ML20151F950

Change 1,Rev 1 to SAIC-86/1797, Summary of Human Factors Activities Related to Cooper Nuclear Station Plant Mgt Info Sys & Spds
ML20151F950
Person / Time
Site: Cooper
Issue date: 06/27/1988
From: Lobner P
SCIENCE APPLICATIONS INTERNATIONAL CORP. (FORMERLY
To:
Shared Package
ML20151F938 List:
References
SAIC-86-1797, NUDOCS 8807280038


Text

SAIC-86/1797

Summary of Human Factors Activities Related to the Cooper Nuclear Station (CNS) Plant Management Information System (PMIS) and Safety Parameter Display System (SPDS)

Peter Lobner

August 20, 1986

Attachment 3

SAIC-86/1797, Rev. 1

Summary of Human Factors Activities Related to the Cooper Nuclear Station (CNS) Plant Management Information System (PMIS) and Safety Parameter Display System (SPDS)

Peter Lobner

June 27, 1988

RECORD OF REVISIONS

Revision: Rev. 1
Date: 6/27/88
Pages involved: Page 8 and 14
Change number: Change No. 1

Table of Contents

1. INTRODUCTION
2. EVOLUTION OF THE SAIC PMIS AND SPDS FOR BOILING WATER REACTORS
2.1 Grand Gulf Emergency Response Information System (ERIS)
2.2 Dynamic Screening Project for EPRI/BWR Owners Group
2.3 Perry Simulator Testing for EPRI/BWR Owners Group
2.4 Fermi 2 Emergency Response Information System (ERIS)
2.5 Shearon Harris and H.B. Robinson Emergency Response Facility Information System (ERFIS)
2.6 Cooper Nuclear Station Plant Management Information System (PMIS)
3. HUMAN FACTORS OF THE CNS PMIS
4. HUMAN FACTORS OF THE CNS SPDS
4.1 Pre-design Human Factors
4.1.1 Human Factors Plan
4.1.2 SPDS User Definition
4.1.3 SPDS Safety Analysis Process for Integrating the SPDS with Normal and Emergency Operating Procedures
4.2 Human Factors During SPDS Design and Development
4.2.1 SAIC SPDS Design Team Human Factors Activities
4.2.1.1 Human Factors as Part of the SAIC Design Team
4.2.1.2 SPDS/Control Room Interface Requirements
A. Preliminary Human Factors Review of Cooper Control Room
B. Instrument Ranges
C. Warning and Alarm Limits
D. SPDS Console Design Human Factors
4.2.1.3 SPDS Man-machine Interface
A. PMIS Support for SPDS Man-machine Interface
B. SPDS Display Format and Content
C. SPDS Display Operation
D. SPDS Data Validation and Indication of Validation Status
4.2.1.4 SPDS Design Documentation
4.2.2 Ongoing NPPD Involvement in the SPDS Design Process
4.2.2.1 Operator Review of Prototype SPDS Displays Prior to CDR
4.2.2.2 Critical Design Review (CDR)
4.2.2.3 Operator Review of Prototype SPDS Displays Following CDR
4.2.2.4 NPPD Engineering Review of SPDS
A. Detailed Review of Display Features and System Operation
B. "Green Board" Concept
C. Plant-specific EOP Limit Curves
4.2.2.5 Factory Acceptance Testing (FAT)
4.2.2.6 Site Acceptance Testing (SAT)
4.2.3 SPDS Training
4.2.3.1 Training Management
4.2.3.2 Training Program
4.3 Functional Validation of SPDS
4.3.1 Prevalidation Training of NPPD Operators
4.3.2 Man-in-the-loop Testing of SPDS
4.4 Post-installation Reviews
4.4.1 NPPD Engineering Review Prior to Declaring the SPDS Operational
4.4.2 Post-installation Human Factors Plan Compliance Checklist Review of SPDS
4.5 CNS SPDS Reaches Operational Status
5. INDEPENDENT VALIDATION AND VERIFICATION (V&V) OF THE CNS PMIS/SPDS
6. REFERENCES

1. INTRODUCTION

The Plant Management Information System (PMIS) and the Safety Parameter Display System (SPDS) designed by Science Applications International Corporation (SAIC) and installed at the Cooper Nuclear Station (CNS) are mature, evolutionary products that incorporate human factors engineering features derived from many sources. This report provides a summary of the various human factors inputs and reviews that led to the PMIS/SPDS configuration as installed at CNS. This report is not intended as a stand-alone document. The reader must consult the various references in this report for specific details regarding the implementation of human factors engineering in the design and development of the PMIS/SPDS for the Cooper Nuclear Station.

2. EVOLUTION OF THE SAIC PMIS AND SPDS FOR BOILING WATER REACTORS

The PMIS/SPDS installed at the Cooper Nuclear Station is an evolutionary SAIC product that benefitted from human factors design and development activities and human factors reviews on prior projects. The basic evolutionary cycle of the CNS SPDS is shown in Figure 1. Major elements of this development cycle are discussed in this section.

2.1 Grand Gulf Emergency Response Information System (ERIS)

The Grand Gulf ERIS, which included the SPDS, was developed while NRC requirements for the SPDS were still in the formative stage. This early system was built by SAIC using dual SEL 32/27 CPUs, Ramtek terminals and a Validyne data acquisition system. This project led to the development of the original architecture for the SAIC PMIS for use with SEL computers and the Validyne data acquisition front end. Basic features of the man-machine interface were developed to meet requirements established by the users of the system.

The Grand Gulf SPDS displays were developed largely by the utility (Mississippi Power and Light Co.) with support from SAIC in the areas of: (a) parameter selection, (b) specification of basic operating capabilities of bar, trend, and tabular data displays, (c) basic display design, and (d) human factors review of prototype displays. The monitoring requirements of the SPDS were developed based on a review of the accident analysis in the Grand Gulf Final Safety Analysis Report (FSAR), the actual control room monitoring capabilities, NRC guidelines in the July 1980 draft Rev. 2 version of Regulatory Guide 1.97 (Ref 1), and other NRC guidelines related to the planned Nuclear Data Link (NDL).

Working meetings with plant engineering and operating staff members led to the definition of the initial set of SPDS displays implemented at Grand Gulf. These working meetings provided important insight into the general types of display features and operating characteristics needed to create a reasonable man-machine interface environment.

2.2 Dynamic Screening Program for EPRI/BWR Owners Group

In the Dynamic Screening Program, SAIC took basic SPDS display concepts developed by the BWR Owners Group (BWROG), developed detailed SPDS display designs which included some features from the Grand Gulf SPDS, and developed man-machine interface software and other software to drive these displays in simulated real time using data from the Browns Ferry Simulator. The types of displays evaluated in this project included: (a) bar charts, (b) trend plots, (c) x-y plots, (d) mimics, (e) Safety Function Indicator (SFI) boxes, (f) equipment status indicator boxes, and (g) iconic displays. Using review procedures developed by human factors specialists from Sandia National Laboratories, all SPDS displays were "screened" by operating and engineering personnel from BWR utilities. The results of these technical and human factors reviews were incorporated by SAIC in the design of an improved Graphic Display System (GDS) that was tested at the Perry simulator. Details of the Dynamic Screening Program and the program results are described fully in ALO-1003 (Ref 2).

The hardware for the Dynamic Screening Project included a single PDP 11/23 and multiple Ramtek terminals. All plant data to drive the SPDS displays was collected on tape during simulated accident conditions at the Browns Ferry simulator, and transferred to disk for use during the actual screening. There was no data acquisition system.

[Figure 1. Evolutionary cycle of the CNS SPDS]

This particular project led to the definition of the three-level hierarchy of BWR SPDS displays which included Safety Function Indicators (SFIs) at the bottom of all SPDS displays. In SAIC's present BWR SPDS design these SFIs actually constitute the SPDS "overview" display required by the NRC. This basic philosophy was validated by results of the Dynamic Screening Program.

The basic three-level display hierarchy developed in the Dynamic Screening Program has carried through to SAIC's present design of the BWR SPDS displays. For example, the Level 1 displays contain general plant data that is most useful during normal plant operations. The Level 2 displays are related directly to the safety functions identified in NUREG-0737, Supplement 1 (Ref 3) and to the entry conditions from normal plant operation into the symptom-oriented BWR Emergency Operating Procedures (EOPs). The Level 3 displays support the detailed implementation of the EOPs and contain the x-y plots and other information needed by the operator at key decision points in the EOPs.

Other human factors design features carried over into the present SAIC design of the BWR SPDS include: (a) use of both bar chart and trend plots in the Level 2 displays, (b) use of a reactor vessel mimic to show the dynamic relationship between reactor vessel water level and the reactor core, and (c) use of equipment status indicator boxes.

2.3 Perry Simulator Testing for EPRI/BWR Owners Group

In this program, SAIC installed the hardware from the Dynamic Screening Program at the Perry simulator and updated the GDS displays to reflect the design and human factors lessons learned during the screening of the earlier displays. This time the GDS displays were installed in a control room environment, and were driven directly by the Perry simulator. The updated GDS displays were again evaluated by operating and engineering personnel from BWR utilities and tests were conducted of control room crew efficiency with and without the GDS. Details of this program are reported in ALO-1019 (Ref 4).

Included in this report are human factors considerations and guidelines that were developed from the results of the GDS simulator evaluation program. These basic human factors guidelines were factored into the design of SAIC's next BWR SPDS project at the Fermi 2 nuclear plant.

2.4 Fermi 2 Emergency Response Information System (ERIS)

The Fermi 2 ERIS includes an SPDS subsystem that was designed to meet current NRC requirements. The ERIS hardware included dual SEL 32/7780 CPUs, Industrial Data Terminal (IDT) consoles and a Validyne data acquisition system. This particular system represented a great improvement over the SAIC system installed at Grand Gulf, and included the capability for automatic fail-over to the backup computer in the event of a failure of the primary computer. PMIS architecture was updated to incorporate greater flexibility in the static and dynamic display editors, a more powerful data base, and improved man-machine interface (MMI) features. The PMIS software was revised to incorporate mature routines from the SEL POWERPLEX software. Further PMIS changes were necessary to interface with and take advantage of features of the IDT consoles. The IDTs included several improvements over the Ramtek terminals, including (a) local bubble memory for storing display statics, and (b) greater resolution. The bubble memory reduced the amount of communications needed between the host CPU and the terminal in order to bring up a new display, and hence, improved the responsiveness of the PMIS and SPDS.

The resulting PMIS configuration served as the baseline for the CNS PMIS and the systems installed at the Shearon Harris and H.B. Robinson PWR plants.

The SPDS displays for Fermi 2 were developed based on the results of the BWROG displays that were tested at the Perry simulator. These displays retained the three-level display hierarchy and Safety Function Indicators at the bottom of all displays. Display development was supported by SAIC, but final display design was largely the role of the utility engineering staff. Final display design incorporated improvements based on: (a) the current versions of the plant-specific symptom-oriented Emergency Operating Procedures, (b) current NRC human factors guidelines, and (c) reviews by the Fermi 2 operating staff.

Fermi 2 SPDS displays thus represented a further maturing of the BWROG displays in areas of interfacing with EOPs and the control room environment, and user involvement in the design and human factors engineering process. A unique new display included in the Fermi 2 SPDS was a suppression pool mimic Level 2 display. This particular display consisted of a plan view of the suppression pool, eight sector water temperature readings, and status indicators for safety relief valves and turbine-driven pumps that discharge steam to the suppression pool. This display was incorporated in the CNS SPDS because it was judged by the Fermi 2 operators to be useful in evaluating the status of the reactor coolant system integrity and containment integrity safety functions.

2.5 Shearon Harris and H.B. Robinson Emergency Response Facility Information Systems (ERFIS)

The ERFIS installations at Shearon Harris and H.B. Robinson were the first such systems delivered by SAIC to a PWR plant. A new data acquisition/data concentrator front end from Computer Products Inc. (CPI) was introduced in these projects, and was carried over to the CNS and other PMIS projects. This new front end provided the opportunity to unload certain data handling and communications tasks from the host CPU and improve the performance of the PMIS and SPDS. In these projects, the SAIC SPDS design team gained further experience in implementing current NRC human factors guidelines and working with utility engineering and operating staff to develop an effective man-machine interface to support PMIS and SPDS operation.

2.6 Cooper Nuclear Station Plant Management Information System (PMIS)

The baseline for the CNS PMIS was the SEL-based ERIS installed at the Fermi 2 nuclear plant. Significant changes were required to transport the SEL based PMIS to the dual VAX computers used for the CNS PMIS. Complete lists of data acquisition, computer and display hardware for the CNS PMIS are included in Section 1 of the Functional Specification (Ref 5). Major changes also were made to improve the data base as a result of experience gained at Fermi 2. The CNS data base became the baseline for subsequent SAIC PMIS projects. Other evolutionary changes were implemented on the CNS PMIS to improve the man-machine interface, the flexibility of display editors, and the speed of the SPDS.

The CNS SPDS displays were developed by SAIC by starting with the Fermi 2 displays, developing prototype displays for CNS with the aid of direct human factors input on the SAIC project team, and then working with CNS engineering and operating staff to produce the final displays which were tailored to the CNS application.

Independent validation and verification (V&V) activities during PMIS/SPDS development, man-in-the-loop SPDS testing at CNS, and a final human factors review of the SPDS displays at CNS completed the evolution of the design as well as the human factors and engineering development of the CNS PMIS and the SPDS subsystem.

3. HUMAN FACTORS OF THE CNS PMIS

Basic human factors considerations for the CNS PMIS relate to the design of the man-machine interface (MMI). These considerations are defined in Section 3.1 of the Functional Specification (Ref 5), where basic requirements for the Human Factors Plan (Ref 6) are established. As an evolutionary product, many general features of the PMIS, including the basic MMI and the non-SPDS displays, reflect the results of an on-going product improvement process by SAIC that considers both formal and informal human factors reviews by users of the system. The CNS PMIS is a third generation product (i.e. Grand Gulf, Fermi 2, and CNS).

The SPDS is a major application that operates under PMIS, and it uses the basic MMI features available on PMIS. The Human Factors Plan was implemented in detail on the CNS SPDS (see Section 4) and included a review of relevant portions of the PMIS MMI.

A separate human factors engineering review of the CNS PMIS consoles was conducted in 1984 prior to installation (Ref 7). Outstanding items identified during this review were reexamined in 1986 during the post-installation human factors review of the SPDS (Ref 8).

No major outstanding human factors discrepancies were identified during this review. The independent review activities of the V&V team provided further assurances that human factors considerations were satisfied in the design of the CNS PMIS.

4. HUMAN FACTORS OF THE CNS SPDS

The SPDS is a major application that operates under PMIS. Basic guidelines for the human factors design considerations to be included in an SPDS are found in NUREG-0700, NUREG-0737, Supplement 1, and NUREG-0835 (Refs 9, 3 and 10, respectively). These guidelines have been satisfied in the design of the CNS SPDS and the relevant portions of the PMIS that support SPDS operation.

4.1 Pre-design Human Factors

4.1.1 Human Factors Plan

At the start of the CNS PMIS/SPDS project, the Implementation Plan (Ref 11) was developed to describe at a high level how the various project activities, including human factors, were to be integrated in the SPDS development process. The Human Factors Plan (Ref 6) also was developed early in the CNS PMIS/SPDS project, based on NRC requirements and guidelines established in NUREG-0700 and NUREG-0737, Supplement 1 (Refs 9, 3 and 10, respectively). This Human Factors Plan served as the basis for the human factors design and review activities performed during this project.

4.1.2 User Definition

The SPDS user is defined in Section 2.1 of the Human Factors Plan. This user definition was developed based on discussions with NPPD engineering and operations staff, and reflects the plant-specific implementation of the SPDS at the Cooper Nuclear Station.

4.1.3 SPDS Safety Analysis Process for Integrating the SPDS with Normal and Emergency Operating Procedures (EOPs)

An SPDS safety analysis (Ref 12) was performed to establish basic SPDS monitoring requirements that were compatible with the CNS user definition. The safety analysis considered information needed to: (a) support the determination of safety function status as required by NUREG-0737, Supplement 1 (Ref 3), and (b) support use of the symptom-oriented EOPs being developed for CNS. The safety functions supported by the CNS SPDS are the following:

Reactivity Control
Core Cooling
Coolant System Integrity
Containment Integrity
Radioactive Release

The portions of the EOPs supported by the CNS SPDS are the following:

All two-parameter (i.e. x-y) limits
Other selected decision points involving particularly complex decision logic

The safety analysis served as a starting point for the design of the prototype displays for CNS by identifying the particular relevant variables that would be available in the PMIS data base for use by the SPDS. The Fermi 2 SPDS and the prior work by the BWROG served as the primary basis for partitioning the identified data points among the various SPDS displays.

To enhance the usefulness of the SPDS during normal operations, the Level 1 display presents narrow range data on key plant variables, and also includes the Safety Function Indicators which are common to all SPDS and PMIS displays.

The Level 2 displays present wide range instrument data and additional variables related to individual safety functions. The Revision 3 version of Regulatory Guide 1.97 (Ref 1) was reviewed to help define which variables related to each safety function. The Level 3 displays present x-y graphic plots and other data intended to support implementation of the EOPs. Development of the Level 3 SPDS displays included several iterations to reflect EOP development activities undertaken by NPPD. The inherent flexibility of PMIS/SPDS software enables the Level 3 displays to be easily revised when changes to the EOPs are made in the future.

4.2 Human Factors During SPDS Design and Development

Development of the CNS SPDS included human factors inputs from both SAIC and NPPD. This section provides an overview of the major human factors activities during design and development of the CNS SPDS.

4.2.1 SAIC SPDS Design Team Human Factors Activities

4.2.1.1 Human Factors as Part of the SAIC Design Team

The SAIC design team included human factors specialists, ensuring that human factors considerations were included in the design and development of the CNS SPDS from the start of the project.

4.2.1.2 SPDS/Control Room Interface Requirements

A. Preliminary Human Factors Review of Cooper Control Room

The results of the preliminary human factors review of the CNS control room (Ref 13) were provided to the SAIC design team by NPPD. There were no significant findings in this review that had an impact on the design of the CNS SPDS.

B. Instrument Ranges

The instrument ranges available to the SPDS are the full instrument ranges of the respective instruments. An analog PMIS input/output list prepared by Burns and Roe, Inc. (Ref 14) for NPPD was the original source document used in defining instrument ranges for use in the PMIS data base and in the SPDS display design process. Inspection of control room instruments provided confirmation where necessary. The PMIS data base now has been completed and reviewed by NPPD and is the authoritative reference for analog instrument range specifications.

C. Warning and Alarm Limits

Relevant warning and alarm limits are specified in the PMIS data base for each data point. A maximum of four limits can be specified.

Alarm High
Warning High
Warning Low
Alarm Low

Any alarm or warning that is not applicable to a particular data point is set to "NA" in the PMIS data base.

NPPD has chosen to set warning and alarm limits for SPDS data points to the operating limits actually set on control room instruments. This will ensure that control room instrumentation and the SPDS will have similar alarm response.

The operating limits at CNS are set to more conservative values than those defined in CNS Technical Specifications (Ref 15), and the CNS Updated Safety Analysis Report (Ref 16).

D. SPDS Console Design Human Factors

The human factors review of the PMIS consoles described in Section 3 included a review of the SPDS consoles.

4.2.1.3 SPDS Man-Machine Interface

A. PMIS Support for the SPDS Man-Machine Interface

The IDT terminals and associated keyboards are the basic points of interface between the user and the SPDS. A summary of the major features of an IDT terminal is presented in Section 1 of the Functional Specification (Ref 5). The keyboard design, the basic layout of the display console CRTs, and the console operating philosophy are defined in Appendix B of the Functional Specification.

Operation of the SPDS is dependent on the following PMIS software subsystems:

PMIS Executive Subsystem
Inter-CPU Communications Subsystem
Data Base Subsystem
Data Acquisition/Archiving Subsystem
Data Retrieval Subsystem
Man-Machine Executive Subsystem
Man-Machine Support Software Subsystem
Log/Report Subsystem
Display Compiler Utility Subsystem
SPDS Subsystem
Software Support Services Subsystem
Software Utilities Subsystem

Most of these software subsystems are "transparent" to the user and therefore are not directly involved in the issue of man-machine interface design. The man-machine executive and support subsystems, and the SPDS subsystem are related to the MMI design, and are described below.

The Man-Machine Executive Subsystem is that portion of the PMIS responsible for the outputs to and inputs from the workstation CRTs, including SPDS terminals. That is, it controls the presentation of displays which represent the current operating status and point values of the system, and the operator console functions which allow selection of requested displays. The Man-Machine Executive package is directly responsible for the following:

Process and verify IDT security levels
Control display task flow (Man-Machine Support Software flow)
Update time and date fields every second to each IDT
Update SPDS safety function indicator blocks on each SPDS display every second
Respond to IDT inputs from users

The MMI support software consists of all IDT displays in the system, including SPDS menu, bar, trend, x-y plot, and other displays.

The SPDS subsystem includes software specially written to support those SPDS functions and calculations that are not supported by routines available within PMIS. Every effort has been made in the design of the CNS SPDS to maximize the use of PMIS routines to support SPDS operation. As a result, the SPDS subsystem includes only software associated with:

Calculation of SPDS External Real Values and Quantities (Module SPCALZ)
Data for x-y limit curves (file SPDSCURVS.D)

An overview of the other PMIS software subsystems listed above is presented in Section 1 of the Functional Specification (Ref 5).

B. SPDS Display Format and Content

As noted previously, basic CRT display format conventions for PMIS and SPDS displays are defined in the Functional Specification (Ref 5). All CRT displays are divided into the following areas:

Current Date and Time Area (CDTA)
System Alarm Area (SAA)
SPDS Status Area (SSA)
General and Graphic Display Area (GGDA)
Operator Communication Area (OCA)
Function Key Area (FKA)
Color Gun Area (CGA)

The Safety Function Indicators (SFIs) appear in the SPDS Status Area on all PMIS and SPDS displays, thereby providing an immediate overview of the functional safety status of the plant. The SPDS menu, bar, trend, and x-y plots are presented in the general and graphic display area. The SPDS format and content is described fully in Sections 7 to 9 of the project report 503-8500000-78 (Ref 17). Operation of the other CRT areas listed above is described in Appendix B of the Functional Specification (Ref 5).

The use of consistent PMIS and SPDS display format is a key human factors design convention that helps the operator to rapidly focus on the desired information when a new display is called up.

C. SPDS Display Operation

Operation of the SPDS displays is thoroughly documented in Sections 7 to 9 of project report 503-8500000-78 (Ref 17). Operator interface with the IDT consoles is described in detail in the PMIS Operators Manual (Ref 18).

D. SPDS Data Validation and Indication of Validation Status

SPDS data validation and methods of indicating validation status are thoroughly described in Section 2 of project report 503-8500000-78 (Ref 17).

4.2.1.4 SPDS Design Documentation

The CNS SPDS design is thoroughly documented in project report 503-8500000-78 (Ref 17). The scope of this report has been significantly expanded through four revisions based on input from the SAIC design team, NPPD, and the independent V&V team. Design documentation for the PMIS is provided in separate project reports.

4.2.2 Ongoing NPPD Involvement in the SPDS Design Process

The NPPD engineering and operating staff has taken an active role in design and human factors engineering of the CNS SPDS. Lead engineers at the CNS site and the NPPD corporate engineering offices monitored the SAIC SPDS design progress and served as the principal source of engineering review by NPPD. On many occasions the plant operating staff reviewed the developing SPDS design to ensure that the system would meet user needs.

Major NPPD contributions to the human factors design of the CNS SPDS are defined below.

4.2.2.1 Operator Review of Prototype SPDS Displays Prior to CDR

It was important both to NPPD and the SAIC design team to get early feedback from the CNS operating and engineering staff on the prototype SPDS displays. To assist in this matter, photographs and slides of BWR SPDS displays from prior projects (Dynamic Screening, Perry Simulator GDS, and Fermi 2 ERIS) were shown to the operating staff at CNS in March 1984. Input from the operators was collected with the aid of the SPDS Display Characteristics Questionnaire in the Human Factors Plan (Ref 6), which then was in final draft form. Input from the operating staff was primarily of value in defining gross display features for the CNS SPDS (i.e. horizontal bars rather than vertical bars). The inputs were factored into the prototype CNS SPDS displays presented at the Critical Design Review (CDR).

4.2.2.2 Critical Design Review (CDR)

The CDR was held in April 1984 and involved a presentation to NPPD by SAIC of the major features of the PMIS/SPDS which were then in the early stages of development. Subjects covered in the CDR included: (a) PMIS man-machine interface, (b) SPDS, (c) test plan, (d) training, (e) human factors, and (f) verification and validation (Refs 19 and 20).

Demonstrations of the MMI features were included in the CDR. Also available at CDR were the Human Factors Plan (Ref 6), the SPDS Safety Analysis (Ref 12), and the first draft of the SPDS detailed description document (Ref 17). Comments received from NPPD following CDR led to refinements in the SPDS design to reflect considerations related to: (a) priority of information needed by operators during accident conditions, (b) EOP development, and (c) user preferences.


4.2.2.3 Operator Review of Prototype SPDS Displays Following CDR

The IDT terminals used in the CNS PMIS/SPDS have local bubble memory that normally is used to store all display static features. To get additional input from the CNS operating and engineering staff, a full set of static SPDS displays was loaded into bubble memory of IDT terminals placed in the CNS control room and the NPPD corporate offices. These static displays included all normal color-coded features in bar, trend, mimic, and x-y plots.

Again, the SPDS Display Characteristics Questionnaire in the Human Factors Plan (Ref 6) was used to collect operator and engineering input on the prototype SPDS displays. The use of the IDT terminals provided a relatively realistic presentation of how the actual SPDS displays would appear in the CNS control room. Therefore, the operators were able to provide many useful and detailed comments regarding the format, content, color, and scaling of features in the individual SPDS displays. Dynamic operation of the displays could not be assessed at this point.

4.2.2.4 NPPD Engineering Review of SPDS

A. Detailed Review of Display Features and System Operation

The display review process used with the CNS operating staff was also applied to the NPPD engineering staff. In addition, the NPPD engineering staff conducted detailed reviews of all SPDS design documentation, and contributed to the overall quality of the CNS SPDS.

B. "Green Board" Concept

The NPPD engineering staff developed the "Green Board" concept which was applied to the color-coding of various features of the individual SPDS displays.

In principle, the "Green Board" concept requires that an SPDS display show GREEN color coding for all features related to variables that are in the normal range or are in a normal state for the current plant operating mode.

The PMIS supports the extensive color coding of display features, including the following:

GREEN: Normal
YELLOW: Warning
RED: Alarm
MAGENTA: Validation failure

Complete details of PMIS color coding conventions are included in the Functional Specification (Ref 5), and the specific application to the SPDS is described in project report 503-8500000-78 (Ref 17).

To implement the "Green Board" concept, relatively minor changes were made to certain status indicator boxes in the SPDS displays. The resulting displays made it easier for the operators to identify unusual plant conditions at a glance.

C. Plant-Specific EOP Limit Curves

NPPD was developing plant-specific Emergency Operating Procedures in parallel with the SPDS. The Level 3 SPDS displays were updated when necessary to reflect the most current versions of the x-y limit curves in the CNS EOPs. The SPDS thereby was consistent with the training that the plant operators were receiving on EOPs.

4.2.2.5 Factory Acceptance Testing (FAT)

The Test Plan (Ref 21) defines the PMIS and SPDS testing activities that were conducted during FAT. These tests were monitored by NPPD and by the independent verification and validation (V&V) team. The FAT demonstrated proper integration of the PMIS/SPDS, and proper dynamic response to test inputs. Discrepancies that were noted during FAT were documented for later resolution.

4.2.2.6 Site Acceptance Testing (SAT)

The SAT repeated tests conducted during FAT following installation of the PMIS/SPDS at the CNS site. Many of the discrepancies noted during the FAT had been corrected prior to SAT, and the related discrepancy documentation was cleared. Resolution of outstanding discrepancies continued as action items for SAIC and NPPD.

4.2.3 SPDS Training

4.2.3.1 Training Management

NPPD has responsibility for overall training management related to the SPDS. Recommendations for management of SPDS training were provided by SAIC in Section 2.5 of the Human Factors Plan (Ref 6).

4.2.3.2 Training Program

An overview of the SPDS training program is presented in the Implementation Plan (Ref 11). Detailed PMIS/SPDS training courses were presented by SAIC to NPPD personnel to prepare them for acceptance and operation of the PMIS/SPDS. Content of the SAIC training courses was reviewed and approved by NPPD prior to the actual training sessions.

NPPD supplemented the SPDS training with other courses related to emergency response, emergency operating procedures, and control room upgrades.

4.3 Functional Validation of SPDS

The functional validation of the CNS SPDS was performed in late 1985 using simulated plant transient data to drive the SPDS displays during a man-in-the-loop review process involving the plant operating and engineering staff. The plant data to drive the SPDS displays during the man-in-the-loop test was adapted from the Browns Ferry simulator data used by SAIC in the Dynamic Screening Program described in Section 2.2. The reviewer comments were documented on Display Characteristics Questionnaires from the Human Factors Plan (Ref 6).

4.3.1 Pre-validation Training of NPPD Operators

Prior to the functional validation test, all NPPD participants had been through the PMIS/SPDS training program described in Section 4.2.3. Additional training was provided relevant to the goals of the functional validation test and the operation of the SPDS with simulated plant transient data.


4.3.2 Man-in-the-loop Testing of SPDS

Details regarding the man-in-the-loop testing process and results are documented in Refs 22 and 23. Results of the man-in-the-loop testing of the CNS SPDS were submitted to the NRC. The key finding of this testing was that none of the reviewer comments reflected serious SPDS deficiencies. The comments generally reflected operator preferences or were recommendations for minor enhancements that could be candidates for inclusion in a future update of the SPDS displays. Many of these enhancements have already been implemented.

4.4 Post-installation Reviews

4.4.1 NPPD Engineering Review Prior to Declaring the SPDS Operational

Following installation at CNS, and during the warranty period, NPPD identified, and SAIC corrected, PMIS/SPDS deficiencies, including some related to the human factors engineering of the SPDS displays. In particular, certain improvements have been implemented related to: (a) dynamic operation of the SPDS displays, (b) speed of SPDS operation, and (c) refinement of selected display static features.

4.4.2 Post-Installation Human Factors Plan Compliance Checklist Review of SPDS

A comprehensive post-installation human factors review of all SPDS displays was conducted by SAIC and NPPD. This review process utilized the Compliance Checklist and Non-compliance Explanation forms in the Human Factors Plan (Ref 6) to document the review of each SPDS display. Consistency between instrument ranges displayed on the SPDS and on corresponding control room instruments is being checked as part of the CRDR effort and displays will be revised if necessary. SPDS displays can utilize all or part of a sensor's range and can be easily modified to suit the operator's future needs. The SPDS displays as they currently exist were reviewed and approved by CNS Operations personnel. In addition, outstanding human factors discrepancies noted in previous human factors reviews (Refs 7 and 24) were examined. The results of this post-installation review are thoroughly documented in Ref 8. No major outstanding human factors discrepancies were identified. NPPD has reviewed and concurred with these findings (Ref 25).

4.5 CNS SPDS Reaches Operational Status

The CNS SPDS was declared operational in July 1986. The inherent flexibility of the PMIS/SPDS design will allow NPPD to implement evolutionary improvements to the system. The Human Factors Plan (Ref 6) provides the basis for an ongoing program to maintain the high standards of human factors engineering built into the CNS PMIS/SPDS.


5. INDEPENDENT VALIDATION AND VERIFICATION (V&V) OF THE CNS PMIS/SPDS

An overview of the V&V program is presented in the Implementation Plan (Ref 11), and detailed V&V procedures are defined in report SAI-84/1024-264-1 (Ref 26). The V&V team maintained an independent oversight of PMIS and SPDS activities and maintained an independent system for tracking discrepancies and their resolution. Although not a formal human factors review entity, the V&V team review did identify some human factors design deficiencies, and contributed to the overall human factors engineering of the PMIS and SPDS.

The scope of the V&V review went far beyond human factors engineering. Results of the V&V process are documented in Refs 27 to 29. Summary conclusions from these reviews were the following:

"The V&V Team considers that the SPDS problems have either been resolved or they have been adequately documented by NPPD and are currently undergoing resolution. In summary, the V&V Team has identified no major problems with the SPDS" (in regard to validation and field installation verification) (Section 23, Ref 27).

"The SPDS and other related emergency response capabilities received added scrutiny and were found to be well designed and tested" (Section 6.2, Ref 29).

The final V&V Team concern regarding documentation of the CNS SPDS human factors design and review activities has been resolved by this report (Ref 30).


6. REFERENCES
1. USNRC Regulatory Guide 1.97, "Instruments for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident".
2. Buckley, D.W., Lobner, P.R., Hope, E., and Roy, G., "BWR Graphic Display System Dynamic Screening Program", ALO-1003, Sandia National Laboratory, February 1982.
3. NUREG-0737 Supplement 1, "Requirements for Emergency Response Capability" (Generic Letter No. 82-33), USNRC, December 17, 1982.
4. Mullee, G.R., and Aburomia, M.M., "Simulator Evaluation of the Boiling Water Reactor Owner's Group (BWROG) Graphic Display System (GDS)", ALO-1019, Sandia National Laboratories, May 1983.
5. 501-8500109-26, "Functional Specification - Rev B", December 30, 1985.
6. 503-8500000-77, "Human Factors Plan", April 6, 1984.
7. S.T. Almodovar memo, "Human Factors Engineering Review of the Cooper Nuclear Station Consoles", SAIC, November 2, 1984.
8. S.T. Almodovar letter to J.C. Murphy (NPPD), "Human Factors Plan Review of the Cooper Nuclear Station SPDS Displays" and Appendix, SAIC, June 16, 1986.
9. NUREG-0700, "Guidelines for Control Room Design Reviews", USNRC, September 1981.
10. NUREG-0835, "Human Factors Acceptance Criteria for SPDS", USNRC, October 1981.
11. 503-8500000-27, "Safety Parameter Display System Implementation Plan", January 1984.
12. 503-8500000-76, "Safety Parameter Display System Safety Analysis", March 1, 1984.
13. "Human Factors Design Review of Cooper Control Room - Summary Report", BWR Owners Group Control Room Improvement Committee, May 1981.
14. Nebraska Public Power District Cooper Nuclear Station PMIS Input/Output List - Analog Points.
15. Radiological Technical Specifications, Appendix A to Operating License No. DPR-46 for the Cooper Nuclear Station, Nebraska Public Power District, Docket Number 50-298, Revised 9/1/83.
16. Nebraska Public Power District, Cooper Nuclear Station, Updated Safety Analysis Report, Docket Number 50-298, July 22, 1983.
17. 503-8500000-78 (Rev 4), "Detailed Descriptions of the Displays for the Cooper Nuclear Generating Station Safety Parameter Display System (SPDS)".


18. 502-8500107-72, "PMIS Operators Manual", July 16, 1985.
19. 505-8500000-02, "Critical Design Review", April 1984.
20. "Minutes of Critical Design Review Meeting for NPPD/CNS PMIS Project", April 1984.
21. 501-8500102-01, "Test Plan".
22. SAIC-86/3006, "Man-in-the-loop Testing for the Safety Parameter Display System at the Cooper Nuclear Station", January 17, 1986.
23. M. McWilliams memo to J. Skinner (SAIC), "SPDS Man-in-the-loop Testing", SAIC, January 20, 1986.
24. S.T. Almodovar letter to J. Skinner (SAIC), which transmitted results of M. McWilliams October 1984 human factors review of CNS SPDS displays, SAIC, March 10, 1986.
25. J.C. Murphy (NPPD) letter to J. Skinner (SAIC), "Human Factors Evaluation of Safety Parameter Display System (SPDS)", CNSS865908, July 31, 1986.
26. SAI-84/1024-264-1, "Verification and Validation Procedures for Nebraska Public Power District Cooper Nuclear Station Plant Management Information System", July 11, 1984.
27. SAIC-86/1500-264-0, "Validation/Field Installation Verification Test Report for Nebraska Public Power District Plant Management Information System", March 12, 1986.
28. SAIC-86/1687-264-0, "Final Discrepancy Reports for Nebraska Public Power District Plant Management Information System", May 5, 1986.
29. SAIC-86/1097-264-0, "Final Verification and Validation Report for Nebraska Public Power District Plant Management Information System", May 30, 1986.
30. A. Lexa (V&V Team) memo to P. Lobner (SAIC), "Draft Report Summary of Human Factors Activities Related to the CNS PMIS & SPDS", August 12, 1986.
