ML20056E079
| ML20056E079 | |
| Person / Time | |
|---|---|
| Site: | 05200002 |
| Issue date: | 07/30/1993 |
| From: | Stewart Magruder Office of Nuclear Reactor Regulation |
| To: | Office of Nuclear Reactor Regulation |
| References | |
| NUDOCS 9308190306 | |
| Download: ML20056E079 (71) | |
Text
- . .. . _ _ _ _ - - _ - -
, , July 30,1993 i Decket No. 52-002- ,
APPLICANT: ABB-Combustion Engineering, Inc. (ABB-CE)
PROJECT: CE System 80+
i
SUBJECT:
PUBLIC MEETING JUNE 14, 1993, ON SYSTEM 80+. HUMAN FACTORS ENGI- l NEERING (HFE) VERIFICATION AND VALIDATION (V&V) PLAN j On June 14, 1993, a public meeting was held at Brookhaven National Laboratory !
(BNL) Upton, New York, between representatives of the U.5. Nuclear Regulatory .
Commission (NRC), ABB-CE, and BNL. Enclosure I lists the attendees. The l topics discussed during the meeting included ABB-CE's HFE JV .(Enclosure 2),
including an unresolved issue related to procedures. A summary of each of the -
topics discussed is provided below and, where appropriate, agreements between the NRC and ABB-CE are indicated. A detailed. discussion of these topics will- :
be provided in the staff's final technical report that evaluates the ABB-CE !
HFE V&V Plan.
Verification and Validation Plan The staff and representatives from ABB-CE and BNL discussed the staff comments ;
(Enclosure 3) on ABB-CE's HFE V&V Plan. A summary of the staff comments and j ABB-CE responses related to the V&V Plan is provided in Enclosure 4. ,
The staff and ABB-CE reached verbal agreement on the resolution of all of the :
V&V related issues in Enclosure 4 except for Item 7-5 (i.e., system should be -
validated for tolerance to human error; include planned errors in scenarios). ,
The staff and ABB-CE agreed to continue discussions after the meeting related 4 to resolution of this issue. During the meeting, ABB-CE discussed.a handout-(Enclosure 5) that describes ABB-CE's availability verification process and suitability verification process. These figures (and a similar figure for validation) will be included in the HFE V&V Plan.
O rg M g T g p g Stewart L. Magruder, Project Manager Standardization Project Directorate Associate Directorate for Advanced Reactors and License Renewal Office of Nuclear Reactor Regulation
Enclosures:
.As stated cc w/ enclosures:
See next page M
DISTRIBUTION: See next page f.
OFC: LA:PDS PM:HHFBA) PM:PDST:ADAR SC:PDST:ADAR' NAME:.PShe GWest N SMagruder.934 TEssig-DATE: 07 95 07/2/1/93 07/a(3/93 -07/30/93 0FFICIAL RECORD COPY: DOCUMENT NAME: MSUM0614.GW (h
I 9308190306 930730 ,-
a
c s e
' !. ?
p.
ABB-Combustion Engineering, Inc. Docket'No.52-002 cc: - Mr. C. B. ; Brinkman, Acting Director Nuclear. Systems Licensing Combustion Engineering, Inc.
1000 Prospect Hill Road Windsor, Connecticut 06095-0500 Mr. C.-B. Brinkman, Manager
, Washington Nuclear Operations Combustion Engineering, Inc.
12300 Twinbrook Parkway, Suite 330 Rockville, Maryland 20852-Mr. Stan-Ritterbusch-Nuclear Systems Licensing Combustion Engineering, Inc.
1000 Prospect Hill Road Post Office Box 500 Windsor, Connecticut 06095-0500 Mr.- Sterling Franks U.S. Department of Energy-NE-42 Washington, D.C.- 20585 Mr. Steve Goldberg Budget Examiner 725 17th Street, N.W.
. Washington, D.C. 20503-Mr. Raymond Ng 1776 Eye Street, N.W.
Suite 300 3 Washington, D.C. 20006 l Joseph R. Egan, Esquire ll Shaw,.Pittman, Potts & Trowbridge' 1 2300 N Street, N.W. ,
l Washington, D.C. 20037-1128 Mr. Regis A. Matzie, Vice President ~ !
Nuclear Systems Development i Combustion Engineering, Inc. i 1000-Prospect Hill Road
. Post Office Box 500' Windsor, Connecticut- 06095-0500 ,
[
- i i
i
F r .
DISTRIBUTION w/ enclosures:
Docket File PDR PDST R/F DCratchfield MFranovich RPerch, BH7 TWambach SMagruder PShea DISTRIBUTION w/o enclosures:
TMurley/FMiraglia,12G18 RBorchardt JMoore, 15B18 TGody Jr., 17G21 DTerao, 7H15 ACRS (11)
MPratt, 7E4 GWest, 10D24 EJordan, MNBB3701 050n,~. ~
ABB-CE SYSTEM 80+
June 14, 1993 NAME ORGANIZATION Garmon West, Jr. NRR/DLPQ/HHFB Daryl Harmon ABB-CE Robert Fuld ABB-CE Bob Rescorl ABB-CE John O'Hara BNL Bill Stubler BNL Jim Higgins BNL Enclosure 1
,,e ABB-CE'S HUMAN FACTORS ENGINEERING VERIFICATION AND VALIDATION PLAN 4
I t
h t
6 Enclosure 2
- Thth+*4he*4W N] Je- ~ r ., , , . , ,
I.
i 1- s.
6 t
-f RECORD OF REVISIONS t
>f i
DATE PAGES PREPARED BY APPROVALS j No.
INVOLVED ,
0 D. 'ALL i 1
'I
?
i k
i i
?
w t
u 1 2
i i
i b
'a e
i I
l r
3 I
.i s
i 1
..'f
)
3 4
1
- 1 2-NPX80-IC-VP790-03 Rev 00 l 1
l a
~
_ : _. A
- ~ _ _.
1 4
i i
TABLE OF CONTENTS Pace Section Title J 2
RECORD OF RE71810NS . . . . . . . . . . . . . . . . . . . . .
6 1.0 PURPOSE , . . . . . . . . . . . . . . . . . . . . . . .
2.0 SCOPE ......................... 7
3.0 REFERENCES
9 4.0 DEFINITIONS . . . . ._ . . . . . . . . . . . . . . . . .
Il 5.0 MANAGEMENT OF Vsv ". . . . . . . . . . . . . . . . . . . II ,
5.1 V&V PLAN REVISIONS . . . . .. .. .. .
. . . . . . . . . 11-5.2 EVALUATION OF V&V RESULTS . . . . . . . . . . 11 5.3 VEV REPORT STRUCTURE AND CONTENT 11 5.4 MANAGEMENT REVIEW . . . . . . . . . . . . . . . . . ;
. . . . .. . . . . . 12 i 6.0 V&V TASK METHODOLOGY AND CRITERIA 12 l 6.1 AVAILABILITY ANALYSIS AND AVAILABILITY VERIFICATION l 6.1.1 Purpose. . . . . . . . . . . . . . . . . . .- 12. i 12 6.1.2 E_ cope . . . . . .. . . . . . . . . . . . .
6.1.3 Fesources . . . . . . . . . . . . . . . . .- 13 Methodoloey . . . . . . . . . . . . . . . . 13.
6.1.4 14- l 6.1.5 _ Criteria . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . 16 6.2 SUITABILITY ANALYSIS .
6.2.1 Purpose . . . . . . . . . . . . . . . . .. 16 [
. . . . . . . . . . . . . . . . . . . 16 6.2.2 Scope 6.2.3 Resources . . . . . . . . . . . . . . . .. 17 Methodolocy . . . . . . . . . . . . . . . . . 17 6.2.4 .28 6.2.5 Criteria . . . . . . . . . . . . . . . . .. 18 ,
6.3 VALIDATION . . . . . . . . . . . . . . .. .. . . . 18 6.3.1 PurDose . . . . . . . . . . . . . . . . . .
18 l 6.3.2 Scope . . . . . . . . . . . .. . . . . . . '
6.3.3 Resources . . . . . . . . . . . . . . . . .. 19 6.3.4 Methodoloey . . . .. . . . . . . . . . . . 19 6.3.4.1 General Description . . . . . . . . . . . . 19 ;
6.3.4.2 Plant Accident, Abnormal, Normal, and ESI '
and IEC Equipment Failure operating Sequences .. . . . . . . . . . . - . . . . ... ~ 21
. . . . . . . s . . . . . . . . . 22 6.3.5 Criteria . ,
27 7.0 SCHEDULE & MILESTONES 7.1 AVAILABILITY ANALYSIS E AVAILABILITY VERIFICATION 27 i SCHEDULE & MILESTONES . . . . . . .. . .- .. . . .
. . . 29 7.2 SUITABILITY VERIFICATION SCHEDULE & MILESTONES 31 l 7.3 VALIDATION SCHEDULE & MILESTONES ... .- . . . . . . .
. . . . . . . . . . . 33
- 8. 0 - NFE V4V ADMINISTRATIVE PROCEDURES . . . . . . . 33 ,
8.1 FINDINGS REPORTING & RESOLUTION POLICY 3 f NPXBO-IC-VP790-03 Rev 00 l
)
~
~
.1_
i r
I i
TABLE OF CONTENTS .
gection Tit 39 Facs l 8.2 TASK ITERATION POLICY . . . . . . .. . . . . . . . 33 l 8.3 CONTROL PROCEDURE 8 . . . . . . . . . . . . 4 . . . . 33 i 8.4 GUIDELINES, PRACTICES, & COh7ENTIONS . . . . . . . . 33 APPENDIZ A NUPLEI 80+ DESIGN TEAM EVALUATION . . . . . . A-1 LIST OF FIGURES f Figure 7.1 AVAILABILITY ANALYSIS & VERIFICATION PROCESS . 28 Figure 7.2 SUITABILITY VERIFICATION PROCESS . . . . . . . 30 ,
Figure 7.3 VALIDATION PROCESS . . . . . . . . . . . . . . 32 i
t i
?
-1 l
I
. i F
i i
~1 I
- 1
']
I l
4 NPX80-IC-VP790-03 Rev 00
i I
ABBREVIATIONS ASB-CE Asea Brown Boveri - Combustion Engineering ;
ATWS Anticipated Transients Without Scram i CCS Component Control System CFR Code of Federal Regulations CRT Cathode Ray Tube '- ;
CSAS Containment Spray Actuation Signal i DIAS Discrete Indication & Alarm System DPS Data Processing System ETAS Emergency Feedwater Actuation Signal !
EPG Emergency Procedure Guidelines ESDE Excess Steam Demand Event i EST-CCS Engineered Safety Feat".res Component Control System FTA Function & Task Analysis HTE Human Factors Engineering
I&Cs Indications, Controls, and Alarms IPSO Integrated Process Status overview -
LOAF Loss of all Feedwater Loss of Coolant Accident LOCA MCR Main Control Room MSIS Main Steam Isolation Signal PGICR Procedure Guideline Information & Control Requirements f PRA Probable Risk Assessment RCS Reactor Coolant System RSA Remote Shutdown _ Area RSP Remote Shutdown Panel RSR Remote Shutdown Room SGTR Steam Generator Tube Rupture SIAS Safety Injection Actuation Signal TOI Tracking-of-open-Issues (database)
VAC Volts Alternating Current ,
VDC Volts Direct Current V&V Verification and Validation 6
l l
5 NPX80-IC-VP790-03 Rev 00
s i
1.0 PURPOSE The Human Factors Engineering (HTE) Verification and Validation (V&V) Plan for Nuplex 80+ describes how the HTE i V&V is managed, administered, and performed. Additionally, the V&V analysis criteria, nethodology, required resources (e.g. Emergency Procedure Guidelines, normal and abnormal operating sequences, I&C design requirements, HSI hardware ,
including a full scope simulated mockup, etc.), schedule for I activities, and milestones are provided. Specifically, the HFE V&V Plan meets the design process requirements and ,
criteria for availability verification, suitability verification, and validation of the ensemble as defined in .
Sections A-3.6, A-3.7, and A-3.7 of the HFE Program Plan (Reference 1). - t The HTE V&V Plan addresses the requirements of Elemer4t 8, '
, Human Factors Verification and Validation of the draft NRC Program Review Hodel (Reference 3). The intent of the criteria in Element 8 have been ret. This includes: 1) the i design commitment of thoroughly evaluating the HSI as an integrated system using HFE evaluation procedures, "
guidelines, standards, and principles, 2)
Inspection / Test / Analysis including the following: pethod for implementing HTE V&V, documentation of analyses and findings, and review by the Nuplex 80+ Design Team, 3)
Design Acceptance Criteria including the following: 1)
General Criteria, 2) Implementation Plan, 3) Analysis .'
Results Report, and 4) Nuplex 80+ Design Team Evalu,ation :
Report.
~
i i
6 NPX80-IC-VP790-03 Rev 00 I
i
r 2.0 SCOPE l
The HFE V&V Plan applies to all Human System Interface (HSI) '
in the Main Control Room (MCR), Remote Shutdown Area (RSA) and those control stations specified in the Energency- ;
Procedure Guidelines (EPG). V&V in not performedThis on i procedures nor the HSI and procedure ensemble. is performed as a COL Applicant task. ,
j v- ,
i i
i I
4 l
l
(
1
)
I
)
i
. .I i
7 ;
NPX80-IC-VP790-03 Rev 00
~~
'_- 1 14C. _ - .~ . . ,_12_ . , . , '
~ ^ ~" '
l
- i
3.0 REFERENCES
}
- 1. Human Tactors Procram Plan for the System 80+ (TM) Standard .
Plant Desion, NPX80-IC-DP790-01,. Revision 01, December 15, l 1992.- l l
- 2. Gujdelines for Control Roon Desian Reviews, NUREG-0700, U.S. ;
Nuclear Regulatory Commission, 1981. !
- 3. HTE Procram Reviev'Model and Acceptance Criteria for j Evolutionary Reactors, Draft, U.S. Nuclear Regulatory l Commission, 1992. .;
- 4. Nuclex 80+ Verification Analysis Report, NPX80-TE-790-01, i Revision 2, December: 1989. 1!
- 5. Simulator Performance Measures, Final Report, CE-NPSD-514, j Task 572, combustion Engineering,-Inc., December, 1988. ]
- 6. Huran Factors Encineerina Standards,' Guidelines, and Bases- j for System 80+,-NPX80-IC-DR-791-02, (Draft). [
- 7. Office of the Federal Register (1992). . Code of Federal .
Regulations. Title 10, Chapter I - Nuclear Reculatory- .!"
Commission (10'CFR Parts 0-199)-
d
- 8. DelaiJed Control Room Desion Review Supplemental Report,-San l Onofre Nuclear Generating Station,. Units 2 & 3,. Volumes 1 & l 2, SCE Document No. M37328, January 1986.
.j a
- 9. Standard _?eview Plan, NUREG-0800, U.S. Nuclear Regulatory:
Cor. mission, Revision 1, _1984.. j
- 10. Advanced Human-System Interface Desian Review Guideline,- 7 NUREG/CR-5908, Draft, 1992. ;
'I
- 11. Corruter Generated ~ Display System Guidelines (Vol 1 and 2),. '
EPRI NP-3701, Electric Power Institute,-1984.
~
- 12. IEEE Guide _Lo Evaluation of Man-Machine Performance in' Nuclear -Power Generatlyjg Station Control Rooms and Other - '
Peripherie1', IEEE Std .*,45-1988, IEEE, 1988.
- 13. Desion f or Control 'Roons of Nuclear Power Plants, :IEC 964,: 7 Bureau Central de la Ccmmission Electrotrotechnique Internationale, 1989.
t 4
f NPX80-IC-VP790-03 Rev 00- 8
-i
- , - , 4
4.0 DEFINITIONS Availability - verification of task performance capability such that the necessary indications and controls to accomplish a defined set of tasks (e.g., emergency operating procedures) are afforded in a specified work area (e.g., a control room), per Section 3.2.3 and 3.7.2 of NUREG-0700 (Reference 2).
Features - HCR console annunciators, displays and controls are implemented using Video Display Unit (VDU) devices and backlit component control switches on each control console panel. The following applications are standardized Human-System Interface (HSI). features that utilize consistent ,
operating conventions at Nuplex 80+ control panels:
DPS Display Hierarchy DIAS Alarm Tile Displays DIAS Dedicated Parameter Displays DIAS Multiple Parameter Displays CCS Process Controller Displays CCS Svitch Configurations HTE Specialists - Individuals with credentials in the area of Human Factors Engineering equivalent to 1) at least two years of successful graduate-level study of applicable subjects, plus a year of related design experience; or 2) fiva years of related design experience; 3) or any evenly proportioned combination of 1) and 2).
Huzan Factors Engineerino (HTE) - The application of Human Factors Principles and methods to practical engineering and design problems; as distinguished from research and theoretical development.
Human-S,ystem Interface (HSI) - The operator's point of use of a controlled system in terms of indication and control; with particular emphasis on its organization, and the resulting human performance-related constraints.
Jndication and Control Features - General denotation for information output (i.e., from plant systems to human operator) and action input (i.e., from human operator to plant systems) features of the HSI systems, respectively, '
without regard for specific implementation.
Operations Experts - Currently or formerly licensed reactor operators with operating experience on sinilar plants.
9 NPXBO-IC-VP790-03 Rev 00
Procedure Guideline Information & Control Peauirerents (PGICR) - A sunnarization of the procedure-based parametric require =ents for display and control variables identified by the PTA. Sunnaries are sorted from the PTA data base for each variable. For example, characteristics for
" pressurizer pressure" are summarized for each distinct gross function where pressurizer pressure is used.
Characteristics include the following areas: device type, range, accuracy, and units.
Fesponsible Manacement Structure - The organizational and management structure responsible for the direction and integration of HFE in the design of the proposed plant.
Suitability - verification of task performance capability such that the HSI design itens are individually acceptable (i.e., are Usable, or suitable for their intended use) in terns of applicable HTE Design Guidance, per Section 3.2.2 and 3.7.2 of NUREG-0700 (Reference 2).
Systen IEC Inventory - This inventory includes instrumentation characteristics (e.g. device type, range, accuracy, units, etc.) for all instrumentation, controls, and alarms needed (from the systen design engineers perspective). This inventory is generated by the individual system cognizant engineers.
Useb'e - Operable, naintainable, testable, inspectable, efficient, effective, etc.; i.e., sufficient to support the
- operator's specified tasks.
verification - Availability and Suitability analyses; part of the design process (along with Validation) by which HSI design sufficiency is confirmed (per Section 3.7 of Reference 2).
Validation - Evaluation of the dynamic operating ensemble deronstrating trained operators' ability to successfully perform their. anticipated (i.e., procedural) role in the afforded task environment (i.e., the control room design) under anticipated operating conditions (the Validation scenarios). Part of the design process (along with-Verification) by which the HSI design sufficiency is confirmed (per Section 3.8 of Reference 2). ;
I I
i 10 NPXS0-IC-VP790-03 Rev 00
~
5.0 MANAGEMENT OF VGV The Responsible Management Structure of HTE V&V is integrated into the Human System Interface (HSI) design process as described in Reference 1. The responsible management structure vill be responsible for the following: i
- 1. the development of the HFE V&V Plan;
- 2. the implementation of the HFE V&V Plan;
- 3. the final disposition and resolution of all findings identified during the V&V activities. <
5.1 VEV PLAN REVISIONS Revisions to the HFE V&V plan are administrative 1y controlled.
5.2 EVALUATION OF VEV RESULTS Findings and associated resolutions identified during the V&V tasks, as exemplified in Reference 4 vill be itemized and documented in its associated V&V report. The V&V report will be sent to the Nuplex 80+ design team for review and comment. The Responsible Management Structure of HFE V&V ,
will ensure that all comments are resolved.
5.3 V&V REPORT STRUCTURE AND CONTENT V&V analysis reports shall be structured in accordance with ABB-CE internal documentation format requirements. The HFE V&V analysis reports shall include sections or appendices containing the following information: purpose, scope, references, resources used during the analysis, analysis methodology, analysis criteria and metrics, completed analysis checklists or data sheets, recommendations, resolutions, and a list of discrepancies entered into the Tracking-of-Open-Issues (TOI) database.
5.4 MANAGEMENT REVIEW The ABB-CE document review and comment process and document distribution process ensure that the results of the HFE V&V activities are received, reviewed and commented on by the Nuplex 80+ design team. An internal procedure described in Reference 1 requires all human factors and man-machine interface documents for Nuplex 80+, including V&V documents,-
to be distributed in accordance ABB-CE internal distribution requirements.
NFX80-IC-VP790-03 Rev 00 11
'W e a 6.0 VEV TASK METHODOLOGY AND CRITERIA 6.1 AVAILABILITY ANALYSIS AND AVAILABILITY VERIFICATION 6.1.1 Purpose The purpose of availability analysis and availability verification is to:
- 1. to ensure operator tasks can accomplished with available HSI information and controls;
- 2. to ensure that EPG tasks and critical tasks identified in the Probable Risk Assessment (PRA) can be accomplished with the fixed location MCR HSI alone;
Availability analysis and availability verification takes part in two phases (see Figure 7.1):
The purpose of Phase I (Availability Analysis) is to assure that the complete set of the following three-types of requirements are included in the Systen I&C Bequirements (as defined in'section 4.0): 1) Procedure Guideline Information & Control Requirements (PGICR)' (as defined in Section 4.0) as specified in the Functional.
Task Analysis, 2) Federally mandated indication and control requirenents, and 3).the minimum inventory of fixed location alarns, controls, and indications necessary to carry out the Energency Procedure Guidelines (EPG) or critical tasks identified in,the PRA.
The purpose of Phase 2 (Availability Verificationi is to compare the as-designed HSI to the checklist produced by the Phase 1 analysis, this includes:
- 1. verifying and documenting that'all System I&C Inventory are available in the HSI design;-
- 2. id'entifying candidate HSI indications or controls for renoval or relocation.
6.1.2 Scope Phase 1 (Availability Analysis) will be performed as a single task and compares the System I&C Inventory for-the panels in the Main Control Room (MCR), Remote.
Shutdown Area (RSA), and those control stations
^
12 NPX80-IC-VP790-03 Rev 00.
o o specified in the EPGsto the following: 1) Federally mandated requirements, 2) Procedure Guideline and 3)
Information & Control Requirements (from FTA),
sininun set of fixed location alarms, controls, and indications needed to complete the EPGs and critical tasks identified in the PRA. >
Phase 2 (Availability verificationi vill be performed on the HSI for all of the panels in the MCR, RSA and those control panels specified in the Emergency Procedure Guidelines (EPQ) using the availability checklist developed in phase 1.
6.1.3 Resources The following resources will be available:
individual panel design reports containing the MCR and RSA data base inventory elenents. The MCR inventory elenents used for the verification shall include device type, units, and range, scale precision, and accuracy in a data base;
- PGICR will come from the FIA; F
- nininun inventory of fixed location alarns, controls, and indications carry out the EPGs defined in CESSAR-DC;
- System I&C Inventory will come from a controlled .
Systen 80+ project document or data base;
- a qualified HTE specialist will be available to direct and review the analysis.
6.1.4 Methodelecy As exemplified in Reference 4 the following methodology is used:
PRASE 1 METHODOLOGY (AVAILABILITY ANALYSIS)
The following takes place (see Figure 7.1):
1)
A list of all Federally mandated Indication and Control requirements in 10CRF50.34 vill be co= piled j Each Indication based on criteria in Section 6.1.5.
and Control from the compiled list will be confir=ed to be in the Systen I&c Inventory; 2)
A list of all fixed location alares, controls, and indications required to conplete the EPGs will be
\
13 NPX80-IC-VP790-03 Rev 00 1
._-_ _ _. . . _ . , s _.
l l
l 6
+
used. Each Indication and Control from the compiled !
list will confirmed to be in the System I&C J Inventory; )
- 3) The FTA produces a list of PGICR. This PGICR will be ,
confirmed to be in the System I&C Inventory.
The co=parisons will be reviewed to identify -!
instrumentation that may be necessary for the above '
i requirements but were not included in-the System I&C Inventory. System I&C Inventory findings and resolution :
are sent to the System IEC Inventory for final resolution. When the System I&C Inventory includes all three types of reqbirements, an availability checklist ;
is developed to be used in phase 2, availability r verification. When all required HSI are included in the System I&C Inventory, an availability checklist will be -
generated. The requirements-to-inventory mapping, findings, explanations (if necessary),' resolution, and ;
final availability checklist will become part of the availability analysis-report. j PRASE 2 METHODOLOGY (AVAILABILITY VERITICATION) l The availability checklist will be used to evaluate The HOR, RSA, and those control stations specified in the EPG HSI (as defined in the panel design reports) for !
completeness. Discrepancies between the design HSI and the availability checklist will be formally evaluated and resolved. This analysis will identify-findings such as missing required panel HSI, and 2)' unnecessary panel- ;
H5I. The findings and a resolution will be documented.
Any resulting changes to the design will be sent to the TOI data base-for eventual inclusion in the HSI panel report (s). The process will be repeated until the HSI ~
panel designs match the availability _ checklist. The-findings, explanation (if necessary),-and resolution 1 will becene a part of the availability verification report.
5.1.5 Criteria ,
Phase 1 Availability Analysis Criteria ,
I. All of.the required Federally mandated ,
Indication and Control features listed below are '
included in the System I&C-Inventory:
a) Integrated display of safety parameter indications; 10 CFR 50.34 (f) (2) (iv) .
NPX80-IC-VP790-03 Rev 00 -24 [
w . ,
t b) Indication of the Bypassed and Inoperable l~
Status of Safety Systems; 10 CFR
- 50. 34 (f) (2) (v) .
c) Indication of relief and safety valve position; 10 CFR 50.34 (f) (2) (xi) .
d) Indication of auxiliary feedwater system flow; 10 CFR 50.34 (f) (2) (xii) .
e) Control of auxiliary feedwater system initiation; 10 CFR 50.34 - (f) (2) (xii) . ,
f) Indication of containment pressure; 10 CFR
- 50. 34 (f) (2) (xvii) .
g) Indication of containment water level; 10 ':
CFR 50.34 (f) (2) (xvii) .
h) Indication of containment hydrogen concentration; 10 CFR 50.34 (f) (2) (xvii) .
i)
Indication of containment (high level) radiation intensity; 10 CFR
- 50. 34 (f) (2) (xvii) .
t j) Indication of noble gas effluents at potential accident release points; 10 CFR
- 50. 34 (f) (2) (xvii) .
Indication of inadequate: core cooling; 10- a k)
CFR 50.34 (f) (2) (xviii) .
- 1) Post-Accident Monitoring Indications; 10 CFR 50.34 (f) (2) (xix) .
n) Indication of in-plant radiation and airborne activity; 10 CFR
- 50. 34 (f) (2) (xxvii) ;
- 2. All of the fixed location alarms, controls, and .
l indications identified in CESSAR-DC needed to complete the EPGs and perform critical' tasks i identified in the PRA.are included and identified in ,
the system I&C Inventory as a fixed _ location alarm, -
control or. indication; -
- 3. All of the PGICR identified in'the FTA are included in the System.I&C' Inventory;<
- 4. System I&C Inventory.
~
9 15 NPXBO-IC-VP790-03 Rev 00 i
Phase 2 Availability Verification criteria
- 1. All System I&C Inventory items with appropriate characteristics are found on HSI designs;
- 2. There are no HSI that have no operational basis.
6.2 SUITABILITY ANALYSIS 6.2.1 Furpose Suitability analysis addresses the issue of whether the form and arrangement of HSI indications and controls supports operator task accomplishment. It roughly spans the gap between the questions of "is the needed information, and only the needed information, present?" .
(Availability) and "does the design, in terms of actual operators, using the full control room, the actual procedures, the real plant dynamics, etc. actually work together as a whole?" (Validation). Suitability therefore overlaps somewhat with both these areas of evaluative effort. The suitability analysis is performed using two different approaches, 1) a top-down approach, and 2) a bottom-up approach. (
The " top-down" approach attempts to evaluate the appropriateness of the design selections in the context of the big picture. This view considers the overall system design, the nature of real-world operator tasks, ,
and the integration of the parts of the man-machine interface into a coherent and easily used whole.
The " bottom-up" approach uses the control room design review guidelines found in NUREG 0700 (Reference 2).and-the HFE Standards,-Guidelines and Bases (Reference 6) as a set of accepted and established criteria. These criteria are particularly useful for identifying .
individual item discrepancies, such as inadequate letter !
sizes or lighting levels, where genuine specifications-exist.
There is substantial but not complete overlap between the results of the two methods. This is to be expected,.
because they both are directed towards the same system and overall goals;~ it also' indicates that the two '
approaches together are more complete than either one alone. ,
6.2.2 peope .
-l Suitability analysis will be performed on all HSI features in the MCR, RSA and those control stations 16 l NPXBO-IC-VP790-03 Rev 00
P L
h specified in the EPG. Suitability analysis concentrates on added features using prototypes of those edded features. Added features refers to features that are not part of the standard features listed in the ,
definition. After suitability analysis they may be docunented and added to the standard features list.
6.2.3 Fesources The following resources will be available:
- sources for the individual panel I&C features from the individual panel reports as exemplified by the panel mockups or prototypes;
- prototypes of added HSI features;
- suitability criteria provided in the form of
- checklists (to be developed as part of the verification process), as exenplified in Reference 4;
- a qualified HTE specialist and an operations expert to perform the analysis.
6.2.4 Methodoloav As exenplified in Reference 4, the following methodology will be used:
Panel HSI designs will be evaluated using a checklist that contains criteria identified in Section 6.2.5, including a place for comments. The analysis is perforced on individual panel HSI designs however, the analysis concentrates of prototypes of added features (those generic HSI features not previously analyzed).
The criteria vill address suitability for all areas of the Nuplex 80+ HSI design, including, but not limited to the following: control room work space, communications, annunciators, controls, visual displays, labels and location aids, process computers, panel layout and control-display integration.
The findings identified in the panel HSI design suitability analysis, and resolution will be documented.
Any resulting changes to the design will be sent to the ToI data base for eventual inclusion in the HSI panel report (s). The process will be repeated until the HSI panel designs are suitable. The conpleted checklists, findings, explanation, and resolution, will become part of the suitability analysis report for each panel.
17 NPXBO-IC-VP790-03 a
Rev 00
- :- .. ~ -
l E.2.5 Criteria The criteria to determine the suitability of whether the ,
form and arrangement of HSI indications and controls ;
supports operator task accomplishment in contained in Reference 2 and 6, supplemented by the subjective ,
evaluation of the HTE specialist performing the '
analysis. The applicable criteria are presented in the !
form of a checklist.
l 6.3 VALIDATION s.3.1 Purpose The purpose of validation is to ensure that the sum of the various HSI features afforded by the MCR, RSA, and any local '
(
control stations specified in the EPGs provide usable HSI ensembles that support the successful accomplishment of the operator's required tasks under dynamic, real-time
- conditions (i.e. validate performance of the integrated Man- i l Machine system for. System 80+). Validation includes 1 i operator interaction with the ensemole and EPGs.
I specifically, validation neets the following objectives:
i
- 1. Validate ability to execute operator tasks required by procedure guidance.
- 2. Validate the MCR configuration staffing assumptions and :
confirm the' Task Analysis results;
- 3. Validate time response for credited operator actions based on the safety analysis;
- 4. Validate'the allocation of functions and operator f situational awareness; -
S. Validate operator communication and team interaction;
- 6. Validate operation with HSI and I&C equipment failures; I
6.3.2 peone Validation will take place on a stimulated full fidelity' - ' '
simulation of the MCR and RSR using EPGs and selected ,
normal and abnormal operating sequences (e.g. reactor
~
startup, plant cooldown, etc.) . These sequences provide' a frame of reference for evaluation because they require the operators to perform evaluations, take control r actions, gather information, and complete other tasks .. I that require interaction with the HSI ensemble.
E i
NPXBO-IC-VP790-03 Rev 00 .18
.i
6.3.3 Resources The followino resources are reauired for validation: :
- a stimulated full fidelity Nuplex 80+ nockup of all MCR, RSR, and the local control stations required for executing emergency operating sequences and selected normal and abnormal operating sequences (as described in Section 6.3.4); ,
a complete set EPGs for System 80+;
- System 80+ normal operating sequencer for the following: plant heatup, reactor and plant startup and escalation to 100% power, plant and reactor shutdown (100% power to 0% power), and plant cooldown, including mid-loop operation; System 80+ abnormal operating sequences for the above facilities for the following: Rod Drop, '
Inadvertent (Emergence Feedwater Actuation Signal (EFAS), Shutdown and Cooldown from the RSR, Loss of 120VAC Vital Instrumentation, Loss of 125VDC Instrumentation, Loss of Instrument Air, and Loss of Condenser Vacuum; the ability to irplement HSI and I&C equipment failures sequences for the above facilities for the following: Complete loss of Data Processing System .
(DPS), Loss of a Discrete Indication and Alarm System (DIAS-N) Segment, Loss of a DIAS-P Segment, Loss of an (Engineered Safety Features-Component Control System (ESF-CCS) Segment, and Loss of a Hultiplexer;
- a validation team that includes HTE Specialist (s), i design engineers, and Nuplex 80+/ System 80+ trained Operations Experts. The validation team should be familiar with the full fidelity mockup,-the exercise ;
scenarios, and the observation criteria prior to running the exercises. i 6.3.4 Methodolo7v 6.3.4.1 General Description , !
Walk-throughs supplemented by talk-throughs of each of I the plant accident, abnormal, normal, and HSI and IEC equipment failure operating sequences listed in section 6.3.4.2 vill be performed on the full fidelity Nuplex B0+ mockup. For the exercises, a minimum complement of MCR personnel should be represented by operations NPX80-IC-VP790-03 Rev 00 19
^
j
experts. During walk throughs the following will take place:
- a. All validation team personnel will be briefed on the purpose and objectives of the walk-throughs;
- b. Operations experts will walk through the tasks they would perform during the event; to supplement observations, these personnel may be asked to do the ,
following:
- describe what they are doing;* '
- identify information sources they use to complete required tasks;
- describe their selection;
- describe expected system response;
- describe how they verify correct system response;
- c. Observers will observe the operations experts, supplemented by "what if" questions related the event and operator response.;
- d. On selected sequences, observers may trace movement patterns and plot them on control room diagrams;
- e. The observers should compare the integrated Man-Machine system performance to the criteria that this event is designed to validate. This criteria will be provided in the form of a checklist with places to enter notes and findings.
The validation team will be debriefed after each scenario for the purpose of identifying and defining discrepancies. The observation team leader will moderate the discussion utilizing the following techniques to identify and define findingc:
- a. present problems and findings (verbal explanations may be augnented by videotape displays of problems);
- b. present possible causes for problems;
- c. present potential solutions to problems;
- d. present explanations of possible causes and potential solutions.
Identified findings from this debriefing will be documented on a discrepancy form. This discrepancy form shall include the following: discrepancy number, 20 NPX80-IC-VP790-03 Rev 00 ,
scenario discrepancy was identified under, discrepancy description, name of the operator / observer who identified the discrepancy, and resolution.
Each resolution requiring a subsequent design change will be entered into the TOI database. The process will be repeated until the HSI panel designs are validated.
The completed checklists, reviewers notes, findings, identified discrepancy forms, will be compiled and summarized in the validation report. The report will be sent to the Nuplex 80+ design team for review and comment.
6.3.4.2 Plant Accident, Abnormal, Normal, and Ets! and I&C Equip =ent Tailure operating Sequences The following sequences will be used to perform validation:
Eneroency Operation fusino Emeroency Procedure Guidelines)
- 1. Uncomplicated Reactor Trip (Using Reactor Trip Guideline)
- 2. Loss of Coolant Accident (LOCA), including loss of a 480VAC Vital Bus using Optimal Recovery Guideline
- 3. Steam Ccnerator Tube Rupture (SGTR) including a Cooldown in Natural Circulation using Optimal Recovery Guideline
- 4. Excess Steam Demand Event (ESDE) using Functional Recovery Guideline
- 5. Loss of All Feedwater (LOAF) using Optimal Recovery Guideline
- 6. Station Blackout (including recovery by starting a 480V Emergency Diesel Generator) using Optimal Recovery Guideline
- 7. Loss of Off-Site Power from 100% Power
- 8. Anticipated Transient Without Scram,(ATWS) requiring Emergency Boration using Functional Recovery Guideline ,
Normal Operation (usina Normal Operatina Seauences)
- 9. Plant Heatup from Tech Spec Mode 5 (Cold Shutdown) to Hot Zero Power Conditions (Mode 3 Hot Standby)
- 10. Reactor and Plant Startup (0% to 100% power)
- 11. Plant and Reactor Shutdown (100% power to CA power) 21 NPXBO-IC-VP790-03 Rev 00
- ~
_._,.-.~1. .
1 s .
l g
- 12. Plant- Cooldown to Shutdown' Cooling, including aid loop j RCS level operations j
'i Abnormal Operation (usina Abnormal Operatino secuences) -l J
- 13. Rod Drop from 100% power (Reactivity anomaly and' power l transient) {
i
- 15. Plant Shutdown and Cooldown from the Remote Shutdown ~ 4 Panel (including startup of the Shutdown Cooling System) }:
- 16. Loss of a single 120VAC Class 1E Instrument Bus during ,
'j an accident (e.g. LOCA) l
. 1,
- 17. Less of a single 125VDC Class 1E Instrument Bus,from at j
~
power conditions
- 18. Loss of Instrument Air from 100% power ;
. . i
- 19. Loss of Condenser Vacuum from 100% power _ -l HSI and I&C Eauipment Failure Secuences
- 20. Complete Loss of the Data 1 Processing System (DPS) !
i
-a. during an accident (e.g. LOAF) i
- b. during power operation (including a plant and 1 reactor shutdown to Tech Spec Mode 3 (Hot Shutdown' ]
- 21. Loss of power to a DIAS segment -
- a. DIAS-P during an accident (e.g. LOCA) )
l
- b. DIAS-N at power- 3 I
- 22. Loss of an ESF-CCS Segment j
- a. loss of' power'from.at power conditions:( e.g.
greater than 20% power) .
- b. Multiplexer failure..during-an accident _(e.g. LOCA),
l 6.3.5 Criteria l The criteria for validation of the performance of'the , integrated Man-Machine sys. tem for System 80+ are. organized.into six categories corresponding to.the_six' 1 specific validation' objectives identified in Section l 22 j
.NPX80-IC-VP790-03 Rev 00. .
L
}
2 6.3.1. The criteria for each of these categories is as ; follows:
- 1. Validate abildtv to execute coerator tasks recuired by procedure cuidance.
- a. There are sufficient information and controls for the operators to perform all procedural. steps;
- b. There is adequate information for the operators to successfully complete the immediate post trip ,
actions without errors of omission;
- c. There is adequate information for the operators to successfully co=plete the safety function status check without errors of omission;
- d. Operators are able to successfully ' retrieve dynamic data in the format required by the EPG;
- e. Information ne; dei for control actions is located close to (cr '.n the same functional group) as the control;
- f. Operators a;.4 eLle to locate the psrticular display or control device when required;
- g. operators can complete standard post trip actions without errors that cause undesirable transients (e.g., overfilling a steam generator) or plant conditions; l
- h. Operators can perform normal operation sequences and maintain critical plant parameters within technical specification limits for plant heatup, reactor and :
plant startup and escalation to 100% power, plant and reactor shutdown (100% power to 0% power), and plant cooldown;
- i. Operators are able to locate RG 1.97 category 1 data and distinguish it from other types of data;
- j. operators accurately use displays;
- 2. Yaljdate'the MCR configuration staffino assumptions and confirm the Task Analysis resultgi
- a. Operators can perform continuous monitoring tasks without the need to go to panels other than the one where continuous monitoring is taking place-1 NPXBO-IC-VP790-03 Rev 00 23 )
I l
- b. A single operator can perform a plant startup and ,
escalation from 5% power to 100% power without ! continuous support from another operator; ' 1
- c. A single operator can perform normai operating ,
sequences while greater than 5% power and maintain , critical plant parameters within technical , specification limits; !
- d. Adequate work space is provided so physical interference between operators are minimized.
- 3. Validate time response for credited operator actions l based on the safety analysis; e ,
- n. Operators can complete emergency procedure checklists and verify proper response to safety system actuation (e.g. SIAS, CSAS, MSIS) within 30 minutes of the actuation; r b. For control actions credited in the safety analysis, operators can complete within the time criteria specified;
- c. Critical tasks identified in the Task Analysis and Human Reliability Analysis (HP.A) can be completed in the time specified in the Task Analysis; ,
i
- d. Operators can recognize safety function status :
checklist violations, technical specification liait violations, and conditions requiring EPG entry within 30 minutes;
- e. Operators can successfully complete the immediate :
post trip actions withcut errors of omission in 10 , minutes. I
- 4. Validate the allocations of functions and operator i situatipnal awareness- !
- a. There is" sufficient information to evaluate '
procedural conditions and actions (e.g. select , applicable EPG during an accident, Shutdown Cooling System. entry conditions, conditions requiring a plant cooldown, entry conditions for Steam Generator , isolation during a Steam Generator Tube Rupture, ' etc.);
- b. operators can identify and confirm challenges to ;
safety functions before violations occur; j i i i NPX80-IC-VP790-03 Rev 00 24 I
- i
,i m 6 r, -
- c. Operators can identify when the exit conditions for an EPG is reached;
- d. Operators can take control of the followir.g important automatic syste=s and control in manual (Pressurizer Pressure Control, Pressurizer Level Control, Steam Generator Level Control, Control Rod Sequence Control, Steam Bypass Control, and Emergency Diesel Generator Speed Control);
- e. Operators can perform normal plant maneuvering without propagating undesirable transients or plant conditions and maintain critical plant parameters (e.g. pressurizer pressure, pressurizer level, steam generator level, reactor power, average RCS temperature, and reactor power distribution) within normal operating range;
- f. Operators can manage emergency event scenarios within the time criteria credited in the Task Analysis;
- g. The operators can locate, organize and convert dynamic data to the desired format for decision making when complex diagnostic activities are required (e.g. identifying which steam generator has a tube rupture during a steam generator tube rupture event);
- h. Operators can correctly determine available success paths during specified accident scenarios;
- i. Operators can identify automatic actuation of safety systems;
- j. Operators can identify when a safety system is bypassed or becomes inoperable;
- k. Operators can identify critical function. violations using the Integrated Plant St atus Overview (IPSO);
- 1. Operators can identify high priority alarms during an accident;
- 5. Validate operator communication and team interaction;
- a. Operators are able to communicate with each other effectively (e.g. there is no excessive noise, and tasks requiring coordination were completed without excessive repetition of commands and confirmation);
NPX80-IC-VP790-03 Rev 00 25
_m.. _ _ _ l l
- b. The controlling work space accommodates team- '
briefings without excessive. crowding;- I
- c. Operators are able'to communicate with personnel outside the controlling work space easily (e.g. .;
communication devices provided.within easy reach at > panels where continuous monitoring and control is 4 required);- , i
- d. Control room supervisory personnel are able to i interface with management, technicians, and others without excessive interference.with operators in the controlling work space. j i
- 6. Validate operation with HSI and T&C eculement failures. 'l I
- a. Operators recognize and do not use data marked questionable or invalid to make critical decisions; !
J
- b. Operators are able.to locate. alternate sources 1of information when the primary source is unavai3able or in doubt (for scenarios-that result in a loss of- ;
some information); 5
+ ;
- c. Operators recognize within 15 ninutes when'a' control or information system failure occurs;
- d. Following a control system. segment failure operators are able to locate the alternate control device; ;
- e. When there is a control system segment' failure operators'are able to use alternate-control devices' ,
(e.g. process controllers) to perform required -; tasks; l When there-is a control system segment failure.
- f. - ]
during an accident operators are able to'use . _l alternate control devices and complete steps in the~ l time credited in the. safety analysis; j
- g. Following a complete loss of-the DPS, operatorsfare; j able to complete a plant shutdown without causing a ;
reactor trip;(from 100% power in Mode'l to 0% power j in Mode.3;- ) h.. operators-are able complete all-procedure steps and ] reach EPG exit conditions without errors of omission- l following complete loss of the-DPS. j j NPX80-IC-VP790-03 Rev 00 26: } l l
'I
7.0 SCHEDULE & MILESTONES The V&V Program Plan outlines how ABB-CE satisfies V&V program and product requirements. However, it is not yet possible to plan a detailed, sonth-by-month schedule for these activities, due to commercial aspects of the design (future schedule depends heavily on external funding.) A qualitative schedule based on design activities is provided, specifying the general sequence in which these activities will be performed. Exact calendar dates for the work indicated shall remain to be determined. 7.1' AVAILABILITY ANALYSIS & AVAILABILITY VERIFICATION BCHEDULE & MILESTONES . Availability analysis and availability verification can be performed in parallel with, before, or after suitability verification. However, availability analysis and availability verification must be complete before validation exercises and analysis are started. This does not preclude the validation scenarios and checklists from being developed during availability verification. Availability analysis and availability verification is performed in two phases, Phase I and Phase 2, with Phase 1 required to be completed prior to beginning Phase 2. Availability verification produces the following three ottputs:
- 1. an availability checklist;
- 2. a list of resolutions requiring design changes for >
entry into the TOI data base (if any are found);
- 3. Availability Analysis Report.
The availability verification process, including inputs and outputs is illustrated on Figure 7.1. 1 l i i l
)
NPXBO-IC-VP790-03 Rev 00 27 l 1 I
?
Figure 7.I AVAILABILITY ANALYSIS & VERIFICATION PRoCESE i N PROCESS
. . .. . . .A. VA. . .I L. A. . .B. . .I.L. .IT. .Y. . . .A. .N.A. . L. .Y. . .S. . .I .S. . .&
PHASE 1 , i i 1 2 3 Federally Required Rxed PGICR Mandated Location I&Cs from > I&Cs Needed to FTA ) Complete EPGs r 4 v 4 Analyze System I&C Inventory System to Verify All of the above Requirements < I&C
-(1.2.& 3) are Present -
Inventory ; A No I Discrepencies Findings
* & Resolution :
t Generate
- Availability Checklist
- PHASE 2 HSI from Panel Design Reports l Resolutions _ ; ~ v v - Requiring l AvailabilityVerificationh Design Changes i to i TOI Data Base j Rndin9s n ,
Findings -
+ & ;
No Resolutions Findings , V Availability Verification Report --+ Nu e,nB + Team Review i NPX80-IC-VP790-03 Rev oo 28 i i
i i 7.2 SUITABILITY VERIFICATION SCHEDULE & MILESTONES Suitability verification can be performed in parallel bith, I before, or after availability analysis and verification. i However, suitability verification must be complete before validation exercises and analysis are started. This does not preclude the validation scenarios and checklists from being developed during availability verification. suitability verification can be done panel.by panel. Suitability verification produces the following two outputs: '
- 1. a list of resolutions requiring design changes for entry into the TOI data base (if any are found); i
- 2. Suitability Verification Report.
The suittbility verification process, including inputs and : outputs is illustrated on Figure 7.2. l i 1 i i f
+
i
-l>
l NPXBO-IC-VP790-03 Rev 00 29 I f i
_ . . c .u._ :-- :_ ' -_- Figure 7.2 SUITABILITY VERIFICATION PROCESS l
~
SUITABILITY ANALYSIS PROCESS. Prototypes HFE Standards HSI from Assemble Panet Design e Sultability of Added & Features Guldelines Reports Analysis
- Team .
i Resolutions Requiring l Design Changes l I to - y v v ' -TOl Data Base . Suitability ^ i Analysis __. Findings ; Findings Resolutions : No _ t Findings v ; Sultability Nuplex 80+ ! Verification > Design -_ 1 Report . Team Review- .' 30-NPX80-IC-VP790-03 Rev 00 , e ! I
7.3 VALIDATION SCHEDULE & MILESTONES Validation exercises and analysis cannot begin until both availability verification and suitability analysis and verification are complete. However, this does not preclude validation scenarios and checklists from being developed during either availability analysis and verification or The validation process produces suitability verification. the following three outputs:
- 1. Validation scenarios and checklists,
- 2. a list of resolutions requiring design changes for entry into the ToI data base (if any are found);
- 3. Validation Report. ,
The validation scenarios and checklists require the , following inputs prior to completion:
- 1. Complete set of EPGs;
- 2. Representative set of operating sequences, as '
defined in Section 6.3.4.3;
- 3. Representative set of abnormal operating sequences, as defined in Section 6.3.4.3;.
To run the validation scenarios the following must be - available:
- 1. A stimulated full fidelity Nuplex 80+ nockup of the NCR and RSR capable of running the scenarios listed ;
in Section 6.3.4.3,
- 2. A complete set of validation scenarios (approved by the Nuplex 80+ Design Team);
- 3. A validation team including Operations Experts trained on Nuplex 80+/ System 80+, HFE Expert (s), and !
systems engineers. The validation process, including inputs and outputs is illustrated on Figure 7.3.
+ .
31 NPX80-IC-VP790-03 Rev 00
h Figure 7.3 VALIDATION PROCESS VALIDATION PROCESS Complete Representative Set Representative Set of ; Set of of NormalOperating AbnormalOperating EPG for Sequences Sequences System 80+ for System 80+ for System B0+ 4 y v , Develop Validation Scenarios
& Checkiists b :
- Nuplex 80+ Design Team Review & Approval ,
k , Validation , Scenarios & Checklists Stimulated Full ., Assemble Validation Team Fidelity Mockup <- HSI Design of Nuplex 80+ a
+- v v Resolutions Run Scenarios & -
Requiring' Perform Validation Design Changes to ; TOl Data Base : Findings n 1 Findings- 1 Resolutions No Findings l 4
' Nuplex B0+
Validation Report > sn
, Team vew l
)
1
^
i 32 NPXBO-IC-VP790-03 Rev 00
, ... _~ - - ,- . .- - . - . - .
7
')
+
..- .. q i
'I
+
l
'8.0 EFE v'v& ADMINISTRATIVE PROCEDURES .
1 i S.1 FINDINGS REPORTING & RESOLUTION POLICY i Each.of the findings identified during the V&V tasks will- l resolved, itemized and documented.in its associated V&V - l report. These itemized findings and' resolutions (except 1 phase 1 availability analysis findings and resolutions), as l exemplified in Reference 4 will sent to the TOI. data base .; for tracking.until incorporated into'the design. Phase 1 ; availability analysis: findings and resolutions will be sent l to the System I&C Inventory for incorporation into the- ! design. .The V&V reports will be sent to the Nuplex 80+ design team for review-and comment. The Responsible- g Management Structure of HFE'V&V will ensure that all- l comments related to'the findings and resolutions are , resolved. The Responsible Management Structure of HFE V&V- l will also ensure that any finding and resolution requiring a j design change is entered into the TOI data base. .i
- . i 8.2 TASK ITERATION POLICY j All V&V tasks that identify a finding will be considered for- i iteration as part of the Nuplex 80+ design review and comment' process. If iteration of a V&V task ils determined - ;j to be necessary, the Responsible Management-Structure of HTE l V&V will determine the level or iteration, schedule,-and l 3
ensure that the associated V&V task iteration-is completed. 7 After iteration of the analysis, the V&V task will.followz the HFE V&V control procedures regarding' document review and' l]
-- comment until final resolution. j l
8.3 CONTROL' PROCEDURES ! A formal procedure will be issued to control V&V activities. -l J 8.4 GUIDELINES, PRACTICES, & CONVENTIONS l l The following guidelines, practices, and conventions are used for the HFE V&V processes for Nuplex 80+:- j Guidelines for Control Room _Desian Reviews, NUREG-0700, U.S. 1
'NLclear Regulatory Commission, 1981'(Referencei2)._ , :l; HTE Procrap Review Model and Acceptance Criteria for !
Evolutionary Reactors, Draft, U.S.7 Nuclear. Regulatory-
~
Commission, 1992-(Reference 3). Nuplex 80+' Verification Analysis Report,:NPX80-TE-790-01,-' ! Revision 2, December 1989 (Reference 4). l 1 NPXBO-IC-VP790.-03'Rev 00 33 I Li
e: . Detailed Control Room Desien Review Sunclemental Report, San Onofre Nuclear Generating Station, Units.2 & 3, Volumes 1 & 2, SCE Document No. E77328, January 1986 (Reference 3). Standard Review Plan, NUREG-0800, U.S. Nuclear Regulatory com=ission, Revision 1, 1984 (Reference 9). A_dvanced Human-System Interface Deslan Review Guideline, NUREG/CR-5908, Draft, 1992 (Reference 10). Computer Generated Disolav System Guidelines (Vol 1 and 21, EPRI NP-3701, Electric Power Institute, 1984-(Reference 11). IEEE Guide to Evaluation of Man-Machine Performance in Nuclear Power Generatine Station Control Rooms and Other Peripheries, IEEE Std 845-1988, IEEE, 1988 (Reference 12). - Design for Control Rooms of Nuclear Power Plants, IEC 964, Bureau Central de la Commission Electrotrotechnique Internationale~, 1989 (Reference 13). NPX80-IC-VP790-03 Rev 00 34
Mfl@IX A FUPLEX 80+ DESIGN TEAM EVALUATION HSI design team evaluation is done by a multi-disciplined internal review without issuing a fornal HSI design team evaluation report. The system 80+ Program Plan (Reference 5) describes this review process. Significant comments received and resolved during this review process include the following:
- 1. The overall objectives of validation should be clearly stated and include the following: integrated system performance of the integrated HSI, including IPSO, confirm task analysis and staffing assumptions, operator communication ability, credited operator actions time response, and evaluation of function allocation and situational awareness.
- 2. Phase 1 verification should ensure that EPG tasks and critical tasks identified in the Probable Risk Assessment (PRA) can be accomplished with the fixed location NCR HSI .
^
alone;
- 3. Validation exercises should include all EPG;
- 4. Validation exercises should include a special category of scenarios that include HSI and I&C equipment failures;
- 5. The V&V Plan should clearly identify V&V activity outputs and inputs to other design activities;
- 6. Part of the resolution analysis should identify whether all or a portion of the V&V activity needs repetition;
- 7. Findings and resolutions should feed the TOI data base or the System I&C Inventory;
- 8. Validation should include time response tasks identified in the Task Analysis;
- 9. Validation criteria for operator error should be included;
-10. Control / display interaction criteria should be added; II. Validation sequences should be identified in the V&V Plan.
- 12. The SONGS validation program for EOIs provides a good example of a validation methodology that may be nodified to accommodated Nuplex 80+ validation;
- 13. Review and comment of V&V reports should be done by the Nuplex 80+ design team; NPX80-IC-VP790-03 Rev 00 A-1
- 14. Availability verification should be performed in 2 phases; phase 1 should ensure the System I&C Inventory is complete and phase 2 should verify the HSI on the Panel Design Reports includes all required System I&C Inventory;
- 15. Definitions are needed for PGICR and System I&C Inventory;
- 16. Suitability analysis must be performed on HSI devices in the HCR, RSA, and those control stations specified in the EPG;
- 17. Prototypes of added features are needed for previously unanalyzed features;
- 18. Confirm need for HFE V&V to verify Federally mandated indication and control requirements;
- 19. Confirm the need to verify the System I&C Inventory for completeness;
- 20. Consistent terminology should be used throughout the HFE V&V Plan;
- 21. Plan should specify that suitability verification can be done by panel.
3 I NPX80-IC-VP790-03 Rev 00 A-2 0
=%m'-
eg 9 DRAFT TECHNICAL REPORT FOR ELEMENT 8 VERIFICATION AND VALIDATION PLAN , l h t l a P k I L P i Enclosure 3 i
i .& 9
- 1. INTRODUCTION The NRC Human Factors Engineering Program Review Model(PRM) for advanced evoludonary reactors specified that a formal verification and valida60n (Element 8) of the human-system interface OlSl) should be performed. The staffs Draft Safety Evaluation Repon (DSER) review of the CESS AR has identined an open issue related to PRM Element 8 (i.e.. DSER issuc 18.10 ,
1).
- 2. OBJECTIVES ,
he objective of this review is to provide comments on the ABB-CE plan related to PRM Element 8 Venfication and Validadon. , i
- 3. METHODOLOGY ,
3.1 Material Reviewed The following AHB-CE documents were used in this review: , I. Draft Human Faciors Engineering Verifica6on and Validation Plan for Nuplex 80+, Rev (X) (NPX80-IC-VP790 03). LD-93 tXis.1/1R/93, hereafter n:ferred to as the " Plan." 7
- 2. CESS AR Section 18.9 VeriGeation and Validation (Amendment E),12/30/88. l
- 3. Human Factors Program Plan for the System 80+ Standard Plant Design (NPX80-IC-DP790-01, Rev 01),12/15/92.
.: . NUPLEX 804 Vcnfication Analysis Repon (NPXS0-TE790-01) Revision 2,12/13/89
- 5. System 804 Prototype Design Descriptions and FTA.AC (LD-93-038),3/5/93.
3.2 Review Scope 1 ne scope of this review was centered on the V&V plan. although additional ABB-CE documents , were consulted (as referenced above). The neview focuwd on (1) resolution of DSER issues,and (2) evaluation of the ABB-CE documents with respect to the topics and general criteria of the PRM. Complete adherence to the PRM was not considerrd to be mandatory. Differences in approach would be considered acceptable provided (1) the program can still mcci the HFE commitment and goals,(2) the difference between the proposed criteria and those contained in the PRM are adequately justified, and (3) there is no adverse impact on other program elements. . 3.3 Review ~ Procedure , As indicated above, the staffs Draft Safety Evaluation Report (DSER) review of the CESSAR has identified an open issue related to PRM Element.8 (i.e., DSER 1ss,uc 18.10-1). The draft Plan was developed following a meeting held on September 10th and lith between the staff and ABB-CE to addrets DSER issues. De Plan was n: viewed using the PRM Element 8 general criteria as they would apply to an implementa6on plan (as contrasted to a final repon of the V&V cffon). T1e l D1Rfor Eternent 8 Ven)) canon a valu! anon Plan (May 20. Ivv.U . Puxe 1 I
4 focus of an implementation plan is to provide the mcthodology by which the general criteria of the PRM clement are to be accomplished. Thus, the Plan was evaluated in tenns of the PRM general cntena and the inethodology proposed for the V&V activides. ne following materials were consulted as pan of the evaluation: NUREG-1492 Draft Safety Evaluation Report. September,1992. (DSER) 1.
- 2. Public Mectirig minutes from September 10-11.1992, hereafter referred to as the .;
- September meeting.'
- 3. NRC HFE Program Review Model for Evolutionary Reactors (PRM).
- 4. Review of the ABB-CE Sysicm 8th Human Factors Program Plan (BNL -
Technical Repon E2090-T21-3/93). March 1993
- 4. R ESULTS 4.1 DSER Review :
4.1.1 DSER issue in the staffs initial review of this element reponed in the DSER. Open Issue 18.10-1 was ' identified. The open issue identified concerns including:
+ Establishment of V&V criteria to suppon the assessment of test results;
+ Incorporatmn of ' human centered" operator performance such as operator ,
workload in V&V tests; and
- Verifying that the integrated control room suppons the stafGng requirements of 10 !
CFR 50.54(m). In the September 10th and 1 Ith meeting. CE agreed to address these concerns in a V&V Plan to : include the following 15 iteme (a) Identification of a st.hedule for a validation report, ) t10 Evaluation of design goals and functional requirements, ; Cntenon 2 of the PRM. [ (c) (d) Evaluation of availability and suitability of HS1 elements, j i (c) Evaluation of integration _ of HS1 elements with each other and personnel including HSI prototypes and plant simulator. 1 (f) The dynamic evaluations in Criterion 5 of the PRM, The perfonnance measures for dynamic evaluations included in Criterion 6 of NRC's : (g) HFE Program Review Model, (h) Veri 6 cation that all issues addressed m the applicant's HFE Issues Tracking System have been addressed, ; VeriGeation that critical human actions have been supported in the design. ;
.(i) -
(j) Operational definitions of " adequate" and " acceptable.' (k) Demonstration that control room design accommodaies the staffing requirements of 10 CFR Pan $0.549(m), (1) Specification of additional skill areas required other than HFE specialists and operations ; experts to pe.rform a formal analysis. ;
~!
D1Rfor Element 8 Venfttutwn & Valalutwn I'lan (Muy 20. Ivv3) Page 2 l
+ - ~ ~
- w. ..e..- r r t. , t , e n, . ,_ ,., , ,, , _ c . u.
e s (m) Evaluation of operator aids, (n) Demonstration of acceptable operator performance, and (o) Evaluadon of yo4 tor perform.snee undcs degraded conditions including complete failure of the DPS. 4.1.2 Issue Resolution These 15 items addressing the DSER open issue are addressed in Section 4.2. Table i provides a - cross reference between the incm specification and the appropriate V&V plan section and Subsection of 4.2 in this document where the stem 15 addressed. Tahic 1. Resolution of DSER lssue items ITEM PLAN SECTION TER SECTION a 7 4.2.7 b 63 4.2.6 e 6.1.2/62.2/632 4.2.1 d 6.I10.2 4.2.4/4.2.5 e 6.3 4.2 6 f 6 3 4.2 4.2.6
- g 6.3.4.1/615 4.2.6 h et :uhsed 4.2.3 s 61 4 2.6 1 not ack!rcued (xx Nate 1) 4.2.6 k 6.3.5 4 2.6 1 6 I/6 216.3 4.2.3/42.4/4.2.54.2.6 m rul dirtsol not addrev.cd (sce Note 2) n 615 476 0 6.3.4.2 4.2.6 Note 1 0;rratiotal dcnnitions of " adequate' and " acceptable" are not meciGcally
- dJmwd. however, the VI V methah piuvide entena that a.Mrets what con (6tutes adequacy ark 1 actrplabihty.
twoic 2. 0;rrator aid ( are not specarically adJrnuxi. towever, the sdenuncauon of as should be accomphshed through the V&V analyses. 4.2 PRM Criteria. Based Evaluation
- According to PRM General Criterion I, the V&V cvaluadon shall ensure that the performance of .
the HSI. when all elements are fully integrated into a system, meets (1) all HFE design goals as established in the program plan; and (2) all system functional requirements and support human
- operations, maintenance. test, and inspection task accompli.shment. This is accomplished through
- set of evalua6ans which are described below.
4.2.1 Scope Critersur PRM Ceneral Criterion 2 states that V&V evaluations chall addrete D1Rfor Lirmera b Vetsjitutiers & Valid.nion Plan iMay 26. I993) Page3 e .
Human-hardware interfaces Human-suftware interfaces Procedures Workstation and console conGgurations Control room design Remote shutdown system Dcsign of the overall work environment Eruluation: The Plan scope is identified in several arcas. A general scope statement appears in ' Secuon 2 which idendfies the scope as all HSis in the main control room (MCR), remote shutdown area (RSA), and the local control stadons (LCSs) specified in the emergency procedure guidelines (EPGs). Procedun;s are speciGcally cxcluded from V&V as is, therefore, the ' integration of the procedures with the rest of the HSI. The reviewers mterpret the reference to HSis to include all of the above with the two excepdons discussed below. ' First, it is not clear that V&V activities will be directed toward environmental considerations such as lighdng and noiw in the MCR and lighdng, noise, temperature.etc. at local pancis. ABB CE' consideration of the work environment should be clanned. Second the issue of the ahence of a procedure element from the HFE program has already been identiGed (BNL Technical Repon E2090-T2-l-3/93). The scope of ABB-CE's V&V cffort will remain open until the procedure issue is resolved. 4.2.2 Technical Basis in Current Literature Cntenon: PRM General Cnterion 9 states that V&V effen shall he performed using the set of identified documents as guidance (see the PRM for the speciGe list). The purpose of this i.riterion
~
is to ensure that the HSI is cvaluated using accepted HFE principles beed upon current HFE pracdecs? Eruluution: Sections 3 and IR4 of the Plan idendfics documents that are identified as V&V plan - references. Many of these documents correspond to the documents identined in PRM General Criterion 9. However, while the section is entitled references, most of the documents listed are not specifically referenced nor is it clear how they were used. For exampic, EPRI NP 3701, , Computer Generated Display System Guidelines,is rescrenced; yet in the section on suitability verification (where the document would most likely be applied), it is not identified as a critena ' drument. An esamination of the VenGention Analysis Report did not indicate that anything other than NUREG-07(0 was used for verification. This document does not contain adequate criteria for a CR such as the Nuplex 80+. Clarify how industry documents will be utilized. 4.2.3 Human Factors Issue Resolution Verineation Crirenon: PRM Criterion 7 states that a verification ~shall be made that allissues documented in the Human Factors issue Tracking Sysicm have been addrc33cd. ; Evalaction: VeriGcation of HFE issues resoludon is not addressed in the Plan. l UIRJor Lkment 8 Verzficcuon & Vahdation Phn (May 26. IW.U Page4 i
, u. w c m .,e.,c w ,
Criterion: Implementauon Plan Requin ments for Methodology Specification (relevant to this scnfication).
+
General objecuvcs Methodology and procedures Cniena for evaluation of results Evaluatiors: Not addressed in the plan. 4.2.4 IISI Task Support (Availability) Verification Criterion: PRM Cntenon 3 states that individual HSI elements shall he evaluated in a static and/or
- pan-task
- mode to assure that all contmts dispir.ys, and data processing that are required to -
accomplish human safety related tasks and actions las defined by the task analysis, EOP analysis, and probabilistic risk assessment / human reliability analysis (PRA/HR A)] are available through the HSI. Evaluation; Plan Section 61 desenbes the approach to availability verification. ABB-CE's availability analysis accomplishes two objectives: first, consistent with PRM Criterion 3 to ensure that all required HSI elements are available; second, to identify HSI elements that are not required for task accomphshment so that they can either be removed or relocated to the appropriate placc. De latter objective is consistent with one of the purposes of HFE verification in the PRM and is described in Draft NUREG/CR-5908 The wope of the tasks to be analyzed is unclear. Under " Purpose" item one identified " operator tasks" with no qualification. Under purpuse of availability analy3is, the
- procedure Guidclinc Information & Control Requirements (PGlCR)is identified along with the minimum inventory and federally mandated requirements. He PGICR is defined as "a summarianon of procedure-based parametric requirvments? The scope of Phase 1 is then 6cd to those aspects of the HS1 that are
'si ecified in the EPG
- It is unclear whether the availability analysis will be limited to EPG-based actions? PRA cntical tasks normal operations abnormal operations should be addressed as well.
- Criterion: Implementauon Plan Requirements for Methodology Specificatmn (relevant to this serification).
General Objectn es Methodolopy and procedures Panicipants Analyus Cntena for esalua6cn of results Utili7ation of evaluations Evalunrion: While most of the information identified above is provided in the Plan, several points regardmg methodology require clanfication:
- 1. Under the Phase 1 purpose paragraph. should the last line read "EPG and critical tasks" rather than TPG or critical tasks."
- 2. Tbc uitcria for asailabihty analysis critciis foi SPDS should include NUREG-1342 since the 10 CFR 50.34 (f)(2)(iv) requirements are very general. The post accident monitoring indications should include Reg. Guide 1.97.
- 3. Availability analysis criteria number 4 states " System 1&C Inventory" only. What is the critenon?
D7Rfor Elmas 8 Venfication & Vahdanon Pfar: (May 26. JW3) Page$ r
- . ~ , .;- m- o.: w r ,- m ea t - orc.up--- -
w...- . . . - . . . - ,-- i
- 4. Depending on the clasificatism of the task scope issue (and 2 above), the availability analysis may sesult in a list of minirnally acquired ilSI clements. As such, the liu may not be necessary and sufficient for a fulJ ranpe of operauons. De Phase 2 methodology addresses identification of HS1 elements that are not required for task .iccomplishment. It seems as though an
- unnecessary" aspect of the 11S1 wnuld be anything not on the list resulting from availability analysis as defined and would require removal of anything not on the list (note: "De process will be repeated until the 1151 panel designs match the availability checklist"). The development of the checklist and the specification of what is unnecessary needs to be clarified.
4.2.5 HFE (Suitability) Verification criterion: PRM Criterion 3 states that individual HSI elements shall be evaluated in a st "part-task" mode to assure that all controls, displays, and data processing that are required arc designed according to accepted HFE guidelines, standaids, and principles. Saluation: Sunability veriGeation is addressed in Section 6.2 of the Plan. He stated purpose of suitability venGcanon is consistent with the PRM criterion. The proposed methodology is addressed below. Criterion: Implementation Plan Requirements for Methodology SpeciGeation (relevant to this verincation). General Objectives Methodology and procedures Panicipants Performance rueasures
- Analysis Cnteria for evaluadon of results
- Utilizatinn of evaluations nulaation: he plan generally addresses the above requirements. The general approach is good, but sescrai points of cl.uiGcation are requested.
- 1. Suitability is addressed using both a top-down and bottom-up approach. The top-down approach addresses the appropriateness of design selections within the context of operator tasks (which is consistent with " appropriate use' considerations in NUREG/CR-5908). However, the methodology settion,6.2.4, seems unty to addre33 the bottom up appmach. Consultation of the VenGeation Analysis Repon appeared to have the same limitation. ClariGration of the methodology by which top-down analysis is accomplished is needed.
- 2. ne bouom-up approach ut.cs HFE guidance as a basis. The criteria identified are limited to ;
NUREG-0700 and ABB-CE's HFE Standards, Guidelines, and Bases for System 80+ (NPX-IC-DR-791-02). It is uncicar if these are to be the only criteria or whether additional documents (such as those identified in Sec6on 3 References) will be utilized. A check of the Verification Analysis Report rvvealed that only NUREG-0700 was untiad. Overall, NUREG-0700is not a comprehensive analysis for the review of a primarily cornputer based control room such as the NUPLEX 80+. In addition. there are unique characteriuies in incal ennirol stations (such as valve position indication) and unique HFE requirements due to the working environment (such as working under high heat, humidity, or exposure conditions) that are not addressed by the docitments and to which the application of NUREG-0700 critcria is inappropriate (such as meeting j temperature requirements). , DDtfor Elernens b Venficanon & Valulanun Plan (May 20.1Yv.U rageri
* . .n. m . . . . m. . . . . . . . ~ . . , , , _ , . - - - - -
i
- 3. Will all elements in the HS1 (e.g.. every display) be reviewed or will a sampling process be used? If the latter, what is that process?
- 4. How will disempancies from guidance checklists be resolved? Conformance to any specific i individual guideline should not in itself. he a requirement because guidelines are insensitive to the trade-offs between design features and functions that typically occur in final designs. These trade-offs may rcsult in discrepancies between an acceptable final design and a specific guideline.
Instcad a verincadon against pencric guidelines should identify potential concerns which should be addressed, but which may bc perfectly acceptable due to a technical hasis in design studics, tests, and trade-off analyses as justified by the designer. , 4.2.6 Integrated System Validation - Criterion: PRM Criterion 4 states that the integration of HSI elements with each other and with personnel shall be evaluated and validated through dynamic task performance evaluation using evaluation tools which are appropriate to the accomplishment of this objective. A fully functional HSI pmtotype and plant simulator shall he used as part of these evaluations. If an alternative to a HS1 prototype is proposed its acceptability shall be documented in the implementation plan. The evaluations shall have as their objectives: ,
- Adequacy of entire HSl configuration for achievement of safety goals
- Confirm allocadon of funcdon and the structure of tasks assigned to personnel
- Adequacy of staf6ng and the HS! to support staff to accomplish their tasks
+ Adequacy of Procedures .
- Con 6rm the adequacy of the dynamic aspects of all interfaces for task l accomplishment i
- Evaluation and demonstration of error tolcrance to human and system failures brahun.on: Vahdation is discussed in Plan Section 63. Several aspects of the validation plan - ,
necJ clarification. , e
- 1. The Human Factors Program Plan and the SSAR (Section 18.9.2 and 18.93) refer to phased v.didadon, but the vahdation descripuon m the Plan makes no such distinction.- The differences :;
between the approach to validation between these documents needs to be clarified. 2 'Ihe Plan does not clearly indicate that a dynamic plant simulator will or will not be used.' A !
- stimulated high fideJity simuladon of the MCR and RSR" is identi6cd without reference to plant -
simt.ladon, yet the stated purpme of validation is to ensun that operators can accoinplish their : tasks "under dynamic, real.dme condidons
- The draft ITA AC indicates that the " dynamic mock- :
up of the MCR consoles that simulates plant operational response." The Human Factors Program .t Plan indicates that final validation will be performed "on a full-scope simuladon facility * (p30). : The SSAR describes a variety of test beds including a " partially dynamic mockup with plant - l spc416c emphasis." The test bed irquirements for validation need to be clarined. ' , j
- 3. The, purposes of the validation seem to be Fenerally consistent with the PRM with the following .
excepuans; i
- Adequacy of Procedures .
+
- Evaluation and demonstration of error tolerance to human failures 11 is recognized that the procedure issue is being addressed elsewhere, however, Section 63.1 makes references to EPGs. Validation should i :clude other procedures as well, e.g., normal procedures, abnormal procedurcs, and alarm response procedun s. The vahdation activitics with :
respect to these objectives needs to te clarified. DiRfor Dement h Venpcatwn & VoMatwn Plan (May 20. Ivv31 Page 7
, . i (Note. The ABB.CE Plan makes frequent reference to the use of EPGs and operating sequences
- rather than EOPs. Since this issue has already been identified it will not be further addressed in each specific instance whese it appears).
Criscrion: PRM Criterion 5 states that the dynamic evaluadons shall evaluate HSI under a range of operadonal conditions and upsets, and shall include:
- Normal plant evolutions (c g., start-up. full power, and shutdown operations)
- Instrument Failures (e.g., Safety System Logic & Conuol(SSLC) Unit Fault ;
Tolerant Controller (NSSS), Local " Field Umt" f or MUX system. MUX Controller (BOP), Break in MUX line)
- HS1 equip.nent and processing failure (e.g.. loss of VDUs, loss of data processing, loss of large overview display) e
- Transients (e.g., Turbine Trip Loss of Offsite Powcr, Station Blackout, Loss of all FW. Loss of Service Water, Loss of power to selected buses /CR power supplies, and SRV transients)
- Accidents (e g . Main steam line break. Positive Reactivity Addition. Control Rod Inseruon at power, Control Rod Ejection. ATWS, and various-sized LOCAs)
L ahanion. Plan Scciion 63.4.2 identiGe> the .wenarios identified for validadon. A total of 22 situations are defined which generally cover the evaluadon classifications defined by the PRM critenon. Several recommendatinnr/ comments are provided below:
- l. Secdon 6 3.4.2 Emergency Operadons -The reviewers would expect that all operations based on EOPs and procedures that are based on CE8n+ functional recovery guidelines would be included in validation. While EPG related scenarios seem to be addressed, there seems to be .
incomplete uvatment of functional recovery guidelines. Please clarify this iuuc.
- 2. Secdan 6.3.4.2 Abnormal Operations - Include scenarios reflecting (1) delected RCP failures, e p . loss of seal cooling and injection. seal failure (a knor n PWR operational iscue, GI-23); and :
(2) stuck open pressunzer relief valve (the TMl scenario).
- 3. Section 6.3 A2 HS1 and 1&C Failure Sequences - Include scenarios seflecting (1) loss of wiected instrument failures (e.g.. Lrza. Tii. Tc. etc.); (2) Lass of IPSO in combination with emergency operadons events / transients J
- 4. PRA critical actions - ensure that all PRA critical ac6cns have been addressed in the defined ,
scenarios. If not, constnati wenarios io validaic the accomplishment of these actions.
- 5. The system should be validated for tolerance to human error. Scenanos should be constructed with planned errors to evaluate system response and operator recovery.
Criterinn: PRM Criterion 6 states that p:rformance measures for dynamic evaluations shall be ! adequate to test the achievement of all objectives, design goals, and perfonnance requirements and shall include at a minimum: , l
- System performance measures relevant to safety _;
- Crew Pnmary Task Performance (e.g., task times. procedure violations) !
- Crew Errors -
- Situauon Awareness j
- Workload
- Crew communications and coordination j DTKfor Element B Venfualwn & Vohdutwn 1%n (Muy 20.1993) Puxe 5 ,
L l
~
~ s i,o ;+... i ?phc 02 :'"N11 f Ke i in a_ HrP.:. Gr ooo 10 :F. I FF is i4 P.23 l
. Anthropometry evaluadons ;
- Physical positioning and interactions l c
bohenon: 1hc Plan does not specifically identify the data to be collected? For example, no v mention of system performance or task times is made. Since one of the stated objectives of the tests is " validation of 6me reponse for credited operator actions",it is expected that time would be measured. Secdon 63.4.1 generally discussed the collection ofinformation related to a verbal ; f protocol of operator actions and selected link analysis typc data, but no cicar pmsentation of data to ; be collected is presented. %e SSAR (Section 18.9.2 and 18.93) discuues validation of i ~ anthropometncs and the assurance of adequate perceptual and cognitive load, yet these art not addressed by the Plan. De data collecdon requirements for validation need to be clarified. l Cdrerion: PRM Criterion 8 states that a verification shall be made that all critical human actions as defined by the task analysis and PRA/ lira have be adequately supponed in the design. The design of tests and evaluations to be performed as pan of HFE V&V activities shall specifically ' examine these actions.
&oluation: Sec comment 4 under PRM Critenon 5 discussion above regarding PR A critica! 3 acnons.
Criterion: Implementadon Plan Requirements for Methodology Specification (rcicvant to ; validation). General Objectives Test methodology and procedures
- Tcst panicipants .
- Test Conditions ;
1151destapaan i Performance measures Data analysis l i
- Cnteria for evaluadon of results Utiliation of evaluations l
.haharion: Tbc PRM pencial cntena address most of the sipinficant methodological .!
consider 4 ions. thu( the comment and clarifications n> quested below are directed to the remaining topes. A cf oss reference is provided in the appropriate location where cach item is discuued. l General Objecuses (Discussed under PRM C iterion 2 arme)
- Test methodology and procedurcs (see I to 3 below) f
- Test pardcipants (see 4 and 5 below) 1 i
Test Conditions (Discuued under PRM Critenon 5 above)
- 11S! description (see 6 below) ;
Performance measures (Discussed under PRM Criterion 6 above)
~
- Data analysis (sec 7 below) i
- Criteria for evaluation of results (sec 8 below)
- Utili7adon of evaluadons (su 9 below) ,
Documentation {see 10 below) : s
- 1. In general, the methodology is described at a very general lesel for the purposes of a validation plan. The PRM intention was for a plan which described the details of the validation ellort. .
i i . 1 DTKfor Litrvra 6 Ytnfuunon & Volsdarwn Plan (May 2n, IY9)) Page y
~
...., ..- . m.m.. r eo , em ,v r e o m.y , , , , . . .. . . < ~ . ,
- 2. Does the term " walk-throughs" imply that the underlying plant dynamics are absent. If so, how would criteria such as 4e (on p. 25) te assessed since it would seem to require interaction between ,
the operator, HSI, and plant systems.
- 3. Related to the the data collecdon clarification made above. since one of the objec ves of the tests is confinnation of time dynamics, will the question and answer type of data collection i
methods described in Secdon 63.4.1 (the first set of items b & c) be mtrusive and result in invalid ' timc data.
- 4. Test participants - the Plan indicates that the panicipants will be " operations experts' who are defined as " currently of f ormerly licensed reactor operators. ." Please clarily the past duties of l these cxperts, specifically, will they be part of the design team. .
- 5. How many crews am expected to panicipate in the validation tests?
- 6. 'Ihc HS1 is denned as a dynamic mock-up of the MCR consoles that simulates plant operadonal ..
re ponses. In what ways is the HSI different for the final design design (in terms of the HFE significant aspects. e c.. response times, COL-selecied equipment representations in displays. site-speciSc HSI characteristics)
- 7. Wlut type of data analysis is expected in order to test the objectives of the validation.
- 8. With regard to critena in Section 63.5:
- a. Operator errors made during scenarios should be examined to assess system response and tolerance. This should be included along with specific crror scenarios .
a3 part of the criteria,
- b. How are la, Ib and lg different (omission vs. commission)?
- c. The criteria addressing human enor seem focused on very specific tasks, e.g., post -
trip actions. Will the identiGcadon and evaluadon of errors he accomplished for all operator tasks in the validation exercises?
- d. As part of 2d. the criterion should include adequate work space for procedure usage. <
- e. Criterion 6e validates that operators can recognize an information or control failure l within 15 minutes. Why was 15 minutes chosen as the critciion? Recognidon time would seem to depend on the plant dynamics, for example.15 minutes may be long for recornition of loss of fecdwater control at full power.
- f. Additional critena will be needed should modifications to the Plan reflecting the above comments be implemented.
- 9. Udlindon of results is discussed on Section 8 and is illustrated as pan of the V&V process in Figures 7.1 to 73. Issue identification, resolution. and review are provided for in the process.
- 10. Documentation is addressed in Section 7 of the Plan. Each proposed V&V acdvity will ,
pcncrate a report that documents the activity and which will be reviewed by the design team (as per the iluman Factors Program Plan). Each report is described in mor'e detail in the appropriate analysis secuen. (Note. Figures 7.1,7.2, and 73 should indicate that revisions to the repons are possible following Design Team review by providing a feedback loop in the figures). Add rional Criteria: Issues were raised during the review of other clements that were to be addressed in validation. These are identified below: DTRfur Dement E Ven)) canon & Vahdanon Plan (May 10. Iw.4) Page 10 i
. R. s;.1 -,_ ~.
.; n , , - r e . . . m. ,m a vu9 -
6a.. , e e ' ,o . . -- y. g I ~ Task Analysis:
' l. Intencrence of nwmerw.u: acusiues associated with 1&C in the MCR and operations. :
- 2. Maintenance work order management and equipment tagout. ABB-CE has indicated that most of this work will be done in the MCR, but outside the main control space. However, there is a requirement to interact with CR operators and this interaction should be evaluated. l
- 3. .Fquipment, documentation and supplies required to support personnel during normal, abnorinal, and emergency operations. An imponant consideradon is how CR personnel will use paper procedures in the CR. His includes considerations of task lighting, ease of handling, and '
adequacy of laydown. Similar evaluations should consider P&lDs, tech. Specs, and other operator sids. ' i
- 4. Operator awareness of the status of equipment under surveillance test or repair.
HS1 Desien-
- 1. The evaluation of the DPS and Dl AS alarm implementation under high-alann conditions should be speciGcally evaluated in validation. ;
Era /uation: These issues are not speciGeally addressed in the Plan. , 4.2.7 Scheduling Criterion: In the proposed resolution of the DSER, ABB-CE agreed to provide a schedule of V&V activides (as per the PRM requirement in Element 1). I Evaluation: Scheduling is described in Section 7 of the Plan. In Section 7.1 it states that availability veriGcatinn can he accompli (hed "in parallel with, before.or after suitability l verification." Clanfy how availability verification can be perfonned after suitability verification. ' Would mod:Gcations to the HS1 following availabihty analyses then be subject to a suitability l senfication? ,
- 5. CONCLUSIONS i
Overall, the V&V plan generally addn ssed most of the PRM Element 8 criteria for an implementation plan. The most signincant issues are: ne plan was presented in high-level details rather then providing specific and detailed plans, procedures and criteria. For example, suitability checklists are not i provided and specific data collection for validation tests are not described. ]
+ VeriGcation ofissuc tracking sysicm issues is not addressed.
=
Exclusion of detailed procedures from V&V. , Many pomts of clanfication regarding specific aspects of the Plan are identified. Once dRussed, a final evaluation of the Plan will be completed. DTRfdr Elemem 8 Ver@ation & Validation Plan (May M,1993) Vage 11 I 1 T AT r.si P 1 c, j I __ _____ -__ . )
A>, s t
't.
- VERIFICATION AND VALIDATION PLAN REVIEW COMMENTS AND RESPONSES l i
1 1 1
, b f
l l o Enclosure 4
.. , _ . _ . - __.____1_. _
A VERIFICATION AND VALIDATION PLAN REVIEW Table 1: Criterion 2 - VEY Scope (4.2.1) Table Draft Tech Report . ABB-CE Response Resolution Ref # Comment 1-1 It is not clear..that V&V section 2.0, Scope will will be directed toward modified to. include environmental workspace environment. considerations'such as' lighting,. noise, etc..in' the MCR and at' local control stations 1-2 The issue'of;the absence Resolution is beyond the of a procedure _ element scope of V&V. from the'HFE program has already been identified. n The: scope of ABB-CE's_V&V-effort will remain open ! until the procedures issue is resolved. 4 E L 6 0
..m.m.m.-m...-v . . - . --~e+-,.e.~..-i .--~,.-.,.-,_esv. .. .e..:.-.-..,w.-e.., ,w r.-7, . . - . ~ - , - - - . .w ,,-e = . . .....i. . .>. m... . _ --- __ __ _ - -
o VERIFICATION AND VALIDATION PLAN REVIEW Table 28 Criterion 9 - Technical Basis in Current Literature (4.2.2) Table Draft Tech Report- ABB-CE Response Resolution Ref / Comment 2-1 Most of the documents ABB-CE will specifically listed are not list references and how specifically referenced they will be used. nor is it clear how they were used. 2-2 The Verification Ana'ysis Verification suitability Report did not indicate criteria will come from that anything other than the !!FE Standards, NUREG-0700 was used for Guidelines, and Bases for verification. This System 80+ (liFESGB) . The document does not contain HFESGB critoria is based adequate criteria for a CR on design guidance >- such as Nuplex 80+. , applicable to advanced ' Clarify how induntry "d control rooms including !- docueran will bu used. TUREG-0700. See HFESGB i for a reference list. t t
. -.. ~
VERIFICATION AND VALIDATION PLAN REVIEW Table 3: . Criterion 7 - Human Factors Issue Resolution Verification (4.2.3) Table Draft Tech Report BB-CE Response Re olution l Ref # comment _ _ l 3-1 Verification ~of H7B issues The TOI database is a documented.in the HFE tool used in the design Tracking System res7lution process to track HFE is not addressed in-the issues, it is not a Plan. design product that lends itself to verification. However, an activity will ' be added to' Availability Verification, suitability . l Verification, and Validation to review all applicable unresolved HFE TOI database issues. The purpose of these activities is to identify any issues that should be considered during V&V. l
-- - . . . . - - - - . - - - - . . . - - - . - - - . . - ~ ~ - . - - - -
an,- - - . - - - ,----s-+- . . - - . . ~ ~ .---~~.v- wn -- - -w .-- " - - - - - = - - * - ~ ~ ~ .
VERIFICATION AND YALIDATION PLAN REVIEW Table 4 Criterion 3 - HBI Task Support (Availability) Verification (4.2.4) Table Draft Tech Report ASB-CE Response Resolution Ref # Comment 4-1 It is unclear whether the Phase I Availability availability analysis will Analysis is performed on be limited to EPG-based the following: actions. PRA critical - Federally mandated tasks, normal operating req. operations, and abnormal - PGICR form FTA which operations should be includes some normal addressed as well, and abnormal operation tasks
- Min. Inventory from PRA -
Phase II Availability !; Insp. is performed on all '~ control station HSI, which includes the above and cognizant engineering organization requirements. t. 4-2 1. Under the Phase 1 Agreed, will be changed purpose paragraph, should from EPG "or" critical the last line read EPG and tasks to "and". critical tasks? l 4-3 2. The criteria for Agreed, NUREG-1342 and RG availability criteria for 1.97 will be referenced. SPDS should include NUREG-1432. Additionally, 10 CFR 50.34 requirements should include RG 1.97. , , .- + - - + . , - -n. - ., , . , . -, ~=w, , . n. _-
-e b
Table Draft. Tech Report ABB-CE Response Resolution Ref'# Comment _ 4-4 3. Availability analysis . In this activity we are criteria number 4 states verifying that the System
" System I&C Inventory" I&C Inventory is only. What is the complete. The System I&C criteria? Inventory is specified by the system cognizant engineering organization.
It has-no criteria and will be removed. , 4-5 I4. The development of.the The availability ' availability checklist and checklist includes all the. specification of what required I&C, both HFE is unnecessary needs to be- requirements verified in clarified. . Phase I (see response 10-
- 1) and the cognizant . [,
engineering organization [! requirements. I&C not on the list is unnecessary. 3 i r m___U__ .-_._.___._______mm.__ _ - _ _ _ _ _ .m__.m.m __1 _ . _ . _ _ ._ . . . - __ __ a - w,*,_u m 2 -*= , + , w , e 6 . - - -. ,, e . + - , - a-. - _e. - - - - -
e VERIFICATION AND VALIDATION PLAN REVIEW Table 5: Criterion 3 - HFE (Suitability) Verification (4.2.5) Table Draft Tech Report ABB-CE Response Resolution Ref # Comment 5-1 1. Clarification of the The top-down approach methodology by which top- conparos elemental tasks down analysis is with the design. The accomplished is needed. methodology considers the overall system design, and integration of the parts of the HSI into a coherent and easily used whole. It is a knowledge , based review (performed s by a HP expert) that ;- identifies deficiencies , that may be missed during l t-the rule-based evaluation (bottom-up approach). j 5-2 2. The Verification The HFE Standards, i Analysis Report indicated Guidelines, and Bases I that only NUREG-0700 was document will be used as ; used. This is not a the criteria for the comprehensive document. It suitability verification does not apply to local analysis. It addresses control stations. all HSI criteria ' including criteria related to soft displays, and local control stations (See response 2-2).
5-3 3. Will all elements in All elements of the HSI the HSI (e.g..every will be reviewed. display) be reviewed or Suitability verification will a sampling process be will concentrate on added used? (i.e. previously unanalyzed) and unique applications of HSI features and characteristics. _ 5-4 4. How will discrepancies The ABB-CE document from guidance-checklists review and comment be resolved? Verification; process and document should address potential distribution process concerns and trade-offs ensure that.the results should be justified'by the of the HFE V&V activities designer. are received, reviewed, and commented on. The HFE V&V management I structure ensures that I. all comments are resolved (see Plan sections 5.4 and 8.1) . Suitability verification [ is performed by.HF and operations experts with + expertise,in Nuplex 80+. These_ experts will be able to verify and justify if the trade-offs are acceptable; if not, e the discrepancies will be documented and resolved -" using ABB-CEs review process. t ,. . ,i.--,.. . . - v <r.- ,w-- .~.,,-.w,- r <r.. w i,.-, + = - -=-+4 -w w- * - - - *-=-- - - - - - , - , . . - e,, -w,r, ,r--+, -m- = *,e- ,s-+ .- r
- y. ,,
VEV PLAN REVIEW (VALIDATION) Table 6: Criterion 4 - Dynamic Performance Evaluation Table Draft Tech Report ABB-CE Response Resolution Ref # Comment 6 Clarify differences in - Val Plan describes approach within'SSAR, final activities; others HFPP,.& Val Plan. are for refinement, not acceptance, of design. Consistency will be verified in cited references. 6 Test bed requirements - HFPP, SSAR, and Val for Val need to be Plan shall conform with clarified. ITAAC statements, i: 6 Section-6.3.1 makes - Citation will be i-reference to EPGs (expand changed to be consistent ;4 scope). with broader scope of Val 1: Plan. i , 4
'h.
i' r _ _ _ _ _ _ -- _ ._ _ _ . ~ . . . , _ , . . ~ . . . _ _ _ - .. . . _ . _ . . - _ . - . . . - , . .- - . - - . .-
o V&V PLAN REVIEW (VALIDATION) Table 7: Criterion 5 - Range of Conditions Evaluated i Table Draft Tech Report ABB-CE Response Resolution Ref # Comment __ .__ 7-1 - Seems to be incomplete - FRGs addressed by TA as treatment of functional leftover task req.s after ORGs recovery guidelines. are partialed out; gives total task coverage. 7-2 - AOP scenarios should - Agreed. include loss.of RCP seal cooling & injection, RCP ' seal ~ failures, & stuck open PZR Relief valve. 7-3 - Include selected inst. - Redundancy prevents loss of failures & loss of IPSO info or control capability by in HSI and I&C failure a credible single failure. scenarios combined with Loss of DPS bounds loss of emergency ops & events. selected instruments. Loss of IPSO will lead to transfer of function to CRT --> no impact. 7-4 - Ensure that all PRA - Agreed. critical tasks addressed by defined scenarios (also criterion 8). e l
'- 7-5 - System should-be - All errors identified.will validated for tolerance be. eval'd for impact, but to human error; include without metrics, baseline planned errors'in data, etc. error tolerance is scenarios. poor object of analysis;
- Tolerance to single equipmerit failures envelopes single human error results;
- Sys80+ tolerance increased from acceptable SysBO. design with expanded capacities &
redundancies.
+
k
-$~
.i:
-- t.
i! t P 1 f _ . . . - . . - ....,..._me.w.-,..- ., . . . . . . 4.-. _. . . . . ,. ... .- = . , .-.+ . ,w. -
, ~ . ~ . , , . . . ,, * . _ . . . . . - + - , . _ . - . . , . . .~,.e.
' O, VEV PLAN REVIEW (VALIDATION)
Table 8: Criterion 6 - Performance Measures Table Draft Tech Report ABB-CE Response Resolution Ref # Comment 8 Performance - 2 basic approaches to measures should... data will be used: 1) Auto test achievement of event data loccina, to objectives, design assess overall system goals,-&. performance. performance, crew primary reqs, including: task performance, workload
- system safety levels, movement, and
- crew primary tasks errors; and
- crew errors 2) subiective evaluation,
- sit'n awareness to assess crew movement,
- workload positioning, coordination,
- comm.s & coord.s- communication, workload,
- physical mvat & situational awareness, and i interaction errors.
- anthropometry - Anthropometry is suitability issue, but observed concerns will be addressed.
- Data analysis approach to be added to Val Plan. i F
l
~,
4
-U V&V PLAN REVIEW (VALIDATION)
Table'93 Residual Methodology Requirements Eval Draft Tech Report ABB-CE Response Resolution Item # Comment 9-1 - Methodology lacks - Plan details are added detail, as.necessary. Generating elaborate plans far in advance of effort is'ill-advised; at present, requirements-(such as provided) are appropriate and sufficient. 9-2 & - Use of " walk-through" - Agreed. Revision to 9-3 methodology.not sufficient draft Plan will properly ; for-real-time data deemphasize role of walk- , collection. through techniques in F overall Validation. 1. 9-4 & - Clarify number, - No requirements or 'j. 9-5 experience, and criteria specified on- > organizational membership participants ~that delimit i of." expert" participants. acceptability of test !
, plans. Detailed J description of .
participants is otherwise 1' not presently necessary. 9-6 -How will. mock-up --Requirements are not - simulation differ from based on difference, but ' actual design? on similarity. Facility will meet ~ ANSI'3.5 fidelity requirements.
.--...s_, . . m - - _.w . , . . - <,-~ _ . ..,-m.-.._m . .. d
o 6 9-7 - What type of data - See Performance analysis is planned? Measures response in Ref 8-1. . 9-8 On 6.3.5 Val Criteria: - Errors will be examined (see Performance Measures
- a , b, & c. Errors response in Ref 8-1) for all tasks.
- la (availability) criterion is sufficient; omission & commision are meaningful distinctions, but N/A to criteria; to be revised in Val Plan appropriately.
- d. Include criterion for - Laydown space is a procedure laydown space. suitability issue; but ,
observed concerns will be :: addressed.
- e. Basis for 15 minute - Criterion was arbitrary recognition criterion in & will be removed; 6.c? concern for prompt response will be addressed through event logging & subjective evaluation.
[ - f. Additional criteria - Specific criteria can may be needed... be added, where necessary. _ 4 s _ _ . ._ __ _.m_ _ . . _ _ . . _ . _ . _ _ _ . _ _ . _ *
. fi l
+
VEY PLAN REVIEW (VALIDATION) .. . Table 10: : Task Analysis Issues Table Draft Tech Report ABB-CE Response Resolution Ref-# Comment
,10-1 - Address. - BasicL M-tasks (e.g.,
interference-of I&C panel component maintenance (M) replacements, component activities ~w/MCR ' control tagout) shall be ops. demo'd for normal ops.
- Loss of.I&C components N/A; enveloped by loss of
-I&C system. scenarios..
! - Basic M-tasks not performed in accident scenarios, since 1) 'M-tasks 1:
would be deferred, and in 2)' Dual failures are Beyond DBEs. ,
.10-2 Evaluate work _- Agreed.' Impact of basic order & tagout M-tasks as described in Ref interaction w/MCR. :10-1 shall be evaluated.
ops. 10 Consider adjunct'- - These are primarily' issues (e.g., suitability issues; but
- lighting,-laydown observed concerns will be O . >
space). associated. addressed. ;.:
~'
with use of printed matter'in MCR.' 10 Operator awareness- - - Agreed. . Scenarios can of the' status of' ' incorporate-exemplar OOS out-of-service' .. equipment; results will be equipment.should be: evaluated using methods of , evaluated. Ref 8-1. *
. _ - _ . - _ _ - - . _ . - . . --.u.-_.- :-.. . - . . .: -... .. - .._ . .
e e : VEV PLAN REVIEW (VALIDATION) Table'11: H8I Design
'- Table ~ Draft Tech Report 'ABB-CE Response Resolution Ref # ~ Comment 11-1 - DPS & DIAS ' alarm - Agreed.
implementations should be evaluated' ' under high alarm conditions. t t
'I' i;
r. m' h e n - ._- . . -__m_._c -
,. . . _ m- eUw e . . . - . _ _ . - - . m - - e, .-e mm 2.c....&- . u . - m . _m..m m.
+-,E,*.,- . . - .m . ue .UA. m .._*e-- _ --um-.um. ~
. = .
f ABB-CE'S AVAILABILITY VERIFICATION PROCESS ' AND SUITABILITY VERIFICATION PROCESS b i N i 4 r Enclosure 5 l l 1
.,. . t
.......................... AVAILABILITY VERIFICATION PROC PHASE 1 (Availability Analysis).......................................................
--( -
-)
Federally - Mandated Required Fixed I&Cs Location l&Cs PGICR HFE TOI L- Needed to from Database Complete EPGs .
' FTA issues
-J '
l r , y r System I&CR Analyze System I&C Inventory+ to Verify All of the above Requirements _ inventory (1,2,& 3) are Present & that HFE TOl t Cognizant ~! u Database issues (4) are Reviewed Engineering Oganization Findings -
^ _
4 Findings & ,J t_ v Resolution Generate Availability Check!!st
........................,,........................,4............... _
PHASE 2 (Availabilityinspection) ................................................,,,... ' TiSIfrom PanelL i D esign Reports ' l v v Resolutions ' [ Availabilityinspectionr - Requiring Design Changes to Findings LTOI Data Base Findings
+ g a Resolution v
1 i Availability Verification Nu e 8 Report V&VFIG1.DP ~ gn
^
Team Review u - t O
_ _ _ _. - .._..___m_. . _ ._ . ._ j i j.- q 1 1
.u SUITABILIT(VERIFICATION PROCESS .
~~
j
........n........n..........................n...n......n.n..nnannnn."nnnennnnnnnnnn."nnn- -
PHASE 1 (Suitability Analysis) j a V HFE Assemble Prototypes Relevant HSI from 'i Standards Suitability of Added HFE TOI Panel Design +- 1
& Analysis Features' Database Reports- :
Guidelines Team . Issues - 1 Resolutions ! .r Requiring !
- li F v v v 4 Design Changes ,.
p Sultability TOl Data Base ; Analysis . y ; i Findings - Findings j
> & 7 l . Resolution 1 i
..n.n.n .n." n nin n a n a a n
-- ..........n..................... 4...... ... ................................... ..n j PHASE 2 Resolutions 1 (Suitability inspection) HSI from - . Requiring - 1 V " Panel Design 4- Design Changes Generate Reports to ji inspection TOI Data Base !
Checklist A i I t
" " Findings Findings 3 Sultability . > &- !
inspection Resolution .; y v :j Sultability Nuplex 80+
]
~ Verification - m !
Report Design - 1 Te'am Review l V&VFIG2.DP ; i _}}