KEPCO & KHNP HSI Design Implementation Plan APR1400-E-J-NR-12008-NP, Rev.0
KEPCO & KHNP
Human-System Interface Design
Implementation Plan
Technical Report
September 2013
Copyright ⓒ 2013
Korea Electric Power Corporation & Korea Hydro & Nuclear Power Co., Ltd
All Rights Reserved
Non-Proprietary
Revision History
Revision   Page (Section)   Description
0          All              Issue for Standard
This document was prepared for the design certification application to the U.S. Nuclear Regulatory Commission and contains technological information that constitutes intellectual property. Copying, using, or distributing the information in this document in whole or in part is permitted only by the U.S. Nuclear Regulatory Commission and its contractors for the purpose of reviewing design certification application materials. Other uses are strictly prohibited without the written permission of Korea Electric Power Corporation and Korea Hydro & Nuclear Power Co., Ltd.
ABSTRACT
The objective of this plan is to control the human-system interface (HSI) design process and scope,
including the translation of function and task requirements into the detailed design of alarms, displays,
controls, and other aspects of the HSI through the systematic application of human factors engineering
(HFE) principles and criteria.
The scope of HSI design includes the main control room (MCR), remote shutdown room, technical
support center, emergency operations facility, and local control stations associated with important human
actions, and the HSI resources. MCR design includes operator consoles, safety console, and large
display panel (LDP). HSI resources are controls, alarms, information displays, LDP, and computer-based
procedures. The critical function monitoring, success path monitoring, accident monitoring instrumentation,
and bypassed and inoperable status indication are implemented using the HSI resources in an integrated
fashion.
TABLE OF CONTENTS
1.0 OVERVIEW 1
1.1 Purpose 1
1.2 Scope 1
2.0 METHOD 2
2.1 HSI Design Process 2
2.2 HSI Design Input 4
2.3 Concept of Use and HSI Design Overview 8
2.4 HFE Design Guidance for HSIs 17
3.0 IMPLEMENTATION 18
3.1 HSI Detailed Design and Integration 18
3.2 Degraded I&C and HSI Conditions 24
3.3 HSI Tests and Evaluations 25
4.0 RESULT 26
4.1 Results Summary Report 26
5.0 REFERENCES 27
LIST OF FIGURES
Figure 1. HSI Design Process
Figure 2. Schematic for Main Control Room
List of Acronyms
AFAS auxiliary feedwater actuation signal
AFWS auxiliary feedwater system
AMI accident monitoring instrumentation
ANS American Nuclear Society
ANSI American National Standards Institute
APR1400 Advanced Power Reactor 1400
BISI bypassed and inoperable status indication
BOP Balance of Plant
C&ID control & instrumentation and diagram
CBP computer-based procedure
CCF common-cause failure
CFM critical function monitoring
CFR Code of Federal Regulations
CIAS containment isolation actuation signal
CLD control logic diagram
COL combined license
CPIAS containment purge isolation actuation signal
CREVAS control room emergency ventilation actuation signal
CSAS containment spray actuation signal
CSF critical safety function
DPS diverse protection system
EDG emergency diesel generator
EO electrical operator
EOF emergency operating facility
ESF engineered safety features
ESF-CCS engineered safety feature-component control system
ESFAS engineered safety features actuation system
FHEVAS fuel handling area emergency ventilation actuation signal
FPD flat panel display
FRA functional requirements analysis
FA function allocation
HA human action
HF human factor
HFE human factors engineering
HFEPP Human Factors Engineering Program Plan
HSI human-system interface
HSIDIP Human-System Interface Design Implementation Plan
HVAC heating, ventilation, and air conditioning
I&C instrumentation and control
IHA important human action
IPS information process system
IRWST in-containment refueling water storage tank
KHNP Korea Hydro & Nuclear Power Co., Ltd.
LCS local control station
LDP large display panel
MCR main control room
MSIS main steam isolation signal
NRC U.S. Nuclear Regulatory Commission
NSSS nuclear steam supply system
OER operating experience review
P-CCS process-component control system
P&ID piping & instrumentation diagram
POSRV pilot operated safety relief valve
PPS plant protection system
QIAS-N qualified indication and alarm system-non-safety
QIAS-P qualified indication and alarm system-P
RCPB reactor coolant pressure boundary
RMS radiation monitoring system
RO reactor operator
RSC remote shutdown console
RSR remote shutdown room
S&Q staffing and qualifications
SDC system design criteria
SFA system functional analysis
SFD system functional description
SG steam generator
SIAS safety injection actuation signal
SPADES+ safety parameter display and evaluation system +
SPDS safety parameter display system
SPM success path monitoring
SS shift supervisor
STA shift technical advisor
TA task analysis
TO turbine operator
TSC technical support center
V&V verification and validation
VDU visual display unit
1.0 Overview
1.1 Purpose
The systematic design of the APR1400 human-system interface (HSI) and incorporation of human factors
engineering (HFE) principles in the design are controlled by the Human Factors Engineering Program
Plan (HFEPP) (Reference 1).
The purpose of the HSI design implementation plan is to define the necessary and sufficient activities to
be performed to develop the HSI. This includes the development and incorporation of HFE design
guidance (e.g., Style Guide, HFE design process). This plan provides a systematic approach to integrate
this guidance and the results and evaluation methods defined in other HFE program elements into the
HSI design process. This integration helps assure that the resulting HSI resources and control and
monitoring facilities effectively support performance of operational functions and tasks.
1.2 Scope
The scope of HSI design includes the main control room (MCR), remote shutdown room (RSR), technical
support center (TSC), emergency operations facility (EOF), and local control stations (LCSs) associated
with important human actions (IHAs), and the HSI resources. MCR design includes operator consoles,
safety console, and large display panel (LDP). HSI resources are controls, alarms, information display
hierarchy, large display panel and procedure display. The computer-based procedures (CBPs), critical
function monitoring (CFM), success path monitoring (SPM), accident monitoring instrumentation (AMI),
and bypassed and inoperable status indication (BISI) are implemented in the HSI resources in an integrated
fashion.
These resources constitute the basic design from which plant system specific designs will be
implemented.
The plan defines those activities directly related to creating and refining the HSI design based on the
other HFE program elements and their associated implementation plans. Activities defined in other HFE
program elements will be referenced in this plan to ensure their integration into the HSI design process.
2.0 Method
2.1 HSI Design Process
The HSI design process is composed of five phases as follows, and the structure of the HSI design process
is shown in Figure 1:
Planning phase
Analysis phase
Design phase (Basic HSI Platform design, and HSI detail design)
Test and evaluation phase
HF V&V phase
Figure 1. HSI Design Process
2.1.1 Planning Phase
The HFEPP and HSI Design Implementation Plan (HSIDIP) are issued for HFE and HSI design during the
planning phase. They describe how the HFE elements are managed and define the activities to be
performed to develop the HSI.
2.1.2 Analysis Phase
The Implementation Plan and Results Summary Report of functional requirements analysis (FRA) and
function allocation (FA) (Reference 2) and task analysis (TA) (Reference 3) are developed during the
analysis phase and provided as the design input for the HSI designer of each design entity. They provide
the basis for the Basic HSI Platform design of HSI resources and control and monitoring facilities (e.g.,
critical safety function (CSF) display for information flat panel display (FPD), critical function/success path
monitoring alarm for large display panel (LDP), minimum inventory for LDP, and safety console). The TA
Results Summary Report will be used in the detailed design phase.
The results of operating experience review (OER) (Reference 4) are incorporated in system design
criteria (SDC) and HSI detail design as shown in Figure 1.
The initial staffing and qualifications (S&Q) (Reference 5) provide an input for the layout of the control
room and allocating controls and displays to individual consoles, panels, and workstations.
The system requirements, regulatory requirements, and other requirements are incorporated in SDC and
Style Guide. Other requirements are described in subsection 2.2.4.
2.1.3 Design Phase
The major activities for the HSI design phase are Basic HSI Platform design and HSI detail design.
2.1.3.1 Basic HSI Platform Design
The SDC and system functional description (SFD) are developed to establish the Basic HSI Platform
design. The detailed design criteria and system descriptions are described in the Basic HSI Platform
design documents such as SDC, SFD, system requirement, design requirement and System Description.
The General Design Criteria (GDC) and Classification Criteria provide the high level goals and design
bases for the Basic HSI Platform design. The Project Engineering Guides or Engineering Procedure are
provided for the consistent development of the Basic HSI Platform design. They include the index and
writing guide for the Basic HSI Platform design. The interface requirements between the HSI resources
and control and monitoring facilities are provided through the Basic HSI Platform design.
2.1.3.2 HSI Detail Design
The HSI Detail Design Report and HSI Design Specification are developed to support the component
design in the detailed design phase.
The HSI Detail Design Report includes HSI display drawings and system functional analysis (SFA). SFA is
the identification of system function to determine the composition of system mimic display. The HSI
designer can produce the integrated and consistent system mimic display by using the SFA.
The HSI Design Specification includes the design specification for qualified indication and alarm system-
non-safety (QIAS-N), engineered safety feature-component control system (ESF-CCS), distributed control
system (DCS), and Consoles. The CBP Design Specification and the nuclear steam supply system
(NSSS) I&C Design Specification implemented in the HSI system BOP will be integrated into the HSI system BOP
Design Specification.
The SDC and SFD provide the basis and design reference (e.g., inventory and function) for detail design.
The Style Guide was developed to guide the detail design. The Style Guide provides human factors
principles and detail design guidelines (e.g., visual information display and coding convention, display and
control hardware and software, alarm system, workspace environments).
The interface requirements among the HSI resources and control and monitoring facilities are provided
through the project design procedure and interface design meeting.
2.1.4 Test and Evaluation Phase
Tests and evaluations of concepts and detailed design features are conducted during the process of
developing HSIs to support design decisions through trade-off evaluation and performance-based tests.
2.1.5 HF V&V Phase
HF V&V is performed on the HSI detailed design, which is the final HSI design, using a dynamic simulator
that meets the criteria of ANSI/ANS 3.5 (Reference 5).
2.2 HSI Design Input
The HSI design process represents the application of the lessons learned from the OER and results of FA,
TA, treatment of IHAs and initial staffing assumption into a detailed HSI product.
The OER forms the basis of the design by identifying past experience, positive and negative, that is
accounted for in the APR1400 HSI. This includes nuclear experience, predecessor plant experience and
experience with the application of similar advanced technologies.
The HSI design reviews the output from the FA to assure that the HSI design supports the identified roles
of the human in the plant and that levels of automation are used to reduce operator burden, reduce the
chance for error and enhance the ability of the operator to recover from an error when one occurs. The
task analysis is used by the design to identify: the task needs to monitor and control the plant for a range
of operating conditions, the information and control requirements including display range, precision,
accuracy and units of measure, and the task support requirements.
The HSI includes cost-effective and technologically feasible designs to assure that all identified important
human actions are limited by the design and, when this is not achievable, that other compensatory
measures (e.g., training, procedures, staffing) are identified.
The resulting staffing assumption levels and qualifications of the plant staff are used as inputs to the
control room layout and allocation of controls and displays to assure that the integrated HSI, staffing and
design, results in successfully meeting the function and task requirements.
The following sources provide input to the HSI design process.
2.2.1 Analysis of Personnel Task Requirements
The analyses performed in the early stages of the design process are used to identify requirements for the HSIs. These analyses include the following:
Operational Experience Review – An input to the HSI design encompasses lessons learned from other complex human-machine systems, especially predecessor designs and those involving similar HSI technology.
Functional Requirements Analysis and Function Allocation – The HSIs support the roles of personnel in the plant, e.g., appropriate levels of automation.
Task Analysis – The set of requirements to support the role of personnel is provided by task analyses that should identify:
- tasks needed to control the plant during a range of operating conditions from normal through accident conditions
- detailed information and control requirements (e.g., requirements for display range, precision, accuracy, and units of measurement)
- task support requirements (e.g., special lighting and ventilation requirements)
- important HAs that should be given special attention in the HSI design process
Staffing and Qualifications – The findings from analyses of S&Q provide input for deciding upon the layout of the overall control room and allocating controls and displays to individual consoles, panels, and workstations. The S&Q analyses establish the basis for the number of personnel to be accommodated, and requirements for coordinating activities between them.
2.2.2 System Requirements
Constraints on the HSI design imposed by the overall I&C system (e.g., constraints on the information
that can be presented due to sensor data availability) are the inputs for the HSI design, as follows:
Piping & instrumentation Diagrams (P&IDs)
Control & instrumentation and diagrams (C&IDs)
Control logic diagrams (CLDs)
System functional description (SFD)
2.2.3 Regulatory Requirements
The following regulatory requirements are applicable.
10 CFR 50.34(f)(2)(iv) Safety Parameter Display System
10 CFR 50.34(f)(2)(v) Bypassed and Inoperable Status
10 CFR 50.34(f)(2)(xi) Relief and Safety Valve Position Monitoring
10 CFR 50.34(f)(2)(xii) Manual Feedwater Control
10 CFR 50.34(f)(2)(xvii) Containment Monitoring
10 CFR 50.34(f)(2)(xviii) Core Cooling
10 CFR 50.34(f)(2)(xix) Post-accident Monitoring
10 CFR 50.34(f)(2)(xxvi) Leakage Control
10 CFR 50.34(f)(2)(xxvii) Radiation Monitoring
10 CFR 50 Appendix A GDC 19 General Design Criteria for Nuclear Power Plants
BTP 7-19, Point 4 Guidance for Evaluation of Diversity and Defense-in-Depth in Digital
Computer-Based Instrumentation and Control Systems
DI&C-ISG-5, Highly-Integrated Control Rooms-Human Factors Issues (NRC,2008)
Regulatory Guide 1.23, Meteorological Monitoring Programs for Nuclear Power Plants, (NRC,
2007)
Regulatory Guide 1.47, Bypassed and Inoperable Status Indication for Nuclear Power Plant
Safety Systems, Rev.1 (NRC, 2010)
Regulatory Guide 1.62, Manual Initiation of Protective Actions (NRC, 2010)
Regulatory Guide 1.97, Criteria For Accident Monitoring Instrumentation For Nuclear Power
Plants, Rev.4, (NRC, 2006)
NUREG-0654, Criteria for Preparation and Evaluation of Radiological Emergency Response
Plans and Preparedness in Support of Nuclear Power Plants, (NRC,1980)
NUREG-0696, Functional Criteria for Emergency Response Facility, (NRC, 1981)
NUREG-0737, Clarification of TMI Action Plan Requirements, (NRC,1980)
NUREG-0700, Human-System Interface Design Review Guidelines (NRC, 2002)
NUREG-0711, Human Factors Engineering Program Review Model, Rev. 3, (NRC, 2012)
NUREG-0800, Standard Review Plan, Chapter 18 Human Factors Engineering (NRC, 2004)
NUREG-0835, Human Factors Acceptance Criteria for the Safety Parameter Display System,
(NRC, 1981)
NUREG-1342, A Status Report Regarding Industry Implementation of Safety Parameter Display
Systems, (NRC, 1989)
2.2.4 Other Requirements
As customer requirements are identified, the HSI design and the functional requirements documents will
be revised to include them.
The following codes and standards are applicable.
NUREG/CR-6393, Integrated System Validation: Methodology and Review Criteria (1997).
NUREG/CR-6633, Advanced Information Systems: Technical Basis and Human Factors Review
Guidance (2000).
NUREG/CR-6634, Computer-Based Procedure Systems: Technical Basis and Human Factors
Review Guidance (2000).
NUREG/CR-6635, Soft Controls: Technical Basis and Human Factors Review Guidance (2000).
NUREG/CR-6636, Maintenance of Digital Systems: Technical Basis and Human Factors Review
Guidance (2000).
NUREG/CR-6637, Human-System Interface and Plant Modernization Process: Technical Basis
and Human Factors Review Guidance (2000).
NUREG/CR-6684, Advanced Alarm Systems: Guidance Development and Technical Basis (2000).
2.3 Concept of Use and HSI Design Overview
2.3.1 Concept of Use
The concept of use provides a high-level description of how personnel will work with HSI resources and
addresses the coordination of personnel activities, such as interactions with auxiliary operators and the
coordination of maintenance and operations.
2.3.1.1 High-level Description
Based on anticipated staffing levels, the operations personnel consist of reactor operator (RO), turbine
operator (TO), electrical operator (EO), shift supervisor (SS), and shift technical advisor (STA).
The RO is responsible for making all reactivity manipulations. The RO coordinates plant evolutions with
the TO as necessary to maintain control of the NSSS.
The TO is responsible for manipulating the controls for BOP and turbine systems. The TO coordinates
with the RO prior to making any control manipulations which will directly affect the heat balance or
reactivity control of the NSSS.
The EO is responsible for the operation of the main generator, emergency diesel generator (EDG), electrical
distribution breaker, and other activities (for example, fire protection, heating ventilation and air
conditioning (HVAC), radiation monitoring system (RMS), contact with electric load dispatcher) assigned
by the technical & administrative procedure of the specific plant in the MCR.
The SS is responsible for coordinating all activities within the plant that may affect operations. This
includes direct supervision of the operators in the MCR as well as activities outside the control room
(including maintenance).
The STA advises the SS on safe plant operation and performs the tasks mandated by the SS.
2.3.1.2 Coordination of Personnel Activities
The coordination of personnel activities, such as interactions with auxiliary operators and the coordination
of maintenance and operations is accomplished through voice communication, loudspeakers, paging
phone, evacuation alarm, sound powered telephone, and direct wire telephone.
The voice communication is provided between plant personnel in all vital areas during normal and
accident conditions. Voice communication is provided to the MCR, RSR, TSC and EOF, and Nuclear
Emergency Response Center.
Loudspeakers are located and distributed such that the page is intelligible in all locations.
The paging phone system is designed so that it provides effective communication between plant
personnel in all vital areas during the full spectrum of accident or incident conditions under normal
operating noise levels. For operating purposes, a paging phone system provides communications through
handset stations and loudspeaker assemblies. The system provides two independent communication
modes, page and partyline consisting of five circuits. Intra-plant communication can be established by
using the page channel to call a particular party and then communicating through one of the five party
lines available, thus leaving the page channel open for others. This page-and-partyline system is
available for use during emergency shutdown operations outside the MCR and communication between
the remote shutdown area, control room, and other areas that may require operator action during this
period.
An evacuation alarm system is provided utilizing sirens located throughout the plant. The sirens and tone
generator are manually activated from the evacuation switch board. The audible alarm system is
supplemented by visual alarm in high-noise areas.
A sound powered telephone system is located throughout the plant at designated control points for plant
maintenance and testing and to serve as a backup communication system.
The direct wire telephone system consists of desk-type telephones and signal addition units located
throughout the plant and plant site. This system is connected to the commercial telephone system and
the combined license (COL) private network, which allows offsite communications for normal and
abnormal/accident conditions. This system operates as backup to the paging phone system.
The Basic HSI Platform (Reference 7) provides the detailed concept of operations and the detailed
description of the HSI design and the methodology used to develop that design.
2.3.2 HSI Design Overview
The HSI design overview includes a description of:
facility layouts, including workstations, large screen displays, and the nominal staff working
positions
key HSI resources and their functionality, such as alarms, displays, controls, CBPs, and other
support and job aids
technologies to support teamwork and communication within the MCR and between the MCR,
RSR, the TSC, EOF, and LCS associated with IHAs
the responsibilities of the crew for monitoring, interacting, and overriding automatic systems and
for interacting with computerized procedures systems and other computerized operator support
systems
2.3.2.1 MCR Layout
MCR design includes operator consoles, safety console, and LDP. The MCR design configuration is
depicted in Figure 2 and provides five redundant consoles, each of which has capability to control all
power plant processes. Redundant operator consoles and the LDP are the main means of operation
during normal and accident situations.
Figure 2. Schematic for Main Control Room
Each of the three front consoles is designed to be used by one operator and two rear consoles are
assigned to SS and STA respectively. Each operator console provides devices for access to all
information and controls necessary for one person to monitor and control all processes associated with
nuclear plant operation and maintaining the plant in a safe condition. The front operator consoles are
linked together to provide good communications for the normal staffing assignment of RO, TO, and EO.
The two rear operator consoles are assigned to the SS and STA, who use the operator console features for
monitoring only. The rear operator consoles also serve as alternate operator consoles to be used for
plant monitoring and control in the event of a failure of one of the front operator consoles (where the
monitoring and control capability of an operator console is degraded).
Each operator console contains the following:
Multiple FPDs that support process monitoring and control with pointing devices
Engineered safety features-component control system (ESF-CCS) soft control flat panel displays
(FPDs).
Laydown space for logs, drawings, documents, paper procedures, etc.
The safety console provides controls and displays with which a backup operation can be performed
during a failure of the operator consoles. The safety console is located in the main operating area as
shown in Figure 2. The mini-LDP installed on the safety console provides the same fixed position alarms
and displays included on the LDP.
The safety console contains the following equipment:
Multiple FPDs of the same type as those of the operator consoles
qualified indication and alarm system-non-safety (QIAS-N) displays
qualified indication and alarm system-p (QIAS-P) displays
plant protection system (PPS)/ core protection calculator operator modules
Reactor trip and ESF system level actuation switches
Diverse manual actuation controls
Minimum inventory of fixed position switches
ESF-CCS soft control modules
The LDP is located in front of operator consoles as shown in Figure 2. It displays information that the
operator requires for quickly assessing overall plant status and is viewable from all MCR consoles and
the MCR offices.
The Large Display Panel is made up of eight separate display areas which are driven by workstations as
listed below:
Four Variable Display Sections
The CFM/BISI and System Group/Important Alarm Sections
The Reactor Operator Mimic Section
The Turbine Operator Mimic Section
2.3.2.2 Key HSI Resources and Functionality
Key HSI resources include soft controls, the LDP, the information display hierarchy, CBPs, and alarms.
Soft control
Soft controls are used to provide control room operators with plant control capabilities, which replace
conventional dedicated pushbuttons and process controllers. The soft control consists of the ESF-CCS
soft control and the process-component control system (P-CCS) soft control. The ESF-CCS soft control is
used to control the safety-related control components through the ESF-CCS, and the P-CCS soft control
is used to control the non-safety related control components through the P-CCS.
The soft control allows the control of continuous processes, discrete components, and other special
controllers such as control rods and turbine generators from the MCR and the remote shutdown console
(RSC).
The operator can control both safety and non-safety components using the ESF-CCS soft control or P-CCS
soft control on any one of the operator consoles. The use of soft control is essential to achieve a compact
operator console design.
The soft control emulates and replaces the various physical switches and analog control devices which
populate conventional plant control panels. The operator interacts with the ESF-CCS soft control via
touch screen, and interacts with the P-CCS soft control via a pointing device such as a mouse. These soft controls,
which are software based, allow a standard interface device to assume the role of numerous control
switches and analog control devices via software configuration. The selection of components is possible
from the information displays.
The ESF-CCS soft control is implemented on the qualified touch screen-based FPD, and the P-CCS soft
control is implemented on each information FPD of the MCR and the RSC.
Also the ESF-CCS soft control and the P-CCS soft control are provided on the safety console to support
the operator task of a predesignated operator in post trip conditions as a means for controlling non-safety
related equipment.
Large display panel
The LDP provides two types of displays.
One is a fixed display and the other is a variable display. The fixed display provides the rapid assessment
of plant conditions so that personnel are able to quickly extract status information from the display.
Therefore, the fixed displays are centrally located in the MCR.
The Variable Display Section of the LDP provides the operator with flexibility in specifying LDP display
information which will support varying information needs.
The LDP display is also available on any operator consoles in the MCR, TSC and EOF.
The LDP provides the operators with information that allows them to determine overall operational and
safety status of the plant.
The LDP presents high level process overview information by which an operator can:
Provide a selected set of high level function indicators, trend for key parameters, PPS actuation
status flags and alarms to support operators situation awareness of the plant.
Provide continuous display of critical function and success path alarms to meet SPDS
requirements.
Provide prioritized alarm presentation emphasizing important alarms to support operational
concerns.
Provide plant-wide system fixed mimic to alleviate display page navigation load and to support
crew coordination.
Provide flexible display areas in variable display section to meet the diverse information
requirements of different operators in different operational situations.
The LDP uses the same Style Guide for display design (i.e., dynamic symbols, color code, highlighting,
blinking, graphic layout and information coding features) that is used on the information display pages.
Information display hierarchy
The information display hierarchy in operator consoles provides dynamic display pages of plant
parameters and alarms using color graphic VDU so that an understanding of current plant conditions and
status is readily recognized. Information display pages provide information important to monitoring,
planning, controlling, and obtaining feedback on control actions. These display pages contain all the plant
information that is available to the operator, in a structured hierarchy. The information display pages are
useful for information presentation because they allow graphical layouts of the plant and process in
formats that are consistent with the operator's visualization of the plant. In addition information display
formats are designed to aid operational activities of the plant by providing trends, categorized listings,
messages, operational prompts, as well as alerts to abnormal process.
The MCR operator consoles use multiple display devices that allow simultaneous access to a variety of
display pages in the information display hierarchy. Each operator console includes four VDUs, to each of
which any display page in the information display hierarchy can be assigned. Use of four VDUs also
provides redundancy in the event of any VDU becoming unavailable. A pointing device such as a mouse
is the primary interface for navigating and accessing display pages in the hierarchy. Keyboards are not
used for information access at any of the control room operator consoles during normal operation. The
information display hierarchy is driven by the information processing system (IPS).
Computer-based procedure
The CBP is a computerized operator support system that enables the operators to execute procedural
steps with greatly reduced secondary tasks. It presents an overview and the instructions of a procedure,
together with the related process information and controls that need to be cross-referenced to execute the
procedure. The procedure display is used by the operator in conjunction with other types of displays.
Basically the same operating process as in a conventional control room is maintained. The SS has overall
control over the execution of the procedure. The RO and TO execute the procedural steps that are
assigned to them by the SS. The emergency operating procedures are executed by the operating crew in
coordination. Some procedures, such as system operating procedures, can be executed by a single
operator. The CBP supports coordination among operators. When an operating crew executes a single
procedure, the steps that the other operators are currently working on are shown on the overview pane,
and the SS, who is in charge of coordination, issues verbal orders.
The CBP can be displayed in the following locations:
- RO workstation
- TO workstation
- EO workstation
- SS workstation
- STA workstation
Switching the procedure display VDUs does not result in the loss of place keeping information. When an
operator does not use the CBP, the operator can use all the workstation displays for other purposes.
Alarm
The purpose of the alarm system is to alert the operators by means of visual and audible signals of
abnormal conditions that require operator action.
The alarm system is designed to perform the following functions:
- Alerting the operators to off-normal conditions that require the operator to take action
- Guiding the operators to the appropriate response
- Assisting the operators in determining and maintaining an awareness of the state of the plant and its systems or functions
The alarm warning system consists of three major functions: an auditory alert function, a visual alarm
function, and an operator response function. Together, these three functions are designed to provide a
preferred operational sequence for alarm warnings. The alarm system follows the Style Guide so that it
immediately and correctly alerts the operator, the operator can respond accurately and in a timely fashion,
and the alarms can be easily acknowledged, reset, and distinguished.
Alarms are presented and prioritized so that the operator's response can be based on their relative
importance or urgency and the time within which the operator must take action. Alarms are grouped into 3
priorities. In addition, there is a separate category called "Flag". A Flag provides operational guidance
information that is not representative of an undesirable process or component condition.
Shape coding on alarm tiles, alarm descriptors, mimic diagram component descriptors, process parameter
descriptors, and directory/display page option fields is used to help the MCR operator identify each alarm.
The alarm system is implemented in both the IPS and QIAS-N. Alarms are presented or accessed with
various formats or methods on LDP, operator console displays and QIAS-N Display.
Alarm information is presented on the LDP with alarm tile representations that graphically mimic the
conventional alarm windows, and with parameter/component descriptors. Alarm tile representations are
used for critical function, success path and system level alarms, and parameter/component descriptors are
used for process alarms on the process mimic of the LDP. Each alarm representation can show either
priority 1, 2, or 3 conditions. Each alarm can notify the operator of one or more possible alarm conditions
relating to a system, component, or major process problem. For the grouped alarms presented on the
LDP, specific alarm information is provided on the alarm lists of the operator console displays.
The alarm list of the operator console displays presents all alarm information associated with activated
priority 1, 2, and 3 alarms. It provides various kinds of lists, including prioritized, operator-established and
chronological alarm lists. The operator can acknowledge alarms on these lists.
The multiple alarm presentation methods of the operator console displays allow the operators to use alarm
information in the most meaningful manner for a given function or task, and also allow operators to
efficiently access, acknowledge, and diagnose any alarm condition. Alarm priority and status coding is
applied when alarms are present on component/parameter alarm descriptors, directory options, and
display page menu options. The menus on the operator console display screens provide the operator with
an overview of the existence of any unacknowledged alarm conditions and a general overview of where
they exist by plant sector. If an alarm exists in a particular plant sector, the corresponding directory page
menu option flashes. This is the sector of the hierarchy containing the display page best suited for
acknowledging the alarm.
An important alarm list is shown on the QIAS-N displays located on the safety console. The QIAS-N
displays alarms related to the NRC RG 1.97 (Reference 8) Type A, B, and C variables and selected sets of
Type D and E variables, the minimum inventory, and operating support information, which are mainly
displayed on the LDP. Alarm acknowledgment is accomplished on these displays by clicking with the
trackball.
The HSIs allow significant flexibility in alarm acknowledgment to accommodate varying numbers of
alarms (single and multiple) and various methods by which the operator can acknowledge them. Alarm
acknowledgment in either IPS or QIAS-N display will acknowledge the same alarm in the other system.
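The alarm list, priority and acknowledgment behaviour described above, as an added Python model that is not part of the original report: it assumes the class and method names, constructed alarm tags and sector names, and that a Flag does not flash a sector menu option.

```python
# Constructed model of the alarm handling described above: priority 1-3 plus
# the Flag category, the prioritized / chronological / operator-established
# lists, sector flashing, and acknowledgment shared by IPS and QIAS-N.
from dataclasses import dataclass
from enum import IntEnum
from itertools import count


class Priority(IntEnum):
    P1 = 1
    P2 = 2
    P3 = 3
    FLAG = 4  # operational guidance only, not an undesirable condition


@dataclass
class Alarm:
    seq: int         # activation order, used by the chronological list
    tag: str
    sector: str      # plant sector whose directory menu option flashes
    priority: Priority
    important: bool  # also shown on the QIAS-N important alarm list
    acknowledged: bool = False


class AlarmStore:
    """Single alarm state shared by the IPS and QIAS-N displays (assumed)."""
    def __init__(self):
        self._seq = count(1)
        self.alarms = {}                # tag -> Alarm
        self.operator_established = []  # tags the operator chose to list

    def activate(self, tag, sector, priority, important=False):
        alarm = Alarm(next(self._seq), tag, sector, priority, important)
        self.alarms[tag] = alarm
        return alarm

    def prioritized_list(self):
        # priority 1 first; within a priority, oldest first
        return sorted(self.alarms.values(), key=lambda a: (a.priority, a.seq))

    def chronological_list(self):
        return sorted(self.alarms.values(), key=lambda a: a.seq)

    def operator_established_list(self):
        return [self.alarms[t] for t in self.operator_established if t in self.alarms]

    def flashing_sectors(self):
        # assumption: a Flag signals no undesirable condition, so it does not flash
        return {a.sector for a in self.alarms.values()
                if not a.acknowledged and a.priority != Priority.FLAG}


class AlarmDisplay:
    """One presentation of the shared store, either 'IPS' or 'QIAS-N'."""
    def __init__(self, name, store):
        self.name = name
        self.store = store

    def visible(self):
        # QIAS-N on the safety console shows only the important alarm list
        alarms = self.store.prioritized_list()
        return [a for a in alarms if a.important or self.name == "IPS"]

    def acknowledge(self, tag):
        # recorded once in the shared store, so the other display sees it too
        self.store.alarms[tag].acknowledged = True


def demo():
    # constructed scenario: a P1, a P3 and a Flag; P1 acknowledged on QIAS-N
    store = AlarmStore()
    ips, qias_n = AlarmDisplay("IPS", store), AlarmDisplay("QIAS-N", store)
    store.activate("SG1-LVL-LO", "NSSS", Priority.P1, important=True)
    store.activate("CVCS-FLOW", "CVCS", Priority.P3)
    store.activate("TEST-MODE", "I&C", Priority.FLAG)
    store.operator_established.append("CVCS-FLOW")
    qias_n.acknowledge("SG1-LVL-LO")
    return store, ips, qias_n
```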
2.3.2.3 Technologies to Support Teamwork and Communication
LDP variable display area
Alarm lists, trend displays, etc., normally displayed on VDU screens can be projected onto the large
screen for monitoring or discussion purposes amongst the operating crew. Operators are able to choose
any display format available on the operator console and have it displayed on the LDP variable display
area.
The communication technologies within MCR and between the MCR, RSR, TSC, EOF, and local control
stations are described in Section 2.3.1.2.
The Basic HSI Platform provides the overall HSI design concept and rationale.
2.4 HFE Design Guidance for HSIs
The topics in the Style Guide address the scope of HSIs, their form, function and operation, as well as the
environmental conditions in which they will be used that are relevant to human performance. The Style
Guide is provided as Reference 9.
The Style Guide is developed for each of the HSI resources to facilitate the standard and consistent
application of HFE principles to the HSI design. The Style Guide contains a set of standards and
conventions that are produced by tailoring generic HFE guidance to the specific HSI design and that define
how those HFE principles are applied.
The HFE guidelines in NUREG-0700 (Reference 10) are included in the Style Guide.
The Style Guide provides:
- Specification of the accepted HFE standards, guidelines, and principles to which the HSI must conform
- Statements of the scope of the Style Guide
- Instructions for proper use of the Style Guide
- Specification of the design conventions to which the HSI must conform
3.0 Implementation
3.1 HSI Detailed Design and Integration
3.1.1 General
The HSI Detailed Design will:
- Consider important HAs.
- Base the layout of HSIs within consoles, panels, and workstations on analyses of personnel roles (job analysis) and on systematic strategies for organization, such as arrangement by importance, frequency and sequence of use.
- Design the HSIs to support inspection, maintenance, test, and repair of (1) plant equipment and (2) the HSIs. The applicant should design the latter so that inspection, maintenance, test, and repair of the HSIs do not interfere with other plant-control activities.
- Support personnel task performance under the conditions of the S&Q assumptions.
- Account for using the HSIs over the duration of a shift, where decrements in human performance due to fatigue may be a concern.
- Support human performance under the full range of environmental conditions, ranging from normal to credible extreme conditions, such as loss of lighting and of ventilation. For the remote shutdown facility and local control stations, the applicant's HFE design should consider the ambient environment (e.g., noise, temperature, contamination) and the need for and type of protective clothing.
3.1.2 Main Control Room
3.1.2.1 Safety Parameter Display System
The safety parameter display and evaluation system + (SPADES+) application program, in conjunction
with the continuous LDP display and the information display VDUs, meets the safety parameter display
system (SPDS) requirements for the HSI without using stand-alone monitoring and display systems.
Since the main intended use of the SPDS is during relatively rare occurrences, HFE suggests that the
operators will be most successful using the data acquisition habits acquired and repeated during normal
operation of the plant. The operator interface to the plant is improved by integrating the SPDS
requirements into the overall HSI design, which avoids the need for another, infrequently used system.
The SPDS functions are implemented in the SPADES+. CSF and success path (availability and
performance) information is integrated throughout the HSI information hierarchy.
3.1.2.2 Bypassed and Inoperable Status Indication
The bypassed and inoperable status indication (BISI) status display at the system level provides a
continuous indication of the bypassed and inoperable status of the system. Deliberately induced
bypassed conditions typically occur during plant startup/shutdown and during routine testing activities.
The system level status indication of BISI is provided for the protection systems and for the auxiliary or
supporting systems which are required for safe operation of the plant.
Graphic information is presented on display page formats with a hierarchical structure to aid rapid
operator comprehension from the LDP. The operator can select the proper menu on the information FPD
to confirm the BISI status shown on the LDP in the MCR.
The bypassed and inoperable condition of ESF components is provided to the IPS which indicates the
system level bypassed and inoperable condition. The IPS also provides status information at the
component level. The operator has the ability to manually activate each ESF system level bypass
indication in the MCR. Inoperable indication is shown on the IPS displays and LDP.
3.1.2.3 Relief and Safety Valve Position Monitoring
Position indicators and temperature indicators downstream of each pressurizer pilot operated safety relief
valve (POSRV) are provided to monitor the position of each pressurizer POSRV and to detect leakage from
each pressurizer POSRV. The LDP and IPS provide operators with a monitoring function for the POSRVs.
3.1.2.4 Manual Feedwater Control
The auxiliary feedwater system (AFWS) is actuated by an auxiliary feedwater actuation signal (AFAS)-1
for steam generator (SG) 1 and an AFAS-2 for SG 2. The AFWS is also actuated by the diverse
protection system (DPS).
The AFWS is started automatically on an AFAS. Both the motor-driven and the turbine-driven auxiliary
feedwater pumps aligned to the affected SG(s) are started simultaneously, and the auxiliary feedwater
modulating valves to the SG are automatically placed in the modulation mode. When an AFAS signal is
present, the auxiliary feedwater modulating valves are in modulation mode and are opened/closed
depending on SG level.
The AFAS is initiated by either low water level in the associated steam generator(s) or manual actuation
from the MCR. The AFAS is also initiated by loss of power to two or more channels.
The LDP and IPS display the feedwater flows so that the operator can control them.
3.1.2.5 Containment Monitoring
The LDP and information FPD display containment atmosphere pressure, containment water level,
containment hydrogen concentration, in-containment refueling water storage tank (IRWST) hydrogen
concentration, containment radiation intensity, and noble gas effluents.
3.1.2.6 Core Cooling
The QIAS-P and QIAS-N provide the operator in the control room with an unambiguous indication of
inadequate core cooling.
3.1.2.7 Post-accident Monitoring
The QIAS-P, QIAS-N, and IPS display accident monitoring variables.
The QIAS-P is dedicated to continuously monitor and display NRC RG 1.97 Type A, B, and C variables.
These displays are located on the MCR safety console.
The QIAS-N is designed to support continuous plant operation if the IPS becomes unavailable. The
function of QIAS-N also includes displaying NRC RG 1.97 Type A, B, C, and selected sets of Type D and
E variables. These displays are located on the MCR safety console and RSC.
The IPS provides displays for all NRC RG 1.97 variables. The IPS also has historical data storage,
retrieval and trending capability.
3.1.2.8 Leakage Control
The MCR provides the necessary controls and displays for leakage control. The LDP and IPS provide a
monitoring function for operators to mitigate leakage.
Leakage from portions of systems outside containment that could contain highly radioactive fluids during a
serious transient or accident is minimized to levels as low as practicable. These systems include the
containment spray system, the safety injection system, and the chemical and volume control system.
HSIs for monitoring and control are provided in the MCR.
3.1.2.9 Radiation Monitoring
The QIAS-P, QIAS-N, and IPS display accident monitoring variables including in-plant radiation and
airborne radioactivity under a broad range of routine and accident conditions.
3.1.2.10 Manual Initiation of Protective Actions
Manual ESF system level actuation switches are provided on the safety console. The engineered safety
features actuation system (ESFAS) consists of the following:
- Safety injection actuation signal (SIAS)
- Containment spray actuation signal (CSAS)
- Containment isolation actuation signal (CIAS)
- Main steam isolation signal (MSIS)
- Auxiliary feedwater actuation signal (AFAS)
- Fuel handling area emergency ventilation actuation signal (FHEVAS)
- Containment purge isolation actuation signal (CPIAS)
- Control room emergency ventilation actuation signal (CREVAS)
3.1.2.11 Diversity and Defense-in-depth
The diverse manual ESF actuation switches are provided to permit the operator to actuate ESF systems
from the MCR after a postulated CCF of the PPS and ESF-CCS. Also, the diverse indication system
provides functions to monitor critical variables and control the heater power for proper heated junction
thermocouple output signal level, when the CCF of digital I&C safety systems occurs.
3.1.2.12 Important HAs
The minimum inventory on the safety console provides the controls, displays and alarms that ensure the
reliable performance of identified important HAs. The APR1400 Basic HSI Platform provides the minimum
inventory of HSIs.
3.1.2.13 Computer-Based Procedure Platform
The CBP system is designed to be consistent with the design review guidance in NUREG-0700, Section 8
(Computer-Based Procedure System), and in Section 1 of DI&C-ISG-5 (NRC, 2008).
3.1.3 Technical Support Center
The TSC provides plant management and technical support to plant operating personnel during
emergency conditions.
The IPS provides the necessary interfaces with the TSC, EOF and ERDS to make the same information
that is available to the operating staff available to other interested personnel.
The SPADES+ is a computer application program that is a part of the IPS and displays primary safety
parameters that directly monitor critical plant functions on the FPDs in the MCR, TSC, and EOF.
Information FPDs and a station including SPADES+ displays, keyboards and a hard copy device are
provided, along with a minimum of 10 regular telephones, "hot-lines", and other communications
equipment as deemed necessary by the regulatory office to remain in contact with the control room and
other emergency facilities.
The TSC instrumentation consists of Information FPDs, keyboards, and hard copy devices necessary to
monitor plant data systems such as SPADES+. In addition, instrumentation or other TSC equipment such
as display boards and files is provided for data storage and retrieval. Instrumentation for display of
radiological, environmental, and meteorological data variables includes those specified in IEEE Std. 497
(Reference 11), NUREG-0737, Supplement 1 (Reference 12), and the meteorological variables listed in
proposed RG 1.23 (Reference 13). These historical data are retrievable and available in the TSC for a
minimum of 2 hours prior to and 12 hours after the accident.
The TSC location, design and equipment meet the requirements of NUREG-0696 (Reference 14) and
NUREG-0737, Supplement 1 as applicable.
3.1.4 Emergency Operation Facility
The EOF is an owner controlled and operated offsite support center. Equipment is provided in the EOF
for the acquisition, display and evaluation of all radiological, meteorological, and plant system data
pertinent to determination of offsite protective measures.
The IPS provides the necessary interfaces with the TSC, EOF and ERDS to make the same information
that is available to the operating staff available to other interested personnel.
The SPADES+ is a computer application program that is a part of the IPS and displays primary safety
parameters that directly monitor critical plant functions on the FPDs in the MCR, TSC, and EOF.
The EOF instrumentation consists of Information FPDs, keyboards, and hard copy devices necessary to
monitor plant data systems such as SPADES+. In addition, instrumentation or other EOF equipment such
as display boards and files is provided for data storage and retrieval. Instrumentation for display of
radiological, environmental, and meteorological data variables includes those specified in IEEE 497,
NUREG-0737, Supplement 1, and the meteorological variables listed in proposed RG 1.23. These
historical data are retrievable and available in the EOF for a minimum of 2 hours prior to and 12 hours
after the accident.
3.1.5 Remote Shutdown Facility
The remote shutdown facility has an HSI, consistent with that of the MCR and located outside the MCR,
that supports remote shutdown of the reactor per 10 CFR 50, Appendix A, GDC 19.
3.1.6 Local Control Stations
The LCSs, including those associated with risk-important and credited human actions, are designed
through the same design process as the MCR and are consistent with the HSIs in the MCR. As the HSI
design matures, the design documentation will describe how the final HSI design meets the above criteria.
3.2 Degraded I&C and HSI Conditions
The HFE program and the HSI design process account for the effects on the plant's performance in the
event of the failure or degradation of automated systems. Alarms and displays required for the timely
detection, and evaluation of the significance, of degraded I&C and HSI conditions are identified and
provided in the HSI. Conditions where back-up systems are required are identified and designed into the
HSI so that important tasks can be accomplished. The need for specific compensatory actions, supporting
procedures and degraded I&C training will be evaluated and supplied to ensure effective management of
degraded I&C and HSI conditions.
The goal of the HSI design for degraded I&C and HSI conditions is to ensure that personnel will
successfully transition to the back-up systems.
3.3 HSI Tests and Evaluations
Tests and evaluations of concepts and detailed design features are conducted during the process of
developing HSIs to support design decisions.
HSI trade-off studies will rely on the following factors when selecting one design over another:
- personnel-task requirements
- human performance capabilities and limitations
- HSI performance requirements
- inspection, test and maintenance needs
- application of proven technology, OER results and predecessor experience
- application of advanced technologies to improve human performance
HSI performance-based tests are used to verify that aspects of the HSI design meet the performance
criteria. The following aspects of the tests will be described:
- participants
- testbed
- design features or characteristics of the HSI being tested
- tasks or scenarios used
- performance measures
- test procedures
- data analyses
Both HSI trade-off studies and performance-based tests will be performed under an approved and
documented test procedure. The conclusions from the tests and their impact on design decisions will be
described.
4.0 Result
4.1 Results Summary Report
The Results Summary Report incorporates the following contents:
- SDC
- SFD
- Drawings
- HSI display drawings
- Design specification
5.0 References
1. KHNP, APR1400-E-J-NR-12002-P, "Human Factors Engineering Program Plan," September 2013.
2. KHNP, APR1400-E-J-NR-12001-P, "FRA/FA Implementation Plan," September 2013.
3. KHNP, APR1400-E-J-NR-12007-P, "Task Analysis Implementation Plan," September 2013.
4. KHNP, APR1400-E-J-NR-12003-P, "Operating Experience Review Implementation Plan," September 2013.
5. KHNP, APR1400-K-J-NR-13001-P, "Staffing and Qualifications Implementation Plan," September 2013.
6. ANSI/ANS 3.5, "Nuclear Power Plant Simulators for Use in Operator Training and Examination," 2009.
7. KHNP, APR1400-E-J-NR-12009-P, "Basic HSI Platform," September 2013.
8. NRC RG 1.97, Revision 4, "Criteria for Accident Monitoring Instrumentation for Nuclear Power Plants."
9. KHNP, APR1400-E-J-NR-12005-P, "Style Guide," September 2013.
10. NUREG-0700, Revision 2, "Human-System Interface Design Review Guidelines," U.S. NRC, Washington, DC, May 2002.
11. IEEE Std. 497-2002, "Accident Monitoring Instrumentation for Nuclear Power Generating Stations."
12. NUREG-0737, Supplement No. 1, "Clarification of TMI Action Plan Requirements," 1982.
13. NRC RG 1.23, Revision 1, "Meteorological Monitoring Programs for Nuclear Power Plants."
14. NUREG-0696, "Functional Criteria for Emergency Response Facilities," 1981.