IAEA-TECDOC-812

Control room systems design for nuclear power plants

Report prepared within the framework of the International Working Group on Nuclear Power Plant Control and Instrumentation

INTERNATIONAL ATOMIC ENERGY AGENCY

The IAEA does not normally maintain stocks of reports in this series. However, microfiche copies of these reports can be obtained from

INIS Clearinghouse
International Atomic Energy Agency
Wagramerstrasse 5
P.O. Box 100
A-1400 Vienna, Austria

Orders should be accompanied by prepayment of Austrian Schillings 100, in the form of a cheque or in the form of IAEA microfiche service coupons which may be ordered separately from the INIS Clearinghouse.

The originating Section of this publication in the IAEA was:

Nuclear Power Engineering Section
International Atomic Energy Agency
Wagramerstrasse 5
P.O. Box 100
A-1400 Vienna, Austria

CONTROL ROOM SYSTEMS DESIGN FOR NUCLEAR POWER PLANTS
IAEA, VIENNA, 1995
IAEA-TECDOC-812
ISSN 1011-4289

© IAEA, 1995

Printed by the IAEA in Austria
July 1995

PLEASE BE AWARE THAT ALL OF THE MISSING PAGES IN THIS DOCUMENT WERE ORIGINALLY BLANK

FOREWORD

Exceptional opportunities have arisen in the 1990s to improve nuclear power plant safety and economics by upgrading the control room system design and facilities. These opportunities result from the rapid evolution of new technology in the fields of computing and communications and, at the same time, from the significant progress that has been made in understanding human behaviour and how to integrate the two streams of knowledge.

This TECDOC is the result of a series of advisory and consultants meetings held by the IAEA in Vienna in 1991-1992. It was prepared with the participation and contributions of experts from Canada, Finland, France, Germany, Japan, the Russian Federation, Sweden and the United States of America.

This publication provides a resource for those who are involved in researching, managing, conceptualizing, designing, manufacturing or backfitting power plant control room systems. It will also be useful to those responsible for performing reviews or evaluations of the design and facilities associated with existing power plant control room systems. The ultimate worth of the publication, however, will depend upon how well it can support its users. Readers are invited to provide comments and observations to the IAEA, Division of Nuclear Power. If appropriate, the report will subsequently be re-issued, taking such feedback into account.

Special thanks are due to R. Olmstead of Atomic Energy of Canada Limited, who edited the report. Mr. A. Kossilov from the Nuclear Power Engineering Section, IAEA, is the officer responsible for preparing this document.

EDITORIAL NOTE

In preparing this document for press, staff of the IAEA have made up the pages from the original manuscripts as submitted by the authors. The views expressed do not necessarily reflect those of the governments of the nominating Member States or of the nominating organizations.

Throughout the text names of Member States are retained as they were when the text was compiled.

The use of particular designations of countries or territories does not imply any judgement by the publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and institutions or of the delimitation of their boundaries.

The mention of names of specific companies or products (whether or not indicated as registered) does not imply any intention to infringe proprietary rights, nor should it be construed as an endorsement or recommendation on the part of the IAEA.

The authors are responsible for having obtained the necessary permission for the IAEA to reproduce, translate or use material from sources already protected by copyrights.

CONTENTS

1. INTRODUCTION ... 9
1.1. Scope ... 9
1.2. Purpose ... 9
1.3. Benefits ... 9
1.4. Standards ... 10
1.5. Existing control room systems features ... 10
1.6. Present technology and applications for control room systems ... 11
1.7. Design principles and methodologies ... 11
1.8. Future trends ... 11
1.9. Recommendations ... 12
1.9.1. General ... 12
1.10. Terminology ... 13

2. BACKGROUND ... 18
2.1. Historical perspective ... 18
2.1.1. Three generations of control room systems ... 18
2.1.2. Development history before TMI ... 19
2.1.3. Importance of human-machine interface ... 19
2.1.4. International efforts and standards ... 23
2.1.5. The challenge of control room retrofits ... 24
2.2. Safety considerations ... 24
2.3. Coping with increased complexity in the control room ... 24
2.4. Operational experience ... 25
2.5. Training ... 27

3. EXISTING CONTROL ROOM SYSTEMS FEATURES ... 28
3.1. Control room layout ... 28
3.2. Panels and displays ... 29
3.2.1. Human engineering enhancements after TMI ... 30
3.2.2. Use of modern information technology ... 30
3.3. Alarms and annunciators ... 31
3.3.1. Windows and screen displayed alarms ... 31
3.3.2. Improvements made with the feedback from operating staff ... 32
3.3.3. Alarm avalanche mitigation ... 34
3.3.4. Alarm processing expert systems ... 35
3.3.5. Advanced control room alarm systems ... 35
3.4. Operator support systems ... 35
3.4.1. Allocation of functions to OSS ... 38
3.5. Human operational factors ... 38
3.5.1. Operations organizational factors ... 39
3.5.2. Operations environmental factors ... 40
3.6. Procedures ... 40
3.7. Communication systems ... 41
3.8. Information configuration control ... 42
3.9. Other control room systems ... 42
3.10. Electro-magnetic interference ... 42

4. PRESENT TECHNOLOGY FOR CONTROL ROOM SYSTEMS ... 43
4.1. Conventional hard-wired equipment ... 43
4.2. Computer systems for control room systems ... 43
4.2.1. General ... 43
4.2.2. Computer architecture ... 43
4.2.3. Hardware ... 44
4.2.4. Software ... 44
4.2.5. Fault tolerant architecture ... 46
4.3. Display devices ... 46
4.3.1. Visual display units (VDUs) ... 46
4.3.2. Controls ... 48
4.3.3. Auditory devices ... 48
4.4. Use of simulator for CRS design ... 48

5. DESIGN PRINCIPLES AND METHODOLOGIES ... 50
5.1. Design standards ... 50
5.2. Design teams ... 50
5.2.1. Contents of the design team ... 50
5.2.2. Division of responsibilities ... 51
5.3. Design requirements ... 52
5.3.1. Design objectives ... 52
5.3.2. Benefits of automation and information systems technology in the control room ... 53
5.3.3. Safety critical CRS functions ... 53
5.4. Design process ... 54
5.4.1. The fundamental principle - task driven design ... 54
5.4.2. Function analysis ... 54
5.4.3. Allocation of functions to human or machine ... 54
5.4.4. Task and job analysis ... 57
5.4.5. Quality assurance, verification and validation ... 57
5.4.5.1. Quality assurance (QA) ... 57
5.4.5.2. Verification and validation (V&V) ... 57
5.4.5.3. Evaluation of existing control room systems ... 58
5.4.6. Application of human factors ... 58
5.5. Design ... 58
5.5.1. Conceptual design ... 58
5.5.1.1. Design process for main control room (MCR) ... 58
5.5.1.2. Emergency response facilities (ERF) ... 60
5.5.2. Detailed design ... 61
5.5.2.1. Visual display unit (VDU) design guide ... 61
5.5.2.2. Operator controls ... 62
5.5.2.3. Integrating displays and mimics ... 62
5.6. Design tools ... 62
5.6.1. Evaluation of existing CRS ... 62
5.6.2. Display design ... 63
5.6.3. Applications ... 63
5.7. Backfitting ... 63
5.7.1. General backfit design considerations ... 63
5.7.2. Specific backfit design considerations ... 64

6. FUTURE TRENDS ... 66
6.1. General design trends ... 66

6.1.1. Centralization of control and distribution of monitoring ... 66
6.1.2. Integration ... 66
6.1.3. Increased operator support ... 67
6.1.4. The impact of new technology and design on training programs ... 68
6.2. Technical trends ... 68
6.2.1. Increasing use of digital systems in safety and non-safety applications ... 68
6.2.2. Increasing computer and networking capabilities ... 68
6.2.3. Advanced human-machine interface technology ... 69
6.2.4. Increasing use of knowledge engineering and other advanced information processing technology ... 70
6.2.4.1. Computational techniques ... 70
6.2.4.2. Model based techniques ... 71
6.2.5. Better computer-aided tools ... 71
6.3. Cognitive user model ... 71
6.4. Human-centred design ... 72

7. CONCLUSIONS AND RECOMMENDATIONS ... 74
7.1. General ... 74
7.2. Conclusions ... 74
7.3. Recommendations ... 75

APPENDIX A: SAFETY CLASSIFICATION METHODOLOGY FOR NUCLEAR SYSTEM FUNCTIONS AND EQUIPMENT ... 77
APPENDIX B: EVALUATION TECHNIQUES ... 81
APPENDIX C: EQUIPMENT STATUS MONITOR ... 82
APPENDIX D: LIST OF ISSUES FOR DISCUSSION ... 83
APPENDIX E: INTEGRATING DISPLAYS AND MIMICS ... 84

REFERENCES ... 87

ANNEX. NATIONAL ACTIVITY REPORTS ... 89

Process monitoring systems of Loviisa nuclear power plants ... 91
T. Manninen

Control room systems and C&I systems for Canadian CANDU nuclear stations. National practices and approaches ... 99
R.A. Olmstead

State of the art of human factors engineering for control room systems in Japan ... 111
Y. Fujita

SPDS development for RBMK unit ... 119
A.I. Gorelov, V.A. Proshin

Electricité de France N4 control room and I&C system ... 125
J. Furet, G. Guesnier

Control room systems upgrades for operating nuclear power plants ... 139
J.A. Naser, B.K.H. Sun

Control room system evaluation of outage: Some notes on methods ... 149
C. Rollenhagen, L. Jacobsson

IAEA activity on operator support systems in nuclear power plants ... 153
V. Dounaev, Y. Fujita, K. Juslin, K. Haugset, A. Kossilov, I. Lux, J. Noser

ABBREVIATIONS ... 175

CONTRIBUTORS TO DRAFTING AND REVIEW ... 177

1. INTRODUCTION

1.1. SCOPE

This report contains comprehensive technical and methodological information and recommendations for the benefit of Member States, as advice and assistance in NPP control room systems design, both for backfitting existing nuclear power plants and for the design of future stations.

The term "control room systems" (CRS) refers to the entire human-machine interface of a nuclear station, including the main control room, the back-up and emergency control rooms, local panels, technical support centres, operating staff, operating procedures, operator training programmes and communications.

1.2. PURPOSE

The IAEA, recognizing the growing importance of the human-machine interface to the safety and economics of nuclear energy production, convened a cross-discipline, cross-industry international group of recognized leaders in the field to produce "Guidelines for Control Room Systems Design".

These guidelines do not constitute a standard for detailed design. The document identifies a list of the most comprehensive and up-to-date international standards which can be followed to achieve a complete conceptual and detailed design.

The purpose of these guidelines is to provide up-to-date practices and methodologies useful for the design of NPP control room systems, for plant designers, utilities and manufacturers of equipment and systems, to meet operational and safety requirements. Specifically, the guidelines aim:

- to provide a broad, up-to-date status of the technology and applications that are rapidly changing the way nuclear plant operators and maintainers interface with the plant;
- to identify current issues and trends that require guidance that is not available in present-day standards;
- to communicate a number of viewpoints which represent the consensus of the group on some important unresolved issues in this field.

The advisory group consists of experts in the relevant technical disciplines (including plant information system design, human factors, nuclear power plant operation, etc.). Eight countries, each with a significant operating power reactor programme, are represented.

1.3. BENEFITS

A unique and powerful feature of many existing and all new nuclear stations is the relatively high degree of automation and the fact that the dynamic plant state is represented in digital computer memory and logic. Exploiting this advantage and the rapid evolution of digital technology, designers can achieve substantial safety and operational benefits. Some of the most significant features and benefits are the following:

1. Increased time for operators to think and plan - For safety critical plant transients, the period of time for which operator intervention is not required can be extended so that no operator action is required for several hours.

2. Substantial reduction in panel complexity - Many of the fixed indicators and controls can be eliminated from the panels in favour of interactive CRT consoles. Large mimic displays in the control room communicate overall plant status and support group decision making. Consequently, information can be grouped to suit each particular situation.

3. Substantial reduction in instrumentation complexity - The replacement of trunk cabling, relays, timers, comparators, etc. with distributed control processors can result in a significant reduction in the I&C hardware component count and in the diversity of equipment and suppliers.

4. Elimination of error prone tasks - The objective is to relieve the operator of boring, stressful, time consuming tasks so that the operator has time to perform as a situation manager. An example is the automation of the periodic testing of the nuclear protection systems.

5. Integrated emergency response information system - This is a safety qualified extension of the comprehensive information management facility available in the control rooms. In the unlikely event of an accident, the operating staff will be familiar with the facility and confident of its availability.

6. Procedure driven displays - The control centre interactive CRT displays are designed to support the tasks called for in the station procedures, organization and operating policies. Since information is no longer fixed geographically on the panels, it can now be packaged to support the tasks under way at any particular time.

7. Critical alarms - During major plant disturbances a facility can be provided to present operators with a short list of strategically critical diagnostic messages.

The above features, applied to control room systems, will provide operating nuclear utilities with tools for substantial reductions in power plant operating, maintenance and administration (OM&A) costs. This is achieved in the following ways:

- Reduction of plant forced outages
- Faster recovery from forced outages
- Avoidance of plant equipment damage and extension of service life due to early diagnosis of equipment malfunction
- Faster startups
- Automation of labour intensive OM&A processes.

1.4. STANDARDS

The report recommends the use of five international standards and documents to provide guidance for conducting detailed design of control room systems. These are the following [1-5]:

1. Design for Control Rooms of Nuclear Power Plants; IEC-964, 1989.
2. Control Rooms and Man-Machine Interface in Nuclear Power Plants; IAEA-TECDOC-565, 1990.
3. The Role of Automation and Humans in Nuclear Power Plants; IAEA-TECDOC-668, 1992.
4. Human Factors Guide for Nuclear Power Plant Control Room Development; EPRI report NP-3659, August 1984.
5. EPRI ALWR Requirements, Chapter 10, October 1991.

1.5. EXISTING CONTROL ROOM SYSTEMS FEATURES

The report describes the lessons learned from the Three Mile Island and Chernobyl accidents and the specific recommendations of the US Nuclear Regulatory Commission to provide control room operators with better support during accidents (Section 5.5.1.2). Additional comprehensive information can be found in the IAEA technical report IAEA-TECDOC-565, mainly prepared by J. Furet of France [2].

The application of new technology to provide useful, retrofittable operator support systems (OSS) is emphasized. The following modern OSS facilities are described:

- Task oriented displays
- Intelligent alarm handling
- Fault detection and diagnosis
- Safety function monitoring
- Computerized operational procedures presentation
- Performance monitoring
- Core monitoring
- Vibration monitoring and analysis
- Loose part monitoring
- Materials stress monitoring
- Radiation release monitoring
- Condition monitoring maintenance support.

Some of the most difficult problems with existing CRS designs are identified along with suggestions for resolution. A prime example is the problem of alarm overload during plant transients and during periods of low power operation and maintenance. The Annex describes one of the most successful major retrofits of a CRS, carried out at the Loviisa NPP in Finland in 1989/1990. Section 5.7 provides a list of requirements for successful backfitting. The entire contents of the report are applicable to operating power stations where future upgrades are likely.
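As an added illustration of the alarm handling ideas this report relies on (alarm filtering, suppression and de-emphasis as defined in Section 1.10, and the critical alarm short list of Section 1.3, item 7), the following Python example is not part of IAEA-TECDOC-812 and does not describe any plant's actual alarm system. It assumes a constructed alarm catalogue in which every alarm carries a priority, the set of plant modes in which it is meaningful, and the tags of alarms that are its declared causes; all tags, texts, modes and cause links are invented for the demonstration. The filter applies three steps in order: mode-dependent suppression of alarms that are the expected state in the current mode (the low power and outage case of Recommendation 4), de-emphasis of alarms whose declared root cause is already active so that cause chains collapse to their root, and priority ordering of what remains, the head of which is the critical short list.

```python
# Added example (not from IAEA-TECDOC-812): a minimal alarm filter that applies
# mode-dependent suppression, consequential-alarm de-emphasis and a priority-ordered
# critical short list.  Tags, texts and plant modes below are constructed for the
# demonstration and do not describe any real plant's alarm schedule.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

ALL_MODES = frozenset({"power", "startup", "shutdown"})   # constructed mode set


@dataclass(frozen=True)
class AlarmDef:
    tag: str
    text: str
    priority: int                              # 1 = most safety-significant
    valid_modes: FrozenSet[str]                # modes in which the alarm is meaningful
    caused_by: FrozenSet[str] = frozenset()    # tags whose activation explains this alarm


@dataclass
class FilterResult:
    presented: List[str]      # annunciated alarms, ordered by priority then tag
    critical: List[str]       # head of 'presented': the short list for the overview
    deemphasized: List[str]   # kept in the alarm list but not annunciated loudly
    suppressed: List[str]     # expected in the current plant mode, not annunciated
    unclassified: List[str]   # active tags missing from the catalogue (never dropped)


def filter_alarms(active: Iterable[str], mode: str,
                  catalogue: Dict[str, AlarmDef], critical_limit: int = 5) -> FilterResult:
    active = set(active)
    # Fail safe: an alarm the filter knows nothing about is reported, not discarded.
    unclassified = sorted(t for t in active if t not in catalogue)
    known = active - set(unclassified)

    # Step 1: mode-dependent suppression.  An alarm that is the expected state in the
    # current mode (e.g. turbine load low while shut down) is removed from annunciation.
    suppressed = sorted(t for t in known if mode not in catalogue[t].valid_modes)
    meaningful = known - set(suppressed)

    # Step 2: consequential-alarm de-emphasis.  If a declared cause of this alarm is
    # itself active and meaningful, the root cause is already in front of the operator.
    # A de-emphasized alarm still counts as a cause, so cause chains collapse to the root.
    deemphasized = sorted(t for t in meaningful
                          if any(c in meaningful for c in catalogue[t].caused_by))
    primary = meaningful - set(deemphasized)

    # Step 3: priority ordering; the head of the list is the critical short list.
    presented = sorted(primary, key=lambda t: (catalogue[t].priority, t))
    return FilterResult(presented, presented[:critical_limit],
                        deemphasized, suppressed, unclassified)


# Constructed demo catalogue (fictional tags).
CATALOGUE: Dict[str, AlarmDef] = {a.tag: a for a in [
    AlarmDef("PUMP-A-TRIP", "Main coolant pump A tripped", 1, frozenset({"power", "startup"})),
    AlarmDef("FLOW-A-LOW", "Loop A flow low", 2, ALL_MODES, caused_by=frozenset({"PUMP-A-TRIP"})),
    AlarmDef("FLOW-A-LOW-LOW", "Loop A flow low-low", 1, ALL_MODES, caused_by=frozenset({"FLOW-A-LOW"})),
    AlarmDef("TURB-LOAD-LOW", "Turbine load below minimum", 3, frozenset({"power"})),
    AlarmDef("DG-TEST", "Diesel generator under test", 4, ALL_MODES),
]}


def demo() -> Dict[str, FilterResult]:
    """Two constructed situations: a pump trip at power, and routine shutdown conditions."""
    transient = {"PUMP-A-TRIP", "FLOW-A-LOW", "FLOW-A-LOW-LOW", "TURB-LOAD-LOW", "DG-TEST"}
    outage = {"TURB-LOAD-LOW", "FLOW-A-LOW", "DG-TEST"}
    return {
        "power": filter_alarms(transient, "power", CATALOGUE, critical_limit=2),
        "shutdown": filter_alarms(outage, "shutdown", CATALOGUE),
    }


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

Three design choices matter here. De-emphasized alarms are kept, not deleted, so the operator can still inspect them and the alarm analysis of Section 1.10 loses no evidence. Suppression is tied to the declared plant mode rather than to a global on/off switch, so the same catalogue behaves correctly at power and during an outage, which is the situation Recommendation 4 singles out. An active tag that is missing from the catalogue is reported as unclassified rather than silently dropped; a filter that hides what it does not understand is itself a hazard, and this is the kind of data validity concern raised in Recommendation 7.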

1.6. PRESENT TECHNOLOGY AND APPLICATIONS FOR CONTROL ROOM SYSTEMS

The rapidly evolving technology that is revolutionizing control room system design is described with an indication of how and why this hardware and software is being applied. This includes computers, data highways, communication devices, many different information display mechanisms, human input/output facilities, software, voice annunciation and voice actuation systems. The report describes significant design trends that result from the application of this technology, such as the use of touch sensitive CRT screens to enable display and control of actuators to be accomplished through the same object on a CRT screen.

1.7. DESIGN PRINCIPLES AND METHODOLOGIES

The report recommends a non-traditional division of responsibility for the design of CRS. This new organizational concept suggests a wider scope of responsibility for the end user, the electric utility which owns the associated nuclear station. The report also outlines the fundamental principles and subdivisions of the design process. It indicates how to establish a safe, economical separation of safety critical CRS functions from those which do not have to meet stringent safety grade quality requirements. The report explains how modern control room systems must be subjected to top down, user driven validation techniques, and the increasing need to utilize a full scope training simulator as a vehicle to achieve validation of the human-machine interface. A good example is the use made by EDF of a full scope simulator for the design and validation of the N4 advanced control room (see Section 4.4).

1.8. FUTURE TRENDS

The short term and long term future trends are described. This includes trends towards:

- Centralization
- Integration of diverse equipment, processes and technologies
- Increased operator support facilities
- Improved information management and network distribution
- Increased use of digital computers
- Application of artificial intelligence
- Application of high density and large screen displays
- Voice recognition and voice actuation
- Alarm avalanche mitigation techniques
- Application of cognitive user models
- Expert systems
- Neural networks
- Fuzzy logic
- Open computer systems concepts (obsolescence protection).

Some of the most recent innovative, technologically advanced improvements to CRS are described. These include:

1. An automated equipment status monitoring system in the Darlington CANDU station that maintains real time operational configuration control for 14 000 operable devices on each unit of the four unit station.

2. An advanced, knowledge based alarm annunciation system designed by Mitsubishi for Japanese PWR stations that reduces the alarm overload by 80% during serious plant transients.

3. A computer software based safety critical operator interface system using flat panels, to be commissioned by Tokyo Electric Power at Kashiwazaki-Kariwa units 6 and 7.

1.9. RECOMMENDATIONS

1.9.1. General

During the final Advisory Group meeting, the consultants reviewed a list of current issues associated with control room systems (see Appendix D). The items marked with an asterisk (*) in Appendix D were selected for intensive discussion, which resulted in a consensus leading to conclusions and recommendations on particularly difficult issues. Conclusions and recommendations related to other issues resulted from discussion, analysis and consensus reached in some of the earlier Advisory Group meetings.

Section 7.2 summarizes all the conclusions which represent the consensus of the Advisory Group with respect to trends and practices that are under way in the nuclear industry today. The conclusions represent trends and practices the Advisory Group considers positive for the industry.

The following section summarizes the recommendations of the Advisory Group. Each recommendation represents an area where the Advisory Group believes there is a need for change. Formulating the specifics of changes and initiating action is the responsibility of others in the nuclear industry.

Recommendations:

1. More specific R&D and nuclear plant operator feedback is needed to determine the best mix of "soft panels" and fixed physical display/control devices in the nuclear plant control room. For example, more work should be done to assess the concept of distributing VDU displays to better simulate the overview provided by the old fixed device panel. There is also a need to improve the design of overview mimic diagrams so they will be more effective in offsetting the tendency for operators to develop "VDU tunnel vision" in control rooms which use predominantly soft panel interfaces.

2. For new plant designs and backfits to control rooms, electric utility organizations shouldparticipate more strongly in the definitions specifications and implementation of the controlroom systems.

3. If there is a requirement for costly verification and validation of safety critical software, aspecial operator interface may be necessary for the safety related portion of the control room.This has already happened in one of the new nuclear plants being constructed. A processshould be initiated to obtain an international consensus on this issue.

4. In the design of the alarm annunciation and information system portion of the CRS, more attention must be given to the special needs of operating stations during plant annual outages and extended periods of off-normal (i.e., low power) operation.

5. Full scope simulators are a requirement during the CRS design phase for control room systems for new stations and for major backfits on existing stations.

6. There is a need for more systematic collection and interpretation of operating experience related to the incidence of human errors in operation and maintenance.

7. New and better techniques are required to assure the validity of data used in control and safety systems.

8. More studies should be performed to assess what activities should be added to or deleted from modern control room staff job descriptions in view of the technology now available.

9. More R&D is needed to achieve the best allocation of control functions between humans and machines.

1.10. TERMINOLOGY

The following are certain terms used in this document that may require explanation:

Accident - A state defined under accident conditions or severe accidents.

Accident conditions - Deviations from operational states in which the releases of radioactive materials are kept to acceptable limits by appropriate design features. These deviations do not include severe accidents.

Acknowledgement - An action taken by the operator to indicate that alerted information (e.g., an alarm) has been observed.

Alarm - A piece of information presented to alert the operator to a component failure, an out-of-tolerance process condition, or any other component or process status that requires the operator to carry out an appropriate operational task (e.g., verification, operation).

Alarm analysis - An analysis of functional or any other relationships among activated alarms that intends to identify the root cause which has brought about the alarms.

Alarm filtering - Logical or any other dynamic information processing that intends to filter out less important alarms. Usually, those alarms which are found less important are either suppressed (see "alarm suppression") or de-emphasized so that more important ones can be given proper operator attention.

Alarm suppression - Elimination of alarms which are identified as less important.


Allocation of function - Assignment of responsibility for performing operations to human (i.e., operator) and/or machine in either exclusive or complementary ways so that functional goals are achieved.

Ambient lighting - Lighting that produces general illumination.

Ambient noise - Non-information-bearing sound emitted from a variety of sources (e.g., air conditioner, printer or other office equipment, pumps and other rotating components).

Annunciator - A system used to present alarms which covers such functions as auditory warning, ring-back, reflash, acknowledgement, and reset.

Auxiliary control room - A centralized control centre, separated from the main control room, which covers operational tasks not covered by the main control room and local control points.

Availability - The probability that a system or component functions as intended when required.

Backfit - A change to the constituents of the control room system that intends to correct deficiencies or add functionality.

Back-up control room - A control centre designed to shut down the reactor, to cool the core, and to monitor safety conditions in cases where the main control room cannot be occupied.

Blackboard architecture (BBA) - A framework used for expert system and/or other symbolic information processing technology which allows the definition of one or more agents carrying out specified processing. One or more blackboards may be used to transfer information among the agents.

Case-based reasoning (CBR) - A collection of artificial intelligence techniques which utilizes past experience, as represented by prior cases, for handling current problems. Both successful and unsuccessful prior cases are stored with a variety of knowledge chunks that characterize the cases: particularity, facts, outcome, solution method, context of solution, links to other cases, etc. These sets of knowledge are looked at to choose the best case that can be utilized to solve the current problem.

Cathode ray tube (CRT) - An electron tube in which one or more well-defined and controllable beams of electrons are directed to an electroluminescent surface to produce a visible display.

Controls - Push-buttons, rotational switches, computer-driven soft switches (e.g., touch sensitive screens) and other devices which are used to send component manipulation demand signals to the I&C system.

Control room - See "main control room".

Control room staff - A group of plant personnel stationed in the main control room.

Control room system - An integration of the human-machine interface (including operating procedures), control room staff, training program, and other associated facilities or equipment which together sustain the proper functioning of the main control room.

Decision-making - A cognitive operation that intends to reach a conclusion about operational actions to be taken.

Deep knowledge - A collection of knowledge to be used by artificial intelligence systems which is independent of the specific problems of current concern. It includes physical principles, general solution methods, etc. The use of deep knowledge is expected to provide the ability to handle problems which heuristic knowledge (i.e., shallow knowledge) may not be able to solve correctly.

Design basis events (DBEs) - A set of postulated events for which the plant design is required to secure the maintenance of safety.

Design team - A group of individuals having interdisciplinary technical backgrounds who are responsible for the design of the control room system.

Displays - Devices used to present information to the operator, which include meters, recorders, lamps, CRTs, etc.

Direct digital control - Control technology which utilizes computers for generating and issuing control demands.

Event - Any planned or unplanned change of status including transients and accidents.

Expert systems shell - A general programming tool that helps develop expert systems.

First-out alarm - An alarm which indicates an automatic safety action (e.g., reactor trip, emergency core cooling). First-out alarms are the alarms associated with the conditions that initiate automatic safety actions; the first of them to occur identifies the initiating condition for the operator. "First-out alarm" and "first-hit alarm" are used interchangeably.

Frame - A form of knowledge representation used for artificial intelligence systems which frames a chunk of knowledge representing a "concept". This knowledge may include facts, solution methods, and links to other framed concepts. Frames are linked hierarchically on the basis of abstraction. This abstraction hierarchy provides the ability to perform default reasoning, i.e. to inherit properties from a more abstract frame when a specific frame does not state them.

Function - An activity or role performed by man or automated systems.

Function allocation - See "allocation of function".

Function analysis - An analysis by which functions needed to achieve functional goals are identified and evaluated in terms of a variety of resources (e.g., human capability, machine capability) for providing a basis for function allocation.

Functional goal - Conceptual performance specifications that must be satisfied to achieve the corresponding function.

Functional requirements - Quantitative specifications that must be satisfied by the control room system design.

Human errors - Human actions or inactions which lead to an undesired result.

Human factors - A body of scientific knowledge about human abilities/limitations and other human characteristics relevant to design. It also refers to an engineering discipline in which human factors knowledge is applied to various types of design activities for establishing effective and comfortable human use. More precisely, the terms "human factors engineering" and "ergonomics" are used to refer to this latter definition. Ergonomics is often taken as an engineering discipline that focuses on the physical characteristics of humans (e.g., anthropometry), but it can be used to refer to an engineering discipline that focuses on cognitive characteristics as well (i.e., cognitive engineering). Human factors is concerned with the individual characteristics of humans, but it is sometimes used to refer to organizational factors.


Human-machine interface - Interface devices through which the operator communicates with the plant (via the I&C system), which include displays, controls, and the OSS interface. It also includes operating procedures and other documents that specify how the operator should interface with the plant. It also refers to functions that support communication between the operator and the plant. In this sense, the OSS and other computerized systems which reduce and/or generate information/signals to be exchanged between the operator and the I&C system are seen as human-machine interface functions.

Information - What is obtained from signals, data, or verbal communications through reduction, interpretation, or any other processing that bears meaning in terms of operational activities (e.g., confirmation, detection, problem-solving, decision-making). It may be quantitative or qualitative.

Instrumentation and control systems (I&C systems) - A hardware implementation of automatic and manual control functions which consists of instrumentation, control and information systems including associated software.

Job - A specific set of operationally related tasks to be performed by the operator. In general usage, it is also used to refer to the totality of one's role in a given organization, or just a one-time task.

Job analysis - An analysis that intends to identify basic requirements which a job imposes on the control room system.

Liquid crystal display (LCD) - A type of display which utilizes liquid crystal to produce a visible display.

Licensee event report (LER) - A report of any postulated or unpostulated event. LERs are intended to include the identification and evaluation of the cause of the event, both hardware failures and human errors.

Load follow operation/load following - A mode of operation in which the nuclear power level is controlled (changed) in accordance with a pre-specified load pattern.

Nuclear safety (or simply safety) - The achievement of proper operating conditions, prevention of accidents or mitigation of accident consequences, resulting in protection of site personnel, the public and the environment from undue radiation hazards.

Machine - A collection of hardware and associated software which includes the I&C system, OSS, and other computerized systems. In functional terms, it is often used to refer to "automation" and/or "computerized support functions".

Main control room - A centralized control centre where operators are stationed to carry out jobs assigned to them. Though the scope of the jobs is a matter of design choice, it is assumed that they cover operational tasks essential to nuclear and thermal power generation.

Manual control - Operations made by the operator manually using controls.

Monitoring - Continuous or periodic measurement of parameters or determination of the status of a system. Sampling may be involved as a preliminary to measurement.

Neural network - A kind of network technique which was originally developed to model the human pattern recognition capability at the neuron level. The technique utilizes nodes and links to memorize relationships between given sets of inputs and outputs, where inputs refer to signal patterns characterizing reference objects, while outputs refer to the objects themselves. The technique can recognize given objects by feeding inputs to a pre-established neural network. The ability to update (i.e., learn) the reference input-output relationships and the ability to handle incomplete inputs are features of the technique.

Operating crew - A group of individuals consisting of control room operators and their support members (e.g., patroller, auxiliary operators) who normally work on a shift basis.

Operating procedures - A set of written and/or computerized documents specifying tasks for both normal and abnormal operations which need to be carried out to achieve functional goals.

Operation - An act of automatic control or manual control.

Operator - An individual who is responsible for an operational process and for achieving functions allocated to a human. (See "reactor operator", "senior reactor operator", and "senior technical advisor".)

Operator support system (OSS) - A system that implements functions that support mental processing tasks assigned to the operator (e.g., fault detection, diagnosis, procedure selection).

Object oriented programming - A programming environment in which programming is done in terms of knowledge chunks called "objects" and message passing. Each object frames relevant data and procedures. These data and procedures are utilized to yield a response by passing messages among objects.

Parameter - Any set of physical properties (e.g., pressure, level, temperature, frequency) whose values/status reflect the functional status of process/equipment.

Plant operational goals - The ultimate purposes of plant operations, that is, controlled generation of electricity and the maintenance of safety.

Plasma display (PD) - An assembly of small neon tubes arranged in matrix form which is used to produce a visible display.

Post accident instrumentation - A selected set of instrumentation which provides the operator with parameters essentially necessary and/or important for post-accident operations.

Problem solving - A cognitive operation that intends to understand observed anomalous symptoms or to identify their cause(s) (e.g., diagnosis) and solutions.

Quality assurance - All those planned and systematic actions necessary to provide adequate confidence that an item or service will satisfy given requirements for quality.

Reactor operator (RO) - An operator who is qualified to manipulate controls in the main control room and is responsible for operating all control room systems.

Safety function - A specific purpose that must be accomplished for nuclear safety.

Safety system - Systems important to safety, provided to assure the safe shutdown of the reactor or the residual heat removal from the core, or to limit the consequences of anticipated operational occurrences and accident conditions.

Safety related system - Systems important to safety which are not safety systems.

Seismic qualification - Validation required to be carried out experimentally or by calculation to ensure that a system or a component can maintain its proper functioning during an earthquake of pre-defined intensity.


Senior reactor operator (SRO) - A qualified reactor operator who is responsible for supervising the reactor operators and other operating crew members. Normally, one is required to possess sufficient experience and to pass the examinations for senior designation.

Senior technical advisor (STA) - A qualified operator who is responsible for supporting the SRO during transients and accidents. The STA is required to possess an engineering degree. In some countries, the STA is called a "Safety Engineer".

Severe accident - Nuclear power plant states beyond accident conditions, including those causing significant core degradation.

Task - A set of operations and associated monitoring activities that need to be performed by the operator to achieve a functional goal.

Task analysis - An analysis that intends to identify basic requirements which a task imposes on the operator.

Transient - A planned or unplanned abnormal operating condition in which the level of power generation changes in a short period of time (e.g., reactor trip).

Truth maintenance system (TMS) - A collection of artificial intelligence techniques which deals with inconsistency caused by incomplete and/or inconsistent knowledge. It has the ability to identify/select candidates for consistent reasoning when any inconsistency is encountered. There are several types of truth maintenance systems: justification-based, logic-based, and assumption-based.

Visual display unit (VDU) - A kind of display incorporating a screen for presenting computer driven images (i.e., message text, graphic symbols).

Validation - Testing and/or evaluation that is performed to ensure that a designed object (i.e., system, component) meets pre-defined performance criteria.

Verification - A checking process that is performed to ensure that a designed object is designed and/or manufactured as specified.

Workload - The level of activity or effort required of the operator to carry out a given set of tasks.

2. BACKGROUND

2.1. HISTORICAL PERSPECTIVE

2.1.1. Three generations of control room systems

Control room systems represent an exceptional opportunity for industrial plant designers to realize significant gains through cost avoidance, operational reliability and safety. This opportunity exists because of rapid technological development in computers and electronics, coupled with significant progress in the behavioural sciences that greatly increases our knowledge of the cognitive strengths and weaknesses of human beings.

In nuclear power stations, as in most complex industrial plants, control room systems design has progressed through three generations.

First generation systems consist entirely of fixed, discrete components (hand switches, indicator lights, strip chart recorders, annunciator windows, etc.). Human factors input was based on intuitive common sense factors which varied considerably from one designer to another (see Figure 1).


Second generation systems incorporate video display units and keyboards in the control panels. Computer information processing and display are utilized. There is systematic application of human factors through ergonomic and anthropometric standards and cookbooks. The human factors are applied mainly to the physical layout of the control panels and the physical manipulation performed by the operators (see Figure 2).

Third generation systems exploit the dramatic performance/cost improvements in computer, electronic display and communication technologies of the 1990s (see Figure 3). Further applications of human factors address the cognitive aspects of operator performance. Figure 4 is a futuristic representation of what a nuclear power plant control room might look like if designers were able to fully exploit computers and graphic display technology.

2.1.2. Development history before TMI

Since the beginning of the 1960s, the development of nuclear power plants has been characterized by a number of reactor types and models and by a marked increase in rated power. To a large extent this was determined and even imposed by the designers or manufacturers of nuclear boilers, who until recently had always wielded a predominant influence on the development of nuclear equipment and on the design and performance of production units. The influence of American manufacturers has had repercussions throughout the market economy countries. The result has been that, for the majority of LWR units in operation or nearing completion in the market economy world, the design of control systems for the nuclear steam supply system was imposed by the NSSS manufacturers, while the design of the overall balance of plant system was determined by industrial architects, architect-engineers, or the relatively specialized branches of the utility (customer and future operator), such as Electricité de France (EDF) in France, TEPCO in Japan, IVO in Finland, ONTARIO HYDRO in Canada, VATTENFALL in Sweden, RWE in the Federal Republic of Germany and the Tennessee Valley Authority (TVA) in the USA, with varying degrees of communication between the two groups.

Furthermore, since from an investment standpoint control equipment represents only a small percentage of the total cost of the installation, electric utilities generally have preferred to use only well tested and proven equipment and technologies.

Moreover, the design and construction of control systems was often based on the skill and knowledge of the design teams, who were thoroughly knowledgeable about the actual problems and conditions experienced by the operating crews.

The utilities became accustomed to this situation, assuming perhaps, at least for the PWRs, that the operation of nuclear units which used this type of reactor was relatively easy and could be adapted to a simple, largely manual control system which had already been proven effective in marine engineering applications for naval propulsion and in the first PWR installations for power production in the 1960s.

The situation was completely different for the gas cooled reactor (GCR) and pressurized heavy water reactor (PHWR) nuclear power plants, because their control systems since the early 1970s were highly automated and based on software programs in digital control computers. This relatively high degree of automation improved the safety and operational economics of the specific GCR and PHWR designs.

2.1.3. Importance of human-machine interface

The importance of the human-machine interface for ensuring safe and reliable operation of NPPs had been recognized by the nuclear energy community long before the TMI and Chernobyl accidents. For instance, one of the first Specialists' Meetings sponsored by the IAEA International Working Group on Nuclear Power Plant Control and Instrumentation (IWG-NPPCI), in 1975, concerned control room design.


The main subjects discussed at that time were:

Use of VDUs as the primary display interface with the operator, because with these devices it has become possible to integrate a large amount of information and display it in a compact manner.

FIG. 1. First generation control room, LaSalle Generating Station Unit 1 (BWR).

FIG. 2. Second generation control room, Gentilly 2 Generating Station, Hydro Quebec, Canada.


FIG. 3. Third generation control room, Chooz B Generating Station, EDF, France.


FIG. 4. An idealistic view of a future control room.


Elimination of the need for unnecessary operator reach for information by bringing condensed information to the operator rather than sending him scurrying around to collect and correlate individual pieces of data.

Wider use of human factors expertise.

Alarm analysis, alarm suppression, incident diagnosis, identification of desired response patterns.

The concepts of operator support and human factors have been increasingly used to better define the role of control rooms. In the late 1970s the impact of analysis results from the TMI accident considerably accelerated the development of recommendations and regulatory requirements governing the resources and data available to operators in NPP control rooms, and specified facilities for teams of experts in a position to assist them in case of an accident.

The regulatory documents published by the US Nuclear Regulatory Commission (NUREG-0696, NUREG-0700 and NUREG-0737), which relate mainly to the ergonomics of control boards and panels, resources and facilities to deal with emergency situations (emergency response facilities, ERF) and post-accident instrumentation, were widely adopted for design improvements made to control room systems of light water cooled NPPs.

Various different OSS applications are already operational or under development (see Section 3.4).

2.1.4. International efforts and standards

The exchange of technical information in the nuclear energy community, pushed by international organizations such as the IAEA, ISO and IEC, has contributed to the recognition among the utilities, the manufacturers, the designers and the safety authorities of the advantage of NPP standardization for economy and safety.

To meet this goal the IAEA and the IEC have produced useful standards and documents. The most significant of these guidelines are those which refer to control room design and the use of computers in systems important to safety.

For instance, this guideline will refer particularly to IEC 964: Design for control rooms of NPP; IEC 965: Supplementary control points for reactor shutdown without access to main control rooms; and IEC 960: Functional design criteria for safety parameter display for NPP [1, 6, 7]. The exchange of NPP and fossil plant operational experience between European utilities (e.g. UNIPEDE) also contributed to the guideline, particularly in the domains of computerized operator support systems and a life extension replacement strategy for instrumentation and control.

At the same time the constant evolution of electronic component technology has led to a tremendous increase of digital computer usage in process control in general. This evolution is reflected in the proceedings of the Specialists' Meetings or Symposia sponsored by the IAEA. For example:

Procedures and systems for assisting the operator during normal and abnormal NPP situations.

Use of digital computing devices in systems important to safety.

Computer based aids for operator support in NPP.

Man-machine interface¹ in the nuclear industry.

Communication and data transfer in the NPP.

¹ Wherever the term man-machine interface is used it is intended to mean the same as human-machine interface.


Recognizing the evolution of the design of NPP control rooms and the importance of the improvements made in many countries, the IAEA commissioned at the end of the 1980s an expert to prepare a review report on the basis of visits to NPPs and research and development centres in several countries [2]. A summary of this report is included in Section 2.

2.1.5. The challenge of control room retrofits

The economic lifetime of instrumentation and control systems is much shorter than that of the major process equipment and structures such as turbines and pressure vessels.

The main factors which affect the useful life of I&C are technical obsolescence and functional obsolescence. Increased functionality is achieved mainly through software upgrades; consequently there is an increasing need to be able to modify existing software and build in new software modules.

The retrofit of control rooms in many plants in the world will be a challenge in the near future. The cause of this is not only ageing but also the safety modifications and operational improvements made available by new technology.

In the replacement of equipment and systems, developments, technical trends and supplier policies should be considered, particularly for computer based I&C, where standardization, compatibility and open system architecture make gradual upgrading possible. These points are further considered in Section 5.

2.2. SAFETY CONSIDERATIONS

Safety considerations are critical in the design and operation of control room systems. The man-machine interface provides the media for communicating the plant state to the operators and the mechanisms for the operator to alter the state of the plant. If information is misrepresented because there is a fault in the display systems, the operator may respond incorrectly during a plant upset. Consequently, there may be situations where the correct operation of these systems is critical to ensure public safety. If all of the control room systems were required to meet nuclear grade qualification requirements, the costs and time for implementation would be so great that the functionality of these systems would have to be reduced drastically. Nuclear design engineers in all countries have solved this problem by identifying the small subset of the control room systems that are required to provide the plant status feedback and controls to carry out those operator functions required to respond correctly to the "design basis accident" and Probabilistic Risk Analysis (PRA) scenarios that are analyzed as part of the licensing process for the plant. These systems must be subjected to nuclear safety grade qualification requirements. The result of this process is that a relatively small portion of the control room system is dedicated as "safety systems" that are physically, functionally and electrically isolated from the other systems and subjected to more stringent design requirements. The challenge for the control room system design engineer is to provide an interface to the safety and non-safety systems that alleviates any human factors problems resulting from the differences in design. Section 5.3.1.3 describes the safety classification process in more detail.

2.3. COPING WITH INCREASED COMPLEXITY IN THE CONTROL ROOM

From the production point of view the economic operation of NPPs is emphasized. For maintaining the high availability of the plant, the design of the control room and CRS should support the operators in the following:

Normal operation, including pre-analyzed transients;

Abnormal transients, especially in early fault detection and diagnosis, in order to prevent the situation leading to reactor scrams or the initiation of safety systems;

Outage operation.


The increased size and complexity of NPPs has greatly influenced the operational requirements for the design of the control rooms and their systems. Plant operation is centralized in the main control room. More extensive monitoring of the plant is needed to achieve high availability. As a consequence, the number of indicators, alarms, manual controls etc. in the control room has grown substantially. Load following of the electrical grid is a factor in the operational requirements for utilities in geographical areas with a high percentage of nuclear power supply to the grid.

The following initiatives have been pursued to solve the problems of growing complexity and information overflow in control rooms:

Higher automation levels, i.e. automation of some operator actions.

Utilization of computer technology, e.g. by:
  reducing irrelevant information by means of hierarchization, prioritization, condensing, suppression etc. (see Section 6.2.4);
  supporting operators by further data processing.

Increased presentation by exception.

This development has changed the role of the control room staff from process operation to process management.

2.4. OPERATIONAL EXPERIENCE

Since the first commercial nuclear power plant was commissioned in 1956, the nuclear power industry worldwide has accumulated more than 5000 reactor-years of experience, and to date nearly 20% of the electrical power generated in the world is produced in nuclear power plants. More than 430 nuclear power plants are in operation in 26 countries.

The operational experience of plants shows that, for the safety and productivity of nuclear power, operator action is very important. Investigations indicate that human error is the main contributing factor in the incidents which have occurred. Table I shows selected major nuclear power plant accidents related to the man-machine interface [8].

Accident reports indicate that, in addition to procedural and manipulative errors, operators committed errors in the interpretation of the accident scenario and took inappropriate actions.

The scenarios of the TMI accident in 1979 and the Chernobyl accident in 1986 are well known, as several detailed analyses of them have been made and published. Nevertheless, it seems useful to recall the following lessons:

- At TMI, because the operators had to base their decisions on a situation which was not clear, many of the actions they took to influence the process during the accident significantly exacerbated the consequences of the initiating events. One of the factors which led to actions being taken that were both inadequate and too late was poor use of the data made available to the operators in the control room. They were unable to process satisfactorily the large amounts of data available to them and had difficulty distinguishing between significant and insignificant information.
- At Chernobyl, the main cause of the accident was a combination of the physical characteristics and safety systems of the reactor and the actions and decisions taken by the operators: proceeding to test at an unacceptably low power level with the automatic trips disabled. Their actions introduced unacceptable distortions in the control rod configuration and eventually led to the destruction of the reactor. The root cause of the human error relates to the lack of a safety culture in the station, which in turn led to, among other things, inadequate knowledge of the basic physics governing the operational behaviour of the reactor.

TABLE I. SELECTED MAJOR NUCLEAR POWER PLANT ACCIDENTS RELATED TO MAN-MACHINE INTERFACE

| Plant | Power (MWe) | Year | Component involved | Period of unavailability | Instrumentation | Procedures | Operator behaviour |
|---|---|---|---|---|---|---|---|
| Windscale | - | 1956 | Fuel | Decommissioned | Unsuitable | Very imprecise | Errors in interpretation |
| Enrico Fermi | 150 | 1966 | Fuel | 4 years | Malfunction | Very imprecise | Errors in interpretation; delay of 15 min in action |
| St. Laurent A1 | 460 | 1969 | Fuel | 1 year | Unsuitable | Incomplete | Errors in interpretation |
| Browns Ferry | 2 x 1067 | 1975 | Instrumentation and control | 1.5 years | Major failure | Imprecise | Very good interpretation; inadequate action |
| TMI-2 | 880 | 1979 | Fuel | Indefinite | Unsuitable | Incomplete | Errors in interpretation |
| St. Laurent A2 | 515 | 1980 | Fuel | 2 years | (cell not recovered) | Imprecise | Errors in interpretation |
| Chernobyl | 950 | 1986 | Fuel containment | Indefinite | Partly unavailable | Incomplete | Errors in interpretation; inadequate and unsafe actions |

Note: the Instrumentation column of the extracted table carries only six entries for seven rows; assigning "Partly unavailable" to Chernobyl rather than to St. Laurent A2 is an assumption.

During the last three decades of reactor operations, the role of control room operators has been shifting from the traditional equipment operator to a modern-day information manager. As such, the cognitive requirements on control room operations personnel to improve availability and reliability and to reduce safety challenges to the plant have increased. These personnel are working with more complex systems and responding to increasing operational and regulatory demands.

As tasks become more complex, involving large numbers of subsystem interrelationships, the effects of potential errors increase both in magnitude and severity.

As the demands and requirements on the operators have intensified, diagnostic and monitoring errors have occurred in power plants, causing reductions in availability and substantial cost consequences. Plant safety has been challenged by misinterpretations of data and incorrect assumptions about plant state. Since the Three Mile Island event, a number of diagnostic aids have been implemented, such as critical parameter displays, saturation and subcooling margins and symptom-based emergency operating procedures. These have all been useful in assisting humans in making their decisions. A number of human factors studies on human-machine interfaces have also been performed. Reliable, integrated information for operational use is therefore a critical element for protecting the utility's capital investment and increasing availability and reliability.

With appropriately implemented digital techniques, human capabilities have been augmented substantially in their capacity to monitor, process, interpret and apply information, thus reducing errors in all stages of information processing. Taking advantage of technological and human engineering advances will continue to help operations personnel to reduce errors, improve productivity, and reduce risk to plant and personnel.

As far as hardware equipment is concerned, today there are large numbers of aging control and protection systems in use that many utilities will eventually decide to replace. Plant safety has been challenged by systems becoming obsolete and difficult to maintain because of difficult manual operation and tests. The availability and quality of spare parts is another area of concern. System and human errors have caused unplanned scrams. In addition, instrumentation and control systems that were designed and built with 1960s technology have become a major contributor to plant operating and maintenance costs. They have become the leading cause of licensee event reports in the United States of America.

In recognition of the problems and needs identified from operating experience, there are major industry efforts underway to take advantage of that experience. One is the design and construction of new plants with modern control room systems, such as the French 1450 MW N4 plant and the Japanese 1300 MW advanced BWR plant. The other is the upgrading and backfitting of existing control room systems, including control and instrumentation as well as human-machine interface systems.

2.5. TRAINING

The training and qualification of NPP personnel has received much attention since the accident at Three Mile Island. Performance-based technical training programmes requiring a systematic approach to training (SAT) have been stressed. The IAEA has developed a guideline on the topic that Member States should consider when designing new training strategies for NPP personnel. This guideline is published as IAEA-TECDOC-525, "Guidebook on Training to Establish and Maintain the Qualification and Competence of Nuclear Power Plant Operations Personnel" [9].

The performance-based, systematic approach to training requires that job performance requirements are known and that these requirements form the basis of each specific job-related training programme. The systematic approach requires that potential training needs are analyzed. These potential training needs arise from a variety of sources including: job performance evaluations, plant modifications and procedure changes, operating events, NPP specific operating experience, and industry operating experience. Once identified as a training need, the requisite training is designed, developed, implemented and evaluated in a consistent, professional and systematic manner. Evaluations ensure that training effectiveness is achieved, and feedback ensures that improvements are made to training programmes as deficiencies are identified. Thus, the Systematic Approach to Training ensures that training will address job performance requirements, even as changes occur over the lifetime of the NPP.

3. EXISTING CONTROL ROOM SYSTEMS FEATURES

LWRs and PHWRs are the main consideration here. Some features will be taken from the AGR.

LWRs are provided with CRS which can include the following sub-systems:

- Main control room
- Local rooms and local central points
- Back-up control room
- Radiation monitoring centre
- Grid control centre
- ERF, TSC
- Comfort and documentation rooms.

In recent years some of these sub-systems have been added or modified after the first start of the plant because of operational experience or safety requirements.

3.1. CONTROL ROOM LAYOUT

There is often a common control room for two units, but for the last generation of LWR plants the separation criteria between units are more clearly marked and even separate control rooms have been developed. Part of the reason for this trend is that some utilities have found that their operating staff perform better if they are organized into teams largely dedicated to individual units.

The control room layout is dependent on the type of the plant, the automation of the unit, the manufacturer of the NSSS, the operational strategy and the operator team structure, which are themselves also closely dependent on the capability of the utility. Generally the layout matches the operator team composition, which very often consists of a shift supervisor and two operators for the primary and secondary sides of the unit. The most modern designs follow the experience of PHWR and AGR, where the layout of the control room is designed for one operator sitting near the main control board, which includes a single integrated control system for the primary and secondary sides (e.g. Fukushima Daini, see Figure 5).

The influence of the manufacturers is pertinent to the control room layout of the PWR, particularly in the USA where there are several NSSS manufacturers and many small utilities (e.g. Trojan, Diablo Canyon, Waterford, etc.).

Some other similar influences can be observed. For instance, Scandinavian control rooms inherit German design practices. Russian control rooms, on the other hand, inherit US design practices.

It happens that the same layout concept may be adopted by a single utility for different NPP types. Good examples are the Gundremmingen and Mulheim Kaerlich control rooms, which are operated by the same utility, RWE. An example of the standardization of the control room human/machine interface for BWRs is TEPCO's operations at the Kashiwazaki station, where Toshiba and Hitachi alternate from unit to unit.

FIG. 5. Fukushima Daini NPP Unit 3, Tokyo Power, Japan.

The control room concept for the AGR allows instant and ready access to preselected information and control by one or two operators from a seated position. The design is based on the principle of modularity: it consists of a primary control work station, a secondary control work station, a safety work station, a supervisor's work station and separate engineering and maintenance support stations. These work stations include the controls and displays required for both NSSS and BOP; they also provide useful information for supervisory and engineering personnel.

3.2. PANELS AND DISPLAYS

Generally control room panels are subdivided by systems, the main systems being NSSS, BOP, safety systems, electrical systems and auxiliary systems. Very often their location on the control board is divided into three parts:

- Main control board, used for steady state power operation, power control after hot shutdown and diagnosis in the early stage of abnormal operation.
- NSSS auxiliary control boards, used for startup and shutdown operations, and post-accident operation of primary systems.
- Turbine generator auxiliary control boards, used for startup and shutdown operations, and post-accident operation of secondary systems.

For LWRs this situation is more apparent on the BWR than on the PWR.

The positioning of displays, indicators and controls on the panels or desks has been based on criteria which have been established more and more clearly since TMI.

The semi-active wired mimic diagrams used in the plants of the 1970s have been replaced in the plants of the 1980s by an extensive use of colour screen displays driven by computers which handle the input signals associated with control systems and plant equipment and components.

Radical change appears with the development of advanced control room design. For instance, conventional panels disappeared completely in the N4 and Kashiwazaki 5 and 6 control rooms except for the auxiliary safety panel, as conventional monitoring and control systems have been eliminated, with the reactor being fully operated by computerized control systems.

3.2.1. Human engineering enhancements after TMI

Human factors engineering is an interdisciplinary specialty which has an influence on the design of equipment, systems, facilities and operational environments to promote safe, efficient and reliable operator performance. Ideally human engineering methods should be applied throughout the design process, from concept development to system implementation. Before TMI the human factors aspects (HFA) were taken care of by the I&C designers without assistance from HFA specialists. Often a new design was an evolutionary development of an existing one, and operating experience combined with common sense was the main input. After TMI, human factors engineering became more structured and more specialists were educated. Special research programmes also provided the required theoretical basis for the design engineering.

Following TMI, since the early 80's, human factors reviews of control rooms have become mandatory in several countries and guidelines for these reviews have been established. The NRC in the USA has issued a requirement to follow a Standard Review Plan for human factors [10]. Modifications have been made during scheduled extended outages in existing plants.

For instance, the French 900 MW(e) series modifications to the layout were done between 1983 and 1986 on all 28 units of the CP1 and CP2 series presently in service. These modifications were based on studies and interviews of operators and training simulator instructors, which allowed the extraction of the principal requirements. These were then applied to all panels and were further studied using a full scale simulator. Twenty-one rules or principles for the modifications were identified, including the following examples:

- Division of panels into clearly identified functional assemblies and their clear identification,
- Standardization of the relative position of display and control assemblies,
- Identification of control functions by the form and position of the escutcheons,
- Identification of each panel by the use of only one alphanumeric code,
- Use of active mimic diagrams.

For plants such as the French 1300 MWe series, Doel 4, Tihange 3, Brokdorf and Tsuruga 2, which were being constructed after TMI while the design was still in progress, ergonomic studies and panel and desk layout design were done on full scale mock-ups in collaboration with the future owners, and the main result was the systematic use of colour screens (Brokdorf unit 1, for instance, uses the PRINZ data manipulation and presentation system developed by Siemens). For the plants where construction was nearly complete after TMI, changes were limited to the panels related to safety and post-accident monitoring. Some examples are:

- Identification by colour, red or orange, and/or by functional grouping of post-accident measurements.
- Identification by colour coding of different values or different types of parameters such as temperature, pressure, level, neutron flux.
- Identification by shape of switches used for valve control, pump control or signal selection.
- Identification by area of instrumentation and replacement of abbreviations with more complete descriptors.

3.2.2. Use of modern information technology

The use of modern information technology has evolved slowly. Progress in PWRs resulted from the development of the ERF and the SPDS. For Canadian PHWRs and Japanese LWRs the use of modern information features has developed rapidly.

For instance, nine CRTs are on the panels of the CANDU Darlington control centre units. There are also three on the operator's console. A CRT terminal is used for periodic tests of the ECI. A further two are used to test the two shutdown systems located on the panel. Using a hierarchical system, 2000 colour graphics pages related to systems and equipment on each unit are accessible on CRTs, either by keyboard or light pen (ordinarily using only two steps). Three hundred graphic pages are mimic diagrams of systems. From a system mimic diagram, via a light pen, one can access a more detailed equipment schematic or other related graphics. Measurements are shown graphically on bar-graphs with adjustable scales, trend indicators and setpoint margins. There is extensive use of trend charts (on CRTs). A conventional panel approach is used for safety and maintenance shutdowns. Panels have semi-active mimic diagrams and functionally divided areas identifying the controls necessary for hot and cold shutdowns.

It seems that the manufacturers GE and Westinghouse influenced the design of many control rooms in the USA, Japan and Taiwan, but not in Germany and Sweden.

Major advances have been made related to human factors for many NPPs including Gundremmingen B and C, Forsmark 3, Fukushima Daini 3 and 4, Ohi 3 and 4, etc. For instance, colour CRTs are available for display in the Forsmark 3 control room.

Very often a utility or a country has established a common practice for control rooms for different types of conventional NPPs. This can result in control rooms for different plants, delivered by different companies, being the same. A typical example is the control rooms for Fukushima Daini 3 and 4, which were built by Toshiba and Hitachi.

The control room designs of Grand Gulf 1 and Susquehanna 1 and 2 are the most advanced in the United States. They are the result of the programme for the design of "Advanced Control Rooms" carried out by GE in the 70's, which led to the development of the NUCLENET 1000 system. In the Susquehanna control rooms there are 16 colour CRTs connected to 8 display generators, which in turn are connected to two redundant data processing systems including the display control system, which controls the displays on the screen, and the plant monitor system, which controls process measurements, fuel use and the programming of the control rods. More than 200 different displays are available on the CRT screens. The display system makes it possible to display on the various CRTs the main displays associated with the 9 phases of unit operation: hot shutdown, cold shutdown, start-up to the critical state, power ascension, operation at rated power, etc.

The most advanced control room in Russia is at Balakovo NPP, where 10 CRTs (6 colour, 4 monochrome) are installed. They are used for presentation of core characteristics and plant systems. Mostly "non-treated" process data is presented, but more intelligent systems are planned (i.e. OSS).

3.3. ALARMS AND ANNUNCIATORS

This is an area where much work is being done. Filtering of alarms and data presentation are continuously being improved owing to operational feedback and analysis of the most significant incidents. Improvements are also due in large part to new computerized data handling techniques and, most recently, to experiments using expert systems and neural networks. As a result, it has become increasingly difficult to distinguish the alarm system from OSSs.

The function of annunciators can be broken down into four decision making phases: detection, identification, planning and execution. Twenty-five annunciation functions have been identified (see Table II). These functions are grouped by the predominant decision-making phase. Fifteen of the functions fall within the detection and identification decision-making phases.

3.3.1. Windows and screen displayed alarms

There are many alarms: approximately 1200 for a 3 loop PWR, and the number can reach 2500 for a 4 loop PWR. Too often, the alarms are still presented to operators via differently coloured hardwired windows, with the result that the operators are swamped with information.

To relieve this load a colour coded alarm hierarchy has been adopted by some utilities. A typical scheme is the following:

- Red: immediate action required by the operator to correct the fault, with the means of action being in the control room.
- Yellow: action required, the time delay for action being defined by the nature of the fault and the location of the controls available to the operator.
- White: information indicating a change of state or an automatic action being taken.
- Green: automatic action being taken by the safety systems; operators must immediately verify that the action requested by the system was done.

Auditory alarms and annunciators with some coding principles have also been used. Capabilities and characteristics are usually limited as follows (IEC 964 A4.1.2): range of optimum frequency 500 Hz to 3000 Hz; levels of intensity between 60 dB and 90 dB, and for emergency signals 90 dB to 100 dB. Auditory coding by frequency is used, but no more than three signals of different frequencies are recommended. Intensity coding for auditory annunciation has been used in some countries, but it is not widely used and cannot be recommended.

The use of computers for data manipulation and display can greatly reduce the number of windows. That is how the number of alarm windows was reduced from 1200 for the French 900 MWe PWR to 300 for the 1300 MWe series. Computers display an additional 2200 alarms on CRTs in the 1300 MWe series plants. This reduction is not so drastic for all units. For example, South Texas 2 has 700 hardwired windows in the control room with another 900 windows, related to the safety system, driven by a computer using 1700 digital signals as input. The data handling system of Mulheim Kaerlich (PWR), which uses four computers handling 4000 alarms, the majority of which are displayed on CRT, has 400 alarms hardwired to windows with a regrouping of these alarms at the operator's console.

Identification of the first-out alarm(s) which trips the reactor or the turbo-generator group is done systematically in most plants.

3.3.2. Improvements made with the feedback from operating staff

The improvements made or in the process of being completed on most units are the result of feedback from operating staff. Based on the remarks of the operators the following basic concepts have been formulated and applied:

- The alarm hierarchization should be established at the conceptual design level, i.e. classification according to the degree of urgency of reaction by the operators and not as a function of the seriousness of the fault.
- Any fault occurring, persisting or ending, and any unscheduled change of state, must be signalled and differentiated (by a dual visual and audible process) to bring it to the attention of the operating personnel.
- As a corollary, any alarm occurring must correspond to a fault, taking into account the current state of the unit. This necessitates the operator being aware of the situation and taking any necessary corrective action. In particular this principle implies the creation of an inhibit function to eliminate "nuisance" alarms associated with reactor shutdown.

When a unit is operating normally and generating power without malfunctioning, no alarm signals must be on; this is termed the dark panel concept. This principle has been adopted in many countries, e.g. Canada, Sweden and Japan.

Finally, in the event of a trip or when an incident occurs, the avalanche of "alarms" caused must be limited to those showing the first fault or faults, the changes of state and the resulting safety actions, as well as any deviations in the functioning of the automatic sequences implemented.
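The colour hierarchy of Section 3.3.1, the first-out identification mentioned above and the principles just listed (classification by urgency of reaction, signalling of faults both occurring and ending, a state-dependent inhibit function for nuisance alarms, the dark panel concept, and limiting the post-trip avalanche to the first fault, the changes of state, the safety actions and any deviations in the automatic sequences) can be combined into one small alarm-processing pipeline. The following Python code is a worked example added for this edition; it is not code from the report or from any plant's alarm system, and the alarm tags, plant states, trip and consequence attributes and the event log are all constructed for illustration.

```python
# Added example (not from the IAEA report): a minimal alarm-processing model that
# applies the principles of Sections 3.3.1 and 3.3.2. Alarm tags, plant states,
# trip/consequence attributes and the event log are constructed for illustration.
from dataclasses import dataclass
from enum import Enum


class Urgency(Enum):
    """Colour hierarchy of Section 3.3.1, ordered by urgency of operator reaction."""
    RED = 1      # immediate operator action, means of action in the control room
    YELLOW = 2   # action required, delay set by the fault and the control location
    WHITE = 3    # information: change of state or automatic action taken
    GREEN = 4    # automatic safety-system action; operator must verify it happened


POWER, SHUTDOWN = "POWER", "SHUTDOWN"
ALL_STATES = frozenset({POWER, SHUTDOWN})


@dataclass(frozen=True)
class AlarmDef:
    urgency: Urgency
    valid_states: frozenset            # states in which the alarm is a genuine fault
    trip_cause: bool = False           # can trip the reactor or the turbo-generator
    expected_after_trip: bool = False  # normal consequence of a trip, not a new fault


# Constructed alarm database with hypothetical tags.
ALARM_DB = {
    "RCS_PRESS_HIGH":    AlarmDef(Urgency.RED,    ALL_STATES, trip_cause=True),
    "SG_LEVEL_LOW":      AlarmDef(Urgency.YELLOW, ALL_STATES, trip_cause=True),
    "TURB_SPEED_LOW":    AlarmDef(Urgency.YELLOW, frozenset({POWER})),  # nuisance when shut down
    "RX_TRIP":           AlarmDef(Urgency.WHITE,  ALL_STATES, expected_after_trip=True),
    "GEN_BREAKER_OPEN":  AlarmDef(Urgency.WHITE,  ALL_STATES, expected_after_trip=True),
    "FW_PUMP_TRIP":      AlarmDef(Urgency.YELLOW, ALL_STATES, expected_after_trip=True),
    "SI_ACTUATED":       AlarmDef(Urgency.GREEN,  ALL_STATES),
    "AUX_FW_FAIL_START": AlarmDef(Urgency.RED,    ALL_STATES),  # automatic sequence deviated
}


@dataclass(frozen=True)
class Event:
    t_ms: int
    tag: str
    active: bool  # True = fault occurring, False = fault ending (both must be signalled)


def state_inhibit(events, plant_state):
    """Inhibit function: drop alarms that are not a fault in the current plant state."""
    return [e for e in events if plant_state in ALARM_DB[e.tag].valid_states]


def first_out(events):
    """Tag of the earliest occurring trip-cause alarm, or None if nothing tripped."""
    trips = [e for e in events if e.active and ALARM_DB[e.tag].trip_cause]
    return min(trips, key=lambda e: e.t_ms).tag if trips else None


def limit_avalanche(events, trip_tag, window_ms=30_000):
    """Within the window after the first-out alarm keep only the first-out itself,
    changes of state (WHITE), safety actions (GREEN) and faults that are not an
    expected consequence of the trip, i.e. deviations in the automatic sequences."""
    if trip_tag is None:
        return list(events)
    t_trip = min(e.t_ms for e in events if e.tag == trip_tag and e.active)
    kept = []
    for e in events:
        d = ALARM_DB[e.tag]
        in_window = t_trip <= e.t_ms <= t_trip + window_ms
        if (e.tag == trip_tag or not in_window
                or d.urgency in (Urgency.WHITE, Urgency.GREEN)
                or not d.expected_after_trip):
            kept.append(e)
    return kept


def active_tags(events):
    """Tags still active after replaying the log in time order."""
    state = {}
    for e in sorted(events, key=lambda e: e.t_ms):
        state[e.tag] = e.active
    return {tag for tag, on in state.items() if on}


def dark_panel_ok(tags, plant_state):
    """Dark-panel concept: at power with nothing wrong, no alarm may be lit."""
    return plant_state != POWER or not tags


def present(events, plant_state):
    """Pipeline: inhibit -> first-out -> avalanche limit -> order by urgency, then time.
    Returns (rows, inhibited_count, suppressed_count, first_out_tag)."""
    valid = state_inhibit(events, plant_state)
    fo = first_out(valid)
    kept = sorted(limit_avalanche(valid, fo),
                  key=lambda e: (ALARM_DB[e.tag].urgency.value, e.t_ms))
    rows = []
    for e in kept:
        status = "FIRST-OUT" if (e.tag == fo and e.active) else ("OCCURRING" if e.active else "ENDING")
        rows.append((e.tag, ALARM_DB[e.tag].urgency.name, status))
    return rows, len(events) - len(valid), len(valid) - len(kept), fo


# Constructed event log: reactor trip on high RCS pressure, one expected consequence
# (feedwater pump trip) and one deviation (auxiliary feedwater failed to start).
SAMPLE_LOG = [
    Event(0,    "TURB_SPEED_LOW", True),
    Event(1000, "RCS_PRESS_HIGH", True),
    Event(1200, "RX_TRIP", True),
    Event(1500, "GEN_BREAKER_OPEN", True),
    Event(1800, "FW_PUMP_TRIP", True),
    Event(2000, "SI_ACTUATED", True),
    Event(2500, "AUX_FW_FAIL_START", True),
    Event(9000, "RCS_PRESS_HIGH", False),
]

if __name__ == "__main__":
    for state in (POWER, SHUTDOWN):
        rows, inhibited, suppressed, fo = present(SAMPLE_LOG, state)
        print(f"{state}: first-out={fo} inhibited={inhibited} suppressed={suppressed}")
        for row in rows:
            print("   ", *row)
```

Run stand-alone, the script presents the same log once at power and once at shutdown: at power the low turbine speed alarm is a genuine fault and is shown, whereas at shutdown the inhibit function removes it; in both states the feedwater pump trip, an expected consequence of the reactor trip, is suppressed inside the post-trip window, while the auxiliary feedwater failure, a deviation in the automatic sequence, stays at red priority and the ending of the initiating fault is still signalled. The design choice worth noting is that suppression is driven only by plant state and a per-alarm expected_after_trip attribute, not by any attempt to interpret the semantics of the avalanche, which is the kind of simple scenario-independent logic Section 3.3.3 reports as effective.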

32

Page 34: Control room systems design for nuclear power plants · 2006. 8. 7. · Control room systems design for nuclear power plants ... INTERNATIONAL ATOMIC ENERGY AGENCY. The IAEA does

The mixture of window and CRT alarms is increasingly being used, most often with additional information associated with the alarm being displayed on the CRT. This is based generally on processing several thousand digital inputs.

In many units the alarms noted originate from post-accident Class 1E qualified instruments. Some of these alarms are used as inputs to EOPs. For instance, some unit specific alarm windows indicate the following accidents: boron concentration too low (based on control rod position), loss of coolant accident, steam generator tube rupture, low steam pressure.

TABLE II. SUMMARY OF ANNUNCIATION FUNCTIONS

Detection: Inform the users of deviations that have occurred in the plant that affect or could affect the plant operational goals
1. Direct the user's attention to system and equipment malfunctions.
2. Direct the user's attention to the occurrence of an event.
3. Assist users to track the execution of automatic actions.
4. Alert users of undesirable values and trending of Critical Safety Parameters.
5. Alert users of impending loss of production.
6. Alert users of impending loss of main plant functions.
7. Alert users of impending equipment and systems malfunctions.

Identification: Point users to information for evaluating the extent of the abnormality
8. Enhance the user's ability to understand the process status even under fast transient situations.
9. Support users in associating alarm signatures to events.
10. Indicate alarms caused by the malfunction of instrumentation.
11. Help identify the root cause of malfunctions.
12. Alert users of the unavailability of a dormant system.
13. Assist users to determine the system and equipment state.
14. Support users in handling conditions that exceed the design basis for the plant.
15. Support users in handling conditions that may result in failure to comply with operating license regulations.

Planning: Point users to information for determining corrective actions
16. Predict the effects that the user's actions may have on safety and production aspects of the plant.
17. Guide users in the selection of applicable operating procedures.
18. Provide the means to summarize data to support communications between different users.

Execution: Assist in coordinating actions and confirm that actions have corrected the deviations
19. Support teamwork in execution of actions.
20. Alert users of off-normal selection of equipment.
21. Annunciate the success or failure of the operator's actions.
22. Record the sequence of events.
23. Support operators in post-accident situations.
24. Support users in testing systems and equipment.
25. Support commissioning of the systems.

3.3.3. Alarm avalanche mitigation

The problem of "alarm avalanche" has long been a classical problem in nuclear power plant (NPP) human-machine interface design. It has been a critical research issue for nearly thirty years. It is a problem that NPP operators face when a large number of alarms are presented in a short period of time (e.g. in case of a plant scram).

When it happens, operators are said to have great difficulty understanding the situation and also identifying the root cause of the anomaly. Many references describe how operators are confused by the alarms, suggesting that they try to interpret what the alarm means in the context of the situation and then become confused due to the great quantity of alarms.

However, a human factors study recently carried out in Japan has shown that the nature of the problem is somewhat different [11]. The study has suggested the following:

1. In a situation where a large number of alarms are activated (e.g. a transient), the operators are overloaded with verification and control tasks. They are so overloaded that they cannot carry out all tasks immediately and leave some less important verification tasks for a later time. They rarely acknowledge alarms, and there is not the slightest evidence of their trying to interpret alarms.

2. It can be said from the design and operational viewpoints that the operators do not acknowledge alarms for the following reasons:
   - There are no operational reasons for the operators to interpret alarms. Nothing of any operational value will be obtained even when alarms are analyzed.
   - There are reasons for operators to monitor alarms for verifying component status, but it is more readily done with other displays (e.g. switch lamps). Consequently, there are no reasons for operators to monitor alarms when they are overloaded with other more important tasks.

3. It can be said that the confusion is not the real problem of the alarm avalanche. The real problem is the delay in detecting alarms that indicate the failure of some components which are important for mitigating the initial failure that caused the transient.

These findings can have a significant impact on the choice of remedial measures, because they suggest that any attempt at alarm analysis is not operationally meaningful.

In the same study carried out in Japan, researchers tried to resolve the problem just by reducing the number of alarms without trying to interpret the semantic relationships of alarms. This approach has led them to the successful completion of an alarm handling system which uses only simple scenario independent logic. The logic was formulated based on only three simple rules. The system has achieved an alarm reduction rate of up to 90%. The researchers also successfully demonstrated that the system can eventually improve operator performance. The system has been fully applied to the latest Japanese PWR (Ohi Unit 3 of Kansai), which will start commercial operation in 1992. Various dynamic alarm processing systems are being developed in other countries.

This example clearly shows the importance of grasping the true nature of the problem through careful observation of human operators. Though it is believed that the findings summarized above hold true for many NPPs all over the world, it is recommended to carry out a careful human factors study before deciding on any technical approach. There are a number of possibilities (e.g. operational rules) that may change the nature of the problem.

In any case, it has to be borne in mind that technology is needed to resolve problems, but the technology itself cannot tell whether or not it makes the right design choice. It is fair to say that such an innovative approach as "functional alarming" will demand a total reconsideration of the alarm system itself, rather than mere handling of existing alarms alone.

3.3.4. Alarm processing expert systems

Alarm processing expert systems have recently been installed in control rooms. Generally they use a dedicated computer connected to the centralized data processing and acquisition computers. For example, the EXTRA EdF system at the Bugey station minimizes the number of alarms during loss of one or more electrical power sources. It fulfils three objectives:

- Continual identification of the availability of the major plant subsystems;
- Diagnosis of the alarms raised and contact-driven suggestions of the incident instructions to be applied;
- Indication of the limits of the diagnosis carried out and precautions to be taken when restoring power.

Good results are anticipated for these alarm processing expert systems, but before they can be operational, they need extensive validation tests on simulators.

3.3.5. Advanced control room alarm systems

In the advanced control room concept alarm sheets are displayed on a CRT screen. For instance, in the N4 control room (see Annex A) 3300 sheets are available. Each alarm sheet gives the operator the correct procedure to follow for initiation of control action and gives access to other information such as operating procedures.

3.4. OPERATOR SUPPORT SYSTEMS

Operator support systems (OSSs) are discrete computer systems or functions of the plant process computers that are based on intelligent data processing and are not part of the basic instrumentation and control. They support but are not necessary for the plant operation or safety. Applications are mostly "real-time" and "on-line", so off-line systems, such as work planning, were excluded. Annex A describes the IAEA activity on operator support systems.

In addition to control room operators, users of OSSs include operations staff management, technical specialists (e.g. engineering reactor physicists), maintenance staff, emergency management and sometimes safety authorities.

Even though there often seems to be a long delay from the R&D phase to a practical application, there are several different systems or functions either in operation or under development in NPPs that can be regarded as OSSs. These can be classified as follows:

1. Task oriented displays
2. Intelligent alarm handling
3. Fault detection and diagnosis
4. Safety function monitoring
5. Computerized operational procedures presentation
6. Performance monitoring
7. Core monitoring
8. Vibration monitoring and analysis
9. Loose part monitoring
10. Materials stress monitoring
11. Radiation release monitoring
12. Condition monitoring maintenance support.

In practice, systems taken into operation or under development might combine the functions presented above, e.g. safety functions and procedural guidance. Typically the first seven OSSs listed above are implemented as functions of plant process monitoring systems (PMS), but diagnosis and safety function monitoring can be found as stand-alone applications, even though materials stress monitoring, for example, has been implemented in a PMS as well. Sometimes vibration and loose part monitoring run in a common computer system.

This integration with PMSs also reflects the types of users and user needs of OSSs. For the first five OSSs the main users are control room operators, who also utilize the results of computation programmes (items 6 and 7). Items 8, 9 and 10 are for specialists and maintenance staff, and OSS no. 11 is for emergency staff together with authorities. No. 12 (condition monitoring maintenance support) is related to the co-operation of maintenance staff and control room operators. Naturally the operation management uses the OSSs as well, especially when the local area network technique makes it possible to distribute the information through computer displays around the plant.

In the following, the function and purpose of the OSSs are described with examples of practical applications and their operational status.

1. Task oriented displays

The function is primarily to present relevant plant information to support operators in specific tasks such as start-up, shutdown and other transients by optimizing information type, form and presentation. Typical examples are operating point (x-y) diagrams and curves for optimum operation in transients, indicating the operating area and possible limits and their violation.

There are simple applications operational in many countries and a limited number of more complicated ones, having also safety relevance and perhaps licensing requirements, which are expected to be operational in the near future.

2. Intelligent alarm handling

The function is to support operators in understanding the information given by the alarms, especially in plant transients where alarm overflow is often a problem. This is done by logical reduction and masking of irrelevant alarms, synthesizing them, dynamic prioritization based on the process state, first alarm indication, displaying the alarm state of subsystems or functional groups of the plant, etc.

Applications of intelligent alarm handling are operational in some countries. Further development is in progress, e.g. to improve the degree of alarm reduction and the display philosophy.
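The reduction techniques listed above (first alarm indication, masking of consequential alarms, state-dependent prioritization and a per-subsystem alarm state) can be demonstrated with a small scenario-independent processor. This is an added example, not code from the report or from any plant system; the alarm tags, cause/consequence relations, plant states and priorities are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Alarm:
    tag: str      # alarm tag (constructed names below)
    t: float      # seconds since the start of the transient
    group: str    # functional group / subsystem the tag belongs to


@dataclass
class ProcessedAlarm:
    alarm: Alarm
    priority: int                    # 1 = highest .. 3 = lowest, 0 = not relevant in this plant state
    first_out: bool = False          # first alarm of the transient (first alarm indication)
    masked_by: Optional[str] = None  # earlier alarm that explains this one (consequential alarm)

    @property
    def displayed(self) -> bool:
        return self.masked_by is None and self.priority > 0


class AlarmProcessor:
    """Scenario-independent reduction: no semantic diagnosis, only fixed
    cause->consequence relations, a state-dependent priority table and time order."""

    def __init__(self, consequences: Dict[str, Set[str]],
                 state_priority: Dict[str, Dict[str, int]],
                 default_priority: int = 3, window_s: float = 60.0):
        self.consequences = consequences        # cause tag -> tags it is known to produce
        self.state_priority = state_priority    # plant state -> {tag: priority}
        self.default_priority = default_priority
        self.window_s = window_s                # how long a cause keeps masking its consequences

    def process(self, alarms: List[Alarm], plant_state: str) -> List[ProcessedAlarm]:
        table = self.state_priority.get(plant_state, {})
        out: List[ProcessedAlarm] = []
        for a in sorted(alarms, key=lambda x: x.t):
            pa = ProcessedAlarm(a, table.get(a.tag, self.default_priority))
            # Consequential alarm: an earlier alarm inside the window is a known cause.
            # Masked causes still mask their own consequences, so chains collapse to the root.
            for earlier in out:
                if a.t - earlier.alarm.t <= self.window_s and \
                        a.tag in self.consequences.get(earlier.alarm.tag, set()):
                    pa.masked_by = earlier.alarm.tag
                    break
            out.append(pa)
        if out:
            out[0].first_out = True
        return out

    @staticmethod
    def display_list(processed: List[ProcessedAlarm]) -> List[ProcessedAlarm]:
        # What the operator sees: unmasked, relevant alarms ordered by priority, then time.
        return sorted((p for p in processed if p.displayed),
                      key=lambda p: (p.priority, p.alarm.t))

    @staticmethod
    def group_summary(processed: List[ProcessedAlarm]) -> Dict[str, int]:
        # Alarm state of each functional group: its most urgent displayed priority.
        summary: Dict[str, int] = {}
        for p in processed:
            if p.displayed:
                g = p.alarm.group
                summary[g] = min(summary.get(g, p.priority), p.priority)
        return summary


def reduction_rate(raw: int, shown: int) -> float:
    return round(100.0 * (raw - shown) / raw, 1) if raw else 0.0


# Constructed cause->consequence relations for a loss of off-site power (LOOP).
DEMO_CONSEQUENCES = {
    "LOSS-OF-OFFSITE-POWER": {"BUS-A-UNDERVOLTAGE", "RCP-1-TRIP", "RCP-2-TRIP", "FW-PUMP-TRIP"},
    "RCP-1-TRIP": {"RCS-LOW-FLOW-LOOP1"},
}
# Constructed priority table; tags absent from a state get the default priority (3).
DEMO_STATE_PRIORITY = {
    "power_operation": {"LOSS-OF-OFFSITE-POWER": 1, "DIESEL-GEN-A-FAIL-TO-START": 1,
                        "RCS-LOW-FLOW-LOOP1": 1, "COND-VACUUM-LOW": 2},
    "cold_shutdown": {"LOSS-OF-OFFSITE-POWER": 1, "DIESEL-GEN-A-FAIL-TO-START": 1,
                      "COND-VACUUM-LOW": 0},   # condenser vacuum is irrelevant when shut down
}
# Constructed transient: eight raw alarms, of which the last is the one that must not be lost
# (failure of a component needed to mitigate the initial failure).
DEMO_ALARMS = [
    Alarm("LOSS-OF-OFFSITE-POWER", 0.0, "ELEC"),
    Alarm("BUS-A-UNDERVOLTAGE", 0.2, "ELEC"),
    Alarm("RCP-1-TRIP", 0.5, "RCS"),
    Alarm("RCP-2-TRIP", 0.5, "RCS"),
    Alarm("FW-PUMP-TRIP", 1.1, "FW"),
    Alarm("RCS-LOW-FLOW-LOOP1", 2.0, "RCS"),
    Alarm("COND-VACUUM-LOW", 3.0, "COND"),
    Alarm("DIESEL-GEN-A-FAIL-TO-START", 4.0, "ELEC"),
]


def demo(plant_state: str = "power_operation"):
    proc = AlarmProcessor(DEMO_CONSEQUENCES, DEMO_STATE_PRIORITY)
    processed = proc.process(DEMO_ALARMS, plant_state)
    return processed, proc.display_list(processed)


if __name__ == "__main__":
    processed, shown = demo()
    for p in shown:
        print(f"P{p.priority} t={p.alarm.t:4.1f} {p.alarm.tag}{'  (FIRST)' if p.first_out else ''}")
    print("groups:", AlarmProcessor.group_summary(processed))
    print(f"reduction: {reduction_rate(len(DEMO_ALARMS), len(shown))}%")
```

In the constructed transient the eight raw alarms reduce to three displayed ones, and the diesel generator failure stays visible at top priority instead of being buried under consequential trips.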

3. Fault detection and diagnosis

The function is to alert operators to problems and to aid them in diagnosing those before the normal alarm limits are reached, where simple alarm monitoring is impractical or where complex situations cannot be revealed by alarms or alarm logic. Examples are:

- Fault monitoring of protection logic and associated electrical supplies, fuel pin failure detection and prediction.
- Detection and identification of leakages, e.g. in the primary circuit based on mass balance.
- Model-based fault detection for components (e.g. preheaters) and measurement loops.

The examples described above are already operational in many countries. Present applications are not safety-related, but it is obvious that safety issues will be relevant in the future in this developing area.

4. Safety function monitoring

Examples include critical safety function monitoring, SPDS, etc. Their function is to alert the operators to the safety status of the plant. This is based on the monitoring of derived critical safety functions or parameters, so that operators can concentrate on maintaining those safety functions. The severity of the threat which challenges the functions, as well as guidance in the recovery, might be given too. In some cases relevant emergency procedures are referred to and the implementation of corrective actions is supervised.

Applications are already operational or under development in many countries, even though sometimes integrated with other operator support functions. Safety authorities increasingly require those to be provided, but they are not classified as safety grade systems.

5. Computerized operational procedures presentation

The function is to complement written operating and emergency procedures by computerized operator support. For instance:

- Guiding the operator to the relevant procedure
- Presentation of procedures dynamically and interactively on displays
- Follow-up monitoring of actions required in the procedures.

Simple operator guidance related to safety function monitoring is already operational in some countries. At least one plant-wide application is under development. Safety issues will be relevant in the future in the areas of fault detection and diagnosis.

6. Performance monitoring

The function is to calculate and monitor the efficiency and optimum operation of main pumps, turbine, generator, condenser, steam generators, preheaters, etc. in order to detect developing anomalies. The reactor thermal energy can be calculated, as well as heat, electricity and mass balances. The computation is based on physical equations and plant measurements, which must be accurate enough to guarantee reliable results.

Applications are operational in most countries.

7. Core monitoring

The function is to calculate and monitor the operation of the reactor and fuel, for instance in order to maximize the energy output of the fuel while still keeping adequate operating margins. Examples are:

- Load following and simulation/prediction.
- Reactor power distribution and burn-up.
- Prediction of Xenon, critical Boron.

Computation is based on reactor physics and in-core measurements (neutron flux, temperature). Applications are operational in most countries.

8. Vibration monitoring and analysis

The function is to reveal, in an early phase, failures of rotating machines such as turbines and main pumps by monitoring the shaft vibration using Fourier analysis methods. Systems are operational in most countries. Under development are expert systems for aiding the technical specialists in analysing the often voluminous results of the monitoring system.

Even though systems are typically stand-alone or common with loose parts monitoring, they might be connected to the PMSs to submit information also to the control room operators.

9. Loose part monitoring

The function is to detect loose parts in the reactor circuit based on noise analysis methods.

Systems are operational in most countries. Safety authorities sometimes require these to be provided, but normally there is no acceptance procedure.

10. Materials stress monitoring

The function is to monitor and predict cracks in pipes, tanks, vessels, etc. This is based on counting the thermal transients of the critical points, on the results/special arrangements, and on calculation of stresses and cracks using physical or empirical algorithms.

Applications are operational in some countries, both real-time and non-real-time systems. They are mostly dedicated stand-alone systems but can also be implemented as a function of a PMS. Safety authorities typically require those to be provided, but normally there is no acceptance procedure.

11. Radiation release monitoring

The function is to monitor, in plant emergencies, the radiation release to the plant environment for the plant emergency staff, authorities, etc. The evaluation is based on deviation models using radiation measurements of the plant and meteorological measurements as the source data. Applications are operational in almost every country. Safety authorities typically require them to be provided, but normally there is no acceptance procedure.

12. Maintenance support

The function is to support the maintenance staff and control room operators in the execution and supervision of maintenance activities. Examples are computerized work permits and orders, tagging of components under maintenance, calibration and testing aids, etc.

These are typically non-real-time functions of larger maintenance computer systems, dedicated systems or functions of process monitoring systems (e.g. automatic calibration).

Various different applications are operational in most countries. Appendix D describes the Equipment Status Monitor functions in a CANDU station.

3.4.1. Allocation of functions to OSS

It is widely recognized that the OSS is becoming an indispensable element of the human/machine interface. OSSs are expected to play a critical role in decreasing workload and also in enhancing operator performance. For a totally CRT-based control board (e.g. control boards for the French N4, Japanese APWR and ABWR), it is no longer a mere enhancement, but an integral part.

Due to the sophisticated computational techniques used, the OSS tends to behave more like a human than a mere machine. Researchers believe that it is necessary to design the OSS in such a way that it functions more like a consultant than an instructor. If it is designed as an instructor, operators will become followers. This will cause a variety of problems similar to those caused by irrelevant function allocation between human and machine (i.e. automation). For this reason, it is crucially important to decide the function allocation between the human and the OSS, and also the form of the OSS, such that the OSS remains subordinate to the human (i.e. a tool).

3.5. HUMAN OPERATIONAL FACTORS

As human operators play a primary role in the safe and reliable operation of the nuclear plant, plant control rooms must provide human operators with an environment and organizational system to optimize operator performance and productivity. In the design of control room systems, this is referred to as human operational factors, which consist of organizational factors and environmental factors.

3.5.1. Operations organizational factors

The operations organizational factors generally consist of operator team staffing, operator shifting and operator training. Team staffing can differ from country to country or plant to plant. A possible staffing for the main control room is described below. A common practice is that the team also includes operators for autonomous local control rooms. Examples of such local control rooms are:

- Electrical grid control
- Medium and low waste handling
- Water make-up.

Operator team staffing for a control room typically includes two Reactor Operators (RO), a Senior Reactor Operator (SRO), and a Shift Technical Advisor (STA), or a Safety Engineer as called by some countries.

ROs are responsible for monitoring and control of the activities at the control room panels, including manipulations of controls that change the state of plant operations and stabilize the plant during unanticipated events. There are generally two ROs in each shift, with one RO focusing on the engineered safeguards and nuclear steam supply panels and the other RO primarily in charge of the balance of plant and the electrical panels.

An SRO is typically a shift supervisor responsible for all activities inside the control room during a shift. In addition to supporting ROs as needed, his job requires him to maintain overall cognizance of the plant status, including the monitoring of safety status, radiation environment and operating procedures.

An STA or Safety Engineer is an operator who has an engineering degree and whose main role is to advise and help the shift supervisor in case of abnormal transient, incident or accident conditions. In some countries the STA is not a member of the control room team. Very often an STA is a qualified engineer within another department who can be called on at short notice.

Operator shifting for a nuclear plant control room typically consists of six shifts. There are three shifts to cover the twenty-four-hour responsibility of control room operations, one shift is on training duties, one shift is on testing and surveillance, and the sixth shift is on vacation and rest. The six-shift arrangement has been prevalent throughout the world's nuclear plants, primarily for the purpose of reducing the operators' workload and to permit improvement of the training and education of control room operators.

Operator training, retraining and education have increasingly become a routine function of an operator's job. This reflects the recognition of the importance of the operator's role not only for reliable production of electricity, but also for protection of the enormous capital investment and public safety. In many countries, guidelines and criteria have been produced to cover aspects of recruitment, education, training and qualification of operation personnel as well as training instructors.

An important training tool is the full-scale training simulator. These simulators use powerful minicomputers that are capable of simulating real-time plant dynamics with interactive human/machine interfaces which are replicas of plant control rooms. During training sessions, operation personnel undergo various monitoring and control practices for plant start-up, shutdown, and management of transients and accidents. Many plants and sites are provided with small-scale engineering simulators or part test simulators for training of special operator aspects.

3.5.2. Operations environmental factors

In the existing control rooms, human factors principles and evaluations have been applied in establishing ambient environmental conditions, such as illumination, sound and climate, to promote effective personnel performance. Additionally, habitability features, such as personal convenience, space, aesthetic considerations, safeguards against common hazards, etc., are specified to promote personnel comfort, morale and safety.

Lighting units are used to provide adequate illumination to support required operation task performance. The lighting may be varied for different purposes, such as monitoring of gauge readings from panels, reducing glare and reflection on CRT displays, or reading procedures and drawings on operator tables, etc.

Sound can be generated from many sources. In addition to human traffic in the control room, alarms, line printers, paging loudspeakers and ventilation equipment are sources of noise that can interfere with operator communications and contribute to operator stress. Operation guides under the responsibility of shift supervisors have been implemented to control unwanted noise levels.

Distribution and adjustment of heating, cooling and ventilation are common concerns that contribute to discomfort. In addition, low humidity in control rooms with carpeting can produce static electricity which causes shocks and may destabilize meter readings, or disrupt the computer system.

Human factors for habitability considerations are also important in existing control room design. These include working spaces, storage, furnishing, cables and cords, as well as resting and eating areas, etc.

3.6. PROCEDURES

Procedures are instructions for personnel to perform their tasks. Procedures for control room operators include normal operating procedures for start-up and shutdown of the plant, surveillance and testing procedures for equipment, alarm response procedures, and emergency operating procedures. These procedures are the most important elements of the human/machine interface for control room operators.

When an alarmed condition occurs, an operator's primary responsibility is to identify and respond to the deviation. The operating sequence controls are documented in the alarm response procedure. The procedure guides the operators to diagnose the cause of the alarm and to take the necessary corrective actions. When the deviated plant conditions lead to a number of multiple alarms too large for operators to trace the sources by following the procedures, it is important that the operators have access to, and be trained in, symptom-based procedures designed to cope with this situation.

EOPs are operating procedures that are given special consideration because they are part of the safety analysis and documentation which are submitted to nuclear regulatory bodies to license nuclear power plants.

In the past, particularly before TMI in 1979, EOPs were "event oriented" because the operator first diagnoses the event causing a plant upset before executing the procedure designed to mitigate the consequences of the event. Most NPPs are now modifying their EOPs so that they are at least partly "symptom oriented". An essential element is identifying a small group of plant "vital parameters" from process measurements that are critical to plant safety. The symptom oriented procedures monitor these vital parameters, take into account the availability of the safety and safeguard systems, and instruct the operator to perform actions that stabilize the plant in a safe state regardless of the nature of the disturbance. On the other hand, the event based procedures are sequential in nature. Though they are easier for operators to apply, they require that the operators diagnose the events correctly. In an accident scenario with multiple failures, such as the case of the TMI accident, the dynamic phenomena are complex and sensor readings can be misleading, and the demand on operators to diagnose events correctly can be an enormous challenge.

A good example is the R&D effort made by EdF since 1981 to generalize the use of symptom oriented procedures to "Cooldown of the reactor after an unsuccessful use of event oriented procedures" in order to satisfactorily resolve all types of potential accident situations. These "state based procedures", which have been designed and validated, are able to establish:

(a) Identification of all possible states of the nuclear steam supply system, which are finite in number. It is impossible to identify all combinations of events.

(b) Diagnosis of the state of the plant which is valid throughout the accident.

(c) A direct relationship between each state and the required action.

These new generalized state-oriented procedures have been applied in the French PWR 1300 MWe units since 1991 and will soon be extended to the PWR 900 MWe units.

Emergency Procedure Guides (EPG) have been produced as a result of cooperation among nuclear utilities, vendors and licensing authorities. These EPGs have been converted to plant-specific EOPs by each plant. Before application in control rooms, the EOPs are verified and validated in control room simulators by operators. The EOPs are used by operators in their training and qualification process and have been produced in flow chart or two-column formats.

3.7. COMMUNICATION SYSTEMS

Communication system design influences the efficiency and effectiveness with which information exchange can occur among personnel. Exchanges involving control room operators and personnel at remote or local stations (e.g., auxiliary operators and maintenance technicians) are of primary interest. Such exchanges of information supplement or verify displayed information, and advise control room operators of changes in plant conditions not reflected by control room displays. Usually, the information must be communicated quickly and without undesirable distortion.

While the major emphasis in communications system design is on satisfying information and response requirements derived from task analyses, other communication needs are also of interest. For example, personal and security communication needs, as well as communications required by government regulations such as the Nuclear Data Link or by utility policies and procedures, should be addressed. All such needs are considered in producing a well-integrated communications system.

The communications system in a nuclear power plant typically includes paging, conventional and sound-powered telephones, radios, fax machines and computer networks that enable personnel to send and receive messages. An effective system incorporates integrated equipment capabilities, permitting the message sender to select who will receive it, alerting the receiver to an incoming message, and providing a sufficient number of channels for intelligible information exchange.

During backfitting with wireless communication systems it has been observed that such systems can disturb electronic equipment. It is therefore recommended to be careful when installing such equipment, or to install it only in areas without sensitive electronic equipment.

Human factors guidelines have been established to enable designers to define desirable transmission characteristics, recommending noise compensation mechanisms as well as other detailed design features, and defining assessment methods.

Emerging standards such as the EPRI ALWR Requirements are calling for communication systems that are 100% wireless and capable of providing centrally managed crisis conferencing amongst diverse individuals at many locations and levels of authority [5]. In order to provide sufficient capability of communication systems (both verbal and non-verbal, but critical to operator or operational crew performance), these systems have usually been redundant.

3.8. INFORMATION CONFIGURATION CONTROL

An important concern for control room systems is the accuracy and correctness of the data which they use as input. Considerable work has been done developing sophisticated signal validation techniques. However, this is only part of the solution. Techniques need to be implemented which assure that the correct data is being accessed and used. Information sources and documents, such as plant drawings, plant models, computer-aided design data bases, equipment descriptions and procedures, must be kept up to date. On-line real-time data should be time stamped and should be checked to ensure that the correct parameter and time step are used. Similarly, plant archival and trend data should be checked to ensure that the correct data is being used. Software configuration control is also important to assure that the proper version is being utilized.

The importance of supplying the correct information to control room systems cannot be overstated. These systems will perform control and safety functions which affect the plant directly. They will also perform monitoring, display, diagnostic and decision aid functions. The output of these functions will be used by the plant staff to make their decisions for operating the plant. If the input to the control room systems is not correct and accurate, then the output of these systems will be faulty and the wrong actions will be taken.
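The input checks called for above (correct parameter, time stamp and time step, matching configuration version) can be made explicit at the boundary where a control room function consumes on-line data. This is an added example, not code from the report or from any plant system; the tag names, point data base version strings and sample values are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Sample:
    tag: str                # parameter identifier as delivered by the data acquisition system
    unit: str
    t: float                # time stamp, seconds
    value: float
    point_db_version: str   # version of the point data base that produced the sample


@dataclass(frozen=True)
class InputSpec:
    tag: str                # parameter the consuming function was designed for
    unit: str
    period_s: float         # expected time step between consecutive samples
    max_age_s: float        # a sample older than this (relative to now) is stale
    point_db_version: str   # configuration version the function was validated against


def check_sample(spec: InputSpec, s: Sample, prev: Optional[Sample], now: float) -> List[str]:
    """Return the reasons a sample must not be used (an empty list means accepted)."""
    faults: List[str] = []
    if s.tag != spec.tag:
        faults.append(f"wrong parameter: got {s.tag}, expected {spec.tag}")
    if s.unit != spec.unit:
        faults.append(f"unit mismatch: {s.unit} vs {spec.unit}")
    if s.point_db_version != spec.point_db_version:
        faults.append(f"configuration mismatch: {s.point_db_version} vs {spec.point_db_version}")
    if now - s.t > spec.max_age_s:
        faults.append(f"stale: {now - s.t:.1f}s old")
    if s.t > now:
        faults.append("time stamp in the future")
    if prev is not None:
        dt = s.t - prev.t
        if dt <= 0:
            faults.append("time stamp not increasing")
        elif abs(dt - spec.period_s) > 0.5 * spec.period_s:
            faults.append(f"time step {dt:.1f}s, expected {spec.period_s:.1f}s")
    return faults


def validate_stream(spec: InputSpec, samples: List[Sample],
                    now: float) -> Tuple[List[float], Dict[float, List[str]]]:
    """Split a stream into accepted values and rejected samples keyed by time stamp.
    The time-step check compares each sample with the preceding one in the stream,
    so a gap is reported once, on the first sample after it."""
    accepted: List[float] = []
    rejected: Dict[float, List[str]] = {}
    prev: Optional[Sample] = None
    for s in samples:
        faults = check_sample(spec, s, prev, now)
        if faults:
            rejected[s.t] = faults
        else:
            accepted.append(s.value)
        prev = s
    return accepted, rejected


# Constructed specification for one consuming function and a constructed 1 Hz feed.
SPEC = InputSpec("RCS-T-HOT-L1", "degC", period_s=1.0, max_age_s=30.0, point_db_version="PDB-2.3")
NOW = 109.0
DEMO_SAMPLES = [
    Sample("RCS-T-HOT-L1", "degC", 100.0, 318.2, "PDB-2.3"),
    Sample("RCS-T-HOT-L1", "degC", 101.0, 318.3, "PDB-2.3"),
    Sample("RCS-T-COLD-L1", "degC", 102.0, 289.9, "PDB-2.3"),  # another parameter routed into the feed
    Sample("RCS-T-HOT-L1", "degC", 103.0, 318.5, "PDB-2.3"),
    Sample("RCS-T-HOT-L1", "degC", 106.0, 318.9, "PDB-2.3"),   # two time steps missing
    Sample("RCS-T-HOT-L1", "degC", 107.0, 319.0, "PDB-2.2"),   # produced by an outdated point data base
    Sample("RCS-T-HOT-L1", "degC", 108.0, 319.1, "PDB-2.3"),
    Sample("RCS-T-HOT-L1", "degC", 60.0, 317.0, "PDB-2.3"),    # late-arriving archival value
]

if __name__ == "__main__":
    ok, bad = validate_stream(SPEC, DEMO_SAMPLES, NOW)
    print("accepted values:", ok)
    for t, reasons in sorted(bad.items()):
        print(f"rejected t={t:6.1f}: {'; '.join(reasons)}")
```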

3.9. OTHER CONTROL ROOM SYSTEMS

The control room staff has in many countries responsibilities for tasks other than process supervision. Typical such tasks are:

- Fire detection and fighting
- Access control
- Preparation of work permits.

In order to carry out these responsibilities, equipment is located in the control room and very often integrated with other equipment.

3.10. ELECTRO-MAGNETIC INTERFERENCE

EMI (Electro-Magnetic Interference) can cause equipment damage or malfunctions.

The interference can be introduced into the equipment by electrostatic or magnetic fields or directly through cables.

As modern digital equipment is sensitive to this kind of interference and at the same time the EMI level is increasing in NPPs, it is recommended to address this aspect as early as possible in the design process. A frequently used standard for specifying EMI requirements is given in [12].

Methodology

Depending on the frequency of occurrence the interferences are divided into two classes:

- Normal (frequency more than once per plant lifetime)
- Seldom (less than once per lifetime).

The philosophy for the consequences is similar to that for earthquakes (OBE, SSE) and is described here. The methodology to design against EMI is as follows:

1. To reduce the generation of EMI at the sources (thyristor equipment, EMP, lightning, wireless communication).

2. To limit the consequences by locating the equipment away from sources.

3. Proper design of the cable installation and selection of cable types.

4. Design of the enclosures of the equipment.

5. Specifying and purchasing equipment qualified for EMI.

6. Administrative procedures limiting the use of wireless communication devices.

It is interesting to observe that EMI is a problem for the whole industry. The use of specific IEC standards may solve part of the problem.

Another observation is that regulatory bodies are today specifying external events such as EMP and lightning strokes which shall not influence the safety of the plant. Regulatory bodies are in some cases asking utilities to measure the strength of fields in their plants. This is being required to assure that EMI levels will not interfere with electronic equipment.

Conclusion

1. Protection against EMI shall be an integrated part of the design for the plant layout, equipment installation and equipment design.

2. The EMI aspect shall be addressed as early as possible in the plant design (as opposed to the equipment design).

4. PRESENT TECHNOLOGY FOR CONTROL ROOM SYSTEMS

4.1. CONVENTIONAL HARD-WIRED EQUIPMENT

Even though computerization is growing in the control room, panels and consoles with dedicated indicators, manual controls, alarm annunciators, etc. will still be used, especially in the extension and backfitting of existing systems. Safety considerations may also require the use of hard-wired technology.

Panels and consoles can be connected directly to conventional I&C cabinets, or they can also be driven by computerized I&C systems.

Flexible mosaic tiles are recommended for their flexibility over fixed metal constructions. However, there may be some problems with seismic qualification.

4.2. COMPUTER SYSTEMS FOR CONTROL ROOM SYSTEMS

4.2.1. General

All new nuclear plants and most operating plants now utilize process computers to implement part of the control room information system. As computer costs decrease and reliability increases, computers are being used more extensively. The increased functionality provided by computer systems yields significant benefits. The use of computers also creates problems that must be solved by CRS designers. For example, additional costs must be justified, information overload must be avoided and provision must be made to deal with the possibility of rapid obsolescence, because the technology is changing so rapidly.

4.2.2. Computer architecture

There are three classic forms of computer hardware architecture as they are applied to CRS system design:

1. Centralized Redundant Computers

Figure 6 illustrates a typical dual redundant centralized computer system where one computer is in control and the other one is running in "hot standby". When a fault is detected by the self-checking in the controlling computer, the "hot standby" computer takes over.

FIG. 6. Centralized computer systems. (figure: dual computers driving the control outputs)

2. Distributed Computing (functional distribution)

Functional distribution provides for multiple computers to dynamically share the total computingload. The computing tasks are allocated amongst a number of separate control processing units whichare interconnected in a communication network. Although the computing tasks are distributed, theprocessors are not geographically distributed to achieve cost saving and simplification in wiring,cabling and termination.

3. Distributed Control (geographic distribution)

Figure 7 illustrates a typical distributed control architecture where the processing isgeographically distributed. The processors are located close to the inputs and outputs to the plant.This architecture can provide substantial cost savings and reliability benefits because the conventionalwired analog and relay logic is replaced by more highly standardized self checking digital systemmodules. Because such configurations are relatively new and because they require greater performanceand faster response, there is slightly more technical risk in such an architecture.

4.2.3. Hardware

Computer hardware continues to advance as central processor performance improves in terms of faster instruction execution times and larger random access memory storage capability. At the same time, video display unit technology is evolving rapidly, producing high resolution, high quality, rapidly changeable colour CRT displays. These two technologies have been packaged together along with a general purpose keyboard to produce what is called a "work station", which provides the CRS designer with a powerful off the shelf graphics display module that can be used as a component in the system design.

4.2.4. Software

In recent years there has been significant improvement in basic systems software such as operating systems and data base management systems. Progress has been made in the direction of "open systems" because software is now being written in compliance with industry standard specifications such as the IEEE POSIX standard, which will make it possible to run the same software on many different hardware platforms. De facto standards such as the UNIX operating system are even more important to accommodate a wide range of existing platforms and software.

[Figure 7 (diagram not reproduced): sensors, valve controllers and motor controllers connected to the processors over dual data-highway cables]
FIG. 7. Distributed control.

Because of the improvements in computer and VDU functionality, computer system and instrumentation suppliers are now providing application software development tools that essentially provide the basic software building blocks that will permit an electric utility company to complete the design, implement and validate the detailed CRS software. These tools do not require extensive software engineering or programming expertise. The existence of these tools makes it possible and, in fact, desirable, for utility plant staff to undertake the detailed design, implementation and validation of the CRS. The role of the NSSS vendor or its instrumentation subcontractor should now be limited to providing the hardware, system software design and verification. With the aid of the full scope training simulators that are now required before start-up, the utility personnel can carry out the CRS validation by confirming that the plant operators are able to carry out the prescribed operator training simulator exercises.


Software quality is essential for successful implementation and licensing of Control Room Systems for new plant and retrofit applications [1, 13-15]. Software quality is achieved by careful attention to the following requirements:

- Properly trained and experienced software development staff;
- Comprehensive, clearly documented software requirements and specifications;
- A well organized and clearly documented and understood software development process based on a pre-established software life cycle;
- Use of proven, up to date software development tools such as compilers, editors, graphics interpreters, de-bugging facilities, and file revision control tools;
- Documented validation and verification to the level required in the software development process in accordance with the degree of nuclear public safety functionality in the software;
- Thorough, well organized testing;
- Comprehensive software configuration control.

To ensure regulatory approval of the CRS software the following steps should be taken:

(1) Classify the software in accordance with the guidelines in [16] to establish the level of software quality, validation and verification required.

(2) Declare compliance with a recognized existing software quality standard such as [17-19] or [14] depending on the degree of safety criticality of the software.

4.2.5. Fault tolerant architecture

Power plant control system design agencies are creating innovative combinations of the three basic architectures described in Section 4.2.2 in order to achieve a high degree of fault tolerance: resistance to a single failure and other forms of failures of components, subsystems, software and operator input.

The CANDU distributed control illustrated in Figure 7 is one example. Another example, illustrated in Figure 8, was conceived by the B&W Owners' group in conjunction with EPRI in the United States. Such redundant control systems have also been developed in other countries and installed in new or older power plants.

A triple modular redundant architecture ensures high reliability. Using voting logic, the architecture eliminates any one faulty signal out of three without interrupting control signals. The system is also insensitive to the failure of a single computer component, such as a central processing unit, a bus, or a communications module.

Design studies have identified the critical input signals whose failure during operational transient events may lead to a plant trip. These critical signals follow triply redundant paths. The analog and digital output signals from the three redundant central processing units are voted on before being passed to the actuators, which ensures highly reliable control signals. To reduce the complexity and cost of the system, a dual-redundant configuration handles noncritical input signals.
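The voting logic described in the two paragraphs above, as an added example that is not code from the report or from the EPRI/B&W design: a mid-value select for three analog channels, a majority vote for three digital channels, and the weaker dual-redundant handling of noncritical signals, where a disagreement can be detected but not resolved. The tolerances, the constructed channel values and the hold-last-good rule for the dual path are assumptions made for illustration.

```python
# Added example, not from the IAEA report or the EPRI/B&W design: voting
# logic for triply redundant critical signal paths and a dual-redundant
# noncritical path.  Tolerances, sample values and the hold-last-good rule
# are assumptions for illustration.
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Union


@dataclass
class VoteResult:
    value: Union[float, bool, None]  # value passed on (None = no valid value)
    faulted: List[int]               # indices of channels the vote disagrees with


def vote_analog_2oo3(channels: List[float], tol: float) -> VoteResult:
    """Mid-value select for three analog channels.  The median is passed on,
    so a single channel can drift or fail to any value without moving the
    output; a channel more than `tol` from the median is flagged."""
    if len(channels) != 3:
        raise ValueError("2oo3 vote needs exactly three channels")
    mid = median(channels)
    faulted = [i for i, v in enumerate(channels) if abs(v - mid) > tol]
    return VoteResult(mid, faulted)


def vote_digital_2oo3(channels: List[bool]) -> VoteResult:
    """Majority (two-out-of-three) vote for three digital channels."""
    if len(channels) != 3:
        raise ValueError("2oo3 vote needs exactly three channels")
    result = sum(channels) >= 2
    faulted = [i for i, v in enumerate(channels) if v != result]
    return VoteResult(result, faulted)


def select_dual(channels: List[float], tol: float,
                last_good: Optional[float]) -> VoteResult:
    """Dual-redundant noncritical path.  Two channels can detect a
    disagreement but cannot tell which one is wrong, so on disagreement the
    last good value is held and both channels are flagged for maintenance."""
    if len(channels) != 2:
        raise ValueError("dual selection needs exactly two channels")
    a, b = channels
    if abs(a - b) <= tol:
        return VoteResult((a + b) / 2, [])
    return VoteResult(last_good, [0, 1])


def run_demo() -> Dict[str, VoteResult]:
    """Constructed signal samples: three pressure channels with one
    transmitter failed low, a trip contact with one stuck channel, and a
    noncritical temperature pair that first agrees and then diverges."""
    pressure = vote_analog_2oo3([154.8, 155.1, 0.0], tol=1.0)
    trip = vote_digital_2oo3([True, False, True])
    temp_ok = select_dual([290.0, 290.5], tol=1.0, last_good=289.75)
    temp_bad = select_dual([290.0, 305.0], tol=1.0, last_good=temp_ok.value)
    return {"pressure": pressure, "trip": trip,
            "temp_ok": temp_ok, "temp_bad": temp_bad}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: value={result.value} faulted={result.faulted}")
```

The failed-low pressure channel is excluded without any interruption of the value passed to the actuator, which is the property the text attributes to the triply redundant paths. The limit of the scheme is also visible: with two channels failed to the same wrong value, `vote_analog_2oo3` selects that value and flags the healthy channel, so a 2oo3 arrangement tolerates one fault at a time and the flagged channel must be repaired before a second fault occurs.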

The designers have selected specific commercial lines of hardware for the distributed control system and the voter. However, a utility could use competing products to implement the generic architecture shown in Figure 8.

[Figure 8 (diagram not reproduced): critical inputs pass through signal conditioning onto triply redundant paths; noncritical inputs pass through signal conditioning onto a dual data highway; links are marked as two-way communication (read and control) or one-way communication (read only)]
FIG. 8. The EPRI/B&W fault tolerant computer configuration.

4.3. DISPLAY DEVICES

4.3.1. Visual display units (VDUs)

Several different types of VDUs are available. These include the following:

- CRT;
- Plasma Display (PD);
- Liquid Crystal Display (LCD).

Among these VDUs, CRT and PD are widely used in the nuclear industry. The CRT is a well established display device which has a number of attractive features:

- Multi-colour presentation;
- High visibility;
- High reliability;
- Powerful software environment (e.g. full graphics control, window management).

The general trend is to replace discrete units for recording and presentation of process values with CRTs.


However, for countries where strict seismic qualification is required, the use of CRT for safety and safety-related functions is more difficult and costly. This is the reason why other display devices such as PD are used for those functions, although, until recently, their display capability was limited (i.e., monochrome). Presently LCD can provide multi-colour display capability.

4.3.2. Controls

The integration of display and control is believed to facilitate control tasks which are highly dynamic and done under time pressure. Placing information relevant to control tasks in the vicinity of control device displays may reduce the workload associated with verification activities and the occurrence of human errors. It also contributes to the design of a compact control board, which is believed to have its own merits of reducing workload.

For these reasons, integrated displays and controls using touch sensitive CRT screens are becoming a general trend. This is especially true for non-safety related control tasks. The Advanced BWR and PWR control rooms developed in Japan illustrate this trend.

Interactive control can be achieved through many combinations and permutations of control devices and visual displays. Figure 9 provides a compact summary of the various user input devices available today.

4.3.3. Auditory devices

Multi-modal interaction may provide a more flexible and robust interface environment. For instance, the same set of information can be presented to the operator through graphic and auditory media simultaneously. This enables a redundant information presentation. Two different sets of information can be presented similarly. This way of presentation may convey more information to the operator in a limited time period. The combination of conventional control devices and an auditory input device may facilitate control tasks, enabling the operator to use both his or her hands and voice.

Among such interface devices that can be used in conjunction with conventional devices, the voice announcement system (VAS) is considered a well developed technology. VAS has already been applied to the latest Japanese PWRs (i.e. Ohi Units 3 and 4 of Kansai). Nevertheless, its specific application forms do not seem to be well standardized. In the case of the Ohi application, VAS is used to announce that break-points are reached during automatic start-up and shut-down operations. A different VAS application is to use it as a means to alert the operator to a very limited number of critical situations such as when critical safety functions are threatened. There could be many other forms of application. However, it should be borne in mind that the operator very often fails to acknowledge auditory messages. Therefore, a means must be provided to facilitate acknowledgement or to demand a reply. Adding a meaningless but distinctive sound (e.g., a chime) before auditory messages has been demonstrated to provide an effective means of facilitating the acknowledgement.

4.4. USE OF SIMULATOR FOR CRS DESIGN

Full scope simulation of the main control functions of the plant is very effective to support CRS design and its verification and validation.

In general, such simulators are developed for two main purposes:

1. Validation of the functional design of the control room and the control functions of the plant in accordance with the human factors engineering principles applied to operation in normal, incidental and accidental conditions.

2. Training of the team of plant operators.

For first and second generation control rooms, simulators were introduced after the construction of the plant. Full scale mock-ups of control desks and control panels were nevertheless used for control-board layouts, choice of type symbols for equipment controls and indicators, and they are still used as a working tool for back-fitting of the control room after design reviews for ergonomic improvements. This tool was, for instance, used by EDF for the design of a new layout of the control room desk and panels of 28 identical 900 MWe PWR units after the TMI accident.

[Figure 9 (diagram not reproduced): application areas shown are air traffic control, avionics, electronic information system, nuclear power plant, analyst work station, simulation training, battlefield command, control, communications and intelligence (C3I), flight scheduling and personal computer]
FIG. 9. User input devices for human-machine interface.


For the third generation NPP with an advanced control room, full scale simulators are systematically needed for the design and V&V of the control room. These simulators include computers for the simulation of the entire plant and full scale mock-ups of the CRS with real work stations, including integration of the dialogue and processing necessary for operation under normal, incidental and accidental conditions, and also a mimic board giving overall views of the plant. Verification and validation (see Section 5.4.5.2) of the design of the control room and also its improvement is made with a great number of tests carried out with several plant operator teams.

The test program must cover all the normal situations of plant operation (from cold shutdown to full power), the major transients, as well as certain incident and accident situations. Each operator team undergoes the same program of operations. During tests, ergonomic and technical observers follow the operators' reactions. These tests are conducted in 2 phases:

Phase 1 - Concerns the definition of improvements needed for man/machine interfaces: addition of information and alarms, modification of components, integration of the entry processing and dialogues for operating aids (procedures, operating area layouts), task preparation and execution, adaptation of operators, flexibility in the framework of the team environment.

During Phase 2 consideration will be given to the feedback from Phase 1 and integration of improvements will be made. Tests will be made again with the same operator teams and some others for validation of the improvements. In this phase priority will also be given to the assessment of post accident operation.

5. DESIGN PRINCIPLES AND METHODOLOGIES

5.1. DESIGN STANDARDS

There are many national and international design standards that can be used to perform the detailed design for a new control room or for retrofit changes to existing control rooms.

This document identifies the following standards, which are widely recognized and used by nuclear industry CRS designers. Each of these documents is either an international standard or is recognized worldwide [1, 4-7, 16, 22-24].

1. IEC 964 Design for Control Rooms in Nuclear Power Plants
2. IEC 965 Design for Reactor Shutdown outside the main control room
3. IEC 960 Design for Safety Parameter Display Systems
4. IEEE/ANSI 497 Design for Post Accident Monitoring Systems
5. EPRI, NP3659 Human Factors Guide for NPP Control Room Development
6. IAEA 50-SG-D8 Safety Related Instrumentation and Control
7. EPRI ALWR Requirements, Chapter 10
8. IEC 1225 Nuclear Power Plants - Instrumentation and Control Systems Important for Safety - Requirements for Electrical Supplies
9. IEC 1226 Nuclear Power Plants - Instrumentation and Control Systems Important for Safety - Classification
10. IEC 1227 Nuclear Power Plants - Control Rooms - Operator Controls

5.2. DESIGN TEAMS

5.2.1. Contents of the design team

This document uses the term "design team". In this context the term refers to a multi-disciplinary group which is responsible for the planning, design, verification, validation and implementation of the design of the plant, systems and the man-machine interface. A general problem in the design of control rooms and man-machine interfaces appears to have been that design teams consisted mainly of individuals with control and instrumentation experience and with academic training in engineering or a similar technical discipline. Such a team did not adequately represent the characteristics of the human operator or the requirements of the operating environment.

An essential requirement for CRS designs is to define the composition of the design team. Because there are excellent design standards and design tools available, the team should be small to facilitate communication. It is essential, however, to ensure that individuals on the team have knowledge and experience in such areas as:

1. Control room area and control panel facilities design
2. Instrumentation and control systems design
3. Digital information and communications system design
4. Human factors engineering and cognitive science
5. Nuclear power plant operations management
6. Nuclear power plant hands on operations and maintenance experience
7. Nuclear safety requirements

The specific mix of disciplines depends on the application.

It is required that the team performs some form of functional analysis at an early stage in the design. Such analysis is based on the objectives and tasks established for the station operation staff. This analysis will result in design requirements that will govern the detailed implementation of the design to be carried out by the team.

5.2.2. Division of responsibilities

Division of responsibilities in the CRS design depends on:

- type of project: new plant, retrofit, size capability;
- capability of the utility.

In a new plant an organization is required to take responsibility for the technical assembly. The organization may be the utility itself or an architect engineer or, in turn-key projects, the vendor of the nuclear steam supply system (i.e. Westinghouse, ABB, etc.).

In retrofits the architect engineer is normally not needed but the utility may use a consultant for support.

The following represents an ideal concept for division of responsibilities.

The consulting organization or utility should have responsibility for:

- General requirements and functional requirements (normally before signing the contract);
- functional specifications;
- functional specification and control of detailed design of CR layout, displays and CRS applications software.

Thus the vendor would be responsible for:

- technical specifications for the hardware and systems software;
- delivery of systems and tools for implementation.

Good co-operation between the design teams is necessary. The implementation of this concept, in terms of actual assignment of work scope, depends on a multitude of factors such as the size and technical capability of the utility. Detailed design will be shared between the utility and the vendor.


The IAEA consultants who prepared this report strongly recommend this division of responsibility because they believe that this will result in the greatest quality of the resulting design and implementation. An electric utility purchasing a new nuclear generating plant should possess or be prepared to acquire the skilled resources and facilities to undertake the responsibility proposed.

5.3. DESIGN REQUIREMENTS

The standards given in section 5.1 provide the designer with information to carry out the detailed design for all the CRS. A standard such as IEC 964 should be used as the primary document establishing the requirements and methodology governing the design. The basic requirements and philosophy behind the standard should be clearly documented at the start of the project. The following sections summarize the fundamental principles behind the detailed requirements of these standards.

5.3.1. Design objectives

1. The control room environment

A control room is provided from which the NPP can be operated safely and efficiently in all plant operational states and accident conditions. The control room provides the control room staff with the human/machine interface and related information and equipment, i.e. the communication interface, which are necessary for the achievement of the plant operational goals. In addition, it provides an environment under which the control room staff is able to perform their tasks without discomfort, excessive stress, or physical hazard.

2. Functional design objectives

The principal objectives of the control room design are to provide the operator with accurate, complete, and timely information regarding the functional status of plant equipment and systems.

The design will allow for all operational states, including refuelling and accident conditions, and minimize the workload required to monitor and control the plant, and provide necessary information to other facilities outside the control room.

An additional objective of the control room design is to permit station commissioning to take place effectively and to permit necessary modification of plant design and technological evaluation of the control system.

3. Safety principles

A control room shall be designed to enable the NPP to be operated safely in all operational states and to bring it back to a safe state after the onset of accident conditions. Such design basis events are to be considered in the design of the control room.

Equipment controlled from the control room should be designed, as far as practicable, so that an unsafe manual command cannot be carried out. A typical mitigation is to use a logical interlock depending on the plant status. No common mode software design error can be allowed to produce a direct unsafe result. Account shall also be taken of the need for functional isolation and physical separation where safety and non-safety systems are brought into close proximity.

Appropriate measures shall be taken to safeguard the occupants of the control room against potential hazards such as unauthorized access, undue radiation resulting from an accident condition, toxic gases, and all consequences of fire, which could jeopardize necessary operator actions.


There shall be adequate routes through which the control room staff can leave or reach the control room, or gain access to other control points, under emergency conditions.

4. Extent of automation

Today, it is recognized that automation is necessary for safe, effective operation of a modern nuclear plant. It enhances and extends the capabilities of human operators. While automation has a number of desirable attributes, for a number of reasons, both functional and social, it will never replace human involvement in plant operation or maintenance. There are some functions (e.g. those requiring very fast decision times) that require machine implementation. Other functions are best implemented by humans (e.g. where there is a requirement to apply judgement, reasoning and experience).

5.3.2. Benefits of automation and information systems technology in the control room

A unique and powerful feature of many existing and all new NPP is the relatively high degree of automation and the fact that the dynamic plant state is represented in digital computer memory and logic. Exploiting this advantage and the rapid evolution of digital technology, designers can achieve substantial safety and operational benefits. Some of the most significant features and benefits are the following:

1. Increased time for operators to think and plan - For safety critical plant transients, the period of time for which operator intervention is not required can be extended so that no operator action is required for several hours.

2. Substantial reduction in panel complexity - Many of the fixed indicators and controls can be eliminated from the panels in favour of interactive CRT consoles. Large mimic displays in the control room communicate overall plant status and support group decision making. Consequently, information can be grouped to suit each particular situation. Many functions require shared man machine implementation.

3. Substantial reduction in instrumentation complexity - The replacement of trunk cabling, relays, timers, comparators, etc. with distributed control processors can result in a significant reduction in the I&C hardware component count and the diversity of equipment and suppliers.

4. Elimination of error prone tasks - The objective is to relieve the operator from boring, stressful, time consuming tasks so that he has time to perform as a situation manager. An example is the automation of the periodic testing for the nuclear protection systems.

5. Integrated emergency response information system - This is a safety qualified extension of the comprehensive information management facility available in the control rooms. In the unlikely event of an accident, the operating staff will be familiar with the facility and confident of its availability.

6. Procedure driven displays - The control centre interactive CRT displays are designed to support the tasks called for in the station procedures, organization and operating policies. Since information is no longer fixed geographically on the panels, it can now be packaged to support the tasks underway at any particular time.

7. Critical alarms - During major plant disturbances a facility can be provided to present operators with a short list of strategically critical diagnostic messages.

5.3.3. Safety critical CRS functions

An essential system design requirement is to identify operator functions that are required as part of the design basis accident analysis that forms the basis for the safety and licensing of the associated nuclear station. These functions will then determine what portion of the CRS design must be subjected to nuclear safety grade standards.

A subcommittee of the IEC Reactor Instrumentation Standards Committee (IEC/TC 45, SC45A, working group WG1) has published a standard to classify instrumentation and control systems important to safety for nuclear power plants [16]. Design or utility organizations considering major CRS design or redesign projects should use that standard. Appendix A is an extract from the standard.


5.4. DESIGN PROCESS

IEC 964 describes the requirements for the design process as well as for the system design itself. The following sections identify the essential principles of the design process.

5.4.1. The fundamental principle - task driven design

The most essential philosophical principle is that the design process should first identify the tasks to be performed by the Control Room Systems, then establish job descriptions for the humans who perform the tasks, then design the systems and detailed procedures to carry out the tasks.

5.4.2. Function analysis

A key component of the assignment process is the analysis of the various functions which are required to be carried out. The analysis must cover areas such as start-up, shut down, low power operation, etc. Several techniques are available for this, with the exact choice of technique depending upon the nature of the tasks under analysis, the available skills and resources for analysis and the extent of available plant and operating knowledge (see Appendix C). Where functions have not previously been defined, it may be necessary to carry out some synthesis based on observations of existing functions and other design information.

The function analysis should be broad enough to encompass all areas of plant operation and maintenance and should be carried out with the depth necessary to allow particular automatic features and operator job specifications to be produced. Above all, the analysis must adequately cover operations of the plant under abnormal conditions. The analysis must produce a hierarchy in which the top level functions represent the most general or fundamental objectives of the plant operating staff, i.e. safe, effective generation of electrical power, protection of the public from radiological hazards, etc.

The lowest level set of functions are the sub-functions which must be assigned to man or machine using a methodology such as that described in this document. Application of the methodology described will result in lists of automated functions and functions to be performed by the human operators, which will form the basis for defining operator tasks. It is important that the methodology used and the results obtained be fully documented. This is to enable decisions to be re-examined where necessary and to permit them to be audited when required.

5.4.3. Allocation of functions to human or machine

The IEC 964 standard calls for a systematic process to assign functions to human or machine in the CRS design, but does not define such a process. Under the sponsorship of the IAEA an international working group produced a design guideline document which proposes a suitable methodology [3]. Figure 10 illustrates the process diagrammatically.

The principles of the procedures are described as follows:

The basic goal of the task allocation is to:

- free the operator from the tasks he is not suitable for, and
- assign those tasks to the operator that benefit from the unique human capabilities such as pattern recognition, extrapolation, abstraction and planning activities.

The general criteria to be used in the task allocation are:

- human cognitive strengths should be fully exploited by the designers,
- automation should be used to protect society from the fallibility and variability of humans,
- automation should start with the most prescriptive procedural functions first,
- automation should be used to reduce human cognitive overload,
- tasks which have been assigned to automation should not be returned to manual when the automation fails.

[Figure 10 (diagram not reproduced): starting from "Identify global objectives" and "Identify required system performance", all functions which must be carried out are identified and assigned to one of four groups: functions which must be automated, functions which are better automated, functions which should be given to humans (tasks), and functions which would be shared. The hypothesised task assignments (man / machine tasks) are reviewed against task and activity to achieve balance, human and machine capabilities and limitations, and criteria. Influencing factors shown: existing practice/procedures, feedback from experience, regulations, feasibility, cost, technical, policy, social. Outputs shown: input to plant and C&I design requirements, procedures, staffing requirements, training needs, MMI design needs; the loop closes with a final audit and a step to review and agree the resulting assignments]
FIG. 10. Function assignment methodology.

Consequently, the functions resulting from the function analysis are classified into four groups:

- functions which must be automated, e.g., functions requiring rapid performance, high repeatability or where the consequences of errors are severe;
- functions which are better automated, e.g., lengthy tasks, functions requiring high accuracy or involving a degree of risk to the operator;
- functions which should be assigned to humans, such as tasks requiring humanistic or inferential knowledge or flexibility. This class also incorporates tasks in extreme abnormal and accident situations where automation is difficult or impossible;
- functions which should be shared between humans and machines. Examples of these are found where automation is used to detect and annunciate plant conditions or to provide pre-processed information on the basis of which the operator makes judgements and executes control actions.

Of course, the function allocation is strongly influenced by additional factors, such as existing practices and procedures, operating experience, feasibility and cost. Figure 11 illustrates the interaction of these factors.

Practical applications of this approach are still missing. In particular, the area of function sharing between humans and machines using OSS requires considerable R&D effort.

[Figure 11 (diagram not reproduced): factors shown are engineered safety, operational safety, hardware and software reliability, morale, education, regulation, policy, safety margin, occupational and societal risks, and cost/benefit]
FIG. 11. Factors affecting function assignment.

5.4.4. Task and job analysis

In addition to recognizing the limitations of the elements in the man-machine systems, it is also important for human operators to achieve a suitable task loading. The term task loading is used to represent the number of tasks and responsibilities which the human will be required to undertake at any one time.

The totality of the tasks which are assigned to a single operator must, when being carried out under the worst possible circumstances, allow him to maintain an adequate level of operator performance. Conversely, it is important that the human should not be "under-loaded", i.e. given insufficient or inappropriate tasks. In this case, under-loading the operator can result in waste of resources, inattention, boredom, lack of motivation and consequently poor performance. It is therefore important that the function analysis and subsequent assignment of functions bears in mind the whole of each operator's job, rather than individual tasks and responsibilities. The benefits of, for example, operator training by inclusion of training systems embedded in the man-machine interface should be considered.

Inappropriate sharing of tasks between operators must be avoided. Tasks may be shared between operators in a group or team, but this cannot be done arbitrarily. The role of each person in the system must be considered and appropriately defined. Ideally, the resulting set of roles and tasks would be fully complementary, with a defined degree of overlap and, more importantly, no under-lap. In practice, the designer may have to take account of limitations on the availability of operators and so allow for flexibility in performing tasks. Where team work is called for, communication matters and working structures must also be considered.
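The coverage and loading properties described in this subsection (no under-lap, deliberate overlap only, acceptable worst-case loading, no under-loading in quiet operation) can be checked mechanically once roles and tasks have been listed. The following Python block is an added example and not part of the IAEA report; the task names, workload demand values, roles, scenarios and loading limits are all constructed illustrative data.

```python
"""Role/task coverage and task-loading check for a control room crew.

Added example, not taken from the IAEA report: it checks the properties
section 5.4.4 asks for (no under-lap, defined overlap, acceptable
worst-case loading, no under-loading). Task names, demand values, roles,
scenarios and loading limits are all constructed illustrative data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    demand: float  # constructed relative workload units


@dataclass(frozen=True)
class Role:
    name: str
    tasks: frozenset  # task names assigned to this role


def check_coverage(tasks, roles):
    """Return (uncovered, overlapping): tasks no role holds (under-lap) and
    tasks held by more than one role (overlap, which must be deliberate)."""
    holders = {}
    for role in roles:
        for name in role.tasks:
            holders.setdefault(name, set()).add(role.name)
    uncovered = {t.name for t in tasks if t.name not in holders}
    overlapping = {name for name, rs in holders.items() if len(rs) > 1}
    return uncovered, overlapping


def loading(tasks, roles, scenario):
    """Sum the demand of each role's tasks that are active in `scenario`
    (a set of concurrently active task names)."""
    demand = {t.name: t.demand for t in tasks}
    return {
        role.name: sum(demand[n] for n in role.tasks if n in scenario)
        for role in roles
    }


def review_crew(tasks, roles, scenarios, max_load, min_load):
    """Run all checks. `scenarios` maps a scenario name to its active task set;
    roles above max_load in any scenario are overloaded, roles below
    min_load in the scenario named 'normal' are under-loaded."""
    uncovered, overlapping = check_coverage(tasks, roles)
    overloaded = {}
    for scen, active in scenarios.items():
        for role, load in loading(tasks, roles, active).items():
            if load > max_load:
                overloaded.setdefault(scen, []).append(role)
    underloaded = [
        r for r, load in loading(tasks, roles, scenarios["normal"]).items()
        if load < min_load
    ]
    return {
        "uncovered": sorted(uncovered),
        "overlapping": sorted(overlapping),
        "overloaded": {k: sorted(v) for k, v in overloaded.items()},
        "underloaded": sorted(underloaded),
    }


# Constructed sample crew: two roles, one transient scenario and one quiet one.
TASKS = [
    Task("monitor_reactor_power", 1.0),
    Task("control_feedwater", 2.0),
    Task("acknowledge_alarms", 1.5),
    Task("log_events", 0.5),
    Task("coordinate_field_operators", 1.0),
    Task("verify_safety_injection", 2.0),
]
ROLES = [
    Role("reactor_operator", frozenset({"monitor_reactor_power",
                                        "acknowledge_alarms",
                                        "verify_safety_injection"})),
    Role("turbine_operator", frozenset({"control_feedwater",
                                        "acknowledge_alarms",
                                        "log_events"})),
]
SCENARIOS = {
    "normal": {"monitor_reactor_power", "log_events"},
    "transient": {"monitor_reactor_power", "control_feedwater",
                  "acknowledge_alarms", "verify_safety_injection",
                  "coordinate_field_operators"},
}

if __name__ == "__main__":
    print(review_crew(TASKS, ROLES, SCENARIOS, max_load=4.0, min_load=1.0))
```

On the constructed data the review reports the field-coordination task as uncovered (an under-lap), alarm acknowledgement as overlapping between the two roles, the reactor operator as overloaded in the transient scenario and the turbine operator as under-loaded in normal operation; each of those findings is a prompt for the designer to revisit the role definitions rather than an automatic decision.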

5.4.5. Quality assurance, verification and validation

5.4.5.1. Quality assurance (QA)

Control room systems should be developed according to a recognized quality assurance (QA) plan and a properly defined project plan, describing the purpose of the system, the responsibility of each member of the project team, the project segmentation, reviews, hold-points, end-user approval, etc. International QA standards should be followed [25-28].

The development should be split up into defined phases (e.g. definition, implementation, configuration), including for each phase the required output (i.e. documentation and test results). In addition, in-service maintenance, development and upgrading should be considered.

Standardization in development helps in obtaining compatibility with other suppliers, easier maintenance and longer life. Proven methods and tools should be used, especially in the software development, and new methods should first be tested with prototypes. Modular design eases the management of program units.

5.4.5.2. Verification and validation (V&V)

In the functional design phase, the correct assignment of control room functions between operator and automation should be verified. Next this functional assignment should be validated to demonstrate that the whole system would achieve all the functional goals. The V&V of functional assignment is related to the design of new control rooms and major retrofitting projects, where the role of the operator will change. The procedure of V&V should, however, be applied to the design of functional requirements of all new systems or functions installed in the control rooms. The output of this phase is an input to the specification of control room systems.

In the specification phase the functional specifications are verified and validated in order to make sure that they fulfil the design principles and technical requirements and the control room systems really support safe and reliable operation.

The use of flexible computerized human/machine interface techniques and simulators makes it possible to perform the final validation in the implementation phase. Even in the commissioning phase of the implementation in the real plant it is possible to make modifications to the human/machine interface such as display pictures or operator support systems.

The process of V&V of control room systems is described in more detail in IEC 964. The main considerations are:

- V&V should be planned and systematic
- Evaluation should be based on predefined criteria and scenarios
- The evaluation team should consist of specialists with various expertise, who are independent from the designers.

5.4.5.3. Evaluation of existing control room systems

Periodic evaluations of control systems are recommended. Such evaluations may be performed as a combination of various methods such as those listed below:

5.4.6. Application of human factors

Human factors efforts in control room design should be based on a firm analytical foundation. They are most usefully initiated before development decisions are made that can unnecessarily constrain design freedom. Human factors efforts complement those of other team participants, resulting in an integrated design that supports tasks performed by control room personnel. Human factors principles and criteria, along with information resulting from analyses, are applied in selecting panels and consoles, configuring them in relation to other furnishings, and establishing ambient environmental conditions (light, sound, climate) to promote effective personnel performance. In addition, habitability features (personal conveniences, aesthetic considerations, safeguards against common hazards) are specified to promote personnel comfort, morale, and safety.

The primary human factors objective in control room design is to increase operational effectiveness by ensuring that capabilities and needs of personnel are reflected in coordinated development of interactive design features. Human factors recommendations are intended to ensure that the design and placement of consoles and other major items support effective task performance during all operating modes. Recommended layout alternatives facilitate visual and physical access to display/control instruments and other needed objects. Recommended environmental conditions support task performance.

5.5. DESIGN

5.5.1. Conceptual design

5.5.1.1. Design process for main control room (MCR)

This process assumes the CRS design team starts with a reference design from a previous control room in a past plant (see Figure 12).

First the design team must identify a basic set of plant functions with their present allocations (allocated by system designers) and assess any allocations that deviate from the reference plant. This will provide a preliminary indication of task difficulties, allowing the team to address major problems early, rather than during subsequent more detailed task analyses. In this context it is expected that the CRS will utilize past designs and staffing arrangements as much as possible.

The identification of basic plant functions (function analysis) and the subsequent review of their allocations (function allocation) will permit designers to generate a conceptual control centre layout that is in accordance with civil space allocations for the control centre. The layout will show panels and work stations in an appropriate arrangement with a list of basic functions attached to each. Using this information, a conceptual picture of the control centre will be developed that shows its 3-dimensional nature and assists designers in visualizing and refining the control centre concept.

FIG. 12. Control centre design approach. (Figure residue. Main flow shown: function list for all systems (high level); review function allocation; control centre concepts; conceptual control room layout (panels, consoles in appropriate arrangement; general description of functions at each location); conceptual "picture" of control room; formal conceptual design review; task analysis (TA); preliminary human-machine interface (HMI) design; then panel design, field panels, CRT interface design, non-safety panels, safety panels, post-accident monitoring design and annunciation design. Inputs shown: annunciation philosophy; operations experience; overall human factors plan; existing design and initial list of functions; ensure that all functions allocated to operators are identified from safety analysis; preliminary allocations made by process designer; control room placed in overall plant layout in accordance with civil traffic analysis; general civil constraints and link analysis based on general function list; final safety analysis input; existing procedures (note 1). Note 1: There will be a degree of parallelism between TA and preliminary HMI design. Note 2: Much of the HMI design will actually occur in the mockup, with this activity generating concepts.)

The control centre concept will then be subjected to a formal conceptual design review that is to include its entire design methodology. This review is a standard practice and ensures that all design groups associated with the CRS are in agreement with the general concept. It also provides important management support for the approach to detailed design and validation before substantial resources are committed.

The detailed plant functions as represented by the various Design Documents will form the basis for task analyses and preliminary HMI design. The level to which task analyses will be completed will vary in accordance with the degree of innovation incorporated into the design. In other words, where existing designs are adopted (including the HMI), little task analysis data will be generated, as opposed to designs that have process design (e.g. automation changes) or HMI innovations. Supporting the task analyses is existing operations knowledge in the form of procedures and operator review inputs and also the Operator Response Guidelines (ORG), which provide the safety critical operator functions extracted from the safety analysis.

Implementation of the task analyses could take any one of a number of forms (an abundance of formats exist in the human factors literature). In order to assist designers in selection of an appropriate methodology, a task analysis handbook is available.

In the course of this work, preliminary control centre human-machine interface design will be mocked-up. The mock-up will be full-scale and quasi dynamic, capable of reproducing the interface features and time based nature of information display necessary to support walk-throughs of selected segments of preliminary procedures (e.g. navigating through a display hierarchy). The mock-up will be used in an iterative fashion to develop, refine and validate the HMI. In this role it will serve as the primary vehicle for establishing, recording and reviewing the conceptual panel layouts and displays. It is understood that this process will feed back to system design, altering, for example, the initial allocations of functions.

As shown in Figure 12 this concludes the generic design phase. Site specific engineering will commence following the identification of a customer. Development of operating procedures, maintenance procedures, training programs and final validation will then be undertaken by utility personnel with support from the design agency. Final control centre validation will be accomplished with the use of a full-scope simulator or with extensive walk-throughs of procedures in the actual control centre. A plan for these activities will depend on the customer's needs and circumstances, and will be established after a utility is identified.

In summary, the approach to control centre design is to:

1. make considerable use of existing designs and their associated staffing structures,
2. perform some front-end function analysis and allocation in order to reduce the occurrence of inappropriate tasks being assigned to operators or automation early in the design process, and
3. place substantial emphasis on development, verification and validation of the innovative aspects of the standard product design through the application of a full-scale mock-up.

5.5.1.2. Emergency response facilities (ERF)

The TMI action plan (NUREG-660) calls for improvements in emergency preparedness through the provision of three separate facilities to be utilized in support of emergency operations, namely [29]:

1. Technical support centre (TSC), a room near to but separate from the control room that will be the focus for technical and strategic support to the control room operations staff. The room must provide a plant status information system and communication facilities.

2. On-site operational support centre (OSC), a marshalling area for operational support personnel (maintenance, security, auxiliary operators, etc.). This facility also must contain a plant information status system and communications facilities.

3. Near site emergency operations facility (EOF), the central focal point for planning and co-ordinating all on-site and off-site emergency activities including evacuation, communications with news media organizations, co-ordinating with government and community organizations. A plant information status system and adequate communication systems are required.

An essential requirement of the CRS design is that the plant information system that is used by the main control room staff should be the same one that provides plant information in the ERF facilities. The intent is to provide facilities for use in normal day to day operations which will also be useful in emergency situations. If station staff are not used to using a particular facility in day to day operation, they will be unfamiliar or uncomfortable with it for emergency use.

5.5.2. Detailed design

5.5.2.1. Visual display unit (VDU) design guide

A supplement to the IEC 964 standard is being drafted by working group WG IEC Subcommittee to provide assistance to designers of VDU screen formats. An ISO standard is being developed to guide the design of VDU displays for office tasks.

These standards and others will provide some of the guidance necessary to facilitate the design of high quality VDU screen information presentation and the processes by which humans interact with the plant through the CRT. By way of example, some of the basic principles for designing VDU displays are the following:

(a) Error tolerance

The VDU system must be able to respond positively to all types of errors made by the user and be robust in response to software and hardware errors in the host computer system.

(b) Feedback

Each time information is entered there must be immediate, understandable feedback to the VDU operator confirming correct inclusion of the information.

(c) Consistency

Consistent formats, symbols, character types, character sizes, etc., are essential.

(d) Task focus

VDU screens should not contain information that is not directly supportive of the tasks for which the display has been designed.

(e) Navigable

VDU screens that access data organized in a hierarchy should, for example, be limited to no more than 3 levels in the hierarchy.

(f) Consistent with user expertise level

The VDU format and interactive procedures should be designed to accommodate the experience and expertise of the user.
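Several of the principles above (consistency, task focus, navigability, and error-tolerant entry with feedback) are design rules that a display configuration can be checked against before it reaches the mock-up. The Python block below is an added example, not code from the IAEA report or from IEC 964; the approved symbol library, the display and task names, the constructed display tree and the setpoint range are all assumptions.

```python
"""Design-rule checks for a VDU display hierarchy.

Added example, not from the IAEA report or IEC 964: it mechanizes four of
the principles listed above (consistency, task focus, navigability, and
error-tolerant feedback on data entry) over a constructed display tree.
Symbol library, display names, tasks and the entry range are assumptions.
"""
from dataclasses import dataclass, field

# Constructed approved symbol/format library (the "consistency" principle).
APPROVED_SYMBOLS = {"pump", "valve", "tank", "trend", "bar", "digital"}
MAX_LEVELS = 3  # "navigable": no more than 3 levels in the hierarchy


@dataclass
class Element:
    symbol: str
    supports_task: str  # the task this element is supposed to serve


@dataclass
class Display:
    name: str
    task: str  # the task the display was designed for
    elements: list = field(default_factory=list)
    children: list = field(default_factory=list)


def audit_display(display, level=1, issues=None):
    """Walk the hierarchy and collect rule violations as (rule, display, detail)."""
    if issues is None:
        issues = []
    if level > MAX_LEVELS:
        issues.append(("navigable", display.name,
                       f"level {level} exceeds {MAX_LEVELS}"))
    for el in display.elements:
        if el.symbol not in APPROVED_SYMBOLS:
            issues.append(("consistency", display.name,
                           f"symbol '{el.symbol}' not in library"))
        if el.supports_task != display.task:
            issues.append(("task focus", display.name,
                           f"element serves '{el.supports_task}'"))
    for child in display.children:
        audit_display(child, level + 1, issues)
    return issues


def enter_setpoint(raw, low, high):
    """Error-tolerant entry with immediate feedback: never raises, always
    returns (accepted_value_or_None, feedback message)."""
    try:
        value = float(raw.strip())
    except (ValueError, AttributeError):
        return None, f"rejected: '{raw}' is not a number; enter {low}..{high}"
    if not low <= value <= high:
        return None, f"rejected: {value} outside {low}..{high}"
    return value, f"accepted: setpoint {value}"


# Constructed sample hierarchy: four levels deep, with an unapproved symbol
# and an off-task element placed deliberately on the third level.
TREE = Display("plant_overview", "overview", [Element("bar", "overview")], [
    Display("primary_system", "primary_monitoring",
            [Element("pump", "primary_monitoring"),
             Element("valve", "primary_monitoring")], [
        Display("rcp_detail", "rcp_monitoring",
                [Element("trend", "rcp_monitoring"),
                 Element("gauge3d", "rcp_monitoring"),
                 Element("digital", "turbine_monitoring")], [
            Display("rcp_bearing", "rcp_monitoring",
                    [Element("trend", "rcp_monitoring")]),
        ]),
    ]),
])

if __name__ == "__main__":
    for issue in audit_display(TREE):
        print(issue)
    print(enter_setpoint("12.5", 0, 100))
```

The audit returns findings in tree order, so the two element-level faults on the third-level display are reported before the depth violation of the fourth-level display beneath it; the entry function shows the feedback principle by always returning a message, whether the value was accepted or not.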

5.5.2.2. Operator controls

The types of operator interface available for control may be classified into three groups:

- dedicated systems such as push buttons or rotary switches
- multiplexed conventional systems (for seldom-used systems)
- soft controls such as touch sensitive or cursor-selectable items on screens.

They shall be selected according to the requirements of the task analysis. This involves criteria such as

- Frequency of use
- Speed of access
- Safety relevance
- Acceptability of common mode failures, etc.

Controls shall be grouped either according to their functional relationship or according to their relevance for process control. Rules about the layout of panels, the positioning of groups, device layout, relative orientation of switches and coding can be found in a supplement to the IEC 964 standard and in the IEC 73 standard [23, 29].

5.5.2.3. Integrating displays and mimics

To counteract the tendency for operators to over-focus on the narrow view given by any one CRT display, an Overview Mimic seems to be a valuable facility in the control room. The Overview Mimic must be designed so that it is an integral part of the rest of the control room.

The EPRI ALWR requirements document establishes some valuable requirements and guidelines for integrating Control Room Displays with plant mimic diagrams [5]. Appendix E paraphrases the description from the EPRI document.

5.6. DESIGN TOOLS

5.6.1. Evaluation of existing CRS

Typical reasons for replacing or upgrading the existing systems are obsolescence and need for functional improvements. The evaluation of existing CRSs should reveal those problems as early as possible in order to reserve enough time for a careful design and implementation of backfitting projects.

Evaluation of existing systems means estimating their expected remaining lifetime and finding out the functional and technical improvements needed, especially from the end user's (operators') point of view. This is a good way to integrate the operators in an early phase in the project and to utilize their know-how in the specification and design of new systems as well as to get their acceptance.

CR layout and panel layout design

Computer aided design (CAD) tools should be used for two (2D) and three dimensional (3D) design of control room layout as well as detailed construction designs of desks, consoles, panels etc. Specific programs and libraries can be developed to enhance the possibilities of commercial CAD tools. With these tools it is easy to generate various layout alternatives to be evaluated before the final decision.

Similar tools should be used for the detailed 2D layout design of panels and consoles, i.e. panel mimics with indicators, manual controls, annunciators etc.

5.6.2. Display design

CAD tools can also be used for the design of display pictures such as process mimics, especially if the graphic editor of the process monitoring system is not yet available. Here too, specific help programs and libraries are useful. Graphic editors of some process monitoring systems are already compatible with commercial CAD tools, so the code generated by CAD tools can be automatically transferred to the process monitoring system without re-coding.

The layout of many display pictures is typically of standard type, e.g. single variable displays, trend groups, bar graphics, sequence logic, etc. The content of those pictures is defined by configuration tools of the process monitoring system.

5.6.3. Applications

Modern process control and monitoring systems include tools for configuration of simple algorithms without programming. Function block or high level instruction based programming languages (e.g. C, Pascal, Fortran) are needed for applications such as reactor performance computation and other operator support functions. Knowledge-based techniques can be used here in addition to traditional algorithmic programming methods.

5.7. BACKFITTING

Typical CR backfitting projects include replacing/upgrading of plant process monitoring systems (PPMS), installation of new operator support systems, stand-alone or integrated with PPMS, and reorganizing of hard-wired CR panels and desks. In the future, partial or total replacement of the I&C system by Distributed Control Systems (DCS) will take place and result in a complete rebuilding of the existing control room.

Most of the principles and methodologies presented in Chapter 5 are valid for backfitting of existing CRS as well. Here some considerations related to the design and implementation of backfitting projects are emphasized.

5.7.1. General backfit design considerations

It must be recognized that a control system constitutes a changing system. Due to operational experiences, regulatory demands, new technology and other factors, the system will undergo both minor as well as substantial changes.

The overall backfitting process must involve careful consideration of several factors, such as those listed below:

- Changes should be embedded in a context involving knowledge of the history of previous changes. This means that the motives and philosophies behind previous changes should be clearly stated so that new changes do not violate previous control room philosophies. For instance, labelling, colour coding, new instructions, etc. should be consistent throughout the system.
- Changes should not be treated as isolated events with respect to the knowledge domains consulted in the design process. Thus, operators, human-factor specialists and others that can provide information about important design considerations should always be consulted at an early stage. Involving operators early in the design process also promotes acceptance of the change.
- It must be realized that changes may have far reaching consequences on work practices and organizational factors. For instance, the realization of computer-based critical safety function monitoring may change work organization in the control room. It may also be important to investigate how individual factors (years of experience, age, etc.) may affect the implementation and acceptance of a given change concept.

5.7.2. Specific backfit design considerations

While many technological advances and human factors improvements offer promise for achieving better control room operations, success in backfitting improvements to existing operating plants presents significant challenges. In a backfit environment, unless the implementation is required by government regulation, the changes in control room systems must obtain operator acceptance and provide cost benefit to utility operations.

The I&C and control room upgrade plans must consider a modular program which permits the utilities to select the upgrades based on their specific needs. The program should allow the utility to determine the best mix of old and new equipment design for their plant based on risk, needs and funding.

Implementing computerized diagnostic and decision aids brings with it consideration of the reliability of hardware and software utilized by the aid. The change to computerized diagnostic and decision aids also requires substantial human engineering effort to assure usability and usefulness. Seismic qualification and/or electrical and physical isolation of computers and displays may be needed for aids which are put in the plant. Verification and validation of software will play a significant role in the acceptance and reliability of man-machine support systems.

Key issues and concerns that should be addressed in technology backfitting to existing control rooms include the following:

• Each upgrade in a plant should result from a systematic evaluation process and be integrated (1) within a long-range plan for plant I&C and control room upgrade, (2) within an overall planned network or hierarchy for in-plant data communication, and (3) within an overall plant management plan.

• Using digital technology to tailor displays and controls to the specific roles and responsibilities of individual plant staff members.

• Defining the role of digital technology in procedure design, plant operational documents, plant design documents, and plant staff training.

• Integrating digital technology into the control room environment so that crew interaction and operator alertness across rotating shifts is enhanced.

• The effects of control room environmental conditions such as low luminescence, non-uniformity of lighting, and operator's alertness resulting from the use of digital technology.

• Integrating digital technology into the control room environment to improve the quality of information presented to the operating and support staff and incorporating human factors engineering principles into the control room design to enhance plant availability, reliability and plant safety.

• Defining the integration of modular replacement schemes for control room upgrade to meet the utility's schedule for upgrade.

• Developing diagnostic and decision aids which are usable and useful to the utilities, emphasizing the role of operators vs. increased capability for automation as well as using capabilities of modern technology for providing improved utilization of information.

• Control room upgrades must accommodate digital system interfacing to analog displays and systems since the upgrade program most likely would adopt a phased replacement approach.

• The human-machine support systems upgrade program must have provisions to extend over the range of all-analog design (existing design) to a fully integrated digital control, protection, and display system (ALWR plant design) during all change-out phases of the program.

• There is a risk that the nuclear regulatory authority may require software diversity and/or hardware diversity. Consideration of having a hardwired backup system, e.g., maintaining a limited analog system for plant protection systems, may be prudent.

• The control room upgrade program must give equal consideration to upgrading the plant simulator. The cost evaluations of an upgrade must take into account the potential added expense for upgrading the plant simulator. The upgrading of the simulator may be the first thing the utility wants to do to check the proposed changes and associated new procedures.

• Controls should be designed with fault-tolerance features, not only to automate certain routine control tasks but also to avoid inadvertent mis-actuation by human error. The plant operator should serve as an overseer with skills for understanding and dealing with off-normal behaviour.

• The I&C system should assist the operator in calling up the necessary information to understand any problem situation and to help the operator make appropriate decisions [20]. In addition to display of overview information, the operator should always be able to obtain more detailed information to focus on any plant area.

• Disturbance of plant operation by backfitting should be minimized. This means reservation of enough time for utilization of refuelling and other planned outages for work that cannot be done during normal operation. Parallel use of old and new systems is recommended, where possible, for testing and validation of new systems. A detailed plan and schedule of the backfitting project is essential. A phase-wise implementation is recommended in large backfitting projects.

• Improvements in the control room should be based on the operators' real needs and they should not change the control room operational philosophy and operators' role unnecessarily. This means that the new systems should be the same as the old systems where those are considered acceptable. The new systems and functions should also be consistent with the other non-replaced CRS.

• Space problems should be carefully studied in an early phase of the project. This concerns modifications in the data acquisition systems, computer rooms and the control room. Environmental requirements such as ventilation, lighting, etc. shall be considered.

• Training of the end users and technical specialists in the new CRS shall be part of the backfitting project. This also indicates the need to have the new CRS at the simulator before the implementation in the real plant.

• It is recommended that the utility (i.e. plant personnel and other utility engineering staff) have a central role in the backfitting project, from the early planning to the specification and implementation of applications.

If a plant-specific full-scale simulator is available, the modifications and installation of new systems should first be implemented there. The simulator is an especially good tool for verification and validation of new CRS within the limits of the fidelity of the simulation models.

Annex A is an excellent case study illustrating some of the most successful techniques for retrofitting a modern digital data acquisition and control system to replace 1960 vintage technology at IVO's Loviisa nuclear power station in Finland. Some of the techniques included:

- meticulous planning
- modular distributed hardware systems architecture
- parallel operation of the new and old system
- high level software tools
- tests and validation using the training simulator.

6. FUTURE TRENDS

6.1. GENERAL DESIGN TRENDS

6.1.1. Centralization of control and distribution of monitoring

A trend has existed for 30 years whereby more and more of the information and controls are being centralized in the main control room. However, at the same time, distributed computer networks are being utilized to allow more effective control in the plant. Local area networks are increasing in use to allow information to be distributed throughout the plant so that it can be used by whoever needs it. This includes operations staff, safety engineers, maintenance staff, plant engineers and management. Wide area networks will allow information to be available to off-site locations. The availability of information exchange requires security measures to ensure that only authorized utilization of information and functionality can be made. In addition, the system must be protected from computer viruses.
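The paragraph above states the requirement (only authorized use of information and of functionality, and protection against viruses) without prescribing a mechanism. One way to express it, as an added example that is not from the IAEA report, is a deny-by-default policy keyed on role and network location in which control functionality is confined to the main control room and off-site wide-area users can only read, plus an allow-list check that rejects software not matching an approved release manifest. The roles, locations, action names, policy table and manifest below are constructed assumptions.

```python
"""Authorization and software-integrity checks for a plant-wide information network.

Added example, not from the IAEA report: a deny-by-default role/location
policy (control only from the MCR, read-only over the WAN) and an
allow-list check for delivered software. All roles, locations, actions,
policy entries and the release manifest are constructed assumptions.
"""
import hashlib

# Constructed policy: (role, location) -> allowed actions.
POLICY = {
    ("operator", "mcr"): {"read", "control", "acknowledge_alarm"},
    ("operator", "erf"): {"read"},
    ("maintenance", "plant_lan"): {"read", "read_equipment_diagnostics"},
    ("engineer", "plant_lan"): {"read", "read_equipment_diagnostics"},
    ("engineer", "offsite_wan"): {"read"},
    ("management", "offsite_wan"): {"read"},
}
CONTROL_ACTIONS = {"control", "acknowledge_alarm"}


def authorize(role, location, action):
    """Deny by default. Control actions are refused from anywhere but the
    MCR even if a policy entry were mis-edited to grant them."""
    if action in CONTROL_ACTIONS and location != "mcr":
        return False
    return action in POLICY.get((role, location), set())


def audit_policy():
    """Return policy entries that would grant control outside the MCR
    (expected to be empty; a non-empty list means the table was mis-edited)."""
    return sorted((role, loc) for (role, loc), acts in POLICY.items()
                  if loc != "mcr" and acts & CONTROL_ACTIONS)


# Constructed manifest of approved application releases: name -> sha256 hex.
APPROVED_RELEASES = {
    "perf_calc_v2.bin": hashlib.sha256(b"constructed release payload v2").hexdigest(),
}


def accept_software(name, payload):
    """Accept a delivered program only if its hash matches the approved
    manifest; unknown names and modified payloads are both rejected."""
    expected = APPROVED_RELEASES.get(name)
    if expected is None:
        return False
    return hashlib.sha256(payload).hexdigest() == expected


if __name__ == "__main__":
    print(authorize("operator", "mcr", "control"))           # True
    print(authorize("engineer", "offsite_wan", "control"))   # False
    print(audit_policy())                                    # []
    print(accept_software("perf_calc_v2.bin",
                          b"constructed release payload v2"))  # True
```

The location check in `authorize` is deliberately independent of the policy table, so an editing mistake in the table cannot by itself open control functionality to the wide-area network; `audit_policy` is the corresponding review step for the table itself.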

6.1.2. Integration

The conventional view of control room and I&C encompasses the sensors, actuators, andcontrol elements that provide both normal control and protection to the plant, including the controlpanels that serve as the human/machine interface. This narrow view can no longer be maintained, asmodern technology (particularly the incorporation of digital computers) is leading the integration ofother functions into the spectrum of control room systems.

With increasing automation and OSSs, operators will become information and system managers withvast amount of information and the possibility to interact with maintenance and engineering activitiesto operate the whole plant. This expanded view of control room operation is depicted in Figure 4.

The computer replacements in existing plants will bring computing platforms, which will makepossible the integration of new sophisticated applications with the basic process monitoring systems.

Specifically, the integrated control room operation design approach will include the followingaspects:

1. The incorporation of all diagnostic and monitoring functions to operations staff. This not onlyincludes the traditional plant process computer and more recent safety parameter displayfunctions, but now includes the monitoring and diagnostics of plant equipment.

2. The incorporation of operator aids and advisory systems, many of which depend upon the plant "database" within the monitoring systems.

3. The merging of dynamic plant monitoring information systems with other aspects of information management such as electronic document management, automated procedures, and plant equipment databases.

4. The human-machine interface environment should be common for all systems. This allows the integration of all capabilities rather than using several different human-machine interfaces. It also removes the potential confusion as an operator goes between functions.


5. The incorporation of human factors engineering and human reliability in the design and development of systems for plant operation. Human factors applies not only to plant operators but also to plant maintenance and engineering personnel.

6. The communication of real time plant information to off-site personnel for dispatch or monitoring functions.

6.1.3. Increased operator support

The extent of R&D projects in various organizations indicates that more new types of applications will be taken into operation in working plants in coming years. Better and more user-friendly methods will be developed and computer capacity will become less of a limiting problem. This situation presents an exceptional opportunity to achieve significant operational cost savings by reducing forced outages in nuclear power plants. In 1992, INPO reported that the median and average unplanned capability loss was 25 and 40 full power days respectively for U.S. nuclear utilities. Ontario Hydro, in Canada, has set a target to reduce nuclear plant forced outages by 25% through the introduction of new knowledge based Control Room Systems based on the APACS [30] prototype presently under development. The target was established after reviewing significant event reports to identify those incidents that would have been prevented by quicker action possible with an advanced operator support system.

The study of forced outages in PWR units by ACYL and the experience of many nuclear utilities from their significant event reports show that the three most beneficial areas to improve are:

- lack of mental attention
- failure to follow procedures
- failure to predict equipment failure.

Each of these categories of malfunction can be addressed by the new technology now emerging in Control Room Systems.

The following application areas of OSSs can be foreseen as particularly important:

- Plant state diagnosis and root cause determination in disturbances and accidents.
- Alarm diagnosis/analysis, new alarm sources.
- Model-based and knowledge-based systems for fault detection and diagnosis.
- Assistance to the operator for operational planning and for enhanced safety.
- Advisory systems: model-based and knowledge-based systems for planning of control strategies and corrective actions for improved productivity, e.g. testing of planned actions using predictive simulation.
- Computerized procedures in order to decrease the errors in the utilization of operating procedures and to increase their usability.
- New aids for technical specialists and operation management for evaluating the condition of the plant systems and components, environment protection, etc.

The increased use of probabilistic safety assessment (PSA) studies might identify more areas where OSSs are justified. Because many of the systems will be safety-related, the problems of validation and verification will become more and more important and, if not solved, will constrain OSS development.

The licensing of OSSs and their software might restrict the implementation of new applications in the future, especially when the complexity of the systems increases. Proven design practices are needed as well as practical experience of the methods and tools and their reliability, first on non-safety-related applications before developing those for the safety-related OSSs.


In the long term, there will be an increasing transfer of certain operator tasks to OSSs. This will change the operator's role and one must be very careful to ensure that the change will meet the goal of improved safety and efficiency. Problems will arise with guidance given by computers if the tasks which are assigned to human and machine are not clearly defined. But even if it is clearly stated that the OSS is only a support system, it is natural that the operator in a critical situation will tend to rely on the guidance given by the OSS and perhaps may not verify that guidance. The important decision of who has responsibility if incorrect guidance is provided must be taken and stressed. Current thinking is that the operations staff has final responsibility for all actions and therefore must verify the guidance given by the OSS.

6.1.4. The impact of new technology and design on training programs

Design of a Control Room System should also involve careful consideration of training issues such as training programs and instructions.

There is always a risk that instructions and training programs neglect human factors issues. For instance, if instructions are written without participation of the users they may only reflect technical issues. Thus user participation is strongly recommended.

The way a control room system is organized from an ergonomic and human factors point of view affects the way the operators learn to handle the system. For instance, clear labelling, coding and demarcation facilitate the learning process, and the operator can spend more time learning "mental models" of the system rather than being occupied with unnecessary cognitive activities caused by bad ergonomics.

Maintenance outages may deserve special attention with respect to training. As a general remark, it may be noted that outage operations have been found to create special problems from the control room point of view due to high activity in the station. Designers should focus especially on this phase both with respect to CRS design and training.

When retrofits are made it is important that the operators are given instructions and procedures related to these changes before they are made.

6.2. TECHNICAL TRENDS

6.2.1. Increasing use of digital systems in safety and non-safety applications

Evolution of I&C technology allows the use of digital systems in new plants and also in retrofitting of existing plants for both safety and non-safety applications. As a consequence there will be screen-based CRSs not only for monitoring but also for operation of the plants. Physical and functional separation between safety-grade and non-safety-grade control room systems shall be maintained. Feedback from the use of digital technology in control systems and improvement of software tools and V&V methodology will facilitate the satisfaction of licensing requirements in the use of digital technology in safety-grade systems.

In existing plants digital and analog systems will co-exist. This necessitates the ability to integrate these diverse technologies in a manner that they can cooperate and which does not hinder the operator.

6.2.2. Increasing computer and networking capabilities

Computing power and memory capacity are increasing rapidly. The same is true for the information transmission capacity of networks. There is also a trend towards distributed computing architecture as described in Section 4. As a result, a large amount of plant information (as many as 20,000 individual plant status points) is available on a communication "highway", or network, which can be easily passed through industry standard "gateway" interfaces to industry standard networks such as ETHERNET or ARCNET. Information from databases and other computerized sources will also be available on this communication highway. Because this vast amount of information will now be available for use by plant staff, it is important to have an information management capability to verify the correctness of the information used for decision making and other purposes.
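The verification capability called for above, as an added example that is not code from the report: a small Python validator for one networked plant status point that applies range, rate-of-change, staleness and redundant-channel agreement (2-out-of-3) checks and tags the result with a quality. The point, its limits and the sample values are constructed for illustration.

```python
"""Validity checks for plant status points received over a plant data network.

Added example, not code from the IAEA report. It illustrates an information
management capability that verifies networked plant data before it is used
for decisions. Four checks are applied per point: engineering range, rate of
change, staleness, and agreement between redundant channels (2-out-of-3
voting). Point names, limits and sample values are constructed only.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple


@dataclass
class Limits:
    low: float        # engineering range, lower bound
    high: float       # engineering range, upper bound
    max_rate: float   # largest physically plausible change per second
    max_age_s: float  # samples older than this are treated as stale


@dataclass
class Sample:
    value: float
    t: float          # acquisition time in seconds


def check_channel(prev: Optional[Sample], cur: Sample, lim: Limits, now: float) -> List[str]:
    """Per-channel checks; an empty list means the sample passed all of them."""
    flags: List[str] = []
    if not lim.low <= cur.value <= lim.high:
        flags.append("OUT_OF_RANGE")
    if prev is not None and cur.t > prev.t:
        rate = abs(cur.value - prev.value) / (cur.t - prev.t)
        if rate > lim.max_rate:
            flags.append("RATE_EXCEEDED")
    if now - cur.t > lim.max_age_s:
        flags.append("STALE")
    return flags


def vote(values: Dict[str, float], tol: float) -> Tuple[Optional[float], List[str]]:
    """Majority agreement around the median of the surviving channels.

    Returns (validated value, channels that disagree). A value is produced
    only when at least two channels agree, or when a single channel is all
    that is left (the caller reports that case as SUSPECT).
    """
    if not values:
        return None, []
    centre = median(values.values())
    agree = {ch: v for ch, v in values.items() if abs(v - centre) <= tol}
    disagree = [ch for ch in values if ch not in agree]
    if len(agree) >= 2:
        return sum(agree.values()) / len(agree), disagree
    if len(values) == 1:
        return next(iter(values.values())), []
    return None, disagree


def validate_point(channels: Dict[str, Sample], prev: Dict[str, Sample],
                   lim: Limits, tol: float, now: float) -> dict:
    """Combine per-channel checks and voting into one quality-tagged result."""
    flags = {ch: check_channel(prev.get(ch), s, lim, now) for ch, s in channels.items()}
    good = {ch: s.value for ch, s in channels.items() if not flags[ch]}
    value, disagree = vote(good, tol)
    for ch in disagree:
        flags[ch].append("DISAGREES")
    if value is None:
        quality = "BAD"          # nothing trustworthy to pass on
    elif len(good) - len(disagree) >= 2:
        quality = "GOOD"         # confirmed by at least two channels
    else:
        quality = "SUSPECT"      # one channel only, unconfirmed
    return {"value": value, "quality": quality, "flags": flags}


# Constructed sample: a pressure point with three redundant channels, scanned
# one second apart, where channel C jumps faster than the process can move.
PRESSURE_LIMITS = Limits(low=0.0, high=20.0, max_rate=0.5, max_age_s=5.0)
PREV = {"A": Sample(15.45, 0.0), "B": Sample(15.55, 0.0), "C": Sample(15.50, 0.0)}
CUR = {"A": Sample(15.50, 1.0), "B": Sample(15.60, 1.0), "C": Sample(18.90, 1.0)}


def demo(now: float = 1.5) -> dict:
    """Validate the constructed point as seen at time `now`."""
    return validate_point(CUR, PREV, PRESSURE_LIMITS, tol=0.2, now=now)


if __name__ == "__main__":
    print(demo())
```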

The trend towards more open systems communication architectures will facilitate the integration of systems and the ability to utilize equipment from various vendors. It will also make easier the job of upgrading equipment in the plant. The increasing computation and networking capabilities provide the ability to develop more sophisticated and information intensive operator support systems. An example of this is the Equipment Status Monitor facility developed in Canada and described in Appendix C.

6.2.3. Advanced human-machine interface technology

In addition to the soft-control switches and voice actuation systems discussed in Section 4, there are several other advanced interface devices. These are discussed below.

1. High-density display

One potential limitation of currently available VDUs is that they can display only a relatively small amount of information. Although limiting the number of parameters to be displayed by choosing and integrating functionally related parameters is believed to be important in avoiding information overload, it often happens that several of those functional information chunks need to be displayed in combination. However, because of the limitation of display space, not all the chunks can always be integrated into one display format. This causes a trade-off which can result in presenting functionally incomplete information chunks.

Sometimes this problem can be alleviated by high-density display (e.g., High Vision), which is already commercially available. The high-density display also has several other attractive features which include:

- higher resolution
- flat screen
- large screen.

However, there are several technical questions that need to be answered before the high-density display can be used for industrial purposes, especially for the nuclear industry:

- operator information overload - too much data in a confined area of the VDU screen
- reliability
- seismic qualification
- display software.

2. Large-scale display

Large-scale graphic panels, based on large screen technology, have been used in non-nuclear applications and in future nuclear control room designs. They are believed to provide operators with an overview of the plant which can be shared between them.

This idea of "having a common information source" can now be upgraded by utilizing computer-driven large-scale displays which allow fully dynamic graphic presentations. The quality of commercially available projection type large-scale displays seems to have reached a practically usable level for industrial applications.


There are several problems that need to be resolved before the large-scale displays can be fully applied. These include the following:

- Display visibility still requires further improvements
- Higher density displays are desired. Currently available large-scale displays cannot present elaborate overviews because of insufficient information density.

3. Voice recognition system (VRS)

The voice recognition system (VRS) has already been used widely in non-nuclear industries. It is utilized for simple tasks such as sorting transport items. Recent progress of the VRS has begun to allow more complicated applications. Now it is believed to be quite plausible that up to 5,000 words can be recognized with a recognition rate of more than 95%.

Though the VRS is a potentially attractive interface medium, it needs to be carefully studied before it is actually applied.

6.2.4. Increasing use of knowledge engineering and other advanced information processing technology

6.2.4.1. Computational techniques

It is expected that computer technology will continue to provide us with advanced computational techniques which may supply additional tools with unique properties to help facilitate the design of the human/machine interface and OSSs. New software techniques including knowledge-based systems, neural networks, fuzzy logic and high order languages will be proven and used when appropriate. In many applications, the appropriate solution will be a combination of two or more techniques [34].

1. Expert systems (or knowledge-based systems) programming.

Many of the currently available expert system shells have the ability to represent knowledge in many forms (e.g. rules, networks, frames, objects).

It is widely accepted that expert system shells, together with a powerful graphics support environment, have established a highly flexible and productive programming environment. They will continue to be refined in the future.

There are several other potentially useful expert system capabilities still remaining in the research stage. These include the handling of time-dependent data, real-time inference and parallel processing. It is expected that these will facilitate handling more dynamic and large-scale applications.

2. Neural networks

Neural networks have been receiving considerable attention for the past several years. It is an attractive technology for several reasons:

- It can handle subtle pattern recognition
- It has the ability to accumulate experienced patterns (i.e. learning ability)
- It is robust to missing data.

The first generation tools are already commercially available, which allows us to undertake prototyping and even small-scale applications. The technique is expected to be useful in such applications as early fault detection, diagnosis of components, signal validation, etc.


3. Fuzzy logic

Fuzzy logic systems have demonstrated their capability to successfully control a wide variety of processes in other industries. These systems have the ability to reason with less precise information, which is frequently all that is available. They can also successfully reason in cases where some of the data is missing. A side benefit of this technique is the ability to compress information, which can be important when substantial information is utilized.

6.2.4.2. Model based techniques

In the model based approach, deep knowledge such as detailed knowledge about process dynamics and physical first principles is used to model relevant systems or components. Theoretically the technique could generate correct responses even in unpostulated situations where heuristic rule-based approaches have difficulty. However, in reality, it is often very difficult to obtain deep knowledge for general purposes. This limitation can cause the technique to face problems which are even more fatal than ones with the heuristic approach. It is crucial to carefully analyze the area of applications where the technique can play its maximum role without causing any side effects.

6.2.5. Better computer-aided tools

More computer-aided tools are needed for the development and for the V&V of OSSs. These tools satisfy two needs, improved reliability and reduced software costs. Computer-aided tools support reliability in three ways. First, they allow a higher order description of the OSS to be given to the computer. This higher order description is easy to verify. Second, they can automate various steps of the software development process, reducing the likelihood of error introduction. Third, they may perform verification and validation activities in a more comprehensive manner.

The computer-aided tools also support reduced development cost in three ways. First, the automation of software development is more economical. Second, the reduction of errors introduced into the software reduces the costs of eliminating these errors. Third, using tools for performing V&V reduces the costs of V&V.

In the future, the specifications for these tools will be established. The V&V tools requirements will come out of the V&V methodologies which are currently being developed. As these specifications are defined and the associated tools developed, they should become part of the normal practice for developing OSSs.

6.3. COGNITIVE USER MODEL

There are at least two problems to which much attention needs to be paid in future display design.

One human factors problem associated with the use of a computerized system comes from the difference between human information processing and computational processing. Humans are known as "furious pattern matchers" whose default problem-solving framework is considered to be a hypothesis-and-test scheme. On the other hand, computers adopt logically complete and computationally economic strategies which are very different from human information processing. This sometimes causes humans to have difficulties understanding computer outputs. Such a cognitive mismatch is envisaged in the use of OSSs which demand a high level of computational information processing.

The VDU has established an information space where functionally relevant parameters are grouped and integrated into a single display format. This undoubtedly facilitates the understanding of what those parameters mean about the situation. However, it is technically very difficult to have a set of function-oriented, all-purpose displays which can fit any situation when some of them are used in combination. In addition, there is a tendency among the operators to prefer task-oriented displays to function-oriented displays. However, it is not possible to prepare task-oriented displays, even when almost every task is identifiable, since the number of displays would become impractically large. Then, what can be obtained is a product of trade-offs between the function-oriented and task-oriented approaches. Consequently, ideal cognitive matching is not obtained between operator conception and what is shown on displays.

Another problem is inherent to humans' information processing mechanisms. Humans possess a remarkably efficient information processing ability. The hypothesis-and-test scheme combined with a pattern matching strategy appears to be the secret of this efficiency. Nevertheless, psychologists believe that this is a double-edged sword. In order to maintain the efficiency, humans tend to look at only what they want to know. Once hypotheses are activated, they drive humans. Humans are concept-driven. Consequently, critical information may be overlooked when it is outside the focus of attention. This is likely to happen more frequently, especially in highly stressful situations where humans are short of cognitive resources. Again, there is a mismatch between human conception and what is happening in the real world.

One way of alleviating all these problems of cognitive mismatch is to develop a cognitive user model and use it to control information flow between computers and the operator. There are a number of ways to utilize the model. The following are examples:

- Dynamically select information that the operator will find useful at any given moment;
- Dynamically select information that the operator is required to verify;
- Dynamically monitor the operator's focus of attention and alert operators when the operator is found to be trapped in inappropriate areas (i.e., mind-set).

6.4. HUMAN-CENTRED DESIGN

The goal of the control room system design is not to ensure the plant functional goals alone. It must also ensure a comfortable and respectable working place for the operator. This second goal of the control room system design cannot necessarily be directly related to the plant functional goals. However, failure to reach the goal may indirectly influence the achievement of plant functional goals since it is believed to be connected to both psychological (e.g., motivation) and physiological (e.g., arousal level) factors of the operator, which certainly affect his or her performance.

In order to achieve these goals of the control room system design, it is necessary to pay proper attention to human factors in almost every phase of the design. IEC-964, a reference standard of this guideline, identifies that human factors are necessary in the following steps of the control room design:

- Assignment of functions to human and machine
- Job design
- Designing of controls and displays
- Function allocation to OSS.

Of course, many others will be found in the designing of other constituents of the control room systems (e.g., personnel selection, job education design). Many of those are interacting. Therefore, human factors considerations need to be integrated in some way. In conclusion:

A comprehensive human factors plan needs to be developed prior to actual designing.

Observation of established human factors criteria (e.g., ergonomic guidelines) is a prerequisite. However, it does not necessarily guarantee that the integrated system is satisfactory. There are always interactions and feedbacks which may quite easily override individual human factors considerations. It should also be borne in mind that lists of human capabilities found in human factors handbooks may not be directly applicable to real-world problems since many of them are meaningful only in experimentally controlled situations. Consequently:


- Observation of individual design criteria is a prerequisite;
- However, consultation with human factors specialists is necessary when applying the criteria;
- Validation needs to be made interactively at many stages of the design.

Human factors are evolving. Even straightforward ergonomics criteria may become obsolete as time passes. Anthropometric criteria which cover the 5th to 95th percentile of the population now may no longer be valid twenty years later. Social consensus may also change human factors considerably. A high-tech design which looked attractive ten years ago may look very obsolete and shabby, and therefore not at all motivational to users. What this suggests is:

- Human factors criteria need to be reviewed and, if necessary, they must be revised
- Existing systems need to be reviewed repeatedly, and deficiencies need to be removed.

Human factors are cultural. Obviously, physical dimensions vary considerably from country to country. This must be taken into account in anthropometric design. Population stereotype is also a good example. Social factors are of course cultural. A matter-of-fact consensus in one culture may not be at all acceptable in other countries. This may cause a serious problem because people are very often unaware of the unfavourable natures of their own socially accepted consensus [35]. Therefore:

- Human factors has to take cultural factors into consideration
- However, be aware that not all social consensus is appropriate.

In the following several paragraphs, topical issues that need to be considered in future control room design are discussed.

1. Information selection and generation

As discussed earlier in Section 4, mismatch between human information processing and the computational process needs to be minimized. Utilization of the cognitive model for human-machine interfaces is a potentially promising means to be taken.

Another important research issue is the kind of information that best enhances operator ability. It seems to be an internationally accepted idea that diagnostic and operational guidance information is useful. However, it is not a proven idea. Potential concerns are:

- When diagnostic information is overly detailed from the operational viewpoint, it may cause unnecessary additional workload

- Having guidance information presented, how can the operator risk his or her own decision by rejecting it, even when his or her own decision looks better?

It is necessary to study the kind of information which best enhances operator ability under a given operational rule. It may come about that presenting reduced information which is crucial for making a decision is better than presenting the end decision alone.

2. Environmental design

The control room must be functional. However, it must also be a comfortable and respectable working place for the operator. Employers and designers must be aware of the fact that the operator spends most of his or her vocational life in the control room.

Architectural configurations, colour coordination, lighting and other aesthetic factors are all related to this issue of "amenity". Ambient lighting and noise level are not only related to the psychological conception of the control room design, but are also influential on the physiological state of the operator. To keep the operator in mentally and physiologically good condition is very important.


3. Error prone situations

Error psychologists believe that the same cognitive mechanics generate both correct performance and errors. As discussed earlier in Section 6.3, the combination of the hypothesis-and-test strategy and pattern matching promises highly effective performance. Nevertheless, this combination of problem-solving strategies is subject to overlooking or even intentional denial of important pieces of information and to mind-set, thereby resulting in various types of erroneous behaviour.

There are two categories of errors: systematic errors and variability. Variability is stochastic and hard to predict. It can be reduced, but cannot be removed completely. On the other hand, systematic errors are easier to predict, and therefore believed to be easier to remove. In many cases, persons who committed systematic errors had good reasons to behave that way. At least in their personal views, there were good reasons for them to believe that the decisions were either correct or the best at the moment when they were made. There are situations where there is no other way to think. These are called error-prone situations (EPSs). Understanding of EPSs is very important for removing systematic errors.

7. CONCLUSIONS AND RECOMMENDATIONS

7.1. GENERAL

During the final Advisory Group Meeting, the consultants reviewed a list of current issues associated with control room systems (see Appendix D). The items marked with an asterisk (*) in Appendix D were selected for intensive discussion, which resulted in a consensus leading to conclusions and recommendations on particularly difficult issues. Conclusions and recommendations related to other issues resulted from discussions, analysis, and consensus reached in some of the earlier Advisory Group meetings.

Section 7.2 summarizes all the conclusions, which represent the consensus of the Advisory Group with respect to trends and practices that are underway in the nuclear industry today. The conclusions highlight trends the Advisory Group considers positive for the industry.

Section 7.3 summarizes the recommendations of the Advisory Group. Each recommendation represents an area where the Advisory Group believes there is a need for change. Formulating the specifics of these changes and initiating action will be the responsibility of others in the nuclear industry.

7.2. CONCLUSIONS

1. The integration of emerging human factors knowledge and practices with new information system technology is leading to significant improvement in the nuclear power plant human-machine interface. Some of the integration that is occurring is the following:

- Operator behaviour knowledge is influencing control room design
- Human factors techniques are being included in the design processes
- VDU interaction experience from other industries is being used by nuclear industry designers
- Systematic user feedback is influencing control room system design to a much greater extent
- Emergency response facility design is being integrated with the rest of the control room displays
- The control room design teams are now being drawn from a wider group of technical disciplines
- Integrated human/machine interfaces across CRS system boundaries.


2. Many utilities in the world nuclear industry are upgrading their procedures to provide symptom orientation and make them easier for operators to follow. These changes will make it easier for eventual computer display and computer implementation of procedures.

3. The Human Factors technical discipline is having a positive input on new control room design and standards. For example, the IEC 964 standard calls for functional analysis in the early stages of design.

4. Many control room designers have realized the need to accommodate factors such as station staff organization, operating philosophy, procedure implementation principles, operation work control, operations work organization and personal communication amongst the plant operations staff. The need to improve human factors in nuclear plants is greatest in areas such as operations staff training, organization, job definition and in the fostering of a safety culture. The members of this Advisory Group did not feel adequately qualified to make specific recommendations in these areas.

5. Control Room System designers have realized that the nuclear station's human/machine interface, unlike other plant systems, is continually evolving and improving throughout the plant life. Consequently there is a trend to build in expandability. The trend to application of open architecture (supplier independent) computer hardware and software is one example. Another example is the efforts being made by designers to make software and hardware more upgradable.

6. There were two areas in which the advisory group is aware of major technical concerns in the regulatory community. The experience of the group members in these areas suggests that the actual risks are less than those perceived by the regulators. These areas were:

- Electromagnetic Interference
- Safety Critical Software.

More R&D and published standards are needed in these areas.

7. There is a positive trend for CRS designers to reduce control panel complexity by using graphic CRTs to provide integrated "soft panel" facilities where information display and device controls are brought together.

8. There is R&D activity (particularly in Japan) focused on developing user cognitive models to try to reconcile the considerable differences between how computers solve problems (algorithmic solving) and how humans solve problems (hypothesis and test by pattern matching).

9. At this time there is an unsolved problem with respect to the possibility that control room operators may have difficulty trusting their own judgement when in conflict with recommendations provided by an Operator Support System, particularly when artificial intelligence techniques are being used. If not solved, this problem may result in regulatory restrictions on the use of such systems. More R&D is needed.

10. In older operating nuclear power plants the proliferation of independent backfit systems is causing maintenance and operational problems. Organizations that provide technical services to utilities are taking steps to assist in the resolution of these problems. These include the Electric Power Research Institute (EPRI) in the USA, the CANDU Owners Group in Canada and the World Association of Nuclear Operators (WANO), worldwide.

7.3 RECOMMENDATIONS

1. More specific R&D and nuclear plant operator feedback is needed to determine the best mix of "soft panels" and fixed physical display/control devices in the nuclear plant control room. For example, more work should be done to assess the concept of distributing CRT displays to better simulate the overview provided by the old fixed device panel.

2. For new plant designs and backfits to control rooms, electric utility organizations should participate more strongly in the definition, specification and implementation of the control room systems.

3. More R&D and operator feedback is needed to improve the design of overview mimic diagrams so they will be more effective in offsetting the tendency for operators to develop "CRT tunnel vision" in control rooms that use predominantly soft panel interfaces.

4. If there is a requirement for costly verification and validation of safety critical software, a special operator interface may be necessary for the safety related portion of the control room.

5. In the design of the alarm annunciation and information system portion of the CRS, more attention must be given to the special needs of operating stations during plant annual outages and extended periods of off-normal (i.e. low power) operation.

6. Full scope simulators are a requirement during the CRS design phase for new stations and for major backfits on existing stations.

7. There is a need for more systematic collection and interpretation of operating experience related to the incidence of human errors in operation and maintenance.

8. New and better techniques are required to assure the validity of data used in control and safety systems.

9. More studies should be performed to assess what activities should be added to or deleted from modern control room staff job descriptions in view of the technology now available.

10. More R&D is needed to achieve the best allocation of control functions between humans and machines.

11. More R&D is needed to resolve issues related to safety critical software and to operator dependence on operator support systems.

Appendix A
SAFETY CLASSIFICATION METHODOLOGY FOR NUCLEAR SYSTEM FUNCTIONS AND EQUIPMENT

Symbols and abbreviations

FSE   Function and the associated systems and equipment
FMEA  Failure Mode and Effect Analysis
IAEA  International Atomic Energy Agency
NPP   Nuclear Power Plant
PIE   Postulated Initiating Event

Requirements

I&C FSE of the NPP shall be assigned to categories according to their importance to safety. These categories shall then determine the criteria to be used in the design, manufacture, installation, commissioning and in-service maintenance and testing of the I&C systems and equipment.

Background

IAEA Safety Guide, Safety Series No. 50-SG-D1 establishes the concept of classification of NPP systems according to their importance to safety, and gives examples of the classification of the major systems of several types of NPP. Safety Guides, Safety Series No. 50-SG-D3 and 50-SG-D8 establish the distinction between the Safety Systems (i.e. those systems provided to assure the safe shutdown of the reactor and heat removal from the core, or to limit the consequences of anticipated operational occurrences or accident conditions) and safety related I&C systems (i.e. those I&C systems important to safety that are not included in the safety systems) [21, 31, 32].

The importance of, and the corresponding requirements on, the different parts of the I&C of the safety systems and the safety related I&C systems may be different, so that it is appropriate to assign them to different categories. Other I&C systems can have a significant effect on safety and therefore require appropriate consideration. Some I&C systems have intermediate, low or no significance to safety. They have correspondingly less stringent requirements for assurance of performance and safety justification, and have different technical requirements.

The International Standard [16] extends the classification strategy presented in IAEA Safety Guide, Safety Series No. 50-SG-D1 and establishes the criteria and methods to be used to assign the I&C systems of NPPs to one of three categories A, B and C, depending on the importance of the equipment to safety, or to a category of Unclassified for equipment with no direct safety role.

Description of categories

Category A

Category A denotes the FSE which play a principal role in the achievement or maintenance of NPP safety. These FSE prevent PIEs from leading to a significant sequence of events, or mitigate the consequences of PIEs. Category A FSE may be accomplished automatically or via manual actions, providing such actions are within the capabilities of human operators. Category A also denotes FSE whose failure could directly cause a significant sequence of events. Category A FSE have high availability requirements. They may be limited in their functionality so that their availability can be very confidently guaranteed.

Category B

Category B denotes FSE that play a complementary role to the category A FSE in the achievement or maintenance of NPP safety. The operation of a category B FSE may avoid the need to initiate a category A FSE. Category B FSE may improve or complement the execution of a category A FSE in mitigating a PIE, so that plant or equipment damage or activity release may be avoided or minimized. Category B also denotes FSE whose failure could initiate or worsen the severity of a PIE. Because of the presence of category A FSE to provide the ultimate prevention or mitigation of PIEs, the safety requirements for the category B FSE need not be as high as those for the category A FSE. This allows, if necessary, the category B FSE to be of higher functionality than category A FSE in their method of detecting a need to act or in their subsequent actions.

Category C

Category C denotes FSE that play an auxiliary or indirect role in the achievement or maintenance of NPP safety. Category C includes FSE that have some safety significance, but are not category A or B. They can be part of the total response to an accident but not be directly involved in mitigating the physical consequences of the accident.

Basis of classification

I&C FSE shall be assessed in relation to the consequences of their malfunction, such as failure to operate when required to do so, or spurious operation. Maintenance and testing shall be considered in this assessment. PIEs within the NPP's design basis shall be considered. The consideration shall include the analysis of significant sequences of events, to identify the functions required to be carried out by the I&C FSE.

This consideration of the functions carried out by the I&C FSE shall result in the assignment of each FSE to one of categories A, B or C, or unclassified. An unclassified assignment is made if the FSE is not significant to safety.

The presence of a lower category FSE (respectively B, C or unclassified) shall not be used to avoid the provision of, or to justify the deletion of, a higher category FSE (respectively A, B or C).

National application of the principles and criteria of this standard may assign differing nomenclature to categories A, B and C. The national application shall be according to the principles, criteria and associated requirements given in this standard. This shall involve establishing and documenting an appropriate correspondence to the categories defined.

I&C FSE falling within the boundary of the safety systems, as defined in IAEA Safety Guide, Safety Series No. 50-SG-D8, will generally be assigned to category A. I&C FSE defined as safety related in that guide will be assigned to categories A, B or C.

Assignment Criteria

The criteria that shall be applied for assignment of FSE to categories A, B and C are given below.

If a FSE does not meet any of the criteria given below, then it shall be "unclassified".

In the case of multiple assignment, the final assignment of category to each FSE, and to the sub-FSE that are needed to achieve the FSE, shall be the highest applicable category.

Category A

An I&C FSE shall be assigned to category A if it meets any of the following criteria:

(a) It is required to mitigate the consequences of a PIE to prevent it from leading to a significant sequence;

(b) Its failure when required to operate in response to a PIE could result in a significant sequence of events;

(c) A fault or failure in the FSE would not be mitigated by another category A FSE, and would lead directly to a significant sequence of events;

(d) It is required to provide information or control capabilities that allow specified manual actions to be taken to mitigate the consequences of a PIE to prevent it from leading to a significant sequence.

In reference to criterion (d), factors such as the availability of redundant information sources, sufficient time for operator evaluation of alternative sources of information, and whether the manual actions are the only means of mitigation of the sequence of events shall be considered in categorizing FSE. If manual action is required to preserve NPP safety, the I&C FSE that enables this action shall be assigned to category A.

Category B

An I&C FSE shall be assigned to category B if it meets any of the following criteria and is not otherwise assigned to category A:

(a) It controls the plant so that process variables are maintained within the limits assumed in the safety analysis;

(b) Faults or failures of the (category B) FSE would result in a requirement for operation of a category A FSE in order to avoid a significant sequence;

(c) It is used to prevent or mitigate a minor radioactive release, or minor degradation of fuel, within the NPP design basis, but of less importance than a significant sequence of events. (The definition of a minor radioactive release or minor degradation of the fuel shall be according to national practice. A minor radioactive release might be that due to a release of coolant without additional fuel damage. Minor degradation of the fuel might involve damage to a small amount of fuel cladding without release of coolant or loss of ability to cool the core satisfactorily.)

(d) It is provided to alert control room staff to failures in category A FSE;

(e) It is provided to monitor continuously the availability of category A FSE to accomplish their safety duties;

(f) It is used to reduce considerably the frequency of a PIE as claimed in the safety analysis.

Category C

An I&C FSE shall be assigned to category C if it meets any of the following criteria and is not otherwise assigned to category A or category B:

(a) It is used to reduce the expected frequency of a PIE;

(b) It is used to reduce the demands on, or to enhance the performance of, a category A FSE;

(c) It is used for the surveillance or recording of conditions of FSE, to determine their safety status (fit for operation, operating, failed or inoperative), especially those whose malfunction could cause a PIE;

(d) It is used to monitor and take mitigating action following internal hazards within the NPP design basis (e.g. fire, flood);

(e) It is used to ensure personnel safety during or following events that involve or result in release of radioactivity in the NPP, or risk of radiation exposure;

(f) It is used to warn personnel of a significant release of radioactivity in the NPP or of a risk of radiation exposure;

(g) It is used to monitor and take mitigating action following natural events (e.g. seismic disturbance, extreme wind);

(h) It is the NPP internal access control.
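
The assignment rules of this appendix (criteria per category, the highest applicable category on multiple assignment, and sub-FSE taking the category of the FSE that needs them) as an added worked example in Python. This is not part of the report or of the International Standard it summarizes; the FSE names, the criteria each is taken to meet and the dependencies between them are constructed for illustration.

```python
"""Category assignment following the Appendix A rules (added example; constructed data,
not the report's own code).

Each FSE lists the criteria it meets as (category, letter) pairs using the lettering of
the appendix.  Its direct category is the highest category with at least one criterion
met (B criteria count only when no A criterion is met, and C only below B, which taking
the maximum implements directly).  A sub-FSE that an FSE needs to achieve its function
inherits that FSE's category when it is higher than its own."""
from dataclasses import dataclass, field

RANK = {"unclassified": 0, "C": 1, "B": 2, "A": 3}

# Valid criterion letters per category, as listed in the appendix.
CRITERIA = {"A": set("abcd"), "B": set("abcdef"), "C": set("abcdefgh")}


@dataclass
class FSE:
    name: str
    met: set                                   # criteria met, e.g. {("A", "d"), ("C", "b")}
    needs: set = field(default_factory=set)    # names of sub-FSE required to achieve this FSE


def direct_category(fse):
    """Highest category for which the FSE meets at least one criterion."""
    best = "unclassified"
    for cat, letter in fse.met:
        if letter not in CRITERIA.get(cat, ()):
            raise ValueError(f"{fse.name}: no criterion {cat}({letter}) in the appendix")
        if RANK[cat] > RANK[best]:
            best = cat
    return best


def assign(fses):
    """Return {fse name: final category} with categories propagated along 'needs' edges.

    Propagation runs to a fixed point, so chains (A needs X, X needs Y) and shared
    sub-FSE are handled; a shared sub-FSE ends at the highest category of anything
    that depends on it."""
    by_name = {f.name: f for f in fses}
    missing = {d for f in fses for d in f.needs} - set(by_name)
    if missing:
        raise KeyError(f"'needs' refers to undefined FSE: {sorted(missing)}")
    result = {n: direct_category(f) for n, f in by_name.items()}
    changed = True
    while changed:
        changed = False
        for f in fses:
            for dep in f.needs:
                if RANK[result[f.name]] > RANK[result[dep]]:
                    result[dep] = result[f.name]
                    changed = True
    return result


def uplifted(fses):
    """Names of FSE whose final category exceeds what their own criteria give them:
    the supporting or shared items that inherit requirements from a higher function."""
    final = assign(fses)
    return sorted(f.name for f in fses if RANK[final[f.name]] > RANK[direct_category(f)])


def example_fses():
    """Constructed illustration (hypothetical FSE names, not taken from the report)."""
    return [
        FSE("reactor_trip", {("A", "a")}, needs={"trip_parameter_channel"}),
        FSE("trip_parameter_channel", {("C", "c")}),
        FSE("trip_system_fault_alarm", {("B", "d")}, needs={"plant_computer"}),
        FSE("plant_computer", set()),
        FSE("manual_ecc_initiation_display", {("A", "d"), ("C", "b")}, needs={"plant_computer"}),
        FSE("internal_access_control", {("C", "h")}),
    ]


if __name__ == "__main__":
    for name, cat in assign(example_fses()).items():
        print(f"{name:32s} {cat}")
```

The result for the hypothetical plant computer is the point of the exercise: on its own criteria it is unclassified, but because a display that enables a required manual action (criterion A(d)) is taken to depend on it, the rule on sub-FSE carries it to category A. In practice the designer then either builds that data path to category A requirements or removes the dependency, which is why the appendix notes that category A FSE may be limited in functionality so that their availability can be confidently guaranteed.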

Appendix B
EVALUATION TECHNIQUES

Technique                                            Typical use
-------------------------------------------------------------------------------------------------------------
 1. Goals, Operations and Methods                    Describes the structure of routine operations on computer systems as a basis for predicting performance.
 2. Hierarchical Task Analysis (HTA)                 Task identification.
 3. Task Analysis for Knowledge and Related          Task descriptions for mapping into the HMI.
    Design Knowledge Structures
 4. Task Decomposition                               Task needs identification: performance requirements, knowledge required, displays and controls.
 5. Functional Decomposition (IEC Standard 964)      Control room MMI design.
 6. Function Analysis System Technique (FAST)        Function relationships where no procedure exists.
 7. Time Line Analysis                               Work load.
 8. Operational Sequence Diagrams                    Work space layout.
 9. Activity Analysis                                Work conditions, team organization, task organization.
10. Network Analysis                                 Sequence of operations.
11. Flow Process Charts                              Plots of operator activity or information flow time sequences.
12. Task Criticality Rating                          Consequence/risk analysis.
13. Selection Analysis                               Determine skills, knowledge, special aptitude and physiological characteristics needed to perform tasks.
14. Training Analysis                                Determine if special training or training equipment is needed.
15. Decision-making Analysis                         Determine types of decisions required of personnel and information needed to make decisions.
16. Link Analysis                                    Determine interactions and communications between people in systems.
17. Behavioural Task Analysis                        Analysis of troubleshooting and non-troubleshooting tasks.
18. Cognitive Complexity Theory                      Describes both task and interface structures to predict performance and complexity.
19. Equipment Analysis                               Identifying equipment maintenance needs.
20. Functional Analysis                              Isolating discrete and measurable functions of equipment.
21. Correlation Matrices                             Summing up all links between operators, work-stations and/or equipment.

Appendix C
EQUIPMENT STATUS MONITOR

The equipment status monitor (ESM) is a complete computerization of the work protection process, from initial discussion of work permit requirements, through preparation by an operator, authorization and implementation, to final removal.

The enabling feature of ESM was the bar coding, early on, of all operable devices, a far sighted pre-ESM decision. A unique barcode on each device, and careful use of an impersonal device like a barcode reader, make it nearly impossible to approach and unknowingly operate the wrong equipment. Reading these tags is therefore an important part of the ESM process.

A recent actual event that occurred at Darlington Nuclear Generating Station in the Tritium Removal Plant will be described so that the reader can appreciate the part played by the barcode reader. The following is an excerpt from a Darlington Nuclear Generating Station document called a "Report to the Production Manager"; an event of serious nature but less so than a "Significant Event Report".

"During performance of OTO 69510...power supply 0-53330-MCC052-B3 was incorrectly opened, tested and tagged. The correct device on OTO was 0-53330-MCCO-52L-B3".

This mistake is easily made by even a trained operator, but would certainly have been picked up by an accurate barcode reader. As a matter of record, the Manager's response was to "give more urgency to installing the ESM system to avoid errors of this type".

A well accepted data integrity strategy calls for a single source for each data set, with one owner/update person. This principle, and the need to avoid clogging up the ESM databases with thousands more devices, led to a decision to use the official verified list of air and power supplies resident on the Darlington Nuclear Generating Station mainframe storage.

To place a permit on a system requiring isolation, one would bring up the dynamic flowsheet on an ESM terminal, and either start selecting devices into a properly sequenced order to operate, or bring in a previously recorded, relevant version of what is currently required. Either an original or an edited version can be prepared and downloaded into a barcode reader, as well as being used to create a permit document output to a laser printer.

Field implementation will involve "walking" the permit with a barcode reader, making all operations AFTER scanning the barcode tag on each field device, then returning to the ESM terminal to download the completion status to the server database. Figure 7 illustrates a typical "OTO".
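
The walk-down described above, as an added worked example that is not part of the IAEA report and is not the Darlington ESM software: a permit guard that releases each operation only after the reader has scanned the tag of exactly the device named by the current step of the sequenced OTO, and records every refused scan for the completion status upload. The two device tags are the ones quoted in the Darlington report; the OTO steps, the second device on the permit, the master list and the look-alike threshold are constructed for illustration.

```python
"""Permit walk-down guard modelled on the ESM process (added example; constructed data).

The permit (OTO) is a sequenced list of device/action steps downloaded to the reader.
An action is permitted only after the reader scans the barcode of exactly the device
that the current step names; any other tag is refused, classified, and logged."""
from dataclasses import dataclass
import difflib


@dataclass(frozen=True)
class Step:
    device: str   # device tag as printed on its barcode label
    action: str   # e.g. OPEN, TEST, TAG, CLOSE


class WalkdownError(Exception):
    pass


class PermitWalkdown:
    LOOKALIKE = 0.8   # similarity at or above which a refused tag is reported as a look-alike

    def __init__(self, oto_id, steps, master_list):
        # master_list stands for the verified device list that is the single data source
        # for ESM; a permit naming a device absent from it is rejected before download.
        unknown = sorted({s.device for s in steps} - set(master_list))
        if unknown:
            raise WalkdownError(f"{oto_id}: devices not in master list: {unknown}")
        self.oto_id = oto_id
        self.steps = list(steps)
        self.master = set(master_list)
        self.position = 0
        self.log = []   # (result, tag, detail) tuples uploaded to the server after the walk

    @property
    def expected(self):
        return self.steps[self.position] if self.position < len(self.steps) else None

    def scan(self, tag):
        """Return the action now permitted on `tag`; raise WalkdownError if refused."""
        step = self.expected
        if step is None:
            raise WalkdownError(f"{self.oto_id}: permit already complete")
        if tag == step.device:
            self.position += 1
            self.log.append(("OK", tag, step.action))
            return step.action
        # Refused: say why, so the completion status shows what the operator approached.
        if tag not in self.master:
            reason = "unknown device"
        elif tag in {s.device for s in self.steps[self.position:]}:
            reason = "out of sequence"
        elif difflib.SequenceMatcher(None, tag, step.device).ratio() >= self.LOOKALIKE:
            reason = f"look-alike of {step.device}"
        else:
            reason = "not on this permit"
        self.log.append(("REFUSED", tag, reason))
        raise WalkdownError(f"{self.oto_id}: {reason}; expected {step.device}, scanned {tag}")

    def complete(self):
        return self.position == len(self.steps)


def darlington_walkdown():
    """Replays the Darlington event against the guard: the operator approaches the wrong
    MCC breaker first and is refused, then scans the correct one and proceeds."""
    correct = "0-53330-MCCO-52L-B3"   # device named on OTO 69510 (from the report)
    wrong = "0-53330-MCC052-B3"       # device actually operated (from the report)
    other = "0-53330-PV-101"          # constructed second device on the same permit
    master = [correct, wrong, other]  # constructed stand-in for the verified device list
    steps = [Step(correct, "OPEN"), Step(correct, "TEST"), Step(correct, "TAG"),
             Step(other, "CLOSE")]
    walk = PermitWalkdown("OTO 69510", steps, master)
    for tag in (wrong, other, correct, correct, correct, other):
        try:
            walk.scan(tag)
        except WalkdownError:
            pass   # the refusal is already in walk.log; the operator moves to the right device
    return walk


if __name__ == "__main__":
    for entry in darlington_walkdown().log:
        print(*entry)
```

Two design points follow from the appendix. The reader enforces the sequence, not just membership: a device that is on the permit but not yet due is refused as out of sequence, which matters for isolations that must be made in a specific order. And the wrong breaker is reported as a look-alike of the expected one, which is the information a "Report to the Production Manager" would want, since the operator's error was a near-identical tag and not a random device.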

The ESM data source is the equipment database of all of the station's operable devices, taken from Computer Aided Drafting (CAD) produced flowsheets (see Figure 8). Once the flowsheet devices are converted to symbols in the database, their description, state, and involvement in an existing or pending permit can be displayed on the high resolution screen. The graphic then becomes a dynamic live flowsheet. Darlington Nuclear Generating Station will have a total of 2350 such flowsheets, including those of the four units, the common processes, and the Tritium Removal Plant. Even floor layouts with no operable devices will be included. The Darlington breakdown is:

Operating facility      Number of flowsheets
TRF                     150
Common processes        600
Units 1 to 4            4 x 400 (approximately 13 operable devices each)
Total                   2350

Appendix D
LIST OF ISSUES FOR DISCUSSION

What are the areas where existing control room design standards (such as IEC 964 and NRC NUREG 700) have fallen behind the rapidly evolving technology?

How to address the need for a systematic methodology to assign operational functions to man or machine.

How, and to what extent, to provide for adequate verification and validation of the control room design.

Does an all CRT control room leave the operators with an inadequate capability to see the 'big picture'? Can large scale displays or mural mimics provide the overview?

Is there an optimum compromise between an all CRT control room and a control room where every action and display is implemented through fixed discrete devices?

In accident situations, should there be a specified minimum time duration during which the control room operator does not need to take any action to mitigate the accident? If so, how long?

How can the design achieve the maximum degree of context sensitivity in the control room information presentation?

How can computers and graphic CRTs be used to improve the communication of detailed operating procedures in operating scenarios?

Alarm annunciation overload has been a problem in existing power stations. How can guidelines for control room design help improve this situation?

Since work control and equipment configuration control are vital functions of the operating staff, should facilities for these functions be considered part of the scope of the control room design guidelines?

Is there a role for voice annunciation in the modern control room?

Is there a role for hypertext information retrieval in the modern control room?

Is it acceptable for safety critical operator remote manual functions to be implemented by a means that involves computer software?

Is it acceptable for safety critical operator remote manual functions to be transmitted over a serial data highway en route to the final actuator?

Can guidelines be established to limit the risk from utilization of new technology or relatively unproven equipment?

How can the risk of common mode failure associated with Electromagnetic Interference be limited without limiting the application of digital electronics in the nuclear power station?

Given the tools and technology available today and the resources available to Nuclear Steam Supply Companies, Architect Engineers and Electric Utilities, what is the best division of responsibility to perform the Control Room Systems Design and Implementation scope of work?

Appendix E
INTEGRATING DISPLAYS AND MIMICS

Where several individual control or work stations are provided in a room or work area, the Designer can evaluate the need for and, where necessary, provide integrated displays and mimics to co-ordinate the tasks at the various stations.

The displays and mimic will provide a spatially dedicated, continuously viewable, integrated presentation of the plant status in a direct manner, to a level of detail beyond that of summary information, to enable the operators to confidently assess the status of essential equipment operated from the MCR. These spatially dedicated displays will supplement and complement the serial presentations of subsets of this information at the work station. Thus, these displays will enhance coordination among MCR personnel during normal, abnormal and emergency situations, and provide a clear, concise and continuous point of reference for operators to assess plant status frequently and quickly while performing tasks at the work station. They will also be a useful aid during shift turnover, for assessing plant maintenance activities, and for training activities in the main control room. The facility will provide key parameters and status indications independent of other displays, with information immediately available to all operators and any supporting observers without burdening the normal display facilities and without any direct action by personnel other than to look up at the display.

Any such display shall be explicitly included in the process of developing the CRS design, especially the design of the work or control stations which it serves. This shall include:

• The specific identification of the functions and tasks assigned to the overview displays;
• The incorporation of the displays into simulators and mockups;
• The specification of the use of the overview displays in the operating procedures.

The CRS design shall include an integrating overview display and mimic in the main control room. This display shall meet the requirements for integration into the CRS design process. In addition, the following requirements apply:

The MCR overview and mimic shall be included in the plant simulator and MCR functional specification. The suitability of the overview mimic shall be validated by active simulation.

The overview display shall provide for the display of a limited number of key operating parameters. The specific parameters shall be determined in the design process; however, the following shall be specifically considered for incorporation:

• Power level;
• Reactor coolant system pressure;
• Reactor coolant system temperatures;
• Margin to saturation;
• Reactor coolant flow rates;
• Reactor vessel level (BWR);
• Steam generator level (PWR);
• Pressurizer level (PWR);
• Steam pressure;
• Steam flow.

The overview display shall provide for the display of the operational status, e.g. flow or no-flow, energized or de-energized, on or off, open or closed, etc., of a limited number of essential components controlled or monitored from the MCR. The specific displays shall be determined in the design process; however, the following shall be specifically considered for incorporation:

• Reactor coolant pumps (PWR);
• Recirculation pumps (BWR);
• Feedwater and condensate system pumps;
• Isolation valves (e.g. main steam and feedwater);
• Safety systems pumps and valves;
• Decay heat removal pumps and valves;
• Power supply breakers;
• Auxiliary power generators;
• Safety and relief valves;
• Circulating water pumps.

The overview display shall provide for the display of high level derived quantities, e.g. those which depend on a particular logic algorithm, where the design process shows such information directly supports the use of the overview display. The specific quantities shall be determined in the design process; however, the following shall be specifically considered for incorporation:

• Plant mode or state;
• Availability of safety systems or functions.

The overview display shall provide for the spatially dedicated display of certain key alarms or similar alarm-like information which needs to be brought to the operator's attention. The specific items to be displayed shall be determined in the CRS design process for the alarm system.

The design practices and presentation guidelines for the overview mimic shall be validated by active simulation. These design practices and guidelines shall be documented and shall include the following:

• These overview displays shall be visible and usable from the work stations in the main control room as well as from the probable locations of observers or support personnel.

• The status of components shall not be presented by methods which depend entirely on colour, i.e. shape or position coding shall also be incorporated.

• Labels which are to be read at a distance shall be minimized; however, when the display is viewed from close range, each display quantity should be specifically identified by a label readable at the short distance.

• The overview display should provide for routine maintenance from the back of the panel.

• The overview display shall be arranged so that loss of a single light element will not result in the loss of information. In addition, all lights shall be testable by simple controls from the front of the display.

• The design of the overview mimic shall be flexible so that changes in the arrangement can be accommodated.

The overview display shall provide the information needed to support use of any manual system-level actuation controls, based on task analysis for the events requiring their use. This shall include the information needed for the operator to determine that system-level actuation is required. The overview display shall also provide feedback information once the actuation has been performed, unless this feedback is provided by displays which are part of the manual controls themselves.

REFERENCES

[1] INTERNATIONAL ELECTROTECHNICAL COMMISSION, Design for Control Rooms of Nuclear Power Plants, Standard IEC 964, Geneva (1989).

[2] INTERNATIONAL ATOMIC ENERGY AGENCY, Control Rooms and Man-Machine Interface in Nuclear Power Plants, IAEA-TECDOC-565, IAEA, Vienna (1990).

[3] INTERNATIONAL ATOMIC ENERGY AGENCY, The Role of Automation and Humans in Nuclear Power Plants, IAEA-TECDOC-668, IAEA, Vienna (1992).

[4] ELECTRIC POWER RESEARCH INSTITUTE, Human Factors Guide for Nuclear Power Plant Control Room Development, EPRI NP-3659, EPRI, Palo Alto (1984).

[5] ELECTRIC POWER RESEARCH INSTITUTE, Advanced Light Water Reactor Requirements, EPRI, Palo Alto (1991).

[6] INTERNATIONAL ELECTROTECHNICAL COMMISSION, Control Points for Reactor Shutdown with Access to Main Control Rooms, Supplementary Standard IEC 965, Geneva (1989).

[7] INTERNATIONAL ELECTROTECHNICAL COMMISSION, Functional Design Criteria for a Safety Parameter Display System for Nuclear Power Stations, Standard IEC 960, Geneva (1988).

[8] INTERNATIONAL ATOMIC ENERGY AGENCY, Computer Based Aids for Operator Support in Nuclear Power Plants, IAEA-TECDOC-549, IAEA, Vienna (1990).

[9] INTERNATIONAL ATOMIC ENERGY AGENCY, Guidebook on Training to Establish and Maintain the Qualification and Competence of Nuclear Power Plant Operations Personnel, IAEA-TECDOC-525, IAEA, Vienna (1989).

[10] US NUCLEAR REGULATORY COMMISSION, Guidelines for Control Room Design Review, NUREG-700 (1981).

[11] FUJITA, Y., TOQUAM, J., WHEELER, W., "Collaborative Cross-Cultural Ergonomics Research: Problems, Promises, and Possibilities", Proceedings of the Eleventh Congress of the International Ergonomics Association, Taylor and Francis (1991) 875-877.

[12] US FEDERAL COMMUNICATIONS COMMISSION, Limits for Radiated and Conducted Emissions, Part 15, Class A.

[13] INTERNATIONAL ELECTROTECHNICAL COMMISSION, Programmed Digital Computers Important to Safety for Nuclear Power Stations, Standard IEC 987, Geneva (1989).

[14] INTERNATIONAL ELECTROTECHNICAL COMMISSION, Software for Computers in the Safety Systems of Nuclear Power Stations, Standard IEC 880, Geneva (1987).

[15] INTERNATIONAL ATOMIC ENERGY AGENCY, Computerization of Operations and Maintenance for Nuclear Power Plants, IAEA-TECDOC, IAEA, Vienna (in preparation).

[16] INTERNATIONAL ELECTROTECHNICAL COMMISSION, Nuclear Power Plants - Instrumentation and Control Systems Important to Safety - Classification, Standard IEC 1226, Geneva (1993).

[17] IEEE Standard for Software Configuration Management Plans, IEEE 828 (1983).

[18] IEEE Standard for Software Test Documentation, IEEE 829 (1983).

[19] IEEE Guide to Software Requirements Specifications, IEEE 830 (1984).

[20] INTERNATIONAL ATOMIC ENERGY AGENCY, Nuclear Power Plant Instrumentation and Control, A Guidebook, Technical Reports Series No. 239, IAEA, Vienna (1984).

[21] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Related Instrumentation and Control Systems for Nuclear Power Plants: A Safety Guide, Safety Series No. 50-SG-D8, IAEA, Vienna (1984).

[22] INTERNATIONAL ELECTROTECHNICAL COMMISSION, Nuclear Power Plants - Instrumentation and Control Systems Important for Safety - Requirements for Electrical Supplies, Standard IEC 1225, Geneva (1993).

[23] INTERNATIONAL ELECTROTECHNICAL COMMISSION, Nuclear Power Plants - Control Rooms - Operator Control, Standard IEC 1227, Geneva (1993).

[24] IEEE/ANSI Standard 497, Design for Post Accident Monitoring Systems.

[25] INTERNATIONAL ATOMIC ENERGY AGENCY, Quality Assurance Organization for Nuclear Power Plants, A Safety Guide, No. 50-SG-QA7, IAEA, Vienna (1983).

[26] INTERNATIONAL ATOMIC ENERGY AGENCY, Establishing the Quality Assurance Programme for a Nuclear Power Plant Project, A Safety Guide, No. 50-SG-QA1, IAEA, Vienna (1987).

[27] INTERNATIONAL ATOMIC ENERGY AGENCY, Code on the Safety of Nuclear Power Plants: Quality Assurance, No. 50-C-QA, IAEA, Vienna (1988).

[28] INTERNATIONAL ATOMIC ENERGY AGENCY, Manual on Quality Assurance for Installation and Commissioning of Instrumentation, Control and Electrical Equipment in Nuclear Power Plants, Technical Reports Series No. 301, IAEA, Vienna (1989).

[29] INTERNATIONAL ELECTROTECHNICAL COMMISSION, General Principles of Nuclear Reactor Instrumentation, Standard IEC 231, Geneva (1967).

[30] BENJAMIN, M.E., et al., Expert Systems for Advanced Process Analysis and Control for Nuclear Power Plants, Proceedings of the IAEA Specialists Meeting on Analysis and Control as a Decision Tool, Arnhem.

[31] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Functions and Component Classification for BWR, PWR and PTR: A Safety Guide, Safety Series No. 50-SG-D1, IAEA, Vienna (1979).

[32] INTERNATIONAL ATOMIC ENERGY AGENCY, Protection System and Related Features in Nuclear Power Plants: A Safety Guide, Safety Series No. 50-SG-D3, IAEA, Vienna (1980).

[33] INTERNATIONAL ATOMIC ENERGY AGENCY, Computer Based Aids for OperatorSupport Systems in Nuclear Power Plants, IAEA-TECDOC-549, IAEA, Vienna (1990).

[34] INTERNATIONAL ATOMIC ENERGY AGENCY, Expert Systems in Nuclear Industry,IAEA-TECDOC-660, Vienna (1992).

[35] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Culture, Safety Series, No. 75-INSAG-4, IAEA, Vienna (1991).

88

Page 89: Control room systems design for nuclear power plants · 2006. 8. 7. · Control room systems design for nuclear power plants ... INTERNATIONAL ATOMIC ENERGY AGENCY. The IAEA does

Annex
NATIONAL ACTIVITY REPORTS


PROCESS MONITORING SYSTEMS OF LOVIISA NUCLEAR POWER STATION
T. MANNINEN
IVO International Ltd, Finland

Abstract

The new process computer systems at Imatran Voima Oy's (IVO) Loviisa NPS in Finland have been in operation since January 1990. In all, three process computer systems were replaced in this large project, one for each reactor and one for the training simulator. Replacement was completed on schedule and without disturbing the plant operation after a complex implementation programme stretching over three years. The new systems were connected and tested alongside the old without interfering with their operation, the final exchange being done during normal plant operation. Besides the performance and availability requirements, extendibility and upgradeability were among the main design requirements. After four years of operation and after implementation of several new functions and extensions the systems have proven to meet these requirements.

1. INTRODUCTION

Loviisa NPS is a two-unit PWR, which has been in use since 1977 (LO1) and 1981 (LO2). It is the first nuclear power station in Finland and its design is a combination of Western and Eastern technologies. The reactor and turbogenerators are of Soviet design (VVER-440) whereas the I&C and plant protection systems are of Western design (Siemens/KWU). Many components and systems are also from Finnish suppliers, e.g. primary coolant pumps, main transformers, most computer systems etc.

The plant has operated successfully and achieved high load factors, short outages and low releases. This paper describes how the process monitoring computer systems have been replaced, utilized and developed during recent years.

2. REPLACEMENT OF COMPUTER SYSTEMS

The main tasks of the process computer systems at Loviisa NPS are process monitoring, execution of large plant performance and nuclear applications software and information presentation to the plant operators. All the dynamic process information in the control room, such as measurements and alarms, can be displayed on the computer CRTs. The computer system does not control the process, this being done by the conventional I&C equipment. Even though the computer system is not classified as important to safety, the normal operation of the plant is dependent on the availability of the process computer, which can also be regarded as one of the factors affecting the exceptionally high performance of Loviisa NPS.

The computer systems have always had a very central role in the operation of the plant. This not only placed great demands on the new system itself but also emphasized the importance of careful planning of such a replacement at a running plant. The main requirement set for the replacement project was that the replacement shall not disturb the energy production and normal operation of the plant. The following arrangements were the main contributors to the success of the replacement project:

- Phasing the retrofitting of the analogue process interface (A/D conversion electronics) to the future and installing the binary signal scanners gradually in refuelling outages. By these means the new system inputs were connected in parallel with the old computer system.
- Due to the high degree of distribution, the system could be tested in several stages, starting from the data acquisition subsystem and continuing to the applications and man-machine functions. This was done according to a detailed verification plan, both at the supplier's factory and as a repetition on site.
- Validation of man-machine functions and applications was performed at the on-site full-scope simulator.
- Both the new and the old system were used in the main control room for several months.

The changeover from parallel operation to the new system was done during normal operation of the plant and caused practically no disturbance to control room operations. Data acquisition from the process was arranged in parallel with the old system without touching the actual process instrumentation wiring. This could be done by "listening" to the data scanning of the old system, because the analog data scanners and the interconnection relays of the digital signals were not replaced.

For keeping to the time schedule of the project it was very important to have the application development and man-machine interface design as independent of the basic system development as possible. This was achieved by 'standardizing' both the database interface of the application software and the PMS system graphics presentation file formats. IVO could do its own share of the project without a direct connection to the PMS system supplier ABB's schedules. The application development could thus continue in parallel with the basic PMS system development. The application software was developed by using a test database in IVO's in-house computer systems, after which it was transported to the target system. The preliminary display design was made using IVO's CAD systems and then converted to final displays by adding database references. The company-wide data network and a local CAD workstation at the plant facilitated direct follow-up and comment on the display design by the plant staff. In the final integration of displays and reports into the main system, software tools had a very important role. A considerable part of the applications were implemented by means of software tools without any program coding, thus ensuring a high software quality and a reasonable development effort.

The man-machine functions and the applications were specified and designed largely on the basis of the experience with the old system. This experience was extremely important for the success of the project and acceptance of the new system. Other reasons for the good acceptance among users were the involvement of the plant operators from the beginning of the project, in the validation and commissioning phase and in the final acceptance tests. Also, a major part of the training process was conducted by the operational people of the plant. The simulator had a very central role in this training. At the plant, operation and utilization of the new systems in advance were possible by having the parallel display units in the main control room and in the adjacent computer room, but also by using a large video screen and the operator's keyboard in a training room for on-line training sessions. The later functional extensions and new functions have always been verified and validated at the simulator first, prior to implementation at the plants.

3. FUNCTIONS

The functions of the Loviisa process computer systems have been expanded continuously since the implementation project, which ended in May 1990. The functions can be divided into two main levels: the basic process management system (PMS) functions and application specific functions to support the nuclear plant operator in his tasks. The latter group of functions is also called Computerized Operator Support Systems (COSS).

3.1. Basic functions

The basic functions comprise functions that are necessary for normal process monitoring and are thus independent of the nuclear plant processes. Extension and maintenance of these functions are made interactively by parameterization or by means of a graphic user interface.


Main developments since commissioning are expansions in data acquisition and fast logic calculation. Both are mainly due to the new applications mentioned in the next chapter.

The basic functions, with some related characteristic data are presented briefly below:

Data acquisition
- Analog signals: 2600 per unit, 1-30 s intervals, validity checking, on-line calibration
- Binary signals: 6500 per unit, 20 ms resolution, pulse counters, filtering

Fast calculations
- Interval: 1 s
- Functions: gradient, max, min, range selector, logic values etc.
- Tool-based definition, graphical presentation of logic algorithms

Alarm and event handling
- Limit checking, status checking, inhibition logic
- Three alarm priorities, events

History data
- Buffer for the 10 000 latest alarms and events
- Instantaneous values on three levels:
    interval: 2 s / 10 s / 60 s
    range: 20 min / 2 h / 24 h
- Average values on three levels:
    period: 5 min / 60 min / 24 h
    range: 1 week / 1 month / 1 year

Display system (man-machine interface)
- Display types: alarms, events, process diagrams, trend/history, graphical algorithms (logics), task oriented displays, X-Y plots, computer system diagrams, measurement lists/point info
- Functions on displays: windowing, zooming, add-info, scaling, measurement selection
- Calling sequences: direct function key, cursor + function key, menus, soft keys, page keys
- Display copy: color hard copy, color "soft copy", laser "soft copy"

Reports
- Measurement data and history (1 h, 8 h, 1 day, 1 week, 1 month)
- Results from calculations
- Printed or displayed, scheduled or user activated
- Reports and displays are made using the same graphic tools, and all can be printed and displayed uniformly in the system

Data storage
- Post-incident data on disturbances, automatically or on request
- History data on selected variables
- Collected data kept as long as needed
- Data files or report files stored on magnetic tape on request

Computer system monitoring
- Monitoring of system and unit status
- Automatic change-over features
- Checking and restoring of integrity of the distributed database
- Version management of software in the network
- Displays, alarms, user controls
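Two of the computer system monitoring functions listed above, checking and restoring the integrity of the distributed database and version management of the software in the network, are the ones that matter most for the trustworthiness of what the operator sees: a node whose copy of the point database (alarm limits, engineering units) has drifted from the master will alarm differently from its neighbours, and a node running a different software version may interpret the same data differently. The Python code below is an added illustration of how such a check can be done, written for this edition and not part of the Loviisa system or of ABB's PMS platform. It compares a digest of each node's copy against the master copy, enumerates the diverged points only when the digests differ, checks version strings, and restores a diverged replica from the master. Node names, point ids, limits and version strings are constructed sample values.

```python
from __future__ import annotations

import copy
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class Node:
    """One computer of the process monitoring network (hypothetical model)."""
    name: str
    software_version: str
    database: dict = field(default_factory=dict)  # point id -> point attributes


def database_digest(database: dict) -> str:
    """SHA-256 over a canonical (sorted-key, no-whitespace) serialization of the
    point database, so that two nodes with equal content give equal digests."""
    canonical = json.dumps(database, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diverged_points(reference: dict, candidate: dict) -> list[str]:
    """Point ids whose attributes differ, or which exist on only one side."""
    return sorted(k for k in set(reference) | set(candidate)
                  if reference.get(k) != candidate.get(k))


def check_integrity(master: Node, replicas: list[Node]) -> dict[str, list[str]]:
    """Compare every replica with the master copy. Returns a list of findings
    per node name; an empty list means the node is consistent."""
    reference = database_digest(master.database)
    findings = {}
    for node in replicas:
        problems = []
        if node.software_version != master.software_version:
            problems.append(f"software {node.software_version} "
                            f"(master {master.software_version})")
        # Cheap digest comparison first; enumerate differences only on a mismatch.
        if database_digest(node.database) != reference:
            problems.append("database diverged: "
                            + ", ".join(diverged_points(master.database, node.database)))
        findings[node.name] = problems
    return findings


def restore(master: Node, node: Node) -> list[str]:
    """Overwrite a replica's database with the master copy; returns the point
    ids that were rewritten (empty if the replica was already consistent)."""
    changed = diverged_points(master.database, node.database)
    node.database = copy.deepcopy(master.database)
    return changed


def build_demo_network() -> tuple[Node, list[Node]]:
    """Constructed sample network: a master and three replicas, one of which
    carries a stale alarm limit and one of which runs an older software version."""
    master_db = {
        "TE-101": {"unit": "degC", "hi_limit": 320.0, "lo_limit": 250.0},
        "PT-202": {"unit": "bar", "hi_limit": 135.0, "lo_limit": 110.0},
        "ZS-303": {"unit": "", "type": "binary"},
    }
    master = Node("DB-MASTER", "2.3", master_db)
    good = Node("MMI-1", "2.3", copy.deepcopy(master_db))
    stale = Node("MMI-2", "2.3", copy.deepcopy(master_db))
    stale.database["TE-101"]["hi_limit"] = 330.0   # limit changed on one node only
    old = Node("CALC-1", "2.2", copy.deepcopy(master_db))
    return master, [good, stale, old]


if __name__ == "__main__":
    master, replicas = build_demo_network()
    for name, problems in check_integrity(master, replicas).items():
        print(name, "OK" if not problems else "; ".join(problems))
    for node in replicas:
        if restore(master, node):
            print("restored database on", node.name)
```

The digest is computed over a canonical serialization so that nodes which store the same points in a different order still agree; the per-point comparison is only run when the digests disagree, which keeps the periodic check cheap on a network of many nodes. A version mismatch is reported but not "restored" here, because replacing software on a node is a change-management action rather than a data repair.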

3.2. Computerized operator support functions

Computerized operator support functions/systems generally include software applications and functions designed to support the control room operators in identifying plant function, system and component states and in identifying and diagnosing faults. In the Loviisa case these have been integrated into the process monitoring system.

A common practice in implementing these functions in the system has been to utilize the calculation and logic tools of the basic PMS software as far as feasible. Only in some special cases or in very extensive calculations has coding been the natural choice. Verification and validation have been made in most cases at the simulator.

The operator support functions together with their main features are listed briefly in the following:

Plant performance calculations
- Monitoring the efficiency and optimum operation of the plant components
- Thermal power of the reactor
- Thermal balance of the plant
- Leakages and flow balance of the primary circuit
- Continuous supervision of operation economy
- Performance monitoring of main process components: steam generators, heat exchangers, condensers

Reactor performance calculations
- Input: 500 analog measurements, mainly in-core
- 3D power distribution automatically and on request
- Local thermal margins (pinwise power distribution)
- Automatic detection and filtering of defective measurements
- Fuel burn-up distribution and loading pattern calculation: reduction of pressure vessel neutron flux, mechanically optimum power history for assembly

Critical safety functions monitoring (SPDS)
- Monitoring critical safety functions: subcriticality, core cooling, primary cooling, primary inventory, emergency cooling, containment/radioactivity
- Features: super priority alarms and special displays, leakage detection, safety system monitoring, safety system power supply monitoring, tool-based implementation (no coding)
- Advantages of embedding the critical safety functions monitoring into the process computer system: many of the basic process management functions (event/alarm lists, trends, flow diagrams, man-machine functions, etc.) are necessary; close relation to other process monitoring; common calculated parameters; uniform man-machine interface

Task oriented displays
- To support operators in specific tasks such as start-up, shutdown and other transients by optimizing information presentation

Intelligent alarm handling
- Logical reduction and masking of irrelevant alarms
- Dynamic prioritization based on the process state
- Alarm state of subsystems and functional groups

Logic displays
- For monitoring of I&C system interlockings and control sequences
- Automatic graphical display of logic algorithms

Early fault detection
- Model-based fault detection for high-pressure preheaters

Materials stress monitoring
- For prediction of cracks and lifetime of pipes, tanks etc.
- Based on strain-gauge and temperature measurements

Forecasting reactivity effects
- E.g. calculation of xenon poisoning

Long-term history
- Plant lifetime history of selected parameters
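The basic alarm and event handling described earlier (limit checking, status checking, inhibition logic, three alarm priorities, a bounded buffer of the latest events) and the intelligent alarm handling listed here (masking of irrelevant alarms, dynamic prioritization by process state, alarm state of functional groups) are the same mechanism seen from two levels. The Python code below is an added illustration of that mechanism serving both passages; it is not the Loviisa implementation, which the paper says was built with the PMS tools rather than coded. Measurements on invalid (status-failed) inputs are not evaluated, a consequential alarm is inhibited while its cause is itself in alarm, an alarm is masked in plant states where it is irrelevant and raised one priority level in states where it is more urgent, and the group alarm state is the highest priority active in the group. Point names, limits, plant states and values are constructed sample data.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from enum import IntEnum


class Priority(IntEnum):
    """The three alarm priorities, plus NONE for 'no alarm'."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class AlarmDef:
    point: str                                  # measurement id (constructed)
    group: str                                  # functional group the alarm belongs to
    lo: float | None                            # low limit, None = not checked
    hi: float | None                            # high limit, None = not checked
    base: Priority                              # priority in normal operation
    masked_in: frozenset = frozenset()          # plant states where the alarm is irrelevant
    escalated_in: frozenset = frozenset()       # plant states where it is raised one level
    inhibited_by: str | None = None             # point whose own alarm makes this one consequential


@dataclass(frozen=True)
class Alarm:
    point: str
    group: str
    priority: Priority
    reason: str


class AlarmHandler:
    """Limit/status checking, inhibition, masking and dynamic prioritization."""

    def __init__(self, defs: list[AlarmDef], buffer_size: int = 10_000) -> None:
        self.defs = {d.point: d for d in defs}
        self.events = deque(maxlen=buffer_size)   # only the latest events are kept

    def evaluate(self, plant_state: str, values: dict[str, float],
                 valid: dict[str, bool]) -> list[Alarm]:
        # Pass 1: limit checking, on valid measurements only (status checking).
        violated: dict[str, str] = {}
        for point, d in self.defs.items():
            if not valid.get(point, False):
                self.events.append(f"{point}: measurement invalid, not evaluated")
                continue
            v = values.get(point)
            if v is None:
                continue
            if d.hi is not None and v > d.hi:
                violated[point] = f"{v} > high limit {d.hi}"
            elif d.lo is not None and v < d.lo:
                violated[point] = f"{v} < low limit {d.lo}"
        # Pass 2: inhibition logic, masking and prioritization by plant state.
        alarms: list[Alarm] = []
        for point, reason in violated.items():
            d = self.defs[point]
            if plant_state in d.masked_in:
                self.events.append(f"{point}: masked in plant state {plant_state}")
                continue
            if d.inhibited_by in violated:
                self.events.append(f"{point}: inhibited by {d.inhibited_by}")
                continue
            prio = d.base
            if plant_state in d.escalated_in:
                prio = Priority(min(d.base + 1, Priority.HIGH))
            alarms.append(Alarm(point, d.group, prio, reason))
            self.events.append(f"{point}: {prio.name} alarm, {reason}")
        # Highest priority first, then by point id for a stable list.
        return sorted(alarms, key=lambda a: (-int(a.priority), a.point))

    @staticmethod
    def group_state(alarms: list[Alarm]) -> dict[str, Priority]:
        """Alarm state of each functional group: its highest active priority."""
        state: dict[str, Priority] = {}
        for a in alarms:
            state[a.group] = max(state.get(a.group, Priority.NONE), a.priority)
        return state


# Constructed alarm definitions (hypothetical points, not Loviisa's database).
DEMO_DEFS = [
    AlarmDef("P-PRI", "primary", lo=11.0, hi=13.5, base=Priority.HIGH),
    # A stopped pump drops loop flow: the flow alarm is consequential to the pump alarm.
    AlarmDef("F-LOOP1", "primary", lo=0.9, hi=None, base=Priority.MEDIUM,
             inhibited_by="S-PUMP1"),
    AlarmDef("S-PUMP1", "primary", lo=0.5, hi=None, base=Priority.HIGH),  # 1 running, 0 stopped
    # Condenser vacuum is irrelevant in shutdown and more urgent during start-up.
    AlarmDef("V-COND", "turbine", lo=None, hi=0.12, base=Priority.LOW,
             masked_in=frozenset({"shutdown"}), escalated_in=frozenset({"startup"})),
]
DEMO_VALUES = {"P-PRI": 12.3, "F-LOOP1": 0.2, "S-PUMP1": 0.0, "V-COND": 0.2}
DEMO_VALID = {p: True for p in DEMO_VALUES}

if __name__ == "__main__":
    handler = AlarmHandler(DEMO_DEFS)
    for state in ("normal", "shutdown", "startup"):
        active = handler.evaluate(state, DEMO_VALUES, DEMO_VALID)
        print(state, [(a.point, a.priority.name) for a in active],
              {g: p.name for g, p in handler.group_state(active).items()})
```

In the "normal" state the constructed input produces two alarms, the stopped pump (HIGH) and the condenser vacuum (LOW), while the loop-flow alarm is recorded in the event buffer as inhibited rather than shown; in "shutdown" the vacuum alarm is masked, and in "startup" it is raised to MEDIUM.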

Computerized operational procedures presentation

After the experience gained in testing and using the critical safety functions monitoring system (SPDS), the next step towards computer aided guidance of the operator was taken by starting the project for developing computerized operational procedures. The goals of this function are:

- Guiding the operator to the relevant procedure
- Presentation of procedures dynamically and interactively on displays
- Follow-up monitoring of actions required in the procedures

The first implementations of this function will be made using the PMS tools and restricting the guidance to the critical safety functions. For future development in this area, artificial intelligence could be considered as a potential technology.


4. TECHNICAL REQUIREMENTS

The following general requirements determined the system architecture (both hardware and software):

- High real-time performance in data scanning, event processing and display updating
- High availability, flexible back-up schemes and on-line resource allocation capability
- Easy expandability with new applications and interfaces to other systems
- Standard solutions: conformance to international standards (ISO, OSI, OSF), utilization of standard commercially available hardware
- Versatile functions for preprocessing, data storage and presentation
- User friendly interactions and data presentation for multiple user groups (operators, operation engineers, maintenance staff, plant management)
- Flexible, easy to expand hardware configuration according to plant specific requirements.

At the time of placing the order for the Loviisa process computer systems the above requirements were best fulfilled by the PMS platform, which at present is supplied by ABB Stromberg Power Ltd., Finland. The hardware configuration is shown in Figure 1.

The main developments in the system configuration are due to the adoption of the X Window extension to the original GKS-based graphics software. The client-server principle of X Window is implemented in an additional MMI node (VAX station) where the office PCs are connected as X terminals. An identical arrangement has been made for each of the three systems (LO1, LO2 and simulator).

Another improvement in the MMI is the soft copy feature, which allows the user to call any graphical output of the system to a laser printer. This is sometimes a more useful form of hard copy than the originally used color hard copy.

The main features offered by the ABB PMS platform were: distributed data processing, dynamic resource allocation, expandability, open network architecture, application development tools and user interface services.

5. CONCLUSION

Common key features and principles of the process monitoring systems (as well as other computer systems) at Loviisa NPS can be summarized as follows:

Utilization of in-house know-how

The Loviisa staff has been deeply involved in the specification of the systems. IVO Engineering has been responsible for the implementation and project management.

Evolution of system generations

The systems are now of the second generation. The current systems are based on more than ten years of experience of real plant use of the earlier systems.

System architecture to support evolution

The current systems are based on a distributed, modular local area network architecture facilitating easy, partial upgrades and development in the future.


[Figure 1: block diagram, not reproduced. Labels recoverable from the image: AUX CONTROL, ANALOG INPUTS (BOP), ANALOG INPUTS (IN-CORE), BINARY INPUTS, TRAINING SIMULATOR, OFFICES, LOVIISA 2 (identical to LO1).]

FIG. 1. Process computer system configuration LOVIISA 1.


Standard hardware and software

The hardware, system software, network and interfaces are similar or compatible where feasible. They are based on industry standard or widely used technology.

Tools-based software development

System generation, software maintenance, software development and applications development are performed by means of software tools, thus reducing update and maintenance costs as well as enhancing the quality of the software.

REFERENCES

[1] MANNINEN, T., Computers replaced at Finland's Loviisa PWR - on-line and on-time, Nuclear Engineering International (1990).

[2] UNIPEDE NUCLECONT Experts Group, Use of Computerized Operator Support Systems in Nuclear Power Plants of Some UNIPEDE Countries (1992).

[3] TIITINEN, M., Computer systems in the operation, maintenance and technical support of Loviisa NPS, Transactions on ENS Topform (1992).


CONTROL ROOM SYSTEMS AND C&I SYSTEMS FOR CANADIAN CANDU NUCLEAR STATIONS. NATIONAL PRACTICES AND APPROACHES
R.A. OLMSTEAD
AECL CANDU, Sheridan Park Research Community, Mississauga, Ontario, Canada

Abstract

CANDU 3 is a 450 MW(e) pressurized heavy water reactor (PHWR) that is presently undergoing the NRC prelicensing process. It was realized that advanced digital systems technology could be applied to achieve substantial benefits for a utility operating a CANDU 3 plant or retrofitting CANDU 3 technology in older plants. The paper describes these systems in sufficient detail to quantify the benefits and identify the innovative design and application features from which they were derived.

INTRODUCTION

Atomic Energy of Canada (AECL) has developed an evolutionary Advanced PWR that meets most of the EPRI APWR requirements [1].

A design team has completed 60% of the detailed design for the CANDU 3 - a 450 MW(e) Pressurized Heavy Water Reactor (PHWR) that is presently undergoing the NRC prelicensing process. It was realized that advanced digital systems technology could be applied to achieve substantial benefits for an electrical utility operating a CANDU 3 plant or retrofitting CANDU 3 technology in older plants.

Some of the benefits that have emerged from the design are the following:

- Operators have several hours to think and plan before they need to take any action during design basis accidents.
- Virtual elimination of unsafe equipment failures in protection systems and other safety critical systems.
- Facility for operations staff with no programming experience to define or reconfigure the plant display and communication.
- Reduced frequency of forced outages.
- Fewer maintenance manuals and maintenance procedures because of reduced I&C component count and component diversity.
- Obsolescence protection because open architecture principles were pursued from the start.
- Reliability because systems integrate off-the-shelf components that have been proven in previous demanding industrial applications.
- Substantial reductions in capital, operating, construction, and simulation costs.

These benefits have been achieved from the design and application of digital systems.

CANDU 3 is a 450 MW(e) pressurized heavy water reactor (PHWR) that is presently undergoing the NRC prelicensing process. It was realized that advanced digital systems technology could be applied to achieve substantial benefits for a utility operating a CANDU 3 plant or retrofitting CANDU 3 technology in older plants. The paper describes these systems in sufficient detail to quantify the benefits and identify the innovative design and application features from which they were derived.

CONTROL CENTRE

General Layout

Like earlier designs, the CANDU 3 control centre is designed to be operable by a single first operator, who normally interacts with and is supported by additional station staff. Sufficient work stations are provided in the main control room to accommodate a variable staff complement. These work stations provide access to the principal control room functions: plant control, safety systems control, monitoring and testing, fuel handling, emergency communications and plant state monitoring and diagnosis. Multiple redundant access points are provided to the various functions. A centrally located sit-down console provides visual access to other work stations and has a computerized interface which supports normal plant operation. Figure 1 illustrates the general layout. The mezzanine level is an optional feature for utilities that desire extra maintenance, planning, work control and emergency response facilities in close proximity to the control room.

Human Factors

In consonance with growing awareness that the human operator is an integral part of the overall human-machine system, with special strengths and weaknesses, human factors engineering is receiving significant attention in the design of the human-machine interface. For the CANDU 3, a Human Factors Engineering Program Plan [2] documents, up-front, the overall HF engineering process, the associated documentation requirements, and the HF engineering standards to be followed in all stages of plant design.

Advanced Features

A unique and powerful feature of existing CANDU stations is the relatively high degree of automation and the fact that the dynamic plant state is represented in digital computer memory and logic. Exploiting this advantage and the rapid evolution of digital technology, CANDU 3 designers have evolved the CANDU human/machine interface to achieve substantial safety and operational benefits. Some of the most significant features and benefits are the following:

Time for Operators to Think and Plan

For the design basis events, the period of time for which operator intervention is not required has been extended from 15 minutes to over 8 hours for the CANDU 3.

Substantial Reduction in Panel Complexity

Many of the fixed indicators and controls have been eliminated from the panels in favour of interactive CRT stations. Large mural mimic displays in the control room communicate overall plant status and support group decision making.

Substantial Reduction in Instrumentation Complexity

The replacement of trunk cabling, relays, timers, comparators, etc. with distributed control processors has resulted in a significant reduction in the C&I hardware component count and the diversity of equipment and suppliers.


FIG. 1. One of several architectural configurations for future CANDU control rooms.


Automation of Error Prone Tasks

The objective is to relieve the operator from boring, stressful, time consuming tasks so that he has time to perform as a situation manager. An example is the automation of the periodic testing for the CANDU safety systems.

Integrated Emergency Response Facilities (ERF)

The CANDU ERF is an extension of the comprehensive information management facility available in CANDU control rooms. In the unlikely event of an accident, the operating staff will be familiar with the facility and confident of its availability.

Procedure Driven Displays

The Control Centre interactive CRT displays are designed to support the tasks called for in the station procedures, organization, and operating policies.

Critical Annunciation

During major plant disturbances a facility will be provided to give operators a short list of priority alarms related to a set of predetermined critical safety parameters and emergency operating procedures.

PLANT DISPLAY SYSTEM (PDS)

The PDS is the computerized system which forms the interface between the operator and the digital equipment controlling the plant. The PDS must present displays and controls to the operator which will support operational tasks and objectives in a suitable manner. Equally, the PDS must interface with the digital control equipment of the DCS.

Figure 2 is a schematic diagram of the PDS system. In this design, the two PDS data base computers located in the Main Control Area (MCA) and labelled PDS X and PDS Y obtain most of the plant data through a preprocessing computer from the DCS. The balance of the plant data - that associated with the Special Safety Systems - is obtained from the field through a similar set of data base computers called the Safety System Monitor (SSM). The PDS data base computers transmit plant information onto redundant Local Area Networks (LANs) and the data on these LANs is used by five operator work stations to produce the display and supervisory control interface between the plant and the operator. Each of these work stations consists of three CRTs, a function keyboard, and a graphics positioning device. Figure 3 is a more detailed configuration diagram for the work station and CRT, on the stand-up panels and the operator's desk respectively.

In a similar fashion, information from the SSM can be routed to two operator work stations, one in the MCA and one in the Secondary Control Area (SCA). Note that the work station in the MCA which is available for SSM information can be switched to the PDS LAN to operate like any of the other work stations on the PDS LAN.

Utilities will make frequent changes to the plant display system, so this system must be based on hardware and software which are open in architecture and adhere to computer industry standards. Fortunately, such open systems are readily available at this point in time as the computer industry moves into portable operating systems and languages, standard communication interfaces, standard Graphical User Interfaces (GUIs), families of compatible computer hardware and re-usable software components.

The hardware architecture is an open network of computers which provides an expandable and flexible platform for the PDS software. Each of the nodes on the network is an industrially hardened


[Figure 2: block diagram, not reproduced. Labels recoverable from the image: DCS DATA HIGHWAY; MCA and SCA areas; redundant PDS LANs; PDS X and PDS Y; SSM X and SSM Y; SUPPLEMENTARY WORKSTATIONS; FUEL HANDLING WORKSTATION; GROUP 1 WORKSTATION; GROUP 2 WORKSTATION; SCA WORKSTATION; safety system.]

DCS: Distributed Control System
MCA: Main Control Area
PDS: Plant Display System
SCA: Secondary Control Area
SSM: Safety System Monitor

FIG. 2. Plant display system computer architecture.


general purpose computers drawn from a family of computer products. The network which connects these computers is an industry standard LAN. Drawing from a family of computers and using a standard LAN allows the PDS to be adapted as either a small and inexpensive display system or a large and powerful system.

[Figure 3: configuration diagram, not reproduced. Labels recoverable from the image: STAND-UP PANELS; SDS2; GROUP II SERVICES PLC; GROUP II PANEL; GENERAL COMPUTERS AND PLC's; HARDWIRED MIMIC AND WINDOW BOXES; INTERNAL LANs; MONITOR; OPERATOR'S DESK (MCA & SCA); WORKSTATION; GROUP II GATEWAY COMPUTER; NOTE (1): NOT PART OF (remainder illegible).]

FIG. 3. Configuration diagram.


Once the system design for the PDS has been chosen, drawing the hardware platform from a family of computers means that the actual hardware installed at the plant can be chosen later in the design, when the requirements for the PDS have been very firmly established. Development work can proceed on a "target" machine with the knowledge that this machine will probably be upgraded later in the design cycle.

The LAN backbone to this design means that additional display capability can be added to the basic system to accommodate special operating modes and requirements. For example, additional display work stations can be brought into play to accommodate the work associated with a unit commissioning or unusual shutdown maintenance activities.

The system design is such that the whole system can function in a closely coupled fashion much like a multiprocessor computer. This combination of features enables the standard CANDU 3 product to be applied to a wide range of operator interface situations in other nuclear and conventional plant applications in addition to the control of a CANDU plant.

In contrast to the experience of previous projects, the cost reductions associated with display computer hardware, coupled with the wide availability of acceptable display computer products, have meant that the software component has come to dominate the economics of the design. A prime consideration in the choice of hardware platform has become the availability of adequate software development and management tools as well as the existence of operating systems, languages and re-usable software packages conforming to recognized standards.

Widely used commercial, off-the-shelf software components will be used to construct the PDS software. For example, for the PDS software, we expect to use the Portable Operating System Interface (POSIX) standards for the operating system. POSIX is a set of related sub-standards which define those aspects of an operating system which should be employed to ensure that applications written for one POSIX compliant operating system can be easily ported to another such system. At the time of writing, one of the POSIX sub-standards, IEEE Std. 1003.1-1988, C Language Interfaces to the Operating System, has been issued while other essential sub-standards such as Shell and Utility Facilities and Realtime Facilities are nearing completion.

An industry standard windowing environment such as X-Windows and Open Look or Motif willbe adapted to the particular needs of the control room operator. X-Windows has become the standardwindowing software for work station and larger environments while open Look and Motif are the twoforemost competitors for the window manager software which gives the -look and feel- to the windowingenvironment. Despite the fact that we are using standard window software as the display engine, we donot expect the operator to navigate through the plant displays with overlapping windows and a mouse.The display stations will be customized to give the operator a convenient interface oriented toward thetask of power plant operations.

The language of choice used in software development will be one or more of the ANSI standardlanguage. There are several choices in this category including the language C which is the most widelyused language for display software at this time.

The use of open hardware architecture and adherence to computer industry standards will providea PDS which will satisfy present applications and provide for future expansion and upgrades in computertechnology without change to the basic PDS system design.

DISTRIBUTED CONTROL SYSTEM (DCS)

Scope

Data acquisition and process control functions for the non-safety systems are performed by an advanced distributed digital control system.


The scope of the DCS data acquisition functions includes change-of-state event detection and time stamping for selected binary input signals, including buffered binary input signals from the independent Group 2 systems, and for selected computed binary signals. The time stamped event data is transmitted to the PDS for alarm and event reporting functions.

The DCS control functions include low-level control and interlocking functions for individual process devices such as pumps and valves, as well as high-level control and coordination functions for groups of devices and systems. Examples of the high level group control functions are reactor regulation, heat transport system pressure and inventory control, and steam generator level control. The scope of the DCS control functions includes manual and automatic control modes. Control mode changes, setpoint changes, and manual control actions are executed by the DCS in response to operator control commands received from the operator interface systems and devices.

Concept

The DCS consists of a number of signal scanning and processing stations linked by high performance data highways. Process instrumentation and control devices are connected to stations assigned to specific plant areas and functions, in order to reduce the amount and complexity of plant cabling and wiring. An optimum compromise has been made between geographic and functional partitioning. In order to provide adequate reliability and minimize the need for separate manual backup, the system is divided into three separate channels to match the channelization of redundant sensors and process devices. Within each channel, redundancy, self-checking and automatic switch-over concepts are used to provide a fault tolerant system. Data links are provided between the three channels to allow the transfer of signal values between the channels. These data links are redundant and buffered, to avoid compromising system reliability. Figure 4 shows the DCS layout in the CANDU 3 plant and the DCS system.

The specific functions for each process system are implemented by application programs installed in the system. The programs are designed and constructed by process control engineers in accordance with the process system design requirements.

Benefits

The DCS concept makes a significant contribution to the reduction of project cost and schedule. The plant construction and commissioning schedule is reduced by at least 2 months, due to the reduction in site cabling and wiring and to more complete system testing before installation. The design costs are reduced due to the use of a functional process control language and computer aided design methods. Equipment cost, design cost and maintenance cost are all reduced by increased use of up-to-date standardized equipment.

Improved reliability is obtained by the elimination of a large number of wiring connections, and by the use of proven standard electronic devices, continuous comprehensive self checking and more comprehensive redundancy and channelization.

DIGITAL PROTECTION SYSTEMS

Benefits

The use of computers in nuclear plant safety systems offers a number of operational and plant maintenance benefits. An improved, computer-based operator interface has the following benefits:

Reduces routine operator workload.

Reduces number of operating errors.

Allows the operator to concentrate on the more technically challenging issues.


[Figure: plant layout showing DCS stations and junction boxes in the maintenance building, Group 1 and Group 2 service buildings, NSP electrical rooms and control centre, the PDS plant display system, and the dual redundant data highway linking them. Note: only one of three channels is shown.]

FIG. 4. Distributed control system.

The more significant plant maintenance benefits include the following:

A higher safety system reliability due to reduced equipment wear-out.

The ability to perform on-line self checking and self testing, resulting in increased assurance that the system is operating satisfactorily. Potentially unsafe failures are converted to safe failures by tripping the channels in accordance with the fail-safe philosophy.


Flexibility in accommodating different plant operator conditions, thus optimizing both safety and production margins.

Historically, CANDU was among the first reactors to include computers in safety systems, with the PDCs (Programmable Digital Comparators) used in the CANDU 600 reactors (early 1980s).

The operating statistics indicate a significant contribution to plant safety. The three CANDU 600 stations (Wolsong 1, Gentilly 2, and Point Lepreau) have a total of 288 PDC-years of operating history without a single unsafe failure reported. All PDC failures have been safe failures, which can be contrasted with the experience with the conventional portions of the system, where about 1/4 of the failures are potentially unsafe, i.e. they temporarily diminish the redundancy of protection until corrected. This is due largely to the design, which employs features such as self-checks, "continuous" testing, hardware watch-dog timers, etc. which convert detected unsafe faults into safe failures (i.e. trip the channel). From the production reliability viewpoint, there have been no spurious reactor trips attributed to PDC related failures.

This experience has confirmed our original reasons for using computers: that they enhance safety availability (convert unsafe failures into safe ones), and also improve production reliability.
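As an added illustration, not code from the PDCs or any CANDU shutdown system, the following Python model shows the fail-safe mechanism described above: one channel whose trip relay is energized to run, so that a corrupted program image, an out-of-range sensor reading or a missed watchdog all become a channel trip instead of an undetected loss of protection. The setpoint, sensor range, watchdog limit and program image are constructed placeholders.

```python
"""Added model of a fail-safe trip computer channel (illustrative, not vendor code).

The relay is energized to run: it stays energized only while the process
variable is below the setpoint, every self-check has passed and the hardware
watchdog has been serviced. Any detected fault therefore drops the relay, i.e.
a potentially unsafe fault becomes a safe failure (a channel trip).
"""
import hashlib
from dataclasses import dataclass, field
from typing import List

ENERGIZED = "energized"   # channel healthy, not tripped
TRIPPED = "tripped"       # relay de-energized; latched until reset()


def image_digest(image: bytes) -> str:
    """Reference checksum of the channel program, recorded at commissioning."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class TripChannel:
    setpoint: float            # trip when the variable reaches this value
    sensor_min: float          # valid sensor range; readings outside it are a fault
    sensor_max: float
    program_image: bytes       # memory the continuous self-check verifies
    reference_digest: str
    watchdog_limit: int = 2    # scans the watchdog tolerates without being serviced
    cycles_since_service: int = 0
    relay: str = ENERGIZED
    log: List[str] = field(default_factory=list)

    def self_check(self) -> bool:
        """Continuous self-test: the program image must match its digest."""
        if image_digest(self.program_image) != self.reference_digest:
            self.log.append("self-check: program image corrupted, channel tripped")
            return False
        return True

    def sensor_valid(self, value: float) -> bool:
        if not self.sensor_min <= value <= self.sensor_max:
            self.log.append(f"sensor: {value} outside valid range, channel tripped")
            return False
        return True

    def scan(self, value: float, cpu_hung: bool = False) -> str:
        """One scan of the comparator; returns the relay state afterwards."""
        if self.relay == TRIPPED:
            return TRIPPED              # trips latch until an operator reset
        if cpu_hung:
            # The comparator program did not run this scan, so nothing services
            # the watchdog; after watchdog_limit scans the hardware timer trips.
            self.cycles_since_service += 1
            if self.cycles_since_service > self.watchdog_limit:
                self.log.append("watchdog: timeout, channel tripped")
                self.relay = TRIPPED
            return self.relay
        self.cycles_since_service = 0   # program ran: service the watchdog
        if not (self.self_check() and self.sensor_valid(value)):
            self.relay = TRIPPED        # detected fault -> safe failure
        elif value >= self.setpoint:
            self.log.append(f"trip: {value} reached setpoint {self.setpoint}")
            self.relay = TRIPPED        # genuine process trip
        return self.relay

    def reset(self) -> None:
        """Operator reset after the trip cause has been cleared."""
        self.cycles_since_service = 0
        self.relay = ENERGIZED


def new_channel(image: bytes = b"comparator program v1") -> TripChannel:
    """Channel with constructed, illustrative parameters."""
    return TripChannel(setpoint=100.0, sensor_min=0.0, sensor_max=150.0,
                       program_image=image, reference_digest=image_digest(image))


if __name__ == "__main__":
    ch = new_channel()
    print(ch.scan(80.0))                    # energized: normal operation
    ch.program_image = b"comparator program v1 (corrupted)"
    print(ch.scan(80.0), ch.log[-1])        # tripped although the process is normal
```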

Assurance of adequate software quality

Software quality became a major regulatory issue that affected the start-up of the 3500 MW Darlington Generating Station in Ontario, Canada. The main issues were:

no agreed upon, measurable definition of acceptability existed for the engineering of safety critical software;

no widely accepted and adopted practices for the specification, design verification and testing of safety critical software existed;

it is not possible to quantify the achieved reliability of the software component of a safety system;

it is not possible to quantify the benefits of using diverse software;

it is not possible to exhaustively test software in all of its possible modes; thus it is unclear what constitutes a sufficient degree of testing.

Because of these issues, obtaining a license from the regulatory authority, the Atomic Energy Control Board (AECB), for the Darlington shutdown system trip computers was difficult. Several additional design and verification processes were backfitted after the original software development process was completed. The key additional processes were:

preparation of a mathematically precise software requirements specification;

formal verification of the code against the requirements specification;

statistically significant trajectory based random testing to demonstrate that the software reliability was consistent with the system reliability requirement;

hazard analysis of the code to identify failure modes that may lead to an unsafe event.

The approach adopted by Atomic Energy of Canada and Ontario Hydro is composed of five distinct processes.


The first process in the CANDU 3 approach is to establish guidelines for categorizing software according to the nuclear safety impact of a potential failure and the safety related reliance placed on the system of which the software is part.

The second process in the CANDU 3 approach is the preparation of software standards and tools. There are a large number of existing software standards (IAEA, IEC, IEE, ISO, NUREG and CSA), many of which contain useful elements. However, we have found that there is no acceptable, directly applicable standard for the complete development life cycle of safety system software.

The third process is to establish the requirements for safety system software. The subset of the software which is critical to safety is restricted to the absolute minimum and is segregated from non-critical software.

Unambiguous, rigorous specifications are prepared in the early design phases. Such rigorous specifications can be analyzed to ensure that requirements are correct, consistent and complete. This minimizes the transmission of conceptual errors into the detailed design stages, and facilitates verification of the software against the specification.

The software is produced according to modern software engineering techniques and a set of established CANDU software design principles to achieve a fail-safe and robust design. Modern software engineering techniques produce, for example, a well-structured design with cohesive software modules and clearly defined minimal coupling between those modules. The design principles ensure, for example, that diversity in software and hardware is used where appropriate to minimize common mode errors.

Finally, the completed software product is subjected to multiple levels of systematic verification and testing. The normal software testing levels of unit, integration and system testing are performed using automatic tools where possible. In addition, each stage in the development process is systematically verified against the previous stage.

Acknowledgements

The author wishes to acknowledge the work of the following individuals at Atomic Energy of Canada and Ontario Hydro, from which the contents of this paper were derived: N.M. Ichiyen, G.J. Hinton, P. Joannou, W.R. Whittall, J. Pauksens, R. Hohendorf, D. Chan, S. Malcolm.

REFERENCES

[1] HEDGES, K.R., BONECHIL, M., HINCHELEY, E.M., "Meeting ALWR Requirements with the CANDU 3", presented at the Joint ASME/IEEE Power Generation Conference, Boston, Massachusetts, 21-25 October 1990.

[2] BEATTIE, J.D., MALCOLM, J.S., "Development of a Human Factors Engineering Program Plan for the Canadian Nuclear Industry", Proc. 35th Annual Conference of the Human Factors Society (1991).

[3] FENTON, E.F., LUPTON, L.R., PAUKSENS, J., "Evolution of the CANDU Control Centre Design Process", presented at the Canadian Nuclear Society Annual Conference, Saskatoon, Saskatchewan, Canada, June 1991.

[4] Nuclear Power Oversight Committee, "Strategic Plan for Building New Nuclear Power Plants", November 1990.

[5] HINTON, G.J., "A Plant Display System to Complement the Distributed Control System in CANDU Nuclear Power Plants", presented at the IAEA Nuclear Power Plant Control and Instrumentation Specialists' Meeting on Distributed Control Systems, Communications and Data Transfer in NPP, Lyon, France, 24-26 April 1990.

[6] HINTON, G.J., KENDRICK, S.H., SHIELDS, T.W., SCHAFER, S., "Use of Computers in CANDU Shutdown Systems - An Overview", presented at the IAEA Specialist Meeting on the Use of Computers in Safety Critical Applications in Nuclear Power Plants, London, England.

[7] JOANNOU, P., HARAUZ, J., TREMAIN, D.R., FONG, L.T., SAARI, M.E., CLARK, A.B., "Standard for Software Engineering of Safety Critical Software", Rev. 0, December 1990.

[8] WHITTALL, W.R., "Reliability and Safety Features in the Distributed Control System for the CANDU 3", presented at the IAEA Technical Committee Meeting on the Safety Implications of Computerized Process Control in Nuclear Power Plants, Vienna, Austria, 13-17 November 1989.


STATE OF THE ART OF HUMAN FACTORS ENGINEERING FOR CONTROL ROOM SYSTEMS IN JAPAN

Y. FUJITA
Control Board and Plant Computer Engineering Team,
Mitsubishi Atomic Power Industries Incorporated,
Tokyo, Japan

Abstract

"Control room system" is a concept introduced by IEC-964. It is an integration of man-machine interface, control room staff, operating procedures, training program and associated facilities or equipment which together sustain the proper functioning of the control room. This paper gives an overview of relevant human factors engineering efforts being made in Japan. Topics discussed in this paper include advanced control room, alarm handling system, AI-based guidance system, control room environmental design, training performance evaluation system, analysis of performance shaping factors, and simulated operator model.

INTRODUCTION

IEC-964 introduced a concept of "control room system" which is defined as "An integration of man-machine interface, control room staff, operating procedures, training program, and associated facilities or equipment which together sustain the proper functioning of the control room" [1]. This rather new concept views a control room not as an aggregation of man-machine interfaces alone but as a system which consists of four elements: man-machine interface, control room staff, operating procedures, and training program (see footnote 1). This is based on the idea that these four elements need to be tightly coupled so that control room operators can serve their roles. The purpose of this review is to give an overview of human factors engineering efforts relevant to the four elements which have been made recently in Japan. In order to highlight new trends, this review is selective rather than comprehensive.

MAN-MACHINE INTERFACE

Advanced Control Room

Both PWR and BWR utilities and vendors have completed the development of new advanced control rooms (ACR) for APWR and ABWR [1,2]. The ACR is characterized by a compact operator console which features the almost total elimination of conventional hard-wired instruments. This is accomplished by soft-control technology using touch-sensitive screens attached to cathode ray tubes. Figure 1 shows a prototype ACR developed for APWR. An experimental validation test using this prototype demonstrated that the new control room has a good potential for benefiting operators. Yet, there are some problems that need to be resolved [3].

Alarm Handling System

The PWR utilities and vendor group have developed an alarm handling system which can eliminate the problem of "alarm avalanche." The system (DPAS: Dynamic Priorities Alarm System) has the ability to prioritize alarms dynamically [5]. DPAS is already in service at several Japanese NPPs. Tokyo Electric Power Company, a leading BWR utility, plans to introduce a different but improved alarm system to ABWR [3].

1 Generally, operating procedures are regarded as a man-machine interface. The author understands that "operating procedures" mentioned in IEC-964 are documented sources of functional rules of requirements which form a basis of operating procedures in the general sense.


FIG. 1. A prototype ACR developed for APWR.

An interesting point of the project was an effort to analyze the interactions between operators and alarms. It was done to confirm a widely accepted theory that operators experience difficulty analyzing a large number of alarms during a plant transient. Based on a systematic analysis of videotapes taken of utility crews (N=19) coping with major simulated accidents, it was found that (i) there is no evidence that operators are confused by alarms during transients; on the contrary, (ii) operators ignore alarms at the time they are issued, and later check each alarm mechanically. Discussion with system designers gave a rationale for these operator behaviors, which said that (iii) the analysis of multiple alarms would not be necessary to find important cues. Contrary to the theory, these findings suggested that the true problem of alarm avalanche is not a difficulty of analyzing multiple alarms, but the ignoring of alarms, which could delay the detection of important alarms embedded in a large number of alarms, if there are any such alarms.

For many years, designers believed that the analysis of multiple alarms was essential, and an alarm handling method called "alarm analysis" was studied. However, this scenario-based method was not necessarily successful, because actual transients often deviated from postulated scenarios. Having learned that there was no technical basis for the analysis of multiple alarms, a different approach was introduced. Three scenario independent rules (i.e. mode rule, importance rule, and cause-consequence rule) which can dynamically handle alarms to identify "ineffective alarms" were conceived. Here, ineffective alarms refer to those which do not hold any hazard information. Though ineffective alarms could be suppressed, I found that operators did not like to have any information withheld from them. A dynamic color-coding scheme was therefore introduced to de-emphasize ineffective alarms rather than suppress them: red and yellow for effective alarms and green for ineffective alarms. (Among those which are effective, alarms used for interlock actions were differentiated with yellow.) A new annunciator tile which can be lit in the three colors was developed.
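As an added example (not DPAS product code), the following Python sketch applies the three scenario-independent rules to a constructed set of active annunciators and assigns the red/yellow/green coding described above; ineffective alarms are de-emphasized, never withheld. The content of each rule (which plant modes an alarm applies to, which alarm on the same variable is more severe, which alarms are expected consequences of another) is assumed here, since the paper does not define it.

```python
"""Added sketch of the DPAS classification idea; not the DPAS product code.

Three scenario-independent rules flag an active alarm as 'ineffective' (shown
green, i.e. de-emphasized but still visible). Effective alarms are red, or
yellow when the alarm also initiates an interlock action. The content of each
rule is an assumption of this sketch.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass(frozen=True)
class Alarm:
    tag: str
    modes: FrozenSet[str]                  # plant modes in which the alarm is meaningful
    variable: str                          # process variable or component it refers to
    severity: int                          # 1 = warning; higher = more severe, same variable
    interlock: bool = False                # the alarm also initiates an interlock action
    causes: FrozenSet[str] = frozenset()   # alarms whose presence explains this one


def classify(active: Iterable[Alarm], plant_mode: str) -> Dict[str, Tuple[str, Tuple[str, ...]]]:
    """Map each active alarm tag to (colour, rules that made it ineffective)."""
    active = list(active)
    active_tags = {a.tag for a in active}
    result: Dict[str, Tuple[str, Tuple[str, ...]]] = {}
    for alarm in active:
        hits = []
        # Mode rule: an alarm that is not meaningful in the present plant mode
        # carries no hazard information now.
        if plant_mode not in alarm.modes:
            hits.append("mode")
        # Importance rule: a more severe alarm on the same variable is already
        # active, so the less severe one adds nothing.
        if any(o.variable == alarm.variable and o.severity > alarm.severity
               for o in active):
            hits.append("importance")
        # Cause-consequence rule: the alarm is an expected consequence of
        # another active alarm, which is the one the operator must act on.
        if alarm.causes & active_tags:
            hits.append("cause-consequence")
        if hits:
            colour = GREEN
        elif alarm.interlock:
            colour = YELLOW
        else:
            colour = RED
        result[alarm.tag] = (colour, tuple(hits))
    return result


# Constructed annunciator table for a small PWR-like primary loop (illustrative).
ALARMS = {
    "RCP-A-TRIP": Alarm("RCP-A-TRIP", frozenset({"power", "startup"}), "rcp_a", 2,
                        interlock=True),
    "LOOP-A-FLOW-LOW": Alarm("LOOP-A-FLOW-LOW", frozenset({"power", "startup"}),
                             "loop_a_flow", 1, causes=frozenset({"RCP-A-TRIP"})),
    "SG-LEVEL-LOW": Alarm("SG-LEVEL-LOW", frozenset({"power", "startup"}), "sg_level", 1),
    "SG-LEVEL-LOW-LOW": Alarm("SG-LEVEL-LOW-LOW", frozenset({"power", "startup"}),
                              "sg_level", 2),
    "SDC-FLOW-LOW": Alarm("SDC-FLOW-LOW", frozenset({"shutdown"}), "sdc_flow", 1),
}


def colours_for(tags: Iterable[str], plant_mode: str) -> Dict[str, str]:
    """Convenience: colour only, for the given active tags from ALARMS."""
    result = classify([ALARMS[t] for t in tags], plant_mode)
    return {tag: colour for tag, (colour, _) in result.items()}


if __name__ == "__main__":
    # Pump A trips at power: the flow alarm it causes turns green, the more
    # severe SG level alarm stays red, and a shutdown-only alarm turns green.
    for tag, colour in colours_for(ALARMS, "power").items():
        print(f"{tag:18s} {colour}")
```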


In the final stage of the project, a full-scale DPAS (about 700 annunciator tiles mounted on a replica CB) was prototyped and validated by utility crews (N=8). Subject crews were requested to cope with several simulated accidents with DPAS and with a conventional system after sufficient familiarization. In order to test whether subjects were able to use alarms during a transient, a secondary failure which they could detect with both an alarm and other information sources was added to each accident. (Note that the secondary failure was added after a major transient occurred.) It appeared that (i) the time to detect the secondary component failure was significantly reduced with DPAS, and (ii) the number of times alarms were utilized to detect secondary failures was significantly larger with DPAS. These results clearly indicated that DPAS can more successfully convey alarm information to operators during a major transient. This was probably the first time, in the nuclear industry, that the benefit of an alarm handling system was successfully demonstrated experimentally in a real-life situation.

AI-Based Guidance System

Both PWR and BWR vendors completed a 7-year government sponsored project for knowledge-based operator and maintenance personnel support systems in early 1992 (MITI Man-Machine System Project [6]). A variety of support systems have been developed. For PWR, the following systems have been developed:

Normal Operations

planning and follow-up of restart operation following a transient
planning and follow-up of load-follow operation
follow-up of start-up and shut-down operations

Abnormal/Accident Operations

model-based intelligent interface
diagnosis
guidance
verification of prescribed automatic actions
follow-up monitoring of manual actions suggested by the system
prediction of several prescribed parameters

An experimental validation test conducted at the end of the project has shown that many of these functions are potentially beneficial and operators liked them. Nevertheless, more efforts need to be made before actual implementation [3].

These efforts are based basically on computational technologies (AI, simulations), though some involve ergonomic expertise. In the following paragraphs, the development of a diagnosis system for PWR is summarized to describe such ergonomic efforts.

There are two basic requirements for the diagnosis system (or any other operator support system): scenario-independency, and structural consistency between system information and the operator's knowledge. Unfortunately, these are usually not satisfied by standard computational techniques. In order to find an answer, how operators diagnose anomalies was analyzed. Based on a series of structured interviews of experienced operators (N=5), it was found that the knowledge base they were using for diagnosis was a kind of abstraction hierarchy. The hierarchy, which was named the "abnormalities hierarchy", is organized in such a way that a higher level node represents the loss of some higher level function, which can be caused by the loss of more specific functions represented by lower level nodes. This structure is robust to unforeseen situations: even when an unpostulated failure occurs, higher level counter-measures may be available when the failure begins to affect higher level functions. It also became clear that operators were using a kind of hypothesis-and-test strategy to manipulate the abnormalities hierarchy. It can activate nodes both externally and internally. The external activation may occur at any node(s) depending on patterns of external cue signal(s). On the other hand, the internal activation depends on the structure of the abnormalities hierarchy (i.e. connections between nodes). Compared with search strategies used in AI (e.g. depth-first search), this is more flexible.

An important point of the above finding was that any problem-solving process accompanying a specific scenario can be explained in terms of a chain of active functional nodes which themselves are scenario-independent. Once this was understood, it was possible to develop an abnormalities hierarchy and a hypothesis-and-test search mechanism based on the knowledge of design and operations. The abnormalities hierarchy can be developed by identifying (i) functional nodes, (ii) evaluation criteria for each node (i.e. conditions specifying the degradation of the corresponding function), and (iii) relationships among nodes. The search mechanism can be developed by defining (i) connections between external triggers (e.g. alarms) and nodes, and (ii) a mechanism that controls the external and internal activation. A prototype capable of diagnosing 35 functional and specific failures was developed and its inference processes were analyzed with a plant simulator. It was confirmed that (i) depending on the situation the system was able to diagnose the cause of an anomaly effectively by changing inference processes flexibly, and (ii) even when an unpostulated failure occurred the system was able to identify higher level functional failures.
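As an added illustration, not the prototype's code, the following Python sketch builds a small abnormalities hierarchy and runs a hypothesis-and-test search over it: alarms activate nodes externally, a node found degraded activates its parent and its children internally, and the top-level functions are treated as standing hypotheses so that an unpostulated failure still surfaces once it degrades a higher level function. The nodes, thresholds and alarm-to-node mapping are constructed for illustration.

```python
"""Added sketch of an abnormalities hierarchy with hypothesis-and-test search;
not the Japanese PWR prototype's code. Nodes, thresholds and the
alarm-to-node mapping below are constructed for illustration."""
from collections import deque
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterable, List, Optional

State = Dict[str, Any]   # process variables and component states at one instant


@dataclass(frozen=True)
class FunctionNode:
    name: str
    degraded: Callable[[State], bool]   # evaluation criterion: True when the function is lost
    parent: Optional[str] = None        # higher level function this node supports


class AbnormalitiesHierarchy:
    def __init__(self, nodes: Iterable[FunctionNode], triggers: Dict[str, List[str]]):
        self.nodes = {n.name: n for n in nodes}
        self.children: Dict[str, List[str]] = {name: [] for name in self.nodes}
        for n in self.nodes.values():
            if n.parent is not None:
                self.children[n.parent].append(n.name)
        self.triggers = triggers          # external trigger (alarm tag) -> node names
        self.roots = [n.name for n in self.nodes.values() if n.parent is None]

    def depth(self, name: str) -> int:
        d, node = 0, self.nodes[name]
        while node.parent is not None:
            d, node = d + 1, self.nodes[node.parent]
        return d

    def diagnose(self, alarms: Iterable[str], state: State) -> List[str]:
        """Return the chain of degraded functions, most specific first."""
        # External activation: alarms point at nodes. The top-level functions
        # are standing hypotheses (an assumption of this sketch), so a failure
        # nobody postulated still shows up once it degrades a higher function.
        queue = deque(self.roots)
        for alarm in alarms:
            queue.extend(self.triggers.get(alarm, []))
        tested, active = set(), []
        while queue:
            name = queue.popleft()
            if name in tested:
                continue
            tested.add(name)
            if not self.nodes[name].degraded(state):
                continue                      # hypothesis rejected by the plant state
            active.append(name)
            # Internal activation: hypothesize the higher level function this
            # one supports, and the more specific functions that could explain it.
            if self.nodes[name].parent is not None:
                queue.append(self.nodes[name].parent)
            queue.extend(self.children[name])
        return sorted(active, key=self.depth, reverse=True)


def build_example() -> AbnormalitiesHierarchy:
    """Constructed hierarchy for a PWR-like core heat removal function."""
    nodes = [
        FunctionNode("core heat removal", lambda s: s["core_outlet_temp"] > 330.0),
        FunctionNode("primary coolant circulation", lambda s: s["loop_flow"] < 0.9,
                     parent="core heat removal"),
        FunctionNode("RCP A running", lambda s: not s["rcp_a_running"],
                     parent="primary coolant circulation"),
        FunctionNode("RCP B running", lambda s: not s["rcp_b_running"],
                     parent="primary coolant circulation"),
        FunctionNode("steam generator heat sink", lambda s: s["sg_level"] < 0.3,
                     parent="core heat removal"),
        FunctionNode("feedwater supply", lambda s: s["feed_flow"] < 0.5,
                     parent="steam generator heat sink"),
    ]
    triggers = {"RCP-A-TRIP": ["RCP A running"],
                "SG-LEVEL-LOW": ["steam generator heat sink"]}
    return AbnormalitiesHierarchy(nodes, triggers)


if __name__ == "__main__":
    h = build_example()
    # An unpostulated disturbance: no alarm maps to it, yet the top-level
    # function is found degraded, which is what the operator needs to act on.
    print(h.diagnose([], {"core_outlet_temp": 340.0, "loop_flow": 1.0,
                          "rcp_a_running": True, "rcp_b_running": True,
                          "sg_level": 0.5, "feed_flow": 0.8}))
```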

The above descriptions may be too specialized. The important point is that the careful analysis of operators' knowledge enabled a diagnosis system which, like human operators, has a robust knowledge base and a very flexible inference mechanism.

Others

Other recent topics involve the development of computerized systems for presenting accident procedures by the PWR and BWR groups [8, 9], and the development of a critical information presentation system for the emergency response support facility (i.e. governmental) [10].

Control Room Environmental Design

The control room of Ohi Unit-3 is one of the first control rooms which incorporate aesthetic considerations. Color coordination and room configurations (e.g. ceiling configuration) are designed such that they match operators' subjective preference. The semantic differential method and factor analysis are used to identify operators' image patterns.

PROCEDURES

Recent progress in this field includes the introduction of function-oriented, symptom-based procedures and their computerized presentation. The latter was summarized earlier in this review.

TRAINING

A variety of efforts have been made in this field, which include the development of training facilities (e.g. training simulators) and the upgrading of training programs. One of the new topics which seems to deserve discussion is the performance evaluation of trainees participating in simulator training sessions.

Performance Evaluation System

It has been recognized that more objective methods of performance evaluation are needed for simulator training. Traditionally, as is probably the case abroad as well, the evaluation has relied on the instructor's subjective judgment. However, it has been argued that such approaches are prone to subjective biases. Though there is no doubt that the subjective evaluation has its own merits, efforts have therefore been made to develop more objective evaluation methods.


One such effort is the development of performance evaluation systems. A performance evaluation system being developed by the PWR utilities and vendor group is designed to provide instructors and trainees with performance and relevant background data which include the following:

control omissions and commissions
control level (e.g. the amount of leakage)
process trends
timing of control actions

An important point that became clear during the course of the development was that procedures alone cannot form a basis of criteria for performance evaluation. Critical control omissions or commissions, for which criteria can be specified by procedures, seldom occur. Yet, there is obviously a wide range of variability in the abilities of trainees which can be grasped by the "level of plant control." Here, the level of control refers to how well trainees controlled the plant. An example is the speed of leading the plant to a safe state after an accident. Another example is the smallness of the amount of radioactive leakage. However, it is sometimes difficult to set a unique criterion because of interactions among process variables. For example, an operation leading the plant to a safe state faster requires maintaining the margin to subcooling at a smaller value, which can be riskier. As a result, it is sometimes necessary to look at the interactions, and judge if the control was done adequately in a balanced way. Data on process trends and the timing of relevant control actions are then necessary to help the judgment.

CONTROL ROOM STAFF

The major focus of research in this field seems to be the understanding of the nature of operator behaviors and job performance. No research on "selection" in the context of industrial engineering has been reported. Another line of research is the development of simulated operator or crew models.

Analysis of Performance Shaping Factors

The PWR utilities and vendor group have been involved in a long-term research program whose objective is to develop countermeasures against human factors deficiencies found in operating crews [11]. To reach this goal, factors (i.e. PSF: Performance Shaping Factors) that explain operator performance were studied. The study was based on correlation analyses of performance and PSF data.

A set of 7-point expert rating scales was used to collect performance data. The scales were designed to rate individual (6 scales) and crew performance (4 scales) by observation. Several expert raters were used and they were trained to maintain sufficient interrater agreement. They made observations (from an instructor's booth) of utility crews participating in one-week or two-week training courses at a training center. (They later utilized videotapes.) A total of 86 training crews (each consisting of one supervisor and two operators; N=248 operators) were rated in 3-7 simulated accidents. The areas of PSF looked at included cognitive ability, job knowledge, personality, background stress and stress coping measures, leader behaviors, background experience, and group interaction measures. A variety of psychological instruments were used to collect PSF data, which included Educational Test Service, Minnesota Multiphasic Personality Inventory, Recent Life Change Questionnaire, Psychiatric Epidemic Research Interview, Performance-Maintenance, Least Preferred Coworker Scale, Group Atmosphere, etc. Special tests and questionnaires were developed to collect data on job knowledge and background experiences. All the trainees were requested to take the questionnaires and tests.

Results of correlation analyses indicated that (i) previous job and training experiences are significant performance predictors which explained up to 20% of performance score variance. Other significant individual PSF included (ii) some cognitive ability measures (e.g. perceptual speed), job knowledge, personality traits (e.g. good impression), and personal stress and stress coping mechanisms. Significant group PSF included (iii) directive leader behaviors, which appeared to be more effective in using the abilities to resolve accident scenarios than non-directive behaviors. It also appeared that (iv) if trainees perceived the training and accident scenarios as stressful, the relationships between individual PSF and crew performance were moderated: those groups reporting high levels of stress appeared to use abilities and experiences less effectively. An additional analysis of personality traits revealed that (v) the higher the job positions were, the higher the scores on "social desirability" tended to be [12]. This suggested that as operators move up the job progression ladder, there is a greater tendency for them to describe themselves in socially desirable terms. This last result is consistent with results of similar studies conducted in different fields in Japan.

Analysis of Operator Behaviours and Performance

BWR utilities and vendors have been involved in a long-term research program covering a varietyof human factors issues. BWR utilities are also involved in collaborative research programs with KEIOUniversity and CRIEPI. Their recent primary focus has been on the understanding of crew dynamics.

Using data collected with a plant simulator, Ujita concluded that four types of operator communication are identifiable ("top-down", "bottom-up", "loosely-coupled" and "tightly-coupled") and that they can be mapped to the four leadership styles proposed by Performance-Maintenance (PM) theory: the top-down, bottom-up, loosely-coupled and tightly-coupled types correspond to the Pm, Pm, PM and pm types, respectively [13]. Ujita plans to study the relationships between the communication types and crew performance. A similar analysis was made in the PWR project on the analysis of PSF mentioned above, though the method of analysis was different. It was concluded that (i) there seem to be no standardized communication procedures, and (ii) crew performance appeared not to be correlated with the patterns or frequencies of communication, but it tends to be correlated with the content of communication.

Simulated Operator Model

NUPEC has been sponsoring a research project in which a computerized cognitive task analysis tool incorporating an operator model is being developed [14]. The model is called Cognitive and Action Modeling of Erring Operator (CAMEO). The research program was motivated by the need for a task analysis tool that allows designers to evaluate task design at an early stage, so that operators in a supervisory control environment are not cognitively overloaded.

The task analysis tool (the CAMEO Task Analysis Tool) provides designers with functions for modeling the target system for which task procedures are designed and for customizing a CAMEO. When a task design is input in terms of rules for problem solving, decision making and control actions, CAMEO simulates operator behaviors in given situations.

CAMEO consists of six modules: a perception and recognition module (P&R), a decision making module (DM), an action module (ACT), an attention resource controller (ARC), working memory (WM) and long-term memory (LTM). P&R roughly corresponds to the short-term sensory store and perception; it has two task modules, auditory (A-P&R) and visual (V-P&R). DM consists of four task modules serving the functions their names indicate: vigilance, diagnosis, response selection and confirmatory evaluation. ACT selects a set of actions corresponding to the response selected by the response selection task module in DM. ARC allocates resources to A-P&R, V-P&R, DM and ACT. Assuming that resource conflicts among them are relatively weak, the allocation is done separately for each, but in an order determined by task demands and policy.

When the total amount of resources demanded by the tasks is larger than the resources ARC can supply, the less important tasks are undersupplied. If this happens, built-in error inducing mechanisms begin to work. For instance, when V-P&R is not supplied with sufficient resources, (i) the number of incoming visual cue signals (e.g. flashing lights) taken in is reduced, and (ii) the ability to update the visual signals demanded by DM is decreased, with the possible result that important cues are overlooked or that judgements are based on potentially irrelevant old information. Whether or not errors actually occur depends on the situation and the task procedures adopted, but these are unfavorable error tendencies that designers would like to remove. Similar error inducing mechanisms are built into A-P&R, DM and ACT.
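The ARC allocation rule and the two V-P&R error inducing mechanisms described above, as an added example; this is not NUPEC's CAMEO code. The module names (V-P&R, A-P&R, DM, ACT) follow the text, but the capacity, demands, priorities and the proportional cue-loss rule are assumptions made for this example.

```python
"""Priority-ordered resource allocation in the style of CAMEO's attention
resource controller (ARC), with the two V-P&R error-inducing mechanisms.

Added illustration; this is not NUPEC's CAMEO code. The module names follow
the text, but the capacity, demands, priorities and the proportional cue-loss
rule are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Task:
    name: str       # "V-P&R", "A-P&R", "DM" or "ACT"
    demand: float   # resource units requested this cycle
    priority: int   # lower number = more important (from task demands and policy)


@dataclass
class Allocation:
    supplied: Dict[str, float]   # task name -> units granted
    undersupplied: List[str]     # tasks that received less than they demanded


def allocate(tasks: List[Task], capacity: float) -> Allocation:
    """Grant resources separately, in priority order; the least important
    tasks absorb the shortfall when total demand exceeds what ARC can supply."""
    supplied, undersupplied = {}, []
    remaining = capacity
    for task in sorted(tasks, key=lambda t: t.priority):
        grant = min(task.demand, remaining)
        supplied[task.name] = grant
        remaining -= grant
        if grant < task.demand:
            undersupplied.append(task.name)
    return Allocation(supplied, undersupplied)


def supply_ratio(alloc: Allocation, task: Task) -> float:
    return alloc.supplied[task.name] / task.demand if task.demand else 1.0


@dataclass
class VisualPerception:
    """V-P&R: takes in visual cues and refreshes the signals DM asks for.
    signals maps a signal name to (value, cycle in which it was last seen)."""
    signals: Dict[str, Tuple[float, int]] = field(default_factory=dict)

    def perceive(self, cues: List[Tuple[str, float]], cycle: int, ratio: float) -> List[str]:
        """Mechanism (i): the number of incoming cues taken in shrinks with
        undersupply. Cues arrive in order and the tail is lost (assumption).
        Returns the names of the overlooked cues."""
        taken = int(round(len(cues) * ratio))
        for name, value in cues[:taken]:
            self.signals[name] = (value, cycle)
        return [name for name, _ in cues[taken:]]

    def update_for_dm(self, requested: List[str], fresh: Dict[str, float],
                      cycle: int, ratio: float) -> Dict[str, Tuple[float, int]]:
        """Mechanism (ii): only part of DM's refresh requests is served; the
        rest are answered from memory with old values. Returns
        name -> (value, age in cycles); an age > 0 means stale information."""
        served = int(round(len(requested) * ratio))
        answers = {}
        for i, name in enumerate(requested):
            if i < served and name in fresh:
                self.signals[name] = (fresh[name], cycle)
            if name in self.signals:
                value, seen = self.signals[name]
                answers[name] = (value, cycle - seen)
        return answers


def run_cycle(tasks, capacity, vpr, cues, requested, fresh, cycle):
    """One ARC cycle: allocate, then let V-P&R work with what it was given."""
    alloc = allocate(tasks, capacity)
    vtask = next(t for t in tasks if t.name == "V-P&R")
    ratio = supply_ratio(alloc, vtask)
    return {
        "undersupplied": alloc.undersupplied,
        "vpr_ratio": ratio,
        "overlooked": vpr.perceive(cues, cycle, ratio),
        "dm_answers": vpr.update_for_dm(requested, fresh, cycle, ratio),
    }


if __name__ == "__main__":
    tasks = [Task("DM", 4, 1), Task("A-P&R", 2, 2), Task("V-P&R", 4, 3), Task("ACT", 1, 4)]
    vpr = VisualPerception()
    # Cycle 1: demand 11 > capacity 8, so V-P&R gets half of what it asked for.
    cues = [("LAMP_A", 1.0), ("LAMP_B", 1.0), ("LAMP_C", 1.0), ("LAMP_D", 1.0)]
    print(run_cycle(tasks, 8, vpr, cues, [], {}, cycle=1))
    # Cycle 2: DM asks for both lamps; only one is refreshed, the other is stale.
    print(run_cycle(tasks, 8, vpr, [], ["LAMP_A", "LAMP_B"],
                    {"LAMP_A": 0.0, "LAMP_B": 0.0}, cycle=2))
```

With capacity 8 against a demand of 11, V-P&R is served at half its demand: two of four lamp cues are never taken in, and in the next cycle DM receives one refreshed lamp state and one value that is a cycle old, which is exactly the "misjudgement caused by old information" tendency the text describes.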


The CAMEO Task Analysis Tool was prototyped with a rule-based AI shell called G2. Using a hypothetical water supply plant, the prototype successfully demonstrated that CAMEO was able to exhibit erroneous behaviors in situations where resources were not supplied sufficiently.

Several other similar efforts are being made to develop an operator model or a group (crew) model. Furuta has developed an operator model which incorporates a truth maintenance mechanism [15]. The model adopts a blackboard control architecture with four agents cooperating to solve problems. In a case study using a BWR simulator, the model was shown to be able to simulate the opportunistic and "revisable" nature of human thinking. Yoshida is developing an operator model using a blackboard control architecture [16]; the model is similar to CES, and a series of simulation studies has been made to validate it. Furuta has also developed an analytical group model designed for the evaluation of group reliability [17]. Another example of a group model is the one developed by Sasou and his colleagues [18].

REFERENCES

[1] Design for control rooms of nuclear power plants, IEC 964 (1989).

[2] NITTA, T., et al., "Development of advanced main control room for APWR", Proceedings of International Symposium on Nuclear Power Plant Instrumentation and Control, OECD/NEA/IAEA (1992).

[3] IWAKI, K., et al., "Development of ABWR type control room panels", Proceedings of International Symposium on Nuclear Power Plant Instrumentation and Control, OECD/NEA/IAEA (1992).

[4] FUJITA, Y., "Time for tailoring human-machine interface technology to humans", Proceedings of 1992 IEEE Conference on Human Factors and Power Plants, IEEE (1992) pp. 85-90.

[5] FUJITA, Y., "Improved annunciator system for Japanese pressurized-water reactors", Nuclear Safety 30 2 (April-June 1989) pp. 209-221.

[6] NAITO, N., et al., "Advanced man-machine system for nuclear power plant operation and maintenance", Proceedings of International Symposium on Nuclear Power Plant Instrumentation and Control, OECD/NEA/IAEA (1992).

[7] FUJITA, Y., et al., "Designing a knowledge-based operator support system for practical applications", Nuclear Technology 95 (July 1990) pp. 116-128.

[8] YAMAMOTO, Y., ITO, K., "Development of computerized support system for PWR plant emergency response guidelines (ERG) of Japan", Proceedings of Specialists Meeting on Operator Aids for Severe Accidents Management and Training, OECD Halden Reactor Project (1993).

[9] NETSU, N., et al., "Development of symptom based emergency procedure guidelines support system", Proceedings of Specialists Meeting on Operator Aids for Severe Accidents Management and Training, OECD Halden Reactor Project (1993).

[10] TAKAHASHI, Y., et al., "Development of the Emergency Response Support System (ERSS) and a prototype of it", Proceedings of Specialists Meeting on Operator Aids for Severe Accidents Management and Training, OECD Halden Reactor Project (1993).

[11] FUJITA, Y., TOQUAM, J., WHEELER, W., "Collaborative cross-cultural ergonomics research: Problems, promises, and possibilities", Designing for Everyone, Proceedings of the Eleventh Congress of the International Ergonomics Association, Taylor & Francis (1991) pp. 875-877.

[12] FUJITA, Y., TOQUAM, J., WHEELER, W., TANI, M., MOURI, T., "Ebunka: Do cultural differences matter?", Proceedings of 1992 IEEE Conference on Human Factors and Power Plants, IEEE (1992) pp. 188-194.

[13] UJITA, H., KUBOTA, R., FUJI-IE, M., "Experimental analysis of plant operator crew communication", The Japanese Journal of Ergonomics 29 4 (1993) pp. 249-247 (in Japanese).

[14] FUJITA, Y., NAKATA, K., ITOH, J., YAMANE, N., KUBOTA, R., TANI, M., "Modeling operator with task analysis in mind", Proceedings of Topical Meeting on Nuclear Plant Instrumentation, Control and Man-Machine Interface Technologies, ANS (1993) pp. 505-512.

[15] FURUTA, K., KONDO, S., "Assessment of man-machine systems by computer simulation of operator's cognitive behaviour", Proceedings of International Symposium on Nuclear Power Plant Instrumentation and Control, OECD/NEA/IAEA (1992).

[16] YOSHIDA, K., et al., "Development of a pilot system for dynamic simulation of man-machine system", Proceedings of 1992 Fall Meeting of Atomic Energy Society of Japan, E25 (1992) p. 275 (in Japanese).

[17] FURUTA, K., KONDO, S., "Group reliability analysis", Reliability Engineering and System Safety 35 (1992).

[18] SASOU, K., et al., "Development of the simulation system for behavior of the operating group - Total Planning", Proceedings of 1992 Fall Meeting of Atomic Energy Society of Japan, E27 (1992) p. 277 (in Japanese).


SPDS DEVELOPMENT FOR RBMK UNIT

A.I. GORELOV, V.A. PROSHIN
Research and Development Institute of Power Engineering (RDIPE),
Moscow, Russian Federation

Abstract

Serious upgrades and improvements have been made, and more are planned, in Russia to enhance the safety of nuclear power plants with RBMK reactors. An important part of these measures is improvement in the presentation of safety parameters. A Safety Parameters Display System (SPDS) has been developed for implementation in the plants, in the special services for nuclear safety surveillance and management, and in the operation support centres. The development and implementation of the SPDS are performed in unison with the large scale actions (which include I&C system upgrades) towards enhanced safety and reliability of RBMK nuclear plants in Russia. This influences the work schedule and requires special efforts to coordinate the various types of activity. Many features of this type of reactor determine the detailed set of safety parameters and functions. The main features and the existing I&C and MCR are described. Safety parameters are grouped into three levels; in addition, the number of channel parameters is reduced by means of calculations. SPDS functional and technical requirements are developed on the basis of deep knowledge of the plant features, the safety parameter list, operational experience, instructions and task analysis. A special group of specialists is involved to solve "human factor" problems.

1. INTRODUCTION

One of the major ways to enhance the operational safety of Russian RBMK NPPs is to decrease the probability of personnel errors by paying more attention to human factors. According to IAEA data, personnel errors caused more than 50% of incidents during NPP operation. In Russia, of 16 unplanned shutdowns of RBMK NPPs in 1991, only 3 were caused by equipment failure, 6 were due to personnel errors, and 7 had complex causes involving both equipment failures and personnel errors.

The current status of RBMK I&C systems, which have been designed and constructed over last25 years, is characterized by common problems, associated with the following factors:

Operators must cope with a lot of information during emergency situations;

There is a lack of general information characterizing the safety status of the plant;

It is difficult to control, monitor and diagnose an event (a great number of measured andcalculated parameters must be analyzed, operation manuals and procedures must be usedand a variety of regulations must be met.)

The greatest problems associated with "human factors" at Russian NPPs are those associated withhuman-machine interface and the fact that operators have to cope with a lot of information, especially inabnormal conditions.

Comparison with modern foreign information systems and with the IEC standards has shown that the systems of Russian NPPs lag considerably behind. A number of the most important computer functions, which are recognized abroad as necessary, are not available. In particular, the RBMK-1000 monitoring system Skala has no capability to display power unit safety parameters on computer displays, and there is no possibility of implementing such a function on the existing hardware. The characteristics of the Safety Parameters Display System (SPDS) at RBMK units are not as good as those of Western SPDSs. A new Skala-micro system is intended to replace the old (end of life) Skala system at NPPs with RBMK-1000 reactors. The design documentation demonstrates that the Skala-micro system complies with the requirements of the Russian Regulatory Agency. Nevertheless, the system design does not incorporate Western methodology or the IAEA and IEC recommendations on operator information support systems and human factors.

In 1992, development of the SPDS for RBMK reactors began. The system is intended to display safety parameters for operators, supervisors and safety experts at NPPs. Such a system could also present information to safety experts at the national crisis centre and at technical support centres.

2. OBJECTIVES AND INTEGRATION OF SPDS IN PLANT OPERATION

The SPDS is a major part of the Emergency Response Facilities, the Emergency Guidelines and the training programmes. To enhance safety, reliability and efficiency of operation as the RBMK reactors are modernized, it is necessary:

to create modern Safety Parameters Display Systems (SPDS) for RBMK reactors;

to develop function-based procedures and display them on the SPDS;

to teach Russian specialists to deal with information system design technologies inaccordance with NPP SPDS requirements.

The objective of the SPDS is the continuous display of reliable information to operators in real time. Such information should be sufficient to define the plant safety status and to support operators in controlling the reactor and in avoiding and handling abnormal situations. This includes radioactive releases during normal operation, emergency situations and, partially, beyond design basis accidents. The SPDS will provide the main control room operators with an "intelligent interface" which will improve their work in abnormal conditions and enable them to quickly identify deviations from safe operation and properly control the reactor to manage emergency situations. The system should also allow NPP safety experts to work with computers and transfer data to external information systems.

Recent progress in the development of Western SPDSs has shown a considerable increase in the complexity and scope of the functions performed by these systems. This is the result of a rapid increase in system capabilities, a reduction in hardware requirements and an increase in the R&D work on man-machine interfaces. Essentially all new SPDSs have functions such as the display of ERGs for the operator and of data on the status and proper operation of safety systems. Additional functions are chosen according to the deficiencies in the informational support of operating personnel revealed during control room inspections.

Alarm processing is important. It could considerably reduce the flood of information the operator has to handle and the probability of operator error in an emergency. It is desirable to have an SPDS that can be extended to incorporate new diagnostic concepts and evaluation methods such as expert systems. RBMK operational experience and operators' stereotypes would be used during SPDS design.

3. DESIGN BASIS SUBSTANTIATION

A variety of physical safety barriers, such as the fuel matrix, leak tight fuel element cladding, the primary system, and the leak tight reactor space and compartments, are provided to prevent the release of radioactive products into the environment in case of an accident. The fuel failure detection system, the fuel channel integrity monitoring system, the NPP radiation monitoring system and the environmental radiation monitoring system are provided for monitoring barrier integrity.

Prevention of an accident and localization of its consequences are ensured by the "defence in depth" principle implemented in each of the main safety functions. The "defence in depth" principle relative to all safety functions is realized as a sequence of automatic control system trips when deviations from normal operating conditions take place.


The overall RBMK safety goal is protection of the health and safety of the public by preventing uncontrolled releases of radioactive materials. The hierarchical structure of safety subgoals forms a tree of safety goals. The criteria for attaining the safety goals are formulated so that the integrity of all safety barriers is ensured, and the potential risk of their failure is absent, when all high-level safety goals are attained for each specific operational mode of the power unit.

The following safety functions have been chosen on the basis of the safety analysis, according to the requirements specified in Russian regulatory documents and with consideration of IAEA and IEC recommendations:

1. Maintain reactor neutron flux control (including emergency shutdown and subcritical corecontrol).

2. Maintain core cooling (including emergency cooling).

3. Maintain heat sink from reactor plant and circulation circuit equipment.

4. Maintain circulation circuit integrity.

5. Maintain integrity of leak tight reactor cavity.

6. Maintain integrity of leak tight compartment system.

7. Maintain circulation circuit inventory.

8. Monitor safety barrier destruction and radiation releases.

The depth of subsequent "decomposition" of a safety function is defined both by the level of detailed characterization at each design stage and by the objectives of its practical application. Generally the depth of decomposition is restricted by the functions each subsystem has to attain and by the operator tasks (for objectives that require manual control), with quantitative characteristics.

The safety functions required to attain each subgoal, forming the hierarchical tree structure of the functions, are chosen according to the structure of the safety goal trees. The following should be defined for each function:

list of monitored parameters characterizing accomplishment of the function;

control algorithms and quantitative characteristics required for accomplishment offunction;

method to define correct accomplishment of function;

possible alternative functions in case of failure of the function under consideration andmethod for choosing these alternatives.

Functions capable of maintaining performance of a higher-level function can be chosen as the alternatives.

It is expedient to describe all normal modes of operation and design-basis events when the quantitative characteristics ensuring performance of the functions are identified. Failure of a certain function is equivalent to the corresponding design-basis event (or events), and hence a designer should assess how each design-basis event could affect the execution of the higher-level function.
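The goal tree described in this section (a top-level safety goal decomposed into safety functions, each with a list of monitored parameters, a method for deciding whether it is accomplished, and alternative functions that can maintain the higher level when it fails) can be evaluated mechanically for a concise status display. The following is an added example and not RDIPE's SPDS software: the function names are taken from the list of eight above, but the monitored parameters, their limits and the alternative relation (forced circulation backed by emergency core cooling) are assumptions chosen for the example, not RBMK design values.

```python
"""Safety-function tree evaluation for a concise SPDS status display.

Added illustration, not RDIPE's SPDS software. The function names are from
the list of eight safety functions in the text; the monitored parameters,
limits and the alternative relation are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SATISFIED = "SATISFIED"
MAINTAINED = "MAINTAINED BY ALTERNATIVE"
UNKNOWN = "UNKNOWN"          # a monitored parameter is missing
CHALLENGED = "CHALLENGED"
SEVERITY = {SATISFIED: 0, MAINTAINED: 1, UNKNOWN: 2, CHALLENGED: 3}


def worse(a: str, b: str) -> str:
    return a if SEVERITY[a] >= SEVERITY[b] else b


@dataclass
class Limit:
    """Acceptance band for one monitored parameter (None = unbounded on that side)."""
    parameter: str
    low: Optional[float] = None
    high: Optional[float] = None

    def holds(self, value: float) -> bool:
        return (self.low is None or value >= self.low) and (self.high is None or value <= self.high)


@dataclass
class SafetyFunction:
    name: str
    limits: List[Limit] = field(default_factory=list)              # monitored parameters
    subfunctions: List["SafetyFunction"] = field(default_factory=list)
    alternatives: List[str] = field(default_factory=list)          # functions able to stand in


def check_limits(limits: List[Limit], readings: Dict[str, float]) -> str:
    """Method to define correct accomplishment: every parameter inside its band."""
    status = SATISFIED
    for lim in limits:
        value = readings.get(lim.parameter)
        if value is None:
            status = worse(status, UNKNOWN)
        elif not lim.holds(value):
            return CHALLENGED
    return status


def evaluate(root: SafetyFunction, readings: Dict[str, float]) -> Dict[str, str]:
    """Evaluate every function in the tree; returns {function name: status}.
    A challenged function whose alternative is itself satisfied is reported as
    maintained, and that weaker status propagates to the higher level."""
    index: Dict[str, SafetyFunction] = {}

    def collect(f: SafetyFunction) -> None:
        index[f.name] = f
        for s in f.subfunctions:
            collect(s)
    collect(root)

    result: Dict[str, str] = {}

    def own_status(f: SafetyFunction) -> str:
        """Status from own parameters and subfunctions, ignoring alternatives."""
        status = check_limits(f.limits, readings)
        for s in f.subfunctions:
            status = worse(status, evaluate_one(s))
        return status

    def evaluate_one(f: SafetyFunction) -> str:
        if f.name not in result:
            status = own_status(f)
            if status == CHALLENGED and any(
                    alt in index and own_status(index[alt]) == SATISFIED for alt in f.alternatives):
                status = MAINTAINED
            result[f.name] = status
        return result[f.name]

    evaluate_one(root)
    return result


def display_order(statuses: Dict[str, str]) -> List[str]:
    """Most severe first, so the top line of the display is the one to act on."""
    return sorted(statuses, key=lambda n: -SEVERITY[statuses[n]])


# Constructed tree: top goal, four of the eight safety functions, one decomposed.
TREE = SafetyFunction("Prevent uncontrolled release of radioactive materials", subfunctions=[
    SafetyFunction("1 Maintain reactor neutron flux control", [Limit("neutron_power_pct", high=105.0)]),
    SafetyFunction("2 Maintain core cooling", subfunctions=[
        SafetyFunction("2a Forced circulation", [Limit("mcp_running", low=4)],
                       alternatives=["2b Emergency core cooling"]),
        SafetyFunction("2b Emergency core cooling", [Limit("eccs_available", low=1)]),
    ]),
    SafetyFunction("5 Maintain integrity of leak tight reactor cavity", [Limit("cavity_pressure_kPa", high=30.0)]),
    SafetyFunction("8 Monitor safety barrier destruction and radiation releases",
                   [Limit("stack_activity_rel", high=1.0)]),
])

NORMAL = {"neutron_power_pct": 100.0, "mcp_running": 6, "eccs_available": 1,
          "cavity_pressure_kPa": 5.0, "stack_activity_rel": 0.1}

if __name__ == "__main__":
    statuses = evaluate(TREE, {**NORMAL, "mcp_running": 2})
    for name in display_order(statuses):
        print(f"{statuses[name]:26} {name}")
```

A missing parameter yields UNKNOWN rather than SATISFIED, so a failed input is never displayed as a healthy function; and "maintained by alternative" is kept distinct from "satisfied" all the way up the tree, because the higher-level function is then relying on its back-up.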


4. SYSTEM ARCHITECTURE

To determine the system structure and performance as a whole, the following factors are of paramount importance:

the SPDS design should be performed within the framework of the modernization of the automated systems of operating RBMK NPPs;

as a result of modernization and implementation of new safety systems, the safety and computerization of the power unit should be improved;

the existing Skala system and other MCR information systems provide the main information for operators; however, the information presentation formats are far from optimal from the human factors perspective;

the requirements for the SPDS should be well defined by users, proceeding from their experience with the Skala system and other automated systems of RBMK power units.

The SPDS monitors the main and auxiliary RBMK safety-related systems and the processes controlled by these systems. The main sources of information for the SPDS are the existing NPP I&C systems. If the existing scope of measured parameters is insufficient, or the monitoring systems do not meet the requirements, additional sensors could be installed. To work out the main principles implemented in the SPDS, it is suggested to test a prototype of the system using input data from the Skala system only. Then, along with the modernization of the overall control systems, more input data could be used by the SPDS as other systems are added.

SPDS users would be: control room operators, non-operating personnel (e.g. safety engineers), management and support staff, and safety experts at NPPs. The information from the SPDS could be transferred to external information systems for use by safety experts and the staff of local and national Nuclear Power Crisis Centres, Technical Support Centres and Emergency Operation Centres.

RBMKs currently use the Skala system, the control system and the safety system to monitor safe operation and display information for operators to prevent accidents. The SPDS should not interfere with the operation of these systems.

The Skala-micro system is intended to replace the old Skala systems at RBMK-1000 reactors. The Skala-micro system monitors the processes of the plant by implementing all the major functions of the replaced Skala system at a new qualitative level.

The SPDS work stations, arranged in the control room, complement the existing conventional operator console and provide the following:

continuous display of current safety functions status;

additional information displaying power unit systems status;

display of emergency response guidelines;

information recording and its transfer to safety experts.

The purpose of the Technical Support Centre work station at the NPP is to carry out non-routine, labour-consuming calculations, perform a comprehensive analysis of the safety status, calculate modelling parameters, forecast accident development, assist in accident recovery using data from emergency recording, diagnose the status of plant equipment, computerize the functions of the safety experts and of plant management and technical personnel, provide information support for non-operational staff, and transmit recommendations made by the safety experts to MCR staff.

To work out the main solutions adopted during SPDS design, it is expedient at the SPDS prototype testing stage to use a reduced amount of input data, coming only from Skala or its replacement systems (Skala-M or Skala-micro). To obtain measured and calculated data, the SPDS is equipped with two Datalink Servers, each of which is connected to one set of Skala systems. For data transmission it is possible to use RS-232 or RS-422 serial ports.

Connection of the SPDS computer bridges to Skala-M was simulated on a test rig at RDIPE by means of an SM-1210 computer. Communication between the computer bridges and the SM-1210 is accomplished through an RS-232 serial port on the bridge side and a remote communication adapter (RCIA 1) connected to memory (CDAM) on the SM-1210 side. The information exchange rate is 9600 baud. The designed communication line length is 70 m.

The scope of data and its acquisition rate could be enhanced in the future when other systems are connected to the SPDS. It is supposed that the SPDS could collect analog and digital data and check its correctness.
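The correctness check mentioned above matters because an SPDS that displays a stale or implausible value as if it were good misleads the operator at exactly the moment the display is meant to help. With two Datalink Servers feeding the system, the natural checks are per-source (data present, flagged valid by the source, fresh, within engineering range) and cross-source (do the two servers agree). The following is an added example and not RDIPE's SPDS software: the tag names, engineering ranges, 5 s staleness limit and agreement tolerances are constructed assumptions, and the Skala link protocol itself is not modelled, only the samples it would deliver.

```python
"""Correctness checks on data from two redundant Datalink Servers before
the SPDS uses it.

Added illustration, not RDIPE's SPDS software. Tag names, engineering
ranges, the 5 s staleness limit and the agreement tolerances are constructed
assumptions; the Skala link protocol itself is not modelled.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Sample:
    tag: str
    value: float
    timestamp: float      # seconds, clock of the receiving server
    valid: bool = True    # quality flag as delivered by the source system


@dataclass
class Validated:
    tag: str
    value: Optional[float]
    quality: str          # GOOD, SUSPECT or BAD
    reason: str


# Hypothetical engineering ranges (low, high) and agreement tolerance as a
# fraction of span; digital signals use range (0, 1) and tolerance 0.
RANGES: Dict[str, Tuple[float, float]] = {
    "drum_level_mm": (0.0, 2000.0),
    "feed_flow_t_h": (0.0, 8000.0),
    "neutron_power_pct": (0.0, 120.0),
    "eccs_valve_open": (0, 1),
}
TOLERANCE: Dict[str, float] = {"eccs_valve_open": 0.0}
DEFAULT_TOLERANCE = 0.02
MAX_AGE_S = 5.0


def check_one(sample: Optional[Sample], now: float, rng: Tuple[float, float]) -> Tuple[str, str]:
    """Single-source checks: present, flagged valid, fresh, physically plausible."""
    if sample is None:
        return "BAD", "no data"
    if not sample.valid:
        return "BAD", "flagged invalid by source"
    if now - sample.timestamp > MAX_AGE_S:
        return "BAD", f"stale ({now - sample.timestamp:.1f} s old)"
    low, high = rng
    if not low <= sample.value <= high:
        return "BAD", f"out of range {rng}"
    return "GOOD", "ok"


def validate(tag: str, a: Optional[Sample], b: Optional[Sample], now: float) -> Validated:
    """Combine both servers: agreement gives GOOD, one usable source gives
    SUSPECT (value still shown, but flagged), none gives BAD with no value."""
    rng = RANGES[tag]
    qa, ra = check_one(a, now, rng)
    qb, rb = check_one(b, now, rng)
    if qa == "GOOD" and qb == "GOOD":
        tol = TOLERANCE.get(tag, DEFAULT_TOLERANCE) * (rng[1] - rng[0])
        diff = abs(a.value - b.value)
        if diff <= tol:
            return Validated(tag, a.value, "GOOD", "servers agree")
        return Validated(tag, a.value, "SUSPECT", f"servers disagree by {diff:g}")
    if qa == "GOOD":
        return Validated(tag, a.value, "SUSPECT", f"server B: {rb}")
    if qb == "GOOD":
        return Validated(tag, b.value, "SUSPECT", f"server A: {ra}")
    return Validated(tag, None, "BAD", f"server A: {ra}; server B: {rb}")


def validate_all(from_a: Dict[str, Sample], from_b: Dict[str, Sample], now: float) -> Dict[str, Validated]:
    return {tag: validate(tag, from_a.get(tag), from_b.get(tag), now) for tag in RANGES}


# Constructed samples: one acquisition cycle received at NOW = 100.0 s.
NOW = 100.0
FROM_A = {
    "drum_level_mm": Sample("drum_level_mm", 1200.0, 99.5),
    "feed_flow_t_h": Sample("feed_flow_t_h", 5500.0, 90.0),          # stale
    "neutron_power_pct": Sample("neutron_power_pct", 98.0, 99.5, valid=False),
    "eccs_valve_open": Sample("eccs_valve_open", 1, 99.5),
}
FROM_B = {
    "drum_level_mm": Sample("drum_level_mm", 1205.0, 99.0),
    "feed_flow_t_h": Sample("feed_flow_t_h", 5520.0, 99.0),
    "neutron_power_pct": Sample("neutron_power_pct", 350.0, 99.0),   # out of range
    "eccs_valve_open": Sample("eccs_valve_open", 0, 99.0),
}

if __name__ == "__main__":
    for v in validate_all(FROM_A, FROM_B, NOW).values():
        print(f"{v.tag:20} {v.quality:8} {v.value!s:8} {v.reason}")
```

The quality and reason travel with the value so that the display can mark a SUSPECT parameter rather than silently showing one server's number, and a BAD parameter carries no value at all, which is what lets the safety-function logic report UNKNOWN instead of a false SATISFIED.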

5. SPDS VALIDATION AND TESTING

SPDS validation and testing should be arranged so as to minimize their effect on the personnel of currently operating power units. Planned outages should be considered as the time to perform needed work at the NPP. To accomplish validation tasks it is necessary to use sufficiently precise mock-ups or SPDS simulators and associated plant systems.

At the design stage the system could be verified and qualified, as far as the adopted technical solutions are concerned, on the SPDS prototype, the creation of which is planned at RDIPE.

The major functions of the test-rig (prototype) are the following:

implementation of the primary and secondary functions of the SPDS to an extent equivalent to the design stage, and system surveillance in the course of operation;

simulation of the power unit I&C systems;

acquisition, recording and documenting of data, obtained in the course of testing;

processing of the test data, recording and documentation.

Moreover, the test rig can also support the development and testing of SPDS hardware and software, including application software. The SPDS prototype's hardware and software are modified according to the results of the tests performed.

The SPDS mock-up shall be implemented at the Smolensk RBMK Training Centre. This mock-up is intended for man-machine interaction testing. Emergency scenarios will be simulated using the RBMK unit simulator.

Therefore, each stage of design and commissioning of the system must be accompanied by verification and validation.


6. CONCLUSIONS

The SPDS can be characterized as a computer system composed of local networks, computers and work stations for the main control room operators and safety experts. The main SPDS function is the continuous, concise display of critical parameters to enable operators to quickly and correctly estimate the safety status of the NPP and control the reactor so as to prevent core damage and radioactive release. The SPDS should operate in both normal and abnormal conditions.

Owing to the project realization the following benefits are anticipated:

reduction in possible errors of NPP operators, especially in emergencies, due to the continuous display of general parameters defining the power unit safety status;

improvement in human-machine interface at Russian NPPs and introduction of additionalinformation support functions for the MCR personnel.

Safety enhancement is achieved through the creation of new functional capabilities for NPP personnel and for the safety experts of Crisis Centres and Technical Support Centres, in accordance with current Regulations, including:

display of safety parameters and safety functions' status for operators;

creation of an intelligent man-machine interface providing for improvement of personnel operating conditions;

computer display of emergency response guidelines;

possibility of information exchange between operators and technical support and crisis centres.

The work will result in quick testing of the SPDS and, if necessary, changes to the concepts of human-machine interface design, which is very important for Russian NPP I&C modernization.


ELECTRICITE DE FRANCE N4 CONTROL ROOM AND I&C SYSTEM

J. FURET
CEN-FAR, MICE/Direction de la sûreté des installations nucléaires,
Fontenay-aux-Roses

G. GUESNIER
Direction de l'équipement, Electricité de France,
Villeurbanne

France

Abstract

The new concept of a computer-based control room, chosen by EDF for the PWR 1400 MW N4 series, aims at improving the quality of operation in every situation of the plant by: a close association between commands and information and between operation and maintenance procedures; a very efficient alarm processing system; a reliable and relevant presentation of information; and a diagnosis aid. The present paper discusses the new concept of the control room and I&C system.

1. INTRODUCTION

Incidents at nuclear plants, especially the TMI and Chernobyl accidents, have shown the influence of human factors. The research carried out by EDF with the aim of reducing this risk has shown that control room development and an improved man-machine interface in a conventional control room (the addition of significant computerized systems, for example) could improve the quality of plant monitoring.

In 1981, EDF decided to study and develop a new type of control room for the future N4 series (1400 MWe), with the following features:

the same operating crew as in a conventional nuclear control room:

* two operators in normal conditions,

* four operators and crises teams in emergency conditions,

operators are seated facing their work station,

improved data processing to provide integrated information and especially to limit thenumber of alarms,

development and integration of operator aids in the work station.

All these characteristics led to the definition of a fully computerized control room. This solution also gives some other advantages, for instance:

to use the same operating means in every situation,

to avoid, during operation, a mixture of conventional and computerized means,

to allow a progressive modification of the automation level and easier evolutions,


to display information adapted to the operating task and to the situation of the plant,

to provide relationships between information, explanations, and controls,

to provide powerful alarm processing, a direct link to the alarm sheet (operating guide), and controls through the alarm sheet,

to closely associate:

* controls and related information,

* operating and maintenance procedures.

Before plant construction, it was decided to demonstrate all these assumptions and to build a prototype of the control room as a full-scope simulator. This new control room, whose acronym is S3C, was evaluated for five years at the Bugey training centre near Lyon, France.

2. CONTROL ROOM DESCRIPTION (see figure 1)

2.1. General organization

The general organization of the N4 control room is the following:

an operator for the nuclear island,

an operator for the conventional island and the BOP (Balance Of Plant),

a shift supervisor.

FIG. 1. EDF N4 control room overview.


Under emergency conditions, a safety engineer joins the team (there is one safety engineer per site).

This organization dictated the number of computerized operator work stations:

4 identical work stations are installed in the control room. Theoretically, each of them enables control and monitoring of the plant.

a complementary work station is installed in the technical support centre. It is used only for observation in crisis situations.

Operation of the installation is performed through the two operator work stations. The control capabilities of the two other work stations (reserved for the shift supervisor and for the safety engineer) are locked by a key. Unlocking control is possible in case of failure of one of the operating work stations.

Between the two operator work stations, an area is reserved for a dozen emergency action push-buttons (these push-buttons are connected directly to the safety actuators).

Opposite the operators, a large mimic panel gives an overview of the plant. This animated mimicpanel presents the states of the main circuits and components of the plant.

Below the mimic panel, a conventional back-up panel (auxiliary panel) with about 200 control stations, 2 CRTs for the alarms and 2 video recorders for the analog values allows the plant to be run to cold shutdown. This back-up panel and the mimic panel are used in case of a total failure of the computer system (probability of occurrence: once every 8 years). When the computerized operating system is in service, this auxiliary panel is out of service (the video recorders are then on stand-by).

2.2. Organization of an operator work station (see figure 2)

From each operator work station it is possible to have access to all the formats (images) and all alarms of the plant.

Each of them includes:

- an operating area with:

* 3 colour fully graphical CRTs used for the formats which give the information needed in order to control the plant,

* a tracker ball (only active on one screen at a time) which is used to point out the object controlled or selected,

* 3 tactile screens for:

o the control actions (this screen displays menus),

o the control monitoring (this screen indicates if the control order has been correctly carried out or if it has failed because of unavailability, loss of power supply, or padlocking of the actuator),

o the formats management (this screen allows the last formats displayed to be called back again);


FIG. 2. Operator work station (image not reproduced; labels: graphics CRTs, tracker ball, alarms CRTs).

* a keyboard to validate the control actions, to perform a procedure, etc.,

* an alpha-numerical keyboard used to give new data to the control system;

- an area for the alarms with:

* 4 colour alphanumeric CRTs for the alarm display,

* a keyboard to acknowledge and to handle the alarms.

The 4 work stations in the control-room are quite similar; it should be noted, however, that the 2 operator work stations have their operating areas side by side whilst the alarm areas are to be found at the extremities of the desks.

This configuration was requested by the operators themselves. It allows them to be nearer one another and facilitates exchanges between them, particularly during transients.

Commanding an industrial installation, especially a nuclear power plant, from a work station with 10 screens imposes constraints concerning the user-friendliness of the man-machine interface and the alarm processing.

2.3. User-friendliness of the N4 man-machine interface

The man-machine interface must assist the operator in each of his tasks (control, monitoring, fault diagnosis) without leading him to lose his overview of the installation; this has imposed the following constraints:


(a) To adapt the formats to the operator's task

The principle is that any information which the operator requires in order to carry out a precise task should be found on a single format: one has to avoid having the operator spend his time looking for the information he requires. This principle has led to the development of a large number of "self-contained" images:

o the operating formats (about 600 are planned): these enable the use of individual manual control of the actuators. In general, these are of mimic type, to which curves, X-Y diagrams or associations of several bar-chart formats (profiles) have been added (see figure 3);

o the operating procedures: all normal and emergency procedures are presented on the screens (about 3000 pages are provided). The procedure proposes the line of action to be taken on a single format (in the form of a flow-chart) together with the monitoring of the operator's actions (the system tells the operator if he is following this guide correctly) (see figure 4);

o operation under an emergency situation is carried out following symptom based procedures, which require the operators to react depending on certain reactor parameters (vessel level, margin to saturation, etc.).

FIG. 3. Operating format (image not reproduced; recoverable labels: format RCV002YRG "RCV - REGLAGE CHARGE/DECHARGE", i.e. RCV charging/letdown regulation, with pressurizer level, charging flow, seal injection, primary pressure and letdown line pressure indications).


FIG. 4. Operating procedure (image not reproduced; recoverable labels: procedure FRCV2/6 "MISE H.S SOUTIRAGE EXCEDENTAIRE", i.e. taking the excess letdown out of service, page 01/01, presented as a flow-chart of valve closure steps beside a monitoring column "SUIVI SOUTIRAGE EXCEDENTAIRE").

The operators therefore have to constantly go through the same procedures (flow charts) in order to check whether the parameters have changed or not.

The symptom based procedure is particularly well adapted to computers, because they can indicate, at any time, if the situation has changed.

o the alarm sheets: each functional alarm is associated with an alarm sheet (there are about 3000 of them). They are the guides which list the operations to be carried out following the alarm message, and they enable the correct commands to be ordered directly from the formats shown (see figure 5);

o the technical sheets: each sensor and each actuator has a technical sheet (there are about 10 000), which is a table showing the characteristics of the item concerned (location, labelling, threshold values, electrical power input, availability, the ability to interlock the control, etc.). The technical sheet also serves as the alarm sheet for failures of the component itself.


FIG. 5. Alarm sheet (image not reproduced; recoverable labels: alarm RCV003AA "T. HAUTE AMONT SOUPAPE 010VP", i.e. high temperature upstream of valve 010VP, with the sections SITUATION, VERIFICATION D'ACTIONS AUTO, CONDUITE A TENIR, IMAGE, CONSEQUENCES RISQUES, ELABORATION CAUSE, VALIDATION and RENSEIGNEMENTS).

(b) To limit serializing of the information

In a conventional control room, the operator has a general view of his installation. In a computerized control room, he only has a partial view. In order to limit this difficulty, some possibilities were foreseen:

- Synthesis of the information by:

o the presentation on the same format of the control action means and of the consequences of these actions,

o the calculation and the presentation of the in/out of service information for each circuit.

- Suitable design of the format, for example:

o the multi-variable presentation (curves, X-Y diagrams and associations of several bar-charts),


o the creation of formats giving an overall view of the installation and presenting some balances (water volume, weight, energy). It should be noted that these images depend on the plant state.

- Easy access to the information by setting up functional relationships between the various formats (hierarchy of the formats, visual continuity between formats, etc.).

2.4. Alarm handling in N4 control room

Alarm processing has the following main characteristics:

(a) Only pertinent alarms are presented

In order to do this, 4 different validation and inhibition levels have been planned:

- validation of the alarm by the sensor: exceeding the threshold level can only be considered to be an alarm if the information transmitted by the sensor is correct; for example, if the sensor is out of range, the associated alarm is inhibited;

- validation of the alarm from the state of the function it is monitoring: exceeding the threshold level only becomes an alarm if the information is inconsistent with the state of the function; for instance, a low flow becomes an alarm if the pump upstream is in service;

- inhibition of the alarm by a more serious alarm or by the consequent alarm, for example:

* the loss of 380 V power supply becomes an alarm if the 6.6 kV switchboard which supplies it is in service,

* a high level is inhibited by a very high level,

- validation of the alarm by the situation of the nuclear plant (about 15 normal or accident situations have been foreseen), for example: cold shut-down, hot shut-down, load rejection.

The situation is calculated on-line by the computer system and validated by the operator.

(b) Hierarchy of the alarms is set up

Alarm display colour is related to the degree of urgency, which gives to the operator the speed of intervention required: red, yellow, white (in decreasing order of urgency). The colour of the alarm may change depending on the situation of the power plant.

(c) Functional alarms are differentiated from specific alarms concerning the equipment

Equipment alarms can be erased from the screens after the maintenance has been taken into account.
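The four validation and inhibition levels of 2.4 (a) and the situation-dependent colour hierarchy of 2.4 (b) together form a filtering pipeline, the same shape a detection engineer uses to suppress alerts that are not pertinent. The following Python is an added worked example, not code from the IAEA report or from the EDF N4 system: the alarm names, sensor tags, thresholds, function names and plant situations are constructed for illustration, and the choice to apply level 3 after the other three levels (so that only an alarm that is itself valid can inhibit another) is an assumption of the example.

```python
# Added example of the N4-style alarm validation levels. All tags, thresholds,
# function names and situations are constructed; this is not the EDF alarm base.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

COLOUR_ORDER = {"red": 0, "yellow": 1, "white": 2}  # decreasing order of urgency


@dataclass
class Sensor:
    value: float
    lo: float  # lower end of the measuring range
    hi: float  # upper end of the measuring range

    def in_range(self) -> bool:
        return self.lo <= self.value <= self.hi


@dataclass
class AlarmDef:
    name: str
    sensor: str       # tag of the sensor feeding this alarm
    threshold: float
    direction: str    # "high": alarm when value > threshold; "low": when value < threshold
    requires_in_service: Optional[str] = None          # level 2: function that must be running
    inhibited_by: Tuple[str, ...] = ()                  # level 3: more serious / consequent alarms
    valid_situations: Optional[FrozenSet[str]] = None  # level 4: None = pertinent everywhere
    colour: Dict[str, str] = field(default_factory=dict)  # situation -> colour override
    default_colour: str = "yellow"

    def exceeded(self, value: float) -> bool:
        return value > self.threshold if self.direction == "high" else value < self.threshold


@dataclass
class PlantState:
    sensors: Dict[str, Sensor]
    in_service: FrozenSet[str]  # functions (pumps, switchboards, ...) currently in service
    situation: str              # situation computed on-line and validated by the operator


def evaluate(defs: List[AlarmDef], state: PlantState
             ) -> Tuple[List[Tuple[str, str]], Dict[str, str]]:
    """Return (presented, inhibited): (name, colour) pairs sorted by urgency, and
    every suppressed alarm mapped to the level that suppressed it."""
    inhibited: Dict[str, str] = {}
    candidates: List[AlarmDef] = []
    for a in defs:
        s = state.sensors[a.sensor]
        if not a.exceeded(s.value):
            continue  # threshold not crossed: nothing to validate
        if not s.in_range():
            inhibited[a.name] = "level 1: sensor out of range"
        elif a.requires_in_service and a.requires_in_service not in state.in_service:
            inhibited[a.name] = "level 2: monitored function not in service"
        elif a.valid_situations is not None and state.situation not in a.valid_situations:
            inhibited[a.name] = "level 4: not pertinent in situation " + state.situation
        else:
            candidates.append(a)
    # Level 3 needs the whole candidate set: an alarm is dropped when a more serious
    # or consequent alarm has itself survived levels 1, 2 and 4.
    raised = {a.name for a in candidates}
    presented: List[Tuple[str, str]] = []
    for a in candidates:
        blockers = [b for b in a.inhibited_by if b in raised]
        if blockers:
            inhibited[a.name] = "level 3: inhibited by " + blockers[0]
        else:
            presented.append((a.name, a.colour.get(state.situation, a.default_colour)))
    presented.sort(key=lambda nc: COLOUR_ORDER[nc[1]])  # red first, white last
    return presented, inhibited


ALARMS = [  # constructed alarm definitions
    AlarmDef("LVL_HIGH", "LVL", 80, "high", inhibited_by=("LVL_VERY_HIGH",)),
    AlarmDef("LVL_VERY_HIGH", "LVL", 90, "high", default_colour="red"),
    AlarmDef("CHG_FLOW_LOW", "FLOW", 10, "low", requires_in_service="charging_pump"),
    AlarmDef("BUS_380V_LOST", "V380", 300, "low", requires_in_service="switchboard_6_6kV",
             colour={"power": "red"}, default_colour="white"),
    AlarmDef("PRZ_PRESS_LOW", "PRZ", 150, "low", default_colour="red",
             valid_situations=frozenset({"power", "hot_shutdown"})),
]


def power_operation_case():
    """Constructed snapshot at power: a failed sensor, a stopped pump, a level excursion."""
    state = PlantState(
        sensors={"LVL": Sensor(95, 0, 100), "FLOW": Sensor(5, 0, 200),
                 "V380": Sensor(0, 0, 450), "PRZ": Sensor(-5, 0, 200)},
        in_service=frozenset({"switchboard_6_6kV"}), situation="power")
    return evaluate(ALARMS, state)


def cold_shutdown_case():
    """Same alarm base in cold shut-down: the low-pressure alarm is no longer pertinent."""
    state = PlantState(
        sensors={"LVL": Sensor(50, 0, 100), "FLOW": Sensor(50, 0, 200),
                 "V380": Sensor(0, 0, 450), "PRZ": Sensor(100, 0, 200)},
        in_service=frozenset({"switchboard_6_6kV"}), situation="cold_shutdown")
    return evaluate(ALARMS, state)
```

Keeping the reason for every suppression (the `inhibited` map) is deliberate: an inhibited alarm is still a fact about the plant, and a reviewer of a transient needs to see what was filtered and why, not only what was shown.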

3. CONTROL AND INSTRUMENTATION SYSTEM ARCHITECTURE

The control and instrumentation system has the usual levels (see figure 6):

- level 0, which consists of sensors and actuators and which is the interface for the elementary acquisition and control signals;


FIG. 6. Control and instrumentation architecture (image not reproduced; recoverable labels: information and control processing; control of safety supporting systems; protection; sensors and switches; actuators: valves, switchboards, pumps; sensors).


- level 1, which consists of programmable logical and numerical controllers (microprocessors) that carry out the automatic protection actions and the automatic regulations;

- level 2, which provides the interface with the operators for the control of the plant (information system), and which includes the computer-aided operation system, also called KIC, the wall mimic panel, the emergency panel and the auxiliary panel that are connected directly to the level 1 controllers;

- level 3, which includes maintenance, servicing and technical management functions.

3.1. Architecture and equipment of the computerized operating system

The architecture and equipment (see figure 7) which have been selected to meet all the criteria have the following characteristics:

- redundancy of the equipment required for the operation of the nuclear power plant: front-ends (FE), main computers (MC), operator stations (OSi), and distribution of this equipment among different power supply lines;

- extensive use of local area networks:

* on level 1, 20 islands of programmable controllers collect the information from level 0 over many local networks. Each controller uses a redundant transmission medium with fiber-optic cable to send the necessary data to the Front End processors and to transmit commands (on/off and adjustments) from the operator work stations to the level 0 actuators;

* on level 2, a local network which also uses a redundant transmission medium carries out the exchanges between the different computers of the KIC. The media of these local area networks are dual (coaxial cables); each cable is provided with a fiber-optic section to ensure that the two instrumentation and control lines, "line A" and "line B", are electrically separated from one another. The geographical layouts of the two cables of each network are different, which ensures the continuity of communications in case of accidental disconnection of one of the cables;

* connection of the operation system to a third local area network, called the "site network" (the level 3 network), to allow exchanges with maintenance and site computers.

3.2. The key figures of the KIC

The amount of data received by the Front-End processors (FE) from the level 1 controllers is:

- 65,000 digital values, and

- 2,500 analog values;

and the mean flow received each second is approximately

- 2,500,000 digital values, and

- 600 analogue values.


FIG. 7. KIC architecture (image not reproduced; recoverable labels: technical support center, level 1).


The system can manage:

- approximately 10,000 devices (pumps, valves, analogue sensors, motors ...),

- 600 operating formats (for control and monitoring),

- 3,300 alarm sheets (one for each alarm),

- 3,000 pages of operating procedures (all the procedures are on the screens),

- 10,000 technical sheets (one for each sensor and actuator).

The main response times of the KIC are as follows:

                              in 90% of cases     maximum time
    On/Off command            500 ms              1 s
    Adjustment command        300 ms              1 s
    Display of any format     1,50 ms             2 s
    Graphic update            (not legible)       800 ms

4. TECHNICAL AND ERGONOMIC EVALUATION

To validate this project, a full scope simulator called "S3C" has been built and a lot of feed-back improvements have been realized.

4.1. Evaluation plan

An evaluation plan with operators has been designed; it includes three phases:

- a first phase was finished in 1987; during this phase only a first part of the control room (with two work stations and a limited amount of operator aids) was available. This fast evaluation under normal and incidental situations was expected to decide the N4 type of control room and to start all the studies of the N4 control and instrumentation;

- a second phase was finished in 1989 for evaluation during normal and accidental situations; the "S3C" simulator was completed with all the operator aids needed (procedures for normal and accidental operation on CRT, alarm sheets for any alarm, aids for accidental situations, ...) and with a third operator work station. This evaluation was expected to validate the whole man-machine interface of this type of control-room;

- a third phase took place in 1993 (just before the start-up of the first N4) with a full control room (an auxiliary conventional panel will be added). This evaluation will verify the exact operation of the N4 plant with the same sheets and operating procedures.

4.2. Evaluation team

The S3C team, composed of engineers and teachers of the training-school, was reinforced by ergonomists, by a safety authority representative, by medical doctors, and by data specialists. There were about 25 specialists in this team.


The evaluation has been held with about twenty operators grouped in teams. Four of the teams will then become the first "N4" operators. This is the best guarantee to obtain feed-back from S3C to N4 and to train the first operators well. The other teams have been detached from 1300 MW(e) nuclear power plants.

4.3. Evaluation method

The technical and the ergonomic evaluations are based on experiments on the simulator and observations of operators' performance and activity. Operators are requested to operate the simulator for several scenarios defined as representative of normal, incidental or accidental situations.

Technical and ergonomic evaluations are performed simultaneously: while the operators operate, observations are made by ergonomists and engineers. At the same time, all operator actions on the work stations and on the process are automatically recorded, as well as alarms, error messages and some important process parameters. All information is sent to a data base. After the simulation, interviews of the operators are conducted and results are collected.

Observations give objective (quantitative as well as qualitative) data on operators' behaviour and performance, while interviews are aimed at getting data for interpretation of the behaviour and performance as well as subjective data from the operators themselves.

4.4. Results of evaluation

The results of this evaluation are very important. All the parts of the control room have been improved:

- the work station management, to have a better access,

- the location of each work station, to have a better communication between the operators of the team,

- the lighting, to have fewer reflections on the CRTs,

- the wall mimic (visibility and information),

- the alarm dialogue (different groups of alarms),

- each image has been improved, on average, twice,

- the procedure dialogue.

All these improvements have been incorporated in the N4 project and in the S3C control room.

5. CONCLUSIONS

The control room of the future N4 PWR power plant is a new design. It required, and still requires of Electricité de France, a very considerable engineering effort:

- a technical and ergonomic validation, carried out thanks to the building of an engineering simulator (S3C), was conducted from 1983. This simulator represents an investment of $30 million and 200 engineer-years. This validation led to improvements in the control room organization design and in the man-machine interface: in particular it enabled precise rules concerning image design, procedures and processing of alarms to be drawn up.

- these rules were passed on to the various designers of the N4 power plant who are in charge of the engineering and design of images.

- a review team (of 7 specialists) has been set up in order to check the application of these rules by the design teams and the homogeneity of the processing procedures.

These figures show that it is only as a result of a very great engineering effort that a computerized control room can improve the operation of a nuclear power plant.


CONTROL ROOM SYSTEMS UPGRADES FOR OPERATING NUCLEAR POWER PLANTS

J.A. NASER, B.K.H. SUN
Nuclear Power Division,
Electric Power Research Institute,
Palo Alto, California, United States of America

Abstract

EPRI's Integrated Instrumentation and Control (I&C) Upgrade Initiative is designed to help utilities upgrade the I&C systems in their plants. These include control room systems. Integration is a key word in the Initiative. The objective of integrating plant systems and information is to improve plant availability, to reduce operations and maintenance costs, to reduce safety challenges and to improve performance with existing and new systems. The plant communications and computing architecture provides the infrastructure to support the integration of I&C systems, facilitate common interfaces between the human and the machine, and reduce unnecessary duplication of function and information. EPRI is developing a generic methodology, utilizing open system concepts, to help the utilities to define this architecture for their plant. This methodology is being tested at demonstration plants with feedback being obtained to improve the methodology. An activities centered integrated work station is also being developed by EPRI to act as the interface between the human and the integrated I&C systems. A reactor water cleanup system is under development to demonstrate monitoring and control from a CRT.

1. INTRODUCTION

In recent years, the requirements on operations, maintenance and engineering personnel to improve availability and reliability and reduce safety challenges to the plant have increased. These personnel are working with more complex systems, and responding to increasing operational, regulatory and productivity demands. As tasks become more complex, involving large numbers of subsystem interrelationships, there are more risks and chances for human errors. Therefore, reliable, integrated information is a critical element for protecting the utility's capital investment and increasing availability and reliability. Integrated systems with integrated information can perform more effectively to increase productivity and enhance safety. Traditionally, systems have been implemented in a stand-alone manner, which has resulted in increased operations and maintenance costs. With appropriately implemented digital techniques, humans can be augmented substantially in their capacity to monitor, process, interpret, and apply information, thus reducing errors in all stages of information processing.

Operational, diagnostic and monitoring errors have all occurred in power plants, causing reductions in availability and substantial cost consequences. Plant safety has been challenged due to misinterpretations of data and incorrect assumptions of plant state. The event at Three Mile Island is an example of this. Since this event, a number of diagnostic and decision aids have been implemented, such as safety parameter displays, boiling curve displays or tables, and emergency operating procedure flow charts. These have all been useful in assisting humans in making their decisions.

Instrumentation and Control (I&C) systems, including control room systems, in nuclear power plants need to be upgraded to replace obsolete equipment, to reduce operation and maintenance costs, and to improve plant performance. The primary impetus, however, for the replacement of the I&C systems in nuclear power plants in the United States is the obsolescence of the existing hardware. The majority of nuclear plants in the United States are operating with hardware that is no longer fully supported by the original equipment manufacturer. Thus the procurement of replacement modules and spares under current requirements is costly, time consuming and in some cases not even possible.

2. INTEGRATED INSTRUMENTATION AND CONTROL UPGRADE PLAN

The Electric Power Research Institute (EPRI) Instrumentation and Control Upgrade Initiative is designed to help utilities upgrade the I&C systems in their plants. The goal of this initiative is "Develop the methodology applicable to each reactor vendor type plant to implement an integrated instrumentation and control (I&C) upgrade plan. Demonstrate the methodology through utility application to at least ten key systems by the year 2000 to achieve enhanced safety, reduction in operating and maintenance costs, increased plant performance and reduced vulnerability to I&C obsolescence." To support this goal, there are seven technical elements. These are Man-Machine Support Systems, Communications, Software Verification and Validation, Instrumentation, Control and Protection, Maintenance, and Standards and Specifications. The major role that the first two of these elements play in the control room will be discussed here.

Integration is a key word in the EPRI Upgrade Initiative. First, there is the integrated upgrade plan, which looks at the entire plant and plans all of the upgrades in an integrated manner. Second is the integration of the plant systems and information to enhance cooperation between systems and to reduce unnecessary duplication of functions and information. The objectives of integrating plant systems and information are to improve plant availability and reliability, to reduce operations and maintenance costs, to reduce safety challenges, and to improve performance with existing and new equipment systems. The plant communications and computing architecture of the Communications element supplies the infrastructure which allows the integration of systems and information. This architecture will support the inter-operability of systems and the interchangeability of equipment. It will also be designed to be easily expandable. Figure 1 gives a representation of these capabilities and figure 2 gives a simplified architecture. The activities centered integrated work station of the Man-Machine Support Systems allows the human to interface with the integrated plant systems and supplies a platform for human aids. The work station design needs to support modular implementation of the work station capabilities and interfaces, as demonstrated in figure 3. As the integrated I&C upgrade plan proceeds, the integrated control work station will be capable of migrating towards a CRT-based control room for operator monitoring and control.

3. PLANT COMMUNICATIONS AND COMPUTING ARCHITECTURE

3.1. General Consideration

The plant communications and computing architecture activities support the control room systems upgrades directly by providing the mechanism for integrating instrumentation and control systems, for providing access to all of the plant's information sources, and for facilitating common interfaces between the human and the machine. An essential part of providing the mechanism for integration in the plant's instrumentation and control upgrade program is the establishment of a long-term strategic plan that will guide the evolution of the plant communications and computing architecture as system upgrades are performed. EPRI is developing a generic methodology for the creation of Plant Communications and Computing Architecture Plans, which will define the requirements for the plants. EPRI is currently working with three nuclear utility demonstration plants to help them develop their own Plant Communications and Computing Architecture Plans. Feedback from these and other demonstration plants will be used to improve the methodology, which can then be utilized by all utilities.

After this methodology has been completed, utilities will be provided with road maps and guides to develop a Plant Communications and Computing Architecture Plan based on an open systems concept. The structure and protocols of the networking service layers for an open systems concept have been defined by the EPRI Utility Communication Architecture (UCA) project. The Plant Communications and Computing Architecture Plan will help the utility to implement a plant communications and computing architecture where:

- Each upgraded I&C system will be able to communicate with other internal and external systems.

- The man-machine interface of each upgraded I&C system will be consistent in look and feel with other upgraded I&C systems.


FIG. 1. (Image not reproduced; no caption in the source.)


FIG. 2. Nuclear power plant open architecture (image not reproduced; recoverable labels: EOF, control room and technical support center CRT work stations; redundant high speed communication lines; process computer I/O; FDDI networks; safety systems A, B, C and D; non safety grade control system; component control; DPS = Distributed Processing System).


FIG. 3. (Image not reproduced; recoverable labels: Operations, Maintenance.)


- Future migration to new hardware or technology will be accomplished without excessive down time or a major conversion effort.

- Each upgraded I&C system will be maintained at a more reasonable cost.

- Information and functionality will not be unnecessarily duplicated.

- Inefficient or incompatible existing network protocols will be phased out.

3.2. Challenges to Plant Communications

Many operating nuclear power plants have upgraded their I&C systems through like-for-like replacement rather than overall system planning. That is, each I&C system was looked on as a separate problem, without analyzing the interactions of adjacent and interrelated I&C or other plant systems. Problems resulting from the evolution of non-integrated I&C systems are having a serious effect on the performance, connectivity, and maintainability of these systems, as well as causing duplication of effort. Today, many nuclear power plants are suffering from one or more of the following problems:

Isolated Islands of Computing - The existence of isolated islands of computing is one of the major problems in plants where the architecture has evolved rather than been systematically planned. These islands are systems and computers that currently do not have communications with other facility systems and computers. These systems and computers were typically implemented as stand-alone projects. During the project analysis and implementation phases, communications with other systems were either not considered, not required, or the implementation would have been too costly.

There is a need for these systems to participate in a facility-wide network. The reason for this participation may be to extract information that is necessary for reporting, to provide the system with information that was previously entered manually, to allow the system to be monitored remotely, or to allow systems to cooperate with each other. If the system is placed on the plant network in an ad hoc fashion, additional problems may arise. The Plant Communications and Computing Architecture Plan will provide the guidelines and procedures for determining the most effective network communication hardware and software to connect these isolated islands into the overall plant communication network.

Inefficient and Incompatible Network Protocols - When large numbers of heterogeneous systems are networked together, those implementing the network usually select the network protocol that is easiest or most cost effective on these individual systems without considering the overall plant activities. In plant architectures that have evolved, usually pairs of systems and computers were linked together, then those pairs were linked to another pair, and so on. This arrangement resulted in many small networks. Typically, there are several transmission media and network protocols in use. This requires that the implementers retrofit a number of the systems with a common transmission medium and protocol, or that numerous routers and gateways be installed to convert the protocols. The Plant Communications and Computing Architecture Plan contains network guidelines which allow the utility to establish the acceptable transmission media and network protocols that will be supported within the plant. Doing this significantly simplifies the integration of new or replacement systems.

Saturated Networks - A saturated network is usually indicative of a network that has evolved. In many saturated networks, the problem is not that the network bandwidth is not sufficient for the amount of information that is required, although it may be, but rather the amount of information that is being placed on the network is often greater than the actual needs of the plant. There are two reasons for this. First, the network architecture is relatively flat. Each system places all of its communications traffic on the network. There is no hierarchy to filter the necessary information for the next level. The Plant Communications and Computing Architecture Plan defines the network hierarchy and establishes criteria for the upward and downward communications requirements. Second, the network was implemented inefficiently. The computer systems were added to the network without regard to isolation of local traffic. A system architecture plan allows the definition of the communications needs of the system so that traffic on the network can be localized with the correct placement of bridges and gateways. This arrangement limits the overall amount of traffic on a large part of the network.

In addition, the incorrect network technology may have been implemented. In the selection and implementation of many networks, the designers relied mostly on the manufacturer's specifications and recommendations. Often the theoretical maximums concerning bandwidth were used. In reality, however, theoretical bandwidths are rarely achieved.

Duplication of Information and Functionality - In networks that have evolved, there tends to be a great deal of duplication of functionality and information as monolithic systems and subnets are brought into the network. The reason for this redundancy is that, before networking, the information required by multiple systems had to be generated on each local system. Unfortunately, even in a networked system the same duplication occurs. As systems are implemented without a set of guidelines and direction, the designers often do not recognize that they are duplicating the functionality and information of another system in the network. The Plant Communications and Computing Architecture Plan will provide guidelines and procedures for analyzing and eliminating unnecessary duplication of information and functionality.

Inconsistent Man-Machine Interfaces - Inconsistent man-machine interfaces (MMI) have resulted in training problems, overly complex operator tasks, operator fatigue, and operator errors. In most plants there are several different man-machine interfaces. While it is probably not desirable to dictate a single MMI for all systems, it is desirable to specify a set of guidelines that allows the utility to define acceptable MMIs for specific types of systems. This is especially true in areas that are involved with critical operations. The standardization of the MMI appearance could significantly reduce the probability of human error in dealing with these systems. The Plant Communications and Computing Architecture Plan will provide the MMI guidelines.

Maintenance Problems - There are two basic types of maintenance problems that necessitate updating an I&C system. One is the difficulty of maintaining spare parts inventories or the difficulty of getting replacement parts for so many different systems, some of which are becoming obsolete. The second problem is the difficulty for the maintenance force to service different kinds of systems. In both cases reliability is affected, maintenance costs increase, and down times lengthen. These problems are aggravated by a lack of plant standards for system equipment and computer hardware and operating system platforms.

Different Computer Platforms and Equipment - In plants where no architecture plan exists, when a systems upgrade takes place, the cognizant engineer usually chooses the system equipment or computer platform and operating system that the application software will run on without systematic consideration of connectivity, standard MMI, maintenance costs, and spare parts availability. The Plant Communications and Computing Architecture Plan will help the utilities to ensure that all system requirements are considered and the appropriate platforms and operating systems are selected.


Inability to Migrate to New Computer Platforms - When new hardware is needed, it may be difficult and expensive to migrate software applications from one computer platform to another. While it is impossible to foresee all of the technological improvements that will take place, the Plant Communications and Computing Architecture Plan will provide guidance to help facilitate software portability. An open system that has widespread support is one of several aspects of the solution that the Plant Communications and Computing Architecture Plan will consider. If the appropriate open system is chosen, the dependency on individual computer hardware vendors becomes less. This will support interchangeability of equipment.

3.3. Utility Solutions to the Challenges

In order to minimize these problems and maximize the return on investments in their I&C systems, utilities need to carefully plan the upgrading of these systems by developing their own Plant Communications and Computing Architecture Plan. Once this plan has been completed, they will be able to implement integrated I&C systems which will help to extend plant life, improve efficiency, reduce maintenance costs, reduce operator errors, and improve safety. In addition, the Plant Communications and Computing Architecture Plan will provide an overview of what the plant architecture is like today, what it is envisioned to look like in the future, and a migration plan for getting there.

EPRI has undertaken four major activities related to the plant communications and computing architecture. The first is to define what a plant communications and computing architecture plan should contain, the second is to develop a generic methodology for the creation of plant communications and computing architecture plans, the third is to work with lead demonstration plants to help them develop their plant communications and computing architecture plans, and the fourth is to develop an architecture simulation capability.

The Plant Communications and Computing Architecture Plan is a strategic plan that defines what a utility's plant communications and computing architecture will look like throughout the upgrade plan duration. The goal of developing the Plant Communications and Computing Architecture Plan methodology is to provide the utilities with a detailed set of guidelines for preparing a Plant Communications and Computing Architecture Plan based on open system approaches that will allow them to upgrade their I&C systems in a logical, cost-effective, and non-disruptive fashion. The architecture will then support the integration and information flow for control room systems.

The plant communications and computing architecture will also support proprietary standards. Although the desire is to have a completely open system to guarantee inter-operability of systems and interchangeability of equipment, the practicality of upgrading plants in the United States may not allow a totally open system architecture. Since all I&C systems in the plant will not be replaced at once, the communications and computing architecture must support the existing systems as well as the new ones. This means that the architecture will have to support both open and proprietary protocols. The goal will be to have all new systems comply with open systems standards so that over time the plant will become more and more open system compliant. It should be recognized that there are some proprietary systems which may not need to be replaced in the remaining lifetime of the plant. Likewise, there are analog systems in the plant which will never be converted to digital systems. Therefore the communications and computing architecture must support analog-digital interactions.

EPRI is using plants with the different NSSS types as test sites to demonstrate the Plant Communications and Computing Architecture Plan Methodology. These demonstration plants will serve to exercise the Methodology, so when it is ready for release, it will be well designed and tested. EPRI has begun work to help each of these plants develop their Plant Communications and Computing Architecture Plans. As work continues with these test sites, the methodology will continue to be refined and improved. Each of these plants has stated that one of their top priorities is to get this strategic plan in place as quickly as possible. By developing their own Plant Communications and Computing Architecture Plan in an organized fashion, they expect to achieve significant savings throughout the process of replacing their I&C systems.

The architecture simulation capability is being developed to provide utilities with a software-based approach to test the architecture designs before implementation. The implementation of a plant architecture can be very costly. Therefore, it is important that the architecture implemented will support the plant's needs under all conditions. EPRI has started the development of the design of a software-based architecture simulator. This simulator will allow potential architecture designs to be modeled. These models can then be tested under a variety of plant and information flow conditions to assure that the performance can be achieved as desired. The simulator will also provide a vehicle for testing modifications to the architecture and new systems being implemented. This capability will discover architecture problems and facilitate fixing them before costly implementation expenditures.

4. ACTIVITIES CENTERED INTEGRATED WORK STATION

4.1. Objectives

The objectives of the activities centered integrated work station are (1) to reduce the safety challenges to the plant by presenting more complete, integrated and reliable information to plant staff to better cope with operating and emergency conditions; (2) to increase productivity by eliminating routine manpower-intensive efforts such as recording, integrating and evaluating data and by developing tools to assist in performing monitoring and control activities; (3) to improve consistency and completeness of decision-making activities by developing diagnostic and decision aids; (4) to improve information availability so that it is readily obtainable and in the proper form for all groups requiring it and (5) to make the integration of new systems into the control room easier and more economical without taking up more of the limited amount of control board space.

The activities centered integrated work station is designed to make necessary data readily available in the format desired by the user and to simplify the monitoring and control activities. The work station will support the operations staff with normal, abnormal, and emergency operating procedures as well as alarm handling and alarm procedures. It is also a platform for the integration of diagnostic and decision aids. The work station will allow systems to be easily added, changed, and integrated rather than having to add new display units and controls.

4.2. Research and Development

Digital technology offers promise for achieving an activities centered integrated work station; however, success in developing this work station represents a significant challenge to the interface designer. These designers, with substantial input from the users and human engineering concepts, will decide the type and form of process information required for monitoring plant responses and as input to manual control actions. Support for these key interface design decisions requires that current research programs be expanded to build on the existing technical base and to generate new information unique to digital systems.

Comprehensive testing and self-testing features, more reliable system components, more monitoring information, and simpler designs which are possible through the use of digital technology will improve system reliability. Supplying more comprehensive, integrated information to the plant operations, maintenance and engineering staffs can help improve their performance with existing and new equipment and systems. The activities centered integrated work station must have a design with associated communication links which permit the utilities to add new systems and aids, based on their specific needs.

The activities centered integrated work station will have on-line access to plant data for use by operations, engineering and maintenance staffs. The work station will allow direct monitoring and control of the plant. The work station will be designed to allow a wide variety of advisory and other application systems to be co-resident on it. It will be able to communicate as desired with other computers throughout the plant.

The design for an activities centered integrated work station is being developed. This design needs to be able to support additional plant systems which are modified or added when desired by the utility. It will also be able to support diagnostic and decision aids as they are desired by the utility. The design will be flexible enough to support any combination of systems and aids.

In parallel with the design work is the development and testing of the required capabilities to allow direct, real-time plant control from the work station in a nuclear plant. These control capabilities will be able to perform both critical and noncritical system control activities. The requirement for real-time control with high reliability will dictate the needs on both the software and hardware of the activities centered integrated work station. Displays for monitoring and control activities will be developed with input from plant operators. As a starting point, software-based controls are being developed for both automatic and manual control for the reactor water cleanup system in a boiling water reactor. The reactor water cleanup system will be tested in an integrated environment for monitoring and control.

After the design and control capabilities are done, a prototype of the integrated control work station will be developed. This activities centered integrated work station prototype will be tested on a plant simulator or special control room testing facilities. Potentially, one or more existing diagnostic and decision aids may be implemented on the work station and tested to demonstrate the work station's ability to integrate them. Examples of existing diagnostic and decision aids developed by EPRI are the Emergency Operating Procedures Tracking System and the Alarm Processing and Diagnostic System.

5. CONCLUSIONS

The integration of I&C systems in general and control room systems in particular enhances the nuclear power plant goals of improved availability and reliability, enhanced safety, reduced operations and maintenance costs, and improved productivity. Two major aspects which support this integration are discussed in this paper. The first is the plant communications and computing architecture which provides the infrastructure which allows the integration. Open systems concepts are utilized to guarantee interoperability of systems and interchangeability of equipment. The second is the activities centered integrated work station which supplies the interface between the human and the plant systems. It implements common man-machine interfaces and supports the implementation of diagnostics and decision aids. Work in both of these areas as described in this paper is being done as part of the EPRI and Utility Instrumentation and Control Upgrade Program.


CONTROL ROOM SYSTEM EVALUATION OF OUTAGE
Some notes on methods

C. ROLLENHAGEN, L. JACOBSSON
VATTENFALL AB,
Safety and Technology,
Human Factors Group,
Vällingby, Sweden

Abstract

The present paper discusses some experiences made in the process of evaluating control room system function during outage in nuclear power plants. It is recommended that a control room evaluation project should focus on both problem identification and problem solving. For the phase of problem solving, a technique called system groups is discussed. The method suggests that problem solving within the organization can be used within a group setting and that a wide variety of functions should be represented in the group. It is concluded that this method seems well suited to promote problem solving and that communication between different groups, risk awareness and management support are enhanced in system groups.

1. INTRODUCTION

Due to operational experiences, technical advances, regulatory demands etc., control room systems are in constant evolution over time. Such changes may be associated with many factors such as instrumentation, procedures, work habits and work organization. Even small changes in one factor may affect the control system as a whole, so it is essential that changes are documented and evaluated.

The purpose of this paper is to discuss some experiences about how to perform control room system evaluations of existing systems. In particular the interest will be focused on the control room during outage.

Vattenfall in Sweden has recently conducted two evaluations of control room functions in NPPs during outage. A major reason to focus on outage is that this operational mode has been found to be critical for safety. Outage presents rather high work demands for the operators in the control room as well as for other personnel at the plant. Consequently, it is essential to know about these demands and to suggest and implement support functions and other improvements for the operators. Unfortunately, many existing evaluations of control room systems have tended to neglect outage as an operational mode which presents particular problems related to the control room system. In particular, outage represents an operational mode in which it is essential to analyze the whole system instead of focusing on isolated items in the control room.

The forthcoming discussion is presented on a rather general level and will be focused on method. The reader is however invited to contact the authors for questions regarding any additional details and data regarding specific results of the projects discussed here. It should also be mentioned that although the projects discussed were focused on outage, most of the methodological concerns are general in the sense that they are applicable for analysis of all operational modes.

2. METHODS

There are many ways to evaluate existing control room systems, such as:

Task analysis
Root cause analysis of human errors
Questionnaires and interviews
Check-lists and standards
Simulator experiments and experiences
Problem solving groups


Depending on the purpose of the evaluation different methods are chosen. In general, however, a combination of methods is to be preferred. There exists a rather rich body of literature with respect to control room evaluations, particularly in the fields of task analysis and check-lists based on standards. It shall be noted, however, that the literature is rather scant with respect to the use of group discussions (problem solving groups) as a tool to evaluate control room systems, so the remainder of this paper will particularly stress this method as a fruitful tool to investigate control room system functions.

3. EXPERIENCES FROM TWO EVALUATIONS

As was already mentioned in the introduction, Vattenfall has recently conducted two evaluations of the control room system during outage. These two projects share some important methodological aspects.

First, much effort has been invested not only in the problem identification phase but also in the problem solving phase. The reason for this is simply that an evaluation can be used as a basis for concrete improvements. In our experience, some evaluations tend only to focus on problem identification and invest less effort in the problem solving phase of the evaluation project.

Secondly, in both projects we have found that it is necessary to work with a strong user participation strategy throughout the whole project. This is of course rather self-evident in the problem identification phase. However, our experience shows that also in the problem solving phase strong user participation is very important.

A third common factor for both projects has been to strive for strong manager support from the start of the project.

3.1. Problem identification

As we see it, the term "evaluation" associated with control room system evaluation should involve two basic steps. First, the problems must be recognized and evaluated. Secondly, improvements should be suggested, evaluated and implemented. In both phases a strong commitment and participation of "users" is essential in order to obtain realistic data and results. Thus a simplified "expert-model" of evaluation where one or several human factor experts work rather detached from the "users" may not work so efficiently.

The identification of problems should focus on the whole control room system including the ones listed below:

interface design/equipment condition
operator performance and performance shaping factors
procedures
environmental conditions
communication
work schedules
work practices
work organization/planning
supervisory methods
training
change management
resource management

Human factor handbooks and other documents, for instance the HPES coordinator manual, can provide basic categories for those important features that one should study in the problem identification phase. It is important in this phase that one is rather broad with respect to factors that should be studied.


From the list presented above it can be seen that interface design only presents one among several important factors for control room system functions.

3.1.1. Use of questionnaires and interviews

In both projects, questionnaires were given to the operators. These questionnaires were intended to screen some of the major problems that were encountered during outage from the control room's point of view. The results were given back to the operators and also served as a basis for in-depth interviews. This is an important phase in all evaluation projects of this type: the users must have rather quick feed-back of results to ensure strong motivation for later phases in the project.

3.2. Problem solving phase

The output from the problem identification phase is basically a list of problems encountered. These lists may be long and it is therefore necessary to assign priorities to the individual problems. There is also a need to cluster problems to form groups of "higher order" problem domains.

3.2.1. System groups as a basic tool

In order to use the results found in the problem identification phase both projects made use of the so called system group technique for problem solving. The basis of this technique is to use a group setting for generation and evaluation of ideas.

The concept of "system group" comes from the particular formation of the groups which are used [1, 2]. A basic idea in this technique is that the members of the group should represent, as far as possible, those members of the organization that together constitute the system of interest. For instance, if focus is on outage the following functions should be represented:

Operators in the control room
Maintenance people
Instrumentation personnel
Electricians
Planning function
Managers

By having the important functions represented as members in the system group a "micro-model" of the system is created. This model constitutes a temporary flat organizational structure which can be used to simulate suggested solutions and to screen additional problems through group discussions. The system group has a strong benefit in that it removes organizational barriers. Thus different people can realize that their behaviour and strategies have effects on other functions in the system. Often organizational barriers do in fact hinder communication between functions that ought to communicate to a larger extent than they do. Another most important function of a system group is that manager representation promotes information flow to the top levels of the organization. When managers participate in a system group it also seems that they take a strong commitment in what the group produces.

In both projects the efficiency of the system group philosophy became apparent already at the start of the group discussions. Many of the people representing different functions were surprised to hear that their acts actually had influence on the performance of other groups. In some cases the persons really heard for the first time that what they themselves considered as a minor problem actually was a big problem for another function. Very simplified, the system group performs the following tasks:

discussion of the problems identified in the first phase
selection of a restricted set of problems to be solved
generation of ideas (much like a brain storming session)
selection of those ideas that seem relevant and realistic
assignment of responsibilities for follow up and implementation
presentation of results to managers

In one of the projects more than 100 ideas were generated in the system group. Of these about 30 were found to be of such a kind that they were really easy to implement without extensive costs in time and money.

4. CONCLUSIONS

In the projects described above the following conclusions seem especially important:

many of the problems identified were seen as "minor" if regarded as isolated problems. However, seen as a sum of problems it became evident that it is not until one sees the problem in its context that one can really assess the significance of the problems. Minor problems are often neglected because they are seen as isolated from a major context;

the group setting was particularly useful to both describe and suggest improvements. The importance of the system group concept was clearly seen in that different functions of the plant could exchange ideas and perspectives. The system group helps to form many new contacts in the organization, especially among groups that had no or very few formal communication channels. Our impression is also that people had the opportunity to see their work from other perspectives than their own;

it was essential that the evaluation had support both from the operators and other persons involved as well as from the managers. This factor is very important and the system group represents a good opportunity to model the overall system in question which promotes support from many organizational levels;

the group setting also increases risk awareness in the organization by focusing on the links between different functions and risk situations in a particular operational mode (i.e. outage in this case).

As an overall conclusion, we strongly favour an evaluation approach in which problem identification and problem solution is a connected process. The system group concept seems particularly useful in order to suggest improvements, open up new channels of communication, increase risk awareness, and to create management support.

REFERENCES

[1] ANDERSSON, E.R. The use of system groups in product development - an experiment from the perspective of ergonomics. Doctoral thesis. Royal Institute of Technology. Report no. Trita AVE 0001, Stockholm (1988).

[2] JACOBSSON, L. and HENRIKSSON, M. Erfarenhetsgrupper - for säkerhetsutveckling i kärnkraftindustrin. (Experience feedback groups - a tool for enhanced safety in nuclear power). [Paper presented at The Nordic Ergonomic Society Annual Meeting, Lillehammer, Norway, (1992)].


IAEA ACTIVITY ON OPERATOR SUPPORT SYSTEMS IN NUCLEAR POWER PLANTS

V. DOUNAEV
Consyst Company Ltd,
Moscow, Russian Federation

Y. FUJITA
Control Board and Plant Computer Engineering Team,
Mitsubishi Atomic Power Industries Incorporated,
Tokyo, Japan

K. JUSLIN
Technical Research Centre of Finland,
Espoo, Finland

K. HAUGSET
OECD Halden Reactor Project,
Institut für Energiteknikk,
Halden, Norway

A. KOSSILOV
International Atomic Energy Agency,
Vienna, Austria

I. LUX
KFKI Atomic Research Institute,
Budapest, Hungary

J. NASER
Electric Power Research Institute,
Palo Alto, California, United States of America

Abstract

Various operator support systems (OSSs) for nuclear power plants are already operational or under development in the Member States. OSSs are based on intelligent data processing and in addition to plant operation, they are becoming more important also for safety. A key feature of OSSs is their ability to structure data to increase its relevance to a given situation. This can improve the user's ability to identify plant function, systems and component state and to identify and diagnose faults. OSSs can also assist the user to plan and implement corrective actions to improve NPP availability and safety. In September 1991, the IAEA Committee for Contractual Scientific Services approved the Co-ordinated Research Programme (CRP) on "Operator Support Systems in Nuclear Power Plants" in the framework of the Project "Man-Machine Interface Studies". The main objective of the programme is to provide guidance and technology transfer in the development and implementation of OSSs, including the experience with man-machine interface and closely related issues such as instrumentation and control, the use of computers, and operator qualification.

1. INTRODUCTION

An international organization is in an ideal position for creating a framework which is instrumental in the exchange of knowledge and experience. The role of the IAEA in collecting, systemizing, and developing scattered knowledge and experience has been recognized since its inception.

Following recommendations made at the Specialists' Meetings in Helsinki ("Artificial Intelligence in NPPs", October 10-12, 1989) and Lyon ("Communication and Data Transfer in NPPs", April 24-26, 1990) the International Working Group on Nuclear Power Plant Control and Instrumentation (IWG-NPPCI) suggested the organization of a CRP on "Operator Support Systems in Nuclear Power Plants".

It was suggested by the IWG-NPPCI that the proposed CRP should focus its efforts on various aspects of who the users of OSSs are, what their needs are, and what the benefits of Operator Support Systems would be. In September 1991, the IAEA Committee for Contractual Scientific Services approved the programme in the framework of the "Man-Machine Interface Studies" project.

The main objective of this programme is to provide systematic guidance and information on man-machine interfaces and closely-related issues including control and instrumentation, the use of computers, and operator qualification. An essential part of this objective is to exchange experiences in these areas between co-operating organizations.

2. SCIENTIFIC BACKGROUND

Motivation

In the last twenty-five years, the size and complexity of nuclear power plants have increased significantly. In addition, the requirements on operations, maintenance, engineering and management personnel to improve availability and reliability, and to reduce safety challenges to the plant, have increased. These personnel are working with more complex systems, and responding to increasing operational, financial and regulatory demands. As tasks become more complex, involving large numbers of subsystem interrelationships and large amounts of data, the likelihood of potential errors and their detrimental consequences may increase. Reliable, integrated Operator Support Systems can play a critical role in increasing availability and reliability, in reducing operation and maintenance costs, and in protecting the utility's capital investment.

The technological advances of the last few years have made it possible to develop sophisticated operator support systems which can not only process and present information but can also give advice to the operator. With appropriately implemented Operator Support Systems, humans can be augmented substantially in their capacity to monitor, process, interpret and apply information, thus reducing errors and increasing reliability and availability. These operator support systems can increase productivity by eliminating routine human-power-intensive efforts such as recording, collecting, integrating and evaluating data, and by assisting in monitoring and control activities. They can improve consistency and completeness of decision-making activities by performing the role of diagnostic and decision advisors. Operator Support Systems can assist in reducing safety challenges to the plant by presenting more complete, integrated and reliable information to plant staff to better cope with operating and emergency conditions. Reducing safety challenges leads directly to improved reliability and availability and hence productivity. An additional advantage of Operator Support Systems is that they can, and should, be tailored to the specific needs of the user.

Problems experienced and what has been done

Operational, diagnostic, monitoring and maintenance errors have all occurred in power plants, causing reductions in availability and substantial financial consequences. The event at Three Mile Island is an extreme example of this. Since this event, a number of operator support systems have been implemented to assist in the control room, such as critical parameter displays, boiling curve displays and tables, and emergency operating procedure flow charts. These operator support systems have demonstrated their ability to assist humans in making their decisions and increasing the availability of the power plant.

In the maintenance area, Operator Support Systems have been developed to reduce equipment failures such as sensors out of calibration, emergency diesel generator faults, and pump degradation. These operator support systems allow faster fault detection and diagnosis, and give the capability to know when to perform predictive maintenance on plant equipment. Predictive maintenance and faster fault detection and diagnosis can reduce the plant down time and repair costs.

In the engineering area, Operator Support Systems have been developed to assist in many areas which are either difficult or time consuming. Some examples are refuelling planning systems, design aiding tools, and root cause advisors.

Finally, in the management area, Operator Support Systems have been developed to assist in planning and decision making. Examples are maintenance planning advisors and cost effective plant operation decision aids.

Future directions

Advances in technology and human engineering offer the promise of helping nuclear power plant staff to reduce errors, improve productivity and reduce the risk to plant and personnel. A plant-wide infrastructure for coordinated Operator Support Systems will be created. This infrastructure will include information communication capabilities, database and knowledge base managers, and a unified human-machine interface. This infrastructure will permit incremental additions of operator support systems in all domains.

Eventually operator support systems will be developed to assist humans in all areas where the systems can demonstrate usefulness to the human. Guidance and tools for developing and implementing these operator support systems will be created. These operator support systems will be implemented both in new plants and as retrofit upgrades to existing plants.

3. PROGRAMME GOALS

The major goal of the IAEA Coordinated Research Programme on Operator Support Systems in Nuclear Power Plants is to supply guidance and technology transfer in the development and implementation of operator support systems. Several subgoals have been identified to accomplish the first steps necessary to achieve this overall goal. They are to:

Determine the current status of Operator Support Systems and their availability

Assess Member States' experience with OSSs

Determine plant activities which can benefit from operator support systems

Identify needed operator support systems and classify them in terms of type, user and criticality

Evaluate the consequences of "soft automation" which occurs with some types of Operator Support Systems

Develop recommendations on how to implement Operator Support Systems in nuclear power plants from both the technological and human factors aspects

Develop requirements for methods to evaluate the usefulness of Operator Support Systems to the user

Develop requirements for methods to perform cost/benefit analyses to help justify Operator Support Systems

Perform a review of current practices for qualification, verification, and validation of Operator Support Systems.

4. SCOPE OF WORK

The scope of work for this programme has been divided into five areas. The tasks in these five areas are designed to achieve the goals mentioned above. The following is a detailed description of all these tasks which support the goals of this programme.

Operator support systems' current status and experience

Various OSS are already operational or under development in different countries. An essential consideration in OSS development is the integration with other instrumentation and control (I&C) systems, where a serious lack of proven methods and practical international standards still exists.

Existing experience in the development and implementation of OSS gives the possibility to evaluate the achieved results, implementation tasks and difficulties, and to define the requirements of OSS to assist power plant personnel. The following activities are needed to achieve this information. The physical and mental tasks to be performed by the operator need to be defined to determine what activities are potentials for OSS. Areas of operation that are difficult or routine for human operators, both in operational maneuvers and in comprehending and planning, should be identified. These are areas which are prime candidates for OSS development. An understanding of existing OSS functions and how well they have been utilized can yield important lessons for future implementation activities. An accumulation of a list of operator errors and plant departures from optimum performance will also present potential areas for future OSS. These activities will help identify the areas of use for OSS capabilities.

Identification and classification of operator support systems

The problems of terminology and classification are extremely important for all technical areas. Solving these problems allows the implementation of a systematic approach in the design of integrated operator support systems. Initial practice in this area by UNIPEDE and the Halden Project can be a basis for the classification of OSS. This classification will be useful for designers as well as for licensing organizations.

So far, the OSS which have been developed have not been classified as safety systems or safety-related systems requiring a formal licensing procedure. However, there are signs that some OSS applications might be in these areas in the near future. Therefore, it is essential to identify and correctly classify these systems and to consider the potential licensing ramifications of them.

An important effort in the identification of operator support systems is the development of functional tasks performed by operators and the determination of where operator support systems can contribute to these tasks in a useful manner. This can be achieved by looking at the operational, maintenance, engineering and management activities in a nuclear power plant. These activities can then be evaluated to determine which could benefit from the utilization of operator support systems. Associated with this effort, it is also important to understand the relationships between the responsibilities of the operator and the operator support systems.

In this connection it is important to consider the following problems. Information which would allow the matching of OSS with operator/operational needs must be obtained. It is important to define who is the operator and what is an appropriate OSS. A foundation based in plant activities to classify OSS should be established. An essential aspect for the success of operator support systems is the determination of a method for classifying the relationship between the operator's responsibility and the OSS's responsibility. Determining the operational degrees of freedom (how much control and responsibility an operator really has, and should have) leads to what roles the OSS can play in the power plant. To support implementation of OSS it is important to develop a classification scheme for OSS functions.

Human aspects of introducing operator support systems

The availability of advisory systems to the operator is changing the basis for making decisions and performing actions. It is essential that the OSS does not limit the operator's ability to use his own creativity and knowledge when faced with problem solving tasks. Rather, the OSS should support him in using his knowledge and also in extending it. The success or failure of this depends very much on the way the OSS is designed, and the background the operator has in utilizing this technology. The specific items to be treated are described below.

When designing the OSS, it is important to ensure that it, in practice, gives the intended support and is accepted by the operator. One way of coping with this is by involving the user at an early phase of OSS development. Should this be done at the time of OSS function specification, during the design of the man-machine interface (MMI), or when? Are there many steps in which to involve the user?

Introduction of OSS also changes the type of information available to the operator. The operator may change his role from performing detailed actions like control actions to making more high-level decisions. Will this change the operator's role and also present new requirements to the operator with respect to basic education and training?

Efficient use of OSS can only be made if the operator is familiar with the function of the OSS and its interface to the user. Training in use of the OSS is important, so that the operator can use it in the right situation and in the right manner. Training using a full scope simulator is foreseen, to ensure the operator has these abilities.

Extensive use of OSS may make the operator dependent on the system, and reduce his ability to handle the situation correctly if the OSS is unavailable or gives wrong or incomplete information. Especially in the case of diagnostic systems for the handling of unexpected events, this may have a negative effect on operator performance. The reliance upon OSS may lead to what is called "soft automation". Is this desirable, and what requirements does that put on the OSS quality? Can the OSS be designed so that the operator's ability to handle the situation on his own is not deteriorated, but actually improved?

Technology for implementation

In this section, the programme will be focussed on computerized Operator Support Systems which are expected to constitute the main part of future OSS. With the fast development of computer technology, a main task will be to apply the technology in the correct manner, that is, avoiding technology-driven OSS development and instead doing development based on user needs.

In cases where a large number of OSSs are to be implemented in the control room, special attention must be paid to integration of the OSS, both with respect to software and to designing a unified human-machine interface. As introduction of new OSS normally means that more and new types of information are available, guidance should be given on what information to display and how to display it so that it is useful and does not add a burden to the operator.

Even though new plant designs are being developed where OSS-based control room concepts are presented, OSS will mainly be utilized through a gradual upgrading of existing plants. Special attention must be paid to establishing the infrastructure necessary to successfully implement OSS. Elements in this infrastructure are communication, databases, and knowledge bases. How to assure compatibility between analog and digital equipment is another important issue. Regarding the HMI, the mixed analog/digital control room represents a particular challenge.

Cost/benefit and evaluation

The cost/benefit of an OSS is very difficult to determine before experience with the system has been gained through practical application. Especially systems intended to assist in rare events (disturbances, accidents) are difficult to analyze in this respect. The problem of defining cost/benefit reduces the speed with which OSS are introduced in nuclear plants. What may be done to assist in cost/benefit analysis to change this situation? Which methodologies are currently available to arrive at more accurate cost/benefit data?

One way of quantifying the usefulness of an OSS is to perform a realistic evaluation of the OSS before actual implementation at the plant. Which methodologies are available to do this (experimental, analytical), and which requirements are needed to assure realism of the simulators, test subjects, and design of the evaluation experiments? It is also important to develop credible techniques for evaluating the OSS after implementation.

In the case of computerized OSS which have a relevance to safety, software/hardware verification and validation (V&V) is of particular importance to ensure a sufficient reliability of the OSS. Especially in the case of complex support systems based on knowledge-based techniques, good V&V techniques are not available today. How should V&V be performed to guarantee the required quality of the system, and what limitations are there in the use of the various OSS development methodologies (model-based, knowledge-based, simple logics, software size and complexity) for assisting in the various tasks (safety critical, safety related, not safety related)?

In many countries the utilities and safety authorities do not yet have any well established practice and know-how on qualification of Operator Support Systems. More international cooperation is needed here.

5. RESULTS EXPECTED

This programme will produce several documents and technology transfer meetings. During each year a Coordinated Research Programme meeting will be held to discuss the progress of each organization on the tasks in this programme. A report of each of these meetings summarizing the results will be put together. At the end of the programme a final report will be created describing all of the activities carried out by the co-operating organizations. Depending on the success of this programme and interest in performing more work on Operator Support Systems for plant productivity improvements, it is envisioned that a follow-up programme will be developed.

The intermediary and final reports will give guidance for the development and implementation of operator support systems. The information in the reports will consist of shared knowledge and experience of organizations in several countries. The results of these efforts will benefit all countries in their development and implementation of Operator Support Systems. Obviously, the organizations and countries which need the most help in developing and implementing Operator Support Systems will have the most to gain.

A comprehensive set of national technical reports after each Research Coordination Meeting, as well as summary reports and final technical documents, will be distributed to all participating organizations.

6. DEVELOPMENT OF THE IAEA DATABASE ON OPERATOR SUPPORT SYSTEM

The group taking part in the first CRP regard it necessary to set up a database containing the most pertinent characteristics of the OSSs operating in NPPs worldwide. The main reasons for this decision are the following:

The important field of OSS is changing very rapidly and a database would be the most efficient means of keeping the interested parties well informed. It was recommended that the IAEA should consider assisting in the creation and maintenance of this database;

There is a large amount of activity going on worldwide related to the current topic. It would be more efficient if the different countries and organizations could learn about each other's experiences and take advantage of them when appropriate;

Since the questionnaire will be sent to all countries engaged in NPP activities, the database will represent more complete information about the worldwide status of OSSs at any time than can be supplied by the CRP participants;

Since the implementation of OSSs in NPPs is growing every year and their influence on the operation of the NPP is increasing, it is of primary importance to share the experiences and practices;

Since the contents of the database will be available to everybody in connection with the IAEA, it would promote a more efficient and further exchange of information among the IAEA members.

Besides the general merits of the planned database as above, the potential users of the database are offered the following benefits and advantages:

The database is meant to contain the most detailed and concise information from the widest source of information that has ever been gathered on the operator support systems of NPPs.

Furthermore, as it is expected to be a continuously updated set of data, up-to-date information will be available to all possible areas at any time.

The database will serve as a source of information to

possible users of an OSS

possible developers/vendors of an OSS

authorities

PR officials and public.

As such it may help the mutual understanding of the above parties by offering concise technical contents with well defined terminology and context.

The database is an excellent tool for drawing general conclusions on a worldwide basis concerning specific aspects of the OSSs. With properly defined keys of the database, various features of the existing operator support systems can be collected, compared and/or concluded on. The database will be a unique tool for making statistical analysis of information pertaining to specific characteristics or subsets of the existing OSSs.

Information concerning specific features of the systems (e.g., configuration, number of signals, methods used, or even the invested human power) will help other developers or users in the design and development of a new system.

Comparison of similar systems at various plants may reveal tendencies or systematic differences, the analysis of which may lead to the understanding of the possible future role and development directions of such systems.

Analysis of certain features, components and development methods of the OSSs may contribute to the formulation or refinement of QA, V&V or other authority-set requirements in some of the member states.

Finally, in the most general sense, since the database will be made available to all IAEA members it will contribute to a more efficient exchange of information among the firms, institutions and establishments involved.

Questionnaire on existing operator support systems

An important information basis for the present CRP is the status today on the use of operator support systems. To gather as much information on this topic as efficiently as possible, the decision was made to develop a questionnaire to be sent to organizations engaged in this field. The two main groups addressed by the questionnaire are the developers of OSSs and the users of the system. The same set of questions will be sent to both groups.

The information from the survey is expected to represent an important extension of the information gathered by the CRP members directly from their respective countries.

The questionnaire for the survey on existing operator support systems covers the following areas: organization information, functionality, usage, technical system specification, development process, testing results and use, cost and benefits, training and documentation.

The document was sent out by the IAEA to national representatives who were responsible for further distribution within their own country. The completed questionnaires were returned to the IAEA.

Until now, the information on existing OSSs has been collected by the IAEA from more than 60 enterprises, institutions and utilities. That is why it is necessary to determine the exact contents of the database, including indicators, queries and forms of reports, the working methods for the creation and support of this database, and additional recommendations for the IAEA to enhance the questionnaire for more efficient use of the database by different users.

The proposed structure of the database

The members of the consultancy group analyzed the responses to the questionnaires. It was considered whether the existing data were sufficient and whether new questions should be introduced to complement the collected information. It was found that some questions need additional clarification. After reviewing the questionnaire the following questions were raised, from the point of view of user requirements, designers and technology developers.

Answers to the following questions should be found regarding the functional requirements of OSS:

What do the users of OSS need?

What specific functions are necessary to satisfy the user needs?

What is required by the authorities?

How is the V&V performed?

Who uses the system, how many users, what are their relationships?

What are the appropriate forms of H-M interactions?

What kind of input and output information is needed for the OSS?

Is the OSS accepted by the users? What is desired from the OSS, based on the experience already gained?

From the design and construction point of view the following questions were raised:

Which algorithms or information processing technologies can we utilize to achieve a given functional specification?

What information processing technology is most suitable in each case?

How can the system be integrated with existing I&C or monitoring systems (software or hardware configurations)?

Which languages or shells are suitable?

Regarding the technical development of OSS systems, the following questions were stated:

For what kind of OSS can a given new algorithm or information processing technology be applied?

What kinds of limitations might be imposed and how can these be overcome?

The proposed structure of the database and the additions to the questionnaire were based on the above questions. The names, lengths and types of the data fields in the database were defined.

The structure of the database was also discussed. The division of the OSS database into specific tables was discussed and some primary indicators were prepared (e.g. classification of the systems, functions of the OSS, plant types).

The resulting database structure and the proposed revision of the questionnaire are described in detail in the Appendix.
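To make the proposed structure concrete, the following is an added example (not the report's own database design, nor software produced by the CRP) of how the questionnaire answers could be held in a small relational database: "all that apply" answers such as plant types and classification go into link tables, the questionnaire's field widths (60, 20, 40, 120) are enforced as constraints, the plant-type primary indicator becomes a counting query, and one clean-up review query flags systems declared safety related that report no V&V method. Table and column names, the vv_method column and the sample rows are assumptions/constructed; only Python's standard sqlite3 module is used.

```python
"""Illustrative model of the OSS questionnaire database (added example, not the
IAEA report's design).  Table/column names and sample rows are assumptions; the
field widths (60, 20, 40, 120) follow the questionnaire in the Appendix."""
import sqlite3

# "All that apply" answers live in link tables so one system can carry several values.
SCHEMA = """
CREATE TABLE organization (
    org_id       INTEGER PRIMARY KEY,
    name         TEXT NOT NULL CHECK (length(name) <= 60),
    is_developer TEXT NOT NULL CHECK (is_developer IN ('Y', 'N')),
    is_user      TEXT NOT NULL CHECK (is_user IN ('Y', 'N'))
);
CREATE TABLE oss_system (
    sys_id        INTEGER PRIMARY KEY,
    name          TEXT NOT NULL CHECK (length(name) <= 60),
    acronym       TEXT CHECK (length(acronym) <= 20),
    developer_org INTEGER NOT NULL REFERENCES organization(org_id),
    safety_class  TEXT NOT NULL CHECK (safety_class IN
        ('Non-safety related', 'Safety related', 'Safety system')),
    vv_method     TEXT CHECK (length(vv_method) <= 120)  -- assumed: "How is the V&V performed?"
);
CREATE TABLE sys_plant_type (
    sys_id     INTEGER NOT NULL REFERENCES oss_system(sys_id),
    plant_type TEXT NOT NULL CHECK (plant_type IN
        ('PWR', 'BWR', 'CANDU', 'Gas-cooled', 'RBMK', 'Other', 'Any type')),
    PRIMARY KEY (sys_id, plant_type)
);
CREATE TABLE sys_classification (
    sys_id         INTEGER NOT NULL REFERENCES oss_system(sys_id),
    classification TEXT NOT NULL CHECK (length(classification) <= 40),
    PRIMARY KEY (sys_id, classification)
);
"""

# Constructed sample responses, not real survey data.
SAMPLE_ORGS = [(1, "Example Utility A", "N", "Y"),
               (2, "Example Vendor B", "Y", "N")]
SAMPLE_SYSTEMS = [  # id, name, acronym, developer, safety class, V&V, plant types, classes
    (1, "Core Monitoring Advisor", "CMA", 2, "Non-safety related", None,
     ["PWR"], ["Core monitoring", "Performance monitoring"]),
    (2, "Safety Function Monitor", "SFM", 2, "Safety related",
     "Validated on a full scope simulator", ["PWR", "BWR"],
     ["Safety function monitoring"]),
    (3, "Alarm Handling System", "AHS", 1, "Safety related", None,
     ["Any type"], ["Intelligent alarm handling"]),
]


def build_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO organization VALUES (?, ?, ?, ?)", SAMPLE_ORGS)
    for sys_id, name, acr, dev, cls, vv, ptypes, cats in SAMPLE_SYSTEMS:
        conn.execute("INSERT INTO oss_system VALUES (?, ?, ?, ?, ?, ?)",
                     (sys_id, name, acr, dev, cls, vv))
        conn.executemany("INSERT INTO sys_plant_type VALUES (?, ?)",
                         [(sys_id, p) for p in ptypes])
        conn.executemany("INSERT INTO sys_classification VALUES (?, ?)",
                         [(sys_id, c) for c in cats])
    conn.commit()
    return conn


def systems_by_plant_type(conn):
    """Primary indicator: number of systems claiming applicability per plant type."""
    return dict(conn.execute("SELECT plant_type, COUNT(*) FROM sys_plant_type "
                             "GROUP BY plant_type ORDER BY plant_type").fetchall())


def safety_related_without_vv(conn):
    """Clean-up review query: systems declared safety related or safety system
    whose response gives no V&V method, i.e. entries a specialist should follow up."""
    rows = conn.execute("SELECT name FROM oss_system WHERE safety_class <> 'Non-safety related' "
                        "AND (vv_method IS NULL OR trim(vv_method) = '') ORDER BY name").fetchall()
    return [name for (name,) in rows]


def field_width_enforced(conn):
    """True if a 'Name of system' longer than the questionnaire width of 60 is
    rejected by the schema rather than silently truncated."""
    try:
        conn.execute("INSERT INTO oss_system VALUES (99, ?, 'X', 1, 'Safety system', NULL)",
                     ("x" * 61,))
    except sqlite3.IntegrityError:
        return True
    conn.rollback()  # undo the unwanted row if the constraint did not fire
    return False


if __name__ == "__main__":
    db = build_db()
    print("Systems per plant type:", systems_by_plant_type(db))
    print("Safety related, no V&V info:", safety_related_without_vv(db))
    print("Width 60 enforced:", field_width_enforced(db))
```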

Database (DB) Update Process

Recommended DB update processes consist of the following four steps.

Request member states to update relevant information

Collect responses

Update DB and prepare "DB update floppy disks"

Distribute DB update floppy disks

Requests for information update should cover

(i) corrections/modifications of information already existing in DB, and

(ii) collection of information on new systems. Since the volume of update information is not expected to be enormous and the number of entries is not large, paper forms are probably sufficient. For the same reasons, floppy disks seem to be an appropriate form of media to be used for distributing the DB update information.

Initial set up of database

There seem to be several tasks that need to be carried out before the initial setup of the database is achieved. These include the following:

revise the questionnaires

request additional information from organizations which already answered the questionnaires

collect more responses

clean-up of input data

database development (it is assumed that the Agency is responsible for this task)

initial appraisal of the database.

As discussed above, the members of the consultancy group reached the conclusion that there are several pieces of necessary information which are not covered by the current version of the questionnaires. It is necessary to include them so that the database can fully answer questions which are likely to be asked by database users. The additional pieces of information that need to be collected include the following (see Appendix):

forms of human-machine interactions

forms of integration with existing plant computers

need for manual data input by users

application software algorithms adopted (i.e. kinds of information processing technologies)

use of simulator for the purpose of testing

some additional support functions (i.e. data collection)

This information should be collected from organizations which have already answered the questionnaires, using a revised set of questionnaires.

It is expected that information collected from various organizations on a particular OSS might be inconsistent in many ways. Therefore, some clean-up review by specialists seems to be necessary.

APPENDIX

QUESTIONNAIRE ON EXISTING OPERATOR SUPPORT SYSTEM

1. Organization information

Organization submitting the form

Name of organization 60

Division

Street Address or P.O.Box

Zip-code and town

Country

Type of organization

Developer (Specify Yes=Y or No=N)

User

Other

Type of plant

Specify

Contact person

20

Name 60

Street address or P.O.Box

Zip-code and town

Country

International telephone 20 International telefax

Electronic mail

20

60

2. General

Name of system 60

Acronym 20 Version number

Developer Name 60

Plant types for which the system could be applicable

PWR

BWR

CANDU

Gas-cooled

RBMK

Other

Any type

Specify 40

State of development

Development started

Testing phase started

Implemented

Entered into operation

Latest revision

Retired from operation

Other Specify

Please indicate dates

40

Classification

Task oriented displays

Intelligent alarm handling

Fault detection and diagnosis

Safety function monitoring

Computerized operational procedures presentation

Performance monitoring

Core monitoring

Vibration monitoring and analysis

Loose part monitoring

Materials stress monitoring

Radiation release monitoring

Condition monitoring maintenance support

Other Specify 40

Please fill in a short description of the system 250

3. Motivation

What is the main motivation for the system

safety

business automation

reliability/availability

reduced workload

productivity

environment protection

regulatory requirements

Other Specify 40

Who initiated the development or installation

user

system supplier

regulatory organization

utility personnel (other than user)

Other Specify 40

4. Functionality

The system is designed to assist in (all that apply)

Normal situations

Incidents

Accidents (within DBE)

Accidents (beyond DBE)

Does the system support (all that apply)

Data collection

Data archivation

Monitoring

Fault identification

Diagnosis

Selection of procedures

Execution of recovery

Identification of faulty equipment, components or systems

Decisions aid

Other Specify 40

Availability considerations

Can the system detect its own failure

Is back-up available in case of system failure

Redundancy is utilized

Diversity is utilized

Specify 120

Is the system considered

Non-safety related

Safety related

Safety system

5. Usage

Who is using the system

Control room personnel

Local operator

Engineering

Maintenance

Crisis team

Plant management

Other

If Yes Specify Job Position 40

Specify location where the system (man-machine interface) is being used

Control room

Laboratories

Training centre

Emergency Control Room

Crisis centre

Engineering offices

Maintenance areas

Plant equipment area

Dosimetry control room

Other Specify 40

What type of human-machine interface is being used If Yes Specify

Text CRT

Graphic CRT

Mimics

Other outputs

Conventional keyboard

Function keyboard

Mouse

Tracker ball

Touch screen

Other inputs

30

Which form or forms of interaction does your system adopt

Use of one or more dedicated display devices (e g CRT)

Use of one or more dedicated display pictures which share display devices with other systems

Other Specify 40

How many users is the system able to support simultaneously

Does the system process or utilize plant data for real time response

How often is the system used

Continuously

Frequently

Once in a while


Were there additional measures needed for acceptance by users

Improvements in user interface

Improvement in documentation

Additional training

Other Specify 40

6. Technical System Specifications

Please specify hardware characteristics

Brand and type of computers 40

Configuration of the system (e.g. no. of work stations, memory, bus, printers, network communication, disk capacity, plotters) (40)

Does the system get data from the plant computer

Does the system require new sensors (specify) (60)

Please specify software characteristics

Programming languages 40

Software shell for development (e.g. type of database, user interface, operating system, type of knowledge base) (40)


Algorithms and methods used Specify

Calculational methods

Statistical methods

Artificial intelligence

Neural networks

Other (40)

Flexibility

Can the system be expanded for new functions

Can the system be tuned by the users

Is the system hardware dependent

Can the system functions be reconfigured for the users

Is the system connected or connectable to other plant systems

Does the system require manual data input from the operators

Indicate approximate number of input signals (if relevant)

7. Development Process

Were formal design methods applied (Y/N)

Specify methods and tools used for the formal design (40)

Length of development process (months)

Involvement of end user in

Specification

Design

Implementation

Validation

Testing

Other Specify 40


Were pre-existing software modules utilized (Y/N)

Scheme of development process

Once through

Iterative

Other Specify

8. Testing

Methodology and tools applied

Module test

White box test

Black box test

Other Specify

Test criteria and requirements (standard defined) by

User

Authority

Other Specify

Was a simulator involved in testing

Full scope simulator

Part task simulator

No simulator based tests

Length of initial testing period (days)

Periodic testing requirements

Periodically: length of period

Occasionally: reason for test

None

(40)

Were there objective, quantifiable tests to evaluate usefulness of the system? Specify (100)

User experience (100)

Problems discovered (100)


9. Documentation

(Y/N)

User's manual

Design document

Functional specification

QA

V&V

Test results

Training document

Maintenance document

Developers document

Reference to standards

References

10. Training

Language (20)

Does a user training program exist

Is user training performed on a full scope training simulator

Is user training performed on a special part task simulator

Does a training program exist for maintenance of the system

Is technical support available by telephone

If yes, how long is the program (days)

11. Cost

Estimated man-years of efforts used for development

Estimated man-years of efforts used for implementation

Estimated total utility cost of the operator support system including own work, hardware and software (12)

Specify type of required hardware (40)

Specify type of third party software required (40)


12. Benefits

Fill in where relevant: Give qualitative statements if quantitative data are not available.

(columns: Expected / Proven / Quantity)

Reduced operation and maintenance costs

Increased plant availability

Reduced number of scrams

Optimization of plant operational cycle

Improved operational or maintenance procedures

Other (specify) 40

20

13. Experience and additional information which you would like to supply

250


14. References of related literature

120

15. Sites where the system has been installed

60


ABBREVIATIONS

AGR advanced gas cooled reactor
ANN annunciation
BWR boiling water reactor
CR control room
CRS control room system(s)
ECI emergency core injection
EOF emergency operations facility
ERF emergency response facility
ESM engineering simulation model
GCR gas cooled reactor
HMI human-machine interface
I&C instrumentation and control
LAN local area network
LCD liquid crystal display
LWR light water reactor
MCR main control room
NPP nuclear power plant
NSSS nuclear steam supply system
ORC operator response guideline
OSC operational support centre
OSS operator support system
PAM post accident monitoring
PD plasma display
PHWR pressurized heavy water reactor
PMS process monitoring system
PSA probabilistic safety assessment
PWR pressurized water reactor
SPDS safety parameter display system
TMI Three Mile Island
TSC technical support centre
V&V verification and validation
VDU visual display unit
VAS voice announcement system
VRS voice recognition system


CONTRIBUTORS TO DRAFTING AND REVIEW

Bruno, R.J.: EXITECH Corporation, 9790 Patuxent Woods Drive, Columbia, Maryland 21046, USA (4)

Calori, F.: International Atomic Energy Agency, Division of Nuclear Power, Wagramerstrasse 5, P. O. Box 100, A-1400 Vienna, Austria (1)

Dounaev, V.G.: CONSYST Co., Ltd., Potapovski per., 5/4, Moscow, 101000, Russian Federation (4)

Fujita, Y.: Control Board and Plant Computer Engineering Team, Mitsubishi Atomic Power Industries Inc., 4-1, 2-Chome, Sibakouen, Minato-ku, Tokyo 105, Japan (2, 3)

Furet, J.: CEN/FAR MICE/Direction de la Sûreté des Installations Nucléaires, BP No. 6, F-92265 Fontenay-aux-Roses Cedex, France (1, 2, 3)

Gemst Van, P.: ABB Atom AB, S-721 63 Västerås, Sweden (3)

Gorelov, A.I.: Research and Development Institute of Power Engineering, 2/8 Krasnosel'skaja, 107113 Moscow, Russian Federation (1, 3)

Hessler, C.: Siemens AG KWU, R-242, P. O. Box 3220, D-8520 Erlangen, Germany (3)

Korshunov, A.: Atomenergoproekt, St. Petersburg Research Institute, Suvorovsky prospekt, 2A, 193036 St. Petersburg, Russian Federation (1)

Kossilov, A.: International Atomic Energy Agency, Division of Nuclear Power, Wagramerstrasse 5, P. O. Box 100, A-1400 Vienna, Austria (1, 2, 3, 4)

Naser, J.: Electric Power Research Institute, Nuclear Power Division, 3412 Hillview Avenue, P. O. Box 10412, Palo Alto, CA 94303, United States of America (3)


Olmstead, R. A.: AECL CANDU, Control Centre Development, 2251 Speakman Drive, Mississauga, Ontario L5K 1B2, Canada (1, 2, 3, 4)

Rinttila, E.: IVO International, P. O. Box 112, FIN-01019 IVO Vantaa, Finland (1, 2, 3)

Rollenhagen, Karl: Vattenfall AB, S-162 87 Vällingby, Sweden (3)

Sun, B.: Electric Power Research Institute, Nuclear Power Division, 3412 Hillview Avenue, P. O. Box 10412, Palo Alto, CA 94303, United States of America (2)

Wakayama, N.: Japan Atomic Energy Research Institute, Tokai-Mura, Naka-gun, Ibaraki-ken 319-11, Tokyo, Japan (1)

Zimmerman, M.: Gesellschaft für Reaktorsicherheit (GRS) mbH, Forschungsgelände, D-8046 Garching, Germany (1)

Advisory Group Meetings: Vienna, Austria, 11-15 March 1991 (1); 15-19 June 1992 (3)

Consultants Meetings: Vienna, Austria, 11-15 November 1991 (2); 24-28 January 1994 (4)


QUESTIONNAIRE ON IAEA-TECDOCs

It would greatly assist the International Atomic Energy Agency in its analysis of the effectiveness of its Technical Document programme if you could kindly answer the following questions and return the form to the address shown below. Your co-operation is greatly appreciated.

Title: Control room systems design for nuclear power plants

Number: IAEA-TECDOC-812

1. How did you obtain this TECDOC?

[ ] From the IAEA:
    [ ] At own request
    [ ] Without request
    [ ] As participant at an IAEA meeting
[ ] From a professional colleague
[ ] From library

2. How do you rate the content of the TECDOC?

[ ] Useful, includes information not found elsewhere
[ ] Useful as a survey of the subject area
[ ] Useful for reference
[ ] Useful because of its international character
[ ] Useful for training or study purposes
[ ] Not very useful. If not, why not?

3. How do you become aware of the TECDOCs available from the IAEA?

[ ] From references in:
    [ ] IAEA publications
    [ ] Other publications
[ ] From IAEA meetings
[ ] From IAEA newsletters
[ ] By other means (please specify)
[ ] If you find it difficult to obtain information on TECDOCs please tick this box

4. Do you make use of IAEA-TECDOCs?

[ ] Frequently
[ ] Occasionally
[ ] Rarely

5. Please state the institute (or country) in which you are working:

Please return to: R.F. Kelleher, Head, Publishing Section, International Atomic Energy Agency, P.O. Box 100, Wagramerstrasse 5, A-1400 Vienna, Austria