ML20101S676
ML20101S676 | |
Person / Time | |
---|---|
Site: | Farley |
Issue date: | 01/31/1985 |
From: | WESTINGHOUSE ELECTRIC COMPANY, DIV OF CBS CORP. |
To: | |
Shared Package | |
ML19269A987 | List: |
References | |
NUDOCS 8502050585 | |
Text
ATTACHMENT 1 DESIGN PROCESS OF THE FARLEY STATUS TREE MONITORING SYSTEM DISPLAYS
PROPRIETARY INFORMATION NOTICE
TRANSMITTED HEREWITH ARE PROPRIETARY AND/OR NON-PROPRIETARY VERSIONS OF DOCUMENTS FURNISHED TO THE NRC IN CONNECTION WITH REQUESTS FOR GENERIC AND/OR PLANT SPECIFIC REVIEW AND APPROVAL.
IN ORDER TO CONFORM TO THE REQUIREMENTS OF 10CFR2.790 OF THE COMMISSION'S REGULATIONS CONCERNING THE PROTECTION OF PROPRIETARY INFORMATION SO SUBMITTED TO THE NRC, THE INFORMATION WHICH IS PROPRIETARY IN THE PROPRIETARY VERSIONS IS CONTAINED WITHIN BRACKETS AND WHERE THE PROPRIETARY INFORMATION HAS BEEN DELETED IN THE NON-PROPRIETARY VERSIONS ONLY THE BRACKETS REMAIN, THE INFORMATION THAT WAS CONTAINED WITHIN THE BRACKETS IN THE PROPRIETARY VERSIONS HAVING BEEN DELETED. THE JUSTIFICATION FOR CLAIMING THE INFORMATION SO DESIGNATED AS PROPRIETARY IS INDICATED IN BOTH VERSIONS BY MEANS OF LOWER CASE LETTERS (a) THROUGH (g) CONTAINED WITHIN PARENTHESES LOCATED AS A SUPERSCRIPT IMMEDIATELY FOLLOWING THE BRACKETS ENCLOSING EACH ITEM OF INFORMATION BEING IDENTIFIED AS PROPRIETARY OR IN THE MARGIN OPPOSITE SUCH INFORMATION. THESE LOWER CASE LETTERS REFER TO THE TYPES OF INFORMATION WESTINGHOUSE CUSTOMARILY HOLDS IN CONFIDENCE IDENTIFIED IN SECTIONS (4)(ii)(a) through (4)(ii)(g) OF THE AFFIDAVIT ACCOMPANYING THIS TRANSMITTAL PURSUANT TO 10CFR2.790(b)(1).
WESTINGHOUSE CLASS 3
Table of Contents
1 INTRODUCTION
2 BACKGROUND
2.1 THE CRITICAL SAFETY FUNCTIONS
2.2 THE CSF STATUS TREES
2.3 EVENT RECOVERY
2.4 RULES OF USAGE
3 HUMAN FACTORS ISSUES
3.1 A CHANGING PURPOSE FOR THE SYSTEM
3.1.1 Detection
3.1.2 Evaluation/Verification
3.1.3 Response
3.2 MAPPING ACROSS LEVELS OF DATA
3.3 PRESENTING THE VARIOUS TYPES OF DATA
4 INFORMATION TRANSFER GOALS
4.1 DISPLAY SYSTEM TASKS
4.2 DISPLAY SYSTEM ORGANIZATION
4.3 DISPLAY WINDOW TASKS
4.3.1 DISPLAY WINDOW: Collected status of six critical safety functions
[4.3.2 DISPLAY WINDOW: Alert variant of collected status
4.3.4 DISPLAY WINDOW: Status of individual critical safety functions ]a,c
4.3.5 DISPLAY WINDOW: Sensor inputs
4.4 DATA QUALITY
5 DESCRIPTION OF THE DESIGN
5.1 DISPLAY STRUCTURE
5.2 CAPABILITIES OF THE COMPUTER HARDWARE
5.3 DESCRIPTION OF THE DISPLAYS
[5.3.1 LEVEL 1, LEFT SIDE: Collected status of six critical safety functions
5.3.3 LEVELS 2 & 3, INSERT BOTTOM LEFT: Alert bar: ]a,c
5.3.4 LEVEL 2: Status of individual critical safety functions
5.3.5 LEVEL 3: Sensor inputs to decision points
6 EVALUATION OF THE DESIGN
6.1 GENERAL HUMAN FACTORS ISSUES
6.2 SPECIFIC PRESENTATION TECHNIQUES
6.2.1 DISPLAY WINDOW: Collected status of critical safety functions
[6.2.2 DISPLAY WINDOW: Alert variant of collected status window
6.2.4 DISPLAY WINDOW: Status of individual critical safety functions ]a,c
6.2.5 DISPLAY WINDOW: Sensor inputs
7 REFERENCES
1 INTRODUCTION
The purpose of this report is to document the human factors concepts that were used in the development of the Farley nuclear plant computer-based system for monitoring critical safety functions, called the Status Tree Monitoring System (STMS). The process that was used to develop the displays for the system is diagrammed in Figure 1.
The first step in the design of any display system is to analyse the system being represented in the displays. An analysis of the current system for monitoring critical safety functions is presented in the next section.
The result of this initial design step is the determination of information transfer goals: a description of all the information which must be communicated on the displays to the user. These goals usually include such topics as:
• which parameters must be apparent to the user
• which relationships between variables must be portrayed
• how the significance of the data will be communicated
Knowledge of human factors principles for effective person-computer communication determines how the information transfer goals are best achieved. The human factors principles especially relevant to the types of data output from the STMS are discussed in Section 3. The goals for information transfer are listed in Section 4.
The final step in designing displays is to specify the prototype system. The information transfer goals and the principles for effective person-computer communication are used to generate criteria for evaluating the prototype, and the display designs are iteratively evaluated until all criteria are met. The final design for the prototype status tree monitoring system is described briefly in Section 5. The final design has resolved the evaluation questions of earlier iterations. Therefore, the "evaluation" in Section 6 is an explanation of how certain display design techniques were used to accomplish the information transfer goals for the system.
At the conclusion of developing the Farley CSF monitoring system, there was consensus between the designers that the human factors criteria incorporated into the STMS design ensures that the displayed information is readily perceivable, easily comprehended, and not misleading to STMS users.
[Figure 1. Westinghouse Computer-Based Display Approach. Boxes: Analysis of User Information Needs/Constraints; HF Principles for Effective Person-Computer Communication; Display System Information Transfer Goals; Evaluation Criteria; Prototype Display System; Evaluation; Implementation.]
2 BACKGROUND
The present system for monitoring critical safety functions (paper Status Trees) and how it relates to overall plant operations is described in the Westinghouse Owners Group (WOG) Emergency Response Guideline Background Documents. This section will look at the critical features of the present system.
2.1 THE CRITICAL SAFETY FUNCTIONS
The job of protecting a nuclear power plant from the dangers of escaping radiation is conceived as a process of maintaining a series of barriers, ranging from the material surrounding the radiation-producing elements, to the physical barrier separating the plant from the outside world.
The job of maintaining those barriers is defined by the WOG to be based upon the successful operation of certain plant functions, called the Critical Safety Functions (CSFs).
The mapping of functions to barriers is as follows:
Barrier | Critical Safety Function |
---|---|
Fuel Matrix and Fuel Clad | SUBCRITICALITY, CORE COOLING, HEAT SINK, INVENTORY |
Reactor Coolant System Pressure Boundary | HEAT SINK, INTEGRITY, INVENTORY |
Containment Vessel | CONTAINMENT |
To simplify the above mapping, the CSFs have been ordered into a priority sequence which maintains the priority of the barriers in terms of "distance" from the core:
SUBCRITICALITY
CORE COOLING
HEAT SINK
INTEGRITY
CONTAINMENT
INVENTORY
The status of each Critical Safety Function is derived from evaluating a small set of plant parameters which have been selected because of their relevance to the status of that CSF. The Critical Safety Functions have four status categories: SATISFIED, NOT SATISFIED, SEVERE CHALLENGE, and JEOPARDY. The increasing severity of each category means that an increasing number of parameters have been evaluated unfavorably.
2.2 THE CSF STATUS TREES
The parameters that are evaluated to determine CSF status have been arranged into decision trees whose endpoints indicate the different status categories for the CSFs. These "status trees" have been developed to portray the data points in an order that evaluates situations of the highest severity first. As a consequence, the endpoints of the trees are also in this type of order, to the extent that the tree format allows.
2.3 EVENT RECOVERY
Monitoring the CSF status trees is an established component in the procedures for recovery after an event. Obviously, the CSFs are related to a function-based approach to event recovery. In fact, each endpoint in the status trees (except for the "SATISFIED" endpoints) directs the operator to one procedure from a whole series of recovery procedures which are function-based (the Function Restoration Procedures, the FRPs).
It is also possible to try to take an event-based approach to plant recovery. Event-based recovery strategies rely on the ability of the operator to match the current plant state to a predefined set of conditions. These conditions relate to a separate set of recovery procedures (the Optimal Recovery Procedures, which consist of Emergency Event, Emergency Specific, and Emergency Contingency Procedures). If the operator can accomplish this match, the event-based procedures provide the most efficient means of plant recovery. However, to ensure that the barriers to radiation are not being violated, the operator must also continuously monitor the CSF status trees at all times. If the status trees tell him protection is not being maintained, he must leave the event-based guidelines and use the function-based guidelines entirely.
2.4 RULES OF USAGE
The operator's decision to leave the function-based procedures is based upon the status of the CSFs:
• If any CSF indicates JEOPARDY, the operator must stop the ORP, verify that the CSF status is accurate, and begin the appropriate function-based procedure (FRP).
• If no CSF indicates JEOPARDY, but one does indicate SEVERE CHALLENGE, the operator must stop the ORP, verify the CSF status, and initiate the FRP associated with the SEVERE CHALLENGE.
• If no CSF is higher than NOT SATISFIED, the operator may decide whether or not to leave the ORP and initiate the appropriate FRP instead.
• If all CSFs are SATISFIED, the operator should continue with the current procedures.
The operator continues to monitor the CSFs while using the function-based procedures. If at any time a check of the CSFs yields a higher priority CSF status, the operator must stop the current procedure and switch to the one associated with the higher priority status.
The status trees are monitored after reactor trip until the procedures indicate transition to normal operation can be attempted.
3 HUMAN FACTORS ISSUES
3.1 A CHANGING PURPOSE FOR THE SYSTEM
The impetus for designing the automated STMS is to have the computer take over the burden of continuously monitoring the status trees from the operator. This means that an additional, primary task of the computer system is to alert the operator as to its conclusions. Thus the messages of the system are now more like alarms. There are three characteristics of a good alarm system: 1) The operator must be able to detect an abnormality. 2) He must be able to evaluate or verify the abnormality. 3) He must be able to determine the correct response.
3.1.1 Detection
There are six critical safety functions which are evaluated against four status categories indicating the degree of severity. The status categories are determined by multiple data points in a logical relationship, i.e., the status trees. In the paper system, the operator arrived at the status of each CSF by working his way through the appropriate status tree. Once the status of the CSFs had been determined, the predefined priorities of the CSFs and their status categories aided the operator in determining which FRP was appropriate for current plant conditions. Since the computer will now be determining the status of each CSF, it will be possible to display the status of all the CSFs at one time. This "collected status" of CSFs will be the new primary focal point of the data system.
3.1.2 Evaluation/Verification
The operator will evaluate the significance of the status of the collected CSFs by assessing their priorities.
The status trees essentially use a two-dimensional priority system. There are priorities across CSFs and between the status categories for each CSF. A presentation method must be used which integrates the two priority dimensions, and enables the operator to quickly evaluate which CSF to pursue based upon the rules of usage outlined previously.
In order to verify the status of the CSFs, the operator will need to be able to examine the logic that the computer used to determine its conclusions.
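Added example, not part of the Westinghouse report or of the STMS software: a Python rendering of the rules of usage (Section 2.4) combined with the two priority dimensions described above, with status category dominating CSF order. The function names, action strings and sample snapshot are constructed for illustration, and rejecting an incomplete CSF set is an assumption of this example.

```python
from enum import IntEnum
from typing import Dict, List, Tuple

# CSF priority sequence from Section 2.1, highest priority first.
CSF_PRIORITY = ("SUBCRITICALITY", "CORE COOLING", "HEAT SINK",
                "INTEGRITY", "CONTAINMENT", "INVENTORY")


class Status(IntEnum):
    """The four status categories, ordered by increasing severity."""
    SATISFIED = 0
    NOT_SATISFIED = 1
    SEVERE_CHALLENGE = 2
    JEOPARDY = 3


# Action strings are constructed labels for the three outcomes in Section 2.4.
MANDATORY = "stop ORP, verify CSF status, begin FRP"
OPTIONAL = "operator may leave ORP and initiate FRP"
CONTINUE = "continue with current procedures"

Ranked = Tuple[str, Status]


def sort_key(item: Ranked) -> Tuple[int, int]:
    """Severity first (status dominates), then position in the CSF sequence."""
    csf, status = item
    return (-int(status), CSF_PRIORITY.index(csf))


def rank_csfs(collected: Dict[str, Status]) -> List[Ranked]:
    """Order all six CSFs the way a collected-status view must rank them.

    Assumption of this example: a missing or unknown CSF is an error, so an
    absent input can never be read as SATISFIED.
    """
    missing = [c for c in CSF_PRIORITY if c not in collected]
    unknown = [c for c in collected if c not in CSF_PRIORITY]
    if missing or unknown:
        raise ValueError(f"bad CSF set: missing={missing} unknown={unknown}")
    return sorted(collected.items(), key=sort_key)


def advise(collected: Dict[str, Status]) -> Tuple[str, Status, str]:
    """Return the highest priority CSF, its status, and the operator action."""
    csf, status = rank_csfs(collected)[0]
    if status >= Status.SEVERE_CHALLENGE:
        action = MANDATORY      # JEOPARDY or SEVERE CHALLENGE
    elif status == Status.NOT_SATISFIED:
        action = OPTIONAL       # left to the operator's judgement
    else:
        action = CONTINUE       # all CSFs SATISFIED
    return csf, status, action


def should_switch(current: Ranked, collected: Dict[str, Status]) -> bool:
    """True when a fresh check yields a CSF status that outranks the one
    whose procedure is in progress (interpretation: same-status ties are
    broken by the CSF sequence)."""
    top = rank_csfs(collected)[0]
    return top[1] > Status.SATISFIED and sort_key(top) < sort_key(current)


if __name__ == "__main__":
    # Constructed snapshot: lowest priority CSF in the most severe category.
    snapshot = {c: Status.SATISFIED for c in CSF_PRIORITY}
    snapshot["SUBCRITICALITY"] = Status.NOT_SATISFIED
    snapshot["HEAT SINK"] = Status.SEVERE_CHALLENGE
    snapshot["INVENTORY"] = Status.JEOPARDY
    for csf, status in rank_csfs(snapshot):
        print(f"{csf:15s} {status.name}")
    print(advise(snapshot))
```

In the constructed snapshot INVENTORY, the last CSF in the sequence, ranks first because JEOPARDY outranks every other category regardless of CSF order.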
3.1.3 Response
The basic purpose of the status trees is to indicate CSF status to the operator. It is crucial that the operator also know what action to take as a result of CSF status. That is, the new displays must make salient the link between CSF status and the correct procedure to follow.
Also, the operator continues to monitor the status trees while he executes both the event and function-based procedures. He should be able to see the results of the actions he has taken to recover from the event in the parameters contained in the trees.
3.2 MAPPING ACROSS LEVELS OF DATA
The CSFs are determined from multiple sensor inputs. The operator must have a way of assessing the accuracy of those inputs (i.e., the data quality). In the paper system, the operator obtains data directly from control room meters and makes a determination about the legitimacy of those readings by evaluating the behavior of those meters. In this new system, the operator must have a presentation of sensor inputs so that he can check the accuracy of the data. Thus the operator will be dealing with the concepts of CSF status at three levels: he will be comparing the status of collected CSFs, he will be examining parameters relating to CSF status, and he will be looking at sensor inputs to those parameters.
The operator must be able to work between the levels in any direction. This is another example of the derived parameter issue in display design. The operator must understand how to work down from the more abstract levels to the specific to check his concerns about data quality; he must also be able to think "upward" and understand how the data values were combined.
3.3 PRESENTING THE VARIOUS TYPES OF DATA
One of the first questions in selecting formats in which to display data is to ask whether a parameter should be presented in digital or analog form. Two requirements are apparent:
• Status conditions are discrete parameters. A format must be used which presents that quality clearly.
• [ ]a,c
In addition, the status trees have been developed to a point where they portray the relevant decision parameters in a certain order. As a consequence, the endpoints of the trees are also ordered, to the extent that the tree format allows. It would be desirable to preserve this order in the computerized system.
4 INFORMATION TRANSFER GOALS
4.1 DISPLAY SYSTEM TASKS
The display system tasks have been identified in the functional requirements for the STMS. They are listed again (verbatim) in the left column of Table 1. After analyzing the present system, it was determined that four types of display windows were needed to accomplish the system tasks.
• Tasks 16.1.1-16.1.4: In order to identify the highest priority CSF, the operator needs to see the status of all six critical safety functions collected in one location. Thus this is referred to as the "COLLECTED STATUS" window. Because the collected status window has the current status condition for each CSF and the current action priority of each FRP, it also satisfies display system tasks 16.1.1-16.1.3.
• Task 16.1.5: In order to verify the computer's execution of the logic used to arrive at CSF status, the operator will need to examine the structure of the decisions represented by the status trees (the "INDIVIDUAL STATUS" displays). The operator will also need to consult a set of display windows which contain the inputs to algorithms and which describe those algorithms for determining the plant parameters used in the status tree: the "SENSOR INPUTS" windows.
• [ ]a,c
• Task 16.2: In order to display the sensor inputs from the plant to the status tree logic, the operator will need a full set of "SENSOR INPUTS" displays.
4.2 DISPLAY SYSTEM ORGANIZATION
Before determining specific information transfer goals, it is useful to consider the relationships between display windows in the system to enhance the use of the system for status tree monitoring. The result is an organization of displays which lays the groundwork for individual display design.
• First, the operator should be able to see the status of the CSFs at all times while using the display system. It was decided that a variant of the collected status display should be designed which could fit into a small space and thus could be included as an alert window on all applicable displays. The operator's need to understand how the computer evaluated the CSF status can be satisfied with separately accessed displays as long as he can be kept aware of each CSF status (i.e., with the alert window).
• [ ]a,c
Table 1: Allocation of Display System Tasks to Display Windows
Display System Task | Display Window |
---|---|
16.1 - 1. Identify the current status condition of each CSF. | COLLECTED STATUS |
16.1 - 2. Identify the current action priority of each Function Restoration Procedure. | COLLECTED STATUS |
16.1 - 3. Identify the current Function Restoration Procedure associated with each CSF. | COLLECTED STATUS |
16.1 - 4. Identify easily ... the currently highest action priority CSF, its current status condition, and its current Function Restoration Procedure. | COLLECTED STATUS |
16.1 - 6. Verify the computer's execution of the logic used in determining the status condition and Function Restoration Procedure for each CSF. | INDIVIDUAL STATUS AND SENSOR INPUTS |
[ ]a,c | |
16.2 The Status Tree Monitoring System shall display to the user the sensor inputs from the plant to the status tree logic. These inputs shall be displayed in a manner that presents the impact of each sensor on CSF status. ... | SENSOR INPUTS |
4.3 DISPLAY WINDOW TASKS
The following description of display window tasks has intentionally been written in outline format. In developing the displays, the designers found it useful to have a checklist of generic goals from which to start (i.e., the topics in upper case). The specific goals become the criteria for evaluating the ... are used as the structure for the discussion in Section 6.
Each set of goals is organized into three subsets: goals for communicating the purpose of the display window, the structure (i.e., relationships) of the groups of data in the window, and the values of the data themselves.
4.3.1 DISPLAY WINDOW: Collected status of six critical safety functions
1. PURPOSE
1a. GLOBAL PURPOSE: Show status of highest priority CSF.
1b. ASSOCIATED PURPOSE: Show status of each of the lower priority CSFs.
1c. ASSOCIATED PURPOSE: Alert operator to change in highest priority CSF.
1d. ACTIONS ASSOCIATED WITH PARAMETERS: (If status other than satisfied,) show correct function restoration procedures for:
• highest priority CSF
• other CSFs
1e. SIGNIFICANCE OF PARAMETER STATES OR ACTIONS: Show degree of urgency of action.
2. STRUCTURE
2a. DECISION MODES: Show conditions for containment instrumentation [adverse or normal].
2b. RELATIONSHIPS BETWEEN PARAMETERS: Show priorities:
• between CSFs
• between status categories
• dominance of status priorities over CSF priorities
Show associations:
• CSF + status
• CSF status + procedure
3. DATA
3a. PARAMETER IDENTITIES: Provide identifiers for:
• all CSFs: "SUBCRITICALITY", "CORE COOLING", "HEAT SINK", "INTEGRITY", "CONTAINMENT", "INVENTORY"
• procedures for all CSF status categories (i.e., FRP numbers)
3b. PARAMETER STATES: Show names of CSF status categories:
• "JEOPARDY", "SEVERE CHALLENGE", "NOT FULLY SATISFIED", "SATISFIED"
4.3.3 DISPLAY WINDOW: Alert variant of collected status
The goals for the alert variant of the collected status window are the same as for the ... There will simply be less space in which to accomplish them. The following cri... for compromise:
2a. DECISION MODES: Conditions of adverse containment may be shown on another ... window.
3a, 3b. PARAMETER IDENTITIES AND STATES: Identifiers will have to be shown in abbreviated format.
[ ]a,c
4.3.4 DISPLAY WINDOW: Status of individual critical safety functions
1. PURPOSE
1a. GLOBAL PURPOSE: Present the decisions the computer made in determining CS... current decision path.
1b. ASSOCIATED PURPOSE: Show all alternative decision paths, and consequences of each path.
1c. ASSOCIATED PURPOSE: Present the computer decisions in a form... operator uses to determine CSF status in the paper status trees.
1d. ACTIONS ASSOCIATED WITH PARAMETERS: For alternative (and current) decision paths, if status is other than satisfied, identify the applicable function restoration procedure.
1e. SIGNIFICANCE OF PARAMETER STATES OR ACTIONS: Portray current path and endpoint containing CSF status and procedure identifiers.
2. STRUCTURE
2a. DECISION MODES: Show condition for containment instrumentation [adverse or normal].
2b. RELATIONSHIPS BETWEEN PARAMETERS: Show the following relationships:
• Show decisions in order of priority and (thus) endpoint status of alternative paths in order of severity.
• Emphasize current decision path over alternative paths.
3. DATA
3a. PARAMETER IDENTITIES: Show the following:
• Provide full and precise text for each decision statement.
• Articulate decision ("YES" or "NO") to each decision statement.
• Provide identifiers for all parameters used to determine outcome of decision statements.
• Provide identifiers (FRP #s) for all procedures associated with endpoint status.
3b. PARAMETER STATES: Show the following:
• Show value of all parameters used to determine outcome of decision statements.
• Provide identifiers for endpoint status of each alternative path: "JEOPARDY", "SEVERE CHALLENGE", "NOT FULLY SATISFIED", "SATISFIED"
4.3.5 DISPLAY WINDOW: Sensor inputs
1. PURPOSE
1a. GLOBAL PURPOSE: Show sensor inputs to parameters which are used to evaluate CSF status trees.
1b. ASSOCIATED PURPOSE: Where appropriate, show algorithms used for determining value of status tree parameters.
1c. ACTIONS ASSOCIATED WITH PARAMETERS: None.
1d. SIGNIFICANCE OF PARAMETER STATES OR ACTIONS: Show the re... the computer using these sensor inputs.
2. STRUCTURE
2a. DECISION MODES: Show condition for containment instrumentation [adverse or normal].
2b. RELATIONSHIPS BETWEEN PARAMETERS: Show the following:
[ ]a,c
• Show relationship of multichannel average value and channel inputs.
• Present redundant and diverse sensor inputs in a way that promotes comparison of their values.
3. DATA
3a. PARAMETER IDENTITIES: Show the following:
[ ]a,c
Provide identifiers for:
• all evaluative parameters and their units
• ... train, leg, or channel distinctions
3b. PARAMETER STATES: Show values of all summary parameters and all sensor inp...
4.4 DATA QUALITY
The goals for representing data quality have been stated in the Functional Requirements:
"Four (4) quality attributes shall be associated with each variable. The data qualities are Good, Manual, Poor, and Bad. Manual data shall indicate the value has been manually entered into the data base rather than from a scanned sensor. Poor data shall indicate that one or more sensors of a redundant or diverse set of sensors are no longe... Bad data shall be used to indicate that a sensor value is either removed from scan ... being calibrated [without a value being manually entered to replace the datum under calibration], or detected by the system as resulting from failed input devices."
5 DESCRIPTION OF THE DESIGN
[ ]a,c
5.3 DESCRIPTION OF THE DISPLAYS
When reading the following description of the displays, please refer to the figures at the end ...
[ ]a,c
5.3.4 LEVEL 2: Status of individual critical safety functions
The status of each critical safety function is derived by determining the value of a series o... which are connected together in a tree type decision structure to promote ease of use in th... This format was also selected to depict the computer's evaluation of the status of each CSF ... provide a tie to the paper status trees. Since there are six CSFs, there are six separate tre... display windows.
The tree diagrams are shown in a "block" format; that is, the statements to be evaluate... as enclosed decision points from which the tree branches emanate. The values of the parameters ... to evaluate the statements are shown outside of the boxes. At the endpoint of every branch is the descriptor of CSF status obtained by following that path, and the identifier of its associat... Since the questions in the tree are arranged in order of priority, starting from top left and p... right and down, the sequence of endpoints, from top to bottom, is generally in order of CSF ...
The current decision path is shown by thickening the line along the decision route ... When a path is not active, its line and endpoint data are in the neutral color. W... active, the (thickened) line stays the neutral color, but a box surrounds the endpoin... and the identifiers of the CSF status and procedure inside are shown in the color assoc... category of CSF status. Thus the only color to show on each tree is the endpoint conta... CSF status.
During conditions of bad, poor, and manually input data quality, the lines conne... are interspersed at regular intervals by the letters "B", "P" and "M", respectively. The path t... retained during all quality conditions so the operator may trace alternate routes. H... quality conditions, the active path and endpoints are not highlighted.
[ ]a,c
6 EVALUATION OF THE DESIGN
6.1 GENERAL HUMAN FACTORS ISSUES
This display system has been designed to address the human factors issues described in Section 3. The system has three characteristics of a good alarm and therefore STMS system:
• The operator detects the status of the critical safety functions by viewing a display which collects the CSFs in a summary format. He does not have to draw those conclusions himself from separate presentations of individual CSF status.
• The operator is aided in evaluating the priorities of the CSFs because the format chosen for the collected status display integrates the two dimensional nature of the priorities into one presentation.
[ ]a,c
• The operator can easily determine what response to take as a result of CSF status because the displays present that data to him in a format which directly connects CSF status and procedure identifiers.
The structure for mapping across levels is contained within the displays. The operator will be able to work his way down from the parameters presented on the top level displays to their underlying inputs. And the description of algorithms used in the third level displays was included to aid the operator in understanding how the sensor inputs affect overall CSF status.
[ ]a,c,f
[ ]a,c
6.2 SPECIFIC PRESENTATION TECHNIQUES
The goals for the display windows were set up in a hierarchy: to communicate first the purpose, then the structure, then the values of the data in the display window. Often, in the process of satisfying a goal pertaining to the purpose of a display, a lower level goal will be satisfied. Therefore, in the following explanations of how information transfer goals were attained, some repetition occurs. Furthermore, since certain aspects of the displays have already been discussed, compliance with a goal is sometimes noted only briefly.
6.2.1 DISPLAY WINDOW: Collected status of critical safety functions
Goal 1a: Show status of highest priority CSF.
[ ]a,c,f
Goal 1b: Show status of lower priority CSFs.
Method: Collected status display defined to include all CSFs.
Advantage: Operator is aware of status of all CSFs, not just highest priority.
Goal 1c: Alert operator to change in highest priority CSF.
[ ]a,c,f
Advantage: By reserving blinking for change to highest priority, the operator is not overwhelmed by a field of blinking elements.
Goal 1d: Show correct function restoration procedures for the highest priority CSF and other CSFs.
[ ]a,c,f
Advantage: Grouping FRPs together with CSF identifiers makes it unmistakable which procedure to follow.
Goal 1e: Show degree of urgency of action.
[ ]a,c,f
Goal 2a: Show condition for containment instrumentation [adverse or normal].
Method: There will be a message showing the status of containment conditions. This message will appear in the upper left hand corner of all collected status displays.
Advantage: Consistency between displays.
Goal 2b: Show priorities: between CSFs, between status categories, dominance of status priorities over CSF priorities.
Method: See Goal 1a.
Goal 2c: Show associations: CSF + status, CSF status + procedure.
[ ]a,c,f
Advantage: See Goal 1d.
Goal 3a: Provide identifiers for all CSFs, and procedures for all CSF status categories.
[ ]a,c,f
Goal 3b: Show names of CSF status categories.
[ ]a,c,f
6.2.3 DISPLAY WINDOW: Alert variant of collected status window
Goal: Achieve goals of collected status window in smaller format.
[ ]a,c,f
[ ]a,c
6.2.4 DISPLAY WINDOW: Status of individual critical safety functions
Goal 1a: Present the decisions the computer made in determining CSF status, by ... current decision ...
Method: Active path in decision tree, block format.
Advantage: There was some discussion whether to use branch or block format. In the paper vers... was determined that the block format was easier to use for purposes of tracing the active path. The relative advantages and disadvantages of the two formats do not outweigh the concern for consistency between these displays and the paper back-up. Therefore, it was determined that the block version was the most appropriate for the application in this medium.
Goal Ib: Show aJ alternative decision paths, and consequences of each path.
Method: Status trees.
Advantage: The impact of individual parameters on the determination of the active path is clear in the branching nature of the format.
Goal Ic: Present the computer deci< ions in a format clo<cly similar to the one the operator uses to
'deterrnine CSF status with m status trees.
Method: The status trees in the individual status displays are similar-but not identical-to the paper version of the status trees. In order to portray the current status category, the paper version encodes the lines in different patterns, portrays the endpoints of the trees with symbols, and uses the appropriate color
- [
~*
in the line and endpoint. This information is desirable when the trees are used to trace the current path.
However, the purpose of the computerized version is to present the conclusion of tracing through the path.
Thus the computer version uses line coding to show only the active path, and color coding on the endpoint of the current status only.
Goal Id: For alternative land currentl decision paths, if status is other than satisfied, identify the applicable function restoration procedures.
Method: FRPs shown in endpoints of decision trees.
Goal 1e: Portray current path and endpoint containing CSF status and procedure identifiers.
Method: See Goal 1c.
Goal 2a: Show condition for containment instrumentation [adverse or normal].
Method: There will be a message showing the status of containment conditions. This message will appear in the upper left hand corner of the displays.
Advantage: Consistency between displays.
Goal 2b: Show the following relationships:
Show decisions in order of priority and [thus] show endpoint status of alternative paths in order of severity.
Emphasize current decision path over alternative paths.
Method: Decision priority - order of paper status trees was preserved.
Current path - the line connecting applicable decision points is highlighted.
Advantage: The format of the paper status trees is preserved to provide continuity when the paper version is used as the system back-up. Highlighting techniques make the current path immediately apparent.
Goal 3a: Show the following:
Provide full and precise text for each decision statement.
Articulate decision ["YES" or "NO"] for each decision statement.
Provide identifiers for all parameters used to determine outcome of decision statements.
Provide identifiers (FRP #) for all procedures associated with endpoint status.
Method: Text - inside decision boxes.
Answer - within decision boxes.
Parameter identifiers - repeated outside of decision boxes with parameter values.
Procedure identifiers - at endpoints of decision trees.
Goal 3b: Show the following:
Show value of all parameters used to determine outcome of decision statements.
Provide identifiers for endpoint status of each alternative path: "JEOPARDY", "SEVERE CHALLENGE", "NOT SATISFIED", "SATISFIED".
Method: Values - outside of decision boxes.
Status identifiers - in endpoints of decision trees.
6.2.5 DISPLAY WINDOW: Sensor inputs
Goal 1a: Show sensor inputs to parameters which are used to evaluate CSF status trees.
[ ]a,c
Advantage: The operator can expect to find a type of information by looking in the appropriate location.
Goal 1b: Show algorithms used for determining value of status tree parameters.
[ ]a,c
Goal 1c: Show the results of decisions made by the computer using these sensor inputs.
[ ]a,c
Goal 2a: Show condition for containment instrumentation [adverse or normal].
Method: There will be a message inserted in the displays to show containment conditions, where those containment conditions are relevant to sensor accuracy.
Advantage: Operator is aware of containment status where it is necessary.
Goal 2b: Show the following:
Show link between statement on status trees and values used as inputs.
Show relationship of multi-channel average value and channel inputs.
Present redundant and diverse sensor inputs in a way that promotes comparison of their values.
Method: [ ]a,c
Comparison - whenever values are presented for comparison, they are aligned so that their decimal points are (or would be) in the same vertical position. For example, the individual sensor inputs are lined up below the summary statement.
Goal 3a: Show the following:
Show text of [and answer to] all status tree statements.
Show applicable algorithms in succinct format.
Provide identifiers for all evaluative parameters and their units.
Provide identifiers for all train and channel distinctions.
[ ]a,c
Goal 3b: Show values of all summary parameters and all sensor inputs.
Method: Tables, lists.
[ ]a,c
Figure 8. Subcriticality - 2nd Level (a,c,f). Copyright Westinghouse Electric Corporation 1985.
Figure 9. Core Cooling - 2nd Level (a,c,f). Copyright Westinghouse Electric Corporation 1985.
Figure 10. Heat Sink - 2nd Level (a,c,f). Copyright Westinghouse Electric Corporation.
Figure 12. Containment - 2nd Level (a,c,f). Copyright Westinghouse Electric Corporation 1985.
Figure 13. Inventory - 2nd Level (a,c,f). Copyright Westinghouse Electric Corporation 1985.