ML20215M868

Nonproprietary RESAR-SP/90 Westinghouse Advanced PWR Std Plant Design Module 15, Control/Human Factors Engineering
ML20215M868
Person / Time
Site: 05000601
Issue date: 10/31/1986
From:
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:
Shared Package
ML19292G169 List:
References
NUDOCS 8611030385
Download: ML20215M868 (127)


Text

RESAR-SP/90 CONTROL ROOM / HUMAN FACTORS ENGINEERING

WESTINGHOUSE ADVANCED PRESSURIZED WATER REACTOR

APWR

STANDARD PLANT DESIGN

WESTINGHOUSE CLASS 3

WAPWR-CR/HFE i OCTOBER 1986 5517e:1d

TABLE OF CONTENTS

Reference SAR Section, Section Title (Status)

1.0 INTRODUCTION AND GENERAL DESCRIPTION OF PLANT (II)
1.1 INTRODUCTION (II)
1.2 GENERAL PLANT DESCRIPTION (II)
1.2.2 Principal Design Criteria (II)
1.6 MATERIAL INCORPORATED BY REFERENCE (II)
1.8 CONFORMANCE WITH THE STANDARD REVIEW PLAN (II)
2.0 SITE CHARACTERISTICS (NA)
3.0 DESIGN OF STRUCTURES, COMPONENTS, EQUIPMENT AND SYSTEMS (NA)
4.0 REACTOR (NA)
5.0 REACTOR COOLANT SYSTEM AND CONNECTED SYSTEMS (NA)
6.0 ENGINEERED SAFETY FEATURES (NA)
7.0 INSTRUMENTATION AND CONTROLS (II)
7.1 INTRODUCTION (II)
7.8 CONTROL ROOM (I)
7.8.1 Control Room Layout (I)
7.8.2 Main Control Board (I)
7.8.2.1 Main Control Board Layout (I)
7.8.2.2 Main Control Board Interfaces to the I&C System (I)
7.8.2.2.1 Alarm System (I)
7.8.2.2.2 Display System (I)
7.8.2.2.2.1 Accident Monitoring Displays (I)
7.8.2.2.2.2 Operational Displays (I)
7.8.2.2.2.3 Plant Computer Driven Displays (I)
7.8.2.2.3 Control Switches (I)
7.8.2.2.3.1 Connections to the Logic Buses (I)
7.8.2.2.3.2 Connections to the Process Bus (I)
7.8.2.2.3.3 Hardwired Control Switches (I)
7.8.3 Supervisory Console (I)
7.8.4 Remote Shutdown Panel (I)
7.8.5 Conformance to Regulatory Guides (I)
7.9 PLANT COMPUTER (I)
8.0 ELECTRIC POWER (NA)
9.0 AUXILIARY SYSTEMS (NA)
10.0 STEAM AND POWER CONVERSION SYSTEM (NA)
11.0 RADIOACTIVE WASTE MANAGEMENT (NA)
12.0 RADIATION PROTECTION (NA)
13.0 CONDUCT OF OPERATIONS (NA)
14.0 INITIAL TEST PROGRAM (NA)
15.0 ACCIDENT ANALYSES (NA)
16.0 TECHNICAL SPECIFICATIONS (NA)
17.0 QUALITY ASSURANCE (I)
17.1 QUALITY ASSURANCE DURING DESIGN AND CONSTRUCTION (I)
17.1.1 References (I)
18.0 HUMAN FACTORS ENGINEERING (I)
18.1 OVERVIEW (I)
18.2 CONTROL ROOM DESIGN PROCESS (I)
18.2.1 Introduction (I)
18.2.2 Design Team (I)
18.2.3 Systems Functional Analysis (I)
18.2.3.1 The Operator Behavior Model (I)
18.2.3.2 Plant System Functional Analysis (I)
18.2.4 Task Analysis (I)
18.2.5 Task Allocation (Man vs. Automatic Systems) (I)
18.2.6 Control Room Functional Design Basis (I)
18.2.7 Functional Requirements (I)
18.3 CONTROL ROOM DESIGN (I)
18.3.1 Overview (I)
18.3.2 The Alarm System (I)
18.3.3 Information System (I)
18.3.4 Layout of Controls (I)
18.3.5 Workstation / Panel Layout (I)
18.3.6 Coordination Between Workstations (I)
18.3.7 Control Room Work Space Environment (I)
18.4 CONTROL ROOM DESIGN VERIFICATION AND VALIDATION PROCESS (I)
18.4.1 Introduction (I)
18.4.2 Design Process, The Testing Perspective (I)
18.4.3 Verification of the Human Engineering Design Process (I)
18.4.3.1 Types of Tests (I)
18.4.3.2 Test Participants (I)
18.4.3.3 Test Bed Variables (I)
18.4.3.4 Stages of Product Design (I)
18.4.3.5 Control Board Interface Elements / Aggregates to be Tested (I)
18.4.3.6 Theoretical Basis for Expected Interface Performance (I)
18.4.4 Validation of the WAPWR Control Room Design (I)
18.4.5 NRC Audit for the Verification and Validation of the Human Engineering Design Process for the WAPWR Control Room (I)
18.5 POST TMI REQUIREMENTS (I)
18.6 CONTROL ROOM DESIGN REVIEW (I)
18.7 OPERATOR TRAINING (I)
18.8 LOCATIONS OUTSIDE THE CONTROL ROOM (I)

KEY TO "REFERENCE SAR SECTION STATUS" COLUMN:

Category I

Those sections which are complete and for which no additional information is to be provided for the PDA application.

Category II

Those sections which are completed insofar as providing material relevant to this system module but for which additional information will be provided in support of subsequent modules.

Category III

Those sections for which information on interfacing systems will be provided at a later date.

NA

Those sections for which categorization is not applicable. Only the section titles are included for clarity.

LIST OF TABLES

Number Title

1.6-1 Material Incorporated by Reference
1.8-1 Standard Review Plan Deviations
18.2-1 Sample Page of the Task Description for Choosing Between Processes Which Control [ ] (a,c)
18.2-2 Sample Pages from a Control Room Task Analysis
18.3-1 Sample Alarm Message Worksheet
18.3-2 Sample of Alarm Message [ ] (a,c)
18.3-3 Sample of Alarm Message [ ] (a,c)
18.4-1 Man-In-The-Loop Testing: Test Elements

LIST OF FIGURES

Number Title

7.8-1 I&C Architecture
7.8-2 Main Control Board
7.8-3 Plant Process Data System
7.8-4 Main Control Board Multiplexing
7.8-5 Control Room Mockup
7.8-6 Equipment Operator Sitdown Workstation Profile
7.8-7 Equipment Operator Standup Workstation Profile
7.8-8 Main Control Board - Typical Section
7.8-9 Plant Alarm System
7.8-10 Supervisory Console
18.1-1 Graphic Knowledge Systems
18.2-1 Westinghouse Control Room Design Process
18.2-2 Westinghouse Control Room Design Process -Necessary Human Resources-
18.2-3 Decision-Making Model
18.2-4 Illustration of the [ ] (a,c) and Their Typical Coupling
18.2-5 [ ] (a,c)
18.2-6 Example of [ ] (Function Decomposition) (a,c)
18.2-7 Task Analysis
18.3-1 Operation of Alarm Overview Panels (Conceptual Diagram)
18.3-2 Possible layout of Alarm Message Categories and Message Slots for the Function of RCS Temperature Control
18.3-3 Window Format for Displays Associated with Plant Functions Which Have Complex Functional Relationships to Other Plant Functions
18.3-4 Window Format for Displays Associated with Plant Systems Which Have Complex Physical Relationships With the Rest of the Plant
18.3-5 Workstation Design: Simplified Decision-Making Model
18.3-6 Possible Arrangement of Workstations to Form WAPWR Control Room
18.3-7 Control Workstations: Layout by Plant Function
18.4-1 Westinghouse Control Room Design Process Showing Iterative Loops for Human Engineering Verification and Validation
18.4-2 Westinghouse Control Room Design Process Showing Location of Possible NRC Pre-Implementation Audit

1.0 INTRODUCTION AND GENERAL DESCRIPTION OF PLANT

1.1 INTRODUCTION

The Westinghouse Electric Corporation (hereinafter referred to as Westinghouse) has developed this Reference Safety Analysis Report (RESAR-SP/90) for the Westinghouse Advanced Pressurized Water Reactor (WAPWR) as part of its continuing efforts toward design and licensing standardization of nuclear power plants. RESAR-SP/90 is a standard safety analysis report submitted initially for Preliminary Design Approval (PDA) in accordance with Appendix O, "Standardization of Design; Staff Review of Standard Designs," to Part 50 of Title 10 of the Code of Federal Regulations (hereinafter referred to as 10CFR). The ultimate objective is to obtain a Final Design Approval (FDA) of RESAR-SP/90 followed by a rulemaking proceeding and design certification.

1.2 GENERAL PLANT DESCRIPTION

1.2.2 Principal Design Criteria

RESAR-SP/90 is designed to comply with 10 CFR Part 50, Appendix A, "General Design Criteria for Nuclear Power Plants." The specific applications of General Design Criteria to RESAR-SP/90 are discussed in Section 3.1 of RESAR-SP/90 Module 7, "Structural/Equipment Design."

1.6 MATERIAL INCORPORATED BY REFERENCE

The WAPWR Control Room / Human Factors Engineering Module incorporates, by reference, certain topical reports. The topical reports, listed in Table 1.6-1, have been filed previously in support of other Westinghouse applications.

The legend for the review status code letter follows:

A - U.S. Nuclear Regulatory Commission review complete; USNRC acceptance letter issued.

AE - U.S. Nuclear Regulatory Commission accepted as part of the Westinghouse emergency core cooling system (ECCS) evaluation model only; does not constitute acceptance for any purpose other than for ECCS analyses.

B - Submitted to USNRC as background information; not undergoing formal USNRC review.

O - On file with USNRC: older generation report with current validity; not actively under formal USNRC review.

U - Actively under formal USNRC review.

TABLE 1.6-1

MATERIAL INCORPORATED BY REFERENCE

Westinghouse Topical Report No.: WCAP 10170
Title: Emergency Response Facilities Design and V&V Processes
Revision Number: 0
SAR Section Reference: 7.9, 18.2
Submitted to the NRC: 12/1/82
Review Status: A

Westinghouse Topical Report No.: WCAP 8370
Title: Westinghouse Water Reactor Divisions' Quality Assurance Plan
Revision Number: Rev 9A
SAR Section Reference: 17.1
Submitted to the NRC: 11/14/77
Review Status: A

1.8 CONFORMANCE WITH THE STANDARD REVIEW PLAN

In accordance with 10CFR50.34(g), Table 1.8-1 of each PDA module identifies and evaluates deviations from the acceptance criteria of those sections of the NRC Standard Review Plan (NUREG-0800) pertinent to the subject module. Table 1.8-1 provides this list for the "Control Room / Human Factors Engineering" module.

TABLE 1.8-1

STANDARD REVIEW PLAN DEVIATIONS

SRP Section    Acceptance Criteria    Deviation

Section 7.8, "Control Room" and Section 7.9, "Plant Computers" address subjects which are not currently part of the standard review plan.

Section 18, "Human Factors Engineering," was developed and written with the intent to follow SRP 18 guidelines (NUREG's, Reg. Guides, etc.) where applicable. The nature of the "modern" control room and the human factors engineering aspects of the design does not allow for total adherence to the SRP, but, in some areas, may exceed the intended requirements set forth by the staff.

During the licensing process, any deviations with respect to the SRP acceptance criteria which are applicable to the Control Room / Human Factors Engineering will be listed here as appropriate.

2.0 SITE CHARACTERISTICS

No portion of this chapter is pertinent to the RESAR-SP/90 "Control Room / Human Factors Engineering" module.

3.0 DESIGN OF STRUCTURES, COMPONENTS, EQUIPMENT AND SYSTEMS

See RESAR-SP/90 PDA Module 7, "Structural / Equipment Design" for a discussion of the design of structures, components, equipment and systems pertinent to the WAPWR instrumentation and control, and electric power systems.

4.0 REACTOR

No portion of this chapter is pertinent to the RESAR-SP/90 "Control Room / Human Factors Engineering" module.

5.0 REACTOR COOLANT SYSTEM AND CONNECTED SYSTEMS

No portion of this chapter is pertinent to the RESAR-SP/90 "Control Room / Human Factors Engineering" module.

6.0 ENGINEERED SAFETY FEATURES

See RESAR-SP/90 PDA Modules 1, "Primary Side Safeguards System," 6/8, "Secondary Side Safeguards System," and 10, "Containment Systems," for discussions of Engineered Safety Features pertinent to the WAPWR.

7.0 INSTRUMENTATION AND CONTROLS

7.1 INTRODUCTION

The instrumentation and control (I&C) systems presented in Section 7 of RESAR-SP/90 PDA Module 9, "Instrumentation & Controls and Electric Power," provide protection against improper or unsafe reactor operation during steady-state and transient power operations. They will initiate selected protective functions to mitigate the consequences of design basis accidents. Emphasis is placed on those I&C systems which assure that the reactor can be operated to produce power in a manner that ensures no undue risk to the health and safety of the public. The sections described in Module 9 relate the functional performance requirements, design bases, system descriptions, and safety evaluations for those I&C systems.

7.8 CONTROL ROOM

The control room includes the main control board, the supervisory console, and all other panels located in the primary operating area. The main control board and supervisory console portion of the control room are specifically addressed here. The other panels in the immediate viewing area of the control room operator will be similarly treated when the detailed requirements of a specific plant are identified.

The control room supports the operator in monitoring and controlling the plant in a way that optimizes safety and power production.

The control room described is based upon the actual, detailed control and display content of an existing plant control room to establish the physical size and scope of the control room equipment. It is the basis for a control room that will be modified to meet the requirements of a specific plant.

Human factors engineering processes, as described in Section 18 of this module, permeate the design of the control room. NUREG-0700 is used as a checklist to ensure acceptable human factors coverage.

The control room is the focal point of the I&C architecture (Figure 7.8-1), which includes microprocessors and conventional instrumentation and control systems. Figure 7.8-2 shows how the main control board and supervisory console interface with the other parts of the I&C architecture.

With the exception of hardwired reactor trip and system level engineered safety features actuation switches, which interface directly with the integrated protection system as described in Section 7.1.1.2 of RESAR-SP/90 PDA Module 9, "Instrumentation and Controls / Electric Power," all control signals out of the main control board and all display signals into the main control board and the supervisory console are transmitted by serial data links.

The plant process data system (Fig. 7.8-3) provides the accident monitoring displays required by Reg. Guide 1.97 and the displays for all modes of plant operation. The safety displays include [ ] (a,c) information. [ ] (a,c) outputs are provided to qualified recorders located in separate cabinets in the control room. The displays on the main control board and the supervisory console are [ ] (a,c) (for accident monitoring) and [ ] (a,c) (for operation). This system also provides display signals to the remote shutdown panel.

Alarms are displayed along the top of the main control board, and on alarm support displays on the vertical section and at the supervisory console. Both the alarm overview and support displays are driven by [ ] (a,c) which categorize and prioritize the alarm data.

[ ] (a,c) groups of multiplexers (Figure 7.8-4) are used to send control signals from the main control board switches. These multiplexers also receive plant component status information for indication on the main control board. [ ] (a,c) multiplexers communicate Class 1E control and status signals between the main control board and the engineered safety features logic actuations cabinet. The [ ] (a,c) multiplexers communicate between the main control board and the control logic. The [ ] (a,c) multiplexers communicate between the main control board and the integrated control cabinets. An [ ] (a,c) multiplexers communicate control and status signals between the main control board and the turbine generator control system.

The plant computer, described in Subsection 7.9, provides the control room operator and supervisor with an overview of the plant operations and the state of the operating goals. These displays are presented on a set of CRTs at the main control board [ ] (a,c) section. These same displays are available at the supervisory console.

7.8.1 Control Room Layout

The main control board / supervisory console arrangement is shown on Figure 7.8-5, which is a photograph of the control room mockup. Advantages of the [ ] (a,c) are covered in Section 18.

7.8.2 Main Control Board

The main control board is made up of [ ] (a,c) (Figure 7.8-7). The [ ] (a,c) are joined to make up a [ ] (a,c) main control board. Dedicated standardized backlighted pushbutton switches and auto / manual stations are provided for plant control and component status indication. Displays are presented on [ ] (a,c)

7.8.2.1 Main Control Board Layout

In general, the [ ] (a,c) of all sections is the alarm overview displays, the [ ] (a,c) are primarily devoted to the display system and alarm support displays, and the [ ] (a,c) contain the backlighted pushbutton switches and process control stations (see Figure 7.8-8).

Flexibility for the human-engineered arrangement of controls and the simplification of electrical and physical separation is provided by [ ] (a,c). The placement of [ ] (a,c) simplifies seismic qualification.

Human factored engineering features of the main control board include [ ] (a,c) to aid the operator in device identification and location; and restriction of systems placed on the main control board based upon need.

7.8.2.2 Main Control Board Interfaces to the I&C System

With the exception of the hardwired circuits, all plant component status indication signals into and all control signals out of the main control board [ ] are multiplexed. With the exception of the actual plant parameter feedback and setpoint indications on the operator interface modules, all displays and alarms are presented on [ ] (a,c). The number of cables entering the main control board is reduced to a small fraction of those entering a conventionally wired board, greatly simplifying cable routing and Class 1E separation in the main control and potentially eliminating cable spreading rooms.

All multiplexers, [ ] (a,c). Each control switch provides contacts to [ ] (a,c) multiplexers and each component status indicator (backlighted pushbutton) contains lamps controlled by [ ] (a,c) multiplexers. Switching logic is accomplished in the [ ] (a,c) so that each control switch requires [ ] (a,c).

7.8.2.2.1 Alarm System

The alarm system architecture is shown on Figure 7.8-9. A particular overview display contains [ ] (a,c). The total number of permanently labeled alarm windows is approximately [ ] (a,c). Predetermined alarm messages covering all defined alarm conditions for the plant are provided for display in a [ ] (a,c). Lower priority alarms in a category already in alarm, as well as information about all defined alarm conditions and alarm system logic, are available for display on the [ ] (a,c).

7.8.2.2.2 Display System

The Main Control Board contains [ ] types of displays: [ ] (a,c)

[ ] (a,c) Class 1E separation between redundant trains is accomplished by complete electrical isolation and where feasible by physical separation. Barriers in the form of individual enclosures (switch modules) for controls and conduit for cabling are provided where sufficient space is not available, such as for front panel mounted main control board components.

7.8.2.2.2.1 Accident Monitoring Displays

Safety displays meet the requirements of Reg. Guide 1.97 and provide sufficient information for operation of the plant in a safe condition before, during, and following an event. These displays are presented on [ ] (a,c) of the main control board and also at the supervisory console. The [ ] (a,c) and the data processors are seismically qualified.

7.8.2.2.2.2 Operational Displays

Operation of the plant for all conditions may be accomplished by using the [ ] (a,c). These displays are driven by [ ] (a,c) Each display generator governs a [ ] (a,c) Data is provided from the qualified data processing cabinets which are part of the plant process data system. This system also has the capability to drive indicators and recorders.

7.8.2.2.2.3 Plant Computer Driven Displays

The coordination of data between the plant computer, Subsection 7.9, sets of [ ] (a,c) as described in Section 18 of this module. The algorithms that are the basis for these displays are contained in the plant computer. Access to the displays is direct. There is no need for the operator to learn access codes, commands, or computer language.

7.8.2.2.3 Control Switches

Process controls are [ ] (a,c) switch modules with backlighted pushbuttons, and operator interface modules with [ ] (a,c) in addition to [ ] (a,c) Both types of modules include backlighted labels. The modular design facilitates Class 1E separation [ ] (a,c), standardized connections, and control board layout. Each pushbutton is lighted from [ ] (a,c). Each pushbutton has [ ] (a,c)

7.8.2.2.3.1 Connections to the Logic Buses

Class 1E main control board switches that are required to control plant equipment with [ ] (a,c) normal states (isolation valves, motors, heaters), are connected via main control board redundant [ ] (a,c) Non-Class 1E switches are connected via redundant [ ] (a,c) described in Subsection 7.7 of RESAR-SP/90 PDA Module 9, "Instrumentation & Controls and Electric Power."

7.8.2.2.3.2 Connections to the Process Bus

The [ ] (a,c) modules are used for manual and automatic control of plant process requiring analog control such as flow, level, pressure, and temperature. These modules are similar to the auto / manual stations used with conventional control systems. Indicators are provided to show the [ ] (a,c) Auto, manual, up and down pushbuttons are included, as required. These control stations are connected via redundant [ ] (a,c) described in Subsection 7.7 of RESAR-SP/90 PDA Module 9, "Instrumentation & Controls and Electric Power."

7.8.2.2.3.3 Hardwired Control Switches

The reactor trip / reset and system level engineered safety features initiation switches are [ ] (a,c) The reactor trip / reset switch and the reactor trip function of the safety injection initiation switch are [ ] (a,c) All engineered safety feature system level switches are wired [ ] (a,c) described in Subsection 7.1.1.2.2 of RESAR-SP/90 PDA Module 9, "Instrumentation & Controls and Electric Power."

7.8.3 Supervisory Console

The supervisory console is surrounded by the main control board and provides a location that brings together the resources needed to support the supervisor in his decision making role. It also is the location in the control room for external communications.

The console houses a [ ] (a,c) for plant computer processed plant and component data displays; a [ ] (a,c) and an [ ] (a,c) The console also contains desk space, which accommodates storage for drawings and manuals as well as a work surface.

An arrangement of the supervisory console is shown in Figure 7.8-10. The components are arranged within a [ ] (a,c) A corridor of not less than five feet is provided in front of the main control board.

The front of the console has a lay down area for books and procedures for the main control board operators. A bookshelf is built into the front of the console for storage of procedures. Parking facilities for a rolling procedures cart are provided on either side of the console. The console has an area for a personal computer or terminal. Other space is provided on the console for storage of drawings, references, and files. Components positioned at the rear of the console include a [ ] (a,c) with provision for storage of replacement paper, replacement parts, and small tools, and two 3-drawer file cabinets.

7.8.4 Remote Shutdown Panel

The remote shutdown panel will be designed using the [ ] (a,c) as a model, with the same type of operator display and control interfaces, and with the [ ] (a,c)

7.8.5 Conformance to Regulatory Guides

The control room design conforms to the following Regulatory Guides.

1. Reg. Guide 1.29 "Seismic Design Classification," September, 1978.
2. Reg. Guide 1.42 "Bypassed and Inoperable Status Indication for Nuclear Power Plant Safety Systems," May, 1973.
3. Reg. Guide 1.53 "Application of the Single-Failure Criterion to Nuclear Power Plant Protection System," June, 1973.
4. Reg. Guide 1.62 "Manual Initiation of Protective Actions," October, 1973.
5. Reg. Guide 1.75 "Physical Independence of Electrical Systems," January, 1975.
6. Reg. Guide 1.78 "Assumptions for Evaluating the Habitability of a Nuclear Power Plant Control Room During a Postulated Hazardous Chemical Release," June, 1974.
7. Reg. Guide 1.5 "Protection of Nuclear Power Plant Control Room Operators Against an Accidental Chlorine Release," Revision 1, January, 1977.
8. Reg. Guide 1.97 "Instrumentation for Light Water Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident," Revision 3, May, 1983.
9. Reg. Guide 1.100 "Seismic Qualification of Electric Equipment for Nuclear Power Plants," Revision 1, August, 1977.
10. Reg. Guide 1.120, "Fire Protection Guidelines for Nuclear Power Plants (for comment)," Revision 1, November, 1977.

Figure 7.8-1 I&C Architecture [ ] (a,c)

Figure 7.8-2 Main Control Board [ ] (a,c)

Figure 7.8-3 Plant Process Data System [ ] (a,c)

Figure 7.8-4 Main Control Board Multiplexing [ ] (a,c)

Figure 7.8-5 Control Room Mockup [ ] (a,c)

Figure 7.8-6 Equipment Operator Sitdown Workstation Profile [ ] (a,c)

Figure 7.8-7 Equipment Operator Standup Workstation Profile [ ] (a,c)

Figure 7.8-8 Main Control Board - Typical Section [ ] (a,c)

Figure 7.8-9 Plant Alarm System [ ] (a,c)

Figure 7.8-10 Supervisory Console [ ] (a,c)

E i 7.9 PLANT COMPUTERS The plant computer as shown in Figure 7.8-1 receives non-1E signals and isolated IE signals via data links from the integrated protection system (IPS) and integrated control system (ICS), described in Chapter 7 of RESAR-SP/90 PDA Module 9, " Instrumentation and Controls and Electric Power" and the plant monitoring systems (PMS) and plant process data system (PPDS) described in Subsection 7.8 of this module. The plant computer processes sensor data and O

V performs all calculations necessary to generate [ +(a,c) l The processed data is also available to an emergency operations facility ( +(a,c)

]

The information content of the [ ] at each location will be+(a,c) determined on the basis of functional task analysis as described in Chapter

18. Implementation of the functional requirements will be in accordance with the design process and verification activities described in WCAP 10170,

" Emergency Response Facilities Design and V&V Processes."

In addition to generation of displays designed to support operations and supervisory personnel, the plant computer system performs calculations which monitor the performance and status of the NSSS and the secondary plant. The

plant computer system also performs the function of collection and printout of historical operational data.


8.0 ELECTRIC POWER

See RESAR-SP/90 PDA Module 9, "Instrumentation and Controls and Electric Power" for a complete description and evaluation of the WAPWR onsite electric power systems.


9.0 AUXILIARY SYSTEMS

See RESAR-SP/90 PDA Module 13, "Auxiliary Systems" for a complete description and evaluation of the auxiliary systems within the WAPWR Nuclear Power Block.


10.0 STEAM AND POWER CONVERSION SYSTEM

See RESAR-SP/90 PDA Module 6/8, "Secondary Side Safeguards System/Steam and Power Conversion" for a detailed discussion of the steam and power conversion system.


11.0 RADIOACTIVE WASTE MANAGEMENT

See RESAR-SP/90 PDA Module 12, "Waste Management" for a discussion of the design of structures, components, equipment and systems pertinent to the WAPWR waste management systems.


12.0 RADIATION PROTECTION

See RESAR-SP/90 PDA Module 11, "Radiation Protection," for a discussion of the design of components, equipment and systems pertinent to the WAPWR radiation protection system.


13.0 CONDUCT OF OPERATIONS

See the applicant's safety analysis report for a discussion of "Conduct of Operations".


14.0 INITIAL TEST PROGRAM

See the applicant's safety analysis report for a discussion of the initial test program.


15.0 ACCIDENT ANALYSES

No portion of this chapter is pertinent to the RESAR-SP/90 "Control Room/Human Factors Engineering" module.


16.0 TECHNICAL SPECIFICATIONS

No portion of this chapter is pertinent to the RESAR-SP/90 "Control Room/Human Factors Engineering" module.


17.0 QUALITY ASSURANCE

17.1 QUALITY ASSURANCE DURING DESIGN AND CONSTRUCTION

The Westinghouse Water Reactor Divisions Quality Assurance Program is described in Reference 1.

See the WAPWR integrated PDA submittal for a description of the complete WAPWR Quality Assurance Program, including modifications to reflect the expanded design and construction scope of the WAPWR Nuclear Power Block.

17.1.1 References

1. "Westinghouse Water Reactor Divisions Quality Assurance Plan," WCAP-8370, Revisions 9a, Amendment 1, February, 1981.


18.0 HUMAN FACTORS ENGINEERING

18.1 OVERVIEW

The rapid development of computational system technology has, within the last five years, made it possible to take a different perspective when it comes to the design of new process control rooms. There has been, at the same time, a significant improvement in the understanding of how humans make decisions in real-time process control environments and subsequently, an improvement in how this decision making might better be supported. These technological advances, coupled with the study of the role that operators have played in abnormal events in operating nuclear power plants, led Westinghouse to embark on several development programs which culminated in the design of a totally new control room for the WAPWR.

In general, the philosophical approach to the man-machine interface (MMI) design problem that Westinghouse has developed can be best expressed in the terminology of the artificial intelligence community. From this framework, the computer system contains the knowledge structure and manipulates the process data as determined by the knowledge structure and displays the results through a display network that is, again, a reflection of that structure. This creates the proper context for the data. The role of the human operator is to do the work of the "inference engine", using his expertise, intuition and process control heuristics to herein recognize abnormality and develop strategies to correct it. Figure 18.1-1 is a graphic illustration of this approach.

The remainder of this chapter provides the details of how a complete control room is designed from this perspective.

+(a,c)

Figure 18.1-1 Graphic Knowledge Systems

18.2 CONTROL ROOM DESIGN PROCESS

18.2.1 Introduction

As the title indicates, this chapter will discuss those aspects of the control room design related to the human factors engineering of the "front" side of the board, i.e., the aspects of the control room design that dictate the nature of the interface between the human operators of the WAPWR plant and the process which makes up the plant and whose performance the operators control.

In general, this chapter of the RESAR-SP/90 PDA, which seeks a Preliminary Design Approval (PDA) from the U.S. NRC, will emphasize the engineering process used to design the WAPWR control room rather than focus on a particular control room design, i.e., a particular result of the process. A flow diagram for this engineering process is shown as Fig. 18.2-1. Much of the technical work that forms the basis of this process was developed by Westinghouse during its participation in an EPRI sponsored program which examined the scoping and feasibility of designing and building a plant-wide disturbance analysis and surveillance system (DASS). The work is documented in EPRI Report NP-2240. This work was done in the post-TMI era; as such, a great deal of emphasis was placed during this study on examining the man-machine aspects of plant diagnosis via digital computer systems.

Application of this aspect of the DASS project was made in the design of the Westinghouse safety parameter display system (SPDS). The NRC conducted a pre-implementation review of the generic SPDS design and issued a Safety Evaluation Report (SER) in Feb., 1984 (see letter LS05-84-02-009 to Mr. E. P. Rahe, Jr. (W) from D. M. Crutchfield (NRC)), which approved the model of operator behavior, the method of deriving the content and organization of displays from the model and the human factors verification and validation process. In short, the process that Westinghouse is using to do the human factors engineering for the WAPWR control room is fundamentally the same as that used to design the Westinghouse SPDS.

The organization of this chapter follows closely the process shown in Fig. 18.2-1 with the exception of the section which immediately follows this introduction. That section describes the design team or rather outlines the human talents that Westinghouse believes are required and which Westinghouse expects to put into place when a commercial contract for an WAPWR plant becomes effective. Subsequent sections then examine the design process in detail.

18.2.2 Design Team

For the WAPWR control room design, Westinghouse utilizes a [ ]+(a,c) team that has the technical and operational experience required to perform the task. This team is comprised of experts in the fields of:

+(a,c)

Clearly, not all of these resources are necessary at every step in the human factors engineering process shown in Fig. 18.2-1. Figure 18.2-2 overlays the human resources needed for each step in the process.

18.2.3 Systems Functional Analysis

In order to ensure that the control room provides the operators with the proper process data, at the proper time and is presented in an understandable form and that appropriate process controls are available and are easy to access, the control room design team needs [ ]+(a,c) upon which to base their engineering judgments and decisions. [ ]+(a,c) Therefore, the design team also needs a [ ]+(a,c) Since the nature of the [ ]+(a,c) on the appropriateness of the plant process performance model, the following discussion will examine the operator behavior model that Westinghouse is presently using and how, in the human factors engineering process, it is used.

18.2.3.1 The Operator Behavior Model

This section of the discussion focuses on the activities of "Modeling Human Decision Making" and the subsequent "Generic Cognitive Tasks of Decision-Making" that are shown in Fig. 18.2-1.

The generic model of human decision-making that Westinghouse has been working with for some time is based on the one developed at [ ]+(a,c) A modification of this model was developed in the course of supporting the design process for the [ ]+(a,c) to include feedback in the decision-making process and is shown in Fig. 18.2-3. This model was submitted to and reviewed and approved by the U.S. NRC as part of the Safety Evaluation Report that was granted to Westinghouse for a [ ]+(a,c)

The step involving "Generic Cognitive Tasks of Decision-Making" reflects the questions that operators, in the course of doing their process control tasks, must ask in order to work their way through the decision-making steps outlined by [ ]+(a,c) The right-hand side of Fig. 18.2-7 shows the questions that need to be considered as a function of the [ ]+(a,c)

In addition to these questions, there are [ ]+(a,c) This means there is a requirement to monitor the function that the automatic control system provides [ ]+(a,c) To accomplish the latter, an operator must be able to [ ]+(a,c)

The decision-making model shown in Fig. 18.2-3, however, is only part of the overall decision-making formulation. A complementary piece is contained in the report [ ]+(a,c) in which it is suggested that humans deal with problem solving in complex situations, [ ]+(a,c) For example, rather than trying to deal with or think about the individual states of each component (detailed form) in a system, humans will, instead, [ ]+(a,c)

Typically, the descriptions used to define the [ ]+(a,c) will be more abstract than those used to describe the [ ]+(a,c) The coupling [ ]+(a,c) is shown in Fig. 18.2-4.

A more expanded discussion of all of these concepts can be found in NUREG/CR-4532.

18.2.3.2 Plant System Functional Analysis

Clearly, from examining the [ ]+(a,c) and the associated questions that an operator needs to answer, the model of the plant's processes that is required is [ ]+(a,c)

In order to deal with the levels of abstraction issue with some degree of order, the WAPWR control room designers have developed a methodology for analyzing or decomposing the plant processes. This methodology is based on the concept of [ ]+(a,c) Figure 18.2-5 shows an abstract view of this structure.

Figure 18.2-6 shows a small sample of the [ ]+(a,c) that is applicable to the design of the WAPWR control room. This sample shows [ ]+(a,c)

Also shown in Figure 18.2-6 is a [ ]+(a,c)

In this particular example, the plant designer has provided several means of accomplishing the [ ]+(a,c) function. These alternate means are also decomposed in Figure 18.2-6 showing the decisions of choice that the operator must make and then developing as generic a model of the processes that provide [ ]+(a,c) as is possible. This [ ]+(a,c)

The [ ]+(a,c) described here that results in a useful (for the meaning of "useful," see the following section on task analysis) model of the plant processes is similar to the functional analysis technique suggested in NUREG-0700, Appendix B, as the basis for new control room designs.

This [ ]+(a,c) forms the structural portion of the knowledge, i.e., process data plus the relationships between data, that needs to be provided to the operator as part of the control room design and which, ultimately, should form the operator's mental model of the plant process and should provide the basis for training the operator in plant supervisory and operational skills.

It is important to note that this [ ]+(a,c) attempts to describe a [ ]+(a,c)

18.2.4 Task Analysis

Once the [ ]+(a,c) is created showing the [ ]+(a,c) then the task analysis can be performed. This task analysis's objective is to determine the process plant data required to support the decisions that the control room crew is responsible for making and for identifying the detailed actions (i.e. what valves to open/close, what pumps to start/stop) that the crew is responsible for carrying out as a result of those decisions. Specifically, for the WAPWR control room, the [ ]+(a,c) shown in Fig. 18.2-3 on to the [ ]+(a,c) for the plant. This takes the form of determining the answers to the questions that now represent the [ ]+(a,c) Again, these questions and their relationships to the [ ]+(a,c) are shown in Figure 18.2-7.

At the conclusion of this task analysis exercise, the designer has determined:

+(a,c)

The results of the task analysis are task descriptions. A sample of the task description for a [ ]+(a,c) is given as an example of these task descriptions in Table 18.2-1.

Note that this task analysis is at a "higher" level than the one described in NUREG/CR-3371. Table 18.2-1 is a sample page of a [ ]+(a,c)

In addition, Westinghouse performs a task analysis at the [ ]+(a,c) This task analysis examines the [ ]+(a,c) A sample of pages from such a task analysis is shown as Table 18.2-2. This type of task analysis not only aids in job descriptions and workstation layout but also contributes design objectives for the overall room design and environment.

18.2.5 Task Allocation (Man vs Automatic Systems)

The task allocation step in the human factors engineering process consists of [ ]+(a,c) activities. These [ ]+(a,c) activities are:

+(a,c)

In summary, the task allocation step cannot be done independently of the other steps in the human factors engineering process. In fact, there are a variety of factors that can influence a particular allocation decision or the choice of a general philosophy about human/automatic system roles in a system, including cost, available technology, and control philosophy, to name a few.

The task analysis does not invalidate these considerations; rather, it adds to them the point that there are [ ]+(a,c)

18.2.6 Control Room Functional Design Basis

This section will be provided at the time of an FSAR application, and will describe the control room functional design bases (the results of the application of the design process to a specific plant). In general, these design bases will explain why the design has taken a particular form.

18.2.7 Functional Requirements

The functional requirements for the plant specific control room will appear in this section at the time of an FSAR application. In general, these functional requirements outline, in a functional way, the detailed performance that the control room design must achieve.


TABLE 18.2-1

SAMPLE PAGE OF THE TASK DESCRIPTION FOR CHOOSING BETWEEN PROCESSES WHICH CONTROL [ ]

PROCESS CHOICE

Choice    Data Needs

+(a,c)

TABLE 18.2-2 (Sheet 1 of 4)

SAMPLE PAGES FROM A CONTROL ROOM TASK ANALYSIS

1.4 ROLE ACTIVITY ANALYSIS

1.4.1 Equipment Operator Role Activities

Equipment operator role activities may be divided into four parts: 1) process control, 2) testing, 3) administrative work and 4) time-out activities.

A. Equipment Operator Process Control Activities

A simple way to determine the activity units associated with the equipment operator's process control tasks is to [ ]+(a,c)

1. [ ]+(a,c) to Equipment Operator For Process Control

+(a,c)

TABLE 18.2-2 (Sheet 2 of 4)

+(a,c)

2. Equipment Operator Processing Activities For Process Control

+(a,c)

3. [ ]+(a,c) For Plant Process Control

+(a,c)

4. Equipment Operator Communications For Process Control

+(a,c)

TABLE 18.2-2 (Sheet 3 of 4)

B. Equipment Operator Test Activity Units

1. [ ]+(a,c) Activities for Test

+(a,c)

2. Processing Activities For Test

+(a,c)

3. [ ]+(a,c) Activities For Test

+(a,c)

4. Communications Activity Units For Test

+(a,c)

TABLE 18.2-2 (Sheet 4 of 4)

C. Equipment Operator Administrative Work Activities

+(a,c)

D. Equipment Operator Time-Out Activities

+(a,c)

+(a,c)

Figure 18.2-1 Westinghouse Control Room Design Process

+(a,c)

Figure 18.2-2 Westinghouse Control Room Design Process - Necessary Human Resources

+(a,c)

Figure 18.2-3 Decision-Making Model

+(a,c)

Figure 18.2-4 Illustration of the [ ]+(a,c) and Their Typical Coupling

+(a,c)

Figure 18.2-5 [ ]+(a,c)

+(a,c)

Figure 18.2-6 Example of [ ]+(a,c)

+(a,c)

Figure 18.2-7 Task Analysis

18.3 CONTROL ROOM DESIGN

18.3.1 Overview

The following discussion describes how Westinghouse turns the results of the plant process modeling, task analyses and task allocation activities into a cohesive control room design that is documented and described by the Control Room Functional Requirements and Design Bases documents. The order of topic presentation in this section of Chapter 18 follows the design steps, i.e., the alarm systems, the process-data presentation or the information system, and the controls layout are done as individual elements; these are then coordinated/integrated to form a work station; work stations are coordinated/integrated to form a control room; control room size, detailed layout, environment, traffic patterns and interfaces with other decision-making centers are then designed to complete the design.

18.3.2 The Alarm System

From the operating crew's perspective, the alarm system is a major entry point into the decision-making process, and, to a large degree, it provides the feedback as to the correctness of actions taken, and therefore, forms the completion step in that process.

With this as the high level goal for the alarm system, some additional design objectives need to be considered relative to accomplishing that goal. Some of these objectives come from the experience or problems related to the design of previous real-time process control alarm systems and some are of a more common sense variety, having their roots in the fundamentals of cognitive psychology and/or human factors.

One that stems from past experience has to do with the robustness of the design. Complaints concerning the heavy "avalanching" of alarms during major off-normal events need to be addressed with this alarm system design. Traditional alarm annunciator window designs were designed so that every alarm, no matter the severity, urgency or level of detail, occupied a permanent spatial location on the control board. During major off-normal events, large numbers of these annunciator windows would be triggered (lit) making the operators' task of sorting the important alarms from the unimportant, (i.e., those alarms which are true indications of cause from those that are merely the result or consequence of the cause), extremely difficult, if not impossible.

In addition, many traditional alarm system designs included annunciation and the lighting of permanent alarm windows for the results of control actions that are "normal," i.e., not alarming or abnormal. Often these "control status" messages (e.g., "Safety Injection is On") are interspersed, often seemingly randomly, in the spatial display of alarm windows, compounding further the operators' sorting and assimilating tasks, i.e., observing what is abnormal and identifying plant state.

A [ ]+(a,c) system design would be one which filtered out or suppressed unimportant and inconsequential alarms for situations of high alarm activity, yet would allow those same alarms to penetrate through to places of significance, [ ]+(a,c) when alarm activity is low.

In addition, because the alarm system is the starting point for the decision-making process, it makes sense to make it [ ]+(a,c) For all of their faults, traditional annunciator window alarm systems have qualities that support this sort of design objective. [ ]+(a,c)

Also, when reading the requirements for an SPDS, a commonly asked question is "why doesn't the alarm system do these?" Indeed, one can view the initiative for an SPDS after the March, 1979 incident at TMI-2 as an indictment of the failings of traditional annunciator window alarm system designs. The SPDS requirements (see NUREG-0696) include

o identifying all of the plant variables pertinent to assessing the overall health of the plant's processes relative to protecting the health and safety of the public,

o grouping those variables according to the "critical safety functions" (RCS inventory, core cooling, radiation, etc.) to which they apply,

o displaying those variables in such a way as to support the operators' cognitive task of "detecting" when a malfunction has jeopardized or degraded the plant's processes which accomplish those critical safety functions.

[ ]+(a,c)

An alarm system is one mechanism that the plant's processes use to "talk to" the operating crew. The operating crew, in order to fully understand the meaning of the alarm system, [ ]+(a,c)

Finally, the alarm system presents to the operator [ ]+(a,c)

These three types include:

+(a,c)

These types of plant process data were identified in the functional structure of the plant's processes that was performed as part of the systems functional analysis and the task allocation steps and was discussed in Subsections 18.2.3 and 18.2.5. Clearly, the issue concerning what is alarming is based upon noting abnormality in the nodes of the functional structure; the issue of tracking the performance of automatic systems is the result of the added supervisory task that is placed on the human operator as a direct result of the design decision to [ ]+(a,c) So the work of systems functional analysis, task analysis and task allocation are identifying [ ]+(a,c)

[ ]+(a,c)

Effective alarm management depends on a shift away from messages that are only signals of possible abnormal conditions to [ ]+(a,c) that focus on the abnormal conditions (disturbances) that are being signaled. This is basically a problem of defining the [ ]+(a,c)

To obtain stronger evidence of underlying abnormalities so that the data provided to the operator has the desired significance, the WAPWR alarm system [ ]+(a,c)

As indicated by the above-discussed example, an analysis of [ ]+(a,c) for any application reveals [ ]+(a,c)

[ ]+(a,c) In the WAPWR alarm system, to relate the abnormality indicators and [ ]+(a,c)

The grouping of alarm messages by [ ]+(a,c) provides a first level of organization of the [ ]+(a,c) In effect, each specific abnormal condition in this alarm system design results in a [ ]+(a,c) to the operator with [ ]+(a,c) This alarm organization within [ ]+(a,c) communicates the significance of a particular abnormal condition in the context of other alarm messages for the same [ ]+(a,c) to the operator. For example, [ ]+(a,c)

In the WAPWR alarm system, the significance of the [ ]+(a,c) can be seen against the context or background of the [ ]+(a,c) because of the [ ]+(a,c) This level of context is needed to support operator judgment related to the significance of the alarm status of one [ ]+(a,c) relative to other [ ]+(a,c) The [ ]+(a,c)

[ ]+(a,c)

The presentation technique of the WAPWR alarm system is a [ ]+(a,c)

One way to describe this approach to alarm presentation is to characterize alarm systems in terms of [ ]+(a,c) Experience has shown that fault management performance is poor when either of these extremes constitutes the primary alarm system. The power of the [ ]+(a,c) The key to the present approach to alarm management is to use the units from the [ ]+(a,c) and the task analysis to build an information space at [ ]+(a,c) When these levels of organization are linked to a [ ]+(a,c) the operator is able to view alarm data in a [ ]+(a,c) context and thereby better extract the significance or meaning of this data to enhance alarm management performance and allow the operator a better understanding of plant state.

Figure 18.3-1 is a conceptual diagram of the operation of the alarm overview panels. Sensor signals [ ]+(a,c) The tree branching to the right of each node [ ]+(a,c)

As can be seen from Figure 18.3-1, each display node [ ]+(a,c) has at least one slot [ ]+(a,c) as desired by the designer. The current set of abnormality messages within that category are ranked within category according to what the [ ]+(a,c) indicates about the category, for example, according to severity. As a result, [ ]+(a,c) As a result, the abnormalities with the greatest effect or magnitude are always displayed for the operator [ ]+(a,c) the sensitivity of the system is very high to minor disturbances since even the most minor disturbances have the capability of [ ]+(a,c)
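The slot-and-ranking behaviour described above can be illustrated with a short sketch. This is an added example, not Westinghouse code and not part of the original module; the class and method names, the integer severity scale, the slot count and the sample messages are all assumptions, and the withheld bracketed details are not reconstructed.

```python
"""Slot-limited, severity-ranked alarm overview (added illustration).

Assumptions, not taken from the source document: all class and method
names, the integer severity scale, the slot count, and every sample
message (each marked "constructed").
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Abnormality:
    category: str   # display node / message category
    message: str    # text shown to the operator
    severity: int   # assumed ranking key: larger means more severe


class OverviewPanel:
    """Each category (display node) owns a fixed number of display slots."""

    def __init__(self, slots_per_category):
        for name, slots in slots_per_category.items():
            if slots < 1:
                # The text states that each display node has at least one slot.
                raise ValueError(f"{name}: a display node needs at least one slot")
        self._slots = dict(slots_per_category)
        self._active = {name: {} for name in self._slots}

    def raise_abnormality(self, item):
        """Add (or update) an active abnormality message in its category."""
        if item.category not in self._slots:
            raise KeyError(f"unknown category: {item.category}")
        self._active[item.category][item.message] = item

    def clear_abnormality(self, category, message):
        """Remove a message once the condition has returned to normal."""
        self._active[category].pop(message, None)

    def _ranked(self, category):
        # Rank within the category, most severe first; ties broken by text
        # so the display order is deterministic.
        return sorted(self._active[category].values(),
                      key=lambda a: (-a.severity, a.message))

    def displayed(self, category):
        """Messages that currently occupy the category's slots."""
        return [a.message for a in self._ranked(category)[: self._slots[category]]]

    def suppressed(self, category):
        """Active messages displaced from the slots by more severe ones."""
        return [a.message for a in self._ranked(category)[self._slots[category]:]]


def demo():
    """Low activity, high activity, then recovery for one category."""
    cat = "RCS Temperature"          # category name taken from Figure 18.3-2
    panel = OverviewPanel({cat: 2})  # two slots: constructed value
    panel.raise_abnormality(Abnormality(cat, "constructed: small deviation", 1))
    quiet = panel.displayed(cat)     # a minor disturbance alone reaches a slot
    panel.raise_abnormality(Abnormality(cat, "constructed: large deviation", 5))
    panel.raise_abnormality(Abnormality(cat, "constructed: rate of change high", 4))
    busy = panel.displayed(cat)      # most severe messages hold the slots
    hidden = panel.suppressed(cat)   # the minor one is displaced, not lost
    panel.clear_abnormality(cat, "constructed: large deviation")
    after = panel.displayed(cat)     # the minor message resurfaces
    return quiet, busy, hidden, after


if __name__ == "__main__":
    for label, value in zip(("quiet", "busy", "hidden", "after"), demo()):
        print(f"{label:>6}: {value}")
```

The displaced message stays in the active set, so it returns to a slot as soon as a more severe condition clears; this is the property the passage relies on when it says minor disturbances remain visible at low alarm activity.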

The following is a specific example, using [ ]+(a,c) are those referenced in Subsections 18.2-3 and 18.2-4. The specific example which follows is based on an operating plant design due to the maturity and completeness of the documentation for this design. The fact that these examples are not based on the WAPWR plant design in no way detracts from the credibility of these examples as they would apply to the WAPWR design.

The engineering task is to examine those plant processes that are designed to achieve or accomplish the functions in question and to determine [ ]+(a,c)

[ ]+(a,c) so as to provide the operator with a general target that his control actions should aim for. A sample of the results of this effort is shown in Table 18.3-2. These results, within each [ ]+(a,c) have been grouped into [ ]+(a,c)

[ ]+(a,c)

[ ]+(a,c)

This means that the algorithmic requirements creating the alarm triggers are essentially the same as that required in present plants. The triggers are [ ]+(a,c) However, the WAPWR alarm system design does not define nor use plant modes as such. Rather [ ]+(a,c)

[ ]+(a,c)

The next engineering step is to group the alarm [ ]+(a,c) into units called [ ]+(a,c) Sample results of this activity are shown in Table 18.3-2, Alarm Message Categorization. This step is represented by the [ ]+(a,c) in Figure 18.3-1. Note that the [ ]+(a,c) now are constructed in the [ ]+(a,c) discussed earlier.

The [ ]+(a,c) determined in this process are allocated [ ]+(a,c) All that remains is determining how many alarm [ ]+(a,c) within a given [ ]+(a,c) need to be [ ]+(a,c) These tasks usually turn out to be straightforward in that by the time that the alarm [ ]+(a,c) have been sorted into [ ]+(a,c) to naturally appear. For example, [ ]+(a,c)

[ +(a,c) l 4

O

] A sample of the results of these analyses are shown in Table 18.3-3, Alarm Messages Prioritization.

The above process has created and organized the alarm ( ) By +(a,c) i way of summary, consider a simplistic description of the on-line real time processing that is necessary. The computer system begins ( +(a,c) i O e

i i

O i I

All that remains is to design an appropriate layout for the display of the [ ] A sample of a possible [ +(a,c)

] is shown in Figure 18.3-2.

In examining Figure 18.3-2, RCS Temperature, there are several things that should be noted. First, there are [ ] +(a,c) which deserved more than

[ +(a,c) ] A second item to be aware of is that from the [ +(a,c)

] This means that if the traditional design contained, typically, 1300 windows, the WAPWR design will use approximately [ ] to display the same messages and, because of the [ +(a,c)

] to sorting and grouping and the attention paid to the [ +(a,c)

] on the overview panels, present these messages in a much more comprehensible form.

Finally, the WAPWR alarm management system further helps the operator to prioritize and plan his actions by, to the extent possible, [ +(a,c)

]

As an example of how the [ ] +(a,c) are displayed on the overview panels and responded to by the operator, suppose that there has been a failure in the control system which controls [ +(a,c)

]

The alarm support panels provide the capability for the operator [ +(a,c)

] The types of [ +(a,c)

] are:

+(a,c)

In addition, consideration could be given to computerizing the [ +(a,c)

] The WAPWR alarm system will support the [ ] The remaining items on the [ ] +(a,c) will be treated as options available at the utility customer's request.

The [ ] +(a,c) for the displays on the support panels should be within easy reach of the support panel they serve in order that the operator can easily see the display and, in the same bodily position, easily manipulate the accessing mechanism.

The [ ] +(a,c) will be chosen to support the normal instincts of humans to point at what they want in order to give the use of the support panels as "natural" a feel as possible. To this end, such [ +(a,c)

] are being considered.

The [ ] +(a,c) display to the operator the actions being taken by the various automatic systems in the plant at the time the actions are being executed. The display of these actions is available to all crew members [ +(a,c)

The purpose of a typical traditional emergency safety features (ESF) status panel is two-fold, namely:

a. To convey to the operating staff, by a pattern of lights, the overall state (i.e., the ability to perform) of certain complex (i.e., large numbers of monitored components) safety systems (containment isolation being a typical example).

b. To identify for the operator, by the failure of the desired light pattern to exist, the exact component(s) which do not conform to the desired state.

The complex pattern recognition aspects of these panels are performed by the WAPWR alarm system [ +(a,c)

18.3.3 Information System

The "information system" is that portion of the WAPWR control board which displays the process data. The means for acquiring and creating the displays is through a network of [ +(a,c)

]

The coordination of data between [ ] +(a,c) is determined by the [ +(a,c)

] The data displays provide the operator with display access to any and all data that is in the data base and display the requested data in its appropriate context, [ +(a,c)

]

Cognitive psychologists have discovered that humans form mental models (usually of a very qualitative nature) of processes in order to organize and, thereby, understand data being received or gathered about those processes, i.e., the mental models are the collection of the [ +(a,c)

] that are necessary for human understanding of the data and which are identified in the [ ] +(a,c)

The two types of models are:

[ ] +(a,c)

Data displays, then, are designed to reflect these two views, [ +(a,c)

] Depending on the particular function being represented, these displays are constructed from [ +(a,c)

] All displays in the WAPWR turnkey control room are constructed from one of these two formats based on the nature of the process being represented.

Notice that the [ ] +(a,c) identified in the construction of the data base have been presented to the operator in the form of [ +(a,c)

] For example, data concerned with the [ +(a,c)

]

In addition, displays that are [ +(a,c)

] represents a perspective of the plant and its processes around which the operator can and should form a mental model of that process.

i i

Data may be accessed in any of a number of ways at the [ +(a,c) -

i j

l l } Final selection of one or more of these methods will be i determined, in part, by a testing program.

l In these ways the WAPWR control room intends to provide the control room l

j operators with a " natural" interface to the plant's data base. By making the interface easy to use and [ . +(a,c)

! ) Access to the data shall be straight forward; there will be no need l for learning special access codes, commands or computer languages. The  !

! display of data shall provide the proper context for the data and shall l l ( +(a,c) [

!O

! 3 l

l O

l WAPWR-CR/HFE 18.3-18 OCTOBER, 1986 i l 5387e:1d l

i

r ,

18.3.4 Layout of Controls

The WAPWR control room uses a human engineered layout of modern low-voltage dedicated controls. The layout of the controls follows, as closely as practicable, [ +(a,c)

] These landmarking techniques include those suggested in NUREG-0700 as well as others.

The philosophy of the [ ] +(a,c) is brought into the controls layout. The controls layout is coordinated with [ +(a,c)

] Therefore, in general, the overall controls layout should be analogous to [ ] +(a,c) This completeness in following through on the design philosophy should continually make the coordination between the data displays and the controls layout clear and make the interface between information and control (both mental and physical) easy and natural for the operator to cross in both directions.

18.3.5 Workstation / Panel Layout

In Subsection 18.2.3, a discussion of the model of process control operator decision-making was presented. In the subsequent sections of this chapter, the process for designing individual devices which will support various activities in that model has been discussed. This paragraph discusses the design process used to coordinate or integrate those pieces together to form an operator work station or panel.

The other constraint that affects the work station design is the [ +(a,c)

]

[ +(a,c)

]

With regard to meeting the constraint on coordinating the individual support devices with the decision making model, consider Figure 18.3-5. [ +(a,c)

] Access to the entire plant process data base, including the procedures, is necessary [ +(a,c)

]

+(a,c)

18.3.6 Coordination Between Workstations

The intent of a good control room design is to enable human operators to safely control the plant processes with a minimum chance of error. The basis for a design which does this includes [ +(a,c)

The WAPWR control room is designed such that under normal power operation the plant can be operated by one or two operators under the supervision of a control room supervisor. Under these circumstances, the supervisor is responsible for the overall state of the plant, for setting operational objectives (goal setting) and for the determination of the high level strategy (planning) necessary to accomplish those objectives. The operator is responsible for, under the umbrella of the written procedures, the actual configuring of the plant's equipment to carry out the supervisor's plan. For relatively simple events, it is reasonable to expect the operator, through his training and knowledge of plant behavior, to carry out the planning and execution phases with little or no influence from the supervisor. On the other hand, for very complex events the supervisor may choose to defer his planning function, particularly if the generation of long term plans is necessary, to either a higher authority or to outside experts such as those that might be located in the technical support center. The control room layout must provide, in a coordinated manner, appropriate resources at appropriate times to appropriate people and places. To this end, [ +(a,c)

]

An example of a possible organization of work stations is shown in Figure 18.3-6 and results from and is a demonstration of the application of the following human factors engineering logic:

[ +(a,c)

]

18.3.7 Control Room Work Space Environment

The Westinghouse design scope relative to the control room workspace environment is to:

+(a,c)

With regard to the determination of lighting, present NRC standards, in particular NUREG-0700, or other industry standards do not establish acceptance criteria, particularly for control room designs which use light emitting devices [ ] +(a,c) as their principal means for data presentation. This technology is so new that there is little in the reference literature that appears applicable. Westinghouse's approach will be to use presently available references and standards as found in such industrial sources as:

o Human Engineering Guide for Equipment Designers, Woodson, W. E., Conover, D. W.

o Human Engineering Guide for Equipment Design, Van Cott, H. P., Kinkade, R. G.

and others as a starting point and perform lighting tests on mock-ups.

In Subsection 18.3.6, comments are made at the end of the section that point out that one of the considerations in arranging the work stations in the example control room shown were the issues of [ +(a,c)

] Beyond this, Westinghouse will, where practical, [ +(a,c)

]

Similarly, Westinghouse will specify criteria for acceptable levels of humidity and temperature based on industrial standards for comfortable human working conditions, but the responsibility for the design and installation of systems to meet those criteria belongs to the utility customer.

TABLE 18.3-1

SAMPLE ALARM MESSAGE WORKSHEET

+(a,c)

TABLE 18.3-2

SAMPLE OF ALARM MESSAGE [ ] +(a,c)

RCS INV GOAL

+(a,c)

TABLE 18.3-3

SAMPLE OF ALARM MESSAGE [ ] +(a,c)

INV GOAL

+(a,c)

+(a,c)

Figure 18.3-1 Operation of Alarm Overview Panels (Conceptual Diagram)

+(a,c)

Figure 18.3-2 Possible Layout of Alarm [ ] +(a,c) for the [ ] +(a,c)

+(a,c)

Figure 18.3-3 Window Format for Displays Associated with Plant Functions Which Have Complex Functional Relationships to Other Plant Functions

. _ . _ . _ . _ _ ..-k

i

)

i G G 9 9 9 9 9 1 I

.I

+ (a , c ) -

t l

l I

1 1

\

l i

i l

I l

I l

< t

) 'I>

l j

l Figure 18.3-4 Window format for Displays Associated with Plant Systems Which Have i l Conglex Physical Relationships with the Rest of the Plant  !

, I

[

WAPWR-CR/HfE OCTOBER, 1986 [

! 'l l

+(a,c)

Figure 18.3-5 Workstation Design: Simplified Decision-Making Model

+(a,c)

Figure 18.3-6 Possible Arrangement of Workstations to Form WAPWR Control Room

+(a,c)

Figure 18.3-7 Control Workstations Layout by Plant Function

18.4 CONTROL ROOM DESIGN VERIFICATION AND VALIDATION PROCESS

18.4.1 Introduction

In general, the pattern and the philosophy followed here are based upon and are intended to conform with the International Electrotechnical Commission's Document 45A/WGA8 (Secretary 47), "Draft of Design Standard of Control Room," dated July 25, 1986. This standard drew heavily upon NUREG-0700. Also, a great deal of similarity exists between this discussion and the verification and validation of the Emergency Response Facility Design Process that was presented to and approved by the NRC (in the SER for the Westinghouse SPDS, see the U.S. NRC document LS05-84-02-009) in the form of WCAP-10170.

18.4.2 Design Process, The Testing Perspective

Figure 18.4-1 shows the human engineering design process employed by Westinghouse. This version also shows where verification and validation testing occurs and provides a general feel for the types of tests which might be most fruitful. The various types and purposes of these tests are further discussed in this chapter.

18.4.3 Verification of the Human Engineering Design Process

In general, an operational definition of "verification", as applied to the design of a complete control room, is to show that the results of the design process step under examination are the consequence of using the inputs to the step in accordance with the proper application of the procedures or processes for performing the step, i.e., a completeness check. It should be noted that verification is an iterative process, i.e., the results or finding of flaws in the design are fed back to the appropriate preceding step in the design process for further evaluation and, if appropriate, for correction and re-verification of the design.

In examining Figure 18.4-1, the Model of Human Decision-Making and the Generic Cognitive Tasks of Decision-Making tasks were given NRC approval in the Safety Evaluation Report (U.S. NRC Document LS05-84-02-009) for the Westinghouse Generic Safety Parameter Display System design. Recently, additional work in this area has been published in NUREG/CR-4532.

The large verification iteration loop that covers the plant system functional analysis steps, the task analysis and task allocation steps and the functional design specification step is expected to be made up of [ +(a,c)

] The determining factor in the identification and implementation of these loops will be the appropriateness, as determined by Westinghouse, of specific test elements to individual steps or groups of steps. A more specific test plan will be included in the WAPWR FDA application.

The tools and resources Westinghouse deems appropriate for conducting the verification tasks at this point in the design process are shown in Table 18.4.1. This table should be viewed as simply a set of individual lists, i.e., not as a matrix where across-element (horizontal) relationships are meaningful. The following subsections discuss and define these lists and their elements.

18.4.3.1 Types of Tests

The kinds of [ +(a,c)

] A great deal of valuable insight into design flaws or possible trade-offs and corrections is usually gained from such tests. Reviews will occupy a significant place in the Westinghouse process for performing the control room verification.

Similarly, [ +(a,c)

]

As is the case for reviews, [ ] +(a,c) will be an essential ingredient in the process of verifying the WAPWR control room design.

[ ] +(a,c) can become experiments when one has a comparative situation whereby test data can be fully analyzed against fairly stringent criteria. This criteria may be a [ +(a,c)

] Experiment and analysis tend to be proactive in that the test is to examine a specific, preconceived issue using a formal process or experimental procedure. Reviews [ ] +(a,c) are more reactive in the sense that the examiner is reacting on the fly to the design; those reactions being based on a comparison of the design and its performance relative to his expertise or experience.

As implied earlier, reviews [ ] +(a,c) are usually much broader in scope in terms of the issues that end up being examined as part of the test, while experiments are much more focused. In general, then, it is more appropriate to begin the verification of a design with reviews [ +(a,c)

] to ferret out issues and to examine several possible alternative solutions and to reserve experiments for exploring the importance or relevance of particular issues and for optimizing the choice among a limited set of possible design alternatives.

18.4.3.2 Test Participants

The list of necessary test participants is lengthy, but not all are applicable to all of the various types of tests. Reviews [ ] +(a,c) are the most general and, therefore, tend to require the widest diversity of participant expertise. Reviews [ ] +(a,c) may use various combinations of licensed plant operators and/or training instructors, several types of engineers including plant system designers (NPB and BOP), plant safety engineers and component design engineers. Specialists in various aspects of the human factors discipline are also essential participants. These include industrial engineers, ergonomists and psychologists who help to interpret the cognitive aspects of the operator's tasks.

Experiments, on the other hand, will tend to emphasize the use of licensed operators as test subjects and human factors specialists as test planners and for data analysis, using the various engineering disciplines in the test planning and analysis on an as needed basis.

18.4.3.3 Test Bed Variables

This is a list, at a general level, of the issues that characterize the differences and possible trade-offs in test bed design. Clearly, each issue offers different capabilities and different costs relative to the desired test objectives.

A test bed can be created using [ +(a,c)

To get a feel for the demands of real-time performance, or to see how a design aspect changes with changing plant process conditions [ +(a,c)

]

[ +(a,c) ]

[ +(a,c)

] Clearly, this discussion of the appropriate or necessary level of [ +(a,c) ]

18.4.3.4 Stages of Product Design

The types of tests used, the requirements for the test participants and the choice of the test bed variables are driven by the test objectives or needs for the test. These will vary as the control room design progresses from a collection of possibilities and concepts to prototype and, finally, an installed operational product. The list of product design stages shown in Table 18.4-1 was conceived by [ +(a,c)

] For example,

+(a,c)

Clearly, the various aspects of man-in-the-loop testing are appropriate at various stages in the product design process. Many of the issues or design criteria, for example, that are expressed in NUREG-0700 as part of the traditional control room design review can be accomplished using a static mock-up of various portions of the control room. On the other hand, Appendix B of this same NUREG asks that new control room designs have various analyses performed during the design process [ +(a,c)

] that are intended to lead to a design which has some new functionality that supports the decision-making aspects of the operator tasks. Since these decision-making tasks (at least those outside the scope of the written procedures) are done in response to events within the plant processes, i.e. [ +(a,c)

18.4.3.5 Control Board Interface Elements / Aggregates to be Tested

As noted by the titles of the subsections in Section 18.3 of this Chapter, the control room design task has been broken into several major facets. The rationale behind this breakdown is based on beginning the overall design by designing the [ +(a,c)

Finally, the synergism is extended to the [ +(a,c)

]

Clearly, there are aspects in each step [ +(a,c)

] in this design process that warrant man-in-the-loop testing. However, the objectives of and, therefore, the test design and the resources necessary to implement the tests may well be different.

18.4.3.6 Theoretical Basis for Expected Interface Performance

As with any well designed test, a set of criteria, a hypothesis or a theoretical model against which to judge the performance or to suggest expected performance is needed. A discussion of the basis of decision-making behavior upon which the WAPWR control room design will be based is given in Subsection 18.2.4.

In summary, for the verification of the design process steps leading up to and including the development of the WAPWR control room functional design specification, a series of appropriate and effective tests will be designed utilizing the tools and test elements noted in Table 18.4.1.

In addition, there will be a verification test data collection method which will: [ +(a,c)

] The results of these tests will be available for review at a pre-implementation audit of the WAPWR control room (see Figure 18.4-2) should the NRC wish to conduct such a review.

Once the functional design specification is finalized and is ready for the implementors, what remains for man-in-the-loop testing of the human engineering aspects of the room design is the [ +(a,c)

] that adds to the validation phase of the design.

18.4.4 Validation of the WAPWR Control Room Design

The generally recognized definition of "validation" is to show that the complete design performs as an integrated entity according to the functional requirements and design bases, i.e., a correctness check.

With this definition, it is clear that in order to perform an adequate validation test, the test will require at least a [ +(a,c)

]

While this perspective suggests that complete closure on the validation question may take several plant years of carefully documented experience to achieve, a great deal of confidence regarding the anticipated outcome of that experience can be gained from simpler tests, employing a variety of the testing tools suggested earlier in this section. Fig. 18.4-1 shows where, in the design process for the WAPWR control room, activities related to the validation of the design might be performed.

18.4.5 NRC Audit for the Verification and Validation of the Human Engineering Design Process for the WAPWR Control Room

Figure 18.4-2 suggests that the NRC might wish to consider a technical audit to include human engineering aspects of the WAPWR control room functional design specification and the results of the man-in-the-loop tests to be performed to verify and validate the results of the human engineering design process and to support the functional design specification when the FDS is completed.

As part of the FSAR submittal, Westinghouse will submit a detailed human factor engineering verification and validation plan that will include the criteria used to select a particular combination of test variables at particular points in the WAPWR control room design process, the test objectives, type of data to be collected, and the type of data analysis to be performed. Results of the execution of this plan will be available for NRC review.

TABLE 18.4.1

MAN-IN-THE-LOOP TESTING

TEST ELEMENTS

+(a,c)

+(a,c)

Figure 18.4-1 Westinghouse Control Room Design Process Showing Iterative Loops for Human Engineering Verification and Validation

+(a,c)

Figure 18.4-2 Westinghouse Control Room Design Process Showing Location of Possible NRC Pre-Implementation Audit

18.5 POST TMI REQUIREMENTS

As a general approach, Westinghouse includes the post-TMI requirements in the human factors engineering area directly in the design requirements for the appropriate man machine interface area in the WAPWR control room. Consider, for example, the post-TMI requirement for an SPDS.

When reading the requirements for an SPDS, a commonly asked question is "why doesn't the alarm system do these?" Indeed, one can view the initiative for an SPDS after the March, 1979 incident at TMI-2 as an indictment of the failings of traditional annunciator window alarm system designs. The SPDS requirements (see NUREG-0696) include:

o identifying all of the plant variables pertinent to assessing the overall health of the plant's processes relative to protecting the safety of the public,

o grouping those variables according to the "critical safety functions" (RCS inventory, core cooling, radiation, etc.) to which they apply,

o displaying those variables in such a way as to support the operator's cognitive task of "detecting" when a malfunction has jeopardized or degraded the plant's processes which accomplish those critical safety functions.

Therefore, the alarm system for the WAPWR control room will include the attributes for an SPDS.

Similarly, the requirements for a "Bypassed and Inoperable Status Indication System" as defined by Reg. Guide 1.47 are included in the design requirements for the alarm and information systems, i.e., the status of the necessary components will be explicitly shown on appropriate displays in the information system and where deviation from normal or expected state meets the criteria for an alarming condition, a message will take its rightful place in the appropriate queue in the alarm system.

This approach to including these requirements in the WAPWR control room design fully integrates these man-machine interfaces which are safety related, and therefore, tend to be less frequently used, into the daily activities of control room operation.

The requirements for a safety grade post-accident monitoring device are approached in much the same way, with one notable exception from the human factors engineering perspective.

The display device must be a qualified piece of hardware. For a WAPWR control room design that does not normally use qualified display devices, several separate qualified devices will be judiciously (from the perspective of human factors engineering) located throughout the control room. The displays that are accessible on these devices will use the same rules for arranging and locating data that are used on the normal displays.

Similarly, the choice of display accessing mechanisms will be guided by the same principles as those used to select the mechanisms for the normal displays. By this approach, Westinghouse intends to design a man-machine interface for the Reg. Guide 1.97 system that is convenient and that the operators find to be a natural extension of the normal means for acquiring data about the plant.

Trends (time histories) of Reg. 1.97 variables are available on the Reg. 1.97 displays. Permanent recording is provided but is not on the control board.

18.6 CONTROL ROOM DESIGN REVIEW

The requirements for acceptable control room design as specified in NUREG-0700 shall be included in the appropriate design step(s) in the human factors engineering design process for the WAPWR control room. This will lead to a control room design that intrinsically meets the NUREG-0700 requirements and, therefore, does not need an after the fact detailed control room design review as defined in the NUREG. As such, there is no plan to perform a review of that nature as part of the WAPWR control room design process.

18.7 OPERATOR TRAINING

The central theme of the previous sections of this chapter in essence deals with the process by which Westinghouse accomplishes, in effect, a technology transfer from the plant design engineers to the control room operating staff via a knowledge base that is resident in a digital computational system and is displayed to them through alpha-numeric and graphic display devices. The intent is to continually reinforce the operator's mental image or model of the plant and its processes with the perspective on plant performance and behavior of the plant's designers. To complete this technology transfer, the operator training program, both initial and recurring, must be focused in a similar manner.

The training program will need to meet industry accreditation requirements. Accreditation of an operator training program is the responsibility of the utility owner. Accreditation is based upon a "job task analysis" (JTA), i.e., a job task analysis is used to identify the tasks for which the operating crew is responsible and the subsets of those tasks for which each individual crew member is responsible. From the JTA a curriculum for classroom, simulator and other training is derived that logically covers all of the tasks.

For the WAPWR control room, the functional analysis, task analysis and task allocation steps as discussed earlier in this chapter form a comprehensive JTA upon which a comprehensive training program can be built. Westinghouse would then work with the utility, the architect engineer and any other organizations which contributed to the plant design and construction which formed tasks that must be performed by the control room staff in developing a sound training curriculum.

18.8 LOCATIONS OUTSIDE THE CONTROL ROOM

To the extent that the human factors engineering for such facilities as the remote shutdown panel and other emergency response facilities are within Westinghouse scope, the design process for these will be functionally the same as that shown in Fig. 18.4-1. This will include a review of nuclear power plant experience in using these facilities to the extent that such data is readily accessible. Any results of such reviews will be incorporated in the requirements for the design of such facilities.