Discusses Redirection of Matl Previously Considered Proprietary to Pdr.Revs 0 & 1 Removed & Matl No Longer Considered Proprietary Encl.Encls Originally Submitted as Part of File Packages 9207160108 & 9401250172

ML20151W222
Person / Time
Site:	05200003
Issue date:	09/09/1998
From:	Joseph Sebrosky NRC
To:	Ted Carter NRC
References
NUDOCS 9809150222
Download: ML20151W222 (220)
v • d • e

Text

. _ _ _

September 9,1998 NOTE TO: Tajuan Carter

~

FROM: Joe Sebrosky

SUBJECT:

Redirection of Material Previously Considered Proprietary to the Public Document Room 4

in a series of letters Westinghouse submitted to the staff revisions to the standard safety analysis report (SSAR) for the AP600 Portions of the early SSAR revisions were considered proprietary by Westinghouse. Although the staff agreed that some portions of the early SSAR revisions were proprietary, it documented in a September 8,1998 letter (attachment 1) that other portions were not considered proprietary. The staff stated that the portions no longer considered proprietary would be release to the Public Document Room.

The material that is no longer considered proprietary from SSAR revision 0 can be found in attachment 2, and the material no longer considered proprietary from SSAR revision 1 can be found in attachment 3. The proprietary markings have been removed from attachments 2 and 3.

Westinghouse transmitted SSAR revision 0 in a 6/26/92 letter (ET-NRC-92-3710). The file package for SSAR revision 0 is 9207160108. Could you please place attachment2' on the AP600 docket and update NUDOCs to reflect the change.

Westinghouse transmitted SSAR revision 1 in a 1/13/94 letter (NTD-NRC-94-4039). The file package for SSAR revision 1 is 9401250172. Could you please place attachment 3 on the AP600 docket and update NUDOCs to reflect the change.

cc w/o enclosures: TRQuay BHuffman TKenyon JWilson M/

l D Sed <'l AM. d'*

n MPS ih

\

]4K25 9809150222 900909 PDR ADOCK 05200003 A PDR

• * 'l%

p 4 UNITED STATES j

I g NUCLEAR REGULATORY COMMISSION o, f WASHINGTON, D.C. 20066-0001 l

September 8, 1998

%, . . . . . / )

l Mr. Brian A. McIntyre, Manager Advanced Plant Safety and Licensing Westinghouse Electric Company P.O. Box 355 Pittsburgh, PA 15230-0355

SUBJECT:

REQUEST FOR WITHHOLDING INFORMATION FROM PUBLIC DISCLOSURE FOR THE WESTINGHOUSE AP600 STANDARD SAFETY ANALYSIS REPORT (SSAR) AND PROBABILISTIC RISK ASSESSMENT (PRA)

Dear Mr. McIntyre:

In an August 23,1995, letter, the staff informed Westinghouse that it had reviewed the AP600 SSAR through Revision 4, and the PRA through Revision 5 and determined that in nine areas the information sought to be withheld did not contain trade secrets or proprietary commercici information. The letter requested Westinghouse to reevaluate the SSAR and PRA materials to ensure that the information that it was requesting to be withheld from public disclosure met the criteria set forth in 10 CFR 2.790(b)(4). This request was reiterated in a letter sent to you on July 1,1998.

Westinghouse responded to the staffs requests in letters dated July 22.1998, (NSD-NRC-98-5741) and August 17,1998 (NSD-NRC-98-5759). In these letters Westinghouse provided additional information for why some of the material should still be considered proprietary and also indicated that some of the material was no longer considered proprietary. 1 The enclosure to this letter provides the proprietary disposition for the nine areas.

1 We have reviewed your submittals in accordance with the requirements of 10 CFR 2.790 and, .

on the basis of Westinghouse's statements, have determined that the submitted information I sought to be withheld as documented in the enclosure contains trade secrets or proprietary commercialinformation.

Therefore, we have determined that the proprietary materials documented in the enclosure, which when submitted to the NRC were marked as proprietary, wil' be withheld from public disclosure pursuant to 10 CFR 2.790(b)(5) and Section 103(b) of the Atomic Energy Act of 1954, as amended.

Withholding from public inspection shall not affect the right, if any, of persons properly and directly concerned to inspect the documents. If the need arises, we may send copies of this infomtation to our consultants working in this area. We will, of course, ensure that the consultants have signed the appropriate agreements for handling proprietary information.

If the basis for withholding this information from public disclosure should change in the future l such that the information could then be made available for public inspection, you should promptly notify the NRC. You should understand that the NRC may have cause to review this Q -

hV 14%

n Eyww 5y

? , .

Mr. Brian A. McIntyre September 8, 1998 determination in the future, for example, if the scope of a Freedom of information Act request includes your withheld information. In all review situations, if the NRC makes c determination adverse to the above, you will be notified in advance of any public disclosure.

The material that is no longer considered as proprietary, as documented in the enclosure, will be released to the NRC Public Document Room.

Sincerely, original signed by:

Joseph M. Sebrosky, Project Manager Standardization Project Directorate 3

Division of Reactor Program Management Office of Nuclear Reactor Regulation Docket No.52-003

Enclosure:

As stated cc w/ encl: See next page QlSTRIBUTION:

Docket File PDST R/F TOuay PUBLIC TKenyon WHuffman JSebrosky DScaletti JNWilson ACRS (11) JMoore. 0-15 B18 MPSiemien,0-15 B18 DOCUMENT NAME: A:SSAR-PRA.PRP To receive a copy of this document, indicate in the box: "C" = Copy without attachment / enclosure "E" = Copy with attachment / enclosure "N" = No copy t, OFFICE PM:PDST:DRPM l f OGC @j lQ PDST:DRPM l l l~

NAME JMSebrosky:sg @) MPSiemib'n TRQuRL '

l DATE 09/ 8/98 09/ %/98 09/{ /63 OFFICIAL RECORD COPY

d

5. SSAR Chapter 10 - Figures 10.1-1 and 10.2-1 As noted in Westinghouse *s July 22,1998, letter these figures are not considered proprietary. Therefore, this information found in SSAR Revisions 0 through 4 will be released to the NRC Public Document Room.

6. SSAR Chapter 15 - Appendices 158,15C, and 15D These appendices contain details of the methodology used in the LOCA and transient analyses. The information was subsequently moved to WCAP-14601 and a nonproprietary version of the report was provided to the NRC. In addition, nonproprietary general descriptions of the safety analysis computer codes are provided in the current Revision of the SSAR. Westinghouse submitted WCAP-14601,"AP600 Accident Analyses - Evaluation Models" in a letter dated July 14,1997, (NSD-NRC-97-5232) and submitted a revision in a letter dated June 16,1998, (NSD-NRC-98-5712). The staff found these submittals contained proprietary information as documented in letters dated June 22,1998, and July 30,1998, respectively. In your July 22,1998, letter you indicated that Westinghouse still considers the detailed information provided in Revisions 0 through 6 of the SSAR contains proprietary information.

Therefore, the staff has determined that Appendices 15B,15C, and 15D provided in Revisions 0 through 4, which were designated as proprietary, contain trade secrets or proprietary information and will be withheld from the public.

7. SSAR Chapter 18 In the August 23,1995, letter the staff stated that it believed the following portions of Chapter 18 should no longer be treated as proprietary:

. Table 18.5-1 and 18.5-2 Section 18.6 - decision model discussion

. Section 18.8 - model of human decision making and evaluation approach Section 18.9.2.4 - alarm system architecture Section 18.9.8.1 - development of emergency operating procedures Section 18.9.8.6.3 - computerized procedures

. Tables 18.9.01 through 18.9.8 emergency response guidelines (ERGS)

In your July 22,1998, letter you indicated that some of this matenal was no longer considered proprietary by Westinghouse. You also requested that other portions be withdrawn from the docket. The staff indicated to you that this information helped to form the basis of Chapter 18 of the AP600 Final Safety Evaluation Report (FSER). Therefore, withdrawing the information from the docket would r s . nossible without an extensive rewrite of Chapter 18 of the FSER. Based on this ( ^ Mion with the staff you stated in an August 17,1998, letter that Westinghouse no lor . Ansidered the above information proprietary. Therefore, the above information found in SSAR Revisions 0 through 4 will be placed in the NRC Public Document Room.

'4

/Pcooo $ SAL 2 Vl3 /od C3 Y E l

l

3. DESIGN OF STRUCTURES, COMPONENTS, EQUIPMENT AND SYSTEMS

~ ~ ~ ' '

=

• Revision: O i l

/'

i N  :

i

- 1

$Q 50 -

n m

v 40 -

b 30 -

sm 20 "

l 10 0

O 2 4 6 8 10 12 14 18 18 20 STRAIN CPERGNT) l l

l Figure 3B-1 True Stress True Strain Curve for SA376 TP316LN Stainless Steel at 528* F l

3 Westinghouse

3. DESIGN OF STRUCTURES, COMPONENTS, EQUIPMENT AND SYSTEMS  :

e: 06/26/92 J

70 60 -

50 -

O

!@ 40 -

v 30 -

sm 20 -

10 0

O 2 4 6 8 10 12 14 16 18 20 STRAIN CPERE NT)

Figure 3B-2 True Stress True Strain Curve for SA376 TP316LN Stainless Steel at 597* F P3B-6

[ WeStingh00$8

-e -

- i 2 5 6 1

12 E "1z i _

r I,j ,

l I

. l....

ripe

' ;f5- . ..

I -

g t _ _ _.e f t E ,

h-]l.l.. I!l :'l!

l:

1:

! .. .. 95

[1j *  ! I.

i G E: l ir l._ l 9= c fEi p'. .

r - s

(

-~

'lQ , ..

l g-/ ii Y I  :

[ ,;

u.

gr I r- . . . .

f'/y 8

n<r ...

-, _J l I .-

h-- a: x-  ;  ;

e  :: ,  :"

'^N _ _ _w,

• r[% r!li lI< i .

5 1 1 l

' El ~ ~j ll

l

ig:

s zl: j$;g l

1; l-

- J /f;m  ;

e O-  ! it T--- ..,

sy a r .

I i sup k g

~

l l . I E I

.l .i.

r

. .. n .

r i r., r'

) clp :

a .*a

. t-3lis t

/.--

j i 8

. e i .

_i e._. , . .

i e-  : :  :  ; .

i l-! u l :5:

ae sl: rl, l s a 1

! I - i,/ e I

i t I r.f

• 8 -%p... lJ ; 6 hit;- Ii lr----;:V:;..E..

i

o. , ... .-

r. -

r n 2- n l :, v., g l lI -t- . .

v-ll

!! t r -

5

• i_---

e/

ll / ~m/

~ f r

_ _ _ _ _ _ _ _ .J rs i

l- .. ... o s 8L./  ; ,

a ;r \ #

I =

l r I-* . .

e 1 LC

_--_____I l 3

t s 1 i

4 1

• l s I ...

I / ;iJ I s .g-n

=

w r_.._..._d,.S .;

! h2  ; = _ _ _ _ _ _ __ _ _ _ __. _ _I eHge-s 8

l ':6 8 a;  ; ; .  :

[ Si s

lE

..- . . . . . Ieg tra; w e

- , Kr - e. eg . . ] -3 g-

/N

~

g $ f K!l N j -. g y g

3 I

l b "~ ~~ ~~ ~ ~ , , N E [h Es-dr IN

.)...

5 } club g

) i; _

..a.

n-ep :y: u __- 7 u D4 ba 6- p Iy .s .

-a Q 5 d 8 .2 3 u 5 32 a e

si

-a 15 r1

! e j a =

=

a E{

l

-i ___ _.!.i! '

(

i f I  !

l i l

o p--+e- g o -

T

..i 14 m, l

5

>7 .,.-.n_._._

j .

_t____g e,l i

.!. g

, , . _ . _ .L i

i c!d_ _._,q g *N Arr_.___;  :

8

_t2 _ _. ._.4 j _

L. "[f M--vmy .' d'M.

I

'-- J i

_ . t 3 1 ! i i , _. f -$+-N:h d ___ L __Q.d. .O._.l 4. . i.

. i h)-

._ _L _ _ _ p O _ _? ~ = , e,,s i ' -- J l , i_.._.._.J..._..J  ; g QT ' s

.i*

f l-Q(} jfCFlm  ! f, r-- '; Y Q i 4___ . _____. ,__._. ., O -v {l i f M_b i i I t e .g y;PQ-A QgPup I p.s or o _19 TL-+- ll i R..noi e p: . u _l -@ t i i h u-&  ! ! M, l ' g[ " l] ! QI~ - e , . !, ! I

U l s

i ' il g 3 1 1 P !j h ' ' 8 . _g _,h _I d. . _. .  ! . . _ . ]_ ___j-. __ ..___._. g __.g ' 5 W ! j f .gn ' . i g! J 't 4..q. g.. ... &.!._.; j .. 7, t, . , __k -_ ,;i . , '] y, 8, + . .Is _ ;_ _ _ .. ,!_ .

; i __ ; _ _ _ _ _L . _ ._;

!. igs i  ! L.._.._..._- .._..._.._.._i ., l,il1 '

-t t!

, l /: -u i!: , e i ,,g E i  !! g dj' ig l 1'

. H '

gl I a as 3 o E i 1 'd I j s s* . hl sa - s- A- - - A. .a & , - - . - L,, .A m --m - p L AEm , a,-e---- - + - aa.--,- ,n. ,,x_ ,,,n 8- e.. a4 i I i ~ T - " l l " O l 4 a 4 t D i

n (1 5

a 3

fu ci, r' i

c - ".sf $ h l f f g.,_.._...._.. g E C -f.r p _ka ,s .E [e f ir 1 g p*9 _ . . _ . _ . _ . . . < f -- - ~y N. . ~ l f n , 9 -,7, d f 7 = m,%$Y~~~~ m usen .v J;/\, = f '.x) \. B f 3 4( ) t , dli _ a, - , c M s \ \, = o 4 i .o.. _____._L. e ! - 5> m .. g 'N-h b N __.. . _ . . . . . _ . I - i r u m IN i . gfg Jg i ~E- ~  ! i  ! !5 ((0 l U '.5 . . e_ .1. . . "4$ F52 ' u ,,' n a .),,s ,t. _ _ .s. _ _ _i' __ _ r_ . ___.. ____. _ !i- .gb{ g ,, i ! pp g -g . -_. - r/ - .

• • 0 e p f, , . :g i >

(El _ i l TS,,= i ' i 1 st  :  ! i  !. y 559 ,- l l,1-g bM8- i. ,8._.__.  :  : E, do r l ^~7 g n[ is le i '  %  : u t W w .

e1--

e h4 n

• gi <

xi ..; e- sI .)v - .L_s %- ' , l,l#) = s e .._i_.g._. e . _ _ _ _ -I :: i i n l._.._. f., we c

• <; }

n of . _ . _ __( c-' _ '

L__.

.~s S I ~ "B, Yl-4 9l 8 ?5 3 Y E . -_V' o5'A E 30 9 g (E r u or 5s E 2i! I 0 Es e 33 m h e n> m.-- e .. ah. .d--_ _ m . - - - - _ _ . - - _ J +4 48 -'O - . . , . . . , ,_ i  ! A ?-c  ? % c1

• \ 9

)a -a =

1

• O l i

= ! l i ml ! i 11 i i i,! H, - pf , __ 'M% M + 3 __ .._ g y 0 Ni ~~'-~~-'-' l - - ra e I.; , w l I - !!! kW El ['i, y ,, 4,' g i rg-+g- 4 l i,i L li n 2Qg H e i a, . lla 55 m i- ' l' i li i t, f f , "I i , l -.,E: d;;.-  ! ..L.Lg- g.:_f g / ' m

y. . . , .

} l 's # !i e N  ! } 0Il N 9%, t ..c:R %+  ; u gr hig%  ! /5  !! s d $i?TE-3 pgg, j n . s i l7":w.chz_C . .. Wop f sia' i ..c4. i b.=1 t .,..,/* , 3 ,j ad  %-5 2 't ; i jl .. 7 t, g l' e255[a # g-c ar..,eqim ly. gi o g [ !L 57 l l p Aqge; _. l,l gf gg$;_sj bf' g i O ;i ,,=u.u .w , ~; v =ic-. _2 _. g i i I 3 gm. pen - r -e, a 2_. +i.i l 3 i..._O_..r! _C. ._. . ! ,l  : n. , ,. t. __.init _; r D!c $10 r e-,! u r r-__.. . p. h.;; ..q y ,- J ..,:: CD __-Q.I.- I- - 4ll  ! V 's . . . . .. f. _ . . . . ! ' ( h .l.f. -- ; L 0iC C l  ; i !O!' =q I iN' "3-N!![-f$$$ 8- hl Mf:c l .<d;iH ij

r. -;' a i. s 8

M t, 5 U at 8 2E a 9 G I o8 B s !!! $ m l l l

18. HUMAN FACTORS ENGINEERING Revision: 0 I

d Effective: 06/26/92 g Table 18.5-1 Design Acceptance Testing: Verification Tests 1 Near Full-Scope. Part-Task High-Fidelity Simulator Siraulator2 Evaluation 1.i. Human engineering design guidelines snformance to human engineering guidelines a - Review of design attributes of the operations and control centers related to physical characteristics, such as acous- X4 ties, lighting, comfort, communications, and general layout against human engineering design guidelines. b - Design attributes of the individual M-MIS components, ^ such as alarm warning systems, panel and workstation layout, visual displays, controls, labels, locating aids, and legibility. X3 The human engineering design guidelines used to establish acceptance criteria include the following: - NUREG4700, Guidelines for Control Room Design Re-views (Reference 1) MIL-STD-1472 (Reference 2) - American National Standard for Human Factors Engi-neering of Visual Display Terminals and Workstations (Reference 3) ASHRAE Standard for Thermal Comfort (Reference 4) EPRI NP-3659 Human Factors Guide for Nuclear Power Plant Control Room Development (Reference 5). 1 Performance requirements are indicated with a **" Performance measures are indicated with a " " 2 Not to be completed for design certification 3 Design ITAAC 4 Construction ITAAC W Westinghouse

18. HUMAN FACTORS ENGINEERING

^ ,_,. _ Revision: 0 I Effective: 06/26/92 ,./ Table 18.5-2 (sheet 1 of 8) Design Acceptance Testing: Validation Tests 1 Near Full-Scope, Part-Task High-Fidelity Simulator Simulator 2 Detection and Monitoring Evaluation 1. Passise monitoring of wall panel information station X3 and workstation displays

• Prompt and accurate overall assessment of plant state and condition

- Successful identification of plant state and important indications of plant condition - Task completion time Evaluation 2. Directed search for information with the work- X3 s station displays based on wall panel information sta-tion displays

• Retrieval of detailed information from workstation d; splays after a cue from wall panel information station

- Number of displays accessed before retrieving correct display - Success in accessing the required '.nformation Task completion time l Evaluation 3. Directed search for information within the work- X3 ) station displays based on a request , a Retrieval of requested information in response to plant condi- ) 1 tions - Number of displays accessed before retrieving correct display - Success in accessing the required information Task completion time 1 Performance requirements are indicated with a "** Performance measures are indicated with a " " 2 Not to be completed for design certification 3 Design ITAAC 4 Construction ITAAC P18.5-2 W westinghouse

18. HUMAN FACTORS ENGINEERING Revision: O

./ Effective: 06/26/92 g Table 18.5-2 (sheet 2 of 8) Design Acceptance Testing: Validation Tests 1 Near Full-Scope, Part-Task High-Fidelity Simulator Simulator 2 Evaluation 4. Maintaining crew awareness of plant condition X3

• Crew awareness of plant condition Accurate operator assessment of plant conditions rele-vant to own responsibilities Accurate operator assessment of plant conditions rele-vant to other's responsibilities

• Effective and efficient shift tumover Shift turnover completion time Review of required plant parameters Accurate operator assessment of plant condition

• New person awareness of plant condition Time to review wall panel information station and workstation displays Accurate operator assessment of plant condition Interpretation and Planning Evaluation 5. Detecting and understanding disturbances using X3 alarms

• Prompt and correct interpretation of alarm messages Operator report of fault and implications Task completion time

• Prompt and correct selection of response: procedure or btrategy Successful retrieval of procedure / strategy Procedure / strategy selection time

• Prompt and correct selection of appropriate workstation display Successful retrieval of displays Display selection time 1

Performance requirements are indicated with a "*" Performance measures are indicated with a "

• 2 Not to be completed for design certification 3 Design ITAAC 4 Construction ITAAC P18.5-3 W westinghouse

18. HUMAN FACTORS ENGINEERING

^ _ _ Revision: 0 Effective: 06/26/92 W_ Table 18.5-2 (sheet 3 of 8) Design Acceptance Testing: Validation Tests 1 Near Full-Scope, l Part-Task High-Fidelity J Simulator Simulator 2 Evaluation 6. Interpretation and planning using workstation dis- X3 plays

• Prompt and correct determination of fault causes Identification of equipment misalignments / failures Task completion time l

• . Prompt and correct determination of fault implications l Assessment of potential consequences to operational goals l i

Task completion time Evaluation 7. Interpretation and planning during single-fault X3 events using alarms, workstation, wall panel infor-mation station and procedures l

• Prompt and correct interpretation of alarm messages 1 Operator report of fault and implications Task completion time l

• Prompt and correct retrieval of detailed information from workstation regarding alarm message Successful retrieval of required information Information retrieval time ,

i Correct operator assessment of cause of fault

• Prompt and correct selection of procedure Successful retrieval of procedure Procedure selection time

• Prompt and correct selection of controls and displays Successful retrieval of controls and displays Control and display selection time

• Prompt and correct assessment of goal threats and goal achievement Operator assessment of goal threats and goal achieve-ment Task completion time 2

Performance requirements ne indicated with a "*" Performance measures are indicated with a " " 2 Not to be completed for design certification 3 Design ITAAC 4 Construction ITAAC P18.5-4 W - Westin ouse

18. HUMAN FACTORS ENGINEERING Revision: O

.> Effective: 06/26/92 En Table 18.5-2 (sheet 4 of 8) Design Acceptance Testing: Validation Tests 1 Near Full-Scope, Part-Task High-Fidelity Simulator Simulator 2 Evaluation 8. Interpretation and planning during multiple-fault X3 events using alarms, workstation, wall panel infor-mation station and procedures

• Prompt and correct identification of immediate actions Successful identification of immediate actions Task completion time

• Prompt and correct diagnosis of faults Successful retrieval of required information Information retrieval time Operator assessment of cause of fault

• Prompt and correct management of automatic control sys-tems Correct assessment of automatic system performance relative to operational goals Correct identification of requirements for and future implications of overriding automatic systems Task completion time

• Prompt and correct prioritization of conflicting operational goals Operator assessment of goal conflicts and priorities Successful selection of proper procedure or strategy Procedure or strategy selection time relative to plant dynamics

• Prompt and correct selection of controls and displays to initiate response Successful retrieval of controls and displays Control and display selection time

• Prompt and correct assessment of goal status and goal achie-vement

- Operato'r assessment of goal threats and goal achieve-ment Task completion time 2 Performance requirements are indicated with a **" Performance measures are indicated with a " " 2 Not to be completed for design certification 3 Design ITAAC 4 Construction ITAAC W Westinghouse ,

18. HUMAN FACTORS ENGINEERING Revision: 0

• 7 Effective: 06/26/92 Table 18.5-2 (sheet 5 of 8)

Design Acceptance Testing: Validation Tests 1 Near Full-Scope, Part-Task High-Fidelity Simulator Simulator 2 l Evaluation 9. Interpretation and planning by crew during X3 multiple-fault events using alarms, workstation, wall panel information station and procedures

• Effective coordination and communication of plant status information between crew members Successful communication of operator monitoring as-signments

- Accurate communication of data regarding plent condi-tion Operator assessments of plant condition

• Prompt and correct diagnosis of multiple faults

- Correct identification of inoperable equipment and as-sessment of causes - Task completion time relative to plant dynamics

• Prompt and correct prioritization of goal challenges Operator assessment of goal conflicts and priorities

- Task completion time

• Prompt and correct selection of procedure or strategy

- Correct selection of procedure or strategy - Procedure selection time relative to plant dynamics - Task completion time Evaluation 10. Interpretation and planning by crew during severe X3 accidents using technical support center, alarms, workstation, wall panel information station and procedures

• Prompt and correct diagnosis of plant condition

- Successful diagnosis of plant condition - Time to diagnose plant condition

• Prompt and correct evaluation of consequences of alternative recovery paths

- Successful assessment of consequences of recovery paths - Time to assess consequences of recovery paths i Performance requirements are indicated with a *** Performance measures are indicated with a " " 2 Not to be completed for design certification 3 Design ITAAC 4 Construction ITAAC P18.5-6 W Westinghouse

18. HUMAN FACTORS ENGINEERING l'; Revision: O d Effective: 06/26/92 {

Table 18.5-2 (sheet 6 of 8) Design Acceptance Testing: Validation Tests 1 Near Full-Scope, Part-Task High-Fidelity Simulator Simulator 2

• Timely and accurate communication of information between main control room and technical support center

- Accuracy of communicated information Currentness of communicated information relative to decision requirements Controlling Plant State Evaluation 11. Simple operator-paced control tasks X3

• Prompt and accurate execution of control actions specified by procedures

- Successful retrieval of procedures, displays and con- ^ trols, and execution of actions Time to execute control actions Evaluation 12. Conditional operator-paced control tasks X3

• Prompt and accurate identification of preconditions, side effects and post-conditions

- Operator assessment - Task completion time

• Prompt and accurate execution of control actions

- Successful execution of control actions - Time to execute control actions Evaluation 13. Control using multiple, simultaneous procedures X3

• Efficient and effective use of nested procedures Operator identification of procedures and steps that are in progress

- Successful execution of nested procedures Time to complete nested procedures 1 Performance requirements are indicated with a *** Performance measures are indicated with a * " 2 Not to be completed for design certification 3 Design ITAAC 4 Construction ITAAC P18.5-7 W Westinghouse

18. HUMAN FACTORS ENGINEERING

_ _ Revision: 0 f Effective: 06/26/92 Table 18.5-2 (sheet 7 of 8) Design Acceptance Testing: Validatiori ests1 ~ Near Full-Scope, Part-Task High-Fidelity Simulator Simulator 2

• Efficient and effective use of independent, concurrent proce-dures Operator identification of procedures and steps that are in progress Successful execution of concurrent procedures Time to complete concurrent procedures Evaluation 14. Event paced-control tasks X3

• Correct execution of control tasks in pace with event ,

- Completion time for control actice < 1ative to require-ments of plant dynamics Successful execution of procedure Evaluation 15. Control tasks requiring crew coordination X3

• Awareness of control actions of others Operator assessment of operator actions l I

• Effective coordination of multiperson control tasks Successful completion of control task 1 Task completion time

• Effective coordination of control actions for independent, concurrent procedures Successful completion of control tasks Task completion time

• Effective allocation of crew member responsibilities in re-sponse to exceptions

- Successful communication of responsibilities to opera-tors - Successful completion of task Task completion time 1 Perfctmance requirements are indicated with a **" Performance measures are indicated with a " " 2 Not to be coupleted for design certification 3 Design ITAAC 4 Construction ITAAC P18.58 W Westinghouse

18. HUMAN FACTORS ENGINEERING Revision: 0

- Effective: 06/26/92 , Table 18.5-2 (sheet 8 of 8) Design Acceptance Testing: Validation Tests 1 Near Full-Scope, Part-Task High-Fidelity Simulator Simulator 2 Validation of Integrated M-MIS Evaluation 17. Integrated M-MIS and crew performance X4

• Effective and efficient control of plant - normal operating conditions (normal includes startup and shutdown)

Task completion time Successful completion of task

• Effective and efficient control of plant - abnormal operating conditions Task completion time Successful completion of task

• Effective and efficient control of plant - emergency operat-ing conditions Task completion time Successful completion of task i

l l 1 Performance requirements are indicated with a "*" Performance measures are indicated with a " " 2 Not to be completed for design cer:ification l 3 Design ITAAC 4 Construction ITAAC P18.5-9 W Westinghouse

18. HUMAN FACTORS ENGINEERING Revision: O v Effective: 06/23/92 E 18.6.4 The Decision-Sets Organization his model is not totally independent of the type of Model decision maker. His is because the nature of the decision maker (human versus automation) and how his modelis a map of sets of cognitive tasks that many of them there are, causes other supporting tasks to are demanded by the plant. His map acts as an aid to be required. Rese must also be included because the the human engineering design team, helping them to decision makers have their own effect on the various systematically consider, and to include in their design task loading analyses and on the M-MIS scope determi-efforts the determination of the appropriate scope of nation that come later in the human engineering process.

AP600 operations and to examme the differences The human engineering process is an iterative one, between decision sets. His is reflected in the answers depending on the structure or organization of humans, to crucial questions, such as: and the results of the human / automation task allocation activity. His model is the first place in the design

• Does a given decision set require execution in mal. pmcess where the iterative nature becomes apparent.

time, near-real-time, or non-real-time? One of the first places that the effects of the user

• What data must be available to effectively execute behavior / decision maHng model can be seen in the the decision set? decision-sets organization model is in the use of aggre-

• Where must the results of the decision set go? gation/ abstraction as a means of dealing with the com-

• What are the circumstances that cause the activation P l exity (both in quantity and content) of the decision sets or need for a given decision set? (Reference 4). He decision-sets organization model is

• How is the decision maker made aware that deci. a "decon position" model. It begins with a high level of sions are required? aggregation / abstraction and then allows the designer to decompose the aggregation / abstraction to see the more Using this decision-sets organization model to elicit detailed decision sets that comprise the lower levels in these kinds of questions is the beginning of a cognitive the model. Rese two ideas, the need to capture the task analysis, decisions that need to be made and their relationships He modeler tries to create a model that is not with each other, and the need to organize these deci-interested in whether the decisions are made by humans sions into decomposable rets for easier comprehension, or by automation. It is only interested in capturing the led to the use of a computer-aided software engineering nature of the required decisions, what inputs are n. (CASE) tool to develop the model in a graphical form.

quired to make them, and where (or to what other AP600 depicts the decision sets and the associated decision sets) the results of the decision must go. data graphically. Specifically, the nature of the labeled he model is also independent of the scope of the decision set is captured in the form of the numerical M-MIS. Once the decision mapping process is com. algorithms and comparisons that are required to success-plete, the M-MIS designers determine which decisions fully execute the decision set. He dehnition and and which communication links are supported by the contents of the communication links are captured by the M-MIS. The M-MIS may support certain decisions, but label given to the link in the graphical depiction. the output may not be electronic, tlat is, the M-MIS The graphical interface being used has a limited set may simply print an appropriately formatted form of icons for creating a decomposable model. Specifi-containing the required data for communication by other cally, circles are used for representing a decomposable means Derefore, the decision sets organization model decision set. He label that the modeler gives to the set attempts to be as complete with regard to the requisite is automatically recorded as an entry for later def'mition decisions as possible. and the tool assigns a unique number to each circle. He P18.6-1 W Westingt100se l

18. HUMAN FACTORS ENGINEERING Revision: 0 Effective: 06/26/92 1

1 tool also checks to see that the decision sets have Here are tasks that the Combined license holder must  ; descriptive labels. likewise, the communication or data perform to cany-out these communications. l transfer links are represented by directed lines with he circle in Figure 18.6-1 represents the decision ) either uni-or bi-directional arrows. He labels given to sets that are usually by the Combined License holder l these links are automatically entered into a " data diction- relative to plant operations. Decision sets such as those I ary", with similar checks for completeness. of a commercial or financial nature, including communi- 1 ' In the course of building the model, the modeler cations with outside parties interested in these subjects, i focuses on the decision sets required by the plant are not included since they are outside of the scope of  ; design. Here are, however, places in the model where the AP600 design. i the decision sets are the result of the fact that humans Figure 18.6-2 further shows that this decision set, , are involved in the operations of the plant. The staffing is made up of five decision sets related to the five states requirements for the AP600 are discussed in of AP600 operation. He dashed lines in Figure 18.6-2 Section 18.7. It is expected that current operating indicate that a " control" action needs to take place. In experiences support decision sets resulting from human this case, the control actions are the result of plant , involvement and are applicable to the operational tasks conditions being such that the next indicated plant state j of the apt >00 he following example is a piece of the is the appropriate one. He model symbol (vertical bar) model that represents the decision sets and data commu- labeled "Sg" indicates that a matrix or truth table exists nications of the AP600 He complete model for the that defines the criteria under which the control action AP600 is not included in this report. Included here is is required. The execution of one of these control a portion of the model. It is intended to provide a sense actions implies a major shift in the operational objec-of what is included in the model and a sense of how the tives for the plant and, therefore, an implied shift in the model is used in the AP600 human engineering activi- decision sets, in the decision results receivers, and in the ties. need for and the content of their communications; that Figure 18.6-1 is the highest level diagram in the is, in the cognitive tasks that must be accomplished. model. It shows the external communications context in Imoking further into the decision set decomposition, which the XYZ utility operates its AP600 Very few of Figure 18.6-3 shows that the "AP600 Emergency these communication links are currently direct electronic Operation" decision set in Figure 18.6-2 is composed of data links or are planned to be so in the near future. several interrelated decision sets. Included is an in-With the exception of the link to the NRC as described stance of the interrelationship betweet this decision-sets in Clarification of the TMI Action Plan Requirements organi7mtion model and the user behavior / decision (Reference 5), these external communications are mnbng model. The user behavior / decision mahng performed via the traditional methods of written letter or model has a component in it related to the anticipated memo, or by telephone, either verbal or electronic and proven need for two separate sets of cognitive tasks facsimile. Rese communications are usually very to be on-going in the control and management of a structured. He two communicating parties have complex real-time process, particularly when the process , reached an agreement about the content and, in a is in a crisis as discussed in Challenges in Socio-Techni-general way, what the content means Often the order cal Systems; Design for the Individual Operator, and in or structure of the data of the communications is includ- Human Factors Evaluation of Control Room Design and ( ed in the agreement. The communications are so well Operator Performance at TMI-2 (References 6 and 7). predefined and structured that a form or table is often %ese two sets of cognitive tasks are usually used to allow the completeness of the data and to make discussed from the perspective of human performance in the processes of gathering and reading the data efficient. real-time process control. Major portions of the de-P18.6-2 W W85tiflgt100Se

18. HUMAN FACTORS ENGINEERING Revision: 0 v Effective: 06/26/92 N"5 mands of these two sets of cognitive tasks could be Figure 18.6-4, a closer look at the 'AP600 Systems accomplished or at least highly supported by modern Management (Emergency Ops)* decision set found in computer systems. Figure 18.6-3. The post-TMI-2 requirement (Refer-he decision sets organization model looks at these ence 5) of providing additional technical help in evaluat-as decision sets without any bias as to the nature, human ing the plant state and in developing a strategy for or automation, of the decision maker, even though the improving that state during a plant emergency are recognition of the need for the sets is found by examm- recogmzed in this figure. He figure also shows the ing the break down of human operator performance. need to communicate, in a very reliable manner, certam The purpose of this model is to simply examme and plant process data as is suggested in Instrumentation for document what decisions are involved in each decision Light-Water-Cooled Nuclear Power Plants to Assess

set, so that later in the human engineering design Plant and Environs (Reference 8) to the 'AP600 Emer-process a more informed allocation can be made relative gency Systems Management, Control Room" decision to the execution of the decision sets to humans or to set. He discussion of the specific systems management automation. decisions that comprise this decision set is found in the ne first of these sets of tasks results from the main control room task analysis section, traditional behavioral role of equipment operation. In Subsection 18.9.1.3. In addition, the main control room this role, the operator, either human or automation, task analysis subsection derives, from the decisions in manipulates the plant's equipment in order to achieve an the decision set, the list of plant process data that must objective. He objective, though, is usually only be communicated as the QUAL _ DATA (RG_,1.97) data.

implied in the control constraints within which the Figure 18.6-5 shows that the 'AP600 Shift Techni-operator performs. In the case of a human operator, cal Advice (NUREG-0737)* decision set of these constraints are in the form of procedures and the Figure 18.6-4 is made up of two smaller decision sets. operators' activities are paced by the procedures. In the These decision sets are the 'AP600 Shift Technical case of automatic operation, they appear as control Advisor (NUREG-0737)' decision set and the 'AP600 algorithms and setpoints, another form of prcmdures. Technical Support Center (NUREG 06%)* decision set. In either case, the operators are not expected to fully He requisite communications are also shown. understand the overall objectives or reasons why a Figure 18.6-6 further defines the 'XYZ Utility particular procedure is appropriate. management (Emergency Ops)" decision set from . The second of these sets of tasks is described as the Figure 18.6-3. He important decision set here is the systems management behavioral role, as described in one that involves the Emergency Off-site Facility and its l , NUREG/CR-1270 (Reference 7). His behavioral role communication needs, i is charactenzed by an awareness of the current plant Figure 18.6-7 takes an even closer look at the state. It requires ajudgement as to the appropriateness 'AP600 Equipment Operation (Emergency Ops)* of that state, and, if inappropriate, the setting of a decision set from Figure 18.6-3. Here, the emphasis is course to get to an appropriate state. R ese tasks are on the communication needs and decisions that are made driven by the pace of the system being controlled. in the main control room and in the plant (field) regard-These two behavioral roles represent different cognitive ing the detailed operation of the reactor and of the tasks. These different cognitive tasks are illustrated in balance-of-plant equipment. Figure 18.6-3 by the 'AP600 Systems Management Figure 18.6-8 highlights the 'AP600 Plant Process 4 (Emergency Operations)* and "AP600 Equipment Data Presentation (Emergency Ops)* decision set from Operation (Emergency Operations)" decision sets. Figure 18.6-3. Here, the focus is on the data communi-cation ne.ds and requisite decisions that need to be 4 P18.6-3 W Westinghouse +

18. HUMAN FACTORS ENGINEERING Revision: 0

~. . . . . . Effective: 06/26/92 made in the main control room or in a remote shutdown well defined, the model needs to be a living model. It room. documents the scope as a clearer understanding of the This modeling provides benefits to the human plant details, the man versus computer allocation, and engineering activity of the AP600 In spite of the fact the scope of the AP600 M-MIS as it evolves. that the model is very subjective, because it is highly Similarly, the depth of the detailis also a modeler's dependent upon the views and biases of the modeler, it decision. With regard to those decision sets related to pmvides several benefits: the real-time control of the AP600 processes, another model needs to be joined with this one at about the level

• It provides, early in the project, a mechanism for of detail described in the previous example. The seeing the scope of the project. discussion of this model can be found in Subsection 18.6.5. For othe fpes of cognitive tasks,

• It suggests, but does not derive, a logical grouping such as those nemary for piant administration, engi-of cognitive tasks. neering, and field eqtJpment operation, the traditional industrial engineering techniques, as typified in Task

• It focuses design attentior upon the decision set Analysis (Refer nee 9), are used to determine the design relationships, sometimes called the operational requirements of the M-MIS and other supporting philosophy, that need to exist in the successful interfaces.

operation of the AP600 18.6.5 The User Behavior / Decision Making

• While time is not a dimension in this model, time Model differences can be seen in decision sets between the various operating regimes. Differences involve ne user behavior / decision making model helps the getting new or additional decision makers (either human engineering design team explore, in considerably human or automation) synchronized with the exist- more detail, some of the decision sets itemized in the ing operational situation. The recognition of this decision sets organintion model. Specifically, t's need early in the human engineering process pro- cognitive tasks that need to be executed in real tin-, in motes the eventual successful integration of these concert with the dynamics of the AP600 plant processes, additional resources into the on-line decision-mak- can be more fully analyzed by this model.

ing process. His model is described by Rasmussen (Refer-ence 4). It is a model of the process being controlled 'Ibe major question about such a model is the onc expressed in terms of the functions or purposes that the of completeness. How does the modeler know when t designers intended their equipment design to accomplish. quit constructing either the breadth (scope of plant nis model is also a decomposition model, looking first operation, management, and maintenance) or the depth at the plant as a single system and determining its (level of detail) of the model? Dere is no rigorous way overall objectives or goals. He decomposition then to define the limits. To a large degree, the breadth of takes place by.looking at the purposes of the equipment the model includes, as a minimum, those decision sets that is designed to meet the overall goals. His equip-and communication links that will be included in the ment, in turn, has needs, such as lubrication or cooling M-MIS. His is necessary to clearly define, for the that must be met by yet another set of equipment. computer system designers, the algorithms (including the Rasmussen calls this structured representation of equip-graphics displays) that t.re processed and the amounts of ment purposes a "means-ends' model. He process of data that r e communicated. Because the limits are not creating such a model is called a means-ends analysis. P18.6-4 W-Westillgt10USS

18. HUMAN FACTORS ENGINEERING Revision: O

d. Effective: 06/26/92 He top four levels of such a model for a Westinghouse tration = 1500 ppm' for the reactivity balance node as PWR, including the AP600, is shown as Figure 18.6-9. the goal, these predicates become the operating " targets

• Lower levels of the model become more design specific. for the "means', (the equipment). One of the benefits For the AP600, some of the lower levels, particularly as of this model is that it shows, early in the human engi-they relate to the purpose of controlling RCS inventory neering design process, those operational conditions that are exammed in Subsection 18.9.1.3. have small or possibly imagmary operating envelopes if he benefit of such a model to the design of the such exist.

M-MIS is that it sets the operating objectives and, there- Unh that tend to be in a horizontal direction fore, defines the operators' cognitive tasks at the various indicate that a commodity, such as temperature, pres-levels of plant operation. For example, if reactor sure, or energy, or fluid mass, " communicates" be-coolant system pressure needs to be reduced, this model tween, or flows from, one node to another. shows that there is a connection between system pres- He goal-means model in Figure 18.6-9 shows that sure, system temperature, and system coolant mass under normal power operations, attention is directed to inve tory. He two cognitive tasks are, choosing which both the commercial electricity production and to plant one to work with and selecting the means (such as safety. As noted in the model, these two goals are met which valves to open or pumps to start) for effecting his by controlling the nuclear and thermodynamic processes. desired changes. His model also shows that there is a ne difference is in the targets and tolerable control potential conflict in satisfying both the goals of the bands that each goal demands, that is, in the predicates overall objectives of generating electricity and prevent- passed to the processes. From the penpective of the ing radiation release. Similar conflicts show up at lower M-MIS design team, the mental model of the process levels. Sometimes these are the result of the conflict of that the AP600 M-MIS supports is the one that begins the overall objectives; other times they are simply the with the reactivity balance and ends with the environ-result of the way that nature behaves. He result is that ment. He difference between normal power operation one may not, under certain circumstances, be able to and emergency operation is that certain goals and their satisfy or achieve the required multiple objectives supporting means become either ineffective, such as simultaneously. turbine control, or unavailable. Herefore, they are " cut his model, too, attempts to remain independent of away" in the model. His model makes apparent the the allocation of the cognitive tasks to man or automa- logical, degradation of the goals. It also shows which tion. His model only maps the decision space required process resources are available to achieve the goals as by the plant processes. It is a normative model since it an abnormality makes the processes deviate or degrade defines normal conditions. Abnormality is defined as farther and farther from normal. any state or set of conditions that is contrary to those Figure 18.6-10 shows the model after a reactor trip. described by the model. He consequences of process equipment degradation are he links that terid to be in a vertical direction, pass reflected in the changing definition of goal satisfaction the requirements that the upper nodes place upon the that is carried by the predicates. This model, then, lower nodes. In this way, the ' goals' pass their defini- provides the AP600 M-MIS design team with the tion of satisfaction on to the "means" for accomplish- support it needs to design those interfacing resources ment. Rese goals are expressed as predicates, that is, that are to be used by humm to accomplish a smooth, a binasy, pass-fail statement of the process conditions seamless transition from normal to emergency opera-that define satisfaction of the goal. With the appropriate tions. language translation, such as, from ' reactivity balance To complement and make effective those resources, = 1.0" to " control rods at 215 steps and boron concen- this model of the processes needs to be the mental [ WB5tiflgt10llSe l l

18. HUMAN FACTORS ENGINEERING Revision: 0

~"7 Effective: 06/26/92 model that is possessed by the operators. Herefore, the elaborations only serve to draw out aspects of operator mental model must be reinforced in the interfacing performance that are ofinterest for a particular analysis. resources and taught in the training program as dis- Hey do not represent fundamental changes from the cussed in Subsection 18.9.9. model as modified by Woods. Figure 18.6-11 shows This modeling process satisfies the requirements in the original Rasmussen model. Figure 18.6-12 is the NUREG.0700, Appendix B (Reference 11) and in model as modified by Woods. IEC-964 (Reference 17) for a function analysis of the ne modified model of Woods (Figure 18.6-12) plant's processes. His process is used by Westinghouse shows that Rasmussen's model can be further aggregat-in the design of computerized operator support systems ed ano abstracted to reduce it to the four, high level that the NRC has reviewed. Specifically, the process cognitive tasks of monitoring, planning, controlling, and was applied by Westinghouse to the design of the safety feedback. In this form, documented research, such as parameter display system. He NRC reviewed this Models of Cognitive Behavior in Nuclear Power Plants effort and issued a safety evaluation report (SER) Personnel, A Feasibility Study, and in Mapping Cogni-(Reference 12) confirming the acceptability of this tive Demands in Complex Problem Solving Worlds methodology. (References 15 and 16) have noted that by mapping this The psychological or cognitive interest in this model model back onto the "why, what, how" hierarchy as a means for directing the cognitive task analysis is associated with the plant purpose or function decomposi-that it stmetures the plant's processes in a way that the tion model, the cognitive tasks that make up the cognitive systems engineer can see why a control action operator's real-time decision-making process can be is necessary (the goal statement as formulated by the more clearly understood as the continual task of seeking l predicates); what must be done to achieve the goal (s) the answers to a set of questions. Hat set of questions (the choice of available alternatives); and how the is reproduced in Figure 18.6-13. choices are to be implemented, what control actions are In addition, the cognitive systems engineer consid-necessary in order to achieve the goal using the chosen ers the impact of automation. Research (Reference 2) alternative (s) (the means) (Reference 4). His is a has shown that automation changes the role of the recursive hierarchy. Hat is, the control actions re- human operator and, therefore, the tasks for which the quired, themselves, may become explanations of why operator is responsible. He role change that is appro-other choices need to be made and other actions need to priate is to view the automation as part of the process be taken, and so on. He model of cognition that helps being controlled. He operator becomes more of a to further organize and structure the cognitive task systems manager, assessing the performance of the analysis activities is described in the following para- process under automatic control and deciding whether to graphs. intervene. He followup question in the cognitive task A supplementary model is one that adequately analysis is: If intervention is necessary, what are the represents the cognitive activities of real-time process appropriate human operator actions? control operators. Rasmussen's model (Reference 4) Much of the moment-to-moment operational has been modified by D. D.1" cods, Reference 13, to activity is guided and constrained by procedures. He make explicit the role of feedback in the decision- impact on the cognitive task analysis is for the AP600 making process. More recently, in An Analytic Tech- human engineering design team to realize that it is the nique for Framing Control Room Evaluation issues responsibility of the operators to continually evaluate the (Reference 14) further elaborations have been made to operational success or failure of executing the current make explicit other components of performance, such as procedure. It is a fundamental assumption in the design normal operations or crew coordination. H ese later of the computerized operational support systems (the P18.6-6 W.- Westingt100se

18. HUMAN FACTORS ENGINEERING Revision: 0 v Effective: 06/26/92 .

M-MIS) of the AP600 that the human operators have a To be mentally ahead, a operator must have a qualita-thorough understanding of the functional purpose or tive understanding of these relationships. This set of objective of each of the procedures. He operator relationships becomes a mental model of the functional-understands what the procedure is intending to accom- ity of the process controlled. %e operator, in real-plish, such as, cooling the core or improving the water time, maps the process variable values, changes in those mass inventory. Providing the operators with a thor- values, and rates of change of those values, as provided ough understanding of purposes and objectives is a by the process instrumentation onto that model and requirement of the AP600 Operator Training Program, through the model interprets their meaning (the current discussed in Subsection 18.9.9). He cognitive systems state of the process). engineering activity then provides the resources that help %e second characteristic is that an opeator who is the human operators assess the effects that the procedure mentally ahead of the process that he controls questions execution has on the plant processes and seeks validation of the information received. He Finally, operators of real-time processes are contin- operator is continually evaluating and validating the ually plagued with the problem of data validity. An instrument indications to determine that they are accu-operator cognitive task is to continually assess the rate about that portion of the process that they sense. A validity of the process data upon which the correctness competent operator does this in a number of different of their decisions depends. ways. For example, the operator uses his mental model to seek corroboration of a change in one part of the 18.6.6 Role of the Operators in the AP600 process with related changes in other parts of the Main Control Room process. %e operator also uses this mental model to anticipate the consequences of control actions (initiated he AP600 design is based upon the position that by either automation or by himself), and is determimng the ultimate responsibility for successful plant operation, if those actions are accomplishing their purpase. In from both a commercial and a safety perspective, Process control situations, where much of the control resides in the hands of the main control room operators action is initiated either by automatic control systems or and their immediate management. For the design cf the is stimulated by operator procedures, the competent AP600 M-MIS, a competent operator is defined as: Operator is exercising skepticism by continually demand-ing to know if the automatic action is effective or if the "A competent operator is one who is mentally Procedure is the appropriate one. Unquestioning ahead of the processes that he controls. Ideally, for acceptance of either the automatic control or the proce-this operator, there are no surprises.= dure is unacceptable to a competent operator. There are two characteristics that contribute to a 18.6.7 Summary successful operator. %e first is that to be mentally ahead of a real-time process, the operator must have an %e preceding discussion has exammed three excellent mental model or image of the behavior of that models that are used for various task analyses. Hey process As noted in Subsection 18.6.5, processes are are especially useful for that portion of the task analyses coupled and connected by more than just flanges and that is known as a function based or cognitive task welds. Rese couplings are the dynamic relationships analysis. %is type of task analysis is significantly that are intrinsic in the nature of the processes involved, different from the task analyses that are traditionally such as, energy flow / transfer, chemical influences, performed in the nuclear power industry. He two relationships between voltage, impedance, and current. major differences are: P18.6 7 .s Wm W65tiligt10USB

18. HUMAN FACTORS ENGINEEP.lf4G Revision: O O Effective: 06/26/92 s./

~ h

1. He cognitive task analysis includes an exammation uses in acquiring and evaluating the necessary input data of decision-making or mental activity that is based prior to taking any action. Herefore, while the deci-upon an engineering analysis of the plant's process- sion sets model is focused upon the decision mmhrg es, and aspects of plant operation, it is reasonable to assume

2. Because of difference 1, the cognitive task analysis that there are actions that will follow, even if the action can be used to derive the operating procedures and is only to pass on the results of one or more of the verify that they are consistent and are coordinated decisions in the decision set. These associated action with the design of other decision-supporting sets can be similarly segmented and grouped. %e esources. implicat ion is that the decision sets organization model is consulted in the design process when decisions are In the traditional approach, the formal task analysis made about the organization, structure, and content for begins only after the procedures have been completed. the various procedures.

He procedures are then used as the means for defining he decision sets organization model, to the extent the operating tasks for the analysis, possible, is independent of the type of decision maker A brief summary of what these models are and how (human or automation). It is dependent, to a large they interact with each other to guide the AP600 human degree, on the results of the purpose or function analysis engineering design activity is provided. that is captured by the function decomposition model. He human engineering activity needs a method for his model exammes the purposes behind process building a foundation that can be used to guide, coordi- systems and equipment. It captures the goals for nate, and integrate subsequent work. He models form operation and defines the envelope of normal operation - that foundation. through the use of predicate statements that reflect the Traditional industrial engineering time and motion demands of one purpose upon another. For example, a l studies, as a method of task analysis have their place in pump whose purpose is to produce fluid flow demands l areas of plant operation that are very repetitive and, in that it be cooled such that its beanng temperatures do Rasmussen's terminology, are " skill" based (Refer- not exceed XX degrees. His function decomposition ence 4). However, they are of little or no use in those model further refines and defines the AP600 operational areas where effective decision mahng is the essence of decisions that are included in the decision sets organi-the task. He human engineering activity that focuses zation model. on designing effective decision support resources is a To define the data to support the real-time process relatively new discipline known as cognitive systems control decision mahng, Rasmussen's model provides engineering. Rese models form the foundation for the the basis for a set of questions that are continually cognitive systems engineering activity. answered by the decision maker. The cognitive task A way to define the activity is to establish and analysis maps these questions into each node of the organize the decision sets that the plant requires either function decomposition model and uses plant design data as a result of plant control or as a result of the political to determine the answers. He human engineering team and social environment in which the plant is operated. forms a data base that shows what plant process parame- %e decision sets organization model helps show which ters need to be measured so as to provide the decision decision sets are related to the problem of real-time maker with the data needed for decisions. Data reveals control of the AP600 and which can be done off-line. if the goal of a function is achieved or if the currently An assumption is made that decisions come before operating process equipment is performing as the actions. Here is, as Rasmussen's model (Reference 4) designers expect it to perform. suggests, some period of time that the decision maker P18.6-8 W-Westillgt10USe e l l l l 18. HUMAN FACTORS ENGINEERING l Revision: 0 ~~ v Effective: 06/26/92 [ l The core, then, of the function based or cognitive

• CONTROLIJNG task analysis is the cognitive tasks associated with l answenng the following questions: 11. Process Initiation, Tumng, Termmation - How is a l process or subprocess controlled? j l

• MONITORING / FEEDBACK The function based or cognitive task analysis is ,

completed when a data base is created that contains the i 1 - Monitoring: answers [such as, what process data should be exam- i l ined, what synthesizing technique or algorithm should be I

1. Data Validity - Is the process data valid? applied, or what system or piece of equipu-cat (tag num-ber) to execute actions upon) to the set of questions for

2. Process Assessment - Where is the mass? each node in the function decomposition model. This Where is the energy? data is orgamzed according to that model. ' Ibis data What is the reactivity level? base identifies the decisions, the cognitive tasks, that the Where is the radiation? real-time processes require and the data necessary to make the decision (s). Putting the decisions from this Feedback: data base back into the decision sets orgamntion model

! begins the process of identifying the decision makers

3. Goal Satisfaction - Is the goal being satisfied? (task allocation, crew structure, and job responsibility),

l and how those decision makers are to be organized and

4. Process Performance - Is the process that is are to interact with each other.

l currently deployed performing correctly? I

5. Procedure Adequacy -Is the current procedure achieving the desired purpose?

• PLANNING

6. Goal Selection - Which goal has the highest priority?

7. Choices Among Alternatives - Should a process be working?

8. Process Availability - Can an alternative process or subprocess by deployed?

l 9. Over-ride Automation - Is intervention currently l required?

10. Required Manual Actions - If intervention is required, what manual actions must be taken?

W Westinghouse l l 18. HUMAN FACTORS ENGINEERING ' ' - ' R; vision: 0 Effective: 06/26/92 , 1 d l l I MEDICAL l l MED6A (RADIATION) POPULATION NUCLEOPHCs WEEK NEWS ATA POP RAD, P, DATA DEPA MMT NUC, , DATA VEDR , FIRE A NRC NSS$. ATA (Hagulators) MAJOR COM , ATA COMPONENT SUPPUER , ATA ~ NRC . DATA i a l LOCAL XYZ UTILITY j AP600 POP _EV AC_DAT A EMERGENCY CITY _ MANAGEMENT l RAD. PLUME, DATA OPERATIONS j EMERGENCY CENTER CENTER 0 FUEL Y , TA GO , M I COUNTY & STATE , FUEL i GOVERNMENT lSUPPUERS WAN ATA WO D O A INPO, ATA VESSEL, CODE, MPL DATA p INSTITUTE OF NUCLEAR POWER OPERATIONS AMERICAN SOCIETV OF MECHANICAL ENGINEER $ l l l l Figure 18.6-1 Context Diagram for AP600 Operations W Westinghouse P18.6-10 1

18. HUMAN FACTORS ENGINEERING .

I ffec e: 06/26/92 'N < '. 1 1 i l i l l l FIRE ATA POP RAD. -DATA POP.E C., DATA O . ATA NSSS COMPL. DATA _ j EMERGENCY por_ CPS, DATA OPERATIONS INPO. ATA RAD _PL s ..~_ gogPL, ATA ~~~..... ygssEL CODE, COMP ,' ,8 8 s , , COMPL, ATA ' CtekEJA$'0PS i' ' . e e' s1' 's .

• g i MTW o' *

(NORMAL DECL.EMRG.f %TM an~PwR. OPS ,8 .1 , . HEAT-UPr$ TART # DECL.EuR9.OM DECL.5HYD/, OPS j,' , VESSEL. CODE. n,DM s , o ' 91 's * ,e r DEnf-UP.OP6

• s

~# o m,e cog DATA ,# p DECL.EbR% OPS ' OVTAGE 's ,# O,PERATO O '% i un toADe COMPT ... APee .3 ' 'ECCNM'? D ...A g,TO OPEMTO W W. TA yggsEL, COO NE. e vgssEL,COct.C . DATA l Figure 18.6-2 XYZ Utility Operations,0 W# T Westinghouse P18.6-11 I I l =:

18. HUMAN FACTORS ENGINEERING ffee e: 06/26/92 w'

l { l l l AP400 CoasMWATY MANTENANCE MEDICAL EMRG MAINT,MGMT DATA l (EMERGENCY pg py, ' OPERATIONS) ,y COMMIMTV XY2 U11UTV RRE MED ATA DEPT. MANAGEMENT EMRG MAINT, ST (EMERGENCT .if OPERATIONS) TA RRE AP500 WQMT, E TA ,... WTE ACTIVATE MED',og MEDICAL ," DEPT. RAD &C EM ~ ~== AE" MGMT, ATj SYSTEMS ~ 11 i ' MANAGEMENT RADFON (EMERGENCY

• AtTWAU*RRE OPERATIONS) =.g

CREW R ~ AP600 .1 AP600 CHEMasTRYr M .RAE- SITE HEALTN PLANT , ATA ASNDN,CNTRLM RRE Pe#SCS s -g DE PT. C.JTRL_BD D A 9 EQ OPR, j 'psRG. T 11 s AP900 '% ' PROCESS Se =1 **\ E g PLANT- ' OPERATION t PROCESS, A ENTATION qqt3P,gTATE_CettG_DEas40

EMRG_tET,DA TA pgggggy BD_ DATA t (EMERGENCY DATA-1 STORAGE OPERATIONS) 19 g

OPERA M ) .16 *. , * * , *'.' si s MET TA PLNT PR CS_ DATA 's, # AP600 APese EQtAPMENT METE .* 4 LOGICAL AP600 CONTROL I DATA PROCESS PLANT EQUIP _ STATE,$ ATA (EMERCdNCY GATHEfilNG DATA l GATMEfHNG OPERATKXdS) i l .16 i .14 l 1 1 l l [ Figure 18.6-3

AP600 Emergency Operation,4

.s ! W- h ! @ 0Use P18.6-12 1

18. HUMAN FACTORS ENGINEERING  !=i h e: 06/26/92 ,

t, A RO_EMR3 fNST OPS _INJUR DATA MOE E 0 DATA ABNDN CNT,RL RM CSF_TRE , ATA BOP _EM _ INST s ps  % ,o* /  %, K ,o" ACTIVA %STA ,o'

• AP600 AP600 SHIFT EMERGENCY FIELD _EMRG_ INST TECHNICAL  : SYSTEMS ADYlCE OPS _STRTGY_ DATA MANAGEMEhT. I (NUREG-6 '37) CONTROL ROOM PLANT _CH _ TA j

,o ' .1 * ,o .2 DECL_E%_ OPS RE _ TDN RM, NON. DATA i CNTRL, _ ' RAD _ ZONE AT% NON, QUAL ATA SECUR DATA QU L DATA (RG E- 7) Figure 18.6-4 AP600 Systems Management (Emergency Ops),4.1 W~ Westinghouse P18.6-13

18. HUMAN FACTORS ENGINEERING .. i Effec e: 06/26/92 _

s I v# 1 l l l l l MGMTJ RG DATA FlR DATA NRC_EMRG DATA \ l NATA RAD,20N SECURt ATA MG _EMRG_ DATA AP600 fEC NICAL TSC_STA_COMWN SUPPORT TE NtCR CENTER ADVISOR OPS,lNJURY. DATA (NUREG-0696) (NUREG-07371 PLANT C , M o %, ACTWATE/b ,% TGY, DATA s1 s,s',- j l OPS. ACTNATE_5 A / C5 TREE _ DATA t I 1 l l l Figure 18.6-5 AP600 Shift Technical Advice (NUREG-0737),4.1.1 l ._. l W Westinghouse P18.6-14

18. HUMAN FACTORS ENGINEERING 'i = ii Revision: 0 Effective: 06/26/92 ,

^%) BOP _ OPS _ ,$TA NSSS. OPS _ DATA POP AC_ DATA RAD _PL DATA NEf A XYZ UTILITY AP600 POP _ RAD _ EXPOSURE _ DATA EMERGENCY OFF-SITE FACILITY MGMT_EM _ TA (NUREG-0737) .1 COMRCL_ TA XYZ UTILITY COMMERCIAL MANAGEMENT EMRG_M _ DATA (EMERGENCY RAD CHE _ DATA OPERATIONS) .2 NOTE: NOT IN WESTINGHOUSE'S SCOPE Figure 18.6-6 XYZ Utility Management (Emergency Ops),4.15 3 Westinghouse P18.6-15 l

18. HUMAN FACTORS ENGINEERING n -- i; R vision: 0 Effective: 06/26/92 l k l ,

/

• • • • • • • CN LD, RX_ QUAL _ EQUIP _

ST ATE _CNNG,DEMND, e , # NON MMEl_TE EQUIP _STA , CNNG e et # RX,COM DATA ,e ,s e RX_NON-QUAL, , , .

• EQUtP. STATE _

, .

• C&G_DEMND $1 EMERGENCY FIELD EQUIPMENT M GENCY IEL L TiONS REACTOR EQUIPMENT RO FIELD EMRG_ INST AIN hLROOM FIEL . G_ INST 3

.1 QUAL A (RG A7) SOP FIELD,E RG,1NST % INST RO_EM CNTRL NOH I._ DATA DOP_ L_ DATA AP600 EMERGENCY DOP_ QUAL Q#,,.* BALANCE OF PLANT , $TfJ&_ G. j

1. 1 EQUtPMENT )DEMND CNTRL_RM L_ DATA OPERATION, MAN CONTROL ROOM

' bE_NON-QUAL, S EQUIP _31AIE,CNNO, QUA ATA DEMND *.., (R .t.97) BOP E RG,1NST REMT_SNTD RM '80 N20AL_ DATA Figure 18.6-7 AP600 Equipment Operation (Emergency Ops),4.18 v 3 W65tingh0USS P18.6-16 I

18. HUMAN FACTORS ENGINEERING  ::=ii Revision: 0

( l w/ J l l i REMT,$HTON RM N QUAL, DATA l I i QUA I AP600 l REMOTE SHUTDOWN i ROOM PLANT P ESEN AT ON l .1 QUAL TA ,f 4 ACTVT REM SbTDN,RM CNTRL,R H UAL_ DATA AP600 MAIN ,# CONTROL ROOM s PLANT PROCESS # ,,. "",,, DATA PRESENTATION (E'.JEROENCY f OffCDfi,CitT(RM OPERATIONS) .2 ,.~~ ABNDN.CNTRl'RM b*'Till,P , DATA l l Figure 18.6-8 l l AP600 Process Data Presentation (Emergency Ops),4.18 l ~ 7 l T Westinghouse P18.6-17 1 i ]E iE 1]

h.  !

5 i U b llIl /s O, 1 -/A / / ii L,i j 37 _N _\ \ lli ,I n 19 l lie i pcp' - - .i Iv , K jf Ii t ID Q@ y9 i x! is \\!ix y $ lil f EN i; wNbili @ g ./ l.' i l 58 - i1 l j.i 3 Ill @

18. HUMAN FACTORS ENGINEERING  !=E Revision: 0 Effective: 06/26/92 s

l l l i f i l I , LEVEL 1 // _N _ _ _ , _ _ . _ _ _r _ _ stramury erreaarry stravery erreamy wasyluour. LEVEL 2 l - - - _ _=. _ i =, m fi 1 um c i 6 FEEDWATL3 MAS $ 4 ENEn$, eALAmes / 9 VEW __ co or MAS $ & ENEROW == f / \ cournot con _t cournot conrnos e,,,,,, ,,,,,,, eposs putt a CLAD nes cocuwt nes e synAM CoNTAMBtr LEVEL 4 mEACMrV j WP- TEMP. MSSME gygygg gggygg a n 1 - hh "' Figure 18.6-10 ! Top Four Levels of the Function Decomposition of Emergency Operation for a Westinghouse PWR l T Westinghouse P18.6-19 l ._ . . . . _ . - _ . -.. .- - . . - . . -= .- _ -- _ _ .- - - . . _ _ . -

18. HUMAN FACTORS ENGINEERING = :i Revision: 0 Effective: 06/26/92 I l

.~ d l l

• Goal /Means Structure Decision-Making Steps Monitor Plannirig Control P(x) - - - - - - - - - - - - - -

• Goal Satisfaction

I Function A

• Process Performance

, (IS process working f Subprocess 1 Subprocess 2 \ ,.._. correctly?) l

• Choices Among  !

Alternatives (SHOULD a process be working?)

• Process initiation,

• T rtni ting P(y) - - - - - - - - - - - - - - Process Avaliability fH 'o c'o su pr ess ork?) process or subprocess?)

Figure 18.6-13 1 Structure of the Real-Time Analysis - (From Woods, D.D. and Holinogel, E.,1985) [ Westingliuuse P18.6-20

18. HUMAN FACTORS ENGINEERING

. Revision: 0 l d Effective: 06/26/92 L=E, 18.8.2.1.1.4 Model of Human Decision understand what the operator's tasks are relative to Making controlling the process. In the M-MIS design process, the function based task analysis provides the mechanism l In addition to providing M-MIS support of process for creating this unde standing and creating the docu-equipment control and operation, the interface design mentation to guide the design of the M-MIS. As shown basis includes consideration of certain cognitive tasks. in Figure 18.8.2-2, the inputs to the function based task Rese cognitive tasks represent how humam reason, analysis are the design basis described above. %e assess situations, and make decisions in a real-time output from the function based task analysis is a set of process control environment. He premise for this cognitive and physical tasks that defines the operational design basis is that errors of intention (incorrect or 8 pace of the plant, a mapping of these tasks to each improper decision mahng) can be reduced if the set of plant function orgamzed in a goal-means structure, an tasks that the M-MIS is designed to support includes allocation of these tasks to man or to automation, and an those cognitive activities experienced while operating the identification of the data to perform the tasks. %e plant. To accomplish this, an input to the function activities which comprise the function based task analy-based task analysis is an operator decision making sis are described in Subsections 18.8.2.1.2.1 through model. 18.8.2.1.2.4. The model of human decision making used in the M-MIS design process is adapted from that proposed by 18.8.2.1.2.1 Definition of Applicable Rasmussen, (Reference 1), modified to include feed. Tasks back. Figure 18.6-11 shows the basic cognitive tasks s that comprise the model, and their relationships to one ne M-MIS design process addresses the require-another and to the higher level issues of monitoring, ments of the plant. Rese requirements are charac-interpretation, control, and feedback. A discussion of terized as sets of decisions, actions, and interfaces with this model is provided in Section 18.6. His model is both internal and external persons and organintions. used in the M-MIS design process to provide a structure To identify, organize, and document the operations for establishing the cognitive needs of the plant opera- requirements a decision-sets organizational model is tions personnel. He approach used is to derive a set of created. His model is a decompositional model. It questions and answers which form the task analysis, represents collections of decisions performed by the ne use of a model of human decision rnabng in operations personnel consistent with the operational I i performing this process increases the designer's confi- philosophy and staffing structure for the AP600. In this dence that the task analysis adequately addresses the model, the decision sets are defined at various levels of cognitive activities expected of an operator in a real-time abstraction to deal with the types of operational deci-process control situation. Examples of the questions and sions made for the plant operating states. A discussion a discussion of the use of the decision makmg model is of the creation and meaning of the operational task provided in Section 18.6. model is provided in Section 18.6. Section 18.6 also describes how the model is used in the M-MIS design 18.8.2.1.2 Function Based Task Analysis process to map data and resource requirements to the expected processing fc,. plant operational decisions. In %e key to designing an effective interface is to this model, the required data stream, M-MIS compu-present the plant data from the perspective, and in the tational resources, decision criteria, and the possible context, of the decision and action problem space of the output states (decisions) are determined for each opera-process controlled. He interface designers need to tional activity. Since the modelis one of decomposition P18.8-1 W Westinghouse

18. HUMAN FACTORS ENGINEERING '

Revision: 0 l- = Effective: 06/26/92 E. i 9 ' 1 (with operations at the highest level), intermediate 18.8.2.1.2.3 Determination of Tasks by , groups of decision sets suggest appropriate aggregations Plant Function l of data and resources which correspond to the opera-tions and management structure of the plant. His Once the goal-means structure is created, showing model is then used as input to the task analysis of plant the relationships between goals, processes, and alterna-operations. tive processes, then the task analysis can be performed. The objective of the task analysis is to determine the 18.8.2.1.2.2 Goal.Means Structure of process plant data needed to support the decisions by a l Plant Functions decision maker, to make the plant equipment achieve Ps i designed purpose. He task analysis involves superim-He goal-means structure of the plant is used to posing the questions derived from the decision-making , provide a normative model of the plant processes con- model onto each node in the goal-means structure to  ! trolled. The model provides representation of the physi- define the plant process data necessary to answer the l cal plant and of the plant designer's intent. It takes the questions. Rese data are then grouped to provide the form of a graphical representation of the physicallaws requisite context. His goal-means based task analysis that govern the behavior of the process modeled. His represents plant systems and equipment control data representation is based on the concept of describing the requirements. plant's functional processes in terms of the goals to be ne output of this exercise is a determmation of: achieved and the means or mechanisms available fo-achieving them. High level goals, such as controlling

• What process data is necessary? What sensors are primary coolant temperature, are accomplished by required? What are the required accuracies, and performing dermiblevel procedures, such as maintaining what algorithms are appropriate for combining j adequate powee or providing heat removal capability sensor data into more abstract and meamngful data?  !

from specific cctyonents. He objective of performing this analysis is to develop a structure that links the

• He relationships among the process data. The purpose (s) of individual components or controllable context in which each data element is presented to entities with the overall purpose of the plant. His convey its meaning.

includes knowledge of the plant's physical structure, and the purposes or functions of the equipment. His

• The relationships between data entities and the representation organkes the knowledge to enable the definition and o.ganization of the plant process data M-MIS design team to identify and answer process base.

contrM questions. The inputs to the goal-meaa model-ing activity are the AP600 design documents coreining

• He physical actions that are taken to control the plant information, such as the piping and instrumentalon plant, whether by humane or automation.

diagrams, system descriptions, and control and protec-tion logic diagrams. A description of this model is Rese task analysis results are documented in task provided in Section 18.6. descriptions. His task analysis process is used to express both l the purpose and the process of an operation activity. He task analysis methodology is applicable to both the systems manager and equipment operator behavior roles, as shown in Section 18.6. P18.8-2 W - WB5tillgh0US8

18. HUMAN FACTORS ENGINEERING Revision: O d Effective: 06/26/92 M" 18.8.2.1.2.4 Allocation of Tasks Between and control philosophy. The task analysis does not Man and Machine invalidate these considerations. Instead, it adds to them to point out that there are cognitive consequences, and He AP600 tasks are allocated to either human that these consequencea affect user tasks, interface operators or to automation. The task allocation step in requirements and, therefore, the allocation decisions the human engineering process consists of two iterative themselves.

activities. These activities are: For operations tasks not identified for automation, the M-MIS provides assistance to reduce operator

• Allocating the results of the task analysis as pre. mental workload in a number of other ways:

sented in the task descriptions to either humans or to automation. An example of a list of capabilities

• Synthesizing plant parameters from raw sensor of each is provided in Appendix B of NUREG-0700 outputs that are more representative of process (Reference 2). As automatic systems technology is Performance improved and as a better understanding of human capabilities aad limitations develops, particularly in

• Collecting and organirmg related data in a way that the area of decision-makmg the potential benefits of eases the operator's search for data for diagnosis automation increase. and for other decision-mabng activities

• When a task is automated, additional human tasks

• Accessing plant data from previous operational

~ are added to the task descriptions. Subsequently, situations that have been stored in the system _ an assessment is made of the operator's ability to accomplish these tasks. Typically, these added

• Providing. graphic presentation of plant data to tasks deal with addressing such issues v whether or enhance the operators understanding of that data not the automatic system made the correct decision, whether or not to switch to MANUAL control from

• Collecting related control devices to create system AUTOMATIC and, particularly in the case of the level controls that more accurately parallel the automatic protection systems, whether or not the Operator's intention for a change in plant state.

full capability of the system is needed. The first issue is an attribute of the design decision to auto. 18.8.2.3.1.5 Integrationof theVerification mate or not. The second is a result of the design or and Validation Programin the decision-mnhng strategy used in the automatic M-MIS Design Process controller. He consequences of both attributes are included in the final task descriptions so that the Figure 18.8.2-6 depicts the relationship of the proper " knowledge" is active and available to the human factors test program to the M-MIS design operator. process. He figure orgamzes information in six hori-zontal rows. He second row displays an abbreviated In summary, the task allocation step cannot be done version of the M-MIS design process. He design independently of the other steps in the human engineer- process starts with a mission statement that defines the ing process There are a variety of factors that can purpose and goals of the M-MIS. His leads to the influence a particular allocation decision or the choice of establishment of human paformance requirements, a general philosophy about human / automatic system which are operator behaviors that are supported to roles in a system, including cost, available technology, achieve the mission statement. Functional requirements 4 P18.8-3 W Westinghouse

18. HU.*:!AN FACTORS ENGINEERING

-.- Revision: 0 I Effective: 06/26/92 are developed to guide the development of the M-MIS testing clarifies human performance issues and refines design to support the human performance requirements. functional requirements for the M-hDS. Performance Rese functional requirements are implemented in the testing verifies that the functional requirements have design of M-MIS components. M-MIS components are been satisfied in the design and provides evidence that built as prototypes. First, they exist as individual and the final design satisfies the human performance goals. partially integrated M-MIS prototypes. Finally, they Two types of evaluations are conducted during the exist as an integrated M-hDS hardware prototype after concept testing phase to guide the development of the components have been assembled and interfaced. functional requirements. The first is conducted to he design process includes maay intermediate steps identify important general theodes and principles of tbn are not depicted in the figure. man-machine interaction. His may take the form of ne row above the M-MIS design process repre- literature reviews, case studies, and experiments. The sents the points in the design process in which human M-MIS functional requirements are reviewed and factors and cognitive psychology theory are applied to modified based on the findings from these evaluations. the design process. He human performance require- his research is not explicitly addressed by the AP600 ments are derived from a model of human performance M-MIS verification and validation program. (Subsection 18.8.2.3.2.2), an analysis of major classes A second type of test is conducted during the of operator activities (Subsection 18.8.2.3.2.3), and a concept testing phase with M-MIS breadboard designs. model of support (Subsection 18.8.2.3.2.4). He Breadboard designs include design concepts represented derivation of these human performance requirements is through drawings, rapid display prototyping software, discussed in Subsection 18.8.2.3.2 Phase 1: issue defini- and mockups. Plant dynamics may be represented tion. Next, human factors and cognitive science theory through scripted scenarios, a series of static representa-are applied to the development of functional require- tions or computer-based simulations. Computer-based ments. Inputs include M-hDS design principles and simulations are not necessarily specific to the AP600 guidelines that are obtained from the human factors and The purposes of these tests are to: cognitive science disciplines. Examples include results of research on human-computer interaction and

• Explore and clarify human performance issues human-centered design requirements found in associated with specific design concepts References 4 and 5, and internal design guidelines such

• Contribute to the development of functional require-as the display design guidelines. ments for the M-MIS Functional requirements development is also guided a Contribute to the development of criteria for human by man-in-the-loop studies designed to test M-MIS performance requirements of the M-MIS.

design concepts. %e design and analysis of these man-in-the-loop tests are guided by human factors and Qualitative information gathered through protocol cognitive science methods described in References 3, 7, analysis, debriefing discussions or other means are and 8. Finally, human factors and cognitive science analyzed to identify design features that lead to confu-theory is applied to the design and analysis of design sion, errors and slow or awkward actions by the sub-acceptance tests, which use individually and partially jects. Rese performance problems are evaluated in integrated M-MIS hardware prototypes and integrated terms of their effect on the successful completion of a M-MIS hardware prototypes (Reference 9). task. Functional requirements can then be developed to The third row depicts the types of evaluation tests address those design characteristics that have significant that are included in the evaluation program. H ey are effects on system performance. He intention is not to concept testing and performance testing. Concept develop superficial enhancements of the design concepts. P18.8-4 W85tiflgh00S8 _ 18. HUMAN FACTORS ENGINEERING Revision: O s Effective: 06/26/92 " " "

• k Instead, the intent is to understand the mental burdens performed for those evaluations that test man-machine that specific design features impose on the users with interface system response to postulated plant failures.

respect to perception, anention, and memory and then to Criteria for the validation tests are based on the develop functional requirements to systematically technical data of the plant design and an understanding address these demands Quantitative measures of of the dynamic response of the plant during postulated performance are judiciously used as baselines to com- failures. Criteria for operator performance are devel-pare altemative designs and to evaluate performance oped during the functional requirements phase of the benefits achieved through refinements of design con- M-MIS design process as the design of plant compo-cepts. nents are finali7ed, better roodels of plant response are Two types of tests are conducted during the perfor- developed, and the M-MIS design concepts are more mance testing phase - verification and validation. completely specified. Problems identified during the Verification tests are conducted to determine whether validation tests are investigated using protocol analyses the final design satisfies the previously established and other techniques to determine their root causes. functionalrequirements. Verification tests are analytical Solutions are implemented and the test is repeated studies in which each feature of the M-MIS design is Potential solutions include mo::ifications to the M-MIS compared to its functional requirements. Deviations design, operating procedures, and requirements for from the functional requirements are documented, rated personnel trammg (Subsection 18.9.9). for severity in terms of their potential effect on perfor- For some verification and validation tests, a high mance of the man-machine system, and addressed by a degne of test bed fidelity is required, including realism review process. For each deviation a decision is made of plant dynamics and completeness of the M-MIS. to: bring the deviation into compliance with the fune- Rese tests use e near full-scope, high fidelity simula-tional requirements by modifying the design; reduce the tion. ney are performed later in the design process, potential negative effects of the deviation through such such as during the factory performance testing phase. means as procedure modifications and training; or allow %ese tests include verification of functional require-the deviation to exist without change if it is determined ments for the integrated M-MIS. Other tests to be that it has negligible negative effects on the performance performed encompass more traditional human factors of the man-machine system. concerns including room layout, lighting, heating and Validation tests are conducted to provide evidence ventilation. %ey also include validation of that the man-machine system performs as anticipated by man-machine system performance, including crew the original human performance requirements. He response to a variety of accident conditions. validation tests provide evidence that the M-MIS fune- Other verification and validation tests do not require tional requirements are appropriate and adequate for the same high degree of fidelity. hey can be per-demonstrating operation. Validation tests are formed with part-task simulators consisting of individual man-in-the-loop expenments in which subjects perform and partially integrated sets of the M-MIS's prototype operational tasks that demonstrate man-machine system components and dynamic simulations of selected aspects behaviors that are critical to the effective operation of of plant behavior. Rese tests are performed earlier in the plant. Rese tests are performed with equipment the design process, as soon as production prototype that emulates production prototypes of the M-MIS components and adequate simulations are available. resources, such as alarm presentation, procedures hese tests include verification of functional require-presentation or process data displays and subjects who ments for individual M-MIS components and validation are representative of the potential operators of the of some aspects of man-machine system performance. AP600 Dynamic simulations of plant performance are Efforts are made to perform these tests as early in the P18.8-5 W Westinghouse 1 1 1

18. HUMAN FACTORS ENGINEERING l Revision: 0

• Effective: 06/26/92 design process as practicable, to help muumim the

• Functional fidelity refers to the degree to which the effects that design modifications may have on the design prototype behaves like the actual system.

of the total M-MIS. Physical fidelity refers to the degree to which the 18.8.2.3.1.7 Model of Test Bed Fidelity physical form of the test bed resembles the actual system. Form can be characterized in at least three l It is a goal of the verification and validation categones. l I pmgrain to conduct tests as early in the M-MIS design process as is practicable. His allows design changes

• Abstract - A representation that has little resem-that result from the tests to be incorporated earlier into blance to the actual system (such as, a drawing).

the M-MIS with minimal effect on the overall M-MIS design schedule. The availability of a test bed, a

• Representative - Some relevant physical characteris-representaticn of the M-MIS, is a major requirement for ties are presented (such as, a three-dimensional conducting evaluations. In addition, many types of mockup of a console that is constructed with foam evaluation do not require near full-scope, high fidelity core).

coresentations of the control room. Herefore, a set of  ; principles guides the specification M-MIS test bed

• Actual - Actual hardware (such as production proto- l fidelity when defining evaluation requirements. A type equipment).

rnodel of test bed fidelity provides this guidance. Fig-ure 18.8.2-10provides a graphic summuy of the dimen- Functional fidelity has two characteristics: infor-sions of this model. mation content and dynamics. Information content he following is a discussion of terminology: Pertams to the data and text provided in the M-MIS test bed. For example, a display system test bed can contain  !

• Prototype characteristic consists of two parts - real- aarnes of actual plant components and realistic values or l ism and completeness. just strings of random alphanumeries. %e fidelity of information content can be characterized in three levels:

• Realism refers to the degree to which the prototype

• Low - Random data or characters are used as place resembles (looks and behaves like) the actual system. holders to fill the data fields of interest. Data are neither accurate nor complete. His level of fidelity

• Completeness r9fers to the degree to which the pro- is used for tests of legibility, totype represents the total system.

• Medium - Relevant data fields do not contain accu-A part-task simulator is an example of a prototype rate and complete data. Data fields are partially that has limited completeness (it represents a small filled. Data is random or fictitious. His level of portion of the entire system) but often has a high degree fidelity is used for studies of display space naviga-of realism. Realism can be further broken down into tion, in which subjects use menu headings and other the following two components: aids to locate a specific position in the display 8 Pace.

• Physical fidelity refers to the degree to which the prototype looks and feels like the actual system.

• High - Relevant data fiehls contain accurate and

- complete data. His level of fidelity is important P18.8-6 W Wes1inghouse

18. HUMAN FACTORS ENGINEERING Revision: O d, Effective: 06/26/92 -

+ for evaluations that address complex decision tion of operator performance is specified. Based on the makmg. model, three major classes of operator activities are defined: Dynamics refers to the behavior of the M-MIS as represented in the test bed. At least four levels of 1. Detection and monitoring representation are possible as follows: 2. Interpretation and planning

3. Controlling plant state.

• Individual static presentation

• Sequential static representation (sometimes called a For each major class of operator activity, the types slide show) of conditions are mapped out that can increase task

• Continuous dynamic, not real time (such as, sbw, complexity, the cognitive demands posed by these situa-fast) tions, and the potential types of human errors that can

• Continuous dynamic, real-time. result. His analysis draws on analyses of operator performance during actual and simulated emergencies Tasks that mquire physical skills such as reach and described in References 10,11,12, and 13, and on dexterity require a high degree of physical fidelity in the cognitive task analyses of NPP operator performance prototype. For example, operation of soft controls discussed in References 4,11,12,13,14,15, and 16 requires dexterity, speed, and accuracy. Evaluation of and models of human decision-malmng in complex alternative soft control methods (such as, mouse-driven, systems and human error (References 19 and 20).

poke points, touch screens, and keyboard commands) ne analysis of operator activities and cognitive requires high physical fidelity. Functional fidelity (how demands define: it actually operates) is less important in this instance. Cognitively demanding tasks require a high degree

• Re major classes of operator activities that M-MIS of functional fidelity to provide a valid test case for needs to support operator decisions. Important considerations include:

provision for a sufficient data set so the operator's a ne types of complex situations that need to be problem is validly represented; the data set updated at a sampled in evaluating the effectiveness of the sufficient rate to simulate valid system dynamics; time M-MIS in supporting each of these three classes of constramts; and so forth. operator activity. 18.8.2.3.2 Phase 1: Issue Definition ne M-MIS features intended to support each of these operator activities are then identified. His defines %e objective of Phase 1 of the verifiestion and the model of support evaluated as part of the verification validation test plan development methodology is to and validation program. identify the major evaluation issues that are tested. His ne set of issues tested are derived, based on joint involves several activitics as shown in Figure 18.8.2-5. consideration of the M-MIS features intended to support First, the main M-MIS features to be included in the each operator activity class and the dunensions of evaluation are identified. %ese are used as a startmg complexity that can arise (References 21 and 22). point to define how the M-MIS is intended to support %e f' mal set of issues are orgamzed into three operator perfonnance and to bound the evaluation issues categories corresponding to the three major classes of considered. Next, a human performance model(adapted operator activity. Within each class, an attempt is made from Reference 1) that enables a psychological descrip. to start with issues that examine the role of a single P18.8-7 W-Westinghouse

18. HUMAN FACTORS ENGINEERING Revision: 0 7 Effective: 06/26/92 e

M-MIS feature and then progress to studies that assess information about plant state through active manipulation the joint effect of multiple M-MIS features A second of the display system interface. Passive monitoring theme in defining the set ofissues is to start with studies refers to maintaining an awareness of plant state with that test the ability of the M-MIS to support operator mmimal (if any ) manipulation / navigation of the display performance on straightforward tasks and then to pro- system. It is analogous to the practice by operators in gressively test the ability of the M-MIS to support traditional control rooms of maintaining an awareness of operator performance in cognitively complex situations. changes in plant state from their desks in the control Rese issues are described in greater detail in room by observing subtle changes in equipment and Subsections 18.8.2.3.2.1 - 18.8.2.3.2.4: process status indicators on the control board. Tradi-tional control rooms provide a broad field of view of

• The M-MIS resources considered plant status indications. He AP600 control room, through the wall panel information station, provides a

• The human performance model used high resolution view of the plant at a different (higher) level of abstraction (such as, dynamic safety and pro-

• ne major classes of operator activities identified ductivity goal displays). Important status information and the cognitive processes that are involved in per- present in traditional main control rooms is provided in forming these activities some form in the AP600 main control room.

• How the M-MIS features are intended to support Dimensions of Task Complexity - ne following the cognitive processes involved in performing the factors contribute to the complexity of this activity:

operator activities identified (the model of macy plant indications are available at different levels of support), abstraction (such as equipment status, process status, function status and goal status); normal parameter values Subsection 18.8.2.3.2.5 presents a list of major vary with plant conditions; appropriate parame ws for evaluation issues that result from this process. determmmg plant status vary with plant conditions; some plant parameter values are difficult to determine 18.8.2.3.2.3.1 Detection and Monitoring: (such as, maccurate or unreliable sensors; long lags or Main Characteristics - unstable behavior); some expected plant parameter behavior is difficult to assess; relevant parameter information needs to be immediately available and to be his class of operator activities encompasses tho e which are concemed with obtaining information about called up; relevant data may be distributed across plant status. It includes the periodic active and passive individuals; and some goals and status of automated monitoring that operators do to determme current systems are difficult to observe. status and availability (such as, assessing plant status for power level, temperature, pressure, and systems avail- De following are potential types of human error: able); periodic monitoring needed to detect malfunctions or trends that are too small to activate an alarm; the

• Failure to detect / observe relevant plant parameter more proceduralized monitoring that accompanies shift values (an error of omission) turnover; and monitoring directed by queries about specific plant parameter values.

• Misreading relevant plant parameter values (an A distinction is made between actiw and passive error of commission) monitoring. Active monitoring refers to obtaining P18.8-8 Westingt10USS

1 1 . 18. HUMAN FACTORS ENGINEERING Revision: O s/, Effective: 06/26/92 E

• Failure to identify or misinterpreting plant state or

• Multiple fault accidents - these disturbances require implications of plant state identification of multiple faults that can maa each I other and/or require consideration of multiple  !

• Failure to identify goals and activities of other constraints (side-effects) in formulating recovery agents (person or machine) strategy.

l

• Failure to communicate to other personnel (for

• Severe accidents - these disturbances are more l example, during shift turnover) plant state or difficult in that they require additional personnel to system information (either an error of omission - diagnose and handle (that is, a need for coordina-not mentioning information, or an error of com- tion of multiple personnel and engineering exper-mission - mentioning incorrect information). tise) and they are not addressed by formnined procedures (therefore, a need for knowledge-based i 18.8.2.3.2.3.2 Interpretation and Planning: behavior).

Main Characteristics -- The M-MIS evaluation covers the types of distur-He interpretation and planning class of operator bances described above. Included are cases that involve activities encompasses those activities concerned with malfunctions in automated systems requiring the opera-situation assessment and response planning. %e focus tor to identify a need for manual override. is on situations that require responding to plant distur-bances. He emphasis in exploring this class of activi. Dimensions of Task Complexity - He following _,- ties is on identifying plant disturbances, assessing their factors contribute to the complexity of this activity: implications for plant functions and goals, and on multiple faults may produce large numbers of alarms, selecting / formulating a response plan. Hat is, the focus mahng the detection of a particular alarm difficult (due is on the cognitive activities underlying intention forma. to attention overload); evidence of plant disturbance may tion, rather than response execution. be missing or obscured (that is, masked or altered by While response execution is an important part of another fault); changes in plant state may make familiar handling emergencies, it is also central to controlling the cues inappropriate (such as, sensors may become unreli-plant during normal operation. Herefore, response able; sensor values may have different significance execution is covered as part of the controlling plant state under different plant conditions, for example, during clos of activities. severe accidents); multiple faults may place constraints In evaluating the extent to which the M-MIS on appropriate response plans (that is, the response plan supports operator intention formation during plant that is the most familiar or that is dictated by procedures disturbances, the range of plant disturbances that may may have undesirable side effects); multiple faults may arise is considered: create goal conflict situations requiring tradeoffs among competing goals; and information on the goals and status

• Small upsets - these disturbances do not lead to a of automated systems may be difficult to assess plant trip and can include disturbances that lead to alarm response procedures. The following are potential types of human error:

• Controllable upsets - these disturbances lead to a

• Failure to observe or recognize an abnormal plant Pl ant trip but are the result of a single malfunction state or system malfunction

' hat is recoverable using emergency procedures. 8.8-9 - T Westinghouse

18. HUMAN FACTORS ENGINEERING Revision: 0 g Effective: 06/26/92

• Failure to develop a correct system understanding A second distinction can be made between maneu-(perhaps due to a failure to correctly interpret the vers that can be performed by a single individual versus evidence) maneuvers that require the coordmation among multiple individuals and/or automatic systems. Manual plant

• Fixation errors (ignoring evidence that is inconsis- startup is an example of an activity that is both event-tent with the hypotheses that are being entertained) paced and requires coordination of multiple operators.

Automatic plant startup is an example of an activity that

• Overreliance on familiar cues or response plans is event-paced and requires supervisory control of (such as, taking stereotypical shortcuts in autonomous systems.

Rasmussen's model) He simplest case of control execution occurs when there is ample time, control actions are discrete (all-or-

• Missing negative side effects associated with a resp- -none actions such as tummg on a pump), control

onse plan; missing goal conflicts actions can occur in any order, little or no coordmation is required, and control actions have no side effects that j

• Making inappropriate goal tradeoffs. impact other plant processes or plant operability. Com-plications set in as this simplest case is altered: time ,

18.8.2.3.2.3.3 Control Plant State: Main becomes short; controls are used in a fixed order; ' Characteristics .. controls are at physically disparate locations; or control , actions are continuous and require small tuning adjust- l He controlling plant state class of activities is con. ments; there are lags between the time a control action cerned with makmg changes in plant state, including is taken and when an indicator reflects the change or tuning plant parameters; mahng changes in plant mode control actions require strict coordmation between (such as, startup, shutdown, intermediate power Operators or between an operator and an automated i changes), performing switch overs (from one Process source / train to another), performing surveillance tests, An important aspect of control execution is the need and taking systems out of operation (switching out or to obtain feedback from the system that the action has f i tagging out). For this class of activities, the emphasis been successfully executed. His feedback can occur at of the evaluation is on the planning and the execution of several levels. First, there is an indication from the responses, control itself that an action is taken. In the hard-wired A distinction can be made between operator-paced environment, a light changes state or a toggle switch (procedure-paced) control activities and event-paced changes position. With soft controls, the change may be more transient and less noticeable. Next, there must be (plant dynamics-paced) control activities. Operator-paced activities are activities where the rate at which a maneu. an effect on the parameter or display that is manipu-ver is performed is determined primarily by the opera. lated. Time lags may exist that make this detection tors performing the task. Event-paced control activities more difficult. Finally, the plant process or system that are activities where the rate at which a maneuver is the operator is intending to control shows a response to performed is primarily determined by the process the control action to close the feedback loop. dynamics of the event controlled (such as, maneuvers With supervisory control of automated systems, where the operator responds rapidly to keep up with fast there is a need to assess what goal the automated system changing processes dynamics or, conversely, maneuvers is attempting to achieve. Hat is, whether the automated with long lags that place a limit on operator perfor- 878'em is performing correctly or whether intervention inance rate or force the operator to work open-loop). is required and if so, what manual actions are taken. 1 P18.8-10 W-W85tirigt100Se , l l l l

18. HUMAN FACTORS ENGINEERING Revision: 0 . . . .

d Effective: 06/26/92 I Dimensions of Task Complexity - he following

• Failure to observe feedback of actions (that is, factors contribute to the complexity of this activity: monitor that the action was properly executed; monitor that the action had the desired effect on the

• Complex process dynamics (such as, rapid process plant parameter, plant process, and goal hierarchy) changes or long lags) may speed constraints on operators and/or require open-loop responses

• Failure to keep pace with process dynamics

• Plant parameter values may be missing or obscured

• Failure to coordmate and/or , communicate with (such as those due to inaccurate sensor readings or other crew members long process lags)

• Failure to monitor automated systems and take

• Actions of multiple operators may be interdepen- manual intervention when required, dent, requiring communication / coordination among multiple individuals (such as, assessing plant state, 18.8.2.3.2.4 Mapping of M-MIS Resources anticipating future plant state or preventing working to Operator Activities (Model at cross-purposes) of Support)

• Actions may have negative side effects requiring Subsections 18.8.2.3.2.3.1 through 18.8.2.3.2.3.3 assessment of preconditions before action is taken, describe three classes of operator activities that are and assessment of post-conditions and execution of supported by the M-MIS and the major cognitive additional actions after the original action is taken. processing stages that underlie these activities. %ese For exarrple, when tagging out a train or system, subsections identified the scope and boundaries of the the operator must be cogmrant of preconditions that tasks to la included in the evaluation of the M-MIS.

must be satisfied before the train or system is taken ney also identified the dunensions of task complexity out of operation, such as plan *. specification require- and human error. His foundation allows one to tie the ments for plant operability. He operator must als various M-MIS features to tasks. Har is, each M-MIS be cogmrant of post-conditions that result from feature is intended to support human performance in taking the system out of service, such as limits on simple and complex tasks and to reduce error. In this plant operation and constraints on which addi:ional section, links are drawn between the M-MIS features systems can be taken out of service and automated and the operator activities to show how the M-MIS systems may malfunction or fail to keep up with features support control room performance. %is process dynamicJ. supports the development of evaluation issues for testing those relationships. More specifically, the evaluation ne following are potential types of human error: issues link an activity, one or more M-MIS features, and a performance measure. %ese are discussed in

• Failure to check preconditions, anticipate side Subsection 18.8.2.4, Design Acceptance Criteria.

effects and post-conditions The mapping of AP600 M-MIS features to operator activities is accomplished by reviewing the rationale for a Failure of execution (that is, either an error of each M-MIS feature. An understandmg of each omission - not taking a required action, or an error feature's ratiocale provides a means for relating it to the of commission - taking the wrong action or taking human performance model, and through that model, to actions in wrong sequence) the operator activities. Because the design of the P18.8-11 v W W85tiflgh00S8

18. HUMAN FACTORS ENGINEERING Revision: 0 O Effective: 06/26/92 )

M-MIS features is not complete, there are limits on the Plant Communications System - He plant com-detail that can be assigned to the model at this time. munications system aids detection and monitoring by The following subsections capture the primary links linking crew members. Communication about current between the operator activities that are important for plant status and monitoring of the effects of control supporting the development of evaluation issues and the actions is facilitated by providing easy and direct M-MIS features. communication among crew members. He remammg major M-MIS features - hard-18.8.2.3.2.4.1 Detection and Monitoring wired and soft controls, the procedures, and the compact workstations - are not tied to supporting detection and Wall Panel Infonnation Station - He wall panel monitoring. information station provides high level information about the status of safety and availability goals, allowing 18.8.2.3.2.4.2 Interpretation and Planning operators to quickly identify violations. He wall panel information station also indicates plant operating mode Functionally Organized Alann Systan - he alarm and a set of plant parameters that are most important to system aids the operators in selecting appropriate views monitor for that plant mode. This aids operators in of the plant and appropriate procedures for mitigating monitoring by bringing together the most meaningful the abnormal event. The alarm system, therefore, data in a centra! location. focuses attention on the abnormalities that are the most useful in selecting a procedure or response strategy. Functionally Og;anized Alarm Systan - The value of ne alarm system reduces confusion by subordinating ~ the functionally orgammd alarm system for detection alarms that are misleading or secondary to the primary ~' and monitoring lies in focusing attention on the most disturbance. It also cues operators to multiple fault significant alarms. %erefore, data overload is reduced. situations and/or situations where multiple safety goals ne alarm system removes redundant or less meaningful are compromised. alarms from the set of alarms that are activated. Workstation Functional and Physical Displays - he Workstation Functional and Physical Displays - he functional and physical displays aid situation assessment overview or summary displays found on the compact and planning by encouraging operators to take a fune-workstation serve a role similar to that of the wall panel tional view of the plant that is tied to the physical view. information station. He functional and physical dis- he functional view makes explicit information about plays, on the other hand, support operators in monitor- the current goal, goal violations, processes required to ing plant data not found on the wall panel information satisfy the goal, and potential side effects. The intent is station or overview displays. He functional and physi- to provide a tool for plannmg activities that reduces the cal displays provide detailed information by allowing likelihood that the operator loses sight of the Inger access to any parameters through a network of displays picture when engaged in control activities, that can be obtained by the operator. Rese displays provide the best indication of data quality (such as failed Procedures - The procedures created for main control or unreliable sensors) and the most complete context for room operators formalize the set of appropriate control plant data by Imbng the physical views with the func- actions that are available to achieve safety and availabil-tional views. Rey also support the monitoring of ity goals. Rese are the set of actions operators should automated systems. take. The difficulties in using procedures is in selecting the most appropriate procedure and in periodically P18.8-12 3 Westinghouse ,

18. HUMAN FACTORS ENGINEERING Revision: O d Ef ?octive: 06/26/92 ~

~I e evaluating that it continues to be appropriate. He Wall Panel Infonnation Station - he wall panel procedures aid the operators in makmg these decisions. information station provides an overview of plant status to control room personnel in the main contml area, Wall Panel Infonnation Station - He wall panel including those with no access to a compact workstation. information station maintains a high-level view of safety he wall panel information station is the primary infor-and availability goals sa that operaton can assess how mation source for control room personnel that do not well the current response plan is achieving its intended have access to a workstation. purpose. He wall panel information station reflects significant changes in plant status that are tied to the Procedures - The procedures are the specific instruc-appropriateness of the procedure. His overview system tions for execution of the control activities. Rese are also lets crew members in the main contml area share clear and concise, avoiding confusion or underspeci-information about current goals and responses. fication of control actions or their criteria. He proce-dures also clearly indicate their intent so that operators Plant Communications System - Information that is can more easily determine whether the procedure is shared by crew member and that is not conveyed i~ he appropriate. wall panel information station is communicated vercall/ or through the communications system. Interpretation IIard-Wired and Soft Controls - he control devices and planning activities require substantial coordination clearly communicate to operators the available control that is facilitated by direct communication. actions. Aey also provide feedback to the operator %e remaming major M-MIS features - hard-wired indicating that a control action is successfully per-and soft controls and compact workstations - are not formed. For example, a control should pmvide a strongly tied to supporting interpretation and planning. visual, auditory, or tactual cue to indicate a change in setting. Operators should not become confused when 18.8.2.3.2.4.3 Controlling Plant State locating, selecting or executing a control action. He remammg major M-MIS resources (functbnally Compact Workstations - De compact workstations orgamzed alarm system and functional and physical provide a means for each operator to view the activities Pl ant displays) provide feedback about the success of of other operators involved in coordinated or related control actions. control activities. He value of this viewing is related to error detection, control action timing, and feedback 18.8.2.3.3.2 Evaluation Approach on the effects of multiple control actions. Because the compact workstations physically separate the operators, he second activity of test development is to define the workstations include mechanisms to .etain the the evaluation approach. For each testable hypothesis operators' abilities to coordinate their activities. and performance requirement, an evaluation approach is defined to guide the develop:nent of concept testing and Plant Communications System - Coordination performance testing evaluations. %e following factors functions that cannot be achieved through workstation are considered: mechanisms are dealt with through the communications system and the wall panel information sta:im. %e

• Dimensions of task performance to be addressed communications system provides a means for operators including types of scenarios and dimensions of task to coordinate control actions among themselves and with complexity personnel in other parts of the plant.

v WB5tiligt10US8

18. HUMAN FACTORS ENGINEERING Revision: 0

- Effective: 06/26/92

• Types of performance measures to be collected

• Evaluations of conformance to human factors including errors, response time and operator under- engineering design guidelines standing of plant condition

• Evaluations for validation of the integrated M-MIS.

• Evaluation method to be used including expert re- Each evaluation contains a description of the mejor view, walk-through, simulation, protocol analysis evaluation issue.

and decision tracing 18.8.2.3.5.1 Evaluations for Detection and

• Evaluation criteria including absolute and relative Monitoring measures of performance

%e purpose of evaluations in this subsection is to

• Implications of the results including selection of de- provide confidence that the design of the M-MIS sup-sign alternatives, clarification of performance is- ports the operators in maintaining an awareness of plant sues, refinement of functional requirements and condition. It includes periodic active and passive M-MIS design criteria. monitoring by operators to determine current status and availability of plant systems; periodic monitoring needed Subsection 18.8.2.3.5 provides descriptions of each to detect malfunctions or trends that are too small to evaluation of the verification and validation test plan. activate an alarm; the mon procedurahzed monitoring He factors that are considered during the definition of that accompanies shift tumover; and monitoring directed evaluation approach factors are addressed in Subsee- by queries about specific plant parameter values. Rese tion 18.8.2.3.5 under the headings of Approach, Experi- issues are relevant to individual operators as well as to mental Manipulations, Dependent Measures and Evalua- crews of operators.

tion Criteria, Implications of Results, and Performance %e following set of evaluations are designed to test Measures and Performance Criteria. the ability of the M-MIS to support four categories of detection and monitoring. Rese categories increaw in 18.8.2.3,5 Evaiuation Issues and complexity in terms of the level of detail of plant data Descriptions and the degree of interaction between operators. He first category, addressed in Evaluation 1, tests the Subsection 18.8.2.3.2 describes the process that is ability of a single operator to develop a high level used to identify the 17 major evaluation issues. %ese .mderstanding of plant condition from the wall panel issues are listed in Table 18.8.2-1, describing the information station and workstation without excessive process that is used to develop concept testing ar.t manipulation of the M-MIS to retrieve data. performance testing evaluations for each of these 27 %e second category, which is addressed in Evalua-major evaluation issues. tion 2, tests the ability of a smgle operator to use the his subsection provides a description of each cues provided by the wall panel information station to evaluation. He total of 17 evaluations are organized obtain more detailed plant data from the workstation. under five headings: This evaluation tests the coordination of data presenta-tion between the wall panel information station and the

• Evaluations for detection and monitoring workstation.

• Evaluations for interpretation and planning The third category, addressed in Evaluation 3, tests

• Evaluations for controlling plant state the ability of a single operator to obtain detailed plant data from the workstation based on a request from a P18.814 W W85tiligh00S8

18. HUMAN FACTORS ENGINEERING Revision: 0 . _ _ .

s Effective: 06/26/92 - a supervisor or a procedure. His evaluation tests the

• Do the wall panel information station and work-ability to use the navigation aids of the displays pre- station summary displays help reduce the likelihood sented on the workstation to find detailed data. of omitting critical information in plant state assess-The fourth category, addressed in Evaluation 4, merit?

tests the ability of operators to coordinate information to maintain crew awareness of plant condition. Three Approach situations are addressed: the informal transfer of information to a new person entering the control room, He wall panel information station and workstation 1 the formal transfer of information to a new crew enter- summary displays provide plant condition overview ing the control room during shift turnover, and the information to operators. He wall panel information  ; coordination of information among crew members station display presents a summary of plant condition via ' during ongoing detection and monitoring. a group-view display. He workstation contains detailed functional and physical presentations of plant condition. 1 18.8.2.3.5.1.1 Evaluation issue 1: He workstation summary displays are those displays that are presented by default on the workstation if the , Passive Monitoring of Wall Panelinfortnation Operator takes no action to choose another display. This Station and Workstation Displays verview information is used by the operators to ascer-tain plant state and current status of operating equip-Do the wall panel information station and the ment, to anticipate alarms and disturbances, to identify workstation summary and overview displays support the Pl ant systems or components that have become un- -- operator in maintaining an awareness of plant status and available for use and generally to stay "in touch" with system availability without needing to search actively the plant conditions. The wall panel information Station through the workstation displays? di8Pl ay and workstation summary displays must be complete, correct and well designed to depict an over- l Relevant M-MIS Resources: view of the plant. His is necessary to allow operators to maintain an awareness of plant status and system l

• Wall panel information station (plant parameter data availability. Ideally, operators can obtain this overview from a passive monitoring of these displays. Hat is, and alarm data) the operators should not have to select and browse

• Workstation summary displays end display navi- within a set of workstation displays.

gation features Concept Testing Specific Concertis: Hypothes.is

• Do the wall panel information station and the .

He wall panel infonnatiou station and workstation workstation summary displays present sufficient information about plant state and system availabil- summary displays provide operators with an accurate verall understanding of plant state and system availabil-ity? try.

• Do the overview displays eff:ctively call more attention to more important information7 P18.8-15

~& Wm Westinghouse ' 18. HUMAN FACTORS ENGINEERING Revision: 0 7 L Effective: 06/26/92 Experimental Manipulations well as characteristics that leads to confusion and errors by the subject. His eveluation includes reviews of the display con- He following objective measures are collected tent of the wall panel information station and default during the review and reconstruction tasks: workstation displays to determme whether they contain sufficient information to allow operators to assess

• Number of plant conditions correctly identified overall plant condition. Subjects are shown static views

• Correct identification of implications of plant of these displays and asked to infer the condition of the conditions plant. Rese reviews occur very early in the design

• Trme required to complete the task.

process with low fidelity test beds to refine functional requirements regarding the types of data and data format Rese measures provide performance baselines for that must be provided for various plant modes. comparing alternatives and for evaluating the benefits of Next, the effectiveness of these displays is evaluated display modifications, empirically. Subjects are shown overview displays for a brief period, and then the displays are removed. hnplications of Results Subjects are then be asked to describe current plant state and conditions as thoroughly as possible. Subjects are He purpose of this evaluation is to contribute to the asked to describe the implications of plant conditions development of functional requirements for the design of including potential future problems and parameters that overview displays for the wall panel information station are approaching alarm conditions. Following this " free and wor!. station. Reviews are used to assess and refine recall" session, subjects are asked to reconstruct, either functional requirements for information content. He verbally or with sketches the arrangement of plant data guidelines define the key plant parameters that are from the workstation and wall panel information station displayed during various plant states, the types of displays. Well-designed displays organize plant data in supporting information that is provided to support the meamngful groups that facilitate operator understanding operator information needs when a plant disturbance and recall. occurs. He display reconstruction task is used to identify display arrangements that support operator Dependent Measures and Evaluation Criteria understanding. ne display arrangements are used to develop general guidelines for grouping and highlighting his evaluation uses breadboard designs consisting data in the overview displays. of static drawings and computer-based rapid display pro-totypes. He evaluation investigates human factors Required Stage of Development of the M4US issues related to the ability of operators to extract summary-level infonnation about plant conditions from his test is conducted during the functional re-overview displays. During the display reconstruction quirements phase of the M-MIS design process. He task, evaluators observe which groups of plant data the M-MIS design is at a phase where the information subjects are able to recall easily and which they have content for wall panel information st. tion and work-difficulty recalhng. His leads to better understanding station default displays is identified through cognitive of effective data display formats. Protocol analysis and task analyses. Tests begin when early design concepts debriefings are used to identify characteristics of the are developed for display formats and continue through design concepts that support operer understanding as the refinement of these concepts. P18.8-16 T Westirigt10tise I

18. HUMAN FACTORS ENG!NEERING l

i Revision: 0 d Effective: 06/26/92 r l Minimum Test Bed Requirisnents: Validation

• Physical form: Test beds may be drawings or com- His test is a validation of the ability of trained puter-based rapid display prototypes. Displays have operators to assess plant state and condition based on the formats that are representative of altemative display wall panel information station and workstation default concepts for the plant M MIS. displays.

• Information content: Information developed for dis- Requirement: Prompt and accurate overall assessment plays is sufficient to assess plant conditions for a of plant state and condition measures.

number of normal, abnormal and emergency state *. Measures: Display contain realistic, meaningful values; not

• Successful identification of plant state and im-random values. He display parameters and values portant indications of plant condition do not have to be specific to the AP600

• Task completion time.

l

• Dynamics: Static displays are used. If rapid he criterion for this test is successful identification l display prototypes are used, display animation, such of the plant state and importat indications of plant as bHnking and flashing, may be used. condition. This test is developed for scenarios repm-senting normal, abnormal and emergency conditions.

Minimum Subject Characteristics Indications of plant condition that the operator is re- 1 ^ quired to identify are predefined for each scenario. l Subjects must include persmel who are familiar Criteria for task completion times are based on analyses l with important pressunzed water reactor plant operating of required operator response times that are derived parameters, including operator trainers, operators, and from plant dynamics for the specific test scenarios. knowledgeable engineers and designers. Experimental Manipulaticus Performance Testing Subjects are presented with displays that portray the Verification following plant states and conditions, including: l Design features of the hardware and displays are

• Normal states, plant maneuver in progress exammed and evaluated against functional requirements

• Normal states, with equipment indicated as un-using a checklist-type procedure. This evaluation available focuses on the functional requirements that are defined

• Normal states, with regular changes in actuation during the concept testing phase to support operator and termmation of automated systems assessment of plant state and condition. His assessment

• Normal states, with parameters trending toward is based on the wall panel information station and abnormal workstation default displays, including information

• Outage state, with equipment tag outs or tests in content and formattmg. His test is conducted with progress equipment that emulates production prototype hardware

• Abnormal states for the wall panel information station and workstation.

• Emergency states.

Deviatiras from the functional requimments are docu-mented and evaluated. l l l 1 l P18.8-17 l . ._ _ - W Westinghouse 1

18. HUMAN FACTORS ENGINEERING Revision: 0 N L Effective: 06/26/92 e 0 Required Stage of Development of the M-MIS Does the wall panel information station support the operator in getting more detail about plant status and His test is conducted after the designs of the wall system availability by directed search of the workstation panel information station displays and the default dis- displays?

plays of the workstation has been completed. Detailed workstation displays are not necessary for this test. Relevant M-MIS Resources: His test is conducted using a part-task simulator consisting of equipment that emulates the wall panel

• Wall panel information station information station and workstation hardware.

• Workstation displays and display navigation features Minimum Test Bed Requirements: Specific Concerns:

• Physical Form: He displays used in this test are

• How accurately and efficiently can operators, when representative of the plant display system in terms given a wall panel information station, cue for more of appearance, including display format, coding detailed monitoring, locate and select this informa-schemes, and use of windows. Hardware emulates tion from the workstation displays?

M-MIS equipment in the relevant characteristics in-cluding display size and resolution.

• What types of confusions are caused by the wall panel information station display when it indicates

• Information Content: %e information content of the need for active search of the workstation?

the displays is representative of actual AP600 dis-plays

• What types of navigation errors are made with the workstation displays?

• Dynamics: Static displays may be used. Due to the brief dumtion of the tasks, a dynamic simulation Approach l of the plant is not required. Display animation, such as blinking, is used. He wall panel information station and the workstation displays work together to support the Minimum Subject Characteristis (Validation) operator in actively obtaining a picture of plant condi-l tion. His active monitoring, or browsing, is driven by I Subjects are experienced operators who have a basic cues on the wall prnel information station that indicate understandingof the AP600controlrequirements. Hey a potential problem such as a plant parameter trending also have a familiarity with the organization and with toward an alarm condition. From this cue, the operator the presentation of data in the wall panel information navigates through the displays to locate more detailed l station and workstation displays. information about the status of a particular process or

parameter. (Operator response to plant alarms is ad-l 18.8.2.3.5.1.2 Evaluation issue 2

dressed by a set of experiments under evaluations for interpretation and planning, Subsection 18.8.2.3.5.2.)

l Directed Search for information Within the ne intent of this experiment is to test operators' Workstation Displays Based on Wall Panel ability to do this display navigation and selection efficiently with the AP600 display systems. Subjects are Information Station Displays given a plant state scenario that indicates the need for [ W65tiflgh0US0 I l \ , \ l l 18. HUMAN FACTORS ENGINEERING l Revision: O d Effective: 06/26/92 l more detailed menitoring. Hey are asked to use the Dependet Measures and Evaluatlon Criteria j workstation to find the functional or physical display (s) that are most useful for more detailed monitoring. His evaluation uses breadboard designs to inves-tigate human factors issues related to directed search Concept Testing through large sets of displays. Qualitative information is gathered through protocol analysis or debriefing Hypothesis discussions with the subjects. The intention is to identify characteristics of the design concepts that led to ne wall panel information station display and confusion, errors, and slow or awkward actions by the workstation display system support the operator in subject. l efficiently locatmg and selecting the display (s) that con-tain greater detail about plant parameters required for he following objective dependent measures are , maintaining awareness of plant state. also collected: l Experimental Manipulations

• How many displays are accessed before selecting l the correct display or displays?

His experiment addresses a majority of plant

• Which displays are selected and in what order (the conditions that require or cue the operator to obtain navigation path)?

additional information from the workstation displays.

• He degree to which the relevant information is

~ %ese conditions may include: located

• He success in returmng from search to a desig-

• Improvement or deterioration of power generation nated location goals as indicated by the wall panel information

• Time required to complete the task.

station Implications of Results

• Improvement or deterioration of plant safety as indicated by the wall panel inforntion station ne purpose of this evaluation is to contribute to the development of functional requirements for the design of

• Changes in the operating status of plant equipment display navigation aids that support the operator in such as activation / deactivation of automatically finding detailed information within the workstation. He controlled systems) as indicated by the wall panel qualitative information gathered through protocol analy-information station or other information sources in sis or debriefing discussions are analyzed to identify the main control room. design features that lead to confusion, errors, and slow or awkward actions by the subjects. Functional require-Expenmental manipulations address the full range ments are developed to address those design characteris-of M-MIS display devices (with the exception of alarms) ties that had significant effe-ts on the subjects' perfor-that cue operators to seek additional information about mance of the display navigation task, including display plant state. navigation aids that:

• Mform the operator via the wall panel information

• ation that detailed ir.fo.mation can be retrieved from the workstation s [ W85tiflgh00Se

l

18. HUMAN FACTORS ENGINEERING Revision: O O e Effective: 06/26/92 - l

l. i i

• Direct the operator via the wall panel information do not have to be realistic because the subjects are Station to relevant categories of information or required to retrieve but not interpret the data.

display space locations in the wall panelinformation station

• Dynandes: Static displays used. In some cases, display animation such as blinking and flashing may l

• Support the operator in scannmg through potential be used. He workstation display selection mecha-information fields and selecting the required data. nisms are operational.

Quantitative measures of the subjects' performance, Minimum Subject Characteristics such as number of displays accessed and task completion time, are used as baselines to compare alternative Subjects include designers, engineers, operator designs and evaluate performance benefits achieved trainers and operators. Subjects have familiarity with through subsequent refinements of design concepts. the operation of the wall panel information station and the workstation displays. Required Stage of Development of the M-MIS Performance Testing This test is conducted during the functional re-quirements phase of the M-MIS design process. He Verification M-MIS design is at a phase where design concepts exist for display formats, navigation aids, and display selec- Design features of the wall panelinformation station tion mechanisms. A set of detailed workstation displays and workstation displays and hardware are exammed are needed to provide meaningful display navigation and then evaluated against functional requirements using tasks. Prelimmary decisions regarding workstation a checklist-type procedure. His evaluation focuses on display system hardware are made prior to these evalua- the functional requirements that are defined during the tions. concept testing phase to facilitate directed search of the displays. His test is conducted with equipment that Minimum Test Bed Requirernents: emulates production prototype haniware for the worksta-tion. Deviations from the functional requirements are

• Physical Form: he displays are representative of documented and then evaluated.

the style of displays used in the AP600 M-MIS in terms of appearance, including display format and Validation use of windows. The workstation displays are computer-based. His test is a validation of the ability of trained operators to find and retrieve specific plant data in

• Information Content: Information developed for response to summary information about plant conditions displays is sufficient to generate a significant displayed via the wall panel information station.

number of workstation displays, since subjects have Requirement: Retrieval of detailed information to navigate through a substantial set of displays to from workstation displays after a cue from wall panel establish a fair test. The plant parameters presented information station measures on the displays do not have to be specific to the AP600. He values presented for plant parameters

• Number of displays accessed before retrieving correct display P18.8-20 W Westinghouse

I ! 1 1 1 l l . 18. HUMAN FACTORS ENGINEERING l l Revision: 0 l d Effective: 06/26/92 ~% l l I J l

• Success in accessing required information ment that emulates the wall panel information station  ;

j

• Task completion time and workstation hardware. Prototypes of the work-l station displays and wall panel information station ,

he criterion for information retrieval is that the displays are used. j required information be successfully retrieved. He  ! ! acceptance criterion is retrieval of information rather Minimtun Test Bed Requirements: l that displays because a given plant paramet r may be l presented on more than a single display. He criterion

• Physical form: ne displays used in this test are I for task completion time is defined by the control representative of the AP600 display system m terms response requirements for each of the specific test of appearance, incluQ display format, coding scenarios. Criteria for task completion times are based setemes and use of ut v Hardware emulates on analyses of plant dynamics for the specific test M-MIS equipment in the re:evant characteristics. in-scenarios. He criterion for number of displays ac- cluding display size and resolution and config-cessed is either a maximum number of displays or a uration of the display selection controls.

number of displays compared to the shortest possible display navigation path. Ri criterion is determined by

• Information content: he information content of the design of the workstation display navigation system individual displays is representative of AP600 and is defined upon the completion of the functional displays for actual plant conditions. A sufficient set

~' requirements for the workstation displays. of d'aplays is provided to generate realistic and representative display navigation tasks for the test ,, Experimental Manipulations scenarios. His test evaluates display n:.vigations of varying

• Dynamics: Static displays are used. Due to the i degrees of complexity for normal, off-normal and brief duration of the navigation tasks, a dynamic emergency conditions. This is accomplished by varying simulation of the plant is not be required. Display the operator's starting point in the display space, the animation, such as blinking is used. He work-type of data that is to be retrieved and the amount of station display selection mechanisms, such as menus time allowed for retrieval. He operstor's starting point and display selection buttons, are operational.

in the display space is defined using scenarios which Response time for display retrieval is accurately represent normal, abnormal, and emergency conditions. simulated. The complexity of the navigation task is a function of the location of the required information relative to the Minimum Subject Characteristics (Validation) startmg point. Acceptable limits for infortnation retriev-al time are defined for each scenario. Subjects are experienced operators who lave a basic ! understaedingof the AP600controlrequirements. Hey Required Stage of Development of the M-MIS also have familiarity with the operation of the work-station display system and the wall panel information l His test is conducted after the design of the station. l workstation hardware is completed, the workstation l display hierarchy is defined, and a major portion of the l workstation displays are developed. This test is con-ducted using a part-task simulator consisting of equip-

• • ~*'

. T westinghouse

18. HUMAN FACTORS ENGINEERING Revision: O 3

Effective: 06/26/92 18.8.2.3.5.1.3 Evaluation issue 3: Concept Testing Directed Search for Information Within the Hypothesis l Workstation Displays Based on a Request He workstation display system supports the opera-tor in efficiently determmmg the current value of plant Do the workstation displays support effi *ent Parameters and processes not represented in the default navigation to locate specific information? displays. Relevant M-MIS Resources: Experimental Manipulations

• Workstation displays and display navigation features . .

Mam.pulations mvolve the complexity of navigatm.g through the display system. In some cases, the required Specific Concerns: navigation is brief, and in other cases, the most complex navigation is required.

• How accurately and efficiently can operators, when given a specific request, locate and select the Dependent Measures and Evaluation Criteria correct workstation display?

his evaluation uses breadboard designs to inves-

• What types of navigation errors are made with the tigate human factors issues related to navigation through workstation displays?

large sets of displays Qualitative information is gath-cred through protocol analysis or debriefing discussions Appach with the subjects. The intention is to identify character-istics of the design concepts that led to confusion, ne workstation fanctional and pbysical displays are err rs, and slow or awkward actions by the subject. intended to support the operator in searching for specific He f 11 wing bjective dependent measures are parameter values and other indicators of plant status that als conected: are not part of the default displays. His is the case of directed search of the works'.ation displays. In many .

• How many displays are accessed before selecting cases, this search is directed by a request from a the correct display or displays?

supervisor or other technical staff or by a procedure. ,

• Which displays are selected and in what order (the From this request, the operator navigates through the navigation path)?

displays to determme the status of the requested process ,

• Re degree to which the relevant informat,on i is or parameter. His directed search rtust be efficient and not detract from other duties. De intent of this experi-I ated

• The success in returmng from search to a des,ig-ment is to test operators' ability to do this display nated location navigation and selection task efficiently with the work-

• Time required to complete the task.

station display system. Subjects an given a parameter or process name and asked to use the workstation displays to determine the current value and then return IInPlications of Results to the display from which they began. He purpose of this evaluation is to contribute to the development of functional requirements for the design of P18.8-22 W Westinghouse l l

18. HUMAN FACTORS ENGINEERING Revision: O s Effective: 06/26/92 ~"

display navigation aids for the workstation displays parameters presented on the displays do not have to including display hierarchy / network structure, menu be specific to the AP600 or realistic; or design, cross-references between displays, audit trails of display navigation paths, display space ' landmarks" and

• Dynamics: Static displays are used. In some orientation aids, content overlap of related displays, and cases, display ammation, such as blinking and user interface mechanisms for display selection. flashing, may be used. He workstation display he qualitative information gathered through proto- selection mechanisms are operational, col analysis or debriefing discussions is analyzed to ,

identify design features that lead to confusion, errors, Minimum Subject Characteristics ) and slow or awkward actions by the subjects. Function-al requirements are developed te address those design Subjects include designers, engineers, operator characteristics that have significant effects on the trainers and operators. Subjects have familiarity with subjects' performance of the display navigation task. the operation of the workstation displays. The quantitative measures of the subjects' perfor-mance are used as baselines to compare altemative Performance Testing designs and evaluate performance benefits achieved through subsequent refinements of design concepts. Verification Required Stage of Development of the M-MIS Design features of the hardware and displays are exammed and then evaluated against functional require- ~, his test is conducted during the functional re- ments using a checklist-type procedure. This evaluation quirements phase of the M-MIS design process %e focuses on the functional requirements that are defined M-MIS design is at a phase where design concepts exist during the concept testing phase to facilitate directed for display formats, navigation aids, and display selec- search of the displays. His test is conducted with tion mechanisms. Prelimmary decisions regarding equipment that emulates production prototype hardware display system bm! ware is made prior to conducting for the workstation. Deviations from the functional this evaluation. requirements are documented and evaluated. Minimum Test Bed Requirements: Validation

• Physical form: he displays are representative of His test is a validation of the ability of trained the style of displays used in the AP600 M-MIS in operators to find and retrieve specific plant data in terms of appearance, including display format and response to a request or plant procedures in response to use of windows. He workstation displays are plant conditions.

computer-based. Requirement: Retrieval of requested information in

• Infonnation content: Information developed for response to plant conditions.

displays is sufficient to generate a significant Measures number of workstation displays, since subjects must

• Number of displays accessed before retrieving navigate through a substantial set of displays to correct display establish a fair test of the display system. He plant

• Success in accessing required information

• Task completion time.

P18.8-23 W-Westinghouse i 1

18. HUMAN FACTORS ENGINEERING Revision: 0 _\

Effective: 06/26/92 .' l The criterion for information retrieval is that the of appearance including display format, coding required information is successfully retrieved. He schemes, and use of windows. Hardware emulates criteria for task completion time are defined by the M-MIS equipment in the relevani characteristics in-i control response requirements for each of the specific cluding display size and resolution and config- , I test scenarios. Criteria for task completion times are uration of the display selection controls. l l based on analyses of plant dynamics for the specific test l scenarios. %e criterion for number of displays ac-

• Information content: ne information content of cessed is either a maximum number of displays or the individual displays is representative of actual plant number of displays compared to the shortest possible displays. A sufficient set of displays are provided display navigation path. His criterion is determined to to generate realistic and representative display some degree by the design of the workstation display navigation tasks.

navigation systems.

• Dynamics: Static displays are used. Due to the Experimental Manipulations brief duration of the navigation tasks, a dynamic simulation of the plant is no' required. Display This test evaluates display navigations of varying ammation such as blinking is used. %e work-degrees of complexity for normal, off-normal, and station display selection mechas i ms, such as menus l emergency conditions. His is accomplished by varying and display selection buttons are operational.

i the operator's starting point in the display space, the Responw time for display retrieval is accurately l type of data that is to be retrieved and the amount of simulated. time allowed for retrieval. He operator's starting point in the display space is defined using scenarios which Minimum Subject Characteristics (Validation) represent normal, off-normal, and emergency condi-tions. He complexity of the navigation task is a Subjects are experienced operators who have ? basic function of the location of the required information understanding of the AP600 control requirements. %ey relative to the starting point. Acceptzble limits for also have famiharity with the operation of the work-information ttrieval time are defined for each scenario. station display system. Required Stage of Development of the M-MIS 18.8.2.3.5.1.4 Evaluation issue 4: 1 nis test is conducted after the design of the Maintaining Crew Awareness of Plant Condi- l workstation hardware is completed, the workstation tion display hierarchy is defined and a major portion of the workstation displays is developed. His test is conduct- Do the M-MIS features effectively support crew l ed using a part-task simulator consisting of equipment awareness of plant condition? I that emulates the workstation hardware and prototypes of the AP600 displays. Relevant M-MIS Resources: l l Minimum Test Bed Requirements:

• Main control room layout

• Compact workstations

• Physical form: %e displays used in this test are . Wall panel information station representative of the AP600 display system in terans

• Workstation displays t

P18.8-24 W Westingh00Se

18. HUMAN FACTORS ENGINEERING 3 Revision: 0 V Effective: 06/26/92 l

h ,

• Procedures: Paper-based and computer-based

• Identifying parameters that are relevant to other operating and administrative crew members

• Logs

• Checking that those parameters that are relevant to other crew members are being addressed.

Specific Concerns: In this evaluation subjects cany out the activities Does the M-MIS support the operating crew in associated with a new person entering the main control maintaining arvareness of plant conditions and their room, shift turnover and ongoing detection and moni- , implications? toring using defined plant scenarios. A part-task simula-tor is used during concept testing and a near full-scope, Does the M-MIS support the crew in mainemining high-fidelity simulator is used during performance awareness of each others' actions, intents and testing. l I information needs? Concept Te. sting j

• Does the M-MIS support effective and efficient shift turnover? Hypothesis

• Does the M-MIS support new personnel entering The M-MIS supports the crew in maintaining the main control room to develop an awareness of awareness of the plant condition.

^ plant conditions and their implications? y Expmmental Manipulations Approach Tests are conducted for normal, abnormal, and This evaluation addresses three situations for crew emergency plant states using defined scenarios. Plant awareness: conditions include:

• Orientation of a new person entering the main

• Normal states, plant maneuver in progress control room

• Normal states, with certam equipment indicated as

• Shift turnover unavailable

• Ongoing detectio and monitori g by the crew.

• Normal states, with regular changes in actuation and termmation of automated systems Ongoing detection and monitoring by the crew re-

• Normal states, with parameters trending toward quires that the crew members maintain awareness of abnormal plant conditions and the implications of these conditions

• Outage state, for tag outs or tests in progress to operational goals. It also requires that crew members

• Abnormal states be aware of information that is relevant to other opera-

• Emergency states.

tors' responsibilities. The design of the M-MIS sup-ports each operator in: Subjects walk through these scmarios using a test bed that consists of static displays and mockups of the e Detecting and monitoring parameters relevant to his workstation consoles and the wall panel information own task station. Altemative design concepts are tested for displays, workstation console, wall panel informadon l l i i P18.8-25 t . W Westinghouse l l l l

18. HUMAN FACTORS ENGINEERING Revision: 0 '

Effactive: 06/26/92 station and the relative position of these components in

• Identification of plant parameters that are relevant the main control area. Factors that affect crew aware- to one's own responsibilities ness include:

• Identification of plant parameters that are relevant to the responsibilities of other crew members.

• Display content and format

• Operator's view of the wall panel information Implications of Results station

• Operator's view of other operators and their work- The primary purpose of this evaluation is to contrib-stations ute to the development of functional requirements for:

• Operator's abili+y to communicate data verbally

• Operator's ability to communicate data by other

• He design of the workstation and wall panel mee.ns. information station displays

• Re design and layout of the workstation consoles Arrangements of workstation consoles and the wall and the wall panel information station.

panel information station may affect the operators' ability to view the wall panel information station, other Functional requirements related to the design of the operaton and their workstations and to communicate workstation and wall panel information station displays verbally. He effect of these arrangements on crew address the orgamration and format of plant data for awareness of the plant are evaluated. He effect of w pting crew awareness of plant condition. R ese alternative display concepts on crew awareness of the functional requirements address the design of the sum-plant is also evaluated. mary and default displays and the presentation order of the data for shift turnover. Functianal requirements Dependent Measure and Evaluation Criteria related to the design and layout of the workstation consoles and the wall panel information station address Qualitative information is gathered using protocol design characteristics that support the communication of analysis or debriefing discussions with the subjects. He information. %ese functional requirements address , l intent is to identify characteristics of the design concepts operator headphones to facilitate communication, design that lead to confusion, errors, and slow or awkward use. of workstation consoles to support use by two cc more in addition, subjects assess plant conditions at the end cf people and mechanisms for coordinating views of the each trial to evaluate their degree of understanding of data among operators. plant condition. His evaluation also contributes to the development he following additional measures are collected for of functional requirements for the operating and admm-the tests of shift turnover: istrative procedures and logs that contribute to coordi-nating information among crew members.

• Time to complete shift turnover

• Number of required plant parameters addressed Required Stage of Development of the M-MIS

• Number and types of omission errors made

• Accuracy errors made in reviewing plant parame- His test is conducted during the functional require-ters. ments phase of the M-MIS design process. He M-hBS design is at a phase where design concepts exist for The following additional measures are collected for display formats and content, workstation console design, ongoing detection and monitoring: wall panel information station design and main control P18.8-26 W Westinghouse

s 18. HUMAN FACTORS ENGINEERING ) Revision: 0 V Effective: 06/26/92 , [ room layout. Pnlimmary decisions regarding display with equipment that emulates production prototype system hardware are made prior to conducting this hardware for the workstation. Deviations from the evaluation. functional requirements are documented and then evaluated. Minimum Test Bed Requirenents: Validation

• Physical form: he displays are representative of the style of displays used in the plant M-MIS in This test is a validation of the ability of a crew of terms of appearance, including display format and trained operators to coorrhnsta information to maintain use of windows. He workstation displays are plant awareness:

computer-based. Requirement: Crew awareness of plant condition

• Information content: Information developed for Measures:

displays needs to be sufficient to generate a sig-

• Operator assessment of plant conditions relevant nificant namber of workstation displays. The plant to own responsibilities parameters presented on the displays do not have to

• Operator assessment of plant conditions relevant be specific to the AP600 he values presented for to others' responsibilities.

plant parameters must be rdistic. Requisement: Effective and efficient shift tumover ^

• Dynamics: A dynamic simulation of plant behavior Measures is not required. Static displays are used. Fo tests

• Shift tumoux completion time of ongoing plant monitoring a series of static

• Review of required plant parameters displays may be used. Display ammation such as

• Operator assessment of plant condition.

blinking and flashing may be used. The work-station display selection mechanisms is operational. Requirement: New person awareness of plant condition Measures: Minimum Subject Characteristics

• Time to review wall panel information station and workstation displays Subjects can include designers, engineers, operator

• Operator assessment of plant condition.

trainers and operators. Subjects have familiarity with the operation of the workstation functional and physical Performance testing is conducted in a near full-displays. scope, high-fidelity simulator. He criterion for shift turnover is the review of the required plant parameters. Performance Testing he criteria for completion time is determined from a review of operator tasks. Shift tun over should not Vecification interfere with other operational activi t.es. Following each shift turnover exercise, operators are to complete Design features of the hardware and displays are a written test to evaluate their understanding of relevant exammed and then evaluated against functional require- plant conditions and the implications to operational ments using a checklist-type procedure. His evaluation goals. The performance criteria are the proper identifi-focuses on the functional requirements that are defined cation of important plant conditions and the implica-during the concept testing phase. His test is conducted tions. ,, Westingt10USB

18. HUMAN FACTORS ENGINEERING Revision: 0 'D Effective: 06/26/92 d The performance tests related to ongoing detection Emergency conditions include design-basis events.

and monitoring are not conducted within plant events Tests are conducted with the recommended staffing of specifically designed to address this activity. Instead, crew members in a near full-scope, high-fidelity simula-acceptance testing is conducted during simulated plant tor. events that are designed to address a larger range of crew coordination issues such as Evaluations 9 and 15. Required Stage of Development of the M-hnS: nese events include situations that require operators to consider each other's information needs and share he M-MIS design and integration is complete and information. Acceptance is based on the crew's ability fully implemented with a dynamic plant simulation. to respond appropriately to the simulated plant event. Crew awareness of plant condition and coordination of Minimum Test Bed Requirements: information is assessed through protocol analysis of operator actions and communication. Time require-

• High fidelity with dynamic plant simulation ments are determined by plant dynamics for each event.

Operator assessment of plant conditions is demonstrated Minimum Subject Characteristics (Validation) by the crew's ability to identify relevant plant conditions and respond appropriately. Subjects are experienced operators who have a ne performance tests also address a new person suitable understanding of the AP600 control require-entering the main control room, such as sn additional ments. Prior to this test they are trained in the use of operator or a shift technical advisor. He acceptance is the M-MIS including the organization and operation of ' based on the person's ability to develop an appropriate displays, procedures, and controls. understanding of plant condition in sufficient time to respond to the simulated plant event. 18.8.2.3.5.2 Evaluations forInterpretation Experimental Manipulatiors ne purpose of evaluations in this section is to Test scenarios create situations in which a wide provide confidence that the design of M-MIS supports range of plant information is needed by the operators situation assessment and response planning. He focus and substantial communication of information is nec- is on situations that require responding to plant distur-essary to address plant condition. Test scenarios bances and significant plant accidents. While rapond-address the following types of conditions: ing to plant disturbances covers the stages of cognitive processes, the emphasis of this set of evaluations is on

• Normal states, plant maneuver in progress identifying plant disturbances, assessing their implica-

• Normal states, with certain equipment indicated as t6ns for plant functions and goals, and selecting, unavailable emating, and, if necessary adapting, a recovery Normal states, with regular changes in actuation prredure.

and termmation of automated systems The following set of evaluations are designed to test Normal states, with parameters trending toward whether the M-MIS features, singly and in combination, abnormal support operator response to single fault, multiple fault,

• Outage state, for tag outs or tests in progress and severe accident events. ney test the ability of the

• Abnormal states M-h0S to support both rule-based and knowledge-based

• Emergency conditions. performance, including supervisory control of automated P18.8-28 W W8Stingt10USB

1 1

18. HUMAN FACTORS ENGINEERING Revision: 0 d Effective: 06/26/92 e

l l systems during emergencies. In addition they address Relevant M-MIS Resources: the ability of the M-MIS to support crew problem solving and coordination during plant t'isturbances.

• Overview alarm system l

Evaluation issues are the following:

• Alarm support displays Evaluation Issue 5: Does the alarm system convey Specific Concerns:

information in a way that enhances opvator awareness and understanding of plant conditions?

• Does the alarm system overview organize alarm messages in a way that facilitates the operator's Evaluation Issue 6: Does the physical and functional understanding of the alarmed state and its implica-organization of plant information on the workstatior, tions for the plant operational goals?

displays enhance diagnosis of plant condition and the planning / selection of recovery paths?

• Does the presentation format, including salience coding, enable rapid detection and interpretation of Evaluation Issue 7: Does the integration of alarms, alarm messages?

wall panel information station, workstation and proce-dures support the operator in responding to single-fault

• Does the alarm system prioritization scheme facili-events? tate the operator's understanding of the relative importance of alarm conditions?

Evaluation Issue 8: Does the integration of alarms, ~ wall paael information station, workstation and proce-

• Does the alarm syste.n enable operators to identify dures support the operator in interpretation and planning and interpret the implications of lower priority during multiple-fault events? alarms?

Evaluation Issue 9: Does the integration of alarms, Approach wall panel information station, workstation and proce-dures support the crew in interpretation and planning 'Ibe assumption of this experiment is that a well-during multiple-fault events? structured alarm system presents the most important alarm messages and orgamzes alarms in a way that is Evaluation Issue 10: Does the integration of alarms, meamngful to the operator. Redundant and less im-wall panel information station, workstation and proce- portant messages do not appear. Subjects are able to dures support the crew in interpretation and planning perceive the alarm messages in patterns related to types during severe accidents? of plant faults, recognize high-priority goal violations and are aware of the number and general content of 18.8.2.3.5.2.1 Evaluation issue 5: lower priority alarms. A time-step sequence of alarm patterns correspond-Detecting and Understanding Disturbances ing to an evolution of an accident scenario is presented Using Alarms to a subject. The subject is asked to indicate the alarm messages that are presented, and their priority for resp use (from most to least important). The subject is Does the alarm system convey information in a way aho asked to describe the implications of the alarms to that enhances operator awareness and understanding of plan safety and productivity goals and any causal plant condition? P18.8-29 a W Westinghouse I

18. HUMAN FACTORS ENGINEERING

=. _ Revision: 0 7 i MN Effective: 06/26/92 interrelationship among alarms. Next, the subject is Dependent Measures and Evaluation Criteria asked to identify other alarm conditions that may have existed but were not displayed because they were not his evaluation uses breadboard designs to inves-shown by the prioritization scheme. %en the display of tigate the effectiveness of the alarm orgamzation and lower priority alarms is presented, and the subject is prioritization scheme in supporting operators in identi-l asked to describe the implications of these alarms. fying alarms, prioritizing them, and assessing their implications. He intentionis to identify characteristics Concept Testing of the design concepts that lead to confusion, missed I alarms, misinterpretation of alarm messages, misinter. Hypothesis pretation of interrelation among alarms, or incorrect /- l incomplete understanding of alarm priorities. He alarm system supports identification and his is assessed through objective performance prioritization of alarm messages. measures as well as the participant's subjective assess-ment obtained during debriefing interviews. Experimental Manipulations he following objective dependent measures are collected: l In the concept testing phase, the alarm pattem for l each time step is presented for a fixed length of time

• Number of alarms correctly identified and then removed. He premise is that if the alarm system is well orgamnd, it results in meamngful alarm a Subject's assessment of alarm priorities compared l pattems. An individual rapidly identifies the alarms to the priorities that are assigned during the devel-l present and recalls them once they are removed. opment of the test scenario.

Underlying plant upsets vary in severity from single malfunction events to multiple failure events. Alarm

• He extent to which the implications of the alarms messages vary in number and level of abstraction (such for present and future plant state are correctly as, from equipment state to goal state). Upsets include: assessed

• Cases where a single fault leads to a cascade of * %e extent to which the causal inter-relation among alarms, where the objective is to determine whether alarms is recogned i

the subject can correctly assess the interrelation l between the original fault and the consequent

• He ability to infer lower priority alarms l disturbances l

• %e ability to interpret displayed and lower priority

• Multiple fault cases, where the objective is to alarms.

determme the ability of the object to identify, prioritize, and track the implications of multiple Implications of Resuhs i functionally unrelated alarms he purpose of this evaluation is to contribute to the l

• Cases where lower priority alarm queues of varying development of functional requirements for the alarm l

l types and number exist. system. Quantitative measures (such as the number of alarm messages identified and successful identid.:ation of alarm implications) are used to evaluate and refine 1 P18.8-30 gg g l l 1

18. HUMAN FACTORS ENGINEERW.i Revision: 0 V Effective: 06/26/92 = -

( alarm organi7stion and prioritization concepts. Issues io may be used. A dynamic plant simulation is not include organintion of alarms, number of slots available needed to drive the alarm system. e in parallel for alarm messages, alarm prioritization mies used and meamng of alarm messages. Participants' Minimum Subject Characteristics comments regarding lower priority alarm messages are used to assess the alarm prioritization schemes. For Subjects can include designers, engineers, operator example, if operators indicate that the lower priority trainers and operators. Subjects have familiarity with alarms contain important information, which needs to be the alarm system concept, more available, then the alarm prioritization scheme may be revised. Qualitative results (such as, comments Perfonnance Testing regarding salience coding, alarm message format and lower priority alarm queue format) are also used to Verification refine display format functional requirements. Design features of the hardware and alarm system Required Stage of Development of the M-MIS organintion, message content, and application of prioritization are verified against the functional require-his test is conducted during the functional re- ments defined during the concept testing pl.a.<e using a quirements phase of the M-MIS design process. He checklist-type procedure. Functional requirements M-MIS design is at a phase where preliminary design related to alarm organintion, prioritization, and mes-concepts, with respect to alarm system organization and sage content and format are verified. His test is con-alarm priority rules, exist. ducted with equipment that emulates are alarm system. Deviations from the functional requirements are docu. Minimum Test Bed Requiranents: mented and then evaluated.

• Physical form: The alarm display test bed accurate- Validation ly reflects the spatial organization of alarm messag-es, message wording and alarm prio-itization rules. His test is to validate that the alarm rystem sup-he alarm display may be presented on cathode ray ports identification and prioritization of alarm messages.

tubes (CRTs), plasma panels or on paper. , Requirement: Prompt and correct interpretation of

• Information content: The information content is alarm messages essential for evaluating the usefulness of the alarm Measures messages and prioritization schemes. Only a subset

• Operator report of alarms and implications of the alarm mess.ges are required for this test to

• Operator report of existence of lower priority be perfotmed. However, a complete set of alarm alarms and their nature messages must exist for each plant upset condition tested. The information content need not be from Concept testing of the alarm system leads to a the AP600, but representative of the AP600. specification of the types of conclusions with respect to plant status and implications for safety goals that an

• Dynamics: A series of static displays correspond- operator reaches based solely on the alarm system. He ing to discrete time steps during an accident scenar- criterion is the ability of operators to draw these conclu-sions.

P18.8-31 W Westinghouse i i i l 18. HUMAN FACTORS ENGINEERING Revision: O Effective: 06/26/92 - For each scenario used in the validation study, a Minimum Subject Characteristics (Validation) description is created specifying what interpretation and l implication of alarms an operator should make without Subjects are experienced operators who have a basic ( the need for procedural guidance. Operator interpreta- understanding of the AP600 control requirements. Rey l tion and implication of alarms r e compared against this also have familiarity with the operation of the alarm sys-l description. He criterion is the correct interpretation of fem. alarms and their implications. 18.8.2.3.5.2.2 Evaluation issue 6: Experimental Manipulations interpretation and Planning using Workstation j In the validation study, the emphasis is on the displays l ability of operators to identify and interpret patterns of alarms. Alarms activate and are replaced by higher Does the physical and functional organization of pnonty alarms at the pace that would occur in an actual plant infennation on the workstation displays enhance l plant event. He types of plant upsets presented are the interpretation of plant condition and the planning / same as used in the concept testmg phase. selection of recovery paths? l Required Stage of Development of the M41IS Relevant M-MIS Resources: l His test is conducted after the design of the alarm

• Phywcal and functiond displays of operator work-system hardware is completed and the alarm orgamza- station tion and prioritization scheme is developed for the entire plant scope.

Specific Concerns: l Minimum Test Bed Requirements: . Do the functional displays support the operator in i assessing goal satisfaction? l . Physical form: His test is conducted with equip-ment that emulates production prototype hardware . Do the functional displays support the operator in for the alarm system. The visual format and assessing whether currently active processes are auditory alarm cues are representative of the AP600 performing correctly? alarm system.

• Do the functional displays support the operator in l

• Information content: The actual AP600 alarm assessing whether automated systems are perform-messages for the test scenarios are used ing correctly?

• Dynamics: He alarm system displays dynamic

• Are the implications of plant state for operational

, characteristics relative to the onset and offset of goals effectively conveyed via functional displays? l alarm messages over time. He alarm system need not be driven by a dynamic plant simulation.

• Do the displays support the operator in identifying the plant condition that caused an alarm 7 P18.8-32 W-W85tingt10!!Se I

l l l 1 1 I l

18. HUMAN FACTORS ENGINEERING I Revision: O d Effective: 06/26/92 M i l

• Do the displays support the operator in understand- Initial plant conditions are described to the subject.

ing inter-relations among systems and processes? He subject is then presented with an alarm message, either verbally or via a static dispisy. %e subject is )

• Do the displays support operator understanding of then taken through a series of discrete time steps inter-relation among observed disturbances due to through the evolving plant upset. At each time step the process interactions 7 subject accesses physical and functiorel displays to answer a set of questions about plant state and its

• Do the displays support the operator in assessing implications.

validity of data? Concept Testing

• Is equipment status effectively conveyed via the physical displays? Hypothesis

• Do the functional displays support the operator in he functional and physical displays support the assessing the availability of alternative processes for operator in interpreting plant state and picnning recovery achieving a given goal (success path monitoring)? action.

• Do the functional displays support the operator in Experimental Manipulations makmg choices among alternative processes (suc-m cess path choice)? Underlying plant upsets vary in sever from 1 single-fault events for which diagnosis and pL aing is

• Do the displays support the operator in assessing straightforward, to multiple fault events for which the effect of the selected recovery path on other diagnosis and recovery planning is complex.

plant goals (side effects)? Upsets involving complex diagnosis include multiple failure mode accidents in which important plant indica-

• Are operators able to effectively coordinate physical tions are disguised or obscured. Upsets involving and functional displays? complex recovery path planning require monitoring of side effects to evaluate undesirable effects on other parts l

Approach: of the plant (conflicting goals). Cases include sensor ' failures and invalid data, as well as automated system i De purpose of this evaluation is to determine failures that require decisions regarding manual inter-whether operators can efficiently extract nccessary vention. Alternative display concepts are tested and information from the physical and functional displays of compared the operator workstation. An individual is asked to interpret, track, and indicate a response strategy for an Dependent Measures and Evaluation Criteria evolving plant upset by erammmg workstation displays. In the concept testing phase, the displays are static Als evaluation uses breadboard designs to inves-representations that correspond to discrete time steps tigate the ability of the physical and functional displays through the evolving upset. In the validation testing, to support interpretation and planning. Qualitative dynamic displays are used. A set of probe questions is information is gathered thmugh protocol snalysis of used to test the ability of subjects to extract information participants comments during the test ud debriefing from the displays. interviews following the test. Responses to questions 8

• W Westinghouse

l l l

18. HUMAN FACTORS ENGINEERING A

'_ Revision: 0 Effective: 06126/92 about the plant state and status of operational goals are as missing side erfects). nese are used to test and also evaluated, revise the functional requirement = for the display ne subject is specifically asked to indicate: system.

• Existing plant disturbances Required Stage of Development of the M-MIS

• Causes and interrelations among these disturbances

• Consequences of these disturbances for plant opera- nis test is conducted during the functional re-tional goals quirements phase of the M-MIS design process. ne

• Alternative processes available to achieve plant M-MIS design at this point is at a phase where prelimi-operational goals nary designs for content and layout of the functional and

• Status of automated systems and whether manual physical displays are available.

intervention is required

• Competing goals that need to be satisfied (such as, Minimum Test Bed Requimnents:

side effects)

• Appropriate recovery actions that must be taken.

• Physical form: He plant displays are generated on a CRT screen using rapid display prototyping He subject's responses are compared to a prede- software. Some animation is displayed. However, fined set of correct responses. other static media, such as color drawings, could be used. Display representations convey display Implications of Results design features such as salience coding and group-ing of data.

He purpose of this evaluation is to contribute to the development of functional requirements for the work-

• Information content: Displays for the plant fune-station functional and physical displays. He philosophy tions and systems that are relevant to the plant behind the functional and physical display system is upsets used in the study need to be prepared. For based on Rasmussen's abstraction hierarchy. A major the issues being tested, the displays need not be goal of the display system is to support functional AP600 specific.

reasomng and knowledge-based decision malmg. He objective is to reduce errors such as fixation effects, in

• Dynamics: Because plant upsets are presented as a which operators concentrate on one set of symptoms to series of discrete time-steps, a near full-scale simu-the exclusion of other more relevant symptoms; ar;d lation of plant dynamics is not required.

missing side effects, in which operators fail to notice that their chosen recovery strategy may have negative Minimum Subject Characteristics consequences for other plant systems. A primary focus of the concept testing is to provide feedback on the Subjects can include designers, engineers operator effectiveness of the display system in fostering a broad trainers and operators. Subjects have familiarity with view and supporting knowledge-based reasoning. the operation of the workstation functional and physical Specific attention is paid to cases where operators make displays. errors in plant state assessment (such as fixation errors); cases where operators fail to understand the status of antamat~i system and/or anticipate automatic system j action; and cases where they make plamdng errors (such 1 i P18.8C g_ Westinghouse l 1 ,, 18. HUMAN FACTORS ENGINEERING , Revision: O d Effective: 06/26/92 2 l ummmmmmmmmmmmen IE l Performance Tesing guidance. Operator performance is compared against this description. He performance criterion is the Verification correct response. He task completion time is deter-mined at a later point as discussed previously in Sec-He AP600 functional and physical displays are tion 18.8. verified against the functional requirements defined l during the concept testing phase using a checklist Experimental Manipulations procedure. Functional requirements relate to content and layout of information on the displays. His test is he types of plant upsets presented are the same as conducted with equipment that emulates production in the concept testing phase. prototype hardware for the workstation. Deviations from the functional requirements are documented and Required Stage of Development of the M-MIS l then evaluated. l This test is conducted after the design of the Validation workstation hardware is completed and the functional his test is to validate that the functional and physical displays support interpretation and planning. Minimum Test Bed Requirements: , 1 l Requirement: Prompt and concet identification of plant

• Physical form: This test is conducted with equip- l state ment that emulates production prototype hardware

~ Measures: for the workstation. l

• Identification of process disturbances '

• Task completion time

• Information content: He AP600 functional and physical displays are used.

l Requirement: Prompt and correct determination of fault i I implications

• Dynamics: %e display system exhibits dynamic Measures ammation but need not be driven by a dynamic

• Assessment of potential consequences to opera- plant simulation.

tional goals

• Task completion time Minimum Subject Characteristics (Validation)

Requirement: Prompt and correct determmation of Subjects are experienced operators who have a basic response plan understanding of the AP600 centrol requirements. They i Measures also have familiarity with the operation of the work-

• Identification of appropriate recovery actions station functional and physical display system.

• Task completion time For each scenario used in the validation study, a description is created of the process disturbances,

implications for operational goals, and recovery actions j that the operator selects without needing procedural l

P18.8-35 W Westi ouse

18. HUMAN FACTORS ENGINEERING l Revision: 0 Effective: 06/26/92 18.8.2.3.5.2.3 Evaluation issue 7: control room mannmg assumptions for handling emer-gency events. He subject is presented with an alarm or Interpretation and Planning During set of alarms. %en the M-MIS is used to select the l Single-Fault Event Using Alarms, Work- *PPmPriate procedure, select the appropriate plant station, Wall Panel Information Station and displays and execute the procedure.

Procedures Concept Testing l Does the integration of alarms, wall panel infor- Hypothesis mation station, workstation and procedures support the ope ator in msponding to single-fault events? ne ntegrated M-MIS supports operators in han-Relevant M-MIS Resources: . . Experimental Manipulations

• Wall panel information station

• Alarm system Test scenarios are based on a variety of plant faults

• Workstation displays for a variety of plant conditions (normal, abnormal and Computer-based and/or paper-based procedures emergencyb Specific Concerns:

Dependent Measures and Evaluation Criteria Does the integration of alarms, displays, controls This evaluation uses a breadboard design to inves-and procedures support the operator in: tigate the effectiveness of the integrated M-MIS in .. supporting operator response to single-fault plant upsets. Obtammg detailed information concerning alarm his is assessed through objective performance measures messages? as well as the participant's subjective assessment ob-

• Retrieving the appropriate procedure in response t tained during debriefing interviews.

Pl ant condition? Subject decisions and actions are analyzed using

• Performing actions indicated in procedures?

decision tracing and analysis of task completion time. Assessing goal threats and goal achievement? ne evaluation focuses on errors ofintent and execution for both control / display navigation and plant contml. Approach he subject's performance in responding to the plant upset is compared to an ideal response path he purpose of this test is to provide confidence defined by experts. Performance is assessed in terms that operators can use the alarms, procedures, displays of. and controls as intended to respond to straightforward, aingle-fault plant upsets. Operator response is primarily

• Succes-ful task completion (such as selection of procedure based. In Rasmussen's termmology, this proper procedures and displays and the proper corresponds to rule-based behavior. His experiment execution of procedure) focuses on the performance ofindividual operators (such as a reactor operator) and does not focus on the interac-

• Task completion time tion of multiple operators. He study is performed l using a crew size consistent with the AP600 main l

i l P18.8-36 g ngh l l

18. HUMAN FACTORS ENGINEERING  !

Revision: 0 v Effective: 06/26/92 ..4m&.- M M- l Errors (such as incorrect intentions and incorrect for example the wall panel information station and execution of actions) alarm system could be simulated on a CRT.

• Inefficiencies (such as delays or wasted actions,

• Information Content: A set of displays is developed such as excessive transitions between displays, to cover the set of faults included in the test, as induced by M-MIS design). well as to provide a set of realistic displays to test the adequacy of navigation.

Implications of Results

• Dynamics: Static displays may be useo. %e He purpose of this evaluation is to contribute to the displays need not be AP600 specific.

development of functional requirements to support the integration of the different M-MIS features. He focus Minimum Subject Characteristics is on the points of interface among the different M-h0S features and how effectively they work in combination Subjects can include designers, engineers, operator to support rule-based performance. trainers, and operators. Subjects have familiarity with he results are analyzed to identify design features the AP600 M-MIS features, that lead to confusions, errors, and slow or awkward actions by the subjects. Functional requirements are Performance Te. wing developed to address those design characteristics that Verification ~ have significant effects on the subject's performance. ~ Required Stage of Development of the M-MIS Design features of the hardware and displays are exammed and evaluated against functional requirements His test is conducted during the functional re- using a checklist-type procedure. This evaluation quirements phase of the M-MIS design process The focuses on the functional requirements that were defined M-MIS design is at a phase where prelimmary design during the concept test phase to support integration of concepts exist for the wall panel information station, the M-MIS features, especially those developed during the alarm system, workstation displays and procedures. concept testing phase of this evaluation. Histestis conducted with equipment that emulates production Minimum Test Bed Requirements: prototype hardware for the workstation. Deviations from the functional requirements are documented and

• PhysicalForm: he wall panelinformation station, then evaluated.

alarm system, workstation displays and computer-ized procedure displays are representative of the Validation AP600 M-MIS in terms of appearance. His in-cludes display format, use of windows, display his test is a validation of that integrated M-MIS navigation mechanisms and links among the differ- supports trained operators in responding to single-fault ent M-MIS resources (for example, mechanisms events. linking alarm messages to particular workstation displays or procedures). He M-MIS features need Requirement: Prompt and correct interpretation of not be high-fidelity with respect to physical scale, alarm messages Measures: P18.8-37 -_ W Westinghouse

18. HUMAN FACTORS ENGINEERING ^

. . . . . . . Revision: 0 Effective: 06/26/92

• Operator report of fault and implications Experimental Maniptdations

• Task completion time he types of plant upsets presented are the same as Requirement: Prompt retrieval of detailed information in the concept testing phase.

from workstation regarding alarm messages Measures: Required Stage of Development of the M-MIS i e Successful retrieval of required informatica  ;

• Information retrieval time His test is conducted after the design of the wall panel information station, alarm system and workstation Requirement: Prompt and correct selection of proce- hardware, software and information content have been dure completed. This test is conducted using a near full- )

Measures scope simulator covisting of equipment that emulates e Successful retrieval of procedure the M-MIS hardware.

• Procedure selection time Minimum Test Bed Requirements:

Requirement: Prompt and correct selection of controls and displays

• Physical form: %e hardware emulates M-MIS Measures: equipment in the relevant respects.

• Successful retrieval of controls and displays

• Control and display selection time

• Information content: He information content of the M-MIS is representative of AP600 interfaces in Requirement: Prompt and correct assessment of goal content and format.

threats and goal achievement Measures

• Dynamics: A high-fidelity, near full-scope AP600

• Operator assessment of goal threats and goal main control room simulator is used, achievement

• Task completion time Minimum Subject Characteristics (Validation)

For each scenario used in the validation study, a Subjects are experienced operators who have a basic description is created of how the operator must respond understanding of the AP600 controlrequirements. %ey to the event. It includes a description of the alarms that also have familiarity with the operation of the AP600 are identified, how they are interpreted, what work- M-MIS. station displays are accessed, what conclusions about plant state and implications for operational goals are 18.8.2.3.5.2.4 Evaluation issue 8: drawn, what procedures must be accessed, and what control actions are taken. Operator performance is interpretation and Planning During compared against this description. The performance Multiple-Fault Events Using Alarms, Work-criterion is the correct response. Criteria for task station, Wall Panel Information Station and completion time are determined at a later point. Procedures Does the integration of alarms, wall panel infor-mation station, workstation and procedures support the P18.8-38 Westingtl00Se

18. HUMAN FACTORS ENGINEER lNG Revision: O . _ .

d Effective: 06/26/92 f operator in interpretation and planning during quired for interpre'ing plant status indications, evaluat-multiple-fault events? ing performance of automatic control systems, evaluat-ing the validity of process data, evaluating altemative Relevant M-MIS Resources: response paths and evaluating the effectiveness of the current procedure. i

• Wall panel infonnation station his experiment focuses on the performance of

• Alarm system individual operators (such as reactor operator) and does e Workstation displays not focus on the interaction of multiple operators. He

• Computer-based and/or paper-based procedures, study is performed using a crew size consistent with the AP600 main control room mannmg assumptions for Specific Concerns: handling emergency events. He subject (s)is presented with a complex alarm condition and selects and executes Does the integration of alarms, displays, and proce- she appropriate response using procedures and dispicys dures' support the operator in: of the M-MIS.

• Diagnosing multiple-fault plant conditions Concept Testing

• Planning / selecting the most appropriate recovery Hypothesis path when multiple safety goals need to be con-sidered he integrated M-MIS supports operators in han-  ;

dling multiple-fault events.  !

• Assessmg the effect of the selected recovery path on i' other plant goals (side effects) Experimental Manipulations

• Supervising automated systems and determmmg A variety of multiple fault plant conditions are when annual intervention is required? included to test:

Approach

• System understanding in diagnostically complex j cases (such as masked symptoms and obscured l

He purpose of this test is to provide confidence evidence) that operators can use the alarms, procedures, displays, and diagnostic aids to select and maintain the appropri-

• Success path planning in complex cases (such as ate response path in multiple fault situations. He test complex constraints, side-effects and conflicting assesses: goals)

• System understanding for diagnostically complex

• Ability to provide supervisory control of automatic cases control systems, to assess when intervention is

• Success path planning for cases where the recovery required, and to have them take over effectively.

path is complex. Operator response is guided by emergency response procedures, although knowledge-based skills are re-P18.8-39 a W-Westinghouse l l

18. HUMAN FACTORS ENGINEERING N

Revision: 0 Effective: 06/26/92 ] - Dependent Measures and Evaluation Criteria actions by the subjects. Particular attention is paid to the interpretation of plant state and response planning by his evaluation uses a breadboard design to inves- the subjects. Instances of errors of intention are ana-tigate the effectiveness of the integrated M-MIS in lyzed in detail to determme M-MIS characteristics that supporting operator response to multiple-fault plant might have contributed to the error and improvements upsets. Panicular attention is focused on the ability of that could be made to the M-MIS to reduce this type of the integrated M-MIS to support knowledge-based error. reasoning. His is assessed through objective perfor- his evaluation lesas to the following types of mance measures, think-aloud protocol during task recommendations: performance, and the participant's subjective assessment obtained during debriefing interviews.

• Ways of presenting alarm and procedure informa-Subject decisions and actions are analyzed using tion that assist operators in determuung the appro-decision tracing and analysis of task completion time. priate priority of multiple alarm messages ne subject's performance in responding to the plant upset ir compared to an ideal response path

• Ways of presenting information on the wall panel defined by experts. Performance is assessed in terms information station, the workstation displays, and of: the procedures, to reduce the likelihood of operator fixation on a single fault

• Successful task completion (such as, selection of proper procedures and displays, proper execution of

• Ways of presenting information on physical and the procedure) functional plant displays, the wall panel information station and procedures to assist operators in deter-

• Task completion time mimng the cause and consequences of plant compo-nent malfunctions Errors (such as incorrect intentions and incorrect execution of actions)

• Ways of presenting alarm and procedure informa-tion that assist operators in determimng appropriate

• Inefficiencies (such as delays or wasted actions, goals for plant recovery including excessive transitions between displays,

• Ways of presenting information on physical and induced by M-MIS design). functional plant displays, the wall panel information station and procedures to maintain operator aware-Implications of Results ness of side effects (consequences of plant recovery path that may violate other safety goals)

De purpose of this evaluation is to contribute to the development of functional requirements for the integrat-

• Ways of presenting information on physical and ed M-MIS to support operator response to multiple-fault functional plant displays, the wall panel information events. He focus is on the points of interface among station and procedures to support operator supervi-the different M-MIS features and how effectively they sory control of automated systems, and identifica-work in combination to support knowledge-based tion of when manual intervention is required, performance.

He results are analyzed to identify design features that lead to confusions, errors, and slow or awkward l I ! W W8Stillgh0USC i l l i i

18. HUMAN FACTORS ENGINEERING l Revision: O i V Effective: 06/26/92 -

e Required Stage of Development of the M-MIS Performance Testing , l Lis test is conducted during the functional re. Verification j quirements phase of the M-MIS design process ne i M-MIS design is at a phase where prelimmary design Design features of the hardware and displays are concepts exist for the wall panel information station, the cynmmed and evalnated against functional requirements alarm system, workstation displays and procedures, using a checklist procedure. His evaluation focuses on the functional requirements that are defined during the Minimum Test Bed Requirements: concept test phase to support integration of M-MIS features. His test is conducted with equipment that

• Physical form: He wall panel information station, emulates production prototype hardware for the alarm system, workstation displays, and computer- workstation. Deviations from the functional require-ized procedure displays are representative of the ments are documented and then evaluated.

AP600 M-MIS in terms of appearance. His in- I cludes display format, use of windows, display Validation I l navigation mechanisms and links among the differ-ent M-MIS resources (such as mechanisms linking This test is a validation that the integrated M-MIS alarm messages to panicular workstation displays or supports trained operators in responding to multiple-fault procedures). The M-MIS features need not be high events. ~ fidelity with respect to physical scale. For exam- ~ ple, the wall panel information station and alarm Requirement: Prompt and correct identification of  ; system could be simulated on a CRT. tmmediate actions Measures

• Information content: A set of displays is developed

• Successful identification of immediate actions to cover the set of faults included in the test, as

• Task completion time well as to provide a set of realistic displays to test the adequacy of navigation. Requirement: Pmmpt and correct diagnosis of faults Measures

• Dynamics: Static displays may be used. The

• Successful retrieval of required m

• formation displays need not be AP600 specific.

• Information retrieval time

• Operator assessment of cause of fandt Minimum Subject Characteristics Requirement: Prompt and correct management of Subjects can include designers, engineers, operator automatic control systems trainers, and operators. Subjects have familiarity with Measures:

the AP600 M-MIS features.

• Correct assessment of automatic system perfor-mance relative to operational goals

• Correct identification of requirements for and future implications of overriding automatic sys-tems

• Task completion time W85tkighouse

18. HUMAN FACTORS ENGINEERING Revision: 0 O

Effective: 06/26/92 '

l l Requirement: Prompt and correct prioritization of Required Stage of Development of the M-MIS conflicting operational goals Measures His test is conducted after the design of the wall

• Operator assessment of goal conflicts and priori- panel information stanon, alarm system, and workstation ties hardware, software and infonnation content have been

• Successful selection of the proper procedure or completed. This test is conducted using a near full.

strategy scope simulator consisting of equipment that emulates

• Procedure or strategy selection time relative to the M-MIS hardware.

plant dynamics l Minimum Test Bed Requirements: Requirement: Prompt and correct selection of controls and displays to initiate response

• Physical form: He hardware emulates M-MIS Measures- equipment in the relev.mt respects. l

• Successful retrieval of controls and displays

• Controls and display selection time

• Information content: he information content of the M-MIS is representative of AP600 interfaces in  ;

Requirement: Prompt and correct assessment of goal content and format. status and goal achievement Measures

• Dynamics: A near full-scope, high-fidelity AP600

• Operator assessment of goal threats and goal main control room simulator is used.

achievement

• Task completion time Subject Characteristics (Validation)

For each scenario used in the validation study, a Subjects are experienced operators who have a basic description is created of how the operator responds to understanding of the AP600 control requirements. Rey the event. It includes a description of the alarms that also have familiarity with the operation of the AP600 are identified, how they are interpreted, what M-MIS. workstation displays are accessed, what conclusions about plant state and implications for operational goals ~0.8.2.3.5.2.5 Evaluation issue 9: are drawn, what procedures are accessed, and what control actions are taken. Operator performance is Interpretation and Planning by Crew During compared against this description. He performance Multiple-Fault Events Using Alarms, criterion is the correct response. Criteria for task Workstation, Wall Panel Information Station completion time are determined at a later point, as and Procedures dixussed previously ,m Section 18.8. Does the integration of alarms, wall panel infor-Experimental Manipulations mation station, workstation and procedures support the crew in interpretation and planning during multiple-he types of plant upsets presented are the same as fault events? in the concept testing phase. l l P18.8-42 l W-W8Stingh0USe 1 l ' 18. HUMAN FACTORS ENGINEERING Revision: O s' Effective: 06/26/92 l---E f Rdevant M-MIS Resources: study is on crew interaction and joint problem-solving. He study is performed using a crew size consistent with

• Wall panel information station the AP600 main control room mannmg assumptions for

• Alarm system handling emergency events. %e subject (s) is presented

• Workstation displays with a complex alarm condition and selects and executes

• Computer-based and/or paper-based procedures the appropriate response using procedures and displays

• Plant communication system. of the M-MIS.

Subjects are presented with complex muhiple-fan.!! Spaific Concerns: events to test several facets of crew communication and coordination. He primary experimental manipulations Does the integration of alarms, displays and proce- are: dures support the crew in:

• Re type of event presented

• Communicating relevant plant state information

• Whether each of the individuals forming a crew are

• Developing and mainemining a shared understanding " subjects," or whether only one is the subject and of plant state the others are confederates whose actions are determined by scripts

• Allocation and coordination of goals and responsi-bilities

• Whether the crews are observed responding to the

~ event uninterrupted, or whether the simulation is

• Maintaining awareness of the goals and activities of frozen at specified points and the subjects are asked other crew members questions relating to their knowledge of plant state, the activities of the other individuals, and the

• Maintaining successful role separation (that is, the implications for safety goal achievement.

supervisor able to maintain a broad view leaving the detailed monitoring and control activities to control Concept Testing operators) Hypothesis

• Detecting performance errors of other crew mem-bers ne integrated M-MIS supports crew commanica-tion and coordination during multiple-fault events.

• Engaging in group problem solving?

Experimental Manipulations Approach Dunng concept testing, two exghtal conditions ne purpose of this test is to provide confidence are used. In one condition, multiple individuals 1mrtici-that the integrated M-MIS supports crew communication pate as a crew in the study, and their interaction and and coordination in responding to multiple-fault situa- coordination are obscrved. His condition is more tions. His study examines crew performance on the realistic. He second condition is more controll d. In same types of plant upsets described in evaluation issue the second condition, one individualis the subject of the number 8. The difference is that the emphasis of this study. One or more additionalindividuals are taed to a W85tiligt10USB l 1 l

18. HUMAN FACTORS ENGINEERING

........ Revision: 0 ' Effective: 06/26/92 ~ complete the crew, but these additional individuals are upset is compared to an ideal response path defined by part of the experiment team (that is experiment confed- experts. Particular attention is focused on analysis of erates). Heir actions are determmed by a script de- crew communication and coordination activities. signed to create critical crew interaction situations with He primary objective measures of performance the individual who is serving as the subject. For exam- are: ple, a confederate might fail to take an action or may take an action that is incorrect. In this second

• Whether relevant plant status information was condition, the question of interest is whether the subject communicated detects the error, brings it to the attention of the confed-erste and attempts to resolve the situation.

• Whether subjects maintained a shared understanding At various points in the event, the simulation is of plant state frozen, and the subjects participating in the study are asked a series of questions designed to assess:

• Whether subjects successfully allocated and coor-dinated goals and responsibilities

• Heir awareness of plant state

• Whether subjects successfully maintained role

• Heir awareness of the response plan being fol- separation lowed

• Whether subjects were able to detect performance

• Heir awareness of the activities of the other opera- errors made by other crew members (such as, tor (s) errors intentionally made by confederates)

~.

• Their awareness of the goals and activities of other

• Whether subjects engaged in group problem- solv-crew members ing, obtaining consensus on interpretations and planning decisions.

• Reir awareness of the impact of the activities of the other operator (s) on their activity, and vice Implications of Results versa.

The purpose of this evaluation is to contribute to the Dependent Measures and Evaluation Criteria development of functional requirements for the integrat-ed M-h0S to support crew communication and coordi-his evaluation uses a breadboard design to inves- nation for interpretation and pinnnmg. tigate the effectiveness of the integrated M-MIS in He results are analyzed to identify design features supporting crew communication and coordination for that lead to confusions, errors, and slow or awkward interpretation and planning. His is assessed through actions by the subjects. Particular attention is paid to objective performance measures, think-aloud protocol the ability of the integrated M-MIS to support develop-during task performance, as well as the participant's ment of a shared plant state interpretation, efficiat task subjective assessment obtained during debriefing inter- allocation and coordination, effective role separation, views. and group problem solving and decision makmg. Subject decisions and actions are analyzed using Instances of breakdowns in communication or task decision tracing and analysis of task completion time. coordination are analyzed in detail to determine M-MIS Re subject's performance in responding to the plant characteristics that might have contributed to the error P18.8-44 W W85tingt10tlSe -

18. HUMAN FACTORS ENGINEERING Revision: O v Effective: 06/26/92 ~

[ and improvements that could be made to the M-MIS to Performance Tesring reduce this type of error. Verification Required Stage of Development of the M MIS Design features of the hardware and displays are nis test is conducted during the functional re- exammed and evaluated against functional requirements quirements phase of the M-MIS design process ne using a checklist-type procedure. His evaluation M-MIS design is at a phase where prelimmary design focuses on the fundional requimaeats that are defined concepts exist for the wall panel information station, the during the concept test phase to support integration of alarm system, workstation displays and procedures. M-MIS features. His test is conducted with equipment that emulates production prototype hardware for the Minimum Test Bed Requirements: workstation. Deviations from tne functional regmre-ments are documented and then evaluated. Physical form: He wall panel information station, alarm system, workstation displays, and computer- Validation ized procedure displays are representative of the AP600 M-MIS in terms of appearance. Hisin- His test is a validation of that integ> M MM cludes display format, use of windows, display supports crew communication and coorut w k,r navigation mechanisms, and links among the differ- interpretation and planning. ent M-MIS resources (such as mechanisms linking alarm messages to particular workstation displays or Requirement: Effective coordination and communica-procedures). He M-MIS features need not be high tion of plant status information between crew members fidelity with respect to physicel scale. For exam- Measures plc, the wall panel information station and alarm

• Successful communication of operator moni-system could be simulated on a CRT. toring assignments Accurate communication of dita regandhg piant Information content: A set of displays are devel- condition oped to cover the set of faults included in the test,

• Operator assessments of plant condition as well as to provide a set of realistic displays to test the adequacy of navigation. Requirement: Prompt and correct diagnosis of multiple faults Dynamics: Static displays may be used. He Measures displays need not be AP600 specific.

• Correct identification of inoperable equipment and assessment of causes Minimum Subject Characteristics

• Task completion time relative to plant dymmics Subjects can include designers, engineers, operator Requirement: Prompt and correct prioritization of goal trainers and operators. Subjects have familiarity with challenges the AP600 M-MIS features Measures Operator assessment of goal conflicts and priori-ties

• Task completion time P18.8-45

i l l

18. HUMAN FACTORS ENGINEERING Revision: 0 O

! H Effective: 06/26/92 - Requirement: Prompt and correct selection of proce-

• Dynamics: A near full-scope, high-fidelity AP600 dure or strategy main contml room simulator is used. j l Measures l

• Correct selection of procedure or strategy Subject Characteristics (Validation)

• Procedure selection time relative to plant dynam-ics Subjects are experienced operators who have a basic

• Task completion time, understanding of the AP600 control requirements. %ey also have familiarity with the operation of the AP600 For each scenario used in the validation study, a M-MIS.

description is created of how the crew responds to time event. Operator performance is compared against this 18.8.7.3.5.2.6 Evaluation Issue 10: description. He performance criterion is the correct  ; response. Criteria for task completion times are deter- Interpretation and Planning by Crew During l mined at a later point as discussed previously in Severe Accidents Using the Technical Sup-  ! Section 18.8. port Center, Alarms, Workstation, Wall Panel , . Information Station and Procedures ' Experimental Manipulations I the bteWon of alanm, wall panel infor-ne types of plant upsets presented are the same as . . . mation station, workstation and procedures support the m the concept testmg phase. Only the more realistic crew in interpretation and planning during severe experimental condition is used. He concept testing accidents? ' discussion provides a description of two expenmental conditions' Relevant hf41IS Resources: Required Stage of Development of the M-MIS

• Wall panel information stat. ion

• AI*'"

%is test is conducted after the design of the wall '7."*** displays

• Workstation panel information station, alarm system, and workstation

• Computer-based and/or paper-based procedures.

hardware, software and information content are complet-ed. His test is conducted using a near full- scope . Specific Concerns: simulator consisting of equipment that emulates the M-MIS hardware.

• Does the M-MIS present information in ways that Support interpretation of plant state under degraded Minimum Test Bed Requirements: ,

plant information conditions

• Physical form: The hardware emulates M-MIS

• Does the M-MIS enable the crew to assesr data equipment in the relevant respects.

quality and recognize when plant parameter mea-sures are unreliable

• Information content: ne information content of the M-MIS is representative of AP600 interfaces in .

• Does the m. tegration M-MIS support the formulation content and format.

i of a response strategy in cases where procedural j guidance is not available l "' 8'8'#8 WM@m I l

18. HUMAN FACTORS ENGINEERING 1

3 Revision: O d Effective: 06/26/92 ,

• Does the M-MIS encourage efficient use of infor- Concept Testing mation found inside and outside the nr.in control room Ilypothesis

• Does the M-MIS provide confidence of effective He integrated M-MIS supports the coorrimation of comrnmication between crew members and per- people and information required for plant state interpre-sonnel located outside the main control room (such tation and response strategy planning activities during as the technical suppod center) severe plant acCdents.

1

• Does the M-MIS support effective group decision Experimental Manipulations mahng?

A variety of severe accident conditions are included Approach to test: The purpose of this test is to provide confidence

• System understanding in diagnostically complex that the design of the M-MIS suppons response to cases (for example masked symptoms and obscured severe accident eventr.. Severe accidents place increased evidence due to degraded sensors) cognitive demands in several respects. First, because plant sensors can become unreliable, interpreting plant

• Success path planning in complex cases (such as state is more difficult. Second, conditions may arise complex constraints, side effects, and conflicting beyond the scope of Emergency Cperating Procedures goals) l requiring a response strategy to be developed. In Rasmussen's terminology, this means that there is

• Communication and coordination between the main greater emphasis on knowledge-based performance control room staff the technical suppod center and during severe accidents. A third complication is that offsite emergency center staff.

there is a greater need for communication and coordi-nation with a variety of personnel outside the main Dependent Measures and Evaluation Criteria control room. His includes personnel in the technical support center, and personnel in the offsite emergency his evaluation uses a breadboard design to inves-response facility. tigate the effectiveness of the integrated M-MIS in His study is performed using a crew size consistent suppoding interpretation and plannmg during severe with the AP600 main control room msnmng assumptiens accidents. Particular attention is focussed on the ability for handling severe accident events. of the integrated M-MIS to support knowledge- based he subjects are presented with a severe accident reasoning. His is assessed through objective perfor-scenario. Additional personnel resources (such as, the mance measures, think-aloud protocol during task ! technical support center or the offsite emergency re- performance and the participant's subjective assessment l sponse facility) are added, based on the time-frame and obtained during debriefing interviews. l rrianning assumptions for the AP600. Decision- trace Subject decisions and actions are analyzed using methodology is used to unce the information access 'ecision tracing and analysis of task completion time. l activities, communication, goal formulation, response %e subject's performance in responding to the ! strategy planning, and decision- mahng activities of the pl.nt upset is compared to an ideal response path main control room crew and outside support personnel. P18.8-47 W-Westinghouse l l

18. HUMAN FACTORS ENGINEERING Revision: O O Effective: 06/26/92 d defined by experts Performance is assessed in terms

• Ways of promoting effective group decision mak-of: ing.

• Successful task completion (such as the selection of Required Stage of Development of the M-MIS proper procedures and displays, and the proper execution of the procedure) His test is conducted during the functional re-quirements phase of the M-MIS design process The

• Task completion time M-MIS design is at a phase where preliminary design l concepts exist for the wall panel informati ; : sudon, the

• Errors (such as incorrect intentions and incorrect alarm system, workstation displays and procedures. In execution of actions) addition, preliminary concepts for the technical support i center and offs? mergency response center mannmg,

• Inefficiencies (such as delays or wasted actions, responsibilities . msources are available.

including excessive transitions between displays, induced by the M-MIS design). Minimum Test Bed Requirernents: i Implications of Results

• Physical Form: He wall panel information station,  !

alarm system, workstation displays, and computer-ne purpose of this evaluation is to contribute to the ized procedure displays are representative of the development of functional requirements for the integrat- AP600 M-MIS in terms of appearance. His in-ed M-MIS to support severe accident management. He cludes display format, use of windows, display study identifies errors and inefficiencies induced by the navigation mechanisms, and links among the differ-design of the M-MIS that may affect emergency re- ent M-MIS resources (such as mechsma.m linking sponse during severe accidents. His evaluation leads to alarm messages to particular workstation displays or the following types of recommendations: procedures). He M-MIS featums need not be high fidelity with respect to physical scale. For exam-

• Ways of presenting information that promote the ple, the wall panel information station and alarm efficient formation and testing of hypotheses re- system could be simulated on a CRT.

garding plant state

• Information content: A set of displays are devel-

• Ways for verifying that multiple information soure- oped to cover the set of faults included in the test, es are used effectively as well as to provide a set of realistic displays to test the adequacy of navigation.

• Ways for promoting effective communication be-tween crew members and personnel located outside

• Dynamics: Statie displays may be used. ne the main control room displays need not be AP600-specific.

• Ways of enhancing greap problem solving, includ- Minimum Subject Characteristics ing understanding plant conditions, planning, and coordinating actions Subjects can include designers, engineers, operator trainers, and operators. Subjects have familiarity with l

the AP600 M-MIS features. l P18.8 48 W - Westinghouse i 1

18. HUMAN FACTORS ENGINEERING 1 Revision: O d Effective: 06/26/92 J=M t l

[ Performance Testing crew and outside personnel must respond to the event. Performance is compared against this description. %e Verification performance criterion is the correct response. Criteria for task completion times are determmed at a later Design features of the hardware and displays are point. examined and evaluated against functional requirements using a checklist procedure. His evaluation focuses on Experimental Manipulations the functional requirements that are defind during the concept test phase to support severe accident manage- He types of plant upsets pmsented are the same as ment. His test is conducted with equipnent that in the concept testing phase. emulates production prototype hardware for the M4flS. Deviations from the functional requirements are docu- Required Stage of Development of the M-MIS mented and then evaluated. His test is conducted after the design of the wall Validation panel information station, alarm system, and workstation hardware, software and information content are complet- i his test is a validation that integrated M-MIS ed. His test is conducted using a near full- scope I supports severe accident management. simulator consisting of equipment that emulates the M-MIS hardware. m Requirement: Prompt and correct diagnosis of plant condition Minimum Test Bed Requiranents: ,~, Measures

• Successful diagnosis of plant condition

• Physical form: %e hardware emulates M-MIS

• Time to diagnose plant condition equipment in the relevant respects.

Requirement: Prompt and correct evaluation of con-

• Information content: ne information content of sequences of altemative recovery paths the M-MIS is representative of AP600 interfaces in Measures: content and format.

• Successful assessment of consequences of recov-ery paths

• Dynamics: A near full-scope, high-fidelity AP600

• Tune to ==== consequences of recovery paths main control room simulator is used. In cases where the postulated events cannot be fully simu-Requirement: Timely and accurate communication of lated on the full-scope AP600 simulator, information betv La the main control room and outside walk-throughs are conducted for those phases of the personnel (such as, the technical support center) severe accident event that cannot be simulated.

Measures

• Accuracy of communicated information Subject Characteristics (Validation)

• Currentness of communicated information rela-tive to decision requirements. Subjects are experienced operators who have a basic understanding of the AP600 control requirements. %ey For each scenario used in the validation study, a also have familiarity with the operation of the AP600 description is created of how the main control room M-MIS. Personnel mannmg the technical support center P18.8-49 l a W

Westinghouse l \ l

18. HUMAN FACTORS ENGINEERING Revision: 0 ^

_ . . . . . ."~" Effective: 06/26/92 I l l l l and offsite emergency response center are representative

• Evaluation Issue 14: Do the M-MIS features '

of the type of individuals who man those sites during support the operator in performing event-paced actual incidents, control tasks? i 18.8.2.3.5.3 Evaluations for Controlling e Evaluation Issue 15: Do the M-MIS features I Plant State support the operator in performing control tasks that require coordination among crew members? %e purpose of evaluations in this subsection is to provide confidence that the M-MIS supports the operator 18.8.2.3.5.3.1 Evaluation issue 11: in making changes in plant state, including: Simple Operator-Paced Control Tasks e Control activities that are operator-paced Do the M-MIS features support the operator in

• Control activities that require consideration of performing simple, operator-paced control tasks?

preconditions, side effects and post-conditions of control actions Relevant M40S Resources:

• Control tasks that require coordination of multiple e Workstation displays and display navigation features procedures e Hani-wired and soft controls

• Control activities that are event-paced e Computer-based and/or paper-based procedures

• Control activities that require coordination among multiple individuals. Specific Concerns:

l ne controlling plant state class of evaluation issues

• Are the procedures well<oordinated with the includes the following: workstation displays to allow efficient location and execution of control actions?

• Evaluation Issue 11: Do the M-hDS features support the operator in performing simple, e Do the workstation displays support the operator in operator-paced control tasks? efficiently locatmg relevant displays and executing control actions?

• Evaluation Issue 12: Do the M-MIS features suppoit the operator in performing control tasks that

• Are the soft controls provided in the workstation require assessment of preconditions, side effects and adequate for supporting operator execution of post-conditions? control actions (including providing adequate feed-back on actuation of control action)?

e Evaluation Issue 13: Do the M-MIS features support the operator in performing control tasks that Approach require multiple procedures? Control maneuvers (such as taking systems out of operation, or switching systems) represent a primary P18.8-50 W-Westinghouse l 1 i l l l

18. HUMAN FACTORS ENGINEERING

, Revision: O d Effective: 06/26/92 ammmmmmmmmmmmmer IN- 1 l activity operators perform during normal and abnormal %e following dependent measures are also col-operations. %e purpose of this test is to verify that the lected: AP600 M-MIS can support operators in performing straightforward control maneuven (that is maneuvers

• Efficiency of navigation - He number of displays I that can be accomplished by a single operator, are traversed to locate a relevant display is compared to operator-paced, and do not involve consideration of l the ideal navigation path specified by design engi-  !

preconditions, side effects, or post-conditions). He neers. M-MIS is evaluated by recording a number of perfor-mance measures while subjects attempt to perform a e Degree of coordination of displays and procedures - series of straightforward control tasks. He number of shifts in displays to accomplish a i procedure (particularly shifts back and forth be- , Concept Testing tween sets of displays; display thrashing) are ' recorded. His is compared to an optimal standard Hypothesis (such as each display supports several procedure steps; display shifts follow a logical progression and he workstation displays and the soft controls occur at logical breaks in procedure step grouping provided in the workstation support operator execution and, there is no display thraslung). I of control actions. Rese controls mimmire errors, provide appropriate feedback on control actuation, and

• Number and type of execution errors - Ideally,  !

allow the operator to quickly correct actions identified number, type, and severity (that is plant control as erroneous. versus navigation) of execution errors observed with ~ the AP600 M-MIS are compared with number and Experimental Manipulations type of execution errors observed for identical control tasks in a typical main control room (under Mechanisms for CRT-based (soft) controls are identical conditions). tested for vadous control actions (such as, initiation / termmation, tuning, or mode selection) and under vary-

• Ability to correct control actions not executed ing task conditions, including the presence of time correctly.

pressure and task distractions. Also, the coordination of controls with the displays that provide feedback for

• Anthropometric problems with the soft contmls (if control actions is tested. any). Any problems locating, activating, or ob-taining feedback on soft control activation are Dependent Measures and Evaluation Criteria recorded.

His evaluation uses breadboard designs to inves-

• nne required to complete task.

tigate human factors issues related to the selection of displays and controls and the execution of soft controls. Implications of Results Qualitative information is gathered through protocol analysis or debriefing of subjects. He intention is to %e purpose of this evaluation is to contribute to the identify characteristics of the design concepts that led to development of functional requirements for the design of confusion, errors, and slow responses by subjects in the physical and functional displays and the soft controls attempting to make an appropriate control action. embedded within them. Specifically, the results guide s W85tirigt10US8

18. HUMAN FACTORS ENGINEERING '

__ Revision: 0 Effective: 06/26/92 ' the design of the display navigation scheme, soft control Minimum Subject Characteris:fes representation, screen interaction devices and control selection and actuation. Subjects can include designers, engineers, operator %e qualitative information gathered from concept trainers, and operators. Subjects have familiarity with testing is analyzed to identify design features that lead the operr. tion of the workstation displays, to confusion, errors and slowness. Functional require-ments are developed to address those design characteris- Performance Testhig tics that had significant effects on the subjects' perfor- , mance on the control task. Verification He quantitative measures are used as baselines to compare alternative designs and evaluate performance Design features of the hardware and displays are benefits achieved through subsequent refinements of exammed and then evaluated against functional require-design concepts. ments using a checklist procedure. His evaluation focuses on the functional requirements that were defined Required Stage of Development of th. M411S during t1e concept testing phase to facilitate the loca-tion, selection, and actuation of soft controls. %is test his test is conducted during the functional re- is conducted with equipment that emulates production quirements phase of the M-MIS design process. He prototype hardware for the workstation. Deviations M-MIS design is at a phase where design concepts exist from the functional requirements are documented and for display formats, navigation aids, screen interaction then evaluated. devices and soft control mechanisms. Prelimmsry decisions regarding display system hardware are made. Validation Minimum Test Bed Requirements: his test is a validation of the ability of trained operators to locate, select, and actuate control actions ,

• Physical form: Computer-based static displays are specified by the procedures in simple control tasks. I used to simulate the workstation displays. His l includes soft controls that have high physical Requirement: Prompt and accurate execution of control fidelity. actions specified by procedures Measures:

• Information content: A set of workstation displays

• Successful retrieval of procedures, displays and  !

are developed to cover the set of control tasks controls, and execution of actions tested, as well a.s to provide a set of realistic dis-

• Time to execute control actions plays to test the adequacy of navigation.

The criterion for display and control retrieval is that

• Dynamics: Static displays are adequate (that is, no the required display or control data be retrieved success-changes in parameter values over time). The only fully. %e criteria for execution times are defined by dynamic characteristics required are changes in the the control response requirements for each of the display required to provide feedback of soft control specific control tasks. Further, these criteria for control actuation (that is, that the control was actuated and execution times are based on analyses of plant dynamics that the desired change in plant state took place). for the specific control tasks. nese analyses of the M s.s 2 W-Westinghouse

l l

18. HUMAN FACTORS ENGINEERING Revision: O s Effective: 06/26/92 a plant dynamics are conducted as the design of the IE controls, and soft controls emulate M-hDS M-MIS evolves. equipment.

Experimental Manipulations

• Information content: The information content of individual displays is representative of actual plant his test uses a range of simple control tasks to displays. A sufficient set of displays is provided to evaluate the location and use of controls. Subjects, generate realistic and representative control maneu-starting fmm procedures, are required to retrieve the vers.

appropriate displays and controls and then execute the control action. This test requires operators to coordi-

• Dynamics: ne M-MIS displays and controls nate their use of various display screens with the exhibit the operational properties of the actual procedure display as they advance through the proce- AP600 system. Response time for display retrieval dure. Relevant plant conditions are sampled by the and control feedback is accurately simulated. A control tasks. He control actions that require that dynamic plant simulation is not needed to drive the l

Class 1E controls are used. A broad sampling of soft displays. control types is represented. Task difficulty is manip-ulated through the number of displays that are accessed Subject Characteristics (Validation) and through the introduction of realistic time pressure into the task. Subjects are experienced operaton who have a basic understan ding of the AP600 concept and control reauire-Required Stage of Development of the M-MIS ments. %ey also have familiarity with the operation of ~ the workstation display system. His test is conducted after the design of the workstation has been completed, the workstation display 18.8.2.3.5.3.2 Evaluation issue 12: hierarchy has been defined, a major portion of the workstation displays have been defined, and the hard- Conditional Operator-Paced Control Tasks wired and soft control mechanisms have been devel-oped. This test is conducted using a part-task simulator Do the M-MIS features support the operator m consisting of equipment that emulates the workstation performing control tasks that require assessment of hardware and detailed prototypes of the AP600 displays. preconditions, side effects and post <onditions? Minimum Test Bed Requirements: Relevant M-MIS Resources:

• Physical form: ne displays used in this test are e Compact workstation (workstation) physical and representative of the AP600 display system in terms functional plant displays of appearance, including display format, coding schemes, use of windows, and control mechanisms. . Wall panel information station displays dynamic Workstation hardware emulates M-MIS equipment plant mimic in the relevant characteristics, including display size and resolution and configuration of display selection e Computer-based and/or paper-based procedures and control actuation. Hard-wired controls, class l

P18.8-53 i W Westinghouse f l \ l

18. HUMAN FACTORS ENGINEERING Revision: 0 Effective: 06/26/92 -

l Computer-based and/or paper-based plant specifica- post-conditions that result from control actions. Fur-t;ons. ther, the plant specifications (computer-based or paper-based) are well coordinated with the workstation Specific Concerns: displays to support this same function. Do the wall panel information station and work- Experimental Manipulations station displays support the operator in identifying violations in preconditions, side effects of control his evaluation uses breadboard designs of the l actions, and post-conditions that result from control workstation displays and control displays to investigate actions? human factors issues related to completing control tasks that can lead to violations. Subjects are given control Are the plant specifications (computer-based or tasks such as tagging out a component. Subjects are not paper-based) well coordinated with the workstation told whether a violation of plant specifications (or other displays to allow efficient identification of violation violation)is likely. Rey have the wall panel informa-of preconditions, side effects, and post-conditions tion station displays, which provide them with an that result from control actions? overview of current plant status, the displays and the plant specifications. Approach he evaluation manipulates the complexity of the control task in terms of the number of displays that must Control maneuvers can become complicated when be eM De control tasks presented to subjects operators need to consider action preconditions, subtle sample from the following situations: side effects, and necessary post-conditions (such as, an action that results in a violation of plant specifications).

• No violatior.2 occur from completion of the con:rol ne purpose of this test is to verify that the AP600 task M-MIS can support operators in performing control maneuvers where preconditions, side-effects and/or

• Preconditions for performing the task are violated post-conditions need to be considered. He tagging out of plant components is an example of this type of a Negative side effects for other ongoing activities situation. occur through completion of the control tasks he proposed approach to test these issues is to record a number of performance measures while sub-

• Completion of the control task results in plant jects attempt to perform a series of control maneuvers systems being unavailable and/or operational goals that require consideration of preconditions, side effects being violated and post-conditions.

• Completion of the task results in plant specification Concept Testing violations.

Hypothesis Dependent Measures and Evaluation Criteria The wall panel information station and workstation ne subject is asked to perform each of a series of displays support the operator in identifying violations in control tasks. For each task, it is determmed whether: l preconditions, side effects of control actions, and I P18.8-54 3 Westinghouse l l i l , 18. HUMAN FACTORS ENGINEERING Revision: O d Effective: 06/26/92 w

• Here are any violations of preconditions for per- characteristics that have significant effects on the sub-forming the task jects' performance on the control task.

He quantitative measures are used as baselines to

• Performing the tasks results in negative side effects compare attemative designs and evaluate performance for other ongoing activities benefits achieved through subsequent refinements of design concepts.

• Completion of the task results in plant systems i being unavailable and/or operational goals being Required Stage of Development of the M-MIS violated his test is conducted during the functional re-

• Completion of the task results in plant specification quirements phase of the M-MIS design process ne violations. M-MIS design is at a phase where design concepts exist for wall panel information station displays, workstation he pnmary dependent measures are the subject's displays, navigation aids, plant specifications, ruamen-ability to detect and, if possible, take action to avoid tary procedures, and soft control mechanisms. Prelimi-violations of any kind. Subject comments and reactions nary decisions regarding display system hardware are to the breadboard M-MIS features are also solicited made.

during the debriefing following completion of the control tasks. %e intention is to identify characteristics Minimum Test Bed Requiresnents: of the design concepts that led to confusion, difficulty, errors, or slowness. Other measures are the following:

• Physical form: Computer-based static displays are used to simulate the wall panel information station

• Task compbtion time displays. Computer-based static displays are also

• Display navigation paths used to simulate the process data displays.

• Nu& of inappropriate displays selected.

• Information content: A set of workstation displays Implications of Results are developed to cover the set of control tasks tested, as well as to provide a set of realistic dis-

%e purpose of this evaluation is to contribute to the plays to test the adequacy of navigation. development of functional requirements for the design of j the wall panel information station, the physical and

• Dynamics: Static displays are adequate (that is, no '

functional displays, the controls and control displays and changes in parameter values over time). %e only the plant specifications. Specifically, the results guide dynamic characteristics required are changes in the development of functional requirements to enable wall panel information station and workstation dis-operators to maintain a broad perspective of the plant plays needed to indicate consequences of control and the interrelations between their actions and other actions on plant state. Rese can be simulated by ongoing activities. replacing one static display with another. For He qualitative information gathered from concept example, after a control action, a new static wall testing is analyzed to identify design features that lead panel information station display is presented that subjects to miss preconditions, side effects, or post- provides revised indications of plant state. l conditions associated with their control task. Functional j requirements are developed to address those design l W Westinghouse l l I

18. HUMAN FACTORS ENGINEERING Revision: 0 O

• _ ~ Effective: 06/26/92 -

Minimum Subject Characteristics of the plant dynamics are conducted as the design of the AP600 evolves. Subjects can include designers, engineers, operator trainers, and operators. Subjects must have familiarity Requirement: Prompt and accurate execution of control with the operation of the workstation displays. actions Measures: Performance Testing

• Successful e: ecution of control actions

• Time to execute control actions Verification ne criterion for successful execution is that, after Design features of the hardware and displays are potential violations are detected, control actions are exammed and then evaluated against functional require- executed. He criteria for task completion times are ments using a checklist procedure. His evaluation defined by the control response requirements for each of focuses on the functional requirements that were defined the specific control tasks. Further, these criteria for durirg the concept testing phase to facilitate the detec- task completion times are based on analyses of plant tion of potential violations of procedure preconditions dynamics for the specific control tasks. Rese analyses and post. conditions or plant specifications. His test is of the plant dynamics are conducted as the design of the conducted with equipment that emulates production AP600 evolves.

prototype hardware for the workstation and wall panel information station. Deviations from the functional Experimental Manipulations requirements are documented and then evaluated. His test uses a range of control tasks to evaluate an Validation operator's ability to execute control actions successfully while avoiding potential violations of procedure and his test is a validation of the ability of trained plant specifications. Subjects, starting from a proce-operators to carry out control tasks and successfully dure, are required to execute a meanmgful sequence of detect potential violations of procedure preconditions control actions. Tag outs and other difficulties are and post-conditions or plant specifications. incorporated to create potential violations of the proce-dures or the plant specifications. Subjects are instructed Requirement: Prompt and accurate identification of to avoid violations. Relevant plant conditions are preconditions, side effects and post-conditions sampled by the control tasks. Task difficulty is manipu-Measures

• lated through the number of displays that must be

• Operator assessment accessed and through the introduction of realistic time

• Task completion time pressure into the task.

He criterion for operator assessment measures is Required Stage of Development of the M-MIS that potential violations are detected before a control action is taken. He criteria for task completion times His test is conducted after the designs of the wall are defined by the control response requirements for panel information station and workstation have been each of the specific control tasks. Further, these criteria completed, the workstation display hierarchy has been for task completion times are based on analyses of plant defined, a major portion of the workstation displays dynamics for the specific control tasks. Rese analyses have been def'med. It is conducted after the hard- wired P18.8 56 W Westingh0USB , 18. HUMAN FACTORS ENG!NEERING Revision: 0 d Effective: 06/26/92 ~ ..a ' i..e and soft control mechanisms have been developed, and 18.8.2.3.5.3.3 Evaluation issue 13: rwlimentary procedures and plant specifications have been defined. This test is conducted using a part-task Control Using Multiple, Simultaneous Pro-simulator consisting of equipment that emulates the wall cedures panel information station and workstatior hardware and detailed prototypes of the AP600 displays. Do the M-MIS features support the operator in performing control tasks that require multiple proce-Minimum Test Bed Requirements: dures?

• Physical form: The displays used in this test are Relevant M-MIS Resources:

representative of the AP600 display system in terms of appearance, including display format, coding

• Compact workstation (workstation) schemes, use of windows, and control mechanisms.

• Wall panel information station Wall panel information station and workstation

• Computer-based and/or paper-based procedures.

hardware emulate M-MIS equipment in relevant characteristics, including display size and resolu- Specific Concerns:  ! tion, and configuratior. of display selection and control actuation. . Does the design of the procedure display interfaces ' prevent operators from getting lost in nested proce-

• Information content: %e information content of dures?

individual displays is representative of actual plant displays. A sufficient set of displays is provided t

• Does the design of display devices support the generate realistic and repri.sentative control maneu-concurrent use of multiple independent (not nested) vers.

procedures?

• Lynamics: He M-MIS displays and controls

• Does the coordination of procedure display with exhibit the dynamic properties of the actual AP600 physical and functional displays allow effective use system. Response time for display retrieval and of plant displays during concurrent use of multiple control feedback is accurately simulated. A dy-procedures?

namic plant simulation is not needed to drive the displays. Approach Subject Cnaracteristics (Validation) Operators may be required to access more than on.e procedure at a time. %ere are typically two general Subjects are experienced operators who have a bas,ic cases of multiple-/xedure use: One is the use of understanding of the AP600 control requirements. Rey adependent, concurrent procedures. For example, an also have familiarity with the operation of the wall panel operator may be involved in both an operating procedure information station system, workstation display system, and a maintenance procedure. %e second case is the the plant specifications, and the procedures, use of nested procedures, where the first procedure refers the operator to a second procedure. In this case, the operator typically completes the second procedure and then returns to complete the first procedure. Given P18.8-57 W Westingflouse

18. HUMAN FACTORS ENGINEERING Revision: 0 Effective: 06/26/92 that these cases exist, the design of the procedure corresponding plant displays; and windowing features display interface must allow operators to accomplish for depicting open procedures.

several feats during control tasks: he approach for testing the case of multiple independent procedures is to have subjects work through Perform steps of procedures with mmtmal disrup- a plant procedure (s) (such as, normal or emergency tions due to manipulations and adjustments of other operating procedures; and, maintenance or surveillance procedures and corresponding plant displays procedures) that is unrelated to the procedure currently accessed For example, while the operator is executing Maintain an awareness of the dependent nature of a procedure for change in plant power, he is asked to nested procedures perform a sarveillance procedure that requires a plant system to be realigned. He subject is allowed some Maintain an awareness of the procedures that are flexibility for determmmg which procedure steps to "open" and which steps remain to be completed. perform first (that is, determinmg when to switch from one procedure to the other). As in the previous case, Herefore, success in these tasks requires consid- the subject is asked at various predefined points to erable coordination between displays and procedures. identify which procedures are open and the implications ne intent of this evaluation is to test an operator's of these open procedures to plant state. Performance is ability to use multiple procedures in the two general evaluated in terms of correct access of procedures and cases described. Subjects are given each multiple- correct response to questions regarding open procedures. procedure case and asked to work through the proce- Inefficiencies in procedure and display use (such as, dures. Performance is evaluated in terms of the excessive search and manipulation of displays) are subject's ability to maintain an awareness of the status noted. of these procedures and their implications to plant state. He approach for testing the nested procedure case involves having subjects work through a scenario that Concept Testing requires use of nested procedures. He subject accesses the required procedure and a corresponding set of static Hypothesis plant displays. Using the procedure and plant displays, he explains how each procedure step would be executed. He procedures and workstation displays support the ne subject accesses other nested procedures as re-operator's ability to access and use multiple (inde- quired. At various predefined points in the scenario, the pendent and nested) procedures and to maintain an subject is asked to identify which procedures are open awareness of the status of these procedures and their and the implications of these open procedures to plant implications to plant state. state. He subjects actions and comments are recorded on video tape. Performance is evaluated in terms of Experimental Manipulations correct access of nested procedures and correct response to questions regarding open procedures. Inefficiencies j His evaluation uses breadboard designs to inves- in procedure and display use (such as, excessive search  ! tigate alternative procedure display selection concepts. and manipulation of displays) are noted. Important characteristics may include: bookmarks and After each test condition, the subject is debriefed to other navigation aids, logical branch displays to identify identify features of the procedure disphy system that , ~ open procedures and steps; control logic for accessing made the task difficult. In the case of multipleindepen-dent procedures, the subject is questioned to determine " 8'8 8 W-Westinghouse l l

18. HUMAN FACTORS ENGINEERING Revision: O s Effective: 06/26/92 L=1

] I l whether constraints of the procedure display system fewer navigation errors and a better aware-l affected the order in which the independent procedures ness / understanding of the status of active procedure were performed. steps. %e qualitative information gathered from concept Dependent Measures and Evaluation Criteria testing is analyzed to identify design features that lead to confusion, difficulties, errors, and slowness. Func-Qualitative results include assessment of difficulties, tional requirements are developed to address those delays, and inefficiencies induced by the design or design characteristics that had significant effects on the performance of the procedure display system. Qualita- subjects' performance on the control task. tive results also include comments from the subjects He quantitative measures are used as baselines to conce ning characteristics of the display that they felt compare alternative designs and evaluate performance made the task difficult and comments regarding any benefits achieved through subsequent refinements of effect that the design of the display system had on the design concepts. way they executed independent procedures. The primary objective measures of performance Required Stage of Development of the M-MIS are: his test is conducted during the functional re-Number of errors made in procedure and display quirements phase of the M-MIS design process. Proce-navigation and selection dures are well defined for the specific scenarios ad- ^ dressed Operator actions also are well defined as Correct identification of "in-progress" procedures criteria for accessing additional procedures. Plant and steps awaiting completion. displays corresponding to the procedure steps also are well established. Alternative concepts for the procedure Subject responses are compared to a predefined set display system are available. of most correct responses. Performance is analyzed using protocol analysis to identify errors ofintent (such Minimum Test Bed Requirements: as, subject identified the wrong procedure but retrieved it correctly) and errors on execution (such as, the

• Physical form: Procedures and procedure selection subject identified the correct procedure but made a and retrieval aids included in the test bed are of mistake while retrieving it). He subject's stated high fidelity. Wording of text, labels, and titles is intentions and actual behavior are recorded and analyzed accurate. Character sizes and salience coding are to identify the causes of these errors. well thought out and well executed. Menus are well structured. Procedures, procedure selection Implications of Results information and plant displays must are displayed in the same mode as in the main control room--on he purpose of this evaluation is to contribute to the CRTs or plasma panels.

development of functional requirements for the design of the procedures, particularly the computer-based proce-

• Information content: Scenarios for these tests are dures, and the physical and functional displays. The well defined and credible. Procedures for these performance measures are used to assess the relative scenarios are complete including full, properly merits of different procedure display concepts. %e formatted text for procedure steps. Clear criteria l results identify procedure display concepts that lead to for referring the subject to other procedures are P18.8-59 W Westinghouse

i ! 18. HUMAN FACTORS ENGINEERING Revision: 0 Effective: 06/26/92 ]s very important. Data values for plant parameters

• Operator identification of procedures and steps are credible, but need not be actual values derived that are *m progress from a simulation.

• Successful retrieval of info mation from workstation displays

• Dynamics: Computerized plant procedures must

• Successful execution of nested procedures have as many operational properties as possible

• Tinie to complete nested procedures.

(such as, scrolling, book marking, or electronic links between procedures). Individual static dis- Re criterion for the first three measures is the plays of the plant may be used. He man-machine error-free completion of multiple-procedure control interfaces for retrieving and displaying procedures tasks. He criteria for task completion times are defined and plant displays is operational. by the control response requirements for each of the specific control tasks. Further, these criteria for task Subjects Characteristics completion times are based on analyses of plant dynam-ics for the specific control tasks. Rese analyses of the Subjects can include designers, engineers, operator plant dynamics are conducted as the design of the trainers and operators. Subjects have familiarity with M-MIS evolves. the operation of the workstation displays. Requirement: Efficient tcd effective use of indepen-Performance Testing dent, concurrent procedures Measures - Verification

• Operator identification of procedures and steps that are in progress Design features of the hardware and displays are

• Successful retrieval of information from work-exammed and then evaluated against functional require- station displays ments using a checklist procedure. His evaluation

• Successful execution of concurrent procedures focuses on the functional requirements that were defined * 'l~tme to complete concurrent procedures, during the concept testing phase to facilitate the use of multiple procedures. His test is conducted with equip- He criterion for the first three measures is the ment that emulates production prototype hardware for error-free completion of multiple-procedure control the workstation. Deviations from the functional re- tasks. He criteria for task completion times are defined quirements are documented and then evaluated. by the control response requirements for each of the specific control tasks. Further, these criteria for task Validation completion times are based on analyses of plant dynam-ics for the specific control tasks. Rese analyses of the his test is a validation of the ability of trained plant dynamics are conducted as the design of the operators to use multiple procedures in two generic M-MIS evolves.

Cases. Experimental Manipulations Requirement: Efficient and effective use of nested procedures ne test evaluates both generic cases of multiple-Measures- procedure use-concurrent independent procedures and ' nested procedures. Subjects are given several control P18.8-60 g_ Westinghouse l ,

18. HUMAN FACTORS ENGINEERING

, Revision: 0 V Effective: 06/26/92 4 tasks that require multiple-procedure use. Both emer- ic plant simulation is not needed to drive the dis-gency and normal operating conditions are tested. Com- plays. plexity is manipulated through increasing or decreasing the number of procedures involved. Miniminn Subject Characteristics (Validation) Required Stage of Development of the M-MIS Subjects are experienced operators who have a basic understanding of the AP600 control requirements. They This test is conducted using a part-task simulator also have familiarity with the operation of the work-consisting of equipment that emulates the workstation station display system and the computerized procedures. hardware and detailed prototypes of the AP600 dirplays and procedures. 18.8.2.3.5.3.4 Evaluation issue 14: Minimum Test Bed Requirements Event-Paced Control Tasks

• Physical form: Procedures and procedure selection p,, the M-MIS features support the cperator in and retrieval aids included in the test bed are of perforrring event-paced control tasks?

high fidelity. Wording of text, labeis, and titles are accurate. Character sizes and salience coding are Relevant M-MIS Resources: well thought out and well executed. Menus must be ~- well structured. Procedures, procedure selection

• Compact workstation (workstation) - physical and information, and plant displays are displayed in the functional plant displays same mode that are used in the main control room-on CRTs or plasma panels. Workstation hardware

. Hard-wired and soft controls emulates M-MIS equipment in the relevant char-acteristics, including display size and resolution and . Wall panel information station displays - dynamic configuration of display selection and control plant mimic actuation.

• Information content: Scenarios for these tests are well defined and credible. Procedures for these Specific Concerns:

scenarios are complete including full, properly forma"ed text for procedure steps. Clear criteria . Do the workstation displays support the operator in for referring the subject to other procedures are locating relevant displays and executing control very important. Data values for plant parameters actions at a rate that allows the operator to keep are credible, but need not be actual vsdues derived pace with the event? from a simulation.

• Are the computer-based (or paper-based) control

• Dynamics: 'Ibe M-MIS displays and controls procedures well coordinated with the workstation exhibit the operational properties of the AP600 displays to allow the operator to keep pace with the system. Response time for display retrieval and event?

control feedback is accurately simulated. A dynam-W Westingh00Se

18. HUf AAN FACTORS ENGINEERING Revision: O Effective: 06/26/92

• In cases where event dynamics are slow (that is, Concept Testing long response 'ime to reach desired state for a step in the procedure) do the displays and IIypothesis computer-basd control procedures allow the opera-tor to go on to perform next steps (that is, suspend he workstation displ.tys, the computer-ba3ed a step) and re*u a to complete the pending step at procedures, and soft controla support the operator in the appropriate time 7 efficiently locatmg relevant displays and executing control actions in pace with prccess dynamics. In cases

• Do the soft controls support the operator in exe- where event dynamics are slow, the operator is able to cution of control actions and evaluation of feedback perform subsequent steps (that is, suspend a step) and in pace with the event? return to complete the pending rtep at the appropriate time.

Approach Expenmental Manipulations Many operator activities performed during normal and abnormal operation involve dynamic control tasks he proposed approach to test these issues is to (such as, plant startup, plant mode changes, and load have subjects attempt to perform a series of event-paced changes) where the operator activity keeps pace with control tasks. Two types of control tasks are used. He plant dynamics. Keeping pace often refers to the first type of control task involves rapid process dynam-operator's ability to execute actions quickly enough to les (such as, manual feedwater control during startup), stay ahead of the dynamics of a plant state progression. requiring skilled operator response to keep up with However, problems can also arise when the event moves process dynamics. The second type of control task slowly. In this case, the operator may have to suspend involves slow dynamics (processes with a long response one procedural step (such as, wait for a parameter value time to reach desired state) so that operators are re-to reach a threshold) but not other steps subsequent to it. quired to initiate processes, go on to other activities, and De operator may continue to complete steps subsequent then return to confirm that the process goal states are to the suspended step. ' Ibis decision creates a need for achieved and complete pendmg steps. the operator to remember to complete a step thst is no longer cued by the procedures. Herefore, when the Dependent Measures and Evaluation Cdteria condition is satisfied (such as, the value reaches the threshold), the operator retums to the step and executes Qualitative results include assessment of difficulties, it. delays, and inefficiencies induced by the design or ne purpose of this test is to verify that the A?600 performance of the control and displays systems. M-MIS can support operators in performing event-paced Qualitative results also incide comments from the control tasks. He proposed approach to test these subjects concerning characteristics of the displays or issues is to have subjects attempt to perform a series of controls that they felt made the task difficult and com-event-paced control tasks and to record a number of ments regarding any effect that the design of the display performance measures. system on the way they executed independent proce-dures. The pnmary objective measures of performance are: P18.8-62 T Westinghouse 1 i l l 1 I

18. HUMAN FACTORS ENGINEERING l Revision: 0 d Effective: 06/26/92 -

E

• Ability of the operator to keep up with process dy-

• Effect of M-MIS on errors of execution and ability i namics (that is, are process goal states reached in to detect and correct errors of execution and im- '

adequate time? Are process limits exceeded 7). provements that may be needed Evaluation criteria require determination of time limits within which control tasks must be complet-

• Adequacy of anthropometric characteristics of soft ed, and control boundaries that are not exceeded controls (such as, size, shape, or saliency) for sup-(such as, trip setpoints) porting event-paced control activities and improve-ments that may be needed.

• Number and types of errors of execution (such as, Are steps omitted? Does the operator fail to return he qualitative information gathered from concept to complete pending steps? Are boundary limits testing is analyzed to identify design features that lead exceeded?) to confusion, difficulties, errors, and slowness. Func-tional requirements are developed to address those

• Whether operators detect and correct errors of design characteristics that had significant effects on the execution when they occur subjects' performance on the control task.

He quantitative measures are used as baselines to Anthropometric problems with the soft controls (if compare alternative designs and evaluate performance l any) benefits achieved through subsequent refinements of ' design concepts.

• Degree of coordination of displays and procedures.

~ He number of shifts in displays to accomplish a Required Stage of Development of the M-MIS procedure (particularly shifts back and forth be-tween sets of displays--display thrashing are re- His test is conducted during the functional re-corded. quirements phase of the M-MIS design process. He following components are available. Implications of Results

• Workstation displays for the event-paced control

%e purpose of this evaluation is to contribute to the tasks selected; A dynamic prototype of the work-development of functional requirements for the design of station that includes a set of realistic displays and the controls and the physical and functional displays. navigation mechanisms to test the adequacy of %e performance measures are used to assess the navigation relative merits of different control and display concepts,  ; including the following:

• A dynamic prototype of the workstation that in-cludes soft controls that have high physical form i

• Information on the ease of locating relevant dis- fidelity (that is, size, shape, saliency, actuation plays, controls and procedures in pace with process feedback characteristics) dynamics and improvements that may be needed

• Procedures (either paper-based or computer-based).

• Information on whether the displays and procedures are well coordinated, allowing operators to keep A high-fidelity plant simulation that models the pace with process dynamics and improvements that plar.t dynamics for the event-paced control tasks selected may be needed P18.8-63 W Westinghouse

I l l l

18. HUMAN FACTORS ENGINEERING

~ Revision: 0 O Effective: 06/26/92 ' is necessary to drive the displays. He displays need not Validation be AP600 specific. His test is a validation of the ability of trained Minimum Test Bed Requirements: operators to efficiently locate relevant displays and execute control actions in pace with process dynamics.

• Physical form: Computer-based dynamic displays are used to simulate the workstation display. This Requirement: Correct execution of control tasks in pace includes soft controls that have high physical with event:

fidelity. Measures

• Completion time for control actions relative to

• Information content: A set of workstation displays requirements of plant dynamics is developed to cover the set of control tasks tested,

• Successful execution of the procedure as well as to provide a set of realistic displays to test the adequacy of navigation. He criterion for successful procedure execution is the error-free completion of the control tasks. He

• Dynamics: A dynamic plant simulation is required criteria for task completion times are defined by the to drive the workstation displays to simulate the control response requirements for each of the specific plant dynamics involved in the event-paced control control tasks. Further, these criteria for task completion tasks selected. He displays need not be AP600 times are based on analyses of plant dynamics for the specific. specific control tasks. These analyses of the plant dynamics are conducted as the design of the M-MIS Minimtan Subject Characteristics evolves.

Subjects can include designers, engineers, operator Experimental Manipulations trainers, and operators. Subjects have familiarity with the operation of the workstation displays. His test uses a set of control tasks to evaluate an operator's ability to efficiently locate relevant displays Performance Testing and execute control actions in pace with process dy-namics. Subjects are instmeted to execute control Verification actions in pace with an evolving event. Subjects are also required to suspend certam control actions until Design features of the hardware and ?isplays are their criteria are met. Complexity is manipulated by examined and then evaluated against functional require- changes in the complexity of the event and the proce-ments using a checklist procedure. This evaluation dures that support it. Control tasks are taker from both focuses on the functional requirements that were defined normal and emergency plant states. during the concept testing phase to support event-paced control tasks. His test is conducted with equipment Required Stage of Development of the M MIS that emulates production prototype hardware for the workstation. Deviations from the functional require- His test is conducted using a part-task simulator ments are documented and then evaluated. consisting of equipment that emulates the workstation hardware and detailed prototypes of the AP600 displays and procedures. P18.8-64 W Westinghouse

18. HUMAN FACTORS ENGINEERING Revision: 0 O Effective: 06/26/92 =4 5

Minimum Test Bed Requirements: Specific Concerns:

• Physical form: Computer-based dynamic displays Do the wall panel information station displays, are used to simulate the workstation display. This workstation displays and procedures allow an operator includes soft controls that have high physical to:

fidelity.

• Maintain awareness of control actions of other

• Information content: A set of workstation displays personnel working in parallel is developed to cover the set of control tasks tested, as well as to provide a set of realistic displays to

• Provide a common frame of reference and promote test the adequacy of navigation. common mental models of plant state

• Dynamics: A dynamic AP600 simulation is re-

• Anticipate the consequences of the control actions quired to drive the workstation displays to simulate of other personnel working in parallel the plant dynamics involved in the event-paced control tasks selected.

• Coordinate setivities with other personnel working in parallel Subject Characteristics (Validation)

• Develop control strategies that take into account the Subjects are experienced operators who have a basic control actions of other personnel working in paral-understanding of the AP600 concept and control require- lei (that is, that build on the activities of the other

~ ments. Hey also have familiarity with the operation of personnel rather than work at cross- purposes) the workstation display system and the AP600 proce-dures.

• Monitor performance of others to verify actions and identify and correct errors 18.8.2.3.5.3.5 Evaluation issue 15:

• Allocate tasks among crew members as plant Control Tasks Requiring Crew Coordination conditions change to improve efficiency of perfor-mance, provide assistance, and/or avoid reaching Do the M-MIS features support the operator in undesirable plant states?

performing control tasks that require coordination among crew members? Approach Relevant M MIS Resources: he Purpose of this test is to verify that the AP600 M-MIS can support operators in performing control

• Compact workstation (Workstation): physical and tasks that require cmrdinatim ammg multiple individu-functional plant displays als. Coordination supports increased error checking, more efficient use of human resources, and better

• Hard-wirai and soft controls

• Wall panel information station displays respmse to changing plant conditions.

• Computer-based and/or paper-based procedures Subjects are placed in control tasks requiring

• Plant communication system. cmrdination to test several facets of crew coordination.

The primary experimental manipulations are: P18.8-65 . T Westinghouse I { l l i

18. HUMAN FACTORS ENGINEERING l

Revision: 0 ^ F*.I Effective: 06/26/92 l 1

• Type of control task presented, including simulta- mance and/or avoid reaching undesirable plant i neous but related and simultaneous but unrelated states.

procedures Experimental Manipulations l

• Whether each of the operators forming a crew are subjects or whether only one is the subject and the This evaluation uses concept designs of the work-others are confederates whose actions are deter- station, the wall panel information station, and the mined by scripts procedures to test the human factors issues related to crew coordination in control tasks. The approach is to

• Whether the crews are observed performing the have subjects attempt to perform a series of control control task uninterrupted or whether the simulation maneuvers that require coordination among multiple is frozen at specified points and the operators are individuals and enmme whether operators are able to ,

asked questions relating to their knowledge of the maintain awareness of the activities of others and  ! activities of the other operators and their conse- coordinate with them effectively. This requires setting quences. up a dynamic test bed that enables multiple operators to l interact with plant processes simultaneously. 7,vo Concept Testing experimental conditions are proposed. In one con { tion, i multiple operators panicipate as a crew in the study and 1 Hypothesis their interaction and coordination is observed. His l condition is more realistic. He second condition is ' The wall panel information station displays, more controlled. In the second condition, one operator ) workstation displays, and the computer-based procedures is the subject of the study. One or more additional ' support crew coordination in control tasks by: operators are used to complete the crew required to i perform the control task, but these additional individuals

• Maintain awareness of control actions of other are part of the experiment team (that is, expenment )

personnel working in parallel (that is, they provide confederates). Their actions are determined by a script 1 a common frame of reference and promote common designed to create critical crew interaction situations mental models of plant state) with the operator who is serving as the subject. For example, the confederate might take an action that has

• Anticipate the consequences of the control actions undesirable effects on the process controlled by the of other personnel working in parallel subject. The subject detects this error, brings it to the other operator's attention, and attempts to resolve the

• Coordinate activities with other personnel working situation.

in parallel At various points in the control maneuver, the simulation is frozen, and the operators participating in

• Develop control strategies that take into account the the study are asked a series of questions designed to control actions of other personnel working in paral- assess:

lel (that is, that build on the activities of the other personnel rather than work at cross-purposes)

• Their awareness of the activities of the other opera-tor (s)

• Allocate tasks flexibly (dynamically) among them-l selves in order to improve efficiency of perfor-i P18.8-66 W Westirighouse

18. HUMAN FACTORS ENGINEERING Revision: 0 v Effective: 06/26/92 i -- "

suunumusumummmmma dlE

• Heir awareness of the impact of the activities of Implications of Results the other operator (s) on their activity, and vice versa %e purpose of this evaluation is to contribute to the development of functional requirements for the design of

• Heir ability to anticipate the future consequences of the controls, the wall panel information station, and the their activities on the activities of the other opera- physical and functional displays. The performance tor (s) and vice versa measures are used to assess the relative merits of different control and display concepts. ,

• Heir ability to formulate coordination strategies %e qualitative information gathered from concept that build on the activities of the other operators testing is analyzed to identify design features that lead i rather than working at cross-purposes. to confusion, difficulties, errors and slowness. Func- l tional requirements are developed to address those Dependent Measures and Evaluation Criteria design characteristics that had significant effects on the l subjects' performance on the control task. J Qualitative results include assessment of difficulties, he quantitative measures are used as baselines to )

delays, and inefficiencies induced by the design or compare alternative designs and evaluate performance performance of the control and displays systems. benefits achieved through subsequent refirements of Qualitative results also include comments from the design concepts. j subjects concerning characteristics of the displays or l controls that they felt made the task difficult, and Required Stage of Development of the M-MIS l comments regarding any effect that the design of the ) display system on the way they executed independent his test is conducted during the functional re-  ! procedures. quirements phase of the M-MIS design process %e l He primary objective measures of performance following components are available: Multiple work- ' are: stations to support multiple operators working in paral-lel; workstation displays for the control tasks selected; )

• %e adequacy of performance on the control task and, procedures (either paper-based or computer-based).

(that is, the ability to achieve goal states, time to achieve goal states, and to limit violations) A high-fidelity plant simulation that models the plant dynamics for the event-paced control tasks selected

• He degree of crew communication and coordina- is necessary to drive the displays.

tion (that is, using decision-trace methodology) Minimum Test Bed Requirements:

• %e responses to questions relating to operator l I

awareness of activities of the other operators and

• Physical form: Multiple workstations are high their consequences. fidelity with respect to physical form and layout in the main control room. A wall panel information Criteria may be set for adequate response (such as, station is high fidelity in physical form (such as, maximum time to achieve goal stste, or no limit viola- size, location relative to workstations, and display tions). Another criterion is the subject's success in characteristics).

detecting and describing the actions of crew members that conflict with his actions. W WBStingh0USB

18. HUMAN FACTORS ENGINEERING

. . . . . . Revision: 0 N ~~ Effective: 06/26/92

• Information content: A set of wall panel infor- He crite-ion for operator assessment is a complete mation station and workstation displays is developed accounting (at a low level of detail) of the actions of to cover the set of control tasks tested. other critical operators.

• Dynamics: A dynamic plant simulation is required Re:[uirement: Effective coordination of multiperson to drive the wall panel information station and control tasks workstation displays to simulate the plant dynamics Measums:

involved in the operator coordination control tasks

• Successful completion of the control task selected.

• Task completion time Minimum Subject Characteristics %e criterion for successful completion is the error-free completion of control tasks. He criteria for Subjects can include designers, engineers, operator task completion times are defined by the control re- l trainers, and operators. Subjects have familiarity with sponse requirements for each of the specific control the c,peration of the workstation displays. tasks. Further, these criteria for task completion times  !

are based on analyses of plant dynamics for the specific Performance Testing control tasks. Rese analyses of the plant dynamics are conducted as the design of the M-MIS evolves. Verification Requirement: Effective coordination of control actions Design features of the hardware and displays are for independent, concurrent procedures examined and then evaluated against functional require- Measures ments using a checklist procedure. His evaluation

• Successful completion of the control task focuses on the functional requirements that were defined

• Task completion time during the concept testing phase to facilitate crew 1 coordination during control tasks. His test is conducted The criterion for successful completion is the with equipment that emulates production prototype hard- error-free ecmpletion of control tasks. He criteria for ware for the workstation. Deviations from the fune- task completion times are defined by the contml re-iional requirements are documented and then evaluated. sponse requirements for each of the specific control tasks. Further, these criteria for task completion times Validation are based on analyses of plant dynamics for the specific control tasks. Rese analyses of the plant dynamics are his test is a validation of the ability of trained conducted as the design of the M-MIS evolves.

operators to use crew coordination in order to gain a number of advantages during control tasks. Requirement: Effective allocation of crew member responsibilities in response to exceptions Requirement: Awareness of control actions of others Measures-Measures

• Successful communication of responsibilities to e Operator assessment of operator actions operators

• Successful completion of the control task

• Task completion time.

P18.8-68 W Westinghouse i s 1 1

18. HUMAN FACTORS ENGINEERING i Revision: O s Effective: 06/26/92  ;

ne criterion for successful completion is the Required Stage of Development of the M-MIS error-free completion of control tasks. He criteria for task completion times are defined by the control re- he following components are available: high-sponse requirements for each of the specific control fidelity plant simulation that models the AP600 dynam-tasks. Further, these criteria for task completion times ics for the event-paced control tasks selected to enable are based on analyses of plant dynamics for the specific observation of interacting effects on plant dynamics of ~ control tasks. Rese analyses of the plant dynamics are the actions of multiple operators; multiple workstations i conducted as the design of the M-MIS evolves. to support multiple operators working in parallel; l workstation displays for the control tasks seleded; and Experimental Manipulations procedures (either paper-based or computer-based). l l His test uses a small set of fairly complex control Minimum Test Bed Requirements: l tasks, each of which requires coordination among crew members. Only the more realistic task is used. He

• Physical form: Multiple workstations are high concept testing discussion provides a description of the fidelity with respect to physical form and layout in two tasks. His realistic task requires coordination the main control room. A wall panel information among multiple individuals and exammes whether station is high fidelity in physical form (that is, operators are able to maintain awareness of the activities size, location relative to workstations, and display of others and coordinate with them effectively. Multiple characteristics).

operators participate as a crew in the test, and their interaction and coordination are observed. At various

• Information content: A set of wall panel infor-points in the control maneuver, the simulation is frozen, mation station and workstation displays is developed and the operators participating in the study are asked a to cover the set of control tasks tested. ,

I series of questions designed to assess:

• Dynamics: A dynamic AP600 simulation is re- l

• Reir awareness of the activities of the other opera- quired to drive the wall panel information station  !

tor (s) and workstation displays to simulate the plant dynamics involved in the operator coordination a Their awareness of the impact of the activities of control tasks selected. the other operator (s) on their activity, and vice versa Subject Characteristics (Validation)

• Deir ability to anticipate the future consequences of Subjects are experienced operators who have a basic their activities on the activities of the other opera- understanding of the AP600controlrequirem nts. Rey tor (s) and vice versa also have familiarity with the operation of the work-station display system and procedures.

• Reir ability to formulate coordination strategies that build ou the activities of the other operators rather than working at cross purposes Test scenarios involve both normal and emergency conditions.

P18.8-69 W Westinghouse

18. HUMAN FACTORS ENGINEERING Revision: O N I

Effective: 06/26/92 i 18.8.2.3.5.4 Evaluations for Conformance Approach to Human Factors Engineer-ing Design Guidelines To date, the most significant set of human factors engineering guidelines relevant to nuclear power plant ne purpose of these evaluations is to provide main control room design is NUREG-0700 (Refer-confidence that the M-MIS features satisfy relevant ence 2). Much of the approach and specific design human factors engineering design guidelines and opera- criteria have been incorporated into the man-machine tor requirements for comfort and ease of use. interface design methodology. Section 6 of NUREG-He human factors engineering class evaluation 0700 contains guidelines for evaluating the suitability of issue is the following: the following main control room components: Main control room work space. communications, annunciator

• Issue 16: Do the M-MIS components satisfy warning systems, controls, visual displays, labels and relevant human factors engineering criteria for I cation aids, process computers, panel layout and acceptability? control-display integration. Rese guidelines were intended for evaluation of existing, conventional main 18.8.2.3.5.4.1 Evaluation issue 16: c ntr I r ms. Hey were n t specifically designed to provide guidance for the design and evaluation advanced

. main control rooms such as the microprocessor based Human Factors Eng.ineenng Guideh.nes main control room of the AP600. However, portions of these guidelines may still provide relevant guidance for Do the M-MIS components satisfy relevant human some features of the AP600 M-MIS. A major emphasis factors engineering critena for acceptability 7 of these guidelines is the evaluation of physical charac-teristics of main control suom features (such as, sizes, evant EE Resoums: shapes, arrangements, and lighting) that affect human performance in terms of ease of use, legibility, comfort,

• Remote shutdown panel and safety. Other human factors design guidelines

• Other local operating panels include MIIeSTD-1472, the American National Stan-

• Wall panel information station dard for Human Factors Engineering of Visual Display

• Alann system Termmal Workstations, and the ASHRAE Standard for Workstation displays . Hermd Comfort.

- Physical and function displays his evaluation focuses on the assessment of these - Alarm support displays issues at two stages--concept testing and acceptance - Gntrols testing. He evaluation format is essentially the same Computer- and paper-based procedures for these two stage. However, concept testing is con-ducted with breadboard designs, while acceptance testing Spec.fic i Concerns: is conducted with prototype equipment. Evaluations are focused at two levels-individual M-MIS features and the

• Do .individual M-MIS components satisfy human integration of the individual M-MIS features into a engineering criteria?

complete main control room. Rese guidelines are also . applied to remote shutdown panel and other remote Does the m. tegration of M-MIS components satisfy opentor pands. Rese evduations pMy consist of human engineering critena for work environments? P18.8-70 W-Westinghouse

18. HUMAN FACTORS ENGINEERING Revision: O s Effective: 06/26/92 r

checklist-type verifications--measuring characteristics of Implications of Results M-MIS features and comparmg them to these guidelines. His evaluation is to refine the functional require-Concept Testing ments for the M-MIS through interactive review of design concepts. Discrepancies between design concepts Hypothesis and established human factors engineering design guide-lines are noted. Functional requirements are revised to Characteristics of the M-MIS are consistent with satisfy relevant guidelines. He goal of this evaluation relevant human factors engineering guidelines. is to reduce the likelihood of guideline discrepancies during performance testing. Experimental Manipulations Required Stage of Development of the M-hDS Relevant characteristics of M-MIS design concepts are measured and evaluated against human engineering This test is conducted throughout the functional guidelines at various stages in their development pro- requirements phase of the M-hES design process for cess. Design concepts fo. individual M-hDS resources, each component. including the remote shutdown room and other remote operator workstations, are evaluated against relevant Minimum Test Bed Requirements: human factors guidelines related to character legibility, labels and locating aids, controls, visual displays,

• Physical form: his evaluation addresses drawings process computers, panel layout and annunciator warn- and breadboard designs.

ing systems. Design concepts for the overall main control room are evaluated against relevant human

• Information content: Hese evaluations generally factors guidelines related to acoustics, lighting, thermal do not require high fidelity for infomation content.

comfort, communications and general layout. Guide- For example, legibility evaluations can be per-lines are evaluated at appropriate stages of the develop- formed with fictitious data or even random charac- , ment process In some cases, a human subject is ters. required to act out operator tasks to provide the appro-priate context for measurements (such as, some anthro-

• Dynamics: Static displays generally be used. In pometric requirements for dynamic reach). some cases, display ammation such as blinking and flashing, may be used. He workstation display Dependent Measures and Evaluation Criteria selection mechanisms is operational.

His is a verification-type evaluation in which Minimum Subject Characteristics design concepts are evaluated againet conducted human factors design concepts. Breadboard designs or draw- Subjects occasionally are required to act out opera-ings are evaluated against the criteria specified by the tor tasks to provide the appropriate context for measure-guidelines (such as, the criteria for accommodating users ments. Subjects for these evaluations generally do not ranging in size from a 5th percentile woman to a 95th need extensive plant operating experience. Designers percentile man). familiar with the orgamration and operation of the relevant M-MIS component (s) are appropriate as sub-jects. P18.8-71 W-W85tiflgt10LISO

18. HUMAN FACTORS ENGINEERING Revision: 0 O Effective: 06/26/92 '

Performance Testing Relevant M-MIS Resources: Verification

• Wall panel information station

• Alarm system Performance testing involves the same evaluation

• Workstation displays methods and criteria as those described for concept

• Physical and function displays testing. However, acceptance testing is conducted using

• Alarm support displays M-MIS production prototypes or equipment that emu-

• Controls lates M-MIS prototypes. It is not conducted with

• Computer-based and paper-based procedures breadboard designs. Deviations from the functional requirements are documented and then evaluated. Specific Concems:

Validation Does the integration of M-hBS components in the main control room support operator performance his evaluation is a verification study. His evalu- requirements for normal, abnormal, and emergency ation has no validation component. conditions? 18.8.2.3.5.5 Evaluations for Validation of Approach Integrated M-MIS Section 3.8 of NUREG-0700 describes a validation his 7,.luation is the validation portion of the process that has the objective of determmmg whether the acceptance testing for the integrated M-MIS. He functions allocated to the main control room operating purpose of this evaluation is to provide confidence that crew can be accomplished effectively within the strue-the integration of the M-MIS features satisfies the design ture of the defined operating and emergency procadures mission of supporting safe and efficient operation of the and the design of the main control room. The recom-AP600 in a variety of plant conditions. mended approach is walk-throughs and talk-throughs of Validation of the integrated man-machine interface events that had been previously analyzed using function system class evaluation issue is: and task analyses. Real-time simulation trials were ' i recommended when feasible, but were not required.

• Issue 17: Does the integration of M-MIS compe. His is evaluation is the validation acceptance test  ;

nents satisfy requirements for validation of main for the integrated M-MIS. He purpose of this evalu-control room functions and integrated performance ation is to expenmentally determine whether the l 1 M-MIS, as designed and implemented, supports safe and capabilities? efficient operation of the plant for the conditions ad-dressed by the design mission. His experiment re-18.8.2.3.5.5.1 Evaluation issue 17: quires the following: Validation of integrated M-MIS

• A near full-scope, high-fidelity su.nulator consistmg of integrated M-MIS components and a high-Does the m, tegration of M-MIS components satisfy fidelity, dynamic simulation of plant behavior  ;

requirements for validation of main control room fune- l tions and integrated performance capabilities? P18.8-72 W Westiligh0US0

18. HUMAN FACTORS ENGINEERING Revision: 0 j Effective: 06/26/92

^ Groups of subjects to perform the functions of main Requirement: Effective and efficient control of plant i control room crew members during emergency operating conditions Measures

• Subjects or experimenters to perform the functions

• Task completion time of personnel outside of the main control room (such

• Successful completion of the task as the technical support center, emergency off-site facility, load dispatcher and remotes. Experimental Manipulations c

Subjects use the simulator to execute operating Test scenarios address design-basis events with the procedures for design-basis events. Subject decisions recommended staffing of crew members in a full-scope, and actions are analyzed using decision tracing and full-fidelity simulator. Design-basis events that were analysis of task completion time. Following each previously addressed in the performance testing portions scenario, subjects are debriefed to assess their under- of Evaluations 1 through 15 may be excluded ihm this standing of plant conditions and how features of the evaluation. M-MIS contributed to their perfonnance. The evalua-tion focuses on the influence of the M-MIS on oper: tor Required Stage of Development of the M-MIS: errors and the severity of these errors. The M-MIS design and integration are complete and Performance Testing fully implemented with a dynamic plant simulation. Verification Minimum Test Bed Requirements: This evaluation has no verification test component. 1"sysical form - near full fidelity Information content - high fidelity Validation Dynamics - near full fidelity with dynamic plant simula-tion. This test is a validation of the ability of the M-MIS to support safe operation of the AP600 plant, including Minimum Subject Characteristics (Validation) mitigation of design-basis events. Subjects are experienced operators who have a Requirement: Effective and efficient control of plant suitable understanding of the AP600 control require-during normal operating conditions ments. Prior to this test, they are trained in the use of Measures: the M-MIS including the organization and operation of

• Task completbn time displays, procedures and controls.

• Successful completion of the task 18.8.2.3.6 Summary of Evaluation Require-Requirement: Effective and efficient control of plant m6. its and Acceptance Criteria during abnormal operating conditions Measures:

'Ihis verification and validation plan for the AP600

• Task m :pletion time M-MIS defines evaluations for two phases of the M-MIS

• Succe:sful completion of the task design process--concept testing and testing. Perfor-mance testing is further defined as verification (analyti-P18.8-73 W

W85ttligt100Se __- .. . . _ - - - _ . . ~ . . .- _ . . .-

18. HUMAN FACTORS ENGINEERING

'N Revision: 0 rzuww ffective: 06/26/92 i cal checks for conformance to functional requirements) and validation (empirical tests to compare actual ! man-machme system performance to anticipated perfor-I mance). Verification and validation evaluations are performed using part-task simulaters when practical. 'Ihis allows any design modifications that result from these tests to be incorporated into the M-MIS design

earlier.

l l l l l l l l I 1 l l 1 P18.8-74 W W85tingh00S8 i l 5 1 l l l

18. HUMAN FACTORS ENGINEERING

] Revision: 0 V Effective: 06/26/92 I Table 18.8.2-1 (Sheet 1 of 2) Major Evaluation issues Operator Activity: Detedion and Monitoring ) Issue 1: Do the wall panel information station and the workstation summary and overview displays support the operator in maintaining an awareness of plant status and system availability without needing to search actively through the workstation displays? Issue 2: Does the wall panel information station support the operator in getting more detail about plant status and system availability by directed search of the workstation functional and physical displays? . I Issue 3: Do the M-MIS features support efficient navigation to locate specific information? Issue 4: Do the M-MIS features effectively support crew awareness of plant condition? Operator Activity: Interpretation and Planning ~ Issue 5: Does the alarm system convey information in a way that enhances operator awareness and understanding of plant condition? Issue 6: Does the physical and functional organization of plant information on the workstation displays enhance diagnosis of plant condition and the planning / selection of recovery paths? Issue 7: Does the integration of alarms, wall panel information station, workstation, and procedures support the operator in responding to single-fault events? Issue 8: Does the integration of alarms, wall panel information station, workstation and procedures support the operator in interpretation and planning during multiple-fault events? Issue 9: Does the integration of alarms, wall panel information station, workstation and procedures support the crew in interpretation and planning during multiple-fault events? Issne 10: Does the integration of alarms, wall panel information station, workstation, and procedures support the crew in interpretation and planning during severe accidents? P1ct.g. 5 W Westiligt10USB m l

18. HUMAN FACTORS ENGINEERING

. . . . . Revision: 0 A

Effective: 06/26/92 I

~' Table 18.8.2-1 (Sheet 2 of 2)- Major Evaluation issues Operator Activity: Controlling Plant State Issue 11: Do the M-h0S features support the operator in performing simple, operator-paced control tasks? Issue 12: Do the M-MIS features support the operator in performing control tasks that require assessment of preconditions, side effects and post-conditions? Issue 13: Do the M-MIS features support the operator in performing control tasks that require multiple procedures? Issue 14: Do the M-MIS features support the operator in performing event paced control tasks? Issue 15: Do the M-MIS features support the operator in performing control tasks that require coordmation among crew members? Conformance to Human Factors Engineering Design Guidelines l Issue 16: Do the M-MIS components satisfy relevant human factors engineering design guidelines? j I Validation of Integrated M-MIS Issue 17: Does the integration of M-MIS components satisfy requirements for validation of control room functions and integrated performance capabilities 7 l i I l I P18.8-76 W-W8Stingh0USB l i n _ }t

18. gf og.aN FACTORS ENGINEERING naw .

PAST EXPFN ADO DEO9 BON MOLE.L _Ne,=tAATORY m ou = T.--. p Ase MCCEDUFE 0 DER PUNCY REQUWEMENTS DES /GN STANDAms g, . yyngy,,a y,mcacPm "" PRomstse -user FNOWLEDGE LEVEL I- - ,o T sPECFIC DESON _ c, .mm ROOM OESK3M N FUNCTION Basts BASED TASK N CONTROL

• "eransvac h"eRs ANALYSIS ROOM Ea woonac sEAssuufv assa.ses FUNCTIONAL SUBSYSTEM mRDWARE SELECTtDN 6ARE 6 s'=

8: R 8557W ANALYSIS DEstGN . asts , SAS,S SussYsTEu rA= o-Au- _4,,,,, = = oe = = s ryNCTiONAt F== a "" yy a wwAnaN No REQUIREMENTS PLA"Y LAN '^ '* " * * @ ruMCTIONE HMBTA8EfrV REQ CX3empeCAT10NS REO W3RA' 8V8 N8* 88"8 WORKSTATION LAYOUT CONTROL arRais Tg4NAtVMS ,,,,,,g manames e,,n,,wa sy, coNTRats eESmN eAss Aumas ROOM REQ LAN TR****3 MADE* DES Ev5 PRDCEmWE9 0ESRN bMMS cMMROLS wau nseec LAVOUT ORAWW8GS DESK 3N SLS5v5 FEM STMJCTtFIE TRAptpdS MSIGNGAS$ TRNNpWB WORKSTATION DESIGN SPEC mm  % N ARE ""* " wAu nst4C DEWGN EASE 5 ENVIROfe#Ei4T AND "0 A N w"TvdAYwY PAme DEsGN eases uswsTEM DEssess specs MAN MACHNE - s= N.E ""U""'

• Au- wrE m CE neesc cxwmeats DESIGN

=, PA = .mo-. maRmm Pates a v= m -- mc DESIGN INTEGRATION BY *m;;,_ * " "8 DESIGN ITERATION AND VERIFICATION "E"a,."r, Rguse 18.8.21 Cordrol Room Design Process showing owns sequence P18.8-77 3 Westinghoust l l 18. HUMAN FACTORS ENGINEERING  ;- Revision: O P Effective: 06/26/92 1 J 4 4 i i i uOoEL O' l . As ,_______..., ,___._j.__.._______..____ DEC M 8 DEFINITION g ' GulDEUNES DOCLiMENTS ALARM PROCEDURES MAfGNG .'g.. g SYSTEM l I g { s OPERATIONS ,,,,,,,,,,,,,,,,,,,e , , , , REVIEWS,, '**e , I OPERATIONS s l OfSPLAY CONTROL e CENTERS 8 TASK s SYSTEM WORK. goog a TASK e DESIGN g . AWYSIS ALLOCATION ' Of3G " " LAYOW hl g MISSION s OF + yAn ys WM DESG e 8 PLANT ggggggg CMOJ NM WM B, , f OPERATIONS g , GOAL MEANS e's DES 6GN ENVIRON g REVIEW OF PAST e STRUCTURE OF ~ l ,8 8 EXPERIENCE IN NPPS e PLANT e 8 ' AND OTHER PROCESS e FUNCTIONS 's DES m e i CONTROL ROOMS e lt g j ...................e s FUNCTION BASED TASn ANALYSIS s TOTAL PLANT ,, SPECIRC DESIGN DESIGN i (SSon, PolOs. etc) NNChL - TRAINING PROGRAM q, PHYSICAL IMPLEMENTATION DOCUMENTS I h k

• GUIDELINES DOCUMENTS SOFTWARE MA8IDWARE ANTHROPOMETRIC QUIDELINES DESIGN DESIGN ALARM OUlDEUNES DISPLAY GUIDELINCS CONTROLS GUIDEUNES PROCEDURES GUIDEUNES SYSTEM l MAINING GUIDEUNE$ INTEGRATION  ;

i l Figure 18.8.2-2 Man-Machine Interface Design Process m W Westinghouse P18.8-78 I - .__ m _ . . _ . _ . . .__ i

18. HUMAN FACTORS ENGINEERING en.cNeve esas ,

==n > ._._1 FusscTreest 4 - ,. -+i SOFTWARE DESIGN, I- -> '","c.nc.. . " - -* IMPLEMENTATION, AND , t ' VERIFICATION PROCESS ,, - i. a, 9 ww- , , sweinesimo. i. e 6 g . N. - g m ' . E hStftaE9dTA110h 8 9 6 l -  ! l l 6 g 8-*-***=**T g TEST 4 e , a a... ......m... . .. ' D gygTgge MM ~~ f, Of?EGRATEM t SYBTEtt [ WEMrtcA1tose . j

• sv5=

lm.e an t

===

l . ,,

' mntwnw ocsan . .

i me an u w e m w . I '=== m mxrss l j + w.mmvE l l l I. a 6 l L - l i l l ., 1 L . - - .

i s

i 6

i LEGEND l CE91.t Pdt3CE90

---+ vtewacATKyo aND WALBATENe 54Ethe8EasEarfs Rgme18 R 3 i i

e_ . . . . veneicawns me wateatum vest semmTs Sonware Design, up;.u .;A., and VerfReaMcn Procoes P15.8-79

• N westinghouse ,

-~

18. HUMAN FACTORS ENGINEERING R; vision: 0 1,

s I

\

l DESIGN ACTIVITY l l

INPUTS = = OUTPUTS --

A A TROUBLE REPORT l

VERIFICATION ACTIVITY l

l l

TROUBLE REPORT i.,

l Figure 18.8.2-4 Software Design, implementation, and Verification Process Detail of Design Activity T Westinghouse P18.8-80

- - _ ~ _ . - . - -

18. HUMAN FACTORS ENGINEERING =L ects e: 06/26/92 Phase 1. IssueDefinition Summanze Map M-M;S Define Major MM;S Feauresto Operator Evaluaton Evaluaten m issues r l Features A:tvites issues as I

(Modelof Support) Unks BeNeen MMS Features j and Operator 8 **

Employ Human Performance

[

Model Identfy Major Classes

[

of Operator A:!ivites Phase 1 Test Development l

Define Eyaluaten Develop Evaluation Define Evaluaten n

, equirements for Document issueinto Testab!e Approach for Hypothesis and Concept Testng and y Concept Testing 4 evaluaton and Pedormance Descriptions Performance Performance Testing:

Testng Recuirements Venicaten Vakcation Validation l

l i

Figure 18.8.2-5 Methodology for Developing Verification and Valididation Plan 3 Westinghouse P18.8 81

-m ._

, e

'N.j 3 ,el I

s. j $,

=  ;  ;! ,O l

j' -

/l .!! y { II I j P I I 1

he Il I ~hII;\II h! .

[ N,]'1/ in il hs it l'*o i s-  !!?

j I 1.: i er i .

'j;l \ ~

{ fl$

.s.

4 h

- a l, .;

f, ,. - 7

' Ir

.; '$ \l jl .

11!! }l-p:l;

.. l c.

qu

.i =

.. I ,? "

hh] , /IN N 5 [I  !!

kj Ill 'j N\! I- f; j{

s

.mcl l!h

/

i l

,: l

'l Ib..! D ut y t

,ll I

e It h:

t I

I $ iI 1l1 l,

' l.  : ggg g

<Id t .. ,, . . ..

i g ~

le sea8 a'b du". @

. - -. .- ~_- - . - . . .

I

18. HUMAN FACTORS ENGINEERING _ --E 4*

Revision: 0 I. l 1

FIDELITY Dimensions REALISM Completeness Physical Functional Form Information Dynamics Content e Aostract (e g., dramng) , o State e Part-task simulation e Representative (o g., mockup) characters) e State-discrete 9 Full simulation e Actual (e g., prototype) e Medium (e.g.,

e Dyname slow, fast sample data) e High (e.g., o Dynanc realtime complete data)

Human Perception: Decision Dynamics Integration perform-ance o * "9 Detectability e Procedure and

• Perception of motion e Corrpatibility of human &

aspects e LegiMty machine components display use o Accuracy of acton e Diagnosis (e.g., e Physicalfahgue

e satisfacton of masion Physical Fit: information

((e"eE'c'ts '

post conditions) Dynamics statement (vahdation) e Reach e Response to plant

• Strength dynames e Comfort

• Mental workload e Vigi:ance o Usabehty o Navigation Figure 18.8.2-10 t

l Testbed Fidelity Dimensions and Evoluotion issues l

t

[ Westingh0USe P18.8-83

, 1 4

i

18. HUMAN FACTORS ENGINEERING l Revision: O

/ Effective: 06/26/92 7 E

, r. g l

r j

18.9.2.4 Alarm System Design Basis j 18.9.2.4.1 Safety Classification The alarm system is not a safety Class IE system.

- he alarm system is a monitoring system required to be operating for normal and abnormal plant conditions.

< he system is not required for post-accident manage-ment or mitigation, as indicated in Reg. Guide 1.97, nor is it required with respect to ANS 4.5 (Reference 2).

Rose elements of the alarm system that, by their

.l r destruction under safe shutdown earthquake (SSE)

conditions could cause damage to other equipment or

< mjury to personnel in main control room are structurally l qualified to meet a SSE. He alarm system should not J

h P18.9-7 W-Westinghouse 1

I l l

l

18. HUMAN FACTORS ENGINEERING -

Revision: 0 Effective: 06/26/92 be the cause of damage to safety-related plant equipment Engineering (Reference 3)). The second is the as a result of the SSE. capability for the operator to interrogate the alarm system with regard to the inputs and mechanisms that 18.9.2.4.2 Environmental Conditions it used to conclude that an alarm message criteria is or is not currently valid.

Since the alarm system is not a safety system, no The M-MIS is comprised of three elements. Two of j special requirenuts exist for the protection of its these elements are visual and the third is auditory. He components against adverse environmental conditions. reasons are as follows:

The system is designed to operate in the same environ-ment where it is physically lwated, during the plant

• The objective of an alarm system is to alert the conditions for which the system is required to operate, human staff responsible for the management and The system is capable of operating within its control of the plant to the fact that some portion of performance limits when exposed to the input voltage the plant has deviated from its expected operating and frequency transients typical of the electrical buses envelope.

by which it is powered.

The alarm system components and the wiring is not

• Industrial experience with modern computer sys-a source of fue. tems has been that potential users have declined to use a system if there is no confidence in the com-18.9.2.4.3 Alarrn/ Status Message Presen- Puter system, because they cannot understand what the system did to arrive at its results. This experi-tation (Visual and Audio) ence has been thoroughly explored in the applica-tion of " Expert Systems' to industry.

The alarm system supports a number of plant staff members:

• The extensive history of alarm systems in the industrial process control industry has shown that

• Main control room area operators auditory accompanimmt of alarm messages is very

• Technical support center staff helpful in alerting the human operating staff (that l

• Plant operation management staff often has other tasks or diversions included in their

• Site specific interface (as needed).

activities) to the fact that an abnormal condition or alarm exists. The audible alarm directs that staff's herefore, the alarm system has a user interface at attention to the visual portions of the alarm system least in the following plant areas:

to investigate the abnormality.

• Main control room area The following conclusions are made regarding the

. Remote shutdown room N alarm system:

• Technical support center

• Site specific interface (as needed).

• The spatial dedication (a specific and permanent I cation for particular messages), found in tradition-

'Ibe man-machine interface portion of the alarm al light-box annunciator systems, should be main-system supports two operator activities. The first is the tained to the degree possible in the design of the presentation to the operator of plant abnormalities in alarm system. Operators have found that they learn support of the " Alert" step in the human decision-the message-location relationship rather easily and, makmg process (Information Processing and Human-therefore, can get a quick understanding of the Machine Interaction, An Approach to Cognitive P18.9-8 W Westinghouse l -

l

1 l

l l

I l

18. HUMAN FACTORS ENGINEERING l Revision: 0 Effective: 06/26/92 l

general nature of the abnormality simply by noting simultaneously visible to main control area mem-the location of the alarm message. Specific details bers.

of the abnormality can be obtained by reading the I detailed message. * %e alarm system overview panel (see the precedmg paragraph) is ' system paced"; the messages that it

• Alphanumeric messages are acceptable for the displays are initiated by plant process state changes, display of alarms. Rey present a certain similarity not operator actions. Here are situations where with traditionallight-boxannunciator systems which there is more data coming into the control room are familiar to the control room operators. In a for operating staff consumption than they can further phase of the alarm system design, graphic digest. His situation is known as information or presentation of the alarm messages may be consid- data overload. To reduce the overload conditions, cred, since pictures are often more effective at the alarm system overview panel is divided into conveying meaning than words. The assumption is three parts. The first part is spatially dedicated to made of the use of new or thoroughly retrained process abnormality messages that are correctable l operators, to present them with a non-traditional from the control room. The second part is reserved I graphic presentation display design. for process abnormality messages that are correct-able from outside the main control room on local

• He display of alarm messages must be done by control panels. He third part is reserved for l plant process function, to be consistent with opera- messages related to the state of plant systems and tors' mental models of the plant processes they are components that are controlled by automatic sys-controlling. tems (status messages).

• Le message wording must be as explicit as possi- Hese three groups of messages are given in order ble with regard to the identification of the abnor- of their urgency to the control room staff. Here-mality. It must provide the value of the message fore, the first group is located on that portion of the initiating setpoint. His provides the operating staff overview panel that is the most salient; that area of with a target for subsequent corrective actions. the panel that is most easily seen by the operating staff while operating the controls to take corrective

• The alarm system (the alert activity) is the entry action.

point into the human decision-mnhng process It often is the final indication that corrective actions he second and third groups are of essentially are having the desired effect on the plant process equal, but lower priority than that of the first state (for example, analog process parameters group. Therefore, they are placed on separate and usually move before the discrete alarm message distinct portions of the overview panel or on the system is able to recognize that an alarm message alarm system support displays.

should clear). At the begmnmg and end of the decision-mahng process, therefore, the alarm The presentation of the messages of one group will system must be available simultaneously to crew not be mixed with those of either of the others.

members to aid in maintaining synchronization and Experience in current plants has shown that combin-focus for the crew's activities. His, coupled with ing these classes of messages adds to the confusion the need for spatial dedication, leads to the conclu- resolution (mental processing load) of the operators.

sion that the alarm sys'em needs to contain an j

overview panel display medium, located so that it is l

l P18.9-9 W Westingtiouse

18. HUMAN FACTORS ENGINEERING ,

Revision: 0 c  ? Effective: 06/26/92

• The alarm system meets the requirements for a * %e workstation operators are able to read the text safety parameter display system, as defined in of the messages located on the overview panel NUREG-0696 with the exception describal in this displays. Based upon the suggestions regarding the paragraph. Rese requirements are the result of the character size for engraved annunciator tiles found inadequacies of the alarm system at TMI-2. His in Reference 4, the letter height should subtend a requires a layout of messages by plant process visual angle of 20 minutes of arc. He shift super-function, coordination with the Emergency Operat- visor needs to be able to see only that there is a ing Procedures, and the ability to show new abnor- message active, not be able to read clearly the text malities that occur after others have begun. The of the message from his normal working position.

safety parameters display system (SPDS) monitors His is a reasonable assumption, since he has or is coordinated with a medium that can monitor, immediate access to the alarm system support panel in an analog fashion, the departure of plant condi- displays (described in the next paragraph) and he is tions from normal during the initiation of abnormal not expected to take any detailed control actions to plant process events. An alarm system is a discrete either acknowledge or silence the alarm, or to system and, therefore, cannot meet such a require- correct the cause of the abnormality.

ment. He organization of the presentation of messages in the alarm system must be tightly

• Each alphanumeric message displayed on the over-coordinated with the presentation of the plant view panel is limited in the number of characters process data displays. used to make up the wording. %ese limits are evaluated on the basis of the amount ofinformation Readability of the alphanumeric message characters necessary to exactly identify the nature of the on the displays is an issue of concern. A compro- abnormality, and to include the initiating setpoint mise is made with regard to how large the alphanu- that represents the target for subsequent corrective meric message character size needs to be in order actions (more characters than are available en con-to be legible by those who might need to read the ventional light-box engraved tiles are expected for messages. %e tradeoff is between the necessary the overview panel messages). He 80 characters viewing distance, dictating character size, versus (two lines of 40 characters) used in the existing the amount of display space required. Determmmg system design is a suitable starting point for the the required character size, based upon the neces- alarm system design.

sary viewing distance, is a traditional human factors calculation.

• Ilmit the number of messages which are simulta-neously displayed on the overview panels to be-he design methodology adopted by NUREG-0700 tween 300 and 400, manmum. To take the first (Reference 4) assumes that the characters are visible step in reducing the overload of data that is present-as a result of reflected light. Using a display ed to nuclear power plant control room operators, device that is, itself, a light source permits some- a reduction of the number of alarm display devices what smaller character. He exact reduction is not by a factor of four to five is appropriate. %e determmed at this time. Based upon visual experi- AWARE system design is for a number of 360 ence, the NUREG-0700 minimum character size is overview panel display devices; such a solution is rather large. As a result, verification of compliance adopted for the alarm system.

with these alarm system requirements is by a test.

• To meet the needs for spatial dedication, and to he following assumptions are made: make the alarm presentation medium available P18.9-10 W-Westinghouse

18. HUMAN FACTORS ENGINEERING Revision: 0

-' T" Effective: 06/26/92 E

simultaneously to control area crew members, the 9. Acknowledged alann on the overview panel and the alarm meciage display devices are mounted on an queue is empty.

overview panel, located in a position of the main control area easily visible from the operators' work- 10. Acknowledged alarm on the overview panel, queue stations. The design basis for the wall panel is not empty, alarms in the queue have already been display station that should be present in the main acknowledged.

control room have not yet been identified. He alarm presentation on the overview panel is a means 11. Acknowledged alarm on the overview panel, queue for keeping the control room crew synchronized. is not empty, new alarm arrives and is placed in the queue.

To attract the operating staff's attention to the overview panel messages, the alarm s; un over- 12. Acknowledged alarm on the overview panet, queue view panel display medium supports a number of is not empty, and an alarm in the queue is cleared.

display dynamics (such as, flashing, dimmmg, underlining and color coding). He following list 13. Alarm on the overview panel cleared, queue is identifies the message states that require a dynamic empty.

action to be displayed:

14. Alarm on the overview panel cleared, queue is not Message State empty, alarms in the queue have already been acknowledged.

1. New message and the queue is empty.

15. Alarm on the overview panel cleared, queue is not

2. New message, queue is not empty, alarms in the empty, new alarm arrives and is placed in the queue have already been acknowledged. queue.

3. New message, queue is not empty, new alarm 16. Alarm on the overview panel cleared, queue is not arrives and is placed in the queue. empty, alarm in the queue is cleared.

4. New message, queue is not empty, and an alarm in %e required action that follows a change in the the queue is cleared. status of a message (that is, the mapping of the display dynamics to message state) is specified once the display

5. Acknowledge the new message and the queue is implementation media are chosen.

empty. Blinking (oscillating the message on and off)is not recommended. For a portion of the blink duty cycle,

6. Acknowledge the new message, queue is not empty, the message wording does not appear. A better method alarms in the queue have already been acknowl- is to oscillate the message between two distinguishable edged. levels of brightness. His is strongly dependent on the overview panel implementation medium.

7. Acknowledge the new message, queue is not empty, Any oscillating message dynamic (such as, flashing new alarm arrives and is placed in the queue. with dimmmg or video / reverse video) is implemented so that messages on the alarm system overview panel

8. A: knowledge the new message, queue is not empty, oscillate in synchronization. He maxtmum asynchroni-and an alarm in the queue is cleared. ration (that is, from the display of the first message to W

Westillgt10tlSe

18. HUMAN FACTORS ENGINEERING

^

Revision: 0

~*

Effective: 06/26/92 the display of the last message) is not greater than 50 zation of the alarm / status message presentation on the milliseconds. This is necessary to avoid having the alarm system overview panel. Operators may wish to alarm system overview panel appear to ' twinkle" which find additional data about particular messages displayed operators have found to be very distracting and discom- on the overview panel. He key words, in the forting. operators' search for additional data in the support panel The rates of oscillation for the primary alerting set of displays, should be the alarm / status message activity should be between two and five hertz, and the queue labels (the plant process function and category duty cycle should be appronmately 50 percent on, names) as displayed on the overview panel. %e entry 50 percent off. For less urgent applications, such as into the support panel displays shall permit the operator signifying the clearing of a message, the rate should be to use the overview panel arrangement of the slower, for example 0.5 Hz and the duty cycle can be alarm / status messages as the indexing mechanism to the increased (Guidelines for Designing User Interface support panel presentation of the remaming alarm Software (Reference 5)). system data.

As noted later in this subsection, the alarm system The main control room operating staff can query the has a mechanism that permits the operatmg staff to alarm system about the alarm system data presented in query the system with regard to the content of the plant- the following list:

specific input data, and with regard to the data process-ing and data storage activities. This capability is 1. The time at which a given message was initiated.

controllable by the staff with regard to what information or data is presented and when. This aspect of the alarm 2. The list of alarms that forms the queue of possible system is user paced. His permits the operator to use messages that can be displayed on each overview this part of the system when he has the time and inclina- panel display device; that is, each of the message tion to do so, rather than forcing him to deal with data queues.

that might not be relevant or necessary to support his current activities, thus adding to the data overload 3. The time at which the initiating conditions for a problem rather than alleviating it. His suggests, that Fi ven message returns to normal; that is, the time man-machme interface devices, separate and distinct that a message ' clears'.

from those of the overview panel, be used for this supporting purpose. 4. The list of inputs to each message's trigger or The alarm system support panel displays are avail- initiating logic, able at each of the main comrol area operating staff's locations. These include the reactor operator 5. The logic manipulations that trigger or initiate the workstations A and B and the main control room message.

supervisor's and the shift technical advisor's workstations. In addition, the alarm system support 6. The chronological list of messages for each message panel displays need to be available to the technical queue.

support center staff, to the remote shutdown room staff,

, to the plant operation management staff, and potentially 7. The chronological list of messages for the alarm to the emergency offsite facility staff. This is further system message list.

discussed in Subsection 18.9.2.4.16.

To make the use of the alarm system support panel 8. He list of alarms sorted by plant system.

displays as easy as possible, the organization of the alarm system data on these displays matches the organi-P18.9-12 T Westinghouse

1 i

18. HUMAN FACTORS ENGINEERING l Revision: 0 .. ,.

J Effective: 06/26/92 9 **

In addition, the alarm system support panel data the same way. In general, color is used primarily for displays either contain, or are linked to, the alarm backgrounds, for showing various types of groupings, respense procedures (ARPs) and to other media for and as a secondary or backup method of attracting atten-examinmg the current process data pertinent to each tion to, or indicating the severity level of, active data.

message. His is done via instructions or directions for User data selection on the support panel displays is j locating the required procedures or data, or through as convenient as possible for the human operators. A )

direct computer linkage with other computer-based mechanism, that permits the operator to point at the item l display media. he wishes to see, should be used. For example, touch With these complex display motives, it makes sense screens or a user moveable cursor on the graphics to use a high-resolution graphics medium, preferably display screen are possible solutions.

with color capability, for creating the support panel User navigation through the alarm system support l displays, panel displays should be convenient and easy. He he design of the displays for the support panel is searching for the desired display should mimic as critical to the operating staff acceptance of the alarm closely as possible the way that humans search for items system as a whole. in their natural environment; such as moving their Differences in display media (between the medium headleyes and by getting closer or farther away.

of the alarm system overview panel and the high-resolu-tion visual display units of the alarm support panel 18.9.2.4.4 Alarms About System Health medium) may not permit the use of identical message display dynamics in both media. For example, flashing, ne alarm system informs the main control room blinking, and dimming consume a great deal of time and crew about those failures, within its own equipment, computer resources on the visual display units. He which could degrade to the point where either system l visual display units easily support the use of color. performance is reduced or system availability is threat-A compromise may consist in the use of the same ened. This is discussed further in Subsec-message display dynamics where feasible. In those tion 18.9.2.4.7. As illustrated in that subsection, the circumstances where it is either infeasible or not cost alarm system design philosophyis such that the system's effective, a dynamic form should be chosen so that the preferred failure mode is a succession of " gracefully display dynamics on both the overview panels and the degraded' states of operation.

suppon panels are as close as possible to each other. He display of these alarm messages are treated as For example, if the overview panel display device uses though the alarm system was a local panel, as discussed a dynamic of dimmmg (that is, oscillating brightness in Subsection 18.9.2.4.3.

levels), then the visual display unit might use alternating video / reverse video, using the same frequency in both 18.9.2.4.5 Permanent Record-Keeping media. He essence, though, of any compromise that is chosen is that each coding mechanism chosen for the ne alarm system makes available the data about overview panel display shall have only one parallel alarm and plant system status messages that it uniquely mechanism (preferably the same, but not required) on generates for any interfacing systems, including systems the support panel displays. Also, any coding mecha- that do permanent record-keeping. Since the alarm nism chosen should be used only once for only one system is integrated in a network environment, there is Purpose. no point in adding redundant data to the network com-On the alarm system support panel displays, color munications net, or to permanently record and store is not the primary means of message display dynamics redundant data. In the plantinstrumentation and control unless all the message display media use it, and use it in architecture, permanent record-keeping facilities are 3

P18.9-13

1

18. HUMAN FACTORS ENGINEERING

= Revision: O 7 Effective: 06/26/92 '

l expected to be provided by, and for, the network. Various individuals have access to the alarm system

%erefore, this functionality is not duplicated in the support panel displays, (as discussed in Subsec-alarm system. Instead, provisions for verifying the tion 18.9.2.4.16), are located both inside and outside of correct transfer of data from the alarm system to the the main control room area. nese individuals can permanent record-keeping facilities is provided, make hard copies of these displays (that is, CRT

• screen Since the plant network permanent record-keeping dumps") for the purposes of their own record-keeping i facilities are digital-computer-based, the alarm system and to provide the basis for discussions with others (for I provides a program that can, upon date retrieval, display example, those of the technical support center staff).

the stored data for the operating staff. Subsec-tion 18.9.2.4.15, provides further detail. For consisten- 18.9.2.4.6 Location and Viewing Distances cy, the displays used for this purpose are identical to the of the Man-Machine Interface alarm system support panel displays. Devices his data includes, the alarm and status messages, t'eir times of initiation, acknowledgment, and clearing, ne overview panel, containing the alarm / status with a time resolution of one second.

message display devices, is visible by the main control l In addition, to provide the operating staff with room area crew members. His provides a focal point access to a complete set of data, and to assist them in for crew discussion and for synchronizing their indi-performing the plant state identification decision mahn: vidual approaches to the plant abnormality.

task, the fewing data is available: V sible does not mean that all of the messages are readable from all main control room area locations or e

ne plant function and the category (s) in which the workstations. De messages are readable by the reactor ,

alarm message is queued operators when sitting at their workstations, but only is I visible from the main control room area supervisor's

• Re alarm trigger logic workstation. For the main control room area supervisor's workstation, it is sufficient to provide the e ne alarm trigger setpoints user with a set of alarm support panel displays to make the message readshle from his seated position, in front

• Any algorithms and coefficients that are incorpo- of the workstation display screen.

rated in the alarm system data processing (the algo- ne overview panel arrangement of the alarm rithms used to create synthetic or calculated vari- message display devices locates the display of the alarm ables that are read by the alarm system - that is, messages according to a stmetured functionallayout, to synthesized elsewhere on the computer network - reflect the ideal flow of energy from the nuclear genera-are not available for exammation or for permanent tion to the turbine with final injection into the electrical record keeping through the alarm system) grid. His facilitates the operator's comprehension of the functionalimplication of abnormalities, and provides

• The list of messages that are contained in each homogeneity with the other main control room resources alarm / status message queue which are designed on the basis of a functional model of the plant operations.

• He current revision number of the alarm system To provide confidence that the messages are, in data base / file. fact, readable at the locations / workstations just noted, the designers shall refer to nuclear industry guidelines his data is updated for every new alarm entry. and standards that specify how to determme character size.

P18.9-14 I

W-Westinghouse I

18. HUMAN FACTORS ENGINEERING Revision: 0 ^

a Effective: 06/26/92 ne same nuclear industry standards assist in the the system ineffective. As stated in design of the support panel controls. He acquisi- Subsection 18.9.2.4.1, the alarm system is not required tion / selection devices are located within easy reach of to mitigate the consequences of an accident scenario.

the system user when ncunally seated at the The use of the alarm system after a design basis acci-workstation. dent event is constrained by the amotmt of instrumenta-In addition to the operating staff located in the main tion available after the accident, and by the availability control area, operating support staffs located in the of its support systems (electric power, cooling). He following facilities have access to the alarm system's alarm system is considered to be unavailable in the data to perform their assigned tasks: following cases:

• He remote shutdown room

• The system is unable to provide information about

• The technical support center those messages that are normally presented on the

• Site specific locations. overview panel displays, no matter what the cause may be. Hat is when all or part of the informa-He seated position is the assumed viewing position tion that is displayed on the overview panel is lost, of the users of the alarm system support panel work- and no other backup means are available, the alarm stations located in these facilities. system is unavailable.

18.9.2.4.7 System Avallabillty and

• The time responses and the data latency require-Reliability ments, presented in Subsection 18.9.2.4.9, cannot be achieved (this case includes loss of communi-He alarm system is not a Class 1E system. cation with the rest of instrumentation and control However, it needs to be very reliable, since it is the systems).

startmg point for many of the operator's decision-making activities and the entry point, or index, into the

• here are no means for displaying the alarm system other control area operating resources (such as controls, support panel displays, (discussed in displays, and procedures). The loss of the information Subsection 18.9.2.4.17) for the following required normally covered by the alarm system is a critical situa. locations:

tion. He main control area operating staff must be confident that the alarm system is available during th e - Main control room area following modes of plant operation: - Remote shutdown room (when it is in use)

- Technical support center

• Normal power operation - Outside or remote site data links

• Plant startup - Operations administrative areas.

• Hot standby

• Hot shutdown Without the alann system support panel displays,

• Cold shutdown the main control room area operators cannot have access

• Refueling to the queues of alarm messages currently not displayed

• Abnormal plant conditions. on the overview panel. Also, the other specified locations cannot properly function without the support Failures are rare because of the redundancy and Panels.

other fault tolerant features of the alarm system. He design goalis that no single failure in the alarm Failures are identified and repaired before they render system causes :he system to become unavailable, O*O'

[ W85tingt10USe

i I

18. HUMAN FACTORS ENGINEERING "

Revislon: 0

1. "I Effective: 06/26/92 l

according to the aforementioned definitions of unavail- staff of the alarm / status messages, according to the ability. ne alarm system contains internal redundancy timing requirements discussed in Subsection 18.9.2.4.9.

of its constituent hardware. ne alarm support panel ne design philosophy is to make the alarm system displays are redundant in the main control area, since degrade, rather than fail.

each workstation is equipped with them. He alarm The alarm system is able, upon the loss of power, system support panel displays can be used as a backup to automatically restart once power has been restored.

or can serve as redundant displays for the overview He power supply for the alarm system is Non-Class IE panel messages in those situations where the overview de which is described in Sectior. 8.3.

panel display media are implemented with the use of a pixel-based or equivalent technology. In such a case, 18.9.2.4.8 Accuracy and Precision the alarm system's unavailability is determined on the basis of the number of alarm support panel displays that he alarm system is implemented with digital, ,

can replace, in their functionality, the failed sections of computational and communications equipment. Verify- l the overview panel. His is based on assuming that ing overall system accuracy by controlling such things each section of the overview panel contains about 30 as amplifier drift, is not as serious a problem as with contiguously located message display devices. In case analog equipment. A requirement which limits added a projection technology is used for the implementation inaccuracy to 1/100th of the span of the process variable of the overview panel, the alarm support panel displays signals that the alarm system monitors is appropriate.

cannot be used as a backup of the overview panel, since ne capability is provided so that the alarm system the number of displays required for mahng a parallel maintainers can control the degree of precision of dis-presentation of the alarm messages would be too great. played values in the alarm system. A single specifica-For this situation, other types of redundancy should be tion of the precision should suffice for the display of the considered. numerical variable anywhere in the alarm system; for ne availability goal of the alarm system is the overview panel displays, the support panel displays, 99.9 percent. Conformance to guidelines is shown by or the data that the alarm system transmits for the the use of the statistical techniques of reliability analy- purpose of long-term storage. This suggests that the sis. structure of the alarm system plant-specific data file Even though the alarm system is highly reliable, (discussed in Subsection 18.9.2.4.15) be such that the maintenance frequency is kept to a minimum, as well as field length and precision of any alarm system displayed efforts for corrective actions. numerical data is described in it.

These requirements cover only the hardware or equipment aspects of the system. Software reliability 18.9.2.4.9 Time Response and Data and, therefore, the availability of the system due to Latency software problems, is currently best handled through the use of modern software design techniques, such as here are three issues related to time response and structured analysis / structured design and through the use data latency. He first is the question of throughput -

of a competent verification and validation program. (what is the maximum permitted time for a datum to be ne equipment is designed so that the unavailability processed from input to alarm display (data latency))7 does not come in one continuous period. Self-checking %e second is the question of displayed data refresh rate and self-diagnostics are built into the equipment which - (what is the manmum permitted time allowed to are coupled with a periodic testing program. His al- update the display of a process variable once the process lows finding small failures and fixing them before they variable has changed, given that the parameter is cur-become large enough to deprive the main control area rently being displayed 7) %e corollary here is that the P18.9-16 W-Westinghouse

18. HUMAN FACTORS ENGINEERING l Revision: O d -"

Effective: 06/26/92 l

(

l system does not update the value too frequently, since major cause of user unacceptance of computer-based that could lead to a condition where the displayed values display systems. ,

are never steady enough to be read by the operating In a plant-wide information network, the alarm I staff. He third is the question of display access time - system's users can be divided into four categories with (what is the manmum permitted time for the system to associated mimmum time response requirements:

create and show a display once the user has initiated a request for it (this time must include the time required 1- he operating staff located in the main control area for the system to recognize that a request has been or in the remote shutdown room (when it is in use) l made, as well as the time required to process the have immediate and continuous access to all of the I request)?) data in the alarm system.

He requirements governing data latency, or throughput, are based on common sense. For an alarm 2- The emergency support staffs located in the techni-system to be an effective help to the operating staff, the cal support center have real-time access to the plant display of an alarm or status message should be very data in the alarm system. Reir requests, however, closely synchronized with the initiating process parame- should be honored before any other requests, except ter(s). From this perspective, a value of two to those of the main control room staff.

three seconds or less is reasonable.

With regard to the second and third questions, 3- ne operations' n.nnsgement staff, usually located NUREG-0700 (Reference 4) contains recommendations. in offices in an administration building, may have Relative to the data update rate question, these guide- access to plant data in the alarm system; real-time l lines call for an update rate no more frequent than once response characteristics of the system are not per second. Rates of change in process parameters, required. heir requests can be honored after those including consideration for instrument response time, of the main control room staff and the emergency suggest that as a general rule the plant process data support staffs (the emergency offsite facility and the values should be updated no less frequently than once technical support center).

even two seconds.

Rese guideliaes call for the displays to appear in 4- Other users on the plant information network.

two seconds or less to maintain the users' attention. On-line access to the data in the alarm system is not However, they also recognize that the computer process- needed in real-time or close-to-real-time. Their ing of some displays, because of the sophistication /com- function is usually after-the-fact analysis, so their plexity of the processing required, may take longer. In alarm / status message data can be supplied by the those cases where a display requires more than two sec- network's data storage system.

onds, a message indicating that the alarm system is working on the users' request should appear in less than he number of users desiring simultaneous access two seconds, to the alarm system data in the main control area is he set of displays that appear in two seconds or four: the two reactor operators, the main control room less should be tested under full system loading condi- supervisor, and the shift technical advisor.

tions (that is, all of the termmals which can call up In the remote shutdown room, there is only one alarm system support 7 4 1 displays requesting displays workstation for operating staff members. H e use of simultaneously) so that the user can have a 95 percent that workstation is not simultaneous with the use of the confidence level that any given request for a display four workstations in the main control room, since the from this set appears in two seconds or less. A large remote shutdown room should only be operating in case degree of variability in the display response time is a of main control room evacuation.

W85ti!1gfl0US8

l

18. HUMAN FACTORS ENGINEERING Revision: 0 .

-- U  !

Effectivo: 06/26/92

)

There is a possibility of eight workstations having third is to acknowledge or reset messages that are priority Class 2 (see item 2) =ccm to alarm system data clearing, or are indicative of conditions returmng to from the technical support center. normal. It is necessary to make the reset action differ-A similar number of workstations may be appropri- ent from acknowledge response, since it is highly ate for the emergency offsite facility. %ese facilities probable that two different messages could appear at the need workstations with, as a mmtmum, Category 3 same time (one message indicating that a new alarm has access to alarm system data. been triggered, another message indicating that an old It is reasonable to assume that operations' manage- alarm has cleared). Any single action taken by the ment needs four workstations with Category 3 access to operator to acknowledge one of these condition = mhould the alarm system data. These would include work- not result in the acknowledgment or resetting of the stations for the following: the operations department other. i manager's office, the chief of operations' office, the %erefore, two different types of control actions are shift technical advisor's office, and a workstation for used to accomplish the two different types of acknowl-general access by other management personnel, edgment tasks. One for acknowledgment of new or reappearmg alarms and one for resetting clearing 18.9.2.4.10 Alarm Acknowledge, Reset and alarms. An independent control action is possible for Audio Silence Interfaces silencing of audible tones generated by the system. ,

he design goal for the main control area is to l He description of which alarm / status conditions ask Provide the capabilities for one reactor operator to for a specific display dynamic for the presentation to the Operate de plant for once steady-state conditions are j

operator's interface is found in Table 18.9.2-1, Subsec. achieved. During some plant transients, both the reactor tion 18.9.2.4.3. His issue presents the requirements Operators' workstations are intended to be operating, to relative to the operator interface devices to execute the reduce the mental and physical workload on the opera-acknowledgment of the alarm / status messages and to tors. Furthermore, the supervisor's workstation is silence associated tones. designed to be unlocked and to replace any reactor

%e following requi ements are intended to reflect Operator workstation out of service. Each main control the functionality of eqwvalent interfaces that currently area workstation is provided with the capability, for the exist in operating plants and have been found, through Operators, to manually respond to the alarm dynamics.

considerable experience in the process control industry, A set of alarm control soft-control pushbuttons are to be effective and convenient. %ese requirements are located on each of the three main control area work-based upon the substantial contribution of many indus. stations. l trial and nuclear regulatory standards in this area, such Traditional designs of alarm control interfaces are as ISA-S18.1 (Reference 6), EPRI Draft Report of constrained by space limitations on the control board Project 20ll (Reference 7), and the guidelines provided and only a limited number of hard pushbuttons are ,

Provided. A typical ratio is that one operator's interface j in Section 6.3 of NUREG-0700 (Reference 4).

%ree actions are necessary following an alarm device is capable of acknowledging messages appearing annunciation. He first is to acknowledge new messages on roughly one third of the display devices. Two '

that are activated in the alarm system, and by so doing, distinct new alarms appearmg at the same time could, stop video dynamics of the displayed message on both therefore, be acknowledged by means of a single the alarm overview panel and the alarm support panel operator action,just because they share the same control displays. He second is to silence audible tones gene. device.

rated by newly activated messages appearmg on the overview panel or on the support panel displays. He P18.918 W W85tiflgh0USB

18. HUMAN FACTORS ENGINEERING l . Revision: O d Effective: 06/26/92 N7 He alarm control software implemented solution set of pushbuttons only performs its function for the set has a variable, dynamic setting of the alarm acknowl- of displays and audio devices associated with the tasks edgment scope, which depends on the frequency of of the workstation it is located on.

newly generated alarms that appear on the overview he remote shutdown room is supplied with one panel. He organization of the acknowledgment /si- workstation. He message displays are affected by one lencing controls is such that the acknowledgment or the operator interface module, located on that workstation.

silence actions can be possible for at least two different Note that the setpoint that initiates an alarm / status levels of aggregation of alarms: message and the one that clears it need to be different.

His eHn4naw the oscillating on and off of a message ,

1- Acknowledgment / silencing capability at the single due to process noise in signals that are close to the alarm level, when density of displayed alarms is setpoints. Here should be a deadband between the low and the operator has enough time to read each initiation and the clearing setpoints of the alarm / status alarm message messages.

Alarms / status messages that are of a sufficientlylow 2- Acknowledgment / silencing capability at the level of priority as to never make the alarm overview panel a portion of overview panel alarms (for example, display before they clear themselves, also are acknowl-all the alarms pertainmg to a given plant function) edged, silenced, and cleared from the workstation when the rate of new generated alarms is high. control devices. His helps keep the operator's attention focused on the alarm system overview panel displays, l He operator is informed, when the acknowledg- the single central place for acquiring alarm data and for  !

ment mechanism is changing towards any of the two starting the decision-mahng peocess ,

directions, and he has the possibility of manually For newly activated or clearing messages that only l selecting the type of control actions he prefers. A rate appear on the alarm system sup}, ort panel displays,  !

of three new messages per minute is reasonabk. to fix indication as to which alarm queue is affected is accom-the threshold that makes the default acknowledgment plished by an " overflow" indicator on the appropriate function change. alarm system overview panel display device. Indication In case only one workstation is active in the main of the difference between acknowledgment and reset is control area, it is the sole location from which the plant through the use of a different audio tone for each is controlled. Therefore, the controlling mechanism for activity, as discussed in Subsection 18.9.2.4.3. He alarm acknowledgment, reset, and audio silence extends implication is that the overflow indicator on the alarm its functions over the full set of alarm displays and system overview panel displays needs to be cogmrant of l audio devices of the alarm system. the state of all of the alarm / status messages in its queue, When two main control area workstation are operat- and its display dynamics should reflect it.

ing, it is likely that the two operators are working on ne duration of the audible tones associated with different portions of the plant scope (one monitoring and each alarm message is of a fixed length, even if no controlling systems belonging to the primary systems spedfic action is taken to silence them. Nonstop alarms and one supervising the secondary systems). He have not been found to be useful. %e period for alarm possibility could exist for an operator to inadvertently associated wunds should be related to the amount of acknowledge or silence alarms which relate to specific time required for recogm7mg that specific alarm condi-tasks assigned to another workstation. Part of the tion, in the context of the situation. When very few information contained in the alarm message dynamics alarms are present, this time should be long enough to can be hidden or delayed to the user. His possibility is avoided, by designing the controlling logic so that each i

P18.9-19 i

, ~

W Westinghouse

18. HUMAN FACTORS ENGINEERING ,

n.- Revision: O Effective: 06/26/92 l

require the operator's attention, if he is performing 18.9.2.4.12 Visual Aberration arid Audible other tasks. Noise Level Limit When many alarms are occurring this time should be shortened in order to reduce mental load of the To mimme user fatigue, the display devices used operators while facing many problems. nerefore, an in the implementation of the alarm system do not have j adjustable timeout should be provided, which defines the any visible flicker or lack of focus of the displayed i average period of life for each alarm sound annuncia- images, nor do they visually distort the alarm system I tion. It should be set proportional to the number of new data displayed (due to the lack of convergence, to the l alarms that are appeanng on the display interfaces. The nonlinearity of a CRT, or to a poor resciution of the default values that have been established for the timeout displayed images).

are: 15 seconds, for a 15 message per minute rate of Similarly, components of the alarm system that are new alarm generation; and three minutes, for a one placed in those human occupied control / monitoring cen-alarm per minute rate of alarm generation (See ters do not contribute to exceeding the manmum Figure 18.9.2-1). Rese default values could be tolerable noise level defined for those working environ-adjusted, upon operator's request. ments.

18.9.2.4.11 Alarm System Overload and 18.9.2.4.13 Alarm System Test and Cali-Recovery bration he alarm system is an on-line system. It operates The issues of testing and calibrating the alarm in real-time, as a direct support to the operators in system are very closely related to the issue of system controlling the power plant. As such, it is a reliable ava lability and reliability (discussed in system, able to function independently and, without Subsection 18.9.2.4.7). He requirements for testing human attention, perform its required functions. and calibration of the system are relatively few because:

ne alarm system is able to restart itself upon the restoration of power after system power has been lost. . By specifying that no single failure causes the It is recognized that the loss of power is likely to system to be unavailable and by providing reliable cause the loss of some historical data, such as the data system design (discussed in Section 7.7), the issue base for determining rates of change, and so on. In of what tests are conducted, and when, results from view of this, the alarm system is connected to the the designers' evaluation of how the design meets Non-Class IE de uninterruptible power supply (UPS). those availability and reliability goals.

He alarm systern data processing is impervious to off-normal (such as a variable out of range) and combi- . He alarm system is a digital system. Herefore, nations of off-normal inputs. Once the variable returns the p oblem of ' drift' and the associated require-to its normal condition, the alarm system retums from ment for tracking the drift and of recalibrating the this saturated or overloaded condition and continues to system that exists in analog implementations is not process input data without requiring action by the a problem. The exception is for the analog-to-operator to reset the system. digital (A/D) conversion that is accomplished in the data acquisition portion of a digital system. He data acquisition activity is performed as a service of the instrumentation and control network, for all network users. As a result, there are no calibration requirements for the alarm system.

P18.9-20 W WestinghotJse

1 l

l i

i l 18. HUMAN FACTORS ENGINEERING l

l Revision: O _,... -

I d Effective: 06/26/92 5

l l

Re remammg test activity, is the need for the main Similarly, failures or degraded performance in control area operators to be able to see if the alarm systems that interface with the alarm system does not l system overview panel display devices are capable of affect the performance of the alarm system, other than displaying messages, should the alarm system call upon the possible loss of input data or the transmission of them to do so. Such a test is specified by the design incorrect data to the alarm system.

objective for the alarm system which is to support a De alarm system has the capability to make the dark-board design philosophy, as discussed in Subsec- data that it generates available to other plant operational tion 18.9.2.2.8. If there are no process problems, then support systems (such as the technical support center or there are no alarm messages displayed. Here is no the emergency offsite facility). %ere is no need for the indication that the display devices are completely alarm system to pass through its input data, since this operational. task is performed by other systems in the integrated The test is be manually initiated by the main control network instrumentation and control application. De area operating staff. %e type of test to be performed alarm system software that performs the interface with is specified according to the characteristics of the these other systems is: modular, and can be "un-overview panel display devices, and the type of technol- plugged

• and replaced with other protocols; and is ogy adopted. limited to providing the output data in a form that is So that the operating staff has sufficient time to useful by the communications equipment, and not assess the state of the display devices, the test pattern or necessarily the receiving devices or systems.

test sequence remmim in operation until the operating Alarm system output data is in a form that is usable staff initiates the cancellation of the test. His test by the communications system that connects the alarm cancellation activity automatically restores the alarm system with the other operational support systems. %e system and the overview panel to normal operation, tineliness of this data is discussed in Subsec-including the display of the alarm / status messages that tion 18.9.2.4.9.

existed prior to the test, plus the display of messages . Since the alarm system is included in a network occurring during the test period. environment, peripheral equipment that intenfaces with The results of any automatic or periodic tests are the alarm system (such as data storage facilities or available to the operator. If there are failures that are printers) are provided as a node on the network. %ere-discovered by the testing activity, then the alarm system fore, the alarm system passes its output, in a network conveys the information to the operating staff. In usable form, to that node, conformance with the discussion of Subsec-tions 18.9.2.4.3 and 18.9.2.4.4, messages alerting the 18.9.2.4.15 Requirements for the Off-Line operating staff to failures are displayed on the local Alarm System Support Work-panel section of the overview panel. stations He test results are available as a display on the alarm system support panel displays. To make data easy for the Combined License holder to access and maintain, the alarm system software is 18.9.2.4.14 Regtsrements for Interfacing constructed to collect and separate the requisite plant-with Associated Equipment specific data from the data processing software. %is plant-specific data is constructed in the form of a data Failures of the alarm system hardware do not cause file that is maintainable by the Combined License other systems or hardware with which the alarm system holder, using nomenclature, abbreviations, units of mea-l is interfaced to degrade or otherwise prevent those sure, and variable names that are consistent with stan-l systems from performing their function. dards used in the specific system design.

t P18.9-21 W Westinghouse

l 1

18. HUMAN FACTORS ENGINEERING m Redsbn: 0 I _ ~.

EE,.

~

• Effective: 06/26/92 i

im M l Dis separation of the knowledge base from the

• He wording of the alarm / status messages that are processing engine makes modifications by plant person- displayed nel easier since they do not have to be software engi-neers or programmers. hey only need to know the

• Re inputs to the alann/ status message trigger logic structure of the data file. He separation of knowledge (such as process variables, synthetic / calculated l base and processing engine keeps the verification and variables, and constant or variable and setpoints);

l validation activities of any modifications to a mmimum, the capability of the system to accept setpoint and since changes only affect data that is directly relatable constant inputs in engineering units is provided to plant changes - that is, there are no software changes required to change plant data.

• Re alarm / status message trigger logic that uses the A separate off-line workstation is used for the type inputs to determine when to initiate the display of of activities described above. His off-line alarm system the alarm / status message and when to recognize that support workstation has two missions. He first is to the abnormality is clearing

, provide a location where personnel can create or modify I

the plant-specific data file, for use by the on-line alarm

• ne category or display queue in which the system data processing software, to create and display alarm / status message is resides the alarm / status messages. He second is to provide a workstation for the maintenance and diagnostic person-

• Re identification of the workstation pushbutton nel to analyze alarm system self. diagnostic data without group that is used to acknowledge, silence and interfering with the main control room operations. He reset / clear the alarm / status message off-line alarm system support workstation is not located in the main control area of the main control room.

• Re priority of each message relative to the other His workstation is off-line. Activities performed messages in the category or display queue on this workstation do not affect the on-line performance of the concurrently operating alarm system.

• Re identi5 cation of the desired visual dynamics to Once a new set of data is prepared, there is a appear with the alarm / status message mechanism, with some level of security, that controls its initiation. Controlling initiation prevents inadvertent

• Re identification of the desired audio dynamics to interference with the on-line operations of the alarm be sounded with the alarm / status message system, and allows loading the new data into, and subse-quently rebooting the on-line alarm system.

• Re duration of a time delay after which the ne workstation contains, or has available, tools alarm / status message is displayed; it affects the that support the user in constructing the required alarm display of the alarm / status messages throughout the system data file, in a way that the resulting data are alarm system acceptable to and usable by the on-line alarm system data processing software. He tools aid the user in

• Other message-related data that are provided as a properly formatting the data, and determmmg what data result of the software design activity or other is required. He man-machine interface for these tools system requirements.

is easy to use. He use of graphics rather than alphanumeries is preferred to the extent possible. Direct ne user is able to view the alarm / status message keyboard entay is kept at a minimum. trigger logic through 6e use of a computerized gra-

%e alkrm data set contains, as a mmimum, the phical interface that permits the user to draw a logic following: diagram, identifying the required data inputs to the 1

i P18.9-22 i

l WM Westinghouse

18. HUMAN FACTORS ENGINEERING Revision: 0 . _ .

~ Effective: 06/26/92 .

u logic, using a support-tool-resident set of standard = %ose messages that are of interest to the main symbols for the logic operators, a dictionary of plant control area staff and that currently reside on the specific variable names, and any required data base plant computer identifiers.

Once the logic diagram is drawn, the tool should

• Space for some slight expansion of the messap iiss permit the user to test the logic to see if the logic to accommodate multiple input messages produces the d: sired results.

He support tool reads the logic diagram and then

• Spare capacity for future operational neuls.

creates a string oflogicals that conforms with the syntax of the alarm system data file. Since the AP600 alarm system includes the slarms he support tool is capable of assembling the of interest from the distributed computer, the input iin necessary data required by the alarm system into a data is larger. Also, it is expected that the trigger logic must set that is usable and processable by the alarm system to expand to help reduce the ambiguity that currently exists create the appropriate overview panel and support panel with engraved-tile annunciator systems (too few charac-displays. ters available on a given tile and limitations is the here should be a means, for auditing purposes, for analog implementation of the trigger logic) by refining the user to obtain a hard copy of the work that he does and limiting the range of applicability of each message.

at this workstation. %is should take the form of the his reduces the number of messages that appear at any capability to print files. In addition, a means is required point in time, thus reducing the data overload on the for makmg CRT hard copies in support of auditing operating staff. His is likely to cause an expansion of changes made to the alarm system support panel dis- the input list.

plays, and copies in support of auditing changes made In addition, there needs to be some provision for to the alarm overview panel. spare capacity to accommodate future operational needs.

An engineering estimate of 5,000 inputs is the upper 18.9.2.4.16 The Alarm System Sizes anci limit that the AP600 alarm system surprts.

Capacities He scope of these functional requirements does not include the data acquisition for the alarm sys'em. He It is an intent of the alarm system designer not to AP600 alarm system is implemented in a distributed expand the total message list normally contained in a network. %e data acquisitionis done elsewhere and the traditional nuclear power plant control room. Itis alarm system accepts digitized inputs off of a network recogmzed that many current annunciator systems highway (monitor bus).

contain multiple inputs to a single annunciator window. For concerns of future implementation capabilities Rese multiple inputs are given separate messages, to the protocol of the digitized inputs to the alarm sys-thereby expanding the overall message list. tem and its interface with a data acquisition system, it is Current plant annunciator systems contain approxi. wise to create the alarm system software in a manner mately 1,500 annunciator windows (depending on plant that modularizes the input / output (1/0) portion. His size and plant age, newer plants tending to have more way, it is easily removed or unplugged, and a new windows than older ones). De basis for an estunation module (accepting the new input protocol), inserted into of the upperlimit of the maximum number of messages the main body of the software.

that can be included in the system includes: He alarm system supports the activities in the technical support center and, possibly, the emergency offsite facility, depending on the feasibility of the communication distances involved during emergencies.

P18.9-23 W,,,,

Westinghouse

1 l

18. HUMAN FACTORS ENGINEERING l

^'

4 " Revision: 0 I Effective: 06/26/92

( l He capability to support external data links so as to variables (either primitive process variables or synthetic transmit (only) data to each outside organizations as the variables calculated elsewhere). %e alarm system, emergency offsite facility and the regulatory authorities reads the quality of each piece of data that it acquires is considered. and uses it to assign a data quality to resulting Re main control room needs four such work- alarm / status messages that it creates. The processing stations, one for each operator plus one for the shift algorithm for the assignment of the appropriate data technical advisor. Twelve workstations are provided for quality is standard across the systems.

plant administative offices and training facilities. To keep the operatmg staffm' formed of the level of Herefore, with some additional allowance for credibility of the alarm / status messages that it displays, 1 future expansion, it is reasonable to expect that the the alarm system incorporates the appropriate data number of support panel workstations that the alasu qu#ty symbol in those alarm / status messages that are system must support is less than 40. %is number is displayed within the alarm system itself, or for use in used to size the software and the system. other parts of the instrumentation and control systems, It is assumed that under emergency conditions, for any level of degraded data quality.

40 support panel workstations are in operation and are Any message that is based upon one or more inputs expecting to have alarm system data available via the that have the lowest data quality are not displayed to the support panel displays. In addition, the alarm system main control room operating staff on the alarm system  !

continues to operate if most of the workstations are shut overview panel displays. No alarm tones are initiated.

down and is able to recognize when the workstations are His keeps the operating staff from immediately )

returned to service. responding to incorrect messages. He exception is the To reduce the data overload, particularly the message related to primitive process sensor data quality.

avalanching of alarms that can occur during upset Here are likely to be alarm messages related to the fact conditions, the alarm system overview panel display that a sensor has degraded to the point where its output l slots is limited to a maximum of 360. is no longer credible and is, therefore, given a data quality of " unreliable.' %ese circumstances are treated l 18.9.2.4.17 Data Quality Processing and as valid inputs (since they are) and, subsequently, are l l

Display treated as valid alarm messages by the alarm system.

%e appropriate message (s) are displayed to the main )

ne alarm system does not provide the operator control area operating staff on the alarm system over-with erroneous data, and does not mislead the operator view Panel displays, and the appropriate alerting audio in his tasks of identifying the plant state and planning tone is sounded.

appropriate corrective actions. His is done using process input data that is ' quality coded' and to pass 18.9.2.4.18 Nurnerical Processing Capabili-that quality code on to subsequent variables that are ties calculated. His approach stems from the need for better on-line sensor validation and the concurrent While the alarm system is a logic processor, the development of digital computational capability to aid in system is also able to support arithmetic processing.

meetmg that desire. %is permits modification of the alarms, or creation of ne alarm system is not intended to perform the new alarm conditions, through the use of its off-line data acquisition, but rather is intended to be connected workstation. Since the alarm trigger logic may contain to a communication network. the calculation of process variables and various mathe-

%e alarm system does not need to do sensor matical models of a process, logical and numerical validation or assigning of data quality to its input processing capabilides are supported by the system.

P18.9-24 T Westinghouse

l

18. HUMAN FACTORS ENGINEERING

! Revision: 0 l -

Effective: 06/26/92 i

The system provides the fouowing functions, accessible as " function calls" within the system:

• Computerized version of various handbook tables i

• he usual arithmetical operators (such as ADD and l SUB) -

• Mathematical functions (such as MAX, MIN, ABS, e ome e tions (such as SIN, COS, and

• Hyperbolic functions (such as SINH, COSH, and i

TANH)

• Exponential functions (such as EXP t.nd LOG)

• The logical functions (such as GT, LT, LE, GE, NOT, and AND).

l He alarm system provides the capability to set up additional user defined functions of multiple argummts using desired combinations of the system-provided i

P18.9 25 j ,, [ WB5tiligt10USB i

2 --

l l

l

18. HUMAN FACTORS ENGINEERING Revision: O S ,

sjii "'i j Effective: 06/26/92 j /

l j

l i 18.9.8.1 Development of the Emergency Operating Procedures The emergency operattng procedures (EOPs) for the AP600 design define the actions required by the plant operating staff during emergency conditions. 'Be main purpose of the EOPs is to provide guidance to the l operators for the prevention or mitigation of the conse-quences of emergency conditions. These procedures l

include automatic actions that occur in the event of an emergency, operator actions to help prevent or mitigate the consequences of an emergency, and operator actions necessary to stabilize the plant condition. EOPs provide a conservative course of action for the operator and are j flexible enough to accom nodate variatiote.

s l P18.9-30 4 W -

Westinghouse 1

t L.. - _ _ - - _ - _ . _ _ _ _ _ _ _ _ _ _ _ . - _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ - _ _ _ _ . _ _ - _ , . _ - - . .

, 18. HUMAN FACTORS ENGINEERING Revision: O d Effective: 06/26/92 - =i ne use of a comprehensive set of human-factored, are developed to identify possible operator actions used symptom-based EOPs that encompass both optimal to assist in determmmg instrumentation and control recovery and function restoration guidance enhances needs. Supporting analysis to demonstrate the effective-human reliability and decreases adverse results for a ness of these operator actions is performed in a manner broad range of initiating events and subsequent multiple similar to that used for the Westinghouse Owners Group failures or operator errors. These EOPs use the West- ERG supportmg analyses. Rese actions are then inghouse Owners Group (WOG) set of emergency subject to modification or rearrangement, in order to response guidelines (ERG) as their basis. He EOP incorporate the results of the analyses. De AP600-development process for the AP600 is also based on the specific ERGS correspond to the same type of guidelines same accepted and established process used extensively provided in the low-pressure ERGS. Once the support-by utilities with Westinghouse pressurized water reactors ing analyses are completed and the operator action (PWRs). strategies finali7ed, additional detail is added, resulting For the AP600 design, the Westinghouse Owners in AP600-specific ERGS.

Group generic ERG's are modified and adapted to the specific plant configuration of the AP600. ne process 18.9.8.1.1.1 Differences Between the is described in Subsection 18.9.8.1.1. Plant-specific Two-Loop Low-Pressure EOPs are then written using the criteria described in Reference Plant and the Subsection 18.9.8.1.2. AP600 Plant 18.9.8.1.1 Development of AP600-Specific His subsection establishes the high-level operator Ernergency Response Guidelines action strategies for emergency operations for the AP600 design. Since the Westinghouse Owners Group

%e first step in developing the AP600-specific ERGS are the industry-approved reference for Westing-emergency response guidelines (ERGS) is to compare house-designed pressunzed water reactors, they are used the low-pressure (LP) reference plant design with the for and adapted to the AP600 AP600 design. To identify the design differences with he objective of this section is to compare the ERG respect to emergency operations between the ERG low- reference plant system designs upon which the ERGS are pressure reference plant design and the AP600 design, based, to the AP600 system designs to determine design a comparison of the systems of the two plants is made. differences with respect to emergency operation high-His comparison is performed in a systematic and level operator action strategies. The results of this complete manner by reviewing all systems. comparison are used as the basis for determmmg the he low-pressure reference plant is chosen as the applicability of the transient and accident analyses basis initial starting point in the development of AP600- of the ERGS to the AP600 and preparation of high-level specific ERG's because the charging pumps are not part operator action strategies for the AP600 based on the of the emergency core cooling system, thus mahng the ERGS.

AP600 more similar to the low-pressure reference plant.

Because of the major functional similarities between the 18.9.8.1.1.2 High-Level Operator Action AP600 design and the low-pressure ERG reference Strategies plant, the ERG process can easily be applied to the AP600 design. The high-level operator action strategies for emer-Subsection 13.9.8.1.1.2, provides the high-level gency operations are found in this subsection in operator action strategies initially developed for the Tables 18.9.8-1 through 18.9.8-37. Tables 18.9.8-1 AP600 design. The high-leveloperator action strategies i

W_

westinghouse

18. HUMAN FACTORS ENGINEERING '

Revision: 0 Effective: 06/26/92 through 18.9.8-13 contain the optimal recovery strate- 18.9.8.1.2 Criteria for Establishing AP600-gies encompassing the following: Specific EOPs

• Diagnosis (E4, ES-0.0) He development of the AP600 EOPs follows a

• Reactor trip response (ES-0.1, ES-0.2, ES4.3) process meetmg the guidelines of NUREGs 0899

• Iess of reactor or secondary coolant (E-1) (Reference 12),0737 Supplement 1 (Reference 13), and

• Safety injection termmation (ES-1.1) 1358 (Reference 14).

1

• Post-IACA cooldown and depressurization The development of AP600 EOPs is based on two (ES-1.2) primary elements. %e first, technical content, is

• Faulted steam generator isolation (E-2) developed from the AP600 technical guidelines, along

• Steam generator tube rupture (E-3) with additional sources of information such as design

• Iess of all ac power sources (ECA-0.0) characteristics, transient and accident analysis, engineer-

• LOCA outside contamment (ECA-1.1) ing judgment and operstmg experience.

• Uncontrolled depressurization of all steam He second, the presentation of information in the generators (ECA-2.1). EOPs, is determined by the principles defined in the AP600 procedures writer's guide. He procedures Tables 18.9.8-14 through 18.9.8-19 contain strategies writer's guide helps to provide confidence in consistent encompassing the following six critical safety functions: production of high-quality EOPs over time and through personnel changes. In addition, the use of a thorough

• Suberiticality (F-0.1) procedures writer's guide is necessary for the integration

• Core Cooling (F-0.2) of human factors principles when converting technical

• Heat Sink (F-0.3) guidelines into an acceptable EOP format.

• Integrity (F-0.4) Technical guidelines represent the translation of a

Contamment (F-0.5) engineering data derived from operating experience and i

• Inventory (F-0.6). transient and accident analysis into information present-ed in such a way that it can be used to write EOPs.

, Tables 18.9.8-20 through 18.9.8-37 contain function The AP600 technical guidelines (the AP600 ERG's) will restoration strategies encompassing the following: be developed using the criteria defined in Subsection 18.9.8.1.1.

• 1ess of suberiticality (FR-S.1, FR-S.2) He procedures writer's guide contains the neces-

• bss of core cooling (FR-C.1, FR-C.2, FR-C.3) sary information and guidance for translating the AP600

• Iess of heat sink (FR-H.1, FR-H.2, FR-H.3, ERGS into AP600 EOPs. He use of a thorough FR-H.4, FR-H.5) procedures writer's guide in writing AP600 EOPs

• Ioss of vessel integrity (FR-P.1, FR-P.2) provides confidence that the EOPs are usable, accurate,

,

• 1ess of contamment integrity (FR-Z.1, FR-Z.2, complete, readable, convenient to use and acceptable to FR-Z.3) main control room personnel.

• 1.o1. of inventory (FR-I.1, FR-I.2, FR-I.3). Emergency Operating circumstances involve some degree of stress (psychological, time or load) or ne critical safety functions and the corresponding degraded environmental conditions or both that may not function restoration strategies are provided for the be present when other types of procedures are used.

prevention or mitigation of emergency conditions ne AP600 procedures writer's guide addresses the without the need for diagnosis of specific initiating goals, requirements and recommendations identified in events.

P18.9-32 W Westingt10US8

18. HUMAN FACTORS ENGINEERING Revision: O d Effective: 06/26/92 the writer's guide section of NUREG-0899 AP600 EOPs. This process selects approaches and (Reference 12). sequences for presenting the operator actions while at he process of translating the AP600 ERGS into the same time addresses such concerns as content, action steps that make up the EOPs is the responsibility orgmntion, format end style of expression and presen-of the procedure writer. He AP600 ERGS identify the tation.

J plant objectives to be met, the systems and subsystems he AP600 EOPs are subjected to a verification and required, the required level of performance, the situa- validation on the AP600 simulator. his process tions requiring operator action and the order in which addresses the following objectives:

the actions must be carried out. It is the task of the procedure writer to extract the relevant information, and a. He EOPs are technically correct. (Hey accurately to carry out additional function, task, or technical reflect the AP600 ERGS.)

analysis required in order to provide the EOPs.

Operating experience and inform 43on contained in b. He EOPs are written correctly. (Hey accurately the procedures writer's guide are used throughout this reflect the AP600 writer's guide.)

process so that the EOPs are written in a form that optimizes operator performance. As the sequence and c. He EOPs are usable. (Rey can be understood and relationships among action steps are developed, the followed without confusion, delays, errors.)

technical guidelines are followed by the EOP writers.

This AP600 EOP development process is iterative and d. Here is a correspondence between the EOPs and usually begins at a system level and becomes more the main control room / plant hardware (controls, specific at the subsystem and the component levels. It equipment, indications) that becomes a reference for is during this iterative process that the specific operator use both inside and outside of the main control tasks are identified and written in the form of action room. EOPs use the same designation, use the steps. same units of measurement, and operate consistent The orientation of the AP600 EOPs parallela that of with the plant hardware.

the AP600 ERGS and are function-oriented, with provisions for specific event-based actions (for example, e. He language and level of information presented in loss of coolant accident, steam generator tube mpture, the EOPs are compatible with the number, qualifi-secondary break). Function oriented EOPs provide the cations, training and experience of the operating operator with guidance on how to verify the adequacy of staff.

safety functions and on how to restore and maintain those functions when they are degraded. f. Here is a high level of confidence that the EOPs he analysis of functions ano tasks used in the work. (%at is, the EOPs guide the operator in development of AP600 EOPs is provided by the AP600 mitigating transients and accidents.)

ERGS and the Westinghouse Owners Group (WOG) low-pressure ERGS. This information provides the EOP discrepancies found during the  ;

initial cut at identifying functions, their associated verification /validationprocess are corrected and factored hardware systems, the actions that are taken (by man into the EOPs prior to issuance.

and machme) and the circumstances under which they he final step in the AP600 EOP implementation '

I are taken, process is operator training. During trammg, operators Once the necessary technical and operator task are encouraged to point out additional recommendations information is defined and the information contained in that further improve the EOPs. Valid comments are the writer's guide is used, it is possible to produce resolved and incorporated into the EOPs. Once this W-Westinghouse

18. HUMAN FACTORS ENGINEERING

^

Revision: 0 t i Effective: 06/26/92 i final step is complete, the AP600 EOPs are reviewed

, and approved for implementation.

l l 18.9.8.6.3 Computerized Procedures De-sign Basis

'Ibe design basis of the computerized procedures system is:

• To guide the user step by step through the proce-dures by monitoring the appropriate plant data and by identifying the recommended course of action I

• To provide the necessary parallel information that allows the user to assess other plant conditions that j may require attention, and that are embodied in notes, cautions, foldout page items (for emergency

operating procedures - EOPs) and the critical safety functions (for EOPs).

l l

=llllm===-

P18.9-34 Westingh0USS l

18. HUMAN FACTORS ENGINEERING

^

Revision: 0 Effective: 06/26/92 _

Table 18.9.8-1 (Sheet 1 of 2)

AP600 - E 0 Reactor Trip or Safety injection

1. Verify Reactor Trip

a. If Reactor Will Not Trip, Go To FR-S.1, Response to Nuclear Power Generation /ATWS

2. Verify Arbine Trip

3. Check If Safety Injection (SI) Is Actuated

a. If SI not actuated, go to ES-0.1, Reactor Trip Response

4. Verify Feedwater (FW) Isolation

5. Verify Containment Isolation

6. Verify Core Make-up Tank (CMT) Actuated

7. Verify SI Valve Alignment

8. Check If Main Stearn lines Should Be Isolated

9. Check If PRHR Should Be Actuated

10. Check If ADS Should Be Actuated

11. Verify RCPs Tripped

12. Verify Passive Contamment Cooling Not Required

13. Check RCS Average Temperature Stable Or Trending To No-Imd

14. Check Power To AC Busses

15. Check SFW Pumps Running

16. Check Total SFW Flow - Greater han Required Flow For Heat Sink

17. Check SFW Valve Alignment

18. Check CVS Makeup Pumps Running

19. Establish Charging Flow

20. Check CCS Pumps Running

21. Check CCS Valve Alignment

22. Check SW Pumps Running

23. Check SW Valve Alignment

24. Check Contamment Fan Coolers

25. Check Chilled Water Pumps l

26. Check Chilled Water Valve Alignment  !

I

27. Check If SGs Are Not Faulted

a. If SGs Are Faulted, Go To E-2

28. Check If SG Tubes Are Not Ruptured

a. If SG Tubes Are Ruptured, Go To E-3

29. Check If RCS Is Intact

a. If RCS Is Not Intact, Go To E-1 .

30. Check If SI Flow Should Be Termmated

31. Go To ES-1.1, SI Termination, Step 1

32. Initiate Monitoring of Critical Safety Function Status Trees P18.9-52 Westinghouse

i

18. HUMAN FACTORS ENGINEERING Revision: 0 v Effective: 06/26/92 _

I Table 18.9.8-1 (Sheet 2 of 2)

AP600 - E-0 Reactor Trip or Safety injection 4

{ 33. Check SG Levels i a. If Narrow Range level Continues To Increase, Go To E-3

34. Check Secondary Radiation Normal

a. If Abnormal, Go To E-3

35. Check Auxiliary Building Radiation Normal

., m. If Cause Of Radiation Is IDCA Outside Containment; Go To ECA-1.1

! 36. Check If DGs Should Be Stopped j 37. Return To E4, Step 25 4

4 1

~

i i

1 l

P18.9-53 WB5tiflgh0USe l

4 e

18. HUMAN FACTORS ENGINEERING

! . Revision: 0 Effectiva: 06/26/92 l W, j-Table 18.9.8-2 i

l AP600 - ES-0.0 Rediagnosis i

1. Check If Any SG Is Not Faulted

2. Check If All SGs Are Not Faulted

3. Check If SG Tbbes Are Ruptured

4. You Should Be In E-3 Or ECA-3 Series Guideline i

i i

e I

l P18.9-54 Westi!1gt100Se

- . - - _ _ . . . .- =. . _ . _ - - - - _ - . .

l l

1 1

18. HUMAN FACTORS ENGINEERING j Revision: 0 v' Effective: 06/26/92 E--l Table 18.9.8-3 AP600 - ES-0.1 Reactor Trip Response j l

1. Check RCS Temperature Stable At Or Trending To No-Ioad l

2. Check FW Status

3. Check If PRHR Should Be Actuated

4. Verify All Control Rods Fully Inserted

5. Check PRZR Ievel Control i

6. Check PRZR Pressure Control l l

7. Check SG Ievels

8. Verify All AC Busses

9. Transfer Condenser Steam Dump To Pressure Control Mode

10. Check RCP Status

11. Check If Source Range Detectors Should Be Energized

12. Shut Down Unnecessary Plant Equipment

13. Maintain Stable Plant Conditions

14. Determine If Natural Circulation Cooldown Is Required

.~

T Westinghouse

18. HUMAN FACTORS ENGINEERING ,

Revision: 0 Effective: 06/26/92 -

Table 18.9.8-4 I

l AP600 - ES-0.2 Natural Circulation Cooldown

1. Try To Restart An RCP

2. Borate RCS To Cold Shutdown Boron Concentration

3. Verify Cold Shutdown RCS Boron Concentration By Sampling j

4. Check RCS Makeup Control System i

5. Verify All CRDM Fans Running

6. Initiate RCS Cooidown To Cold Shutdown

7. Check RCS Hot I.eg Temperatures Less Than 550*F

8. Dg:essurize RCS To SI Block Permissive

9. Block SI Actuation

10. Maintain RCS Conditions 4

11. Monitor RCS Cooldown

12. Initiate RCS Dopissunzation l

13. Continue RCS Cooldown And Depressunzation 1 4

14. Check For Steam Void In Reactor Vessel

15. Check If Accumulators Should Be I.ocked Out

16. Maintain Letdown Flow i 17. Check If RHR System Can Be Placed In Service

18. Continue RCS Cooldown To Cold Shutdown

19. Continue Cooldown OfInactive Portion Of RCS l i 20. Determme If RCS Depressunzation Is Permitted I

r l

t a

P18.9-56 Westinghouse

+

18. HUMAN FACTORS ENGINEERING Revision: 0 v Effective: 06/26/92

[

Table 18.9.8-5 AP600 - ES-0.3 Natural Circulation Cooldown With Void in Reactor Vessel

1. Try To Restart An RCP

2. Establish PRZR Ievel To Accommodate Void Growth

3. Decrease RCS Hot Leg Temperature To RHR Entry Temperature 1

4. Depressurize RCS

a. Stop Depressunzation On High PRZR Level OR RHR Entry Pressure

5. Check PRZR Ievel less 'lhan High Value

a. If Ievel High, Reduce level With Letdown

6. Check if Accumulators Should Be Iecked Out

7. Check If RHR System Can Be Placed In Service

8. Continue RCS Cooldown To Cold Shutdown

9. Continue Cooldown OfInactive Portion Of RCS

10. Determine If RCS Depressunzation Is Permitted

[ W85tingfl0USS

_- .-_ _ _ = _ . . . . - . - _. _ .

18. HUMAN FACTORS ENGINEERING Revision: O A Effective: 06/26/92 . _ .

Table 18.9.8-6 AP600 - E-1 Loss of Reactor or Secondary Coolant

1. Check If Any SGs Are Faulted

a. If Faulted Not Isolated, Go To E-2, Faulted Steam Generator Isolation

2. ControlIntact EG Level

a. If Any Increasing In An Uncontrolled Manner, Go To E-3, Steam Generator Tube Rupture

3. Check Secondary Radiation

a. If Abnormal, Go To E-3, Steam Generator Tube Rupture

4. Control Charging Flow To Maintain CMT Level

5. Check If SI Mode Of Operation Can Be Terminaux 1

a. Subcooling Exists

b. Heat Sink Exists

c. RCS Pressure Stable Or Increasing

d. CMT Level Stable Or Increasing

e. PRZR Level On Span

f. If Criteria Not Met, Go To Step 7

6. Transition To ES-1.1, SI Termination

7. Check If ADS Should Be Actuated

8. Check If Passive Containment Cooling Should Be Stopped  ;

9. Check RCS And SG Pressures

a. All SGs Stable Or Increasing

b. RCS Stable Or Decreasing

c. If a And b Not Met, Return To Step 1 j

10. Begin Evaluating Plant Status

11. Should ES-1.2, Post-LOCA Cooldown And Depressunzation Be Performed

a. If ADS Not Actuated, Go To ES-1.2, Post-LOCA Cooldown and Depressunzation

12. Check If RHR Should Be Established

13. Check If Long-Term Cooling Established

14. Should Accumulators Be Isolated

15. Should Intact SGs Be Depressurized

16. Should Reactor Vessel Head Be Vented

17. Evaluate long-Term Status P18.9-58 3 W85tingh0USS

18. HUMAN FACTORS ENGINEERING

., Revision: 0 . . .

v' Effective: 06/26/92

. IRNl

Tabh ' '8-7 AP600 - ES-1.1 Si Termination

1. Control Charging Flow To Maintain CMT And PRZR Ievel

2. Reset All SI-Related Signals ,

3. Realign CMTs To Pre-SI Configuration

4. Verify SI Not Required  ;

a. RCS Subcooling Exists I

b. CMT Ievel Stable Or Increasing

c. PRZR Ievel Stable Or Increasing 2 d. If Required, Go To E-1, Iess of Reactor or Secondary Coolant

5. Realign Other Components To Pre-SI Configuration

a. PRHR Heat Exchanger

b. Other Components 1

6. Verify All Control Rods Fully Inserted

a. If Any Rods Stuck Out, Borate As Necessary

7. Check If Passive Containment Cooling Should Be Stopped

8. Transfer Condenser Dump To Pressure Control Mode

9. Stabilize RCS Temperature

10. Control PRZR Pressure  !

11. Control SG Levels

12. Verify AC Busses Energized By Offsite Power

13. Chack If DGs Should Be Stopped

14. Reetablish CCS Cooling To RCPs

15. Restart RCPs

16. Check If Source Range Detectors Should Be Energized

17. Shut Down Unnecessary Plant Equipment

18. Maintain Stable Plant Conditions

a. RCS Pressure

b. RCS Temperature

c. PRZR Ievel

d. SG Ievel

19. Go To Appropriate Plant Procedure W Westinghouse

18. HUMAN FACTORS ENGINEERING Revision: 0 l l

gffective: 06/26/92 l

Table 18.9.8-8 l l

AP600 - ES-1.2 Post-LOCA Cooldown and Depressurization

1. Verify AC Busses Energized By Offsite Power

2. Control Charging Flow To Maintain CMT Ievel

3. Control Intact SG Levels ,

4. Initiate RCS Cooldown At Maximum Plant Spec Rate I

5. Place All PRZR Heaters In OFF Position

6. Depressdze RCS To Refill Pressurizer

7. Check CCS Cooling To RCPs

8. Should An RCP Be Started

a. If No Subcooling, Go To Step 10 i

b. If No Pressunzer level, Return To Step 6 l

9. Depressurize RCS To Minimim RCS Subcooling l

10. Verify ADS Actuation Not Necessary ,

11. Check Shutdown Margin I

12. Should Accumulators Be Isolated i

13. Should DGs Be Stopped )

14. Should Source Range Detectors Be Energized i 15, Stop Unnecessary Equipment i I

16. Should RCPs Be Stopped

- Normal RCP Operating Ilmits

17. Should RHR Be Placed In Service

- If Not, Go To Step 18

18. Is RCS At Cold Shutdown

- If Not, Return To Step 2

19. Evaluate long-Term Status i J

~

P18.9-60 Westinghouse 1

1

18. HUMAN FACTORS ENGINEERING Revision: 0 Effective: 06/26/92 Table 18.9.8-9 AP600 - E-2 Faulted Steam Generator Isolation

1. Check Main Steam Line Isolation And Bypass Valves Of Affected SG(s) Closed

2. Check If Any SG Is Not Faulted

3. Identify Faulted SG

4. Isolate Faulted SG

5. Check SFW Water Supply

6. Check Secondary Radiation

7. Go To E-1, loss of Reactor or Secondary Coolant I

l 1

P18.9-61 W-westinghouse

l l

18. HUMAN FACTORS ENGINEERING Revision: O r g Effective: 06/26/92  % j Table 18.9.8-10 (Sheet 1 of 2)  !

AP600 - E-3 Steam Generator Tube Rupture j

1. Identify Ruptured SG

2. Isolate Flow From Ruptured SG

3. Maintain Ruptured SG Ievel Above U-Tubes

4. Control Charging Flow To Maintain CMT Ievel {

n

5. Check If SGs Are Not Faulted I

6. Control Intact SG Ievel

7. Verify AC Power Energized By Offsite Power

8. Check Cooldown Rate Should Be Mnimimi But Not Exceed Plant Spec Ilmit

a. Ruptured SG Pressure Decreasing

b. Low RCS Subcooling

c. CMT Izvel Decreasing

9. Initiate RCS Cooldown To Cold Shutdown

10. Depressunze RCS To Refill Pressunzer

11. Verify ADS Actuation Not Necessary i

12. Check CCW Cooling To RCPs j

13. Should An RCP Be Started ~s i

a. If No Subcooling, Go To Step 14

b. If No Pressurizer Ievel, Return To Step 10

14. Depressurize RCS To Stop Prunary-To-Secondary Break Flow

15. Control RCS And Ruptured SG Pressure To Mmimize Prunary To Secondary I enk=ge

16. Should DGs Be Stopped

17. Check If Passive Contamment Cooling Should Be Stopped

18. Mmimire Secondary System Contamination

19. Operate Pressunzer Heaters To Saturate Pressunzer

20. Check Shutdown Margin

21. Should Accumulators Be Isolated

22. Should Source Range Detectors Be Energized

23. Stop Unnecessary Equipment

24. Depressunze RCS And Ruptured SG

a. Depressunze RCS Using Normal Spray, .iuxiliary Spray, Or One ADS Valve In That Order

b. Dym wize Ruptured SG Using Either 1 ackfill, Blowdown, Or Steammg

25. Maintain Ruptured SG 1evel Above Top Of L Tubes

26. Should RCPs Be Stopped

a. Normal RCP Operating limits P18.9-62

[ WeStingt10USe j

18. HUMAN FACTORS ENGINEERING Revision: O

- + -

d Effective: 06/26/92 Table 18.9.8-10 (Sheet 2 of 2)

AP600 - E-3 Steam Generator Tube Rupture

27. Should RHR Be Placed In Service

a. If Not, Go To Step 9

28. Is RCS At Cold Shutdown i

a. If Not, Return To Step 9

29. Evaluate Long-Term Status 2

P'e.

4 l

a J

P18.9-63 W W85tingh0USS s .,,,

18. HUMAN FACTORS ENGINEERING

. _ _ _ _ _ _ Revision: 0 Effective: 06/26/92 Table 18.9.8-11 AP600 - ECA-0.0 Loss of All AC Power Sources

1. Verify Reactor Trip

2. Verify Turbine Trip

3. Verify PRHR In Service

4. Check If SI Should Be Actuated

5. Verify RCS Isolated

6. Try To Restore AC Power

7. Check If Main Steam line Isolation And Bypass Valves Should Be Closed

8. Verify SG Blowdown Valves Closed

9. Check If SG Tubes Are Not Ruptured

10. Check If ADS Is Required

11. Check DC Bus Ioads

12. Determine If RCS Cooldown Is Required

13. Check SI Signal Status

14. Verify Contamment Isolation

15. Verify Containment Ventilation Isolation

16. Check If Passive Containment Cooling Is Required

17. Check Contamment Radiation

18. Check If AC Power Restored

a. If Not, Retum To Step 3

19. Stabilize SG Ihi,cww

20. Ioad Necest,uy Equipment On AC Busses

21. Determine Appropriate Recovery Guideline

a. If SI Signal Exists, Go To E-1, Ioss Of Reactor Or Secondary Coolant

b. If SI Signal Does Not Exist, Go To ES-0.1, Reactor Trip Response

" 8'8#

T Westinghouse

18. HUMAN FACTORS ENGINEERING Revision: O d Effective: 06/26/92 Table 18.9.8-12 AP600 - ECA-1.1 LOCA Outside Containment

1. Try To Identify And Isolate Break

2. Check If Break Is Isolated

a. If Not Isolated, Start Making More Borated Water For Charging Pumps

3. Go To E-1, loss Of Reactor or Secondary Coolant P18.9-65 W WB5tingh00Se

i

18. HUMAN FACTORS ENGINEERING Revision: 0 O Effective: 06/26/92 /

l h o Table 18.9.8-13 AP600 - ECA-2.1 Uncontrolled Depressurization of All Steam Generators

1. Check Secondary Pressure Boundary

2. Determine If Both SGs Should Be Isolated

3. Control Feed Flow To Mmimize RCS Cooldown

4. Check Secondary Radiation Normal

a. If Not, Go To E-3, Steam Generator Tube Rupture

5. Control Charging Flow To Maintain CMT And PRZR I.evel

6. Check If ADS Should Be Actuated

7. Check If Passive Containment Cooling Should Be Stopped

8. Check If Accumulators Should Be Isolated

9. Check RCS Hot Ieg Temperatures Stable Or Decreasing

10. Check Narrow Range I.evel In All SGs less Than 50%

11. Control Pressunzer Pressure

12. Verify AC Busses Energized By Offsite Power

13. Check CCW Cooling To RCPs

14. Check If An RCP Should Be Staned

15. Check If Source Range Detectors should Be Energized

16. Check If DGs Should Be Stopped

17. Shut Down Un-*==7 Plant Equipment

18. Maintain Plant Conditions Stable

19. Verify ADS Actuation Not Necessary

20. Check If Accumulators Should Be Isolated

21. Check If RCS Hot leg Temperatures less Than RHR Cut-in Temperature

22. Check If RCS Pressure 12ss 'Ihan RHR Cut-in Pressure

23. Check If RHR Can Be Placed In Service

24. Continue Cooldown To Cold Shutdown

25. Check RCS Temperatures less Than Cold Shutdown

26. Evaluate Long-Term Plant Status P18.9-66 g

18. HUMAN FACTORS ENGINEERING

Revision: O d Effective: 06/26/92  ::

Table 18.9.8-14 AP600 - F-0.1 Subcriticality I. Go To FR-S.I On RED Path If:

a. Power Range Las 'Ihan 5% - NO

2. Go To FR-S.I On ORANGE Path If:

a. Power Range less "Ihan 5% - YES

b. Intermediate Range SUR Zero Or Negative - NO

3. Go To FR-S.2 On YELIDW Path If:

a. Power Range Less Than 5% - YES

b. Intermediate Range SUR Zero Or Negative - YES

c. Source Range Energized - NO

d. Intermediate Range SUR More Negative 'Ihan -0.2 DPM - NO

4. GREEN Path If:

a. Power Range less Than 5 % - YES

b. Intermediate Range SUR Zero Or Negative - YES

c. Source Range Energized - NO

d. Intermediate Range SUR More Negative h -0.2 DPM - YES

^

5. Go To FR-S.2 On YELLOW Path If:

a. Power Range less Than 5% - YES ,

I

b. Intermediate Range SUR Zero Or Negative - YES

c. Source Range Energized - YES

d. Source Range SUR Zero Or Negative - NO

6. GREEN Path If:

a. Power Range less Than 5% - YES

b. Intermediate Range SUR Zero Or Negative - YES

c. Source Range Energized - YES

d. Source Range SUR Zero Or Negative - YES

" " ~

T Westinghouse

18. HUMAN FACTORS ENGINEERING

^

.. Revision: 0 Effective: 06/26/92 t

< r

Table 18.9.8-15 l AP600 - F-0.2 Core Cooling I

1. Go To PR-C.1 On RED Path If:

a. Core Exit TCs less 'Ihan 1200'F - NO

2. Go To FR-C.2 On ORANGE Path If: l

a. Core Exit TCs less 'Ihan 1200*F - YES 1

)

b. RCS Subcooling Based On Core Exit TCs Greater 'Ihan Predetermmed Value - NO l

c. Core Exit TCs less 'lhan Predetermined Value - NO )

3. Go To FR-C.3 On YELLOW Path If:

a. Core Exit TCs less Than 1200'F - YES

b. RCS Subcooling Based On Core Exit TCs Greater Than Predetermined Value - NO

c. Core Exit TCs less 'Ihan Predetermined Value - YES

, 4. GREEN Path If:

a. Core Exit TCs less Than 1200*F - YES

b. RCS Subcooling Based On Core Exit TCs Greater Than Predetermined Value - YES d

i i

4 f

4 t

i P18.9-68 W

Westinghouse

18. HUMAN FACTORS ENGINEERING Revision: 0

,_./ Effective: 06/26/92 +-. . . . .

f 1

Table 18.9.8-16 (Sheet 1 of 2)

AP600 - F-0.3 Heat Sink

1. Go To FR-H.1 On RED Path If:

a. Nanow Range Level In At least One SG Greater han On Span - NO l b. Total Feed Flow To SGs Greater han Predeterruned Value - NO

e. PRHR Flow Greater %an Predetermined Value - NO

2. Go To FR-H.2 On YI1 LOW Path If:

a. One Of The Following:

. 1. Narrow Range level In At Least One SG Greater han On Span - YES; Or

2. Total Feed Flow To SGs Greater %an Predetermined Value - YES; Or

3. PRHR Flow Greater han Predetermined Value - YES

b. Pressure In All SGs less han Highest Safety Valve Setpoint - NO

3. Go To FR-H.2 C.; YELLOW Path If

a. One Of %e Following:

1. Narrow Range Level In At least One SG Greater han On Span - YES; Or

2. Total Feed Flow To SGs Greater %an Predetermined Value - YES; Or

3. PRHR Flow Greater han Predetermined Value - YES

^

b. Pressure In All SGs Less Than Highest Safety Valve Setpoint - YES

~,

e. Narrow Range level In All SGs less Than Top Of Span - NO

4. Go To FR-H.2 On YELLOW Path If:

4 a. One Of %e Following:

1. Narrow Range level In At least One SG Greater han On Span - YES; Or

2. Total Feed Flow To SGs Greater %an Predetermmed Value - YE5; Or

3. PRHR Flow Greater han Predetermined Value - YES

b. Pressure In All SGs less Han Highest Safety Valve Setpoint - YES j e. Narrow Range Level In All SGs Less %an Top Of Span - YES

d. Pressure In All SGs less Than Iowest Safety Valve Setpoint - NO

5. Go To FR-H.2 On YELLOW Path If:

4 a. One Of he Following:

1. Narrow Range level In At least One SG Greater han On Span - YES; Or

2. Total Feed Flow To SGs Greater han Predetermmed Value - YES; Or

3. PRHR Flow Greater han Predetermmed Value - YES t b. Pressure In All SGs less han Highest Safety Valve Setpoint - YES

e. Narrow Range level In All SGs Iess han Top Of Span - YES

d. Pressure In All SGs less han lowest Safety Valve Setpoint - YES

e. Narrow Range Level In All SGs Greater han On Span - NO T Westinghouse

s d

18. HUMAN FACTORS ENGINEERING

_ _ _ _ _ _ _ _ Revision: 0 &

Effective: 06/26/92 __,

1 Table 18.9.8-16 (Sheet 2 of 2)

AP600 - F-0.3 Heat Sink

6. GREEN Path If:

a. One Of'Ibe Following:

4

1. Narrow Range Ievel In At least One SG Greater 'Ihan On Span - YES; Or

2. Total Feed Flow To SGs Greater Than Predetermined Value - YES; Or

3. PRHR Flow Greater Than Predetermined Value - YES

b. Pressure In All SGs less Than Highest Safety Valve Setpoint - YES

c. Narrow Range level In All SGs less Than Top Of Span - YES i

d. Pressure In All SGs less Than Iowest Safety Valve Setpoint - YES

e. Narrow Range level In All SGs Greater Than On Span - YES 1

1 1

)

l P18.9 70 W8SfiDgh00se

18. HUMAN FACTORS ENGINEERING Revision: 0 . . .

s Effective: 06/26/92 E

Table 18.9.8-17 AP600 - F-0.4 Integrity

1. Go To FR-P.1 On RED Path If:

a. Temperature Decrease In All RCS Cold Iegs less Than Plant Spec Limit - NO

b. All RCS Pressure-Cold leg Temperature Points To Right Of Umit A Curve - NO

2. Go To FR-P.1 On ORANGE Path If:

a. Temperature Decrease In All RCS Cold legs less Than Plant Spec Umit - NO

b. All RCS Pressure-Cold Leg Temperature Points To Right Of Ilmit A Curve - YES

c. All RCS Cold Ieg Temperatures Greater h T1 - NO

3. Go To FR-P.2 On YELLOW Path If:

a. Temperature Decrease In All RCS Cold legs less Than Plant Spec Limit - NO

b. All RCS Pressure-Cold leg Temperature Points To Right Of Limit A Curve - YES

c. All RCS Cold leg Temperatures Greater Than T1 - YES

d. All RCS Cold Ieg Temperatures Greater Than T2 - NO

4. GREEN Path If:

a. Temperature Decrease In All RCS Cold legs less Than Plant Spec Ilmit - NO

b. All RCS Pressure-Cold leg Temperature Points To Right Of Limit A Curve - YES All RCS Cold Ieg Te+raww Greater 'Ihan T1 - YES c.

d. All RCS Cold leg Temperatures Greater 'Ihan T2 - YES

5. Go To FR-P.1 On ORANGE Path If:

a. Temperature Decrease In All RCS Cold legs less "Ihan Plant Spec limit - YES

b. RCS Temperature Greater Than Cold Overpressure Cut-in Temperature - NO

c. RCS Pressure Iess Than Cold Overpressure Ilmit - NO

d. All RCS Cold Ieg Temperatures Greater Than T1 - NO

6. Go To FR-P.2 On YEUAW Path If:

a. Temperature Decrease In All RCS Cold legs less Than Plant Spec Ilmit - YES

b. RCS Tempesature Greater Than Cold Overpressure Cut-in Temperature - NO

c. RCS Pressure less Than Cold Overpressure limit - NO

d. All RCS Cold leg Temperatures Greater Than T1 - YES

7. GREEN Path If:

a. Temperature Decrease In All RCS Cold legs less Than Plant Spec Umit - YES

b. RCS Temperature Greater Than Cold Overpressure Cut-in Temperature - NO

c. RCS Pressure less Than Cold Overpressure limit - YES  ;

i

8. GREEN Path If:

a. Temperature Decrease in All RCS Cold Iegs less Than Plant Spec Ilmit - YES

b. RCS Temperature Greater Than Cold Overpressure Cut-in Temperature - YES 1

T Westinghouse i

1

18. HUMAN FACTORS ENGINEERING Revision: 0 *

, Effective: 06/26/92 _.

Table 18.9.8-18 4

J 4

AP600 - F-0.S Containment

1. Go To FR-Z.1 On RED Path If:

a. Containment Pressure less h Design Umit - NO

2. Go To FR-Z.1 On ORANGE Path If:

a. Containment Pressure less h Design Limit - YES ,

b. Contamwent Pressure less h Setpoint - NO

3. Go To FR-Z.2 On ORANGE Path If:

a. Contamment Pressure less h Design Umit - YES

b. Containment Pressure Iess Than Setpoint - YES

c. Contamment Sump level less Than Flooding Level - NO l'

4. Go To FR-Z.3 On YELLOW Path If:

a. Cnntninment Pressure less Than Design Umit - YES

b. Contamment Pressure less h Setpoint - YES

c. Contamment Sump level less Than Flooding level - YES

d. Containment Radiation less h Predetermined Value - NO

5. GREEN Path If:

a. Containment Pressure Less h Design Umit - YES

b. Contamment Pressure less Than Setpoint - YES

c. Containment Sump Ievel less h Flooding level - YES

d. Contamment Radiation less h Predetermmed Value - YES l

l l

l 1

I P18.9-72 WBStingh00Se i

18. HUMAN FACTORS ENGINEERING Revision: 0

/ Effective: 06/26/92 Table 18.9.8-19 AP600 - F-0.6 Inventory

1. Go To FR-I.3 On YELLOW Path If:

a. Pressunzer level Im Than Top Of Span - NO

b. Pressurizer level Behavior Indicates Upper Head Void - YES

2. Go To FR-I.1 On YELLOW Path If:

a. Pressunzer Ievel less h Top Of Span - NO

b. Pressunzer level Behavior Indicates Upper Head Void - NO

3. Go Tcr FR-I.2 On YELLOW Path If:

a. Pressurizer level less h Top Of Span - YES

b. Pressunzer Level Greater Than On Span - NO

4. Go To FR-I.3 On YELLOW Path If:

a. Pressunzer Ievel Iess Than Top Of Span - YES

b. Pressunzer level Greater Than On Span - YES

c. Pressurizer level Behavior Indicates Upper Head Void - YES

5. GREEN Path If:

a. Pressurtzer level less Than Top Of Span - YES

b. Pressunzer level Greater Than On Span - YES

c. Pressunzer level Behavior Indicates Uppe.r Head Void - NO P18.9-73

1 J

l

18. HUMAN FACTORS ENGINEERING Revision: 0 O,

"- i Effective: 06/26/92 v' I

i Table 18.9.8-20

AP600 - FR-S.1 Response to Nuclear Power Generation /ATWS i

i j 1. Verify Reactor Trip

2. Verify Thrbine Trip j 3. Verify PRHR Actuated 4 4. Initiate Emergency Boration Of RCS l 5. Verify SFW Pumps Running

6. Check If The Following Trips Have Occurred

a. Reactor Trip i b. Turbine Trip

7. Check SG Ievels

8. Verify All Dilution Paths Isolated

9. Check If Reactivity Insertion Is From An Uncontrolled Cooldown

a. If Not, Go To Step 13

10. Check Main Steam Iine Isolation And Bypass Valves Closed

11. Identify Faulted SGs

12. Isolate Faulted SGs

13. Verify Reactor Suberitical

14. Return To Guideline And Step In Effect '

Westinghouse

18. HUMAN FACTORS ENGINEERING Revision: 0 . _ _ = . ..m-d, ,

Effective: 06/26/92 e

Table 18.9.8-21 AP600 - FR-S.2 Response to Loss of Core Shutdown

1. Check Intermediate Range Flux

2. Check Source Range Channel Startup Rate

3. Return To Guideline And Step In Effect l

l l

P18.9-75 T Westinghouse

18. HUMAN FACTORS ENGINEERING

. . . . . . Revision: 0 '

Effective: 06/26/92 W1I Table 18.9.8-22 AP600 - FR-C.1 Response to inadequate Core Cooling

1. Check SI Valve Alignment i

2. Establish Charging Flow

3. Check SI Accumulator Isolation Valve Status

4. Check If ADS Should Be Manually Actuated

5. Check Core Exit TCs Less Than 1200'F

a. If Not, Go To Step 6

b. If Less 'Ihan 1200*F, Return To Guideline And Step In Effect

6. Check RCP Support Conditions

7. Check Contamment Hydrogen

8. Check Intact SG Ievels

9. Check RCS Vent Paths Closed

10. Depressurtze AllIntact SGs To Inject Accumulators

a. If Not, Use PRHR I

11. Check If Accumulators Should Be Isolated l

12. Stop All RCPs

13. Depressurize AllIntact SGs To Atmospheric Pressure j

14. Check If Core Cooling Re-established

a. If Not, Go To Step 15

15. Go To E-1, Loss Of Reactor Or Secondary Coolant

16. Check If RCPs Should Be Started

17. Continue To Try To Depressunze AllIntact SGs

18. Check If Accumulators Should Be Isolated

19. Check If Core Cooling Re-established

a. If Not, Return To Step 15

20. Go To E-1, Ioss Of Reactor Or Secondary Coolant i

4 4

P18.9-76 g

i j

I

18. HUMAN FACTORS ENGINEERING l Revision: 0 . , . . .

I

~ ~ "

• s' Effective: 06/26/92 I

Table 18.9.8-23 d

AP600 - FR-C.2 Response to Degraded Core Cooling

1. Check CMT Valve Alignment l 4

2. Establish Chargmg Flow ,

3. Check RCS Vent Paths Closed l

4. Check Core Exit TCs less ' Ban Predetermined Value

a. If Not, Go To Step 5

b. If less 'Iban Predetermined Value, Return To Guideline And Step in Effect

5. Check If One RCP Should Be Stopped

6. Check Core Cooling

a. If Adequate, Return To Guideline And Step in Effect  !

7. Check SI Accumulator Isolation Valve Status ]

8. Check Intact SG hvels l

9. Depressurize AllIntact SGs To Inject Accumulators l

a. If Not, Use PRHR l

10. Check If Accumulators Should Be Isolated

11. Stop All RCPs

12. Depressurize AllIntact SGs To Atmospheric Pressure

13. Check If Core Cooling Re-established

a. If Not, Return To Step 8 j

14. Go To E-1, I.oss Of Reactor Or Secondary Coolant l

1 T westinghouse

1

18. HUMAN FACTORS ENGINEERING

~

9 Revision: 0 Effective: 06/26/92 O

V

, Table 18.9.8-24 AP600 - FR-C.3 Response to Saturated Core Cooling

1. Check RHR System Not Placed in Service

2. Check CMT Valve Alignment

3. Establish Charging Flow

4. Check RCS Vent Paths Closed

5. Return To Guideline And Step In Effect 1

l

j l

i l

l 1

1 J

e i

k l

I i

1 1

P18.9-78 WM, Se _., 4 d

18. HUMAN FACTORS ENGINEERING Revision: O d Effective: 06/26/92 k

Table 18.9.8-25 AP600 - FR-H.1 Response to Loss of Heat Sink

1. Check If PRHR Is Required

a. If Not Required, Return To Guideline And Step In Effect

2. Verify PRHR Actuated

3. Check If Secondary Heat Sink Is Required

a. If Not Required, Return To Guideline And Step In Effect

4. Try To Establish SFW Flow To At least One SG

5. Check If Heat Sink Is Restored

a. If PRHR Actuated OR SFW Flow Restored To At least One SG, Return To Guideline And Step In Effect

6. Stop All RCPs

7. Try To Establish Main FW Flow To At least One SG

8. Check SG Levels

a. If SG NR 12 vel Restored In At Least One SG, Return To Guideline And Step In Effect

9. Try To Establish Feed Flow From Condensate System

10. Check SG Ievels

a. If SG NR Ievel Restored In At least One SG, Return To Guideline And Step In Effect

11. Check For Loss Of Heat Sink

a. If Heat Sink Is Not Imst. Return To Step 1

12. Actuate ADS

13. Go To E-1, Ims: of Reactor or Secondary Coolant I

W Westinghouse

18. HUMAN FACTORS ENGINEERING Revision: O O

+-

Effective: 06/26/92 l

Table 18.9.8-26 AP600 - FR-H.2 Response to Steam Generator Overpressure

1. Identify Affected SGs

2. Verify FW Isolation To Affected SG

3. Check Affected SG Narrow Range level less Han Full

4. Try To Dump Steam From Affected SG i

5. Check Affected SG Pressure '

6. Isolate AFW To Affected SGs j

7. Isolate All FW To Affected SG

8. Check RCS Hot leg Temperatures ,

9. Continue Attempts To Manually Or Locally Dump Steam From Affected SGs' I

10. Retum To Guideline And Step In Effect I l

I l

p18.s-8 W Westinghouse

i 1

4

18. HUMAN FACTORS ENGINEERING Revision: 0 .. .

s' Effective: 06/26/92 ..

j

Table 18.9.8-27 AP600 - FR-H.3 Response to Steam Generator High Level

l

1. Identify Affected SG

2. Verify FW Isolation

3. Isolate AFW To Affected SGs i

4. Check Affected SG Ievel

! 5. Close Affected SG Main Steam Line Isolation And Bypass Valves

6. Check Affected SG Radiation Normal

a. If Not, Go To E-3, Steam Generator Tube Rupture 3

7. Establish Blowdown From Affected SGs

8. Return To Guideline And Step In Effect 4

i 1

l 1

l l

i ,

l t

4 i

i 1

i i

i l

1 l

l l

P18.9-81 i W Westinghouse i i

1 l

' l l

18. HUMAN FACTORS ENGINEERING Revision: 0 'N l#" W Effective: 06/26/92 vj p

Table 18.9.8-28 AP600 - FR-H.4 Response to Loss of Normal Steam Release Capabilities

1. Try To Restore Normal Steam Release Capability Of Affected SGs ,

2. Check SG Pressure less %:n Safety Valve Setpoint

3. Return To Guideline And Step In Effect P18.9-82 W8Stingh00S8

18. HUMAN FACTORS ENGINEERING

$, Revision

0 V Effective: 06/26/92 f -E I

Table 18.9.8-29 AP600 - FR-H.5 Response to Steam Generator Low Level

1. Identify Affected SG

2. Verify Blowdown Isolation Valves From Affected SGs Closed

3. Check If Affected SGs Not Faulted

a. If Faulted, Go To E-2, Faulted Steam Generator Isolation

4. Check FW Flow To Affected SGs Greater Than Predetermined Value

5. Continue To Fill Affected SG

6. Return To Guideline And Step In Effect ee' I

l l

l l

l l

l P18.9-83 W

Westinghouse

_ _ _ _ _ _ _ _ _ _ . _ . . _ . . . _ . . . . . _ _ _ _ _ - - _ _ . . . . _ . _ . ~ _ _ - - - - - - - - -

J d

1

18. HUMAN FACTORS ENGINEERING

- ^

_._; Revision: 0 u 2 Effective: 06/26/92 .

1 1

Table 18.9.8-30

. AP600 - FR-P.1 Response to imminent Pressurized Thermal Shock Condition

} 1. Check RCS Cold leg Temperatures Stable Or Increasing

a. If Not, Try To stop Cooldown

2. Check RCS Hot Ieg Temperature Stable

. 3. Check If Accumulators Should Be Isolated l 1 4. Depressurize RCS To Decrease Subcooling

5. Check Pressurizer level Not IUgh i a. If High, Reestablish letdown To Reduce level

6. Check If Subcooling Has Been Reduced

a. If Not Return To Step 4 l

7. Control RCS Pressure '

8. Determine If Temperature Soak Is Required

9. Return To Guideline And Step In Effect P18.9-84 Westingh0USS

18. HUMAN FACTORS ENGINEERING Revision: 0 __

d Effective: 06/26/92 4.

1 Table 18.9.8-31 AP600 - FR-P.2 Response to Anticipated Pressurized Thermal Shock Condition

1. Check RCS Cold Ieg Temperatures Stable Or Increasing

a. If Not, Try To Stop Cooldown

2. Check RCS Pressure Within Plant Spec Limits

a. If Not, Depressurize RCS To Within Plant Spec Limits

3. Determine If Additional Cooldown Restrictions Are Required

4. Return To Guideline And Step In Effect

.c i

i P18.9-85 W -

Westinghouse

i l

18. HUMAN FACTORS ENGINEERING

.. Revision: 0 Effective: 06/26/92

]

.~

I' Table 18.9.8-32 AP600 - FR Z.1 Response to High Containment Pressure

1. Verify Contamwnt Isolation

2. Verify Containment Ventilation Isolation

3. Check if Passive Cnat=ia=nt Cooling Is Required

4. Verify Main Steam lines Isolated

5. Chmk If Feed Flow Should Be Isolated To Any SG

6. Check Hydrogen Concentration

7. Check If Hydrogen Concentration Should Be Reduced

a. If Hydrogen Concentration Imw, Go To Step 9

8. Notify Plant Engineering Staff Of Hydrogen Concentration I

9. Return To Guideline And Step In Effect t

't 4

4 P18.9-86 W85tingh0USB

t 1

1

18. HUMAN FACTORS ENGINEERING

- Revision: O i

/ Effective: 06/26/92

~

If Table 18.9.8-33

]

i AP600 - FR-Z.2 Response to Containment Flooding l

! 1. Try To Identify Unexpected Source Of Water To Sump j 2. Check Containment Sump Activity Level j 3. Notify Plant Staff Of Sump level And Activity Level To Obtain Recommended Action

4. Return To Guideline And Step In Effect l

1 4

i i

l 4

l i

} P18.9-87

W Westinghouse 4

t 4

i 18. HUMAN FACTORS ENGINEERING

^

q_=_ .

Revision: 0 Effective: 06/26/92 -

Table 18.9.8-34 AP600 - FR-Z.3 Response to High Containment Radiation Level

1. Verify Containment Ventilation Isolation ,

2. Check If SI Signal should Be Actuated l l 3. Notify Plant Engineering Staff To Obtain Recommended Action  ;

4. Return To Guideline And Step In Effect l i

I 4

n P18.9-88 T Westinghouse

18. HUVs.id FACTORS ENGINEERING Revision: 0 -"

,/ Effective: 06/26E

{

Table 18.9.8-35 AP600 - FR-l.1 Response to High Pressurizer Level

1. Check If Charging Flow Has Been Established

2. Establish Ietdown

3. Turn On Heaters

4. Check Pressurizer and Auxiliary Spray Valves closed

5. Control Charging And letdown Flow As Necessary To Maintain Stable RCS Pressure

! 6. Check Pressunar Pressure less 'Ihan High Value

a. If Not, Return To Step 4

7. Return To Guideline And Step In Effect d

= , .

P18.9-89

.] T westinghouse

18. HUMAN FACTORS ENGINEERING

__g Revision: 0

'dffective: 06/26/92 Table 18.9.8-36 AP600 - FR-1.2 Response to Low Pressurizer Level

1. Verify Letdown Isolated

2. Increase Charging Flow To Establish Pressunzer level

3. Check Pressurizer level On Span

a. If Not, Increase Charging Flow And Return To Step 2

b. If Charging Flow At Maximum, Initiate SI And Go To E-1, Imss of Reactor Or Secondary Coolant

4. Operate Pressurizer Heaters As Necessary

5. Return To Guideline And Step In Effect l

d d

P18.9-90 W Westinghouse l

18. HUMAN FACTORS ENGINEERING 3

Revision: 0 s Effective: 06/26/92 Table 18.9.8-37 AP600 - FR-1.3 Response to Voids in Reactor Vessel

1. Check If Charging Flow Has Been Established

2. Check IfIetdown In Service

3. Establish Stable RCS Conditions

4. Check AllRCPs Stopped ,

5. Check If RCS Pressure Should Be Increased '

6. Control Charging And letdown To Maintain I%ssurizer level

7. Determine If Reactor Vessel Is Full

a. If Full, Return To Guideline And Step In Effect

8. Try To Start One RCP

9. Determme If Reactor Vessel Is Full

m. If Full, Return To Guideline And Step In Effect

10. Obtain Contamment Hydrogen Concentration Measurement .

11. Record RCS Pressure l

12. Establish Desired RCS Conditions

13. Prepare Coat =in-t For Reactor Vessel Venting  ;

~

14. Determine Maximum Allowable Reactor Vessel Venting Time

15. Review Reactor Vessel Venting Termination Criteria

16. Vent Reactor Vessel

17. Determine If Reactor Vessel Is Full

a. If Not, Return To Step 14

18. Check Pressuruer Level Stable

19. Return To Guideline And Step In Effect i

P18.9-91 W85tingt10USe

e %-4 -4 m.- A. =5 4 A d .,-4 & - 4 < , 34 LJ A e-a-mmh 4_ ..h, 4

sji

• x l

1 l

, - . , -,r

, 3. DESIGN OF STRUCTURES, COMPONENTS, EQUIPMENT AND SYSTEMS ;jiP i Revision: 1 -

9 t

1 1

7D l

l C0 -

l 1

50 -

n

. . 9 @

40 4 n

/

, 30 -

cr i &

' tn i 20 I

10 -

A 1

0 ' ' >

. 0 2 4 0 8 10 12 14 10 18 20

STRAIN (PEPIENT)

)

1 1

Figure 3B-1

, True Stress True Strain Curve for SA376 TP31GLN Stainless Steel at 530 F P30-5 W Westinghouse

.- .,~-- ~ .

.t .s: ~ r5, ,

3. DESIG,N OF STRUCTURES. COMPONENTS,'EQ'UIPMENT AND SYSTEMS j,gli tilj ill O l l

i l

70 l

60 50 - i l

m i m

@ 40 Os v b

u 30 -

5 in 20 10 0

0 2 4 6 8 10 12 14 10 18 20 STRAIN (PERCEtR)

Fi Fure 3112 True Stress True Strain Curve for SA376 TP316LN Stainless Steel at 600* F P3B-6 l 3 Westinghouse i

' o ?{,yp~,te

• g,; c

m. . ...

18. HUMAN FACTORS ENGINEERING Revision: 1 O- Effective: 01/13/94 !Uii ammmmmmmmmmmmmmer i8i!!! 1 1

Table 18.5-1 Design Acceptance Testing: Verification Tests 1 Near Full-Scope, j Part-Task liigh Fidelity 1 Simulator Simulator 2

)

laaluation tri lluman engineering design guidelines

• Confornumce to human engineering guidelines a Review of design attributes of the operations and control center > related to physical characteristics, such as scous- X4 ties, lighting. comfort, communications, and general layout against human engineering design guidelines.

b Dengn attributes of the individual M MIS components, p such as alarm warning systems, panel and workstation

(' layout, visual displays, controls, labels, locating aids, and legibility. X3 lhe human engineenng design guidelines used to establish l perfonnance criteria include the followin'g:

NL' REG 41700. Guidelines for Control Room Design Re-views (Reference 1)

MIL-STD 1472 (Reference 2)

American National Standard for Human Factors Engi- ,

neering of Visual Display Terminals and Workstations (Reference 3)

ASilRAli Standard for Thermal Comfort (Reference 4)

EPRI NP-3659, Human Factors Guide for Nuclear Power Plant Control Room Development (Reference 5).

~

I~Perf$rEce requirements are indicated with a *** Performance measures kre indicated with a *

• 2 Not to be completed for design certification l3 livaluated at design stage I: valuated at construction sts.ge j4 P18.5-1 fw W

Westinghouse 1

_ , . - - - _- . . - ,l 1

e,s. m mu.,p j .

j '.s

-4

$, ry 3, .

2

, 18. HUMAN FACTORS ENGINEERING Revision: 1 ii!!i ii@ Effective: 01/13/94 Table 18.5-2 (sheet 1 of 8)

Design Acceptance Testing: Validation Tests 1 Near Full Scope.

Part-Task High-Fidelity Simulator Simulator 2 1 Detection and Monitoring Evaluation 1. Passive monitoring of wall panel information station X3  !

and workstation displays

• Prompt and accurate overall assessment of plant state and

condition l 1

Succcesful identification of plant state and important indications of plant condition l Task completion time )

Esaluation 2. Directed search for information with the work. X3 1 j station displays based on wall panel information sta-i tion displays

• Retrieval of detailed information from workstation displays t after a cue from wall panel information station j -

Number of displays accessed before retrieving correct display

- Success in accessing the required information t

Task completion time Evaluation 3. Directed search for information within the work- X3 station displays based on a request

• Retrieval of requested information in response to plant condi-tiong

- Number of displays accessed before retrieving correct I

display

- Success in accessing the required information j Task completion time I Performance requirements are indicated with a *** Performance measures are indicated with a *

• 2 Not to be completed for design certification 3 Evaluated at design stage 4 Evaluated at construction stage l

P18*5 2 i

• N Westlngh00Se v 1

4 l

d i

a

. . - - - - p N FWK MN'"E

.w . ,.m l

N

18. HUMAN FACTORS ENGINEERING Revision: 1 .. ..

s Effectivo: 01/13/94 i '

I Table 18.5 2 (sheet 2 of 8)

Design Acceptance Testing: Validation Tests 1 Near Full-Scope.

Part-Task High Fidelity Simulator Simulator 2 Evaluation 4. Maintaining crew awareness of plant condition X3

• Crew awareness of plant condition Accurate operator assessment of plant conditions rele-vant to own responsibilities

- Accurate operator asseument of plant conditions rele.

sant to other's responsibilities

• Effective and ef ficient shift turnover Shift tumover completion time Review of required plant parameters Accurate operator assessment of plant condition

• New person awareness of plant condition Time to review wall panel information station and O workstation displays Accurate operator assessment of plant condition Interptrtation and Plamdng Evaluation 5 Detecting and understanding disturbances using X3 alarms

• Prompt and correct interpretation of alarm messages Operator report of fault and implications Task completion time

• Prompt and correct selection of response: procedure or strategy Successful retrieval of procedure / strategy Pmeedure/ strategy selection time

• Prompt and correct selection of appropriate workstation display Successful retrieval of displays Display selectmn time I

I ' ~l eIfbrn[ance requirements are indicated with a *** Performance measures are indicated uth a *

• 2 Not to be completed for design certification l3 Evaluated at design stage i4 Evaluated at construction stage ,

i p W westinghouse l

........... .......- _ - - w - .

- _- m m == - -- - - --~

~

.yr 7j

.,  : , - ww%.,, %

. .y . g.,

4

18. HUMAN FACTORS ENGINEERING Revision: 1

. ,! Effective: 01/13/94 l.

Table 18.5-2 (sheet 3 of 8)

Design Acceptance Testing: Validation Tests 1 Near Full-Scope, Part-Taak High-Fidelity Simulator Simulator 2 Evaluation 6. Interpretation and planning using workstation dis- X3 plays

= Prompt and correct determination of fault causes identification of equipment misalignments / failures Task completion time

• Prompt and correct determination of fault implications Assessment of potential consequences to operational goals Task completion time Evaluation 7. Interpretation and planning during single-fault X3 eventa using alarms, workstation, wall panel infor-mation station and procedures

• Prompt and co rect interpretation of alarm messages Operator report of fault and implications '

Task completion time ,

• Prompt and correct retrieval of detailed information from workstation regarding alarm message Successful retrieval of required inforrration Information retrieval time Correct operator assessment of cause of fault

• Prompt and correct selection of procedure Successful retrieval of procedure Procedure selection time

• Prumpt and correct selection of controls and displays Successful retrieval of controls and displays

- Control and display selection time

• Prompt and correct assessment of goal threats and goal ,

achievement  !

Operator assessment of goal threats and goal achieve- 1 ment  ;

Task completion time  !

I Performance requirements are indicated with a *** Performance measures are indicated with a *

• 2 Not to be completed for denigr* certification 3 Evaluated at design stage 4 Evaluated at construction stage P18.5-4 W westinghouse  :

( ,

18. HUMAN FACTORS ENGINEERING Revision: 1 '

Effectivo: 01/13/94 f Table 18.5 2 (sheet 4 of 8)

Design Acceptance Testing: Validation Tests 1 Near Full Scope, Part Task Hi_ ridelity Simulator Simui .or2 livaluation 8. Interpretation and planning during multiple-fault X3 events using alarms, workstation, wall panel infor-mation station and procedures

• Prompt and correct identification of immediate actions Successful identification of immediate actions Task completion time

• Prompt and co rect diagnosis of faulta Successful retrieval of required information ,

Infortnation retrieval time )

Operator asessment of cause of fault

• Prompt and correct managemer,t of automatic control sys-

, tems Correct assessment of automatic system performance j relative to operational goals i Correct identification of requirements for and future implications of overriding automatic systems Task completion time

• Prompt and correct prioritiation of conflicting operational goals Operator assessment of goal conflicts and priorities Successful selection of proper procedure or strategy Procedure or strategy selection time relative to plant dynamics

• Prompt and correct selection of controls and displays to initiate response Successful retrieval of contrnis and displays Control and display selection time j

• Prompt and correct assessment of goal status and goal achie-vement I -

Operator assessment of goal threats and goal achieve-ment Task completion time t

1 4 i Performance requirements are indicated with a ***- Performance measures are indicated with a *

• 2 2 Not to be completed for design certification i 3 livaluated at design stage 4 livahtated at construction stage l W WB5tlfigt100SB l

l 4

4 e E

( M. m

.. ., g . .

, ' g d ., , e ' t 4 ,,\, se ,, ' ' g a s I ',

18. HUMAN FACTORS ENGINEERING l Revision: 1 li!" , , , ,Ui!! Eff ectiv e: 01/13/94 1 ..

l l

l Table 18.5 2 (sheet 5 of 8)

Design Acceptance Testing: Validation Tests 1 Near Full-Scope, 4

Part-Task High Fidelity

,  ; Simulator Simulator 2 Evaluation 9. Interpretation and planning by crew during X3 multiple-fault events using alarms, workstation, wall panel information station and procedures

• Effective coordmation and communication of plant status

! information between crew members 4

Successful communication of operator monitoring as-l signments Accurate communication of data regarding plant condi-tion

, Operator assessments of plant condition

• Prompt and correct diagnosis of multiple faults Correct identification of inoperable equipment and as-sessment of causes Task completion time relative to plant dynamics i

• Prompt and correct prioritization of goal challenges l 4 -

Operator nuessment of goal conflicts and priorities  !

Task completion time a Prompt and correct selection of procedure or strategy j - Correct selection of procedure or strategy Procedure selection time relative to plant dynamics i Task completion time l Esaluation 10. Interpretation and planning by crew during severe X3 accidents using technical support center, alarms, workstation, wall panel information station and i procedures

• Prompt and correct diagnosis of plant condition Successful diagnosis of plant condition Time to dispose plant condition j = Prompt and correct evaluation of consequences of attemative j

recovery paths Successful assessment of consequences of recovery paths j -

j -

Time to assess consequences of recovery patha 1

Performance requirements are indicated with a **" Performance measures are indicated with a " "

2 Not to be completed for design certification 3 Evaluated at design stage 4 Evaluated at construction stage P18.5-6 3 Westingtlouse l

l

) ,

. ! ;< 36 A

. w wninw:ri y2suur- vsw'gT=hN3r'Jymmm"#;thm QT rmi

,t 4 y Turn (m;*,y s )

, , e .

i' s 18. HUMAN FACTORS ENGINEERING 4 b

O Revision: 1 F  !!

l Effective: 01/13/94 I ii Table 18.5 2 (sheet 6 of 8)

Design Acceptance Testing: Validation Tests 1 Near Full-Scope. l

. Part-Task High Fidelity Simulator Simulator 2

• Timely and accurate communication of information between l main control room and technical support center (

Accuracy of communicated information

- Currentness of communicated information relative to decision requirements Controlling Plant State livahtation 11. Simple operator paced control tasks X3

• Prompt and accurate execution of control actions specified by procedures Successful retrieval of procedures, displays and con-troln, and execution of actions

( Time to execute control actions A

livaluation 12. Conditional operator paced control tasks X3 I

• Prompt and accurate identification of preconditions, side effects and post <onditions

- Operator anessment Task completion time

• Prompt and accurate execution of control act'ons

- Successful execution of control actions Time to execute control actions livaluation 13. Control using multiple simultaneous procedures X3

• IIfficient and effective use of nested procedures Operator identification of procedures and steps that are in progress Successful execution of nested procedures

- Time to complete nested procedures I Performance requirements are indicated with a *** Performance measures are indicated with a *

• 2 Not to be comple'ed for design certification I livaluated at design stage 4 livaluated at con' truction stage A

W- WestinEhouse

n

, 3,;,. -,y;;

18. HUMAN FACTORS ENGINEERING Revision: 1 .i Effective: 01/13/94 Table 18.5-2 (sheet 7 of 8)

Design Acceptance Testing: Validation Tests 1 l Near Full-Scope.

Part Task liigh Fidelity Simulator Simulator 2

• Efficient and effective use of independent, concurrent proce-dures Operator identification of procedures and steps that are in progrens

- Successful execution of concurrent procedures Time to complete concurrent procedures livsluation 14. Event paced-control tuks X3

• Correct execution of control tasks in pace with event Completion time for control actions relative to require-ments of plant dynamics Successful execution of procedure Evaluation 15. Control tasks requiring crew coordination X3

• Awarenean of control actions of others Operator anessment of tv>erator

actions

• Effective coordination of multiperson control tasks Successful completion of control task Task completion time

• Effective coordination of control actions for independent, concurrent procedures Suce $sful completion of control tasks Task completion time

• Effective allocation of crew member responsibilities in re-sponsc to exceptions

- Successful communication of responsibilities to opera-tors Succcuful completion of task Tek completion time f Performance requirements are indicated with a *** Performance measures are indicated with a *

• 2 Not to be completed for design certification l34 Evaluated at design stage Evaluated at constrv: tion stage j

P18.5 8 W-WB5tingh00Sc

~_ ..-.-. -. -- -  ;- , M 4 p ,atwc,A e .*semva8"948W'/IEdf" O ~I#J' F88' P8'" * ==- * - * * *-d * - *" *

~

,: 7 I

18. HUMAN FACTORS ENGINEERING i Revision: 1 ..

Effective: 01/13/94 .

i i

i Table 18.5-2 (sheet 8 of 8)

Design Acceptance Testing: Validation Tests 1 Near l'ull Scope,

]

High-I'idelity Part-Task

. Simulator Simulator 2 l

Validation of Intcyrsted M MIS 1 lisaluation 17. Integrated M MIS and crew performance X4

• liffective and efficient control of plant - normal operating conditions tnormal includes startup and shutdown)

Task completion time )

Successful completion of tuk

• lif fective and efficient control of plant - abnormal operating conditione Task completion time Successful completion of tuk l

• liffective and efficient control of plant - emergency operat- 1 ing conditions Task completion time Succeuful completion of task ,

l I Erformance I requirements are indicated with a *** Performance measures are indicated with a "

• 2 Not to be completed for design certification l3 livaluated at design stage l4 livaluated at construction stage P18.5 9 l [ WB5tingh0DSe i

gg<g;e> +

<,i;4,;$.j'pyxygngt 4 b,

.g ,.- - -

kr y;sf;(;$d. , s %ey. ,jy;y;l: py'..:.h.

1.9 2. ;' ' -s "'

d

~ ; p r,f,;g,p 1 >/#o;s n." /

g< ,,

. , > n ,,

' i-3 18. HUMAN FACTORS ENGINEERING

'(*' '(([' Revision: 1 0 > "-- Effective: 01/13/94 t

0 2

[Ihis page intentionally blank}

P18.510 3 WB5tingh0USS T

~-

18. HUMAN FACTORS ENGINEERING Hevision: 1 Effective: 01/13t94 l 18.6.4 The Decision Sets Organizatlon Applications of the model are not independent of the Model type of decision maker. De numbec and the nature of the decision makers (human versus automation) cause his model is a nuip of wts of cognitive tasks that other supporting tasks to be required. Hese must also are denanded by the plant. His map acts as an aid to be included because the decision makers have their own

' the human engineering design team, helping them to effect on the various task loading analyses and on the optematically consider, and to include in their design hi hf!S scope determination that come later in the efforts the determination of the appropriate scope of human engineering process. De human engineering AP600 operations and to esamine the differences process is an iterative one, depending on the structure or

' betw een decision sets. His is reflected in the answers organiution of humans, and the results of the human / automation task allocation activity. His model to crucial questions, such as:

is the first place in the design process where the itera-five nature becomes apparent.

• Does a given decision set require execution in real, time, near real time, or non real-time? One of the first places that the effects of the user

• What data must be available to effectively execute behavior / decision making m(xiel can be seen in the decision sets organiation model is in the use of aggre-the decismn set?

• Where must the results of the decision set go? gation/ abstraction as a means of dealing with the com-

• What are the circumstances that cause the activation plexity (both in quantity and content) of the decision sets (Reference 4). %e decision sets organiation model is or need for a given decision set?

How is the decision nuiker made aware that deci. a " decomposition" model. It begins with a high level of f *

( sions are required?

sggregation/ abstraction and then allows the designer to decompose the aggregation / abstraction t i see the rnore Using this decision sets organiation model to elicit detailed decision sets that compnne the lower levels in the model. %ese two ideas, the need to capture the these kinds of questions is the beginning of a cognitive decisions that need to be made and their relationships task analpis.

ne modeler tries to create a model that is not with each other, and the need to organize these deci-interested in whether the decisions are made by humans sions into decomposable sets for easier comprehension, or by automation. It is only interested in capturing the led to the use of a computer-aided software engineering nature of the required decisions, what inputs are re. (CASE) tool to develop the model in a graphical form.

AP600 depicts the decision sets and the associated quired to make them. and where (or to what other decision sets) the results of the decision must go. data graphically, Specifically, the nature of the labeled he model is also independent of the scope of the decision set is captured in the form of the numerical hi hilS. Once the decision mapping process is com. algorithms and comparisons that are required to success- I fully execute the decision set. De definition and plete, the M-h115 designers determine which decisions and which communication links are supported by the contents of the communication links are captured by the M-MIS. De M MIS nwy support certain decisions,but label given to the link in the graphical depiction, ne graphical interface being used has a limited set the output may not be electronic, that is, the M MIS may simply print an appropriately formatted form DIICon* fwf "'Hng a decomposable model. Specifi-containing the required data for communication by other cally, circles are used for representmg a oecompvulk decision set. De label that the modeler gives to the set means. Derefore, the decision sets organiution model attempts to be as complete with regard to the requisite is automatically recorded as an entry for later definition and the tool assigns a unique number to each circk The decisions as possible.

P18.6-1 3 Westingtiouse l

, {lr

18. HUMAN FACTORS ENGINEERING Revision: 1 Eff ective: 01/13/94 tool also checks to see that the decision sets have There are tasks that the Combined License holder must descriptive labels Likewise, the communication or data perform to cairy-out these communications.

transfer links are represented by directed lines with %e circle in Figure 18.6-1 represents the decision either uni or bi directional arrows. The labels given tol sets that are accomplished by the Combined License these knks are automatically entered into a

• data diction- holder relative to plant operations. Decision sets such ary", with similar checks for completeness. as those of a commercial or financial nature, including in the course of building the model, the modeler communications with outside parties interested in these focuses on the decision sets required by the plant subjects, are not included since they are outside of the design. Here are, however, places in the model where scope of the AP600 design.

the decision sets are the result of the fact that humans Figure 18.6-2 further shows that this decision set, are involved in the operations of the plant. He staffing is made up of five decision sets related to the five states requirements for the Al%00 are discuned in of AP600 operation. He dashed lines in Figure 18.6 2 Sectmn 18.7. li is expected that current operating indicate that a ' control

• action needs to take place. in expenences support decision sets resulting from human this case, the control actions are the result of plant involvement and are applicable to the operational tasks conditions being such that the next indicated plant state of the AlWXL Re following example is a piece of the is the appropriate one. He model symbol (vertical bar) model that represents the decision sets and data commu- labeled 'Sg* indicates that a matrix or truth table exist .

nications of the Al%00 De complete model for the that definea the criteria under which the control action Al%00 is not included in this report. Included here is is required. De execution of one of these control a ponion of the model. It in intended to provide a sense actions implies a major shift in the operational objec-of what is included in the model and a sense of how the tives for the plant and, therefore, an implied shift in the model is used n the Ap600 human engineering activi- decision sets, in the decision results receivers, and in the ties need for and the content of their communications; that ,

I Figure 18.6-1 in the highest level diagram in the is, in the cognitive tasks that must be accomplished.

model. It show n the esternal communications context in looking further into the decision set decomposition.

)

which the XYZ utility operates its Al%00. Very few of Figure 18.6-3 shows that the 'Ap600 Emergency these communication links are currently direct electronic Operation

• decision set in Figure 18.6-2 is composed of data links or are planned to be so in the near future. several interrelated decision sets. Included is an in-With the exceptmn of the link to the NRC as described stance of the interrelationship between this decision sets in Clarification of the TMI Action plan Requirements organistion model and the user behavior / decision (Reference 5). these e xternal communicaticas are making model. He user behavior / decision making performed s ia the traditional methods af written letter or model has a component in it related to the anticipated memo, or by telephone, either verbal or electronic and proven need for two separate sets of cognitive task 6 facsimile. Dese communications are usually very to be on going in the control and management of a structured. De two communicating parties have complex real time process, particularly w ben the process reached an agreement about the content and, in a is in a crisis as discussed in Challenges in Socio-Techni-general way, w hat the content means. Often the order cal Systems; Design for the Individual Operator, and in or structure of the data of the communications is includ- Human Factors Evaluation of Control Room Design and ed in the agreement. he communications are so well Operator Performance at TMI-2 (References 6 and 7).

predefined and structured that a form or table is often Dese two sets of cognitive tasks are usually used to allow the completeness of the data and to make discussed from the perspective of human performance in the processes of gathenng and reading the data efficient. real-time process control. Major ponions of the de-P18 G-2 W WB5tingh0tlSB

!. ..u , a i,...- ' '% -' '

18. HUMAN FACTORS ENGINEERING

[nT Revision: 1 V Effectivo: 01/13/94 UII @

Dimemiom of Task Comp!cxity -- De following

• Failure to observe feedback of actions (that is, factors contribute to tha complexity of this activity: monitor that :he action was properly executed; monitor that the action had the desired effect on the

• Complex proceu dynamics (such as, rapid process plai.. parameter, plant process. and goal hierarchy) changes or long lags) may speed constraints on operators and/or require open loop responses

• Failure to keep pace with process dynamics

• Plant parameter values nmy be missing or obscured

• Failure to coordinate and/or communicate with (such as those due to inaccurate sensor readings or other crew members long process lags)

• Failure to monitor autonated systems and take

• Actions of multiple operators may be interdepen- manual intervention when required.

dent, requiring communication / coordination among multiple individuals (such an aanessing plant state, 18.8.2.3.2.4 Mapping of M MIS Resources anticipating future plant state or preventing working to Operator Activities (Model at cron-purposca) of Support)

• Actions may have negat.ve side effects requiring Subsections 18.8.2.3.2.3.1 through 18.8.2.3.2.3.3 anenment of preconditions before action is taken, describe three clanes of operator activities that are and awument of post-conditions and execution of supported by the M MIS and the major cognitive l ) additional actions after the original action is taken. processing steges that underlie these activities. D ese V For example, when tagging out a train or system, subsections identified the scope and boundarien of the the operator must be cognirant of preconditions that tasks to be included in the evaluation of the M-MIS.

must be satisfied before the train or system is taken They also identified the dimensions of task complexity out of operation, such as plant specification require- and human error. This foundation allowi one to tie the ments for plant operability. He operator must also various M-MIS features to tukt. That is. each M MIS be cognirant of post-conditions that result from feature is intended to support human performance in taking the system out of service, such as limits on simple and complex tasks and t. wluce error. In this plant operation and constraints on which additional section, links are drawn between the M MIS features spiems can be taken out of service and automated and the operator activities to show how the M MIS systems may malfunction or fail to keep up with features support control room performance. His proceu dynamic *- supports the development of evaluation issues for testing those relationships. More specifically, the evaluation The following are potential types of hunum error: issues link an activity, one or more M-MIS features, and a performance measure. These are discuned in Failure to chec k preconditions, anticipate side l Subsection 18.8.2.4, M MIS livaluations.

effects and post-condition" he mapping of AP600 M MIS features to operator activities is accomplished by reviewing the rationale for Failure of execution (that is. either an error of each M MlS feature. An understanding of each I omission -- not taking a required action, or an error feature's rationale provides a means for relating it to the of commission -- taking the wrong action or taking human performance model, and through that model, to actions in wrong sequence) the operator activities. Because the design of the j l

P18.811

[

s

\

1 W

WB5dflgt100SB

\j l

- -__-urww - _: C 4,4 p M s.esW.M 6. ---- - I

.- . _ . - . - -- - . . - .. ~ . -- .- - - _. _ -

J

18. HUMAN FACTORS ENGINEERING '

Revision: 1 Effective: 01/13/94 '

1 M-MIS features is not complete. there are limits on the Plant Communications System - De plant com-detail that can be assigned to the model at this time. munications system mids detection and monitoring by

%e following subsections capture the primary links linking crew memben. Communication about current i between the operator activitica that are important for plant status and monitoring of the effects of cor. rol i i

supporting the development of evaluation issues and the actions in facilitated by providing easy and direct M MIS features communication among crew members.

De remaining major M MIS features - hard- i i 18.8.2.3.2.4.1 Detection and Monitoring wired and soft controls, the procedures, and the compact (

] ; workstations - are not tied to supporting detection and Wall Panel Infonnation Station - ne wall panel monitoring, infornution station provides high level information about j the status of safety and availability goals, allowing 18.8.2.3.2.4.2 Interpretation and Planning

, operators to quickly identify violations. He wall panel infornution station also indicates plant operating mode Functionally Organiud Alann System - He alarm and a set of plant parameters that are most important to system aids the operaton in selecting appropriate views l

monitor for that plant mode. His aids operators in of the plant and appropriate procedures for mitigating j monitoring by bnnging together the most meaningful the abnormal event. De alarm system, therefore.

i data m a central location. focuses attention on the abnormalities that are the most useful in selecting a procedure or response ,trategy.

i i l'unctionally Organired Alarm Systun - he value of %e alarm system reduces confusion by subordinating the functionally organized alarm system for detection alarms that are misleading or secondary to the primary and monitoring lies in focusing attention on the most disturbance. It also cues operators to muhiple fault l significant alarms. Herefore, data overlo.d is reduced, situations and/or situations where multiple nafety goals

%e alarm system removes redundant or less meaningful are compromised.

alarms from the met of stanns that are activated.

Workstation Functional and Physical Display s - ne j

Workstation functional and Physleal Displays - De funettonal and physical displays aid situation auenment j overview or summary displays found on the cornpact and planning by encouraging operaton to take a func-workstation serve a role similar to that of the wall panel tionalview of the plant that is tied to the physical view.

information station. He functional and physical dis- he functional view makes explicit information about plays, on the other hand support operators in monitor- the current goal, goal violations, processes required to ing plant data not four d on the wall panel information satisfy the goal. and potential side effects. De intent is station or overview displays. The functional and physi- to provide a tool for planning activities that reduces the cal displays pro $ide detailed infonnation by allowing likelihood that the operator loses sight of the larger l

accen to any parameters through a network of displays picture when engaged in control activities.

that can be obtained by the operator. Rese displays j provide the best indication of data quality (such as failed Procedures - ne procedures created for main control i or unreliable sensors) and the most comp'ete context for room operators fonnalize the set of appropriate control plant data by linking the physical views with the func- actions that are available to achieve safety and availabil-tional views. %ey also support the monitoring of ity Eoals. Dese are the net of actions operators should automated systemt take. De difficulties in using procedures is in selecting i

the most appropriate procedure and in periodically 1

1 P18.8 12 W WB51lfigh0llSO r + x }I .\

e **

. . . 3 . . . . ..jl .. . . .

l

18. HUMAN FACTORS ENGINEERING (n\ Revision: 1 EHective: 01/13/94 l0!I~3N

• Success in accessing r@ed information ment that emulaten the wall panel information station

• Task completion time and workstation hardware. prototypes of the work-station displays and wall panel information station ne criterion for information retrieval is that the displays are used.

l required infornation be successfully retrieved. De  ;

criterion is retrieval of information rather that displays Minimum Test Ecd Requirements:

because a given plant parameter may be presented on  ;

more than a single display. De criterion for task

• Physical form: he displays used in this test are i completion time is defined by the control response representative of the Ap600 display system in ternu l requirements for each of the specific test scenarios. of appearance, including display format. coding i Criteria for task completion times are based on analyses schemes and use of windows. Hardware emulates of plant dynamics for the specine test scenarios. He M MIS equipment in the relevant characteristics in-criterion for number of displays accessed is either a ciuding display size and resolution and config-maximum number of displays or a number of displays uration of the display selection controls.

compared to the shortest possible display navigation path. His criterion is determined by the design of the

• Information content: He information content of workstation display navigation system and is denned individual displays is representative of Ap600 upon the completion of the functional requirements for displays for actual plant conditions. A sufficient set the workstation displays of displays is provided to generate realistic and representative display naviption teks for the test ]

e ) Experimental Manipulatium scenarios.

%./

Dis tcat evaluates display navigations of varying

• Dynamics: Static displays are used. Due to the degrees of complexity for normal, off-normal and brief duration of the nasigation tasks, a dynamic emergency conditions. His is accomplished by varying simulation of the plant is not be required. Display  ;

the operator's starting point in the display space, the animation, such as blinking is used. H e w ork- l type of data that is to be retrieved and the amount of station display selection mechanisms, such as menus time allowed for retrieval. De operator's staning point and display selection buttons, are ope rationa'-

in the display space is defined using scenarios which Response time for display retrieval is accurately represent nornal, abnormal, and emergency conditions, simulated.

De complexity of the navigation task is a function of the location of the required information relative to the Minimum Subject Characteristics (Validation) starting point. Acceptable limits for information retriev-al tirne are defined for each scenario. Subjects are experienced operators w ho have a basic understanding of the Ap600 control requirements. Wey Required Stage of Development of the M-MIS .also have familiarity with the operation of the work-station display system and the wall panel infornation his test is unducted after the design of the station, workstation hardware is completed, the workstation display hierarchy is defined, and a major portion of the workstation displays are developed. His test is con-ducted using a part task simulator consisting of equip-P18.8 21 G W WBS1lflgt10llSe

' ~

' ' 5 rF h e },

-mi ww.sunussemuseum c,wameme-wyngym

1 %

18. HUMAN FACTORS ENGINEERING Revision: 1 n

Effective: 01/13/94

.l j 18.8.2.3.5.1.3 Evaluation Issue 3: Concept Testing Directed Search for Information Within the flypothesis

Workstation Displays Based on a Request The workstation display system supports the opern-tor in efficiently determining the current value of plant Do the w orkstation displays support efficient parameters and processes not represented m the default navigation to locate specific information7 displays.

Releunt Af411S Rnources: Experimental Manipulations

• Workstation display s and display navigation features . l Mam.pulat. ions involve the complex.ity of navigating ,

through the display system. In some cases the required Specific Concerns:

navigation la brief, and in other cases. the most complex navigation is required

+ llow accurately and efficiently can operators, when given a specific request, locate and select the Dependent Measures and Evaluation Critena correct u orkstation display?

This evaluati n usen breadboard designs to inves-What typen of navigation errors are made with the tigate human factors issues related to navigation through workstation displavs?

large sets of displays. Qualitative information is gath.

cred through protocol analysis or debriefing discussions Approach with the subjects. The intention is to identify character-istics of the design concepts that led to confusion.

ne workstation functional and physical displays are errors, and slow or awkward actions by the subject.

naended to support the operator in searching for specific ne f 11 wing bjective dependent measures are  ;

parameter values and other indicators of plant status that also collected:

are not part of the default displays. Din is the case of directed search of the workstation displays. In many

• 11 w many displays are accessed before selecting cases. tM search is directed by a request from a the correct display or displays?

supervism or other technical staff or by a procedure,

• Which displays are selected and in what order (the j I: rom this request. the operator navigates through the navigation path)?

displays to determine the status of the requested process ,

• ne degree to which the relevant mformation is or parameter. nin directed scarch must be efficient and I ##

not detract from other duties, ne intent of this experi-

• ne success in returning from search to a desig-ment is to test operators' ability to do this display nated location navigation and s, election task efficiently with the work- a ne requ red t c mplete the task.

station display system. Subjects are given a parameter or process name and asked to use the workstation mp cat.mns of huhs displays to determine the current value and then retum to the display from which they began. . . .

De purpose of th.is evaluation is to contnbute to the development of functional requirements for the design of 4

i P18.8 22 W WB5110gh0lJS8 by . . t w ..

_. , . . . . . . . ,. ..u, . . , , . _ ,3 , ,

syqr g w a I y.

l

18. HUMAN FACTORS ENGINEERING Revision: 1 ..

Effectivo: 01/13/94 j

• Groups of subjesta to perform the functions of main Requirement: Effective and efficient control of plant control room crew members during emergency operating conditions Measures:

. Subjects or experimentern to perform the functions

• Task completion time of personnel outside of the main control room (such e Successful completion of the taak as the technical support center, emergency off site facility load dispatcher and remotes. Experimental Manipulatiom Subjects use the nimulator to execute operating Test scenarios addrens design-buis events with the procedures for design basis events. Subject decisions recommended staffing of crew members in a full scope, and actionn are analyicd using decision tracing and full-fidelity simulator. Design-basis evenin that were analynin of taak completion time. I'ollowing each previously addressed in the performance testing portions scenario, subjects are debriefed to assess their under- of Evaluations I through 15 may be excluded from this standing of plant conditions and how features of the evaluation.

M MIS contributed to their performance. %e evalua-tion focusen on the influence of the M MIS on operator Required Stage of Development of the M-MIS:

errors and the neverity of theme errors.

%e M MIS design and integration are complete and l'erformance Testing fully implemented with a dynamic plant simulation.

Verification Minimum 'l est !!cd Requirmnents:

His evaluation has no serification tent component. Physical form near full fidelity Infornuttion content - high fidelity Validation Dynamics near full fidelity with dynamic plant simula-tion.

Min test is a validation of the ability of the M MIS to nupport safe operation of the Al%00 plant, including Minimum Subject Characteristics (Validation) mitigation of design basin events.

Subjects are experienced operators who have a itequirement: Elfective and efficient control of plant suitable understanding of the Al%00 control require-during normal operating conditionn ments. Prior to this test, they are trained in the use of Measu res: the M MIS including the organiution and operation of I

• Taak completion time displays, procedures and controls. l

• Successful completion of the insk ]

18.8.2.3.6 Summary of Evaluation Require- '

-I Requirement: Effective and etlicient control of plant j ments and Perf ormance Criteria during abnormal operating conditions Measuren: His verification and validation plan for the Al%00 e Task completion time M-MIS defines evaluations for two phases of the M-MIS

• Successful completion of the tek design process--concept testing and testing. Perfor-mance testing is further defined as verification (analyti-P18.8 73

(^

s W-Westinghouse

_m.,,,,,,m. - . . ._....s l

':y:?@'4:(G i t;L

'i) 1 4

i

18. HUMAN FACTORS ENGINEERING Revision: 1 iij!! !il.i Effective: 01/13/94 cal checks for conformance to functional requirements) j and validation (empirical tests ! compare actual

! rnan-mnchine system performance i ricipated perfor-mance). Verification and validat, evaluations are ,

performed using part-task simulators when practical. '

i nis allows any design modifications that result from these tests to be incorporated into the M MIS design l earlier. ..

i i

t 1

e i

~

. el  !

P18.8 74 W WB5tlngt10llSO

, r% og p. a <

,e'.,,,.

yW

18. HUMAN FACTORS ENGINEERING R^vislin: 1 Effective: 01/13/94

~ CU5 TOWER REQUIREMENTS

,PAST DPERiENCE ANO DECISION MOOEL

._N GULATORY COGNniVE a ocs ,* *****

. CODES ANO GUIDCUNES STHER FUNCT REQUIREMENTS DESIGN

^"

FUFCTIONAL -OPERATING PHILOSOPHY OPERATOR -5TRUCTURE

~ANCILwy GUOEUNES -USER KNOWLEDGE LEVEL

! ACTMTIES J TOTAL MW - CREW STRUCTURE SPECinC OEStGN CONTRC.

ROOM DESIGN FUNCTION BA BASED f~ au,,n,,,SIS ~

c TASK 's CONTROL C' "' as ANALYSIS ROOM __ mmmo w'55<a5

, , , , , FUNCTIONAL __ SUBSYSTEM

_____.__ _j GUOEUNCl C', OPE M10$n ANALYSIS DESIGN a muw wen tau mscarros BASIS SUBSYS ouim acs NE" ~ % FUNCTIOP

[',,, ,

Q'**

twenoNs uca mrroRAma neo m s's N SGaaAss REQUIRElAl'

. ,, ,,o CL*11WA 5

""'8 # CUWWUwCATION3 No OSPLAY SYS DE3t3m BA&ts -

GWR t ease 3 "DI Sub SYSTIM TAMl CPfMATwo s rage W W150ts4N hs At. Anus TR4we=0 TASN M OCA M & SJPPORI HLQ O SPLAYS auoti set t *dN PfEEEDURES DESaGN SAS15 pmg NM MAE WALL MiWIC MI HfKWN5 iMrC 77WNING M $8CN M383 iFWMNG wh int

• SicurtTY REQ PROCEN nt$

MALL Wausc DE 3GN MSr3 PM3 auk 4 tint 96OR

>N f(QM'pe O' S 8Y M FUW PM9 M SeGN MS S.A%vi11 W 5 ALAAM3 D& PLAYS CONTROLS WALL uruc TRAlmNG Pf0CENRES PMS DESIGN INTEGRATION BY DESIGN ITERATION AND VE W WestinEhouse

4. s

.a--. - e- -a - -

' , ?gf;"t3*[~[g{-:-rs

?ly L 'i'sM J. . . . ...

, L " [, 4 }{ U

..e il.

_ ~ _

I dETRfC ECONowC TFASmiUTY HARDWARE $ ELECTION

-- SOrTWARE ARCHITECTunE IM I.

WORKST ATION D( SGN

'AL .

}_ CRITER;A NTS I

... MT LANT

~A WORKSTATION '.i i

_.! CONStIWNTS

,, IAYOUT j l CONTROL l N ROOM i i t$w $$u '

{i LAYOUT DESIGN e stAi m m son s m

$14fC w

i INCLUDfNG %d WRDWARE l EtMRONMENT AND om neo L- SOFBVARE m.yn,w me,o sw '%  % MAN MACHINE

• ^^"8 DSMA4 INTERFACE ct,,f Ras OESIGN

• "*'e TRAsa ng INTEGRATION I PTAX DURE S j

9Aus wCA .AMAlf DRAMNi$

WCA 3LSsCm $PEC (NVWOMW(WT 91FICATION bb*"'

Figure 18.8.2-1 Control Room Design Process Showing Overall Sequence P 18.8-77

. . - ~

e h , #

=,. j .e .- .s*

W.

e 8f . r$ . -

$g0A , . e p g

-- - . - - - _ ~ - - - . . _ . . _ - . _ _. - . - . . . . .

_ - - - - . _ . . < , . ~ _ _ . , , _ , _ . , , _ _ _ _ . _

18. HUMAN FACTORS ENGINEERING Revision: 1 E ff ec tiv e: 01/13/94

~

I l

1 i

18.9.2.4 Alarm System Design Basis 18.9.2.4.1 Safety Classification i The alarm system is not a mafety Class 111 system 1 The alarm system is a monitoring sy stem required to be operating for normal plant conditmns The sy stem is not required for post accident management or mitigation, as indicated in Reg. Guide 197. not is it required with respect to ANS 4.5 (Refer n:e 2)

Those elements of the alarm sy stem that. by their destruction under sa fe shutdow n earthquake (SSin conditions could cause danuge to other eqaipment or injury to personnel in main control room are structurally qualified to meet a SSE lhe alarm sy stem should not P18.9 7 l

W westingtwuse 1

4 y, s

18. HUMAN FACTORS ENGINEERING Revision: 1

g. g Ef f ective: 01/13/94 i  !

be the cause of danuge to safety related plant equipment Engineering (Reference 3)). De second is the as a result of the SSI:. capability for the operator to interrogate the alarm system with regard to the inputs and mechanisms that 18.9.2.4.2 Environmental Conditions it used to conclude that an alarm message criteria is or is not currently valid.

Since the alarm system is r.ct a safety system, no he M MIS is comprised of three elements. Two of special requirements exist for the protection of its these elements are visual and the third is auditory. He components against adserve environmental conditions. reasons are as follows:

The :) stem n designed to operate in the same environ-ment where it n physically located during the plant * %e objective of an alarm syste n is to alert the conditmns for which the system is required to operate, human staff responsible for the nutnagement and he mystem in capable of operating within its control of the plant to the fact that some portion of performance limits when exposed to the input voltage the plant br.J deviated from its expected operating and frequency transients typical of the electrical buses envelope, by which it is powcred he alarm sy stem componerts and the wiring is not

• Industrial experience with modern computer sys-a source of fire tems has been that potential users have declined to use a system if there is no confidence in the com-18.9.2.4.3 Alarm / Status Message Presen. poter system, because they cannot understand what the system did to arrive at its results. His experi-tation (Visual and Audio) ence has been thoroughly explored in the applica-ti n of " Expert Systems" to industry ne alarris system supports a number of plant staff members

• Re extensive history of alarm systems in the industrial process control industry has shown that

• Mam control room area operators auditory accompaniment of alarm messages is very

• Technical support center staff helpful in alerting the hunun operating staff (that

• l'lant operation management staff ften has other tasks or diversions included in their

• Site specific interface (as needed). .,

g activities) to the fact that an abnonnal condition or alarm exists. He audible alarm directs that staff's herefore. the alarm system has a user interfilee at attention to the visual portions of the alarm system least m the following plant areas: I, j to investigate the abnormality.

• Main control room area he fou wing c nelusi ns are nuule regarding the

• Remote shutdown room A alann system:

+ lechmtal support center

+ Site specific mterface tas needed). * %c spatial dedication (a specific and permanent I cation for particular messaFesh found in tradition. l he man-machme interface portion of the alarm al light box annunciator systems, should be mam-nystem supports two operatur netnities. ne first is the tained to the degree possible in the design of the presentation to the operator of plant abnormalities in alann system. Operators have found that they learn support of the

• Alert" step in the human deci on- the message location relationsh.ip rather easily and.

nuking process tinfontution Proccasing and Hu -

therefore, can get a quick understanding of the Machme Interaction. An Approach to Cognitive P18.9 8 3 WB5tlngt10tlSB

=- - .. mnl

ll

18. HUMAN FACTORS ENGINEERING Revision: 1 m!i! Effective: 01/13/94 a

e

\ ._

i ep 18.9.8.1 Development of the Emergency Operating Procedures The emergency operating procedures (liOPu for !he AP600 design define the actions required by the plant operating staff during emergency conditions lhe main purpose of the EOPs is to provide guidance to the operators for the prevention or mitigation of the conse-quences of emergency conditions lhese procedures include automatic actions that occur in the event of an emergency, operator actions to help present or mitigate the consequences of an emergency, and operator actions necessary to stabilize the plant condition. I! ops provide a conservative course of action for the operator and are flexible enough to accommodate sananens P18.9 30 W85tlngt10USB i

_