ML20107C740: Difference between revisions

From kanterella
Jump to navigation Jump to search
(StriderTol Bot insert)
 
(StriderTol Bot change)
 
Line 17: Line 17:


=Text=
=Text=
{{#Wiki_filter:}}
{{#Wiki_filter:WEFrINGHOLEE NON-PROPRIETARY CIASS 3 WCAP-14401 Y
!                                  PROGRAMMATIC LEVEL DESCRIPTION l                                                        OF THE AP600 HUMAN FACTORS VERIFICATION AND VALIDATION PLAN i
                                                                        )
i l
April 1996 E. Roth S. Kerch AP600 Document No. OCS-GEH-020 9604170515 960412 PDR      ADOCK 05200003 A                    PDR WESTINGHOUSE ELECTRIC CORPORATION l                                    Energy Systems Business Unit i                                      Nuclear Technology Division P.O. Box 355 Pittsburgh, Pennsylvania 15230-0355 C1996 Westinghouse Electric Corporation All Rights Reserved u:\2157w.wptib-040996 i
 
l AP600 DOCUMENT COVER SHEET IDS: 1 TDC:                                            S Form 58202G(5/94) [t:\xxxx.wpf;1x]
AP600 CENTRAL FILE USE ONLY:
00S8.FRM                                                                                                RFS#:                RFS ITEM #:
AP600 DOCUMENT NO.                          REVISION NO.                                              ASSIGNED TO AP600 Doc. No. oCS-GEH-002                              0                    Page 1 of.22_            Enter Assigned To i'    ALTERNATE DOCUMENT NUMBER: WCAP-14401, Rev. O                                                      WORK BREAKDOWN #: WBS 3.3.2.4.15 DESIGN AGENT ORGANIZATION: Westinghouse Electric                                                                                                            ;
TITLE: Programmatic Level Description of the AP600 Human Factors Verification and Validation Plan ATTACHMENTS:                                                                                      DCP #/REV. INCORPORATED IN THIS DOCUMENT REVISION:
CALCULATION / ANALYSIS
 
==REFERENCE:==
 
ELECTRONIC FILENAME                  ELECTRONIC FILE FORMAT                      ELECTRONIC FILE DESCRIPTION u:\2157w.wpf:1b-040496              Word Perfect (C) WESTINGHOUSE ELECTRIC CORPORATION 199fL 0 WESTINGHOUSE PROPRIETARY CLASS 2 This document contains information proprietary to Westinghouse Electric Corporation: it is sutmtted in confidence and is to be used solely for the purpose for which it is fumished and retumed upon request. This document and such information is not to be reproduced, transmitted, disclosed or used otherwise in whole or in part without prior written authorization of Westinghouse Electric Corporation, Energy Systems Business Unit, subject to the legends contained hereof.
O WESTINGHOUSE PROPRIETARY CLASS 2C This document is the property of and contains Proprietary Information owned by Westinghouse Electric Corporation and/or its subcontractors and suppliers. It is transmitted to you in confidence and trust, and you agree to treat this document in strict accordance with the terms and conditions of the agreement under which it was provided to you.
          @ WESTINGHOUSE CLASS 3 (NON PROPRIETARY)
COMPLETE 1 IF WORK PERFORMED UNDER DESIGN CERTIFICATION ~OR COMPLETE 2 IF WORK PERFORMED UNDER FOAKE.
1 @ DOE DESIGN CERTIFICATION PROGRAM - GOVERNMENT LIMITED RIGHTS STATEMENT [See page 2)
Copyright statement: A license is reserved to the U.S. Govemment under contract DE-AC03-90SF18495.
          @ DOE CONTRACT DELIVERABLES (DELIVERED DATA)
Subject to specified exceptions, disclosure of this data is restricted until September 30,1995 or Design Certification under DOE contract DE ACO3-90SF18495, whichever is later.
EPRI CONFIDENTIAL: NOTICE: 1 U 2                                30 4              sO CATEGORY: A@ B                          CO D            E      F 2 O ARC FOAKE PROGRAM - ARC LIMITED RIGHTS STATEMENT [See page 2]
Copyright statement A license is reserved to tne U.S. Govemment under contract DE-FCO2-NE34267 and subcontract ARC-93-3-SC-001.
O ARC CONTRACT DELIVERABLES (CONTRACT DATA)
Subject to specified exceptions, disclosure of this data is restricted under ARC Subcontract ARC-93-3-SC-001.
ORIGINATOR                                          SIGNATURE /D TE S. P. Kerch AP600 RESPONSIBLE MANAGER Q
SI      RE*
APPROVA DAT n                        /* M k                  Y
* Approval of the responsible manager signifies that document is complete, all required reviews are complete, electronic file is attached and document is r: leased for use.
 
1 AP600 DOCUMENT COVER CHEET                                                                PJg2 2 Form 58202G(5!94)                                  LIMITED RIGHTS STATEMENTS DOE GOVERNMENT UMITED RIGHTS STATEMENT                                                                                                                  l 1
(A)      These data are submitted with lirnited rights under government contract No. DE-AC03-90SF18495. These data may be reproduced and used by the government with the express litnitation that they will not, without written permission of the contractor, be used for purposes l          of manufacturer nor disclosed outside the govemment; except that the govemment may disclose these data outside the govemment i          for the following purposes, if any, provided that the govemment makes such disclosure subject to prohibition against further use and i          disclosure:
(l) This " Proprietary Data" may be disclosed for evaluation purposes under the restrictions above.                                        .
(ll) The ' Proprietary Data" may be disclosed to the Electric Power Research institute (EPRI), electric utility representatives and their direct consultants, excluding direct commercial competitors, and the DOE National Laboratones under the prohibitions and restrictions above.
(B)      This notice shall be marked on any reproduction of these data, in whole or in part.
ARC UMITED RIGHTS STATEMENT:
This proprietary data, fumished under Subcontract Number ARC-93-3-SC401 with ARC may be duplicated and used by the govemment and l ARC, subject to the limitations of Article H-17.F. of that subcontract, with the express limitations that the proprietary data may not be disclosed t
outside the govemment or ARC, or ARC's Class 1 & 3 members or EPRI or be used for purposes of manufacture without prior permission of the Subcontractor, except that further disclosure or use may be made solely for the following purposes:
This proprietary data may be disclosed to other than commercial competitors of Subcontractor for evaluation purposes of this subcontract under i
the restriction that the proprietary data be retained in confidence and not be further disclosed, and subject to the terms of a non-disclosure l agreement between the Subcontractor and that organization, excluding DOE and its contractors.
l                                                                  DEFINITIONS 1
l CONTRACT / DELIVERED DATA - Consists of docurnents (e.g. specifications, drawings, reports) Which are                                                  i generated under the DOE or ARC contracts which contain no background proprietary data.
EPRI CONFIDENTIALITY / OBLIGATION NOTICES NOTICE 1: The data in this document is subject to no confidentiality obligations.
NOTICE 2: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is forwarded to recipient under an obligation of Confidence and Trust for limited purposes only. Any use, disclosure to unauthorized persons, or copying of l this document or parts thereof is prohibited except as agreed to in advance by the Electric Power Research institute (EPRI) and Westinghouse l Electric Corporation. Recipient of this data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information contained herein i
that are permitted.
NOTICE 3: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is forwarded to recipient under an obligation of Confidence and Trust for use only in evaluation tasks specifically authorized by the Electric Power Research Institute (EPRI). Any use, disclosure to unauthorized persons, or copying this document or parts thereof is prohibited except as agreed to in advance by EPRI and Westinghouse Electric Corporation. Recipient of this data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information contained herein that are permitted. This document and any copies or excerpts thereof that may have been generated are to be returned to Westinghouse, directly or through EPRI, when requested to do so.
NOTICE 4: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is being revealed in confidence and trust only to Employees of EPRI and to certain contractors of EPRI for limited evaluation tasks authorized by EPRI.
Any use, disclosure to unauthorized persons, or copying of this document or parts thereof is prohibited. This Document and any copies or excerpts thereof that may have been generated are to be retumed to Westinghouse, directly or through EPRI, when requested to do so.
I NOTICE 5: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. Access to this data is given in Confidence and Trust on!y at Westinghouse facilities for limited evaluation tasks assigned by EPRI. Any use, disclosure i to unauthonzed persons, or copying of this document or parts thereof is prohibited. Neither this document nor any excerpts therefrom are to I be removed from Westinghouse facilities.
EPRI CONFIDENTIALITY / OBLIGATION CATEGORIES CATEGORY 'A'-(See Delivered Data) Consists of CONTRACTOR Foreground Data that is contained in an issued reported.
l 1
, CATEGORY "B"-(See Delivered Data) Consists of CONTRACTOR Foreground Data that is not contained in an issued report, except for computer programs.
CATEGORY "C" - Consists of CONTRACTOR Background Data except for computer programs.                                                                  ,
CATEGORY *D" - Consists of computer programs developed in the course of performing the Work.
CATEGORY *E"- Consists of computer programs developed prior to the Effective Date or after the Effective Date but outside the scope of the Work.
CATEGORY 'F" - Consists of administrative plans and administrative reports.
 
TABLE OF CONTENTS Section                                              Title                                            Page a
l.0      INTRODUCTION                                                                                    1-1 1.1      AP600 V&V Activities and Objectives                                                    1-1 1.2      General Scope of AP600 V&V                                                            l-4 1.3      Guidance Documents for Development of V&V Implementation Plans                        1-5 2.0      M-MIS TASK SUPPORT VERIFICATION                                                                2-1 3.0      HFE DESIGN VERIFICATION                                                                        3-1 4.0      INTEGRATED SYSTEM VALIDATION                                                                    4-1 4.1      Methodology                                                                          4-1 4.2      Tools Used for Evaluating Dynamic Task Performance                                    4-1 4.3      Integrated System Validation Evaluations                                              4-2 4.4      Risk-Important Tasks                                                                  4-2 4.5      Compliance with Regulatory Guide 1.33                                                4-2 4.6      Criteria for Selection of Test Scenarios for Dynamic Evaluations                      4-3 4.7      Realistic Validation Scenarios                                                        4-4 4.8      Performance Measures and Acceptance Criteria                                          4-4 5.0      ISSUE RESOLUTION VERIFICATION                                                                  5-1  ;
6.0      FINAL PLANT HFE DESIGN VERIFICATION                                                            6-1
 
==7.0      REFERENCES==
7-1 u:\2157w.wpf:lt>4328%                                  iii
 
LIST OF FIGURES Figure                                        Title                              Page 1-1              AP600 Concept Testing and Verification and Validation Activities  1-3 I
l I
i uA2157w.wpf:Ib-0328%                            iv
 
==1.0      INTRODUCTION==
 
This document provides a programmatic level description of the AP600 Human Factors Verification and Validation (V&V) plan. It specifies at a high-level the activities to be performed as part of the AP600 V&V. Individual implementation plans that provide more detailed descriptions of the tests to be performed, and acceptance criteria to be used, will be developed for each V&V activity specified in this report. Individual V&V implementation plans will be developed after design certification.
1.1      AP600 V&V Activities and Objectives                                                                      ;
    'Ihe Human Factors Engineering Program Review Model (PRM) developed under the sponsorship of                      ,
the U. S. NRC (NUREG-0711) specifies that an HFE V&V program should include five activities with                    ,
the following objectives:                                                                                          l
: 1. Task Support Verification:          Verifies that the man-machine interface system (M-MIS)                    j design provides all necessary alarms, displays, and controls to            !
support plant personnel tasks                                              !
: 2. HFE Design Verification:              Verifies that the M-MIS design conforms to human factors engineering (HFE) principles, guidelines, and standards
: 3. Integrated System Validation:        Validates that the M-MIS design can be effectively operated by personnel within all performance requirements
: 4. Issue Resolution Verification:        Verifies that the M-MIS design resolves all identified HFE issues in the tracking system
: 5. Final Plant HFE Verification:        Verifies that the final as-built product conforms to the verified          j and validated design that resulted from the M-MIS design                  !
process l
The AP600 V&V will include all five of these activities. Figure 1-1 presents the AP600 V&V activities and sequence in which these activities shall be performed. The sequence for completing these V&V activities will be as follows:
: 1.        M-MIS Task Suppoit Verification
: 2.        HFE Design Verification
: 3.        Integrated System Validation
: 4.        Issue Resolution Verification
: 5.        Final Plant HFE Design Verification uA2157w.wpf:lb-0403%                                l-1
 
Figure 1-1 shows that additional Man-in-the-Loop concept tests will be performed as part of the M-MIS design process. Concept testing is performed as part of the functional design phase of the M-MIS design process. It is during the functional design phase that the core conceptual design for an        ,
M-MIS resource and corresponding functional requirements are developed. An integral part of this            l phase is rapid prototyping and design concept testing. Concept testing during the functional design phase serves two purposes. It:
I Provides input to help designers resolve design issues that have no well-established      i human factors guidance                                                                    l l
l Establishes the adequacy of the design concept and functional requirements that are produced in the functional design stage. Concept testing establishes that the            i conceptual design resulting from the functional design stage is adequate to support operator performance in the range of situations anticipated to arise.
Concept tests slated to be performed as part of the AP600 M-MIS design process are described in AP600 document # OCS-TS-001. While these concept tests are not part of the formal AP600 V&V, they provide early feedback on the adequacy of AP600 M-MIS design elements.
l l
l l
l l
l 1
l l
1 I
u:u157w.wpf:1b-0403%                                l-2
 
o a
G w
4 2  3
$ E
=
n 8  ?
t' y                                                                                                            ,.--__________________________________,,______-__________:
g                                                                                                            :                                                                                                  !
M-MIS                                                        '                                      Verification and Validation
                                                                                                                '                                                                                                  ,e O              M-MIS
                                +              Implementadon                                                        M-MIS Task
  @              Desige                        & Insegration                                    +l            e    Supp0n      +
Giardware & Software)                                                                                                                    Issue        Final Plant HFE    e 2                                                                                                            8  Verificanon am
* jk
* Integraled Sm                              + Resoludon    + Verificanon.
* 8 VmI= tar =wi H                                                                                                            '                                                                Verification        .gq          s 8
g
* Desige g
* Resolve design issues                                                              l    HFEDesign  +                                                                    ~        "'I '
e                                                                                                            o    Verifica60n m                          Estabhah adequacy of                                                              a
  #Q  . FuncGonal                                                                                              a                                        ,
3;,,        ,
doise concept med                                                                                                                                                                      ,
to    requuements                                                                                            '                                        :                                              ""== lest  ,
2                          Nwas . '                                                                          8                                        :-
7  4                y                                                                                                                                                                                              i w  <                                                                                                            l
:                      AP600-specific                                                              ,8 g
T*                                                                                      f                              h ridel e
training simulator
  ,C-    Man-in-the-loop test of concrete l
a      exasnple of functionaldesign:                                                                          '_______________________________________,,_,,,,,,,,,,,,e g      .y
  <
* Partaasksimiutations E.
  "--
* Near full-scope,blfidelity 2
g        simulator for sismilar plant o
a n
C.
3.
c.
2
 
. _ . . _ . _ . _ _            _ __ ~ _ _ . __ _ . _ _ . _ _ . . _ _ _ _ . . _. _ _ _ . _ .                ..__ _ _ _          _
l i
1.2      General Scope of AP600 V&V                                                                            l l
The AP600 V&V scope is defined with respect to M-MIS resources included in the V&V. The PRM scope description includes trained personnel and communication. Personnel training requirements and communication requirements will be addressed in the integrated system validation.                            -
The scope of the AP600 V&V will include:
l
                              =
M-MIS hardware                                                                          j
                              =
M-MIS software
* Procedures j
                              =
Workstation and console configurations a              Design of the overall work environment Specifically included in the AP600 V&V is verification and validation of the AP600 Emergency Operating Procedures (EOPs).
The AP600 EOPs will be computerized. A backup will be available to handle the unlikely situation where the Computerized Procedure System is lost. Verification and validation will be conducted                  '
primarily on the computerized procedures. The back-up will be evaluated as part of the integrated system validation by including test scenarios that examine the use of the back-up following the simulated loss of the Computerized Procedure System.
A set of representative and important tasks will be identified as part of task analysis activities,            l Element 4 (Task Analysis). This set of tasks will define and bound the scope of the AP600 V&V activities. Tasks will be drawn from the areas of:
Operations Maintenance
                            =
Test, inspection, and surveillance Tasks for inclusion in the task analysis and V&V will be identified based on consideration of the importance of human actions for function achievement, and the impact of task failure on safety. Tasks in the areas of maintenance, test, inspection, and surveillance, will be limited to those determined to be risk-important based on the probabilistic risk assessment (PRA) threshold criteria specified in the Implementation Plan for Integration of Human Reliability Analysis (HRA) and HFE Design.
Selected tasks will cover the full range of plant operating modes, including:
* Startup Normal operations Abnormal and emergency operations u:\2157w.wpf:Ib-0402%                                                  14
 
r i
                =
Transient conditions Low-power Shutdown conditions The V&V scope will be limited to those facilities required for scenario evaluation that involve risk-imponant tasks as defined by the PRA threshold criteria. Facilities included in the V&V scope are:
Main Control Room Remote shutdown workstations Technical Support Center (TSC)                                                      l The AP600 design does not require risk-imponant actions to be taken from local control stations, so local control stations are not included in the V&V scope. If, as a result of further analysis, risk-important tasks or critical actions are identified at local control stations, those stations, with respect to the identified tasks or actions, will be included in the V&V.
1.3      Guidance Documents for Development of V&V Implementation Plans                                )
Implementation plans providing detailed test procedures and acceptance criteria will be developed for each of the five V&V activities identified in Figure 1-1.
V&V implementation plans will be developed using accepted industry standards, guidelines, and i      practices. Documentation to develop the V&V implementation plans willinclude:
l CEIIIEC 964 Design for Control Rooms of Nuclear Power Plants. International Electrotechnical Commission,1989.
IEFF Std. 845-1988 IEEE Guide to Evaluation of Man Machine Performance in Nuclear Power Generating Station Control Rooms and Other Peripheries. Institute of Electrical and Electronics Engineers,1988.
  . NUREG-0899 Guidelinesfor the Preparation of Emergency Operating Procedures. US Nuclear Regulatory Commission, Washington, D. C., August 1982.
NUREG-1358 Lessons Exarnedfrom the SpecialInspection Programfor Emergency. US Nuclear Regulatory Commission, Washington, D. C., April,1989.
i NUREG-0711 Human Factors Engineering Program Review Model. US Nuclear Regulatory
;              Commission, Washington, D.C., July,1994.
a:utS7w.wpt:ib-o328%                                  l-5
 
NUREG-0700 Human-System Interface Design Review Guideline, Rev.1, Draft Report. US Nuclear Regulatory Commission, Washington, D.C., February,1995.                          ,i l
Regulatory Guide 1.33, Quality Assurance Program Requirements. Revision 2 US Nuclear Regulatory Commission Washington, D. C.                                          '
I i
l i
I 1
I
,                                                                                                        I l
i l
l l
l i
l l
l I
I 6
u:\2157w.wpf:lb-0328%                          }.6
 
2.0      M MIS TASK SUPPORT VERIFICATION An implementation plan shall be developed specifying a methodology for M-MIS task support verification. The M MIS task support verification objective will be to verify all aspects of the M-MIS design (e.g., controls, displays, alarms, procedures, and data processing) that are required to accomplish personnel tasks and actions as defined by task analyses, EOPs, and risk important human tasks identified by the PRA.
The M-MIS Task Support Verification implementation plan will include a methodology description by which the M-MIS design will be checked against the information and control requirements identified by the:
Function-based task analyses Operational sequence task analyses performed for important and representative tasks as defined in Element 4 (Task Analysis)
Operational sequence task analyses performed for risk important personnel tasks as defined by the PRA
              +
Operational sequence task analyses performed for the complete set of EOPs I
The M-MIS Task Support Verification methodology will describe how, in each case, the M-MIS resources will be verified to ensure that all alarms, displays, controls, procedures, and data-processing required for task performance are available, and that the characteristics of the M-MIS (e.g., units of    I measure, accuracy, precision, and dynamic response) match task requirements.                              l The M MIS Task Support Verification implementation plan will also describe a process by which the        :
M-MIS design will be verified to ensure that the M-MIS does not include information, displays, or controls that do not support operator tasks. The information and controls provided on the M-MIS resources will be checked against display and control requirements generated from the function-based      !
and operational sequence task analyses. Any information, display, or control appearing on an M-MIS
,    resource not identified as required by any of the task analyses, will be flagged, requiring further analysis and review. If the information, display, or control is shown to be necessary to support operator performance, it will be documented, and the task analyses will be revised accordingly. If, after review, no explanation can be found for how the information, display, or control supports operator performance, it will be removed and the documentation will be revised accordingly.
muis7w.wpr: b-032s*                                  2-1
 
l l                                                                                                              l t
3.0      HFE DESIGN VERIFICATION An implementation plan that specifies a methodology for HFE design verification will be developed.
The objective of the HFE design verification will be to verify that all aspects of the M-MIS (e.g.,
p  controls, displays, procedures, and data processing) are consistent with accepted HFE guidelines, standards, and principles.
The HFE design verification implementation plan will specify a process by which deviations from accepted HFE guidelines, standards, and principles will be identified and acceptably justified based on l  a documented rationale, such as trade study results, literature-based evaluations, demonstrated operational experience, and tests or experiments.
The HFE design verification will include all M-MIS in the control room, remote shutdown workstations, and the TSC. Local control stations will be reviewed to the extent that they are required for risk-important human actions as dermed by the PRA.
l  The HFE design verification specification plan will describe a procedure by which M-MIS resources will be verified, ensuring conformance to AP600-specific M-MIS standards and convention guideline documents that will be prepared to cover all M-MIS resources and their integration. The AP600-l  specific standards and convention guidelines will include:
l l
l
* Alarm guidelines l
* Display guidelines Controls guidelines l
Computerized procedures guidelines l
* Anthropometric guidelines The AP600-specific M-MIS standards and convention guidelines will provide:
A specification of accepted HFE guidelines, standards, and principles to which the M-MIS will conform A specification of particular design conventions (e.g., panicular coding conventions) to which the M-MIS will conform i
H            a Documentation of any deviations from accepted HFE guidelines, standards and principles, and justification based on documented rationale such as trade study results, literature-based evaluations, demonstrated operational experience, and tests and experiments
(
u A2157w.wpf.ll>O602%                                  3-1
 
i An illustrative subset of accepted HFE guideline documents that will be used in compiling accepted HFE guidelines, standards, and principles to be included in the AP600-specific standards and convention guideline documents are:
American National Standards Institute, ANSI HFS-100-1988, American Standardfor Human Factors Engineering of Visual Display Terminal Workstations. Santa Monica, California,1988.
                                                                                                        'l 4
CElllEC 964 Daly,for Control Rooms of Nuclear Power Plants. International Electrotechnical Commission, Geneva, Switzerland,1989.                                                          !
NUREG-0899 Guidelinesfor the Preparation ofEmergency Operating Procedures.
;          U. S. Nuclear Regulator Commission, Washington, D. C., August 1982.
NUREG-1358 lissons Leamedfrom the SpecialInspection Programfor Emergency. US Nuclear Regulatory Commission, Washington, D. C., April,1989.
NUREG-0700 Human-System Interface Design Review Guideline, Rev.1, Draft Repost. US Nuclear Regularary Commission, Washington, D.C., February,1995.
4 NUREGICR-5908 Advanced Human-System Interface Design Guidelines. US Nuclear Regulatoly Commission, Washington, D. C., July,1994.
NUREGICR-6501 Human Factors Engineering Guidelines for the Review of Advanced Alarm Systems. US Nuclear Regulatory Commission, Washington, DC., September,1994.
US Department of Defense, DOD-HDBK ~161 A, Human Engineering Guidelinesfor Management Information Systems. Office of Management and Budget, Washington, D.C.,1990.
All aspects of the M-MIS, including information, displays, controls, data processing, navigation mechanisms, and workstation and console configurations, will be verified against the standards and conventions specified in the applicable AP600-specific guideline documents.
l The HFE design verification implementation plan will specify procedures for identifying, reviewing,    .l and correcting deviations from the standards and conventions specified in the guideline documents.
Included in the scope of the HFE design verification will be the identification of nonfunctional decorative det.uls (borders and shadowing on graphic displays) not specified in the guideline documents that do not support operator task performance.
All deviations from standards and conventions specified in the guideline documents will be Gagged for review. If there is adequate justification for the deviation, the justification will be documented.
Otherwise, a change will be made to bring the M-MIS resource into compliace t.ith the guideline documents.
u A2157w.wpf;Ib-0402%                                3-2
 
l l
l 4.0      INTEGRATED SYSTEM VALIDATION l
An implementation plan will be developed specifying a methodology for integrated system validation.
l    The objective of integrated system validation is to ensure that the functions and tasks allocated to the l-  plant personnel can be accomplished with the M-MIS design implementation. Explicitly included in the integrated system validation is validation of the AP600 EOPs.
i i
l 4.1      Methodology The integrated system validation implementation plan will include a methodology section that addresses:
Objectives Personnel performance issues Test methodology and procedures Test participants                                                                    !
Test conditions (including plant conditions, operating sequences, accident scenarios)
M-MIS description Performance measures
* Data analysis Acceptance criteria Process by which resnits will be used to determine whether changes to the M-MIS are required, and the process by which change requirements are tracked and verified 4.2      Tools Used for Evaluating Dynamic Task Performance Integrated system validation will be performed using an AP600-specific, near full-scope, high-fidelity, simulator of the AP600 control room that is similar to a training simulator. The near full-scope, high-fidelity simulator of the AP600 control room will display high physical fidelity (the testbed will physically resemble the actual hardware to be implemented in the AP600 control room), as well as high-fidelity with respect to information content (containing AP600-specific displays and controls), and underlying process dynamics (it shall be driven by an AP600-specific plant simulation). Near is used
  ,  to indicate that features of the simulation are not relevant to the test being made may not be full-fidelity.
Operator actions at non-control room facilities, such as remote shutdown panels, and the TSC, may be evaluated using static mock-ups, or prototypes.                                                  -
l l
u:\2157w.wpf:lb-o402%                                  4-1
 
4.3      Integrated System Validation Evaluations The implementation plan will specify the objectives of the integrated system validation to:
Establish the adequacy of the integrated M-MIS for achieving HFE program goals        *'
Confirm allocation of function and the stmeture of tasks assigned to personnel Validate the EOPs Ccnfirm the dynamic aspects of the M-MIS for task accomplishment Evaluate and demonstrate error tolerance to human and system failures Establish the adequacy of staffing and the M-MIS to support staff to accomplish their tasks The implementation plan will specify how the integrated system validation will fulfill these evaluation objectives.
4.4      Risk Important Tasks The integrated system validation will include test scenarios designed to validate the adequacy of staffing and the M-MIS to support personnel performance for:
Important and representative tasks as defined in Element 4 (Task Analysis)
Risk-imponant tasks as defined by the PRA threshold criteria Design-basis and beyond4esign-basis accident scenarios covered by the EOPs 4.5      Compliance with Regulatory Guide 1.33 Regulatory Guide 1.33, Appendix A lists categories of activities that should be covered by written procedures, such as administrative procedures, general plant operating procedures, procedures for control of measuring and test equipment and for surveillance, procedures for performing maintenance, and chemistry and radiochemical control procedures. As indicated in Reg. Guide 1.33, the procedures may be combined, separated, or deleted to conform to procedure plans.
Complete validation of all classes of procedures identified in Regulatory Guide 1.33 is beyond the scope of the integrated system validation. As stated in Subsection 1.2, the V&V scope in the areas of maintenance, test, inspection, and surveillance, will be limited to tasks determined as risk-impo tant based on PRA threshold criteria Integrated validation will include test scenarios simulating situations governed by sample p;ocedures from selected Regulatory Guide 1.33 categories, for the purposes of increased realism, and to ensure that the AP600 control room design, in conjunction with such procedures, can achieve their intended functions without interfering with plant operations. Test scenarios will be developed that include select maintenance, test, and surveillance activities conducted in the main control room while the plant l
u:\2157w.wpf:Ib 032896                                4-2 i
I
 
is being operated to show that these tasks can be accomplished without interfering with operator tasks necessary for monitoring and controlling the plant 4.6      Criteria for Selection of Test Scenarios for Dynamic Evaluations                                        I l
A multi-dimensional set of criteria will be used to define a set of test scenarios to be included in the          j integrated system validation. Dimensions to be considered will include covenng:
                                                                                                                              )
A range of operational modes including normal plant evolutions (startup, fur, power,      ,
and shutdown)                                                                              I Transients (reactor trip, turbine trip)
Design-basis and beyond design-basis accidents covered by the EOPs AP600-specific design features (the Automatic Depressurintion System, the Diverse          i Actuation System)                                                                          '
Scenarios that include human performance actions identified to be risk-important by        )
the PRA                                                                                    ,
1 Instrument failures M-MIS equipment and processing failures, including failure of the computerized procedure system, establishing the ability to use the back-up                                l l
* 1 Reactor shutdown and cooldown from remote shutdown panel                                    i Situations that produce cognitive challenges, including situations that complicate:
Situation assessment by providing degraded or conflicting plant state information Response (require balancing of multiple goals, require manual takeover of automatic systems)
Performance by increasing personnel communication / coordination requirements or u:u 57 .wpr.ib-0402%                                                  4-3 1
 
1 Increase workload by introducing additional tasks or distractions (Subsection 4.5 & 4.7)
The sei of test scenarios specified will be sufficient to validate the EOPs as implemented in computerized procedures.
* They will also include scenarios to validate key HRA modeling assumptions for event sequences that                ,
involve risk-important human actions. Examples of assumptions to be confirmed are that particular human actions that need to be performed are satisfactorily completed within the time-window specified in the PRA.
The set of test scenarios included in integrated system validation will be defm' ed by a multi-disciplinary team that includes input from EOP developers, M-MIS designers, human factors specialists, and human reliability analysis /PRA analysts.
4.7                Realistic Validation Scenarios The implementation plan will specify how test scenarios will be realistic with respect. to plant conditions that are likely to hold for the situations being represented (number of personnel in the control room, communication requirements with personnel outside the control room, requirements for notification to outside organizations, noise level and temperature).
Selected scenarios.will include environmental conditions, such as noise and distractions, which may affect human performance in an actual nuclear power plant.
l For actions outside the control room that are within the scope of the integrated system validation,                  !
performance impacts of potentially harsh environments that require additional time will be realistically            I simulated (for example, time to don protective clothing and access hot areas).                                      !
4.8              Performance Measures and Acceptw Criteria i
i De implementation plan will specify performance measures used to establish that mission goals and operator performance requirements are achieved. Performance measures will include:                                .
System measures relevant to plant safety Personnel primary task performance Personnel errors Situation awareness uA2157w.wpf;1b4402%                                        4-4
 
2 n
4 4
i
* Workload
;                                    Personnel communications and coordination
                                    . Dynamic anthropometry evaluations (such as reach and dexterity)              i i
i j
* Physical positioning and interaction with M-MIS .
b
!          For each measure, the measurement approach and instmment to be used will be specified, and              !
l          objective acceptance criteria will be defined. Meas".rement approaches may range from objective
!          measures of crew performance to subjective me.m es of performance obtained through post-scenario        .
}          questionnaires and rating forms administered to test participants, to evaluations made by an evaluation j          team participating in the validation exercises as expert observers.
i                                                                                                                  .
3 i
I                                                                                                                  ;
)
i                                                                                                                  .
u:\2157w.wpf:Ib432896                                        4-5
 
[
i i
5.0      ISSUE RESOLUTION VERIFICATION l      An implementation plan will be developed specifying a methodology for human factors issues resolution verification.
The implementation plan will specify a procedure to ensure that all issues documented in the human factors issue tracking system are verified to be adequately addressed in the final M-MIS. The l      implementation plan will include a procedure for identifying and tracking human factors issues that cannot be resolved until a plant is built. The procedure will specify how verification of these human factors issues will be incorporated into the process for final plant HFE verification.
l l
l l'                                                                                                            ,
l l
f i
i uMI57w.wpf.lb440296                                51
 
6.0      FINAL PLANT HFE DESIGN VERIFICATION An implementation plan will be developed specifying a methodology for verifying that the in-plant HFE conforms to the M-MIS design that resulted from the HFE design process and V&V activities.
In the Westinghouse design process, mechanisms for insuring that systems conform to the final functional requirements and design descriptions, are factory acceptance tests conducted on the actual system hardware at the factory, and the site acceptance test conducted after the hardware is installed at !
the plant site.
The implementation plan for the final plam HFE design verification will specify the verifications that    !
will be conducted as part of the factory rocceptance test, and site acceptance test, ensuring that the l
in-plant HFE conforms to the M-M)S design that resulted from the HFE design process and V&V l
activities.
The implementation plan will include procedures for identifying aspects of the M MIS that were not addressed in the design process V&V, and procedures for evaluating them using appropriate V&V methods. Aspects of the M-MIS design that fall in this category include design features that could not be evaluated in a simulator, and design modifications that occurred subsequent to the M-MIS design V&V, such as hardware upgrades.
I 4
u \2157w.wpf:1b4328%                              6-1
 
l l
l l             
 
==7.0          REFERENCES==
 
ANSI HFS-100-1988, American Standardfor Human factors Engineering of Visual Display Terminal Workstations. American National Standards Institute, Santa Monica, California,1988.
l              CEllIEC 964 Design for Control Rooms of Nuclear Power Plants. Intemational Electrotechnical Commission, Geneva, Switzerland,1989.
DOD-HDBK-761 A Human Engineering Guidelinesfor Management Infonnation Systems.
US Department of Defense, Office of Management and Budget, Washington, D.C.,1990.
IEEE Std. 845-1988 IEEE Guide to Evaluation of Man-Machine Performance in Nuclear Power Generating Station Control Rooms and Other Peripheries. Institute of Electrical and Electronics Engineers,1988.
OCS-T5-001 Roth,5. & Mumaw, R. 3. Man-in-the-loop Test Plan Description, Rev. B.
March,1994.
NUREG-0899 Guidelinesfor the Preparation of Emergency Operating Procedures. US Nuclear Regulatory Commission, Washington, D. C., August 1982.
NUREG-1358 Lessons Learnedfrom the SpecialInspection Programfor Emergency. US Nuclear                        i Regulatory Commission, Washington, D. C., April,1989.
NUREG-0711 Human Factors Engineering Program Review Model. US Nuclear Regulatory                            ,
Commission, Washington, D.C., July,1994.
NUREG-0700 Human-System Interface Design Review Guideline, Rev.1, Draft Report. US Nuclear Regulatory Commission, Washington, D.C., February,1995.
NUREGICR-5908 Advanced Human-System Interface Design Guidelines. US Nuclear Regulatory Commission, Washington, D. C., July,1994.
NUREGICR-6501 Human Factors Engineering Guidelinesfor the Review ofAdvanced Alann Systems. US Nuclear Regulatory Commission, Washington, DC., September,1994.
Regulatory Guide 1.33, Quality Assurance Program Requirements. Revision 2 US Nuclear Regulatory Commission Washington, D. C.
l
                .:\2 57w.wyt:ib 032s*                              7-1}}

Latest revision as of 16:59, 18 May 2020

Non-proprietary Programmatic Level Description of AP600 Human Factors Verification & Validation Plan
ML20107C740
Person / Time
Site: 05200003
Issue date: 04/08/1996
From: Kerch S, Reid J
WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP.
To:
Shared Package
ML20107C738 List:
References
WCAP-14401, WCAP-14401-R, WCAP-14401-R00, NUDOCS 9604170515
Download: ML20107C740 (23)
v  d  e


Text

WEFrINGHOLEE NON-PROPRIETARY CIASS 3 WCAP-14401 Y

! PROGRAMMATIC LEVEL DESCRIPTION l OF THE AP600 HUMAN FACTORS VERIFICATION AND VALIDATION PLAN i

)

i l

April 1996 E. Roth S. Kerch AP600 Document No. OCS-GEH-020 9604170515 960412 PDR ADOCK 05200003 A PDR WESTINGHOUSE ELECTRIC CORPORATION l Energy Systems Business Unit i Nuclear Technology Division P.O. Box 355 Pittsburgh, Pennsylvania 15230-0355 C1996 Westinghouse Electric Corporation All Rights Reserved u:\2157w.wptib-040996 i

l AP600 DOCUMENT COVER SHEET IDS: 1 TDC: S Form 58202G(5/94) [t:\xxxx.wpf;1x]

AP600 CENTRAL FILE USE ONLY:

00S8.FRM RFS#: RFS ITEM #:

AP600 DOCUMENT NO. REVISION NO. ASSIGNED TO AP600 Doc. No. oCS-GEH-002 0 Page 1 of.22_ Enter Assigned To i' ALTERNATE DOCUMENT NUMBER: WCAP-14401, Rev. O WORK BREAKDOWN #: WBS 3.3.2.4.15 DESIGN AGENT ORGANIZATION: Westinghouse Electric  ;

TITLE: Programmatic Level Description of the AP600 Human Factors Verification and Validation Plan ATTACHMENTS: DCP #/REV. INCORPORATED IN THIS DOCUMENT REVISION:

CALCULATION / ANALYSIS

REFERENCE:

ELECTRONIC FILENAME ELECTRONIC FILE FORMAT ELECTRONIC FILE DESCRIPTION u:\2157w.wpf:1b-040496 Word Perfect (C) WESTINGHOUSE ELECTRIC CORPORATION 199fL 0 WESTINGHOUSE PROPRIETARY CLASS 2 This document contains information proprietary to Westinghouse Electric Corporation: it is sutmtted in confidence and is to be used solely for the purpose for which it is fumished and retumed upon request. This document and such information is not to be reproduced, transmitted, disclosed or used otherwise in whole or in part without prior written authorization of Westinghouse Electric Corporation, Energy Systems Business Unit, subject to the legends contained hereof.

O WESTINGHOUSE PROPRIETARY CLASS 2C This document is the property of and contains Proprietary Information owned by Westinghouse Electric Corporation and/or its subcontractors and suppliers. It is transmitted to you in confidence and trust, and you agree to treat this document in strict accordance with the terms and conditions of the agreement under which it was provided to you.

@ WESTINGHOUSE CLASS 3 (NON PROPRIETARY)

COMPLETE 1 IF WORK PERFORMED UNDER DESIGN CERTIFICATION ~OR COMPLETE 2 IF WORK PERFORMED UNDER FOAKE.

1 @ DOE DESIGN CERTIFICATION PROGRAM - GOVERNMENT LIMITED RIGHTS STATEMENT [See page 2)

Copyright statement: A license is reserved to the U.S. Govemment under contract DE-AC03-90SF18495.

@ DOE CONTRACT DELIVERABLES (DELIVERED DATA)

Subject to specified exceptions, disclosure of this data is restricted until September 30,1995 or Design Certification under DOE contract DE ACO3-90SF18495, whichever is later.

EPRI CONFIDENTIAL: NOTICE: 1 U 2 30 4 sO CATEGORY: A@ B CO D E F 2 O ARC FOAKE PROGRAM - ARC LIMITED RIGHTS STATEMENT [See page 2]

Copyright statement A license is reserved to tne U.S. Govemment under contract DE-FCO2-NE34267 and subcontract ARC-93-3-SC-001.

O ARC CONTRACT DELIVERABLES (CONTRACT DATA)

Subject to specified exceptions, disclosure of this data is restricted under ARC Subcontract ARC-93-3-SC-001.

ORIGINATOR SIGNATURE /D TE S. P. Kerch AP600 RESPONSIBLE MANAGER Q

SI RE*

APPROVA DAT n /* M k Y

  • Approval of the responsible manager signifies that document is complete, all required reviews are complete, electronic file is attached and document is r: leased for use.

1 AP600 DOCUMENT COVER CHEET PJg2 2 Form 58202G(5!94) LIMITED RIGHTS STATEMENTS DOE GOVERNMENT UMITED RIGHTS STATEMENT l 1

(A) These data are submitted with lirnited rights under government contract No. DE-AC03-90SF18495. These data may be reproduced and used by the government with the express litnitation that they will not, without written permission of the contractor, be used for purposes l of manufacturer nor disclosed outside the govemment; except that the govemment may disclose these data outside the govemment i for the following purposes, if any, provided that the govemment makes such disclosure subject to prohibition against further use and i disclosure:

(l) This " Proprietary Data" may be disclosed for evaluation purposes under the restrictions above. .

(ll) The ' Proprietary Data" may be disclosed to the Electric Power Research institute (EPRI), electric utility representatives and their direct consultants, excluding direct commercial competitors, and the DOE National Laboratones under the prohibitions and restrictions above.

(B) This notice shall be marked on any reproduction of these data, in whole or in part.

ARC UMITED RIGHTS STATEMENT:

This proprietary data, fumished under Subcontract Number ARC-93-3-SC401 with ARC may be duplicated and used by the govemment and l ARC, subject to the limitations of Article H-17.F. of that subcontract, with the express limitations that the proprietary data may not be disclosed t

outside the govemment or ARC, or ARC's Class 1 & 3 members or EPRI or be used for purposes of manufacture without prior permission of the Subcontractor, except that further disclosure or use may be made solely for the following purposes:

This proprietary data may be disclosed to other than commercial competitors of Subcontractor for evaluation purposes of this subcontract under i

the restriction that the proprietary data be retained in confidence and not be further disclosed, and subject to the terms of a non-disclosure l agreement between the Subcontractor and that organization, excluding DOE and its contractors.

l DEFINITIONS 1

l CONTRACT / DELIVERED DATA - Consists of docurnents (e.g. specifications, drawings, reports) Which are i generated under the DOE or ARC contracts which contain no background proprietary data.

EPRI CONFIDENTIALITY / OBLIGATION NOTICES NOTICE 1: The data in this document is subject to no confidentiality obligations.

NOTICE 2: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is forwarded to recipient under an obligation of Confidence and Trust for limited purposes only. Any use, disclosure to unauthorized persons, or copying of l this document or parts thereof is prohibited except as agreed to in advance by the Electric Power Research institute (EPRI) and Westinghouse l Electric Corporation. Recipient of this data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information contained herein i

that are permitted.

NOTICE 3: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is forwarded to recipient under an obligation of Confidence and Trust for use only in evaluation tasks specifically authorized by the Electric Power Research Institute (EPRI). Any use, disclosure to unauthorized persons, or copying this document or parts thereof is prohibited except as agreed to in advance by EPRI and Westinghouse Electric Corporation. Recipient of this data has a duty to inquire of EPRI and/or Westinghouse as to the uses of the information contained herein that are permitted. This document and any copies or excerpts thereof that may have been generated are to be returned to Westinghouse, directly or through EPRI, when requested to do so.

NOTICE 4: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. It is being revealed in confidence and trust only to Employees of EPRI and to certain contractors of EPRI for limited evaluation tasks authorized by EPRI.

Any use, disclosure to unauthorized persons, or copying of this document or parts thereof is prohibited. This Document and any copies or excerpts thereof that may have been generated are to be retumed to Westinghouse, directly or through EPRI, when requested to do so.

I NOTICE 5: The data in this document is proprietary and confidential to Westinghouse Electric Corporation and/or its Contractors. Access to this data is given in Confidence and Trust on!y at Westinghouse facilities for limited evaluation tasks assigned by EPRI. Any use, disclosure i to unauthonzed persons, or copying of this document or parts thereof is prohibited. Neither this document nor any excerpts therefrom are to I be removed from Westinghouse facilities.

EPRI CONFIDENTIALITY / OBLIGATION CATEGORIES CATEGORY 'A'-(See Delivered Data) Consists of CONTRACTOR Foreground Data that is contained in an issued reported.

l 1

, CATEGORY "B"-(See Delivered Data) Consists of CONTRACTOR Foreground Data that is not contained in an issued report, except for computer programs.

CATEGORY "C" - Consists of CONTRACTOR Background Data except for computer programs. ,

CATEGORY *D" - Consists of computer programs developed in the course of performing the Work.

CATEGORY *E"- Consists of computer programs developed prior to the Effective Date or after the Effective Date but outside the scope of the Work.

CATEGORY 'F" - Consists of administrative plans and administrative reports.

TABLE OF CONTENTS Section Title Page a

l.0 INTRODUCTION 1-1 1.1 AP600 V&V Activities and Objectives 1-1 1.2 General Scope of AP600 V&V l-4 1.3 Guidance Documents for Development of V&V Implementation Plans 1-5 2.0 M-MIS TASK SUPPORT VERIFICATION 2-1 3.0 HFE DESIGN VERIFICATION 3-1 4.0 INTEGRATED SYSTEM VALIDATION 4-1 4.1 Methodology 4-1 4.2 Tools Used for Evaluating Dynamic Task Performance 4-1 4.3 Integrated System Validation Evaluations 4-2 4.4 Risk-Important Tasks 4-2 4.5 Compliance with Regulatory Guide 1.33 4-2 4.6 Criteria for Selection of Test Scenarios for Dynamic Evaluations 4-3 4.7 Realistic Validation Scenarios 4-4 4.8 Performance Measures and Acceptance Criteria 4-4 5.0 ISSUE RESOLUTION VERIFICATION 5-1  ;

6.0 FINAL PLANT HFE DESIGN VERIFICATION 6-1

7.0 REFERENCES

7-1 u:\2157w.wpf:lt>4328% iii

LIST OF FIGURES Figure Title Page 1-1 AP600 Concept Testing and Verification and Validation Activities 1-3 I

l I

i uA2157w.wpf:Ib-0328% iv

1.0 INTRODUCTION

This document provides a programmatic level description of the AP600 Human Factors Verification and Validation (V&V) plan. It specifies at a high-level the activities to be performed as part of the AP600 V&V. Individual implementation plans that provide more detailed descriptions of the tests to be performed, and acceptance criteria to be used, will be developed for each V&V activity specified in this report. Individual V&V implementation plans will be developed after design certification.

1.1 AP600 V&V Activities and Objectives  ;

'Ihe Human Factors Engineering Program Review Model (PRM) developed under the sponsorship of ,

the U. S. NRC (NUREG-0711) specifies that an HFE V&V program should include five activities with ,

the following objectives: l

1. Task Support Verification: Verifies that the man-machine interface system (M-MIS) j design provides all necessary alarms, displays, and controls to  !

support plant personnel tasks  !

2. HFE Design Verification: Verifies that the M-MIS design conforms to human factors engineering (HFE) principles, guidelines, and standards
3. Integrated System Validation: Validates that the M-MIS design can be effectively operated by personnel within all performance requirements
4. Issue Resolution Verification: Verifies that the M-MIS design resolves all identified HFE issues in the tracking system
5. Final Plant HFE Verification: Verifies that the final as-built product conforms to the verified j and validated design that resulted from the M-MIS design  !

process l

The AP600 V&V will include all five of these activities. Figure 1-1 presents the AP600 V&V activities and sequence in which these activities shall be performed. The sequence for completing these V&V activities will be as follows:

1. M-MIS Task Suppoit Verification
2. HFE Design Verification
3. Integrated System Validation
4. Issue Resolution Verification
5. Final Plant HFE Design Verification uA2157w.wpf:lb-0403% l-1

Figure 1-1 shows that additional Man-in-the-Loop concept tests will be performed as part of the M-MIS design process. Concept testing is performed as part of the functional design phase of the M-MIS design process. It is during the functional design phase that the core conceptual design for an ,

M-MIS resource and corresponding functional requirements are developed. An integral part of this l phase is rapid prototyping and design concept testing. Concept testing during the functional design phase serves two purposes. It:

I Provides input to help designers resolve design issues that have no well-established i human factors guidance l l

l Establishes the adequacy of the design concept and functional requirements that are produced in the functional design stage. Concept testing establishes that the i conceptual design resulting from the functional design stage is adequate to support operator performance in the range of situations anticipated to arise.

Concept tests slated to be performed as part of the AP600 M-MIS design process are described in AP600 document # OCS-TS-001. While these concept tests are not part of the formal AP600 V&V, they provide early feedback on the adequacy of AP600 M-MIS design elements.

l l

l l

l l

l 1

l l

1 I

u:u157w.wpf:1b-0403% l-2

o a

G w

4 2 3

$ E

=

n 8  ?

t' y ,.--__________________________________,,______-__________:

g  :  !

M-MIS ' Verification and Validation

' ,e O M-MIS

+ Implementadon M-MIS Task

@ Desige & Insegration +l e Supp0n +

Giardware & Software) Issue Final Plant HFE e 2 8 Verificanon am

  • jk
  • Integraled Sm + Resoludon + Verificanon.
  • 8 VmI= tar =wi H ' Verification .gq s 8

g

  • Desige g
  • Resolve design issues l HFEDesign + ~ "'I '

e o Verifica60n m Estabhah adequacy of a

  1. Q . FuncGonal a ,

3;,, ,

doise concept med ,

to requuements '  : ""== lest ,

2 Nwas . ' 8  :-

7 4 y i w < l

AP600-specific ,8 g

T* f h ridel e

training simulator

,C- Man-in-the-loop test of concrete l

a exasnple of functionaldesign: '_______________________________________,,_,,,,,,,,,,,,e g .y

<

  • Partaasksimiutations E.

"--

  • Near full-scope,blfidelity 2

g simulator for sismilar plant o

a n

C.

3.

c.

2

. _ . . _ . _ . _ _ _ __ ~ _ _ . __ _ . _ _ . _ _ . . _ _ _ _ . . _. _ _ _ . _ . ..__ _ _ _ _

l i

1.2 General Scope of AP600 V&V l l

The AP600 V&V scope is defined with respect to M-MIS resources included in the V&V. The PRM scope description includes trained personnel and communication. Personnel training requirements and communication requirements will be addressed in the integrated system validation. -

The scope of the AP600 V&V will include:

l

=

M-MIS hardware j

=

M-MIS software

  • Procedures j

=

Workstation and console configurations a Design of the overall work environment Specifically included in the AP600 V&V is verification and validation of the AP600 Emergency Operating Procedures (EOPs).

The AP600 EOPs will be computerized. A backup will be available to handle the unlikely situation where the Computerized Procedure System is lost. Verification and validation will be conducted '

primarily on the computerized procedures. The back-up will be evaluated as part of the integrated system validation by including test scenarios that examine the use of the back-up following the simulated loss of the Computerized Procedure System.

A set of representative and important tasks will be identified as part of task analysis activities, l Element 4 (Task Analysis). This set of tasks will define and bound the scope of the AP600 V&V activities. Tasks will be drawn from the areas of:

Operations Maintenance

=

Test, inspection, and surveillance Tasks for inclusion in the task analysis and V&V will be identified based on consideration of the importance of human actions for function achievement, and the impact of task failure on safety. Tasks in the areas of maintenance, test, inspection, and surveillance, will be limited to those determined to be risk-important based on the probabilistic risk assessment (PRA) threshold criteria specified in the Implementation Plan for Integration of Human Reliability Analysis (HRA) and HFE Design.

Selected tasks will cover the full range of plant operating modes, including:

  • Startup Normal operations Abnormal and emergency operations u:\2157w.wpf:Ib-0402% 14

r i

=

Transient conditions Low-power Shutdown conditions The V&V scope will be limited to those facilities required for scenario evaluation that involve risk-imponant tasks as defined by the PRA threshold criteria. Facilities included in the V&V scope are:

Main Control Room Remote shutdown workstations Technical Support Center (TSC) l The AP600 design does not require risk-imponant actions to be taken from local control stations, so local control stations are not included in the V&V scope. If, as a result of further analysis, risk-important tasks or critical actions are identified at local control stations, those stations, with respect to the identified tasks or actions, will be included in the V&V.

1.3 Guidance Documents for Development of V&V Implementation Plans )

Implementation plans providing detailed test procedures and acceptance criteria will be developed for each of the five V&V activities identified in Figure 1-1.

V&V implementation plans will be developed using accepted industry standards, guidelines, and i practices. Documentation to develop the V&V implementation plans willinclude:

l CEIIIEC 964 Design for Control Rooms of Nuclear Power Plants. International Electrotechnical Commission,1989.

IEFF Std. 845-1988 IEEE Guide to Evaluation of Man Machine Performance in Nuclear Power Generating Station Control Rooms and Other Peripheries. Institute of Electrical and Electronics Engineers,1988.

. NUREG-0899 Guidelinesfor the Preparation of Emergency Operating Procedures. US Nuclear Regulatory Commission, Washington, D. C., August 1982.

NUREG-1358 Lessons Exarnedfrom the SpecialInspection Programfor Emergency. US Nuclear Regulatory Commission, Washington, D. C., April,1989.

i NUREG-0711 Human Factors Engineering Program Review Model. US Nuclear Regulatory

Commission, Washington, D.C., July,1994.

a:utS7w.wpt:ib-o328% l-5

NUREG-0700 Human-System Interface Design Review Guideline, Rev.1, Draft Report. US Nuclear Regulatory Commission, Washington, D.C., February,1995. ,i l

Regulatory Guide 1.33, Quality Assurance Program Requirements. Revision 2 US Nuclear Regulatory Commission Washington, D. C. '

I i

l i

I 1

I

, I l

i l

l l

l i

l l

l I

I 6

u:\2157w.wpf:lb-0328% }.6

2.0 M MIS TASK SUPPORT VERIFICATION An implementation plan shall be developed specifying a methodology for M-MIS task support verification. The M MIS task support verification objective will be to verify all aspects of the M-MIS design (e.g., controls, displays, alarms, procedures, and data processing) that are required to accomplish personnel tasks and actions as defined by task analyses, EOPs, and risk important human tasks identified by the PRA.

The M-MIS Task Support Verification implementation plan will include a methodology description by which the M-MIS design will be checked against the information and control requirements identified by the:

Function-based task analyses Operational sequence task analyses performed for important and representative tasks as defined in Element 4 (Task Analysis)

Operational sequence task analyses performed for risk important personnel tasks as defined by the PRA

+

Operational sequence task analyses performed for the complete set of EOPs I

The M-MIS Task Support Verification methodology will describe how, in each case, the M-MIS resources will be verified to ensure that all alarms, displays, controls, procedures, and data-processing required for task performance are available, and that the characteristics of the M-MIS (e.g., units of I measure, accuracy, precision, and dynamic response) match task requirements. l The M MIS Task Support Verification implementation plan will also describe a process by which the  :

M-MIS design will be verified to ensure that the M-MIS does not include information, displays, or controls that do not support operator tasks. The information and controls provided on the M-MIS resources will be checked against display and control requirements generated from the function-based  !

and operational sequence task analyses. Any information, display, or control appearing on an M-MIS

, resource not identified as required by any of the task analyses, will be flagged, requiring further analysis and review. If the information, display, or control is shown to be necessary to support operator performance, it will be documented, and the task analyses will be revised accordingly. If, after review, no explanation can be found for how the information, display, or control supports operator performance, it will be removed and the documentation will be revised accordingly.

muis7w.wpr: b-032s* 2-1

l l l t

3.0 HFE DESIGN VERIFICATION An implementation plan that specifies a methodology for HFE design verification will be developed.

The objective of the HFE design verification will be to verify that all aspects of the M-MIS (e.g.,

p controls, displays, procedures, and data processing) are consistent with accepted HFE guidelines, standards, and principles.

The HFE design verification implementation plan will specify a process by which deviations from accepted HFE guidelines, standards, and principles will be identified and acceptably justified based on l a documented rationale, such as trade study results, literature-based evaluations, demonstrated operational experience, and tests or experiments.

The HFE design verification will include all M-MIS in the control room, remote shutdown workstations, and the TSC. Local control stations will be reviewed to the extent that they are required for risk-important human actions as dermed by the PRA.

l The HFE design verification specification plan will describe a procedure by which M-MIS resources will be verified, ensuring conformance to AP600-specific M-MIS standards and convention guideline documents that will be prepared to cover all M-MIS resources and their integration. The AP600-l specific standards and convention guidelines will include:

l l

l

  • Alarm guidelines l
  • Display guidelines Controls guidelines l

Computerized procedures guidelines l

  • Anthropometric guidelines The AP600-specific M-MIS standards and convention guidelines will provide:

A specification of accepted HFE guidelines, standards, and principles to which the M-MIS will conform A specification of particular design conventions (e.g., panicular coding conventions) to which the M-MIS will conform i

H a Documentation of any deviations from accepted HFE guidelines, standards and principles, and justification based on documented rationale such as trade study results, literature-based evaluations, demonstrated operational experience, and tests and experiments

(

u A2157w.wpf.ll>O602% 3-1

i An illustrative subset of accepted HFE guideline documents that will be used in compiling accepted HFE guidelines, standards, and principles to be included in the AP600-specific standards and convention guideline documents are:

American National Standards Institute, ANSI HFS-100-1988, American Standardfor Human Factors Engineering of Visual Display Terminal Workstations. Santa Monica, California,1988.

'l 4

CElllEC 964 Daly,for Control Rooms of Nuclear Power Plants. International Electrotechnical Commission, Geneva, Switzerland,1989.  !

NUREG-0899 Guidelinesfor the Preparation ofEmergency Operating Procedures.

U. S. Nuclear Regulator Commission, Washington, D. C., August 1982.

NUREG-1358 lissons Leamedfrom the SpecialInspection Programfor Emergency. US Nuclear Regulatory Commission, Washington, D. C., April,1989.

NUREG-0700 Human-System Interface Design Review Guideline, Rev.1, Draft Repost. US Nuclear Regularary Commission, Washington, D.C., February,1995.

4 NUREGICR-5908 Advanced Human-System Interface Design Guidelines. US Nuclear Regulatoly Commission, Washington, D. C., July,1994.

NUREGICR-6501 Human Factors Engineering Guidelines for the Review of Advanced Alarm Systems. US Nuclear Regulatory Commission, Washington, DC., September,1994.

US Department of Defense, DOD-HDBK ~161 A, Human Engineering Guidelinesfor Management Information Systems. Office of Management and Budget, Washington, D.C.,1990.

All aspects of the M-MIS, including information, displays, controls, data processing, navigation mechanisms, and workstation and console configurations, will be verified against the standards and conventions specified in the applicable AP600-specific guideline documents.

l The HFE design verification implementation plan will specify procedures for identifying, reviewing, .l and correcting deviations from the standards and conventions specified in the guideline documents.

Included in the scope of the HFE design verification will be the identification of nonfunctional decorative det.uls (borders and shadowing on graphic displays) not specified in the guideline documents that do not support operator task performance.

All deviations from standards and conventions specified in the guideline documents will be Gagged for review. If there is adequate justification for the deviation, the justification will be documented.

Otherwise, a change will be made to bring the M-MIS resource into compliace t.ith the guideline documents.

u A2157w.wpf;Ib-0402% 3-2

l l

l 4.0 INTEGRATED SYSTEM VALIDATION l

An implementation plan will be developed specifying a methodology for integrated system validation.

l The objective of integrated system validation is to ensure that the functions and tasks allocated to the l- plant personnel can be accomplished with the M-MIS design implementation. Explicitly included in the integrated system validation is validation of the AP600 EOPs.

i i

l 4.1 Methodology The integrated system validation implementation plan will include a methodology section that addresses:

Objectives Personnel performance issues Test methodology and procedures Test participants  !

Test conditions (including plant conditions, operating sequences, accident scenarios)

M-MIS description Performance measures

  • Data analysis Acceptance criteria Process by which resnits will be used to determine whether changes to the M-MIS are required, and the process by which change requirements are tracked and verified 4.2 Tools Used for Evaluating Dynamic Task Performance Integrated system validation will be performed using an AP600-specific, near full-scope, high-fidelity, simulator of the AP600 control room that is similar to a training simulator. The near full-scope, high-fidelity simulator of the AP600 control room will display high physical fidelity (the testbed will physically resemble the actual hardware to be implemented in the AP600 control room), as well as high-fidelity with respect to information content (containing AP600-specific displays and controls), and underlying process dynamics (it shall be driven by an AP600-specific plant simulation). Near is used

, to indicate that features of the simulation are not relevant to the test being made may not be full-fidelity.

Operator actions at non-control room facilities, such as remote shutdown panels, and the TSC, may be evaluated using static mock-ups, or prototypes. -

l l

u:\2157w.wpf:lb-o402% 4-1

4.3 Integrated System Validation Evaluations The implementation plan will specify the objectives of the integrated system validation to:

Establish the adequacy of the integrated M-MIS for achieving HFE program goals *'

Confirm allocation of function and the stmeture of tasks assigned to personnel Validate the EOPs Ccnfirm the dynamic aspects of the M-MIS for task accomplishment Evaluate and demonstrate error tolerance to human and system failures Establish the adequacy of staffing and the M-MIS to support staff to accomplish their tasks The implementation plan will specify how the integrated system validation will fulfill these evaluation objectives.

4.4 Risk Important Tasks The integrated system validation will include test scenarios designed to validate the adequacy of staffing and the M-MIS to support personnel performance for:

Important and representative tasks as defined in Element 4 (Task Analysis)

Risk-imponant tasks as defined by the PRA threshold criteria Design-basis and beyond4esign-basis accident scenarios covered by the EOPs 4.5 Compliance with Regulatory Guide 1.33 Regulatory Guide 1.33, Appendix A lists categories of activities that should be covered by written procedures, such as administrative procedures, general plant operating procedures, procedures for control of measuring and test equipment and for surveillance, procedures for performing maintenance, and chemistry and radiochemical control procedures. As indicated in Reg. Guide 1.33, the procedures may be combined, separated, or deleted to conform to procedure plans.

Complete validation of all classes of procedures identified in Regulatory Guide 1.33 is beyond the scope of the integrated system validation. As stated in Subsection 1.2, the V&V scope in the areas of maintenance, test, inspection, and surveillance, will be limited to tasks determined as risk-impo tant based on PRA threshold criteria Integrated validation will include test scenarios simulating situations governed by sample p;ocedures from selected Regulatory Guide 1.33 categories, for the purposes of increased realism, and to ensure that the AP600 control room design, in conjunction with such procedures, can achieve their intended functions without interfering with plant operations. Test scenarios will be developed that include select maintenance, test, and surveillance activities conducted in the main control room while the plant l

u:\2157w.wpf:Ib 032896 4-2 i

I

is being operated to show that these tasks can be accomplished without interfering with operator tasks necessary for monitoring and controlling the plant 4.6 Criteria for Selection of Test Scenarios for Dynamic Evaluations I l

A multi-dimensional set of criteria will be used to define a set of test scenarios to be included in the j integrated system validation. Dimensions to be considered will include covenng:

)

A range of operational modes including normal plant evolutions (startup, fur, power, ,

and shutdown) I Transients (reactor trip, turbine trip)

Design-basis and beyond design-basis accidents covered by the EOPs AP600-specific design features (the Automatic Depressurintion System, the Diverse i Actuation System) '

Scenarios that include human performance actions identified to be risk-important by )

the PRA ,

1 Instrument failures M-MIS equipment and processing failures, including failure of the computerized procedure system, establishing the ability to use the back-up l l

  • 1 Reactor shutdown and cooldown from remote shutdown panel i Situations that produce cognitive challenges, including situations that complicate:

Situation assessment by providing degraded or conflicting plant state information Response (require balancing of multiple goals, require manual takeover of automatic systems)

Performance by increasing personnel communication / coordination requirements or u:u 57 .wpr.ib-0402% 4-3 1

1 Increase workload by introducing additional tasks or distractions (Subsection 4.5 & 4.7)

The sei of test scenarios specified will be sufficient to validate the EOPs as implemented in computerized procedures.

  • They will also include scenarios to validate key HRA modeling assumptions for event sequences that ,

involve risk-important human actions. Examples of assumptions to be confirmed are that particular human actions that need to be performed are satisfactorily completed within the time-window specified in the PRA.

The set of test scenarios included in integrated system validation will be defm' ed by a multi-disciplinary team that includes input from EOP developers, M-MIS designers, human factors specialists, and human reliability analysis /PRA analysts.

4.7 Realistic Validation Scenarios The implementation plan will specify how test scenarios will be realistic with respect. to plant conditions that are likely to hold for the situations being represented (number of personnel in the control room, communication requirements with personnel outside the control room, requirements for notification to outside organizations, noise level and temperature).

Selected scenarios.will include environmental conditions, such as noise and distractions, which may affect human performance in an actual nuclear power plant.

l For actions outside the control room that are within the scope of the integrated system validation,  !

performance impacts of potentially harsh environments that require additional time will be realistically I simulated (for example, time to don protective clothing and access hot areas).  !

4.8 Performance Measures and Acceptw Criteria i

i De implementation plan will specify performance measures used to establish that mission goals and operator performance requirements are achieved. Performance measures will include: .

System measures relevant to plant safety Personnel primary task performance Personnel errors Situation awareness uA2157w.wpf;1b4402% 4-4

2 n

4 4

i

  • Workload
Personnel communications and coordination

. Dynamic anthropometry evaluations (such as reach and dexterity) i i

i j

  • Physical positioning and interaction with M-MIS .

b

! For each measure, the measurement approach and instmment to be used will be specified, and  !

l objective acceptance criteria will be defined. Meas".rement approaches may range from objective

! measures of crew performance to subjective me.m es of performance obtained through post-scenario .

} questionnaires and rating forms administered to test participants, to evaluations made by an evaluation j team participating in the validation exercises as expert observers.

i .

3 i

I  ;

)

i .

u:\2157w.wpf:Ib432896 4-5

[

i i

5.0 ISSUE RESOLUTION VERIFICATION l An implementation plan will be developed specifying a methodology for human factors issues resolution verification.

The implementation plan will specify a procedure to ensure that all issues documented in the human factors issue tracking system are verified to be adequately addressed in the final M-MIS. The l implementation plan will include a procedure for identifying and tracking human factors issues that cannot be resolved until a plant is built. The procedure will specify how verification of these human factors issues will be incorporated into the process for final plant HFE verification.

l l

l l' ,

l l

f i

i uMI57w.wpf.lb440296 51

6.0 FINAL PLANT HFE DESIGN VERIFICATION An implementation plan will be developed specifying a methodology for verifying that the in-plant HFE conforms to the M-MIS design that resulted from the HFE design process and V&V activities.

In the Westinghouse design process, mechanisms for insuring that systems conform to the final functional requirements and design descriptions, are factory acceptance tests conducted on the actual system hardware at the factory, and the site acceptance test conducted after the hardware is installed at !

the plant site.

The implementation plan for the final plam HFE design verification will specify the verifications that  !

will be conducted as part of the factory rocceptance test, and site acceptance test, ensuring that the l

in-plant HFE conforms to the M-M)S design that resulted from the HFE design process and V&V l

activities.

The implementation plan will include procedures for identifying aspects of the M MIS that were not addressed in the design process V&V, and procedures for evaluating them using appropriate V&V methods. Aspects of the M-MIS design that fall in this category include design features that could not be evaluated in a simulator, and design modifications that occurred subsequent to the M-MIS design V&V, such as hardware upgrades.

I 4

u \2157w.wpf:1b4328% 6-1

l l

l l

7.0 REFERENCES

ANSI HFS-100-1988, American Standardfor Human factors Engineering of Visual Display Terminal Workstations. American National Standards Institute, Santa Monica, California,1988.

l CEllIEC 964 Design for Control Rooms of Nuclear Power Plants. Intemational Electrotechnical Commission, Geneva, Switzerland,1989.

DOD-HDBK-761 A Human Engineering Guidelinesfor Management Infonnation Systems.

US Department of Defense, Office of Management and Budget, Washington, D.C.,1990.

IEEE Std. 845-1988 IEEE Guide to Evaluation of Man-Machine Performance in Nuclear Power Generating Station Control Rooms and Other Peripheries. Institute of Electrical and Electronics Engineers,1988.

OCS-T5-001 Roth,5. & Mumaw, R. 3. Man-in-the-loop Test Plan Description, Rev. B.

March,1994.

NUREG-0899 Guidelinesfor the Preparation of Emergency Operating Procedures. US Nuclear Regulatory Commission, Washington, D. C., August 1982.

NUREG-1358 Lessons Learnedfrom the SpecialInspection Programfor Emergency. US Nuclear i Regulatory Commission, Washington, D. C., April,1989.

NUREG-0711 Human Factors Engineering Program Review Model. US Nuclear Regulatory ,

Commission, Washington, D.C., July,1994.

NUREG-0700 Human-System Interface Design Review Guideline, Rev.1, Draft Report. US Nuclear Regulatory Commission, Washington, D.C., February,1995.

NUREGICR-5908 Advanced Human-System Interface Design Guidelines. US Nuclear Regulatory Commission, Washington, D. C., July,1994.

NUREGICR-6501 Human Factors Engineering Guidelinesfor the Review ofAdvanced Alann Systems. US Nuclear Regulatory Commission, Washington, DC., September,1994.

Regulatory Guide 1.33, Quality Assurance Program Requirements. Revision 2 US Nuclear Regulatory Commission Washington, D. C.

l

.:\2 57w.wyt:ib 032s* 7-1

Retrieved from "https://kanterella.com/w/index.php?title=ML20107C740&oldid=2814566"