ML20141K184

Rev 3 to WCAP-14401, Programmatic Level Description of AP600 Human Factors Verification & Validation Plan
Site: 05200003
Issue date: 05/07/1997
From: Kerth S, Roth E, WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:
Shared Package: ML20141K158
References: OCS-GEH-002, OCS-GEH-2, WCAP-14401, WCAP-14401-R03, WCAP-14401-R3, NUDOCS 9705280358
Download: ML20141K184 (23)



Westinghouse Non-Proprietary Class 3

WCAP-14401
Revision 3

Programmatic Level Description of the AP600 Human Factors Verification and Validation Plan

Westinghouse Energy Systems

AP600 DOCUMENT COVER SHEET
Form 58202G(5/94)    TDC:    IDS:    AP600 CENTRAL FILE USE ONLY: 0058.FRM    RFS#:    RFS ITEM #:

AP600 DOCUMENT NO.: OCS-GEH-002    REVISION NO.: 2    ASSIGNED TO:    Page 1 of
ALTERNATE DOCUMENT NUMBER: WCAP-14401, Rev. 3
WORK BREAKDOWN #: 3.3.2.4.5
DESIGN AGENT ORGANIZATION: WESTINGHOUSE
TITLE: Programmatic Level Description of the AP600 Human Factors Verification and Validation Plan
ATTACHMENTS:
DCP #/REV. INCORPORATED IN THIS DOCUMENT REVISION:
CALCULATION / ANALYSIS REFERENCE:
ELECTRONIC FILENAME: 3639w.wpf    ELECTRONIC FILE FORMAT: WordPerfect    ELECTRONIC FILE DESCRIPTION:

(C) WESTINGHOUSE ELECTRIC CORPORATION 1992.

[ ] WESTINGHOUSE PROPRIETARY CLASS 2
This document contains information proprietary to Westinghouse Electric Corporation; it is submitted in confidence and is to be used solely for the purpose for which it is furnished and returned upon request. This document and such information is not to be reproduced, transmitted, disclosed or used otherwise in whole or in part without prior written authorization of Westinghouse Electric Corporation, Energy Systems Business Unit, subject to the legends contained hereof.

[ ] WESTINGHOUSE PROPRIETARY CLASS 2C
This document is the property of and contains Proprietary information owned by Westinghouse Electric Corporation and/or its subcontractors and suppliers. It is transmitted to you in confidence and trust, and you agree to treat this document in strict accordance with the terms and conditions of the agreement under which it was provided to you.

[X] WESTINGHOUSE CLASS 3 (NON PROPRIETARY)

COMPLETE 1 IF WORK PERFORMED UNDER DESIGN CERTIFICATION    COMPLETE 2 IF WORK PERFORMED UNDER FOAKE.

1  [ ] DOE DESIGN CERTIFICATION PROGRAM - GOVERNMENT LIMITED RIGHTS STATEMENT [See page 2]
   Copyright statement: A license is reserved to the U.S. Government under contract DE-AC03-90SF18495.
   [X] DOE CONTRACT DELIVERABLES (DELIVERED DATA)
   Subject to specified exceptions, disclosure of this data is restricted until September 30, 1995 or Design Certification under DOE contract DE-AC03-90SF18495, whichever is later.
   EPRI CONFIDENTIAL: NOTICE: 1 2 3 4 5    CATEGORY: A B C D E F

2  [ ] ARC FOAKE PROGRAM - ARC LIMITED RIGHTS STATEMENT [See page 2]
   Copyright statement: A license is reserved to the U.S. Government under contract DE-FC02-NE34267 and subcontract ARC-93-3-SC-001.
   [ ] ARC CONTRACT DELIVERABLES (CONTRACT DATA)
   Subject to specified exceptions, disclosure of this data is restricted under ARC Subcontract ARC-93-3-SC-001.

ORIGINATOR SIGNATURE/DATE: S. P. Kerch
AP600 RESPONSIBLE MANAGER SIGNATURE* / APPROVAL DATE: D. J. Vaglia

* Approval of the responsible manager signifies that document is complete, all required reviews are complete, electronic file is attached and document is released for use.


AP600 DOCUMENT COVER SHEET Page 2
Form 58202G(5/94)

LIMITED RIGHTS STATEMENTS

DOE GOVERNMENT LIMITED RIGHTS STATEMENT
(A) These data are submitted with limited rights under government contract No. DE-AC03-90SF18495. These data may be reproduced and used by the government with the express limitation that they will not, without written permission of the contractor, be used for purposes of manufacture nor disclosed outside the government, except that the government may disclose these data outside the government for the following purposes, if any, provided that the government makes such disclosure subject to prohibition against further use and disclosure.
(I) The "Proprietary Data" may be disclosed for evaluation purposes under the restrictions above.
(II) The "Proprietary Data" may be disclosed to the Electric Power Research Institute (EPRI), electric utility representatives and their direct consultants, excluding direct commercial competitors, and the DOE National Laboratories under the prohibitions and restrictions above.
(B) This notice shall be marked on any reproduction of these data, in whole or in part.

ARC LIMITED RIGHTS STATEMENT:
This proprietary data, furnished under Subcontract Number ARC-93-3-SC-001 with ARC may be duplicated and used by the government and ARC, subject to the limitations of Article H-175 of that subcontract, with the express limitations that the proprietary data may not be disclosed outside the government or ARC, or ARC's Class 1 & 3 members or EPRI or be used for purposes of manufacture without prior permission of the Subcontractor, except that further disclosure or use may be made solely for the following purposes: This proprietary data may be disclosed to other than commercial competitors of Subcontractor for evaluation purposes of this subcontract under the restriction that the proprietary data be retained in confidence and not be further disclosed, and subject to the terms of a nondisclosure agreement between the Subcontractor and that organization, excluding DOE and its contractors.

DEFINITIONS
CONTRACT/DELIVERED DATA - Consists of documents (e.g. specifications, drawings, reports) which are generated under the DOE or ARC contracts which contain no background proprietary data.

EPRI CONFIDENTIALITY / OBLIGATION NOTICES
NOTICE 1: The data in this document is subject to no confidentiality obligations.
NOTICE 2: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is forwarded to recipient under an obligation of Confidence and Trust for limited purposes only. Any use, disclosure to unauthorized persons, or copying of the document or parts thereof is prohibited except as agreed to in advance by the Electric Power Research Institute (EPRI) and Westinghouse Electric Corporation. Recipient of the data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information contained herein that are permitted.
NOTICE 3: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is forwarded to recipient under an obligation of Confidence and Trust for use only in evaluation tasks specifically authorized by the Electric Power Research Institute (EPRI). Any use, disclosure to unauthorized persons, or copying of this document or parts thereof is prohibited except as agreed to in advance by EPRI and Westinghouse Electric Corporation. Recipient of the data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information contained herein that are permitted. The document and any copies or excerpts thereof that may have been generated are to be returned to Westinghouse, directly or through EPRI, when requested to do so.
NOTICE 4: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is being revealed in confidence and trust only to Employees of EPRI and to certain contractors of EPRI for limited evaluation tasks authorized by EPRI. Any use, disclosure to unauthorized persons, or copying of this document or parts thereof is prohibited. The Document and any copies or excerpts that may have been generated are to be returned to Westinghouse, directly or through EPRI, when requested to do so.
NOTICE 5: The data in the document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. Access to this data is given in Confidence and Trust only at Westinghouse facilities for limited evaluation tasks assigned by EPRI. Any use, disclosure to unauthorized persons, or copying of this document or parts thereof is prohibited. Neither the document nor any excerpts therefrom are to be removed from Westinghouse facilities.

EPRI CONFIDENTIALITY / OBLIGATION CATEGORIES
CATEGORY "A" - (See Delivered Data) Consists of CONTRACTOR Foreground Data that is contained in an issued report.
CATEGORY "B" - (See Delivered Data) Consists of CONTRACTOR Foreground Data that is not contained in an issued report, except for computer programs.
CATEGORY "C" - Consists of CONTRACTOR Background Data except for computer programs.
CATEGORY "D" - Consists of computer programs developed in the course of performing the Work.
CATEGORY "E" - Consists of computer programs developed prior to the Effective Date or after the Effective Date but outside the scope of the Work.
CATEGORY "F" - Consists of administrative plans and administrative reports.

WESTINGHOUSE NON-PROPRIETARY CLASS 3

WCAP-14401
Revision 3

PROGRAMMATIC LEVEL DESCRIPTION OF THE AP600 HUMAN FACTORS VERIFICATION AND VALIDATION PLAN

April 1997

E. Roth
S. Kerch

AP600 Document No. OCS-GEH-020

WESTINGHOUSE ELECTRIC CORPORATION
Energy Systems Business Unit
P.O. Box 355
Pittsburgh, Pennsylvania 15230-0355

©1997 Westinghouse Electric Corporation
All Rights Reserved

3639w.wpf:b-050797

TABLE OF CONTENTS

Section  Title  Page

1.0 INTRODUCTION  1-1
1.1 AP600 V&V Activities and Objectives  1-1
1.2 General Scope of AP600 V&V  1-4
1.3 Guidance Documents for Development of V&V Implementation Plans  1-5
2.0 HSI TASK SUPPORT VERIFICATION  2-1
3.0 HFE DESIGN VERIFICATION  3-1
4.0 INTEGRATED SYSTEM VALIDATION  4-1
4.1 Methodology  4-1
4.2 Tools Used for Evaluating Dynamic Task Performance  4-1
4.3 Integrated System Validation Evaluations  4-2
4.4 Risk-Important Tasks  4-2
4.5 Compliance with Regulatory Guide 1.33  4-2
4.6 Criteria for Selection of Test Scenarios for Dynamic Evaluations  4-3
4.7 Realistic Validation Scenarios  4-4
4.8 Performance Measures and Acceptance Criteria  4-4
5.0 ISSUE RESOLUTION VERIFICATION  5-1
6.0 PLANT HFE/HSI VERIFICATION  6-1
7.0 REFERENCES  7-1

LIST OF FIGURES

Figure  Title  Page

1-1 AP600 Concept Testing and Verification and Validation Activities  1-3

1.0 INTRODUCTION

This document provides a programmatic level description of the AP600 Human Factors Verification and Validation (V&V) plan. It specifies at a high level the activities to be performed as part of the AP600 V&V. Individual implementation plans that provide more detailed descriptions of the tests to be performed, and acceptance criteria to be used, will be developed for each V&V activity specified in this report. Individual V&V implementation plans will be developed after design certification.

1.1 AP600 V&V Activities and Objectives

The Human Factors Engineering Program Review Model (PRM) developed under the sponsorship of the U. S. NRC (NUREG-0711) specifies that an HFE V&V program should include five activities with the following objectives:

1. Task Support Verification: Verifies that the human system interface (HSI) design provides all necessary alarms, displays, and controls to support plant personnel tasks
2. HFE Design Verification: Verifies that the HSI design conforms to human factors engineering (HFE) principles, guidelines, and standards
3. Integrated System Validation: Validates that the HSI design can be effectively operated by personnel within all performance requirements
4. Issue Resolution Verification: Verifies that the HSI design resolves all identified HFE issues in the tracking system
5. Final Plant HFE Verification: Verifies that the plant HFE/HSI (as designed at the time of plant startup) conforms to the verified and validated design that resulted from the HSI design process

The AP600 V&V will include all five of these activities. Figure 1-1 presents the AP600 V&V activities and the sequence in which these activities shall be performed. The sequence for completing these V&V activities will be as follows:

1. HSI Task Support Verification
2. HFE Design Verification
3. Integrated System Validation
4. Issue Resolution Verification
5. Plant HFE/HSI (as designed at the time of plant startup) Verification

Figure 1-1 shows that additional Man-in-the-Loop concept tests will be performed as part of the HSI design process. Concept testing is performed as part of the functional design phase of the HSI design process. It is during the functional design phase that the core conceptual design for an HSI resource and corresponding functional requirements are developed. An integral part of this phase is rapid prototyping and design concept testing. Concept testing during the functional design phase serves two purposes. It:

  • Provides input to help designers resolve design issues that have no well-established human factors guidance
  • Establishes the adequacy of the design concept and functional requirements that are produced in the functional design stage. Concept testing establishes that the conceptual design resulting from the functional design stage is adequate to support operator performance in the range of situations anticipated to arise.

Concept tests slated to be performed as part of the AP600 HSI design process are described in WCAP-14396. While these concept tests are not part of the formal AP600 V&V, they provide early feedback on the adequacy of AP600 HSI design elements.

[Figure 1-1: AP600 Concept Testing and Verification and Validation Activities. The figure itself is not reproduced here; labels recoverable from the scan: M-MIS Design & Integration; M-MIS Verification and Validation; M-MIS Task Support Verification; HFE Design Verification; Integrated System Validation; Issue Resolution Verification; Final Plant HFE Verification (Hardware & Software) with factory acceptance test and site acceptance test; AP600-specific Concept Tests (Man-in-the-loop test of concrete example design) using rapid prototypes, part-task simulations, and a near full-scope, high-fidelity simulator of a similar plant; near full-scope, high-fidelity training simulator.]

1.2 General Scope of AP600 V&V

The AP600 V&V scope is defined with respect to HSI resources included in the V&V. The PRM scope description includes trained personnel and communication. Personnel training requirements and communication requirements will be addressed in the integrated system validation.

The scope of the AP600 V&V will include:

  • HSI hardware
  • HSI software
  • Procedures
  • Workstation and console configurations
  • Design of the overall work environment

Specifically included in the AP600 V&V is verification and validation of the AP600 Emergency Operating Procedures (EOPs).

The AP600 EOPs will be computerized. A backup will be available to handle the unlikely situation where the Computerized Procedure System is lost. Verification and validation will be conducted primarily on the computerized procedures. The back-up will be evaluated as part of the integrated system validation by including test scenarios that examine the use of the back-up following the simulated loss of the Computerized Procedure System.

A set of representative and important tasks will be identified as part of task analysis activities, Element 4 (Task Analysis). This set of tasks will define and bound the scope of the AP600 V&V activities. Tasks will be drawn from the areas of:

  • Operations
  • Maintenance
  • Test, inspection, and surveillance

Tasks for inclusion in the task analysis and V&V will be identified based on consideration of the importance of human actions for function achievement, and the impact of task failure on safety. Tasks in the areas of maintenance, test, inspection, and surveillance will be limited to those determined to be risk-important based on the probabilistic risk assessment (PRA) threshold criteria specified in the Implementation Plan for Integration of Human Reliability Analysis (HRA) and HFE Design.

Selected tasks will cover the full range of plant operating modes, including:

  • Startup
  • Normal operations
  • Abnormal and emergency operations
  • Transient conditions
  • Low-power
  • Shutdown conditions

The V&V scope will be limited to those facilities required for scenario evaluation that involve risk-important tasks as defined by the PRA threshold criteria. Facilities included in the V&V scope are:

  • Main Control Room
  • Remote shutdown workstations
  • Technical Support Center (TSC)

The AP600 design does not require risk-important actions to be taken from local control stations, so local control stations are not included in the V&V scope. If, as a result of further analysis, risk-important tasks or critical actions are identified at local control stations, those stations, with respect to the identified tasks or actions, will be included in the V&V.

1.3 Guidance Documents for Development of V&V Implementation Plans

Implementation plans providing detailed test procedures and acceptance criteria will be developed for each of the five V&V activities identified in Figure 1-1.

V&V implementation plans will be developed using accepted industry standards, guidelines, and practices. Documentation to develop the V&V implementation plans will include:

CEI/IEC 964 Design for Control Rooms of Nuclear Power Plants. International Electrotechnical Commission, 1989.

IEEE Std. 845-1988 IEEE Guide to Evaluation of Man-Machine Performance in Nuclear Power Generating Station Control Rooms and Other Peripheries. Institute of Electrical and Electronics Engineers, 1988.

NUREG-0899 Guidelines for the Preparation of Emergency Operating Procedures. US Nuclear Regulatory Commission, Washington, D. C., August 1982.

NUREG-1358 Lessons Learned from the Special Inspection Program for Emergency. US Nuclear Regulatory Commission, Washington, D. C., April 1989.

NUREG-0711 Human Factors Engineering Program Review Model. US Nuclear Regulatory Commission, Washington, D.C., July 1994.

NUREG-0700 Human-System Interface Design Review Guideline, Rev. 1, Draft Report. US Nuclear Regulatory Commission, Washington, D.C., February 1995.

Regulatory Guide 1.33, Quality Assurance Program Requirements. Revision 2. US Nuclear Regulatory Commission, Washington, D. C.


2.0 HSI TASK SUPPORT VERIFICATION

An implementation plan shall be developed specifying a methodology for HSI task support verification. The HSI task support verification objective will be to verify all aspects of the HSI design (e.g., controls, displays, alarms, procedures, and data processing) that are required to accomplish personnel tasks and actions as defined by task analyses, EOPs, and risk-important human tasks identified by the PRA.

The HSI Task Support Verification implementation plan will include a methodology description by which the HSI design will be checked against the information and control requirements identified by the:

  • Function based task analyses
  • Operational sequence task analyses performed for important and representative tasks as defined in Element 4 (Task Analysis)
  • Operational sequence task analyses performed for risk-important personnel tasks as defined by the PRA
  • Operational sequence task analyses performed for the complete set of EOPs

The HSI Task Support Verification methodology will describe how, in each case, the HSI resources will be verified to ensure that all alarms, displays, controls, procedures, and data-processing required for task performance are available, and that the characteristics of the HSI (e.g., units of measure, accuracy, precision, and dynamic response) match task requirements.

The HSI Task Support Verification implementation plan will also describe a process by which the HSI design will be verified to ensure that the HSI does not include information, displays, or controls that do not support operator tasks. The information and controls provided on the HSI resources will be checked against display and control requirements generated from the function-based and operational sequence task analyses. Any information, display, or control appearing on an HSI resource not identified as required by any of the task analyses will be flagged, requiring further analysis and review. If the information, display, or control is shown to be necessary to support operator performance, it will be documented, and the task analyses will be revised accordingly. If, after review, no explanation can be found for how the information, display, or control supports operator performance, it will be removed and the documentation will be revised accordingly.
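As an added illustration (not part of WCAP-14401 and not Westinghouse's or the AP600 project's own tooling), the following Python sketch performs the two-directional check this section describes: every alarm, display and control that a task analysis requires must exist on some HSI resource with matching characteristics (here units and precision), and every item present on an HSI resource must trace back to at least one task, otherwise it is flagged for review rather than deleted outright. The dataclasses, the `task_support_verification` function and all task, resource and item names are this example's own constructed assumptions.

```python
"""Bidirectional HSI task-support traceability check.

Added example only; not Westinghouse's or the AP600 project's own tooling.
Requirements come from task analyses; the inventory is what each HSI
resource actually presents. All names below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HsiItem:
    """One alarm, display or control as implemented on an HSI resource."""
    name: str
    kind: str            # "alarm", "display" or "control"
    units: str = ""      # engineering units presented to the operator
    precision: int = 0   # decimal places presented


@dataclass(frozen=True)
class Requirement:
    """An information or control requirement derived from a task analysis."""
    task: str
    name: str
    kind: str
    units: str = ""
    min_precision: int = 0


def task_support_verification(requirements, inventory):
    """Check an HSI inventory against task-analysis requirements.

    Returns (missing, mismatched, unexplained):
      missing     - requirements with no item of that name and kind anywhere
      mismatched  - (requirement, item) pairs whose characteristics differ
      unexplained - (resource, item) pairs no task analysis requires; these
                    are flagged for review, not removed automatically
    """
    by_key = {}
    for resource, items in inventory.items():
        for item in items:
            by_key[(item.name, item.kind)] = (resource, item)

    missing, mismatched, used = [], [], set()
    for req in requirements:
        hit = by_key.get((req.name, req.kind))
        if hit is None:
            missing.append(req)
            continue
        _resource, item = hit
        used.add((item.name, item.kind))
        # Characteristics (units, precision) must match the task requirement.
        if item.units != req.units or item.precision < req.min_precision:
            mismatched.append((req, item))

    unexplained = [(resource, item)
                   for resource, items in inventory.items()
                   for item in items
                   if (item.name, item.kind) not in used]
    return missing, mismatched, unexplained


# Constructed sample data (not taken from the AP600 task analyses).
SAMPLE_REQUIREMENTS = [
    Requirement("Isolate ruptured SG", "SG pressure", "display", "psig", 0),
    Requirement("Isolate ruptured SG", "SG level", "display", "%", 1),
    Requirement("Isolate ruptured SG", "SG high level", "alarm"),
    Requirement("Manual ADS actuation", "ADS stage 1 valves", "control"),
    Requirement("Manual ADS actuation", "RCS pressure", "display", "psig", 0),
]

SAMPLE_INVENTORY = {
    "Wall panel": [
        HsiItem("SG high level", "alarm"),
        HsiItem("Turbine vibration", "alarm"),          # no task requires it
    ],
    "Operator workstation": [
        HsiItem("SG pressure", "display", "psig", 0),
        HsiItem("SG level", "display", "%", 0),          # too coarse for task
        HsiItem("RCS pressure", "display", "MPa", 0),    # wrong units
        HsiItem("Plant logo", "display"),                # decorative only
    ],
}


def run_sample():
    """Run the check on the sample data and summarise findings by item name."""
    missing, mismatched, unexplained = task_support_verification(
        SAMPLE_REQUIREMENTS, SAMPLE_INVENTORY)
    return {
        "missing": [r.name for r in missing],
        "mismatched": [i.name for _r, i in mismatched],
        "unexplained": [i.name for _res, i in unexplained],
    }


if __name__ == "__main__":
    for finding, names in run_sample().items():
        print(f"{finding}: {names}")
```

The same bookkeeping generalises to the characteristics the section lists beyond units and precision (accuracy, dynamic response) by adding fields to both dataclasses and extending the comparison; the "unexplained" list is the input to the review step, where each item is either documented and the task analysis revised, or removed.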


3.0 HFE DESIGN VERIFICATION

An implementation plan that specifies a methodology for HFE design verification will be developed. The objective of the HFE design verification will be to verify that all aspects of the HSI (e.g., controls, displays, procedures, and data processing) are consistent with accepted HFE guidelines, standards, and principles.

The HFE design verification implementation plan will specify a process by which deviations from accepted HFE guidelines, standards, and principles will be identified and acceptably justified based on a documented rationale, such as trade study results, literature-based evaluations, demonstrated operational experience, and tests or experiments.

The HFE design verification will include all HSI in the control room, remote shutdown workstations, and the TSC. Local control stations will be reviewed to the extent that they are required for risk-important human actions as defined by the PRA.

The HFE design verification specification plan will describe a procedure by which HSI resources will be verified, ensuring conformance to AP600-specific HSI standards and convention guideline documents that will be prepared to cover all HSI resources and their integration. The AP600-specific standards and convention guidelines will include:

  • Alarm guidelines
  • Display guidelines
  • Controls guidelines
  • Computerized procedures guidelines
  • Anthropometric guidelines

The AP600-specific HSI standards and convention guidelines will provide:

  • A specification of accepted HFE guidelines, standards, and principles to which the HSI will conform
  • A specification of particular design conventions (e.g., particular coding conventions) to which the HSI will conform
  • Documentation of any deviations from accepted HFE guidelines, standards and principles, and justification based on documented rationale such as trade study results, literature-based evaluations, demonstrated operational experience, and tests and experiments

An illustrative subset of accepted HFE guideline documents that will be used in compiling accepted HFE guidelines, standards, and principles to be included in the AP600-specific standards and convention guideline documents are:

American National Standards Institute, ANSI HFS-100-1988, American Standard for Human Factors Engineering of Visual Display Terminal Workstations. Santa Monica, California, 1988.

CEI/IEC 964 Design for Control Rooms of Nuclear Power Plants. International Electrotechnical Commission, Geneva, Switzerland, 1989.

NUREG-0899 Guidelines for the Preparation of Emergency Operating Procedures. U. S. Nuclear Regulatory Commission, Washington, D. C., August 1982.

NUREG-1358 Lessons Learned from the Special Inspection Program for Emergency. US Nuclear Regulatory Commission, Washington, D. C., April 1989.

NUREG-0700 Human-System Interface Design Review Guideline, Rev. 1, Draft Report. US Nuclear Regulatory Commission, Washington, D.C., February 1995.

NUREG/CR-5908 Advanced Human-System Interface Design Guidelines. US Nuclear Regulatory Commission, Washington, D. C., July 1994.

NUREG/CR-6501 Human Factors Engineering Guidelines for the Review of Advanced Alarm Systems. US Nuclear Regulatory Commission, Washington, DC., September 1994.

US Department of Defense, DOD-HDBK-761A Human Engineering Guidelines for Management Information Systems. Office of Management and Budget, Washington, D.C., 1990.

All aspects of the HSI, including information, displays, controls, data processing, navigation mechanisms, and workstation and console configurations, will be verified against the standards and conventions specified in the applicable AP600-specific guideline documents.

The HFE design verification implementation plan will specify procedures for identifying, reviewing, and correcting deviations from the standards and conventions specified in the guideline documents.

Included in the scope of the HFE design verification will be the identification of nonfunctional decorative details (borders and shadowing on graphic displays) not specified in the guideline documents that do not support operator task performance.

All deviations from standards and conventions specified in the guideline documents will be flagged for review. If there is adequate justification for the deviation, the justification will be documented. Otherwise, a change will be made to bring the HSI resource into compliance with the guideline documents.

4.0 INTEGRATED SYSTEM VALIDATION

An implementation plan will be developed specifying a methodology for integrated system validation. The objective of integrated system validation is to ensure that the functions and tasks allocated to the plant personnel can be accomplished with the HSI design implementation. Explicitly included in the integrated system validation is validation of the AP600 EOPs.

4.1 Methodology

The integrated system validation implementation plan will include a methodology section that addresses:

  • Objectives
  • Personnel performance issues
  • Test methodology and procedures
  • Test participants
  • Test conditions (including plant conditions, operating sequences, accident scenarios)
  • HSI description
  • Performance measures
  • Data analysis
  • Acceptance criteria
  • Process by which results will be used to determine whether changes to the HSI are required, and the process by which change requirements are tracked and verified

4.2 Tools Used for Evaluating Dynamic Task Performance

Integrated system validation will be performed using an AP600-specific, near full-scope, high-fidelity training simulator that satisfies the general requirements of Sections 3 and 4 of ANSI/ANS-3.5-1993. The near full-scope, high-fidelity simulator of the AP600 control room will display high physical fidelity (the testbed will physically resemble the actual hardware to be implemented in the AP600 control room), as well as high fidelity with respect to information content (containing AP600-specific displays and controls) and underlying process dynamics (it shall be driven by an AP600-specific plant simulation). "Near" is used to indicate that features of the simulation not relevant to the test being made may not be full-fidelity.

Operator actions at non-control room facilities, such as remote shutdown panels and the TSC, may be evaluated using static mock-ups or prototypes.

4.3 Integrated System Validation Evaluations

The implementation plan will specify the objectives of the integrated system validation to:

  • Establish the adequacy of the integrated HSI for achieving HFE program goals
  • Confirm allocation of function and the structure of tasks assigned to personnel
  • Validate the EOPs
  • Confirm the dynamic aspects of the HSI for task accomplishment
  • Evaluate and demonstrate error tolerance to human and system failures
  • Establish the adequacy of staffing and the HSI to support staff to accomplish their tasks

The implementation plan will specify how the integrated system validation will fulfill these evaluation objectives.

4.4 Risk Important Tasks

The integrated system validation will include test scenarios designed to validate the adequacy of staffing and the HSI to support personnel performance for:

  • Important and representative tasks as defined in Element 4 (Task Analysis)
  • Risk important tasks as defined by the PRA threshold criteria
  • Design-basis and beyond-design-basis accident scenarios covered by the EOPs

4.5 Compliance with Regulatory Guide 1.33

Regulatory Guide 1.33, Appendix A lists categories of activities that should be covered by written procedures, such as administrative procedures, general plant operating procedures, procedures for control of measuring and test equipment and for surveillance, procedures for performing maintenance, and chemistry and radiochemical control procedures. As indicated in Reg. Guide 1.33, the procedures may be combined, separated, or deleted to conform to procedure plans.

Complete validation of all classes of procedures identified in Regulatory Guide 1.33 is beyond the scope of the integrated system validation. As stated in Subsection 1.2, the V&V scope in the areas of maintenance, test, inspection, and surveillance will be limited to tasks determined as risk-important based on PRA threshold criteria. Integrated validation will include test scenarios simulating situations governed by sample procedures from selected Regulatory Guide 1.33 categories, for the purposes of increased realism, and to ensure that the AP600 control room design, in conjunction with such procedures, can achieve their intended functions without interfering with plant operations. Test scenarios will be developed that include select maintenance, test, and surveillance activities conducted in the main control room while the plant is being operated, to show that these tasks can be accomplished without interfering with operator tasks necessary for monitoring and controlling the plant.

4.6 Criteria for Selection of Test Scenarios for Dynamic Evaluations

A multi-dimensional set of criteria will be used to define a set of test scenarios to be included in the integrated system validation. Dimensions to be considered will include:

  • A range of operational modes including normal plant evolutions (startup, full power, and shutdown)
  • Transients (reactor trip, turbine trip)
  • Design-basis and beyond design-basis accidents covered by the EOPs
  • AP600-specific design features (the Automatic Depressurization System, the Diverse Actuation System)
  • Scenarios that include human performance actions identified to be risk-important by the PRA
  • Instrument failures
  • HSI equipment and processing failures, including failure of the computerized procedure system, establishing the ability to use the back-up
  • Reactor shutdown and cooldown from the remote shutdown panel
  • Situations that produce cognitive challenges, including situations that complicate:
    - Situation assessment (by providing degraded or conflicting plant state information)
    - Response (require balancing of multiple goals, require manual takeover of automatic systems)
    - Performance (by increasing personnel communication/coordination requirements, or by increasing workload through additional tasks or distractions; see Subsections 4.5 and 4.7)

The set of test scenarios specified will be sufficient to validate the EOPs as implemented in computerized procedures or by an alternative procedure implementation method.

They will also include scenarios to validate key HRA modeling assumptions for event sequences that involve risk-important human actions. An example of an assumption to be confirmed is that particular human actions that need to be performed are satisfactorily completed within the time window specified in the PRA.

The set of test scenarios included in the integrated system validation will be defined by a multi-disciplinary team that includes input from EOP developers, HSI designers, human factors specialists, and human reliability analysis/PRA analysts. The test scenarios listed below will be included in the complete list of scenarios identified by the multi-disciplinary team (each of these scenarios satisfies one or more of the selection criteria described above):

  • Normal plant heatup and startup to 100% power
  • Normal plant shutdown and cooldown to cold shutdown
  • Transients - reactor trip and turbine trip
  • Accidents
    - small-break loss of coolant accident
    - large-break loss of coolant accident
    - steam line break
    - feedwater line break
    - steam generator tube rupture

4.7 Realistic Validation Scenarios

The implementation plan will specify how test scenarios will be realistic with respect to plant conditions that are likely to hold for the situations being represented (number of personnel in the control room, communication requirements with personnel outside the control room, requirements for notification to outside organizations, noise level and temperature).

Selected scenarios will include environmental conditions, such as noise and distractions, which may affect human performance in an actual nuclear power plant.


For actions outside the control room that are within the scope of the integrated system validation, performance impacts of potentially harsh environments that require additional time will be realistically simulated (for example, time to don protective clothing and access hot areas).

4.8 Performance Measures and Acceptance Criteria

The implementation plan will specify the performance measures used to establish that mission goals and operator performance requirements are achieved. Performance measures will include:

  • System measures relevant to plant safety
  • Personnel primary task performance
  • Personnel errors
  • Situation awareness
  • Workload
  • Personnel communications and coordination
  • Dynamic anthropometry evaluations (such as reach and dexterity)
  • Physical positioning and interaction with the HSI

For each measure, the measurement approach and instrument to be used will be specified, and objective acceptance criteria will be defined. Measurement approaches may range from objective measures of crew performance, to subjective measures of performance obtained through post-scenario questionnaires and rating forms administered to test participants, to evaluations made by an evaluation team participating in the validation exercises as expert observers.


5.0 ISSUE RESOLUTION VERIFICATION

An implementation plan will be developed specifying a methodology for human factors issue resolution verification.

The implementation plan will specify a procedure to ensure that all issues documented in the human factors issue tracking system are verified to be adequately addressed in the final HSI. The implementation plan will include a procedure for identifying and tracking human factors issues that cannot be resolved until a plant is built. The procedure will specify how verification of these human factors issues will be incorporated into the process for final plant HFE verification.

6.0 PLANT HFE/HSI (as designed at the time of plant startup) VERIFICATION

An implementation plan will be developed specifying a methodology for verifying that the plant HFE/HSI (as designed at the time of plant startup) conforms to the HSI design that resulted from the HFE design process and V&V activities.

In the Westinghouse design process, the mechanisms for ensuring that systems conform to the final functional requirements and design descriptions are the factory acceptance tests conducted on the actual system hardware at the factory, and the site acceptance test conducted after the hardware is installed at the plant site.

The implementation plan for the plant HFE/HSI verification will specify the verifications that will be conducted as part of the factory acceptance test and the site acceptance test, ensuring that the plant HFE/HSI (as designed at the time of plant startup) conforms to the HSI design that resulted from the HFE design process and V&V activities.

The implementation plan will include procedures for identifying aspects of the HSI that were not addressed in the design process V&V, and procedures for evaluating them using appropriate V&V methods. Aspects of the HSI design that fall in this category include design features that could not be evaluated in a simulator, and design modifications that occurred subsequent to the HSI design V&V, such as hardware upgrades.

7.0 REFERENCES

ANSI HFS-100-1988, American Standard for Human Factors Engineering of Visual Display Terminal Workstations. American National Standards Institute, Santa Monica, California, 1988.

CEI/IEC 964, Design for Control Rooms of Nuclear Power Plants. International Electrotechnical Commission, Geneva, Switzerland, 1989.

DOD-HDBK-161A, Human Engineering Guidelines for Management Information Systems. US Department of Defense, Office of Management and Budget, Washington, D.C., 1990.

IEEE Std. 845-1988, IEEE Guide to Evaluation of Man-Machine Performance in Nuclear Power Generating Station Control Rooms and Other Peripheries. Institute of Electrical and Electronics Engineers, 1988.

OCS-TS-Dol, Roth, E. & Mumaw, R. J., Man-in-the-Loop Test Plan Description, Rev. B. March, 1994.

NUREG-0899, Guidelines for the Preparation of Emergency Operating Procedures. US Nuclear Regulatory Commission, Washington, D.C., August 1982.

NUREG-1358, Lessons Learned from the Special Inspection Program for Emergency. US Nuclear Regulatory Commission, Washington, D.C., April, 1989.

NUREG-0711, Human Factors Engineering Program Review Model. US Nuclear Regulatory Commission, Washington, D.C., July, 1994.

NUREG-0700, Human-System Interface Design Review Guideline, Rev. 1. Draft Report. US Nuclear Regulatory Commission, Washington, D.C., February, 1995.

NUREG/CR-5908, Advanced Human-System Interface Design Guidelines. US Nuclear Regulatory Commission, Washington, D.C., July, 1994.

NUREG/CR-6501, Human Factors Engineering Guidelines for the Review of Advanced Alarm Systems. US Nuclear Regulatory Commission, Washington, D.C., September, 1994.

Regulatory Guide 1.33, Quality Assurance Program Requirements. Revision 2, US Nuclear Regulatory Commission, Washington, D.C.

ANSI/ANS-3.5-1993, Nuclear Power Plant Simulators for Use in Operator Training and Examination, approved March 29, 1993.