ML20197K065
Text
m 4
d o
UNITED STATES I
NUCLEAR REGULATORY COMMISSION
~,,
o 74 j
WASHINGTON. D. C. 20555
...../
JUL 2 41985 MEMORANDUM FOR:
George W. Knighton, Chief Licensing Branch No. 3 Division of Licensing FROM:
William H. Regan, Jr., Acting Chief Human Factors Engineering Branch Division of Human Factors Safety
SUBJECT:
IN-PROGRESS AUDIT REPORT OF THE DETAILED CONTROL ROOM DESIGN REVIEW FOR DIABLO CANYON NUCLEAR POWER STATION UNITS 1 AND 2 The audit conducted during February 11-15, 1985 was planned to be a Pre-Implementation Audit. However, based on the status of the licensee's Detailed Control Room Design Review (DCRDR), we conducted an In-Progress Audit of the control room for the Diablo Canyon Nuclear Power Station Units 1 and 2.
The enclosed In-Progress Audit (IPA) Report provides the basis for this evaluation with respect to the DCRDR being conducted by the Pacific Gas and Electric Company (PG&E).
We reviewed the organization, processes, and results of the licensee's DCRDR, against the requirements contained in Supplement 1 to NUREG-0737, and guidance contained in NUREG-0700 and NUREG-0800, Standard Review Plan, Section 18.1, Revision 0 and Appendix A to Section 18.1, Revision 0.
Our review included the following:
1.
The IPA' conducted February 11-15, 1985, (Enclosure 1);
2.
A review of PG&E's:
a.
Sumary Report dated December 28, 1984, by the staff and consultants from Science Applications International Corporation (SAIC);
b.
DCRDR Program Plan dated August 2, 1983.
The staff concludes that PG&E's DCRDR does not satisfy the requirements of Supplement 1 to NUREG-0737.
It is recommended that a meeting be held in Bethesda, Maryland to discuss how PG&E plans to modify their DCRDR process so
Contact:
W. N. Thompson
[7 x24886 05M$L OsE6ee k
N n; rn o
4-.u,
J George W. Knighton JUL 2 41985 that their review can lead to a successful DCRDR. During this meeting the staff expects to establish a Supplemental Summary Report submittal date.
The enclosed IPA Report identifies information that should be submitted by the licensee in a Supplemental Summary Report (SSR) in order for the NRC to complete its evaluation of the licensee's DCRDR. Depending on the acceptability of the SSR, we may plan to conduct an on-site Pre-Implementation Audit within 30 days of submittal of the SSR. A Supplemental Safety Evaluation Report will be prepared by the staff based on the information contained in the SSR and the Pre-Implementation Audit.
The enclosed IPA Report, prepared by consultants from SAIC, provides results of the IPA conducted February 11-15, 1985 and a suggested agenda for a Diablo Canyon DCRDR meeting (pp. 21 and 22). The staff agrees with the technical content and conclusions of the SAIC report and requests that the audit report be transmitted to PG&E for their use in (a) preparing for the meeting, and (b) completing the DCRDR.
We suggest the Project Manager arrange for a meeting in Bethesda with PG&E within 60 days after the licensee receives the IPA Report.
llilliam H. Rega, J., Acting Chief Human Factors E gineering Branch Division of Human Factors Safety
Enclosure:
As stated cc:
D. Crutchfield H. Shierling W. Paulson M. Fineberg, SAIC R. Peterson, LLNL l
i l
INFORMAL TECHNICAL COMMUNICATION 2
Date July 12, 1985 70:
R. Ramirez FROM:
M.L. Finebergfit$
U.S. Nuclear Regulatory Consnission Science Applications International Corp.
Washington, D.C. 20555 1710 Goodridge Drive McLean, VA 22102 Attention:
Reference:
SAI Project 1-263-03-020-XX NRC Contract NRC-03-82-096 NRC TAC No.
SAI Task FWA-19 1-263-07-557-XX
Title:
DetailedControlRoomDesignReviewEvaluations,PhasesIIIY
Attachment:
In-Progress Audit of the Detailed Control Room Design Review for Diablo Canyon Power Plant, Units 1 and 2, Final Report.
7 ~~
Message:
Transmittal.
l l
NRC cc:
S. Bajwa SAI cc:
R. Liner C. Kain Comex:
- D. Tondi D. Jackson J. Stokley M. Good N. Thompson N. Meyer L. Beltracchi T. O'Donoghue Task File: 1-263-07-557-86/87
a IN-PROGRESS AUDIT OF THE DETAILED CONTROL ROOM DESIGN REVIEW FOR DIABLO CANYON POWER PLANT, UNITS 1 AND 2 FINAL REPORT July 12,1985 Prepared by Science Applications International Corporation 1710 Goodridge Drive McLean, Virginia 22102 Prepared for U.S. Nuclear Regulatory Commission Washington, D.C. 20555 Contract NRC-03-82-096
?S$26i656L'86ff6
i e
TABLE OF CONTENTS Section Page Foreword.............................
1 Introduction...........................
1 Background............................
2 Discussion............................
4 Planning Phase 4
Element 1 Establishment of a Review Team..........
4 Element 2 Function and Task Analysis............
5 Element 3 The Control Room Inventory............
8 Element 4 The Control Room Survey.............
8 Element 5 Assessment of HEDs................
13 Element 6 Selection of Design Improvements.........
15 Elements 7 and 8 Verification That Selected Improvements Will Provide the Necessary Correction and Will Not Introduce New HEDs................
16 Element 9 Coordination of Control Room Improvement With Changes From Other Programs :
17 Co n cl u s i o n s............................
18 Suggested Agenda for Meeting...................
20 References............................
22 Attachment A Audit Agenda 23 Attachraent B Review of the Safety Parameter Display System..
28 Attachment C Audit Meeting Attendance Lists..........
31
FOREWORD This report was prepared by Science Applications International Corporation (SAIC) under Contract NRC-03-82-096, Technical Assistance in Support of NRC Licensing Actions:
Program III. NRC previously evaluated Pacific Gas and Electric Company's (PG&E) program plan (Reference 1) for conducting Detailed Control Room Design Reviews (DCRDR) at Diablo Canyon.
NRC staff comments on PG&E's program plan were forwarded to the licensee on November 10,1983 (Reference 2).
The SAIC evaluation team held discussions with the HFEB staff in the course of evaluatir.g PG&E's Summary Report (Reference 3) and in preparing this report.
Subsequent to a review of the Summary Report the NRC and its contractors conducted an on-site in-progress audit (February 11-15, 1985).
The audit was necessary in order to gather further information on which to base a valid assessment of the DCRDR.
The audit also provided an opportunity to address concerns that resulted from an NRC staff review of Diablo Canyon's Safety Analysis Report for their Safety Parameter Display System (SPDS).
The audit was conducted by a team comprised of two r~
representatives from the NRC, two representatives from SAIC, and one representative from Comex Corporation (a subcontractor to SAIC).
4 9
O e
b IN-PROGRESS AUDIT OF THE DETAILED CONTROL ROOM DESIGN REVIEW FOR DIABLO CANYON POWER PLANT, UNITS 1 AND 2 INTRODUCTION Pacific Gas and Electric Company (PG&E) submitted a Detailed Control Room Design Review (DCRDR) Program Plan for Diablo Canyon Power Plant Units 1 and 2 (DCPP) on August 2, 1983 (Reference 1).
Nuclear Regulatory Commission (NRC) staff comments on that Program Plan were forwarded to PG'E on November 10,1983 (Reference 2).
PG&E submitted the Summary Report for -
the DCRDR on December 28,1984 (Reference 3).
Based on review of the Summary Report, the NRC staff planned a pre-implementation audit of the DCPP DCRDR. That audit was arranged through the NRC Project Manager for DCPP and was scheduled for February 11-15, 1985.
The purpose of the audit was to compare the products of the DCPP DCRDR against the DCRDR requirements of Supplement 1 to NUREG-0737. The audit included review of DCRDR documentation, visits to the control room, remote shutdown, portions of a half-scale mockup 2nd simulator, and discussion of PG&E's activities. Attachment A provides the audit agenda.
A major finding of the audit, which is documented in this report, was that DCPP has a significant amount of work to finish in order to meet the requirements of Supplement 1 to NUREG-0737.
Additionally DCPP has, in some cases, implemented methodology which will not meet the intent of Supplement I to NUREG-0737. Consequently the overall level of completion of the DCRDR j
requirement did not permit a pre-implementation audit, rather the audit team Performed.an in-progress aedit.
i The audit also included an on-site review of the DCPP Safety Parameter Display System (SPDS).
The purpose of that review was to address concerns regarding the human factored design of the display formats and to permit visual inspection of the installed SPDS. Results of the review are provided in Attachment B.
1 l
}
e
i The audit team was comprised of two NRC members, two consultants from SAIC, and a consultant from Comex Corporation. The disciplines of human factors engineering, architectural engineering, mechanical engineering, and nuclear operations were represented on the team. Attachment C provides Itsts of attendees at the entrance and exit meetings.
This report documents the findings of the in-progress audit and review of the Summary Report. It was compiled and integrated by SAIC with input from Comex Corporation and the NRC staff.
The report represents the consolidated observations, conclusions, and recommendations of the audit team.
BACKGROUND Item I.D.1, " Control Room Design Reviews," of Task I.D., " Control Room Design," of the Nuclear Regulatory Commission Action Plan NUREG-0660 (Reference 4), developed as a result of the TMI-2 accident, states that r --
operating licensees and applicants for operating licenses will be required to perform a Detailed Control Room Design Review to identify and correct design discrepancies. The objective, as stated in NUREG-0660, is to improve the ability of nuclear power plant control room operators to prevent or cope with accidents, if they occur, by improving the information provided to them. The requirements of Supplement I to NUREG-0737 (Reference 5) indicate the need to include a number of elements in the DCRDR. They are:
1.
Establishment of a qualified multidisciplinary review team.
2.
Function and task analyses to identify control room operator tasks and information and control requirements during emergency opera-tions.
3.
A comparison of. display and control requirements with a control room inventory.
4.
A control room survey to identify deviations from accepted human factors principles.
2
s 5.
Assessment of human engineering discrepancies (HEDs) to determine which are significant and should be corrected.
6.
Selection of design improvements.
7.
Verification that selected design improvements will provide the necessary correction.
8.
Verification that improvements will not introduce new HEDs.
9.
Coordination of control room improvements with changes from other programs such as the safety parameter display system (SPDS),
operator training, Reg. Guide 1.97 instrumentation, and upgraded emergency operating procedures (EOPs).
Licensees are expected to complete Element 1 during the DCRDR's planning phase, Elements 2 through 4 during the DCRDR's review phase, and Elements.5 through 8 during the DCRDR's assessment and implementation phase.
Completion of Element 9 is expected to cut across the planning, review, and assessment and implementation phases.
A Summary Report is to be submitted at the end of the DCF.DR.
As a minimum it shall:
1.
Outline proposed control room changes 2.
Outline proposed schedules for implementation 3.
Provide summary justification for HEDs with safety significance to be left uncorrected or partially corrected.
The NRC staff evaluates the organization, process, and results of the DCRDR.
Results of the evaluation are documented in a Safety Evaluation Report (SER) published within two months after receipt of the Summary Report.
NUREG-0700 (Reference 6) describes four phases of the DCRDR and provides applicants and licensees with guidelines for its conduct. The phases are:
1 3
O
\\
5 1.
Planning 2.
Review 3.
Assessment and implementation 4.
Reporting.
NUREG-0800 (Reference 7) describes " Evaluation Criteria for Detailed Control Room Design Review."
Criteria for evaluating each phase are contained in Section 18.1, Rev. O of the Standard Review Plan.
DISCUSSION Planning Phase A DCRDR is to be conducted according to the licensee's own Program Plan (which must be submitted to the NRC). The DCRDR Program Plan for Diablo Canyon Power Plant was submitted to the NRC on August 2,1983 (Reference 1).
r~
The Nuclear Regulatory Commission forwarded staff comments on that plan to PG&E in November 1983 (Reference 2).
Even though the NRC concluded that the Program Plan was well structured and addressed all major points stated in NUREG-0737 Supplement 1,
the staff had some concerns, e.g.,
(1) no methodology for conducting a control room inventory; (2) inadequate HED assessment methodology which used degree of difficulty of implementation as criterion; and (3) selection of design improvements had inadequate completion date scheduling criteria.
As a result of reviewing the Summary Report and conducting the in-progress audit, the NRC staff and its contractor SAIC came to the conclusion that some of the concerns with the Program Plan were justified.
Additional problems came to light during the audit. These will be addressed as a part of the nine DCRDR elements which follow.
Element 1 Establishment of a qualified multidisciplinary review team PG&E provided DCRDR team member resumes both in the summary report and during the audit.
Based upon that information it was evident that a qualified multidisciplinary team was established to conduct the DCRDR.
An orientation p.ogram was provided by the human factors specialist to educate the core team members in the objectives of a human factors review. The l
4 m
r
DCRDR project manager has the necessary authority to request supplemental expertise. The audit team was told that DCPP management has committed the needed resources and freedom of access to conduct the review.
Although the DCPP team was competent to perfbrm the DCRDR, the audit team was concerned that a human factors specialist was not involved in all key areas of the design review. Specifically, the human factors specialist was not involved in the function and task analysis, integration of the Emergency Operating Procedures (EOPs) with the control room review, or the coordination of the SPDS with the DCRDR.
Provision of information clari-fying all team members' roles in accomplishing each DCRDR element could alleviate this concern.
A second concern of the audit team is that although PG&E management appears committed to the DCRDR, it was not evident from documentation that a management review team participated in review of Human Engineering Discrep-ancies (HEDs) and approval of proposed solutions to HEDs. The audit team r-recommends that PG&E develop procedures to provide for management review and approval and that the process be documented. This recommendation is made to assure management participation and support through review of findings up to the correction of those findings.
In conclusion, the audit team found that a qualified multidisciplinary team was assembled. However, provision of documentation addressing the level of involvement of each team member and PG&E management in the DCRDR is necessary for NRC staff to fully evaluate this requirement.
Element 2 Function and task analysis to identify control room operator tasks and information control requirements during emergency operations.
This requirement as stated in Supplement 1 to NUREG-0737 calls for "...
the use of function and task analysis (that had been used as the basis for developing emergency operating procedure technical guidelines and plant-specific emergency operating procedures (EOPs) to identify control room operator tasks and information and control requirements during emergency operations" (Reference 5). An adequate task analysis should identify all l
tasks involved in the plant-specific upgraded E0Ps and all the information i
5 l
l i
and control capabilities necessary to perform those tasks.
It should also identify the suitable characteristics of displays and controls that will support tasks specified in the E0Ps.
The discussion of the function and task analysis which was included in the DCPP Summary Report had insufficient detail to permit an adequate evaluation. Consequently, the NRC audit devoted considerable effort to urderstanding the process used by DCPP to conduct this critical element of the DCRDR.
The E0Ps completed to date had been derived from Revision 1 of tne Westinghouse Owner's Group (WOG) Emergency Procedure Guidelines (EPGs).
The licensee has committed to having all E0Ps completed by March,1985.
During the audit, DCPP provided documentation to show " step deviations" from the generic EPGs as well as " background information." The step devia-tions were generated to document all plant-specific deviations (and their justification) from the generic EPG task step. The " background information" comprises calculations for plant-specific information needs such as set-paints for operator actions.
For example, the magnitude of a setpoint was conservatively modified for (a) instrument errors and (b) human reading errors to arrive at a setpoint usable by operators in the control room. The ECPs were then walked through in both the control room and the simulator to observe operators' capability to perform the E0Ps.
Human factors deviations were identified accordingly.
During the walk-throughs, the E0P writers verified that E0Ps could be carried out; sections of the E0Ps were modified to facilitate the sequence of ttsk steps, to minimize operator movement, and to save execution time.
l This procedure was carried out several times resulting in several rewrites of the E0Ps based on the walk-throughs. The walk-throughs were conducted by the E0P writers without the participation of the human factors specialist, thereby precluding any potentially valuable contributions from this expertise in this phase. Also omitted from the walk-throughs and validation of the E0Ps was the writing of HEDs.
Only after the completion of the iterative process described above were the E0Ps delivered to the DCRDR team. The DCRDR team then performed an 6
l w
i e
operability analysis of the plant-specific E0Ps to check the operator-machine interface. This was carried out by walk-throughs of the E0Ps in the control room and simulator.
Appendix C of the DCPP Summary Report includes sample documentation from the DCRDR operability analysis. These pre-fill sheets had no provision for noting the human factors characteristics of the needed instruments and controls which are expected to be developed prior to and independent of the control room walk-through. In fact, there is no provision for recording human factors characteristics while reviewing the control room.
In conclusion, the NRC audit team finds that the DCPP function and task analysis only partially meets the intent of the requirement. Adequate areas are the background information and step deviation processes for converting generic ERGS to plant-specific E0Ps and the E0P validation processes.
Areas in which the processes and results were found inadequate or incomplete are:
a.
The exclusion of the human factors specialist during development of the E0Ps (particularly during the process to optimize task sequence).
b.
The conversion of Revision 1 of the EPGs to E0Ps (EOPs have not received a full task analysis).
c.
The identification of required human factors characteristics of the instruments and controls; these should be determined independ-ently of the control room.
d.
Validation of all E0Ps to assure tasks can be conducted smoothly with the existing control room and panel layout, and with the existing control / display configuration.
All of these efforts should have the full participation of the human factors expert.
7 m-
s e
Element 3 Comparison of display and control requirements with a control room inventory.
According to the NRC requirement stated in NUREG-0737 Supplement 1, the DCRDR should include: "(iii) a comparison of the display and control requirements with a control room inventory to identify missing controls and displays" (r ference 5). The necessary input for the requirement is the e
product frons the task analysis -- the needed instruments and controls and their characteristics, and the control room inventory.
The intent of this requirement is to identify any missing controls and displays, and those that are unsuitable for the operator task needs.
Only when a satisfactory task analysis is completed can the Instrumentation and Control (I&C) requirements be compared with a control room inventory and thereby satisfy the requirement.
Note that the purpose of the control room inventory is to provide a data base of the characteristics of existing instruments and controls which will allow a meaningful comparison with the needed informa-r --
tion and control capabilities. Accordingly, a written data base can con-ceivably be substituted by the actual control room instrumentation and controls to serve as the inventory.
Documentation was not generated during the task analysis to identify all human factors characteristics of information and controls needed in order to afford a direct comparison with existing characteristics of con-trols and displays. The audit team concludes that this requirement has not been satisfied.
The DCRDR team should conduct a task analysis to determine the needed instruments and controls and their characteristics on a piant-specific level. The results of the analysis should be compared with the existing control and display capabilities presently available to the opera-tor to determine both the availability and suitability of the instruments and controls to meet operator task needs. The inventory should include information displayed to the operator on the plant computer /SPDS as well as all other sources of information and control.
Element 4 A control room survey to identify deviations from accepted human factors principles.
This requirement as contained in Supplement I to NUREG-0737 calls for the conduct of a control room survey to identify deviations from accepted 8
9 9
,----..,.n.-
o human factors principles. The NRC staff consider the control room survey to consist of a systematic comparison of control room design features with human engineering guidelines. Although the NRC staff has presented guidance contained in Section 6 of NUREG-0700 for this activity, other comparable references will be acceptable.
DCPP has conducted some of the survey activity; however, much of the effort is still in progress.
The surveys were conducted by using a check-listing technique (the individuals performing the survey had been trained by the HFS to identify HEDs), operator interviews, and an independent survey of the control room by the human factors specialists.
Control room features were evaluated against criteria in the NUTAC survey checklist.
HEDs were recorded on forms that contained the item / location (s), the checklist code (s), and discrepancy description.
HED forms also contained a prelimi-4 nary prioritization with the significance estimate, backfit feasibility, and preliminary recommendations.
Photo documentation for HEDs was also r --
generated.
The audit team found that HEDs were identified in many areas; however, most are of a generic nature and will require further surveys to identify the extent of the HED.
For example, an HED concerning the absence of direct feedback indication while using process controllers is one finding that will
~
be investigated on a case-by-case basis. Also, some HEDs will require mea-surements and specific documentation to determine the degree to which the HED departs from the guideline.
The DCRDR team acknowledged that further studies were required to gather more precise data regarding several control room features.
They are committed to conducting quantitative studies for the auditory environment; lighting in the control room (normal and emer-gency), and heating, ventilation, air-conditioning (HVAC). The guidelines contained;in Section 6. NUREG-0700, will be used for these surveys which are still in progress.
DCPP indicated that expertise outside of the core team is needed to complete some of the surveys; for example, they will employ a lighting expert to conduct the lighting survey.
Other control room surveys that were in progress are the control room environment, emergency equipment.
l he annunciator system, and communications.
It also appeared that the remote shutdown panels had not been fully surveyed. The core team should j
ensure that these future activites incorporate the needed expertise as well as that of the human factors specialist.
9 1
w,,..
,,nn,
,c,,,
The audit team reviewed available checklists, operator interview results, and HED records to determine the thoroughness of the survey effort completed so far. Visits to the control room were made to conduct a mini-survey, to walk through an event scenario, and to evaluate display formats on two video monitors. As a result of these visits, the audit team compiled the following observations and concerns.
(NOTE:
These findings do not necessarily indicate that the DCRDR team has not also identified them; HED records were often written in a generic fashion such that documentation of detailed HEDs could not always be found.)
1.
The following results from operator interviews were noted by the audit team as important and should be addressed by DCPP:
Phone handsets can be inadvertently knocked out of their cradles on the main control boards.
7 ~
Extension phones are hard to locate.
P250 failure indication caused excessive delay in operations due to the lengthy task of a directing a dispatcher to verify indications at local stations in the plant.
Phases A and B Containment Isolation Actuators are similar in shape and may be inadvertently substituted during operations.
2.
Concerns resulting from a minisurvey based on criteria in NUREG-0700:
Air packs were not stored in the control room with other emergency equipment.
Excessive traffic in the control room Simple indicator lights located at the top of vertical board 1 labeled " Power Available" are single indications.
If extinguished, the light either means " Power Not Available" or that the bulb is burned out. Equipment status is inferred by the absence of illumination.
10
9 Meter for the synchronizing bus has the range of 0-150 AC volts; however, the existing meter range does not reflect the j
actual operating band of 0-15000. (i.e., the operator is required to mentally convert reading to a directly useful value). Also, the vital buses are 4 kv which have units of measurement that are inconsistent with other buses.
Meter for the synchronizing bus has the range of 0-150 AC volts; however, the existing meter range does not reflect the actual operating band of 0-15000 (i.e., the operator is required to mentally convert reading to a directly useful value). Also, the vital buses are 4 kv which have units of measurement that are inconsistent with other buses.
1 Toggle switches on vertical board 2 for Safety Injection Recirculation Pumps, RHR to CL 1 and 2 RH'R PP SUCT from
+
NTMT are not grouped with the related pump controls, violat-ing principles of operational sequence layout.
Also, an operator expressed a need to have them arranged according to alternative trains ( A,B) rather than grouping controls for train A together followed by train B.
Switch positions for these same toggle switches are the reverse of expected population stereotypes; the closed posi-tion is on the top and the open position is on the bottom.
Because these controls are for circuit breakers to power corresponding pumps, this may conform to operator expecta-tions, however. In that light, the top / closed position is activating power to the pump and does meet operator expec-tations in some plants. This remains to be determined for DCPP.
There is no auditory alarm-silence with alarm-save capability; however, the DCRDR team indicated that they are considering installation of this capability.
I There is no push-to-test on safety feature legend lights, indicator lights on breakers, valves, etc.; however, DCPP has i
11 l
}
a procedure in place to instruct operators to verify bulbs are not burned out during regular panel walk-downs. This procedure also cautions operators against erroneously replac-ing the wrong legend cap lens over the wrong light when replacing a failed lamp.
Meters on vertical board 2; HCV-105,104, LCV-112A, PCV-1308, PCV-135, HCV-123, 133 have no units on scale.
Meters for Boric Acid Tank Level are arranged as follows (from left to right): TK 2 LVL, TK 1 LVL, TK 2 Temp TK 1 Temp. The present sequence violates operator expectations.
3.
The following concerns resulted from an evaluation of the display fonnats on the two video monitors shared by the SPDS:
r --
Displays for the heatup and cooldown curves could be substituted particularly if viewed from a distance. This is due to the high similarity of the displays and the poor readability of the display label.
The display of the cooldown curve does not contain the operating limitation box.
The curves for heatup and cooldown omit the 1600 PSI differ-ential pressure limitation between primary and the steam generator.
The cold leg temperature indication was observed on Unit 1 (which was operating) to be slightly outside of the operating limits. The indication reflected a display error rather than the operating condition.
Displays for the thermocouple map were not oriented with respect to the location of the coolant loops. North was to the left. The addition of loop orientation and neutron level detector orientation would improve this display as an operator aid.
Highlighting the hottest thermocouple (by 12
demarcation or some other means) would serve as an aid to operators during an emergency.
The radiation monitor display reference to the " Steam Jet Air Ejector" is inconsistent with the terms used on the radiation monitor panel which refers to the same parameter as
" Condenser Air Ejector."
Displays have a brightness problem which is especially noticeable with the use of the color blue.
One indication exhibited color echo where mixed colors were used on a single bar chart.
DCPP should develop a follow-on schedule to indicate all survey activities that are in progress, the specific studies that are part of those r~
activities, and when they will be completed. The licensee could provide this needed information in a supplement to the Summary Report. The require-ment is open until such time as the information is provided and a valid assessment of PG&Es completed efforts can be conducted.
Element 5 Assessment of HEDs to determine which are significant and should be corrected.
Supplement I to NUREG-0737 requires that HEDs be assessed for significance.
In that assessment, the potential for operator error and the consequences of that error in terms of plant safety should be systematically considered. Both the individual and aggregate effects of HEDs should be considered. One of the results of the assessment process is a determination of which HEDs should be corrected because of their potential effect on plant safety.
Considerations associated with the resources, cost and other fac-tors impacting the selection of the design improvement are to be addressed during the process of selecting a correction rather than during the assess-ment of the HED for significance on plant safety.
The DCPP assessment process began with a preliminary assessment by the team member who identified the HED. The preliminary assessment was based on 13
I two characteristics:
significance and backfit feasibility. These two characteristics were rated along a scale of "high, medium /high, medium, medium / low, or low."
DCPP assessed significance based on factors such as safety-related implications or consequences of the HED, probability of operational errors, instances of actual errors attributed to the HED, and the potential for interrupting plant availability. After assessing signifi-cance, DCPP assessed the backfit feasibility along a similar scale. The DCPP team periodically met to discuss HEDs' significance and the preliminary assessments. They indicated that HED significance was a separate issue from backfit feasibility; however, they considered both in the assessment.
All team members participated in the assessment, with the team leader making the final assessment.
The audit team reviewed HED records including those that had been assessed by this process. The audit team observed that a large majority of HEDs were assessed but noted that further investigation was required before final assessment could be made.
The audit team held discussions with the DCPP team regarding the criteria used to assess the HEDs. In the auditors' judgment, the process used was unsatisfactory because it did not screen out HEDs that were of safety significance. The assessment also needs to identify HEDs of high priority in order that they are appropriately scheduled for correction. The DCPP team leader acknowledged the need to identify and document those HEDs of high safety significance. Also, the audit team expressed concern that due to the way many HEDs were written (e.g., some HEDs had to be studied further on a component-by-component basis), the assessment may not accu-rately reflect the full extent of the problem.
The audit team discussed a list of specific HEDs that were provided in the Summar'y Report. Although HEDs have undergone a preliminary assessment, it was concluded that many HEDs required further assessment to identify and document the safety significance of all HEDs. This requirement is open until HED assessment is completed and documented and the results of the assessment are reported to the NRC in a supplement to the Summary Report.
l I
l 14 I
I i
f l
i M
2 Element 6 Selection of design improvements DCPP's process to select design improvements began in part during the assessment of the HED. After estimating the significcnce of HEDs, the DCPP team estimated the "backfit feasibility." Backfit feasibility was rated on a five-point scale:
Easy, Easy / Moderate, Moderate, Moderate / Difficult, and Dif ficul t.
During the audit, the DCPP team clarified the use of this esti-mate as helping them gain a perspective on the feasibility of alternative solutions proposed.
The DCPP Summary Report contains some descriptions of proposed design improvements and reports on various alternatives being studied.
- However, because many studies and investigations had not yet been completed, this element of the DCRDR was still underway.
The audit team did note that considerable effort has'been made in r~
selecting design improvements.
During the audit, DCPP presented modifica-tions to a vertical panel that were developed on a half-scale mock-up with translucent overlays to allow experimentation with different design solu-tions. Plant operators and their management were asked for feedback and input to develop modifications using the mockup as a redesign tool. Follow-ing completion of the proposed design modifications, they are implemented on the plant training simulator to allow operators to receive special training on forthcoming panels.
The audit team observed that this process had been completed for label enhancements on one vertical panel and that operators were currently training with the enhancements in place.
The audit team found that DCPP has demonstrated an understanding of the requirement, and the selection of design improvements is underway.
It is recommended, however, that DCPP document the procedure or flowpath which describes how design improvements will be developed up through implementa-tion. This information should be provided in the supplement to the Summary Report.
4
- l 15 e
-,v-,-
,,m,
t Elements 7 and 8 Verification that selected improvements will provide the necessary correction, and verification that improvements will not introduce new HEDs.
DCPP's Summary Report contains a description of the process to verify that selected design improvements correct HEDs without creating new HEDs.
DCPP states on page IV-3 that "... to e.nsure that enhancements actually address issues identified in the HEDs, a rigorous technical approach was-devi sed."
The process described includes the following techniques.
DCPP will document conventions to provide a standardized approach for present and future control room enhancements.
With drawings prepared for enhancements, a half-scale mockup of the panels is used to superimpose the solution on panel photographs for plant operators and their management to review. Modifications are verified by evaluating against human factors guidelines, by soliciting operator feedback, by walking through selected emergency procedures, and from review by the engineering department.
Im pl e-r --
mentation of the recommendations on the site simulator and additional walk-throughs in a dynamic mode will serve as further verification that the design improvement will correct the HED without creating new HEDs.
In addition to these verification techniques, DCPP will review procedures that may need to be changed as a result of the control board changes.
Operators receive special training specifically directed at pointing out forthcoming modifications.
At the time of the NRC audit. DCPP had begun the verification process up to the point of implementing enhancements on a vertical panel of the s i mul ator.
The audit team was impressed with the proposed enhancement.
DCPP informed the audit team that a formal design change procedure existed which they intend to use.
The PG&E procedure will have a step in it for human factors approval. This procedure as it impacts the DCRDR should be described in a supplement to the Summary Report.
l The audit team concludes that the process necessary to meet this requirement of Supplement 1 to NUREG-0737 is in place and should satisfy the t
requirement.
Design improvements are selected and verified through an iterative process that should result in consistent control room changes.
The requirement, however, is open until the process is completed.
16
s 9
Element 9 Coordination of control room improvements with changes resulting from other programs such as the SPDS, operator training, Reg.
Guide 1.97 instrumentation, and upgraded E0Ps.
The coordination of the DCRDR with other programs was mentioned in both the Summary Report and during the NRC audit. The efforts to upgrade the E0Ps based on the WOG ERGS were well underway. Although the E0P writers had validated the E0Ps on the DCPP control room simulator and developed them from a WOG generic function and task analysis, the procedures were completed without the benefit of the DCRDR team human factors members' review.
The audit team believes this needed integration was not accomplished particu-larly for the identification of needed instrumentation and control charac-teristics. The integration of such a product from the task analysis with the E0P development would have helped to assure that the control room inven-tory was complete and would support emergency operations.
~ ~
Reg. Guide 1.97 instrumentation was installed in the control room prior to DCRDR activities.
Dr.PP is now reviewing installed instruments with an eye for human factors concerns. The audit team observed that this is a major area for concern because much of the instrumentation appears on back panels, e.g., Reactor Vessel Level, Radiation Monitoring indications.
With this existing situation, the plant display monitors are being considered for use to pro ~ vide these needed indications during an emergency. The audit team found that quite a bit of effort had been devoted to the addition of the SPDS to the control room. However, the SPDS is lagging behind the DCRDR and the development of the E0Ps.
Coordination of these programs remains to be accompl i shed.
Training of operators on changes to the control room and on the SPDS appeared to be underway at the time of the audit.
In conclusion, the audit revealed that DCPP has paid some attention to the needed coordination between all programs; however, it is recommended that DCPP formalize the process and provide a procedure and milestone chart for the completion of the DCRDR phases and related programs.
17
--n.-
~
CONCLUSIONS A Summary Report for DCPP DCRDR has been submitted for evaluation to the NRC. An in-progress audit of the DCRDR activities to date was conducted to gather more information from 'which to base a valid assessment of all DCRDR elements 'and the satisfaction of the DCRDR requirements of Supplement 1 to NUREG-0737.
The NRC audit team found the DCPP DCRDR team cooperative and helpful in providing for a productive audit; however, the DCRDR activities were incom-plete and much of the needed documentation was therefore absent. Conse-quently, some of the issues and questions resulting from review of the Summary Report and listed in the audit agenda could not be answered. The audit team did, however, make some observations and draw conclusions. As a result of these observations, the NRC recommends that a meeting take place to discuss any new developments in how DCPP plans to modify their DCRDR methodology so that their effort can lead to a successful DCRDR.
(See attached agenda pp. 20 and 21.) At the time of the meeting DCPP should also be prepared to. discuss a schedule for submitting a Supplement to the Summary Report and for the completion of the open items listed below to be closed out for all DCRDR activities and the requirements of Supplement 1 to NUREG-0737.
The conclusions are:
1.
The members of the DCPP DCRDR team have the necessary qualifica-tions and multidisciplinary structure to conduct the DCRDR.
Pro-vision of information addressing the level of involvement of each team member in all DCRDR tasks is needed for NRC staff to draw final conclusions. Also, involvement of PG&E management in HED review and approval should be described and documented for NRC review.
2.
The function and task analysis was incomplete and unavailable for audit.
It is not evident that a product was generated by identifying needed instrumentation and control characteristics associated with operator tasks.
Additional documentation in this area is needed to complete the inventory comparison (item 3 18
below).
All the Revision 1 EPGs should be written as E0Ps and analyzed with the appropriate method using the HF specialist.
3.
Documentation of the comparison between instrument and control needs and those that exist in the control room was not complete at the time of the audit. DCPP should report their intentions for future efforts to meet this requirement in the supplement to the Summary Report.
4.
The control room survey was underway at the time of the audit.
The survey effort to date has resulted in approximately 600 HEDs, some of which are still being investigated.
Follow-on activities in this area should be reported in the supplement to the Summary Report.
5.
Assessment of HEDs had proceeded through a preliminary assessment phase, however, the prioritization of HEDs based on safety signif-icance to determine which should be corrected was incomplete.
6.
Selection of design improvements had not progressed far enough at the time of the audit to satisfy the requirement. The audit team recommended that DCPP enhance their process for this phase by developing a formal written procedure that will guide the HED through selection of design improvement through verification to i m pl em enta ti o n.
The procedure should be provided in the supplementary report.
7.
A process to verify that design improvements will correct HEDs without creating new ones was developed and will satisfy the
.. requirement.
As mentioned above, however, this process should be
' formalized in a procedure for NRC review in the supplement to the Summary Report.
8.
Coordination of the DCRDR with other programs was partly evident during the audit. The Summary Report described some integration, but the team concludes that future efferts will have to be under-taken. The team concludes that further integration of the E0Ps and the DCRDR is required as the introduction of the DCRDR with 19 G
W
_y,,_,_
l the already-developed E0Ps came late. The integration of Reg.
Guide 1.97 instrumentation with the control room is underway. The coordination of the SPDS with the DCRDR is lagging behind the development of the E0Ps.and control room changes. Training of operators on control room changes and on the use of the SPDS was incomplete at the time of the audit, but DCPP is aware of the need to do so.
Consideration is being given to use of the displays shared by the SPDS to compensate for needed instrumentation that exists on back panels out of the primary control room area. This requirement is open until activities relative to the DCRDR are completed; a procedure and schedule reflecting overlap of all programs and projected completion dates are advisable for proper coordination functions.
SUGGESTED AGENDA FOR DIABLO CANYON DCRDR MEETING 1.
Structure and Participation of the DCRDR team A.
Increased participation of human factors consultants B.
Provision for documenting levels of effort or task assignments C.
Increased involvement of PG&E management in HED review and approval process.
2.
Function and Task Analysis A.
Changes to methodology in order to provide a listing of needed instrument and control characteristics associated with operator tasks.
B.
Change in process to include human factors specialists in task optimization of E0Ps.
C.
Completion of all tasks associated with Revision 1 or the EPGs.
20
-.w
l 3.
Comparison of Display and Control Requirements with a Control Room Inventory A.
Change in methodology to use identified inventory and the product from SFTA B.
Method for documentation.
1 4.
Control Room Survey A.
Discuss current status and plans for completion of studies / surveys.
B.
Discuss methods for documenting specific HEDs which are part of a larger generic group.
5.
Assessment of HEDs Change of process to screen safety significant HEDs 6.
Selection of Design Improvements Development of a procedure to guide HED correction from design improvement through to implementation, including the participation of the human factors specialists in all phases.
- 7. and 8.
Verification and Validation Discuss a formalized procedure for this activity, and include the participation of the human factors specialists.
9.
Coordination of DCRDR with other programs A.
Discuss a formalized process B.
Provide a procedure with a milestone chart to illustrate product completion, integrator, and iteration with other programs.
i 21
REFERENCES l'. " Program Plan for Implementation of Control Room Design Review, Diablo Canyon Power Plant Units 1 and 2," Pacific Gas & Electric Company, August 2, 1983.
2.
NRC Response:
Transmitted by letter to PG&E from DOL, November 1984,
" Nuclear Regulatory Commission Staff Comments on the Pacific Gas &
Electric Diablo Canyon Units 1 and 2 Detailed Control Room Design Review Program Plan," Division of Human Factors Safety, NRR, NRC, November 10, 1983.
3.
" Summary Report for Unit I and 2 Control Rooms," Pacific Gas and Electric Company, December 1984.
4.
NUREG-0660, "NRC Action Plan Developed as a Result of the TMI-2 Accident," May 1980; Revision 1, August 1980.
~ ~~
5.
NUREG-0737, Supplement 1. " Clarification of TMI Action Plan Require-ments - Requirements for Emergency Response Capability (Generic Letter No. 82-33) " December 17, 1982.
6.
NUREG-0700, " Guidelines for Control Room Design Review " September 1981.
7.
NUREG-0800 " Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants," Section 18.1, Rev. O, " Control Room," and Appendix A to SRP Section 18.1, " Evaluation Criteria for Detailed Control Room Design Reviews (DCRDR)," September 1984.
8.
NRC Memo, " Meeting Summary - Task Analysis Requirements of Supplement 1 to NUREG-0737, Westinghouse Owners Group," from H. Clayton to D.
Ziemman, April 5, 1984.
i i
l 22
0 9
b S
Attachreent A e
23
O o
TENTATIVE AGENDA Diablo Canyon Detailed Control Room Design Review Pre-Implementation Audit
" Monday, January 28, 1985 A.M.
Planning and Preparation - Establish office and meeting locations, clear security and obtain camera passes; informal entry briefing and introductions; short visit to control room or mock-up with general systems briefing.
NRC audit team will review elements of the DCRDR through di.scus-sions with PG&E DCRDR team members and audit of documentation.
r~
PG&E should be prepared to discuss the items under each and the following elements.
A.M.
1.
Qualifications and Structure of the DCRDR team.
A.
Extent of participation of the human factors consultants B.
Identity and resume for reactor operator and nuclear engineer DCRDR team members C.
Provide list of task assignments to individual team members A.M.
2.
Function and Task Analysis and P.M.
A.
Process and auditable record using ERGS and background documentation to identify the human factors characteris-tics of needed instrumentation and controls B.
Demonstration of the procedure used to fill out the task analysis worksheet and the instrument suitability review worksheet.
24
,r-
,,---v
,,n-,-,- -, - -
,.--,v--
..-.---m---
,,-,_--,mn-
C.
Discuss the operability analysis used to evaluate the dynamics of the man-machine interface.
D.
Scope of walkthroughs and E0Ps involved.
E.
Discuss procedure to determine that no needed controls and displays are missing.
TUESDAY A.M.
F.
Walkthrough small bresk LOCA procedures from SFTA viewpoint at mockup with operator.
3.
The Control Room Inventory A.
Discuss the process used to compare a control room inventory with needed controls and displays.
~~
P.M.
4.
The Control Room Survey A.
Discuss the differences between the NUTAC checklists and Section 6 of NUREG-0700. (Provide checklists as used for survey activity.)
s B.
Discuss the acceptance criteria for evaluating the noise, lighting and other environmental features.
C.
NRC team audit of selected panels using NUREG-D700, Section 6 (mockup of control room).
WED. A.M. 5.
Assessment of HEDs A.
What is the usefulness of assessing backfit feasibility l
while determining the HED impact on plant safety?
B.
Describe how HEDs are rated along a five-point scale for signi ficance.
C.
Discuss how the cumulative and interactive effects of HEDs were considered.
t i
l 25
,,----,_p_._,.,,,.e.,,
D.
Specific list of HEDs will be provided to PG&E.
PG&E shall discuss assessment of these HEDs and the proposed design solutions.
WED. A.M. 6.
Selection of Design Improvements and P.M.
A.
This is still an open item because proposed design solutions are incomplete and no implementation dates have been submitted.
B.
Description of procedure to arrive at corrective action selected.
C.
Provide complete list of proposed solution and corres-ponding implementation date.
7.
Verification that selected design improvements will provide necessary correction and can be introduced into the control room without creating additional HEDs.
A.
Item is open because activity not completed.
THURSDAY 8.
Coordination of DCRDR With Other Programs A.M.
A.
Procedure to integrate the DCRDR with Regulatory Guide 1.97 instrumentation, the SPDS.
9.
Other Concerns A.
Provide summary justifications for any safety-related HEDs that are to be left uncorrected or partially corrected.
FRIDAY 10.
Audit Team Meeting and Exit Briefing P.M.
26
NRC Attendees:
Neil Thompson Leo Beltracchi SAIC Attendees:
Carol Kain John Stokley
.Comex Attendee:
Mark Good l
27
. EL 9
0 a
Attachment B r
I i
l i
28
'O A
Entrance Meeting Attendance John Stokley SAIC/NRC Carol Kain SAIC/NRC Joseph L. Seminara Lockheed/ Human Factors Mark Good COMEX/NRC F. Joseph Cucco Jr.
PG4E - M&NE (Review Team Member)
Bruce M. Grosse PG&E - EE (Review Team Member)
John J. Vranica PG&E - NPO W. Neil Thompson NRC/DHFS (Team Leader Audit)
Leo Beltracchi NRC/DHFS/HFEB Wayne Gonzalez Lockheed O
S i
{
l I
29
,-y-.--.-3.----,.,,f.
,, _,, - -. = - - -, - - - - - - - - -,,. -
y.,,----r..--
Exit Meeting Attendance John Stokley SAIC/NRC Carol Kain SAIC/NRC Bryant Giffin NP0/PG&E Peter E. Beckham NP0/PG&E Joseph L. Seminara Lockheed/ Human Factors Mark Good COMEX/NRC F. Joseph Cucco, Jr.
PG&E - M&NE (Review Team Member)
Bruce M. Grosse PG&E - EE (Review Team Member)
John J. yranica PG&E - NPO W. Neil Thompson NRC/DHFS (Team Leader Audit)
Leo Beltracchi NRC/DHFS/HFEB Bob Thornberry PG&E/ Plant Manager John Fuhriman' NPO QC W. H. Hadley, Jr.
PG&E, Elec. Eng., Project W. T. Rapp PG&E, Chairman Onsite Review Group David A. Taggart PG&E Acting Director. Quality Support; QA Bob Patterson Plant Superintendent Jim Shiffer PG&E Vice President /NPG Roger Jett Simulator Supervisor Roger Johnson DC Project Licensing Bill Crockett DC 30
o o
Attachment C r --
l 31
=
- =~--
""'""'w--
r-
A REVIEW 0F THE SAFETY PARAMETER DISPLAY *Y5 TEM FOR THE DIABLO CANYON POWER PLANT This report documents the findings from a review of the Safety Parameter Display System (SPDS) for Diablo Canyon Power Plant (DCPP).
Findings were gathered during a pre-implementation audit of the Detailed Control Room Design Review at DCPP which was conducted during the week of February 11-15, 1985. The audit team was comprised of two NRC staff from the Human Factors Engineering Branch, two consultants from Science Applications International Corporation, and one consultant from Comex Corporation. The purpose of the on-site audit of the SPDS was to address concerns that resulted from an NRC staff review of the DCPP Safety Analysis Report and to permit visual evaluation of the SPDS as installed. The on-site review encompassed the display formats only.
As a result of the on-site review, the staff concerns as documented in the NRC's Safety Evaluation Report regarding potential human engineering discrepancies were resolved.
However, the on-site visit did result. in i
additional observations regarding the human factors design of the SPDS.
Those observations are:
Display formats are largely well human factored with some excep-tions.
The number and appropriateness of the indications available on the SPDS appeared excellent.
. Thin lines used in symbols as perceptual aids were difficult to distinguish.
This was compounded by the use of red symbols on a black backgroun'd which hampered contrast and readability.
Numbers that appeared at the top of the Critical Safety Displays to indicate the Safety Function were difficult to distinguish due to thin stroke width and low discriminability of minor color changes.
Highlighting the number with bands of color is one potential means to improve discriminability.
32
---,_.----,.._---.n,,..n-,---.
-n.-----
b.
e*
b The conteim nt p.'anure indication on the Unit 1 SPDS (which was operating) contained a red bar to convey an abnormal condition.
In reality, the pressure was normal and the display was inaccu-rate.
The plant vent monitor read in pc/cc on the SPDS and in CPM on the back panel indication in the control room. "The EARS system had yet another unit of measurement:
uc/sec.
This inconsistency could result in failure to communicate proper units during an emergency operation.
Overall, there appears to be a need to consider human factors principles to provide consistency between the proposed hierarchical labeling for control panels and the labeling on the SPDS.
This consistency should also extend to the emergency operating procedures.
Tic marks along bar charts were not always identified with a numerical value. Lower tic marks were sometimes a zero value and at other times a negative value with zero appearing further ~up scale.
This could be confusing and result in erroneous readings.
33 r
.