ML20197A412
ML20197A412 | |
Person / Time | |
---|---|
Site: | NuScale |
Issue date: | 06/19/2020 |
From: | Bergman T NuScale |
To: | Office of Nuclear Reactor Regulation |
Cranston G | |
References | |
NUSCALESMRDC, NUSCALESMRDC.SUBMISSION.12, NUSCALEPART02.NP, NUSCALEPART02.NP.5 | |
Download: ML20197A412 (80) | |
Text
NuScale Standard Plant Design Certification Application Chapter Eighteen Human Factors Engineering PART 2 - TIER 2 Revision 4.1 June 2020
©2020, NuScale Power LLC. All Rights Reserved
COPYRIGHT NOTICE This document bears a NuScale Power, LLC, copyright notice. No right to disclose, use, or copy any of the information in this document, other than by the U.S. Nuclear Regulatory Commission (NRC), is authorized without the express, written permission of NuScale Power, LLC.
The NRC is permitted to make the number of copies of the information contained in these reports needed for its internal use in connection with generic and plant-specific reviews and approvals, as well as the issuance, denial, amendment, transfer, renewal, modification, suspension, revocation, or violation of a license, permit, order, or regulation subject to the requirements of 10 CFR 2.390 regarding restrictions on public disclosure to the extent such information has been identified as proprietary by NuScale Power, LLC, copyright protection notwithstanding. Regarding nonproprietary versions of these reports, the NRC is permitted to make the number of additional copies necessary to provide copies for public viewing in appropriate docket files in public document rooms in Washington, DC, and elsewhere as may be required by NRC regulations. Copies made by the NRC must include this copyright notice in all instances and the proprietary notice if the original was identified as proprietary.
TABLE OF CONTENTS NuScale Final Safety Analysis Report Table of Contents Tier 2 i
Revision 4.1 CHAPTER 18 HUMAN FACTORS ENGINEERING.................................. 18.0-1 18.0 Human Factors Engineering - Overview..................................... 18.0-1 18.1 Human Factors Engineering Program Management.......................... 18.1-1 18.1.1 Human Factors Engineering Program Goals and Scope...................... 18.1-1 18.1.2 Human Factors Engineering Team and Organization........................ 18.1-4 18.1.3 Human Factors Engineering Process and Procedures........................ 18.1-5 18.1.4 Tracking Human Factors Engineering Issues................................ 18.1-7 18.1.5 Human Factors Engineering Technical Program............................. 18.1-9 18.1.6 References................................................................ 18.1-9 18.2 Operating Experience Review.............................................. 18.2-1 18.2.1 Objectives and Scope...................................................... 18.2-1 18.2.2 Methodology.............................................................. 18.2-2 18.2.3 Results.................................................................... 18.2-6 18.2.4 References................................................................ 18.2-7 18.3 Functional Requirements Analysis and Function Allocation.................. 18.3-1 18.3.1 Objectives and Scope...................................................... 18.3-1 18.3.2 Methodology.............................................................. 18.3-1 18.3.3 Results.................................................................... 18.3-5 18.3.4 References................................................................ 18.3-5 18.4 Task Analysis.............................................................. 18.4-1 18.4.1 Objectives and Scope...................................................... 18.4-1 18.4.2 Methodology.............................................................. 18.4-2 18.4.3 Results.................................................................... 18.4-6 18.4.4 Reference................................................................. 18.4-6 18.5 Staffing and Qualifications................................................. 18.5-1 18.5.1 Objectives and Scope...................................................... 18.5-1 18.5.2 Methodology.............................................................. 18.5-1 18.5.3 Results.................................................................... 18.5-3 18.5.4 References................................................................ 18.5-4 18.6 Treatment of Important Human Actions..................................... 18.6-1 18.6.1 Objectives and Scope...................................................... 18.6-1 18.6.2 Methodology.............................................................. 18.6-1
TABLE OF CONTENTS NuScale Final Safety Analysis Report Table of Contents Tier 2 ii Revision 4.1 18.6.3 Results.................................................................... 18.6-4 18.6.4 References................................................................ 18.6-5 18.7 Human-System Interface Design............................................ 18.7-1 18.7.1 Objectives and Scope...................................................... 18.7-1 18.7.2 Methodology.............................................................. 18.7-1 18.7.3 Results................................................................... 18.7-11 18.7.4 References............................................................... 18.7-12 18.8 Procedure Development................................................... 18.8-1 18.9 Training Program Development............................................ 18.9-1 18.10 Human Factors Verification and Validation................................. 18.10-1 18.10.1 Objectives and Scope..................................................... 18.10-1 18.10.2 Methodology............................................................. 18.10-1 18.10.3 Results..................................................................18.10-14 18.10.4 References..............................................................18.10-14 18.11 Design Implementation................................................... 18.11-1 18.11.1 Objectives and Scope..................................................... 18.11-1 18.11.2 Methodology............................................................. 18.11-1 18.11.3 Reference................................................................ 18.11-3 18.12 Human Performance Monitoring.......................................... 18.12-1
LIST OF TABLES NuScale Final Safety Analysis Report List of Tables Tier 2 iii Revision 4.1 Table 18.1-1:
Human Factors Engineering Program and Design Activity Milestones......... 18.1-10
LIST OF FIGURES NuScale Final Safety Analysis Report List of Figures Tier 2 iv Revision 4.1 Figure 18.1-1:
Overview of Human Factors Engineering Program Process................... 18.1-11 Figure 18.7-1:
NuScale Main Control Room Layout......................................... 18.7-13
NuScale Final Safety Analysis Report Human Factors Engineering - Overview Tier 2 18.0-1 Revision 4.1 CHAPTER 18 HUMAN FACTORS ENGINEERING 18.0 Human Factors Engineering - Overview This chapter describes the human factors engineering (HFE) program for the NuScale Power Plant. The HFE program utilizes proven technology and incorporates accepted HFE standards and guidelines including the applicable guidance provided in NUREG-0711, Revision 3.
The HFE program incorporates 12 HFE elements under four general activities in NUREG-0711:
planning and analysis
HFE program management
operating experience review
functional requirements analysis and function allocation
task analysis
staffing and qualifications
treatment of important human actions design
human-system interface design
procedure development
training program development verification and validation
human factors verification and validation implementation and operation
design implementation
human performance monitoring Section 18.1 describes the plan for the management of the overall HFE program. Sections 18.2 through 18.12 describe the remaining elements of the HFE program. These sections demonstrate that the HFE program is:
developed by a qualified HFE design team, using a comprehensive HFE program plan derived from proven HFE studies and analyses that provide complete and accurate results documented using software that allows consistent application of the HFE analysis results to the human-system interface (HSI) design, procedure development, and training program development designed via proven technology incorporating accepted HFE standards and guidelines evaluated with a thorough V&V test program implemented such that it effectively supports operations
NuScale Final Safety Analysis Report Human Factors Engineering - Overview Tier 2 18.0-2 Revision 4.1 monitored during operations to detect changes that have the potential to impact human performance The design implementation (see Section 18.11) is performed in accordance with the associated inspections, tests, analyses, and acceptance criteria (ITAAC). ITAAC and requirements for their closure are discussed in Section 14.3.
NuScale Final Safety Analysis Report Human Factors Engineering Program Management Tier 2 18.1-1 Revision 4.1 18.1 Human Factors Engineering Program Management The program management element of the human factors engineering (HFE) program ensures that the HFE principles are effectively incorporated into the development, design, and evaluation of the human-system interface (HSIs), procedures, and training program. This section addresses the following aspects of the program management plan:
HFE program goals and scope HFE team, member qualifications, and organization HFE process and procedures HFE issues tracking HFE technical program Section 18.1.1 through Section 18.1.5 provide a summary of these aspects of the plan. A more detailed description of the program management plan is contained in the Human Factors Engineering Program Management Plan (Reference 18.1-1).
18.1.1 Human Factors Engineering Program Goals and Scope 18.1.1.1 Human Factors Engineering Program Goals The HFE program is designed utilizing a human-centered approach. The program's primary goals are to ensure that tasks are performed in accordance with the defined performance criteria and within the required time frame.
ensure that HSI, procedures, staffing and qualifications, training, management, and organizational arrangements support a high degree of personnel performance and situation awareness.
support personnel in maintaining vigilance over plant operations and provide acceptable workload levels.
minimize personnel errors and enhance error detection and recovery capability.
As the HFE program develops, the program objectives are further defined and used as the basis for HFE tests and evaluations.
18.1.1.2 Assumptions and Constraints The assumptions and constraints used as inputs to the HFE program reflect the following aspects of the NuScale Power Plant design:
Passive Features Nuclear steam supply system is integrated in the reactor vessel to eliminate large bore piping.
Reactor coolant flow is by natural circulation to eliminate the need for reactor coolant pumps.
NuScale Final Safety Analysis Report Human Factors Engineering Program Management Tier 2 18.1-2 Revision 4.1 Safety systems are designed with passive and fail-safe features.
Decay heat removal to the ultimate heat sink is without the use of pumps or the need for electric power.
No operator actions are necessary for a minimum of 72 hours8.333333e-4 days <br />0.02 hours <br />1.190476e-4 weeks <br />2.7396e-5 months <br /> following a design basis event.
Modular Design Operation of the first unit may begin before construction of successive units is complete.
Refueling of individual units may occur with others on line.
Limited number of shared systems may be shared by up to 12 units.
Up to 12 units may be controlled from a single main control room (MCR).
High Degree of Automation HSIs support monitoring and management of automated actions and sequences by the operator.
Steady state routine operating tasks are automated to the extent that human interactions to start, stop, or abort automated sequences do not distract the operator.
Shutdown functions are automated to the extent that one operator at the controls can maneuver a unit from power operations to safe shutdown within a short period of time.
Most operability surveillance tests are sequences initiated by operators or executed by automation.
Administrative tasks are integrated into an electronic information and records management system that is available to operators.
Computer-based procedures for normal, abnormal, and emergency operations and alarm response are text-based.
Main Control Room Operators The staffing evaluations are based on activities performed by licensed control room operators. Staffing analysis for maintenance or refueling activities, activities completed by craft and technical personnel (i.e., mechanical, electrical, or instrumentation and controls maintenance; health physics; chemistry; engineering; or information technology), or activities associated with the technical support center, emergency operations facility, operations support center, or any other emergency response facilities are included only if they are determined to impact licensed operator workload.
When licensed operator workload is impacted, then the area of concern is analyzed to a degree sufficient to quantify the impact to licensed operator workload or staffing, and develop any HSI or staffing adjustments required to address the specific task and associated staffing requirements.
NuScale Final Safety Analysis Report Human Factors Engineering Program Management Tier 2 18.1-3 Revision 4.1 Analysis of the numbers and qualifications of non-licensed operator personnel, including technicians and maintenance staff, are the responsibility of a NuScale Power Plant licensee.
18.1.1.3 Human Factors Engineering Program Duration The HFE program is in effect from the start of the plant conceptual design through completion of startup testing. After plant turnover to the owner, a human performance monitoring (HPM) program is established by the owner to maintain the HFE program design data and appropriate processes throughout the life of the plant. The HPM program is an element of the HFE program and is discussed in Section 18.12.
18.1.1.4 Applicable Facilities The scope of the NuScale HFE program includes the MCR and the remote shutdown station (RSS). The HSI of the technical support center, the emergency operations facility, and local control stations are derivatives of the MCR human-system interface.
18.1.1.5 Applicable Human-System Interfaces, Procedures, and Training The HSI design inputs and interfaces include the following:
operating experience review functional requirements analysis (FRA) and function allocation task analysis staffing and qualifications (S&Q) treatment of important human actions (TIHAs) concept of operations instrumentation and controls systems design system requirements HSI style guide The HFE program supports procedure and training program development for normal operating, abnormal operating, emergency operating, alarm response, and accident management activities performed or supervised by operational personnel.
The HFE program provides inputs to the training programs for the personnel identified in 10 CFR 50.120 as appropriate.
18.1.1.6 Applicable Operations Personnel The HFE program analyzes and defines the minimum number and qualifications of licensed control room operators. This is further described in the staffing and qualifications element of the HFE program (Section 18.5).
NuScale Final Safety Analysis Report Human Factors Engineering Program Management Tier 2 18.1-4 Revision 4.1 18.1.1.7 Effects of Modifications on Personnel Performance The HFE design process evaluates the effects of plant modifications, performed prior to completion of startup testing, on personnel performance, HSI design, procedures, and training. After completion of startup testing and turnover, the licensee institutes an HPM program (see Section 18.12) to evaluate impacts on human performance going forward.
18.1.2 Human Factors Engineering Team and Organization 18.1.2.1 Human Factors Engineering Team Responsibility The HFE team is responsible for developing HFE implementation plans (IPs), procedures, and results summary reports (RSRs).
ensuring HFE activities comply with the HFE plans and procedures.
scheduling and overseeing HFE activities in HFE design, development, test, and evaluation, as appropriate, and verifying that the team's recommendations are implemented.
reviewing relevant documents produced by other engineering disciplines from an HFE perspective.
initiating, evaluating, resolving, and maintaining tracking records for HFE issues noted during design activities for the engineering disciplines (Section 18.1.4).
18.1.2.2 Human Factors Engineering Organizational Placement and Authority The HFE team consists of a core group of human factors engineers with formal HFE training, experienced operators, and simulator engineers reporting directly to the HFE supervisor. The HFE team also includes a broader group of members from design engineering organizations such as system engineering, probabilistic risk assessment, safety analysis, and design engineering. The broader team members do not report directly to the HFE supervisor; instead, theyre distributed throughout the design organization and represent available expertise to the core HFE group on an as-needed basis.
The HFE supervisor reports to an operations manager who in turn reports directly to a vice president of operations.
Each of the HFE elements--operating experience review, FRA and function allocation, TA, S&Q, TIHA, HSI, and human factors verification and validation--has a team lead who is responsible for managing the activities of the associated element. The HFE supervisor has ultimate responsibility for scheduling and overseeing various HFE activities and is the owner of the human factors engineering issue tracking system (HFEITS) database.
The HFE supervisor or other members of the HFE team elevate HFE issues within the management chain as necessary utilizing appropriate NuScale programs and tools.
NuScale Final Safety Analysis Report Human Factors Engineering Program Management Tier 2 18.1-5 Revision 4.1 18.1.2.3 Human Factors Engineering Design Team Composition As described earlier, the HFE design team consists of personnel from multiple disciplines. The qualifications of the personnel are in accordance with Appendix A of NUREG-0711.
The HFE design team has over 500 years of combined experience in the operation of commercial and Navy nuclear power plants.
18.1.2.4 Human Factors Engineering Design Team Staffing The HFE supervisor assigns the team members to HFE activities across various elements of the HFE program in accordance with their expertise.
18.1.3 Human Factors Engineering Process and Procedures 18.1.3.1 General Process and Procedures The process through which the HFE team executes its responsibilities is described in this section. The HFE supervisor assigns personnel from throughout the organization to the HFE team in such a way that the needed expertise, knowledge, and experience are applied to the activities of each HFE program element. The HFE supervisor has the ultimate responsibility for assigning HFE tasks to members of the HFE team and supervising them during their performance of the tasks.
scheduling and overseeing various HFE activities.
reviewing and approving HFE team products.
making management decisions related to HFE activities.
design of MCR equipment and control of design changes to MCR equipment.
While the HFE supervisor is responsible for the design of MCR equipment and for controlling changes, design engineering is responsible for the design of HSIs throughout the plant. Design changes to HSI and other equipment that have major input from HFE are governed through a design change process.
Where design decisions require input from multiple organizations, the HFE supervisor may elevate HFE issues within the management chain utilizing NuScale tools and programs including HFEITS, the design decision procedure, design review boards, and the corrective action program.
Any member of the HFE team may identify problems and propose solutions using the HFEITS tool. The HFE supervisor has authority to make decisions regarding resolution of HFEITS items, including human engineering discrepancies (HEDs).
NuScale Final Safety Analysis Report Human Factors Engineering Program Management Tier 2 18.1-6 Revision 4.1 18.1.3.2 Process Management Tools The HFE activities are conducted in accordance with the Quality Assurance Program (Section 17.5), as applicable, and subordinate plans and procedures, including design control processes. The design process includes provisions to control design inputs, outputs, changes, interfaces, records, and organizational interfaces within the organization and with suppliers. These provisions ensure that design inputs are correctly translated into design outputs so that the final design output can be related to the design input in sufficient detail to permit verification.
Design change processes and the division of responsibilities for design-related activities are detailed in procedures. The design control program includes interface controls necessary to control the development, verification, approval, release, status, distribution, and revision of design inputs and outputs. Design changes and disposition of nonconforming documents are reviewed and approved by applicable design organizations or by other authorized supplier organizations.
18.1.3.3 Integration of Human Factors Engineering and Other Plant Design Activities The HFE design process is iterative, and the design activities are integrated. The iterative design process includes review and feedback from other engineering and design groups. Figure 18.1-1 provides an overview of the HFE process and illustrates the HFE program's integration into the design process through HFEITS. The figure also depicts the iterative nature of the HFE design process.
Reference 18.1-1 contains details on the HFE team integration into the iterative design process.
18.1.3.4 Human Factors Engineering Program Milestones Table 18.1-1 shows the relationship of HFE program elements to the design and licensing phases, and general plant design activities.
The project schedule, including HFE milestones, is integrated into the overall project design development schedule.
18.1.3.5 Human Factors Engineering Documentation An IP is prepared for each HFE element, with the exception of the procedure development, training program development, and HPM elements, and submitted for NRC review. The IP for a given element describes the methodology for conducting that element.
Upon completion of the associated HFE activities, RSRs are prepared for the following HFE elements:
operating experience review (Section 18.2)
FRA and function allocation (Section 18.3) task analysis (Section 18.4)
NuScale Final Safety Analysis Report Human Factors Engineering Program Management Tier 2 18.1-7 Revision 4.1 staffing and qualifications (Section 18.5) treatment of important human actions (Section 18.6)
HSI design (Section 18.7) human factors verification and validation (Section 18.10)
The RSRs for these elements, with the exception of the human factors verification and validation RSR, contain the results and the latest methodology, and supersede the previously-submitted IPs. Since the human factors verification and validation RSR will be completed after the initial DCA submittal, the human factors verification and validation IP will remain a standalone document. As a result, the human factors verification and validation RSR will not contain a methodology section but will simply reference the IP. The RSRs contain sufficient detail to demonstrate that the results were derived from implementing the methodology. The RSR scope is in accordance with the applicable guidance of NUREG-0711.
The HFE documents that support the design are quality records and are retained in accordance with the quality assurance program (Section 17.5). The HFE documentation includes design verification checklists, HFEITS records (see Section 18.1.4), HFE element IPs, RSRs, and applicable documentation identified in the IPs and RSRs.
18.1.3.6 Subcontractor Human Factors Engineering Efforts Subcontractors may be utilized in the HFE program. The HFE team verifies that any subcontractor performing HFE activities is properly trained and complies with the quality assurance program and the applicable subordinate plans and procedures. The quality assurance organization verifies that the subcontractors conduct work in accordance with the quality assurance program or the subcontractor's quality assurance programs, as approved and contracted.
18.1.4 Tracking Human Factors Engineering Issues 18.1.4.1 Availability of Human Factors Engineering Issue Tracking System If identified HFE issues cannot be immediately resolved, they are included and tracked in the HFEITS database, which is available to the HFE team members. HFE issues may include recognized industry HFE issues, HEDs identified during HFE design, and issues identified throughout the life cycle of the HFE program. Details on the HFEITS process are contained in Reference 18.1-1.
18.1.4.2 Human Factors Engineering Issue Tracking Method Identified HFE issues that cannot be immediately resolved are entered into the HFEITS database and assigned a unique tracking number. Supporting documentation in electronic format is attached to the database item. The issue is screened and evaluated for potential degradation in human performance. Issues that are found to not degrade human performance are either closed or transferred to more appropriate corrective action processes.
NuScale Final Safety Analysis Report Human Factors Engineering Program Management Tier 2 18.1-8 Revision 4.1 For the HFE issues that are found to degrade human performance, proposed corrective action to resolve each issue is identified and assigned. Schedules for the overall evaluation or for each corrective action are established by the HFEITS administrator.
Issue close-out and transfer with proper documentation is approved by both the HFEITS administrator and the HFE supervisor. The HFE supervisor may obtain support from the HFE team to resolve and approve the closure of items in the HFEITS database.
18.1.4.3 Documentation of Human Factors Engineering Issues For each identified HFE issue, the following information is documented in the HFEITS:
issue identification date any supporting information, such as attachments documenting the issue assigned issue owner and evaluator whether or not the issue involves an HED proposed issue resolution HFE team acceptance or rejection and detailed justification detailed description of issue resolutions actions taken affected document(s) 18.1.4.4 Responsibility for Tracking Human Factors Engineering Issues The HFE team members are responsible for identifying, logging, evaluating, and tracking HFE issues to resolution.
The HFE supervisor has the overall responsibility for administering and managing HFEITS. This includes oversight of HFE issue tracking, approval of HFE issue resolution, and approval of changes to issue resolution schedule.
The HFEITS administrator is responsible for managing the software component of the HFEITS database. This includes database security management, maintenance of hardware and software, controlling changes to database, and tracking the issue resolution and corrective actions.
The issue evaluator is responsible for identifying the extent and significance of the identified HFE issues, and providing recommendations for issue owner assignment, corrective actions, and issue resolution schedule.
The issue owner is responsible for resolving the issues, updating HFEITS with proposed or completed actions, and updating design documentation where appropriate.
An HFEITS review committee is responsible for verifying that the HFEITS issues and HEDs are resolved before final closure. Details on the HED resolution process are provided in Reference 18.1-1.
NuScale Final Safety Analysis Report Human Factors Engineering Program Management Tier 2 18.1-9 Revision 4.1 18.1.5 Human Factors Engineering Technical Program 18.1.5.1 Applicability and Status of Human Factors Engineering Elements In addition to the HFE program management plan addressed in Section 18.1, the other elements of the HFE program outlined in NUREG-0711 and listed in Section 18.0 are applicable to the HFE program. These other elements are described in Section 18.2 through 18.12. Figure 18.1-1 provides an overview of the HFE process, including primary inputs to the process and the HFE program's integration into the design process through HFEITS.
18.1.5.2 Human Factors Engineering Activity Completion Schedules The HFE activity completion schedules are addressed in Table 18.1-1.
18.1.5.3 Standards and Specifications The HFE standards and specifications, which are sources of HFE requirements imposed on the design process, are identified in the quality assurance program description (refer to Section 17.5).
18.1.5.4 Human Factors Engineering Facilities, Equipment, Tools, and Techniques Section 18.1.1.4 addresses the facilities that are part of the HFE program scope. Tools and techniques used to support the HFE program elements include design guidelines.
design verification checklists.
low fidelity aids such as mock-ups (computer-aided drawings or physical representations of HSI).
unit simulator (capable of supporting single-unit HSI, training, and procedure evaluation and analysis but having little or no shared or multi-unit simulation capability).
multi-unit control room simulator (capable of supporting single, shared, and multi-unit HSI, as well as training, procedure, and S&Q analysis).
relational requirements management software (e.g., DOORS).
18.1.6 References 18.1-1 NuScale Power, LLC, "Human Factors Engineering Program Management Plan,"
RP-0914-8534, Rev. 4.
18.1-2 U.S. Nuclear Regulatory Commission, "HFE Documents for the NuScale DCD (sic) Application," [Table], April 11, 2016, Agencywide Documents Access and Management System (ADAMS) Accession No. ML16034A181.
NuScale Final Safety Analysis Report Human Factors Engineering Program Management Tier 2 18.1-10 Revision 4.1 Note 1: In accordance with Reference 18.1-2, verification and validation RSR is to be submitted prior to start of Phase 4 of the NRCs review of the design certification application.
ANSI = American National Standards Institute COL = combined license DCD = Design Control Document HFE = human factors engineering IP = implementation plan PRA = probabilistic risk assessment RSR = results summary report S&Q = staffing and qualifications SSC = structures, systems, and components Table 18.1-1: Human Factors Engineering Program and Design Activity Milestones HFE and Design Activities Activity Milestones Type of activities Activities DCD COL activity (prior to fuel load)
HFE element evaluation Operating experience review (RSR)
X Functional requirements analysis and function allocation (RSR)
X Task analysis (RSR)
X Staffing & qualifications (RSR)
X Treatment of important human actions (RSR)
X Human-system interface design (RSR)
X Procedure development X
Training program development X
Verification & validation (IP)
X Verification & validation (RSR)
X (Note 1)
Design implementation X
Human performance monitoring X (on-going)
Plant design activities PRA - Chapter 19 Level I & II PRA (all modes/all hazards)
X Chapter 15 safety analyses X
Physical plant layout X
X (site specific)
Simulator development X (sufficient to support S&Q RSR)
X (ANSI 3.5)
SSC design X
X SSC testing X
NuScale Final Safety Analysis Report Human Factors Engineering Program Management Tier 2 18.1-11 Revision 4.1 Figure 18.1-1: Overview of Human Factors Engineering Program Process
NuScale Final Safety Analysis Report Human Factors Engineering Program Management Tier 2 18.1-12 Revision 4.1 Figure 18.1-1: Overview of Human Factors Engineering Program Process (continued)
Points 1 through 21 identified in Figure 18.1-1 are defined as follows. A more detailed definition is provided in Reference 18.1-1.
Point 1 illustrates the HFE program's integration into the design process through HFEITS.
Point 2 (not represented) impacts the interdisciplinary review process.
Point 3 represents the resolution of HFE issues within the HFE program.
Point 4 represents OE input to the HFE program.
Point 5 represents the OE that may be applicable but requires further investigation.
Point 6 represents the collective input of HFE issues into HFEITS.
Point 7 represents the issues entered into HFEITS that contain some action or issue resolution outside of the HFE program.
Point 8 represents the facet of subject matter experts input to the HFE program.
Point 9 represents direct input of TIHA to the functional requirements analysis and function allocation (FRA/function allocation).
Point 10 represents direct input of TIHA to task analysis.
Point 11 represents the availability of FRA/function allocation results.
Point 12 represents the results of task analysis, which, along with influence of the concept of operations, are inputs to the staffing and qualification analysis.
Point 13 represents the working results of the HFE program analysis elements that shape the development of HSI, procedures, and training.
Point 14 represents the iterative design and development of HSI.
Point 15 represents the HSI design maturation from development to HFE verification and validation.
Point 16 represents the iterative feedback from the HFE verification and validation element to the treatment of important human actions and to the iterative development processes for HSI, procedures and training.
Point 17 represents the iterative development of operating, alarm response, abnormal and emergency response procedures.
Point 18 represents the procedure development maturation and transition to HFE verification and validation.
Point 19 represents the iterative development of training.
Point 20 represents the maturation of the licensed and non-licensed training program development, and transition to HFE verification and validation.
Point 21 (along with Points 9 and 10) represents the iterative feedback generated by the treatment of important human actions based on revisions to design documents (PRA/
human reliability analysis) and the results of HFE verification and validation.
NuScale Final Safety Analysis Report Operating Experience Review Tier 2 18.2-1 Revision 4.1 18.2 Operating Experience Review The operating experience review (OER) element of the NuScale human factors engineering (HFE) program ensures that the lessons learned from the reviews of applicable operating experience from nuclear and various non-nuclear industries are incorporated in the design of the NuScale Power Plant. Specifically, the positive features identified during the OER are incorporated into the design while negative features are avoided.
The OER is conducted and implemented in accordance with the applicable NUREG-0711, Revision 3 guidance. The following sections provide a summary of the HFE operating experience review objectives and scope, methodology, and results. The methodology and the results are documented in the OER results summary report (Reference 18.2-1).
18.2.1 Objectives and Scope The purpose of the OER program is to identify and document safety issues and lessons learned from applicable operating experience from nuclear and various non-nuclear industries. The positive features identified are incorporated into the NuScale Power Plant design while the negative issues are avoided. The lessons learned are also applied to the development and implementation of human-system interfaces (HSIs), operating procedures, and operator training, thereby reducing human errors and risk, and improving reliability of plant operations.
NuScale utilizes a simple passive design with a highly automated digital control system with an advanced digital HSI. As a result of this design, NuScale does not have a predecessor plant from which to gather operating experience. Operating experience is taken broadly from the existing commercial nuclear power industry, reviewing significant events at Three Mile Island, Chernobyl, and Fukushima as well as mining for specific operating experience related to systems similar to those used in the NuScale design. In addition, operating experience is obtained from other industries on the basis of their similarities with the NuScale Power Plant design, technologies, and concept of operations.
These other industries include:
nuclear installations that do not produce power.
the non-nuclear power industry.
U.S. military platforms, such as nuclear-powered submarines and aircraft carriers.
the petrochemical industry.
the airline industry, including air traffic controller operator experience data.
automotive industry and railroad industry.
Design of the NuScale Power Plant also allows operation of up to 12 NuScale Power Modules from one control room. Current operating experience in multi-unit operation from a single control room is limited. Therefore, additional operating experience is obtained in the following areas:
highly automated digital control systems monitoring and control of multiple units in one control room
NuScale Final Safety Analysis Report Operating Experience Review Tier 2 18.2-2 Revision 4.1 initial plant testing of one or more units concurrent with operating units refueling a unit concurrent with operating units incident and accident management of a unit concurrent with operating units In addition to these OER data sources, the NuScale OER also considers the following:
results from the HFE element treatment of important human actions (see Section 18.6) review of issues identified in NUREG/CR-6400 operator interviews nuclear industry websites and databases (U.S. Nuclear Regulatory Commission and Institute of Nuclear Power Operations) 18.2.2 Methodology 18.2.2.1 Operating Experience Review Process The NuScale OER methodology establishes the process and procedures for identifying, evaluating, and tracking relevant nuclear and various non-nuclear industry design, construction, and operating experience to ensure that the applicable experience data are provided to NuScale Power Plant design personnel in a timely manner. The OER process is conducted in accordance with written procedures, which contain administrative instructions to control the OER process.
The OER team is responsible for conducting the OER and dispositioning the individual review items. The qualifications of the OER team are stipulated in the HFE program management plan (Reference 18.2-2). Specific team member responsibilities include reviewing OER issues for identification of human performance issues, sources of human error, and design elements that support or enhance human performance.
screening OER issues for applicability to the NuScale power plant design using criteria established in the HFE operating experience review procedure.
summarizing and documenting screening results with a description of the applicability to NuScale Power Plant design.
identifying further sources and topics for OER.
collecting, preparing, and documenting new sources of OE applicable to the NuScale Power Plant design.
conducting operator interviews.
identifying the need for NuScale Power Plant design action on OER issues.
entering actions resulting from OER into the human factors engineering issues tracking system (HFEITS).
An initial screening is performed on each OER issue to determine if further evaluation is necessary to identify potential HFE issues related to the NuScale Power Plant design. If the screening reveals that the issue is not applicable, then the issue is closed. If an OER issue is determined to be applicable to the NuScale HFE scope, but the current design
NuScale Final Safety Analysis Report Operating Experience Review Tier 2 18.2-3 Revision 4.1 documents do not address the issue, the OER issue becomes an HFE issue for tracking in the HFEITS database. The OER issues are categorized to show which of the 12 HFE program elements (see Section 18.1) they affect. This categorization facilitates future searches of the OER database by HFE program elements.
The OER team includes senior reactor operators and other personnel with significant commercial and Navy experience in the operation of nuclear power plants. These personnel are integrated into the HFE/OER team. They apply their knowledge and operating experience during reviews of NuScale design documents and recommend improvements and refinements to the design, in addition to identifying and dispositioning issues during the dedicated OER activities. These personnel are integrated into the inter-disciplinary reviews of documents as appropriate, which allows application of their operating experience directly into the design and design documents. Examples of design improvements attributable to their reviews are provided Section 18.2.3.
Specific topics covered in the review and analysis of operating experience are discussed in Section 18.2.2.2 through Section 18.2.2.7.
18.2.2.2 Predecessor Plants and Systems The NuScale Power Plant design incorporates features such as passive safety systems, no reliance on safety-related AC or DC power, and modular design that relies on automation and digital HSI technology. The combination of these design features and the extent to which they are utilized in the NuScale Power Plant design is not found in the existing commercial nuclear reactors; therefore, no existing designs are considered direct predecessors to the NuScale Power Plant design. However, many of the NuScale systems and components are found in existing designs. Therefore, operating commercial nuclear power plant experience is reviewed and used appropriately in the development of the NuScale Power Plant design.
Due to the limited use of digital HSI technology in the current U.S. operating commercial nuclear power plants, the OER boundaries for this technology are extended beyond the experience of the existing U.S. commercial nuclear power plants to include human factors issues operating experience from similar features in various non-nuclear industries. The operating experience related to multi-unit operation from a single control room is also limited in the nuclear industry. Therefore, the review of this experience is also extended beyond the operating nuclear power plants.
18.2.2.3 Recognized Industry Issues The NuScale Power Plant design addresses the HFE issues identified in NUREG/CR-6400 and the issues identified subsequent to its publication. The categories of issues addressed in NUREG/CR-6400 are unresolved safety issues and generic safety issues.
Three Mile Island issues.
NRC Generic Letters and Information Notices.
NuScale Final Safety Analysis Report Operating Experience Review Tier 2 18.2-4 Revision 4.1 operating experience reports reviewed in the NUREG-1275 series, Volumes 1 through 14.
low power and shutdown operations.
operating plant event reports.
In addition to the industry issues addressed in NUREG/CR-6400, the NuScale Power Plant design incorporates lessons learned from applicable issues identified subsequent to 1996 (NUREG/CR-6400 publication date), including lessons learned from the Chernobyl event, and the seismic and tsunami events at the Fukushima Daiichi power station.
18.2.2.4 Related Human-System Interface Technology The NuScale design addresses OER related to highly automated, digitally-controlled process systems.
computerized procedures systems.
use of flat panel displays.
use of touchscreens.
multi-unit control rooms.
Experience in multi-unit operation from a single control room in the nuclear power industry is limited; therefore, in addition to available information in the nuclear industry, pertinent information is obtained from other industries and facilities described in Section 18.2.1.
The related HSI technology experience data are collected by visits to sites of selected installations, personnel interviews, and literature searches on HSI technology. The installations visited and a summary of the information collected are documented in Reference 18.2-1.
18.2.2.5 Issues Identified by Plant Personnel The OER team conducts interviews of nuclear and non-nuclear industry personnel, and collects data based on their experience with systems or technology applicable to the NuScale Power Plant design. Interviews are conducted in accordance with written procedures. The interview topics are tailored to the job description of the individuals being interviewed and include the following:
plant operations
normal plant evolutions (startup, full power, and shutdown)
instrument and control system degraded conditions and failures
HSI equipment failures and processing failures
transients and accidents
reactor shutdown and cooldown using remote shutdown system
NuScale Final Safety Analysis Report Operating Experience Review Tier 2 18.2-5 Revision 4.1 HFE design topics
alarm and annunciation
display
control and automation (including highly automated control systems)
information processing and job aids
real-time communications with plant personnel and with other organizations
procedures, training, staffing qualifications, and job design
multi-unit control room design effect on plant operation Data obtained from the interviews are reviewed for positive and negative design aspects, and are evaluated for incorporation into the NuScale Power Plant design.
Potential issues identified in the interviews are entered into the OER database and evaluated in accordance with written procedures.
In addition, HFE team members are integrated into the inter-disciplinary review process utilized during the review and approval of design documents. Therefore, there is a mechanism for personnel with plant experience to formally provide their input to improve and refine the design utilizing their knowledge and experience in industry issues.
18.2.2.6 Important Human Actions Using preliminary results from the probabilistic risk assessment, the important human actions (IHAs) for the NuScale Power Plant design are identified early in the design process and recorded in the OER database to make the information available while analyzing operating experience. The OER database is updated as necessary with revised IHAs.
The purpose of evaluations of the IHAs as part of OER is to determine whether other operating nuclear plants or systems with similar HSI technology had experienced related error-causing conditions. The IHAs are used in succeeding HFE program elements (task analysis, staffing and qualifications, and HSI design) to define the roles and responsibilities of plant personnel and to produce interfaces designed to minimize human error probabilities.
In examining the operating experience data, both the successful completion of IHAs applicable to NuScale, and the errors that may have occurred in the execution of those IHAs are identified and considered.
The evaluation of the NuScale probabilistic risk assessment identified two IHAs. These IHAs are considered to be of low probability and easy to recognize, and are discussed in Section 18.6. Deterministic engineering analyses performed as part of Chapter 7 (instrumentation and controls) and Chapter 15 (accident analyses) identified no IHAs.
NuScale Final Safety Analysis Report Operating Experience Review Tier 2 18.2-6 Revision 4.1 18.2.2.7 Issue Analysis, Tracking, and Review The OER issues that are identified as potential human performance issues or sources of human error, or identified as design elements that might support or enhance human performance are captured in HFEITS. Human factors engineering issue tracking system entries are evaluated during the design process.
During the OER, if an OER issue is determined to be not applicable to the NuScale Power Plant design, the justification for its non-applicability is written and reviewed by the OER team. Once this justification is approved, the issue is closed but retained in the OER database.
If an issue is determined to be applicable to the NuScale Power Plant design but is not within the HFE program scope, a justification for it not being within the program scope is written. Upon approval of the justification, the issue is transferred to the appropriate engineering discipline for consideration by means of the engineering tracking database. The applicable engineering disciplines use appropriate methods for assimilation and disposition of these issues. The OER issue is then closed but retained in the OER database.
If an OER issue is determined to be applicable to the NuScale Power Plant design and is within the HFE program scope but is resolved by the current design, documentation of that resolution is prepared and captured in the OER database. Documentation includes reference to appropriate approved design documents. The resolved-by-design documentation is reviewed and closed but retained in the OER database.
An OER issue that is determined to be applicable and within the HFE program but is not resolved by the current design, is documented as such in the OER database. The OER team member that analyzed the issue proposes a design modification to resolve the OER issue. The OER team reviews the documentation and the proposed design modification. If approved, the OER issue is closed and retained in the OER database, and the associated documentation and proposed modification are captured in the HFEITS database.
If a justification or set of documentation for closure of an OER issue is rejected, the OER team and HFE supervisor either reassign the issue to another team member or resolve the item as a team.
18.2.3 Results The review of operating experience led to significant enhancements to the NuScale Power Plant design, thereby meeting the OER goals. Consistent with the guidance of NUREG-0711, the OER was performed for the following five areas using the methodology described above:
predecessor plants and systems recognized industry issues related HSI technology issues identified by plant personnel
NuScale Final Safety Analysis Report Operating Experience Review Tier 2 18.2-7 Revision 4.1 important human actions The fundamental NuScale design features eliminate the potential for the operating experiences encountered in the commercial nuclear power industry such as natural circulation within the primary system eliminating the potential for operating experience related to reactor coolant pumps, motors, and seals.
the integrated NuScale Power Module design eliminating piping, welds, and valves associated with an external pressurizer and steam generators.
the small containment and evacuated annulus eliminating the need for thermal insulation around the reactor vessel, reducing GSI-191 concerns.
simple, passive safety systems that transition to a state that meets their safety function on a loss of power, eliminating the need for safety-related AC or DC power and their associated backup and support systems.
The issues identified from the reviews as being applicable to NuScale Power Plant design were incorporated into the design. The following are examples of significant enhancements to NuScale Power Plant design resulting from the OER (with the associated type of OER noted parenthetically):
minimizing and prioritizing alarms in the control room, thereby reducing the likelihood of alarm avalanche (related HSI technology) providing improved methods for allocation of information across workstations (issues identified by plant personnel) providing diverse HSI capabilities to allow operators to cope with postulated failures or degradation of the normally used HSIs (issues identified by plant personnel)
The results of reviews of each of the five OER areas are documented in Reference 18.2-1.
18.2.4 References 18.2-1 NuScale Power, LLC, Human Factors Engineering Operating Experience Review Results Summary Report, RP-0316-17614, Rev. 0.
18.2-2 NuScale Power, LLC, Human Factors Engineering Program Management Plan, RP-0914-8534, Rev. 4.
NuScale Final Safety Analysis Report Functional Requirements Analysis and Function Allocation Tier 2 18.3-1 Revision 4.1 18.3 Functional Requirements Analysis and Function Allocation Functional requirements analysis (FRA) and function allocation (FA) is a key element of the NuScale human factors engineering (HFE) program. The FRA is the process of identifying and analyzing those functions that must be performed to satisfy the plant safety and power generation goals. The plant safety goals include prevention or mitigation of the consequences of postulated accidents that could cause undue risk to the health and safety of the public.
The function allocation is the process of assigning the functions identified by FRA to personnel and machines (automation) in a way that takes advantage of human strengths and avoids human limitations.
The FRA and function allocation activities are performed in accordance with the applicable guidance provided in NUREG-0711, Revision 3.
The FRA and function allocation methodology and the results of the analyses are documented in the functional requirements analysis and function allocation results summary report (Reference 18.3-1). The following sections summarize the FRA and function allocation objectives and scope, methodology, and results.
18.3.1 Objectives and Scope The purpose of FRA and function allocation is to ensure that the functions necessary to accomplish NuScale Power Plant safety and power generation goals are sufficiently defined, analyzed, and allocated. Functions are allocated to personnel (manual),
automation (machine), or a combination of personnel and automation, to take advantage of human and machine strengths and avoid human and machine limitations. These allocations support subsequent elements of the HFE program:
task analysis staffing and qualifications human-system interface design procedures development training program development The FRA and function allocation apply to activities performed by licensed operators in the main control room during normal, abnormal, and emergency operating conditions, and do not apply to maintenance or refueling activities performed by craft or technical personnel or activities associated with facilities other than the main control room.
18.3.2 Methodology The FRA and function allocation incorporate HFE program principles and practices, and are performed utilizing a structured and documented methodology. The process is iterative in nature and kept current over the plant life cycle, from design development through decommissioning.
NuScale Final Safety Analysis Report Functional Requirements Analysis and Function Allocation Tier 2 18.3-2 Revision 4.1 18.3.2.1 Functional Requirements Analysis Methodology Early in the HFE program, a plant functional requirement hierarchy is developed to organize plant functions according to their contribution to achieving the plant safety and power generation goals. The broad, plant-level functions are the following:
reactivity control maintain containment integrity remove fuel assembly heat power generation maintain reactor coolant pressure boundary integrity radioactivity control emergency response human habitability protection of plant assets plant security Organization of the hierarchy and the FRA process begin with an HFE team review of the preliminary list of structures, systems, and components functions derived from design documentation. Based on this review, the plant functions are grouped into the categories discussed above.
Because the NuScale Power Plant has no predecessors, each NuScale system is reviewed for comparable systems or functions in traditional nuclear facilities.
Differences are analyzed and documented in the FRA and function allocation database.
Function decomposition is analyzed starting at the plant functions down to the components to ensure that the plant function is satisfied. The decomposition addresses the following:
plant functions (e.g., reactivity control) and processes, as appropriate, that enable achievement of the functions specific plant systems and components The identified subfunctions, system functions, processes, and components necessary to accomplish the function are documented in the FRA and function allocation database. The types of information documented in the database include purpose of the function.
predecessor designs.
subject matter expert input.
differences from functions for systems similar to those used in other pressurized water reactor designs.
supporting system functions.
NuScale Final Safety Analysis Report Functional Requirements Analysis and Function Allocation Tier 2 18.3-3 Revision 4.1 supporting components, instrumentation, controls, automation, and alarms.
support systems.
The FRA is performed when the function decomposition is complete. To conduct this analysis, the HFE team determines the conditions and parameters necessary for monitoring and control. This analysis reveals success paths for accomplishing all or part of the function.
Following decomposition and FRA, the HFE team documents the following information for each function in the FRA and function allocation database:
supported plant goal conditions that indicate the need for the function parameters that indicate the availability and operating status of the function parameters that indicate whether the function is achieving its purpose(s) parameters that indicate when the operations of the function can or should be terminated The HFE team members review the FRA and verify that all high-level functions necessary to achieve safe operation have been identified and analyzed along with the requirements for each of the identified functions. The verification is documented in the FRA and function allocation database.
The development of NuScale plant functional requirement includes comparing the plant goals, functions, processes, and systems to those of existing plants as applicable.
Differences and technical basis for changes are noted in HFEITS. Success paths for carrying out the safety and other plant functions are defined. The functions are decomposed into lower levels.
18.3.2.2 Function Allocation Methodology Plant-and system-level functions are allocated to personnel, machine, or shared ownership. The ranges of possible allocations required to accomplish functions are grouped into the following types:
fully manual operation shared operation between manual and automation operation by consent (automation when directed by operator) operation by exception (automation until reaching a critical automation step or obtaining a system response identified by automation) fully automatic operation Function allocation is determined by reviewing one or more of the following: operating experience, human capabilities, likelihood of human error, technical feasibility or cost, requirement for precise control, and the need for human knowledge and judgment.
NuScale Final Safety Analysis Report Functional Requirements Analysis and Function Allocation Tier 2 18.3-4 Revision 4.1 Criteria for function allocation to automation include personnel responsibility to monitor automatic functions and to assume manual control in the event of an automatic system failure. Functions that require human knowledge and judgment to ensure reliable performance are allocated to personnel.
Determining the level of automation during design is an iterative process. Balancing the needs of the operator, the capabilities of the instrumentation and controls architecture, and the design of the system requires communication between designers and operators. When making the decision to use automation, the following guidance is considered:
Automation is used to aid the operator and avoid human error.
For routine tasks, it is preferred that the automation would identify initiating conditions and prerequisites and prompt the operator to perform the task instead of requiring the operator to select the appropriate automation to perform. As an example, to perform the correct dilution amount on the correct unit, the automation should monitor parameters and request the operator to concur with selected automation.
Every effort should be taken to design the automation so that it prevents the operator from performing an undesired action through use of interlocks, prompts, and intuitive displays.
Information display for automation should be as consistent as possible in terms or location, arrangement, and functionality in order to optimize operator to system interaction and to reduce potential error.
Automation controls should be standard and intuitive to understand. This simplifies training and provides the operator with a base level of comprehension regardless of the specific automated task.
Automated processes should be incorporated into the task analysis and procedures, so that they can be referenced for pre-job discussions. Automated tasks should be described in a relational database and accessed similarly to any other procedure.
Most functions are automated at NuScale to aid the operators in managing the workload for up to 12 NPMs. This aids the operator to remain situationally aware and to be engaged during automated tasks. Functions with one or more of the following attributes are allocated to automation:
major plant evolutions (e.g., unit shutdown, unit power escalation) system operations that require continuous monitoring, are repetitive or require quick response (e.g., temperature/pressure/level control, standby pump start, routine rotation of operating equipment) component operation that has special requirements or restrictions (e.g., valves need to close upon pump stop, prerequisites must be met to open valve) routine/repetitive tasks (e.g., 12-hour surveillance checks, rod movement testing) personnel safety or dose reduction sequence is complex
NuScale Final Safety Analysis Report Functional Requirements Analysis and Function Allocation Tier 2 18.3-5 Revision 4.1 time to perform task challenges the time available implementation cost seems reasonable for the automation benefit Subject matter expert determines that automation would aid the operator based on operating experience.
18.3.3 Results Using the FRA process and methodology described in Section 18.3.2.1, plant functions were identified and analyzed at the system level. The FRA included determination of the conditions when each function is needed, and the parameters that indicated that the function is available, operating, achieving its purpose, and when it can or should be terminated.
The functions were decomposed into components, and using the function allocation process and methodology described in Section 18.3.2.2, the functions were allocated to personnel, automation, or a combination of both. The results of the function analysis and allocation were captured in a FRA and function allocation database.
The FRA and function allocation results are documented in Reference 18.3-1, and include a set of safety functions for the NuScale Power Plant and a set of functional requirements to satisfy the plant goals.
conditions when each function is needed; and the parameters that indicated that the function is available, operating, achieving its purpose, and when it can or should be terminated.
allocation of functions and the technical bases for the allocation.
design changes resulting from implementation of the FRA and function allocation process.
18.3.4 References 18.3-1 NuScale Power, LLC, Human Factors Engineering Functional Requirements Analysis and Function Allocation Results Summary Report, RP-0316-17615, Rev. 0.
NuScale Final Safety Analysis Report Task Analysis Tier 2 18.4-1 Revision 4.1 18.4 Task Analysis The task analysis (TA) element of the NuScale human factors engineering (HFE) program identifies specific tasks (human actions) that are required to be performed in order to satisfy the plant safety and power generation goals as determined from the functional requirements analysis and function allocation process described in Section 18.3. The results of the TA establish the number of personnel needed to complete each task, the human-system interface (HSI) inventory requirements, including alarms, controls, displays, procedures, and knowledge and abilities needed to support performance of tasks.
The TA is conducted and implemented in accordance with the applicable guidance provided in NUREG-0711, Revision 3. The task analysis results summary report (Reference 18.4-1) documents the methodology for conducting the TA and the TA results. This section provides a summary of the TA objectives, scope, methodology, and results.
18.4.1 Objectives and Scope The TA encompasses a range of plant operating modes, including startup, normal operations, low-power and shutdown conditions, transient conditions, abnormal conditions, emergency conditions, and severe accident conditions. The TA also includes important human actions (IHAs) (Section 18.6), tasks that have negative consequences if performed incorrectly, tasks related to monitoring of automated systems that are important to plant safety, tasks related to the use of automated support aids for personnel such as computer-based procedures, tasks related to identifying the failure or degradation of automation and implementing backup responses, and tasks anticipated to impose high demands on personnel.
The tasks to be analyzed include those that are performed by licensed control room operators. Maintenance or refueling activities, activities completed by craft/technical personnel (i.e., mechanical, electrical, or I&C maintenance; health physics; chemistry; engineering; or information technology), or activities associated with the technical support center, emergency operations facility, operations support center, or any other emergency response facilities are considered in the TA if those activities are determined to impact licensed operator workload.
The operating experience review, functional requirements analysis, and treatment of IHA elements of the HFE program provide inputs to the TA.
The output from the TA includes definition of roles and responsibilities for individuals analyzed in the staffing and qualifications HFE element.
a list of HSI inventory and characteristics for HSI design.
information and controls needed for task support that are used for procedure development.
determination of required knowledge and abilities of personnel.
The HSI inventory and its characteristics generated by the TA include the alarms, controls, displays, and procedures needed to monitor plant functions, and to monitor and control
NuScale Final Safety Analysis Report Task Analysis Tier 2 18.4-2 Revision 4.1 their success paths. The HSI design (Section 18.7) uses the detailed TA results and inventory of alarms, controls, and indications to establish alarm logic, display and control designs, and grouping of HSI inventory especially for task-oriented screens.
18.4.2 Methodology The TA process includes the following steps:
identify tasks develop detailed task narrative decompose tasks develop operational sequence diagram verify IHA(s) identify task attributes identify high workload tasks identify task job position determine knowledge and abilities define task support requirements assess the workload determine inventory of alarms, displays, and controls to support performance of tasks Not all steps may be needed for each task, and the level of detail for the tasks depends on the complexity of the task.
18.4.2.1 Task Identification Methodology All tasks, regardless of their importance, are analyzed so that the full extent of the work load can be determined. Examples of tasks to be analyzed include:
important human actions determined through the human reliability portion of the PRA and deterministic means (i.e., transient and accident analyses, diversity and defense-in-depth coping analyses (D3CA)). The methodology for determining important human action is discussed in Section 18.6 tasks that have negative consequences if performed incorrectly.
tasks that are new or performed significantly differently from those in plants with similar systems and components.
tasks related to monitoring and interacting with automated systems, automated-by-consent systems, and the use of automated support aids for personnel, such as computer-based procedures and adaptive automation features, such as for the critical safety function displays.
tasks related to identifying the failure or degradation of automation, and other I&C computer-based systems, and those tasks required for implementing backup responses.
NuScale Final Safety Analysis Report Task Analysis Tier 2 18.4-3 Revision 4.1 tasks anticipated to impose high demands on personnel (such as administrative tasks that contribute to workload and challenge the operators' ability to monitor the plant).
tasks with potential concerns for personnel safety.
Identification of tasks to be analyzed is performed by subject matter experts on the basis of their experience at current operating nuclear plants. The process typically includes review of operating experience and available system design material.
18.4.2.2 Personnel Task Narrative For the tasks that are identified for TA as described in Section 18.4.2.1, detailed task narratives (descriptions) are prepared. The task narratives provide:
a description of the objectives of a specific system's operator tasks.
an overview of the activities personnel are expected to accomplish to complete the task.
a definition of alarms, information, controls, and task support needed to accomplish the task.
a basic outline of the procedure steps.
The task narratives contain requisite detail for a reviewer to correlate the described task objectives to the results of the completed task analysis. The length of the narrative is commensurate with the complexity of the task it describes.
Task narratives are revised as relationships among tasks are better defined.
18.4.2.3 Relationships Among Tasks A task may include multiple subtasks that are needed to complete a task. In order to identify the stimulus and response relationship for each lowest level task, each task is decomposed by identifying the parent task, subtasks, and task elements. The lowest level task (element) is a discrete human action, cognitive or physical, executed to support a task.
An operational sequence diagram is created and used for certain tasks as necessary to aid in evaluating the flow of information between the operators and the HSI from the beginning to the end of the task. Information flow includes operator decisions, operator and control activities, and the transmission of data. Operator actions are identified in a top-down sequential format. The sequencing of the tasks provides input for the plant operating procedures and defines the activities that plant personnel are trained to execute.
Depending on their types and complexity, tasks may be performed sequentially, in parallel, or in any order. Tasks may also be conditional, may involve coordinated actions among crew members or among crew members and local personnel.
NuScale Final Safety Analysis Report Task Analysis Tier 2 18.4-4 Revision 4.1 18.4.2.4 Time Required for Performing Tasks The time required to complete a task is a combination of cognitive processing time, physical movement time, and HSI response time (e.g., screen navigation, control operation, I&C platform processing, plant system response). Calculations of time required for task performance consider decision-making (which may or may not be part of cognitive processing depending on task complexity), communications with the operations team, task support requirements, situational and performance-shaping factors, and workplace factors and hazards for each step of a task.
The analysis of time required is also based on a documented sequence of operator actions.
Time estimates for individual task components (e.g., acknowledging an alarm, selecting a procedure, verifying that a valve is open, starting a pump), and the basis for the estimates are established through a method applicable to the HSI characteristics of digital computer-based I&C.
The time available to perform the actions is based on analysis of the plant response to the anticipated operational occurrences, accidents, and infrequent and special events, in accordance with the applicable regulatory guidance.
18.4.2.5 Personnel Required for Performing Tasks The number of personnel required to perform each task is determined by the task narrative, complexity of the task, time required to perform the task, and the time available.
The task narrative defines job functions for personnel who perform the tasks, requirements for communication with other operations personnel while performing tasks, and the impact of staffing levels on task performance.
18.4.2.6 Required Knowledge and Abilities In addition to the attributes included in the detailed task narrative, each task is analyzed to determine the knowledge and abilities needed for success of the task. The NuScale knowledge and abilities are benchmarked against a modern pressurized water reactor using NUREG-2103, and a gap analysis is performed. The results of this analysis are used to develop the NuScale-specific knowledge and abilities catalog to address the unique characteristics of the NuScale Power Plant design.
Tasks are allocated to personnel in accordance with the identified knowledge and abilities required to perform each task.
Learning objectives are developed from knowledge and abilities and are used to develop training program content in support of personnel qualifications.
NuScale Final Safety Analysis Report Task Analysis Tier 2 18.4-5 Revision 4.1 18.4.2.7 Iterative Nature of Task Analysis The TA is iterative in nature and is updated as the design progresses. The HFE program itself is iterative in that elements of the program provide inputs to other elements and some design issues are only resolved by changing assumptions or re-analyzing based on new data.
When problems arise during HFE program activities after TA, human engineering discrepancies are initiated, and resolution of those human engineering discrepancies may result in changes to or rework of the TA.
Task analysis subject matter experts revise the TA as details of the plant, system, and component designs change.
18.4.2.8 Analysis of Feasibility and Reliability for Important Human Actions Analysis of feasibility and reliability for important human action addresses time available and time required to perform actions.
use of techniques to minimize bias.
sequence of actions.
estimated time for operators to complete credited actions.
Time available to perform actions is the length of time from the initiation of the task to when the task needs to be completed as defined in the analysis that identifies the IHA.
Applicable regulatory guidance is considered for the analyses that determine each IHA, and for any task that industry experience identifies as a potential IHA. The time available is based on plant response to the anticipated operational occurrence or accident.
As discussed in Section 18.4.2.4, the time required to complete a task considers cognitive processing time, physical movement time, and HSI response time. The time-required calculation is based on an understanding of the sequence of operator actions and takes into account secondary tasks. Time-required estimates for IHAs are simulated and measured when feasible, or obtained through operator and expert interviews, software modeling of human behavior during tasks and operating experience reviews.
The estimated time for operators to complete the credited action is sufficient to allow successful execution of applicable steps in the emergency operating procedure.
Estimates of time required to perform IHAs are obtained whenever feasible using table top walkthroughs and simulator scenarios. Other techniques used for deriving the time required include interviews of operators and experts, software modeling of human behavior during task performance, and operating experience reviews. If measurements are not feasible, independent assessments of time required for IHAs are developed by two different subject matter experts.
NuScale Final Safety Analysis Report Task Analysis Tier 2 18.4-6 Revision 4.1 As discussed in Section 18.6, analysis of the HFE element treatment of IHAs identified no IHAs that require additional staffing for the operation of the NuScale Power Plant.
18.4.3 Results The function allocations determined as part of the HFE element functional requirements analysis and function allocation (see Section 18.3) provided the foundation for TA. Detailed task analysis is the foundation for the HSI design, the development of operating procedures and the operator training program.
Tasks identified for analysis represented a range of operating modes for a 12-module plant, including startup, normal operations, low-power and shutdown conditions, transient conditions, abnormal conditions, emergency conditions, and severe accident conditions, including those that affected multiple modules simultaneously.
As discussed in Section 18.6, evaluation of the PRA results identified two risk-important human actions; evaluation of the deterministic analysis results identified no deterministically important human actions. NuScale utilized a high-fidelity simulator as a testbed for validating task completion times. The performance of the IHA within the allowed time was verified during the staffing plan validation as part of the HFE element S&Q (see Section 18.5).
Task analysis provided input to the HSI inventory and characterization, and for the HSI style guide, which provide the foundations for the HSI design (see Section 18.7), and from which HSI design verification and task support verification are performed. Task support verification, performed as part of the human factors verification and validation activities (see Section 18.10), ensures that the alarms, information, controls, and task support needed for personnel to perform their tasks are provided.
Task analysis was a major input for the development of the scenarios used for the staffing plan validation. TA identified highly challenging tasks, (e.g., those tasks that are considered to be high stress, and those that have high error potential, high cognitive workload). These tasks were used to develop scenarios to determine the adequacy of the plant staffing and qualifications as part of the HFE element S&Q (see Section 18.5).
The workload identified during TA were used to guide additional function allocation to automation to reduce workload.
Task analysis also produced the basic knowledge and abilities catalog necessary for training and qualifying operators, and for establishing the mechanisms required to validate staffing goals.
The results of the TA are documented in Reference 18.4-1.
18.4.4 Reference 18.4-1 NuScale Power, LLC, Human Factors Engineering Task Analysis Results Summary Report, RP-0316-17616, Rev. 1.
NuScale Final Safety Analysis Report Staffing and Qualifications Tier 2 18.5-1 Revision 4.1 18.5 Staffing and Qualifications The staffing and qualifications (S&Q) element of the NuScale Power, LLC human factors engineering (HFE) program establishes the number and qualification of licensed operators required for safe and reliable NuScale Power Plant operation.
This section provides a summary of the methodology used in performing the licensed operator S&Q analysis and the results of the analysis. The S&Q methodology and the results are documented in the Human Factors Engineering Staffing and Qualifications Results Summary Report (Reference 18.5-1).
18.5.1 Objectives and Scope The objective of S&Q element of NuScale's HFE program is to determine the number and qualification of licensed operations personnel required for safe and reliable operation of a NuScale Power Plant with up to 12 NuScale Power Modules.
The plant operations personnel considered in the S&Q analysis includes licensed control room operators as defined in 10 CFR 55, and the licensed personnel in the categories defined in 10 CFR 50.120, including shift supervisors and the shift technical advisor.
COL Item 18.5-1:
A COL applicant that references the NuScale Power Plant design certification will address the staffing and qualifications of non-licensed operators.
The NuScale Power Plant is designed to operate up to 12 NuScale Power Modules from a single main control room (MCR). This configuration is not addressed in 10 CFR 50.54(m).
NuScale takes an alternative approach to control room staffing to be used in lieu of 10 CFR 50.54(m). The approach involves use of applicable NRC guidance contained in NUREG-0800, Chapter 18, Revision 2; NUREG-0711, Revision 3; NUREG-1791 (July 2005);
SECY-11-0098 (July 22, 2011); and NUREG/CR-6838 (February 2004). The minimum staffing requirements for the NuScale Power Plant are located in the Design Certification Rule Part 52 Appendix. Refer to Part 7, Chapter 6 for more details.
The organizational structure is described in Section 13.1.
18.5.2 Methodology The analysis to determine the number and qualification of licensed operators is performed in a systematic manner taking into account inputs from other applicable HFE elements and in accordance with regulatory requirements and guidance.
Due to the NuScale Power Plants passive safety systems, simplicity of operation, high levels of automation, reduced licensed operator workload, and limited number of important human actions (IHAs), a twelve-module NuScale Power Plant is planned to be operated with a minimum MCR shift contingent of three licensed reactor operators and three licensed senior reactor operators.
The staffing analysis begins with an assumed MCR shift contingent of three licensed reactor operators and three licensed senior reactor operators. These initial staffing levels are established on the basis of inputs from task analysis (TA) and other relevant HFE elements
NuScale Final Safety Analysis Report Staffing and Qualifications Tier 2 18.5-2 Revision 4.1 as discussed below. The S&Q analysis then confirms or modifies the baseline assumptions to achieve the final licensed MCR shift staffing and qualifications. This is accomplished in an iterative fashion as information from the analyses of other HFE elements become available.
The staffing analysis includes activities performed by licensed control room operators.
Staffing analysis for other activities (activities completed by craft/technical personnel [i.e.,
mechanical, electrical, or instrumentation and controls maintenance; health physics; chemistry; engineering; or information technology], or activities associated with the technical support center, emergency operations facility, operations support center, or any other emergency response facilities) are included only if they are determined to impact licensed operator workload. When licensed operator workload is impacted, then the area of concern is analyzed to a degree sufficient to quantify the impact to licensed operator workload or staffing and to develop any human-system interface or staffing adjustments required to address the specific task and associated staffing requirements.
The basis for S&Q levels includes consideration of specific staffing-related issues identified in the following HFE elements.
Operating experience review: Although there is no existing commercial nuclear reactor that is considered a direct predecessor or similar to NuScale Power Plant from a staffing level perspective, operating experience of current commercial nuclear power plants is analyzed because many NuScale Power Plant systems and components are also found in those designs. The initial staffing levels and qualification goals for the NuScale Power Plant are based, in part, on staffing levels and qualifications from commercial nuclear power plants taking into account the passive features and degree of automation.
Functional requirements analysis and function allocation: As discussed in Section 18.3, the functions that must be performed to satisfy the plant safety and power generation goals are allocated to personnel and automation to maximize performance. The S&Q analysis involves review of initial function allocation to ensure that the requirements for performing actions allocated to humans do not exceed the qualifications of the assigned staff or cause an overload.
Task analysis: As discussed in Section 18.4, TA provides early definition of individual roles, responsibilities, and qualifications, and identifies time needed to perform a task, the workload involved, and the number of personnel needed to complete each task.
The S&Q analysis considers tasks from a range of plant operating modes, including startup, normal operations, low-power and shutdown conditions, transient conditions, abnormal conditions, emergency conditions, and severe accident conditions.
Treatment of important human actions: Section 18.6 discusses the identification and treatment of IHAs. The staffing plan validation conducted as part of the S&Q analysis includes the IHAs and confirms the assumptions that IHAs can be conducted within the time available by the minimum licensed MCR staff for the applicable plant operating modes and conditions. The staffing plan validation also confirms the availability, degree of clarity, and indication cues for manipulation of the human-system interface related to IHAs.
Procedure development: The S&Q analysis uses task sequencing from the TA element as preliminary procedures, assumes specific personnel numbers, and assumes a certain level of secondary tasks such as communication. The S&Q analysis also considers task
NuScale Final Safety Analysis Report Staffing and Qualifications Tier 2 18.5-3 Revision 4.1 sequencing during concurrent use of multiple procedures. Procedures are discussed in Section 13.5.
Training program development: The S&Q analysis provides input to the training program development related to knowledge, skills, and abilities to be attained and maintained. As the S&Q analysis encompasses licensed operations staff, the analysis provides input essential to coordinating actions between individuals inside and outside the MCR. The training program includes this set of coordination knowledge, skill, and abilities. Training program development is discussed in Section 13.2.
Staffing plan levels and personnel qualifications are validated using performance-based tests focused on operator performance, workload, and situation awareness during challenging plant operating conditions. These tests are performed on a simulator that is able to support the scenarios required for the staffing plan validation. Three challenging and workload-intensive scenarios are selected on the basis of inputs from HFE elements operating experience review, functional requirements analysis and function allocation, TA, treatment of IHAs, and human factors verification and validation, including sampling of operational conditions. See Section 18.5.3 for the results of the staffing plan validation performed by NuScale.
18.5.3 Results A staffing plan validation was conducted using guidance in NUREG-0711, NUREG-1791, and NUREG/CR-6838 as well as other industry guidance. The staffing plan validation included performance-based tests using a simulator focused on operator performance, workload, and situation awareness during challenging plant operating conditions, which included design basis events, beyond design basis events, multi-module events, and events in series and parallel. Two independent crews were trained and qualified to conduct three challenging and workload-intensive scenarios utilizing conduct of operations guidance that was reflective of the current industry standards with respect to communications and use of human performance tools. A team of trained and qualified observers consisting of operations, management, and HFE personnel observed and analyzed the crew performances utilizing multiple methods of monitoring crew performance, workload, and situation awareness.
The results of the S&Q analysis, performed using the methods described above, confirm that up to 12 NuScale Power Modules and the associated plant facilities may be operated safely and reliably by a minimum staffing contingent of three licensed reactor operators and three licensed senior reactor operators from a single control room during normal, abnormal, and emergency conditions. The analysis employed an alternative approach to control room staffing in lieu of 10 CFR 50.54(m), and was conducted in accordance with the applicable NRC guidance contained in NUREG-0800, Chapter 18; NUREG-0711; NUREG-1791; SECY-11-0098; and NUREG/CR-6838.
The staffing plan validation resulted in comprehensive data that supports the initial staffing plan. The simulator supported the scenarios effectively without significant issues.
The test and evaluation team was effective in administering the test and analyzing the test results. Both crews completed all tasks within the required time limits while maintaining acceptable levels of situational awareness and workload. All evaluation criteria were met.
NuScale Final Safety Analysis Report Staffing and Qualifications Tier 2 18.5-4 Revision 4.1 The staffing plan validation methodology and results are documented in Reference 18.5-1.
18.5.4 References 18.5-1 NuScale Power, LLC, Human Factors Engineering Staffing and Qualifications Results Summary Report, RP-0316-17617, Rev. 0.
NuScale Final Safety Analysis Report Treatment of Important Human Actions Tier 2 18.6-1 Revision 4.1 18.6 Treatment of Important Human Actions Treatment of important human actions (TIHA) is an element of the NuScale Power, LLC human factors engineering (HFE) program that ensures that important human actions (IHAs) are identified and addressed throughout the HFE program.
This section provides a summary of the TIHA objectives, scope, methodology, and results. The TIHA methodology and the results are documented in the treatment of important human actions results summary report (Reference 18.6-1). The TIHA approach is consistent with the applicable provisions of NUREG-0711, Revision 3.
18.6.1 Objectives and Scope The TIHA element of the HFE program identifies the IHAs and addresses them in designing the HFE aspects of the NuScale Power Plant to minimize the likelihood of personnel error, and to help ensure that personnel can detect and recover from errors that might occur.
The IHAs are identified by a combination of probabilistic and deterministic analyses as discussed in the following sections. Specific treatment of the IHAs in the applicable elements of the HFE program is addressed in Section 18.6.2.3.
18.6.2 Methodology The IHAs consist of risk-important as well as deterministically important human actions.
18.6.2.1 Risk-Important Human Actions The risk-important human actions are identified from the human reliability analysis (HRA) as part of the probabilistic risk assessment (PRA) in Chapter 19. The methodology for identifying risk-important human actions is consistent with the applicable provisions of NUREG/CR-1278 (Reference 18.6-2), and includes the following characteristics:
from Level 1 (core damage) PRA and Level 2 (release from containment) PRA for power operation, low power and shutdown, including both internal and external events (refer to Chapter 19) using selected importance measures and PRA sensitivity analyses to provide reasonable assurance that an important action (or multiple actions in the same scenario) is not overlooked because of the selection of the measure or the use of a particular assumption in the analysis Risk-important measures, HRA and PRA sensitivity analyses, and threshold criteria (with bases) are used to arrive at the list of risk-important human actions. The risk-important human actions are identified by the HFE team by analyzing the initial HRA and PRA results and the potentially risk-important human interactions. To ensure that the actual IHAs are considered and captured, the initial HRA, PRA, and the set of IHAs are updated as the design progresses, and finalized when the plant and human-system interface (HSI) designs are complete.
NuScale Final Safety Analysis Report Treatment of Important Human Actions Tier 2 18.6-2 Revision 4.1 The methodology for identifying risk-important structures, systems, and components is consistent with the NuScale Topical Report, TR-0515-13952-A, Risk Significance Determination (Reference 18.6-3). Risk-important human actions are those human actions to operate systems or components that are above the risk-significance thresholds described in the topical report.
The approach for identifying candidate risk-important human actions consists of identifying situations in the PRA where an operator can function as a backup to an automatic actuation.
identifying situations where an operator can place in-service a non-safety backup to a safety-related system.
understanding the context for successful execution of the action.
assessing the time available for the operator to accomplish the action using thermal-hydraulic simulations of bounding scenarios.
verifying accessibility of the equipment needed to be accessed.
quantifying the likelihood of the operator failing to accomplish the human action.
evaluating the importance of the human action in the full-scope, all operating modes PRA.
As the PRA model is updated, the resulting risk-important human actions are reviewed and task analysis (TA) is performed.
18.6.2.2 Deterministically Important Human Actions Deterministically important human actions are identified from the operator actions that are credited in the transient and accident analyses (Chapter 15), and from operator actions that are identified in the diversity and defense-in-depth (D3) coping analyses (Chapter 7).
The operator actions that are 1) performed to confirm automatic actions, 2) required for long-term decay heat removal or reactivity control, or 3) needed to maintain a stable plant condition for the long term, are not considered deterministically important human actions, even though they may be identified in the transient and accident analyses or D3 coping analysis. None of these operator actions are required to ensure reactivity control, core heat removal, or containment isolation and integrity.
Subject matter experts review each event scenario described in the transient and accident analyses and D3 coping analyses, and extract the deterministically important human actions.
18.6.2.3 Consideration of Important Human Actions in Human Factors Engineering Program Elements To minimize the likelihood of human error and facilitate error-detection and recovery capability, the IHAs are addressed during the HFE program elements, operating experience review (OER), functional requirements analysis and function allocation, TA,
NuScale Final Safety Analysis Report Treatment of Important Human Actions Tier 2 18.6-3 Revision 4.1 HSI design, procedure development, training program development, and human factors verification and validation.
OER: Potential IHAs identified early in the NuScale Power Plant design process are evaluated during the issue analysis and review portion of the OER. Each operating experience item analyzed and entered into the OER database is evaluated against the list of potential IHAs. Operating experience review issues that indicate a potential to impact IHAs are tracked as HFE issues in the HFE issues tracking system for resolution during appropriate HFE program elements.
Functional Requirements Analysis and Function Allocation: Functional requirements analysis and function allocation (Section 18.3) evaluate the IHAs and verify that they are appropriately allocated.
TA: Tasks involving IHAs receive detailed TA (Section 18.4). The TA confirms the assumptions used in the PRA to determine human error probabilities, and the assumptions used in the accident and transient analyses and D3 coping analysis to conclude that operators can execute deterministically important human actions within the time available. The TA also assesses the operator workload when conducting the IHA (for individual or overall operating crew as appropriate) and provides additional assurance that the IHA can be carried out within the time available. Human engineering discrepancies are generated for IHAs that result in excessive workload conditions and IHAs that cannot be executed with adequate margin between the time available and the time required.
Staffing and Qualifications: During staffing and qualification analyses (Section 18.5), IHAs are evaluated to ensure that staffing levels and staff qualifications are sufficient to successfully execute the IHAs, including within specified time requirements. During control room staffing plan validation, IHAs are included in the scenarios that evaluate task performance, cognitive and physical workload, and situation awareness.
HSI Design: During HSI design (Section 18.7), assumptions regarding HSI characteristics for IHAs are verified. To reduce the probability of human errors for IHAs, the HSI design includes the following considerations:
a minimum of two actions are required for the video display unit controls (e.g.,
an action to call up the control function on the video display unit and an action to actuate the control).
tasks associated with a single IHA are conducted from a single display screen wherever possible; task-based displays are created to achieve this, as necessary.
After the HSI design for the alarms, indications, controls, and procedures are developed based on input from the plant design and the TA, performance-based testing is performed to assess those designs in support of the IHAs.
Procedure Development: Operating procedures (Section 18.8) are developed to meet the operation sequences and guidance contained in plant design specifications. Procedure verification includes evaluation of how the IHAs have been procedurally addressed.
NuScale Final Safety Analysis Report Treatment of Important Human Actions Tier 2 18.6-4 Revision 4.1 Training Program Development: Licensed operator training program (Section 18.9) is developed to ensure that personnel are qualified to operate and to maintain the facility in a safe and efficient manner, as well as to keep the facility in compliance with its license, technical specifications, and applicable regulations.
Training includes normal, abnormal, and emergency operating procedures that contain IHAs.
Human Factors Verification and Validation: The adequacy of the HSI design to support operator performance of IHAs is confirmed in the integrated system validation (ISV) process (Section 18.10). Consideration of IHAs during ISV involves defining simulator scenario initiating events with system and component failures that challenge the operators to bring the plant to a safe state following appropriate procedures. The scenarios used in the ISV address the IHAs, dominant sequences, systems, and events. The ISV assesses whether the needed task-support HSIs are present and whether the HSIs comply with the governing HFE guidelines to support successful performance of IHAs. The ISV assesses the successful performance of the integrated crew and the HSI for IHAs. Human engineering discrepancies are processed when they are found.
18.6.3 Results The results of the PRA and the HRA were evaluated using the processes described above.
The evaluation identified two risk-important human actions. The first IHA is for the operator to un-isolate and initiate injection of inventory into the reactor vessel using the chemical and volume control system following incomplete emergency core cooling system actuation during a loss of coolant inside containment, or a loss of coolant outside containment in conjunction with the failure of the associated containment isolation valves.
The second IHA is for the operator to un-isolate and initiate injection of inventory into the containment vessel using the containment flooding and drain system if chemical and volume control system is unavailable during a loss of coolant outside containment in conjunction with the failure of the associated containment isolation valves. Details of the two IHAs are documented in Reference 18.6-1. These risk-important human actions are of low probability, easy to recognize, require low cognitive workload to confirm their validity, and have high margins for time-available versus time-required. These human action scenarios are also well beyond design basis scenarios where operator actions may be considered.
The identified risk-important human actions are applied in the applicable HFE program elements as described in Section 18.6.2.3. During staffing plan validation, the IHAs were successfully validated, as described in Section 18.5.3.
The results of the plant transient and accident analyses and the D3 coping analysis were evaluated using the processes described above and identified no deterministically important human actions.
The results of the evaluations of the PRA, transient and accident analysis, and the D3 coping analysis for risk-important and deterministically important human actions as well as the treatment of the IHAs are documented in Reference 18.6-1.
NuScale Final Safety Analysis Report Treatment of Important Human Actions Tier 2 18.6-5 Revision 4.1 18.6.4 References 18.6-1 NuScale Power, LLC, Human Factors Engineering Treatment of Important Human Actions Results, Summary Report," RP-0316-17618, Rev. 0.
18.6-2 U.S. Nuclear Regulatory Commission, "Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications," NUREG/CR-1278, SAND80-0200, August 1983.
18.6-3 NuScale Power, LLC, Risk Significance Determination, TR-0515-13952-A, Rev. 0.
NuScale Final Safety Analysis Report Human-System Interface Design Tier 2 18.7-1 Revision 4.1 18.7 Human-System Interface Design The human-system interface (HSI) design element of the NuScale human factors engineering (HFE) program provides design of interfaces between plant personnel and plant systems and components. The HSI design process represents the translation of function and task requirements identified during earlier HFE program elements into HSI characteristics and functions. An HSI Style Guide (Reference 18.7-1) ensures consistency in applying HFE principles.
This section summarizes the methodology used in the NuScale HSI design and the analysis results. The methodology and the results are also documented in the human-systems interface design results summary report (Reference 18.7-2), and are consistent with the applicable provisions of NUREG-0711, Revision 3; and NUREG-0700, Revision 2.
18.7.1 Objectives and Scope The objective of the HSI design element is to translate the function and task requirements identified earlier in the HFE program (see Sections 18.3 and 18.4) into HSI design requirements and to the detailed design of alarms, indications, controls, and other aspects of the HSI. This is accomplished by systematically applying HFE principles and criteria.
The HSI design activities include those in the main control room (MCR) that support important human actions (IHAs). The main control room HSI development process includes consideration of other activities that are determined to impact licensed operator workload, including maintenance or refueling activities, activities completed by craft or technical personnel (i.e., mechanical maintenance, electrical maintenance, radiation protection, chemistry, engineering, information technology, instrumentation and controls (I&C) maintenance), or activities associated with the emergency response facilities. The HSI for locations outside the MCR will be derived from the main control room HSI.
18.7.2 Methodology The HSI design process uses a structured methodology for the iterative design of the overall HSI, translating the function allocation and task analysis (TA) into detailed HSI for the plant.
18.7.2.1 Human-Systems Interface Design Inputs Inputs to HSI design include analyses of personnel task requirements, system requirements, and the HSI Style Guide, which incorporates regulatory guidance and other requirements.
18.7.2.1.1 Analyses of Personnel Task Requirements Analyses of personnel task requirements performed earlier in operating experience review (OER), functional requirements analysis (FRA) and function allocation, TA, staffing and qualifications (S&Q), and treatment of IHAs are used to identify and establish design requirements for the HSIs.
During OER (see Section 18.2), issues from other plants and similar HSI designs are evaluated for applicability, and for inclusion or exclusion in the NuScale HSI design.
NuScale Final Safety Analysis Report Human-System Interface Design Tier 2 18.7-2 Revision 4.1 The issues identified during OER are tracked in the human factors engineering issue tracking system and resolved within the HSI design element as applicable.
The FRA and function allocation (see Section 18.3) analyze the plant functions and define the success paths for controlling those functions, along with the key parameters and components used to monitor them. Safety functions are used as input to the design of the overview screens within the HSI inventory. Automation criteria established during function allocation define the levels of automation anticipated for the HSI design. The allocation of functions to humans, machine, or a combination of the two during function allocation largely defines the scope of HSI design. Human factors engineering issue tracking system issues initiated in FRA and function allocation are also generally resolved during HSI design.
The TA (see Section 18.4) provides the information needed to build a complete HSI inventory and the characteristics necessary to monitor and control critical functions during normal, abnormal, and accident conditions. While building the HSI inventory during TA, characteristics such as alarm conditions, indication range and resolution, control function modes and accuracy, procedure applicability conditions, and backup controls for automated functions are established. Grouping of HSI elements in TA leads to HSIs designed for specific tasks and may reduce both reliance on system-based HSIs and navigation between screens. Task support requirements are defined in TA and may be implemented during HSI design or as issues tracked in the human factors engineering issue tracking system for resolution by appropriate engineering disciplines.
The S&Q analyses (see Section 18.5) are used to provide input to the HSI design by influencing the HSI hierarchy and navigation concepts, allocation of controls and indications to individual video display units (VDUs), and overall MCR layout. The S&Q analyses also validate the MCR crew complement and responsibilities of each member of the crew.
Important human actions (see Section 18.6) identified from the probabilistic risk assessment and from deterministic analyses are considered in the HSI design to minimize the probability that errors will occur and maximize the probability that any error made will be detected.
18.7.2.1.2 System Requirements The NuScale HSI design incorporates pertinent design considerations based on accepted HFE principles and industry standards. In addition, the design incorporates high-level design considerations identified during preliminary analyses, such as maintaining situational awareness with a highly automated system, and acceptable workload levels with multiple modules assigned to a single operator.
There are no known I&C platform system constraints related to the MCR layout optimization for monitoring and control of multiple units.
NuScale Final Safety Analysis Report Human-System Interface Design Tier 2 18.7-3 Revision 4.1 18.7.2.1.3 Regulatory and Other Requirements The NuScale HSI design incorporates the guidance in NUREG-0711 and NUREG-0700, which are incorporated into the HSI Style Guide (Reference 18.7-1).
18.7.2.2 Concept of Operations The concept of operations document describes how the design, systems, and operational characteristics of the plant relate to the organizational structure, staffing, and management framework. The concept of operations document informs and guides the design and engineering effort as it relates to the HSI and supporting equipment. It provides an overview of the individual roles, operations staffing, crew structure, and operating techniques that are used by the operating crews. The concept of operations is refined as the design, engineering and simulator evaluation associated with safety analysis, system design, control system automation, and HSI progress.
The concept of operations specifies the following:
staffing levels and crew composition roles and responsibilities of each crew member information available to individual operators and the entire crew division of tasks and supporting HSIs between the control room and local control stations (LCSs) control room and workstation layout and the implications for operations and tasks crew coordination and communication relationship and interaction of crew, computer-based procedures, and plant automation through the HSI 18.7.2.3 Human-Systems Interface Concept Design 18.7.2.3.1 Concept of Use Licensed operators in the MCR and operating crews outside the MCR are responsible for power production and safe operation of each unit and the overall NuScale Power Plant. To achieve these objectives, the operators assume the following roles and responsibilities:
monitoring structures, systems, and components performance operating local and remote structures, systems, and components commanding automated sequences directing subordinate operators to perform procedures monitoring the performance of automated sequences and procedures interrupting and reprioritizing automated sequences or procedures summoning additional resources to expand capabilities monitoring and evaluating Technical Specification conditions
NuScale Final Safety Analysis Report Human-System Interface Design Tier 2 18.7-4 Revision 4.1 testing surveillance reviewing trends responding to off-normal conditions responding to plant notifications establishing plant conditions to support preventative or corrective maintenance maneuvering the plant to support maintenance, technical specifications response, etc.
performing emergency response duties such as offsite notifications performing non-emergency off-site reporting maintaining a narrative log of events and activities relevant to the plant site communicating plant status, constraints, and planned actions to the appropriate stakeholders The HSIs facilitate the operators' abilities to perform these activities and provide the controls, indications, alarms, and procedures necessary for the operators to carry out their responsibilities.
Automation performs functions associated with parameter and process monitoring, defined sequence functions, continuous process control, alert and alarm monitoring, safety limit monitoring, and automatic safety functions.
Operators interface with automated functions via a digital control screen in most aspects of operation. Operators employ automation to place equipment into service, conduct tests, and control processes.
Operators monitor and evaluate automated functions, and intervene when it becomes apparent that the automation has failed or when the automation is no longer appropriate for the current or planned plant conditions. Operators may also elect to share control with the automation or assume control of the automated function.
Operators communicate with crew members routinely to share information, confirm receipt of information, recommend actions, and give direction. The means of communication is commensurate with the type of information that is being communicated (e.g., basic information to be passed to a single teammate, or urgent information to be passed to multiple crew members). Technologies to support teamwork and communication include individual and group HSI notification techniques and non-wireless communication such as standard phone, and verbal and email protocols.
The NuScale Power Plant design provides for the operation and control of up to 12 NPMs and common plant systems from a single control room. Figure 18.7-1 shows the layout of the control room. The layout provides for the following:
a bank of VDUs configured with spatially-dedicated, continuously visible HSIs (e.g., post-accident monitoring variables)
NuScale Final Safety Analysis Report Human-System Interface Design Tier 2 18.7-5 Revision 4.1 sit-down workstations for three reactor operators, each providing access to HSIs for all units sit-down workstations for three senior reactor operators (shift manager, shift technical advisor, control room supervisor) a dedicated stand-up control panel for each unit allowing for focused operation of that unit a dedicated stand-up control panel for shared or common systems The HSIs displayed on the sit-down workstations and selected stand-up control panel VDUs are navigable and contain the alarms, controls, indications, and procedures necessary to monitor and manage any unit chosen by the operator during normal, abnormal, emergency, shutdown, and refueling operations.
18.7.2.3.2 Human-System Interface Conceptual Design Overview Iterative Methodology Human-system interface conceptual design is developed using an iterative methodology incorporating the HSI design inputs discussed in Section 18.7.2.1.
The iterative design and evaluation approach serves to guide the selection of one design from multiple candidate designs.
answer open HFE questions related to situation awareness, workload, and staffing.
identify and eliminate HFE issues from the design early in the process.
Feedback from results of tests of HSI prototypes (see Section 18.7.2.5) is also incorporated prior to detailed design. This provides a high degree of confidence in the HSI design prior to implementation and verification and validation activities (see Section 18.10).
The iterative nature of the HSI design is closely connected with other HFE program activities. As part of the design effort, the HFE team presents findings to and solicits input from various other design disciplines as appropriate.
Survey of State-of-the-Art Human-System Interface Technologies The state-of-the-art HSI technology is established with an emphasis on adaptability, principles, and design patterns and serves the needs of the NuScale plant. Various options are evaluated for human usability and technical feasibility.
Specific software and hardware development is not the scope of the survey; however, an understanding of the state-of-the-art software and hardware technologies provides insight for development of the functional and procurement specifications for the HSI platform.
NuScale Final Safety Analysis Report Human-System Interface Design Tier 2 18.7-6 Revision 4.1 Human-System Interface Conceptual Design Documentation The following documents are developed during the HSI conceptual design stage:
Concept of Operations (see Section 18.7.2.2)
The HSI Style Guide (see Section 18.7.2.3.3)
These documents are revised as necessary during detailed design consistent with findings from testing and analyses.
Conceptual Sketches A template screen (conceptual screen sketch) is developed for each major portion of the HSI (e.g., task-based screens, computer-based procedure screens, and overview type screens). Representative screens and task sequences are selected for demonstrating key concepts, features, and interactions, and for providing concrete grounds for analysis and feedback from other disciplines. Screen sketches incorporate the best current understanding of design principles as outlined in the latest HSI style guide. Conceptual sketches are produced for multiple candidate approaches, and are maintained as design records.
The HSI style guide is updated as appropriate to include conceptual sketches that are found to bring positive features to the overall design.
Rapid Prototyping Based on the latest conceptual sketches and feedback from other disciplines, mock-ups or prototype screens, integrated with a software simulator of the system, are developed for evaluation. While the prototype provides a realistic user experience with the system, the focus in this effort is on testing design concepts and soliciting feedback. Except for early throw-away prototypes, rapid development aims for code modifiability and reusability for fast subsequent development iterations.
18.7.2.3.3 Human-System Interface Style Guide The HSI design employs a style guide for various types and formats of HSIs (Reference 18.7-1). The HSI style guide applies to the MCR, the emergency response facilities, and the remote shutdown station (RSS) as well as other HSIs throughout the plant. Most of the HSIs are screen-based, but the style guide is also used for HSIs that are hard-wired.
The style guide addresses the form, function, and operation of the HSIs included in the design. For screen-based HSIs, design considerations include the environment in which the HSIs are to be used (e.g., colors, brightness and contrast, ambient lighting, and element spacing). Factors such as accessibility, lighting, air quality, heat and humidity, and radiation zones are also considered in the design of HSIs.
A style guide section is specifically developed for the different types of HSIs at the applicable stage in the design process. NUREG-0700 serves as the initial source for
NuScale Final Safety Analysis Report Human-System Interface Design Tier 2 18.7-7 Revision 4.1 the development of the style guide. New sections are added or existing sections revised as more details or new guidance are needed, or if analysis such as OER, FRA and function allocation, or TA determines a need for NuScale Power Plant-specific guidance. The human factors engineering issue tracking system is used to track the NuScale Power Plant specific needs.
The style guide section for VDU-based HSIs is used for MCR, facilities that use HSIs derived from MCR, and LCS human-system interfaces. The HSIs on the VDU-based LCSs are MCR derivatives. For vendor-supplied LCSs, the NuScale HFE program scope is limited to ensuring that those interfaces adhere as closely as possible to the HSI style guide. Inputs from the vendor-supplied LCSs are replicated on the VDU-based HSI on an as-needed basis.
In the initial stages of HSI design, while the number of screens and complexity of interaction between screens are low, individual guidelines in the style guide are stated in general terms. As the HSI design progresses, style guide details increase and use precise, easily observable guidance statements for consistency, supplemented by graphical examples as needed. The guidance includes specific definition of colors in the color palette, equipment symbols, and size and type of text font.
The style guide is in the format that is readily accessible and usable. It is also easily modified as the design progresses or new guidance emerges. The reference section in the style guide provides the source documents on which the guide is based.
18.7.2.4 Human-System Interface Detailed Design and Integration The objective of the detailed design and integration phase is to validate, using performance-based tests, that the integrated system design (i.e., hardware, software, procedures and personnel elements) supports the safe operation of the plant.
The HSI detailed design and integration is performed using outputs from the planning and analysis phase of the HFE program (i.e., HFE program elements OER, FRA and function allocation, TA, S&Q, and analysis for treatment of IHAs, see Sections 18.2 through 18.6). In addition to these HFE program elements, the HSI design team also takes into consideration the design features discussed in the following section.
18.7.2.4.1 General Considerations Minimizing Errors in Performance of Important Human Action The HSI design incorporates features to minimize the probability of operator error in the performance of IHAs and to provide for early detection of errors, should they occur. This includes the feature that requires a minimum of two actions for VDU controls (i.e., an action to call up the control function on the VDU (a pop-up window) and an action to actuate the control). This two-step actuation process reduces the potential for erroneous operator actions that could cause a transient.
NuScale Final Safety Analysis Report Human-System Interface Design Tier 2 18.7-8 Revision 4.1 Bases for Human-System Interface Layout The layout of workstations (number and location of VDUs) in the MCR, the arrangement or hierarchy of the individual HSI screens for each workstation, and the arrangement of the workstations within the MCR are based on job analysis, frequency and sequence of use, and the roles of operators defined during S&Q analysis.
Concept of Operations provides an operating strategy where one reactor operator monitors up to 12 NPMs and transfers responsibility for modules to other operators when events occur that challenge the operator's ability to monitor the remaining modules. In accordance with this strategy, each licensed operator is able to monitor any module. Since any sit-down station may be required to monitor multiple modules, it is necessary to have a minimum equivalent of four VDUs to effectively monitor the status of all 12 modules, alarms, and procedures or processes.
Each of the 12 stand-up workstations has a minimum equivalent of five VDUs and the ability to manually initiate protective functions. The uppermost display provides an overview for that module so that other MCR personnel can quickly determine module status. The HSIs displayed on the lower displays are navigable and contain the alarms, controls, indications, and procedures necessary to monitor and manage the corresponding module during normal, abnormal, emergency, and shutdown operations.
The HSI layout in the MCR is specifically designed to support minimum, nominal, and enhanced staffing levels during a range of operating plant modes. The location of shared system displays and unit or plant overview VDUs is such that they can be observed from multiple locations within the MCR. Unit workstations are spaced to allow sufficient room for side-by-side operation at adjoining unit workstations.
The RSS, emergency operations facility, and technical support center HSIs are derived from the main control room HSIs and are designed to support various staffing arrangements within those facilities.
Human-System Interface Support for Inspection, Maintenance, and Testing The HSI design supports inspection, maintenance, test, and repair of plant equipment. The information records management system is used to control work and manage component tagging for out-of-service conditions; the information records management system is also used to communicate status information with the plant HSI, which uses shading and a color scheme to alert the operators of those conditions on the system display VDU.
Human-System Interface Support for Staffing Conditions The HSIs support minimum staffing. The passive features, modular design and high degree of automation incorporated in the NuScale Power Plant design result in a reduction in the number of alarms, controls, displays, and procedures. The automation, along with the reduced task burden of managing the HSI, enhances
NuScale Final Safety Analysis Report Human-System Interface Design Tier 2 18.7-9 Revision 4.1 the ability of operators to maintain situation awareness of overall plant conditions.
The use of minimum staffing to operate the plant safely is confirmed through the S&Q element of the HFE program.
The HSI design activity includes the MCR facility, which is sized to accommodate enhanced staffing needed during crew meetings and shift turnover, and additional staffing during operating conditions such as refueling, and accident conditions.
Reducing Human Performance Errors and Fatigue The design features incorporated in the NuScale Power Plant design enhance human performance by reducing operator fatigue. Automation of plant functions reduces operator repetitive tasks. Simplified plant design and increased automation result in reduced need for navigation between individual screens. The arrangement or hierarchy of individual screens is based on job analysis, the frequency and sequence of use, and operator role to increase the simplicity of navigation. Task-based displays are incorporated to reduce navigation steps during procedure use. Video display units are designed for pointing device (mouse) operation.
In addition, the detailed design of the MCR facility optimizes facility attributes that are known to affect fatigue, such as lighting, ergonomics, and overall physical layout.
Environmental Conditions for Optimal Operator Performance Environmental conditions in the MCR, including temperature, humidity, air quality, and radiation protection, are controlled using Regulatory Guide 1.196 guidance.
Design of auxiliary systems such as heating, ventilation, and air conditioning system, and lighting systems incorporate inputs from the HFE team.
Human-System Interface Modifications in an Operating Plant The human performance monitoring program (see Section 18.12) evaluates HSI design change proposals against the analyses and design bases established for the as-built design.
18.7.2.4.2 Main Control Room The HSI design addresses the following parameters in accordance with the guidance provided in NUREG-0711. Reference 18.7-2 documents the means by which the HSIs related to these parameters are displayed, as follows:
safety display and indication system bypassed and inoperable status indication relief and safety valve position monitoring containment monitoring core cooling
NuScale Final Safety Analysis Report Human-System Interface Design Tier 2 18.7-10 Revision 4.1 post-accident monitoring leakage control radiation monitoring manual initiation of protective actions diversity and defense-in-depth important human actions computer-based procedure platform The computer-based procedures are designed in accordance with the guidance of NUREG-0700 Section 8, and Section 1 of Digital Instrumentation and Controls Interim Staff Guidance (DI&C ISG-5). Paper copies of selected procedures are available as back-up.
18.7.2.4.3 Technical Support Center, Emergency Operating Facility, and Remote Shutdown Station The emergency operations facility and technical support center will comply with the guidance in NUREG-0696, Functional Criteria for Emergency Response Facilities. The HSIs in the technical support center and emergency operating facility are derivatives of the main control room HSIs and comply with the HSI style guide; however, these HSIs are for information display only. No control functions are provided in any of the emergency response facilities. Similarly, the HSIs in the RSS are also derivatives of the main control room HSIs. The RSS provides both monitoring and control capabilities.
18.7.2.4.4 Local Control Stations The HSIs on the VDU-based LCSs are derived from main control room HSIs. For vendor-supplied LCSs, the NuScale HFE program scope is limited to ensuring that those interfaces adhere to the HSI style guide as closely as possible. Inputs from the vendor-supplied LCSs are replicated on the VDU-based HSI on an as-needed basis.
18.7.2.4.5 Degraded Instrumentation and Controls and Human-System Interface Conditions The NuScale Power Plant HSI is designed to accommodate I&C and HSI system failures. Procedures govern operator identification of and response to the various failure modes.
Failures of I&C sensors are accounted for in the diversity and defense-in-depth coping analysis (Section 7.1). Redundant sensors are provided within system trains and safety systems have multiple trains. Alarm response procedures guide trouble-shooting activities by the operator.
Failures of individual VDUs are accommodated by use of other VDUs at the workstation for the affected unit. Hardware failures that lead to loss of all VDUs at a workstation are accommodated by monitoring of LCSs and redundant
NuScale Final Safety Analysis Report Human-System Interface Design Tier 2 18.7-11 Revision 4.1 MCR-derivative VDUs in the RSS. The unit with failed MCR workstation may be shut down from those alternate HSIs as needed.
Selected automated functions have manual backup at the MCR workstation, LCSs, or a combination of the two. Failures of automation sequences are alarmed in the MCR. Operators also monitor automation for expected plant response and detect automation failures when plant response is not as anticipated.
The NuScale Power Plant design incorporates multiple communication systems, and failure of one system is accommodated by use of another, controlled by procedure.
Task analysis includes consideration of loss of HSIs that support IHAs.
18.7.2.5 Human-System Interface Tests and Evaluations Human-system interface design tests and evaluations include trade-off evaluations and performance-based tests.
Trade-off evaluations pertain to comparing HSI design approaches and consideration of alternatives. In comparing HSI design approaches, consideration is given to ways to enhance human performance for performance of tasks, including IHAs.
Performance-based tests are performed to validate that the integrated system design (i.e., hardware, software, procedures, and personnel elements) supports the safe operation of the plant. The staffing plan validation is a performance-based test that is discussed in Section 18.5.
18.7.3 Results Figure 18.7-1 reflects the MCR configuration that resulted from the HSI design analysis.
Enhancements to the HSI focused on providing improved intuitive interfaces and supervisor oversight to minimize personnel errors, and to support error detection and recovery capability.
Operating up to 12 NPMs from one control room drove the development of a unique concept of operations where one reactor operator can be responsible monitoring multiple modules. This concept drove the HSI design to utilize advanced automation features and develop innovative HSI that allow a single operator to effectively monitor up to 12 modules while maintaining an acceptable workload and maintain situational awareness. The HSI allows the operators to quickly identify off-normal trends, respond to alarm conditions, diagnose events, initiate the appropriate response procedures, and transfer module responsibilities including applicable procedure responses and alarm conditions between reactor operators. The HSI provides at-a-glance displays that quickly and efficiently convey each modules safety function status. Flexibility and redundancy allow defense-in-depth in response to HSI failures. The extensive use of a high fidelity simulator allows performance-based testing to validate the effectiveness of the HSI design.
NuScale Final Safety Analysis Report Human-System Interface Design Tier 2 18.7-12 Revision 4.1 The results of the HSI design analysis, including details of the resulting MCR configuration, are documented in Reference 18.7-2.
The HSI tests and evaluations activities are part of the HSI design analysis, and include HSI inventory and characterization, HSI task support verification, and HSI design verification.
These activities will continue during the detailed design and integration phase to capture the HSI design as it evolves through the verification and validation HFE element.
18.7.4 References 18.7-1 NuScale Power, LLC, Human Factors Engineering Human-System Interface Style Guide, ES-0304-1381, Rev. 2.
18.7-2 NuScale Power, LLC, Human-System Interface Design Results Summary Report, RP-0316-17619, Rev. 1.
NuScale Final Safety Analysis Report Human-System Interface Design Tier 2 18.7-13 Revision 4.1 Figure 18.7-1: NuScale Main Control Room Layout Unit 6 Unit 7 Unit 5 Unit 8 Unit 4 Unit 9 Unit 3 Unit 10 Unit 12 Unit 11 Unit 1 Unit 2 Safety Displays Shift Technical Advisor Shift Manager Reactor Operator 1 Reactor Operator 2 Reactor Operator 3 Control Room Supervisor Common Systems Module Control System Plant Control System Safety Display &
Indication/ Module protection system
NuScale Final Safety Analysis Report Procedure Development Tier 2 18.8-1 Revision 4.1 18.8 Procedure Development Procedures are essential to plant safety because they support and guide personnel interactions with plant systems and personnel responses to plant-related events. The procedure development program incorporates human factors engineering principles and criteria, along with other design requirements, to ensure that procedures are technically accurate, comprehensive, explicit, easy to utilize, validated, and in conformance with 10 CFR 50.34(f)(2)(ii).
The NuScale Power Plant design supports both hard-copy and computer-based procedures.
The infrastructure and functionality for the computer-based procedure content is integrated into the human-system interface design. The NuScale Power Plant concept of operations specifies the relationship and interaction of crew, computer-based procedures, and plant automation through the human-system interface. The concept of operations is further discussed in Section 18.7.
The COL applicants responsibilities for the development of procedures are addressed in Section 13.5.
NuScale Final Safety Analysis Report Training Program Development Tier 2 18.9-1 Revision 4.1 18.9 Training Program Development Training of plant personnel is an important factor in ensuring safe and reliable operation of a nuclear power plant. The training program provides reasonable assurance that plant personnel have the knowledge, skills, and abilities to properly perform their roles and responsibilities.
A COL applicants specific responsibilities for the development of the training program are discussed in Section 13.2.
NuScale Final Safety Analysis Report Human Factors Verification and Validation Tier 2 18.10-1 Revision 4.1 18.10 Human Factors Verification and Validation The human factors verification and validation (V&V) element of the human factors engineering (HFE) program confirms that the final HFE design conforms to accepted HFE design practices and principles and supports plant personnel in the safe and reliable operation of the plant.
This section summarizes the methodology for performing the V&V activities contained in the Human Factors Verification and Validation Implementation Plan (Reference 18.10-1). The methodology is consistent with the applicable provisions of NUREG-0711, Revision 3.
Upon completion of the V&V activities, the results will be summarized in a results summary report (RSR) and submitted to the Nuclear Regulatory Commission.
18.10.1 Objectives and Scope The objective of the human factors V&V program is to verify that the final HFE design conforms to accepted HFE design practices and principles, and enables plant personnel to successfully perform their tasks to assure plant safety and operational goals. Specifically, the V&V program confirms that the final HFE design provides a state-of-the-art human-system interface (HSI) with alarms, information, controls, and task support defined by task analysis needed for personnel to perform their tasks.
provides an HSI that conforms to the HFE guidelines contained in the NuScale style guide.
is validated using performance-based tests using a control room simulator to demonstrate that the integrated system design supports safe operation of the plant.
The scope of the program includes the alarms, controls, indications, and procedures applicable to the main control room (MCR) and the remote shutdown station. The HSI at the remote shutdown station are derived from the HSI in the MCR. The emergency operations facility and the technical support center will comply with the guidance of NUREG-0696, Functional Criteria for Emergency Response Facilities. The HSI in the technical support center and the emergency operations facility are derivatives of the main control room HSI and comply with the HSI style guide; however, these HSI are for information display only. No control functions are provided in any of the emergency response facilities.
For these facilities, the V&V program scope is limited to defining the plant data and voice communication requirements.
18.10.2 Methodology The V&V methodology addresses the following four major V&V activities:
sampling of operational conditions design verification integrated system validation (ISV) human engineering discrepancy (HED) resolution
NuScale Final Safety Analysis Report Human Factors Verification and Validation Tier 2 18.10-2 Revision 4.1 These activities are discussed in the following sections.
18.10.2.1 Sampling of Operational Conditions The sampling of operational conditions process is used to identify a sample of broad and representative range of operating conditions to guide the selection of HSIs to be reviewed during HSI design verification and ISV activities (see Section 18.10.2.2 and Section 18.10.2.3). The sample is deemed representative of the operating conditions if the conditions' safety significance, risk, and challenges to the operating crew are within the range of events that operators are expected to encounter during the plant's life cycle.
The sampling of operational conditions process includes defining the sampling dimensions, scenarios identification, and scenario definition.
18.10.2.1.1 Sampling Dimensions A range of plant operating conditions, personnel tasks, and situational factors are considered in the sampling process. Plant operating conditions considered in the sampling process include normal operating conditions including startup, shutdown, applicable portions of refueling, low-power operation, and significant power changes.
instrumentation and controls and HSI failures and degraded conditions.
transients and accidents.
The personnel tasks considered in the sampling process include the following:
important human actions (IHAs) and factors that contribute highly to risk (see Section 18.6) protective functions initiation by manual means either planned or as backup to automation monitoring of automation sequences tasks identified during operating experience review (see Section 18.2) as problematic procedure-guided tasks from normal, abnormal, emergency, and alarm response procedures tasks not well-defined by detailed procedures (e.g., knowledge-based tasks) tasks requiring diverse use of human cognitive abilities tasks requiring a range of interactions among plant personnel (e.g., personnel interactions within the MCR and between MCR operators and personnel at other locations such as the technical support center and the emergency operations facility) and between MCR operators and non-plant personnel Situational factors, especially those known to challenge human performance, considered in the sampling process include
NuScale Final Safety Analysis Report Human Factors Verification and Validation Tier 2 18.10-3 Revision 4.1 high-workload and multi-tasking situations.
varying-workload or workload transition situations (e.g., abrupt increase or decrease in number of alarms or indications needing monitoring).
fatigue-inducing situations (e.g., repetitive/high frequency tasks, back shift).
environmental factors (e.g., noise, temperature, normal expected variation in MCR lighting).
18.10.2.1.2 Identification of Scenarios The selected scenarios are those that have both positive and negative outcomes.
require varying degrees of administrative burden (simulator set-up, instructor input).
minimize the use of well-known and well-structured sequences (e.g., textbook design-basis accident mitigation).
can be performed on a simulator.
To avoid or minimize bias, goals and conditions are established and incorporated for each scenario to be selected.
18.10.2.1.3 Scenario Definition Scenarios selected during the sampling of operational conditions and scenario development processes, and used for design verification, and ISV (see Section 18.10.2.2 and Section 18.10.2.3), are defined so that they can be performed on a simulator, and to provide a consistent, objective, and high-fidelity environment in which to validate performance of integrated systems. The scenarios involve major plant evolutions or transients, reinforce team concepts, and identify the role of each individual within the crew. Tasks performed by operators remote from the MCR are modeled in the ISV scenario and realistically simulate effects on personnel performance due to potentially harsh environments.
Scenarios are selected to confront the crew with challenging normal conditions and abnormal events containing multiple and unanticipated failures. Scenario definition is complete when each sampling of operational conditions criterion is addressed at least once in at least one scenario.
18.10.2.2 Design Verification Human-system interface design verification includes HSI inventory and characterization, HSI task support verification, and HFE design verification.
18.10.2.2.1 Human-System Interface Inventory and Characterization Human-system interface characterization defines the functionality of the HSI. The scope of HSI inventory includes alarms, controls, indications, procedures, and
NuScale Final Safety Analysis Report Human Factors Verification and Validation Tier 2 18.10-4 Revision 4.1 automation for the HSI that personnel require to complete the tasks covered in the validation scenarios that are identified by the sampling of operational conditions.
The list of HSI inventory includes aspects of the HSI used for managing the interface, such as navigation and retrieving displays, utilizing automation, use of computer-based procedures, management of notifications and alarms, as well as those that control the plant.
The HSI inventory and characterization information is verified using the control room simulator. The simulator advances the HSI characterization by providing the verifier with a desktop interface that simulates indications, controls, alarms, procedures, and control panels as well as the means of navigation between elements. The simulator also supports inventory and characterization of non-screen-based HSI (e.g., voice communication). The simulator allows the verifier to confirm the visual aspects of the HSI during HSI task support verification, including conformance to the HSI style guide during HFE verification.
Human-system interface task support verification related to performance (e.g.,
accuracy and dynamic response) is also supported by the simulator.
18.10.2.2.2 Human-System Interface Task Support Verification Human-system interface task support verification confirms that the HSI design accurately reflects the HSI inventory and characterizations required by the TA. The HSI support verification is based on the TA results that define the inventory and characterization for the alarms, controls, indications, procedures, automation, and task support needed to execute operator tasks including manual tasks, automation support tasks, and automation monitoring tasks. The most recent TA results provide the basis for task support verification.
In addition to the most recently completed TA, the task support verification is based on the HSI inventory characterization including detailed descriptions of the final HSI design.
review of the alarms, controls, indications, procedures, automation, and system navigation capabilities.
HSI screen shots and drawings as applicable.
The HFE team conducting HSI task support verification performs a comparison of the personnel task requirements identified by the TA with the available alarms, controls, indications, and procedures in the HSI inventory. The team uses a verification procedure to control bias and improve consistency.
Results of the task support verification will be documented in the V&V results summary report (see Section 18.10.3).
An HED is written when an HSI is needed for completion of a task and is not identified or not available.
is identified as available but is not needed for any task.
NuScale Final Safety Analysis Report Human Factors Verification and Validation Tier 2 18.10-5 Revision 4.1 does not meet the established requirements for the task.
The HSI deficiency is evaluated and corrected using the HED process.
18.10.2.2.3 Human Factors Engineering Design Verification Human factors engineering design verification is conducted to confirm that HSI characteristics conform to HFE guidelines as represented in the style guide (see Section 18.7). The style guide is a document that contains guidelines that have been tailored so they describe the implementation of HFE guidance for the NuScale design.
The style guide provides the criteria for HFE design verification.
To assure consistency of results and to control analyst bias, HFE design verification is conducted in accordance with written procedures.
Human engineering discrepancies are created for HSIs that do not meet the HFE design criteria. Subsequent HED evaluation determines the extent of the discrepancy and potential indicators of additional issues across the HSI. The sampling based on the sampling of operational conditions is expanded to encompass other display and control formats of the HSI if determined to be necessary.
18.10.2.3 Integrated System Validation Integrated system validation validates that the integrated system design (i.e.,
hardware, software, procedures, and personnel elements) supports the safe operation of the plant. Validation is achieved using performance-based tests and by performing the ISV scenarios using a fully-developed simulator. Development of scenarios is discussed in Section 18.10.2.1. Performance measures used for assessing ISV results are described in Section 18.10.2.3.5.
The ISV is performed after the significant HEDs that were identified during verification reviews have been resolved and the resulting design changes implemented on the simulator.
18.10.2.3.1 Validation Team The validation team performing the ISV consists of the test team (test administrators, operations and HFE observers, and simulator operators) and operating crews. The test team administers the ISV and collects data via questionnaires, post-scenario debriefing, personal observations, and simulator-archived data. Videos are available for review as needed. The operating crews are assigned to roles appropriate to their skill and knowledge level within each scenario.
Operating crews are prevented from obtaining advanced knowledge of the specific ISV scenarios as appropriate. Bias is reduced by the training program applicable to
NuScale Final Safety Analysis Report Human Factors Verification and Validation Tier 2 18.10-6 Revision 4.1 each validation team member; in addition, the test results are obtained by consensus of the test team rather than individual observations.
18.10.2.3.2 Test Objectives The objectives of the ISV are to validate the acceptability of shift staffing level for all plant conditions, assignment of tasks to crew members, and crew coordination within the MCR, between the MCR and local control stations and support centers, and with individuals performing tasks locally.
the design capability for alerting, informing, controlling, and feedback to enable successful completion of personnel tasks during normal plant evolutions, transients, design basis accidents, and under selected risk-significant events beyond design basis, as defined by sampling of operational conditions.
that specific personnel tasks can be accomplished within the time and performance criteria, with effective situational awareness and acceptable workload levels that balance vigilance and personnel burden.
that the HSI minimize personnel error and assure error detection and recovery capability when errors do occur.
the assumptions about performance of IHAs.
18.10.2.3.3 Validation Testbeds The principal validation testbed for the ISV is the control room simulator. The fidelity of the simulator model and HSI is verified to represent the current, as-designed NuScale Power Plant prior to use of the simulator as the testbed for the validation.
Discrepancies found during the simulator verification are corrected prior to starting the ISV. Alternately, if the simulator represents a more recent version of the HSI than was previously verified, the verification is reconfirmed on the simulator.
The validation testbed attempts to accurately simulate the plant MCR environment. Where this is not achievable by the testbed, an exception is taken and noted in the human factors V&V results summary report. If necessary, changes are also made to the ISV test procedure to reflect the alternate testbed configuration. In the event the validation team considers testbed discrepancies to affect specific aspects of the validation results, an HED is generated to document the discrepancy. The HED is resolved in accordance with the HED resolution process (see Section 18.1).
The testbed represents a complete and integrated system with HSI and procedures not specifically required in the test scenarios. The testbed further represents interfaces (i.e., communications) with other remote locations and local control stations to provide an integrated system).
NuScale Final Safety Analysis Report Human Factors Verification and Validation Tier 2 18.10-7 Revision 4.1 The testbed's HSI and procedure functionality is represented by a high degree of physical fidelity in the HSI and procedures, including accurate presentation of alarms, controls, indications, procedures, automation, job aids, communications, interface management tools, layout, and spatial relationships.
a testbed, which is a replica in form, appearance, and layout of the MCR design to be implemented in the actual plant.
a high degree of functional fidelity in the HSI and procedures so that the HSI functions are available and the HSI component modes of operation, types of feedback, and dynamic response characteristics operate in the same way as designed in the plant.
The testbed's environmental fidelity is such that it is representative of the actual NuScale Power Plant with regard to lighting, noise, temperature, humidity, and ventilation characteristics. In cases where the testbed cannot accurately simulate the environment, the ISV captures human factors engineering issue tracking system entries for further evaluation and resolution.
The testbed's high degree of fidelity for data completeness, data content, and data dynamics is demonstrated by information and data provided to personnel represent the complete set of plant systems monitored and controlled from that facility.
the alarms, controls, indications, and procedures presented are based on an underlying plant model that accurately reflects the NuScale Power Plant.
the plant model provides input to the HSI in a manner such that information flow and control responses occur accurately and in a correct response time.
Information is provided to personnel with the same delays as would occur in the plant.
The NuScale Power Plant has no IHAs that are conducted outside of the MCR. In the event that a remote IHA is required, the testbed uses mock-ups to verify human performance requirements for IHAs conducted at HSIs remote from the MCR.
18.10.2.3.4 Plant Personnel Individual operating crews participating in the ISV as test subjects (see Section 18.10.2.3.1) may be previously licensed commercial reactor or senior reactor operators, operators with Navy nuclear experience, or independent design engineering staff familiar with the NuScale Power Plant design. The personnel participating in ISV are trained, qualified, and are assigned to roles commensurate with their experience, skill, and knowledge level.
The crew participant selection process is such that it avoids individuals who are known to possess a bias that impacts the ISV, who have supported the ISV test development and pilot test, and who are involved in the design of the HSI or are part of the V&V team.
NuScale Final Safety Analysis Report Human Factors Verification and Validation Tier 2 18.10-8 Revision 4.1 Crew size for the validation tests includes a range of expected sizes to assure that the HSI supports operations and event management. This range includes the minimum, nominal, and higher operating crew levels, as defined during the HFE program staffing and qualifications element (see Section 18.5) for positions such as senior reactor operator, reactor operator, and shift technical advisor, for all plant modes. The crew size for each scenario is identified in the ISV test procedure.
The ISV includes at least one scenario with more than minimum crew staffing defined in the staffing and qualifications element (e.g., additional licensed operators to complete a complex evolution) to simulate conditions during times of high control room traffic and distractions, and high environmental loading. The roles of the additional personnel and their interaction with the operating crew are determined by the scenario developers based on meeting the test objectives and goals and by applying the sampling of operational conditions criteria.
18.10.2.3.5 Performance Measurement Performance measures for ISV are hierarchical and include measures of plant performance, personnel task performance, situation awareness, cognitive workload, and anthropometric and physiological factors. Performance measures are designated as either pass/fail or diagnostic. Diagnostic measures are measurable and the criteria include both range and unit of measures.
18.10.2.3.5.1 Types of Performance Measures Plant performance resulting from operator action or inaction includes plant process data and component status (e.g., on/off; open/closed) as a function of time at as many locations in the plant simulation as possible. Any plant component that provides plant process data or component status in the plant is simulated with full fidelity. The testbed has the ability to record plant process data and component status (including state changes) for the full length of any ISV scenario.
For each scenario, primary and secondary tasks that are required to be performed are identified and assessed. Primary tasks are those involved with function and task completion including detection, assessment, planning, and response. The level of detail to which primary tasks are measured and performance measures selected are assessed based on the complexity of the task. It may only be necessary to measure time and accuracy for a lower level, rule-based tasks to recognize and respond, while knowledge-based tasks (e.g.,
detection, seeking additional data, making decisions, or taking actions) may entail the use of more detailed performance measures.
Secondary task performance measures reflect the workload associated with HSI manipulations for maintaining the overall plant. Test personnel evaluate secondary tasks in conjunction with primary tasks to observe effects on overall performance and workload both at individual and operations crew level.
Personnel task performance measurements are selected to reflect those aspects of the task that are important to system performance (e.g., time,
NuScale Final Safety Analysis Report Human Factors Verification and Validation Tier 2 18.10-9 Revision 4.1 accuracy, frequency) and used depending on the particular scenario. For knowledge-based tasks, more detailed data (e.g., number of navigational steps, accuracy of actions) are collected in order to assess the complexity of the crew actions.
Objective measures of individual and crew performance are also collected during validation scenarios and are used in the evaluation. These include:
video recordings of operator performance the alarm history log operator control interactions plant variable control interactions (resulting from operator controls) component status change the HSI use log (display screen request history and operational history)
The capturing of data using cameras enables documenting the operator actions as they are performed, thus allowing comparison to what was expected. Comparison of actual to expected actions is an important method to identify errors of omission and commission.
To measure situation awareness, ISV applies a combination of objective measures and subjective post-scenario questionnaire methods. Performance measures for situation awareness are obtained using non-intrusive human performance measures as well as subjective questionnaires.
To measure cognitive workload, the ISV employs questionnaires and observations of operators' ability to gather specific plant information, and crew performance.
Anthropometric and physiological performance measures are employed during ISV to assess those aspects of the design that cannot be evaluated during design verification. Anthropometric and physiological performance measures evaluate how well the HSI supports plant personnel in monitoring and controlling the plant. Anthropometric challenges are collected through observations by test personnel during the scenarios or during review of video recordings.
18.10.2.3.5.2 Performance Measure Information and Validation Criteria Subjective assessments of the HSI and its impact on performance, including self-ratings of workload, situation awareness, and teamwork, are conducted by the validation team. Operator feedback on the HSI is collected via post-scenario debriefs and questionnaires. Operator feedback includes scale rating questions and open feedback (long answer) questions.
Objective data (e.g., video recording, administrator observations) collected during test scenarios are analyzed as necessary to assess impacts of operator actions on plant processes and equipment states. The analysis compares the
NuScale Final Safety Analysis Report Human Factors Verification and Validation Tier 2 18.10-10 Revision 4.1 performance derived from parameters and times collected by the simulator to the evaluation criteria for operator actions and for overall plant process behavior developed for each scenario.
The test team documents their observations on post-scenario observer forms immediately after the scenarios. Observations include individual assessment of crew performance (including any observed performance issues), technical and teamwork performance, crew size sufficiency, and any potential HEDs.
The operating crews also document their feedback on a post-scenario observer form, similar to that used by the test team, immediately after the scenario.
The data collected from subjective and objective sources are analyzed by the test team to determine the sufficiency of the HSI design.
18.10.2.3.6 Test Design Test design is a process of developing scenarios, test planning, and conducting ISV with a goal of permitting the observation of integrated system performance while minimizing bias.
The test design characteristics that are important to support ISV validity include scenario sequencing, test procedures, test personnel training, participant training, and pilot testing.
18.10.2.3.6.1 Scenario Sequencing For selection of crew or the order of scenario presentation, NuScale uses the industry standard guidance provided in NUREG/CR-6393.
18.10.2.3.6.2 Test Procedures Prior to start of ISV, detailed test procedures are prepared to manage the tests, assure consistency, control test bias, support repeatable results, and focus the test on the specific scenario objectives. Scenario developers use test procedures to build the scenario set, and the test team uses them to set up each scenario, manage the scenario, and analyze the test results.
Integrated system validation test procedures are designed to minimize the introduction of bias by both test team and operating crews.
18.10.2.3.6.3 Training Test Personnel Prior to start of ISV, the test team is trained on NuScale Power Plant systems, the HSI, and ISV test procedures. Training consists of both classroom and simulator time with well-defined training goals, and emphasis on the use of test procedures, documenting the problems identified during testing, and the bias and errors that test personnel may introduce into the data.
NuScale Final Safety Analysis Report Human Factors Verification and Validation Tier 2 18.10-11 Revision 4.1 18.10.2.3.6.4 Training Test Participants Test participants training topics are similar to those for plant operators, which include NuScale Power Plant systems, the HSI, plant events, and operating procedures. Test participants are not privy to the test scenarios prior to commencement of the scenarios.
To assure near-asymptotic performance and a consistent level of proficiency between individuals making up the operating crews, only participants who have successfully completed the training program and have reached an acceptable level of proficiency are considered to be qualified for operating crew assignment.
18.10.2.3.6.5 Pilot Testing A pilot test, or pre-validation test, is conducted to assess the adequacy of the test design, performance measures, and data collection methods.
give the observer/administrators experience in running the test.
ensure that the ISV runs smoothly and correctly.
The pilot test is conducted by a test crew that does not participate in an ISV.
18.10.2.3.7 Data Analysis and Human Engineering Discrepancy Identification Test data are analyzed using both quantitative and qualitative methods. The analysis identifies the relationship between the observed and measured performance and the established acceptance criteria described in Section 18.10.2.3.5.2.
The broad-reaching testing and number of performance measures to be evaluated limit the ability to perform statistical analyses. Testing of multiple scenarios with multiple crews (generally, each crew develops a different strategy) makes it impractical to arrive at conclusions based on performance of the population or deviations from a norm. Therefore, the test team evaluates any instances where a performance measure is not met to determine causal factors.
Design-related deficiencies identified for indications, controls, alarms, or procedures are documented in an HED. Previous HFE program elements may need to be evaluated to resolve the deficiency. The HSI design is not considered validated until an HED initiated as a result of ISV is resolved. Test-related deficiencies are documented in the human factors engineering issue tracking system and may result in changes to the test procedure or scenario definition.
Human engineering discrepancies resulting from ISV are prioritized according to importance. Priority 1 HEDs are those that have a potential direct or indirect impact on plant safety and are resolved before HFE verification and validation is considered complete. Human engineering discrepancies initiated as a result of a
NuScale Final Safety Analysis Report Human Factors Verification and Validation Tier 2 18.10-12 Revision 4.1 performance measure not being met (pass/fail performance measures) are priority 1 HEDs. Cross-cutting issues determined through HED analysis or performance measure analysis are priority 1 HEDs due to their global impact on the HSI design performance. Priority 2 HEDs are those that have a direct or indirect impact on plant performance and operability. Priority 2 HEDs are determined through V&V analysis, and are resolved before the plant design is implemented. Priority 3 HEDs are those that do not fall into priority 1 or priority 2, and are addressed as time and resources allow. The HEDs are resolved/closed after further analysis by either identifying changes to the plant design, by changes to the procedures, providing training to the staff, by other administrative means, or by justifying the deviation as acceptable.
Assessments attained by different means, which are intended to measure same or similar performance measures, are compared. When differing conclusions are reached, more detailed cause analysis is performed, including the review of simulator logs, video and audio tapes, if necessary. Measuring convergence may be necessary for a single team and single scenario or for multiple teams and across several scenarios depending on the performance measure.
Expert judgment is employed to infer a margin of error from the observed performance or data analysis. This allows for the possibility that actual performance may be slightly more variable than ISV test results.
Integrated system validation data analysis is reviewed to verify the correctness of the analyses of the data. Data and data-analysis tools (e.g., equations, measures, spreadsheets, expert opinions, resulting HEDs) are documented and available for review and subsequent audit and application during HFE program elements design integration or human performance monitoring.
18.10.2.3.8 Validation Conclusions Conclusions from the ISV will be documented in the RSR. This includes the bases for determining that the integrated system performance is acceptable, and the limitations in the validation tests, their possible effects on validation conclusions and their impact on implementing the design.
18.10.2.4 Human Engineering Discrepancy Resolution Resolution of HEDs resulting from task support verification, design verification, and ISV is a major activity of the human factors V&V element. The HED resolution process follows the general process described in Section 18.1 with the following additional requirements.
Human engineering discrepancies generated during task support verification are resolved (with resulting design changes completed) prior to completion of task support verification. Sampling is expanded if a significant number of HEDs are generated during task support verification to include additional TA input requirements beyond ISV scenarios.
NuScale Final Safety Analysis Report Human Factors Verification and Validation Tier 2 18.10-13 Revision 4.1 Human engineering discrepancies resulting from design verification are resolved (and any resulting HSI design changes implemented in the test facility) prior to the start of the ISV. This assures that ISV tests the final HSI design.
Human engineering discrepancies resulting from ISV are resolved within ISV whenever practical based on importance level and prior to additional testing. At the point of documenting an ISV human engineering discrepancy, completed tests are evaluated to determine the need for retesting.
Human engineering discrepancies that are unresolved may be found to be acceptable following evaluation by the HFE team in the context of the integrated design. The decision for accepting an HED without change in the integrated design is based on accepted HFE practices, current published HFE literature, trade-off studies, tests, or engineering evaluations.
Human engineering discrepancy resolution is performed iteratively with V&V; that is, an HED identified during one V&V activity may be addressed before conducting other V&V activities, depending on the HED priority and its potential impact on the next phase of the V&V.
The HED resolution process involves evaluation of the HEDs to determine if they require correction, identification of design solutions to address HEDs that must be corrected, and verification that the design solutions have been implemented.
To determine whether the HEDs require correction, the HEDs are categorized into three principal categories (Priorities 1, 2, and 3) on the basis of their impact on personnel tasks and functions, plant systems, cumulative effects, and HEDs as indications of broader issues. Refer to Section 18.10.2.3.7 for a discussion of the three principal priorities.
Design solutions are developed and evaluated to address those HEDs that are required to be corrected. Design solution for a given HED demonstrates resolution of that HED.
Consideration is given to inter-relationships of individual HEDs as part of design solution. Evaluation of the design solution also ensures that no new HEDs are introduced.
As described in Section 18.1, HED evaluations are documented in the human factors engineering issue tracking system. The documentation includes related personnel tasks and functions.
related plant systems.
cumulative effects of HEDs.
HEDs as indications of broader issues.
design changes made for individual HEDs and their status.
compliance of design change with V&V evaluation criteria.
the basis for not correcting an HED.
NuScale Final Safety Analysis Report Human Factors Verification and Validation Tier 2 18.10-14 Revision 4.1 18.10.3 Results Once the V&V activities are completed, the results will be compiled in an RSR. The contents of the RSR will be consistent with the methodology described in Reference 18.10-1 and the applicable NUREG-0711 guidance.
18.10.4 References 18.10-1 NuScale Power, LLC, "Human Factors Verification and Validation Implementation Plan, RP-0914-8543-P, Rev. 4.
18.10-2 American National Standards Institute/American Nuclear Society, "Nuclear Power Plant Simulators for Use in Operator Training and Examination,"
ANSI/ANS 3.5-2009, LaGrange Park, IL.
NuScale Final Safety Analysis Report Design Implementation Tier 2 18.11-1 Revision 4.1 18.11 Design Implementation The design implementation element of the human factors engineering (HFE) program verifies that the implemented (as-built) HFE design accurately reflects the verified and validated design resulting from the HFE design process. This includes evaluation of the design features that could not be evaluated during the human factors verification and validation (V&V) process (see Section 18.10).
Design implementation is completed when plant construction is complete. After completion of start-up testing, a licensee institutes a human performance monitoring program (see Section 18.12) to evaluate impacts of design changes on human performance during operation.
This section provides a summary of the design implementation methodology. A more detailed description of the methodology is provided in the Human Factors Engineering Design Implementation Implementation Plan (Reference 18.11-1). The design implementation methodology is consistent with the applicable provisions of NUREG-0711, Revision 3.
The completion of design implementation activities is confirmed by an Inspections, Tests, Analysis, and Acceptance Criteria item addressed in Section 14.3. This ensures that the as-built design conforms to the verified and validated design resulting from the HFE design process.
18.11.1 Objectives and Scope The objectives of design implementation are to evaluate those aspects of the design that were not addressed in the human factors V&V (see Section 18.10).
confirm that the final (as-built) human-system interfaces (HSIs), procedures, and training program conform to the NuScale Power Plant design HSIs, procedures, and training program.
confirm that the remaining human engineering discrepancies (HEDs) and open items in the human factors engineering issues tracking system are appropriately addressed and resolved.
The HSIs, procedures, and training program evaluated for conformance apply to the main control room (MCR), technical support center (TSC), remote shutdown station (RSS),
emergency operations facility (EOF), and certain local control stations (LCSs).
18.11.2 Methodology The methodology described in Reference 18.11-1 addresses the objectives described above and ensures that the as-built design is in conformance with the verified and validated standard design.
NuScale Final Safety Analysis Report Design Implementation Tier 2 18.11-2 Revision 4.1 18.11.2.1 Aspects of the Human Factors Engineering Design not Verified During Verification and Validation Aspects of the HFE design that are not addressed in the HFE verification and validation include modifications to the standard design and the HFE aspects that cannot be performed in the simulated environment. This may include design characteristics, such as new or modified displays for plant-specific design features.
Features that may not be accurately simulated include ergonomic considerations, such as lighting and background noise.
HSIs outside the MCR but within the plant HFE program scope, including the TSC, RSS, EOF, and certain LCSs.
18.11.2.2 Verification of As-Built Human-System Interfaces, Facility Configuration, Procedures, and Training The methods used to verify conformance of the final HSIs, facility configuration, procedures, and training program to the planned design (that resulted from the HFE design process and V&V activities) include configuration control, HFE review, plant walkdowns, and reviews of potential design changes.
For the MCR, TSC, RSS, EOF, and certain LCSs, the evaluation for conformance addresses the as-built aspects of the software and hardware configurations, facility configurations, and other aspects of the facility that are not simulated but are relevant to the overall HFE program.
The conformance evaluation of software, hardware, and facility configurations confirms clear configuration-controlled design traceability for the HSIs (alarms, controls, indications, and procedures) and peripheral equipment. The as-built configuration is compared to drawings, specifications, and other final design documents used for integrated system validation (ISV) (see Section 18.10) to determine conformance. If the configuration does not conform exactly, further HFE review is conducted to determine if the as-built HSI is equivalent to the HSI of the ISV with regard to HFE design standards such as the HSI style guide.
Conformance assessment of facility configuration is conducted by plant walkdown and includes physical configuration of workstations, panels, and displays.
visibility and sight lines.
accommodations for communication.
inclusion of emergency plans and personal protection equipment.
lighting.
background noise.
environmental controls and conditions (e.g., temperature and humidity).
NuScale Final Safety Analysis Report Design Implementation Tier 2 18.11-3 Revision 4.1 Evaluation of aspects of the facility that are not simulated (e.g., LCSs) but are relevant to the overall HFE program includes a walkdown to confirm conformance to the documentation approved by the HFE team (results of HFE analyses, style guides, etc.) and to human factors V&V conclusions.
a subject matter expert review of suitability of use of operating procedures for LCSs.
a subject matter expert evaluation of training material used for MCR, TSC, RSS, EOF, and LCS human-system interfaces.
Where the evaluation cannot confirm that the as-built HSIs, procedures, and training design are the same as or equivalent to the planned design, an HED is generated and tracked as discussed below.
18.11.2.3 Verification that Human Factors Engineering Issues in Issue Tracking System are Addressed HEDs found during design implementation activities are documented, evaluated, and tracked by the licensee performing these activities. The HEDs are tracked in the licensee's QA policy related programs and processes. The HEDs from earlier HFE program elements and those generated during human factors V&V activities are addressed as follows:
All HEDs affecting the ISV are closed prior to the ISV.
All priority 1 HEDs are closed prior to submitting the V&V Results Summary Report.
All Priority 2 and any new priority 1 HEDs are closed prior to turning over HFE program responsibility to the licensee.
All Priority 3 HEDs open at the time the HFE program responsibility is turned over to the licensee and any Priority 1 and 2 HEDs identified after turnover are tracked and resolved in accordance with the licensees programs and processes.
18.11.2.4 Addressing Important Human Actions Important human actions are identified, addressed, and tracked as described in Section 18.6, and are incorporated into the HSI design as described in Section 18.7.
18.11.3 Reference 18.11-1 NuScale Power, LLC, Human Factors Engineering Design Implementation Implementation Plan, RP-0914-8544, Rev. 1.
NuScale Final Safety Analysis Report Human Performance Monitoring Tier 2 18.12-1 Revision 4.1 18.12 Human Performance Monitoring COL Item 18.12-1: A COL applicant that references the NuScale Power Plant design certification will provide a description of the human performance monitoring program in accordance with applicable NUREG-0711 or equivalent criteria.