displayed on the was panel and recall on a workstaten VDU. a related functional esplay or physical esplay.

One step navigabon from a functonal esplay to an associated physical esplay. and from a physcal esplay to its assocated funchonat esplay, wdl also be available. To add [

flertwhty to the method of navigaton between @ splays a menu or snap of aN available [

espiays, will also be avadabie to the operator. Ths method of navigahon to a desired ,

O esplay will mvolve a maximum of two steps; sele

the map and then select the esplay.

CD 8 The actual delay trnes between screens is driven by be l&C technology and associated 3y O~ 03 hardware. Advances in this technology are anowmg faster responses all the trne. f kIw Ths assue of how long it takes the operator to access needed mformaton well be i

i sg evaluated dunng the rnan-in-the-loop concept testmg The resuits of this concept testng

$3 c) IV wit be used to refine the functional and detaded design of the M-Mts. Ths issue wdt

also be measured and wahdated by the HFE venication and vahdation (SSAR Section 18.11). ;

i f

s

y TABLE 1 (Continued) b o OPERATING EXPERIENCE REVIEW FOR THE AP600 Y issues Addressed By NOREG 0711 Appendim B t ko issuerScope Human Factors Aspect / Human Performance issue 34uman Factors / Human Performance fssue Addressei by AP600 Design

'C Item lesue Reference Y Correter-Based Data Ponts Corwertased data pomts The informaton presented to the operators by the AP600 M Mit. mcludes in6 cation of y 94 Subsection 2.3.7 MCR - Controls data qualty for the data esplayed The otiect.ve is to allow the ope alor to eva'uate the y and Displays should have a provision to indcate to the operators where mformation being esplayed to twn and, eventuaity, discard it or lock for attemative the data for the pont is invald (e g , pont as out of scan).

$ measures !! a parameter measurement as outsde the range o the insNment (note that the data quahiy woukt be good), then this "outdrange" infor%*xrg in&cated on the esplay to the operator. The data quahty of computer calculated points is also addressed and esplayed by the AP600 M-MIS. The data quality of calculated pomts consders the data quahty of the iTut poents and the vahety of the calculaton and its boundary conditons The data quality converlions used are consistent throughout the M-MtS.

For exarnpie the convention used on a workstatton 6 splay to inscate that a data point such as a hot leg terTerature is of " poor" quality is the same as the convenron used to present the same information on the WPIS.

95 Subsection 2.3 8 MCR - Controls Tnp Status indicaton in the CR. the operators need an The function of the AP600 Alarm System is to support the MCR operators wth the and Displays adequate in$ cation for inp status of important local tonowmg actnntnes of hurnan decrsson-making (adopted froen Rasmussen*s rnodet of equipment. human decaworwnalung):

1) The ALERT actrvity, i.e , alert the operator to off eormal cond9ons;

-4 2) The OBSERVE WHAT IS ABNORMAL activity. 4.e. and the user m focusmg on the (a important issue (s);

m

3) Help wth the process STATE IDENTIFICATION actwity, i e , ad the user an understandmg the abnormal conditons and provide correctrve aston gudance. .*.:

far as to guide the operateg crew into that area of the comp 6ete Plant informaton Display System en w+mch the data /mformaton about the abnormaltry and its resolut on can be found The Alarm System includes alarms of tnp status for important local equipment and it clearly estinguishes between alarms that are conveynxj to the operator somethsng about a process abnormahty vs. adwtsing hem of the status of equipment.

96 Subsection 2 41.1 MOR - Communcations Coverage - Dead Spots Auxikary The plant communcation system consists of tM fonowing systems: wireless Communscations operators often cannot be contacted m the plant due to communcaton system,io; apt.v. tpage system, pnvate automate branch endiange their inatMkty to hear pages from the CR sance there are (PABX). sound-powered system. emergency response facihty communcations, and many hard-to-hear or dead spots in the plant. secunty communcation system. The wireless telephone system is the pnmary means of commurucation for giant operations and mantenance personnet The wreless system consists of wireless bett<hp portable handsets, hands-free type portable headsets, a O

CD .,u.,.o r.a antenna system, and a wireless telephone swtctt The telephone /page, O PABX telephone, and sound-powere.s communcation systems are for general plant 3I communcataans and serve as backup to the wireless system. The commurucatens system is described in SSAR subsection 9 5.2.

{$

]E 97 Subsecton 2 41.2 MCR- Commurucator's Coverage - Reto Frequency (RF) The communications system comphes with apphcable codes ard standards, mensmering Electro-Magnetc tres4erence (EMI) ard its potential effects to equipment. "1 ow-to yg]

Commurucations Interference RF mterferes with communcations due to madequate shieldmg. Communcation ra@os also cause powered" type er,Jipnent is used. where possible, which has been derronstrated to unotended actuaten of equipment. have a hmitsaf potential for causang inter *erei:A w3h electronc equipment.

Commurw - n equipment and sensitive 1&C equipment are shreidec. as necessary, from the c . ental effects of EMt.

E TABLE 1 (Continued)

G m

tE OPERATING EXPERIENCE REVIEW FOR THE AP600 lasues Addressed By NUREG 0711 Appendix B 3 Item issue Reference issue / Scope Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design

?

j 98 Subsection 2.4.13 MCR - Communcations Coverage - Plugs insufhcient locations in NOT APPLICABLE: The wretess telephore system is the pnmary means of communcaten for plant operatons and maintenance personnel. The wreless system

'i Commurucatons the plant to *piug m* corranurucations equipment.

consists of wireless beltop portabte handsets, hands-free type portable headsets, a y

comprehenssve antenna system and a wreless telephone switch. No "plugan* locations are required for this type of equipment.

99 SubsecDon 2.4.2 MCR - Noise Interference - Ventdation The noise level m the CR The VBS supphes ventilaban flow to the MCR dunng nomial operation and is a Communcations can be so high dunng transents that added stress for the nonsafety-related system. The VBS system serves as a first hne of defense if avadable, operators is created and commurucation is effcult due to and it also performs the safety-related function of isolatirv3 the HVAC ducts that 4 ESF actuated venutanon (especially 2 trains), penetrate the CR pressure boundary. The AP600 desigriincorporates a VES to provide the safety-related function of ventdatmg and pressunzing the MCR. Trus system uses a supply of air for respirabon of the CR occupants as well as for pressurtzmg the room.

The system supphes a lower volumetnc flowrate of breathable quahty att, than the normal HVAC flowrates. The safety-related venhtation system uses no active mv.+.3 wtuch contnbute to noese generaton. The 6 sue of noese level is not a maior cxincem for the VES system because of the relatively low au flowrate, even when both -ams are in operahort

--l The VBS system is used dunng normal operahon as noted previously This system has G2 industnal type air handhng ursts and fan assenibbes eth double-walled panel O construchon to menwnize noise and fan turbulence, while the supply and retum ducts are provided mth anti-sweat insulatiort Centnfugal fans are provided wrth flexible

-.m.i- and veration isolator desagns to avoid sound rumble conditions. The MCR main supply and retum duct layouts require mult'pte 90 elbows and several 20-foot straight duct sectons before entenng the UCR, whch means that low-frequency rose transmitted through ductwork is ehmmated. Thss ductwork arrangement is normalty used lor low rose level HVAC acoustc desgn lor sound studos and theaters Fmatty, the MCR HVAC desgn is a low velocity system desegned spectically for a lower noese level, in that the duct air velocaties are rnuch lower than the rnaarnum velocates described in Amencan Society of Heatng. Retngeration and AirConditorung Engmeers (ASHRAE).

100 Subsection 2.4.2 MCR - Noise interference - Pnnters The noese level m the CR Hgh-speed pnnters used in the AP600 MCR will not sagnitcantty contnbute to the nt se Commumcanons can be so fugh dunng transents that aoded stress for the level even dunng transent situations. Pnnter technology currently exists such that operators is created and communscation is 6tficult due to generated noise es no longer an issue.

hgh-speed conventional pnnters.

101 Subsecten 2.4.2 MCR - Noise interference - Alarms The noise tevelin the CR can The AP600 Alarm System has a design requirement that specifes the system to be Communcatons be so hgh dunng trarwents that ad3ed stre=s for the desgned is not to @stract the operators; not will it add to the fatque of its users, by the o adtton of noise, visual estornons or nuesarre alarms. The functional orgaruzanon.

O operators is created and commurucation is eftcult due to alarms nngmg constantly. pnonSzation ethan eads funchon, and the alarm ingger loges are all des!gn features that gg manage tne presentanon of alarms such that only mearungful alanns are presented to o 5. the operator _

r_.n.

a m8 m

G f0

E TABLE 1 (Continued)

G ro OPERATING EXPERIENCE REVIEW FOR THE AP600 E

y issues Addressed By NUREG 07t1 Appendix B T., Human Factors / Human Performance tasue Addressed by AP600 Design n item issue Reference issues"C = = Human Factors Aspect! Human Performance issue

? The AP600 CPS rs the MMLHSt that the operator wiu use to execute procedures. The G 102 Subsecton 2.51 MCR - Procedures Space Paper-based or harda:opy proceduras m NPP operations can cause the fobowing prothrt Space for reactor operator wdl mterface mth the CPS through his workstaten VDUs. The CPS y automatCaNy evaluates the status of each procedure step and presents this evaluation explanatory mlormaton is hmited and the leve4 of detail m

$ procedure steps is fixed. to the operator along wrlh enough supportmg mformaton (such as actual parameter values and equement status) to give the operator an understardng of how and wily the system produced as evaluaton. The CPS wit provide the capability for the operator to request supplemental information on an ad@ tonal VDU. Thss wiB be information such ss an assacrated physiCat, functonal, trend or soft control display or perhaps a supportog graph, curve. or background information. In wopew6 with the paper-mecum of presantog procedures. space for explanatory mtormation and the amount of detail provided in the procedure steps es not an rssue with the computenzed procedure meeum.

The fua-scale mockup of the AP600 main control area wdl be used to further evaluate the

space" issue. The full-scale mockup is escussed en SSAR Secton 18 8 The AP600 M-MtS includes a CPS that assists the plant operators in morutorng and 103 Subsecuan 2.5 2 MCR - Procedures Norktmear informaton Papertased or hard-copy procedures in NPP operatons can cause the tonowmg controlkng the executon of plant procedures. For a gwen procedure, the status of each problem: Non4near informaton vnust be presented procedure step es dynamscally determined and presented to the operator along with the H sequermany. supporting plant informahon. To aneviate the inherent fixed kneanty of papertased procedures, the CPS performs para 9el morutonng activmes versus the operator, as n 0.)

N papertassid procedures. A paraRet montonry activity is a plant conchon, state, or parameter that is morutored by the computer m paranel with the achwity of guidng the operator through the respectrve procedure. Types of parallel information morutcred by the CPS are the status of CSFs procedure notes and cautons. foldout page dems, rutsated actions (centmucus ac%on steps), and contmoousry morutored perameters. With the CPS dynarrucaily determmmg the status of each procedure step and performog paranel morutormg actwitees, the delays caused by the inherent fixed kneartry of execubng papertased procedures are trurumezed or ehmmated Therefore, the CPS allows the operator to reacn the relevant steps for termmatog the ocident and stabilizng the plant much qucker than papertased procedures.

MCR - Procedures trrelevant information Papertased or harda:opy As descrt)ed m the item above (ttem 103) the AP600 CPS performs parattel morutonng 104 Subsection 2 5 3 procedures n NPP opesations can cause the followmg activmes versus the operator in papertased procedures. A paranel morutonng actncty as problem: trrelevant information regar$ng condmoris that do a plant condition, state. or parameter that is morutored by the computer m paranel with not exist dunng a specshe instarre of procedure executon the activity of guading the operator through the respective procedure Types of paranel must be corwouously esplayed. mformation enorutored by the CPS are the status of CSFs procedure notes and cautions.

foldout page tems, irutsated actions (contmuous acton steps) and contmuousty O morntored parameters. A contmuously monitored parameter es an exampie of a

{D condaten that may not extst at the moment but requires some acton when it does exist.

o The CPS wiR automaticalty monitor this condMon as parauet informaton and only

33) present a to the operator wtten the cordten is met and when the operator needs to

{g execute the respeCDve achon. With the CPS dynamtally determrung the statur of each

,y procedure step and performing paranel morutonng actmties. the mstances of presentog ay wrelevard information to the operator dunng a specife momern of procedure execution

$3 C) to are mmimized or ehminated.

E TABLE 1 (Continued)

G m

05 OPERATING EXPERIENCE REVIEW FOR THE AP600

$ issues Addressed By NUREG 0711 Appendia B g

Human Factors Aspect! Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design 3 Itern issue Reference is. M ope V The AP600 CPS automatoalty evaluates the status of each procedure step and p esents g 105 Subsection 2.5 4 MCR - Procedures Cross-Referenema Papertased or hard<:opy procedures n NPP operations can cause the tonowing problem this evaluation 10 the operator along with enough supportog information (such as actual y parameter values and equipment status) to give the operator an u,4w4.,4,4 of how Cross-referencog introduces errors and delays in task

$ performance. and v41y the system produced its evaluation. The CPS wdl provide the capabdity for the operator to request supplemental informaton on an a:16 tonal VDU Ttus ma be mformation such as an assocated physcal. functional, trend or soft corerol $ splay or perhaps a supportog graph, curve, or background information. The CPS w:n provide the capabihty for the opera *or to transition to the appropnate locaton in other operatog procedures as requued and to automatically select and esplay the new procedure when requested, whde mantammg a placemark in the onginal procedure MCR - Procedures Multple Procedures Management Paperbased or hard- The AP600 CPS w R provide the capabdify for the operator to transiten te other 106 Subsecion 2.S 5 copy procedures m NPP operatons can cause the followng operatog procedures as required and to automarcalty select and @ splay the new problem Physcal manaprnent of multiple procedures and procedure when requested, wtuia mantanwig a placemark m the onginal procedure.

place 4eepng dunng concurrent execution are awkward. The CPS wO provide for the esplay of a procedure transiten map Ttus esplay wiB indicate transstions out of or er.to the procedures, as wet as enovements mthen the procedures. The CPS mu also provide the capabdefy for the operator to request supplemental otormaton on an additional VDU. This wdl be otornuttion such as an associated physcal, funcnonal, trend or soft control display, or perhaps a supporting H graph, curve. or background mformation.

CO The AP600 CPS ma include the capabdify to rnadfy or edt the procecures in a CD 107 Subsection 2.5 6 MCR - Procedures Mantainmq Proceoures Papertased or hard-copy

& procedures m NPP operations can cause tne following straghtforward manner. That is owvn@hW by useg an off-hne relational database NURt.G4933,1 C.5 protWem: Mantarung the techncal accuracy of procedures management system.

is eftcult. For example a desgn change m a sogle component can invahdate every procedure that references that corrponent Smtarty, a procedure revision that changes the step number in that procedure can anvalsdate every step n other procedures that cross-reference that changed procedure.

MCR - Procedures Procedure Inrecration Paperused or hard<:opy The AP600 CPS mE provide the capabihty for the operator to request supplemental 108 Subsect!on 2.51 procedures n NPP operanons can cause the followng eformation on an ad@ttonal VDU. This mu be information such as an associated protnem. Handhng and reading a paper procedure whde physcal. functional, trend or soft control display or perhaps a supportag graph, curve, or also performmg the actions required to perform the task background information. If a step wthm a procedure, as presented by the CPS. requires desenbed n a procedure are typcalty ancorrpatible. the user to operate a corrponent or system, then the user mit be able to select m a single action from the CPS, the associated soft control esplay for the respective corrponent. The soft control esplays wdl appear on a VDU, at the operator's g workstaten separate from the VDU that presents the CPS. The use of muttipie VDUs at g

O the operator's workstation. (CPS main interface VDU, CPS supplemental mformation VDU. and a sort control display VDt.0, whde execu!ng a procedure through the AP600 7 CPS. rrurwruzes or elmnates the handhng and reaang problems assooated with the CT Q execution of a papertased procedure whde also tryng to perform the actions required Q $, by the procedure.

m 9.

e8 w

CD 19

3 TABLE 1 (Continued)

G m

OPERATING EXPERfENCE REVIEW FOR THE AP600 a issues Addressed By NUREG 0711 Appendix B y

o Human Factors / Human Performance lasue Addressed by AP600 Design

'C Item issue Reference issue / Scope Human Factors Aspect / Human Performance issue

? The AP600 M MtS ocludes a CPS that assasts the plant opera

ors m rnorutonng and

$ 109 Subsection 2.5 8 MCR - Procedures Handhrw3 T onowina Procedures Paper-based or hard<opy controumg the execution of plant procedures. For a grven procedure. ft.s status of each y procedures n NPr* operatons can cause the fonouang precedure step is dynarmcally determmed and preserted to the operator along with the problem. Due to space brutatens and the need for

$ procecoral aids for the operators to follow, procedures are supporting plant rdormaton. To anemate the inherent fixed kneanty of paper-based dithcutt to work with, especiaBy in the CR durug a transent. procedures, the CPS performs pa anel morutonng actrvit es versus the operator in paper-based procedures. A paranel monetonng actmty vs a plant conditon, state, or parameter that is rnorutored by the computer in paraRed with the achvrty of guiding tre operator through the respective procedure. Types of parapet informaton morutored by the CPS are the status of the CSF. procedure notes and cautons, toldrait page items, ruttated actions (contmuous acton steps), and contmuously morutored parameters. With the CPS dynamically determirung the status of each procedure st@ and pertorrnmg parattei morutonng actmnes, the delays caused by the inherent fixed kneanty of executing paper-based procedures are rrwumized or ehrmnated. The CPS proedes direct hnks from steps to the assocated Plant Informaton System Displays (p% cal process, functional, automatic rriorutonng logic, or soft control displays). For example, d a step within a computenred procedure requires the user to operate a conponent or system, then the user mu be able to select. in a single acton from the CPS. the associated soft control display for the respechve component.. The soft control displays will appear on a VDU at the operato(s workstaten separate from the VDU that presents the CPS. The use of q muthpie VDUs at the operators workstaten (CPS man anterface VDU, CPS

+

$ supplemental mformaton VDU, and a soft contro4 display VDU) wtule exectang a procedure through the AP600 CPS, rrur*mies or ehmmates the handimg and reading problems associated with the execution of a paper-based procedure 110 Secten 2 6 MCR - BWR Reactor Shutdown Dunng a reactor shutdown from an NOT APPLICABLE: This issue is only apphcable to BWRs.

Shutdown witial power at 6%, ttat irwolved low-decay heat levets due to a short operatmg history, operators allowed cooldown (due to smat trusceRaneous steam load) to add excessrve posstrve reachwity. Further, by not property mantainog the power in the mid-range of the intermediate Rarge Morutors (IRMs). a reactor trq) occurred.

111 Section 3.1 System-Related Leakage Areas of NPPs, such as esolated rooms, often intemal plant flooding can be attnbuted to piping ruptures, tank tailures, or the actuation insights - Floodmg contam flued systems with the potential for leakage and of fire suppression systems. The corssequences of these events have been evaluated Concem Goodog for the AP600 in u h with Standard Review Plan (SRP) 3 6.1 and SRP 3 6 2.

Water 4evet lttood) desqn featu-es and protechon mechanisms a e desenbed in Sections 3 4 and 3 6 of the SSAR, respecDvely. his protecton rnecharisms related to rrunmze the consequences of intemal flooding include the followng:

O ts

. Structural enclosures O Structural bamers 3D .

. Curbs and elevated thresholds CT$ . Leak detechon systems

,y

Dram systems

'6 0U c) to in appropnate locations, water-level sensors are provided to transtnit water levet indicatons to the MCR and the plant control system Level alarms atert the operator to take CorTective actiort

k TABLE 1 (Continued) fd OPERATING EXPERIENCE REVIEW FCR THE AP600 4 issues Addressed By NUREG 0711 Appendix B g

Human Factors Aspect /Hurnan Performance issue Human FactorsMuman Performance issue Addressed by AP600 Design C ltem Issue Reference issue / Scope

? The AP600 desgn has addressed the possbbty of a stuck open spray valve. The spray y 112 Secten 3 2 System-Related Spray Valve Stuck Open A PWR pressurtzer sprey valve valve is provided with an automahc interlock to close on low RCS pressure that would y insights - stuck open (urAnown to the operators at the time) causeg Pressunzer a contmued drop in RCS pressure to below that recu red by result from an open spray watve. In addition, the remotety<iperated spray block valves

$ TS. As a result, a plant shutdown was requered in order to can be closed from the CR in the event of a stuck open spray watve. Therefore, a isolate the spray kne. forced plant shutdown can be avoided in the event of a stuck < spen spray valve.

Subsection 3 3.1 System-Related Offsite Power A consequent problem on toss of a direct dc system rehatyhty - The dc system ts desgned for a tugh level of rehabahty A 113 Insaghts - Loss of current (oc) bus is partial loss of normal offsite power. noncass 1E battery monitor is provided for each battery to rnorntor and alarm battery de Bus voltage, detect and alarm battery operH:srcuit constion (including blown fuses), and supervise bat:ery avadabdity.

The battery chargers are provided with a trouble alarm for attematog currer't (ac) input fadure, dc output under/over voltage, no charge, input / output breaker trip, and de tugh voltage shutdown tnp.

The de buses are rnorutored and alarrried for undervoltage. The de system currents are morutored and alarmed for overcurrent.

A ground detection alarm is provided d

A The de bus outage time for maintenance and repair will be transmized with the use of the O spare battery and charger.

feitigaton of the effects of the loss of a dc bus - The AP600 is designed to withstand the loss of a sogle dc bus without placing the plant in an unsafe cordtiort.

In the AP600 design, loss of a oc bus will not resuft in a partialloss of offsste power.

The breakers in the AP600 are controlled by the PLS. The PLS system normatly receives power from the noncass 1E UPS system. Upon fadure of the oc bus powenng the UPS. or fadure of the UPS uselt, the loads are automatically transferred to a regulaimg transformer suppty. Therefore, loss of a dc bus will not rest.ft m loss of power to the PLS system.

The ac power system breakers use sond-state control wtuch receives control power from a power suppty intemat to the switchgeer; therefore, loss of a dc bus will not result in loss of control power to a breaker.

O o

O O

32 cr o O, 3.

, 10.

e8 e

C) FO i

i E TABLE 1 (Continued)

' t b OPERATING EXPERIENCE REVEW FOR THE AP600 E

issues Addressed By NUREG 0711 Appendia 8 g

Human Factore/ Human Perfonnance Issue Addressed by AP600 Design 6 3 Item Issue Reference issueScope Human Factors ? _ . ^~ Performance issue T Controt Room Annunciator A consequent protfem on loss de system rehatutty - The de systern is desagned for a Ngh level of reliatzhty.

C 114 Subsection 3.3.2 System-Related y inseghts - Loss of of a dc bus is loss of CR annunoator power.

A battery monitor is provided for each battery to morvtor and starm battery voltage,

$ de Bus detect and alarm battery operw:htui condition (ricluding tAown fuses), and supennse .

battery avadatnhty The battery chargers are provided with a trouble alarm for ac input failure, dL output under/over voltage, no charge, irput/ output breaker inp, and de Ngh voltage shutdown try.

i The de buses are monitored and starmed for undervoltage. The dc system currents are monitored and alarmed for ovetturrert i

A ground detection alarm is provided w The dc bus outage time for maintenance and repair wdl be tranwruzed with the use of the spare battery and charger.

Msbgstion of the effects of the loss of a dc bus - The AP600 is desegned to withstand ,

q the loss of a sangle dc bus unthout placing the plant in an unsafe condihort g f In the AP600 design, loss of a de bus wis not result in a foss of alarm system power.

Alarm system power normally comes from a UPS; however, upon failure of the dc bus powenng the UPS, or failure of the UPS Itself, the loads are automatically transferred to a regulating transformer supply. Tierefore, loss of a de bus wiR not result in loss of I k

alarm system power.

b f

O, e

o es a 3m er e<

e >

, g-a _.

co CD f0 I

i-E TABLE 1 (O _

G to

OPERATW8G EXPERIENCE REVEW FOR TME AP900 E

teauee Addressed By NUREG 0711 Appendix B [

g 3 hem leeue Reference IseuetScope Human Factors ^ , _r Performance locue Human Factornetumen Performance Issue Addressed by AP600 Design V inchcators in Cor. trol Room A consequent problem on loss de system rehabdty - The oc system is desgned for a tagh level of rekatahty i.

G 115 Subsechon 3.3 3 System-Related i

y insights - Loss of of a dr bus es loss of power to indcators in the CR.

A battery morutor is provided for each battery to morvtor and alarm battery voRage,

$ dc Bus detect rend alarm battery open-cucuit contpon (mcludog blown fuses), ano stperwse ['

battery avadabikty.

Tbs battery chargers are provided with a trouble alarm for aC input fadure, dC output [

under!over voltage, no charge, irput/ output breaker trp, and de tugh voltage shutdown j trip.

The dc buses are monitored and alarmed for undervorage. The de system currents are monnored and alarmed for overcu* rent.

A ground detechan alarm 6s proedeci k

?

1 i

The de bus outage time for 6--e==Ee and repair wtil be evnnimized with the use of the spare battery and charger.

L Megation of the effects of the loss of a de bus - The t-P600 is desgned to wahstand t q the lass of a single dc bus without placmg the plant in aq unsafe conditsort g +

n in the AP600 design, loss of a de bus wel not result in a toss of indicaw power. !

Indcator power normany comes from a UPS system. Upon fasure of the de bus [

powering the UPS, or failure of the UPS itself, the loads are automatcally transferred to )

a regulatog transformer suppry. Therefore, loss of a dc bus wdl not result in loss of I indcator power.

5 l

l i

t O .

cs ,

O O e 3x -

cr o 44 <

m g a ~

em :

i l

l b TABLE 1 (Continued)

G ro OPERATING EXPERIENCE REVIEW FOR THE AP600 E

issues Addressed By NUREG 0711 Appendia B if v

5 issue / Scope Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design Item las A Reference

? Power to Orcun Breakers A consequent prob.em on loss oc system reliatxhty - The dc system is dasigned for a tugh levet of rehatxtity.

G 116

esection 3.3 4

. System-Related of a oc bus is loss of control power to vanous cucuit

$ insiftts - Loss of A rWtass 1E battery monitor is provided for each battery to morator and alarm battery

$ dc Bus breakers.

voltage, detect and alarm battery open-cucuit condmon (:ncludir g blown tuses), and supervrse battery avadabd:ty.

The battery chargers are provided wth a trouble alarm for ac input fadure dc output underiover voltage, no charge, argut/ output breaker inp. and dc high voltage shutdown tnp.

The de buses are rnoratored and starmed for undervoltage The oc system currents are morutored and aland for overturrent.

A ground detechon alarm ls provided.

The dc bus outage tune for mantenance and repair win be rrvnemized with the use of the spare battery and charger.

Mitigation of the Mects of the loss of a dc bus - Tne AP600 is designed to wthstand q the k>ss of a sogle oc bus wthout placog the plara in an unsate condition.

g (J in the AP600 desegn, loss of a dc bus will not result in a loss of circuet breaker control.

The breakers m the AP600 are cortrolled by the PLS. The PLS system rmrmally receives power from the non-Cass 1E UPS system. Upon fadure of the dc bus powenng the UPS. or fadure of the UPS itself, the loads are automatically transferred to a regulatmg transformer supply. Therefore, loss of a dc bus wiu not result m k,ss cf i circud breaker control.

The ac power system breakers use schdstate contrs' e receives control power from a power supply intemal to the switchgear.- therefore, loss of a oc bus we not result in loss of control power to a breaker.

O O

O (D

3m cr a G,Dg <

=8 e

C) fV

3 TABLE 1 (Continued) b OPERATING EXPERIENCE REVIEW FOR THE AP600

$E lesues Addressed By NUREG 0711 Appendia B Human Factors Aspect / Human Performance issue Human Factors / Human Portormance issue Addressed by AP600 Design C Rom issue Reference issue / Scope V Power to Computers and Displays A consequent problem de system rehatukty - The de system is desgned for a high levet of rehabdity.

117 Subsection 3.3.5 System-Related Insghts - Loss of on loss of a oc bus es loss of power to corrouters and y

mdeo esplay screens _ A battery monitor es provided for each battery to morutor and alarm battery voltage,

$ de Bus detect and alarm battery open-circuit coneton (mclueng blown fuses), and stperwse battery avadatnhty.

The battery chargers are provided with a trouble alann for ac input fadure, de output under/over voltage, no charge, input / output breaker inp. sN de tvgh vottage shutdowft tnp.

The dc busen are monitored and alarmed for undervottage. The de system currents are morutored and alarmed for overcurrent.

A ground detection alarm is prowded.

The dc bus outage time for mantenance and repair mit be trunimized eth the use of the spare battery and charger.

16titgaton of the effects of the loss of a de hus - The AP600 rs dessped to withstand q the loss of a sar.gle dc bus withrd placing the plant in an unsate cordtron.

g A

in the AP600 design. loss of a de bus mil not result m a less of power to cortputers and weeo display (workstation) screens. Power to corrputers and video esplay screens norma 8y comes from a UPS system Upon fadure of the oc bus powenng the UPS. or failure of the UPS stser, the loads are automatatally transferred to a regutating transformer supply. Therefore, loss of a de bus wdl not result in loss of power to computers and video esplay (workstation) screens.

O O

3T cr o O, y <

e8_.

e CD fQ

I l

' 3 TABLE 1 (Con 6nued)

I $ OPERATW8G EXPERIENCE REVEW FOR THE AP900 E

leenas Addressed By NUREG 0711 Appendia B g

u Human FactoreMumen Performance leeue Addreseed try AP600 Design 3 Item Pseue Reference "-T_---- Human Factore _^ , _ ^^^ --- Performance leeue Y Power to Automanc Features A consequert problem on de system rehatahty - The de system is designed for a tugh levet of rehatMhty.

118 Subsecten 3.3 6 System-Related g insghts - Loss of loss of a oc bus as loss of some of the planrs automate y

features, such as tres and interlocks. A battery morutor is provided for each battery to morator and alarm battery voltage,

$ de Bus detect and alarm battery openorcuit condition (mcludmg blown fuses). and supervise battery avastatzkty.

i The battery chargers are provided wth a trouble alarm for ac irput failure, dc output under/over voltage, no charge, irput/ output breaker tnp. and de hgh voltage shutdown i

trp.

The de buses are moratored and alarmed for undervoltage. The dc system currents are morutored and alarmed for overcurrent.

A ground detection alarm is provided.

The de bus outage time for mantenance and repair ma be rninmzed with the use of the spare battery and charger.

Mitgaton of the effects of the loss of a de bus - The AP600 is desgned to withstand q the loss of a smgle de bus wthout placing the plant in an unsafe condition.

g Un in the AP600 design, loss of a oc bus will not result in a loss of automate teatures. The automate features in the AP600 are controNed by the PMS and PLS. The PMS system normally receives power from the Class tE UPS system. The PLS system normally receives power from the non-Class 1E UPS system. Upon fadure of the dc bus powenng any UPS, or failure of the UPS 4tself. the loads are automatcany transferred to a regulatog transformer supply. Therefore, loss of a Oc bus me not result in loss of I automatc features.

O o

O M

3m cr e g-_.

e8 e

C) TV l

E TABLE 1 (Continued)

G m

OPERATING EXPERIENCE REVIEW FOR THE APE 00 E

leeues Addressed By NUREG 0711 Appendia B g -

Human Factore AspectMuman Performance leeue Human FactoraMumen Performance boeue Addressed by AP600 Design 3 Item Issue Reference issuef5 cope

? Cwer.ut Breakers A consequent prob 2em on loss of a de oc system rebat2ty - The oc system is designed tar a tugh level of rebatety

$ 119 Subsechon 3.3.7 System-Retated y insights - Loss of bus as try or selected cwcuit breakers, such as reactor inp A battery morutor is provu$ed for each battery to morutor and alarm battery voltage;

$ dc Dus breakers.

detect and alarm battery operH:ircuit conotion (ulttuding blown fuses), and supervise battery avaitat2ty The battery diargers are provided mth a trouble alarm for ac input fadure, dc output under/over voltage, no charge. input / output breaker trip, and de tugh voltage shutdown tr9 The oc buses are morutored and alarmed for undervoltage. The de system currents are morutored and alarmed for overcurrent.

A ground detechan alarm is provk$ed_

The dc bus outage tune for in e c.ce and repair mil be mwumized with the use of the spare battery and charger _

Minganon of the effects of the loss of a de bus - The AP600 is designed to ethstand q the loss of a single dc bus ethout placing the plant in an unsafe conctiort g

cn in tre AP600 design, loss of a dc bus will not result in a paarit inp. The APS00 has eight reactor tnp breakers arranged for taxiutel-four tnp logc as shown in SSAR Figure 7.1-7. With ttus conhguration, the corrplete loss of power to any sangle train me result in tnppeng the two breakers associated with that traat; however, no single-train patr of breakers can trip the plant if they are the only breakers to trip.

120 Section 3 4 System-Related vessel Overfdl in BWRs dunng transient situations, reactor NOT APPUCABLE: Ttus issue is only appbcable to BWR reactors.

Inssghts - vessel overfdt can be a problem causing masn steamiine Automatic Trip of flooding and possbie damage There is currersty no Conde cate and automate tnp on condensate and condensate booster Condensate pumps on high reactor vessel level.

Booster Pumps 121 Section 3 5 System-Related System Overpressurization Dunng system restoration after NOT APPUCABLE: This issue is only apphcable to BWR reactors.

Insaghts - System maintenance dunng cold shutdown at a BWR, an incorrect Overpressunzation vaMng sequence resulted in overpressunzation of piping and damage to the test terum kne of the Condensate l Q Storage Tank (CST) and Condensate Retum Tank.

g M

Bm er to u<

m g -

.A g*

m:,

l E TABLE 1 (Conenued) h O A exP cc W,0.T te AP

, a '

6 3 teouse Addressed By IIUI.G 0711 AppesuNa B '

] g Huseen FactorefHuonen Portormance leeue Addressed Iny AP900 Design C Item locue Reference leeuerScope Stumen Factors Aspectetumen Performance leeue 7 Control of Feedneter Cor*ot System The controlof PWR In the AP600 design, SG water level as ataomencacy contromed frorn tr> load condmons j g 122 Section 3 6 SystervWklaged Insights - Feedmeter Systems dunng startup and lowpower to 100% piarit-rated thervrmi power by the startup feedwater control subsysterr. and the !

$ operatons has been problemaecal Operators have had main feedwater control subsysterrt The start @ feedwater coreal stesystem rnaritams

$ Feedwater Control difhculty h controthng the feedwater flowrale as necessary a programmed water levet in the shes side of the SGs dunng low-power (below

{

, System to inanntari SG water levels due psrbally to the fact that the approxsmately 10% of plerit<ated thermal power), rio-loed and plant heatup and feedwater control valves and awleral systems are not cooldown modes. Transeon between the main and start @ feedwater control wahres is t i

designed to operate in the low flow regions. There has automatcapycontrolled based on flow measurements within the respectrve coritrot also been dithculty in the switchover from manual lo valves. The startup feedwater control subsystem regstates the flow of feedwater in a !

automatic control that occurs in thes twne frame. manner samilar to the way (inain) feedwater is controRed in the towpower control mode.

Two modes of leedwater control (lowpower modo and highpower mode) are incorporated in the (main) 'eedwater contrat subsysterrt A separate low 4ange feedwater flow measurement is used in the towpower feedwater control rnode. SSAR subsections 7.7.1.8.1 and 7.7.1.8.2 provide a description el the feedwater control and startup feedwater control subsystems.

I 123 Section 3.7 System-Retsted Volume Fins With Water On a BWR, when the scram - DIOT APPLFm F This issue is only appbcable to BWR reactors. j insaghts - Scram discharge volume tills with water,insertson of the control Discharge Volume rods is inhbted.

6

i N l 7

i l

t f

O '

es O i a r 3m cr u I Q 6.SP-a l eO w

0) f0 [

i l

i i

?

+-- .- -..---.-: .

TABLE 1 ("W

}G OPERATING EXPERIENCE REVIEW FOR THE AP900 h

E y looves Addresee6 By NUREG 0711 Apperulix B g -

Human FactoreMumen Performance leeue Addressed by AP600 Doengn a iem leeue Reference issuetScope Human Factore AspectMumen Performance Resue

'T -

The AP600 has incorporated various design features to address ISLOCA challenges.

Secton 3 8 System-Related Overpressurizaton of Low-Pressure Systems g 124 insights - Overpressunzaten of lowpressure systems due to RCS These desgn features have resulted in very low AP600 core damage frequency y

Interfacmg Systems boundary failures may result in rupture of low-pressure correared to currerdty operatog plants. These desup features are pnmanty assocsated

$ piping. Some RCS boundary fadures have occurred due to with the formal residual heat removal system (RNS) as discussed in SSAR LOCA (ISLOCA) operator error. Important operator errors inctode valve subsecton 5 4.7. A Westmghouse design eeport. WCAP-14425, has been prepared to ahgnment **rors during transsons between operaten document the systemate evaluation of the AP600 desgn lor conformance to NUREG/CR-5102. As a result of the study reported n WCAP-14425, additsonal dessgn g:: odes. features have been mcorporated in the AP600.

The following table provides a summary of AP600 design features whch satisfy ISLOCA frequency acceptance enteria.

System 1 Subsystem Major Design Feature Normal Residual Heat Removal 1. Increased design pressure of the outside of the contamment porton of the system, such that the uttsmate rupture strength ci the pipog and ww. 3 are equal to or greater than the RCS desgn pressure.

-i

Chemcal and Volume Control 1. Relief valves were added to mmimize the consequences of pump suction over-h System Makeup Pump Sucton pressunzaton.

2. Hgh-pressure alarm added to pump sucten une to alert operator of overpressunzatiort Chemcal and Volume Control 1. Placement of tJgh-pressure punicaten Systera Letdown Line loop inside contamment elmnates high1 nergy letdown outside of wha. ea. .

2. Letdown onfce brrQs leakage from a letdown kne ISLOCA.

3. Automate isolaton of letdown occurs apon safeguards actuation signal.

4. Rehef valve added to prevent overpressurizaton of letdown line.

Primary Samphng System 1. Most of the Pnmary Sarrpimg System is desgned for full RCS pressure.

g 2. Flow restnctog onfces hmet extent of ISLOCA 1 (D

3. Automatc esolation of Pnmary Sanptog System i Q occurs upon safeguards actuaten synat.

3D !

CT (D

' Demmeralized Water 1. Rehef valve added to prevent overpressunzaton f

$ - System of the inside of contamment porton of the a g- system.

O;

$m 2. Twtomate isolation of Demmeraized Water System occurs upon safeguards actuaton sgnat. !

i I

i TABLE 1 (Continued)

[bc5 OPERATING EXPERIENCE REVIEW FOR THE AP600

$ Issues Addressed 8y 14UREG 0711 Appendix 8 g Human Factors / Human Performance issue Addressed by AP600 Design 3 Item lesue Reference issuert = = Human Factors Aspect / Human Performance issue

'? l&C Systems ProNems Cor=ventonal B&C in f4PPs has The advanced 1&C equipmert used in the AP600 desgn is based on an evolution of G 125 Secten 3 9 System-Related previous d9tal l&C desgns. Each evoluton step incorporates improvements wtuch are y Ins ghts - been associated wth penodic fadures. spunous reactor a result of expenence gamed dic) the use of the previous desgn. Ttus trurwruzes the tnps and plant transaents, operator confusion on instrument

$ Advanced IAC fadure and loss-ofpower, extensive time and effort to likelshood that any particular desgn would have a sgnificant amount of problems that accomphsh testog. and diffcultes m troubleshooting and would irrpact plant operation.

repair. Advanced ISC is subsect to sudden fadure and recovery, due partially to hgh susceptitutsty to EMI.

Interfacing uth the new equipment and software programmmg also afford ogportunebes for operator prottems.

Corrponent- Dessgn Alternatives Seal degradation and failures have NOT APPLICABLE: The AP600 desgn specifes reactor coolant punps with canned ,

126 Subsection 41.1.1 !

Related Insghts - caused RCP leaks. A desgn attematnre wtuch can mitigate motors that have re seals. Re6e to SSAR subsxtions 5.13 3 and 5.4.1.

RCPs - Seals the need for extensrve and complicated fives is the use of carred rotor pumps that do not have seals.

Cornponent- Instrumentation - Moretonng Flow, tenverature, and NOT APPLICA8LE: The AP600 design specihes reactor coolant purrps with canned 127 Subsechon 41.12.1 Related Insghts - pressure data trom the seat system should be contmuously motors that have no seals. Refer to SSAR subsectons 5.13 3 and 5.4.1 RCPs - Seals monitored and should be analyzed for seal pertemiance q needs.

r NOT APPLICABLE: The AP600 design specifies reactor coolant punps with nnned g 128 Subsection 411.22 Corrponent RetPted inssghts -

instrumentation - Ranges on Flow Measunng Devices Prorde increased ranges on flow measunng devces so rnators that have no 3 eats. Refer to SSAR subsectons 5.13 3 and 5.41.

RCPs - Seils that off normal values may be read as well as normal values.

Component- Instrum% ton - Ranges on Temperature Measurma NOT APPLICABLE: The AP600 design specifies reactor coolant punos with canned &

129 Subsechon 4.1.12.3

Related insights - Devees Provide mersased ranges on temperature motors that have no seals. Refer to SSAR subsectons 5.13.3 and 5 4.1.

RCPs - Seals measunng devces up to RCS temperatures.

Component Instrumentation - Addmonal Pressure and Temperature NOT APPLICABLE: The AP600 design specifies reactor coolant pumps w;:h canned {

130 Subsecten 4.112 4 Measurements Provide added pressure and tenverature motors that have no seats. Refer to SSAR subsections 513 3 and 5.4.1. j Related insights -

RCPs - Seals measurements. e g seat leakoff pressures. CCW return [

hne pressure, seat cavity terrperatures, differennat stage ;

pressures, and radiat beanng temperature.

Subsecton 41.1.2.5 Component 6h./ tion - A.%tions! Flow Measurements Provide NOT APPLICABLE: The AP600 desgn specahes reactor coolant pumps with canned I 131 Related insigtts - added flow measurement. e g , seat leakott flows. motors that have re seals. Refer to SSAR subsections 5.1.3.3 and 5.4.1.

RCPs - Seals O Instrumentation - Better Alarrrena Provide better alanning NOT APPLICABLE: The AP600 design specahes reactor coolant punps with canned O 132 Subsection 4.1.1.2 6 Corrponent.

of the need for operator tution. motors that have no seats. Refer to SSAR subsections 513 3 arm 15.4.1. !

h Related Insights -

I 3D RCPs - Seats CT (D ProcedJres and Operator Arts - RCP Trendmg Operator NOT APPLICABLE: The AP600 desgn specifies reactor coctart pumps with canned Corrponent

]1E 44 133 Subsechan 4.113.1 Reiated insghts - aids should te provided that allow the operator to motors that have no seats. Refer to SSAR subsectons 5.13 3 and 5 41. l l

RCPs - Seals appropriate *y trend RCP related parameters rela 9ve to seal cp Q yg performance; cnteria. l

[

l i

.I ,

E TABLE 1 (Continued)

G

+0 OPERATING EXPERIENCE REVIEW FOR THE AP600 E

issues Addressed By NUREG 0711 Appendia B g

3 issue Reference issuerScape Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design Item V Procedures and Operator Axis - Emergency Procedure NOT APPUCABLE: The AP600 desgn specihes reactor coolant purrps with canned G 134 Subsecton 41.1.3 2 Component y Related insghts - Guwielmes Ernergency Procedure Gux3elines, procedures, motors that have no seats. Refer to SSAR subsections 5.1.3.3 and 5 4.t.

and trasrung should be provided for a reasonatAe spectrum

$ RCPs - Seals of seal failure events, such as: hgh-seal, leak <)ff flow.

hgh-seat temperature, high vt>raton, loss-of-seat sigection, loss <>f-sea! cochng, SBO. and reactor cootant pump restart enteria These procedures should mcorporate the

.mm.m.e.d.tions of reactor coolant pump and deal vendors.

135 Subsection 4.1.14 Component Functonal Anotation isolation of seat leakoff hnes on hgh- NOT APPLICABLE: The AP600 desgn specihes reactor coolant pumps with canned Related Insghts - flow, which has fusionCally required operator acton, should motors that have no seats. Refer to SSAR subsectons 51.3 3 and 5 4.1.

RCPs - Seals be evaluated as a candidate for automaton smce detecton.

recogruton, and action are time constramed.

136 Subsecton 412 Con,~aent- Comronent Degradaten When reactor coolant pumps or The AP600 employs canned motor reactor coolant pumps that do not contam seats Related insights - motor w.w..&45 degrade, they can eventually result in whose degradaten could lead to a loss of reactor coolant. Reactor coolant pump RCP Morutonng catastrophsc fadure of pump or seals, if the pump is rot ishww.ioton is provided to contmucusly monitor pump performance ancludmg 1) stopped in bme. Due to the location of the reactor coolant beanng water temperature. 2) purrp vt>raton. 3) stator temperature,4) purry speed in pumps inside whW. detecton of degradation must addition. RCS toop flow rates are contmuously measured.

y be accomplished through appropnate instrumentariart 4

o Large failures of the pump or seals can potentsally result in a pnmary system LOCA. .

137 Subsecton 4 2.1 Corrponent Tre Status in a case where the overspeed tnp vatve for NOT APPUCABLE: The AP600 does not have an AFW system. The PRHR system Re'ated insights - the turbine-dnven AFW pump turbme was inadvertently functonalty replaces the AFW systems in current PWR desgns. The PRHR system AFW Pumps tnpped and not properly reset, the CR operators were not does not include pumps. Refer to SSAR Secton 6.3.

aware of the inoperable status of the AFW pump.

138 Subsection 4 2.2 Component- Steam Bo@ng AFW pumps have expenenced steam NOT APPLICABLE: The AP600 does not have an AFW system The PRHR system Related insghts - bmdrig resultog in pump inoperability. This has typically functionally replaces the AFW systems in current PWR desgns The PRHR system AFW Pumps been caused by feedwater back leakage through the AFW does not include pumps. Refer SSAR Section 6.3 discharge check valves, but also by leakage through conplex pathways, working Rs way back to the AFW pump suClon soufces.

139 Subsection 4 2 31 Component- Pump Driver Tnps- Diesel Dnven Pump -- Mmemum NOT APPUCASLE: The AP600 does not have an AFW sys*em. The PRHR system Related insights - Operatmq Speed The diese61$nven AFW pumps have funchonally replaces the AFW systems in current PWR designs The PRHR system AFW Pumps expenericed protAems where the purre drivers have tnpped Joes not include pumps. Refer to SSAR Secton 6 3.

g because the diesel AFW pump had reached nurumum (D

operatog speed (about 600 rpm) which closed the speed Q switch.

gy dk 140 Subsection 4 2.3.2 Component.

Related insaghts -

Pump Driver Tnps- Desel-Driven Pump - Stop Sqnal The Gese642nven AFW pumps have expenenced problems NOT APPUCABLE: The AP600 does not have an AFW system. The PRHR system functionally replaces the AFW systems in current PWR desagns The PRHR system y{

g)

AFW Pumps where the pung dnvers have tnpped twcause the stop sgnal was momentanty generated by the operator and was does not include pumps. Refer to SSAR Secton 6 3.

GM released before the Gesel had come to a full stop.

E TABLE 1 (Continued)

G w

@ OPERATING EXPERIENCE REVIEW FOR THE AP600 a

issues Addressed By NUREG 0711 Appendix B g

C issue Reference issue / Scope Human Factors Aen.- x Performance issue Human Factors &tuman Petformance issue Addressed by AP600 Design ltern T Pump Dnver Tnps: Diesel-Driven Pump ' Auto After NOT APPUCABLE: The AP600 does not have an AFW system. The PRHR system G 141 Subsecton 4 2.3 3 Cor@onent-y Related Insghts - Stop" Posthon The GeseH3nven AFW pumps have functonaily replaces the AFW systems en current PWR desgns The PRHR system expenenced problems where the pump drivers have tnpped does not include pumps. Re ver to SSAR Secten 6.3.

$ AFW Pumps when the control swit$ was aBowed to go to ' Auto After Stop.* an auto-start sgrial was present from loss of the man feedwater pump (MFP).

142 Subsecton 4 2.3 4 Component Pump Driver Tnps' Diesel-Dnven Pump - 0,esel Could NOT APPLICABLE: The AP600 does not have an AFW system. The PRHR system Related insghts - Not Restart The deseksnven AFW pumps have functonally replaces the AFW systems in current PWR designs The PRHR system AFW Pur@s expenenced problems where the purm dnvers have tnpped does not include pumps. Refer to SSAR Section 6 3.

due to the engme steil bemg at greater than 40 rpm, the diesel starter motors were esabled and the sesel could not try to restart.

143 Subsecton 4.2.3.5 Componere Pump Driver Tnps- Diesel-Drive Pump - tow Lube Od NOT APPUCABLE: The AP6(vsdoes not have an AFW systern. The PRHR system Related insghts - Pressure The Gesel<snven AFW pumps have expenenced functionally replaces the AFW systems in current PWR desgns. The PRHH system AFW Pur@s problems where the pump dnvers have tnpped 25 seconds does not include pumps. Refei to SSAR Secton 6.3.

after reconnng the second auto-start. the low-lube od pressure switch tnp was enabled Ttus caused the engme y to lockout due to the low od pressure associated with the 6 ename shutdown.

144 Subsecton 4 2 4 Component- Pump Dnver Tnps- Turtune-Onven Pump - Ermneous Trio NOT APPLICABLE: The AP600 does not have an AFW system. The PRHR system Related insights - of AFW Pumps The turbme-dnven AFW pumps have functionally replaces the AFW systems in current PWR designs. The PRHR system AFW Pur@s expenenced problems where the pump dnvers have does not mclude pumps. He8er to SSAR Secton 6 3.

tngped. because af;er an auto start operators erraneously t@ ped the AFW pur@s. The steam 41nven AFW pump had been restarted from the CR usmg the start valve which opened rapidly (less than 5 seconds) and caused the turbme to overspeed and trip. The auto-start signal opens the tnp and throttle valve on the initial auto-start over a penod of 20 seconds (by desgn, slow stroke time prevents the turbme overspeed). Until reset localty, the inp and throttie valve remains open when the pump is shutdown from the CR by shuting the start vatve. When the faster acting start valve was used to restart the steam <3nven AFW pur@, the pump trwed on overspeed since the Inp and throttte wafve was already open.

Subsecton 4.31.1 installation of Test Connectons for Leak Rate Testmo amt The AP600 systems are designed so that required plant testmg can be performed easily O

145 Cor@onent Related insghts - Check Vaive (CV) Testma- CVs in Senes Current plants and reliably. Chapter 3 9.6 describes the AP600 IST plan _ Table 3 9-16 in the SSAR 3 "D IST of Pumps and have had to devise complex test procedures that have lists valves that require ISTs_ CVs that have a safety back leak function are provu$ed with indnridual connections to allow their leak tightness to be measured

[$W Vatves often cha!Ienged operators and maintenance peronnel due to desgns that make testing very efficult, il possible at all.

'6 One ci the areas where the design can be enhanced:

h3

0) IV When there are two CVs in a senes and both are requered by safety analysas (e g , for redundancy and smgle failure purposes), test w m;- should be installed between the CVs 30 that each can be tested separately.

E TABl E 1 (Continued)

Ci eo

$:E OPERATING EXPERIENCE REVIEW FOR THE AP600 is issues Addressed By NUREG 0711 # ndix B m

u C Item issue Reference issuetScope Human Factors Aspect / Human Performance issue suman Factors / Human Performance issue Addressed by AP600 Design

?

f, 146 Subsecnon 4 3.12 Component- Instattadon of Test Connechons for Leak Rate Testing and The AP600 systems are designed so that required plant testog can be performed easily y Related insaghts - CV Testeg- Category A Vatwes and Contamment isoation s and rehably. Chaper 3 9 6 desenbes the AP600 IST pfart Table 3 9-16 m the SSAR hsts vatves that requere IST. Valves that have a safety seat teak function (ASVE Secton

$ IST of Pumps and Vatves Currers plants have had to devise complex test Valves procedures that have often challenged operators and XI type A valves, mctu@ng wh-. e isolation va!ves) are designed w:th the following maantenance personnel due to desgns that make testmg considerabons' very difcult, if possible at at. One of the areas where the design can be enhanced' Category A valves (per - Valve types that provide ret:able low leakage Secton XI) and at w 6-wiisolaton varves (CtVs) should have adequate test w mi-= such that t!'e

Process isolaton vafves and test w-mi-6 to allow their leak tightness to be valves can be safely leak 4 ate tested to the requerements of eneasured ASME. Secton XI and 10 CFR 50, Apperdx J, utnout excess ve operator reahgnment of systems and valves, Note that in many cases temporary connections are used to make wm^uvid to temporary setups, operator radation exposura, or potentia! pressure supplies and test instruments. Such w. .i-w are designed so that the

'or contammatiort connections can be easily made to portable test equipment with moimum radation exposure.

147 Subsecton 4.3 21 Component Valve Position Indcatorr Disk Posden InGeaten Current The AP600 systems are designed so that required plant testog can be pertcrmed easily Related insights - plants have had to devise compteu test procedures that and reliably. Chapter 3.9 6 describes the AP600 IST plan. Table 3 9-16 in the SSAF IST of Pumps and have often chatlenged operefors and mantenance Irsts the CVs that require tua stroke 13T per ASME Section XI. As descnbed n

-i Vaives personnel due to designs that make testmg very 6tficutt, 8 subsection 3 9 6, such CVs wit have norunt usive esk posrtion sensors to tacihtate such U1 possible at aR One of the areas where the desgn can be testag.

N snhanced Consider external esk position inecation for CVs that are required to be tun stroke tested per Section XL 148 Subser ton 4.3 2.2 Component- Va've Posshon trdca'* ort Local Va?ve Position Indcation The AP600 systems are desagned so that required plant testmg can be performed easily Related inseghts - Current plants have had to devise corrplex test procedures and rehably. Chapter 3.9 6 desenbes the AP600 IST plan. Table 3 9-16 in the SSAR IST of P,,mps and that have often chauenged operators and mantenance hsts the valves that have remote positon mdcaten IST per ASME Secten XI. This Valves personnel due to designs that make testmg very eftcult, d table mctudes solenod vahres, non-risog stem valves. and squib valves.

possible at as One of the areas where the dessgn can be enhanced" Consder extemat positen in@ cation for other types of valves whsch may not have had such indcation in the past, e g , soienoid valves, and non-rismg stem valves.

AR valves wftfun certain categones should be consadered for local va!ve posmon indir.ation. (See Section 5.3 for further discussion.)

O O

3T cr a Q 5.n -

,8 e

e C) N

_ _ ~ - _ _ . . - _ - _ _ - _ _ _ _ - - _ _ _ _ _ _ - - _ . - _ _ - _ _ - _ _ _ _ _ - _ - _ - _ _ _ _ _ _ _ _ _ _ _ - _ _ _ - - - _ _ _ _ _ - _ . _ _ _ _ _ - _ _ _ _ _ _ . - _ - _ _ - _ _ _ _ - - _ _ - - _ - _ _ _ - _ _ - _ _ _ - _ _ _ _

l TA8l.E 1 (Continued)

[b C OPERATING EXPERIENCE REVIEW FOR THE AP600 l

issues Addressed By NUREG 0711 Appendix 8 l s

v 3 Item Issue Reference IssuetScope Human Factors AspectHuman Performance lesue Human Factora#tuman Performance issue Addressed by AP600 Design j

? Capatety for Fue-Stroke Testrn of Vanes- Loss of Safety There are a few spuatons where a vatve es closed dunng IST, that d an accdent G 149 Subsection 4.3 3.1 Cornponent Function Current plants have had to devtse complex test occurred and that valve taded to open. a safety funchon would be lost. This des 6gn y Retated insights -

^j IST of Pumps and procedures that have often chanenged operators and approach is appropnate based on the fonowng"

@ maintenance personnet due to designs that make testing Vatwes TS Irnit the time that the va!ve can be closed f very difficult, if possele at all. One of the areas where the

design can be enhanced. Ensure that a single fadure [

dunng stroke testing at power me not cause a loss of . The test valve is prowded wth 1E power and a corermatory open sgnal !

safety system functon. l

Providing redundant parallel valves sgndicant!y compbcates the pant. increasing ;

the chance of leaks i maritenance / radiation exposure and malung the p@e routing i difficutt >

Probabilistic Risk A*sessment (PRA) resuits show that this design approach does nos increase nsk.

150 Subsection 4.3 3 2 Component- Capabihty for Fun-Stroke Trstrig of Valver loss of The AP600 systems are designed so that required plant testing can be performed easily 4 i Relatea insights - Contariment integnty Currerit plants have had to devise and rehably. Chapter 3 9.6 desenbes the AP600 IST plan. As remotely operated CtVs IST of Pumps and complex test procedures that have often challenged that a.e opened at power to perform ISTs have automatic closure signals. As a resutt. it f t

Valves operators and maritenance personnel due to desgns that an acodent occurred dunng such an IST and a single failure occurred the contarrners

-I make testrg very difficult, if possele at ad. One of the would still be isolated.

U1 areas where the desgn can be enhanced: Ensure that a W stigle tailure dunng stroke testing at-power mH not cause a loss of containment insegnty. ;

151 Subsection 4.3.3 3 Component- Capabety for Fuli-Stroke Testrv3 of Valves- Excessrve The AP600 systems are desgned so that required plant testing can be performed easily Pressures Currerg plaras have had to devise corrplex test arid reliably Chapter 19 6 desenbes the AP600 IST plan. A single ladure during an Retated insights - fp IST of Pumps and procedures that have often chauenged operators and IST wat not sutdect the AP600 systems to pressures beyond ther design pressure Valves maintenance personnes due to desgns that make testrig very detficuit. if possible at as. One of the areas where the i desgn can be enhanced: Ensure that a single fadure y dunng stroke testing at-power wit not sub}ect a system to i pressures in excess of ther design pressure. j 1

152 Subsechon 4 3 4 Component Stroke Trne Testing Current plants have had to devise The AP600 systems are desgned so that requred plant testing can be perto med easdy l Refated Insights - corrplex test procedures that have often chaHenged and reliably Chapter 3.9 6 descrbes the AP600 IST plart Remotely operated valves l j IST of Pumps and operators and martenance personnet due to designs that are stroke trne tested dunng ther penodic stroke IST. The AP600 facihtates this testing ,

Valves make testing very difficult, il possbie at au One of the eth the tonoung: {

areas where the desgn can be enhanced Provisaons g should be made in the desgn to facihtate stroke trne

Few rapid acting valves are used !

a '

O testrg cd Sechon XI Category A valves while the plant is atPower, includrig rapid actrg vafves and control vatwes.

Increased margin as prowded between the design operatrg trne and the safety

] g limits i

. gg 4

e<

]b - Remote position sensors are provided to

@@ As a result. the valve stroke times can be easdy venfied remotely.

C) f0 i

r

TABLE 1 (Continued) ;

E G

to OPERATING EXPERIENCE REVEW l'OR THE AP600 E

g leeuse Addressed By NUREG 0711 Appendia 8 i

1 Issue / Scope Human Factors A.p C..._.. Performance issue Human Factors / Human Performance issue Addressed by AP600 Design l a Item losue Reference )

7 Purre Testma- Testina Durma Plant Operaten Current NOT APPLICABLE: Ttus Rem does not apply to the AP600 because it has no safety- l

,1 153 Subsecten 43 5.1 Corrponera !

ptarus have had to devise complex test procedures that related actrve pumps. Chapter 3 9 6 desenbes the AP600 IST plan. This tatie shows y Related traghts -

that there are no pungs in the IST plan. ,

IST of Purrys and have often chanenged operators and mantenance

$ personne4 due to desups that make testng very dithcult. if Valves possble at as. One of the areas where the design can be enhanced- Ensure that system desup has sutroent flextxttty to anow pump testing dunng plant operatiort The !

system shoukt anow flow to be vaned so that a reference !

valua of flow or differenhal pressure can be established for [

the test without maior system reconhguraton. There j should also be adequate, installed mstrumentaten to run the necessary tests, inchading suction and discharge. [

pressure, differential pressure, and flow 4 ate. One means }

of improvmg flow instrutnantation is to include flow 4 ate .

instrur tents in the mirumum flow recuculation line. l Component Pune Testina Vbration Morutonna Current plants have NOT APPLICABLE: This item does not apply to the APSCO because it has no safety-154 Subsecten 43.5.2 [

Related Insights - had to devise conplex test procedures that have often related active pupps. Chapter 3.9 6 desenbes the AP600 IST plan. This tatte shows p fST of Pumps and chauenged operators and mantenance personnel due to that there are no pumps in the IST plan. t d Valves dessgns that make testing very difricult, il possele at a3. [

One of the areas where the design can be enhanced: !

01

There should be instaaed pump veraton morntonng [

L instrumentation to asow for trending and IST of pumps.

Secton 4 4 Component- Breaker Lock-Out Under vanous conditons targe circuit Circuit breaker control signat block or lock <>ut wis generapy occur when an atterrpt is [

155 '

Related insights - breakers may become locked 4)ut due P jrotection system made to close a breaker in the presence of a trip signal. Note that the trp sgnal can Circuit Breakers actons. These lock 1xsts were not ah.ays alarmed or originate from erther the PMS or from the electric system protective devees (relays). If indicated to the operators. An example is the safety an attempt is made to close a breaker from the CR through the soft control in the (

ingection purrip breaker, wtuch had a lock-out when an presence of a protective system try signal, the controi action wiR be blocked (but not {

attempt was made to close the breaker with the hand locked <sut) arid the operator will be provided with an appropriate message to clarify the ;

switch in the presence of a try sgnal. In this case there system response 11 an attempt is made to close a breaker loca8y at the switchgear in ,

was no indication of the lock-out and the only means of the presence of a inp sagnal, theu' reaker may be locked-out at the switchgear. A3 f cleanng the constion was to remove and reinstat the fuses switchgear lock <xst conditions are indicated and reset capatnisty provided. l 1

at the tweaker or rnanuaty change the state of the relays.

f 156 Section 4 5 Component inflatable Seals Spent fuel pools have innatable seats The AP600 spers fuel pool does not contain any inflatable seats that require the t Related insights - which are typicany pressurtred wrth instrument ear Loss of avartability of auxihary systems to mantain spent fuel pool water inventory Spent Fuel Pool air pressure. among other items, can cause les 2 age or g g Seats fa4ure of these seals and subsequent drairung of the fuel l n

P* '

0 so cr e ,

O< r j ' Gi :

i d

6 t CD CD 3 t m to I

t k

l.

3 TA8l.E 1 (Continued) t OPERATING EXPERIENCE REVEW FOR THE AP600

[E lesues Addressed By NUREG 0711 Appendix B Human Factors ? ; =^ ---- Performance losue Human Factors / Human Performance issue Addressed by AP600 Design 3 Item lesue Reference issuerScope V Befouhng There have been numerous mstances of The RNS HXs transfer heat from the reactor coolant to the closed CCS. The CCS is G 157 Secton 4 6 Component- ,

. y Related Insights - tuotouhng m NPP heat exchangers (HXs), where various chemcally contiolled with corrosen inhibitors and pH adjustment _ The makeup water to the CCS is demineralized water. When the CCS water cherrestry is mantained as j

Heat Exchanges types of clams and mussets have grown inside of pipmg

$ and partcularly HXs This occurs e open-cyde coohng specifed, there is no potenbal for txologcal toutmg of any of the evv. a whch are water systems and has caused sufhcient fouhng so that cooled by the CCS, mcluding the RNS heat exchangers.

pressure drops have increased and flows have decreased. ;

This in tum Imts the abeldy to adequately cool The CCS is m tum cooled by the open service water system whech releases its heat into }

-vv. .;i HXs that have been affected include those the ultimate beat sink via a coohng tower. The SWS is a relatively small open cochng j l

for Component Coohng Water System (CCS). RHR, and system which is chemcally controlled to maintain appropnate concentrations of biocide, I

Emergency Diesel Generators. akycide, pH adpustor, conosen inhibitor, scale inhatxtor, and a sitt dispersant. Refer to the item 7 response for more information on the SWS. (Subsecten 92122) i Flows and ten 1perature instruments on the inlet and outlet of both the process-water side and the coohng-water side of the CCS and RNS HXs, enable the use of thermal performance evaluations to detect degradaton.

The AP600 desel generators use a closed coohng system with air <coled radators; l therefore, twofouhng concems are not apphcable to the desel generators.

-l Procedure development is the responsRxhty of the COL apphcant as stated in I g Sechon 13 5 of the SSAR.

m 158 Section 4 7 Comparient- Destodged Connectors Power connectors have become THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING SYSTEM.

Related insights - accsdenity Gslodged resulting in tendesrred transents. One Power Connections example is power connectors tor the feedwater control system, which led to a reactor scram.

159 Sechon 4 8 Coniponent- Design Flaw in BWR IntermeGate Range Monitors A A faded nuclear instrument power s@ ply fuse results tri an instrument output that is *out-Related insights - desagn flaw was identded m BWR Intermedate Range of-range.* If a parameter measurement is outside the range of the instrument (note that the data quahty would be good), then this *outerange* information is indcated on the i Neutron Monitors Monitors whereby the failure of a power supply fuse resuated in inoperabihty but was not annunciated nor did it workstaten esplay to the operator. ,

' create a try situaton from the detector output.

160 Section 4 9 Componer4 Desiccant Carryover Due to a fadure in the Instrument Air The after-tsiter desagn efferenhal pressure capabdity is greater than the maximum Related Insights - (IA) system fdter, the desiccant from the dryer assently ef'erential pressure. Should the fdter become plugged. It is designed not to lad. The instrument Air carried over into the IA system and caused a failure of dryer package wdl have alarms to identify high efferential pressure across the filters.

Dryers solenoid valves. This in tum caused a CfV to become inoperable.

g o

O i O

3 Il cr e e<

".aUi g-l

$3

0) 10 i

a .

i

. _ _ _ _ . _ - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ . _____ _ _ . _ _ _ _ _ _ _ _ _ - _ _ _ _ _ - . ___ _ , _ _ . . _ _ _ _ _ _ _?

E TABLE 1 (Continued) j G -

i o

OPERATING EXPERIENCE REVIEW FOR THE AP600

[

E i leeues Addressed By NUREG 0711 Appendix 8 is u

3 Issue / Scope Human Factors AspectMuman Performance issue Human FactoreMuman Performance tesue Addressed try AP600 Design Item lesue Reference

? (Me of HFE Pnnceles in LCS Design Local control LCSs in the AP600 wiB be desgned usmg the same HFE design process and ;

y 161 Subsection 5.1.1 Local Control y Stations - General stanons (LCSs) serve as swerfaces between the operators consderatxms as will be used for the MCR and HSt. Re8er to SSAR Secnon 18 8.

Each LCS will be anatyred and desgned to - we the fonowmg- (a) expected

}

and the plant, simRat to the workstahor's in the CR. Hence.

$ Consderations the approach to their desgn should reflect the same HFE modes of geratiort includmg mantenance and refuenng, (b) function identshcation and !

consderations given to the MCR, i e , they should be task analysis; and (c) staffmg levels needed. The desgn process wiR idenhfy the [

desgned using the same methods, standards, gudehne indivdual tasks necessary to perform the LCS's functions Any MMI desgned for the [

and pnnciples. The design of LCSs should be guided by LCS wie fonow the same process, pnnciples. gudehnes. conventaons, and codmgs as ,

the funcpon and task analyses used to analyze Ibe human was applied to the MMt in the MCR. Plant-wde convengons regareng equipment rote in the piart it should be deterrruned that funchons to coding, labeting, and operations of contsols will also be apphed to the design and layout g 6 i be performed at LCSs wiu not be a:ompromised by human of LCSs.

limitations and that the desgn of the LCS meets the needs [

of the cperator for process information, means of effectog j control, feedback on control acDons, and an adequate [

woiiung a, ..,~.ea in additiort the design of each LCS l shocad be consistent with that of other LCSs ard should i conform to plant-wide convenbons regarding codog, tabellog, information esplay, afd operation of contrats

[

Labelhng should be wee-engmeered, consistent, thoroughly apphed throughoet the plant, and appropnatee y desgned to q avoid wrong-unitNvrong4 rain type ermes.

g O 162 Subsection 512 LCSs - General Functonal Acocation Cormderatens in discussmg The LCSs wiu be desgned usmg the same desgn process as that used for the MCR I Consderations problems that mght be antcipated with fuhre LCSs. afd the HSI. Refer to SSAR Secton 18.8. One of the desgn oblecDves for the AP600 [

Hartley et af. (1984) pomted to the allocation of an M MIS is to present informanon to the operator in such a way that the operator is able to 6 increasing number of LCSs to automatic or semi-automatic mantam situation awareness. The WPIS esplays in the MCR will be designed to y systems (as opposed to hurr.an operators). The effcuthe,s accomphsh this objecitve. For LCSs. the respeceve interface wia be desgned to anow !

they anticipated wers the same as those that can anse the local operator to mantam an awareness of the situahon; to effectively morutor and ;

I from increasog autometion in the CR,i.e., the potenhal venfy the status of any automatcany cortroned local functions; and to property execute loss of operators'situahon awareness, and handsen any required local manual actions. [

control slulls (OHara,1993) as their pnmary role becomes [

one of morutonng rather than controlling. A related ;

observation was made during the plart vistts undertaken for NUREGCR-6146. j i

O ,

- e t O

L$ r 3m cr o i Q S, un i

j a-

=

OM ,

i h

E TABLE 1 (Continued)

G m

$s OPERATING EXPERIENCE REVIEW FOR THE AP600

(

,o issues Addressed By NUREG 0711 Appendix B C Item issuefScope Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design l Issue Reference

? The workstation m the AP600 remote shutdown room wig be identical to the Reactor

j 163 Subsection 5.1.3 LCSs - General HSI Consistency Wrth Man Control Room The reviews y Consideratons undertaken for NUREGCR4146 uwotved 11 see visits to Operator's workstaten m the MCR. The M-MISs availabic at tne operator's workstation observe LCSs. At aN of the plants, operators m the CR m the MCR wa also be avadable at the remote shutdown room workstation. Therefore.

$ had access to computertased displays in addtion to the @erator will obtam plant information and control the plant from the remote shutdown corwentonal esplays These esplays provided fugh-level workstation in the same manner as he does from the MCR workstatiort mformation, e g , mdrmt ons that rep'esented an mtegraton of several parameters, of the value of a set of parameters The MMI and workstation design for an LCS wig follow the same process, princples, plotted over time. However,in only une of the ptants were guedahnes, converttions and coengs as was appked to the HSI in the MCR.

sucn esplays avadable at the shutdown panet This ssue may become more sgndicant in aavanced plant designs, whees LRs are computer workstaton-basad, whde the LCSs (such as the remote shutdown panet) are based on conventonal HSI. In such a plant, operators at remote shutdown statens might be forced to gather informaton about the status of the plant and the effectiveness of their actions by unaccustomed means.

164 Section 5 2 LCSs - Functional Distnbutm of Safety Funchons Functonal Centrahzaten The AP600 plant design is such that it has a high degree of FC. i e., it has an sa'ety Certrah2ation (FC) refers to the manner m wtuch the safety functons of functions integrated into a smgte panel wtuch contains a5 necessary controls and

-1 LCSs are estrtsuted throughout the plant. Ths embodes displays. Ttus panelis the reactor operator workstatens in the MCR.

Ut many of the systems engmeermg charactenstics of LCSs N and theer functional orgarizatort A plant wth low FC has The AP600 l&C arctutecture we be such that au process informaton that is avadable via a wide estnbuton of safety functions on many local panels the plant control system wG be ava lable througnout the plant. Commurecation ports mil throughout the plant. Such plants also heavily use local be located throughout the plant to allow workstations to be used locany at the equipment control of individual componerts. A plara wtn high FC has for " local contror, morutonng achvces, mantenance actnnties, or other functions. Local aR safe *y functions integrated into a sogle panel wtuch indication and/or controls win not be used except where required by code, regtdatory contams au necessary controls and esp!ays. FC affects requirements. URD or for operaton of the process where portable interfaces with the human performance through its impact on such factors as plant control system would be a hedrance. Through the use of eaher portable or commurucatsun workload, crew coordmation, time to permanentry installed interfaces arxi'or displays, plant personnel can access any complete actons, and requirements for procedural morntored parameter in any locanon in the plant. By usmg this technique, local cortplexity. In NUREGCR-5572. it was shown that indicatmg devices wdl not generally be required and an auxdta'y operator can monitor centralization of functions at multfuncton control panets the whole system from one location.

was assooated with large potential reductons in nsk.

When considered at the desegn stage, the nsk redxton benefit would be hig't 165 Section 5.3 LCSs - Valve Lack of Local Vala D~m Inscaten NUREG/CR4146 The AP600 va've design specdication PV03-ZO-001. ASME Class 1. 2. and 3 safety O Posit on Indcation found that n:any manual valves, cmn those found to be the related gate and globe valves specifies that a local positen indicaton device is requered CD (VPt) most nsk-segraficant manual valves, tackeMval posstion for these valves.

O ndcattort Wahout such expbcr indcatm the positen of 33 the valve is infe' red from stem position (for nsmg stem Manual watves identAed as "nsk-sigruficant" mR have valve position indicaton. The valve desgn speedcahor* wiR specdy the type and details of the valve posit on indcation

{$

- g vatves) or detemuned by checking the valve in the closed directiort Both methods have potential problems, as as a requred design feature for the respective vatve. The cnteria for determuung "nsk-ay discussed in the NUREGCR. OER also identified incidents sgruficant" valves is found in SSAR secton 16 2. ;

@3 c) 10 that were Caused by poor or mrssmg local VPt The nature of the positen indcaton should be a@ropnate to the use of the valve.

I 3 TABLE 1 (Continued)

G eo

$ OPERATING EXPERIENCE REVIEW FOR THE AP600 t

issues Addressed By NUREG 0711 Appendix B g

3 Item issue Reference haue/ Scope Human Factors Aspect / Human Performance issue Human Factors /Humara Performance issue Addressed by AP600 Design

?

166 Subsection 5 41 LCSs - Space at LCSs Ohen there is not enough soom for The workstation in the AP600 remote shutdown room wS be identcal to the Reactor G Operator's worttstation in the MCR. The M-MISs avaAable at the operatofs workstatm y Miscellaneous operators to work at the remote shutdown panel. In

$ items particular, sufficent space for handimg procedures is m the MCR we also be available at the remote shutdown room workstation. This needed at the remote shutdown panel as we8 as at many mcludes the CPS. Therefore, the operhter we obtam piant otormation, and operate and other local panets. control the plant from the remote shutdown workstatson in the same manner as he does from the MCR workstatiert The CPS and its use of multiple VDUs (dyname roadmap screen, mam enterface screen and supplemental information) ehmmates the need to ensure adeqJate laydown space is available at the workstation for handimg paper procedures Task anatysis we be performed for otner LCSs and d laydown space is needed then frus need we be addressed.

167 Subsection 5 4 2 LCSs- Steam Generator Dump VsNes Manual operation of PWR Under nonnat power operation the opera %i of the poweroperated rehef valves Miscenaneous SG atmosphenC dump watves is often very dMicult because (PORVs) rs automatcally controlled by steamune pressure dunng plant operations. The items of comphcated manual arrangements. Very high noise PORVs automatcally modulate open and exhaust to atmosphere whenever the levels, high heat loads and sometimes enconsrsters watve steamhne pressure exceeds a piC..M setpoers The setpomt is selected between operatson with valves in close prorsmity to each other. reload steem pressure and the set pressure of the towest set safety vatves. For their use during plant cooldown, the powereperated atmosphenc rehel valves are au*cmatcally controlled by steamhne pressure, with remote manual adlustment of the pressure setpomt from the CR or the remote shutdown workstatort To effect a plant

-1 cooldown, the operator manually adjusts the pressure setpomt downward an a step-mse Ui fashoort Manual control at the valve is not provded for the PORVs. The PORV

@ discharges are on the roof of the auxthary buildmg and chscharges via a silencer to kmrt noise levets.

The SG poweroperated atmosphenc rehef watves provide a nonsafety4 elated means for plant cooldown by hi.s y steam to the atmosphere when the turbane bypass system ts not available. Under such orcumstances, the relief valves (in corgunction with the startup feedwater system) allow the plant to be cooled down at a controlled cooldown rate from the pressure setpoent of the lowest set of safety valves down to the poant where the RNS can remove the reactor heat. The safety-related means of decay beat removat and piarit cooldown is attamed by means of the passive RHR system and mdependers on the PORVs O

o O

t$

5D cr o

, 12.

e8 e

C) 10

l 2

1 l

i E TABLE 1 (Continued)

G >

ro OPERATitzG EXPERIENCE REVEW FOR THE AP600 j E

y Iseues Addressed By NOREG 0711 Appendix 8 ,

,o 1.._- Performance issue Human Factors 4tuman Performance tesue Addressed by AP600 Design C Stem tesue Reference Isave/ Scope Human Factors ^

V Persormet Overeuposure Vanous areas of the ptart have The AP600 incore instrumentaton does not incturie TIPS or rnovatde detectors. The 168 Subsecten 5 4.3 LCSs -

Miscellaneous the potennat for rugh radation fields that could lead to mcore thatde tubes are mstalled and not moved dunng plard operatiort They do not l pe sonnel overexposure, therefore all plants have instaned present any potential for over-exposure of personnet to radation wtute estalled. These

$ trems radation detectors and alarms. Ad@honalty, however, the thette tubes are withdrawn into the mtegrated head package pnar to head removat rt I

mattuncton of certam equipment can lead to very fugh preparaton tor refuehng. After thette tub' withdrawal, the integrated head is hfted and ,

rasaten levets. Tfus equipment includes incore instrument set down onto a truck bottom sheidng p t The shieleng piste is attached and the thettes and travehng incore probes (TIP). There should head is then hfted irito a stuelded vault. t sti thimble tubes also do not present potenhal be appropnate local warnog devices (and perhaps also CR tor over-exposure of personnet to radaten dunng shutdown, alarms) to alert personnel when equipment, such as TIPS i

and incore ttumbles are not sineided and the potenbal Area radation morutors (ARMS) are provided to supplement the personnel and area exists for tugh radation felds. radiaton survey provisions of the AP600 health physics program desenbed in Secton l

12.5 and to corrpy with the personnel radaten protecton guidehnes of 10 CFR 20. 50.

70, and Regulatory Guides 1.97,8 2,8.8, and 8.12. In additon to the installed detectors, penoec plant envronmental surveeMance is estabhshed.

AP600 normal and accident plant radanon monitonng is desenbed in SSAR Section 11.5. .

169 Subsection 5 4 t LCSs - Emergency Lighnna Emergency tightmg is required in the The AP600 design includes extensrve use of plant automation and estributed control.

f -4 Mrscellaneous plant for personnel safety and for nuclear safety reasons. The esributed control system maurrures the need for LCSs to meet the requirements of ,

Ut items The two key nuclear safety areas requmng emergency erther 10 CFR 50 Appenen R or 10 CFR 50 63 (SBO). Emergency hghting is provided C lighhng are the scenarios of 10 CFR 50 Appen&x R. m the MCR and the remote shutdown workstaten to diummate these areas for [

Section til.J and SBO. Operatog expenence has shown emergency operations upon toss of normal hghtmg See the AP600 SSAR. Chapter 7 f that NPPs have tended to pay less attention to the lightmg for a desenption of the plant control systerrt The emergency hghting system is requirements during an SBO scenario. A common practice described m AP600 SSAR subsecton 9 5.3 2.2 is to depend on auxihary operator use of flashhghts. This can be a problem due to the potential unavailabdity of The AP600 design includes two nor> Class 1E deset generators separated by a fire [

flashhgtys in an emergency and also because the physical bamer. Followng a fire, at least one of the desel generators will be available to provide r

use of one whde operatog equipment and commurncatog power to normal bghting in areas of the plart not damaged by the fire. During SBO the two noncass 1E desel generators are avadable to provide power to normal plant I with the CR may be cumbersone.

tigheng The o'isste noncass 1E desel generators are descreed in AP600 SSAR, subsection 8.31. '

I i

O e

! 1 o t

<D 33 cr o es

=8 w

C) fG h

t I i

E TABLE 1 (Continued)

G ha

$ OPERATING EXPERfENCE REYlEW FOR THE AP600 E

issues Addressed By NUREG 0711 Appendix B g

3 Item lesue Reference issue / Scope Human Factors AspectHuman Performance issue Human Factors / Human Performance issue Addressed by AP600 Design T The Desgn Rehabday Assurance Program, or D-RAP, uses probabihste (and other) y 170 Section 61 Shutdown Outage Management and Ptarnna Due to the unportance y Operatons - of octage managernent and ptarnng to shutcbwn measures to dentify ns>4ignJacant structures. systems and ww ds (SSCs), then operatons, consde'aton should be given to the generates maintenance recommendations and other information for use in the plant

$ Procedures development of scheduhng tools (e g , computertased owner's ' operational rehabihty assurance actwhes. The D-RAP ts presented in outage plannog and n im..,e ans see Shore et af) to Chapter 16.2 of the AP600 SSAR.

assist in outage paarnng scheduhng, and management.

Further, an interactive up-to-date PRA, that allows a The resite specific entical items kst represents the plant SSCs that have been stagged determinaton of the nsk signsficance of removing selected as nsk-skyvfcant based on selected PRA nsk wnpo# tant measurement thresholds. For pieces of equipment from service, would serve to improve these SSCs. Westinghouss develops mantenance icw-. ..azhons that will be outage nsk management ansidered by the COL apphcant in tus plant maintenance program, including his outage plarnng activities. The COL apphcant is responsible for addressmg outage pearng There is no interachve PRA that the COL apphcant receives from Westmghouse to calculate nsk impacts of SSC removal from service. However, the D-RAP cntcal items hst whose selechon basis is nsk-ircrease measures, are those items whose unavadabihty sagnifcantly increases nsk inciuding nsk dunng shutdown operations.

Thus, they should be given special attention m outage plarnng.

t 171 Secton 6.2 Shutdown Operator Traang Operators are etten confrorged with Trainmg Program development is the responsibihty of the COL apphcarW as stated in

-l Operations - untaminar situations dunng shutdown operatons. Tranng Section 13 2 of the SSAR CD Procedures programs should be improved to appropnately consider the O safety emphcations of these cordtions. As an example. The AP600 ERGS (AP600 document number GW-GJR-100) prowde the functon i simulators should be able to model important shutdown restoraton guideknes for shutdown operations, providing gudance to the operators for operations to a greater extent than they currett'y (b. emergency situatons when the plant is shutdown, 172 Subsection 6 31 Shutdown Loss of RHR Capabihty Procedures are an important Procedure development is a COL applicant responsitzhty (SSAR 13.5 and 18.9)

Operatons - aspect of shutdown operations. Appropnate HFE in the CR The AP600 ERGS provde the function restoration gudehnes following the loss of the Procedures anr1 at LCSs that can assist in the implementation of such RNS dunng shutdown. In additon, the AP600 PXS is requered to be avadatSe (via tech procedures should also be considered. Additonally, the specs) through mode 5. See the response to item 73.

effectrve intefaton of the vanous HSls with the procedures is important. A particular area needing clear procedural coverage is- Loss of RHR capabdity, including attemate mearr of removing decay heat such as gravay dram from refuel.ng waste tanks, safety intection, accumulators, or core flood tanks. Procedures should also adtfress operator-induced loss of RHR and restoration of RHR upon loss.

O co O

M 3I cr co M <

m y a -.

w8 w

0) 19

3 TABLE 1 (Continued)

$ OPERATING EXPERtENCE REVtEW FOR THE AP600 E lasues Addressed By NtJREG 0711 Appendia 8 Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design 3 Item issue Reference issue W T Procedure development is a COL appicant responsitzhty (SSAR 13 5 and 18 9). As 173 Subsection 6 3 2 Shutet:r. Inadvertent Oranno of Reactor Vessel Procedures are an G described in subsection 5 4 7 ut the SSAR, the AP600 RNS has been designed with y Operations - irnportant aspect of shutdown operations. Appropnate HFE m the CR arw; 9t LCSs that can assist in the features that address Genenc Letter 88-17 regarding rnetoop operations. These

$ Procedures implementation oi such procedures should also be features prevent inadvertent lowenng of RV vessel level below that necessary to cWidered Addits sp , ythe effective integration of the maintam effective decay heat removal.

vant.,4 HSts with the pacedures is important. Clear procedu al coverage should contain adequate guidance for The operataonal procedures mil rely upon RCS instrumentation to provide sufficient lowenng Rv WM ,;en operatog in the RHR coohng mdcations and alarms to determme the status at any time The instrumentation es listed mode. Also, there should be precautions against below-6-eeGy dranng the RV or dranng the RV via multiple palhways at the same time. An exarrple of Hot Leg Level Instrumentation - The AP600 RCS cordams levet instrumentation in madvertent dranng is having the RHR isolation valves each hot leg with indcation in the MCR via an appropnate display In addition, the wide-(from the pnmary) open at the same time as other RHR range pressurtier level instrumentation used dunng cold plant operations is avadable to vahres, which can dram water from the RHR system. measure to the bottom of the hot legs. There is contmucus level mdcation in the MCR (LERs 50-265/87410,50-34t!87436, and 50-382/86-015). from the normal levet in the pressunzer to the range of the two narrow-range hot leg level instrumentation. Atarms are provided to alert the operator when the RCS hot leg level iswe.ua low level. The isolation valves in the Ime used to dram the RCS close on a low RCS level dunng shutdown operations. Operations required dunng rrud-loop are performed by the operator in the MCR The level rnorvionng and cor: trol qe features oyhe, emprove the reliabdity of the AP600 dunng mid-loop cperations.

O) a Reactor Vessel Outlet Temperature - RCS hot teg wde-range temperature ost uments are provided in each hot leg The onentation of the w:de-range thermowell-mounted resistance temperature detectors enable measurement of the reactor coolant flud in the hot leg when in reduced inventory conditions. In ad@ tion, at least two incore thermocouple channels are available to measure the core eut temperature dunng midloop RHR operation These two thermocouple channels are associated with separate electncal divissons.

174 Subsection 6 3.3 Shutdown Reduced Inventory Operations Procedures are an Procedure development is a COL apptcant responsibehty (SSAR 13 5 and 18 9). SSAR Operatons - emportant aspect of shutdown operations. Appropnate HFE subsection 54.7.2.1 provides a descnption of the AP600 design features that have been Procedures in the CR and at LCSs that can assist in the ocorporated to aMress med loop and reduced inventory operations. See the responses implementation of such procedures should also be to items 73 and 172 for more information considered. Ad@tionally, the ettective integration of the vanous HSis with the procedures is important. A partcular area needing clear procedural coverage is: Estabhshmg and mantanng nudloop (in PWRs) or other reduced h

o inventory operations.

O 3m er o

$ 3.

n m

OO w

C) f0 t

E TABLE 1 (Continued)

G eo OPERATING EXPERIENCE REVIEW FOR Tl4E AP600 E

y issues Addressed By NUREG 0711 Appendix B v Human Factors / Human Performance issue Addressed by AP600 Design C ttem issue Reference IssuerScope Human Factors Aspect / Human Performance Issue 7

Subsecton 6 3.4 Shutdown Temporary RCS Boundaws Procedures are an important Procedure development s a COL apphcant responstahty (SSAR 13 5 and 18 9) See G 175 y Operatons - aspect of shutdown operations. Appropnate HFE in the CR the response to RAI 440 55 and items 73.172 and 174.

and at LCSs that can assst in the implementahon of such

$ Procedures procedures should also be considered. Add 4ionally, the The folloung AP600 desgn features reduce the nsks associated eth temporary RCS et'ectrue integraton of the various HSis with the procedures boundanes:

is important. Clear procedural coverage is needed m the use of temporary RCS boundaries such as freeze seats. . SG nozzle dams - the AP600 SG nozzle dams are classified as AP600 Equipment nozzle dams, and thmt4e tube seals, incluung conhngency Class C so that the desgn, manufacture, installaton, and inspection of this plans in case of fadure. boundary (when installed) s controlled by the tosowmg requirements: 10 CFR 21; 10 CFR 50. Apperutx B; Regulatory Guide 126 Quahty Group C; and ASME Boder and Pressure Vessel Code. Secton lit. Class 3. In ad$ ton, this pressure boundary is class!fied as Seestruc Category I so that it is protected from tatfure foltomng a safe shutdown earthquake (SSE).

. Ehmmation of tepary plugs for nuclear instrumentation - The AP600 does not contam bottom-mounted instrumentation that requires temporary pluyyng dunng shutdown and refuehng The AP600 uhhzes a fixed incore system.

. Current plants remove the excore detectors frorn above the encore housmgs qe through the floor of the refuelmg cavity Dunng m uehngr operatons, these holes k are plugged to facshtate floodmg of the refuetmg cavity. The AP600 has ehmoated these temporary plugs by designog the excore instrumentation to be inserted from below the excore housmgs.

. Reduced rehance on freeze seals - the AP600 has reduced tre potenhal apphcatons for freeze seals by reducog the number of lines that connect to the RCS and by provubrg the abihty to perform operatxhty tests on many valves that connect to the reactor coolant pressure boundary. This omroved IST reduces the requirements for disassembly of reactor coolant pressure boundary valves to test their operabibty. The use of freeze seals dunng a forced outage mil typically occur in cold shutdown (Mode 5), when the PXS as required to be avadable.

176 Subsecton 6 3 5 Shutdown LOCAs Dunn0 Snutdown Procedures are an irnportant Procedure development is a COL apphcant responsibihty (SSAR 13 5 and 18 9). The Operations - aspect of shutdown operatons. Appropnate HFE in the CR shutdown PRA has addressed the nsk of LOCA durmg shutdown. SSAR Procedures and at LCSs that can assist in the implementation of such subsecton 5 4 7.22 provides a desenption of the AP600 desgn features that have been procedures should also be considered. Addtonalty, the mcorporated to address mter-system LOCA. See the responses to items 73 and 172 for effective integraton of the vanous HSis mth the procedures more informatort rs important. A particular area needng clear procedural o coverage is. LOCAs dunng shuidown. mclu&ng h intersystem LOCAs ard operatoranduced LOCAs. (Also

<D <

[ see item under subsecton 6.5.3.)

g

=8_.

e C) lV

- . . _m . m I

3 TABLE 1 (Con *deued) d so OPERATING EXPERIENCE REVIEW FOR THE AP600 E

lssues Addressed By NUREG 0711 Appendia B i

l

(

,o Human Factors Aspect / Human Performance issue Human Factors / Human Performance issue Addressed by AP600 Design C Item Issue Reference issue / Scope

? Boron Dduten Accidents Procedures are an important Procedure development is a COL apphcant responsbekty (SSAR 13 5 and 18 9) Such a G 177 Subsecton 6.3 6 Shutdown Operatons - aspect of shutdown operatons. Appropnate HFE in the CR s enano has been postulated for current plants. Fonowng an SGTR event. the

$ and at LCSs that can assist in the implementaten of such operators are instructed that il they must restart the RCPs, they rnust start the RCPs in

$ Procedures procedures should also be consdered. Additonalty. the a loop other than the faulted SG. Ttus also applies to the AP600 and is included in the effective mtegration of the vanous HSis wrth the proce@res AP600 ERGS in the gudebre used for recovenng from an SGTR event Such a is impor* ant. Clear procedural coverage is needed dunng precauton may also be used in recovery procedures where startup of an RCP is rapd boron ddution acedents, such as the startup of an requued lonowog long-term operation wah a stagnant RCS loop that may be at a RCP in an idle loop that has a signefcantty bwer boron sigrufrantly lower boron concentration.

concentninon than the reactor.

178 Subsection 6.3.7 Shutdown Contamment Integnty Dunno Shutdown Procedures are an Procedure development is a COL appucant responsbbty, however the AP600 TSs Operations - important aspect of shutdown operations. Amropnate HFE (Section 161, subsection 3 6) exphettly define whch rnodes of operation and under Procedures in the CR and at LCSs that can assist in the whch specifC Conditons contamment *tegnty is required. The Tases* section of each imp 6ementaten of such procedures sf'ould also be of the 3 6 TSs discusses the rationale for the requirement and includes consderation of consdered. Add!tionally, the effectrve integrahan of the the foRowmg aspects of plant design and operaton for the bases:

vanous HSis with the procedures is important. Clear procedural coverage is needed for control of contamment . Available time for nuttgative actions (mcludog time requwed for such actions) integrity dunna shutdown, including expedtous closure of . Mitigatog features avaalable open hatches and penetrations on a loss of RHR.

Potential and seventy of potential accidents based on erutial coruttons

-i g 179 Subsection 6.3 8 Shutdown Fire Protection Procedures are an important aspect of shutdown operabons. Appropnate HFE in the CR ard at Procedure development is a COL apphcant responsbhty (SSAR 13.5 and 18 9).

G) Operations -

Procedures LCSs that can assist in the irmlemer taten of sudi Tre Fire Protecton System is desenbed in SSAR subsecten 9 5.1 and a fue protect.on procedures should also be consdered Additonally, the analysis is provded m SSAR Secton 9A.

effectrve integraton of the vanous HSIS with the procedures is important Clear procedural coveraga is needed for fire protecten &nng shutdowrt 180 Subsection 6 3 9 Shutdown Spent Fuel Pool Cooling Procedures are an important Procedure development is a COL apptcant responsibility (SSAR 13 5 and 18 9). The Operations - aspect of shutdown operstons. Appropnate HFE in the CR AP600 spent fuel pool cochng system is not requwed to operate to mitigate desgn basis Procedures ard at LCSs that can assist in the implementaten ci such events. In the event the spent fuel pool coohng system is unavailable, the spert fuel procedures should also be considered. Additionally, the coohng is provided by the heat capacity of the water an the pool. Connections to the effectrve integraten of the vanous HSis with the procedures spent fuel pool are made at an elevation to preclude the possbitty of inadvertentty es important. Clear procedural coverage is needed for loss draming the water in the pool to an unacceptable level.

of spent fuel coohng.

Further explanatons of the spent fuel pool coohng system dunng abnormal operations can be found in SSAR subsection 913 43 and accompanymg subsections. Pertment safety evaluation information for the spent fuel pool cochrg system can be fourd m g subsection 913.5.

to O

<D 3m cr <D Q

, e.

$. ~

e8 e

@N -

E TABLE 1 (Continued) b OPERATING EXPERIENCE REVIEW FOR THE AP600 s

~

Issues Addressed By NUREG 0711 Appendia B g

R Human Factors Aspect / Human Performance lasue Human Factors / Human Performance issue Addressed by AP600 Design

Item issue Reference issue / Scope

? inrkpendent Measurements of RCS Level Many current The AP600 has incorporated indepenoent hot leg level mstruments m each hot leg

$ 181 Subsecten 6 4.1 Shutdown Operations - plants do not contan permanentty-mstaned instrumentation These are permanently installed ard a o capable of rneasunng md4oop conditons at Q lo morutor the planrs safety status dunng shutdown. For shutdown. Their range overtaps with the cold <ahbrated wide range pressunfer level

$ instrumentaten new plants, instrumentation that appropnately supports mstrumentat:on to anow for conterw.sous measurement of RCS water level dunng the shutdown operations should be considered for installaton, transiten to reduced inventory operations SSAR subsection 5 4 7.2.1 prowdes a for example: two independent rneasures of RCS level, descr$ con of the AP600 design features that have been incorporated to address rrud-includog permanent instrumentation capable of measunng loop arvj reduced enventory operatons including the hat leg tevel instrumen's. See the mad-loop conditions accurately. There should be adequate respmses to items 73 and 172 for more informaton.

overtap between the RCS level instrument ranges to ensure cortpiete coverage at all levels and to allow i.uny6imO6 between hstruments as level Changes ranges.

Plants should avod dependency on temporary, tygon tubmg type level indicators, which have casused many problems in the past. Add:tionally, one should consider the potential inaccuracies of r:nd-loop level ind:cators that occur when one leg is vented to atmosphere and a shght pressunzation of the RCS occurs. Instances have also occurred where the RCS was under shght vacuum, resulting in levet measurement inaccuracies. Additionally, q there should be avadable displays ansor alarms of water g y level informaton in the refueling area wtule the reactor vessel head is removed 182 Subsecton 6 4 2 Shutdown independent Measurements of Temperature Many current The design of the 3P600 has considered shutdown modes extensiveh as documerted Operations - plants do rot contam permanently ostalied instrumentation m the various hcensing subnyttals: 1) passive safety systems that are desKped to instrumentation to monstor the plant's safety status dunng shutdowrt For merigate accidents during shutdown modes (SSAR Secten 6.3). 2) TS that appfy to the new plants, instrurnentation that agpropnately supports passive safety systems dunng shutdown modes (SSAR Chapter 16), 3) ERGS shutdown operations should be Consdered for mstaBaton, (Reference 2) for shutdown modes,4) ouantification of the nsk of core damage at for example' iwo independent measurements of core exit shutdown (AP600 shutdown PRA), 5) evaluation of design-basis-erntiating events dunng terrperature. shutdown modes (AP600 Shutdown Evaluation Report - 6/96) Instrumentaten has been designed to appropnately cover all modes of operation including shutdowrt RCS loop anstrumentation and :or 6 exit eiermocouples provide independent measurement of reactor cooiant temnratvi, during shutdown opemtions including mid-loop and reduced eventory operatt c O

O O

O 3m cr O O $.

. M.

e8 w

CD f0

E T ABLE 1 (Continued) b OPERATING EXPERIENCE REVIEW FOR THE AP600 4

issues ( Jressed By NUREG 0711 Appendia B g

C ttem issue Reference issue / Scope Human Factors Aspect / Human Performance issue Human Factois&fuman Per+ormance issue Addressed by AP600 Design T Monitonna RHR System Performance Many current plants The AP600 RNS has no safety-related functons dunng shutdown coolog except G 183 Subsection 6 4 3 Shutdow"i y Operations - do not contam permanentry esta ned ostrumentaton to mactenance of the reactor coolant pressure boundary ard contamment isolation if a morutor the plant s safety status durmg shutdown. For new desgn basis event occurs.

$ instrumentation plants, instrumentation that appropnately supports shutdown operations should be consdered for installation. The RNS contams pennanently mstatted eT 6inon to marvtor system performance for exarrple capatn! sty of continuously morutonng RHR as desenbed in SSAR subsecton 5 4.7.7. System parameters and alarms necessary for system performance, inclueng adequate alarm capabiltty system operation are monitored in the MCR including the fonowog-for out of specifcaten temperatures. pressures, and flows.

. RHR pump flow;

. RHR HX inlet and outlet terrperatures; and.

. RHR pump orscharge pressure.

In addaton, the RCS contams instrumentation to control and morutor the operations of ihe RNS. These include the fonowing:

. RCS wde range pressure

. RCS hot leg levei.

Instrumentation is also provded to enable md-loop operations to be performed from the

q. MCR Crs

184 Subsecucn 6 4 4 Shutdown instrument Rances and Accuracy Many current plants do The desgn of the AP600 has consdered shutdown modes extensively as documented Operations - not contam permanenity mstaned mstrumentation to morutnr in the vanous hcenseg submittals: 1) passave safety systems that are desagned to

'nstrumentaton the planrs safet) status dunng shutdown. For new plants, mitgate acceents dunng shutdown modes (SSAR Section 6 3). 2) techrucal estrurnentaten tTat appropnately supports shutdown specshcations that apply to the passsve safety systems dunng shutdown modes (SSAR l operations shou 8d be considered for installation, for Chapter 16). 3) ERGS for shutdown rnades,4) quanticaton of the tcsk of core damage exarnple: instrumentaton contarung appropnate ranges at shutdown (AP600 shutdown PRA) 5) evaluaton of desgn-basas-rstiating events and accuracy to morutor shutdown conditons as weR as dunng shutdown modes (AP600 Shutdown Evaluaton Report - 6/96) Instrumentation power operatmg constions has been designed (including appropnate ranges) to appropnately cover as modes of operation ockdng shutdown.

185 Subsection 6 4 5 Shutdown De6cated Shutdown Annunciators Many current plants do The design of the AP600 Alarm System includes alarms specifc to the special Operations - not contan permanently mstaned instrumentaeon to mon; tor conditions that anse dunng shutdown cond!tions. The alarm engger logics enclude Instrumentation the planrs safety status dunng shutdowrt For new plants, defrung piant coruttons under wtuch the alarm apphes. Appicable trend displays will mstrumentaton that appropnatety supports shutdown be used dunng shutdown cnrdtions, includmg reactor vessef level or equevalent. The opemtons shouki be core,dered for instaDaton, for M-MtS includes trend esplays as part of the Plant Informaton System esplays that are example use of de6cated shutdown annunciators for available b the operator through his workstation. Also, the WPtS will esplay sgnifcant special hazardous cordtions that anse dunng shutdown trends for each plant operatirg mode or sgnifcant plant state,includng the shutdown Q

modes.

g te g . refuehng cavity towevel alarm). Also consder the o use of trend d splays dunng shutdown. such as RV levet hh (4

186 Subsecten 6 51 Shutoown Operatons -

Contamment Equipment Hatch An equipment upgrade that The equipmert hatch will be maintamed closed for operation modes requmng would amprove shutdown safety is: A wh .. a corf.amment integnty or the capabihty of rapid closure wiH be incorpouted into the

]iE Equipment equipment hatch desgn that anows for expedtious closure desgn of the mantenance hatches. An open item win be assgned to fonow the by operators when needed dunng a shutdown abnormal resolution of this itent THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING to @

gg event Scular provisaans should be inade for other contamment penetrations that may be open dunng SYSTEM Other contamment penetratens including me...a purge rund personne4 aartocks provde the abdity for rapd closure indeperdent of nonsafety-related support shutdown evolutons. services includmg ac power.

3 TABLE 1 (Continued)

$ OPERATING EXPERIENCE REVIEW FOR THE AP600 E

Issues Addressed By NUREG 0711 Appendix B g

Human Factors /Hurnan Performarce issta) Addressed by AP600 Design 3 Item Issue Reference issue / Scope Human Factors Aspect / Human Performance issue T ~

Fuel HandWM Equemerd An equipment upgrade that The AP600 fuel handhrg equipment design has encorporated industry operatmg data and G 187 Subsection 6.5 2 Shutdown would improve shutdown safety is. wnproved human expenence to develop a desgn that mit vnprove shutdown satey. The use of the y Operations -

operatog expenence es otended to ehmmate eny poor design features that were present Equement engmeenng of fuel handhng equpmert Poorty-desgned

$ equ!pment, m the past, has led to fuel asserrely drops and m prevous desgns in addnion, several of the le&dirg fuel handing equipment desgn damage Ttus equipment should also be addressed by the and maintenance orgaruzatons are involved wnh the desgn and revew of the AP600 HFE pregram. luet handhng equipment. To ensure that operatog plants have the abihty to provide their input into the AP600 fuel handhng equipment desgns, many of the fuel handkng equipment design documents have been renewed and commented on by personnel at operatog plants. Refer to SSAR Secton 9.1 for a desenption of fuel storage and handhng.

Shutdown Overpressurization An equipment upgrade that would The motor-operated valves in the RNS which are connected to the RCS hot leg are 188 Subsection 6 5.3 Operations - improve shu'down safety is: use valve interlockr to prevent mtertocked to preverit thern trorr. opening when RCC pressure exceeds 450 psg. These Equipment ove pressurtraton of lowpressure piping and components, vatves are also interlocked to prevert opening unless the isotahon valve from the IRWST (LER 50-341/86-045).

to the RHR pump sucten header is closed. SSAR stesection 7.6.1 describes this interlock.

SSAR subsection 5.4.7.1.2.5 desenbes how the RNS provides a low temperature overpressure pectection functon for the RCS dunng refuelang. startup. and shutdown H operations. The system is designed to hmit the RCS pressure withm the bm ts specthed C) m 10 CFR 50, Appendix G.

O)

The AP600 has also addressed this issue in the ISLOCA report (WCAP-14425).

189 Subsecton 6.5 4 Shutdown Backup Power Sources An equipenent upgrade that would The ac electncat power ts not needed to mantam a plant safe shutdown condition for Operations - improve shutdown safety is: appropnate use of backup the AP600. Although the diesel generators are not required, generalty, if offsite power is Equipment onsste power sources such as emergency rhesel lost. they mu be available and was automaticalty start and sequence loads that en generators. and portable power uruts. enhance the safety of the plant dunng shutdown conditions. ,

190 Section 6 6 %utdown Commurucations Between MCR and Plant An irnpsttars Tte plant commurucat on system consists of the followog systems: wireless Operations - aspect of mantamog normal shutdown conditions is commurucation system, telephone /page system. PABX, soundpowered system, Communicatons adequate cornmunscations between the MCR and the rest emergency response facddy commurucations, and secunty commurucation system. The of the piart Trus inct^s areas where the tonowmg wreless telephore system as the pnmary means of communication for plant operatons actnnties enay take parett mantenance. testag, local and mantenance personnel. The ureless system consists of mreless belt <hp portable operahons, and monsonng actnnties. Effective handsets, hands-free type portable headsets, a comprehensive antenna system, and a communications are a so very importar't dunng any mreless telephone swactt The telephone /page, PABX telephone, and sound powered abnormal events that occur dunng the shutdown penod. commurucation systems are for general plart commurucations and serve as backup to When desgnmg plant commurucations systems, care the wireless system. These systems are designed for effective commurucation between should be taken to consider shutdown operatons. the MCR and the rest of the plant dunng au modes of operaton, includog shutdowrt O The wm. ions system is desenbed in SSAR subsection 9 5.2.

O m 3D cr a

$1E m

o8 e

C) f0

References To Table 1, Operating Experience Review for the AP600 Design l 1. " Programmatic Level Description of the AP600 Human Factors Verification and Validation Plan," (draft dated 4/13/95), WCAP-14401 (Non Proprietary)

2. AP600 Document No. OCS-TS-001, "AP600 Man in The-Loop Test Plan Description,"

Rev. B, WCAP-14395 (Proprietary), WCAP-14396 (Non Proprietary) l

' 3. WCAP 14644,"AP600 Functional Requirements Analysis and Function Allocation."

4. Electric Power Research Institute, " Advanced Light Water Reactor Utility Requirements Document," Chapter 3, Revisions 5 and 6, issued 12/93

5. AP600 Standard Safety Analysis Report

6. WCAP 14115, Rev. O, " Review of Nuclear Plant Operating Experience and the Application to the AP600 Design," July 1994

7. WCAP 14114

8. McIntyre, B., " Completion of Westinghouse Activities Related to NUREG-0711,"

NSD-NRC-96-4845, OCP/NRC0626, October 17,1996 I

m:0265w.wpf:1tv122796 Revision 2 T-67 December 1996

i 3

TABLE 2 g ,

y RELATED HSI TECHNOLOGIES WHERE LITTLE OR NO NUCLEAR EXPERIENCE EXISTS '

4--

Human Factors / Human Performance Isiue

$ Reference Addressed by the AP600 Design N Document HFE Issues Applicable to the AP600 Design l Ref. 2.1 interviews Conducted at Fossil Plants with Soft Controis.

1) Dunng a startup on a simulator, operators experienced little problem 1) The AP600 M-MIS consists of several resources (subsystems) that will 4

with soft controls as long as events went as antcipated. When work together to alert the operator to the problem, focus his attention problems arose in the startup (such as equipment failing to start, on trouble areas, and provide assistance with diagnostes, planning automated systems failing to work) the operators exhibited and recovery. These subsystems include the Alarm System, Control considerable 6fficulty in understanding the cause of the problem and (soft control display) System, the Plant information System ;

(workstation physical, functional and automatic system monitoring ;

recovering from it.

' displays) and the CPS. See Table 1 response to item 71. l

2) Impcrtance of having redundant methods of calling up the desired 2) See the response to Table 1, items 77 and 93 for a description of t

displays - there should be rnultiple paths for accessing a display or several AP600 M-MIS resource integration and navigation features.

control. Execution of the HS! Design implementation Plan, as desenbed in f SSAR 18.8. address this issue. [

l

3) Importance of pre &ctability: The operators should know where a 3) THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING [

1 requested display will appear. In this fossil application, sometimes it SYSTEM.

1 co appeared in an unexpected place and covered entical information.

4) Providing guidance or design features on how to configure /coor$nate a 4) THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING multiple VDU display space. SYSTEM.

5) Importance of providing entical/ overview information in parallel to the 5) See Table 1, response to item 66.

task being performed.

6) Supervisory control of automated systems: it is important to detect 6) The Plant information Systtim will present to the operator Automatic i what it did, explain why it did it, predict what it will do in the future, and System Monitoring displays. Automatic system monitoring displays understand why it did not perform as expected. are designed for automatic control systems and automatic protection ,

f j

(reactor and ESF) systems. Each of these displays contain appropriate information, allowing the MCR operators to rnonitor and supervise the respective automatic system. This information includes I what the system did, why, and what is expected in the future. j O

co 8

aD EE a -.

w :

L w

CD f0 k

k i

. . _ _ _ . _. - . . ~ . _ . .._.~ - . - - -. . . _ _ _ . - . - _ _ - . . - . - - . - . . . . . _ _ . - - _ . . _ . . .._

3 TABLE 2 (Continued)

S RELATED HSI TECHNOLOGIIS WHERE (y LITTLE OR NO NUCLEAR EXPERIENCE EXISTS m

Human Factors / Human Performance issue

$ Reference Addressed by the AP600 Design HFE losues Applicable to the AP600 Design

} Document

7) Control task characteristics and soft controis: a) operators question the 7) THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING value of touch screens because operators were accustomed to a SYSTEM.

rnouse, and touch poke points were too thick and inaccurate; b) potential problem of multiple individuat3 simultaneously controlling the same piece of equipment from VDUs at different locations.

Ref 2.2 Soft Control Lessons Leamed From Aircraft trdustrf-.

1) Lifting finger off the target area touch logic to actuate is more forgiving 1) THIS ISSUE INPUT INTO THE DESIGN ISSUES TRACKING than when the finger enters the target area to actuate. SYSTEM.

2) " Soft button

to visually depress 2) See response 1) above.

3) See response 1) above.

d

3) Auditory feedback on

soft button

activation has rnerit (i.e., sound equivalent to activating a hardware button)

4) Display colors for normat and off-normal conditions 4) See response 1) above. i

5) Computer / display response tima 5) See Table 1 Item 93.

6) Linking of alerts, procedures, and configuration tasks 6) See Table 1 Item 77 and 102.

7) Navigating through displays 7) See Table 1 Item 77 and 93.

O o l o

to 3D cr o U < ,

' E.-

5 mm .

. _ . _ _ .__ __m _ _ _ . _ _ _m -___ __-_ _______ _ _ < - - _ _ . _ _m- A - w ,

3 TABLE 2 (Continued)

O 8 RELATED HSI TECHNOLOGIES WHERE LITTLE OR NO NUCLEAR EXPERIENCE EXISTS

{a Human Factors / Human Performance issue 3 Reference Addressec by the AP600 Design M Document HFE usues Applicable to the AP600 Design

Lessons Leamed From Naval Training and Airline industry (Human Factors Ref 2.3 Consideratons for Group Overview Display):

1) Situation awareness of crew 1) See Table 1 Items 66. 68. 74 and 75.

2) Commurucation, coordination, and performance 2) See Table 1 tiems 66. 69 and 71.

'l) Error detection and recovery 3) See Table 1 ttem 55. 66. 68. 74, and 105.

Ref 2.4 Lessons teamed From Naval and Airtine industry (Role of Advanced CR Features for Fnhanong Crew Performance):

1) Team performance 1) See Tab!e 1 ftems 66 and 68.

2) See Table 1 Items 66. 68. 96 through 100, and 190.

2) Communacation

3) See Table 1 item 63. 64, and 65.

3) Crew size O 4) SkitVknowledge 4) See Table 1 ftems 67 through 72.

5) See Table 1 Items 64. 66, and 71.

5) Stress / workload

6) CR design features to enhance situation awareness, verbal 6) See Table 1 item 52. 66. 68. 74. 75. 96 Inrough 100 and 190.

commurucaton, and error identification

7) Situation Awareness 7) See Table 1 Items 66. 68. 74 ard 75.

8) Overtap of expertise 8) See Table 1 Items 63,65 and 70.

O e

8 sm er o Q S.

, e.

cn m

3 d TABLE 2 (Continued)

Y RELATED HSt TECHNOLOGIES WHERE j LITTLE OR NO NUCLEAR EXPERIENCE EXISTS C Human Factors / Human Performance issue E Reference Document HFE issues Applicable to the AP600 Design Addressed by the AP600 Design

$ Ref 2.5 Lessons Leamed From Nuclear and Airline industry (Navigation Through Large Display Networks):

1) The large scope of computerized CR applications necessitates large 1) See Table 1, item 77,91 and 93. SSAR Section 18 8 includes the display s*JuCtures involving thousands of displays. Design errors can implementation Plan for the HSI Design that addresses the enteria of result in getting lost in large display networks. Element 7 of NUREG-0711. For each HSi, including the Plant Information System (workstation displays), an HFE design guidelines document is developed that provides guidelines to the HSt designers on the conventions, symbols, color coding and dynamse characteristics to be used in the design of the respective HSI. Issues such as navigation issues will be addressed by the guidelines document. The HSt Design plan also irr*.udes concept testing and design reviews.

2) Overview display? 2) See Table 1. Items 66. 74 and 93.

-i y Ref 2.6 Lessons Leamed From the Space Program.

1) Information display issues include structures that constitute a display, 1) See Table 1. Item 77,91 and 93. SSAR Section 18.8 includes the organization of those structures, and methods of directing the user's implementation Plan for the HSI Design that addresses the enteria of attention to specific display areas. Element 7 of NUREG-0711. For each HSI. including the Plant information System (workstation displays), an HFE design guidelines document is developed that provides guidehnes to the HSI designers on the conventions, symbols, color Wng and dynamic characteristics to be used in the design of the respective HSt. Issues such as navigation issuas will be addressed by the guidelines document. The HSI Design plan also includes concept testing and design reviews.

2) Display response time 2) See Table 1 Item 93.

3) Navigating through displays 3) See Table 1 Item 77,91, and 93. Also, see response 1) above.

4) Procedural errors 4) See Table 1 items 50,51,91,105 and 106.

O 5) Errors of confusion occur when one word, function or command is 5) See Table 1 ftems 55 end 61.

O rrustaken for another.

O

$7

6) Errors in detection and monitoring 6) See Table 1 Items 55,66. 68. 74 and 105.

u<

m y a g-U mw

3 Q TABLE 2 (Continued)

E

? RELATED HSI TECHNOLOGIES WHERE 4 LITTLE OR NO NUCLEAR EXPERIENCE EXISTS c

Human Factors / Human Performance issue

$ Reference Addressed by the AP600 Design M Document HFE lesues ?;, -M-M to the AP600 Design d

Lessons Learned From Electncal, Gas, and Oil industries:

Ref 2.7

1) Performance aids 1) See Table 1 Items 26,69,77. 79,80, and 88.

2) Integrated displays 2) See Table 1 ftems 66,71. 74. 77,80,88 and 102.

3) Unanticipated situations 3) See Table 1 Items 68 and 70.

4)

Openness

of work area and shared information 4) See Table 1 Items 66,74, and 75.

5) Team interaction 5) he Table 1 items 66,69, and 71.

-1 Y

fu i

O to r O

' t@

BI cr e L$ *C

-s g*

a i $ g*3 m ro l

References For Table 2, Related HSl Technologies Where Little Or No Nuclear Experience Exists 2.1 Roth, E. M., and D. G. Hoecker, AP600 Document Number OCS-J1-005 Revision A,

" Human Factors issues Associated with Soft Controls: Design Goals and Available Guidance," Westinghouse Science & Technology Center, dated 2/1/94.

2.2 Degani, A., E. A. Palmer, and K. G. Bauersfeld, " Soft" Controls for Hard Displays:

Still a Challenge," from the Proceedings of the Human Factors Society 36th Annual Meeting -- 1992.

! 2.3 Mumaw, R. J. and E. M. Roth, AP600 Document Number OCS-J1-006 Revision A, I " Human Factors Considerations for the Design of a Group Overview Display (aka Wall l Panel Information System)," Westinghouse Proprietary Class 2, June 1994.

2.4 Stubler, W. F., E. M. Roth, and R. J. Mumaw, "The Role of Advanced Control Room l

Features for Enhancing Crew Performance."

2.5 Roth, E. M., W. F. Stubler, and R. J. Mumaw, " Navigating Through Large Display Networks in Dynamic Control Applications," Presented at the 34th Annual Meeting of the Human Factors Society, October 1990, Orlando, Florida.

l 2.6 " Human Computer Intedace Guide -- Space Station Freedom Program Office,"

document number SSP 30504, National Aeronautics and Space Administration, June 1991.

2.7 Roth, E. M., " Analyzing Decision-Making in Process Control: Multi disciplinary Approaches to Understanding and Alding Human Performance in Complex Tasks,"

Westinghouse Science and Technology (STC) Report, 95-1SW5-CHICH-P1, April 25,1995. j l

I m:0265w.wpf;1b/122796 Revision 2 T-73 December 1996 l

3 TABLE 3 Q

a OPERATOR INTERVIEW ISSUES

.E 4 Human Factors / Human Performance Issue C Reference Addressed by the AP600 Design 3 Document HFE Related issues M Westinghouse-Conducted Operator interview:

Ref 3.1 g

1) Simulated accidents in NPPs resulted in wyGdf G uig 1) See Te $ items 66. 68. 74 and 75.

situations where situation assessment enabled operators to handle aspects of the situation that were not covered by procedures.

2) Cognitive performance in simulated emergencies 2) See Table 1 trems 49. 67 through 72.

3) Crew interaction in simulated emergencies 3) See Table 1 Items 49,66,69, and 71.

4) Training for unanticipated situations 4) See Table 1 items 49,68, and 70.

5) In cognitively ki=Jng situations, the abikty of the operator to form 5) See Table 1 ftem 68.

accurate situation a55.w ts and to generate response plans to cover aspects of the situation that are not fully addressed by the procedures is important

-4 y Ret 32 Westinghouse-Conducted Operator interviews:

b

1) Situation assessment 1) See Table 1 Items 66. 74, and 75.

i

2) Cognitive skills are needed in situations where formal procedures may 2) See Table 1 Items 68,69, and 70.

not exist or may not be as prescriptive as they could be

3) Complex decision-making tasks in NPPs 3) See Table 1 Items 68,69, and 71.

4) Cognitive skill training 4) See Table 1 ftem 70.

5) Performance under stress (wortdoad) 5) See Table 1 items 64 and 66.

i O

t3 t

am 5,E g-a-

e8 w

G f0

i is I . l m

n it o

gd a

- G L ini Oivn l

a i.i N a r

I Ct dn ig K eea v

_ e C hh np u A t t f

oigo s R ot t

_ s T ys a ;n egn i i S i l

t thf ic k

- ci E i gn e r ns U bsisi et ae S nIn vg

. mD r0 S I

o p .En i r

o0 se 2.F u f

r6 N r 3 H d eP G 1 et h n PA I S e 7 h nt a 7 ne ah E

D t

stinl o gic d

icip n

- mt uy E t nSo ewp aL . a, H e. e 1 Hb T v l

l 7 4

. /

sd r e O b o mRoO pA f, C

d n

7

_ os T a l oSe 9 6

t s ) eSlb e a,

. care N I

1 v eiinl t ah 7 8 -

m Fd T to ay 6 6 U D d vb s n d e s aA P s mtea aa eon m e

m m N r t e u

I gsbi t at

. It !!

E H U SM. r m osl r

Pawdee g

ti l

i r n nsp 1

i mb le 1

le b

_ S E e n - aol a a .

I ht S ST n r vcn eo Te T i : _

I e ia e

_ HY e r - or io ve e e _

S TS S T+pf d S S _

E _

U ) )

2

) )

2

)

3 S

1 1 _

)

d S I

e u WE n

a s

d e

_ i t

n I

V es t d lor w s

e t s ine o R anl a t r r i

n e)lo pu inpo u cere t r C E i o d

. ( T s na c f o

f o ec 3 N r e la r. t eo I

tor m ue sr

_ E L R at nt r u nd onWho t up B O T

ee p i o al mse i i t

cgn e d h e -

. A A o c y aino et n i

a s t T t R n wr r a

uh o h t d

nb e ml a m E a ar t si r n wc s ot a yt P t o r i r t o w O ee mityv t r a w cn en r ore t

ae

_ a uiot r

ef s ot cih s t c an pa e

u : meb pa r h ot umr r r e on s

s s w es h e s t

a 6, r a sov t g, o, I e t r 'r e p u v

L. wi i .

fng n r iv met aor d r oub - e r gld er ine v

_ e e oht c, cnuu iae -

ap e t t r t i ot c r a n h n w l

e I

r f

e-

s nu I r

inkeh s e s u r ter o R top r h, y.

m-eo o n sgs

. t to i e t t n w o s-a i

ue a t e 6h t

_ E r t b s r ilo t

yin tal a s F e sEo h o e ia eie ui ir -

H p ne t slc p r ivar r c nt e O oh t ne u/

pn O ast vse r f s sw wt o o

_ pt d

e s o et im ft p e d e herga ts e gte m n o

. t c r oo s

t c t gr t ingo r r it u: n nd

ht du :e aei ui nf u r

. daioe n

o L gtip la c m s. vwr si n o u r

i

. ph

,o6

e. t i

drud

de o c g

C c( a6 t

C v aik

r t ssu er et e n

e egn s a e -

ur st h eec r

sC ut i vnat i

l sl ef o d s i a lsf s

u s t

eeW r i r e x

e m ofo so b i e le et r b L

- r t s e hg S cnn n00 Ecc xoa w

fo k Sa

t s

hg it ow er m n C m a- a e 4 dn W_ % e r rP Ppw r b o

r it s s6 e eP ) ) ) ) )

WA 1 2 W 1 2 3 cet n ne em r

f e uc 3 4 eo 3 3 aD f e

f e

R R meSE8 0f 3dE?4c$g r

dy OoOO3eO m==G

3

$ TABLE 3 (Continued)

S s OPERATOR INTERVIEW ISSUES b

3 Reference Human Factors / Human Performance issue

$ Document HFE iletated issues Addressed by the AP600 Design M

y 4) Planning: operator activities in the amas of planning strategy and 4) See Table 1 ttems 69, and 77.

obtaining feedback about the results of control actons would benefit rnost from new operator aids or CR improvements.

Ref 3.5 Interviews with operators involved with simultaneous reactor trips at the Diablo Canyon units:

Shared CR concems during a dual reactor trip:

1) Noise and confusion existed in the CR. Operators had to Sten 1) NOT APPt.ICABLE: The AP600 design is a singte unit. Even if two carefully and venfy to and from whom each verbal commurucation was units are budt on one site, they wdl be standalone and separate. The directed. Since personnel at both urwts wwe executing the same dual units will not include a shared CR.

procedures, but not exactly at the same rate, they had to be careful that they were responding to the correct procedure step. This event is not modeled in simulator training and presented to operators as a new, unique challenge. This event emphasizes the importance of formal, p repeattack communscatons.

N 2) Plant communications: When a sinole unit tnps, people outssde the CR 2) See the response to 1) above, are instructed to car the other unit to find out what is going on. W:th the loss of both units, not everyone is sure who to call. The result is a high volume of phone calls to a unit that is busy trying to proceed through recovery procedures.

3) Alarms: one source of confusion was fror 4rms on common 3) See the response to 1) above.

systems such as service air. It became confusing as to which urut's personnet should respond.

4) SPDS posstioning 4) See Table 1 ttem 34.

5) Emergency lighting in the turbine txpidsng was dark for some minutes 5) See Tabte 1 item 169.

causing a concem for personnel.

O o

O O

'l I c7 m O S.

, W.

OO w

C) f0

M

!3 f

iE TABLE 3 (Continued)

OPERATOR INTERVIEW ISSUES

}

$ Reference Human Factors / Human Fwformance issue

$ Document HFE Related lasues Addressed by the AP600 Design 8

General CR concems: 6) Procedure developNnt is the resportsibility of the COL apphcant

6) Procedural problems in AFW Row and chargitig pump operations not (SSAR 13.5). The AP600 CVS uses centnfugal pumps only.

related to the dual trips, was a procedural ghtch that impeded the Following a plant trip in the AP600, an excessive cooldown is avcVed operators in throttling AFW Row earty enough to prevent a sigruficant by automatcally controlling the feedwater flow to the SGs.

cooldown and drop in pressurizer level. Dunng a trip with the positrve j disp!acement charging pump (PDP) running, pressurizer level is lost j more rapidly during cooldown than if a centrifugal charging pump is running. Operators at both uruts fett that they should be instructed in the recovery procedures to start a centnfugal pump if the urut had been operating with the PDP.

7) Visibihty of annurciator screen 7) SSAR Section 18.8 includes the implementation Plan for the HSt-Design that addresses the criteria of Element 7 of NUREG-0711 and for each HSI, including the Alarm System, a functional requirements f document. This document specifies functional design requirernents y such as visibihty and legibihty.

8) Muttiple annunciator system alarm states: It was comphcated and 8) See Table 1 ttem 82. 83, and 86.

difficult for operators to respond quickly to alarms that were near their setpoint and came in and out recidly. An operator may not have the bme to analyze eveiy alarm to decide what is the actual condition.

9) CR was crowded with httle room to walk around freely. 9) A fuit scale mockup of the MCR will be used to venfy the layout.

(SSAR 18.8)

10) The location of phones in CR was not conducive to responding to plant 10) See the response to 9) above.

problems.

11) High noise level from computers. 11) See Table 1 Item 100.

O o

8 ao er o O S.

, W.

8 mm

- e n 3

h TABLE 3 (Continued) aE OPERATOR INTERVIEW ISSUES b

C Reference Human Factors / Human Performance issue

$ Document HFE Related issues Addressed by the AP600 Design U

g Ref 3.6 Weshnghouse-Conducted Operator Interviews - Ongoing Activ:ty a

NPP Normal Operatort

1) Operator performance is influenced by cognitive skills as wen as 1) See Table 68,69, and 70.

institutional practices.

2) CR procedures 2) Procedure devebpment is the responsbility of the COL apphcant (SSAR 13.5).

Ref. 3.7 and Wesbnghousetonducted Operator interviews for Feedwater Control during Ref. 3.8 startup (Iow power):

1) One of tt e main reasons that the manual control of feedwater is a 1) See Table 1 ftem 122.

demandmg task in currently operating PWRs is that the control task is inherently difficult. In addibon accurate information on entical process

-.i variables (i.e., steam flow and feed flow)is lacking.

2) Number of operators in CR 2) See Table 1 item 48 and 64.

3) High noise levelin CR 3) See Table 1 ftem 99,100, and 101.

4) Stress / workload 4) See Table 1 ftems 48 and 64.

5) CR displays: A way to facihtate prediction is to provide displays in the 5) See Table 1 Item 88,90,91, and 122. SSAR Section 18 8 includes CR that grve more accurate indicabons of the process state informabon the implementation Plan for the HSI Design that addresses the enteria needed for predicton, such as, a) better steam generator level (SGL) of Element 7 of NUREG-0711. For each HSt, including the Plant informabon, b) low power feedflow and steam flow indicators and information System (workstation displays), an HFE design guidehnes c) predictive displays. Two types of predictive displays are proposed: document is developed that p ovides guidehnes to the HSI designers

1. a predictor which displays SGL with the shrink and swell effects on the conventions, symbols, color coding, and dynamic removed and 2. a predictor of the maximum / minimum SGL to be characteristics to be used in the design of the respechve HSI. Iss.ues reached (due to shrirWsweu) before level tums around such as navigation issues will be addressed by the guidelines document. The HSI design plan also includes concept testog and design reviews.

h 6) Training 6) Training Prog'am development is the responsibihty of the COL g apphcant as stated in SSAR Section 13.2.

h[ 7) Computer-based procedural aids 7) See Table 1 ttem 102 through 109.

$ 5.

, e.

E om

f' References To Table 3, Operator Interview issues i

3.1 Roth, E. M., Mumaw, R. J., and P. M. Lewis, "An Empirical Investigation of Operator Performance in Cognitively Demanding Simulated Emergencies," NUREG/CR 6208, U.S. Nuclear Regulatory Commission, Washington D.C., July,1994 3.2 Mumaw, R. J., D. Swatzler, E. M. Roth, and W. A. Thomas," Cognitive Skill Training for Nuclear Power Plant Operation Decision Making," NUREG/CR-6126, U.S. Nuclear ,

Regulatory Commission, Washington D. C., June 1994 l 3.3 Hoecker, D. G. and E. M. Roth, " Effects of Control Lag and Interaction Mode on Operators' Use of Soft Controls," STC REPORT 94-8SW5 APMMI R1 (or alternate AP600 document number: OCS-J1008 Rev A) Westinghouso Proprietary Class 2, September 23,1994 3.4 Woods, D. D., J. A. Wise, and L. F. Hanes, " Evaluation of Safety Parameter Display Concepts" Westinghouse Report NP-2239 Research Project 891-5, Electric Power Research Institute, Final Report February 1982 3.5 PG&E Letter 225537, " Simultaneous Unit Trip - Human Factors," from P. G. Saraflan to D. B. Miklush, dated 1/17/95 3.6 Mumaw, R. J., Roth, E. M., Vicente, K. J., and Burns, C. M., "A Model of Operator Cognition and Performance During Monitoring in Normal Operations," Westinghouse Report, AECB Project No. 2.376.3, September 1996.

3.7 Roth, E. M., and D. D. Woods, " Improving Skill in Feedwater Control During Startup:

Results of an Expert Panel Session," WCAP-11135, Westinghouse Nuclear Services Integration D; vision, February 1986 3.8 Schaefer, W. F., " Low Power S.G. Water Level Control System improvements,"

WCAP 11126, Westinghouse Proprietary Class 2, May 1986 .

er i

m:u2ssw.wpf:1b/122796 Revision 2 T-79 December 1996 1

- _ _ . _ - _ _ . _

ML20133E534

Contents

Text

REFERENCE:

1.0 INTRODUCTION

Reference:

Navigation menu

ML20133E534

Text

REFERENCE:

1.0 INTRODUCTION

Reference:

Navigation menu

Search