NSD-NRC-96-4874, Forwards Copies of Design Issues Tracking Repts for Human Factors Issues & Makeup of AP600 SSAR Chapter 18 to Reflect Resolution of Listed Dser Open Item Tracking Sys Items for NUREG-0711 Elements 2 & 4

ML20132D858
Person / Time
Site: 05200003
Issue date: 12/16/1996
From: Mcintyre B
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To: Quay T
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
RTR-NUREG-0711, RTR-NUREG-711 NSD-NRC-96-4874, NUDOCS 9612200152


Text


Westinghouse Electric Corporation
Energy Systems
Box 355
Pittsburgh, Pennsylvania 15230-0355

NSD-NRC-96-4874
DCP/NRC0660

Docket No.: STN-52-003

December 16, 1996

Document Control Desk
U.S. Nuclear Regulatory Commission
Washington, D.C. 20555

Attention: T. Quay

Subject: Progress Towards Resolving Element 2 and 4 Open Items for AP600

References:

1. WCAP-14645, "Human Factors Engineering Operating Experience Review Report For the AP600 Nuclear Power Plant", Revision 1, October 1996.

2. Letter from NRC to Westinghouse, Huffman to Liparulo, Comments on AP600 Related Open Items Associated with Element 2 of the Human Factors Engineering Program Review Model (HFEPRM), dated 12/4/96.

3. Letter from NRC to Westinghouse, Huffman to Liparulo, Comments on AP600 Related Open Items Associated with Element 4 of the Human Factors Engineering Program Review Model (HFEPRM), dated 12/4/96.

4. Letter from NRC to Westinghouse, Martin to Liparulo, Inspections, Tests, Analyses, and Acceptance Criteria (ITAAC) for the AP600, dated 11/26/96.

Enclosures:

1. Design Issues Tracking System Database Report For Human Factors Engineering Issues Associated With The Operating Experience Review

2. Design Issues Tracking System Database Report For Human Factors Engineering Issues Associated With Design Reviews

3. Design Issues Tracking System Database Report For Human Factors Engineering Issues Associated With The Design of The Human System Interface and The Operation and Control Center Systems

4. SSAR Chapter 18 markup to be incorporated into SSAR Revision 10.


Dear Mr. Quay:

Enclosed are copies of Design Issues Tracking reports for human factors issues and a markup of AP600 SSAR Chapter 18 to reflect resolution of the following DSER Open Item Tracking System items for NUREG-0711 Elements 2 and 4. These resolutions were discussed with Messrs. Sebrosky and Bongarra via telecons on December 9 and 11, 1996.

Element 2:

Open Item    OITS    Status (Westinghouse/NRC)

18.3.3.1-1    1316    Closed/Resolved per Reference 2.

18.3.3.1-2    1317    Action W/Action W
There were four parts of this item which were considered Action W as described below. This item will be considered Closed/Resolved upon submittal of WCAP-14645 Revision 2 on December 20, 1996, to reflect the following:

1. Item 7 - WCAP-14645 Revision 1 will be revised to address the instrumentation to be used by operators for monitoring the buildup of clams, mussels, and corrosion products.

2. Item 165 - WCAP-14645 Revision 1 will be revised to address valve position indication for risk-significant valves (as defined in SSAR Section 16.2).

3. The transmittal letter to WCAP-14645 Revision 2 will specify that Westinghouse reviewed the remaining 50 percent of the items from the BNL OER report and that no deficiencies were identified.

4. The "transfer mechanism" issue is considered resolved based on the attached markup, to be incorporated in SSAR Revision 10, for section 18.3.1 which specifies where the COL action items identified in the OER report are found in the SSAR. Based on a review of the Combined License Applicant information items identified in WCAP-14645, the reference to a COL responsibility for SSAR Section 11.5 has been deleted from OER Report Table 1, item 168.

18.3.3.1-3    1318    Closed/Resolved per Reference 2.

18.3.3.1-4    1319    Closed/Resolved by this letter. To close this item, Westinghouse has included the appropriate operator interview commitments as documented in item 4179 of Enclosure 1.

18.3.3.2-1    1320    Closed/Resolved per Reference 2.

18.3.3.2-2    1321    Closed/Resolved per Reference 2.

18.3.3.2-3    1322    This item is statused Closed/Resolved based on Westinghouse submittal of Enclosures 1 through 3. Since the DIT HFE items have not been approved at this point, the requested design file documents are not available.

The AP600 design issues tracking system is described in SSAR subsection 18.2.4.

Tracking of the human factors engineering issues is accomplished within the framework of the overall plant design process. In this manner, human factors engineering issues are addressed in the same way as those for other disciplines.

Human factors engineering design issues are identified from the following three sources and are entered into the design issues tracking system database:

o Operating experience review

o Design reviews

o Design issues associated with the design of the human system interface and the operation and control center systems

Enclosure (1) is a copy of the design issues tracking system database report for human factors engineering issues identified as a result of the operating experience review (Reference 1). Note that the "DIT-OER" entry in column 2 (Type column) of the report identifies each issue as one specified by Reference (1).

Enclosure (2) is a copy of the tracking system database report for human factors issues identified as a result of design reviews. There are currently about 400 design issues in the tracking system database that have been identified from the various design reviews conducted. Enclosure (2) presents the subset of these that have been identified as human factors engineering design issues. A human factors engineering design issue is one that is related to or associated with any of the ten elements of the Human Factors Engineering Program Review Model (NUREG-0711). Note that the "DIT-DRCHIlli" entry in column 2 (Type column) of the report identifies each issue as a human factors issue resulting from a design review.

Enclosure (3) is a copy of the tracking system database report for human factors issues identified by the human system interface designers as issues directly associated with the design of the human system interface and the operation and control center systems. Note that the "DIT-MMI" entry in column 2 (Type column) of the report identifies the issue as a human factors issue directly associated with the design of the human system interface.

Element 4:

Open Item    OITS    Status (Westinghouse/NRC)

18.5.3-1    1338    Closed/Resolved per Reference 3.

18.5.3-2    1339    Closed/Resolved per Reference 3.

18.5.3-3    1340    Closed/Resolved per Reference 3.

18.5.3-4    1341    Closed/Resolved by the attached markup of SSAR Section 18.5.4 modification to the Combined License applicant item.

18.5.3-5    1342    Closed/Resolved per Reference 3.

18.9.3-2    1364    Closed/Resolved based on the December 11 telecon regarding designer input to procedure development and training program development and the relationship between task analysis and these programs.

18.12.3-1    1395    NRC action to review the minimum inventory issue.

Also item 1397 remains open with Westinghouse action to respond to NRC comments on the ITAACs received by Reference 4.

If you have any questions regarding this transmittal, please contact Robin K. Nydes at (412) 374-4125.

Brian A. McIntyre, Manager
Advanced Plant Safety and Licensing

Enclosures

cc:
J. Bongarra, NRC (all enclosures)
W. Huffman (all enclosures)
J. OHiggins (all enclosures)
J. OHara (all enclosures)
N. Liparulo (w/o enclosures)

AP600 Open Item Tracking System: Design Issues Tracking
Date: 12/13/96
Selection: [type] like 'DIT-OER*' Sorted by Item #

Item No.    Type    (W) Status    Resp Engineer    Description Detail    Closure Path Status

3461    DIT-OER    Action W    T.L. Schulz
Open item from OER (WCAP-14645): Number of actuation cycles for the emergency core cooling system and reactor protection system; As part of the specification, allowable actuation cycles and the method by which cycles will be defined, recorded, and tracked by the operating crew should be evaluated for human factors engineering implications.
References: NUREG-0711 App. B, B 2 (12); TMI issue 2xvi
Responsibility: Systems Engineering

3462    DIT-OER    Action W    J. Easter
Open item from OER (WCAP-14645): Main control room alarms, operator selectable alarms: The operators may need a low priority operator-selectable alarm to call attention to a component (e.g., a valve) that may be out of its normal position. Alarm systems should have the flexibility for the operators to easily add alarms to a screen when a potentially deviant situation is identified that they need called to their attention.
Reference: NUREG-0711, App. B supplement, subsection 2.2.6
Responsibility: Man-Machine Design

3463    DIT-OER    Action W    K. Deutsch
Open item from OER (WCAP-14645): Component related insights - power connections, dislodged connectors: Power connectors have become accidentally dislodged resulting in undesired transients. One example is power connectors for the feedwater control system, which led to a reactor scram.
Reference: NUREG-0711 App. B supplement, section 4.7
Responsibility: Plant Instrumentation and Control Systems

3464    DIT-OER    Action W    S. Kerch
Open item from OER (WCAP-14645): Importance of predictability; The operators should know where a requested display will appear. In this fossil application, sometimes it appeared in an unexpected place and covered critical information.
Reference: WCAP-14645, Table 2
Responsibility: Man-Machine Design

3970    DIT-OER    Action W    D.L. McDermott
Open item from OER (WCAP-14645): Shutdown Operations ";--;=--r. CONTAINMENT EQUIPMENT HATCH An equipment upgrade that would improve shutdown safety is: A containment equipment hatch design that allows for expeditious closure by operators when needed during a shutdown abnormal event. Similar provisions should be made for other containment penetrations that may be open during shutdown evolutions.
Responsibility: Systems Engineering
The equipment hatch will be maintained closed for operation modes requiring containment integrity or the capability of rapid closure will be 6.ar eJ into the design of the -- -- hatches. An open item is assigned to follow the resolution of this item. Other z r penetrations including ----- ~ r purge and personnel airlocks provide the ability for rapid closure '..ir..i..: of non-safety related support services including ac power.

3971    DIT-OER    Action W    J. Easter; S. Kerch
Open item from OER (WCAP-14645): From Table 2 (Ref. 2.1 item 4) of the referenced WCAP, Providing guidance or design features on how to configure/coordinate a multiple VDU display space.
Responsibility: Man-Machine Design


3972    DIT-OER    Action W    S. Kerch
Open item from OER (WCAP-14645): From Table 2 (Ref. 2.1 item 7) of the referenced WCAP. Control task characteristics and soft controls: a) operators question the value of touch screens because operators were accustomed to a mouse, and touch poke points were too thick and inaccurate; b) potential problem of multiple individuals simultaneously controlling the same piece of equipment from VDUs at different locations.
Responsibility: Man-Machine Design

3973    DIT-OER    Action W    S. Kerch
Open item from OER (WCAP-14645): From Table 2 (Ref. 2.2 item 1) of the referenced WCAP. Soft control lessons learned from aircraft industry: Lifting finger off the target area touch logic to actuate is more forgiving than when the finger enters the target area to actuate.
Responsibility: Man-Machine Design

3974    DIT-OER    Action W    S. Kerch; K. Deutsch
Open item from OER (WCAP-14645): From Table 3 (Ref. 3.3 item 1) of the referenced WCAP. Operator interviews on AP600 soft controls: Excessive lag in response time from the moment an operator initiates a controlling action to the moment the respective component responds can be an impediment to the operator's ability to carry out manual control tasks.
Responsibility: Man-Machine Design and Plant Instrumentation and Control Systems

4179    DIT-OER    Action W    S. Kerch
References: NRC letter, "Comments on AP600 Related Open Items Associated With Element 2 of the Human Factors Engineering Program Review Model", Dec 4, 1996 and NUREG-0711 section 3.4.1 (4). WCAP-14645 addresses operator interviews (section 5.0 and table 3). Remote shutdown and staffing were not addressed in the operator interviews documented by the eight references to Table 3. Per the referenced NRC letter and NUREG-0711 licensed operators need to be interviewed covering various topics including remote shutdown operations and staffing. Any human factors issues on these two topics need to be identified and addressed.
Responsibility: Man-Machine Design

Page: 2 Total Records: 10


AP600 Open Item Tracking System: Design Issues Tracking
Date: 12/13/96
Selection: [type] like 'DIT-DRCHITHF Sorted by Item #

Item No.    Type    (W) Status    Resp Engineer    Description Detail    Closure Path Status

3346    DIT-DRClimi    Action W    Schulz
It is my understanding that PRHR Hx operation is no longer needed to prevent pzr overfill. If so, automatic PRHR actuation following an S-signal should be eliminated. Current activation causes unnecessary cooldown transient, has adverse interaction with SGS, decay heat goes into IRWST instead of outside containment, requires operator to take action to regain control.
Remove auto. PRHR Hx actuation on S-signal (Note, actuation could be dependent on CMT heatup and Im-b RG pressure (1200 psig). See Out #10.

3562    DIT-DRCHITII    Action W    Schulz
Safety related criteria state that "no operator actions for 72 hrs for DBE's". I understand that emergency response guidelines call for operators to isolate CMTs and PRHR after inadvertent S-signal, CMT, PRHR, etc. These actions may defeat auto safety response if anything else happens (like TMI). Operators will become accustomed to isolating PXS and like TMI may do so at wrong time due to habit or mistaken interpretation of situation.
Elimination of auto PRHR Hx actuation and inadvertent PRHR Hx operation suggested in previous Otits should eliminate need for operator actions to isolate PXS components and terminate cooldown and restore SG heat removal. Revise ERGs to eliminate PXS isolation.

3575    DIT.DRCilllli    Action W    Schulz
Section 4.2.3.3 of the PXS SSAR mentions an alarm in containment which is intended to alert maintenance personnel of impending IRWST injection. What interfacing system provided this alarm? Is this a unique alarm or do we have other similar alarms in containment? Have the functional requirements for this personnel protection alarm been developed? Where do they appear?
Insure that this alarm is part of the AP600 design baseline.

3577    DIT-DRClimi    Action W    Schulz
The statement that no operator action is required for 72 hours after a DBA may not be true. Even on an ordinary reactor trip, shutdown margin is beginning to be lost after about 24 hours and up to 3% delta k SDM is lost 72-100 hours. It is not clear the boration aspects have been fully investigated.
Investigate need for boration or note as an exception to the operator action criterion.

3672    DIT-DRCilllli    Action W    Wills
In the thermal analysis the initial agmw was 78 F which corresponds to the maximum URD control room operating temperature. The technical specifications (75 F) is recognized to be out of date but needs to be increased beyond 78 F to allow margin between the normal operating range and the analysis value. In addition the URDs limit the maximum allowable temperature rise during transient to 15 F which appears to be adding significantly to design complexity and to the cost of control room construction.
Perform the thermal analysis at an initial starting temperature that provides for sufficient margin between the normal operating range and the analysis value.
Investigate whether a relaxation of the 15 F temperature rise limit is possible and whether such a relaxation would allow for the deletion of the finned cooling arrangement on the control room ceiling. The magnitude of the relaxation would be limited by the requirement of providing adequate control room conditions for both operators and equipment.

3673    DIT-DRClllTil    Action W    Wills
The logic and reasons for automatic actuation of the VES need further justification. This seems to be unnecessarily complex and may lead to the unwarranted actuation of safeguards equipment which would then require NRC notification and follow up actions. As an example, the VES is actuated on loss of all AC power. Is the automatic actuation required? Could credit be taken for radiation monitors that would allow the deletion of actuation on loss of all AC power?
Further justify the logic and reasons for automatic actuation of the VES. If the need for automatic actuation cannot be demonstrated consider the design of a manual system.


3677    DIT-DRGimi    Action W    Wills
The control room is designed to be leak tight with only minimal leakage expected. With a constant inflow of air from the VBS or VES in certain operating modes it is expected that the control room may overpressurize and impact control room operators and equipment (eg access doors). In addition, a FMEA needs to be conducted on the VES. For example, the fail open of the VES regulator valve and the resulting impact on the control room needs to be addressed.
Evaluate the need for a control room overpressure mitigation system.

3685    DIT-DRGIml    Action W    Wills
The design basis for the number of people in the control room needs to be confirmed and used consistently throughout the various analyses (eg thermal, dose etc.). The frequency of ingress and egress is also input to the dose analyses. It was stated during the presentations that a shift turnover occurred at 4 hours and then once every 12 hours thereafter in the event of an accident. The only ingress and egress occurred at the time of shift turnover. In the committee's view this low frequency needs to be clearly justified.
Determine the design basis number of people in the control room and determine the shift duration and basis for frequency of ingress and egress to the control room. Utilize these numbers consistently in the analyses.

3691    DIT-DRGimi    Action W    Wills
It is a technical specification requirement that the flow and pressurization capabilities of the VES be measured. If the VES is tested at power have the impacts on the control room and control room occupants been considered?
Perform the assessment if the VES is to be tested at power.

3938    DIT-DRGIml    Action W    Hutchings
The current layout arrangement of the spent resin storage tanks does not incorporate adequate shielding or space allocation for maintenance and inspection.
The new Spent Resin Storage Tank layout should factor these criteria into the design and arrangement.

Page: 2 Total Records: 10


AP600 Open Item Tracking System: Design Issues Tracking
Date: 12/3/96
Selection: [type] like 'DIT-MMI' Sorted by Item #

Item No.    Type    (W) Status    Resp Engineer    Description Detail    Closure Path Status

3465    DIT-MMI    Action W    J. Easter
Safety Parameter Display System (SPDS): Is a 2 second display response time for operator support during transient operations adequate or does it result in operator frustration?
Reference: SSAR Chapter 18, subsection 18.8.2.2; NRC letter, "Status of AP600 Draft Safety Evaluation Report (DSER) Open Item Related To Requirements For The Safety Parameter Display System (SPDS)", dtd Sept. 28, 1995.
The acceptability of a display response time of 2 seconds for operator support during transient operations is determined during man-in-the-loop concept testing. If 2 seconds is determined to be unacceptable, then a revised display response time is determined.

3466    DIT-MMI    Action W    J. Easter
Safety Parameter Display System (SPDS): Minimum Information; The AP600 human system interface must display sufficient information to determine the plant safety status with respect to the SPDS safety functions.
Reference: SSAR Chapter 18, subsection 18.8.2.6; NRC letter, "Status of AP600 Draft Safety Evaluation Report (DSER) Open Item Related To Requirements For The Safety Parameter Display System (SPDS)", dtd Sep. 28, 1995.
The safety functions and respective parameters presented in Table 2 of NUREG-1342 are used as a starting point for specifying the AP600 SPDS functions and respective parameters. The list needs to be evaluated and revised to address the AP600 passive plant design.

3467    DIT-MMI    Action W    S. Kerch
Open item from ARC USG M-MIS working group: November 1995 s 26 to ARCce the mWa procedure system strawman proposed a dynamic roadmap screen and a main interface screen for the computerized procedure system. It was proposed that the dynamic road map information be displayed as part of the wall panel information system display. During the MMI working group session of May 31, 1996: ARC stated that many times, an operator is executing more than one procedure in parallel to control the plant. How is this reflected or br,ad into the dynamic roadmap screen?
Reference: Meeting minutes from ARC USG M-MIS Working Group session as A-and by ARC letter ARCAOK0527; dtd June 14, 1996; "ALWR AP600 First-of-a-Kind Engineering Program Minutes From May 31, 1996 ARC USG M-MIS Working Group / Westinghouse Meeting"

3474    DIT-MMI    Action W    M. Lipner/ Steve Ke
AP600 main control room operators will execute plant procedures through the computerized procedure system. Current plants, using paper medium, have a process to implement "pen and ink" changes to a paper-based procedure when a situation is encountered where the procedure can not be executed as written. This capability needs to be addressed by the AP600 computerized procedure system.

Page: 1 Total Records: 4

ENCLOSURE 4

(Only those pages that have changes to them have been enclosed.)

18. Human Factors Engineering

methodology used to arrive at the AP600 level of automation for the plant functions, processes, and systems involved in maintaining plant safety, and documents the results and rationale for function allocation decisions.

18.5 Task Analysis

Section 18.5 presents the scope and implementation plan for task analysis. The task analysis provides one of the bases for the human system interface design; provides input to procedure development; provides input to staffing, training, and communications requirements of the plant; and ensures that human performance requirements do not exceed human capabilities.

18.6 Staffing

Section 18.6 and Reference 5 provide input from the designer to the Combined License applicant for the determination of the staffing level of the operating crew in the AP600 main control room.

18.7 Integration of Human Reliability Analysis with Human Factors Engineering

Section 18.7 and Reference 6 present the implementation plan for the integration of human reliability analysis with the human factors engineering program.

18.8 Human System Interface Design

Section 18.8 presents the implementation plan for the design of the human system interface.

18.9 Procedure Development

Section 18.9 and Reference 7 provide input to the Combined License applicant for the development of plant operating procedures, including information on the AP600 emergency response guidelines and emergency operating procedures.

18.10 Training Program Development

Section 18.10 and Reference 8 provide input from the designer on the training of the operations personnel who participate as subjects in the human factors verification and validation.

Human.

".. h_.DCh'!' fWie bs! fY/t hum l

bSh I 18.11 l

Section 18.11 and Reference 9 present a programmatic level description of the human factors verification and validation.

Revision: 9, August 9, 1996    Westinghouse    18.1-3

18.3 Operating Experience Review

The objective of the operating experience review is to identify and analyze human factors engineering-related problems and issues encountered in previous designs that are similar to the AP600. Reference 1 documents the results of this review, including descriptions of how the AP600 design addresses each identified issue.

18.3.1 Combined License Information

I ni; x::ica he ao,,,rcraca: for 5ferinauca ;o t,c pr;c;ded in ;;pp;7: ;f :. cu,,co,,,cd 1

LErr 2ppH~in--

18.3.2 References

1. WCAP-14645, "Human Factors Engineering Operating Experience Review Report for the AP600 Nuclear Power Plant."

bom'DiMCk b@SC O ppIt" cod IESp(MsibillMC5 ido WfndJ-in 22&cente i are :presex4ed n

in SecNoms 10Al2 A2g e.2.G, ia.A1 m.q,;

anci

)S. IO < \\.

Revision: 9, August 9, 1996    Westinghouse    18.3-1

18.5 AP600 Task Analysis Implementation Plan

Task analysis, according to the Human Factors Engineering Program Review Model (Reference 1), has the following objectives:

o Provide one of the bases for the human system interface design decisions

o Match human performance requirements with human capabilities

o Provide input to procedure development

o Provide input to staffing, training, and communications requirements of the plant

This section describes the scope of the AP600 task analysis activities and the task analysis implementation plan. In addition to Reference 1, References 2 through 12 are inputs to this

18.5.1 Task Analysis Scope

The scope of the AP600 task analysis is divided into two complementary activities: function-based task analysis (FBTA) and traditional task analysis, or operational sequence analysis (OSA). The scope of the function-based task analysis is the Level 4 functions identified in Figure 18.5-1. This figure is the functional decomposition (goal-means analysis) for normal power operations in a standard pressurized water reactor. Examples of functions at Level 4 are "Control RCS Coolant Pressure" and "Control Containment Pressure." This set of functions define the breadth of functions to be analyzed. The function-based task analysis will be expanded in scope to include any additional Level 4 functions identified.

The traditional task analysis, or operational sequence analysis, is developed for a representative set of operational and maintenance tasks. The following guidelines are applied to select tasks:

o Tasks are selected to represent the full range of operating modes, including startup, normal operations, abnormal and emergency operations, transient conditions, and low-power and shutdown conditions.

o Tasks are selected that involve operator actions that are identified as either critical human actions or risk-important tasks, based on the criteria in Reference 13.

o Tasks are selected to represent the full range of activities in the AP600 emergency response guidelines.

o Tasks are selected that involve maintenance, test, inspection, and surveillance (MTIS) actions. A representative set of maintenance, test, inspection, and surveillance tasks are analyzed for a subset of the "risk-significant" systems/structures/components (SSCs).

The set of tasks to be analyzed are not identified as a part of design certification. The human factors engineering program review model (Reference 1) indicates that task analysis should

Revision: 9, August 9, 1996    Westinghouse    18.5-1

Insert (1) on pg. 18.5-1:

Execution and documentation of this task analysis implementation plan is the responsibility of the Combined License applicant.

Insert (2) on pg. 18.5-5:

Combined License applicants referencing the AP600 certified design will address the execution and documentation of the task analysis implementation plan presented in section 18.5.

Insert (3) on pg. 18.7-1:

Execution and documentation of this implementation plan is the responsibility of the Combined License applicant.

Insert (4) on pg. 18.7-1:

Combined License applicants referencing the AP600 certified design will address the execution and documentation of the human reliability analysis/human factors engineering integration implementation plan that is presented in section 18.7.

Insert (5) on pg. 18.8-1:

Execution and documentation of this implementation plan is the responsibility of the Combined License applicant.

Along with insert 5 above, make the 3rd sentence of the first paragraph under 18.8 the start of a new paragraph.

Insert (6) on pg. 18.8-23:

Combined License applicants referencing the AP600 certified design will address the execution and documentation of the human system interface design implementation plan that is presented by section 18.8.

Insert (7) on pg. 18.11-2:

Using the programmatic level description, it is the responsibility of the Combined License applicant to develop an implementation plan for the AP600 human factors engineering verification and validation. The Combined License applicant is responsible for the execution and documentation of the plan.

Insert (8) on pg. 18.11-2:

Combined License applicants referencing the AP600 certified design will address the development, execution and documentation of an implementation plan for the verification and validation of the AP600 human factors engineering program. The programmatic level description of the AP600 verification and validation program that is presented and referenced by section 18.11 will be used by the Combined License applicant to develop the implementation plan.

This second operational sequence analysis is performed for a representative subset of tasks that include the critical human actions and risk-important tasks and tasks that have human performance concerns (for example, potential for high workload or high error rates).

18.5.2.4 Task Analysis of Maintenance, Test, Inspection and Surveillance Tasks

The maintenance, test, inspection, and surveillance tasks that are identified to be "risk-important" are analyzed using operational sequence task analyses. OSA-1 analyses are conducted on the set of maintenance, test, inspection, and surveillance tasks identified to be "risk-important."

18.5.3 Job Design Factors

Section 18.6 addresses the control room staffing that applies to the AP600. The staffing level of the main control room, job design considerations, and crew skills are the responsibility of the Combined License applicant.

18.5.4 Combined License Information Item [Insert (2)]

Combined License applicants referencing the AP600 certified design will address the scope and responsibilities [illegible] of each main control room position, considering the assumptions and results of the task analysis.

18.5.5 References

1. NUREG-0711, "Human Factors Engineering Program Review Model," 1994.
2. U.S. NRC Guidance, NUREG/CR-3371, "Task Analysis of Nuclear Power Plant Control Room Crews."
3. IEC 964, "Design for Control Rooms of Nuclear Power Plants."
4. Department of Defense Documents: DI-H-7055, "Critical Task Analysis Report," and MIL-STD 1478, "Task Performance Analysis."
5. NATO Document, "Applications of Human Performance Models to System Design," edited by McMillan, Beevis, Salas, Strub, Sutton, & van Breda, New York: Plenum Press, 1989.
6. Rasmussen, J., "Information Processing and Human-Machine Interaction, An Approach to Cognitive Engineering," New York: North-Holland, 1986.
7. Hollnagel, E. and Woods, D. D., "Cognitive Systems Engineering: New Wine in New Bottles," International Journal of Man-Machine Studies, Volume 18, 1983, pages 583-600.

Revision: 9, August 9, 1996 Westinghouse 18.5-5

18.7 Integration of Human Reliability Analysis with Human Factors Engineering

Human reliability analysis (HRA) evaluates the potential for human error that may affect plant safety. There are important interfaces between the human factors engineering program and human reliability analysis. Human reliability analysis makes use of outputs of human factors engineering/HSI design activities including analyses of operator functions and tasks and specifications of HSI characteristics. Human reliability analysis is a source of input to human factors engineering/HSI design in identifying plant scenarios, human actions, and HSI components that are important to plant safety and reliability.

The objective of integration of human reliability analysis with human factors engineering is to specify the interfaces between human reliability analysis and human factors engineering activities. Reference 1 documents the implementation plan for the integration of human reliability analysis with human factors engineering design. [Insert (3)]

The objective of the human reliability analysis/human factors engineering integration implementation plan is to enable:

• Human reliability analysis activity to integrate the results of the human factors engineering design activities
• Human factors engineering design activities to address critical human actions, risk-important tasks, and human error mechanisms, in order to minimize the likelihood of personnel error and to provide for error detection and recovery capability

Human reliability analysis methodology and results are described in Chapter 30 of the AP600 PRA.

18.7.1 Combined License Information

This section has no requirement for information to be provided in support of the Combined License application.

18.7.2 References

1. WCAP-14651, "Integration of Human Reliability Analysis with Human Factors Engineering Design Implementation Plan," 1996.

Revision: 9, August 9, 1996 Westinghouse 18.7-1

18.8 Human System Interface Design

This section provides an implementation plan for the design of the human system interface (HSI) and information on the human factors design for the non-HSI portion of the plant. The human system interface includes the design of the operation and control centers (OCS) and each of the human system interface resources. The operation and control centers includes the main control room, the technical support center, the remote shutdown facility, operational support center, local control stations and associated workstations for each of these centers. The AP600 human system interface resources include:

• Wall panel information system
• Alarm system
• Plant information system
• Computerized procedure system
• Soft controls/dedicated controls
• Qualified data processing system

The wall panel information station presents information about the plant for use by the operators. No control capabilities are included. The wall panel information station provides dynamic display of plant parameters and alarm information so that a high level understanding of current plant status can be readily ascertained. It is located at one end of the main control area at a height such that both operators and the shift supervisor can view it while sitting at their respective workstations. This panel provides information important to maintaining the situation awareness of the crew and for supporting crew coordination. The wall panel information station provides a dynamic plant display of the plant. It also serves as the alarm system overview panel display. The display of plant disturbances (alarms) and plant process data are integrated on this wall panel information station display. The wall panel information station is a nonsafety-related system. It is designed to have a high level of reliability.

The mission of the AP600 alarm system, together with the other human system interface resources, is to provide the operations and control centers operating staff with the means for acquiring and understanding the plant's behavior. The alarm system improves the performance of the operating crew members, when acting both as individuals and as a team, by improving the presentation of the plant's process alarms. The alarm system supports the control room crew members in the following steps or activities of Rasmussen's operator decision-making model (Reference 25):

• The "alert" activity, which alerts the operator to off-normal conditions
• The "observe what is abnormal" activity, which aids the user in focusing on the important issue(s)
• The process "state identification" activity, which aids the user in understanding the abnormal conditions and provides corrective action guidance. It guides the operating crew into the information display system.

Revision: 9, August 9, 1996 Westinghouse 18.8-1

The plant information system presents plant process information for use by the operators. The plant information system provides dynamic display of plant parameters and alarm information so that an understanding of current plant conditions and status is readily ascertained. The plant information system uses color-graphic video display units located on the operations and control centers workstations to display plant process data. These displays provide information important to monitoring, planning, and controlling the operation of plant systems and obtaining feedback on control actions.

The computerized procedure system has a mission to assist plant operators in monitoring and controlling the execution of plant procedures. The computerized procedures system is a software system. It runs on the hardware selected for the operations control centers. The computerized procedure system is accessible from the operator workstations in the main control room. Procedure development, as stated in Section 13.5 and 18.9, is the responsibility of the Combined License applicant. A procedure writer's guide is developed as part of the human system interface design implementation plan for the computerized procedure system. The writer's guide is the design guidelines document for the computerized procedure system. Information on the writer's guide and on the computerized procedure system is found in Reference 31. Man-in-the-loop concept tests (Reference 9) are planned as part of the human system interface design implementation plan. These tests determine how effectively computerized procedures handle plant situations and whether computer-based procedures adequately support operator performance. The design of a backup to the computerized procedure system, to handle the unlikely event of a loss of the computerized procedure system, is developed as part of the human system interface design process. Design options include the use of a paper backup. The acceptability of the backup is evaluated through concept testing or by executing a walk-through using the full-scale mockup of the AP600 main control room. The computerized procedure system and its backup are evaluated as part of the integrated system validation phase of the human factors verification and validation (Reference 24).

The mission of the controls in the main control room is to allow the operator to operate the plant safely under normal conditions, and to maintain it in a safe condition under accident conditions. The types of controls in the main control room include both discrete (dedicated) control switches and soft controls. The discrete control switches are controls dedicated to a single function, with each switch having a single action. As shown in Figure 18.8-1, the soft control units are control devices whose resulting actions are selectable by the operator. The instrumentation and control architecture uses both discrete control switches and soft control units. The soft control units are used to provide a compact alternative to the traditional control board switches by substituting virtual switches in the place of the discrete switches. The final configuration of these elements is dependent upon the results of the human system interface design process described in subsection 18.8.1 below.

The mission of the qualified data processing system is to provide a Class 1E system to display to the main control room and remote shutdown workstation operators the plant parameters which demonstrate the safety of the plant. The qualified data processing system provides for the display of the variables as described in Section [illegible].

Revision: 9, August 9, 1996 Westinghouse 18.8-2

18.8.1 Implementation Plan for the Human System Interface Design

Figure 18.2-3 provides an overview of the AP600 human factors engineering process, including the design stages of the human system interface. The relationship of other human factors engineering process elements to the human system interface design is shown.

The functional design of the operation and control centers and the human system interface is the activity where the functional requirements for the human system interface resources of the main control room and related operation and control centers are developed. The output of the functional design is a set of documents that specify the mission, design bases, performance requirements, and functional requirements for each human system interface resource. These functional requirement documents are applied to an appropriate set of human factors engineering design guidelines to develop the design specifications. The design specifications are provided as input to the hardware and software system designers for design implementation. Rapid prototyping and man-in-the-loop concept testing are performed to establish that the human system interface design of the main control room adequately supports operator performance in the range of activities and situations that are anticipated to arise. The results of the concept testing are used to refine the functional requirements and the design specifications of the operation and control centers and the human system interface.

The following subsections describe the activities conducted as part of the human system interface design and the documents that are produced.

18.8.1.1 Functional Design

A system specification document for the operation and control centers documents and tracks human system interface requirements and design specifications. The operation and control centers system specification document is the umbrella document for capturing human factors requirements and providing a uniform operational philosophy, and design consistency among the individual human system interface resources.

Included in the operation and control centers system specification document are functional requirements and specifications for the AP600 operations and control centers, including the main control room, the technical support center, the remote shutdown facility, and local control stations. In addition, functional requirement documents are generated for each of the individual human system interface resources. These documents are referenced by the operation and control centers system specification document.

The operation and control centers system specification document and the individual human system interface functional requirement documents include mission statements and performance requirements. The mission statements establish the high level goals and main tasks to be supported by the control center or human system interface resource. Performance requirements represent high level design goals and help to clarify the functional designer's

Revision: 9, August 9, 1996 Westinghouse 18.8-3

18.8.4.1.8 Storage

Storage facilities are identified in the AP600. Radioactively clean and contaminated storage areas are designated.

18.8.4.1.9 Coding and Labeling

Equipment located in the AP600 has a unique identifier and plant descriptive name. The configuration management system includes the identification of the equipment in the plant. Each component is assigned an identifier during the design process. The identifier is maintained through manufacturing, construction, and operation. The components are labeled according to the assigned identifier. These labels help avoid errors in operating or working on the wrong equipment and in reporting problems or conditions observed in the plant. The labels help reduce the training burden for operating and maintenance personnel.

Color, syntax, abbreviations and symbols are consistently applied. The labels are located in an easily visible location on the component and are not hidden by insulation, equipment covers, or surrounding equipment. Labels are fastened to the component to prevent easy detachment of the label.

18.8.5 Combined License Information

This section has no requirement for information to be provided in support of the Combined License application.

18.8.6 References

1. American National Standards Institute, ANSI HFS-100-1988, "American Standard for Human Factors Engineering of Visual Display Terminal Workstations," Santa Monica, California, 1988.
2. CEI/IEC 964, "Design for Control Rooms of Nuclear Power Plants," International Electrotechnical Commission, Geneva, Switzerland, 1989.
3. NUREG-0899, "Guidelines for the Preparation of Emergency Operating Procedures," U.S. Nuclear Regulatory Commission, Washington, D.C., August 1982.
4. NUREG-1358, "Lessons Learned from the Special Inspection Program for Emergency," U.S. Nuclear Regulatory Commission, Washington, D.C., April 1989.
5. NUREG-0700, "Human-System Interface Design Review Guideline," Rev. 1, U.S. Nuclear Regulatory Commission, Washington, D.C., February 1995. (Draft Report)
6. NUREG/CR-5908, "Advanced Human-System Interface Design Guidelines," U.S. Nuclear Regulatory Commission, Washington, D.C., July 1994.

Revision: 9, August 9, 1996 Westinghouse 18.8-23

• Evaluations for controlling plant state
• Evaluations of conformance to human factors engineering design guidelines
• Evaluations for validation of the integrated human system interface

The first 15 issues are grouped into the first three headings above.

As described in subsection 18.8.1, man-in-the-loop concept tests are performed as part of the human system interface design process. These concept tests are organized around the first 15 human performance issues. Reference 2 provides a description of the AP600 man-in-the-loop test plan which includes the concept tests.

Evaluation issues 16 and 17 describe evaluations that are performed as part of the AP600 human factors verification and validation and fall under the last two headings above. A programmatic level description of the AP600 verification and validation program is provided by Reference 3. Figure 18.8-2 shows the man-in-the-loop concept testing and the verification and validation activities conducted as part of AP600 human factors engineering program.

18.11.1 Combined License Information

This section has no requirement for information to be provided in support of the Combined License application.

18.11.2 References

1. WCAP-14701, "Methodology and Results Of Defining Evaluation Issues For the AP600 Human System Interface Design Test Program."
2. WCAP-14396, "Man-In-The-Loop Test Plan Description."
3. WCAP-14401, "Programmatic Level Description of the AP600 Human Factors Verification and Validation Plan."

Revision: 9, August 9, 1996 Westinghouse 18.11-2

18.12 Inventory of Displays, Alarms, and Controls

18.12.1 Inventory of Displays, Alarms, and Controls

An inventory of instruments, alarms, and controls for the AP600 systems is provided in the respective system piping and instrumentation diagrams.

The AP600 system design engineers determine the specific sensors, instrumentation, controls, and alarms that are needed to operate the various plant systems. The instruments, alarms, and controls for each system are documented in the piping and instrumentation diagram. An instrument, alarm, and control is specified by the system design engineer if it is needed to control, verify, or monitor the operation of the system and its components. System functions and their respective functional requirements are considered by the system designer when determining the need for a specific instrument, alarm, or control.

The role of the Human Factors Engineering (HFE) design team in the determination of the total inventory list is one of verification. As described in Section 18.5, the Human Factors Engineering design team has functionally decomposed the plant. The top four levels of this model for the AP600 are shown in Figure 18.5-1. Each level 4 function has a function-based task analysis (FBTA) performed as described in the Task Analysis Implementation Plan. Considering the plant operating modes and emergency operations, the function-based task analysis:

• Identifies the function's goals
• Identifies the processes used to achieve each goal
• Documents the performance of a cognitive task analysis of each process

The cognitive task analysis of each process answers the monitoring/feedback, planning, and controlling questions. The answers to these questions identify the data for each functional process (instrumentation, indications, alarms, and controls) needed by the operator to make decisions. The results of the cognitive task analysis phase of each function-based task analysis are used to verify the inventory list of instruments, controls, and alarms developed by the AP600 system designers and documented in the respective design documents.

18.12.2 Minimum Inventory of Main Control Room Fixed Displays, Alarms, and Controls

Background

The man-machine interface system design includes the appropriate plant displays, alarms, and controls needed to support a broad range of expected power generation, shutdown, and accident mitigation operations. Soft control displays and plant information displays are generated by a computer and can be changed to perform different functions, allow control of different devices, or display different information. These displays appear on display devices such as cathode ray tubes, flat panel screens, or visual display units. Alarms are used to direct operator attention. Soft controls are provided through devices such as a keyboard, touch screen, mouse, or other equivalent input devices. The majority of the operations for both the

Revision: 9, August 9, 1996 Westinghouse 18.12-1

1. Introduction and General Description of Plant

Table 1.8-2 (Sheet 4 of 4)

SUMMARY OF AP600 STANDARD PLANT COMBINED LICENSE INFORMATION ITEMS

Item No.   Subject                                                  Subsection
12.5-1     Radiological Protection Organization and Procedures      12.5.5
13.1-1     Organizational Structure of Combined License Applicant   13.1.1
13.2-1     Training Program for Plant Personnel                     13.2.1
13.3-1     Emergency Planning and Communications                    13.3.1
13.4-1     Operational Review                                       13.4.1
13.5-1     Plant Procedures                                         13.5.1
13.6-1     Security Plans, Organization and Testing                 13.6.13.1
13.6-2     Vital Equipment                                          13.6.13.2
13.6-3     Plant Security System                                    13.6.13.3
13.6-4     Vulnerability Analysis Report                            13.6.13.4
14.4-1     Initial Test Program                                     14.4
16.2-1     Design Reliability Assurance Program / Site Specific     16.2.7.1
16.2-2     Operational Reliability Assurance Activities             16.2.7.2
18.6-1     Plant Staffing                                           18.6.1
18.3-1     Operating Experience Review                              [illegible]
18.5-1     Task Analysis                                            [illegible]

Revision: 9, August 9, 1996 Westinghouse 1.8-13