ANP-10279 Revision 0 U.S. EPR Human Factors Engineering Program Topical Report January 2007 AREVA NP Inc. Non-Proprietary (c) 2007 AREVA NP Inc.

Copyright © 2007

AREVA NP Inc. All Rights Reserved

The design, engineering and other information contained in this document has been prepared by or on behalf of AREVA NP Inc., an AREVA and Siemens company, in connection with its request to the U.S. Nuclear Regulatory Commission for a pre-application review of the U.S. EPR nuclear power plant design. No use of or right to copy any of this information, other than by the NRC and its contractors in support of AREVA NP’s pre-application review, is authorized.

The information provided in this document is a subset of a much larger set of know-how, technology, and intellectual property pertaining to an evolutionary pressurized water reactor designed by AREVA NP and referred to as the U.S. EPR. Without access and a grant of rights to that larger set of know-how, technology, and intellectual property rights, this document is not practically or rightfully usable by others, except by the NRC as set forth in the previous paragraph.

For information address: AREVA NP Inc. An AREVA and Siemens Company 3315 Old Forest Road Lynchburg, VA 24506

U.S. Nuclear Regulatory Commission

Disclaimer Important Notice Concerning the Contents and Application of This Report

Please Read Carefully

This report was developed based on research and development funded and conducted by AREVA NP Inc., and is being submitted by AREVA NP to the U.S. Nuclear Regulatory Commission (NRC) to facilitate future licensing processes that may be pursued by licensees or applicants that are customers of AREVA NP. The information contained in this report may be used by the NRC and, under the terms of applicable agreements with AREVA NP, those customers seeking licenses or license amendments to assist in demonstrating compliance with NRC regulations. The information provided in this report is true and correct to the best of AREVA NP’s knowledge, information, and belief.

AREVA NP’s warranties and representations concerning the content of this report are set forth in agreements between AREVA NP and individual customers. Except as otherwise expressly provided in such agreements with its customers, neither AREVA NP nor any person acting on behalf of AREVA NP:

• Makes any warranty or representation, expressed or implied, with respect to the accuracy, completeness, or usefulness of the information contained in this report, nor the use of any information, apparatus, method, or process disclosed in this report.

• Assumes any liability with respect to the use of or for damages resulting from the use of any information, apparatus, method, or process disclosed in this report.

ABSTRACT

The purpose of the U.S. EPR Human Factors Engineering Program Topical Report is to describe the engineering process that will be employed to design the human-system interfaces (HSIs) and associated equipment and control rooms.

The goal of the Human Factors Engineering (HFE) program is to provide reasonable assurance that plant operators can access the required information and controls to enable safe and efficient control and monitoring of plant processes and equipment.

The HFE program defines responsibilities of the HFE and Control Room Design Team. The HFE program applies to the design of the Main Control Room (MCR), the Technical Support Center (TSC), the Instrumentation and Control Service Center (I&CSC), and the Remote Shutdown Station (RSS). HSIs, procedures, and training associated with monitoring and control of functions belonging to instrumentation and control (I&C) systems are included within the scope of the program. HSIs associated with non-I&C systems (e.g., manual valve operators and other local control stations (LCS)) should also follow guidelines established by the HFE and Control Room Design Team. This topical report describes the corresponding interface between the HFE and Control Room Design Team and other engineering disciplines. The detailed design of the HSIs and the control centers is based on a set of standard features and criteria.

The design of the control centers depends on an understanding of the interactions of operating personnel with plant automation features. These interactions are defined by delineating personnel responsibilities for monitoring and controlling the automatic, screen-based, and conventional control and monitoring systems.

This report describes the records used for design control that document the designs and the implementation plans, including analytical and validation activities. A proposed schedule is also presented that shows the expected content for the various elements of the program.

Nature of Changes

Item    Section(s) or Page(s)    Description and Justification

Contents

1.0 INTRODUCTION

2.0 HUMAN FACTORS ENGINEERING PROGRAM SCOPE
2.1 General Principles
2.1.1 Applicable Facilities
2.1.2 Applicable Human-System Interfaces, Procedures, and Training
2.2 Design Goals and Bases
2.2.1 Mechanical Properties and Dimensions for the Work Environment
2.2.2 Acoustic Environment
2.2.3 Lighting of the HMI Rooms and Workspace
2.2.4 Ambient Conditions in the Control Rooms
2.2.5 Coding, Language, and Information Presentation
2.2.6 Requirements for Screen-Based Information Presentation and Dialogs
2.2.7 Information Needs and Controls
2.2.8 Alarm System Design
2.2.9 Plant Operating Procedures

3.0 CONTROL ROOM AND HUMAN-SYSTEM INTERFACE STANDARD DESIGN FEATURES
3.1 Control Rooms
3.1.1 Main Control Room
3.1.2 Technical Support Center
3.1.3 Remote Shutdown Station
3.1.4 Instrumentation and Control Service Center
3.2 Human-System Interfaces
3.2.1 Process Information and Control System
3.2.2 Plant Overview Panel
3.2.3 Safety Information and Control System

4.0 CONCEPT OF OPERATIONS
4.1 Staffing
4.1.1 Shift Supervisor
4.1.2 Shift Technical Advisor
4.1.3 Control Room Supervisor
4.1.4 Reactor Operator
4.1.5 Additional Licensed Operators
4.2 Normal Operations
4.2.1 Operating Procedures
4.2.2 Alarm Response
4.2.3 Usage of PICS and SICS
4.2.4 Periodic Surveillances, Operations, and Tests
4.3 Expectations for Handling Operational Occurrences
4.3.1 Abnormal Operations and Incidents
4.3.2 Emergency Operations and Accidents
4.3.3 Loss of MCR

5.0 DESIGN CONTROL PROCESS
5.1 Generic Design Control
5.2 Human Factors Engineering Design Control
5.3 Control Room and HSI Design Documentation
5.3.1 HFE Program Plan
5.3.2 Plant Technical Requirements Document
5.3.3 System Design Requirements Documents
5.3.4 System Description Document
5.3.5 Specifications
5.4 HFE Program (NUREG-0711) Design Elements
5.4.1 Introduction
5.4.2 HFE Program Management
5.4.3 Operating Experience Review
5.4.4 Functional Requirements Analysis and Function Allocation
5.4.5 Task Analysis
5.4.6 Staffing and Qualifications
5.4.7 Human Reliability Analysis
5.4.8 Human-System Interface Design
5.4.9 Procedure Development
5.4.10 Training Program Development
5.4.11 Human Factors Verification and Validation
5.4.12 Design Implementation
5.4.13 Human Performance Monitoring
5.5 Human Factors Engineering Issues Tracking

6.0 SIMULATOR DESIGN ACTIVITIES

7.0 REFERENCES

APPENDIX A SUMMARY OF HUMAN FACTORS ENGINEERING PROGRAM ELEMENT DEVELOPMENT

List of Tables

Table A-1—Design Control Process Document Development
Table A-2—HFE Program Elements Development

List of Figures

Figure 3.1-1—U.S. EPR Control Rooms Layout
Figure 3.2-1—U.S. EPR I&C Basic Architecture
Figure 5.2-1—HFE Control Room Design Functions and Reporting
Figure 5.3-1—Design Control Process

Nomenclature

Acronym    Description
ASHRAE    American Society of Heating, Refrigerating and Air-Conditioning Engineers
COL    Combined Operating License
CRS    Control Room Supervisor
DCD    Design Control Document
DNBR    Departure from Nucleate Boiling Ratio
DOD    Department of Defense
DRB    Design Review Board
EOF    Emergency Operations Facility
EOP    Emergency Operating Procedure(s)
EPRI    Electric Power Research Institute
FA    Function Allocation
FRA    Functional Requirements Analysis
GTG    Generic Technical Guidance
HA    Human Action
HED    Human Engineering Discrepancy
HFE    Human Factors Engineering
HMI    Human-Machine Interface
HRA    Human Reliability Analysis
HSI    Human-System Interface
HVAC    Heating, Ventilation and Air Conditioning
I&C    Instrumentation and Controls
I&CSC    Instrumentation and Controls Service Center
INPO    Institute of Nuclear Power Operations
KSA    Knowledge, Skills, and Attributes
LCS    Local Control Stations
MCR    Main Control Room
NEI    Nuclear Energy Institute
NLO    Non-Licensed Operator
NRC    Nuclear Regulatory Commission
NSAC    Nuclear Sciences Advisory Committee
NUMARC    Nuclear Utilities Management and Resources Council
OER    Operating Experience Review
OL3    Olkiluoto 3
PICS    Process Instrumentation and Controls System
POP    Plant Overview Panel
PRA    Probabilistic Risk Assessment
PTRD    Plant Technical Requirements Document
PWR    Pressurized Water Reactor
QA    Quality Assurance
QAP    Quality Assurance Program
QDS    Qualified Display System
RMS    Records Management System
RO    Reactor Operator
RSS    Remote Shutdown Station
SAT    Systematic Approach to Training
SDD    System Description Document
SDRD    System Design Requirements Document
SER    Safety Evaluation Report
SICS    Safety Information and Controls System
SRO    Senior Reactor Operator
SS    Shift Supervisor
STA    Shift Technical Advisor
TA    Task Analysis
TSC    Technical Support Center
V&V    Verification and Validation

1.0 INTRODUCTION

The U.S. EPR Human Factors Engineering (HFE) Program Topical Report describes the engineering process that will be employed to design the human-system interfaces (HSIs) and associated equipment and the control rooms.

NUREG-0711, Human Factors Engineering Program Review Model (Reference 6), describes the twelve elements of a generic HSI design which comprise a top-down example of a program and relate the high-level goal of plant safety into individual, discrete focus areas for the HSI design.

The U.S. EPR HFE program provides reasonable assurance that plant operators can access the required information and controls to safely and efficiently control and monitor the plant processes and equipment. The HFE program defines the responsibilities of the HFE and Control Room Design Team as well as the equipment and facilities which the team will design. The HFE and Control Room Design Team produces HFE guidance related to the design of other equipment local control stations (LCSs). This report describes the interface between the HFE and Control Room Design Team and other engineering disciplines. Design goals and bases and features inherent to the standard U.S. EPR design are described to illustrate the starting point and scope for the program.

This report also describes AREVA NP’s engineering design process and how the HFE design process follows and interrelates with that process. Successive sections describe the specific design records used to document the design and the implementation plans for the various analysis and validation activities. Finally, this report contains a proposed schedule for the various elements of the HFE program, which includes the twelve elements described in NUREG-0711 and the various types of design documentation prescribed by AREVA NP’s design control process.

AREVA NP requests that the NRC issue a Safety Evaluation Report (SER) that approves this topical report. The U.S. EPR HFE Program Topical Report will be used to support AREVA NP’s U.S. EPR design. AREVA NP plans to reference the topical report in its Design Control Document for the U.S. EPR.

2.0 HUMAN FACTORS ENGINEERING PROGRAM SCOPE

2.1 General Principles

The HFE program enables plant operators and technicians to safely and efficiently access the required information and controls to control and monitor the plant processes and equipment. The HFE program also establishes the time and performance criteria for required equipment operations via human reliability analyses and recognized guidelines.

The design of the human-machine interface (HMI) should meet the following basic requirements:

• Operator tasks should be executable (sufficient time allocated, needed controls and information available).

• The operator should be able to check the success of an action against the objective of the action.

• The allocated tolerance range (safety limits, time limits, precision) should be clearly defined.

• Actions that fail or are erroneous should be recoverable, if possible.

• The operator should be able to evaluate the system or plant response to a control action. Multiple process monitoring contexts (i.e., physical, functional) are preferred.

• The operator should be able to evaluate the current safety state of the plant processes from the available displays.

The HFE and Control Room Design Team establishes and provides reasonable assurance that the program complies with the following criteria:

• Location and accessibility requirements for the control rooms and other control stations

• Layout of the control rooms, including locations and design of individual displays and panels

• Basic concepts and detailed design for the information displays, controls, and alarms for HMI control stations

• Coding and labeling conventions for control room components and plant displays

• Design of the screen-based HMI, including the actual screen layout and the standard dialogues for accessing information and controls

• Requirements for the physical environment of the control rooms (e.g., lighting, acoustics, heating, ventilation and air conditioning (HVAC))

• Layout of operator work stations and work space

• Verification and validation (V&V) of the design of human interfaces

The HFE and Control Room Design Team is also responsible for program concepts for developing operating procedures, staffing requirements, and designer’s input to the training program, as described in successive sections of this document.

2.1.1 Applicable Facilities

The HFE program applies to the design of the Main Control Room (MCR), the Technical Support Center (TSC), the Instrumentation and Control Service Center (I&CSC), the Remote Shutdown Station (RSS), and LCSs associated with operation or maintenance. The design of LCSs is typically accomplished concurrent with the applicable system design and follows guidelines established by the HFE and Control Room Design Team. A COL applicant that references the U.S. EPR design certification will design the Emergency Operations Facility (EOF), though the HFE and Control Room Design Team is expected to participate in that design.

2.1.2 Applicable Human-System Interfaces, Procedures, and Training

The scope of the HFE program includes HSIs, procedures, and training associated with monitoring and controlling instrumentation and control (I&C) system functions. The system functions include those required during the various normal operating modes as well as those required during tests, inspections, surveillances, maintenance, abnormal, emergency, and accident conditions. HSIs associated with non-I&C systems (e.g., manual valve operators and other LCSs) should follow guidelines established by the HFE and Control Room Design Team.

2.2 Design Goals and Bases

The design of the work environment for the operating and maintenance staffs should meet the relevant HFE requirements described in the sections below.

2.2.1 Mechanical Properties and Dimensions for the Work Environment

The layout of the MCR and other HMI rooms should meet basic arrangement requirements for information presentation on screens and control panels. The layout of the MCR and other HMI rooms accounts for visibility constraints, accessibility requirements, and communication requirements between the operating and maintenance staff members during all plant states. The detailed layout will be generated, starting from a first draft layout, in the design process described below. Similarly, the layout of the operator workstations (including safety and non-safety HSI) and the large screen display panel (Plant Overview Panel (POP)) should be defined taking into account visibility, reach and grasp requirements, and anthropometric dimensions for the intended user population. Validation of these design results should be performed by conducting walk-throughs, using a selected set of emergency procedures, in a mock-up of the MCR.

2.2.2 Acoustic Environment

The acoustic environment and the mean noise level in the MCR should aid operator alertness so that the monitoring and controlling of processes and the associated mental activities are performed in comfort and promote communication between the members of the operating staff.

2.2.3 Lighting of the HMI Rooms and Workspace

The lighting in the control rooms provides optimum working conditions for personnel by:

• Providing an adequate lighting level for performance of tasks (e.g., good contrast for easy discrimination of information, good minimum lighting for preservation of alertness).

• Avoiding glare and reflection.

2.2.4 Ambient Conditions in the Control Rooms

During normal operation at basic atmospheric conditions, the temperature and humidity in the MCR and the associated HMI rooms are controlled to normal comfort levels. The air-conditioning system can adjust the temperature. During some design basis events, the temperature in the MCR may exceed comfort levels, but the temperature should not exceed the guidance provided in Reference 5.

2.2.5 Coding, Language, and Information Presentation

In order to minimize human error, rules for the arrangement of information on screens and conventional control boards and for coding and labeling of information on the different types of HMIs will be specified in the design phase (see Section 5.4.8).

The nomenclature and terminology used in operating procedures will be consistent with those used on operator interfaces. The HMIs should be consistent with plant documentation to the extent possible (e.g., system manuals and plant drawings).

2.2.6 Requirements for Screen-Based Information Presentation and Dialogs

Operators are provided with an overview of the plant state and rapid access to specific pieces of information and specific controls. For conventional control boards, this will be accomplished by logical grouping of indicators, alarms and status displays in functional groupings which provide clear relationships between associated indicators and controls. For the screen-based controls, the organization of operating displays and navigation methods accounts for the limitations of display area and the serial character of information access to provide an overall vision of plant state as well as access to details.

Four principal criteria apply to the design of screen-based HMI:

• The information hierarchy at the top levels contains a few overview displays showing essential plant state information while the lower level displays progress through increasing levels of detail.

• Multiple monitors are used to allow simultaneous display of several types of information.

• Task-oriented presentation of the same information in different arrangements is adapted to different operator processes.

• Calculated, pre-processed and condensed information is used to allow a rapid grasp of the state of a complex system (e.g., core average axial power shape monitoring, departure from nucleate boiling ratio (DNBR) and critical heat flux monitoring, plant calorimetric calculation, saturation temperature, saturation pressure, curves and limits for heat-up and cool-down).

The information presentation:

• Allows operators to evaluate the priority, gravity, and impact on safety and availability of an event in the context of overall plant state.

• Directs the operators to the information and controls that are needed to plan and execute any necessary action(s).

• Guides the operator from summary information (e.g., from a fault flag or an alarm) to the detailed fault information (e.g., a detailed circuit format) or to the associated procedure or alarm sheet.

2.2.7 Information Needs and Controls

Information that allows the operator to evaluate the plant state and provides feedback for any action is displayed in a consistent manner.

The operators will be provided with an appropriate means to interact with screen-based and conventional controls so that, as a minimum, the following types of information are accessible:

• Plant equipment data (fluid, mechanical, electrical and I&C systems and components)

• Process dynamics

• Functional relationships between sub-processes

• Automation equipment functions (e.g., control loops, automatic sequencers, protection systems) and their relation to the state of the process

• Operational guidance (e.g., procedures and technical data sheets)

Information about the first three types of items is communicated to the operators by state and status information and by alarms, irrespective of the technology of the HMI systems.

The screen-based HMI systems, which are backed up by paper-based procedures, support operational guidance. Aside from the navigation and layout differences and the availability of live data, the electronic and hard copy procedures contain the same information in the same format.

2.2.8 Alarm System Design

The alarms alert and inform the operators when unexpected events occur that require manual

actions to correct, mitigate, compensate for a failure, make repairs, or when a failure should be

accounted for during further process control because either the failure restricts the reachable

plant states or requires alternate means of reaching the desired state.

Alarms consist of either binary signals regarding the state of the process or the equipment or

acoustic and optical annunciations to alert and guide the operator to the applicable HMI

display.

Alarms may be generated when process variables leave their operating range, when

equipment is not in the operating mode that is required for the actual process state, or when

equipment fails. Status messages (i.e., messages indicating response to process or

equipment events) are also generated within the alarm hierarchy.

The operators should not be burdened by multiple alarms that demand simultaneous actions;

however, operator training establishes the priorities for responding to alarms to maintain a high

level of safety. The following factors are examples of criteria that determine how alarm

priorities are established:

• The available reaction time

• The safety relevance of the event

• The relevant impact of the event (e.g., leading to or the imminent loss of a function,

degradation of a function)

The following principles are applied when designing the logic of alarms and overall alarm

processing:

• Alarm signals are based on information that indicates the true cause of the reported

event.

• Alarms are integrated with the HSI to assist the operator with situational awareness,

alarm response, and any associated troubleshooting.

• Alarm signals include logic so that only operationally relevant conditions are alarmed

(e.g., the alarm logic for "low discharge pressure" downstream of a pump will produce

an alarm only if the pump is supposed to be running).

• The overall plant state is taken into account for the generation of alarms, or at least to

inhibit alarms which are not relevant for the actual plant state.

• Pre-alarms are provided before automatic actuation only if manual corrective actions

are different from automatic actions and when an operator has sufficient time to identify

and perform these actions.
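The conditioning and inhibit principles listed above can be sketched as a small evaluator. This is an added example, not code from the report or from any U.S. EPR system; the alarm tags, signal names, setpoints, plant-state names and the ordering rule (safety relevance first, then shortest reaction time) are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

Signals = Dict[str, float]


@dataclass(frozen=True)
class AlarmDef:
    tag: str
    raw_condition: Callable[[Signals], bool]   # process variable outside its range
    relevant: Callable[[Signals], bool]        # operational relevance gate
    plant_states: FrozenSet[str]               # states in which the alarm applies
    safety_relevant: bool                      # priority criterion from the text
    reaction_time_s: int                       # priority criterion from the text


# Constructed alarm definitions (hypothetical tags and setpoints).
ALARMS = [
    AlarmDef(
        tag="PUMP_A_LOW_DISCH_PRESS",
        raw_condition=lambda s: s["pump_a_disch_press_bar"] < 5.0,
        # Only meaningful if the pump is supposed to be running.
        relevant=lambda s: s["pump_a_demand_run"] == 1,
        plant_states=frozenset({"power", "startup", "shutdown"}),
        safety_relevant=False,
        reaction_time_s=600,
    ),
    AlarmDef(
        tag="SG_LEVEL_LOW",
        raw_condition=lambda s: s["sg_level_pct"] < 30.0,
        relevant=lambda s: True,
        plant_states=frozenset({"power", "startup"}),
        safety_relevant=True,
        reaction_time_s=120,
    ),
    AlarmDef(
        tag="AUX_TANK_TEMP_HIGH",
        raw_condition=lambda s: s["aux_tank_temp_c"] > 60.0,
        relevant=lambda s: True,
        plant_states=frozenset({"power", "startup", "shutdown", "refueling"}),
        safety_relevant=False,
        reaction_time_s=1800,
    ),
]


def evaluate(defs: List[AlarmDef], signals: Signals,
             plant_state: str) -> Tuple[List[str], Dict[str, str]]:
    """Return (active alarm tags in priority order, suppressed tag -> reason)."""
    active: List[AlarmDef] = []
    suppressed: Dict[str, str] = {}
    for d in defs:
        if not d.raw_condition(signals):
            continue  # nothing to report
        if plant_state not in d.plant_states:
            suppressed[d.tag] = "inhibited: not relevant in plant state " + plant_state
        elif not d.relevant(signals):
            suppressed[d.tag] = "inhibited: condition not operationally relevant"
        else:
            active.append(d)
    # Assumed ordering: safety-relevant alarms first, then least reaction time.
    active.sort(key=lambda d: (not d.safety_relevant, d.reaction_time_s))
    return [d.tag for d in active], suppressed


# Constructed sample: pump A is stopped on purpose, so its low discharge
# pressure must not alarm; the other two raw conditions are true.
SAMPLE = {
    "pump_a_disch_press_bar": 0.4,
    "pump_a_demand_run": 0,
    "sg_level_pct": 25.0,
    "aux_tank_temp_c": 75.0,
}

if __name__ == "__main__":
    for state in ("power", "refueling"):
        print(state, evaluate(ALARMS, SAMPLE, state))
```

Keeping the suppressed set with a reason for each entry gives a record that can be checked against the alarm sheets when reviewing whether an inhibit hid a condition that mattered.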

Alarm processing and presentation on the various screen-based HMI components (Process

Instrumentation and Controls System (PICS) and Qualified Display System (QDS) portion of

the Safety Information and Controls System (SICS)) will be as similar as possible.

2.2.9 Plant Operating Procedures

Besides constituting the means to perform overall process supervision, monitoring and

supporting performance of elementary process control actions, procedures provide guidance

for more complex tasks. This is accomplished by alarm sheets, procedures for normal

operation (including startup and shutdown procedures), and abnormal and accident

procedures.

Where technically feasible, operating procedures will be implemented in screen-based formats

that provide access to process information and contain format links, which provide access to

underlying additional information and direct the operator to control screens. Paper-based

procedures back up screen-based procedures and contain the same guidance in the same

format.

The computerized formats of operating procedures should meet the following requirements:

• Action objectives should be clearly defined (i.e., the operator should be able to visualize

the current plant or system state and understand the expected result).

• Each applicable procedure step should establish a given objective, including the

parameters used to evaluate the objective, and (where appropriate) indicate the HSI

location (screen) for the state of the systems and the required functions. If the action

specified in the procedure is performed and the expected response is not achieved, the

procedure should direct the operator to perform mitigating actions.

• The appropriate sequence of actions should be clear and concise.

• The procedure should provide concise descriptions for the execution of tasks and

actions by providing step-by-step methods of manual execution or referencing the

appropriate automated sequences.

• Operator guidance should be structured with several levels of detail (i.e., objectives,

tasks, actions).

3.0 CONTROL ROOM AND HUMAN-SYSTEM INTERFACE STANDARD DESIGN FEATURES

The U.S. EPR control rooms and HSIs contain a group of standard features that form the

bases for the detailed HSI design.

3.1 Control Rooms

The control rooms are locations where major I&C display and control functions are available

(i.e., I&C display and control functions not associated with an LCS). The control rooms include

the MCR, the TSC, the RSS, and the I&CSC. The layout of the U.S. EPR control rooms is

illustrated in Figure 3.1-1, with the exception of the RSS which is in a separate location.

Figure 3.1-1—U.S. EPR Control Rooms Layout

3.1.1 Main Control Room

The MCR provides:

• A centralized location where actions to operate the plant safely are performed under

normal conditions and where actions to reach and maintain a safe condition under

accident conditions are performed.

• Adequate radiation protection that allows personnel to access and occupy the MCR

under accident conditions without receiving radiation exposure in excess of 10 CFR 50

Appendix A (GDC 19) (Reference 3) requirements.

• The ability to transfer control outside the MCR to equipment that is designed to achieve

prompt hot shutdown of the reactor and maintain a safe condition during hot shutdown

with the possibility for subsequent cold shutdown of the reactor through suitable

procedures.

• A means to communicate with the outside.

• A centralized location for initiating, monitoring, and authorizing maintenance for

process equipment and systems.

• Protection from hazards and adverse environmental conditions for personnel and

equipment required to operate the plant safely.

• A working environment for the operators that reduces conditions that adversely affect

human performance.

The MCR houses the major HSIs with the main plant monitoring and control systems. The

MCR is located in a hardened safeguards building where it is protected against radiation,

internal and external missiles, and earthquakes. The MCR interface with the I&C systems is

arranged in separated I&C cabinet rooms and in the rooms on the MCR floor level.

The MCR is sized sufficiently so that the MCR staff can perform necessary actions. The

arrangement of the adjacent control rooms facilitates coordination and communication

between the members of the operating staff while reducing the need for access to the MCR by

other plant personnel, such as field equipment operators, maintenance staff, and personnel in

other HSI rooms (e.g., I&CSC). Several means of communication with non-licensed operators,

maintenance personnel, operations support staff, plant management, dispatchers, regulators,

and public officials are provided in the MCR.

The MCR is equipped with:

• Four operator workstations with HSI (Note: This number does not imply a staffing level.

See Section 4.1 for more information on staffing levels)

• A communication console (multiple means of communication are also available to each

operator)

• POP

• Storage space for backup procedures and documentation and for personal protective

equipment

3.1.2 Technical Support Center

The TSC is in close proximity to the MCR to simplify access to the MCR and maximize the

efficiency of the interface with other HSI rooms.

The TSC is located on the floor level of the control rooms outside the MCR, but has a separate

access point. The TSC is located in a hardened safeguards building. As shown in Figure 3.1-1,

the TSC is part of the integrated operations area.

If required, the technical support team uses the TSC to accommodate additional technical

engineering, senior operations, and management staff who analyze the plant conditions and

support the MCR operators during post-accident management. The TSC contains PICS

monitors which have access to process information needed to monitor the state of the plant in

all plant states, including maintenance, refueling, power, and accident conditions. The process

control functions that are associated with PICS in the MCR are blocked in the TSC. The TSC

is also provided with several means of communications within and outside the plant.

3.1.3 Remote Shutdown Station

The RSS is independent from the MCR. It is in a different fire zone and utilizes a different

ventilation system than the MCR.

The RSS is a control center that contains the equipment necessary to bring the plant to a safe

shutdown state during an event requiring the evacuation of the MCR. The HSI (control)

functions of the RSS are isolated while the MCR is available and in use.

The RSS HSI consists of PICS equipment, SICS equipment, and communications equipment.

3.1.4 Instrumentation and Control Service Center

The I&CSC provides a centralized location for I&C technicians and other specifically qualified

plant staff to perform maintenance, periodic testing, and modification of I&C system software,

including the interface equipment (e.g., PICS) and the monitoring and control equipment. The

I&CSC also contains consoles for specialized systems (e.g., the loose parts and vibration

monitoring system, leakage monitoring system, and the Aeroball and PowerTrax core

monitoring systems).

3.2 Human-System Interfaces

Figure 3.2-1 shows the planned I&C architecture from the perspective of safety and non-safety

I&C and the relationship to the various HSIs.

Figure 3.2-1—U.S. EPR I&C Basic Architecture

3.2.1 Process Information and Control System

The PICS is a non-safety-related digital I&C system. It provides a screen-based interface for

the operators in the MCR and in the RSS to control and monitor plant parameters during

normal, abnormal, and accident conditions. Figure 3.2-1 shows the PICS interfaces with the

plant automation systems. The PICS receives both safety and non-safety data from the

instrumentation. The PICS provides a state-of-the-art digital HMI to monitor the plant (i.e., an

operator has access to available plant data at a single “workstation”). The PICS performs

self-diagnostics, receives and displays self-diagnostic information from other plant systems,

archives data, and incorporates software changes. The PICS provides an alarm

management interface for the operators.

Individual PICS monitors are not specialized. The control functions on the PICS are divided

into hierarchies, and operator workstations should be logged in with responsibilities for

selected hierarchies. Alarms and control capabilities on any one workstation correspond only

to those belonging to the hierarchy for which that workstation is logged in; however, any

available PICS monitor can display information and allow separate dialog boxes to be opened.

With the exception of the PICS workstation in the RSS, plant control functions are disabled

outside the MCR. Outside the MCR, a personal, specific login is required to access

information or, in the case of the I&CSC, to conduct maintenance or modifications.
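The access rules in this section and in Sections 3.1.2 through 3.1.4 amount to a default-deny policy keyed on location, login and hierarchy. The following is an added example, not code from the report or from the PICS; the hierarchy names, the `Session` fields and the rule that maintenance is accepted only from the I&CSC are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class Location(Enum):
    MCR = "main control room"
    RSS = "remote shutdown station"
    TSC = "technical support center"
    ICSC = "I&C service center"


class Action(Enum):
    DISPLAY = "display"
    CONTROL = "control"
    MAINTENANCE = "maintenance"


@dataclass(frozen=True)
class Session:
    location: Location
    hierarchies: FrozenSet[str] = frozenset()  # hierarchies the workstation is logged in for
    personal_login: bool = False               # personal, specific login presented


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(session: Session, action: Action,
              hierarchy: Optional[str] = None,
              mcr_in_use: bool = True) -> Decision:
    """Decide one request; anything not explicitly permitted is denied."""
    outside_mcr = session.location is not Location.MCR
    if outside_mcr and not session.personal_login:
        return Decision(False, "personal login required outside the MCR")

    if action is Action.DISPLAY:
        # Any available PICS monitor can display information.
        return Decision(True, "display available on any PICS monitor")

    if action is Action.MAINTENANCE:
        # Assumption: maintenance and modification are accepted only from the I&CSC.
        if session.location is Location.ICSC:
            return Decision(True, "maintenance from the I&CSC with personal login")
        return Decision(False, "maintenance is performed from the I&CSC")

    if action is Action.CONTROL:
        if session.location in (Location.TSC, Location.ICSC):
            return Decision(False, "plant control is disabled at this location")
        if session.location is Location.RSS and mcr_in_use:
            return Decision(False, "RSS control is isolated while the MCR is in use")
        if hierarchy is None or hierarchy not in session.hierarchies:
            return Decision(False, "workstation is not logged in for this hierarchy")
        return Decision(True, "control within a logged-in hierarchy")

    return Decision(False, "unknown action")


def visible_alarms(session: Session, alarms: List[Dict[str, str]]) -> List[str]:
    """Alarms on a workstation are limited to its logged-in hierarchies."""
    return [a["tag"] for a in alarms if a["hierarchy"] in session.hierarchies]


# Constructed sample data (hypothetical hierarchy names and alarm tags).
SAMPLE_ALARMS = [
    {"tag": "RCS_PRESS_HIGH", "hierarchy": "primary"},
    {"tag": "FW_FLOW_LOW", "hierarchy": "secondary"},
]

if __name__ == "__main__":
    mcr = Session(Location.MCR, frozenset({"primary"}))
    rss = Session(Location.RSS, frozenset({"primary"}), personal_login=True)
    print(authorize(mcr, Action.CONTROL, "secondary"))
    print(authorize(rss, Action.CONTROL, "primary", mcr_in_use=True))
    print(authorize(rss, Action.CONTROL, "primary", mcr_in_use=False))
    print(visible_alarms(mcr, SAMPLE_ALARMS))
```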

The PICS screens provide the following information and controls:

• Binary and analog process information, including trend curves

• Manual control of plant actuators provided with remotely operated manual controls

including corresponding checkback information

• Manual control of I&C functions (e.g., automatic sequences, control loops, provision of

setpoints, switchover between manual and automatic mode, set and reset of memories)

including corresponding checkback information

• Alarm annunciation and presentation of abnormality indication concerning functions and

equipment having a direct impact on process control

• Parameter setting when linked to the process state

• Information about the operability and administrative status of actuators and sensors and

associated I&C equipment

• Alarms indicating failures of equipment needed for process control, indicating events

requiring special operator attention, or demanding manual actions by the operators

The PICS also enables operators to diagnose faults and supports the execution of

compensating and correcting actions by providing:

• Alarm sheets that show the possible cause, expected consequences, and predefined

corrective measures, as appropriate.

• Post-accident procedures that indicate the required actions to be executed.

• Normal operating procedures that show the actions required to change the state of the

plant, or of systems and components, or to monitor the plant or system state where

such actions are automated.

The PICS is capable of data storage including access to on-screen historic information (e.g.,

logs of measurements, trends, state changes, and manual and automatic actions taken) and

support for shift turnover (e.g., special logs, procedure progress).

3.2.2 Plant Overview Panel

The POP (see Figure 3.2-1) is a subset of the PICS. The POP is implemented as a set of

large (approximately 94 in. diagonal) monitors driven by the PICS computers to present

formats which show the overall plant state or other task-related formats. The POP is visible

from workstations in the MCR and helps synchronize the operations staff with respect to

common operational objectives. Though several PICS display screens are designed for

viewing on the POP, the POP can display any PICS display screen. The graphical design of

display screens incorporates expected viewing distances, and administrative controls provide

recommendations for which screens should be displayed on the POP.

3.2.3 Safety Information and Control System

The SICS provides the safety-qualified HSI for operators to use the control and information

functions that are needed to monitor the plant safety status and bring the plant to a safe

shutdown state and maintain it in case of inoperability of the PICS.

The SICS consists of a seismically qualified Class 1E QDS along with Class 1E conventional

I&C that are utilized for safety-related functions that are not controlled through a digital

computer system. The QDS is a safety-related display system with touch screen capabilities.

Other input devices for the QDS (e.g., keyboards or trackballs) are also available.

4.0 CONCEPT OF OPERATIONS

4.1 Staffing

One U.S. EPR design goal is to design the plant and the HSI so that three licensed operators

(one of which holds a senior reactor operator (SRO) license) can safely monitor and control the

plant under operating conditions, including normal operation, startup, shutdown, abnormal

operation, and accident conditions. Because of the levels of automation inherent in the I&C

architecture, only one licensed operator will be required to be at the controls during normal, at-

power operations. Also, one SRO licensed operator shall remain in the MCR at all times.

Additionally, each operating crew should include an SRO licensed shift supervisor, a shift

technical advisor (may be combined with the shift supervisor position), a number of non-

licensed equipment operators (NLOs), and a maintenance crew consisting of a supervisor and

chemistry, radiation protection, I&C, electrical, and mechanical technicians.

The HSI design process incorporates several HFE program elements from NUREG-0711 to

differentiate which functions are controlled by the operators and which are automated. The

HSI is designed to accommodate the assumed number of operators for the optimal operator

workload. Section 5.4.6 contains more details of the staffing needs analysis.

A COL applicant that references the U.S. EPR design certification will develop a complete

staffing arrangement. It is expected that a COL applicant that references the U.S. EPR design

certification will determine staffing levels and qualifications of plant personnel based on the

COL applicant’s corporate staffing philosophy, existing site operations, fleet operations, final

plant design, and current regulations. Plant operating procedures (i.e., normal, abnormal,

emergency) are based upon the different roles, functions, and responsibilities for the MCR

operators functioning as an integrated team.

As a minimum, the MCR staff performs the following:

• Carry out or request manual actions which are necessary to put plant systems into or

out of service or modify the plant systems during normal operation or after an incident or

accident

• Use parameters and information delivered by the information systems to monitor the

safety and operability of the plant

• Perform checks and periodic tests to confirm that safety systems remain fully operable

• Initiate corrective action in case of equipment malfunctions or unforeseen events

• Request field operators or maintenance personnel to perform additional corrective

actions if actions from the MCR are not sufficient

• Take into account unavailability of equipment (e.g., during maintenance) so that the

plant is continuously operated safely within the bounds of the technical specifications

• Execute appropriate actions following an accident

• Review the actions of other operators

The following subsections provide the responsibilities that are specific to individual members of

the operations staff.

4.1.1 Shift Supervisor

Whether in or out of the MCR, the shift supervisor (SS) is the senior person on shift that is

responsible for the command and control of site activities. The SS holds the highest level of

operating license (i.e., SRO) and may also perform the function of the shift technical advisor

(STA) required by NUREG-0737 (Reference 7) if the qualifications are met.

Specific responsibilities for the SS are similar to those described in ACAD 97-004 (Reference

10).

The SS observes plant activities via the POP or other MCR workstations; however, the SS

may utilize the auxiliary workstation in the MCR if the workstation is not in use. To maintain

situational awareness, the SS should not become directly involved with process control.

As described in NEI 99-02 Revision 4 (Reference 12), the SS is expected to classify an event

promptly following indication that the conditions have reached an emergency threshold in

accordance with the emergency action level scheme. The SS is also responsible for any

associated prompt notification.

The SS’s office is a room where administrative tasks are performed and is immediately

adjacent to the MCR. This office has access to the MCR itself and a window enabling the SS

to view the MCR (see Figure 3.1-1).

Depending on the plant state and the availability of other SRO licensed level personnel in the

MCR, the SS may make occasional field observations in the plant.

4.1.2 Shift Technical Advisor

In conformance with NUREG-0737, each operating shift should have a designated STA. The

SS may maintain the STA function. While the STA is not required to be in the MCR, the STA

should be able to reach the MCR within a short time.

4.1.3 Control Room Supervisor

The control room supervisor (CRS) is the senior licensed operator that monitors and controls

the entire plant in accordance with the operating procedures. The CRS should hold an SRO

license. To maintain situational awareness, the CRS is not generally at the controls, but is

present or readily available in accordance with 10 CFR 50.54(m) (Reference 2). Specific

responsibilities for the CRS are similar to those described in NUREG-1021 (Reference 9).

4.1.4 Reactor Operator

Significant improvements in the design of the HSI should ease some of the operational load

and allow for fewer operators. The Reactor Operator (RO) should hold an RO or SRO license

and is specifically tasked with being at the controls monitoring and controlling portions of the

plant in accordance with the operating procedures and as directed by the CRS. Specific

responsibilities of the RO are similar to those described in NUREG-1021.

4.1.5 Additional Licensed Operators

At least one additional licensed operator (i.e., SRO or RO) is assigned to each shift and fills

roles and functions as directed by the SS or CRS. The typical roles and responsibilities of the

additional licensed operator fall into administrative and operational categories and depend on

the needs of the shift. The additional licensed operator is not required to be at the controls

unless required to safely monitor and control the plant under labor intensive operating

conditions (e.g., startup, shutdown, abnormal operation, and accident conditions). The

additional licensed operator should be able to reach the MCR within a short time.

4.2 Normal Operations

Normal operations are defined as operating within the modes described in Technical

Specifications in a controlled manner with no major equipment faults. As described above, a

licensed RO or SRO will be at the controls in the MCR during normal operations. The POP

allows some monitoring-only functions to be observed from elsewhere within the MCR. During

normal operations, the CRS is required to be in the MCR, and the SS is required to be within

the controlled area for the assigned unit.

4.2.1 Operating Procedures

The plant is operated in accordance with the Technical Specifications and with the applicable

normal, abnormal, or emergency operating procedures (EOPs). One of the PICS screens in

use should display the operating procedure for the process being either performed or

monitored. The HMI design should be programmed with the capability to jump to other

procedures of immediate interest without excessive navigational steps.

4.2.2 Alarm Response

Normal operations often include operator response to alarms. Operators monitor plant

performance to detect failures in mechanical, electrical, or I&C systems. The alarm systems

supplement this monitoring by alerting operators to certain types of failures. Upon detecting

such failures, operators implement applicable specific alarm response procedures. This may

include performing additional diagnostics, performing actions to compensate for the failure, or

requesting field operators or other staff to perform additional diagnostics or repair actions. In

addition, operators assess and respond to keep the plant and components in a safe state

based on their training and understanding of the plant situation.

4.2.3 Usage of PICS and SICS

While the PICS is available, essentially all plant operations, including emergency operations,

should be performed via the PICS at a sit-down workstation. Section 4.3.1.1 describes the

criteria for PICS availability.

Single-purpose, fixed-location, continuously-available controls and related displays should

remain available via the SICS. Also, QDS screens are expected to mimic the operation and

format of the PICS screens for certain safety-related functions that are required in order to shut

down the plant to a safe state and maintain it in that state in the event that the PICS is

unavailable. The SICS contains the controls and displays required for design basis accident

monitoring.

4.2.4 Periodic Surveillances, Operations, and Tests

The I&C systems include integral self-testing features. Operators have no responsibility with

regard to these self-testing features other than monitoring and responding to alarms when the

self-testing indicates problems.

Only licensed operators use the normal operator interfaces (e.g., PICS and SICS) to perform

any periodic testing which entails the operation of plant process equipment (e.g., changing

valve positions, cycling pumps and motors on and off) in strict compliance with authorized test

procedures.

During operational modes, the conventional operator interfaces (i.e., SICS devices) may

require simple lamp and horn tests. The MCR operators manually perform such tests at the

proper intervals. Because the SICS conventional device inventory is minimal, the simple

testing of the conventional panel equipment does not require additional personnel in the MCR.

Routine calibration and testing within the digital I&C system should be performed from the

I&CSC engineering workstation and service units and should have minimal impact on MCR

operations. A monitor with access to operational displays but with no control capabilities is

provided in the I&C Service Center to support such activities.

4.3 Expectations for Handling Operational Occurrences

4.3.1 Abnormal Operations and Incidents

Abnormal operations refer to incidents that may occur once or more during the life of the plant

and result, at worst, in a reactor trip with the plant capable of returning to power. These

incidents are easily recognized and identifiable. Operator responses to such anticipated

transients are in accordance with the event-oriented abnormal operating procedures which are

developed to support optimal responses to recognized conditions.

To support the safety of the plant, operators use the rules defined for emergency operation to

handle any abnormal incident leading to reactor trip. A return to power is only allowed after a

detailed check of the safety status of the plant has been completed.

4.3.1.1 Loss of PICS

If the following criteria are met, the PICS is considered available for use:

• Data communication with the automation level is working satisfactorily (i.e., the majority

of information and controls in the displays are not faulted, and the operator input

response is normal and without unexpected delays).

• Correlated information is consistent on PICS displays.

• A minimum of three monitors per workstation are functioning during accident conditions.

• Information on PICS displays and relevant SICS indicators are consistent.

4.3.1.2 Loss of Computerized I&C

Loss of computerized I&C refers to the loss of I&C systems other than, or in addition to, the

PICS. If PICS is available, status flags on the screens are assigned to the display elements to

identify the unavailable indicators and controls. Additionally, the PICS includes I&C system

status displays, which present faults occurring in various I&C systems.

When the PICS is unavailable, the operator performs operations from the SICS including the

QDS. Depending on plant conditions and the availability of systems, the operators may use

the SICS and QDS to maintain steady state operations or commence shutdown to a safe state

via conventional SICS controls. The operating manual should identify actions that are required

for dealing with the loss of computerized I&C systems and measures that establish the priority

of the actions implemented with the remaining conventional systems.

4.3.1.3 Loss of Electronic Operating Procedures

Hard copy backups of operating procedures are provided in the MCR and the TSC to address

a loss of the operating procedure computer. Electronic procedures should contain means of

navigating to appropriate HSI screens necessary to control or monitor response for the

required procedure steps. Aside from the navigation and layout differences and the availability

of live data, the electronic and hard copy procedures contain the same information in the same

format.

4.3.2 Emergency Operations and Accidents

Emergency procedures provide direction for the operators to mitigate the consequences of

transients and accidents that result in exceeding reactor protection system or engineered

safety features actuation setpoints or require a plant shutdown. The emergency procedures

for the U.S. EPR will be based on emergency procedure guidelines which will be developed

from analyses of transients and accidents that are specific to the U.S. EPR design and

operating philosophy. These analyses will include both design bases events and beyond

design bases events as required by NUREG-0737 and other requirements.

The emergency procedures for the U.S. EPR will be symptom-based procedures which will

provide guidance for the operator to mitigate transients without having to diagnose a specific

event. HSI issues will be considered during the development of these procedures to provide

reasonable assurance that the procedures support and guide operator interaction with plant

systems. The use of the procedures with the HSI will be verified and validated to provide

reasonable assurance that accepted HFE principles are incorporated.

In addition, operators will have procedures, equipment, and facilities, as a result of emergency

planning, to support an integrated response.

Key features of this plan include:

• Standard emergency classification and action level schemes to determine minimum

response measures

• Procedures for notification of response organizations (i.e., federal, state, and local

response organizations and emergency personnel)

• Adequate emergency facilities and equipment to support the emergency response (e.g.,

TSC)

• A range of protective actions for the plume exposure pathway for emergency workers

and the public

• Methods, systems, and equipment for assessing and monitoring actual or potential

offsite consequences of radiological emergency conditions

4.3.3 Loss of MCR

If the MCR becomes uninhabitable, the plant is tripped as the operators leave the MCR.

Operators should use the PICS or SICS to conduct further shutdown activities in the RSS.

Emergency operations are not postulated from the RSS. Recovery operations should not be

attempted from the RSS, considering the possibility of later emergency situations after the

MCR is abandoned.

5.0 DESIGN CONTROL PROCESS

5.1 Generic Design Control

The purpose of the design control process is to define the method used to provide control of

design, design verification, and analysis activities. The AREVA NP design control process

procedure as described in the AREVA NP Inc. Quality Assurance Plan (QAP) for Design and

Deployment of the U.S. Evolutionary Power Reactor (U.S. EPR) Topical Report (Reference 13)

contains a controlled, logical, systematic, and comprehensive flowchart and a hierarchy of

design information to expeditiously and correctly integrate and transform design inputs into

design outputs. The design control process facilitates the translation of high level

requirements to lower level requirements, design inputs to design outputs, and high level

design features to lower level subsystem and component design features. The process also

either integrates the various design control measures described below as part of the process

procedure or incorporates various design control measures in the procedure by reference.

The design control process develops a design and establishes a design configuration in the

AREVA NP records management system (RMS). Once released to the RMS, documents

produced within the design control process become part of the design configuration.

U.S. EPR project management establishes the scope, objectives, requirements, and safety

classification in writing for the responsible design organizations. These procedures govern the

preparation and review of design documents and also establish methods for the identification

and control of design interfaces, the coordination among participating design organizations,

and the review, approval, release, distribution, and revision of documents.

The appropriate engineering organization prepares, reviews, approves, and verifies design

documents for items and services within their respective area. Procedures are established to

promote adequacy and accuracy of design documentation. The following are types of design

documents that support facility design, construction, and operation:

• Plant technical requirements

• System design requirements

• System descriptions

• Design drawings

• Design analyses

• Computer program documentation

• Specifications and procedures

These documents specify technical and quality requirements that are appropriate to the

activities they cover. A qualified individual other than the preparer of the document performs

an independent review of the documents for completeness and technical accuracy. Revisions

to approved design documents are considered design changes and are subject to the same

review and approval process as the original documents.

Verification methods include independent review of design documents, design analyses (i.e.,

calculations), design review boards, and design verification testing. Calculations can either

establish design requirements or verify the design. The analyst documents the purpose,

assumptions, methods, design input data, results, and conclusions of the calculation in a

manner that an independent reviewer can verify the technical accuracy of the calculation.

Independent reviewers should be competent in the particular type of analysis. Design Review

Boards (DRB) are conducted in accordance with written procedures for new designs and major

changes to the existing design configuration as determined by the responsible technical

manager and project management. When engineering judgment concludes that design

analyses or previous experience cannot substantiate a design or design feature, testing is

performed for design verification.

An integrated Quality Assurance (QA) organization oversees audits of design documents for

the inclusion of appropriate QA requirements. Deviations from specified quality standards are

identified and controlled in accordance with written procedures. Reference 13 provides a

description of the QA organization and the QAP requirements, including an overview of the

design control process.

5.2 Human Factors Engineering Design Control

The HFE and Control Room Design Team reports through the Manager of I&C Engineering to

U.S. EPR project management. The HFE and Control Room Design Team is required to

follow the same design processes as other engineering disciplines, per Reference 13, and is

accountable for verifying the quality of the HSI and control room layout. The reporting lines for

the HFE and Control Room Design Team are shown in Figure 5.2-1.

Figure 5.2-1—HFE Control Room Design Functions and Reporting

[Figure 5.2-1: organization chart. Boxes shown: U.S. EPR Project Management; Manager I&C Engineering; Program Manager HFE and Control Room Design; HFE Advisors; Automation Systems Design; Control Rooms Design; Human Factors Design; HSI Design; Local Control Station Design.]

The human factors engineering aspects of control room design are performed in accordance

with Reference 13 and under the guidelines of the AREVA NP design control process.

Changes to the design configuration are performed in accordance with the AREVA NP design

change control process described in Reference 13. The process of the HFE and control room

design is described below.

The I&C Engineering organization develops the U.S. EPR I&C system designs, which includes

defining design requirements, reviewing inputs, producing system documentation, verifying

that the design inputs link to the outputs, and outlining expected acceptance testing. The HFE

and Control Room Design Team integrates the U.S. EPR I&C system designs with the HSI and

performs design and layout of the control rooms. Both functions involve an iterative process.

As described above, the documentation produced by systems and component engineering

organizations includes design requirements, system descriptions (e.g., design bases, safety

classifications), design system interfaces, drawings, calculations, and ancillary documents. A

design verification checklist is required for certain portions of the design to support the

evaluation of design adequacy.

Figure 5.3-1 shows an illustration of the design control process that has been adapted from the

process described in Reference 13. This figure shows the typical deliverables for plant design

discipline organizations and for the HFE and Control Room Design Team. Section 6.0

describes the deliverables associated with the simulator development, which are generally the

responsibility of the HFE and Control Room Design Team.

For processes not previously defined, writing guides and procedures are produced in

accordance with the design control process described in the QAP. System design

requirements decompose higher level (i.e., plant) requirements to define the design inputs for

each system. System descriptions for control rooms and for HSI platforms are produced as

roll-up documents. The documentation of the HFE and Control Room Design is included in the

system descriptions, in implementation plans for the various analyses, or in reports generated

as a result of the analyses. Appendix A provides a summary and schedule of the

documentation associated with the HFE program elements.

5.3 Control Room and HSI Design Documentation

5.3.1 HFE Program Plan

For the U.S. EPR, the HFE program plan, consistent with the guidance for the program

management element of NUREG-0711, will be described in the Design Control Document

(DCD). The HFE program plan will include descriptions of:

• General program goals and scope

• HFE Team and organization

• HFE process and procedures

• HFE issues tracking

• Technical program, including schedule milestones, activities, and input and output

documents

Figure 5.3-1—Design Control Process

5.3.2 Plant Technical Requirements Document

The Plant Technical Requirements Document (PTRD) specifies the initial design inputs for

designing a nuclear power plant to capture overall plant design requirements and restraints.

The PTRD includes the reasoning for each design input based on design considerations to

provide a consistent basis for making design decisions, accomplishing design verification

measures, and evaluating design changes. The PTRD requirements should include sufficient

detail to allow requirements to be decomposed into the requirements specified in the System

Design Requirements Documents (SDRDs). The Olkiluoto 3 (OL3) EPR reference design

provides the starting point for development of design inputs for the U.S. EPR.

5.3.3 System Design Requirements Documents

SDRDs specify design inputs for systems, structures and components which have been

decomposed from plant level inputs. SDRDs document and convey design inputs so that they

can be reviewed and approved by the responsible design organization. SDRDs are released

before subsequent design output documents to provide reasonable assurance that inputs are

specified to a level of detail necessary to permit further design activity. SDRDs include the

reason and design basis for each design input so that the basis for design decisions, changes

to the configuration, and verification measures are consistently applied. SDRDs adequately

define design inputs so that the hierarchy of their application is clear.

For the U.S. EPR HFE program, SDRDs are produced for the control rooms (i.e., MCR, TSC,

RSS, and I&CSC) and the HSIs (i.e., PICS and SICS).

5.3.4 System Description Document

A System Description Document (SDD) is the principal document which defines a system

design. The SDD describes the system design in sufficient detail to permit verification that the

design satisfies the design requirements. The SDD identifies interfaces with other systems so

that the design input requirements for each system can be understood. Cross-discipline

independent reviews of SDDs for systems which interface with non-HSI, non-control room, or

non-I&C systems are also required.

The SDD is a living document and the level of detail expands during successive iterations as

the system design develops. The final version of an SDD is used to write the system

equipment specification, which is used to procure, fabricate, and install the system.

SDDs follow a predefined format and require specific content, which includes:

• System and component functions

• General description

• Operation

• Design requirements and how the design accomplishes the requirements

• Interface requirements

• Operational aspects (e.g., testing, installation, inspection, and maintenance)

• Technical system specifications

To prevent unverified design information from being incorporated as verified during successive

iterations, unverified design information is identified as such via a separate process.

In addition to providing a description of the design of the HSI hardware, the SDD for each of

the HSIs provides the mechanism for capturing generic human factors requirements in

conjunction with the HSI design implementation plan (see Section 5.4.8). These documents

provide a uniform philosophy and design consistency among HSIs, including screen style and

layout guide, hierarchy of and navigation between screens, alarm system operation, electronic

procedure system, plant information system, and hard-wired control integration in panels and

workstations.

Within the U.S. EPR HFE program, SDDs are produced for the control rooms (i.e., MCR, TSC,

RSS, and I&CSC) and the HSIs (i.e., PICS and SICS). The SDDs reference applicable layout

drawings for the control room floors. The SDDs for the MCR and RSS contain the design and

layout for workstations, which includes drawings and text but does not include individual screen

designs.

5.3.5 Specifications

A specification document defines the technical characteristics and design requirements of

system equipment to procure, fabricate, and install the components of that system. An SDRD

specifies the system level design requirements and their technical bases. An SDD only needs

to specify the component level design requirements which are satisfied for the system to

perform its intended functions. An equipment specification may be used to specify other

component requirements.

As part of the design control process described in Reference 13, a specification contains the

following sections:

• Scope

• Definitions

• Design requirements

• Material requirements

• Fabrication requirements

• Examination and testing requirements

• Cleaning and preparation for shipping requirements

• Quality assurance requirements

• Engineering documentation requirements

• Technical proposal requirements

• Contract information

As shown in Figure 5.3-1, specifications are produced for the HSI system equipment and for

associated sub-functions for the control rooms (e.g., lighting, sound isolation, HVAC

requirements).

5.4 HFE Program (NUREG-0711) Design Elements

5.4.1 Introduction

The following sections describe the application of HFE program elements (as listed in

NUREG-0711) to the design of the U.S. EPR.

5.4.2 HFE Program Management

The HFE program plan should demonstrate that:

• The HFE is integrated into the plant development, design, and evaluation.

• HFE products (e.g., HSIs, procedures, and training) allow the safe, efficient, and reliable

performance of operation, maintenance, test, inspection, and surveillance tasks.

• HFE products reflect "state-of-the-art human factors principles" [10 CFR 50.34(f)(2)(iii)

(Reference 1) and 10 CFR 52.47(a)(1)(ii) (Reference 4)] and satisfy all specific

regulatory requirements.

The objective of this element is to demonstrate that the HFE design team has the

responsibility, authority, placement within the organization, and composition to provide

reasonable assurance that the design commitment to HFE is met. Also, the team should be

guided by a plan to verify that the HFE program is properly developed, executed, overseen,

and documented. This plan describes the technical program elements ensuring that the HSI,

procedures, and training are developed, designed, and evaluated on the basis of a structured

analysis using accepted HFE principles.

To correspond with the review criteria of NUREG-0711, Section 18 of the DCD will be

organized in a similar fashion. Successive sections of this document describe the technical

program for HFE. Sections 2.0, 5.2, and 5.5 of this document describe the general HFE

program goals and scope, HFE process and procedures, and HFE issues tracking

respectively. The DCD will contain more details related to each of the topics.

5.4.2.1 HFE Team and Organization

The HFE and Control Room Design Team reports through the Manager of I&C Engineering to

U.S. EPR project management. The HFE and Control Room Design Team follows the same

design processes as other engineering disciplines and is accountable for the quality of the HSI

and control room layout to meet the requirements of the QAP. Figure 5.2-1 shows the

reporting lines for the HFE and Control Room Design Team.

5.4.2.1.1 Responsibility

The HFE and Control Room Design Team is responsible for verifying the following design

facets:

• Location and accessibility requirements for the control rooms and other control stations

• Layout of the control rooms, including the location and design of individual displays,

panels, and workstations

• Basic concepts and detailed design for information displays, controls, and alarms for the

control rooms and other control stations

• Coding and labeling conventions for control room components and plant displays

• Design of the screen-based HMI, including standard dialogues for access to information

and controls and actual screen layout

• Requirements for the physical environment of the control rooms (e.g., lighting,

acoustics, temperature, humidity, and air flow)

• Layout of operator workstations and work space

• V&V of the control rooms design

The HFE and Control Room Design Team performs other activities, such as program concepts

or the designer’s input for COL applicants for operating procedure development, staffing

requirements, and training, which are described in successive sections. The HFE and Control

Room Design Team also coordinates HFE requirements with portions of the U.S. EPR design

that are not conducted by I&C Engineering (i.e., LCSs for non-I&C equipment).

5.4.2.1.2 Organizational Placement and Authority

The HFE and Control Room Design Team consists of the Manager of I&C Engineering, the

Program Manager of HFE and Control Room Design, and individual members of the New

Plants Engineering organization. The Manager of I&C Engineering is responsible for the

design of the U.S. EPR I&C systems, including the HSIs, and reports to U.S. EPR project

management. For the purposes of HFE and control room design, the Program Manager of

HFE and Control Room Design and individual members of the New Plants Engineering

organization report to the Manager of I&C Engineering.

As the design evolves, the structure of the HFE and Control Room Design Team may change;

however, the functions required of the team do not transfer to any other organization.

The Program Manager of HFE and Control Room Design acts as the technical project

manager and is responsible for the HSI design and for integration of the HSI with the overall

plant design. The Program Manager of HFE and Control Room Design also coordinates the

functional design for the control rooms and tracks the HFE issues as described in Section 5.5.

A number of advisors selected by the Program Manager of HFE and Control Room Design

review and comment on the documentation developed by the team, provide supplemental

expertise for non-I&C and non-HFE aspects of the design, and oversee the general progress

of the design.

5.4.2.1.3 Composition

The HFE and Control Room Design Team is composed of individuals experienced in various

technical disciplines. The Program Manager of HFE and Control Room Design leads the team

and is responsible for integration of the technological input. The Program Manager of HFE

and Control Room Design has experience in managing multi-discipline designs and

operational systems. The technical discipline expertise required on the team includes:

• Technical Project Management

• Systems Engineering

• Nuclear Engineering

• I&C Engineering

• Architect Engineering

• HFE

• Plant Operations

• Computer System Engineering

• Plant Procedure Development

• Personnel Training

• Security Engineering

• Maintainability and Inspectability Engineering

• Reliability and Availability Engineering

The members of the HFE and Control Room Design Team who are assigned design functions

in other disciplines may act as technical consultants and advisors for portions of the HFE and

control room design. Specifically, periodic DRBs (see Section 5.1) coordinated by the

Program Manager of HFE and Control Room Design promote the discussion and resolution of

common issues. Minutes are published for each DRB, and action items are tracked via the

HFE Issues Tracking System (Section 5.5). In this way, HFE issues are integrated into the

overall U.S. EPR design and other discipline issues are incorporated in the HFE program.

The section below describes the qualifications and responsibilities of the individual technical

discipline participants.

5.4.2.1.4 Team Member Responsibilities and Qualifications

The professional experience of the HFE and Control Room Design Team collectively satisfies

the qualifications presented below. The technical disciplines described do not necessarily

equate to a single individual. Greater emphasis is placed on experience than on education

credentials. Also, individual team members may report administratively to various discipline

design leads. For the purposes of the HFE and control room design, individual team members

report functionally to the Manager of I&C Engineering through the Program Manager of HFE

and Control Room Design.

• Technical Project Management

- Minimum Qualifications

♦ Bachelor's degree

♦ 5 years of experience in nuclear power plant design or operations

♦ 3 years of management experience

- Responsibilities

♦ Develops and maintains the schedule for the HFE design process

♦ Provides a central point of contact for the management of the HFE design and

implementation process

• Systems Engineering

- Minimum Qualifications

♦ Bachelor of Science degree

♦ 4 years of cumulative experience in at least three of the following areas of

systems engineering: design, development, integration, operation, and test and

evaluation

- Responsibilities

♦ Provides knowledge of the purpose, operating characteristics, and technical

specifications of major plant systems

♦ Provides input to HFE analyses, especially the function analysis and task

analysis

♦ Participates in the development of procedures and scenarios for task analyses

and integrated system validation

• Nuclear Engineering

- Minimum Qualifications

♦ Bachelor of Science degree

♦ 4 years of experience in nuclear design, development, testing, or operations

- Responsibilities

♦ Provides knowledge of the processes involved in reactivity control and power

generation

♦ Provides input to HFE task analyses

♦ Participates in the development of scenarios for task analyses and integrated

system validation

• I&C Engineering

- Minimum Qualifications

♦ Bachelor of Science degree

♦ 4 years of experience designing hardware and software aspects of process

control systems

♦ Experience in at least one of the following areas of I&C engineering:

development, power plant operations, and test and evaluation

♦ Familiarity with the theory and practice of software quality assurance and control

- Responsibilities

♦ Provides detailed knowledge of the HSI design, including control and display

hardware selection, design, functionality, and installation

♦ Provides knowledge of information display design, content, and functionality

♦ Participates in the design, development, test, and evaluation of the HSI

♦ Participates in the development of scenarios for human reliability analysis (HRA),

validation, and other analyses involving failures of HSI data processing systems

♦ Provides input to software quality assurance programs

• Architect Engineering

- Minimum Qualifications

♦ Bachelor of Science degree

♦ 4 years of experience designing power plant control rooms

- Responsibilities

♦ Provides knowledge of the overall structure of the plant, including performance

requirements, design constraints, and design characteristics of the following:

control room, remote shutdown area, and LCSs

♦ Provides knowledge of the internal configuration of plant components

♦ Provides input to plant analyses

• Human Factors Engineering

- Minimum Qualifications

♦ Bachelor's degree in human factors engineering, engineering psychology, or a

similar science

♦ 4 years experience in human factors aspects of human-computer interfaces,

including process control (e.g., design, development, and test and evaluation)

♦ 4 years of cumulative experience related to the human factors aspects of

workplace design (e.g., design, development, test and evaluation of workplaces)

- Responsibilities

♦ Provides knowledge of human performance capabilities and limitations, human

factors design and evaluation practices, and human factors principles, guidelines,

and standards

♦ Develops and performs human factors analyses

♦ Participates in the resolution of human factors problems

• Plant Operations

- Minimum Qualifications

♦ Current or prior SRO license

♦ 2 years of experience in pressurized-water reactor (PWR) nuclear power plant

operations

- Responsibilities

♦ Provides knowledge of operational activities that are relevant to characterizing

tasks, HSI, and environment technical requirements

♦ Provides knowledge of operational activities to support HSI activities (e.g.,

development of HSIs, procedures, and training programs)

♦ Participates in the development of scenarios for HRA evaluations, task analyses,

HSI tests and evaluations, and V&V

♦ Participates in preliminary validation exercises on static mockups and provides

input relating to the expected plant response

♦ Participates in final validation exercises on a simulator by observing and

evaluating the subject operator’s response

• Computer System Engineering

- Minimum Qualifications

♦ Bachelor of electrical engineering or computer science degree or graduate

degree in another engineering discipline (e.g., mechanical, chemical)

♦ 4 years experience designing digital computer systems and real-time systems

applications

♦ Familiarity with the theory and practice of software quality assurance and control

- Responsibilities

♦ Provides knowledge of data processing associated with displays and controls

♦ Participates in the design and selection of computer-based equipment (e.g.,

controls and displays)

♦ Participates in the development of scenarios for HRA, validation, and other

analyses involving failures of the HSI data processing systems

• Plant Procedure Development

- Minimum Qualifications

♦ Bachelor's degree

♦ 4 years experience in developing nuclear power plant operating procedures

- Responsibilities

♦ Provides knowledge of operational tasks and procedure formats

♦ Participates in the development of scenarios for HRA evaluations, task analyses,

HSI tests and evaluations, validation, and other evaluations

♦ Provides input for the development of EOPs, procedure aids, computer-based

procedures, and training systems

♦ Participates in the development and preparation of the procedures and training

systems.

• Personnel Training

- Minimum Qualifications

♦ Bachelor's degree

♦ 4 years experience developing personnel training programs for power plants

♦ Experience in the application of systematic training development methods

- Responsibilities

♦ Develops the content and format of personnel training programs

♦ Coordinates training issues that arise from activities (e.g., HRA, HSI design, and

procedure design)

♦ Participates in the development of scenarios for HRA evaluations, task analyses,

HSI tests and evaluations, and V&V

• Security Engineering

- Minimum Qualifications

♦ Bachelor of Science degree

♦ 4 years experience in security systems engineering

- Responsibilities

♦ Identifies security concerns

♦ Performs a system security hazard analysis

• Maintainability and Inspectability Engineering

- Minimum Qualifications

♦ Bachelor of Science degree

♦ 4 years experience in at least two of the following areas of power plant

maintainability and inspectability engineering: design, development, integration,

and test and evaluation

♦ Experience in analyzing and resolving plant I&C system or equipment-related

maintenance problems

- Responsibilities

♦ Provides knowledge of maintenance, inspection, and surveillance activities

♦ Supports the design, development, and evaluation of the control room and other

HSI components

♦ Provides input in the areas of maintainability and inspectability

♦ Participates in the development of scenarios for HSI evaluations, including task

analyses, HSI design tests and evaluations, and validation

• Reliability and Availability Engineering

- Minimum Qualifications

♦ Bachelor's degree

♦ 4 years of cumulative experience in at least two of the following areas of power

plant reliability engineering activity: design, development, integration, and test

and evaluation

♦ Knowledge of computer-based, human-interface systems

- Responsibilities

♦ Provides knowledge of plant component and system reliability and availability

and assessment methodologies

♦ Participates in human reliability analyses

♦ Participates in the development of scenarios for HSI evaluations, especially

validation

♦ Provides input to the design of HSI equipment

5.4.3 Operating Experience Review

The main purpose of conducting an operating experience review (OER) is to identify

HFE-related safety issues. The OER should provide information on the past performance of

predecessor designs (i.e., earlier designs on which the new design is based). The issues and

lessons learned from operating experience provide a basis for improving the plant design at

the beginning of the design process. This review should identify the state-of-the-art HSI that

should reduce operator errors and promote accurate evaluation and control. The OER output

demonstrates that HFE-related problems and issues in previous designs that are similar to the

current design have been identified and analyzed. In this way, negative features associated

with predecessor designs are avoided in the current design while retaining the positive

features. The OER addresses the predecessor systems upon which the design is based,

selected technological approaches (e.g., if touch-screen interfaces are planned, the HFE

issues associated with using them are reviewed), and the plant's HFE issues (e.g., generic

safety issues defined by the NRC).

The OER implementation process includes the following:

• Establishing a framework and screening system for analyzing human factor aspects of

operating experience, including evaluating defenses against potential or actual human

errors identified during the HSI design process and developing criteria for capturing

input

• Identifying and reviewing published research documents that address experience with

the HSI in different modes of operation and transitions between modes using selected

technological approaches

• Analyzing experience summary documents as applicable and integrating the insights

that support enhancement of human actions (HAs) affecting the risk and reliability of

both normal power operations (including abnormal, emergency) and outage operations

• Screening and evaluating events reported by PWR and PWR predecessor systems

upon which the design is based and other plant types with similar design features

• Obtaining and incorporating feedback from utilities on the needs of operations,

maintenance, and outage planners

• Providing input to the HFE Issue Tracking System

5.4.3.1 Sources of Information for U.S. EPR Experience Review

The HFE and Control Room Design Team provides reasonable assurance that operating

experience and the results of research relevant to safety are identified, reviewed and analyzed,

and that the lessons learned are incorporated into the HSI. These operating experience

reviews include screening and analysis of:

• Nuclear regulatory reports

- NUREGs

- AEOD event evaluation reports

- Sponsored research and national lab reports (e.g., NUREG/CR-6400, 6842)

- Event reports

• Nuclear industry reports

- EPRI reports

- NUMARC/NEI guidelines

- INPO reports

- NSAC event evaluation reports

• Other reports and information

- Shutdown probabilistic risk studies

- Applicable research in the technologies considered for the design

- Proceedings published by HFE professional societies

- Research and development and experience reports published by HSI equipment

vendors

- Review with actual users in other industries (e.g., non-nuclear power generation,

process industries, aerospace, DOD) of the above technologies

• Personnel interviews

- Utility personnel interviews

5.4.3.2 Review of Experience Information

Document reviews related to the HSI design can range from the evaluation of single event

reports to an assessment of a summarized analysis of many related events. If summarized

data are already analyzed by others and applicable to the U.S. EPR HSI design, the need to

review single event reports by the HFE team is reduced.

5.4.3.2.1 Screening

Some reports may be remotely related to the issues of designing the U.S. EPR interfaces and

some might be very relevant. To make efficient use of time, the documents identified above

are prioritized and screened for applicability to the design. This can involve several screening

steps in order to find the best information on the following examples: safety or availability

issues, the relative importance to changes in the design, or the mode of operation. Issues are

screened as to U.S. EPR MCR, RSS, TSC, or EOF applicability and then to an engineering

issue resolved by design or needing incorporation. Once information is in the database, the

results can be queried to support other HFE tasks as needed. Issues not resolved in the

current iteration of the HSI design are placed into the HFE Issue Tracking System, which is

discussed in Section 5.5.

5.4.3.2.2 Identification of Human Factors Issues

Once the event data or analyzed reports have been considered and selected for U.S. EPR

design HFE support, they are analyzed to identify problematic operations and tasks and also

potential human factor enhancements for the HSI.

5.4.3.2.3 Documentation

The results of the review activities described above will be entered into the HFE Issues

Tracking Database for traceable records so that the U.S. EPR implementation reflects the

experience gained by the resolution of the design problems in operating plants.

The HFE Issues Tracking program described in Section 5.5 will be used to analyze HFE issues

and propose resolutions which may then be used to initiate modification (design change)

requests to be tracked by I&C Engineering. HFE issues which are analyzed and found to be of

merit in similar HSI designs will also be captured for consideration in the U.S. EPR design.

The resolution of OER issues may involve the function allocation process, changes in

automation, HSI equipment design, procedures, and training (see Table 3.1 in NUREG-0711).

An output report will summarize the results contained in the evaluations of operating

experience, events, and HAs. The report will summarize relevant human performance issues,

sources and consequences of human errors, and HSI design elements that contribute to

enhanced human performance and decreased human error probabilities. Also, the output

report will point to effects on the HSI design or the elements of the process which may be

required to resolve the selected issue. This report will be updated periodically to coincide with

the scheduled HFE program related DRB meetings (see Section 5.4.2.1) so that the current

state of resolution of HFE issues can be reviewed and resolved.

5.4.4 Functional Requirements Analysis and Function Allocation

Functional requirements analysis (FRA) is the identification of functions that must be

performed to satisfy plant safety objectives to prevent or mitigate the consequences of

postulated accidents that could damage the plant or cause undue risk to the health and safety

of the public. An FRA is conducted to:

• Determine the objectives, performance requirements, and constraints of the design.

• Define the high-level functions that must be accomplished to meet the objectives and

desired performance requirements.

• Define the relationships between high-level functions and the plant systems (e.g., plant

configurations or success paths) that perform the function.

• Provide a framework for understanding the role of controllers, whether personnel or

system, for controlling the plant.

The FRA identifies the control actions that are required to achieve the functional goals.

The Function Allocation (FA) is the analysis of these required plant control actions and the

subsequent assignment to manual control, automatic control with passive, self-controlling

phenomena, or combinations of manual and automatic control (e.g., shared control and

automatic systems with manual backup). Plant safety and reliability are enhanced by

exploiting the strengths of human and system elements, including improvements that can be

achieved through the assignment of control to these elements with overlapping and redundant

responsibilities. The FA should assign monitoring requirements for those functions which do

not require HAs to control (i.e., automated) and for alarm systems (e.g., when the monitoring

requirements are considered beyond human capabilities or to enhance human monitoring as

suggested by an OER). In addition to technological and economic considerations, the FA

should be based on HFE principles using a structured and well-documented methodology that

provides personnel with logical, coherent, and meaningful tasks. The FA should not be based

solely on technology considerations that allocate everything that the designers cannot

automate to plant personnel, which would result in an ad hoc set of activities that may

negatively affect operator performance.

As described in NUREG-0711, the intent of implementation plans for FRA and FA is to allow

the NRC staff to review the process which:

• Defines the functions of the plant which should be performed to satisfy plant safety

objectives.

• Verifies the allocation of those functions to human and system resources to:

- Provide reasonable assurance that the functions can be adequately accomplished.

- Result in a role for personnel that takes advantage of human strengths and avoids

human limitations.

The U.S. EPR is an evolutionary PWR design based on many years of operation and design

experience and utilizes the same I&C concepts as the OL3 EPR. Most plant systems and

control systems for the U.S. EPR are defined as inputs to the design.

For the U.S. EPR, the process for defining and allocating plant functions is not relevant to the

HSI design as the HSI design has evolved to a high level of detail. Implementation of a

process for FRA and FA would be equivalent to reverse engineering for the sake of creating

documentation. The FRA and FA activities for the U.S. EPR design include an examination of

the automation criteria described in Section 5.4.4.3, below, and an assessment of whether

those criteria have been properly implemented by the resulting I&C system control schemes.

The consistency of the automation implementation is reviewed in the V&V process (see

Section 5.4.11) to provide reasonable assurance that the level of automation does not promote

increased numbers of human errors. Thus, the intent of the FRA and FA process activities as

specified in Reference 6 is satisfied.

Also as a subset of the V&V process output, AREVA NP will extract, from the OL3 set of

procedures, the I&C architecture, and the detailed one-line drawings, a list of the functions that

have been automated for the OL3 plant. AREVA NP will then compare that list of functions to

the list derived for the U.S. EPR from system and function allocation activities and capture the

differences. The completed FA would then consist of those functions which are allocated

identically for OL3 and the U.S. EPR and a list of the gaps. Documentation of the design basis

and justification of design differences (gaps) will then be added to the specific SDD(s).

5.4.4.1 Defining Plant Functions which Satisfy Plant Safety Objectives

An independent, formal activity to generate, verify and validate plant EOPs is part of the U.S.

EPR design process. This procedure V&V includes an explicit identification of functions to be

performed to achieve plant safety objectives. Plant safety objectives are specifically

developed at the start of EOP development.

Section 5.4.11 describes the V&V implementation activities for the HFE design program. A

key element in the V&V implementation plan is the integrated system validation where

performance-based tests are used to determine if the HMI acceptably supports safe operation

of the plant through implementation of the EOPs. These performance-based tests are used to

verify that safety objectives are satisfied.

5.4.4.2 Verifying that the FA Results in an Advantageous Human Role

A specific objective of the HFE program V&V is to validate that the automation design

decisions have resulted in an interface that permits accomplishment of the safety functions

within human capabilities and identifies as human engineering discrepancies (HEDs) any

inappropriate function allocation observed. This V&V approach will verify that the FA utilizes

human strengths and avoids human limitations.

5.4.4.3 Automation Criteria

Automation is implemented according to the general criteria below with regard for safety,

availability, and economics. A function will be automated if it is defined as a protective function

needed to maintain a radioactive release barrier against failure. The following tasks will be

automated regardless of plant state:

• Tasks requiring a quick or highly reliable reaction.

• Functions requiring operator response within less than 5 minutes.

• Accident countermeasures required to quickly reach a controlled safe shutdown state.

• Functions that provide short term protection to prevent danger to personnel or

irreversible degradation of components; typically the manufacturer’s technological limits

are considered as the protection thresholds.

• Functions that provide component protection. These functions are interlocks which

inhibit manual or automatic startup or shutdown of a system function if the

pre-conditions for sound operation are not met. These functions are required to be

automated if a response is needed in less than 5 to 10 minutes.

• Monotonous and repetitive tasks that would lead to a high operator workload if not

automated or that require fast responses to maintain plant availability.

Automation may also be preferred for functions such as:

• Checking parameters against thresholds (e.g., when sequencing the plant or a system

to a different state in several steps)

• Tasks which are performed frequently during shutdown and startup

• Tasks which are of long duration, particularly during shutdown and startup

• Tasks which directly influence availability, particularly those which reduce the time for

shutdown and startup

• Tasks which increase safety by reducing challenges to the actuation of safety systems

• Tasks which increase safety by automatic actuation of safety systems

• Tasks which reduce thermal fatigue

In addition, automation should enable the plant to be operated by only one operator during

plant situations that do not involve multiple failures or events. Operation by one operator

during high activity states is not preferred.

The following automation rules are also considered when they contribute to the previously

stated automation objectives:

• System adjustment during short time span load changes

• Functions that are required to change the plant state or mode or for which failure would

lead to complicated or time consuming recovery actions

• Functions that are required for a change of plant state (e.g., power operation) if manual

execution would delay a load change

• A group of simple functions performed in parallel during plant startup or shutdown which

would cause an excessively high workload for the operators or extend the startup time

A control hierarchy between automatic and manual actions will be generated. Generally,

automatic protective actions take priority over manual actions, and manual actions take priority

over closed and open loop control functions. Automatic protective signals can be reset, but if

the plant conditions deteriorate, the signals are automatically re-initiated. Priority logic

prevents manual actuation from counteracting prior automatic commands.

5.4.4.4 Documentation of FA

Whether for an I&C system, an HSI platform, or a mechanical (i.e., fluid) or electrical system,

each SDD identifies system and component functions, contains the design basis for each

function or component in that system, and defines the system and type of control to which the

function is allocated.

5.4.5 Task Analysis

The functions allocated to plant personnel define their roles and responsibilities. HAs

accomplish these functions. HAs can be further grouped into tasks. A task is a group of

related activities with a common objective or goal. A task analysis (TA) is the identification of

requirements for accomplishing these tasks (i.e., specifying the requirements for the displays,

data processing, controls, and job support aids needed to accomplish tasks). As such, the

results of a TA are identified as inputs to many HFE activities, which form the basis for:

• Staffing, qualifications, job design, and training

• HSIs, procedures, and training program design

• Task support verification criteria definition

The objective of the HFE and Control Room Design Team TA is to identify the specific tasks

that are required to accomplish functions and the information, control, and task-support

needed to support the specific tasks.

The scope of the TA includes:

• Selected representative and important tasks from the areas of operations, maintenance,

test, inspection, and surveillance.

• A full range of plant operating modes, including startup, normal operations, abnormal

and emergency operations, transient conditions, and low-power and shutdown

conditions.

• Risk-important HAs. Internal and external initiating events and actions affecting the

probabilistic risk assessment (PRA) Level I and II analyses are considered when

identifying risk-important actions.

• The analyses for tasks with automated critical functions, including the human tasks of

monitoring the automated system and executing backup actions if the system fails.

The operating procedures for the U.S. EPR are based on the work developing procedures for

the OL3 EPR and other precursor plants. The completed operating procedures constitute an

analysis of the tasks that operators should perform to safely operate the plant. The operating

procedures should satisfy the required safety objectives to be considered completed. The

completed plant procedures are subjected to a separate verification process to evaluate their

technical effectiveness. For the U.S. EPR, the TA will consist of verification (see Section

5.4.11) that controls and displays are available and are organized to be compatible with the

intended operations, including safety objectives as a subset, as defined in the procedures.

5.4.6 Staffing and Qualifications

The plant staff and their qualifications are an important consideration throughout the design

process. The initial MCR staffing level is established based on experience with previous four

loop PWR plants and takes into account the increased levels of automation and the minimum

number of operators required by 10 CFR 50.54(m). The functions of licensed operators for the

OL3 EPR are expected to be slightly different than is typical for U.S. utilities today. Section

4.1, the concept of operations inherent in the HSI Design Plan, and initial staffing assumptions

for the U.S. EPR collectively define the job titles and expected functions for each licensed

operator. The HFE and Control Room Design Team performs systematic reviews of the

staffing assumptions concurrently with other functions.

5.4.7 Human Reliability Analysis

The HRA is an integral activity of the U.S. EPR PRA. The HRA evaluates the potential for and

mechanisms of human error that may affect plant safety. Thus, it is an essential element in

achieving the HFE design goal of providing a design that will reduce personnel errors, allow

their detection, and provide recovery capability.

The HRA is an integrated activity that supports both the HFE design and PRA activities. The

development of information to facilitate the understanding of causes and modes of human

error is an important human factors activity. Consequently, the HFE design effort should give

attention to those plant scenarios, risk-important HAs, and HSIs that have been identified by

the PRA and HRA as important to plant safety and reliability.

The U.S. EPR DCD will describe the PRA. The PRA and HRA identify risk-important HAs,

which are used as input to the HFE design effort. Risk-important HAs and their associated

tasks and scenarios will be specifically addressed during HFE task analyses activities, HSI

design, procedure development, and training. This will help verify that these tasks are well

supported by the design and within acceptable human performance capabilities. Identification

of risk-important HAs is also an input to the selection of activities to be assessed during the

Human Factors V&V process discussed in Section 5.4.11.

In the detailed design stage, personnel with operational experience will use either a

plant-specific control room mockup or simulator to perform walkthrough analyses to validate HRA

assumptions (e.g., decision making and diagnosis strategies for dominant sequences).

Reviews from the analyses should be incorporated into subsequent iterations of the PRA.

Prior to detailed design, an HRA implementation plan will be developed to enable the HFE

design activities to address the important HAs, which will reduce the likelihood of human error

and provide for error detection and the capability to recover from errors where applicable.

5.4.8 Human-System Interface Design

The HSI design process translates function and task requirements into HSI characteristics and

functions. The HSI is designed using a structured methodology that will guide designers in

identifying and selecting candidate HSI approaches, defining the detailed design, and

performing HSI tests and evaluations. The HSI design process promotes the development and

use of HFE guidelines that are tailored to the unique aspects of the design (e.g., a style guide

that defines design-specific conventions). The HSI design process promotes standardization

and consistency in applying HFE principles. The process and the rationale for the HSI design

are documented and controlled under the design control process described in Reference 13.

Acceptable display formats and alarm system processing will be resolved through the

systematic application of HFE principles and criteria and integrated under the software

management plan.

5.4.8.1 HSI Design Inputs

The following sources of information provide input to the HSI design process:

1. Analysis of Personnel Task Requirements—The analyses performed in earlier stages of

the design process are used to identify the requirements for the HSIs. These analyses

include:

- OER—The OER provides lessons learned from other complex human-machine

systems, especially previous four loop PWR designs and designs involving similar

HSI technology.

- FRA and FA—The HSIs support the operator's role in the plant (e.g., appropriate

levels of automation and manual control).

- TA—The TA provides the set of requirements to support the role of personnel. The

task analysis should identify:

♦ Tasks that are necessary to control the plant during operating conditions (i.e.,

normal through accident conditions).

♦ Detailed information and control requirements (e.g., requirements for display

range, precision, accuracy, and units of measurement).

♦ Task support requirements (e.g., special lighting and ventilation requirements).

♦ Risk-important HAs and their associated performance shaping factors, as

identified through HRA, which should be given special attention in the HSI design

process.

- Staffing, Qualifications and Job Analyses—The results of staffing and qualifications

analyses provide input for the overall control room layout and the allocation of

controls and displays to individual consoles, panels, and workstations. The

responsibilities establish the basis for the minimum and maximum number of

personnel to be accommodated and requirements for coordinating activities between

personnel.

2. System Requirements—Constraints imposed on I&C systems are evaluated throughout

the HSI design process.

3. Regulatory Requirements—Applicable regulatory requirements are inputs to the HSI

design process.

4. Other Requirements—During the evolution of the design, the HFE and Control Room

Design Team identifies other applicable requirements that are inputs to the HSI design

(e.g., utility requirements). The HFE and Control Room Design Team also coordinates

HFE requirements with portions of the U.S. EPR design which are not conducted by I&C

Engineering and for tracking HFE issues (see Section 5.5). A number of advisors

review and comment on the documentation developed by the team, provide

supplemental expertise for non-I&C and HFE aspects of the design, and oversee the

general progress of the design. Common issues are discussed and resolved during

periodic DRBs (see Section 5.1).

5.4.8.2 Concept of Operations

The concept of operations indicates the composition of the crew and the roles and

responsibilities of individual crew members based on anticipated staffing levels (see Section

4.0). The concept of operations:

• Identifies the relationship between personnel and plant automation through specifying

the crew responsibilities for monitoring, interacting with, and overriding automatic

systems and for interacting with electronic procedures and other computerized operator

support systems.

• Provides a high-level description of how personnel work with HSI resources. For

example, the concept of operations identifies how tasks are allocated between the MCR

and LCSs, where personnel execute their duties during various types of situations, what

types of information each crew member can access, and what types of information are

displayed to the entire crew.

• Addresses the coordination of crew member activities (e.g., the interaction with auxiliary

operators, coordination between maintenance and operations).

• Defines the division of responsibilities.

5.4.8.3 Functional Requirement Specification

As part of later, detailed design revisions to the HSI SDDs, the HFE and Control Room Design

Team produces functional requirements for the HSIs which address the concept of operations,

personnel functions and tasks, and requirements for a safe, comfortable working environment.

These functional requirements apply consistently to both PICS and SICS with respect to, for

example, alarms, displays, and controls.

5.4.8.4 HSI Concept Design

With respect to applicable requirements, the U.S. EPR HSI design is based on the OL3 EPR

I&C design and on operating experience and takes into account human performance issues

identified through use of similar HSI platforms. Concepts such as hierarchy and navigation

between HSI screens, alarm management, and the overall HSI architecture should remain

consistent with the OL3 EPR design as much as possible. While minor differences exist

between the MCR operating crew responsibilities of the OL3 EPR and the U.S. EPR, the types

of information available to the individual operator remain consistent. Because of language and

format requirements and differences in regulatory requirements, the actual content of display

screens used by the operators to control the plant may be different from those used at the OL3

EPR.

5.4.8.5 HSI Design and Integration

Table A-2 of Appendix A of this report contains the status of the design-specific HFE style

guide. This style guide is part of the HSI design implementation plan and is utilized in the

design of the HSI features, layout, and environment.

The HSI detailed design supports personnel in their primary plant monitoring and controlling

roles while reducing personnel secondary role demands that are associated with management

of the HSIs (e.g., window manipulation, display selection, display system navigation). Chapter

18 of the DCD will contain additional information on specific challenges that relate to the

training of operators for screen-based HSI control rooms.

For risk-important HAs, the design reduces the probability that errors will occur and increases

the probability that an error will be detected, if one occurs, and that the system is error tolerant

or permits recovery from the error, if possible.

The following factors are considered in the development of functional requirements for

monitoring and control capabilities that may be provided either in the MCR or locally in the

plant:

• Communication, coordination, and workload

• Feedback

• Local environment

• Inspections, testing, and maintenance

• Importance to safety

The layout of HSIs within consoles, panels, and workstations is based upon operator job analyses and systematic strategies for organization (e.g., arrangement by importance, frequency of use, and sequence of use).

Personnel and task performance is supported at the defined minimum staffing level, normal

staffing levels, and during expected worst case scenarios involving the maximum number of

personnel in control room areas.

The design process factors in the use of the HSIs when performance degradation due to

fatigue may be a concern.

HSI characteristics support human performance under the full range of environmental

conditions. For the MCR, requirements address conditions such as the loss of lighting and

loss of ventilation. For the RSS and LCSs, requirements address constraints imposed by the

ambient environment (e.g., noise, temperature, contamination). The operation of screen-based HSI by personnel wearing protective clothing is not postulated for the U.S. EPR.

The HSIs are designed to support and not interfere with inspections, maintenance, testing, and

repair of plant equipment and the HSIs while maintaining other plant control activities.

5.4.8.6 HSI Tests and Evaluations

The HFE and Control Room Design Team develops testing and evaluation plans for the HSI

designs, which can be performed iteratively, in conformance with guidance from Section 8.4.6

of NUREG-0711.

5.4.8.7 HSI Design Documentation

The PTRD, SDRD, and SDD for each HSI system document the HSI design. Each SDD

includes the detailed HSI description, including its form, function, and performance

characteristics and the basis for the HSI requirements and design characteristics with respect

to operating experience and literature analyses, engineering evaluations, experiments, and

benchmark evaluations. The outcomes of tests and evaluations performed in support of HSI

design are documented in separate test or evaluation reports.

5.4.9 Procedure Development

Procedures are essential to plant safety because they support and guide personnel

interactions with plant systems and personnel responses to plant-related events. Procedures

and the HSI will be developed in parallel following similar processes and incorporating the

same accident analyses; the evaluation processes used are also interrelated. Human factor

principles will be applied to aspects of the interface to verify complete integration and

consistency.

For the U.S. EPR, the generic technical guidance (GTG) and U.S. EPR generic operational

guidelines are developed as part of the same design process as the HSIs and generic

operational guidelines to verify a high degree of integration and consistency.

While individual utilities in the nuclear industry have been historically responsible for developing plant-specific procedures, AREVA NP will produce operational guidelines for the development of plant-specific normal operating, abnormal operating, alarm response, and emergency operating procedures (EOPs) that incorporate the aspects of the HSI design that are appropriate to the execution of the COL applicant's plant-specific procedure step in question. The HFE and Control Room Design Team is essential to the development of that process. The generic plant operational guidelines are developed concurrent with the HSI design and are developed or modified to reflect the characteristics and functions of the screen-based or conventional HSIs as appropriate. Section 2.2.9 discusses the design bases for screen-based electronic operating procedures.

The development and modification of procedures includes activities similar to those described

in NUREG-0711 as an HFE program TA. However, AREVA NP will integrate the TA activities

with the procedure development activities. The guidance for development of operational

guidelines (i.e., normal operating, abnormal operating, alarm response, and emergency

operating) will also include a description of the identification of specific tasks that are required

for accomplishing functions and the information, control, and task-support needed to support

the specific tasks. The V&V of the HSI design verifies that the final generic operating

guidelines contain the functions and tasks assigned to the plant procedures as described in

Section 5.4.11. The V&V of the procedures will be performed on the full-scope simulator with

trained operators.

The DCD will include a description of AREVA NP’s program for developing generic EOPs and

other generic operational guidelines in conformance with NUREG-0800 (Reference 8).

5.4.10 Training Program Development

Training of plant personnel is an important factor in promoting the safe and reliable operation

of nuclear power plants. Training programs help provide reasonable assurance that plant

personnel have the knowledge, skills, and abilities (KSAs) to properly perform their roles and

responsibilities. The training program design should be based on the systematic analysis of

job and task requirements as dictated by the Systematic Approach to Training (SAT) process

for developing a training program that is required for INPO accreditation. Therefore, training

program development should be coordinated with the other elements of the HFE design

process.

The training program is developed using a systematic approach. The training program

development includes the following five activities:

• A systematic analysis of tasks and jobs to be performed

• Development of learning objectives derived from an analysis of desired performance

following training

• Design and implementation of training based on the learning objectives

• Evaluation of trainee mastery of the objectives during training

• Evaluation and revision of the training based on the performance of trained personnel in

the job setting

A COL applicant that references the U.S. EPR design certification will develop a plant-specific

training program. A general framework of operational guidelines to help meet the training

program requirements is established in the sections below as input to the applicant’s training

program development.

5.4.10.1 Task Analysis

The results of the FRA, FA, and TA activities described in Sections 5.4.4 and 5.4.5 combined

with the operating procedures of the plant, HRA, and OER serve as inputs to the generic

training program development. These analyses are generated during the detailed design

process and identify the range of operational tasks that trainees are required to perform. The

HFE program V&V process will be used to validate or revise the results of the above analyses.

Detailed results of the V&V process will be supplied for use in plant-specific training program

development.

5.4.10.2 Learning Objectives

The resulting operational tasks required of plant personnel should be analyzed to identify the

learning objectives to be met to successfully complete these tasks. This process provides a

comprehensive outline of the KSAs required for the operators to successfully execute the

identified activities and tasks. AREVA NP anticipates that a significant overlap will exist

between the KSAs required for the U.S. EPR compared with the KSAs of currently operating

U.S. plants. Use of the screen-based HSI will require emphasis on developing secondary

interface management task proficiency (e.g., screen navigation) to allow operators to focus

their attention on the more important plant and process monitoring and control tasks.

5.4.10.3 Design and Implementation of Training

The learning objectives and KSAs identified in the step above should be incorporated into the

plant-specific training program. These learning objectives should be based on the actions

required to raise the operator’s KSAs (identified in the previous step) to the level of proficiency

required to successfully accomplish the tasks identified. Knowledge should be taught within

the context of actual tasks to facilitate the ability of operations personnel to apply it in the work

environment.

5.4.10.4 Evaluation of Trainee Mastery

The trainees should be evaluated to determine their mastery of the learning objectives taught.

Methods for this evaluation should include written and oral tests, as well as a review of

personnel performance during walkthroughs, simulator exercises, and evaluation of on-the-job

performance.

5.4.10.5 Evaluation and Revision of Training

The training program should be evaluated for overall effectiveness using defined methods. If

training objectives are not being met effectively, the training program should be revised to

resolve such issues. When the training program is modified to update content or training

methods, the changes should be tracked. Operations personnel are retrained periodically to

remain effective operators.

Specific training objectives that are unique to operation of the U.S. EPR will be identified by

AREVA NP.

5.4.11 Human Factors Verification and Validation

V&V evaluations confirm that the design conforms to HFE design principles and enables plant

personnel to successfully perform their tasks to achieve plant safety and other operational

goals. Four activities are associated with the V&V of HSI design:

• Operational conditions sampling

• Design verification

- HSI task support verification

- HFE design verification

• Integrated system validation

• Human factors issue resolution verification and HED resolution

A sampling strategy should be devised to guide the selection of operating conditions to be

reviewed.

Design verification includes both HSI task support verification and HFE design verification.

HSI task support verification evaluates that the HSI supports personnel task requirements as

defined by task analyses. HEDs are identified when the HSI does not fully support the

identified personnel task requirements (i.e., controls or information is not available or not

displayed in the proper format (control type, precision, etc.) for the specific task) or the

presence of HSI components which may not be needed to support personnel tasks or which

impede personnel tasks. HFE design verification is a static evaluation that verifies that the

individual HSI components and details accommodate the human capabilities and limitations

reflected in HFE guidelines. HEDs are identified if the design is inconsistent with the project-specific HFE guidelines.

Integrated system validation is an evaluation using performance-based tests to determine if an

integrated system design (i.e., hardware and software elements) meets performance

requirements and sufficiently supports the safe operation of the plant. HEDs are identified if

performance criteria are not met.

HED Resolution is an activity that should be performed iteratively with V&V. Issues identified

during a V&V activity are resolved prior to conducting other V&V activities. The preferred order

is HSI task support verification, HFE design verification, and integrated system validation,

although iteration may be necessary.

V&V is documented throughout the HSI design process as directed by Reference 13. The

V&V implementation plan identifies HSI tests and evaluations activities. Mid-design process

tests are distinguished from V&V because they are activities that explore and evaluate HSI

subsystem design issues (e.g., the coding techniques used in the alarm system). These V&V

plan activities include integrated system validation using performance-based tests to determine

if the HMI sufficiently supports the safe operation of the plant and that the safety objectives are

satisfied through implementation of the EOPs. The TA determines which controls and displays

will be required for the intended operations, with safety objectives as a subset, as defined in

the procedures.

V&V is considered a test that evaluates whether final design requirements are met. The V&V

of the EOPs and other procedures will be the ultimate demonstration that the HSI design is

acceptable.

5.4.12 Design Implementation

5.4.12.1 Final Plant HFE Design Verification

Aspects of the design not addressed during V&V are evaluated later using an appropriate

method. Aspects of the design addressed at this stage may include design characteristics

(e.g., displays for plant-specific design features) and features that cannot be evaluated in a

simulator (e.g., MCR noise and HVAC).

The final (i.e., as-built) HSIs, procedures, and training program are compared with the detailed

design description to verify that they conform to the design that resulted from the HFE design

process activities. Identified discrepancies are either corrected or justified.

HFE-related issues documented in the HFE issue tracking system (Section 5.5) will be verified

as having been adequately addressed.

The design implementation plan verifies the HFE considerations of the following aspects of the

HSI design against NUREG-0700 or other applicable guidance:

• Layout and arrangements for control rooms with HSI equipment

• Communications equipment

• Lighting

• Habitability systems

• Operating procedures system

• Training manuals

The design implementation verifies:

• Aspects of the design that are either partially verified or unverified prior to operation at

the site

• The as-built HSI designs are consistent with final design specifications, user and trainee

manuals, and operating and maintenance procedures

• The final MCR, RSS, and LCS layouts


• Any design modifications (e.g., display changes) resulting from pre-operation and

startup testing

• Resolution of any open HFE issues

• That the final installed design and its performance criteria are described and

documented

5.4.13 Human Performance Monitoring

The human performance monitoring strategy provides reasonable assurance that the

confidence developed by the completion of the integrated system validation is maintained over

time. The integrated system validation is not intended to be repeated; however, the human

performance monitoring strategy is intended to discover evidence that plant personnel have

maintained the skills that are necessary to accomplish the assumed actions.

The human performance monitoring strategy verifies that no significant safety degradation

occurs because of any changes that are made in the plant and provides adequate assurance

that the conclusions drawn from the original integrated system evaluation remain valid over

time.

5.5 Human Factors Engineering Issues Tracking

The Program Manager of HFE and Control Room Design tracks HFE and control room design

issues. The AREVA NP corrective action program is used as a database to track issues that

are known to the industry or identified throughout the life cycle of the HFE and HSI design,

development, and validation. The corrective action program database enables the tracking

and documentation of issues which should be addressed during the life of the project. Several

levels and types of reviews may generate input to the corrective action program database. As

a minimum, these reviews include operating experience, design review board, and cross-discipline reviews.

Each issue that is tracked in the corrective action program database is assigned a unique

tracking number and then assigned to an individual for disposition. Each issue requires the

documentation of actions taken to address the issue and final resolution of the issue.

The tracking of HFE and control room design issues is accomplished within the framework of

the QAP and overall plant design process. The HFE and control room design issues which are

determined to be deviations from the standard design are escalated to a design review and

issue resolution process.


6.0 SIMULATOR DESIGN ACTIVITIES

The U.S. EPR design process includes the use of a full-scale simulator that meets the

requirements of 10 CFR 50.34(f)(2)(xii)(C)(2)(i) to perform V&V testing and operator training.

This simulator will be a replica of the U.S. EPR MCR and include the equipment and

functionality of the U.S. EPR MCR.

The simulator software will be designed to properly emulate plant and system response to a

change in one or more plant or system variables. Operators manipulate controls on operator

workstations to initiate changes in plant or system variables in the replicated MCR. The

simulator staff members can also change plant or system variables from the special simulator

control workstation located outside of the simulated MCR.

The design of the full-scale simulator will occur during the detailed design phase of the U.S.

EPR project. AREVA NP expects that when simulator design activities commence, non-safety-related I&C detailed design and safety-related I&C detailed design should be about half

complete. The completion of the simulator design will occur after the I&C detailed design work

is complete and the U.S. EPR generic operating guidelines are written.

When complete and certified according to ANSI/ANS-3.5-1998 (Reference 11), the U.S. EPR

full-scale simulator will be used to complete the V&V of HFE program element as well as the

V&V of the I&C system design and the plant operating procedures. The completed full-scale

simulator should also be used for initial and continuous training of U.S. EPR plant operators.


7.0 REFERENCES

U.S. Regulations

1. 10 CFR 50.34, “Contents of Application; technical information.”

2. 10 CFR 50.54, “Conditions of Licenses.”

3. 10 CFR 50, Appendix A, “General Design Criteria for Nuclear Power Plants.”

4. 10 CFR 52.47, “Contents of Applications.”

U.S. Regulatory Guidance

5. NUREG-0700, “Human-System Interface Design Review Guidelines,” Revision 2.

6. NUREG-0711, “Human Factors Engineering Program Review Model,” Revision 2.

7. NUREG-0737, “Clarification of TMI Action Plan Requirements,” Revision 0.

8. NUREG-0800, “Standard Review Plan for the Review of Safety Analysis Reports for

Nuclear Power Plants,” Revision 2.

9. NUREG-1021, "Operator Licensing Examination Standards for Power Reactors," Revision 9.

U.S. Industry Standards

10. ACAD 97-004, "Guidelines for Shift Manager Selection, Training and Qualification,

and Professional Development."

11. ANSI/ANS-3.5-1998, "Nuclear Power Plant Simulators for Use in Operator Training

and Examination."

12. NEI 99-02, Revision 4, "Regulatory Assessment Performance Indicator Guideline,"

April 2006.

AREVA NP Documents

13. AREVA NP Topical Report, ANP-10266NP, "AREVA NP Inc. Quality Assurance Plan

(QAP) for Design and Deployment of the U.S. Evolutionary Power Reactor (U.S. EPR)

Topical Report," September 2006. (Enclosure to letter, Ronnie L. Gardner (AREVA

NP Inc.) to Document Control Desk (NRC), "Request for Review and Approval of

ANP-10266NP, 'AREVA NP Inc. Quality Assurance Plan (QAP) for Design and

Deployment of the U.S. Evolutionary Power Reactor (U.S. EPR) Topical Report',"

NRC:06:038, September 22, 2006.)


APPENDIX A

SUMMARY OF HUMAN FACTORS ENGINEERING PROGRAM ELEMENT DEVELOPMENT


Table A-1—Design Control Process Document Development

| Design Control Process Document | Description | Schedule |
|---|---|---|
| **SDRDs** | | |
| MCR | System level input requirements | Complete |
| TSC | System level input requirements | Complete |
| RSS | System level input requirements | Complete |
| I&CSC | System level input requirements | TBD |
| PICS | System level input requirements | Complete |
| SICS | System level input requirements | Complete |
| **SDDs** | | |
| MCR | System level design outputs, detail; iterated as design inputs are verified. | Revision 0 - 2Q CY2007 |
| TSC | System level design outputs, detail; iterated as design inputs are verified. | Revision 0 - 2Q CY2007 |
| RSS | System level design outputs, detail; iterated as design inputs are verified. | Revision 0 - 2Q CY2007 |
| I&CSC | System level design outputs, detail; iterated as design inputs are verified. | TBD |
| PICS | System level design outputs, detail; iterated as design inputs are verified. | Complete |
| SICS | System level design outputs, detail; iterated as design inputs are verified. | Complete |
| **Layout Drawings** | | |
| 53 ft. Elevation | Floor layout including MCR, I&CSC, and Integrated Operations Area (TSC, work control, operations office) | Revision 0 - 1Q CY2007 |
| 39 ft. Elevation | Floor layout including RSS | Revision 0 - 1Q CY2007 |
| Workstation layouts | Showing inventory of conventional controls and placement of PICS monitors and QDS displays. | Detailed Design |
| **Specifications** | | |
| PICS | Procurement, fabrication, and installation requirements. | Detailed Design |
| SICS | Procurement, fabrication, and installation requirements. | Detailed Design |
| Lighting, sound isolation, HVAC requirements | Procurement, fabrication, and installation requirements. | Detailed Design |


Table A-2—HFE Program Elements Development

Implementation Plan Output Results HFE Program Element (NUREG-0711) Explanation Schedule Explanation Schedule HFE Program Management

To be described in the DCD Complete N/A N/A

OER Internal process documented; summarized in the DCD.

Complete Summarizes results contained in evaluations, points to affects on the HSI design or the elements of the process required to resolve selected issue. Tracks results to HFE Issues Tracking database. Periodically updated.

Detailed Design

FRA and FA Not produced for U.S. EPR design. Based on OL3 functional assignments and assessment against automation criteria.

N/A Consists of documentation (within V&V output) of design basis and justification for functions not allocated identically for OL3 and the U.S. EPR. Added to specific SDD(s).

Detailed Design

TA Not produced for U.S. EPR design. Based on completed (separately verified) operating procedures for OL3 and U.S. EPR which satisfy required safety objectives.

N/A Consists of documentation (within V&V output) that controls and displays have been verified to be available and compatible with the intended operations as defined in the procedures.

Detailed Design

Staffing and Qualifications

Internal assumption documented; summarized in the DCD.

Complete Consists of justification (within V&V output) that operating staff numbers are able to cope in all situations.

Detailed Design

Page 85: ANP-10279, Rev 0, 'U.S. EPR Human Factors Engineering ... · AREVA NP Inc. ANP-10279 Revision 0 U.S. EPR Human Factors Engineering Program Topical Report Page i ABSTRACT The purpose

AREVA NP Inc. ANP-10279 Revision 0

U.S. EPR Human Factors Engineering Program Topical Report Page A-4

Implementation Plan Output Results HFE Program Element (NUREG-0711) Explanation Schedule Explanation Schedule HRA Implementation plan enables

design activities to address critical HAs, risk important tasks, and human error mechanisms to minimize the likelihood of human error and to provide for detection of and recovery capability for errors. See schedule for review availability.

2Q CY2007 Results summary evaluates human-error mechanisms in the HFE design and integration of HFE and PRA and risk analysis programs.

Detailed Design

HSI Design
Implementation Plan (Explanation): Several smaller plans are part of HSI design implementation plan:
1. Concept of operations
2. Hierarchy and navigation
3. Alarm management
4. Overall architecture
OL3 design allows us to put these together now.
Implementation Plan (Schedule): 1Q CY2007
Output Results (Explanation): HSI design documented in final SDDs for PICS and SICS and within V&V output.
Output Results (Schedule): Detailed Design

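Procedure Development
Implementation Plan (Explanation): The DCD will include a description of U.S. EPR program for developing EOPs and required content of the EOPs.
Implementation Plan (Schedule): Complete
Output Results (Explanation): See Task Analysis output for how procedures are related and utilized.
Output Results (Schedule): Detailed Design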

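Training Program Development
Implementation Plan (Explanation): Specific training objectives for U.S. EPR included in the DCD (COL applicant responsibility).
Implementation Plan (Schedule): Complete
Output Results (Explanation): See Simulator Design Activities.
Output Results (Schedule): Detailed Design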


Human Factors V&V
Implementation Plan (Explanation): Identifies HSI test and evaluation activities. Mid-design process tests explore and evaluate HSI subsystem issues. Integrated system validation uses performance-based tests to determine if the HMI supports safe operation of the plant and that safety objectives are satisfied through implementation of the EOPs. See schedule for review availability.
Implementation Plan (Schedule): 2Q CY2007
Output Results (Explanation): HSI task support verification evaluates whether the HSI supports personnel task requirements defined by task analyses. HFE design verification verifies that HSI accommodates human capabilities and limitations as reflected in HFE guidelines. HED Resolution is performed iteratively with V&V. Issues identified during a V&V activity are resolved prior to conducting other V&V activities. V&V is documented throughout the process as directed by the QAP. The V&V implementation plan identifies HSI test and evaluation activities. Mid-design process tests explore and evaluate HSI subsystem issues. Integrated system validation uses performance-based tests to determine if the HMI supports safe operation of the plant and that safety objectives are satisfied through implementation of the EOPs.
Output Results (Schedule): Detailed Design


Human Factors V&V (cont’d)
The TA determines which controls and displays should be required for the intended operations, with safety objectives as a subset, as defined in the procedures. V&V is considered to be a test that evaluates that final design requirements are met. The V&V of the EOPs and other procedures should be the ultimate demonstration that the HSI design is acceptable.

Design Implementation
Implementation Plan (Explanation): Implementation Plan describes how to verify HFE considerations for HSI design against NUREG-0700 or applicable:
• Layout and arrangements for control rooms with HSI
• Communications equipment
• Lighting
• Habitability systems
• Operating procedures system
• Training manuals
Implementation Plan (Schedule): 3Q CY2007
Output Results (Explanation): Summarizes “as-built” design as an accurate reflection of the design as it was V&V’d.
Output Results (Schedule): Detailed Design


Human Performance Monitoring
Implementation Plan (Explanation): Implementation Plan describes how to provide reasonable assurance that no significant safety degradation occurs because of changes made to plant and provide adequate assurance that conclusions drawn from the evaluation remain valid over time.
Implementation Plan (Schedule): 3Q CY2007
Output Results (Explanation): N/A
Output Results (Schedule): N/A