ML20099E299: Difference between revisions

From kanterella
Jump to navigation Jump to search
(StriderTol Bot insert)
 
(StriderTol Bot change)
Line 2: Line 2:
| number = ML20099E299
| number = ML20099E299
| issue date = 07/31/1992
| issue date = 07/31/1992
| title = Forwards Sys 80+ Human Factors Engineering Team Description & Markup of Part II of Human Factors Criteria Document Submitted by 920707 Ltr,Per 920709 Meeting W/Nrc
| title = Forwards Sys 80+ Human Factors Engineering Team Description & Markup of Part II of Human Factors Criteria Document Submitted by ,Per 920709 Meeting W/Nrc
| author name = Brinkman C
| author name = Brinkman C
| author affiliation = ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY, ASEA BROWN BOVERI, INC.
| author affiliation = ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY, ASEA BROWN BOVERI, INC.
Line 11: Line 11:
| contact person =  
| contact person =  
| document report number = LD-92-085, LD-92-85, NUDOCS 9208100117
| document report number = LD-92-085, LD-92-85, NUDOCS 9208100117
| title reference date = 07-07-1992
| document type = CORRESPONDENCE-LETTERS, INCOMING CORRESPONDENCE
| document type = CORRESPONDENCE-LETTERS, INCOMING CORRESPONDENCE
| page count = 59
| page count = 59

Revision as of 07:21, 24 September 2022

Forwards Sys 80+ Human Factors Engineering Team Description & Markup of Part II of Human Factors Criteria Document Submitted by ,Per 920709 Meeting W/Nrc
ML20099E299
Person / Time
Site: 05200002
Issue date: 07/31/1992
From: Brinkman C
ABB COMBUSTION ENGINEERING NUCLEAR FUEL (FORMERLY, ASEA BROWN BOVERI, INC.
To:
NRC OFFICE OF INFORMATION RESOURCES MANAGEMENT (IRM)
References
LD-92-085, LD-92-85, NUDOCS 9208100117
Download: ML20099E299 (59)


Text

- .- . - . . . . .

t'

, n ABB ASEA BROWN BOVERI July 31, -1992 LD-92-085 Docket No.52-002 Attn: Document Contro' Desk U.S. Nuclear Regulatory Commission Washingtca,.D.C. 205b5

Subject:

System 80+" Human Factors Engineering Teata R,ference: ABB-CE Letter LD-92-080, Human Factors Criteria, July-7, 1992

Dear Sirs:

At the July 9, 1992 meeting with NRC staff, ABB-CE agreed to provide a description of the human factors engineering team.- We also agreed to provide a markup - of Part 11 nf the Human Factors Criteria document (Reference) to identify the sources of the criteria therein; . The team '

description and the Part'I! markup are provided in Attachments 1 and II of-this letter.

If you have any questions, please call me or Mr. Stan Ritterbusch at (203) 285-5206.

! Very truly yours,.-

\

COMBUSTION ENGINEERING, INC. [

-3 C. B.- Brinkman

-Acting Director --.

l. Nuclear Systeras Licensing '[ .

-CBB/ser ,

cc: J. Trotter (EPRI)

T. Wambach (NRC)

ABB Combustion Engineering Nuclear Power h')6N i 70 0 015 ~~--m m eo -~ n- ~~~ a-o l PD 0 002 b A

._ PDR__ _ , _ _ . . _. .. ,_ _ _ _ _ . __....>

A 4s.-.- 4 sy-e. m.,

  • __ 4 - A c .4+- -, 4 t

4 i

e 1

k i

e I

g i

1 e

i 1

1 k

4 Y

4 e

e 6

4 r 4

b N

4 a'

I ATTACHMENT I 1,.

i 4

4

^

4 1

s

?

i i

i k

i i

f i

J l

-. 1 i ~i l

i-

-'i F

e f

8 4

f 9

t

... ... ; .- . . . . ~ , ' -, . . -.. . ., s . - , . . , - . . - - ,~-,~, .-m . . . . < . , . , ,, +.

t 4

Human-Systems Intera1 tion Design Team Organization and Responsibilities I- Minimum Job Descriptions and Expertise of Team HFE Team,

( Indepadent of Current Personnel.**

Manager, Advanced Reactor I&C

, Manager and co-ordinator for all advanced reactor projects' I&C and HF, reviews all HSI documents, integrates concerns of I&C engineering, cperations, management and MMI design, provides engineering management support for licensing activities Technical Supervisor, Control Complex Engineering Hux.n Factors (HF) Supervisor for all advanced reactor projects including all ALWR Human Factocs Engineering (HFE) and licensing, ITAAC/DAC, Standard Review Plan, Architect / Engineer co-ordination Consulting Engineer, HFE (I&C dept i Authors HF documents, ,*erforms ana: zes, supports licensing, develops MMI practices and features (HI ;tandards and guidance),

supports IEC enoineering, reviews applic =le System 80+ documents, g conducts HF Training sieminars, etc.

Also experienced in Architect /Eng: ering' (A/iO and utility HF.

Lead Engineer, HFE (Services dept.)

(

Description largely the same as consulting engineer. .More experience in operations and training, less in A/E and utility areas.

Senior Engineer, HFE (Services dept.)

, Develops HF standards and guidance, performs Human Reliability Assessment (HRA) and assists Probabilistic Risk Analysis (PRA),

RAMI, critical Task Analysis (TA), reviews HF documents, provides general HSI design support in HF area.

Consulting Engineer, I&C Expert on panel fabrication, MMI/I&C integration, I&C systems:

Reviews HF and I&C documents pertinent to his ataa of expertise.

Lead Engineer, I&C/HF DAC/ITAAC development for I&C, Human System Interface (HSI) design support, expert in Nuplex 80+ design systems, provides licensing support

HSI Job Descriptions (cont.)

Lead Engineer, I&C/HF/ Operations Experienced. 3icensed simulator instructor and plant operator with formal HF training. Performs suitability analysis, aids in 4

panel layout and HSI design, document reviewer, operability expert,

. plant computer designer.

Consulting Engineer, I&C/ Operations Experienced plant operator and simulator instructor. Many duties similar to above including participation in analyses, walkthroughs, and validation work. Also an expert in software and training areas.

Technical Supervisor, I&C Expert in I&C systems, safety systems engineering, cor,ventional plant technology. Performs engineering and review for Nuplex 00 conventional evolution, HSI-I&C interface, and ,

supervises many laa system designs.

Consulting Engineer, I&C Expert in plant alarm and data processing systems. . Performs conventional /Nuplex BO+ evolutionary design worke Experienced U.S.

Navy operator. Assists in analyses and reviews HF products for operability and I&C engineering aspects.

A/E Liaison and Operations Expert; Duke Eng. & Services Experienced, licensed operator. Works for A/E as NSSS/AE liaison and A/E reviewer of System 80+ design. Provides regular input on HSI design and leads DESI work on Nuplex 80+ (e.g.-BOP layouts).

Provides continuous Utility & A/E design input.

a*These are the current positions and relative expertise on the team. However, the HFE team composition may change over time and specific areas or qualifications may change or he moved between positions depending on career paths of those involved.

t 9

i Human-Systems Interface Design Team Organization and Responsibilities II.-Team ConDosition and Exnertisa **

Expertise Area Team Member Systems Engineering Several Team members have training and experience in this area including the HFE supervisor and staff.

Architect / Engineering One HFE (Human Factors Engineer) has spent 3 yrs as senior HFE with a major Architect / Engineer

, (A/E). The A/E liaison is on the staff at the System 80+ A/E:

Duke Engineering Services.

Nuclear Power Plant Procedures All the project HF engineers have diverse procedure writing and formatting experience.

ABB-CE has a Start-up group which is experienced in procedure writing and will develop System 80+ operating procedure guidelines with input from the HSI team. Actual procedure development is out of scope for certification.

Personnel Training / The I&C operations Experts Systems Approach to Training are licensed simulator instructors. The HFE staff are experienced at seminars teaching and familiar with the systems approach. One HFE is a former naval operations instructor.

Training other plant staff is outside the scope for design certification, as is training in general. However,-ABB-CE will use its in-house expertise to provide input.

Safety Systems Engineering One technical I&C supervisor on the HSI de sign team is an expert in this area. Several I&C engineers are also experienced in safety systems design.

4 t 6 RAMI Two HP experts are experienced in the HSI aspects of RAMI.

Several I&C . engineers are experienced in other aspects of RAMI.

    • Theses expertise listings are based on the HFE team members for System 80+ as of 7/1/92. 'Over the course of the project life some details of who possesses what expertise may change although HFE team always possesses expertise in the areas listed.

b d

4

, i 1

, MISC 021.wp/I i l 1

I i DESIGN REVIEW TEAM i

I. Process Management Uses to Make Decisions on HFE Issues The majority of decisions made on Nuplex 80+ HFE issues during the design a process are made at the technical level by the HSI design teami That is,

! only a few HFE issues are not able to be resolved-by the design team and i must be brought to the attention .of management for resolution.

l- Within the design team, technical issues are resolved through a review and j consensus process using design review meetings. Whenatechnicalissue(s)

is identified tor resolution, the rc,ponsible design team member performs l necessary evaluations and formulates a recommended solution or design concept. A design review meeting is then held with representation from all affected -disciplines on the design team - (e.g. , human factors,

) operations). During -the design review meeting all perspectives on the=

issue are presented and the issue is either resolved or further required work is identified (e.g., feature.prototyping). The resolutions of the i meeting are documented in - an - internal memorandum- and subsequently

, incorporated into project documentation at the next appropriate revision.

d Open items are tracked through the internal memorandum - and similarly

, resolved at subsequent design review - meetings. -- In this process the 4 members cf the HSI design team are the decision makers. More than 95% of j the'HFE issues are resolved through this process.

l Large : cope or controversial issues which cannot be conclusively resolved i at the design team level are brought to the attention of ALWR project-

management for resolution and concurrence. - This would include items such i as CRT-implementation or procedures and use of fully selectable control devices. Less than five percent of issues _ fall 'into this category.
L In addition to the design review' meetings-within the HSI design team as described above, an independent- Nuplex 80+ - design review- team exists.

This team is described in Section.18.2.2 of CESSAR-DC. - Its function is to L review the Huplex 80+ design developments from a wide variety of project wide engineering perspectives. Primary' interaction with the review team-is through documentation review of- all Nuplex 80+ design documents and-design review meetings as necessary.

II. Describe the tools and techniques the HSI team uses to accomplish their responsibilities.

4-The HSI- design team uses Nuplex 80+ project documentation as a primary

- tool for carrying out its responsibilities.- Project documents include

plans, system descriptions, human factors standards- and guidelines,
verification reports, task analysis reports, -panel design reports etc.

l This documentation serves as the current status of the design and design -

i process. All project documents are reviewed and signed off within. the--

l design team and by representatives of other engineering organizations.

f

.-- , . _ . . - - _ _ . . _ _ , . ~ . . _ , . . , , - , ,_,,,,m_ < _ , , - - , _ , , - , , - - -

s

, MISC 021.wp/2 As described in the previous section another main tool of the design team is design review meetings and documentation of their results through

, internal memoranda. The results are incorporated into the appropriate

project documents during the next revision to that document.

i A final tool being implemented by the design team is a Tracking of Open 4 issues (T01) system. This system tracks to resolution and implementation all open issues related to the Nuplex 80+ human factors efforts. The requirements for this system is stated in the HFE Program Management design process element in the System 80+ Human Factors Engineering Criteria (LD-92-080).

4 4

A i

l i

j k

i i

4 4

, . . - - , . , . . , --e o --

yg ,

- g :.

s t

3

.' ATTACHMENT II e

4

.i=

4 s

PART II-DESIGN PRODUCT REQUIREMENTS.

b 11-1

HYDE.WP DESIGN PRODUCT REQUIREMENTS l, CRITERIA FOR ALARMS J

OBJECTIVE Part II of this document presents criteria for use in-the design certification

review of the main control room and other operating stations for an advanced light water reactor such as System 80+. It is intended-that these criteria

, address NRC requirements such that subsequent review of the design shall be, j principally, restricted to confirmation that_the criteria have been met.-.

i SCOPE To facilitate implementation in a design review the criteria are grouped

according to the functional elements which comprise an ALWR control room. Each section of Part 11 presents the criteria related to one of these groups, as shown in the Table of Contents.

j METHOD J

} These criteria were derived from a review of documents (References 1 through 27)

{ which provide guidance for implementation of digital technology and application of human factors engineering in the evolutionary design of a nuclear power plant j control complex. .s 4

h J

a l

II-2 i

i

, ,..r . -..w.. ww v v , ,e..., ..e,- #e- - . - - - . , . . , , -,.,_.n-.- -e , . , ,* gww., w-..g-mr.. , g.m, -.p..

- HYDE.WP DESIGN PRODUCT REQUIREMENTS CRITERIA FOR ALARMS l l

l ItEFERENCES (1) ANSI /HFS 100-198 -

American National Standari for Humaa Factors Engineering of Visual Display Terminal Workstations, Santa Monica, CA; Human Factors Society (1988).

(2) MIL-HDBK-761A - Human Engineering Guidelines for Management Information Systems; Washington, DC; Department of Defense (1989).

(3) MIL-STD-14720 - Huinan Engineering Design Criteria for Military Systems, Equipment, and Facilities; Washington,'DC; Department of Defense (1981),

(4) NASA-STD-3000 - Man-Systems Integration Standards; Houston, TX; National Aeronautics and Space Administration (1989).

(5) NP-4350 - Human Engineering Design Guidelines for Maintainability; Palo Alto, CA; Electric Power Research Institute (1985).

(6) NPX80-IC-SD-791 Syste Description for Control Coylex Information System for Nuplex 80+, Res 01; Windsor, CT; ABB Combustion Engineering (1991).

(7) NUREG-0700 - Guidelines for Control Room Design Reviews; Washington, DC; US Nuclear Regulatory Comission (1981).

(E; NUREG-0899 -

Guidelines for the Preparation of Emergency Operating Procedures; Washington, DC; US Nuclear Regulatory Comission (1982).

(9) NUREG/CR-3517 - Recomendations to the NRC on Human Engineering Guidelines for Nuclear Power Plant Maintainability; Washington, DC; US Nuclear Regulatory Comission (1985).

(10) UCRL-15673 - Human Factors Design Guidelines for Haintainability of l Department of Energy Nuclear Facilities; Washington, DC; Department of l

Energy (1985).

i (11) USE-1000 - Space Station Freedom Program Human Computer Interface Guide; Houston, TX; National Aeronautics and Space Administration (1988).

(12) 10 CFR 29 - Code of Federal Regulations, Occupational Health and Safety

! Administration; Washington, DC; Office of Federal Register (1990).

(13) Bailey, R. W. (1982) - Human Performance Engineering: A Guide for System Designers; Englewood Cliffs, NJ; Prentice Hall.

(14) Boff, K. R., and Lincoln, J. E. (1988) - Engineering Data Compendium:

Human Perception and Performance; Wright-Patterson AFB, OH; Armstrong Aerospace Medical Research Laboratory.

l l II-3 l

HYDE.WF DESIGN PRODUCT REQUIREMENTS

. CRITERIA FOR ALARMS j l

(15) Ehrenreich, (1985); Computer Abbreviations: Evidence and a Synthesis.

Human Factors, H , 2, 143-156.

(16) Gilmore, W. E., Gertmann, D. I., and Blackman, H.S. (1989); User-Computer Interface in Process Control: A Human Factors Engineering Handbook; Idaho Falls, ID; Idaho National Engineering Laboratory.

(17) Helander, M. (Ed.); Handbook of Human-Computer Interaction; New York, NY; North-Holland (1988).

(18) Kiger, J. I. (1984). The Depth / Breadth TradeofT in the Design of Menu-driven User Interfaces; International Journal of Man-Machine Studies,1Q, 201-213.

(19) ledgard, H. P. (1989) - The Case Against User Interface Consistency; Communications of the ACM, E , 10, 1164-1173.

(20) Rasmussen, J. (1985) - The Role of Hierarchical Knowledge Representation in Decision Makir and System Management; IEEE Transactions on Systems.

Man, and Cybernetics, SMC-15, 2, 234-243.

(21) Rodgers, S. H. (Ed.) - Ergonomic Design for People at Work; Rochester, NY; Eastman Kodak Company (1983).

(22) Salvendy, G. (Ed.) - Handbook of Human Factors; New York, NY; Wley (1982).

(23) Sanders, M. S., and McCormick, E. J. (1987) - Human Factors in Engineering and Design; New York, NY; .icGraw-Hill.

(24) Tufte, E. R. (1983) - The Visual Display of Quantitative Information;

, Chesire, CT; Graphics Press.

(25) Van Cott, H. P., and Kinkade, R. G. (Ed.s) - Human Engineering Guide to Equipment Design; Washington, DC; Department of Defense (1972).

(26) Weiman, N., Beaton, R. J., Knox, S. T., and Glasser, P. C. (1985) -

Effects of Key Layout, Visual Feedback, and Encoding Algorithm on Menu Selection with LED-based Touch Panels (Tech Report HFL-604-02); Beaverton, OR: Tektronix.

(27) Advanced Light water Reactor Utility Requirements Document, Volume II, ALWR Evolutionary Plant, Chapter 10, Man-Machine Interface Systems, Rev.

1, Electric Power Research Institute, August 31, 1990.

11-4

HYDE.WP DESIGN PRODUCT REQUIREMENTS .[

11 CRITERIA _FOR ALARMS 11-1 CRITERIA FOR ALARMS 1.1 Alarm Processina

,$n <; 010 0 0'3* 1.1.1 The selection of conditions to be alarmed shall include the g,( ; o following:

a) Conditions related to exceeding safety limits, operating 4,] g' L limits or manufacturer's limits on equipment shall be included.

b) Alarm conditions shall only represent infrequent, unexpected-and/or undesired variable states, as a measure to reduce nuisance alarms, c) Selection of alarm variables and setpoints shall be done with consideration that the alarm should allow :.he -

operator sufficient time and information to effectively and deliberately respond to the out-of-tolert.nce condition.

i d) Alarm setpoints and logic shall be consistent with the Emergency Operating Procedures, e) Data related to status information shall not be displayed as an alarm.

1.1.2 Methods of data validation shall be applied-consistently to o s ci alarmed parameters and displayed parameters, such that - the

  • 7 ~.,

, alarm condition is accurately represented in the relationship of the displayed - parameter : and the alarm setpoint. If validation is performed on an alarmed parameter, the validation shall be-performed prior to processing the alarm.

1.1.3 Processing To Support Reduction Of Alarm Displays. '

l.1.3.1 As a measure to reduce the potential for sensory overload, the total number of spatially dedicated alarm-displays shall be limited. Redundant alarms, such as g' (,' (c -(

those_ representing ~ separate channels of the- same parameter, shall be represented by a single spatially

([ 3,/ C, dedicated alarm display, and alarms not related to the current operating mode shall be eliminated.

Additional acceptable methods for reducing the number of alarm displays:

11-5

_______..___m___ _ . _ - - - - _ - _ - - _ _ - _ - _ - - - - - - - - - -- - -

. HYDE.UP DESIGN PRODUCT REQUIREMENTS

!! 1 - CRITERIA (OR Al. ARMS

( (' I'^:

a) Use of cross channel comparison to represent several channels of a single parameter with a (f.],J(/ singic alarm, b) Use of alarm logic aad setpoints which are plant I mea or equipment status dependent.

c) Cov,'elnation of related alarms, such as those -

which require the same operator responso, into a single display and use of alarm messages to indicate the specific condition in alarm. For example, if several alarms are associated with loss of cooling to a reactor coolant pump, these may be represented under a single alarm tile.

I This method of alarm grouping can be applied to both dedicated and selectable alarm displays, including: tiles, Video Display Unit display directories and system level (VDU) VDU displays.

d) Use of a multi-priority display scheme to combine

] alarms, such as low and low-low alarms, into a single alarm tile.

FPL ( ?. ! r 1.1.3.2 Where multi-inout alr ms are used, the capability Y.7 7 7 to individua11'y disMy the status of each alarm shall be provi 6 1.1.4 Processing Yo Support Alaro prioritilation.

1.1.4.1 An alarm prioritization scheme shall be used.

O ,p such that alarms requirpg a quicker operator 9.J %9 response will be identifie:1 as having a higher priority.

1.1.4.2 The number of priority categories shall be small A'e<7e7<# (i.e., 2 to 4).

e . 7. / F II-6

, HYDE.WP DESIGN PRODUCT REQUIREMENTS 11 1 CP.!TERIA FOR ALARMS i

(lr I C' l.1.4.3 An acceptable basis for division of alarm 4-[, p' u, // priority is the proximity of an alarm setpoint to a Significant Operator Action Condition (SOAC),

which is defined as one of the following A/n c 7 c>7cV undesirable plant conditions: .

(. , 3. /. V 1) a criticil function violation (safety or powerproduction),

i

2) a success path violation (availability or performance),
3) eafor damage to equipment,
4) a personnel hazard, j

l.1.4.4 An acceptable method of division of alarm priority is:

Priority 1 -

! mediate Action (i.e., last 4

warning prior to reaching an SOAC).

Priority 2 -

Prompt Action (i.e., second to last warning prior to reaching an SOAC).

{

  • priority 3 - Caution (i.e., any warning prior to the second to last warning prior to reaching an 50AC, and also for all non-SOAC alarms).

1.1.5 Integrated Alarms l.1.6 Alarm List 4.j , '( , t/ f 1.1.6.1 Each alarm shall be tagged with its time of occurrence. The resolution shall be within 2 seconds for all al arnis. For all exceptions, justification shal' be provided that a coarser i

time resolutisn is adequato.

11-7 y y - - . ----wim ew,o y -,e,. w y-y.w ei.

. HYDE.WP DESIGN PRODUCT REQUIREMENTS

!! 1 - CRITERIA FOR ALARMS I bi  !" 1.1.6.2 The operators shall be provided the capability to access at any time, via an on line display and in k[. J. !/ -[' )rinted form, the time sequence of alarms that lave occurred. The capability to access the l' alarm list shall be provided at all (Main Control Room (HCR workstations and in the technical support ce)nter.

1.1.6.3 The time period covered by the alarm list shall be predetermined and at least 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />.

1.1.6.4 Documentation shall be provided which demonstrates that the alarm system hardware and software have sufficient computational speed and capacity, and buffer capacity to assure that no alarm information would be lost from the alarm list historical record for the worst case upset or emergency that the plant may suffer.

1.1.6.5 The time sequence of alarms shall LT recorded via non volatile media.

l l

I l

11-8 l

l

HYDE.WP DESIGN PRODUCT REQUIREMENTS 11 1 - CRITERIA FOR Al. ARMS 1.2 Alarm Displays

/?

" ,' In 1.2.1 The alarms shall be displayed in a manner such that the operator can discern the highest priority without first k[, }, t/, 7'- idatifying them. The method of displaying alarm priority shall include these attributes:

b'3 *I a) Distinct visual cues to differentiate alarms of different priority; the cue for the higher priority alarms ire the most salient.

b) The visual cues of alarm priority are appliad consistently on different display media (e.g., on alarm tiles and VDU screens, overview displays, and in the redundant and diverse systems).

1.2.2 Visual display cf alarms requiring immediate or plompt operator action shall be provided immediately, automatically (i.e., without operator action), and in a manner that enhances i immediate recognition that an alarmed condition exists.

Spatial dedication of such alarms, in a location directly viewable from the operator's normal working position, is an acceptable method.

, 1.2.3 Where alarms are grouped in a single display, lower priority alarms shall not mask higher priority alarms. Acceptable methods include:

U . ) . '. !

a) Use of different color hues or flash rates to indicate

, '?, , 77 ' the priority of the highest pricrity alarm represented by an annunciator, b) Use of flash suppression to temporarily redace emphasis of lower priority alarms in order to enhance emphasis of higher priority alarms.

1.2.4 Display techniques shall be utilized to correlate an alarm to related critical functions or success paths. The following O 'echniques are acceptable:

43.'t.]

a) Physical grouping of alarms for parameters, components f % eq c7cc or systems which shars a common function, g 3, 3

  • i b) Physical grouping of spatially dedicated alarms which have related safety functions to take advantage of 4 3 , 52 ,7 pattern recognition.

c) Automatic indication of critical functions and success paths affected by actuated alarms.

11-9

I HYDE.WP DESIGN PRODUCT REQUIREMENTS I

i. 11 1 - CRITERIA FOR ALARMS ,

I

  • i I

((3 'O 1.2.5 Access to information supporting evaluation of the alarm l condition shall be direct and prompt. Acceptable methods l include:

l Lj . 3. ,7. 3 i a) Automatic display of messages related to the alarmed

}

condition upon alarm acknowledgement.

b) Automatic display of an index or other prompt which j identifies reference pages for further diagnostic 2 information or a display which supports initiation of j corrective actions.

! AM # 1.2.6 The alarm display shall provide visual and audible indication 4.m 6 of cleared alarm conditions.

, i

' ' ~~.). O Distinct visual cues differentiate alarm states (e.g., new, i 1.2.7 1

existing (acknowledged), cleared, reset (acknowledged)).

The visual cues for new, cleared and existing alarms shall not mask each other.

! An acceptable scheme for visual differentiation:

A_larm State Visual Cu u  ;

l New Fast Flash, Bright yellow.

i Cleared Slow Flash, Dark Yellow.

Existing No Flash, Dull Yellow.

! No Alarm or Reset Normal Display with No Yellow l Highlighting, i

  • ( (t /D 1.2.8 Visual display of the existence of an alarmed condition shall be provided at all times that any alarm condition requiring <

l g e- i ,

prompt or immediate operator action exists. That is, visual indication that an alarmed condition exists shall not require

. operator action (e.g., activation of ar. appropriate display

page shall not be necessary), and shall not be removed by

! automatic or operator action (e.g., due to selection of

alternate display pages).

I 1.2.9 Spatial dedication of alarm displays shall be based on - an

C .,~. ' ,' evaluation of the significance of an operator response to the i alarm, which includes consideration of the following factors:

i Af.3,t/.1 system impact, technical specification criteria, importance or-severity of consequences, and time available to respond.

1.2.10 Where alarms are unacknowledged or deferred, they shall be

0. a c c -

stored in an ordered buffer- and messages related to these alarms should be stored for ready access when the alarra is

j. Cf. 3 .1. .-. . .

11-10 I

h j

- ~ - - _ _ . - . , - . _ . - , - . . _ . - . - .-,,,-.-e ,.,w., .~..-.,~m.,,..,w-...m..m._.,-..e,wm --,-.----,---.r . om,,... e .u.-,.- - -w--

HYDE.WP DESIGN PRODUCT RE0VfREMENTS

. 11 CRITERIA FOR ALARMS acknowledged.

1.2.11 Overview Alarm Displays 1.2.11.1 The overview panel shall provide for the display of high level derive alarms s9ch as would provide indication of I-[, if *9D ;V-) - plant mode or state, and availabilit of safety systems or functions. Indication of the foi owing is required:

f a) Alarrr.s indicating failure of a critical safety

function.

b) Alarms indicating poor performance or unavailability of success paths supporting critical safety functions.

t c) Alarm mode, to indicate the state of the alarm system (for plant mode dependent alarm logic and setpoints).

1.2.11.2 Spatial dedication shall be provided on the overview display for certain key alarms. An acceptable approach is to provide dedicated display of the critical safety function alarms on the overview display.

I 11-11

.  !! l - CRITERIA FOR ALARMS 1

f ps7eo

/ 1.3 Acknowledaement

[ 3. 'f . /

., 1.3.1 Alarm acknowledgement techniques which facilitate acknowledgement of alarms without perceiving them, such as

/

9 " global acknowledge", shall not be used.

( fp(y n,o 1.3.2 A common acknowledge for redundant alarm systems shall be implemented such that the operator can acknowledge any alarmed Y 7'/.I condition on both systems with a single action.

1.3.3 Methods shall be implementud for reducing the burden

/. associated with alarm acknowledgement. The following techniques are acceptable:

a) Prnvision of the capability te acknowledge alarms in small functionally related groups as well as individually, b) Physical grouping of functionally related alarm displays.

c) Ptavision to display alarm messages convenient to the operator's position while perfor.ning other tasks.

i d) Provision to defer acknowledgement of lower priority g alarms such thct distraction is reduced but notification is not lost. Such features may include: use of periodic rather than continuous audible alarms (e.g., momentary audible tones and reminder tones), and flash suppression (e.g., stop flash and resume flash).

1

!!-12 i

ilYDE.UP DESIGN PRODUCT REQUIREHiNTS

- . 11 CRITERIA FOR ALARMS 1

1.4 Reliability 1.4.1 Alarms shall be provided by redundant means in all elements of I power supply, processing and display to ensure that failures l of normally replaceable parts do not result in loss of function.

1.4.2 for alarms related to critical safety function violations or prompting operator safety related mitigation actions for which there is no automatic action, the redundancy design shall meet separation and independence criteria similar to that provided for the redundant channels of the protection system.

. Exceptions to this criteria would be acceptable in areas where total separation would compromise the human factors aspects of the design (e.g., common acknowledgement vs separate acknowledgement, periodic data correlation). For these-alarms, redundant elements shall be diverse to protect against common mode failure, and shall be seismically qualified.

1.4.3 Performance of the redundant systems should be monitored automatically via methods which detect deviations between the two systemt and immediately report any indication of degraded i performance to the operator.

1.4.4 Display of an alarmed condition shall occur within 5 seconds of reaching the associated setpoint.

4 11-13

HYDE.WP DESIGN PRODUCT REQUIREMENTS 11 CP.lTERIA FOR AL*RMS 1

0b IO 1.5 Audible Tones 93%b Implementation of audible tones shall comply with the following:  !

1.5.1 Audiole tones shall be used to alert the operator to the

/v/r7 47 @ presence of a new alarm condition and to the occurrence of g,7, cleared alarm conditions.

- - 1.5.2 The location from which an-audible tone is generated in the

)'' .

MCR shall be selected to enhance recognition of the physical location in the control room where the spatially dedicated j display of the alarm resides.

l 1.5.3 Tones for new alarms are separate and distinct from tones used to signify clearing alarrs.

1.5.a The scheme for implementing audible annunciators shall limit the distraction and stress associated with audible alarms.

(\

t The following are included as acceptable practices:

i a) Use of momentary or self-silencing tones for new and cleared alarms.

b) Use of pe. iodic, momentary reminder tones for unscknowledged alarms.

l 1

11-14 m

HYDE.WP DESIGN PRODUCT REQUIREMENTS 11 CRITERIA FOR OPERATOR AIDES II-2 OPERATOR AIDS I 2.1 Indication of the following shall be provided to the operator via visual cues that are distinct from the alarm displays.

4 2.1.1 Indication of the change of state of an interlock which allows manual action by the operator to take effect if certain conditien, are met, and defeats the operator action if the conditions are not met.

2.1.2 Indication of automatic actuation that is appropriate for the

, plant state.

i 1

4 j

11-15 4

_ _.___ _._.~._..._ _ _ _ . _ _ _ _.__. _ _ _ _ _ ._._

4 i

HYDE.WP DESIGN PRODUCT REQUIREMENTS j .

II CRITERIA FOR PARAMETER INDICATIONS i

i j II-3 CRITERIA FOR PARAMETER INDICATIONS l 3.1 Selection of Parameter Disol_av Modes -

i 3.1.1 Dedicated Displays i

ReI & ~. L l 3.1.1.1 Dedicated display device (s) shall provide a continuous 4

lO display of all Regulatory Guide 1.97 Category 1

! variables as follows:

I a) All Regulatory Guide 1.97 Category I variables i ,1 shall be provided in a validated list.

i f j l f b) Access to the individual channel parameter valves j

j shall be- provided for all Regulatory Guide 1.97

variables.  ;

' 3 J.l.2 lay device s) shall be dedicated to access of the j d b k, Dis fol $owing key p(arameters. Multiple display pages can be ,

used to accommodate display of this information.

l LJ p '

l l- .

a) Key parameters bacd to assess critical function ,

. status for safety and power production.  ;

^

f j b) Key parameters indicative of success path

performance for both safety and power production.

1 --

c) for composed parameters which are determined by

an algorithm which uses sensor input from multiple parameters (e.g., determines average coolant temperatures from multiple hot leg' and cold leg sensors), operator access to the

. individual sensor channels shall be provided, j 3.1.2 Selectable Parameter Displays

j. Ch (D 3.1.2.1 Selectable displays shall _ provide all the plant
parameters that are required for operation, but do-not -

t-(, y c7, p necessarily need to be displayed continuously.

! 3.1.2.2 Selectable parameter displays of like nature -shall -

employ a consistent selection scheme throughout the-t- control room.

r i

j 11 4 e

HYDE.WP DESIGN PRODUCT REQUIREMENTS

, 11 CRITERIA FOR PARAMETER INDICATIONS 3.2 Parameter Proggssino 3.2.1 Validation f ( (O 3.2.1.1 Where multiple sensors or channels provide data for the q'q,q,f( same parartster to the control room, a validation scheme shall be implemented in determining a representative value to be displayed to the operator.

3.2.1.2 The operator shall be afforded a mechanism to access and

, view all sensor readings used in the validation reheme, f 3.2.1.3 Indication shall be provided of data identified as sus)ect by a validation program. Use of a unique sym)ol, indicating suspect status, displayed adjacent to the displayed parameter value is an acceptable method.

q 19 3.2.2 Historical Reccrding g ,, g 3.2.2.1 Facilities shall be provided so that operators can e- *- obtain past histories of particular parameters either through a VDU interface or on paper.

I 3.2.2.2 The capability to call up a pre defined trend shall be provided for those parameters specified in the task analysis.

3.2.2.3 A trena shall be provided automatically in the display of certain para aeters as identified in the task analysis,

,e 3.2.3 Parameter values shall be adjusted through processing to p",

provide the most applicable information pcssible with current plant instrumentation (e.g., compensated for density effects).

';, .~ , *,q;8,(- This must be indicated to the operator by means of a label or coding scheme.

l l

l 11-17

HYDE.WP DESIGN PRODUCT REQUIREMENTS 11 CRITERIA FOR PARAMETER INDICATIONS i

3.3 Features of Parameter Display 3.3.1 The rationale for selecting the manner in which parameter 6[,4/.q indications are presented to the operator (for characteristics range, -display accuracy, response time, character size and time period for trends) shall be based on either task i analysis, expert operator judgement, or predecessor designs, and documented. For example, the units of pressurizer pressure shall be the same on the display as it is described

< in the procedures and the procedure guidelines.

3.3.2 An alphanumeric designator or label shall identify parameter indications.

3.3.3 If two or more parameters are to be routinely compared then the difference, summation, average, etc. (as required) shall be displayed as a parameter in its own right.

3.3.4 When parameter information is displayed using bar graphs, all grsphs shall be oriented consistently. To facilitate comparison and correlation among like parameters, scales shall also be consistent. Exceptions to this must be justified with respect to criteria 3.3.1.

3.3.5 When a bar graph is used to indicate a parameter, the operator shall be allowed access, either continuously or via some menuing mechanism, to the digital value of the parameter.

3.3.6 Scales -bil conform to accepted HFE guidelines and these shall bc - >1ied consistently throughout the control rom. The

/Y" q # 7/C 4 S./.f following are acceptable:

a) Grid lines on bar graphs shall be unobtrusive and shall A/A5 4 # er not obscure data elements.

U ! I' 2*l f b) When parameters are to be displayed on a bar graph, tha x-axis shall be time and the y-axis shall be the I monitored parameter.

c) On the scale, the major and minor graduations shall have different sizes. Different lengths may be more legible for connotative point readings; different widths may be more visible if only quantitative check readings are required.

d) Graduation intervals shall be of one, two oc five units, or multiples thereof by powers of ten.

e) Between the numbered graduations, the unnumbered 11-18

- ,. , n - , < , - , , , - -

. HYDE.WP DESIGN PRODUCT REQUIREMENTS 11 CRITERIA FOR PARAMETER INDICATIONS i

4 i

i graduations shall not (xceed nine in number. ,

f) Who percentage scales are used, 0% of the scale shall correspond to the low end of the parameter, e.g.. minimum

, level, flow, power; similarly, 100% of scale shall .

correspond to the high end.of the parameter range

I 1

g) The individual numerals on any scale should be vertically oriented with respect to the operator. '

i l 3.3.7 Display devices shall have sufficient s: ale range to accomodate all anticipated normal and abnormal operating conditions.

3.3.8 Instruments shall provide ranges such that nominal scale

, readings fall between 20% and 90% of full scale during normal operations.

3.3.9 If a display device incorporates the capability to-automatically change the displayed range of a bar graph, then the operator shall automatically be informed before this occurs. Operator acknowledgement can be implemented to assure cognizance of the change.

3.3.10 Time history displays utilized in the control room shall have a consistant position for the origin.

1 l

l 11-19

HYDE.WP DESIGN PRODUCT REQUIREMENTS

. II 3 - CRITERIA FOR PARAMETER INDICATIONS

! 3.4 Reliability 3.4.1 Parameter displays shall be provided by redundant means in all elements of power supply, processing and display to ensure that failure of normally replaceable parts do not result in loss of function.

3.4.2 Parameter displays shall be provided via redundant and diverse means, such that the processing and c'isplay of the following indications will be maintained even if a complete failure or common mode failure occurs in a system supporting those functions:

a) Information for Technical Specification monitoring with surveillance timas less thaa 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />.

b) Information required to assess major equipment dr. mage or personnel hazard alarms.

c) Regulatory Guido 1.97 Category 1 and 2 parameters (Types A-C) (not alrea.iy on single parameter displays).

3.4.3 The devices used to display the Post Accident Monitoring Instrumentation (PAMI) parameters shall meet the applicable qualification criteria of Regulatory Guide 1.97.

3.4.4 If the device that displays the parameter indication fails then this shall be immediately apparent to the operator. -

i l

l l-l l

11-20

HYDE.WP DESIGN PRODUCT REQUIREMENTS

, 11 CRITERIA FOR INTEGRATED DISPLAYS 11 4 CRI RRIA FOR INTEGRATED DISPLAYS Integrated displays are those which combine parameter indications, alarms and component statJs indications to provide a higher level indication of system functional status. Piping and Instrumentation Diagram (PalD) representations may be used in such displays.

4.1 Hierarchy of QLsplays

[ h 'O 4.1.1 Integrated displays shall be organized in a hierarchical

, , . relationship that reflects the way that the operators will

'i. 7 h utilize them and the hierarchical scheme shall be documented.

The hierae.hy can be organized by sequence of use in particular tasks, by system or by function. Incorporation of the following features is acceptable:

a) Organization of the display hierarchy in such a way as to facilitate learning by the operator, including application of basic principles of the psychology cf memory such as the limits of short term memory, chunking, etc.

b) Use of critical functions and success path monitoring as a basis in the design of the overview display, so that in training this basis can be used to guide the use of the ov2rview display.

4.1.2 There shall be an overviw daplay that provides the cperator with infor. nation in a for,nat so that high level " states" of the plant can be ascertained in minimum time.

4.1.3 A display of the overview shall be available at all normal operator working positions. Implementation of CRT displays at each working positica or a big board panel in a location viewable from all such positions is acceptable.

11-21

HYDE.WP DE5!GN PRODUCT REQUIREMENTS l 3

11 4 - CRITERIA FOR INTEGRATED DISPLAYS j

4.2 Navirration Su, em 4.2.1 Integrated displays on CRTs shall afford the operator the 4 7.tra ability to move from one display to another with a maximum of 4 two torches. A design in which the first stroke accesses the a hi,/ 5 m W n o pertinent detailed menu and the second stroke makes the 2

r.M blf specific item selection is acceptable.

< . i r. 3 s A'u M 3'## 4.2.2 Access to integrated display pages shall be afforded the 4 es.s..i.'/.y.t perator by a system that makes use of "the human's natural e . o . 3 I .c .; inclination to point".

4.2.3 In order for the operator to select displays, the choices shall be displayed. An acceptable method is use of menus.

l 4.2.4 Elements of a meru shall belong to a logical group.

Acceptable groupings of menu elements include:

a) Plant Sector b) System c) function 4.2.5 The menu formats shall be consistent within particular display and control systems.

I 0h'# 4.2.6 The ability to restore the display to the previous display N. 4/ '7 7 page shall b2 provided to the operator.

4.v 7 Navigation through displays and through the hierarchy shall be gasa,foco facilitated by labeling and title schemes that reflect the 4.G

  • p./, G .2. f commonly used terms for the elements displayed. Examples of this are: Labelling .the part of a display that shows the safety injection system with " SIS", labeling a display page that contains an overview of the primary system with "PRl",

etc.

gA 5A 3

  • 4.2.8 When a single display, e.g., an alarm list, requires more screen area than is available, then the information shall be 46O'2'7 "

partitioned and some technique for the operator to move within and between partitioned groups shall be tiforded. Direct access to the first page of such a display shall be provided on each page of the partitioned set.

11-22 4

.m v.,, ,. .,_r, -, . . _ . . , - - ,

=-. . - -_ _ . - .

11 CRITERIA FOR INTEGRATED DISPLAYS 4.3 Physical and Functional Features Sg y 4.3.1 Consistent coding of information shall be used throughout the integrated displays. A common metaphor, 4.uch as P&lDs, should y' 9, q, / be used consistently among the displays to the extent possible. Exceptions, and the basis for their use, shall be documented.

g 4.3.2 All integrated displays shall have the current time and date to facilitate date starr. ping activities as required for certain tasks. The format of this chronological indication shall be consistent across all displays.

4.3.3 Each integrated display shall provide a title by which it can be referred from a procedure or other document.

4.3.4 Coding schemes used on integrated displays shall conform to those specified by the parameter indications section and the component contre! section.

l.1.2 f

.M* " 9 # 70 ' 4.3.5 Screen loading or information density shall not exceed 50% of

,,,, ore s m e the total screen area (not including demarcation lines).

g, o c.3 2. 2 t 4.3.6 Empty screen area, lines and spaces should be the primary means of organizing and separating data.

, ,, m ., 7,, c 4.3.7 Data presented to the user shall be in a readily usable end c,

, c. p . .? readalle form, such that the user does not have to transpose, compute, interpolate or translate into other units, number bases or meaningful language.

8W E y , f' (' 4.3.8 Data fields that appear in multiple locations within a system 6'"" shall have consistent names, and should have consistent

, relative position within similar displays.

[

4.3.9 The integrated displays shall duplicate and verify the i

information provided in a spatially dedicated manner.

4.3.10 Integrated displays shall provide quick direct access to supporting information for alarm conditions.

l l

11-23

HYDE.WP DESIGN PRODllCT REQUIREMENTS 115 - CRITERIA FOR DISCRETE COMPONENT CONTROL (ON/0FF) i i

!!-5 CRITERIA FOR DISCRETE COMPONENT CON 1ROL (ON/0FF) 5.1 Control Strateay 1

/t/gr$ #W 5.1.1 1he c'.irrent status (on/off, open/closa) of a discrete state 0 'b f' j,e component shall be visible whenever the control mechanism for

/ that component is t.vailable for use. The intent is to prevent fof p o S.J.l.y / blind operation of equipment.

f 1.1.I f / 5.1.2 Identification of locally controlled components for which

__ _J status indication 1111 be provided in the control room (e.g., i

(.M I& containment latch door position) shall be determined by a -

documented task analysis, expert operator opinion or i

3. l . 3 ' z -

predecessor design. Status of such components shall be

. provided in the control room either by instrumentation or i administrative procedure. l ch tv \

<f , y , f 5.1.3 Consistent component status coding shall be used throughout the control room. For example, red status indicators for on or open; and green status indicators for off or closed.

i' 5.1.4 The human factor attributes of packaged control devices shall be consistent, to the extent practical, with the human factors engineering standards set for the man machine-interface,

~i (b 5.1.5 The design shall provide mechanisms to restrict usage of y , f. component control devices (e.g., administrative control, automatic interlocks, alarms, two action controls, etc.).

/,6 l# 5.1.6 Electrical current flow (amperage) indication shall be available for motor operated components rated at 100 h.p. (75 45,1 kw) and greater. This indication may be provided via soft-interface VDU, or continuous dispity hardware.

4 1

)

f 11-24

IlYDE.WP DESIGN PR00001 REQUIREMENTS

!! 5 - CRITERIA FOR DISCRETE COMPONENT CONTROL (GN/0FF) 5.2 Auto / Manual Mode Chanaes 5.2.1 Automatic control shall be provided where manuel control is not suitable due to response time requirements, the complexity (h W of the control function, or the need to free the operator for a other control room tasks.

' ~

3. l .5. b .

This criteria is not intended to exclude the operator from the control loop. Ir. general, the operator shall always have the ability to disable automatic control action and/or take manual control. This does not apply to automatic interlocks or actuation signals which are designed to --keep the plant or equipment within the bounds of the technical specifications and plant operating procedures. >

5.2.2 Control schemes with multhle modes (auto, manual, etc.) shall -

permit a "bumpless" transfer between any two control modes.

- I'I - 2 5

HYDE.WP DESIGN PP00VCT REQUIREMENTS

.  !! 5 - CRITERIA FOR DISCRETE COMPONENT CONTROL (ON/0FF) 5.3 Auto Scauent.. Operations 5.3.1 Where two or more redundant components have a sequential auto l start feature (e.g.. at setpoint #1 start A, at setpoint #2 start B), the operater shall have the option to assign the in-service or first to start component, and the succeeding start sequence of the remaining redundant components if applicable. The intent is to give the operator the ability to establish a known sequence of events.

5.3.2 Where two or more redundant components have a standby feature (e.g., if A fails to start or trips, start B), the operator shall have the option to assign the first to start component, and the succeeding start sequence of the remaining redundant co.1ponents if appl icable. The intent is to give the operator the ability to establish a known sequence of events.

5.4 Common Codina Features 5.4.1 S)atially dedicated controls shall be provided for components t1at makeup the main flow path of normal and emergency success naths for all critical functions. Spatially dedicated controls shall meet the following criteria:

1. The controlling device shall operate the subject component and no others. It shall not share control function with other components.
2. The controlling device and its control state shall be continwusly visible ano available for use.
3. The controlling device shall occupy a fixed location on the control panel in an orientation that hr.s a functional relationship to its adjacent controls.
4. Control action can be initiated directly (with no prior screen selection) or with minimal screen selection (i.e.

or.eortwo). Where selection is required it is only to access specific control options in a set of functionally related controls.

5.4.2 Control loops that require little or infrequent operator intervention may be accessed through selectable soft-interface VDU displays.

5.4.3 Failures in a component control loop that result in loss of control, or a control discrepancy shall be indicated at by a unique visual code or label. For example, use of a blinking switch position is an acceptable means of indicating that the

, demand state is different from the actual state of a l controlled component, i

l 11-26 l

. liYDE.WP DESIGN PRODUCT REQUIREMENTS 11 S - CRITERIA FOR DISCRETE COMPONENT CONTROL (ON/0FF) j 5.5 fLeliability

, 5.5.1 Component controls shall be redundant to the extent that a failure in the man machine-interface device will not prevent further control action. The intent is to provide a backup

means of inputting component control command s.

I I

i 11 . . . - _ , .. _, --.

HYDE.WP DESIGN PRODUCT REQUIREMENTS 11-6 CRITERIA FOR MODULATING COMPONENT CONTROL 4

11-6 CRITERIA FOR MODULATING COMPONENT CONTROL 4

6.1 Controller Strateov 6.1.1 Control loops that have a cascade or nested relationship (e.g., master /subloo)) shall be hierarchically arranged to clearly indicate the< r functional interaction.

6.1.2 Control systems with multil>1'e input sources for the controlled variable shall indicate witch input source is being used as the controlling variable. For example, if a control system can accept inputs from channel X, or channel Y, or the average of channels X and Y, then the control system must indicate which of the three opticns is being used and provide controls to changs the input source.

6.1.3 Control systems with multiple setpoint sources (e.g.,

auto / operator) shall indicate the actual setpoint source at the contral station. For example, if a control system can accept a setpoint from either the operator or some other source, an indication shall be provided to indicate which of the two posr'ble setaoint sources the system is using and provide controls to c1ange.

6.1.4 Control systems with a variable setpoint shall indicate the current value of the setpoint at the control station.

6.1.5 Control systems u th auto / manual output modes shall indicate

whether the source of the output signal is from the automatic t

or manual system.

6.1.6 Control systems with a variable output signal shall indicate the value (or relative analog) of the actual output signal.

6.1.7 Failures in a component control loop that result in loss of control or a control discrepancy shall be indicated by a unique visual code or label at the man-machine-interface. For example, use of a blinking switch position is an acceptat)1e

, means of indicating that the demand state is different from the actual state of a controlled component.

11-28

a .

HYDE.WP DESIGN PRODUCT REQUIREMENTS  :

!! CRITERIA FOR MODULATING COMPONENT CONTROL l l

1 1

i 6.2 Throttlina Components i

6.2.1 Components whose primary function is to provide' throttling action (flow control) shall have real time throttle position j feedback visible from the control station. The intent is to

provide positive primary indication of componaat performance j and not rely on secondary means (i.e., flow indication alone)-

j for control action performance monitoring.

i 6.3 Reliabni.ty .

J

! 6.3.1 Component controls shall be redundant to the extent that i failure of a man machine-interface device will not prevent further control action. The intent is to provide a backup i

i means for inputting component control commands.

i 1.

i i

i t

4 1

i i

t 1

11-29 i

l I

HYDE.WP DESIGN PRODUCT REQUIRiMENTS

, 11 CRITERIA FOR SPECIAL CONTROLS

!!-7 CRIIERIA FOR SPECIAL CONTROLS Gh(D 7.1 System Actuations y ' g, ( The following criteria apply to reactor trip, main turbine and generator trip, and engineered safety features actuation signals.

7.1.1 Control devices for manual reactor trip, main turbine and generator trip, and ESF system actuation shall be amenable to rapid actuation by one operator.

7.1.2 Control devices for manual trip and system actuation shall i incorporate design techniques to reduce the potential for inadvertent actuation.

! 7.1.3 The current state (actuated / reset) of system actuation and trip shall be visible from the actuation control station.

7.2 Operatina Stations 7.2.1 Spatially dedicated operator modules, related indications, and other control devices shall be grouped by function such that the control function can be accomplished without the need to rove. This should not be interpreted to preclude the use of multiple operating stations. Only that each operating station must have the necessary information and controls available within the immediate area. The intent is to prevent the need to rove from the operating station to perform related control actions or acquire information important to control.

. 7.2.2 There shall be spatially dedicated operating stations for the following systems and operational functions:

1) Reactor Coolant System: pressure, tempereture, and inventory control
2) Reactor Control Rods
3) Main Feed System
4) Emergency Feed System
5) Main Turbine and Generator
6) Engineered Safety Features Systems
7) Heat Rejection Control Systems: atmospheric steam dump, steam bypass to main condenser, and long term decay heat cooling 7.2.3 The human factor attributes of packaged control devices shall be consistet with the human factors engineering standards set for the man a ' chine-interface.

11-30

, _ . - - . . _ . , - - - - ~- -

. . . ~ .. _

. I l

HYDE.WP DESIGN PRODUCT REQUIREMENTS 11 CRITERIA FOR SPECIAL CONTROLS I

7.3 Process Controls c.h (C 7.3.1 Process control devices shall be separate from " indicate or'v" i, C 0 4 displays. The intent is to provide a clear distinction between indication only and active proc 3ss control devices.

> 7.3.2 Process controllers shall provide continuous display of all parameters being controlled. As a minimum, process controllers shall have continuous display of the r'ollowing:

- Mode of control (aute, manual, etc.)

- Setpoint and real time process value

- Process value identification tag 7.3.3 Response Time Process controllers shall indicate the relative magnitude of O le '

the actual output signal being sent to the component in real time without the use of anticipatory simulation or other

'i b c" g enhancement techniques. The intent is to keep the operator informed of the actual state of the control loop and thus prevent false expectations.

l l

11 l

l HYDE.WP DESIGN PRODUCT REQUIREMENTS l

,  !!-7 CRITERIA FOR SPECIAL CONTROLS l

l 7.4 Enaineered Safety Features Component Control and Monitorina

(,l3 10 7.4.1 Operator Override 4 6. {-

Operator override capability shall be provided on a component basis for all ESF actuated components. The logic shall be such that the override may be executed only after the ESF actuation signal.

7.4.2 When the ESF signal clears, the override logic shall also clear such that subsequent ESF actuation signals are not blocked.

7.4.3 Once the ESF actuation signal is cleared, repositioning of the component will occur only by a subsequent operator command or by an automatic control signal, g, j ( 7.4.4 Inoperable Component Status Monitoring

, ,y ESF com)onent inoperable conditions which may result from bypassecl or inoperable conditions shall be continuously

~

i

displayed to the operator per requirements in NRC Regulatory l Guide 1.47. The intent is to identify ESF system availability prior to its actual need.

In addition to component inoperable conditions, the monitoring system shall also consider component misalignments.

~

In general, inoperable status monitoring should apply to all active components but are required for ESF components.

7.4.5 ESF Actuation Status Monitoring ESF component status monitoring shall be provided such that upon the initiation of an ESF actuation signal the operator is able to determine if all components in the ESF trains have responded properly.

4

! 11-32

IlYDE.WP DESIGN PRODUCT REQUIREMENTS 1107 - (.9.iTERIA FOR SPECIAL CONTROLS 1

7.5 Auto Mode Selection With Multiple Components This section addresses control designs that require multiple components to be controlled by the same automatic control signai.

7.5.1 There shall be one switch for each component if each component is being controlled individually.

7.5.2 There shall be one auto mode switch (not one for each component) if all components are controlled as a group. This switch shall be located and labeled to indicate its group orientation.

7.6 Features of Displav 7.6.1 Process flow lines shall be included in all layouts of controls and dedicted indicators where the physical relationship of plant components is the basis for the layout.

7.6.2 Labels shall be provided in mimics such that all flow lines lead to or from a specified component, a source label or a destination label.

7.6.3 Demarcation lines and mimic flow lines on control panels shall be wide enough to provide the appropriate demarcation without adding visual clutter to the control boards. Use of lines at least 3/16 of an inch wide are acceptable.

7.6.4 Demarcation lines and mimic flow lines shall be consistently sized throughout the control room.

gc 7.7 Overview Disolay

y. y. 9. 2. 7.7.1 Component indications found on the overview display shall utilize the same coding conventions established in the control room.

7.7.2 When component indications are composite, that is, reflect the aggregate effect on flow path of the component, this shall be apparent to the operator by the indications used in the display, 11-33

___ _ )

HYDE.WP DESIGN PRODUCT REQUIREMENTS

, 11 CRITERIA FOR CONTROL ROOM MONITORING AND CONTROL FUNCTION LOCATION 11-8 CRITERIA FOR CONTROL ROOM MONITORING Ed CONTR0t. FUNCTION LOCATION 8.1 Main Control Room Criteria for Control and/or Monitorinci The following criteria shall be considered when making control and instrumentation assignments in the MCR (potential exceptions to these general criteria will be on a case by case basis, with doc 7 entation of the rationale):

b ],, gg lO 8.1.1 Controls and indication used for critful safety and n,

e production functions and their success paths 'e.g., Emergency q'n{'( Cooling, Emergrecy Diesel Generators, Post Accident Monitoring) shall be directly or indirectly (e.g., verify that there is no leaiap; by monitoring a t mk level) instrumented and displayed la the MCR;

/yb o 1.2 Indication an associatcJ controls for systems that require 44 M

frequent (more than two times every eight 1.ours) or expedited

]peration (two hours or less) should be lo nted in the MCR; 8.1.3 The primary location for normal controls that can cause a reactor trip shall be the MCR (e.g., Reactor Coolant Pump contrels, Circulating Water System Pump controls, etc.); Note.

y this does not preclude controls required for hot shutdown from g

being located in the Remote Shutdown Room (RSR) as well as the

, .ie r local controls for large circuit breakers or

tive features;
a primary location for normal controls and indication used for critical safety and power production functions and their success paths shall be the MCR (e.g., Reactivity Control, Inventory Control, Pressure Control, Core Heat Removal, [

L, vergency Diesel Generators, Post Accident Monitoring P dication, etc.). A method of backup control outside the MCR shall be provided at local control stations (e.g. Local Diesel  %

Grnerater Control Panel for long term told shutdown) or the RSP.

11-34

HYDE.WP DESIGN PRODUCT REQUIREMENTS 11 CRUCRIA FOR CONTROL ROOM HONITORING AND rJNTROL FUNCTION LOCATION 8.2 Criteria for Local Safety Related Control and/or Monitorino (A (C 8.2.1 Systems important to safety and that make use of local control yb q ' 7 stations (e.g., local Diesel Generator Control Panel) shall have a Man-Machine Interface (MMI) that will avoid incompatibilities and encourage a high degree of positive transfer of training when compared to similar MMI in the MCR.

Gk to 8.2.2 In addition to controls in the Main Concrol Raom, local control shall be provided for all systems and components N. 7. 3 needed to achieve and maintain cold shutdown of the reactor (e.g., local Diesel Generator Control Panel) for which controls sre not provided for in the Rcmote Shutdown Room; 8.2.3 Safety and non-safety related cr als used primarily for 0h# initial system startup (e.g., pump suction isolation valves, instrument isolation valves, traiisformer cooling fans, lube

7. N' I

~

oil systems, and fully automated support systems (i.e., oil systems, seal water)) may be locally controlled and not controlled from the MCR. Locating these controls locally wil' not significantly increase operator workload because these support systems are infrequently operated (e.g., after a refueling outage, after mair.tenance);

[ h ( t, 8.2.4 Local controls shall be provided for:

- g a. Where local manual control actions and/or surveillance g A" ._ must be accessed frequently or performed in close Q, , proximity to the equipment (e.g., cycling r. valve during

,-e. i maintenance);

m

b. Where testing and surveillance nuld ennece:;sarily burden the MCR operators and not effect power production or safety;
c. Lo:a1 disconnects for electrical components greater thsn 120 volts to provide personnel protection;
d. For cases in which safety, and power production cupport <

and/or auxiliary system processes are controlled iocally (e.g., filling a diesel generator day tank, ett.;,

administrative controls (e.g. , surveillance, test or operating procedures), physical barriers (t.g., key locks, locked doors) or alarms shall be provided to' ensure that MCR operators are cognizant of all activities that could effect pour production and safety.

11-35

ilYDE.WP DESIGN PRODUCT REQUIREMENTS 11 CRITERIA FOR CONTROL ROOM MONITORING AND CONTROL FUNCTION LOCATION 8.3 Remote Shutdown Room Criteria for Control and/or Monitorina 6k N 8.3.1 The Remote Shutdown Room shall provide an alternate control stat on which can be used in the unlikely event that the MCR L/, q , 3 becomes uninhabitable or damaged. In the event that evacuation of the MCR becomes necessary, the operators shall be provided with the means to transfer control to the Remote Shutdown Room.

1 gg 8.3.2 The RSR shall contain the controls and indication required to:

a) Achieve prompt hot shutdown of the reactor, subsequently referred to as hot standby per standard technical I specificatirns (reactor +ubcritical at operating pressure and tamperature);

b) Maintain the unit in a safe condition during hot standby; c) Achieve and maintain cold shutdown per standard technical specifications.

8.3.3 Specifically, the RSR shall meet General Design Criteria (GDC)

19 of 10CFR50, Appendix A and Appendix R.

f ,6 ,e 8.4 Surveillance. Maintenance and Testina Control and/or monitorina Criteria 4 . "? . I 8.4.1 The MCR operators shall be provided with all indication and controls needed to support any surveillance or testing that r.;st be conducted by icensed opers. tors.- All systems should

, provide the operational status /re4Jiness (bypassed, in test, disabled, etc.) fur display in the MCR.

4 8.5 . Access. Earess and Security Control and/or Monitorina Criteria

8.S.1 The MCR shall be given the ability to override security and provide permissive to allow tecess to all vital area
: at the discretion of the Shift Supervisor or his designated representative. However, MCR operators should not be required to control or provide a permissive to access vital areas as a part of their routine duties. In addition, the MCR personnel shall be automatically alerted to security alerts or changes in plant security status, and whenever any vital I&C equipment door is opened since these may have a direct impact on plant operation and/or safety.

11 36

HYDE.WP DESIGN PRODUCT REQUIREMENTS l I? CRITERIA FOR MAIN CONTROL R00M (MCR) CONFIGURATION II-9 CRITERIA FOR MAIN CONTROL ROOM (MCR) CONFIGURATION 9.1 Overall MCR Confiaurti.ign bC 9.1.1 The Main Control Room (MCR) shall contain areas to accommodate the following:

4. # 1, *.

a) Controlling Work Space with workstations containing plant controls, displays and alarms.

b) Offices for the plant shift supervisor, control room supervisor and remaining operating staff, c) Reference material and emergency equipment storage.

/6 W 9.1.2 The controlling work space shall allow operation by a single

, operator between hot standby and full power. Adequate M.1 7 workspac9 shall. be provided to accommodate up to two suparvisors and up to four operators continuously.

9.1.3 Techniques shall be used in the MCR configuration design which

& W- limit the required ac tss to the controlling work space for non-operating staff during both normal ind emergency dbsb% operation. This is intended to prevent unnecessary 1 distractions to plant operators at the controls, 9.1.4 The MCR configuration shall provide a work station for a control room supervisor within the controlling work space to y.(7 7' q "q allow direct coordination of controlling workspace activities and support his/her tasks.

y' q g' "", 9.1.5 The control room configuration shall allow visibility of a 1

' big board" overview display from all locations within the MCR controlling work space, and from control roca offices.

l

.. 9.).6 The Technical Support Center (TSC) shall be provided with

'f . T 4 . .' . 2 systems and/or features to ensure effective communication with personnel in the MCR including viewing. of MCR activities.

Acceptable systems and/or facilities include Telephones, Viewing Window, Television Display, y 9.1.7 The capability shall be provided outside the NCR for plant

! . Q /(, 3 , p technical staff to access the same real time plant performance data as in the_MCR. Video display devices are an acceptable means to accomplish this.

9.1.8 Accessibility of Instrumentation and Controls - The operators V 9. [. 'l. I

  • shall not have to leave the controlling workspace to attend to-control room instrumentation on back panels or elsewhere

/V- r4 3 o ) c' " s during operations.

6......

_ Il-37

y. . . -

4 liVDE.WP- DESIGN PRODUCT REQUIREMENTS . I

- ' 11 CRITERIA FOR MAIN CONTROL ROOM .

l (MCR) CONFIGURATION j i

/ I 9.1.9 Operator Freedom of Movement - Operatnrs should be able to get _ 4

"' y 3 to any point _in the control; room without having to; overcome- >

obstacles such' as filing cabinets, storage racks, or. '

i maintenance equipment.- Adequate space shall be available for

! the operator to freely access console operating positions.

l Ck (C '

j Communicaticns - The. arrangement of consoles and desks in the-L y' c j* q y 9.1.10 controlling- workspace 'shall- facilitate direct- communication-

, between operators at any combination of workstations.-

M "7 M' 9.1.11 Leaibility - All labels and indications _shall be 'legibl'e at 3 g defined reading' distances.

e 4 4. /. 4 )

i j 9.2 Panel Arranaements 5

9.2.1 The MCR controlling work space shall provide dedicated main operational areas for normal, frequently performed operations and infrequent auxiliary or safety operations.

l The normal operating area- shall.. be designed -for seated and- occasional

! standing operation. The auxil_iary .-and safety operations j' workstations may be designed for seated or standing operation.

l 9.2.2. The normal operator workstation shall provide all controls and j indicators to perform the'following tasks:

! Perform all monitoring and control tasks associated with a)

!- maneuvering the plant from hot shutdown to ~ full power

, operation and return to hot shutdown- __ .

} b) Monitor all major. automatic. controls (e.g., pressurizer l au',omatic pressure and level controls) to maintain plant -

availability c c) Perform standard p6st trip actions
following a: reactor i- trip d) Monitor Critical FunctioF Processes: .during - plant -

l- emergencies t

9.2.3 The normal operator workstation panels that contain functions,

. _ performed most- frequently shall-be placed toward the center of -

4 the-console. '

9.2.4 Controls for safety rebted systems shall be located on panels such that they can: be managed independently from power production and auxiliary systems and so that they are clearlyL

distinguished from non-safety controls.

i f

I

~

11 -38 ~-

L 3

,e_

e,,_ y -.,,,y., , , , . ~ , , , , _ m, my. , _ , . . ..-,.-.,-ews.e-.,*L.-.,.,.-+,--

} . HYDE.WP- DESIGN PRODUCT REQUIRCHENTS 4 11 CRITERIA FOR MAIN CONTROL ROOM l (MCR) CONFIGURATION.

i 4

9.2.5 Controls for non-safety' related systems and . fur.ctions not req ired to be assessed frequently for normal power production shad be located on panels such that they can be r3Nged .

, independently from power production and safety systems.

.i 7

i i

t I

i i

J e

I s

s 9

0 e

11-39

- - . .- .. ,, - . ..-... .- ., . . . ~ - . . . . - . - . . . , , . -

. NYDE.WP DESIGN PRODUCT REQUIREMENTS 11 CRITERIA FOR INDIVIDUAL CONTROL PANELS 11-10 CRITERIA FOR INDIVIDUAL CONTROL-PANELS 10.1 Panel Section Arranaement 10.1.1 Instrumentation and controls on individual panel sections shall be laid out based on operator functions as the primary design criteria, and not on functions of equipment or systems, gq cic o 10.2 Panel Dimensions 6!23 , 10.2.1 Standardized panel profiles shall be used for sit-down panels

' , f. 2. / e

, (that accommodate both seated and standing viewing) and panels that accommodate standing operation only. These panels shall

'g' . ,e c i' m 0 be designed to meet a project specific set of !!uman Factors

c. s Engineering anthropometric guidelines. These parels shall be s- designed to accommodate the 5th percentile female through the 95th percentile male.

10.3 Panel layout 10.3.1 FUNCTIONAL LAYOUT vyr 10.3.1.1 Separate functional groups of components should be

, _ spaced apart so that the functional group boundary is 4 r. # / ^

obvious.

4 p , ,3 r 10.3.1.2 Demarcation shall separate functional groups of componentr, particularly where ample space between functional groups of components is not available.

G . P. (, ^ . b 10.3.1.3 Functional groups within a panel shall be identified by the use of name tags and demarcations.

10.3.1.4 Spatially dedicated alarm tiles shall be.placed in the-upper ust section of a control panel to accommodate viewing when not directly in front of a panel.

f' L .o 10.3.1.5 Display only devices (e.g. VDUs and discrete indicators) shall be placed in the vertical sectica of a control q , p , g . f- panel to accommodate viewing from locations not directly r in front of a panel.

10.3.1.6 Control devices (e.g. process controllers, on/off switches) _ shall be placed in the apron se:: tion of l' panels, below their functionally related display and alarm devices to provide a distinctive break from monitoring functions.

11-40

- _ ~

J HYDE.WP DESICN PRODUCT REQUIREMENTS 11 CRITERIA FOR INDIVIDUAL CONTROL PANELS 10.3.1.7 Devices within panel sections shall be arranged to promote easy understanding of the relationships between the devices and the system. Acceptable relationshi)s for use in determining panel arrangements include tie following: sequence of operation, related function and system flow path.

J Arrangement of Physically Similar Components h r g C P p 10.3.1.8 j ' g, g , 7- a. _ Consistent Layout - The layout of similar control and . display sets shall be consistent at all locations.

f

b. Orientation -

Horizontal rows rather than vertical columns should be usr.1

c. Parsino Rows of Components - Large groups of similar components shall not be laid out in an unbroken row or column (e.g., no more than 5 similar components shall be laid in an unbroken i

row or column).

d. Mirror Imaaes -

Plant relationships may show bilateral (i.e. left-right) symmetry, and this may be an effective organizing framework for displays and controls. However, arbitrary reversal of component layout relationships (mirror-imaging) that does not denote a meaningful attribute of the system shall be avoided.

e. Large Matrices Matrices of similar components shall have labeled coordinate axes for identification of any single component within the grid. The left and top sides of the matrix shall be used for labeling.

Large (more than 5 by 5 element) matrices shall be broken up using physical spacing or demarcaticn.

ft/st eg 5700 10.3.1.9 Paired Controls & Displays 4, g , f, l Controls and related displays shall be closa.ly placed so that the two items are readily associated and can be used conveniently with one another. The control shall be placed so that the display is not obscured by the operator during control operation.

11-41 e, ,- ~>

HYDE.WP DESMN PRODUCT REQUIREMENTS .

, 11 CRITERIA FOR INDIVIDUAL CONTROL PANELS l

10.3.1.10 Paper Surfaces Sit down panels should be provided with open surfaces for required o paperwork (e.g. operatina-procedures, logs,peratoralarm response procedures, etc.). If sit down panels are not provided with open surfaces, such areas shall be provided within the controlling work space with full visibility to the controlling work space panels.

13.3.2 Component Spacing p' pen 37c0 g g,g; g p. 2. 10.3.2.1 Separation between control devices should be sufficient such- that access to one device cannot be impoded by e ,9 J adjacent devices,. and that erroneous activation of P ' U 5 ' ' _',q components can be reasonably avoided.

'c, 5 . l-10.3.2. Where simultaneous actuation of ' devices isL necessary anthropometric guidance shall be provided to ensure that all operators can accompl)G all required control i

7.ctions (e.g., the devices should not be separated by more than 40 inches).

10.3.3 Display Position.

/ 1 Displays and controls shall be positioned on panels considering all project specific. ergonomic criteria. These C ,, f1 6 _/ , .5 criteria shall include:

M #' -

visual field 4 '- # W, display height / vertical angle

/i <3 horizontal display plane angle i f , _ ,, g display distance.

ts j . ;. > . ~

Display position shall accommodate the 5th percentile female through the 95 percentile male to' provide indications within the nominal field of vision, controls within the nominal reach and to avoid excessive movement.

II-42 l-

HYDEcWP DESIGN PRODUCT REQUIREMENTS 11 CRITERIA FOR WORK SPACE ENVIRONMENT 4

11-11 CRITERIA FOR WORK SPACE ENVIRONMENT 11.1 Liahtino & Illumination The level of control room illumination (in foot candles) shall be high enough to adequately perform all anticipated duties without being so high as to cause undue problems with glare and reflectance.

Because some tasks, such as VDU viewing, will require relatively low levels while others, such as paperwork or maintenance may require high levels, control room lighting shall be adjustable and non-uniform.

/Vsey C ?' Task lighting q,g 11.1.1 Illumination levels should be uniform at each work station.

CV~ 11.1.2 Einergency lighting a) Loss of lighting AC power shall activate emergency

,t ' ryr lighting, which shall be independent cf non-emergency 7 power supplies.

? . /, c . ',

b) Under emergency conditions where off site power, or any AC power is available, lighting levels shall be kept the same as during normal conditions, c) Battery packs (for emergency lights) shall be mounted as unobtrusively as possiMe but rtill be accessible for testing. Bulb change ia regular fixtures must be able to be carried out in a speedy manner which does not impair plant operations, g.,,c; c 7 I 11.1.3 Task area luminance ratios 6 d' '

Extreme differences or sudden transitions between the p " ' j ','" # 'c "' us luminance of a task and its surrounds (e.g., ratios in excess a

of 100:1 or 1:100) shall be avoided.

(s.].tl."

11.1.4 Reducing glare and reflectance Techniques shall be taken to limit problems with glare and A '# " 1

  • undesirabia reflectance. Acceptable methods include:

I' I 3 a) maintaining low task area luminance ratios, W, ,j p"'f ',, f "u p- b) low reflectance flooring and wall covering, c) anti-glare screens C h. T' II-43 r - w -

  • ww

. HYDE.WP DESIGN PRODUCT REQUIREMENTS

. 11 CRITi.RIA FOR WORK SPACE ENVIRONMENT 11.2 Noise 11.2.1 Noise levels in control room & work spaces

,%, ca n' 6 . /. f. C The acoustic design of the control rooin shall ensure that 1) verbs 1 communications between operators are unimpaired; 2)

/ V72 D O f'. 7 auditory signals are readily detected; and 3) techniques are used to minimize auditory distraction, irritation, and fatigue of operators, 11.2.2 Noise levels in equipment spaces

- It is recognized that due tu flow, operating equipment, etc.,

h- f , 6. !r the balance of plant will contain r.ny areas that are noisier heTV " , 9 ,,, than the Main Control Complex. Nonetheless, noise levels in equipment spaces should be minimized, where reasonable c .. u possible, particularly for excessive noise from isolated sources. Project specific maximum noise levels shall be establ ished.

11.3 Air OualitY and Temperature

,, <, ,11.3.1 Temperature and humidity

_ ,. s<<;

c The climate control sustem shall be capable of continuously

  • * ' ' ' maintaining temperature and humidity within the project specific comfort zone for an approved heating, 7entilation and air conditioning guideline (e.g., Ashrac Comfort Standard 55-74).

f ./ , C. ; 11.3.2 Ventilation The ventilation system should be capable of intrrducing outdoor air into the control room.

II-44

. HYDE.WP DESIGN PRODUCT REQUIREMENTS II CRITERIA FOR 6 3RK SPACE ENVIRONMENT i

11.4 Architectural Features AQry o f.4 c, 11.4.1 Operator comfort fr. /. 8/ '] Design features shall be employed to assure operator comfort.

Towards that end, . the following architectural and design (f. I, T F featt.res shall be _ incorporated:

?I*E7 a. Adequate seating shall be provided in all work spaces, sufficient to support intended staffing.

A

f

, b. Personal storage space for each on-duty operator shall be provided within or adjacent to the control rcom (but outside the controlling work spact).

l l' c. Work space environmental controls such as temperature and humidity shall provide work . space staff with a

suitable ravige of adjustment tr maintain comfort and

! compensate for - changes in plant arid ambient l environmental conditions.

d. Accessories and wnrk equipment :(logs, chart paper, 1 - office supplies, etc.).shall have appropriate and 2

convenient storage within or adjacent to the control

~

room (but outside the controlltng work space).

I Bathrooms, kitcliens and other facilities 11.4.2 a q, , , , e ,, c 7 11.4.2.1 Bathrooms

} /, , I , p, , t, / ,

Separate men's-and women's lavatories shall be prodded within 100 feet of the main control room.

n to u.Q.,..c*

i _ -11.4.2.2 Kitchen

!~ 6./. C'7'

- A kitchen or food storage and preparation area shall be provided- within : ;00 - feet of the. main control room, Q (( y./[, l, 4/ including an eating area.- sink, microwave,- and refrigerator.

11.4.2.3 Other-facilities-  ;

'A clothes change- and coat storage area (which could i

[h, vif e' C 7@ double as an air-pack, hard hat, flashlight, .etc. area)-  !

shall be provided within 100 feet of the' main control. '

4 4 p, o room.

11-45 W

%. . - , , . - ~ ,~, e -,,-,,.---,,r-< . - - - - , , n-, , , . . -

e a.,+,,,,.e,.,

,..v,-gy. ,-y-e> ,mw,.. vg , , ..,,.,,.,,e.,-. ,

HYDE.WP DESIGN PRODUCT REQUIREMENTS 11 CRITERIA FOR WORK SPACE ENVIRONMENT 6/MT ( 5 3)t'(II.4.2.4 Flooring NN Flooring should be non-slip, non-glare, and minimize Flooring should aid in dust control.

6 N g2yu' foot fatigue.

Inside the control room, carpeting shall be used.

In the event carpeting is nr t allowed for fire or other technical concerns, rubberized mats cr similar devices

, to reduce operator foot fatigue shall be used.

11.4.2.5 Wall covering F#U Cf 3 7F Wall covering should be low-glare and sound-absorbent,

_ , ., and durable aesthetically (easy to clean, able to 1 *-

wi+.hstand rubbing and scrapping).

Communication links between the office and the main operating area shall be provided.

11.4.3 Storage 11.4.3.1 Document storage

/.'.,c. g'i g' Storage space shall be provided so that procedures, 4 logs,' and drawings needed for routine job performance at operator work stations are conveniently available for

<c.'..."

the operator. Document storage shall permit individual documents to ba easily located and extracted.

11.4.3.2 Emerger.cy equipment storage Emergency equipment shall all be stored so as to be fl 's c < ., r ? c' O ly accu.sible, and kept in an immedf ately useable

]a

/ ' "; Equipment su:h as air packs, protective cic,thi ng ,

b " */ ' '

flashlights, etc. shall be located such that operators do not have to traverse ' hostile' environment to reach it.

t l

l 11.5 Desks and Chairs 11.5.1 Desks

/ h's r< /, O)CC Desks shall provide for flat laydown of the maximum size  ;

g , 7, 7,, g , d drawing used in the MCR.

l l

l 11.5.2 Chairs

/k m ) 0700 , II-46 t

v. ,

i ..o . Y:

_ _ . _ , _ . .y.

i ,

, HYDE.WP DESIGN PRODUCT REQUIREMENTS 1 . 11 - CRITERIA FOR WORK SPACE ENVIRONMENT 1

~!

r I - Chairs used at desks and seated work. stations should i- have back rests .. ara rests, cushions, breathable covering, adjustabla seat height, be able te rotate and-have mobility.

  • 4 s

v 1

b t

i-4 4

1 1

1 f

i a

1 4

11-47 fi f

q.---,..,, -- y ,e ., ,, , _ ,--~-,s.,-,..,w i-,..,y . . , -, , , , . , , , , , . . . , , - -

q.c..,,4,e.. ,,y e, a me n , . ,-y, ,4 ,,v,,v.,

.* HYDE.WP. DESIGN PRODUCT REQUIREMENTS 11 CRITERIA FOR PRINT & TEXT FORMAT CONVENTIONS i i

11-12 CRITERIA FOR PRIhf & TEXT FORMAf CONVENTIONS 12.1 bbbreviations and Acronyms 12.1.1 . Acronyms and abbreviations shall be combined and i

.gu*m b6gO maintained on - a single list, known as the Approved lby f,,. (w . u. E.9 Abbreviations List.

! 12.1.2 Management of the approved abbreviations list l The Approved Abbreviations List shall support consistent

/\/g q I e,pc)c) development- of meaningful materials for use. by i' operators, maintainers, designers, engineers,

{ b g-)' 0 technicians, 'and other Operations and Maintenance (0&M) technical- staff. This list will be controlled - and

{ updated as necessary to incorporate new terms. This

! list of -abbreviated- O&M terms . shall not incorporate organizational or administrative terms unless these will j be used in labeling, procedures, tech specs, etc.-

12.1.3 Guidance for generating abbreviations and acronyms shall be provided. Acceptable means' of guidance include things such as an algorithm made cvailable to- all personnel who have a need to generate an abbreviation or i acronym.

l 12.2 Alohanumeric Characters for Labels & Text Human factors standards and guidu;ce shall be dev'- ed and i documented for alphanumeric characters for labels and text, based on accepted industry guidance. These shall be applied througwut the design or mechanisms shall be in place to detect non-ci,mpliance

during subsequent design phases. -The guidance. shalt at dress. the
following basic issues:- font style, use of cases, character size-i and viewing distance, character width, stroke width ant' reacing.

12.3 Other Concerns-

! 12.3.1 Warnino labels - Titles on warning labels (e.g., Caution i

g4 Warning,- radioactivity, ; etc.) should- be 3 times 2 the i -

MTO# 2 minimum specification for legible character size at the

specified reading distance. Text beneath the title h,W \ C It#1 should use the standard size of characters based on the l-T. f. 3' viewing distance.

i 12.3.2 VDU Resolution - The minimum font matrix size should be gg gn,7m,, 7 by 9 dots or pixels per character (12 raater lines per

- <-+

textline).

! b 1, /, . T. ?

11-48 J

.. ' HYDE.WP DESIGN PRODUCT REQUIREMENTS

. 11 CRITERIA FOR OTHER CONTROL PANELS 11-13 CRITERIA FOR OTHER CONTROL PANELS 13.1 Remote Shutdown Panel (k I C2 13.1.1 The Remote Shutdown Panel shall conform to Main Control

,. Room anthropometric guidelines and panel profiles.

4. cf. 3 . 5 13.1.2 System / device layouts on the panel shall use the same layout / format, where possible, as those same features are laid-out on the Main Control Room Panels.

13.1.3 The criteria for print and text format, equipment labels, demarcations, color coding, lighting, noise, and sir quality and temperature used in the Main Control Room snall also apply to the Remote Shutdown Panel.

13.2 Local Panels

,e L; cal panels containing safety related equipment (e.g., Diesel C #

Generator Control Panel) shall provide a Han-Machine Interface (HMI) to operators that will avoid incompatibilities and

% 5' . , encourage a high degree of positive transfer of training when compared to similar MMI interfaces in the Main Control Room.

Acceptable methods of accomplishing this are use of the same Human factors Standards and Guidelines and use of standard MMI devices.

l l

11-49

HYDE.WP DESIGN PRODUCT REQUIREMENTS 11 CRITERIA FOR MAINTAINABILITY-f I

!!-14 CRITERIA FOR MAINTAINABILITY

~

Maintainability humsn factors standa'rds and guidelines shall be deve10 ped and documented. These shall be- applied throughout the design -or-mechanisms shall be in place to detect non-compliance during subsequent design process elements. The guidance shall address the following i maintainability issues: general. HFE principles, standard materials,

! removal and replacement fool proof features (e.q., alignment aids or interlocks), In-situ maintenance, (e.q., accessibility. modular constructun), facility- arrangements and installation (e.q., laydown

space), and documentation of maintenance task data and requirements, and software maintainability.

4 i

l 11-50 l

i l

. - . _ . _ . . - . _ - . . , . . . , . . . . . , . . , , , , . , _ . , . _ ~ _ , . . - . -

_. . . . . - . . . ._ - - . . _