ML20142A120
| ML20142A120 | |
| Person / Time | |
|---|---|
| Site: | Hatch  |
| Issue date: | 01/09/1986 |
| From: | SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY |
| To: | NRC |
| Shared Package | |
| ML20142A118 | List: |
| References | |
| CON-NRC-03-82-096, CON-NRC-3-82-96 NUDOCS 8603190333 | |
| Download: ML20142A120 (49) | |
Text
_ _ _ _ . _ _ _- _ _ _ _____.___ _ _ _ _ _ . _ _ _ . . _ _ ._ . __, __,- _._ _ __,
N.' 4.we.e < - / re ==5* w ,. . r- r-: . r* - w .* 5 - .cfg,Qy,, ' ---. .a y=u.:( m--9 4* L*-*,. ;.em . .,. . ; ; s'a .m- , , .
-.. n ,,, .
9
-..m.._...
. ~ . . _. . . ..- _ .,
a
_ _.. . . . . . . . . . ~ - -
r*,, --
-- ._ r- a -. _ com a
- r. . . . , a e a.- r - -
r -. - . . .
-- . . ., .. -. f y _
r SPDS PROGRESS REVIEW EDWIN I. HATCH NUCLEAR PLANTS UNITS ~l AND 2 i
_.. . i l
i m...
,. ,p,.7 ,
p _- -
r
........,f p.. . - - -.. . a.-. .
. ~ . _ , 4.. . . . . - . _ . . . . . . . . . .
.. . .s,. .4 - --
...........t x
....-.....p.,,,
ia*M"""T***?"
... . p.... . .s. ,4 . e , . 1_- __ , ; sa = ..ew .==a.4 m .: . '. .-- e s=r, M r.ce oe m...*. + ,**w'.a.ee4.e,.p 6se
. w.-
6 9 w "D' r--~~..".Mi :-~ J i ^;.E , y ~ , *=".c.*WitMFFC*fts a.9%M=setA pte-NMrd**$'tf"at*Pf". **.14st@ *M.'rP"Q* W.*%.5"5
.t ,. .._ , .- , = -
v .. .
'.' '..- .J *
... ..,',, .,.. . .~ , . ....'. . . --
- _......w . -
.'n.,.. 's'.-*, .' .
. i.'
A -* . . . , T *
, . . . - , _ > .. g __. . . . . . . . . ' ' * .;d v ,..; . 'e .Y ..i.
. . , . . . . . , ., . . .. .. .s.. ....,......,..
.. ~.
~
~......s
.2 .
. . c . . g,
. . _ _ . l
..e. ,
. . . . . . .. , . - . . . , . . ,.,,.4.... -...o . ....:..w-.. . . . . . . . . . , . . . . . . ..,,.a,,,,,e. .
. . - - * - -r -s
.-.-*.4**~w.a.e..*--*.c**w.e-.w.x**'....-.e*.-J..-4m.- 1
- . J .. *r . . wv E= ; .. ..- *E rer. E
.. 2 . ,. a.
L.= ...--=--==.7
.. s . w .w ..
. -=== =.=-~ - .=.r----- --= =.:-- .z.w.=:r :.= = = - - := . - =.~.:- = :- :
.m
. . . . ,.L. .. 6.. . ......,......
m .. . . _ . _ . _ . .
... .c ..._.m._, .
. . - . _ .s . .
?, ; ' - . s '~ ..* / ' * * . t. L ., ~ ; ' ' ', , _ t'; .-...,.-,[.,...-'.-...,.. ' ' ' : - .; .) .
', *1 *% , . . .?.. , ~ . , . .; _., *','
~,.
L'agg,g _
.- ... .s > ... u,w_
. ~_..
'. . ~._.._J; _ __ - r t_Ly;po.q?x..gy-
.. --.'.n* * - Q -m-W~- %d4.AL~ g. ..n%M
~
^
s.p,4L.4.c.w~ .
_. .4. sQ..._u__n;.a=.M.. .. 4.~_ .
n
_ --. _ _ _ _ = _. = =____n _-
..s, ,.. ~,,..s. -. , = _ . e. . w .x -m.m.m. m., , ., s ._%. . . ,m. +.3 w.
. w.
. , %.. . . . ,.m. ~
...r;.2 _ ..
a.....,..m .
s_ .._-.n._.=_c===_ .
w -
x w...
~ . . . . . , ~ ~ .
- a .* w: .u :. : ~._ =.= ww.= u :.u.; .=.=.:..<,: .r.:.:x u_,w: .
=- - . . .
-. . ~. - , . .
. . - . _ ...~..._....-......~.,m._~_.._....s....
. - , . .. -~... .... ; ~
. .. .s
....=# , _
_. m =
--.....a... ._ _- -.. _..
,1 ..,,,.,f- . ,.#.,.. y .-
.=
. . . . . - ,~m,~.~..-__.__._._............,~.......
_u.,_ s .~. _ - ..
~_ . . . _ . _ - - , . _ - .
- .= _ _ .- .. . . _
. ._. . ~ . . . .
. . . ~
h.c. :~^; , ,n,. .wu ..--- .n, v,.n.- . _.
r n. ,
w-- w' .^^-
7"~...s.
- W -
=.,e q ,a
.w ...g....n.m"^-._...'..,,e..:
~ _. .. 1 as g.. s.
_ e ,e e
.w.7 .n.<w
..,3,..4.~...w.,.4..-.'-~.~a.,"-.m
- = -_ . p
^ ^ ^
-- , u n , .. -y .m.,.
- - . c ._ ; ,,. .- . . ..
. . . . . , .. . w, h4
. ..k * .e 4 e.s.p o.9 . .,W y r
,. . . . d . .n . ,,
...g
[M c ~. .e~,. :,
I b ,pe.
., . . . A,,~ Mok- . . -
f8@l.,MwsEE..M.W._W".$I('WW%i!C12.W4WR. p
. . _ a. , .. .
- .~. -
y ~~ $' # -n- . 9 ?..f. E.JWM ,
_ _ _m m -..m_+w
- - W
, F - -+ emn m = w _n
., .u . . =.
^-
-.,. n _ - . _
%wHerett%2M%t5#..
w
- =_ . ^'4. .2.+.,h.hi.iV & , 5 N~ % % &,- g &d f % d 4 C' W N m , W V4MW -^ p & n M.
MScience* licationsIntern% ationalCorpor '
,Mgh% .4 yves.x , vwyp.m.< wy.wqs ~a, tion . .c 2 y i h o ADOCK 05000321 O 03U hp gg A
,hzii
- ' ~
'O .
a "- h.kh'h g, " - -
f b'q.%Wh P,DR PDR g e.e . -
.74wu y.- .i .,
76 .
m
.s-M38. M E*@d b N b
- b. .- 7 . bN --
e s t
. i l
SPOS PROGRESS REVIEW -
EDW:N I. HATCH iiUCLEAR PLANTS UNITS 1 AND 2
- i
! i l
January 9, 1986 Prepared for:
U.S. Nuclear Regulatory Comission Washington, D.C. 20555 Contract NRC-03-82-096 i=.G -~~iil 2 iG""iE=
%B255p]
, , - Ie=trh~
Science Applications InternationalCorporation l i
Post Office Box 1303,1710 Goodridge Drive, McLean, Virginia 22102,(703) 821-4300 I
--w,---- ,--_---,-,,-.----w.,----,w--
, , , , ,,.,,,-----,mewm,- ,g.-v-- --_..m.,-- -.,,._n-__r-m,_,_, ,,.,-,.,,.,ye._n-me.-,.,m .g_ ,,,,-
f %
H 1
'}
, TABLE OF CONTENTS
.)
J Section PEtt
}
SUMMARY
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 i 1 1. System Objectives (Initiation Phase) . . . . . . . . . . . . 3
- 2. System Design (Development Phase). . . . . . . . . . . . . . 4
'l 3. Implementation . . . . . . . . . . . . . . . . . . . . . . . 13 J
- 4. Training . . . . . . . . . . . . . . . . . . . . . . . . . . 14 3
J 5. Operation ......................... 15
.i 6. Maintenance. . . . . . . . . . . . . . . . . . . . . . . . . 16 1
ATTACHMENT A - Critical Safety Function Parameters ....... 18
] ATTACHMENT B - SPDS Parameter Displ:ys ............. 21 J
ATTACHMENT C - Sample SPDS Formats ............... 30 m
ATTACHMENT D - Human Factors Engineering Assessment . . . . . . . 37 ATTACHMENT E - SPDS Exit Meeting Attendees ........... 45 2
3 i
s e
1 4
.)
?
j J
l .. . - _ _ - - . . . . . _ _ , - _ , . _, . . - . , . _ _ _ . . - - - - _ _ _ _ _ - - . - - , . -
~
l , s J
l Li
- SPDS Progress Review
'j -
Hatch I and 2
SUMMARY
"I An NRC team visited the Edwin I. Hatch Unit I and 2 site on October 8, J 9, and 10, 1985, to observe the installed SPDS. The team included a member of the NRC's Human Factors Engineering Branch and contractors from Science
' Applications International Corporation, Comex Corporation and SoHar Incorporated. The team reviewed the design, installation, testing, and operation of the Edwin I. Hatch SPDS. A list of meeting participants is provided in Attachment E. This was one of six SPDS progress reviews under-taken by NRC to ascertain, through a representative survey, the general state of SPDS implementation in the industry.
$ The Hatch SPDS is still in the testing and calibration phase and has
'} not been declared operational by the licensee. However, the SPDS is func-tional and is being used to a limited extent. The parameters identified in the licensee's Safety Analysis Report and approved in the NRC Safety Evalua-lJ tion Report are displayed on the SPDS. The functional specifications, software development, verification and validation were thoroughly developed and documented. An appropriate human factors evaluation of the system has
]J been conducted and integrated into the design process.
additional human factors review of the system during the detailed control There will also be room design review activities. The SPDS is integrated directly into the upgraded emergency operating procedures.
With regard to the system hardware, the licensee has implemented possibly the most reliable system reviewed during the six progress reviews.
l All of the SPDS primary and redundant signals are extracted directly from 1 the sensors. Where redundant signals were not available, new sensors were installed. Over one hundred and eighty thousand feet of cable were
] installed to support the SPDS. The computer, signal generator and displays j are all military standard pieces of equipment. This equipment is maintained with built-in test equipment and has guaranteed spare parts support for
, twenty years. In addition, the licensee has made a commitment to acquire j the expert staff necessary to calibrate and maintain the system.
The Hatch SPDS will be fully integrated into control room operations.
}U The system will provide the Shift Technical Advisor with necessary emer-gency, trending, and diagnostic information needed to support the senior reactor operator. The Senior Reactor Operator, whose workstation is less 1 than five feet from the SPDS, will have ready and reliable critical safety j function information available to him during an accident. In addition, the upgraded plant-specific emergency operating procedures used by the Senior
- Reactor Operator integrate specific trending and diagnostic SPDS functions.
" The level of control and procedures for software maintenance is far less stringent than for hardware, so there appears to be a lack of sornisti-
$ cation on the part of the licensee in this area. The most notabh audit 91 team concerns involved inconsistencies in programming some displav formats 1
i BW me.n. --e.-ow~wmgm--gv--~~--v=-vv-, - - m_
s-1 , s 1
3
'J
, and procedures for future perfective and corrective software maintenance.
- Apparently as a result of the use of different programmers, some of the diagnostic alphanumeric displays contain formatting and human factors incon-sistencies. In addition, the licensee did not have a completed set of 1 software maintenance procedures or human factors guidelines for future j system modifications. The licensee was aware of these concerns and is in the process of developing solutions to the problems.
1 j It was the review team's conclusion that the design, implementation, testing and management of this SPDS meets and in'most cases exceeds the requirements of Supplement 1 to NUREG-0737. This is a system that is
' ,s already being used by the plant staff to help analyze accidents, identi fy 3 potential technical specification violations and confirm restart justifica-tions after trips.
3, M
i 2
?
I J
P c
1 y
la b
dlJ
.]
J 1
2
. - - . . .- . = . . - - - . - . --
, s l 1
- 1. SYSTEM OBJECTIVES (Initiation Phase) i 1.1 Plant conditions for which the SPDS is intended to be used.
1 The Hatch SPDS is intended for use in all plant conditions. These 1 include power operations, start-up, hot standby, cold standby, and refuel-ing. The position of the " Mode" selector switch is used to normalize the 3 Primary Display for other than power operations.
1.2 Modes of plant operation in which SPDS is to be available for use.
] The SPDS is maintained in an operable condition and displayed during o all modes of plant operation. The SPDS control room consoles have 3 CRT positions for display of the Primary or one of the 87 sub-level displays
} which are included as part of the SPDS. The primary display is administra-J. tively required to be displayed on one of the 3 CRTs at all times.
, 1.3 Functional requirements t
1.3.1 Critical Safety Functions i The licensee has included coverage of all critical safety functions, j all of which are presented in some fashion on the primary (top level) i display. The sub-level displays which are assessed by use of simple menus '
provide detailed coverage.
~
1.3.2 Intended users l The licensee intends that the SPDS be used by all. control room person-
- nel during normal operations as shown by the training program which involves all of these people. During emergencies, the primary user is intended to be 1 the STA.
' s.2- ..
l.4 Relation to other NUREG-0737 Supplement 1 initiatives. ' [
Was the E0P upgrade program integrated into the SPDS?
. The SPDS has been designed and built ahead of the implementation of the j ,
symptomatic E0Ps. In situations where the SPDS can provide helpful informa-tion toward the solution of a problem, the new E0Ps reference the use of the SPDS as the senior reactor operator sequentially steps through them. This j indicates that the licensee intends to make maximum and realistic use of the j SPDS.
Was the SPDS integrated into the DCRDR? Describe current status of DCRDR relative to SPDS status.
f I The DCRDR is in progress at Hatch and the SPDS will be included in the DCRDR. ,
L 3 l
- _ - . .n.---.. _ . . - , - . - -
, s d
l fj Are Reg. Guide 1.97 parameters used to feed SPDS?
" Yes .
Does emergency response structure necessitate SPDS in TSC or E0F7 The SPDS displays are available in the TSC and in the EOF (on two CRTs
, rather than on 3 as in the Control Room).
Does the SPDS supply a portion of the ERF data acquisition system?
l Yes g
1.5 Verification, Validation and Testing _ Program A V&V program was developed. However, the design of the system was underway at Georgia Tech prior to the development of the plan and its implementation. Further complicating the problem was the business failure i
of the (British) company doing the V&V. The plan was then formalized and J implemented through a contract with Bechtel. The licensee presented evidence that the V&V plan is being followed.
j -
Was the plan executed by the SPDS development group or by an independent party?
The current V&V is being conducted by an independent reviewer in the Bechtel corporation's Gaithersburg office. Documentation indicates that he is operating independently.
1 -
Did the plan include a process for review and analysis of the SPDS requirements?
m j The V&V documentation file indicates that the program does consider the requirements for the system. This was noted in items such as the reviewer's suggestion that there be a requirement for a primary display for each plant f
operating mode.
- 2. SYSTEM DESIGN (Development Phase)
Al d 2.1 Design Requirements i
2.1.1 Events for which the SPDS can be used.
The SPDS is useful in normal operations, infrequent operations such as
_ refueling and during emergencies.
1 2.1.2 Parameter selection T The parameters selected for display are listed in the Georgia Power
& letter of 31 August,1983 from Mr. Baker to Mr. Stolz (NRC), in Tables 1 and L
i ',
P
_ _ - - - _ . , - _ _ , , , . _ - , . , _ . . , _ . ~ , , . _ , - - . . . . - ~ . . . _ , - . , , . . _ _ - - _ , ~ - -_----_,.._-_...v_--. - --_._ -
m- - _ . . - - _ . . -
h j
7
- 2. The SPDS parameters, ranges and display descriptions are provided in Attachment A and in Attachment B, the latter a handout provided Fy the licensee. These parameters appear to adequately display the critical safety functions to the operators. The primary display graphics are clear and uncluttered. Detailed information can be obtained by easily accessed sub-j level displays which support the priaary display with system valve and pump status and trend information. The ECCS systems are not portrayed on the
~
primary display, but the effect of their proper or improper operation is shown (reactor water level, reactor pressure, torus level, torus temp.,
etc.). System pump and valve status are shown on a loser level display.
]:) 2.1.3 Basis for establishing display requirements.
The starting point for the design of the SPDS was the BWR Owners Group q SPDS functional specification, supplemented by NRC documents including NUREG
- 0696 and Reg. Guide 1.97. Detailed functional specifications were prepared to guide the system design. Operators were frequently consulted during the
, requirements phase of the design for their inputs. These consultations
~'
resulted in the inclusion of the ADS, SRV and LLSL status and vessel head
" temperatures on the Primary Display. Georgia Tech was selected as the design contractor early in the program.
j 2.1.4 Basis for logic used for CSFs g The basis of the design of the SPDS is to select and portray the j minimum number of verified parameters to quickly assess the safety status of the plant during all normal and abnormal operating; conditions. The sympto-matic E0Ps were not in place at the time of the audit and their development l has followed the design and installation of the SPDS, so, rather than being J heyed to an E0P by the SP S, the operator is keyed to check the SPDS at appropriate times while executing the symptomatic E0Ps. This appears to be
] a practical and effective method of obtaining the maximum use of the SPDS
- during emergency situations.
2.1.5 Description of SPDS logic SPDS logic is described in software design documents. The verification logic depends on the particular parameter being monitored and the number of signals available.
} .
The displayed parameters are verified by computer calculations or '
a compared to related instruments. The operator is appraised of an unverified I value by a color change and any potentially unsafe condition is indicated by a different color change. The system does not use the plant process
- computer as a signal source. Parameters were obtained from primary signal II sources through Class 1E isolators, and where insufficient signals were available to assure verification, new sensors, and cables were installed.
The designers found that it was often less expensive and less disruptive to jg pull new cables to tho SPDS from near the signal source to the Control Room, 9 than to tap from control room terminals to the SPDS.
I q 5 J
il
] .
- J I.:
2.2 Design Specifications - Software l,
i 2.2.1 Software Design, Programming, and V&V 1 SPDS Desian Staoe E
What was the process used to develop-the system and subsystem q specifications for the analysts and programmers?
?
E The functional requirements were very detailed including the ranges of every input and a detailed discussion of every requirement and inter-3 face. These were then used to generate an equally detailed design O document including flowcharts and a description of each routine suita-ble for programer use.
I 3 How were human factors considerations factored into the SPDS design process? Color stated in functional specs.
l a
The human factors considerations were analyzed by an outside contrac-tor, in studies performed at Georgia Tech, and by Georgia Power. Dur-ing the design there was input from control room personnel. There was
]g also a detailed examination of the human factors by Bechtel as part of the validation and verification process.
What was the process used to define the SPDS program specifica-h tions for the programmers?
The very detailed design documents were used to define the SPDS program
$ specifications to the programmers. In addition, they had at their 3 disposal computer operating system documents, software development standards documents, and computer language reference documents.
a j -
How were the SPDS data base specifications defined for the pro-grammers?
The SPDS data base specifications were defined for the programmers in D the detailed design documents which were the result of the detailed functional requirements document.
Was a Verification / Validation and Test plan developed?
Because of contractor difficulties the V&V plan was implemented late in the development cycle. It was recognized as a deficiency and the plan was very comprehensive. Each stage of the development including the code and the human factors considerations was carefully examined and reviewed. The plan included schedules and responsibilities and appar-i ently had a large budget since Bechtel has spent over 80000 man-hours to date.
k -
6 I
l . i b
n 1
Did the V/V&T team generate design-based test scenarios?
- The test scenarios are being developed by a combination of Bechtel, GTRI, and Georgia Power. The system is being exercised at the present 1 time both in the simulator and during analysis of the tapes from abnor-j mal events.
Did the V/V&T process include the review and analysis of SPDS design? ,
The V/V&T process included a review and analysis of the SPDS design as
- well as a detailed examination of the code itself.
1 SPDS Pronrammino Stace
] -
Was an SPDS Users Manual developed for the SPDS users?
, An SPDS Users Manual is being developed with detailed descriptions of a all displays and parameters. There is no requirement for an under-J standing of data processing or software functions by the user. The system has been designed so that the user need understand only the il displays and a very simple method of calling up menus and displays
- using a very simple keyboard.
.: There is no input data to the system beyond the pressing of a key to
., signify the desired display so there is no requirement for computer
- knowledge.
51 The Users Manual does include simple instructions for restarting the 1 system after failure which requires only reloading a tape.
g -
Operations Manual There is no Operations Manual since there are no computer operations personnel in the classical sense. The system in the control room runs l
from an object module and is automatic requiring only queries to obtain J information from the system. Computer personnel in the simulator building are responsible for preparing object tapes and controlling the 9 data tapes after an abnormal event has been recorded.
1 '
These computer personnel have access to a full set of documentation and 4
are responsible for controlling each version of the SPDS program.
Was an Initial Software Test Case Specification developed by the V/V&T team during this stage?
e Many sets of test cases have used in the software development process.
The results have been documented and those that were done prior to V&V
~
activation have been analyzed by the V&V team.
L
_ . 7 L
l l
- 1
'~
, a a
74 .
Did the V/V&T team review and analyze the User Manual?
3
" Apparently the V/V&T team has not reviewed the Users Manual which is currently being developed. It is not clear whether that is seen as a ;
requirement. ;
a >
Did the.V/V&T team perform a review and analyze the project 7 requirement?
The V/V&T team performed a detailed review for clarity, completeness,
, consistency,< testability and traceability. In the process, many prob-
- lem reports were generated which were answered in writing by Georgia 3 Power.
Program Maintenance Manual
~
The software maintenance area is one of some concern. There appears to
,, be no firm plans for handling this phase of the life cycle and there J
4 appears to be little understanding of the importance of this activity by Georgia Power. It is not clear whether GTRI will be retained to perform maintenance or whether it will be done in-house. There seems
]
J to be the view that the operational SPDS will not be subject to change or modification so planning has been largely lacking. For example, there are no plans to retain a human factors group to analyze changes.
"f The level of can'rol t and procedures for software is far less stringent than for hardware so there appears to be a lack of sophistication on the part of Georgia Power in this area.
Ti -
Did the V/V&T team perform a review and anlaysis of the Program Manual?
1 j Since no Maintenance Manual has been developed at this time no review has been possible.
f 2.2.2 Software development quality control procedures?
The Georgia Tech team that developed the software applied accepted software development practices to the SPDS project. These included software
- standards, peer reviews, inspection teams, and the use of software test cases. In addition, the Bechtel Validation and Verification team also inspected the coding for conformance to the design as well as the conform-ance of the design to the functional requirements.
Georgia Tech.'s internal procedures were evidently satisfactory during
- the software design and development. Ho$ver, no Plant Hatch internal software Q.A. procedures are presently in place. The SPDS is not yet an accepted system.
8
c j . o J
M
, 2.2.3 Software reliability 1
J Software reliability has been addressed to a very limited extent. The input to the system is directly from redundant sensors and has been checked
]j for data validity prior to submission to the SPDS. In case of system failure, the entire program is reloaded. However, it is not clear if infor-mation stored prior to the failure will be available for recording should an 1 emergency or an abnormal situation occur within two hours.
a 2.2.4 Utility of displayed information Define location of each parameter for each CSF.
All parameters identified in the SAR are displayed on the primary pl display and emergency display. In addition the parameters are also dis-J- played on the trending and diagnostic displays. Also these parameters are repeated in the ERF and TSC display screens. Sample displays are provided in Attachment C.
J -
Display indicates departure from normal conditions?
l On the primary display, departure from normal conditions is indicated J by color, digital parameter information and bar chart images.
R. Color is used to describe parameter condition. Green indicates normal.
[]" Yellow indicates questionnable signal problems. Yellow / blank indicates no signals available. Red indicates that the parameter has exceeded the set point.
1 Digital parameter information on the primary display is used to describe reactor power, reactor water level, reactor system pressure, con-1 tainment conditions and radiation. " Thermometer" type displays are used to j describe power level, reactor water level, and torus level.
n Yes, through color changes, graphic indications and messages on the y primary display, and by status tables and trend graphs on sub-displays. The effects of an actual high pressure scram on the primary display were shown to the auditors in a film presentation which illustrated the utility of the hn system in displaying a typical departure from normal conditions, Degree of departure? j
.1 J The SPDS is made up of a primary display and 86 other trend, emergency, and diagnostic displays. The color conventions used are green for normal
, conditions, red for abnormal conditions, yellow with a numerical value for non-verifiable data, and yellow / blank if no signals are available. In addition, the numerical values are displayed on the appropriate scale or mimic display. There is some use of blinking to indicate such occurrences I as scrams. The mimic displays are clear and easy to read and it is very y simple to call up the displays using menus.
9
]
J t
.)
~
. o 7
The degree of departure is indicated by digital values on the primary display. The degree of departure is also indicated graphically and 3
digitally on the emergency display and trend display. The diagnostic dis-play indicates the degree of departure in digitally displayed images.
j The degree of departure from normal conditions is shown on the primary display by means of bar graphs (water levels) and through the presentation
- of actual values (pressures and temperatures). Colors are used to indicate the improper response to commands of some digital values. Actual values of items such as the flows in emergency systems are' shown on sub-level
, di spl ays .
I -
SPDS has capability to store and recall information?
Yes. One useful feature of this system is that any abnormal condition causes the automatic turnon of the system, the recording of the previous two hours of information and the recording of all data until the system is
, manually deactivated. This allows the detailed analysis of each abnormal j event and has already proved its usefulness at Hatch.
The system is capable of displaying 60 minute and 6 minute . trend dis-i plays of many important parameters in the operation of the plant.
J The SPDS archival information can be recalled on the display screens in the form of the primary display, emergency display, trend display, and diagnostic display.
3 .
All archival information displayed on the screens can be printed in q
hard copy.
SPOS has capability to display trends?
lj The SPDS can display 60 and 6 minute trends on 22 trend displays and 11 emergency displays. This is a very valuable advantage of this system.
d l -
Is command structure appropriate to the complexity of the soft-ware? ... to the sophistication of the user?
@, The command structure has been well-designed and is very easy to learn and use. The system has a series of menus and displays can be selected by pressing keys located at the same position as the item location in the menu.
Since the system has three CRTs, it is very flexible in displaying both menus and displays.
. The command structure is simple and appropriate to the sophistication i of the user. Basically the command structure consists of selection of a CRT e (CRT 0, CRT 1, CRT 2), type of display (PRI, TREND, EMER, DIAG, LOG, MAINT) and the specific display within display type. This requires the user to push a minimum of 2 and maximum of 3 buttons.
, 10 J
'I
o -
Upon departure from normal conditions, does the SPDS direct the operator to the appropriate E0P? If not, is this a significant deficiency?
~
In this system it is just the opposite. The emergency operating proce-dures are keyed to the SPDS. The E0P flow charts refer the SRO to specific emergency, trend and diagnostic displays. This is a significant positive aspect of the system.
As stated above, the E0Ps direct the operator to'the SPDS at points in
_. the resolution of an off-normal condition when the SPDS can quickly provide
, valuable information to the operator. This is a plus for the system. The a symptomatic E0Ps have only one entry condition--ANY SCRAM.
1 2.2.5 Potential for misleading operators The system is not yet accepted, and the operators have used it infre-
- quently. Those operators interviewed had received a 4 hour4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> course in the system and seemed pleased. If the system functions reliably as described, then there should be little potential that it will mislead operators. Sig-nals are compensated for off-normal conditions, and situations which might invalidate the displayed data are anticipated and the operators are provided a with messages. (i.e. water level "MAY MISS TRIP" message).
The system updates the primary display every second but may occassion-ally update other displays at a slower rate depending on the selection. Two or three seconds were observed during the demonstrations. The data integ-g rity should be very good since all data comes directly to the ERF/SPDS system and not through the process computer. It is an independent system J and does not have other users.
] The displays are well-designed and include key information but are not j cluttered. The use of yellow for questionable data alerts the STA to non-redundant data.
7
- Parameters are sampled every second, which is adequate to assure detection of significant changes in plant status. The system is dedicated
, to control room operators and therefore not subject to delays caused by demands of other users. Information presented is adequate and little extraneous information is present to distract the operators. The SPDS alerts the user to invalid or questionable data and to systems malfunctions.
2.2.6 Software security
, The software cannot be changed from the operating consoles, and
- password systems are used to prevent unauthorized changes. The problem is
" in software design change control, as no procedures for this important aspect of software maintenance are in place, i
11 1
J
~
The image of the program is loaded into the control room computers.
All program changes are done in the simulator building so it is not possible to make program changes in the control room. All testing is done at the external location.
j Within the control room, the Rolm computer has no editor, no assembler, and no communication lines. In order to install another version of the program a maintenance terminal must be attached to the ERF computer and 3
there is a system of controls and passwords for it use.
, The plant is heavily procedure oriented and proced.res are being
- developed for administrative control of changes of the SPDS when it is J operational.
There is no access to the SPDS from outside the control room, i.e.,
someone outside the control room could not put the SPDS in a test mode without the operators knowledge.
2.3 Design Specifications - Hardware 2.3.1 Design verification and validation
- The design verification and validation program was implemented after the design of the system was in progress and was complicated by a change in
- contractors. At the present time there is a V&V program plan conducted by j' an independent contractor (Bechtel). The documentation reviewed indicates that the review is thorough and does begin at the " requirements" level.
However, because it commenced after many design decisions had been frozen, l it has some of the "back fit" problems noted at other plants, i.e. a reluc-J tance to make expensive changes. Because the system is well designed, this should cause few problems at Hatch. It was difficult to track a change 1 recommended by the V&V reviewer through the approval chain, as this documen-
- tation flow is not procedurized. The V&V plan (letter from H.B. Kassel, Jr.
(Bechtel), to J.R. Jordan (GPC) dated April 25, 1984) is more a scope of work for the reviewer that a plan or procedure. The licensee was able to i
produce documentation showing the status of recommendations, but it took d some doing.
2.3.2 Human Factors Engineering
}
Attachment D provides a human factors assessment of the SPDS displays.
~
The change control procedure does not call for human factors review of changes to equipment or software.
2.3.3 Reliability
]
The system has been well designed and configured to enhance relia-bility. It uses 2 MILSPEC computers, MILSPEC CRTs and other components with
. a long history of reliable operation. The control room installation is F
2 h
u l
Il 1
=_
)'
1
- 1
, designed to withstand the plant design earthquake and class IE isolators have been used. Power supplied to all portions of the SPDS are from a uninterruptable sources. The computers are further backed up from the plant security batteries. As the signals are gathered from primary sources rather 7 than from the process computer, reliability is further enhanced. Signals are multiplexed near their source and are in a loop which can sustain a failure and still provide reliable data to a Cutler-Hammer master multi-
- plexer and then to the SPDS.
2.3.4 Electrical Isolation Class IE optical isolators have been used to isolate the SPDS from the
- signal source. The isolators and the tests to validate their effectiveness are described in Attachment I to the June 7, 1984 letter from L.T. Gucwa m (GPC) to J. F. Stolz (NRC). They appear to be adequate to perform their isolation function, and are another positive example of this well designed (over-designed?) SPDS.
- 3. IMPLEMENTATION
~
3.1 Procurement The use of proven MILSPEC hardware are discussed above. In addition, )
, the plant has a policy of 100 percent spares to support its installed j hardware.
Many documents exist pertaining to the procurement of the equipment.
] t Reliability and dynamic testing were included. .
c 3.2 Installation 1
~
The SPDS is not fully installed and tested. However, the procedures G ...,.
which are being used in the installation of the hardware are exceptional. '
m As each component is installed, it is fully rung out. In some cases, entire vendor supplied racks have been rewired to meet the plant's exacting speci-
= fications. This has resulted in few system bugs during those tests which
.I have been conducted to da.te.
, The SPDS has not been officially accepted but it has been in operation within the control room for some time. It has no official use at the present time but it has been very useful in analyzing scrams and other j
abnormal conditions.
3.3 System Verification and Validation V&V was performed independently by Bechtel, Gaithersburg and included functional validation and verification. It also included design validation and verification.
l
- , 13
+ l 1
1 1
O J,
4
^
l The test program is still under development. Testing has been per-i formed extensively at Georgia Tech, at the Hatch simulator and in the~ con-1 trol room.
~
The V&V plan is being followed. A series of minor problems were iden-
.i" tified such as inconsistent conventions for display and each problem area has been replied to in writing by Georgia Power as to the corrective actions
, taken. This process is ongoing.
- 4. TRAINING .
.J 4.1 Training recipients 3 Training is being provided to all control room personnel. So far, most have received a four hour class which, from interviews, appears to be effec-tive and motivating. TSC and EOF personnel will also be trained, but this program is yet to be formulated.
All control room personnel are being trained in the SPDS as well as other plant personnel and management who would be involved in TSC and E0P.
4.2 Training Program Structure
, Training includes six hours of classroom time and four hours of plant specific simulator time. An exam is also given. The classes have 8-14
} participants and the simulator sessions are limited to four.
l . The four hour SPDS training is a class room course on the design and j use of the system. There are also plans to conduct simulator training.
Training, after the initial indoctrination courses are completed, will be a -
m part d operator requalification training. This will be a one to two hour session.> starting in the 4th quarter of 1985. The simulator training will integrate 'the'SPDS with the use of the E0Ps and involve the operators
., reacting to emergency scenarios. Operating crews are trained as a group, with STAS receiving some extra training.
J, !
4.3 Training Program Content 7
1
~
As stated above, the training program is still conceptual with the exception of the four hour classroom indoctrination. The plan as outlined
- seems adequate. The operator's interviewed seemed knowledgeable and moti-vated.
J 4.4 Performance Measurement
. The trainees are tested during the training; the SPDS will be included in R0/SR0 license examinations as well as in the annual requalification training.
I 14 J
1
- i -
J l
, 5. OPERATION The system has not been declared operational; however, it has been operable in the control room and classroom training has been held. All
, operators interviewed indicated respect for the system and a knowledge of
'j its purpose and operation. They were most pleased with the localization of important plant parameters, and also with the trend information which the
, system provides. The operators also verified their inputs to the system
- design and were happy to see that operator recommended changes to the pri-J mary display had been incorporated. This fact appeared to contribute to their appreciation of the system.
3 There is an operations manual in draft form for the SPDS which appeared to be very comprehensive and usable.
. The SPDS is not intended for use during normal operations but as part of the E0P. However, the operators interviewed felt that it could be used during normal operations since the primary display is visible at all times.
1 It is also capable of displaying trends which are difficult to analyze using J only memory of instantaneous analog displays. It also displays information which is on the back of the control panels and which is normally read by an 1 operator who has left the control room.
3 Readable and comprehensible user manuals are provided.
=
g At the present time the operators do not rely on the SPDS and are aware that the primary user will be the Shift Technical Advisor during abnormal operations.
j The reviewers interviewed an STA, an Operation's Supervisor, a Shift Supervisor, a Reactor Operator, an I&C Engineer and a Training a Representative. Collective highlights from the interviews follow.
1 J
STA. Operations Suoervisor. Shift Supervisor. Reactor Operator The above individuals all received four hours of training on the system. It is not yet operational, and so they had little practical experi-ence. They particularly liked the system schematics, the trending informa-s tion and recall feature and the fact that so much information was available 3 in one place and easily accessible, q One individual wanted a swivel chair installed so he could quickly turn j and look at the control boards (the system requires that the operator have his back to the main control room boards). The others did not consider this
_ a problem. One individual indicated that he would prefer the use of more state-of-the-art computers with more expandability. While the STA is
_ designated as the primary operator during an emergency, the shift supervisor thought he should be the primary operator. The R. O. contributed to the design of the system and said that he would like to see other changes such j
7 as the addition of the status of ECCS systems to the primary display.
. 15
?
a 1
7
- I&C Enaineer The I&C engineer was the Instrumentation Supervisor. He elaborated on his previous presentation and mentioned that GPC policy requires that Instrument Technicians have at least an AA degree. (Navy ETs don't qualify!) .
Trainina
~
The training specialist again described his plans for training which,
, with the exception of the four hour course, are not formalized. No exams on 4
the SPDS have been given. A problem exists in the availability of time to conduct the simulator training, but it is intended to make time during the E0P simulator training. This individual is a G.E. employee. It has not i been determined if GPC or contractor personnel will conduct the follow-on training.
- 6. MAINTENANCE 6.1 Software Maintenance There is a draft formal procedure to control software modifications, but it is not at the same depth as for the hardware. The licensee acknowl-9 edged the need for better procedures and stated his intent to look at Georgia Tech.'s procedures to see if they could be adapted for Hatch use.
- There is an informal process to document observed problems and to track the resolution of them and each revision is documented within each subrou-tine. Each version of the SPDS program is numbered and this number is part of each display and all recorded data. At the present time there is only i
draft documentation of procedures to document specific modifications of the -
SPDS software. This can be viewed as a deficiency and may be compounded if W t GTRI is not retained to perform the software modifications. In a plant 4
where any change to hardware is considered a design change requiring strin-
! gent procedures, it is noticeable that software changes are not given the same level of importance. The proposed procedures will track all changes required by any revision and will control the retesting of the system.
3 At the present time there is no program maintenance manual for program-mers but one is being developed.
) 6.2 Hardware Maintenance a There are procedures for calibration of sensors and for surveillance.
4 J
Present plans are to check SPDS instruments every 24 months until a body of
. knowledge has been developed which would lengthen or shorten this period.
With 13,000 instruments at Hatch, the calibrations must be scheduled otpimally, with plant board instrumentation having the highest priority.
- 16 3
.i
6 Hardware maintenance planning for the SPDS indicates the need for six to eight additional instrument technicians to support the system, and steps are being taken to acquire these individuals.
^
There are 100 percent spares back-up for the SPDS. The spares control and maintenance system is presently being automated. The system was demon-strated by the licensee and appears to be adequate to provide quick support to the SPDS in the event of system component failure.
6.3 Configuration Control '
] 4 The plant change control procedure calls for hardware configuration to be maintained by the use of a formal design change procedure whenever a part is replaced with one which is different even though its function is identi- '
1 cal. This forces a very stringent control mechanism on what might, at other plants, be accomplished using less complex work order procedures. The control procedure requires that all documentation, including operating procedures, be reviewed and revised if necessary.
Software configuration control has not been addressed.
~
There are currently weak procedural controls for identifying and
, approving changes to the SPDS with little planning for future phases of the life cycle. There are currently no plans to include human factors personnel 7 in the approval process. In addition, the process does not provide for-j strict documentation controls.
, Human factors personnel are not included in the review process for
- either hardware or software changes.
1
- %2 .' Q l
a 1
J i
J W'
M Q
17 I
- l. .
1- .
t .
'd 9
-?
S
.)
- s L]
7 i
- J e
ATTACHiENT A CRITICAL SAFETY FUNCTION PARAMETERS
'l 2
7 9
- 4 3
,4 e
il e
I a
18 Il
'e
_ _ . , ---m
9 ATTACHMENT A CRITICAL SAFETY FUNCTION PARAMETERS SAFETY FUNCTION PARAMETER RANGE ,
, Reactivity Control - Source range counts 10-1 to 10+6 counts /sec.
Average power 0 to 125%
- Rod position All rods in Standby liquid control pump pressure
- tank level J
Reactor Core Cooling - Reactor water level -317 in to 383 inches 7 and Primary Heat - Reactor pressure O to 1500 PSIG
~
1 Removal -
Torus water level O to 300 inches
- Torus water temperature O to 250 0F 0 0
- O to 400 F (0 to 500 F i Unit 1)
SRV position Open/ closed Primary containment Demand met / Demand not met Isolation status j - Rod position All rods in Drywell pressure -10 to 250 PSIG
- - Drywell temperature 00 to 4000 (0 to 5000F
_ Unit 1)
.y Reactor Coolant - Reactor water level -317 to'383 inches i System Integrity -
Reactor pressure O to 1500 PSIG
- Torus level 0 to 300 inches
- Torus pressure -10 to 90 PSIG
- Torus water temperature 50 to 250 0F 0 to 400 F (0 to 500 F Unit 1)
, - Drywell pressure -10 to 250 PSIG
- SRV position Open/close
- Primary system Demand met / Demand not met Isolation
. Reactor Coolant - Drywell temperature 0 to 4000F (0 to 500 0F System Unit 1) i a
malie
] 19 J
.4
- - - , - - - - - ,, ----m, - . - - .
l J- -
T SAFETY FUNCTION PARAMETER RANGE j Radioactivity Control -
Drywell pressure -10 to 250 PSIG
- Drywell temperatures 0 to 400 F (0 to 500 0F
~ Unit 1)
Torus pressure -10 to 90 PSIG J -
Torus-level O to 300 inches
- Torus water temperature 50 to 2500 O to 4000 (0-5000F Unit 1)
- Drywell/ Torus H2 - O to 50%
Concentratiog Drywell/ Torus 0 0 to 30%
J Concentration Primary Containment Demand met / Demand not met
]j Isolations
- Secondary Containment Demand met / Demand not met Isolation
- Unit 1 Reactor Bldg normal range 10+I to 10+6 i vent Activity cpmhighgange5x10-3 to 1.0 x 10- ci/cc j Reactivity Control - Unit 2 Reactor Bldg normal range 10+1 t (continued) vent Activity cpmhighgange5x10-3 to 1.0 x 10 ci/ c hn - Main stack activity normal range 10- t cpmhighgange5x10-3 to 1.0 x 10 ci/cc
.)
4 Containment Conditions - Drywell pressure -10 to 250 PSIG
- Drywell temperature O to 4000F j -
Torus water level 0 to 300 inches
- Torus water temperature 50 to 250 0F 9 to 400 0F q - Torus pressure -10 to 90 PSIG J - Drywell/ Torus H2 0 to 50%
Concentration Drywell/ Torus 02 0 to 30%
1 Concentration
- ) -
Containment Isolation Demand met / Demand not met Status 1
J a 20 j
~
l l
a
.- _ _ _ - - -_ =_ _ _ __
7,
- 0 3
'j
-i
,a ATTACHMENT B SPDS PARAMETER DISPLAYS N (Handout Provided by Georgia Power)
W
.j l
1 I
m 1 -
a v
0
- l. 6 J
9
}
. 21 J
e-
,e a
l-1 (1) 1
] SPDS PARAMETER DISPLAYS 1 NOTE: Signal availability is determined by:
i 0 availability of instrument analog input signal O login/logout status -
~
O parameter velue within acceptable range (not out-of-range high or out-of-range low) 3
. (APRM signal not available also if > 12% deviation from average)
(RPV water level signal not available also if > 6 inch deviation from average)
,y (SRM signals have no out-of-range high or low values) 9 3
j Parameter Rance Display Color Rx Power 0-125% average of avail. green - five or J
(6 signals) signals more signals available and I average below A overpower set-point yellow /value -
less than five signals
]
a available and average below overpower 1 setpoint J
yellow / blank - no signals available d
red - average powel above flow biaset setpoint a
b L
22
. : v.
) >.
U
2 3
(2) w Parrmeter Rance Display Color a
10-1 to 106 cps average of avail. green - when all
]SRM (4 signals) signals detectors for sensc not logged out are y , full-in or full-out (i
yellow / blank - no signals available
'l or detectors in 3 -
transit RPV Pressure 0-1500 psig average if difference green - both signal (2 signals) < 50 psig available and
, ~ max. value if difference difference not 001
> 50 psig and both not over-a pressure 1 yellow /value - only J one signal avail.
or both avail. anc j difference is OOR j
yellow / blank - no signal available red - either channel overpressure 3 (average is still d displayed if both signals available)
I J
l N
L
- OOR = out-of-range 3
t b
E l -
s 0 23 P
l
{,
(3)
W d Parameter Rance Display Color q RPV water level -317 to -17 in.(2) average of available green - 2 or more d -317 t +60 in.(2) compensated signals signals avail. r1
-150 to +60 in.(4)
(average of uncompen- difference not C(
, -17 to +383 in.(1) sated signals if (compensated avet
-i corrections not avail) displayed) a yellow /value - onl:
a one signal avail.
j . or no two signals agree within difference toleri d (6 in. )or drywel:
3 temp. or RPV pressure not ava:
h2 (simple average displayed) yellow / blank - no signals availabl, q
h red - at least onc signal avail. bu' 2 value is high or (if an average it g:_ displayed then
- average is compaz to setpoint)
Drywell temp. 0-SG0 0 F weighted average of green - at least 2 q (14 signals for avail. sensors of 3 groups avai'.
. displayed temp. with at least 2 arranged in 3 groups) signals avail, in
, (6 signals used for each group and reference leg temp.
average temp.
d' for RPV level < 135 0 F compensation)
[ yellow /value - any F group has < 2 signals avail.
yellow / blank - none or only one grou; have avail. signz red - average temp.
> 135 0 F s
24 1
1 (4)
Perameter Rance Display Color Drywell pressure -5 to + 5 psig(2) average of both \
$ ~10 to +90 psig(2) green - both signi l h -O to +250 psig(2) signals from any range (narrow in one range avi l and difference r range is preferred OCR and neither y
i then mid range above overpresst 3 then wide range) setpoint (averaq
~
'is displayed) or 1 one signal in a ,
d -
range is avail.
and is confirmed <
signal in next higher range (Ic range signal is displayed) yellow /value - bot signals in one
' range avail. but difference is CC (average is displayed) or on one signal avail yellow / blank - no signals availabl
!]
red - any signal
-being used for display is above overpressure set 3
point (average i j still displayed both signals fro same range avail i
1 b
i s )
i
[ l ke !
i ,
25 b
I e
k
~'
J*
, (5) j Pirameter Rance Display Color
, Drywell/ Torus 02:0-10% and normally one signal green - channels A el H2 &02 0-30% for each area (highest and B both avail value is displayed if and difference n H2 :0-10% and both channels are OOR
] ,
0-50% sampling same area)
(2 channels, each yellow /value - onl:
q of which can one channel avai-sample drywell or or both channels d .
avail. but Torus) difference is 001 1-d yellow-blank - no signals available f red - any available signal above con-1 centration limit i
Torus pressure -10 to +90 psig average of two (2 signals) green - both signa:
signals avail. and J (max. value if s,ignal difference difference not CC el is OOR) -
kJ yellow /value - on13 one signal avail.
or both signals avail. but difference is OOE yellow / blank - no signals available red / blank - both signals OCR high red - either signal l
overpressure
~
(average is still displayed) s il b
26 D
Pt if j
i 3 (6)
Parameter Rance Display Color Torus water 133 to 163 in.(2) average if both green - both sign 3
level o to 300 in.(2) signals from same from one range
" range available avail and (narrow range is preferred) difference not or one narrow r signal avail, a can be confirme 1 one wide range j -
signal (narrow signal is displayed) yellow /value - bo signals from on range avail. bu difference is o (average is displayed) or o L@J avail, signal i one wide range e one unverified narrow range yellow / blank - no signals availab:
red - any signal being used for i'
display exceeds high or low limi (average still 9 --- displayed) 1, \ -2 . Q-a 3
h 27 n
u Il it y
l
T . *
(7) e
'f Parameter Rance Display Color Torus water 50 to 2500F(11) average of avail.
'1., temperature green - 2 or more O to 5000F(4) signals signals availat (15 signals are divided into 3 in each group a 1 groups) average temp
- s 4
<95 0 F yellow /value - 2 1
groups have at j -
least one signa avail., but all
,[ groups do not h d 2 or more signa available 3
yellow / blank - no d signals avail, two or three gr l
red - average ten
>95 0 F 3 Main Stack normal:10-1 to average of signals green - not in radiation 10 6cps (2) if on narrow range
$ wide:S X 10-3 to wide range and :
JJ narrow range 1 x 10-5uci/cc(1) signals avail. i diff erence not (
k yellow /value - no wide range and c narrow range sis not avail. or difference betwe
.; narrow range si; OOR yellow / blank - not
-wide range and t c ~
narrow range signals not avai A
or if in wide ra d and wide range signal not avail
}a red - wide range signal indicated W
0 G
m-u 28 I-}
a 24 i.
1L (8)
Parameter Rance Display Color Rx Building narrow:101 to average of signals same as Main Stack
- Ventilation 10 6 cpm if on narrow range Radiation a Radiation wide:S x 10-3(2) to 1 x'10 5 uci/cc(1) 7 j
w
,i -
N t
s
'i
,b a
l 7
l a
]
J F1
..d n
n+
?b m
'.1 d
F T.
29 a
]
J
3
]'.
.b
?]
o 1
m-t s4 .
, ATTACHMENT C b SAMPLE SPDS FORMATS M..a m
Ak a
'l
- a ad 3
_1 J
l J
n 1
4
- y 30 i
n a
-- w w a Nrw tu c2 aw a uo.. e 23 - ca su tc..a tu.s u._..a .. .a u tih?-2 .-. :. . _i- [4 11 TENT POWER
<j
~
(
'2' g fg] HHP 1 M uci..c
- 30 - -
HNP 2IN35 5 uc ce
'" STACK M ne vee IN se-SRM 23 9- c y,*J g ,
[+ ,
a 2
ISOLATION PRIHANY f 2n 2': 2D 2E N E N*' i iE:
109 1
U2 % SEc0 HOARY g
,e
~ wim
"" g g 4
Y MI w 2M
'm a e
u%m I"s l G H U2 1 g IAA 00 .s.'.
..-4 l
'/
1
O f
d F1 O
i J
7
.I a
k.
5 N M. .
'. 9 La , 9
- h @ g 0
') D i 03 P
Ch N
]
3
' t. =
g b,
v 5' h ^
1 I
us w w
LAJ t oc o
w D
- v.
- w LLJ CK Cr3 C f3 t.n
=* LAJ Cac CL
. =, =>
J L.LJ o_
J Om N
D v 9 Q- .
.2 C.
C' .
t QL E'
Z lT
=
1 L*
N c'i$ 3
"- 3 2 S g 8 9 I e
? - E l s
u- c.,
i e i i
g bh o 2 ";P1 ) "l- i. i#' U' .h..I'"v" n
( .U. .1 h.M h.
J w.
+
L 32 t
i r
4
6- -
j 1
1
~
?
W y M..
, C3 W ..
w N N
~ e 'A*Ne e l
vis = = . =
n (*. l
} f Id
- s d
s e = r
@ E
~ .'2 E 9 -
, G.
' E C
= s- ~
_ s=-
- i
~ - se I
a:
~
. x s f[) -2 -S T O
- l. ' I w
Ct' .
F-y _
'l E '
is j o r-r?
x c ?
O _
I
..1, z. z
. .z -
. w .v w
'E i N b ."
>=
3 3
, 2,
,l 4 L
I i
] l '
I. .
}
.. k "' .
d u r.2 l l i !
cu i 1 Lt "Z. l l
(. 3- i <
l S
l s we .f .Se .S<
1 1
3 .
M 33 2
J
' ~ ' - - ' - - - ~ - - - - - - - - - _ _ _ _ , _ _ . __ _ _ _ _ _
re-b e
)
.1 1
- .}
- J 7
.4 C3 N U
9 ao b
in .J w W
- CD . =
, N ,' C
}? D1 .2 3 L %
CD t
c (N!) 13931 d 8 = s I?
. I o 3 J
4 W - c =
n -
i i
~
3 1 ,
-e
- W ,
't y J
a
% 1 ,
y l- ,
a H C e
- j 2 LA'
_1
) ;
^
.., CL '
ri y _ ~
j r s .2--
1 _-
>I a
lJ M
CL. i
- . rx.
- d, o LA nJ I
Jx cU.. 2 a 34 F1
1
.t s
'i i I
n E
~
I .,##
sa .
~
- g a , s#1_ E.
I i
e t i i i li t ii t i i e, i
- i ; i nes 1 >
C l t i OtG9H
~
$ a z I r_ .
_J 3tSSN u.
e iets9s
-4 -, . m o i v.
> .u,. m u -.
= m otsps J .; ,
,..e. i.' ,
~ .. u. ,eetes
- a. w s g i.etes a 6 i _
e
= 6 D -
8 Ese9s
- W IL
- V J 6 2 l
i =
a
=
c e
o - ose9s
- __) C O C g gl a m ,-
= " = si-:s:
5 1
3
.w o s ai
- _s g
W E l
Lt. O to .
W* A t
i p
.:I IJ C a
C I V 1
.g
~H s Z
6 :
e=2 O E w ,_ z g is
.' y
~?
. Y. n. T%e.
r%= W7 u 3. , K. Xa:
w l s t,,;"I R SS l
88 ===8 l
MMAA M{
z -
c>v
>CZ e I i
I 2 UJ3 a war t - l e sv- ,
I
$35 */ ,
l a
N N
~
b
"* 2 WW ' emus. , m.
. . n. m.6 M. wa ,
- d
$d wI i ! a . .-
y-L g
_' 1 vs-L ;' -
e C =
e e c =
e c c
u.
~
n.
y g C C 4 4 M ".
2 C Ch P P P c c c c 3
2 8
I 2 2 2 Z 2 2 7 f '
2 L
3 1
a li a
35 l
e l'
- - . . . - - _ . _ _ . _ _ , _ . . . , _ _ . _ _ . . . _ _ . , . . , , . - - _ . _ , _ _ ~ - . _ . - . . - _ . - -
d-
]
]
BW9_E_TWlE ,m Ew o_ _ .s . 3 m .. N17 g.
U E .MU i
- M..
a - -
m u m. L I .'
a 3.MJM W' .iWFfMSWe ' , 91 -
- Muehe swas:- -- ,
p
_-.;, _;:~ :
[= ; ,u.
c.
L
.3 gm'i(5,a. jtE. :3,
~
k.,kM [W-- f?
m au J . r. .
- 7,
=- w;;;p Wr meu_q g .
t.
M1 g,
..- j l
n : 'i ., .
[x )g.y,%s.-yv. - &.;n cw : L=
. q '. . ,, ,.
y.
a . ,,, , , : .s
.- I-umeq.sw,
-- 2 Ry n s, j; ,'
a g. .,
-n
- g. g ymy .
b? y 2 1 ,.g-.
~ .y h- ... > x .. Yk ? -
.e ...
y.. 7,n; yn
- 2. ,
% i g-t g7-' -
+. LM W I & a,iC m e 4 >4 -
M il. = m a am p mb% M'H
~
g
- hy+ I" 'm<
'I, P m
!I gpfx,. . g!;;
4 6"gi iPh .
-pu
. . - - i
, ;,g .. . . .
h ,
NI*.' 5 l .,
=
6 in en me.'k :'
v.c Q~ir[ r. ;y*
- u f
d 3 LaKWE i
~ '
q =
J !
-) AsEEE u..m a dh %F"i V .;.44A-fu
" n.
l Il 'g,,,f E '5 I lj .;M
- ffj'M' H ;m%d i
- - r f F P.3 _.
[N n e
.t e1 l
~j 4Sg 3.)
{ le l
- . - '.:T.t...
Q, . ij.
%$' bi)t ~-
M~ .: s.
' l 1 v e m-2 t5 -
.25 g,,hp.~g:&.
Iq ~.1;J,:.-
- jy y
[:
} .
~ . " '{G.gpR',JM@ '
H I
g if h .
% l' pg[fg = ~ k*W'" %
r., . fz. h,, 4 +, .a . .d,c m. t". .. mf
- w -e **
t
. . s, mc.
.r m.
. . =. r -> m#v. ktk *=
b
., 36 li
a i
1
- 1 a
,1 ll a
3 8
a 1,
e w
ATTACHMENT D 1
j HUMAN FACTORS ENGINEERING ASSESSMENT l
lk a
l.
,J m
' s s
'l J
l n
>B J
l
] )
37 l
- l 1 1
1
- HUMAN FACTORS CHECKLIST 2.3.2 -Human Factors Engineering Assessment
~
Evaluation plan to assess human factors principles in VDU designs.
Adapted from " Human Engineering Guidelines for the Evaluation and Assessment of Video Display Units" W.E. Gilmore, May,1985.
Score: OK or NO ,
Visual Displays I.
_j a. Evaluate the display for image quality and legibility (by visual
" observation; adjust brightness control)
] 1.
2.
Flicker Contrast Ratio OK OK
- 3. Brightness OK
- 4. Resolution / Sharpness OK
- 5. Phospher Persistence
~
- 6. Glare Control OK
.., 7. Screen Resolution OK Comments:
] b. Screen structure and content J
- 1. Cursor Design
, 2. Text (Prose) Characteristics (text content evaluated later)
! a. Concrete OK
- b. Organized, grouped OK
- c. Easy to comprehend OK l d. Avoids double-negatives OK
. e. consistent format OK
] 3. Labeling
- a. Concise a
- b. Familiar OK
- c. Visibility / legibility Visibility - OK Legibility - OK
- d. Capital vs. lower case Capital
- e. Size graduation OK 4 f. Distinct from data ,
J 9 Consistency OK l
- 4. Messages l 1
~
- a. Factual OK
- b. Short and meaningful OK
- c. Simple sentences N/A 9
d 38 7,e _ _ _ _ . . . . - - . - . , . _ _ _ ~ . _ . , _ _ _- _ _ - ,
].
a.
l
- d. Stated in the affirmative YES
- e. Useful/ understandable Understandable
- 5. Abbreviations
- 6. Error statements
- a. Entry error is flagged OK yellow signal
- b. Statement is specific
. c. Brief and informative OK
- d. Neutral / polite wording OK
- e. Minimize disruption OK
- f. System response time 1 sec j 7. Al phanumerics ,
, a. Code is consistent / standard OK
- b. Meaningful and short OK
, 8. Data Display (obtain a sample page of displayed data) i
- a. Data presented to reduce search time OK
- b. Directly useful for task OK
- c. Consistent / standard OK
- d. Does not rely on user memory OK
- e. Info limited to user needs NO 7 f. Info perceptually organized. OK
- 9. Data Entry 1 a. Devoted function keys or simple command YES
- b. Distinctive prompts
] Comments:
C. Alphanumeric Characters
! 1. Font or style Caps d 2. Character size and proportion OK
- 3. Character case OK
] .
- 4. Emitter size, shape, spacing OK s Comments:
i j D. Screen Organization and Layout q 1. Screen Size (Inspect from normal viewing distance) a 19" diagonal f
q a. Information is discriminative and legible. YES Il n
39 b
5 t . - _ _ .
1-a
- 2. Grouping
- a. Data is functionally or meaningfully grouped. OK
- b. Grouped data is consistently placed. OK
.1
- 3. Display Density
- a. Info density is reduced. OK
- 4. Display Partitioning
. a. Techniques applied to organize screen elements. OK
, 5. Frame Specs / Info Location N/A j 6. Interframe Considerations N/A E. Visual Coding Dimensions (Identify all coding dimensions) q 5 1. Color (See Attachment D)
- 2. Geometric / Shape Coding YES l 3. Pictorial Coding YES a 4. Magnitude Coding YES
- 5. Visual Number Coding YES
- 6. Inclination Coding (Collect relevant dimensions for evaluation against guidelines.)
Use of Color -
o Identify all uses and contexts of color (See Attachment D)
(Text, background, symbols, lines,etc.)
] o Is color used as a redundant means to attract attention?
J (Ex: redundant to blinking) Yellow / blank o Identify which colors displayed simultaneously 1 and which are adjacent to one another.
~
o Does display have a control to adjust brightness?
Does it affect color contrast?
, o What colors used for fine detailed text? White on Black (On what background?)
} o Does use of color exhibit cognitive fidelity with user expectations? (Look at other uses or contexts of color in control room and particularly displayed information.)
]1 YES o Do any colors appear blurred? N0 q o Is any information difficult to read or perceive because 3 of color? NO
, F. Enhancement Coding Dimensions
- s J 1. Brightness
- 2. Blink Coding
- 3. Image Reversal
- 4. Auditory Coding E
40 l.
.e
J l 5. Voice Coding ,
- 6. Audio-Visual Warning and Signal Devices
- a. Visible Alarms Supplement Audible Ones fo.r high noise conditions. OK.
- b. Visible indication is within 60 degrees of direct line of sight. OK g c. Dimensions applied to visible indication for attention-getting and to distinguish priorities. OK
- d. Dimensions combined for high attention-getting value. OK
_ e. Visible dimensions sensed from long-
, viewing distance. OK
- f. Absence of visual indication denotes normal. OK 1 (Collect relevant dimension and applications for later evaluation against guidelines.)
q G. Dynamic Display Characteristics (Observe screen in a dynamic mode to assure that dynamic features can be detected and that dynamic features do not legibility of critical informa-tion.
a
- 1. Display (animated) motion OK - bar charts, trends e 2. Digital counters OK
- 3. Rate of change is perceivable YES
- 4. Graphic displays are updated at a rate consis-q tent with operator data handling capabilities YES H. Information Formats J
] (Short of a task analysis, assess the formats capability to meet operator information requirements.) 1 l
- 1. Format provides concise information needs OK
- 2. Info is limited to immediate needs and direct to actions OK
- 3. Info is directly usable OK
)J 4. Graphic display techniques are limited in variety OK
- 5. Info is displayed to appropriate limits and 1 precision required for actions / decisions J 6. Redundancy is avoided unless needed for reliability OK
& 7. Operator and maintainer info is not combined on a a single display YES
- 8. Failure of display is clear YES m
- 9. Demand and actual status is differentiated N/A
- 10. Format is most natural or expected OK
- 11. Format is effective for environment and ,
viewing conditions OK a
) 41 i:
c ._ _.- _. - . -_ . _
_- _. .. l
~
'j 4
j 12. Formats exhibit " good" H.F. standards:
- a. Legible OK
- b. Uncluttered '
OK
~
- c. Consistent OK
" d. Labeled OK
- e. Visible OK l f. Conspicuous OK J g. Interpretable ,
OK
~, 13. All parts represent the whole (as in multiple j dimensional formats) and are parameters legible and discriminable '
YES l 14. Do formats that attempt to provide pattern d recognition cues actually aid detection of abnormal events? YES J Comments:
, II. Controls
~!
A. Keyboard Layout and Dimensions J
] 1.
2.
Keystroke feedback Key actuation force YES - LED Displays OK
- 3. Key-rollover
$ 4. Key travel j} 5. Key color / labeling characteristics YES
- 6. Key dimension / spacing OK g 7. Keyboard slope OK
' 8. Keyboard thickness OK
- 9. Special function keys YES (Screen Selection J
l 10.
11.
Auxiliary numeric key set Alternate input device NO NO 1 Comments:
0 1
J II d
F l J
42
.9
.] .
3 III. Control / Display Integration N/A A. User Dialogue 3 1. Dialogue design suited to task.
- 2. Menu design
- 4. Compatible with control action YES
~
- b. facilitates accuracy / speed YES ,
- c. Menu hierarchically organized YES a 3. Command language -
(N/A)
- 4. Query language (N/A) 1 5. Natural language YES U
Comments:
3
.i B. System Feedback to User Actions (Question operators and observe VDU)
- 1. Display Update Rate
- a. Time lag between component and display value YES
]; b.
c.
Parameter values and realtime time Update time 3 s or less YES YES
- n 2. Response Time
- a. Values appropriate for task or 1 sec max
- 3. System Status Indication
- a. Adequacy of indicator YES 7
j 4. Routine Status Information f 1 a.
b.
Error messages, prompts Alarm setting basis given i.e., variables covered OK d
and critical values OK
, c. System gives up to date account OK a 5. Performance Job Aids
~j a. User finds system easy to use and helpful for the task 3 (Assess these features for their effectiveness in
" closing the loop" between the operator-machine inter-face)
J 43 0
n .
N kw IV. Workplace Layout A. Anthropometric Aspects of the VDU Workplace 1
3 1. Keyboard dimensions OK
- 2. Screen height and viewing angle OK 7 3. Viewing distance Good j 4. Screen orientation (tilt) Good
- 5. Chair characteristics None
, 6. Hard copy printer Good
. i 7. Health ar.d safety factors None d ,
Comments:
Y 3
c k
il d
v !
[ t l
2 J
fl 44
? . .
1
- )
a i
J 3
U b
ri .
5 Il ATTACMiENT E A
SPDS EXIT MEETING ATTENDEES 8
3 IF: (,. -
'i r
i e
3 a
45 1;
{
1 1
1 J
1
~
}
ATTACHMENT E SPDS EXIT MEETING ATTENDEES October 10, 1985 Name REP i
T. R. Powers GPC Joseph DeBor SAIC -
. Tom Greent GPC 5
) Zachary Walsh GPC 3 Sam Hart GPC Paul Springer GPC Jimmy Wilkes GPC Peter Holmes-Ray USNRC (Resident Insp) 7
.,' Whitney Hansen NRC/COMEX Joanna Frawley NRC/S0HAR S
Leo Beltracios NRC/HFEB la l
1 1
J j 46 l l
1 J
.a
-- ,