Text

January 9,1997 Mr. Nich31as J. Liparulo, Manager Nuclear Safety and Regulatory Analysis Nuclear and Advanced Technology Division Westinghouse Electric Corporation P.O. Box 355 Pittsburgh, PA 15230

SUBJECT:

COMENTS ON AP600 RELATED OPEN ITEMS ASSOCIATED WITH ELEMENT 3 0F THE HUMAN FACTORS ENGINEERING PROGRAM IiEVIEW MODEL (HFEPRM)

Dear Mr. Liparulo:

In a letter to Westinghouse dated August 8,1996, the Nu:: lear Regulatory Commission staff provided comments on a draft version of the AP600 funct onal requirements analysis and function allocation report (WCAP-14644). WCAP-14644 addresses Element 3 of the HFEPRM which involves the definition and assignment of functions to human and automatic control systems. Westinghouse revised the report to address the staff's comments and submitted Revision 0 of WCAP-14644 in a letter dated October 9, 1996. The staff has provided an update on the current status of the human factors review of the AP600 design certification relateu to Element 3 of the HFEPRM based on the revised WCAP-14644 and Section 18.4 of the AP600 standard safety analysis report as an enclosure to this letter.

If you have any questions regarding this matter, you can contact me at (301) 415-1141.

Sincerely, 1

original signed by William C. Huffman, Project Manager i

Standardization Project Directorate Division of Reactor Program Management i

Office of Nuclear Reactor Regulation Docket No.52-003

Enclosure:

AP600 DSER Open Item Resolution of Element 3 l

Functional Requirements and Function Allocation cc w/ enclosure:

See next page 130023 m m avT ms:

Docket f.le PDST R/F THartin PUBLIC DMatthews TRQuay fp ?

TKenyon BHuffman JSebrosky 1

i DJackson JMoore, 0-15 818 WDean, 0-17 G21 ACRS (11)

BBoger, 0-10 H5 CThomas, 0-10 D24 JBongarra, 0-10 D24

\\}

DOCUMENT NAME: A:EL-3REV1.LTR T) eseelve e copy of this decisnient, inancese in the ben: *C' = Copy without attachment / enclosure "E" = Copy with attachment / enclosure

• N" = No copy 0FFICE PM:PDST:DRPM BC:HHFB:DRCH-4.- D:PDST: DRPH l

l NAME WCHuffman: t, f.A-GT4tomtiis /

TRQuay Wh DATE 01/T/97 01/3/97 01/9 /97 ~

Y N ICIAL RECORD COPY 9701130000 970109

"#88 NM RLE CENTER COP

l l

i l

l Mr. Nicholas J. Liparulo Docket No.52-003 Westinghouse Electric Corporation AP600 cc: Mr. B. A. McIntyre Mr. Ronald Simard, Director Advanced Plant Safety & Licensing Advanced Reactor Programs Westinghouse Electric Corporation Nuclear Energy Institute Energy Systems Business Unit 1776 Eye Street, N.W.

P.O. Box 355 Suite 300 l

Pittsburgh, PA 15230 Washington, DC 20006-3706 Mr. John C. Butler Ms. Lynn Connor i

Advanced Plant Safety & Licensing Doc-Search Associates Westinghouse Electric Corporation Post Office Box 34 Energy Systems Business Unit Cabin John, MD 20818 Box 355 Pittsburgh, PA 15230 Mr. James E. Quinn, Projects Manager LMR and SBWR Programs Mr. M. D. Beaumont GE Nuclear Energy Nuclear and Advanced Technology Division 175 Curtner Avenue, M/C 165 Westinghouse Electric Corporation San Jose, CA 95125 One Montrose Metro 11921 Rockville Pike Mr. Robert H. Buchholz Suite 350 GE Nuclear Energy Rockville, MD 20852 175 Curtner Avenue, M7,-781 San Jose, CA 95125 Mr. Sterling Franks U.S. Department of Energy Barton Z. Cowan, Esq.

I NE-50 Eckert Seamans Cherin & Meliott 19901 Germantown Road 600 Grant Street 42nd Floor Germantown, MD 20874 Pittsburgh, PA 15219 Mr. S. M. Modro Mr. Ed Rodwell, Manager Nuclear Systems Analysis Technologies PWR Design Certification Lockheed Idaho Technologies Company Electric Power Research Institute Post Office Box 1625 3412 Hillview Avenue Idaho Falls, ID 83415 Palo Alto, CA 94303 Mr. Frank A. Ross Mr. Charles Thompson, Nuclear Engineer U.S. Department of Energy, NE-42 AP600 Certification Office of LWR Safety and Technology NE-50 19901 Germantown Road 19901 Germantown Road Germantown, MD 20874 Germantown, MD 20874 i

AP600 DSER Open Item Resolution Element 3 Functional Requirements Analysis and Function AHacannq Element 3 of the HFE PRM provides criteria for the staff's review of an applicant's functional requirements analysis and function allocation; i.e., the definition and then assignment of functions to human and automatic control systems. In the AP600 DSER review of Element 3,14 open items were i

identified.

1 As part of a meeting held between the staff and Westinghouse Electric Corporation in Monroeville, Pennsylvania, on March 8 through 10, 1995, Element 3 open items were addressed. At that meeting the staff committed to clarify its position concerning the Element 3 open items. To meet this commitment, the staff developed a document entitled Review of the Westinghouse AP600 Functional Requirements Analysis and Function Allocation which was transmitted to Westinghouse on May 15, 1995. The staff's report identified the information needed to address issues related to function requirements analysis and functional allocation for the AP600. As a result of the staff's effort, the DSER open items were recast into four new open items (OITS nos. 2465, 2466, 2467, 2468). It is these four items which serve as the i

basis for completing the Element 3 review. The new open items were developed from tailoring the generic HFE PRM criteria to app!y to the specific circumstances of the AP600. Since the open items are being used in place of the PRM criteria, the new open items are referred to as criteria in the evaluation below, i.e., Criterion 2465, 2466, 2467, and 2468.

To provide the information requested by the staff in the May 15, 1995 letter, Westinghouse submitted draft WCAP-14644, AP600 Functional Requirements Analysis and Function Allocation in May 1996. In addition, a meeting was held between the staff and Westinghouse in Rockville on May 21 and 22,1996, during which Westinghouse provided a briefing on their approach.

The staff reviewed the Element 3 open items based on the draft WCAP provided by Westinghouse. The level at which the Element is being evaluated has been changed from an implementation plan review to a complete element review. The staff agrees that this is justified on the basis that the results of the functional requirements analysis and function allocation are available and documented in the WCAP.

This is acceptable even though the function allocations may be somewhat modified as a result of later HFE analyses and evaluations. As with any HFE activity, it is necessary to provide a methodology that accommodates modifications as a result of new firxiings or later design activities. This reflects the iterative nature of design.

The results of the review of the draft WCAP-14644 were documented in the letter from the NRC to Westinghouse dated August 8,1996. This letter also provided a Table showing the relationship between j

the HFE PRM criteria, DSER open items, May 151995, open items, and the staffs assessment of the l

current status of the items.

By letter to NRC dated October 9,1996, Westinghouse responded to the open items and transmitted Revision 0 of WCAP-14644, "AP600 Functional Requirements Analysis and Function Allocation."

Also, in August,1996, Westinghouse submitted Revision 9 to the SSAR, which contains substantial revisions to Chapter 18.

l This current document describes the status of the staffs review of HFE PRM Element 3 and the status of the Element 3 open items. Table I below provides of summary of the open item status.

Enclosure

Table 1 Relationship & Status of PRM Criteria, DSER Open Items, and New Opes items PRM Criteries DSER Status New Iteen (OITS #)

CurreM Status General Criterion i Satisfled (Reopened)*

Open item (2465)

Resolved General Criterion 2 Open item 18.4.3.1-1 Open item (2M5)

Resolved Fun. Req. Anal.1 Open item 18.4.3.2-1 Open item (2466)

Resolved Fun. Req. Anal. 2 Open Item IS 4.3.2-2 Open Item (2466)

Resolved Fun. Req. Anal. 3 Open item 18.4.3.2-3 Open item (2466)

Resolved Fun. Req. Anal. 4 Open Item 18.4.3.2-4 Open Item (2466)

Resolved Fun. Req. Anal. 5 Satisfied Not Applicable Satisfied l

Fun. Req. Anal. 6 Open item 18.4.3.2-5 Open hem (2466)

Resolved

)

Fun. Req. Anal. 7 Open item 18.4.3.2 4 Open item (2466)

Resolved Fun. Req. Anal. 8 Open Item 18.4.3.2-7 Open item (2466)

Resolved l

Fun. Allocation 1 Open item 18.4.3.3 1 Open item (247)

Resolved Fun. Allocauon 2 Open item 18.4.3.3-2 Open item (247)

Resolved Fun. Allocation 3 Open Item 18.4.3.3-3 Open item (247)

Resolved i

Fun. Allocation 4 Satisfied (Reopened)*

Open item (247)

Resolved Fun. Allocation 5 Open item 18.4.3.3-4 Open hem (2468)

Resolved Fun. Allocation 6 Open item 18.4.3.3-5 Open item (247)

Resolved Fun. Allocation 7 Open Item 18.4.3.3 4 Open item (247)

Resolved l

Fun. Allocation 8 Open item 18.4.3.3-7 Open item (2468)

Resolved l

Fun. Allocation 9 Satisfled (Reopened)*

Open item (2468)

Resolved l

Fun. Allocation 10 Satisfied (Reopened)*

Open item (247)

Resolved l

• On the basis ofinfo.mation obtained following the publication of the DSER, several PP.M criteria that had been identified as " Satisfied" were reopened and their substance was incorporated into the new items.

Note that the four items below were slightly modified from their description in the staffs May 15, 1995 document. These changes included: (1) removal of material that served as reference to the technical basis for the staffs information request (that is part of the detailed technical discussion contained in the May document and is not needed in this documerd); (2) cross references to other parts of the May document were changed to be correct for the present document; and (3) slight editorial modifications.

This recasting of the items was transmitted to Westinghouse in the August 8,1996 letter and is i

l unchanged below here.

l l

2 1

Open item 2465 I

Crfterka 2465 A) A description should be provided of the " methodology" that was used by Westing-i house to arrive at the current AP600 level of automation, including function definition and allocation assignments already made. 'Ihe application ofindustry standards, guidelines, and practices should be identified. B) The description should seek to revise or clarify the documented material already reviewed by the staffin the SSAR and RAI responses.

Proposed ResoAurkm-1he discussion below addresses separately each of the two subitems of Criterion 2465.

+

j Subitem A. A description should be provided of the "mednialogy" used to date by Westinghouse to arrive at the current AP600 level of automation, including function definition and allocation assignments already made. The application of industry standards, guidelines, and practices j

should be identified.

j In Section 1.2 of WCAP-14644, Revision 0, an overview of the AP600 functional requirements and J

allocation methodology is provided. Detailed treatment of both aspects of the methodology is presented

]

in Sections 2.1 and 3.1 respectively. In general, the approach is quite similar to that found acceptable in

]

the DSER with several added clarifications provided. These clarifications are summarized below.

j 1he initial set of functiona: requirements and allocations are hami upon operating experience with the reference systems that make up the AP600 predecessor or reference plant (see discussion under Open j

ltem 2466 for a discussion of the AP600 reference plant). The discussion in the WCAP provides j

significantly improved documentation of the initial allocation basis as compared to that provided in the

{

SSAR. The initial analysis is made by system designers based on knowledge of the operational perfor-j mance of the systems and on a consideration of the relative capabilities of human and system resources, i

E i

Westinghouse has developed a methodology to " document the th& male for initial allocation decisions" 1

(p.1-3). This methodology is based on NUREG/CR-3331 and provMes a structured approach conducted by an interdisciplinary team that includes HFE and systems expertise. NUREG/CR-3331 is identified as s

I an appropriate source of function allocation methodology in the H/' E PRM. (Note also that it has been l

adapted by the International Atomic Energy Agency (IAEA) for fSnction analysis in IAEA TECDOC-66-8).

1' l

The detailed review of HFE PRM Element 3 criteria 1 and 2 were presented in the DSER. The DSER evaluations have been modified to reflect the new information provided by Westinghouse.1he modified l

discussion is presented below.

i j

As indicated in Section 2.1 of WCAP-14644, Revision 0, functional requirements analysis is initially i

performed by system engineers. The WCAP sought to document the requirements analysis. In i

summary, the objective of the analysis was to identify the functions that must be performed to satisfy plant safety objecdves, i.e., to prevent or mitigate the consequences of postulated accidents that could cause undue risk to the health and safety of the public. The secae of Westinghot.se's functional i

requirements analysis included both design-basis and beyocGdesign-basis accidents but not severe accident events.

1

)

For each AP600 critical safety function (CSF), the success paths for function achievement were defined, J

i.e, combinations of safety-related and nonsafety-related, dt.Nvie-in-depth structures, systems, and j

components (SSCs). In Table 1 of WCAP-14644 the CSFs are identified. In Table 2 the success paths to j

satisfy each of the CSFs of the AP600 and the generic reference plant are described. While the CSFs are 3

3

the same for both, this comparison enables the identification of the differences between the SSCs that achieve the functions (in Table 3). The information and action requirements for each CSF success path were identified and documented in the WCAP.

Ranul on this analysis, the differences between the AP600 and the reference plant were identified.

Differences were considered for (1) the overall system design configuration or system arrangement, and (2) allocation of function. The success paths were identified (in Table 3) as unchanged, modified, or new (consistent with the definition used in NUREG-0711). Where a success path was unchanged, operating experience became a technical basis for the functional requirements (and their allocation).

A related, supporting functional requirements analysis activity (" goal-means decomposition") is performed by the M-MIS design team. In Revisions of the SSAR prior to Revision 9, this was described in SSAR Sections 18.6,18.8, and 18.9. In SSAR Revision 9, Section 18.4 covers Function Require-ments Analysis and Functional Allocation and refers to WCAP-14644. Section 18.5 generally covers task analysis, but also now briefly addresses the goal-means decomposition. This process is based on a decision sets model that involves decomposition of plant functions from global, abstract functions, such as " prevent radiation release" to lower level decision sets, such as " control reactor coolant system (RCS) boron concentration." For each decision set, questions are addressed that provide information for accomplishing the goal of the decision set, such as what information is needed, what decisions need to be j

made, and where the results must go. The results are presented in both graphic and tabular form with t

the aid of a computer-aided software engineering tool. At the lower levels, cognitive task analysis is performed to provide the requirements for the HSI design (the cognitive task analysis is reviewed in Section 18.5 of the DSER). Westinghouse states in WCAP-14644, Revision 0, that this analysis is consistent with the functional requirements analysis described in the WCAP. They intend however to address the details as part of Element 4, Task Analysis, which is only being reviewed at an implementa-tion level for AP600.

SSAR Section 15.8.2.1.2.4 previously provided Westinghouse's general approach to function allocation.

Westinghouse expanded this approach in their response to RAI 620.72 (Revision 1, February 7,1995).

WCAP-14644, Revision 0, Section 3.1, further clarifies the analysis methodology. Currently SSAR Revision 9, Section 18.4 provides the overview and WCAP-1464 provides the details. As indicated above, the preliminary allocations were performed by the system engineers. Westinghouse then developed a structured approach based upon the methodology developed in NUREG/CR-3331.

Applying the methodology (illustrated in Figure 1 of WCAP-14644), Westinghouse first identified those function assignments that are mandatory for automatic control and whether automation is technically feasible. Mandatory allocations were identified based on a review of documents such as 10 CFR Part 50 (especially GDC 20, Protection System Functions), the Standard Review Plan, and the URD (e.g. to meet time criteria). Following these assignments, the allocations are made based on preference for human or automatic control. Preference may be derived from different bases, such as operating experience, PRA sensitivity, operator workload, the inherent nature of the process (passive systems are inherently automatic), or the need for operator judgement prior to actuation.

If the allocation cannot be clearly identified based on these considerations, the function is further broken down to smaller units for which the allocation process is performed.

When this initial allocation is completed, the allocations are subject to further analysis, such as analyses to determine the M-MIS requirements for successful operator interaction with automated systems, e.g.,

to manually preempt an automated function or to successfully monitor and, if necessary, manually back up an automated function.

4

Because of the dynamic and interactive nature of human performance, the methodology provides for the allocation to be reevaluated during the design process.

De discussion of AP600 functional requirements and allocation methodology provided in WCAP-14644 acceptably clarifies 'he staff's concerns about functional requirements analysis and allocation methodolo-gy identified in the staff's open item.

Subitem B. De description should seek to revise or clarify the documented material already reviewed by the staffin the SSAR and RAI responses.

he following updated documents have now been issued by Westinghouse: Revisioa 9 of the SSAR, Revision 0 of WCAP-14644, and RAls 620.91, 620.92, 620.93, and 620.94. Dese documents are consistent and acceptably address Element 3 and the open items.

Based upon this information, the two PRM general criteria for Element 3 are considered technically satisfied and the open item is resolved.

STATUS OF OPEN ITEM: Resolved Onen Itern 2466 Criscrion: 2466 A) A description should be provided of the AP600 functions, processes and systems and a comparison made to the reference plants / systems so that one can identify areas of difference that exist.

B) De response should address the staff's specific concerns identified in the evaluation section of DSER Section 18.4.3.2, Criterion 1 (repeated below). C) De response should also address how the results of functional requirements analysis are verified and how the results are updated as the design process proceeds.

Proposed Resoluilon De review focused on the three subitems of Criterion 2466.

Subitem A. A description should be provided of the AP600 functions, processes and systems and a comparison to the reference plants / systems so that one can idmtify areas of difference that exist.

Information addressing this criterion has been provided in Section 2 of WCAP-14644, Revision 0. ne AP600 CSFs are identified in Table 1 of WCAP-14644, Revision 0, and include: suberiticality, core cooling, heat sink, RCS integrity, containment, and RCS inventory. Table 2 provides a comparison of the AP600 CSFs and their ::uccess paths with those of the reference plant. De reference plant for the AP600 is the generic PWR design for currendy licensed Westinghouse nuclear power plants. Sec-tion 2.1.3 and Table 3 provide a comparison of the design of the SSCs and their function allocation between the AP600 and the reference plant. De table indicates whether each of the success paths for each CSF are unchanged, modified, or new.

He CSFs for the AP600 are the same as those for the reference plants, but the success paths and SSCs are different. De major differences in the AP600 are (1) the use of safety-related, passive systems for safety injection and decay heat removal, (2) the use of advanced digital I&C, (3) automation of certain SSC actuation and control functions that help reduce operator workload, and (4) design changes that were identified through a review of operating experience.

5

l WCAP-14644, Revision 0, provides a detailed and acceptable description of the AP600 functions, j

prncesses, and systems and a comparison to the reference plants / systems so that one can identify areas of difference that exist.

Subitem B. 'Ihe response should address the staff's specific concerns identified in the evaluation section of DSER Section 18.4.3.2, Criterion 1. The DSER stated " Safety functions (e.g., reactivity control) should be defined. These include functions required to prevent or mitigate the consequences of postulated accidents that could cause undue risk to the health and safety of j

l the public. For each safety function, the set of plant processes (plant system configurations j

or success paths) should be clearly defined that are responsible for or capable of carrying out the function."

1he DSER Evaluation of this criterion stated:

High-level safety functions have been defined and are displayed in Figures 18.6-9 and 18.6-10 of the l

SSAR. These include the functions required to prevent or mitigate the consequences of postulated I

accidents that could cause undue risk to the heal!b and safety of the public. Figures 18.6-9 and 18.6-10 of the SSAR show the top four levels L.he functional decomposition. For example, l

t level 1, containing " Prevention of Radiation Release," is decomposed in level 2 into " Fuel Integrity," "RCS Boundary Integrity," etc. In level 3, " Fuel Integrity" is decomposed into

" Reactivity Balance" and " Fuel Clad Heat Balance." In level 4, " Reactivity Balance" is decom-posed into " Control Gross Reactivity" and " Control RCS Boron Concentration." The following examples demonstrate the staft's concern with completeness:

i level 1 of these figures only includes ' Prevention of Radiation Release," and not other safety e

functions such as site personnel protection (e.g., from exposure to high radiation sources) or protection of the environment from various releases such as toxic chemicals. It is not clear whether these safety functions are covered in the decision sets in Figures 18.6-1 through 18.6-8 of the SSAR.

At level 2, the box for radioactive waste management is not developed, and it is not clear if this e

will include monitoring routine radmactive releases. These items should be considered because they also contribute to the specification of requirements for controls, displays, and alarms, At level 4 in Figure 18.6-10 of the SSAR, it is not clear why there are no functions identified e

for " steam generator (SG) water inventory" and " control containment temperature."

It is not clear, based on the methodology presented, how the results are verified for completeness and accuracy.

As the focus of WCAP-14644, Revision 0, was not on the decision sets model or the goal means decom-position, these issues were not addressed. However, these are related functional requirements activities, that are conducted by the M-MIS design group to support the Westinghouse function-based task analyses and display design. As such, the details of this item have been transferred to Element 4, Task Analysis and are addressed there. It is important to note that while Element 3 is being reviewed at a complete element level, Element 4 is being reviewed at the implementation plan level.

Subitem C. The response should also address how the results of functional requirements analysis are verified and how the results are updated as the design process proceeds.

WCAP-14644, Revision 0, Section 2.3 discusses the verification and updating of functional requirements analyses. Severa! different analyses contribute to the evaluation of functional requirements including 6

l SSAR Chapter 15 safety analyses, PRA analyses, and function-based task analyses. SSAR safety analyses address the ability of the plant functions, systems, and processes to cope with design basis events. PRA analyses address the acceptability of plant functions, systems, and processes for coping with beyond-design basis accidents. The function-based task analyses performed by the M-MIS design team provides verification of the detailed sensor and control specifications for CSF-related requirements.

WCAP-14644, Revision 0, Section 2.3 also describes the mechanisms for modifying functional requirements if the analyses described above identify a need to do so. Modifications would be accomplished through the formal procedures described in the AP600 design configuration change control process (discussed in the Element I review). 'Ihe procedures assure that the change is properly implemented, documented, and verified.

This information provides an acceptable explanation of the process by which functional requirements will be verified and the requirements can be changed, if required.

in summary, WCAP-14644 and SSAR Section 18.4 acceptably address this open item and satisfy the PRM criteria on Functional Requirements Analysis.

STATUS OF OPEN ITEM: Resolved Onen Item 2467 Criterion 2467c A) A description should be provided of the human role in AP600 functions, processes and systems (as defined in Item 2466 above) in terms of personnel responsibility and level of automation.

Since it is our understanding that the technical basis for allocation was largely based on operating experience (e.g., successful allocations were not changed and problematic allocations were changed), a comparison to the reference plants / systems should be documented so that differences in allocation can be identified. Where allocations have changed, the basis for the change should be identified. Passive systems should be considered a special form of automation because initiation and control of these functions often do not require personnel actions.

B) A description should be provided as to how the functional allocation process for the AP600 will accommodate the need for thorough HFE input early in the design process. This is particularly important for those areas identified above that are "different" from the predecessor plants / systems.

Proposed Resolutionc 'lhe review focused on the two subitems of Criterion 2467.

Subitem A. A description should be provided of the human role in AP600 functions, processes and systems (as defined in item 2466 above) in terms of personnel responsibility and level of automation. Since it is our understanding that the technical basis for allocation was largely based on operating experience (e.g., successful allocations were not changed and problematic allocations were changed), a comparison to the reference plants / systems should be documented so that differences in allocation can be identified. Where allocations have changed, the basis for the change should be identified. Passive systems should be considered a special form of automation because initiation and control of these functions often do not require personnel actions.

1 WCAP-14644 Section 1.3 provides an overview of the role of the operator. in Section 3, the specific role of the operator with respect to CSF success paths is described (the details are presented in Table 4) and the basis for the allocation is documented (the details are presented in Table 5). Comparisons between the AP600 and the reference plant with respect to allocation of functions are provided in Table 3.

7

1 j

De role of the AP600 operator is described at a high-level as including the monitoring of plant states l

.nd automatic operations, controlling the operation of non-safety systems, and terminating the safety-j systems when plant conditions have been stabilized. The overall difference between this role and that of i

8 operators in current plants is not significant. De specific detailed differences relate to the specific actiors performed by operators due to differences in safety-related systems and the increased automation of the AP600. For example, while the AP600 uses passive safety systems, from the perspective of the 3

i operator these function like automatic systems. He operator's role at a high level with respect to these 1

systems is essentially the same as with other automatic systems, e.g., to verify their operation and

{

terminate them when EOP criteria are met. A detailed comparison between the AP600 and the reference plant of the function allocation for actions within the CSF success paths is provided in Table 3. De

}

table indicates whether the allocation is unchanged, modified, or new (for new actions). Explanatory notes are provided for each action. For example, Startup Feedwater under Core Cooling is identified as j

a modified allocation because SG level control has been automated, while its control was manual in the i

reference plant. Dus operators do not have to throttle back feedwater flow to prevent SO overfill or j

RCS overcooling in AP600.

1 j

Table 4 in WCAP-14644, Revision 0, breaks down each CSF success path into actuation and control j

actions. Each is classified as to the level of automation provided: Passive, automatic (only), parallel (actuation and control can always be accomplished manually or automatically), selectable (the operator selects whether actuation and control are accomplished manually or automatically), complementary (actuation and control responsibilities are shared), and manual.

i j

De technical bases for the allocations identified in Table 4 are documented in Table 5. The bases l

provided stem from the function allocation methodology discussed in item 2465 above and illustrated in l

Figure 1 of the WCAP.

WCAP-14644, Revision 0, provides a detailed audit trail from function allocations in the reference plant i

to how those allocations were represented in the AP600. De technical basis for each allocation is l

documented based on the methodology developed from NUREG-3331. De staff finds this approach acceptable, i

l Subitem B. A description should be provided as to how the functional allocation process for the AP600 will accommodate the need for thorough HFE input early in the design process, his is particularly important for those areas identified above that are "different" from the predeces-sor plants / systems.

WCAP-14644, Revision 0, Section 4.1 describes the HFE input provided early in the design process.

When making initial allocations, " explicit considerations of limitations in human capabilities" were given hanM on knowledge of operating experience and HRA analyses. For example, tasks were not allocated to human resources: when personnel could not preform a task quickly enough to accomplish critical safety actions within required time, when the tasks were complex or not routinely performed, or when the combination of tasks would lead to high workload, ne information provided in WCAP-14644, Revision 0, acceptably addresses the staffs concerns in this open item. Therefore, this item is resolved and the PRM criteria are satisfied.

STATUS OF OPEN ITEM: Resolved 8

Open item 2468 Criterka 2468 A description should be provided of how the integrated role of the operator across all systems is confirmed for acceptability. If function allocation was performed by individual system designers, will the IAEA process described in the RAI responses be used at all, and if so how?

The process should be described by which functions are re-allocated in an iterative manner, in response to developing design specifics, operating experience, and the outcomes of on-going analyses and trade studies.

Proposed Resolarkw WCAP-14644, Revision 0, Section 4.2 describes the evaluation of the integrated role of the operator and Section 4.3 describes the mechanisms for modifying function allocations.

WCAP-14644, Revision 0, Section 4.2 describes the evaluation of the integrated role of the operator j

using task and workload analysis, M-MIS design and evaluation, and verification and validation.

l WCAP-14644 indicates that due to the dynamic and interactive aspects of human performance, the allocations are evaluated through subsequent HFE analyses throughout the design process. Following the initial allocations by systems designers, the integrated role operators is assessed during task analyses 4

where workload analyses will be conducted. Since the task analyses will address a full range of operating modes, they provide an opportunity to identify operational phases in which workload can be i

expected to be high. The M MIS will be specifically designed to support the operator's functional role 4

in the plant (tlarough the support of the functional decomposition analyses) which will be evaluated in verification activities. The final allocation will be evaluated as part of integrated system validation.

Since validation will use dynamic simulation, the tests will provide an opportunity to adjust allocations should problems he identified.

WCAP-14644, Revision 0, Section 4.3 describes the mechanisms for modifying function allocations. If problems with respect to allocation are identified, a process is in place to address the problem Options include modifications to the M-MIS to better support the operators tasks, modifications to system design to change the level of automation, or ;nodifications to the staffing assumptions. Once the problem has been addressed, modifications would be accomplished through the formal procedures described in the AP600 design configuration change control process (discussed in the Element I review). The procedures assure that the change is properly implemented, documented, and verified.

Westinghouse has described an acceptable approach to evaluating the functional role of the operator and to developing design changes to modify the function allocations should it become necessary as the design develops. Therefore, this item is resolved and the PRM criteria are satisfied.

STATUS OF OPEN ITEM: Resolved 4

9

_,