ANP-10279 Revision 0
U.S. EPR Human Factors Engineering Program Topical Report January 2007 AREVA NP Inc.
Non-Proprietary (c) 2007 AREVA NP Inc.
Copyright © 2007
AREVA NP Inc. All Rights Reserved
The design, engineering and other information contained in this document has been prepared
by or on behalf of AREVA NP Inc., an AREVA and Siemens company, in connection with its
request to the U.S. Nuclear Regulatory Commission for a pre-application review of the U.S.
EPR nuclear power plant design. No use of or right to copy any of this information, other than
by the NRC and its contractors in support of AREVA NP’s pre-application review, is authorized.
The information provided in this document is a subset of a much larger set of know-how,
technology, and intellectual property pertaining to an evolutionary pressurized water reactor
designed by AREVA NP and referred to as the U.S. EPR. Without access and a grant of rights
to that larger set of know-how, technology, and intellectual property rights, this document is not
practically or rightfully usable by others, except by the NRC as set forth in the previous
paragraph.
For information address: AREVA NP Inc. An AREVA and Siemens Company 3315 Old Forest Road Lynchburg, VA 24506
U.S. Nuclear Regulatory Commission
Disclaimer Important Notice Concerning the Contents and Application of This Report
Please Read Carefully
This report was developed based on research and development funded and conducted by
AREVA NP Inc., and is being submitted by AREVA NP to the U.S. Nuclear Regulatory
Commission (NRC) to facilitate future licensing processes that may be pursued by licensees or
applicants that are customers of AREVA NP. The information contained in this report may be
used by the NRC and, under the terms of applicable agreements with AREVA NP, those
customers seeking licenses or license amendments to assist in demonstrating compliance with
NRC regulations. The information provided in this report is true and correct to the best of
AREVA NP’s knowledge, information, and belief.
AREVA NP’s warranties and representations concerning the content of this report are set forth
in agreements between AREVA NP and individual customers. Except as otherwise expressly
provided in such agreements with its customers, neither AREVA NP nor any person acting on
behalf of AREVA NP:
• Makes any warranty or representation, expressed or implied, with respect to the
accuracy, completeness, or usefulness of the information contained in this report, nor
the use of any information, apparatus, method, or process disclosed in this report.
• Assumes any liability with respect to the use of or for damages resulting from the use of
any information, apparatus, method, or process disclosed in this report.
AREVA NP Inc. ANP-10279 Revision 0
U.S. EPR Human Factors Engineering Program Topical Report Page i
ABSTRACT
The purpose of the U.S. EPR Human Factors Engineering Program Topical Report is to
describe the engineering process that will be employed to design the human-system interfaces
(HSIs) and associated equipment and control rooms.
The goal of the Human Factors Engineering (HFE) program is to provide reasonable
assurance that plant operators can access the required information and controls to enable safe
and efficient control and monitoring of plant processes and equipment.
The HFE program defines responsibilities of the HFE and Control Room Design Team. The
HFE program applies to the design of the Main Control Room (MCR), the Technical Support
Center (TSC), the Instrumentation and Control Service Center (I&CSC), and the Remote
Shutdown Station (RSS). HSIs, procedures, and training associated with monitoring and
control of functions belonging to instrumentation and control (I&C) systems are included within
the scope of the program. HSIs associated with non-I&C systems (e.g., manual valve
operators and other local control stations (LCSs)) should also follow guidelines established by
the HFE and Control Room Design Team. This topical report describes the corresponding
interface between the HFE and Control Room Design Team and other engineering disciplines.
The detailed design of the HSIs and the control centers is based on a set of standard features
and criteria.
The design of the control centers depends on an understanding of the interactions of operating
personnel with plant automation features. These interactions are defined by delineating
personnel responsibilities for monitoring and controlling the automatic, screen-based, and
conventional control and monitoring systems.
This report describes the records used for design control that document the designs and the
implementation plans, including analytical and validation activities. A proposed schedule is
also presented that shows the expected content for the various elements of the program.
Nature of Changes
Item Section(s) or Page(s) Description and Justification
Contents Page
1.0 INTRODUCTION ... 1-1
2.0 HUMAN FACTORS ENGINEERING PROGRAM SCOPE ... 2-1
2.1 General Principles ... 2-1
2.1.1 Applicable Facilities ... 2-2
2.1.2 Applicable Human-System Interfaces, Procedures, and Training ... 2-2
2.2 Design Goals and Bases ... 2-3
2.2.1 Mechanical Properties and Dimensions for the Work Environment ... 2-3
2.2.2 Acoustic Environment ... 2-3
2.2.3 Lighting of the HMI Rooms and Workspace ... 2-3
2.2.4 Ambient Conditions in the Control Rooms ... 2-4
2.2.5 Coding, Language, and Information Presentation ... 2-4
2.2.6 Requirements for Screen-Based Information Presentation and Dialogs ... 2-4
2.2.7 Information Needs and Controls ... 2-5
2.2.8 Alarm System Design ... 2-6
2.2.9 Plant Operating Procedures ... 2-7
3.0 CONTROL ROOM AND HUMAN-SYSTEM INTERFACE STANDARD DESIGN FEATURES ... 3-1
3.1 Control Rooms ... 3-1
3.1.1 Main Control Room ... 3-2
3.1.2 Technical Support Center ... 3-3
3.1.3 Remote Shutdown Station ... 3-4
3.1.4 Instrumentation and Control Service Center ... 3-4
3.2 Human-System Interfaces ... 3-4
3.2.1 Process Information and Control System ... 3-5
3.2.2 Plant Overview Panel ... 3-7
3.2.3 Safety Information and Control System ... 3-7
4.0 CONCEPT OF OPERATIONS ... 4-1
4.1 Staffing ... 4-1
4.1.1 Shift Supervisor ... 4-2
4.1.2 Shift Technical Advisor ... 4-3
4.1.3 Control Room Supervisor ... 4-3
4.1.4 Reactor Operator ... 4-3
4.1.5 Additional Licensed Operators ... 4-3
4.2 Normal Operations ... 4-4
4.2.1 Operating Procedures ... 4-4
4.2.2 Alarm Response ... 4-4
4.2.3 Usage of PICS and SICS ... 4-5
4.2.4 Periodic Surveillances, Operations, and Tests ... 4-5
4.3 Expectations for Handling Operational Occurrences ... 4-6
4.3.1 Abnormal Operations and Incidents ... 4-6
4.3.2 Emergency Operations and Accidents ... 4-7
4.3.3 Loss of MCR ... 4-8
5.0 DESIGN CONTROL PROCESS ... 5-1
5.1 Generic Design Control ... 5-1
5.2 Human Factors Engineering Design Control ... 5-3
5.3 Control Room and HSI Design Documentation ... 5-4
5.3.1 HFE Program Plan ... 5-4
5.3.2 Plant Technical Requirements Document ... 5-7
5.3.3 System Design Requirements Documents ... 5-7
5.3.4 System Description Document ... 5-7
5.3.5 Specifications ... 5-9
5.4 HFE Program (NUREG-0711) Design Elements ... 5-10
5.4.1 Introduction ... 5-10
5.4.2 HFE Program Management ... 5-10
5.4.3 Operating Experience Review ... 5-20
5.4.4 Functional Requirements Analysis and Function Allocation ... 5-24
5.4.5 Task Analysis ... 5-28
5.4.6 Staffing and Qualifications ... 5-29
5.4.7 Human Reliability Analysis ... 5-30
5.4.8 Human-System Interface Design ... 5-31
5.4.9 Procedure Development ... 5-36
5.4.10 Training Program Development ... 5-37
5.4.11 Human Factors Verification and Validation ... 5-39
5.4.12 Design Implementation ... 5-41
5.4.13 Human Performance Monitoring ... 5-42
5.5 Human Factors Engineering Issues Tracking ... 5-42
6.0 SIMULATOR DESIGN ACTIVITIES ... 6-1
7.0 REFERENCES ... 7-1
APPENDIX A SUMMARY OF HUMAN FACTORS ENGINEERING PROGRAM ELEMENT DEVELOPMENT ... A-1
List of Tables
Table A-1—Design Control Process Document Development ... A-2
Table A-2—HFE Program Elements Development ... A-3
List of Figures
Figure 3.1-1—U.S. EPR Control Rooms Layout ... 3-1
Figure 3.2-1—U.S. EPR I&C Basic Architecture ... 3-4
Figure 5.2-1—HFE Control Room Design Functions and Reporting ... 5-3
Figure 5.3-1—Design Control Process ... 5-6
Nomenclature
Acronym  Description
ASHRAE  American Society of Heating, Refrigerating and Air-Conditioning Engineers
COL  Combined Operating License
CRS  Control Room Supervisor
DCD  Design Control Document
DNBR  Departure from Nucleate Boiling Ratio
DOD  Department of Defense
DRB  Design Review Board
EOF  Emergency Operations Facility
EOP  Emergency Operating Procedure(s)
EPRI  Electric Power Research Institute
FA  Function Allocation
FRA  Functional Requirements Analysis
GTG  Generic Technical Guidance
HA  Human Action
HED  Human Engineering Discrepancy
HFE  Human Factors Engineering
HMI  Human-Machine Interface
HRA  Human Reliability Analysis
HSI  Human-System Interface
HVAC  Heating, Ventilation and Air Conditioning
I&C  Instrumentation and Controls
I&CSC  Instrumentation and Controls Service Center
INPO  Institute of Nuclear Power Operations
KSA  Knowledge, Skills, and Attributes
LCS  Local Control Stations
MCR  Main Control Room
NEI  Nuclear Energy Institute
NLO  Non-Licensed Operator
NRC  Nuclear Regulatory Commission
NSAC  Nuclear Sciences Advisory Committee
NUMARC  Nuclear Utilities Management and Resources Council
OER  Operating Experience Review
OL3  Olkiluoto 3
PICS  Process Instrumentation and Controls System
POP  Plant Overview Panel
PRA  Probabilistic Risk Assessment
PTRD  Plant Technical Requirements Document
PWR  Pressurized Water Reactor
QA  Quality Assurance
QAP  Quality Assurance Program
QDS  Qualified Display System
RMS  Records Management System
RO  Reactor Operator
RSS  Remote Shutdown Station
SAT  Systematic Approach to Training
SDD  System Description Document
SDRD  System Design Requirements Document
SER  Safety Evaluation Report
SICS  Safety Information and Controls System
SRO  Senior Reactor Operator
SS  Shift Supervisor
STA  Shift Technical Advisor
TA  Task Analysis
TSC  Technical Support Center
V&V  Verification and Validation
1.0 INTRODUCTION
The U.S. EPR Human Factors Engineering (HFE) Program Topical Report describes the
engineering process that will be employed to design the human-system interfaces (HSIs) and
associated equipment and the control rooms.
NUREG-0711, Human Factors Engineering Program Review Model (Reference 6), describes the
twelve elements of a generic HFE program. Together they form a top-down model of a program
that decomposes the high-level goal of plant safety into individual, discrete focus areas for the
HSI design.
The U.S. EPR HFE program provides reasonable assurance that plant operators can access
the required information and controls to safely and efficiently control and monitor the plant
processes and equipment. The HFE program defines the responsibilities of the HFE and
Control Room Design Team as well as the equipment and facilities which the team will design.
The HFE and Control Room Design Team also produces HFE guidance for the design of other
equipment, such as local control stations (LCSs). This report describes the interface between the
HFE and Control Room Design Team and other engineering disciplines. Design goals and
bases and features inherent to the standard U.S. EPR design are described to illustrate the
starting point and scope for the program.
This report also describes AREVA NP’s engineering design process and how the HFE design
process follows and interrelates with that process. Successive sections describe the specific
design records used to document the design and the implementation plans for the various
analysis and validation activities. Finally, this report contains a proposed schedule for the
various elements of the HFE program, which includes the twelve elements described in
NUREG-0711 and the various types of design documentation prescribed by AREVA NP’s
design control process.
AREVA NP requests that the NRC issue a Safety Evaluation Report (SER) that approves this
topical report. The U.S. EPR HFE Program Topical Report will be used to support AREVA
NP’s U.S. EPR design. AREVA NP plans to reference the topical report in its Design Control
Document for the U.S. EPR.
2.0 HUMAN FACTORS ENGINEERING PROGRAM SCOPE
2.1 General Principles
The HFE program provides plant operators and technicians with safe and efficient access to the
information and controls required to monitor and control the plant processes and equipment.
The HFE program also establishes the time and performance criteria for required equipment
operations via human reliability analyses and recognized guidelines.
The design of the human-machine interface (HMI) should meet the following basic
requirements:
• Operator tasks should be executable (sufficient time allocated, needed controls and
information available).
• The operator should be able to check the success of an action against the objective of
the action.
• The allocated tolerance range (safety limits, time limits, precision) should be clearly
defined.
• Actions that fail or are erroneous should be recoverable, if possible.
• The operator should be able to evaluate the system or plant response to a control
action. Multiple process monitoring contexts (i.e., physical, functional) are preferred.
• The operator should be able to evaluate the current safety state of the plant processes
from the available displays.
The HFE and Control Room Design Team establishes requirements in the following areas and
provides reasonable assurance that the program complies with them:
• Location and accessibility requirements for the control rooms and other control stations
• Layout of the control rooms, including locations and design of individual displays and
panels
• Basic concepts and detailed design for the information displays, controls, and alarms for
HMI control stations
• Coding and labeling conventions for control room components and plant displays
• Design of the screen-based HMI, including the actual screen layout and the standard
dialogues for accessing information and controls
• Requirements for the physical environment of the control rooms (e.g., lighting,
acoustics, heating, ventilation and air conditioning (HVAC))
• Layout of operator work stations and work space
• Verification and validation (V&V) of the design of human interfaces
The HFE and Control Room Design Team is also responsible for program concepts for
developing operating procedures, staffing requirements, and designer’s input to the training
program, as described in successive sections of this document.
2.1.1 Applicable Facilities
The HFE program applies to the design of the Main Control Room (MCR), the Technical
Support Center (TSC), the Instrumentation and Control Service Center (I&CSC), the Remote
Shutdown Station (RSS), and LCSs associated with operation or maintenance. The design of
LCSs is typically accomplished concurrent with the applicable system design and follows
guidelines established by the HFE and Control Room Design Team. A COL applicant that
references the U.S. EPR design certification will design the Emergency Operations Facility
(EOF), though the HFE and Control Room Design Team is expected to participate in that
design.
2.1.2 Applicable Human-System Interfaces, Procedures, and Training
The scope of the HFE program includes HSIs, procedures, and training associated with
monitoring and controlling instrumentation and control (I&C) system functions. The system
functions include those required during the various normal operating modes as well as those
required during tests, inspections, surveillances, maintenance, abnormal, emergency, and
accident conditions. HSIs associated with non-I&C systems (e.g., manual valve operators and
other LCSs) should follow guidelines established by the HFE and Control Room Design Team.
2.2 Design Goals and Bases
The design of the work environment for the operating and maintenance staffs should meet the
relevant HFE requirements described in the sections below.
2.2.1 Mechanical Properties and Dimensions for the Work Environment
The layout of the MCR and other HMI rooms should meet basic arrangement requirements for
information presentation on screens and control panels. The layout of the MCR and other HMI
rooms accounts for visibility constraints, accessibility requirements, and communication
requirements between the operating and maintenance staff members during all plant states.
The detailed layout will be generated, starting from a first draft layout, in the design process
described below. Similarly, the layout of the operator workstations (including safety and non-
safety HSI) and the large screen display panel (Plant Overview Panel (POP)) should be
defined taking into account visibility, reach and grasp requirements, and anthropometric
dimensions for the intended user population. Validation of these design results should be
performed by conducting walk-throughs, using a selected set of emergency procedures, in a
mock-up of the MCR.
2.2.2 Acoustic Environment
The acoustic environment and the mean noise level in the MCR should support operator alertness,
allow the monitoring and control of processes and the associated mental activities to be
performed in comfort, and promote communication between the members of the operating staff.
2.2.3 Lighting of the HMI Rooms and Workspace
The lighting in the control rooms provides optimum working conditions for personnel by:
• Providing an adequate lighting level for performance of tasks (e.g., good contrast for
easy discrimination of information, good minimum lighting for preservation of alertness).
• Avoiding glare and reflection.
2.2.4 Ambient Conditions in the Control Rooms
During normal operation at basic atmospheric conditions, the temperature and humidity in the
MCR and the associated HMI rooms are controlled to normal comfort levels. The air-
conditioning system can adjust the temperature. During some design basis events, the
temperature in the MCR may exceed comfort levels, but the temperature should not exceed
the guidance provided in Reference 5.
2.2.5 Coding, Language, and Information Presentation
In order to minimize human error, rules for the arrangement of information on screens and
conventional control boards and for coding and labeling of information on the different types of
HMIs will be specified in the design phase (see Section 5.4.8).
The nomenclature and terminology used in operating procedures will be consistent with those
used on operator interfaces. The HMIs should be consistent with plant documentation to the
extent possible (e.g., system manuals and plant drawings).
2.2.6 Requirements for Screen-Based Information Presentation and Dialogs
Operators are provided with an overview of the plant state and rapid access to specific pieces
of information and specific controls. For conventional control boards, this will be accomplished
by logical grouping of indicators, alarms and status displays in functional groupings which
provide clear relationships between associated indicators and controls. For the screen-based
controls, the organization of operating displays and navigation methods accounts for the
limitations of display area and the serial character of information access to provide an overall
vision of plant state as well as access to details.
Four principal criteria apply to the design of screen-based HMI:
• The information hierarchy at the top levels contains a few overview displays showing
essential plant state information while the lower level displays progress through
increasing levels of detail.
• Multiple monitors are used to allow simultaneous display of several types of information.
• Task-oriented presentation of the same information in different arrangements is adapted
to different operator processes.
• Calculated, pre-processed and condensed information is used to allow a rapid grasp of
the state of a complex system (e.g., core average axial power shape monitoring,
departure from nucleate boiling ratio (DNBR) and critical heat flux monitoring, plant
calorimetric calculation, saturation temperature, saturation pressure, curves and limits
for heat-up and cool-down).
The information presentation:
• Allows operators to evaluate the priority, gravity, and impact on safety and availability of
an event in the context of overall plant state.
• Directs the operators to the information and controls that are needed to plan and
execute any necessary action(s).
• Guides the operator from summary information (e.g., from a fault flag or an alarm) to the
detailed fault information (e.g., a detailed circuit format) or to the associated procedure
or alarm sheet.
2.2.7 Information Needs and Controls
Information that allows the operator to evaluate the plant state and provides feedback for any
action is displayed in a consistent manner.
The operators will be provided with an appropriate means to interact with screen-based and
conventional controls so that, as a minimum, the following types of information are accessible:
• Plant equipment data (fluid, mechanical, electrical and I&C systems and components)
• Process dynamics
• Functional relationships between sub-processes
• Automation equipment functions (e.g., control loops, automatic sequencers, protection
systems) and their relation to the state of the process
• Operational guidance (e.g., procedures and technical data sheets)
Information about the first three types of items is communicated to the operators by state and
status information and by alarms, irrespective of the technology of the HMI systems.
The screen-based HMI systems, which are backed up by paper-based procedures, support
operational guidance. Aside from the navigation and layout differences and the availability of
live data, the electronic and hard copy procedures contain the same information in the same
format.
2.2.8 Alarm System Design
Alarms alert and inform the operators when an unexpected event occurs that requires manual
action (to correct or mitigate the condition, compensate for a failure, or make repairs), or when
a failure must be accounted for during further process control because it either restricts the
reachable plant states or requires alternate means of reaching the desired state.
Alarms consist of either binary signals regarding the state of the process or the equipment or
acoustic and optical annunciations to alert and guide the operator to the applicable HMI
display.
Alarms may be generated when process variables leave their operating range, when
equipment is not in the operating mode that is required for the actual process state, or when
equipment fails. Status messages (i.e., messages indicating response to process or
equipment events) are also generated within the alarm hierarchy.
The operators should not be burdened by multiple alarms that demand simultaneous actions;
however, operator training establishes the priorities for responding to alarms to maintain a high
level of safety. The following factors are examples of criteria that determine how alarm
priorities are established:
• The available reaction time
• The safety relevance of the event
• The relevant impact of the event (e.g., leading to or the imminent loss of a function,
degradation of a function)
The following principles are applied when designing the logic of alarms and overall alarm
processing:
• Alarm signals are based on information that indicates the true cause of the reported
event.
• Alarms are integrated with the HSI to assist the operator with situational awareness,
alarm response, and any associated troubleshooting.
• Alarm signals include logic so that only operationally relevant conditions are alarmed
(e.g., the alarm logic for "low discharge pressure" downstream of a pump will produce
an alarm only if the pump is supposed to be running).
• The overall plant state is taken into account for the generation of alarms, or at least to
inhibit alarms which are not relevant for the actual plant state.
• Pre-alarms are provided before automatic actuation only if manual corrective actions
are different from automatic actions and when an operator has sufficient time to identify
and perform these actions.
Alarm processing and presentation on the various screen-based HMI components (Process
Instrumentation and Controls System (PICS) and Qualified Display System (QDS) portion of
the Safety Information and Controls System (SICS)) will be as similar as possible.
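The alarm logic principles above (alarm only operationally relevant conditions, inhibit alarms that do not apply to the actual plant state, set priority from the available reaction time and the safety relevance of the event, and provide a pre-alarm only where the manual action differs from the automatic one and there is time to perform it) can be expressed as a small state-conditioned alarm processor. The following Python is an added illustration and is not AREVA NP's or the U.S. EPR's alarm implementation; the tag names, plant modes, setpoints, priority time bands and the sample process and equipment values are constructed for the example.

```python
"""State-conditioned alarm processing, illustrating the Section 2.2.8 principles.

Added example; not the U.S. EPR implementation. All tags, modes, setpoints,
priority bands and sample values below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List


class Priority(Enum):
    HIGH = 1    # safety-relevant or little reaction time available
    MEDIUM = 2
    LOW = 3


@dataclass(frozen=True)
class AlarmDef:
    tag: str
    # Process condition, e.g. discharge pressure below a setpoint.
    condition: Callable[[Dict[str, float]], bool]
    # Operational relevance: the condition is alarmed only when the equipment is
    # supposed to be in the state that makes it meaningful (pump commanded RUN).
    relevant: Callable[[Dict[str, str]], bool]
    # Plant modes in which the alarm applies; an empty set means all modes.
    modes: FrozenSet[str] = frozenset()
    reaction_time_s: float = 4 * 3600.0   # time available to the operator
    safety_relevant: bool = False


@dataclass(frozen=True)
class Alarm:
    tag: str
    priority: Priority


def prioritize(d: AlarmDef) -> Priority:
    """Priority from reaction time and safety relevance (Section 2.2.8 criteria).
    The 15 min and 2 h bands are assumptions made for this example."""
    if d.safety_relevant or d.reaction_time_s < 15 * 60:
        return Priority.HIGH
    if d.reaction_time_s < 2 * 3600:
        return Priority.MEDIUM
    return Priority.LOW


def process_alarms(defs: List[AlarmDef], process: Dict[str, float],
                   equipment: Dict[str, str], plant_mode: str) -> List[Alarm]:
    """Evaluate alarm definitions against process values, commanded equipment
    state and plant mode; return the alarms to present, highest priority first."""
    raised: List[Alarm] = []
    for d in defs:
        if d.modes and plant_mode not in d.modes:
            continue            # inhibited: not relevant to the actual plant state
        if not d.relevant(equipment):
            continue            # e.g. pump not supposed to run, low pressure expected
        if d.condition(process):
            raised.append(Alarm(d.tag, prioritize(d)))
    raised.sort(key=lambda a: a.priority.value)
    return raised


def pre_alarm_allowed(manual_action: str, automatic_action: str,
                      time_available_s: float, time_needed_s: float) -> bool:
    """Pre-alarm before automatic actuation only if the manual corrective action
    differs from the automatic one and the operator has time to perform it."""
    return manual_action != automatic_action and time_available_s >= time_needed_s


# Constructed alarm definitions (hypothetical tags and setpoints).
ALARM_DEFS: List[AlarmDef] = [
    AlarmDef("FW PUMP 1 DISCH PRESS LOW",
             condition=lambda p: p["fw_pump1_disch_press_bar"] < 60.0,
             relevant=lambda e: e["fw_pump1_cmd"] == "RUN",
             reaction_time_s=30 * 60),
    AlarmDef("PZR PRESS HIGH",
             condition=lambda p: p["pzr_press_bar"] > 165.0,
             relevant=lambda e: True,
             modes=frozenset({"POWER", "HOT_STANDBY"}),
             reaction_time_s=5 * 60, safety_relevant=True),
    AlarmDef("CONDENSER VACUUM LOW",
             condition=lambda p: p["cond_vac_mbar"] > 80.0,
             relevant=lambda e: e["turbine"] == "ONLINE",
             modes=frozenset({"POWER"})),
]

# Constructed sample snapshot: pump discharge pressure is low and pressurizer
# pressure is high; condenser vacuum is normal.
SAMPLE_PROCESS = {"fw_pump1_disch_press_bar": 40.0, "pzr_press_bar": 170.0,
                  "cond_vac_mbar": 50.0}


def demo() -> Dict[str, List[str]]:
    """Run the three scenarios discussed in the text and return the alarm tags."""
    pump_stopped = {"fw_pump1_cmd": "STOP", "turbine": "ONLINE"}
    pump_running = {"fw_pump1_cmd": "RUN", "turbine": "ONLINE"}
    return {
        "pump_stopped_power": [a.tag for a in process_alarms(ALARM_DEFS, SAMPLE_PROCESS, pump_stopped, "POWER")],
        "pump_running_power": [a.tag for a in process_alarms(ALARM_DEFS, SAMPLE_PROCESS, pump_running, "POWER")],
        "pump_running_cold": [a.tag for a in process_alarms(ALARM_DEFS, SAMPLE_PROCESS, pump_running, "COLD_SHUTDOWN")],
    }


if __name__ == "__main__":
    for name, tags in demo().items():
        print(f"{name}: {tags}")
```

The suppression decisions depend entirely on the commanded equipment state and plant mode fed into the processor, so the integrity of those inputs is part of the alarm system's trust base: a wrong or stale `fw_pump1_cmd` value masks a real low-pressure condition exactly as the relevance rule intends to mask an expected one. A practitioner validating alarm logic should therefore test the inhibit paths (alarm expected and suppressed) as deliberately as the alarm paths.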
2.2.9 Plant Operating Procedures
Procedures are the means of performing overall process supervision and monitoring and of
supporting elementary process control actions; they also provide guidance for more complex
tasks. This guidance takes the form of alarm sheets, procedures for normal operation (including
startup and shutdown procedures), and abnormal and accident procedures.
Where technically feasible, operating procedures will be implemented in screen-based formats
that provide access to process information and contain format links, which provide access to
underlying additional information and direct the operator to control screens. Paper-based
procedures back up screen-based procedures and contain the same guidance in the same
format.
The computerized formats of operating procedures should meet the following requirements:
• Action objectives should be clearly defined (i.e., the operator should be able to visualize
the current plant or system state and understand the expected result).
• Each applicable procedure step should establish a given objective, including the
parameters used to evaluate the objective, and (where appropriate) indicate the HSI
location (screen) for the state of the systems and the required functions. If the action
specified in the procedure is performed and the expected response is not achieved, the
procedure should direct the operator to perform mitigating actions.
• The appropriate sequence of actions should be clear and concise.
• The procedure should provide concise descriptions for the execution of tasks and
actions by providing step-by-step methods of manual execution or referencing the
appropriate automated sequences.
• Operator guidance should be structured with several levels of detail (i.e., objectives,
tasks, actions).
3.0 CONTROL ROOM AND HUMAN-SYSTEM INTERFACE STANDARD DESIGN FEATURES
The U.S. EPR control rooms and HSIs contain a group of standard features that form the
bases for the detailed HSI design.
3.1 Control Rooms
The control rooms are locations where major I&C display and control functions are available
(i.e., I&C display and control functions not associated with an LCS). The control rooms include
the MCR, the TSC, the RSS, and the I&CSC. The layout of the U.S. EPR control rooms is
illustrated in Figure 3.1-1, with the exception of the RSS which is in a separate location.
Figure 3.1-1—U.S. EPR Control Rooms Layout
3.1.1 Main Control Room
The MCR provides:
• A centralized location where actions to operate the plant safely are performed under
normal conditions and where actions to reach and maintain a safe condition under
accident conditions are performed.
• Adequate radiation protection that allows personnel to access and occupy the MCR
under accident conditions without receiving radiation exposure in excess of 10 CFR 50
Appendix A (GDC 19) (Reference 3) requirements.
• The ability to transfer control outside the MCR to equipment that is designed to achieve
prompt hot shutdown of the reactor and maintain a safe condition during hot shutdown
with the possibility for subsequent cold shutdown of the reactor through suitable
procedures.
• A means to communicate with the outside.
• A centralized location for initiating, monitoring, and authorization of maintenance for
process equipment and systems.
• Protection from hazards and adverse environmental conditions for personnel and
equipment required to operate the plant safely.
• A working environment for the operators that reduces conditions that adversely affect
human performance.
The MCR houses the major HSIs with the main plant monitoring and control systems. The
MCR is located in a hardened safeguards building where it is protected against radiation,
internal and external missiles, and earthquakes. The MCR interface with the I&C systems is
arranged in separated I&C cabinet rooms and in the rooms on the MCR floor level.
The MCR is sized sufficiently so that the MCR staff can perform necessary actions. The
arrangement of the adjacent control rooms facilitates coordination and communication
between the members of the operating staff while reducing the need for access to the MCR by
other plant personnel, such as field equipment operators, maintenance staff, and personnel in
other HSI rooms (e.g., I&CSC). Several means of communication with non-licensed operators,
maintenance personnel, operations support staff, plant management, dispatchers, regulators,
and public officials are provided in the MCR.
The MCR is equipped with:
• Four operator workstations with HSI (Note: This number does not imply a staffing level.
See Section 4.1 for more information on staffing levels)
• A communication console (multiple means of communication are also available to each
operator)
• POP
• Storage space for backup procedures and documentation and for personal protective
equipment
3.1.2 Technical Support Center
The TSC is in close proximity to the MCR to simplify access to the MCR and maximize the
efficiency of the interface with other HSI rooms.
The TSC is located on the floor level of the control rooms outside the MCR, but has a separate
access point. The TSC is located in a hardened safeguards building. As shown in Figure 3.1-
1, the TSC is part of the integrated operations area.
If required, the technical support team uses the TSC to accommodate additional technical
engineering, senior operations, and management staff who analyze the plant conditions and
support the MCR operators during post-accident management. The TSC contains PICS
monitors which have access to process information needed to monitor the state of the plant in
all plant states, including maintenance, refueling, power, and accident conditions. The process
control functions that are associated with PICS in the MCR are blocked in the TSC. The TSC
is also provided with several means of communications within and outside the plant.
3.1.3 Remote Shutdown Station
The RSS is independent from the MCR. It is in a different fire zone and utilizes a different
ventilation system than the MCR.
The RSS is a control center that contains the equipment necessary to bring the plant to a safe
shutdown state during an event requiring the evacuation of the MCR. The HSI (control)
functions of the RSS are isolated while the MCR is available and in use.
The RSS HSI consists of PICS equipment, SICS equipment, and communications equipment.
3.1.4 Instrumentation and Control Service Center
The I&CSC provides a centralized location for I&C technicians and other specifically qualified
plant staff to perform maintenance, periodic testing, and modification of I&C system software,
including the interface equipment (e.g., PICS) and the monitoring and control equipment. The
I&CSC also contains consoles for specialized systems (e.g., the loose parts and vibration
monitoring system, leakage monitoring system, and the Aeroball and PowerTrax core
monitoring systems).
3.2 Human-System Interfaces
Figure 3.2-1 shows the planned I&C architecture from the perspective of safety and non-safety
I&C and the relationship to the various HSIs.
Figure 3.2-1—U.S. EPR I&C Basic Architecture
3.2.1 Process Information and Control System
The PICS is a non-safety-related digital I&C system. It provides a screen-based interface for
the operators in the MCR and in the RSS to control and monitor plant parameters during
normal, abnormal, and accident conditions. Figure 3.2-1 shows the PICS interfaces with the
plant automation systems. The PICS receives both safety and non-safety data from the
instrumentation. The PICS provides a state-of-the-art digital HMI to monitor the plant (i.e., an
operator has access to available plant data at a single “workstation”). The PICS performs self-
diagnostics, receives and displays self-diagnostic information from other plant systems,
archives data, and incorporates software changes. The PICS provides an alarm
management interface for the operators.
Individual PICS monitors are not specialized. The control functions on the PICS are divided
into hierarchies, and operator workstations should be logged in with responsibilities for
selected hierarchies. Alarms and control capabilities on any one workstation correspond only
to those belonging to the hierarchy for which that workstation is logged in; however, any
available PICS monitor can display information and allow separate dialog boxes to be opened.
With the exception of the PICS workstation in the RSS, plant control functions are disabled
outside the MCR. Outside the MCR, a personal, specific login is required to access
information or, in the case of the I&CSC, to conduct maintenance or modifications.
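The access rules stated here and in Sections 3.1.2, 3.1.3 and 4.3.3 (controls limited to the logged-in hierarchy; information available on any monitor; control functions disabled outside the MCR except in the RSS, whose controls stay isolated while the MCR is in use; personal login required outside the MCR; maintenance only from the I&CSC) amount to a location- and role-based authorization policy. The following is an added example of such a policy check, written for this page and not code from ANP-10279 or from AREVA NP; the request kinds, hierarchy names and user identifiers are assumptions.

```python
"""Location- and hierarchy-based authorization for PICS requests.

Added illustration for this section; not code from ANP-10279 or from AREVA NP.
Room names follow the text; request kinds, hierarchy names and users are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Room(Enum):
    MCR = "MCR"      # main control room
    RSS = "RSS"      # remote shutdown station
    TSC = "TSC"      # technical support center (monitoring only)
    ICSC = "I&CSC"   # I&C service center (maintenance; monitoring only)


class Action(Enum):
    VIEW = "view"          # open a display or dialog box: information only
    CONTROL = "control"    # manual control of an actuator or I&C function
    MAINTAIN = "maintain"  # maintenance, periodic testing or modification of I&C software


@dataclass(frozen=True)
class Session:
    room: Room
    user: Optional[str]                   # personal login; None for an anonymous MCR monitor
    hierarchies: frozenset = frozenset()  # control hierarchies this workstation is logged in for


@dataclass(frozen=True)
class Request:
    action: Action
    hierarchy: Optional[str] = None       # hierarchy the target belongs to (CONTROL only)


@dataclass(frozen=True)
class PlantStatus:
    mcr_in_use: bool   # True while the MCR is available and in use


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(s: Session, req: Request, status: PlantStatus) -> Decision:
    """Decide one PICS request using the rules stated in Sections 3.1.2, 3.1.3, 3.2.1 and 4.3.3."""
    # Outside the MCR a personal, specific login is required for any access.
    if s.room is not Room.MCR and s.user is None:
        return Decision(False, f"personal login required outside the MCR ({s.room.value})")

    if req.action is Action.VIEW:
        # Any available PICS monitor can display information and open dialog boxes.
        return Decision(True, "information display is available on any PICS monitor")

    if req.action is Action.MAINTAIN:
        if s.room is Room.ICSC:
            return Decision(True, "maintenance and modification permitted from the I&CSC")
        return Decision(False, "maintenance and modification only from the I&CSC")

    # Action.CONTROL: plant control functions are disabled outside the MCR, except
    # in the RSS, whose control functions stay isolated while the MCR is in use.
    if s.room is Room.RSS and status.mcr_in_use:
        return Decision(False, "RSS control functions isolated while the MCR is available and in use")
    if s.room not in (Room.MCR, Room.RSS):
        return Decision(False, f"plant control functions disabled in the {s.room.value}")

    # Controls on a workstation are limited to the hierarchy it is logged in for.
    if req.hierarchy is None or req.hierarchy not in s.hierarchies:
        return Decision(False, f"workstation not logged in for hierarchy {req.hierarchy!r}")
    return Decision(True, f"control permitted within logged-in hierarchy {req.hierarchy}")


if __name__ == "__main__":
    ro = Session(Room.MCR, "ro1", frozenset({"RCS"}))
    print(authorize(ro, Request(Action.CONTROL, "RCS"), PlantStatus(mcr_in_use=True)))
    print(authorize(ro, Request(Action.CONTROL, "FEEDWATER"), PlantStatus(mcr_in_use=True)))
```

The decision is taken from the session's room and login and from the plant status, never from anything the client asserts about itself, and every refusal carries the rule that produced it so the reason can be logged and reviewed.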
The PICS screens provide the following information and controls:
• Binary and analog process information, including trend curves
• Manual control of plant actuators provided with remotely operated manual controls
including corresponding checkback information
• Manual control of I&C functions (e.g., automatic sequences, control loops, provision of
setpoints, switchover between manual and automatic mode, set and reset of memories)
including corresponding checkback information
• Alarm annunciation and presentation of abnormality indication concerning functions and
equipment having a direct impact on process control
• Parameter setting when linked to the process state
• Information about the operability and administrative status of actuators and sensors and
associated I&C equipment
• Alarms indicating failures of equipment needed for process control, indicating events
requiring special operator attention, or demanding manual actions by the operators
The PICS also enables operators to diagnose faults and supports the execution of
compensating and correcting actions by providing:
• Alarm sheets that show the possible cause, expected consequences, and predefined
corrective measures, as appropriate.
• Post-accident procedures that indicate the required actions to be executed.
• Normal operating procedures that show the actions required to change the state of the
plant, or of systems and components, or to monitor the plant or system state where
such actions are automated.
The PICS is capable of data storage including access to on-screen historic information (e.g.,
logs of measurements, trends, state changes, and manual and automatic actions taken) and
support for shift turnover (e.g., special logs, procedure progress).
3.2.2 Plant Overview Panel
The POP (see Figure 3.2-1) is a subset of the PICS. The POP is implemented as a set of
large (approximately 94 in. diagonal) monitors driven by the PICS computers to present
formats which show the overall plant state or other task-related formats. The POP is visible
from workstations in the MCR and helps synchronize the operations staff with respect to
common operational objectives. Though several PICS display screens are designed for
viewing on the POP, the POP can display any PICS display screen. The graphical design of
display screens incorporates expected viewing distances, and administrative controls provide
recommendations for which screens should be displayed on the POP.
3.2.3 Safety Information and Control System
The SICS provides the safety-qualified HSI for operators to use the control and information
functions that are needed to monitor the plant safety status and bring the plant to a safe
shutdown state and maintain it in case of inoperability of the PICS.
The SICS consists of a seismically qualified Class 1E QDS along with Class 1E conventional
I&C that are utilized for safety-related functions that are not controlled through a digital
computer system. The QDS is a safety-related display system with touch screen capabilities.
Other input devices for the QDS (e.g., keyboards or trackballs) are also available.
4.0 CONCEPT OF OPERATIONS
4.1 Staffing
One U.S. EPR design goal is to design the plant and the HSI so that three licensed operators
(one of whom holds a senior reactor operator (SRO) license) can safely monitor and control the
plant under operating conditions, including normal operation, startup, shutdown, abnormal
operation, and accident conditions. Because of the levels of automation inherent in the I&C
architecture, only one licensed operator will be required to be at the controls during normal, at-
power operations. Also, one SRO licensed operator shall remain in the MCR at all times.
Additionally, each operating crew should include an SRO licensed shift supervisor, a shift
technical advisor (may be combined with the shift supervisor position), a number of non-
licensed equipment operators (NLOs), and a maintenance crew consisting of a supervisor and
chemistry, radiation protection, I&C, electrical, and mechanical technicians.
The HSI design process incorporates several HFE program elements from NUREG-0711 to
differentiate which functions are controlled by the operators and which are automated. The
HSI is designed to accommodate the assumed number of operators for the optimal operator
workload. Section 5.4.6 contains more details of the staffing needs analysis.
A COL applicant that references the U.S. EPR design certification will develop a complete
staffing arrangement. It is expected that a COL applicant that references the U.S. EPR design
certification will determine staffing levels and qualifications of plant personnel based on the
COL applicant’s corporate staffing philosophy, existing site operations, fleet operations, final
plant design, and current regulations. Plant operating procedures (i.e., normal, abnormal,
emergency) are based upon the different roles, functions, and responsibilities for the MCR
operators functioning as an integrated team.
As a minimum, the MCR staff performs the following:
• Carry out or request manual actions which are necessary to put plant systems into or
out of service or modify the plant systems during normal operation or after an incident or
accident
• Use parameters and information delivered by the information systems to monitor the
safety and operability of the plant
• Perform checks and periodic tests to confirm that safety systems remain fully operable
• Initiate corrective action in case of equipment malfunctions or unforeseen events
• Request field operators or maintenance personnel to perform additional corrective
actions if actions from the MCR are not sufficient
• Take into account unavailability of equipment (e.g., during maintenance) so that the
plant is continuously operated safely within the bounds of the technical specifications
• Execute appropriate actions following an accident
• Review the actions of other operators
The following subsections provide the responsibilities that are specific to individual members of
the operations staff.
4.1.1 Shift Supervisor
Whether in or out of the MCR, the shift supervisor (SS) is the senior person on shift who is
responsible for the command and control of site activities. The SS holds the highest level of
operating license (i.e., SRO) and may also perform the function of the shift technical advisor
(STA) required by NUREG-0737 (Reference 7) if the qualifications are met.
Specific responsibilities for the SS are similar to those described in ACAD 97-004 (Reference
10).
The SS observes plant activities via the POP or other MCR workstations; however, the SS
may utilize the auxiliary workstation in the MCR if the workstation is not in use. To maintain
situational awareness, the SS should not become directly involved with process control.
As described in NEI 99-02 Revision 4, (Reference 12) the SS is expected to classify an event
promptly following indication that the conditions have reached an emergency threshold in
accordance with the emergency action level scheme. The SS is also responsible for any
associated prompt notification.
The SS’s office is a room where administrative tasks are performed and is immediately
adjacent to the MCR. This office has access to the MCR itself and a window enabling the SS
to view the MCR (see Figure 3.1-1).
Depending on the plant state and the availability of other SRO licensed level personnel in the
MCR, the SS may make occasional field observations in the plant.
4.1.2 Shift Technical Advisor
In conformance with NUREG-0737, each operating shift should have a designated STA. The
SS may maintain the STA function. While the STA is not required to be in the MCR, the STA
should be able to reach the MCR within a short time.
4.1.3 Control Room Supervisor
The control room supervisor (CRS) is the senior licensed operator that monitors and controls
the entire plant in accordance with the operating procedures. The CRS should hold an SRO
license. To maintain situational awareness, the CRS is not generally at the controls, but is
present or readily available in accordance with 10 CFR 50.54(m) (Reference 2). Specific
responsibilities for the CRS are similar to those described in NUREG-1021 (Reference 9).
4.1.4 Reactor Operator
Significant improvements in the design of the HSI should ease some of the operational load
and allow for fewer operators. The Reactor Operator (RO) should hold an RO or SRO license
and is specifically tasked with being at the controls monitoring and controlling portions of the
plant in accordance with the operating procedures and as directed by the CRS. Specific
responsibilities of the RO are similar to those described in NUREG-1021.
4.1.5 Additional Licensed Operators
At least one additional licensed operator (i.e., SRO or RO) is assigned to each shift and fills
roles and functions as directed by the SS or CRS. The typical roles and responsibilities of the
additional licensed operator fall into administrative and operational categories and depend on
the needs of the shift. The additional licensed operator is not required to be at the controls
unless required to safely monitor and control the plant under labor intensive operating
conditions (e.g., startup, shutdown, abnormal operation, and accident conditions). The
additional licensed operator should be able to reach the MCR within a short time.
4.2 Normal Operations
Normal operations are defined as operating within the modes described in Technical
Specifications in a controlled manner with no major equipment faults. As described above, a
licensed RO or SRO will be at the controls in the MCR during normal operations. The POP
allows some monitoring-only functions to be observed from elsewhere within the MCR. During
normal operations, the CRS is required to be in the MCR, and the SS is required to be within
the controlled area for the assigned unit.
4.2.1 Operating Procedures
The plant is operated in accordance with the Technical Specifications and with the applicable
normal, abnormal, or emergency operating procedures (EOPs). One of the PICS screens in
use should display the operating procedure for the process being either performed or
monitored. The HMI design should be programmed with the capability to jump to other
procedures of immediate interest without excessive navigational steps.
4.2.2 Alarm Response
Normal operations often include operator response to alarms. Operators monitor plant
performance to detect failures in mechanical, electrical, or I&C systems. The alarm systems
supplement this monitoring by alerting operators to certain types of failures. Upon detecting
such failures, operators implement applicable specific alarm response procedures. This may
include performing additional diagnostics, performing actions to compensate for the failure, or
requesting field operators or other staff to perform additional diagnostics or repair actions. In
addition, operators assess and respond to keep the plant and components in a safe state
based on their training and understanding of the plant situation.
4.2.3 Usage of PICS and SICS
While the PICS is available, essentially all plant operations, including emergency operations,
should be performed via the PICS at a sit-down workstation. Section 4.3.1.1 describes the
criteria for PICS availability.
Single-purpose, fixed-location, continuously-available controls and related displays should
remain available via the SICS. Also, QDS screens are expected to mimic the operation and
format of the PICS screens for certain safety-related functions that are required in order to shut
down the plant to a safe state and maintain it in that state in the event that the PICS is
unavailable. The SICS contains the controls and displays required for design basis accident
monitoring.
4.2.4 Periodic Surveillances, Operations, and Tests
The I&C systems include integral self-testing features. Operators have no responsibility with
regard to these self-testing features other than monitoring and responding to alarms when the
self-testing indicates problems.
Only licensed operators use the normal operator interfaces (e.g., PICS and SICS) to perform
any periodic testing which entails the operation of plant process equipment (e.g., changing
valve positions, cycling pumps and motors on and off) in strict compliance with authorized test
procedures.
During operational modes, the conventional operator interfaces (i.e., SICS devices) may
require simple lamp and horn tests. The MCR operators manually perform such tests at the
proper intervals. Because the SICS conventional device inventory is minimal, the simple
testing of the conventional panel equipment does not require additional personnel in the MCR.
Routine calibration and testing within the digital I&C system should be performed from the
I&CSC engineering workstation and service units and should have minimal impact on MCR
operations. A monitor with access to operational displays but with no control capabilities is
provided in the I&C Service Center to support such activities.
4.3 Expectations for Handling Operational Occurrences
4.3.1 Abnormal Operations and Incidents
Abnormal operations refer to incidents that may occur once or more during the life of the plant
and result, at worst, in a reactor trip with the plant capable of returning to power. These
incidents are easily recognized and identifiable. Operator responses to such anticipated
transients are in accordance with the event-oriented abnormal operating procedures which are
developed to support optimal responses to recognized conditions.
To support the safety of the plant, operators use the rules defined for emergency operation to
handle any abnormal incident leading to reactor trip. A return to power is only allowed after a
detailed check of the safety status of the plant has been completed.
4.3.1.1 Loss of PICS
If the following criteria are met, the PICS is considered available for use:
• Data communication with the automation level is working satisfactorily (i.e., the majority
of information and controls in the displays are not faulted, and the operator input
response is normal and without unexpected delays).
• Correlated information is consistent on PICS displays.
• A minimum of three monitors per workstation are functioning during accident conditions.
• Information on PICS displays and relevant SICS indicators are consistent.
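The four availability criteria can be evaluated mechanically from a snapshot of the PICS state, which is what a supervisory watchdog (or an operator aid) would do before the crew decides to fall back to the SICS. The following is an added example written for this page, not code from ANP-10279 or from AREVA NP; the input-latency limit, tag names, tolerances and correlation rules are assumptions, and the two snapshots are constructed rather than plant data.

```python
"""Evaluation of the four PICS availability criteria against a constructed snapshot.

Added illustration for this section; not code from ANP-10279 or from AREVA NP.
The latency limit, tag names, tolerances and correlation rules are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

INPUT_LATENCY_LIMIT_MS = 1000.0   # assumed threshold for "no unexpected delays"
MIN_MONITORS_ACCIDENT = 3         # criterion 3 in the text


@dataclass(frozen=True)
class PicsSnapshot:
    elements_total: int              # information and control elements on the active displays
    elements_faulted: int            # of those, elements currently flagged as faulted
    input_latency_ms: float          # measured operator input response time
    values: Dict[str, float]         # process values as shown on PICS
    monitors_ok: int                 # functioning monitors on the workstation
    sics_values: Dict[str, float]    # the same tags as read on the relevant SICS indicators
    tolerance: Dict[str, float]      # allowed PICS/SICS disagreement per tag


# Constructed consistency rules between correlated PICS values (criterion 2).
CORRELATION_RULES: List[Tuple[str, Callable[[Dict[str, float]], bool]]] = [
    ("RCP1 running implies loop 1 flow",
     lambda v: not v["RCP1_RUNNING"] or v["LOOP1_FLOW_PCT"] > 50.0),
    ("loop 1 flow implies RCP1 running",
     lambda v: v["LOOP1_FLOW_PCT"] <= 50.0 or bool(v["RCP1_RUNNING"])),
]


def pics_available(s: PicsSnapshot, accident_conditions: bool) -> Tuple[bool, List[str]]:
    """Return (available, failed_criteria); PICS is available only when the list is empty."""
    failed: List[str] = []

    # Criterion 1: communication with the automation level is satisfactory, i.e. the
    # majority of elements are not faulted and operator input responds without delay.
    if 2 * s.elements_faulted >= s.elements_total:
        failed.append(f"{s.elements_faulted}/{s.elements_total} display elements faulted")
    if s.input_latency_ms > INPUT_LATENCY_LIMIT_MS:
        failed.append(f"input response {s.input_latency_ms:.0f} ms exceeds {INPUT_LATENCY_LIMIT_MS:.0f} ms")

    # Criterion 2: correlated information on the PICS displays is consistent.
    for name, rule in CORRELATION_RULES:
        try:
            consistent = rule(s.values)
        except KeyError:
            consistent = False            # a missing tag cannot be shown to be consistent
        if not consistent:
            failed.append(f"correlated information inconsistent: {name}")

    # Criterion 3: at least three monitors per workstation during accident conditions.
    if accident_conditions and s.monitors_ok < MIN_MONITORS_ACCIDENT:
        failed.append(f"only {s.monitors_ok} monitors functioning under accident conditions")

    # Criterion 4: PICS displays agree with the relevant SICS indicators.
    for tag, sics_v in s.sics_values.items():
        pics_v = s.values.get(tag)
        if pics_v is None or abs(pics_v - sics_v) > s.tolerance.get(tag, 0.0):
            failed.append(f"PICS/SICS disagree on {tag}: {pics_v} vs {sics_v}")

    return (not failed, failed)


# Constructed snapshots, not plant data.
TOLERANCES = {"PZR_PRESS_MPA": 0.3, "SG1_LEVEL_PCT": 2.0}
HEALTHY = PicsSnapshot(
    400, 12, 250.0,
    {"RCP1_RUNNING": 1.0, "LOOP1_FLOW_PCT": 98.0, "PZR_PRESS_MPA": 15.5, "SG1_LEVEL_PCT": 52.0},
    4, {"PZR_PRESS_MPA": 15.4, "SG1_LEVEL_PCT": 51.0}, TOLERANCES)
DEGRADED = PicsSnapshot(
    400, 230, 4200.0,
    {"RCP1_RUNNING": 1.0, "LOOP1_FLOW_PCT": 0.0, "PZR_PRESS_MPA": 15.5, "SG1_LEVEL_PCT": 52.0},
    2, {"PZR_PRESS_MPA": 13.0, "SG1_LEVEL_PCT": 51.0}, TOLERANCES)

if __name__ == "__main__":
    for label, snap in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(label, pics_available(snap, accident_conditions=True))
```

Criterion 4 is the one that matters most for a crew deciding whether to trust PICS: a display that is fast and internally consistent but disagrees with the Class 1E indicators is still not a basis for control actions, and the check keeps the disagreeing tag and both values so that the operators can compare them directly.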
4.3.1.2 Loss of Computerized I&C
Loss of computerized I&C refers to the loss of I&C systems other than, or in addition to, the
PICS. If the PICS is available, status flags are assigned to the affected display elements on
the screens to identify the unavailable indicators and controls. Additionally, the PICS includes
I&C system status displays, which present faults occurring in the various I&C systems.
When the PICS is unavailable, the operator performs operations from the SICS including the
QDS. Depending on plant conditions and the availability of systems, the operators may use
the SICS and QDS to maintain steady state operations or commence shutdown to a safe state
via conventional SICS controls. The operating manual should identify actions that are required
for dealing with the loss of computerized I&C systems and measures that establish the priority
of the actions implemented with the remaining conventional systems.
4.3.1.3 Loss of Electronic Operating Procedures
Hard copy backups of operating procedures are provided in the MCR and the TSC to address
a loss of the operating procedure computer. Electronic procedures should contain means of
navigating to appropriate HSI screens necessary to control or monitor response for the
required procedure steps. Aside from the navigation and layout differences and the availability
of live data, the electronic and hard copy procedures contain the same information in the same
format.
4.3.2 Emergency Operations and Accidents
Emergency procedures provide direction for the operators to mitigate the consequences of
transients and accidents that result in exceeding reactor protection system or engineered
safety features actuation setpoints or require a plant shutdown. The emergency procedures
for the U.S. EPR will be based on emergency procedure guidelines which will be developed
from analyses of transients and accidents that are specific to the U.S. EPR design and
operating philosophy. These analyses will include both design basis events and beyond
design basis events as required by NUREG-0737 and other requirements.
The emergency procedures for the U.S. EPR will be symptom-based procedures which will
provide guidance for the operator to mitigate transients without having to diagnose a specific
event. HSI issues will be considered during the development of these procedures to provide
reasonable assurance that the procedures support and guide operator interaction with plant
systems. The use of the procedures with the HSI will be verified and validated to provide
reasonable assurance that accepted HFE principles are incorporated.
In addition, operators will have procedures, equipment, and facilities, as a result of emergency
planning, to support an integrated response.
Key features of this plan include:
• Standard emergency classification and action level schemes to determine minimum
response measures
• Procedures for notification of response organizations (i.e., federal, state, and local
response organizations and emergency personnel)
• Adequate emergency facilities and equipment to support the emergency response (e.g.,
TSC)
• A range of protective actions for the plume exposure pathway for emergency workers
and the public
• Methods, systems, and equipment for assessing and monitoring actual or potential
offsite consequences of radiological emergency conditions
4.3.3 Loss of MCR
If the MCR becomes uninhabitable, the plant is tripped as the operators leave the MCR.
Operators should use the PICS or SICS to conduct further shutdown activities in the RSS.
Emergency operations are not postulated from the RSS. Recovery operations should not be
attempted from the RSS, considering the possibility of later emergency situations after the
MCR is abandoned.
5.0 DESIGN CONTROL PROCESS
5.1 Generic Design Control
The purpose of the design control process is to define the method used to provide control of
design, design verification, and analysis activities. The AREVA NP design control process
procedure as described in the AREVA NP Inc. Quality Assurance Plan (QAP) for Design and
Deployment of the U.S. Evolutionary Power Reactor (U.S. EPR) Topical Report (Reference 13)
contains a controlled, logical, systematic, and comprehensive flowchart and a hierarchy of
design information to expeditiously and correctly integrate and transform design inputs into
design outputs. The design control process facilitates the translation of high level
requirements to lower level requirements, design inputs to design outputs, and high level
design features to lower level subsystem and component design features. The process also
either integrates the various design control measures described below as part of the process
procedure or incorporates various design control measures in the procedure by reference.
The design control process develops a design and establishes a design configuration in the
AREVA NP records management system (RMS). Once released to the RMS, documents
produced within the design control process become part of the design configuration.
U.S. EPR project management establishes the scope, objectives, requirements, and safety
classification in writing for the responsible design organizations. These procedures govern the
preparation and review of design documents and also establish methods for the identification
and control of design interfaces, the coordination among participating design organizations,
and the review, approval, release, distribution, and revision of documents.
The appropriate engineering organization prepares, reviews, approves, and verifies design
documents for items and services within their respective area. Procedures are established to
promote adequacy and accuracy of design documentation. The following are types of design
documents that support facility design, construction, and operation:
• Plant technical requirements
• System design requirements
• System descriptions
• Design drawings
• Design analyses
• Computer program documentation
• Specifications and procedures
These documents specify technical and quality requirements that are appropriate to the
activities they cover. A qualified individual other than the preparer of the document performs
an independent review of the documents for completeness and technical accuracy. Revisions
to approved design documents are considered design changes and are subject to the same
review and approval process as the original documents.
Verification methods include independent review of design documents, design analyses (i.e.,
calculations), design review boards, and design verification testing. Calculations can either
establish design requirements or verify the design. The analyst documents the purpose,
assumptions, methods, design input data, results, and conclusions of the calculation in a
manner that an independent reviewer can verify the technical accuracy of the calculation.
Independent reviewers should be competent in the particular type of analysis. Design Review
Boards (DRB) are conducted in accordance with written procedures for new designs and major
changes to the existing design configuration as determined by the responsible technical
manager and project management. When engineering judgment concludes that design
analyses or previous experience cannot substantiate a design or design feature, testing is
performed for design verification.
An integrated Quality Assurance (QA) organization oversees audits of design documents for
the inclusion of appropriate QA requirements. Deviations from specified quality standards are
identified and controlled in accordance with written procedures. Reference 13 provides a
description of the QA organization and the QAP requirements, including an overview of the
design control process.
5.2 Human Factors Engineering Design Control
The HFE and Control Room Design Team reports through the Manager of I&C Engineering to
U.S. EPR project management. The HFE and Control Room Design Team is required to
follow the same design processes as other engineering disciplines, per Reference 13, and is
accountable for verifying the quality of the HSI and control room layout. The reporting lines for
the HFE and Control Room Design Team are shown in Figure 5.2-1.
Figure 5.2-1—HFE Control Room Design Functions and Reporting
[Figure 5.2-1 is an organization chart not reproduced here; its boxes are labelled: U.S. EPR Project Management; Manager I&C Engineering; Program Manager HFE and Control Room Design; HFE Advisors; Automation Systems Design; Control Rooms Design; Human Factors Design; HSI Design; Local Control Station Design]
The human factors engineering aspects of control room design are performed in accordance
with Reference 13 and under the guidelines of the AREVA NP design control process.
Changes to the design configuration are performed in accordance with the AREVA NP design
change control process described in Reference 13. The process of the HFE and control room
design is described below.
The I&C Engineering organization develops the U.S. EPR I&C system designs, which includes
defining design requirements, reviewing inputs, producing system documentation, verifying
that the design inputs link to the outputs, and outlining expected acceptance testing. The HFE
and Control Room Design Team integrates the U.S. EPR I&C system designs with the HSI and
performs design and layout of the control rooms. Both functions involve an iterative process.
As described above, the documentation produced by systems and component engineering
organizations includes design requirements, system descriptions (e.g., design bases, safety
classifications), design system interfaces, drawings, calculations, and ancillary documents. A
design verification checklist is required for certain portions of the design to support the
evaluation of design adequacy.
Figure 5.3-1 shows an illustration of the design control process that has been adapted from the
process described in Reference 13. This figure shows the typical deliverables for plant design
discipline organizations and for the HFE and Control Room Design Team. Section 6.0
describes the deliverables associated with the simulator development, which are generally the
responsibility of the HFE and Control Room Design Team.
For processes not previously defined, writing guides and procedures are produced in
accordance with the design control process described in the QAP. System design
requirements decompose higher level (i.e., plant) requirements to define the design inputs for
each system. System descriptions for control rooms and for HSI platforms are produced as
roll-up documents. The documentation of the HFE and Control Room Design is included in the
system descriptions, in implementation plans for the various analyses, or in reports generated
as a result of the analyses. Appendix A provides a summary and schedule of the
documentation associated with the HFE program elements.
5.3 Control Room and HSI Design Documentation
5.3.1 HFE Program Plan
For the U.S. EPR, the HFE program plan, consistent with the guidance for the program
management element of NUREG-0711, will be described in the Design Control Document
(DCD). The HFE program plan will include descriptions of:
• General program goals and scope
• HFE Team and organization
• HFE process and procedures
• HFE issues tracking
• Technical program, including schedule milestones, activities, and input and output
documents
Figure 5.3-1—Design Control Process
5.3.2 Plant Technical Requirements Document
The Plant Technical Requirements Document (PTRD) specifies the initial design inputs for
designing a nuclear power plant to capture overall plant design requirements and restraints.
The PTRD includes the reasoning for each design input based on design considerations to
provide a consistent basis for making design decisions, accomplishing design verification
measures, and evaluating design changes. The PTRD requirements should include sufficient
detail to allow requirements to be decomposed into the requirements specified in the System
Design Requirements Documents (SDRDs). The Olkiluoto 3 (OL3) EPR reference design
provides the starting point for development of design inputs for the U.S. EPR.
5.3.3 System Design Requirements Documents
SDRDs specify design inputs for systems, structures and components which have been
decomposed from plant level inputs. SDRDs document and convey design inputs so that they
can be reviewed and approved by the responsible design organization. SDRDs are released
before subsequent design output documents to provide reasonable assurance that inputs are
specified to a level of detail necessary to permit further design activity. SDRDs include the
reason and design basis for each design input so that the basis for design decisions, changes
to the configuration, and verification measures are consistently applied. SDRDs adequately
define design inputs so that the hierarchy of their application is clear.
For the U.S. EPR HFE program, SDRDs are produced for the control rooms (i.e., MCR, TSC,
RSS, and I&CSC) and the HSIs (i.e., PICS and SICS).
5.3.4 System Description Document
A System Description Document (SDD) is the principal document which defines a system
design. The SDD describes the system design in sufficient detail to permit verification that the
design satisfies the design requirements. The SDD identifies interfaces with other systems so
that the design input requirements for each system can be understood. Cross-discipline
independent reviews of SDDs for systems which interface with non-HSI, non-control room, or
non-I&C systems are also required.
The SDD is a living document and the level of detail expands during successive iterations as
the system design develops. The final version of an SDD is used to write the system
equipment specification, which is used to procure, fabricate, and install the system.
SDDs follow a predefined format and require specific content, which includes:
• System and component functions
• General description
• Operation
• Design requirements and how the design accomplishes the requirements
• Interface requirements
• Operational aspects (e.g., testing, installation, inspection, and maintenance)
• Technical system specifications
To prevent unverified design information from being incorporated as verified during successive
iterations, unverified design information is identified as such via a separate process.
In addition to providing a description of the design of the HSI hardware, the SDD for each of
the HSIs provides the mechanism for capturing generic human factors requirements in
conjunction with the HSI design implementation plan (see Section 5.4.8). These documents
provide a uniform philosophy and design consistency among HSIs, including screen style and
layout guide, hierarchy of and navigation between screens, alarm system operation, electronic
procedure system, plant information system, and hard-wired control integration in panels and
workstations.
Within the U.S. EPR HFE program, SDDs are produced for the control rooms (i.e., MCR, TSC,
RSS, and I&CSC) and the HSIs (i.e., PICS and SICS). The SDDs reference applicable layout
drawings for the control room floors. The SDDs for the MCR and RSS contain the design and
layout for workstations, which includes drawings and text but not individual screen
designs.
5.3.5 Specifications
A specification document defines the technical characteristics and design requirements of
system equipment to procure, fabricate, and install the components of that system. An SDRD
specifies the system level design requirements and their technical bases. An SDD only needs
to specify the component level design requirements which are satisfied for the system to
perform its intended functions. An equipment specification may be used to specify other
component requirements.
As part of the design control process described in Reference 13, a specification contains the
following sections:
• Scope
• Definitions
• Design requirements
• Material requirements
• Fabrication requirements
• Examination and testing requirements
• Cleaning and preparation for shipping requirements
• Quality assurance requirements
• Engineering documentation requirements
• Technical proposal requirements
• Contract information
As shown in Figure 5.3-1, specifications are produced for the HSI system equipment and for
associated sub-functions for the control rooms (e.g., lighting, sound isolation, HVAC
requirements).
5.4 HFE Program (NUREG-0711) Design Elements
5.4.1 Introduction
The following sections describe the application of HFE program elements (as listed in
NUREG-0711) to the design of the U.S. EPR.
5.4.2 HFE Program Management
The HFE program plan should demonstrate that:
• The HFE is integrated into the plant development, design, and evaluation.
• HFE products (e.g., HSIs, procedures, and training) allow the safe, efficient, and reliable
performance of operation, maintenance, test, inspection, and surveillance tasks.
• HFE products reflect "state-of-the-art human factors principles" [10 CFR 50.34(f)(2)(iii)
(Reference 1) and 10 CFR 52.47(a)(1)(ii) (Reference 4)] and satisfy all specific
regulatory requirements.
The objective of this element is to demonstrate that the HFE design team has the
responsibility, authority, placement within the organization, and composition to provide
reasonable assurance that the design commitment to HFE is met. Also, the team should be
guided by a plan to verify that the HFE program is properly developed, executed, overseen,
and documented. This plan describes the technical program elements ensuring that the HSI,
procedures, and training are developed, designed, and evaluated on the basis of a structured
analysis using accepted HFE principles.
To correspond with the review criteria of NUREG-0711, Section 18 of the DCD will be
organized in a similar fashion. Successive sections of this document describe the technical
program for HFE. Sections 2.0, 5.2, and 5.5 of this document describe the general HFE
program goals and scope, HFE process and procedures, and HFE issues tracking
respectively. The DCD will contain more details related to each of the topics.
5.4.2.1 HFE Team and Organization
The HFE and Control Room Design Team reports through the Manager of I&C Engineering to
U.S. EPR project management. The HFE and Control Room Design Team follows the same
design processes as other engineering disciplines and is accountable for the quality of the HSI
and control room layout to meet the requirements of the QAP. Figure 5.2-1 shows the
reporting lines for the HFE and Control Room Design Team.
5.4.2.1.1 Responsibility
The HFE and Control Room Design Team is responsible for verifying the following design
facets:
• Location and accessibility requirements for the control rooms and other control stations
• Layout of the control rooms, including the location and design of individual displays,
panels, and workstations
• Basic concepts and detailed design for information displays, controls, and alarms for the
control rooms and other control stations
• Coding and labeling conventions for control room components and plant displays
• Design of the screen-based HMI, including standard dialogues for access to information
and controls and actual screen layout
• Requirements for the physical environment of the control rooms (e.g., lighting,
acoustics, temperature, humidity, and air flow)
• Layout of operator workstations and work space
• V&V of the control rooms design
The HFE and Control Room Design Team performs other activities, such as program concepts
or the designer’s input for COL applicants for operating procedure development, staffing
requirements, and training, which are described in successive sections. The HFE and Control
Room Design Team also coordinates HFE requirements with portions of the U.S. EPR design
that are not conducted by I&C Engineering (i.e., LCSs for non-I&C equipment).
5.4.2.1.2 Organizational Placement and Authority
The HFE and Control Room Design Team consists of the Manager of I&C Engineering, the
Program Manager of HFE and Control Room Design, and individual members of the New
Plants Engineering organization. The Manager of I&C Engineering is responsible for the
design of the U.S. EPR I&C systems, including the HSIs, and reports to U.S. EPR project
management. For the purposes of HFE and control room design, the Program Manager of
HFE and Control Room Design and individual members of the New Plants Engineering
organization report to the Manager of I&C Engineering.
As the design evolves, the structure of the HFE and Control Room Design Team may change;
however, the functions required of the team do not transfer to any other organization.
The Program Manager of HFE and Control Room Design acts as the technical project
manager and is responsible for the HSI design and for integration of the HSI with the overall
plant design. The Program Manager of HFE and Control Room Design also coordinates the
functional design for the control rooms and tracks the HFE issues as described in Section 5.5.
A number of advisors selected by the Program Manager of HFE and Control Room Design
review and comment on the documentation developed by the team, provide supplemental
expertise for non-I&C and non-HFE aspects of the design, and oversee the general progress
of the design.
5.4.2.1.3 Composition
The HFE and Control Room Design Team is composed of individuals experienced in various
technical disciplines. The Program Manager of HFE and Control Room Design leads the team
and is responsible for integration of the technological input. The Program Manager of HFE
and Control Room Design has experience in managing multi-discipline designs and
operational systems. The technical discipline expertise required on the team includes:
• Technical Project Management
• Systems Engineering
• Nuclear Engineering
• I&C Engineering
• Architect Engineering
• HFE
• Plant Operations
• Computer System Engineering
• Plant Procedure Development
• Personnel Training
• Security Engineering
• Maintainability and Inspectability Engineering
• Reliability and Availability Engineering
The members of the HFE and Control Room Design Team who are assigned design functions
in other disciplines may act as technical consultants and advisors for portions of the HFE and
control room design. Specifically, periodic DRBs (see Section 5.1) coordinated by the
Program Manager of HFE and Control Room Design promote the discussion and resolution of
common issues. Minutes are published for each DRB, and action items are tracked via the
HFE Issues Tracking System (Section 5.5). In this way, HFE issues are integrated into the
overall U.S. EPR design and other discipline issues are incorporated in the HFE program.
The section below describes the qualifications and responsibilities of the individual technical
discipline participants.
5.4.2.1.4 Team Member Responsibilities and Qualifications
The professional experience of the HFE and Control Room Design Team collectively satisfies
the qualifications presented below. The technical disciplines described do not necessarily
equate to a single individual. Greater emphasis is placed on experience than on education
credentials. Also, individual team members may report administratively to various discipline
design leads. For the purposes of the HFE and control room design, individual team members
report functionally to the Manager of I&C Engineering through the Program Manager of HFE
and Control Room Design.
• Technical Project Management
- Minimum Qualifications
♦ Bachelor's degree
♦ 5 years of experience in nuclear power plant design or operations
♦ 3 years of management experience
- Responsibilities
♦ Develops and maintains the schedule for the HFE design process
♦ Provides a central point of contact for the management of the HFE design and
implementation process
• Systems Engineering
- Minimum Qualifications
♦ Bachelor of Science degree
♦ 4 years of cumulative experience in at least three of the following areas of
systems engineering: design, development, integration, operation, and test and
evaluation
- Responsibilities
♦ Provides knowledge of the purpose, operating characteristics, and technical
specifications of major plant systems
♦ Provides input to HFE analyses, especially the function analysis and task
analysis
♦ Participates in the development of procedures and scenarios for task analyses
and integrated system validation
• Nuclear Engineering
- Minimum Qualifications
♦ Bachelor of Science degree
♦ 4 years of experience in nuclear design, development, testing, or operations
- Responsibilities
♦ Provides knowledge of the processes involved in reactivity control and power
generation
♦ Provides input to HFE task analyses
♦ Participates in the development of scenarios for task analyses and integrated
system validation
• I&C Engineering
- Minimum Qualifications
♦ Bachelor of Science degree
♦ 4 years of experience designing of hardware and software aspects of process
control systems
♦ Experience in at least one of the following areas of I&C engineering:
development, power plant operations, and test and evaluation
♦ Familiarity with the theory and practice of software quality assurance and control
- Responsibilities
♦ Provides detailed knowledge of the HSI design, including control and display
hardware selection, design, functionality, and installation
♦ Provides knowledge of information display design, content, and functionality
♦ Participates in the design, development, test, and evaluation of the HSI
♦ Participates in the development of scenarios for human reliability analysis (HRA),
validation, and other analyses involving failures of HSI data processing systems
♦ Provides input to software quality assurance programs
• Architect Engineering
- Minimum Qualifications
♦ Bachelor of Science degree
♦ 4 years of experience designing power plant control rooms
- Responsibilities
♦ Provides knowledge of the overall structure of the plant, including performance
requirements, design constraints, and design characteristics of the following:
control room, remote shutdown area, and LCSs
♦ Provides knowledge of the internal configuration of plant components
♦ Provides input to plant analyses
• Human Factors Engineering
- Minimum Qualifications
♦ Bachelor's degree in human factors engineering, engineering psychology, or a
similar science
♦ 4 years experience in human factors aspects of human-computer interfaces,
including process control (e.g., design, development, and test and evaluation)
♦ 4 years of cumulative experience related to the human factors aspects of
workplace design (e.g., design, development, test and evaluation of workplaces)
- Responsibilities
♦ Provides knowledge of human performance capabilities and limitations, human
factors design and evaluation practices, and human factors principles, guidelines,
and standards
♦ Develops and performs human factors analyses
♦ Participates in the resolution of human factors problems
• Plant Operations
- Minimum Qualifications
♦ Current or prior SRO license
♦ 2 years of experience in pressurized-water reactor (PWR) nuclear power plant
operations
- Responsibilities
♦ Provides knowledge of operational activities that are relevant to characterizing
tasks, HSI, and environment technical requirements
♦ Provides knowledge of operational activities to support HSI activities (e.g.,
development of HSIs, procedures, and training programs)
♦ Participates in the development of scenarios for HRA evaluations, task analyses,
HSI tests and evaluations, and V&V
♦ Participates in preliminary validation exercises on static mockups and provides
input relating to the expected plant response
♦ Participates in final validation exercises on a simulator by observing and
evaluating the subject operator’s response
• Computer System Engineering
- Minimum Qualifications
♦ Bachelor of electrical engineering or computer science degree or graduate
degree in another engineering discipline (e.g., mechanical, chemical)
♦ 4 years experience designing digital computer systems and real-time systems
applications
♦ Familiarity with the theory and practice of software quality assurance and control
- Responsibilities
♦ Provides knowledge of data processing associated with displays and controls
♦ Participates in the design and selection of computer-based equipment (e.g.,
controls and displays)
♦ Participates in the development of scenarios for HRA, validation, and other
analyses involving failures of the HSI data processing systems
• Plant Procedure Development
- Minimum Qualifications
♦ Bachelor's degree
♦ 4 years experience in developing nuclear power plant operating procedures
- Responsibilities
♦ Provides knowledge of operational tasks and procedure formats
♦ Participates in the development of scenarios for HRA evaluations, task analyses,
HSI tests and evaluations, validation, and other evaluations
♦ Provides input for the development of EOPs, procedure aids, computer-based
procedures, and training systems
♦ Participates in the development and preparation of the procedures and training
systems.
• Personnel Training
- Minimum Qualifications
♦ Bachelor's degree
♦ 4 years experience developing personnel training programs for power plants
♦ Experience in the application of systematic training development methods
- Responsibilities
♦ Develops the content and format of personnel training programs
♦ Coordinates training issues that arise from activities (e.g., HRA, HSI design, and
procedure design)
♦ Participates in the development of scenarios for HRA evaluations, task analyses,
HSI tests and evaluations, and V&V
• Security Engineering
- Minimum Qualifications
♦ Bachelor of Science degree
♦ 4 years experience in security systems engineering
- Responsibilities
♦ Identifies security concerns
♦ Performs a system security hazard analysis
• Maintainability and Inspectability Engineering
- Minimum Qualifications
♦ Bachelor of Science degree
♦ 4 years experience in at least two of the following areas of power plant
maintainability and inspectability engineering: design, development, integration,
and test and evaluation
♦ Experience in analyzing and resolving plant I&C system or equipment-related
maintenance problems
- Responsibilities
♦ Provides knowledge of maintenance, inspection, and surveillance activities
♦ Supports the design, development, and evaluation of the control room and other
HSI components
♦ Provides input in the areas of maintainability and inspectability
♦ Participates in the development of scenarios for HSI evaluations, including task
analyses, HSI design tests and evaluations, and validation
• Reliability and Availability Engineering
- Minimum Qualifications
♦ Bachelor's degree
♦ 4 years of cumulative experience in at least two of the following areas of power
plant reliability engineering activity: design, development, integration, and test
and evaluation
♦ Knowledge of computer-based, human-interface systems
- Responsibilities
♦ Provides knowledge of plant component and system reliability and availability
and assessment methodologies
♦ Participates in human reliability analyses
♦ Participates in the development of scenarios for HSI evaluations, especially
validation
♦ Provides input to the design of HSI equipment
5.4.3 Operating Experience Review
The main purpose of conducting an operating experience review (OER) is to identify
HFE-related safety issues. The OER should provide information on the past performance of
predecessor designs (i.e., earlier designs on which the new design is based). The issues and
lessons learned from operating experience provide a basis for improving the plant design at
the beginning of the design process. This review should identify the state-of-the-art HSI that
should reduce operator errors and promote accurate evaluation and control. The OER output
demonstrates that HFE-related problems and issues in previous designs that are similar to the
current design have been identified and analyzed. In this way, negative features associated
with predecessor designs are avoided in the current design while retaining the positive
features. The OER addresses the predecessor systems upon which the design is based,
selected technological approaches (e.g., if touch-screen interfaces are planned, the HFE
issues associated with using them are reviewed), and the plant's HFE issues (e.g., generic
safety issues defined by the NRC).
The OER implementation process includes the following:
• Establishing a framework and screening system for analyzing human factor aspects of
operating experience, including evaluating defenses against potential or actual human
errors identified during the HSI design process and developing criteria for capturing
input
• Identifying and reviewing published research documents that address experience with
the HSI in different modes of operation and transitions between modes using selected
technological approaches
• Analyzing experience summary documents as applicable and integrating the insights
that support enhancement of human actions (HAs) affecting the risk and reliability of
both normal power operations (including abnormal, emergency) and outage operations
• Screening and evaluating events reported by PWR and PWR predecessor systems
upon which the design is based and other plant types with similar design features
• Obtaining and incorporating feedback from utilities on the needs of operations,
maintenance, and outage planners
• Providing input to the HFE Issue Tracking System
5.4.3.1 Sources of Information for U.S. EPR Experience Review
The HFE and Control Room Design Team provides reasonable assurance that operating
experience and the results of research relevant to safety are identified, reviewed and analyzed,
and that the lessons learned are incorporated into the HSI. These operating experience
reviews include screening and analysis of:
• Nuclear regulatory reports
- NUREGs
- AEOD event evaluation reports
- Sponsored research and national lab reports (e.g., NUREG/CR-6400, 6842)
- Event reports
• Nuclear industry reports
- EPRI reports
- NUMARC/NEI guidelines
- INPO reports
- NSAC event evaluation reports
• Other reports and information
- Shutdown probabilistic risk studies
- Applicable research in the technologies considered for the design
- Proceedings published by HFE professional societies
- Research and development and experience reports published by HSI equipment
vendors
- Review with actual users in other industries (e.g., non-nuclear power generation,
process industries, aerospace, DOD) of the above technologies
• Personnel interviews
- Utility personnel interviews
5.4.3.2 Review of Experience Information
Document reviews related to the HSI design can range from the evaluation of single event
reports to an assessment of a summarized analysis of many related events. If summarized
data are already analyzed by others and applicable to the U.S. EPR HSI design, the need to
review single event reports by the HFE team is reduced.
5.4.3.2.1 Screening
Some reports may be remotely related to the issues of designing the U.S. EPR interfaces and
some might be very relevant. To make efficient use of time, the documents identified above
are prioritized and screened for applicability to the design. This can involve several screening
steps to find the best information on, for example, safety or availability issues, the relative
importance to changes in the design, or the mode of operation. Issues are
screened as to U.S. EPR MCR, RSS, TSC, or EOF applicability and then to an engineering
issue resolved by design or needing incorporation. Once information is in the database, the
results can be queried to support other HFE tasks as needed. Issues not resolved in the
current iteration of the HSI design are placed into the HFE Issue Tracking System, which is
discussed in Section 5.5.
5.4.3.2.2 Identification of Human Factors Issues
Once the event data or analyzed reports have been considered and selected for U.S. EPR
design HFE support, they are analyzed to identify problematic operations and tasks and also
potential human factor enhancements for the HSI.
5.4.3.2.3 Documentation
The results of the review activities described above will be entered into the HFE Issues
Tracking Database for traceable records so that the U.S. EPR implementation reflects the
experience gained by the resolution of the design problems in operating plants.
The HFE Issues Tracking program described in Section 5.5 will be used to analyze HFE issues
and propose resolutions which may then be used to initiate modification (design change)
requests to be tracked by I&C Engineering. HFE issues which are analyzed and found to be of
merit in similar HSI designs will also be captured for consideration in the U.S. EPR design.
The resolution of OER issues may involve the function allocation process, changes in
automation, HSI equipment design, procedures, and training (see Table 3.1 in NUREG-0711).
An output report will summarize the results contained in the evaluations of operating
experience, events, and HAs. The report will summarize relevant human performance issues,
sources and consequences of human errors, and HSI design elements that contribute to
enhanced human performance and decreased human error probabilities. Also, the output
report will point to effects on the HSI design or the elements of the process which may be
required to resolve the selected issue. This report will be updated periodically to coincide with
the scheduled HFE program-related DRB meetings (see Section 5.4.2.1) so that the current
state of resolution of HFE issues can be reviewed and resolved.
5.4.4 Functional Requirements Analysis and Function Allocation
Functional requirements analysis (FRA) is the identification of functions that must be
performed to satisfy plant safety objectives to prevent or mitigate the consequences of
postulated accidents that could damage the plant or cause undue risk to the health and safety
of the public. An FRA is conducted to:
• Determine the objectives, performance requirements, and constraints of the design.
• Define the high-level functions that must be accomplished to meet the objectives and
desired performance requirements.
• Define the relationships between high-level functions and the plant systems (e.g., plant
configurations or success paths) that perform the function.
• Provide a framework for understanding the role of controllers, whether personnel or
system, for controlling the plant.
The FRA identifies the control actions that are required to achieve the functional goals.
The Function Allocation (FA) is the analysis of these required plant control actions and the
subsequent assignment to manual control, automatic control with passive, self-controlling
phenomena, or combinations of manual and automatic control (e.g., shared control and
automatic systems with manual backup). Plant safety and reliability are enhanced by
exploiting the strengths of human and system elements, including improvements that can be
achieved through the assignment of control to these elements with overlapping and redundant
responsibilities. The FA should assign monitoring requirements for those functions which do
not require HAs to control (i.e., automated) and for alarm systems (e.g., when the monitoring
requirements are considered beyond human capabilities or to enhance human monitoring as
suggested by an OER). In addition to technological and economic considerations, the FA
should be based on HFE principles using a structured and well-documented methodology that
provides personnel with logical, coherent, and meaningful tasks. The FA should not be based
solely on technology considerations that allocate everything that the designers cannot
automate to plant personnel, which would result in an ad hoc set of activities that may
negatively affect operator performance.
As described in NUREG-0711, the intent of implementation plans for FRA and FA is to allow
the NRC staff to review the process which:
• Defines the functions of the plant which should be performed to satisfy plant safety
objectives.
• Verifies the allocation of those functions to human and system resources to:
- Provide reasonable assurance that the functions can be adequately accomplished.
- Result in a role for personnel that takes advantage of human strengths and avoids
human limitations.
The U.S. EPR is an evolutionary PWR design based on many years of operation and design
experience and utilizes the same I&C concepts as the OL3 EPR. Most plant systems and
control systems for the U.S. EPR are defined as inputs to the design.
For the U.S. EPR, the process for defining and allocating plant functions is not relevant to the
HSI design as the HSI design has evolved to a high level of detail. Implementation of a
process for FRA and FA would be equivalent to reverse engineering for the sake of creating
documentation. The FRA and FA activities for the U.S. EPR design include an examination of
the automation criteria described in Section 5.4.4.3, below, and an assessment of whether
those criteria have been properly implemented by the resulting I&C system control schemes.
The consistency of the automation implementation is reviewed in the V&V process (see
Section 5.4.11) to provide reasonable assurance that the level of automation does not promote
increased numbers of human errors. Thus, the intent of the FRA and FA process activities as
specified in Reference 6 is satisfied.
Also as a subset of the V&V process output, AREVA NP will extract, from the OL3 set of
procedures, the I&C architecture, and the detailed one-line drawings, a list of the functions that
have been automated for the OL3 plant. AREVA NP will then compare that list of functions to
the list derived for the U.S. EPR from system and function allocation activities and capture the
differences. The completed FA would then consist of those functions which are allocated
identically for OL3 and the U.S. EPR and a list of the gaps. Documentation of the design basis
and justification of design differences (gaps) will then be added to the specific SDD(s).
5.4.4.1 Defining Plant Functions which Satisfy Plant Safety Objectives
An independent, formal activity to generate, verify and validate plant EOPs is part of the U.S.
EPR design process. This procedure V&V includes an explicit identification of functions to be
performed to achieve plant safety objectives. Plant safety objectives are specifically
developed at the start of EOP development.
Section 5.4.11 describes the V&V implementation activities for the HFE design program. A
key element in the V&V implementation plan is the integrated system validation where
performance-based tests are used to determine if the HMI acceptably supports safe operation
of the plant through implementation of the EOPs. These performance-based tests are used to
verify that safety objectives are satisfied.
5.4.4.2 Verifying that the FA Results in an Advantageous Human Role
A specific objective of the HFE program V&V is to validate that the automation design
decisions have resulted in an interface that permits accomplishment of the safety functions
within human capabilities and identifies as human engineering discrepancies (HEDs) any
inappropriate function allocation observed. This V&V approach will verify that the FA utilizes
human strengths and avoids human limitations.
5.4.4.3 Automation Criteria
Automation is implemented according to the general criteria below with regard for safety,
availability, and economics. A function will be automated if it is defined as a protective function
needed to maintain a radioactive release barrier against failure. The following tasks will be
automated regardless of plant state:
• Tasks requiring a quick or highly reliable reaction.
• Functions requiring operator response within less than 5 minutes.
• Accident countermeasures required to quickly reach a controlled safe shutdown state.
• Functions that provide short term protection to prevent danger to personnel or
irreversible degradation of components; typically the manufacturer’s technological limits
are considered as the protection thresholds.
• Functions that provide component protection. These functions are interlocks which
inhibit manual or automatic startup or shutdown of a system function if the
preconditions for sound operation are not met. These functions are required to be
automated if a response is needed in less than 5 to 10 minutes.
• Monotonous and repetitive tasks that would lead to a high operator workload if not
automated or that require fast responses to maintain plant availability.
Automation may also be preferred for functions such as:
• Checking parameters against thresholds (e.g., when sequencing the plant or a system
to a different state in several steps)
• Tasks which are performed frequently during shutdown and startup
• Tasks which are of long duration, particularly during shutdown and startup
• Tasks which directly influence availability, particularly those which reduce the time for
shutdown and startup
• Tasks which increase safety by reducing challenges to the actuation of safety systems
• Tasks which increase safety by automatic actuation of safety systems
• Tasks which reduce thermal fatigue
In addition, automation should enable the plant to be operated by only one operator during
plant situations that do not involve multiple failures or events. Operation by one operator
during high activity states is not preferred.
The following automation rules are also considered when they contribute to the previously
stated automation objectives:
• System adjustment during short time span load changes
• Functions that are required to change the plant state or mode or for which failure would
lead to complicated or time consuming recovery actions
• Functions that are required for a change of plant state (e.g., power operation) if manual
execution would delay a load change
• A group of simple functions performed in parallel during plant startup or shutdown which
would cause an excessively high workload for the operators or extend the startup time
A control hierarchy between automatic and manual actions will be generated. Generally,
automatic protective actions take priority over manual actions, and manual actions take priority
over closed and open loop control functions. Automatic protective signals can be reset, but if
the plant conditions deteriorate, the signals are automatically re-initiated. Priority logic
prevents manual actuation from counteracting prior automatic commands.
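The control hierarchy just described, as an added illustration that is not part of this report or of the U.S. EPR I&C design: a hypothetical priority module for one actuator, with a constructed trip setpoint, that orders automatic protective action over manual action over loop control, honours an operator reset only after the condition has cleared, and re-initiates the protective signal automatically if conditions deteriorate again.

```python
from dataclasses import dataclass, field
from enum import Enum


class Cmd(Enum):
    """Command to a single actuator (e.g., an isolation valve)."""
    NONE = "none"     # no demand from this source this cycle
    OPEN = "open"
    CLOSE = "close"


@dataclass
class PriorityModule:
    """Hypothetical priority logic for one actuator (example only, not the U.S. EPR design).

    Ordering follows the control hierarchy in the text: automatic protective action,
    then manual action, then closed/open loop control.
    """
    trip_setpoint: float        # constructed: value at/above which protection demands action
    protective_cmd: Cmd         # the action the protection system demands, e.g. Cmd.CLOSE
    latched: bool = False       # protective signal stays in force until an accepted reset
    events: list = field(default_factory=list)

    def trip_condition(self, process_value: float) -> bool:
        return process_value >= self.trip_setpoint

    def reset(self, process_value: float) -> bool:
        """Operator reset of the protective signal; honoured only once the condition cleared."""
        if self.trip_condition(process_value):
            self.events.append("reset rejected: trip condition still present")
            return False
        self.latched = False
        self.events.append("protective signal reset by operator")
        return True

    def resolve(self, process_value: float, manual: Cmd, loop: Cmd) -> Cmd:
        """Return the command actually sent to the actuator for this cycle."""
        # 1. Automatic protective action has the highest priority. It is (re-)initiated
        #    whenever the plant condition is present, including after an operator reset.
        if self.trip_condition(process_value) and not self.latched:
            self.latched = True
            self.events.append("protective action initiated")
        if self.latched:
            if manual not in (Cmd.NONE, self.protective_cmd):
                # Manual actuation may not counteract the prior automatic command.
                self.events.append(
                    f"manual {manual.value} blocked by automatic {self.protective_cmd.value}")
            return self.protective_cmd
        # 2. Manual action takes priority over the control loops.
        if manual is not Cmd.NONE:
            return manual
        # 3. Closed/open loop control acts only when nothing of higher priority is demanding.
        return loop


def run_scenario() -> tuple:
    """Constructed sequence of cycles exercising each rule; returns (commands, events)."""
    pm = PriorityModule(trip_setpoint=100.0, protective_cmd=Cmd.CLOSE)
    out = []
    out.append(pm.resolve(50.0, Cmd.NONE, Cmd.OPEN))    # loop control in charge
    out.append(pm.resolve(50.0, Cmd.CLOSE, Cmd.OPEN))   # manual overrides the loop
    out.append(pm.resolve(120.0, Cmd.OPEN, Cmd.OPEN))   # trip: protective CLOSE, manual OPEN blocked
    out.append(pm.resolve(80.0, Cmd.OPEN, Cmd.OPEN))    # condition cleared, signal still latched
    pm.reset(80.0)                                      # operator reset accepted
    out.append(pm.resolve(80.0, Cmd.OPEN, Cmd.OPEN))    # manual OPEN now honoured
    out.append(pm.resolve(110.0, Cmd.OPEN, Cmd.OPEN))   # conditions deteriorate: re-initiated
    pm.reset(110.0)                                     # reset rejected while condition persists
    out.append(pm.resolve(105.0, Cmd.NONE, Cmd.OPEN))   # protective CLOSE remains in force
    return [c.value for c in out], pm.events


if __name__ == "__main__":
    commands, events = run_scenario()
    print(commands)
    for e in events:
        print(" -", e)
```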
5.4.4.4 Documentation of FA
Whether for an I&C system, an HSI platform, or a mechanical (i.e., fluid) or electrical system,
each SDD identifies system and component functions, contains the design basis for each
function or component in that system, and defines the system and type of control to which the
function is allocated.
5.4.5 Task Analysis
The functions allocated to plant personnel define their roles and responsibilities. HAs
accomplish these functions. HAs can be further grouped into tasks. A task is a group of
related activities with a common objective or goal. A task analysis (TA) is the identification of
requirements for accomplishing these tasks (i.e., specifying the requirements for the displays,
data processing, controls, and job support aids needed to accomplish tasks). As such, the
results of a TA are identified as inputs to many HFE activities, which form the basis for:
• Staffing, qualifications, job design, and training
• HSIs, procedures, and training program design
• Task support verification criteria definition
The objective of the HFE and Control Room Design Team TA is to identify the specific tasks
that are required to accomplish functions and the information, control, and task-support
needed to support the specific tasks.
The scope of the TA includes:
• Selected representative and important tasks from the areas of operations, maintenance,
test, inspection, and surveillance.
• A full range of plant operating modes, including startup, normal operations, abnormal
and emergency operations, transient conditions, and low-power and shutdown
conditions.
• Risk-important HAs. Internal and external initiating events and actions affecting the
probabilistic risk assessment (PRA) Level I and II analyses are considered when
identifying risk-important actions.
• The analyses for tasks with automated critical functions, including the human tasks of
monitoring the automated system and executing backup actions if the system fails.
The operating procedures for the U.S. EPR are based on the work developing procedures for
the OL3 EPR and other precursor plants. The completed operating procedures constitute an
analysis of the tasks that operators should perform to safely operate the plant. The operating
procedures should satisfy the required safety objectives to be considered completed. The
completed plant procedures are subjected to a separate verification process to evaluate their
technical effectiveness. For the U.S. EPR, the TA will consist of verification (see Section
5.4.11) that controls and displays are available and are organized to be compatible with the
intended operations, including safety objectives as a subset, as defined in the procedures.
5.4.6 Staffing and Qualifications
The plant staff and their qualifications are an important consideration throughout the design
process. The initial MCR staffing level is established based on experience with previous four
loop PWR plants and takes into account the increased levels of automation and the minimum
number of operators required by 10 CFR 50.54(m). The functions of licensed operators for the
OL3 EPR are expected to be slightly different than is typical for U.S. utilities today. Section
4.1, the concept of operations inherent in the HSI Design Plan, and initial staffing assumptions
for the U.S. EPR collectively define the job titles and expected functions for each licensed
operator. The HFE and Control Room Design Team performs systematic reviews of the
staffing assumptions concurrently with other functions.
5.4.7 Human Reliability Analysis
The HRA is an integral activity of the U.S. EPR PRA. The HRA evaluates the potential for and
mechanisms of human error that may affect plant safety. Thus, it is an essential element in
achieving the HFE design goal of providing a design that will reduce personnel errors, allow
their detection, and provide recovery capability.
The HRA is an integrated activity that supports both the HFE design and PRA activities. The
development of information to facilitate the understanding of causes and modes of human
error is an important human factors activity. Consequently, the HFE design effort should give
attention to those plant scenarios, risk-important HAs, and HSIs that have been identified by
the PRA and HRA as important to plant safety and reliability.
The U.S. EPR DCD will describe the PRA. The PRA and HRA identify risk-important HAs,
which are used as input to the HFE design effort. Risk-important HAs and their associated
tasks and scenarios will be specifically addressed during HFE task analyses activities, HSI
design, procedure development, and training. This will help verify that these tasks are well
supported by the design and within acceptable human performance capabilities. Identification
of risk-important HAs is also an input to the selection of activities to be assessed during the
Human Factors V&V process discussed in Section 5.4.11.
In the detailed design stage, personnel with operational experience will use either a plant-
specific control room mockup or simulator to perform walkthrough analyses to validate HRA
assumptions (e.g., decision making and diagnosis strategies for dominant sequences).
Reviews from the analyses should be incorporated into subsequent iterations of the PRA.
Prior to detailed design, an HRA implementation plan will be developed to enable the HFE
design activities to address the important HAs, which will reduce the likelihood of human error
and provide for error detection and the capability to recover from errors where applicable.
5.4.8 Human-System Interface Design
The HSI design process translates function and task requirements into HSI characteristics and
functions. The HSI is designed using a structured methodology that will guide designers in
identifying and selecting candidate HSI approaches, defining the detailed design, and
performing HSI tests and evaluations. The HSI design process promotes the development and
use of HFE guidelines that are tailored to the unique aspects of the design (e.g., a style guide
that defines design-specific conventions). The HSI design process promotes standardization
and consistency in applying HFE principles. The process and the rationale for the HSI design
are documented and controlled under the design control process described in Reference 13.
Acceptable display formats and alarm system processing will be resolved through the
systematic application of HFE principles and criteria and integrated under the software
management plan.
5.4.8.1 HSI Design Inputs
The following sources of information provide input to the HSI design process:
1. Analysis of Personnel Task Requirements—The analyses performed in earlier stages of
the design process are used to identify the requirements for the HSIs. These analyses
include:
- OER—The OER provides lessons learned from other complex human-machine
systems, especially previous four loop PWR designs and designs involving similar
HSI technology.
- FRA and FA—The HSIs support the operator's role in the plant (e.g., appropriate
levels of automation and manual control).
- TA—The TA provides the set of requirements to support the role of personnel. The
task analysis should identify:
♦ Tasks that are necessary to control the plant during operating conditions (i.e.,
normal through accident conditions).
♦ Detailed information and control requirements (e.g., requirements for display
range, precision, accuracy, and units of measurement).
♦ Task support requirements (e.g., special lighting and ventilation requirements).
♦ Risk-important HAs and their associated performance shaping factors, as
identified through HRA, which should be given special attention in the HSI design
process.
- Staffing, Qualifications and Job Analyses—The results of staffing and qualifications
analyses provide input for the overall control room layout and the allocation of
controls and displays to individual consoles, panels, and workstations. The
responsibilities establish the basis for the minimum and maximum number of
personnel to be accommodated and requirements for coordinating activities between
personnel.
2. System Requirements—Constraints imposed on I&C systems are evaluated throughout
the HSI design process.
3. Regulatory Requirements—Applicable regulatory requirements are inputs to the HSI
design process.
4. Other Requirements—During the evolution of the design, the HFE and Control Room
Design Team identifies other applicable requirements that are inputs to the HSI design
(e.g., utility requirements). The HFE and Control Room Design Team also coordinates
HFE requirements with portions of the U.S. EPR design which are not conducted by I&C
Engineering and for tracking HFE issues (see Section 5.5). A number of advisors
review and comment on the documentation developed by the team, provide
supplemental expertise for non-I&C and HFE aspects of the design, and oversee the
general progress of the design. Common issues are discussed and resolved during
periodic DRBs (see Section 5.1).
5.4.8.2 Concept of Operations
The concept of operations indicates the composition of the crew and the roles and
responsibilities of individual crew members based on anticipated staffing levels (see Section
4.0). The concept of operations:
• Identifies the relationship between personnel and plant automation through specifying
the crew responsibilities for monitoring, interacting with, and overriding automatic
systems and for interacting with electronic procedures and other computerized operator
support systems.
• Provides a high-level description of how personnel work with HSI resources. For
example, the concept of operations identifies how tasks are allocated between the MCR
and LCSs, where personnel execute their duties during various types of situations, what
types of information each crew member can access, and what types of information are
displayed to the entire crew.
• Addresses the coordination of crew member activities (e.g., the interaction with auxiliary
operators, coordination between maintenance and operations).
• Defines the division of responsibilities.
5.4.8.3 Functional Requirement Specification
As part of later, detailed design revisions to the HSI SDDs, the HFE and Control Room Design
Team produces functional requirements for the HSIs which address the concept of operations,
personnel functions and tasks, and requirements for a safe, comfortable working environment.
These functional requirements apply consistently to both PICS and SICS with respect to, for
example, alarms, displays, and controls.
5.4.8.4 HSI Concept Design
With respect to applicable requirements, the U.S. EPR HSI design is based on the OL3 EPR
I&C design and on operating experience and takes into account human performance issues
identified through use of similar HSI platforms. Concepts such as hierarchy and navigation
between HSI screens, alarm management, and the overall HSI architecture should remain
consistent with the OL3 EPR design as much as possible. While minor differences exist
between the MCR operating crew responsibilities of the OL3 EPR and the U.S. EPR, the types
of information available to the individual operator remain consistent. Because of language and
format requirements and differences in regulatory requirements, the actual content of display
screens used by the operators to control the plant may be different from those used at the OL3
EPR.
5.4.8.5 HSI Design and Integration
Table A-2 of Appendix A of this report contains the status of the design-specific HFE style
guide. This style guide is part of the HSI design implementation plan and is utilized in the
design of the HSI features, layout, and environment.
The HSI detailed design supports personnel in their primary plant monitoring and controlling
roles while reducing personnel secondary role demands that are associated with management
of the HSIs (e.g., window manipulation, display selection, display system navigation). Chapter
18 of the DCD will contain additional information on specific challenges that relate to the
training of operators for screen-based HSI control rooms.
For risk-important HAs, the design reduces the probability that errors will occur and increases
the probability that an error will be detected, if one occurs, and that the system is error tolerant
or permits recovery from the error, if possible.
The following factors are considered in the development of functional requirements for
monitoring and control capabilities that may be provided either in the MCR or locally in the
plant:
• Communication, coordination, and workload
• Feedback
• Local environment
• Inspections, testing, and maintenance
• Importance to safety
The layout of HSIs within consoles, panels, and workstations is based upon operator job
analyses and systematic strategies for organization (e.g., arrangement by importance,
frequency of use, and sequence of use).
Personnel and task performance is supported at the defined minimum staffing level, normal
staffing levels, and during expected worst case scenarios involving the maximum number of
personnel in control room areas.
The design process factors in the use of the HSIs when performance degradation due to
fatigue may be a concern.
HSI characteristics support human performance under the full range of environmental
conditions. For the MCR, requirements address conditions such as the loss of lighting and
loss of ventilation. For the RSS and LCSs, requirements address constraints imposed by the
ambient environment (e.g., noise, temperature, contamination). The operation of screen-
based HSI by personnel wearing protective clothing is not postulated for the U.S. EPR.
The HSIs are designed to support and not interfere with inspections, maintenance, testing, and
repair of plant equipment and the HSIs while maintaining other plant control activities.
5.4.8.6 HSI Tests and Evaluations
The HFE and Control Room Design Team develops testing and evaluation plans for the HSI
designs, which can be performed iteratively, in conformance with guidance from Section 8.4.6
of NUREG-0711.
5.4.8.7 HSI Design Documentation
The PTRD, SDRD, and SDD for each HSI system document the HSI design. Each SDD
includes the detailed HSI description, including its form, function, and performance
characteristics and the basis for the HSI requirements and design characteristics with respect
to operating experience and literature analyses, engineering evaluations, experiments, and
benchmark evaluations. The outcomes of tests and evaluations performed in support of HSI
design are documented in separate test or evaluation reports.
5.4.9 Procedure Development
Procedures are essential to plant safety because they support and guide personnel
interactions with plant systems and personnel responses to plant-related events. Procedures
and the HSI will be developed in parallel following similar processes and incorporating the
same accident analyses; the evaluation processes used are also interrelated. Human factor
principles will be applied to aspects of the interface to verify complete integration and
consistency.
For the U.S. EPR, the generic technical guidance (GTG) and U.S. EPR generic operational
guidelines are developed as part of the same design process as the HSIs and generic
operational guidelines to verify a high degree of integration and consistency.
While individual utilities in the nuclear industry have been historically responsible for
developing plant-specific procedures, AREVA NP will produce operational guidelines for the
development of plant-specific normal operating, abnormal operating, alarm response, and
EOPs that incorporate the aspects of the HSI design that are appropriate to the execution of
the COL applicant's plant-specific procedure step in question. The HFE and Control Room
Design Team is essential to the development of that process. The generic plant operational
guidelines are developed concurrent with the HSI design and are developed or modified to
reflect the characteristics and functions of the screen-based or conventional HSIs as
appropriate. Section 2.2.9 discusses the design bases for screen-based electronic operating
procedures.
The development and modification of procedures includes activities similar to those described
in NUREG-0711 as an HFE program TA. However, AREVA NP will integrate the TA activities
with the procedure development activities. The guidance for development of operational
guidelines (i.e., normal operating, abnormal operating, alarm response, and emergency
operating) will also include a description of the identification of specific tasks that are required
for accomplishing functions and the information, control, and task-support needed to support
the specific tasks. The V&V of the HSI design verifies that the final generic operating
guidelines contain the functions and tasks assigned to the plant procedures as described in
Section 5.4.11. The V&V of the procedures will be performed on the full-scope simulator with
trained operators.
The DCD will include a description of AREVA NP’s program for developing generic EOPs and
other generic operational guidelines in conformance with NUREG-0800 (Reference 8).
5.4.10 Training Program Development
Training of plant personnel is an important factor in promoting the safe and reliable operation
of nuclear power plants. Training programs help provide reasonable assurance that plant
personnel have the knowledge, skills, and abilities (KSAs) to properly perform their roles and
responsibilities. The training program design should be based on the systematic analysis of
job and task requirements as dictated by the Systematic Approach to Training (SAT) process
for developing a training program that is required for INPO accreditation. Therefore, training
program development should be coordinated with the other elements of the HFE design
process.
The training program is developed using a systematic approach. The training program
development includes the following five activities:
• A systematic analysis of tasks and jobs to be performed
• Development of learning objectives derived from an analysis of desired performance
following training
• Design and implementation of training based on the learning objectives
• Evaluation of trainee mastery of the objectives during training
• Evaluation and revision of the training based on the performance of trained personnel in
the job setting
A COL applicant that references the U.S. EPR design certification will develop a plant-specific
training program. A general framework of operational guidelines to help meet the training
program requirements is established in the sections below as input to the applicant’s training
program development.
5.4.10.1 Task Analysis
The results of the FRA, FA, and TA activities described in Sections 5.4.4 and 5.4.5 combined
with the operating procedures of the plant, HRA, and OER serve as inputs to the generic
training program development. These analyses are generated during the detailed design
process and identify the range of operational tasks that trainees are required to perform. The
HFE program V&V process will be used to validate or revise the results of the above analyses.
Detailed results of the V&V process will be supplied for use in plant-specific training program
development.
5.4.10.2 Learning Objectives
The resulting operational tasks required of plant personnel should be analyzed to identify the
learning objectives to be met to successfully complete these tasks. This process provides a
comprehensive outline of the KSAs required for the operators to successfully execute the
identified activities and tasks. AREVA NP anticipates that a significant overlap will exist
between the KSAs required for the U.S. EPR compared with the KSAs of currently operating
U.S. plants. Use of the screen-based HSI will require emphasis on developing secondary
interface management task proficiency (e.g., screen navigation) to allow operators to focus
their attention on the more important plant and process monitoring and control tasks.
5.4.10.3 Design and Implementation of Training
The learning objectives and KSAs identified in the step above should be incorporated into the
plant-specific training program. These learning objectives should be based on the actions
required to raise the operator’s KSAs (identified in the previous step) to the level of proficiency
required to successfully accomplish the tasks identified. Knowledge should be taught within
the context of actual tasks to facilitate the ability of operations personnel to apply it in the work
environment.
5.4.10.4 Evaluation of Trainee Mastery
The trainees should be evaluated to determine their mastery of the learning objectives taught.
Methods for this evaluation should include written and oral tests, as well as a review of
personnel performance during walkthroughs, simulator exercises, and evaluation of on-the-job
performance.
5.4.10.5 Evaluation and Revision of Training
The training program should be evaluated for overall effectiveness using defined methods. If
training objectives are not being met effectively, the training program should be revised to
resolve such issues. When the training program is modified to update content or training
methods, the changes should be tracked. Operations personnel are retrained periodically to
remain effective operators.
Specific training objectives that are unique to operation of the U.S. EPR will be identified by
AREVA NP.
5.4.11 Human Factors Verification and Validation
V&V evaluations confirm that the design conforms to HFE design principles and enables plant
personnel to successfully perform their tasks to achieve plant safety and other operational
goals. Four activities are associated with the V&V of HSI design:
• Operational conditions sampling
• Design verification
- HSI task support verification
- HFE design verification
• Integrated system validation
• Human factors issue resolution verification and HED resolution
A sampling strategy should be devised to guide the selection of operating conditions to be
reviewed.
Design verification includes both HSI task support verification and HFE design verification.
HSI task support verification evaluates whether the HSI supports the personnel task requirements
defined by task analyses. HEDs are identified when the HSI does not fully support the
identified personnel task requirements (i.e., controls or information are not available, or are not
displayed in the proper format (control type, precision, etc.) for the specific task), or when HSI
components are present that may not be needed to support personnel tasks or that
impede personnel tasks. HFE design verification is a static evaluation that verifies that the
individual HSI components and details accommodate the human capabilities and limitations
reflected in HFE guidelines. HEDs are identified if the design is inconsistent with the
project-specific HFE guidelines.
Integrated system validation is an evaluation using performance-based tests to determine if an
integrated system design (i.e., hardware and software elements) meets performance
requirements and sufficiently supports the safe operation of the plant. HEDs are identified if
performance criteria are not met.
HED Resolution is an activity that should be performed iteratively with V&V. Issues identified
during a V&V activity are resolved prior to conducting other V&V activities. The preferred order
is HSI task support verification, HFE design verification, and integrated system validation,
although iteration may be necessary.
V&V is documented throughout the HSI design process as directed by Reference 13. The
V&V implementation plan identifies HSI test and evaluation activities. Mid-design process
tests are distinguished from V&V because they are activities that explore and evaluate HSI
subsystem design issues (e.g., the coding techniques used in the alarm system). The V&V
plan activities include integrated system validation using performance-based tests to determine
whether the HMI sufficiently supports the safe operation of the plant and whether the safety
objectives are satisfied through implementation of the EOPs. The TA determines which controls
and displays will be required for the intended operations, with safety objectives as a subset, as
defined in the procedures.
V&V is considered a test that evaluates whether final design requirements are met. The V&V
of the EOPs and other procedures will be the ultimate demonstration that the HSI design is
acceptable.
5.4.12 Design Implementation
5.4.12.1 Final Plant HFE Design Verification
Aspects of the design not addressed during V&V are evaluated later using an appropriate
method. Aspects of the design addressed at this stage may include design characteristics
(e.g., displays for plant-specific design features) and features that cannot be evaluated in a
simulator (e.g., MCR noise and HVAC).
The final (i.e., as-built) HSIs, procedures, and training program are compared with the detailed
design description to verify that they conform to the design that resulted from the HFE design
process activities. Identified discrepancies are either corrected or justified.
HFE-related issues documented in the HFE issue tracking system (Section 5.5) will be verified
as having been adequately addressed.
The design implementation plan verifies the HFE considerations of the following aspects of the
HSI design against NUREG-0700 or other applicable guidance:
• Layout and arrangements for control rooms with HSI equipment
• Communications equipment
• Lighting
• Habitability systems
• Operating procedures system
• Training manuals
The design implementation verifies:
• Aspects of the design that are either partially verified or unverified prior to operation at
the site
• The as-built HSI designs are consistent with final design specifications, user and trainee
manuals, and operating and maintenance procedures
• The final MCR, RSS, and LCS layouts
• Any design modifications (e.g., display changes) resulting from pre-operation and
startup testing
• Resolution of any open HFE issues
• That the final installed design and its performance criteria are described and
documented
5.4.13 Human Performance Monitoring
The human performance monitoring strategy provides reasonable assurance that the
confidence developed by the completion of the integrated system validation is maintained over
time. The integrated system validation is not intended to be repeated; however, the human
performance monitoring strategy is intended to discover evidence that plant personnel have
maintained the skills that are necessary to accomplish the assumed actions.
The human performance monitoring strategy verifies that no significant safety degradation
occurs because of any changes that are made in the plant and provides adequate assurance
that the conclusions drawn from the original integrated system evaluation remain valid over
time.
5.5 Human Factors Engineering Issues Tracking
The Program Manager of HFE and Control Room Design tracks HFE and control room design
issues. The AREVA NP corrective action program is used as a database to track issues that
are known to the industry or identified throughout the life cycle of the HFE and HSI design,
development, and validation. The corrective action program database enables the tracking
and documentation of issues which should be addressed during the life of the project. Several
levels and types of reviews may generate input to the corrective action program database. As
a minimum, these reviews include operating experience, design review board, and cross-
discipline reviews.
Each issue that is tracked in the corrective action program database is assigned a unique
tracking number and then assigned to an individual for disposition. Each issue requires the
documentation of actions taken to address the issue and final resolution of the issue.
The tracking of HFE and control room design issues is accomplished within the framework of
the QAP and overall plant design process. The HFE and control room design issues which are
determined to be deviations from the standard design are escalated to a design review and
issue resolution process.
6.0 SIMULATOR DESIGN ACTIVITIES
The U.S. EPR design process includes the use of a full-scale simulator that meets the
requirements of 10 CFR 50.34(f)(2)(xii)(C)(2)(i) to perform V&V testing and operator training.
This simulator will be a replica of the U.S. EPR MCR and include the equipment and
functionality of the U.S. EPR MCR.
The simulator software will be designed to properly emulate plant and system response to a
change in one or more plant or system variables. Operators manipulate controls on operator
workstations to initiate changes in plant or system variables in the replicated MCR. The
simulator staff members can also change plant or system variables from the special simulator
control workstation located outside of the simulated MCR.
The design of the full-scale simulator will occur during the detailed design phase of the U.S.
EPR project. AREVA NP expects that when simulator design activities commence, non-safety-
related I&C detailed design and safety-related I&C detailed design should be about half
complete. The completion of the simulator design will occur after the I&C detailed design work
is complete and the U.S. EPR generic operating guidelines are written.
When complete and certified according to ANSI/ANS-3.5-1998 (Reference 11), the U.S. EPR
full-scale simulator will be used to complete the V&V element of the HFE program, as well as
the V&V of the I&C system design and the plant operating procedures. The completed full-scale
simulator should also be used for initial and continuing training of U.S. EPR plant operators.
7.0 REFERENCES
U.S. Regulations
1. 10 CFR 50.34, “Contents of Application; technical information.”
2. 10 CFR 50.54, “Conditions of Licenses.”
3. 10 CFR 50, Appendix A, “General Design Criteria for Nuclear Power Plants.”
4. 10 CFR 52.47, “Contents of Applications.”
U.S. Regulatory Guidance
5. NUREG-0700, “Human-System Interface Design Review Guidelines,” Revision 2.
6. NUREG-0711, “Human Factors Engineering Program Review Model,” Revision 2.
7. NUREG-0737, “Clarification of TMI Action Plan Requirements,” Revision 0.
8. NUREG-0800, “Standard Review Plan for the Review of Safety Analysis Reports for
Nuclear Power Plants,” Revision 2.
9. NUREG-1021, “Operator Licensing Examination Standards for Power Reactors,” Revision 9.
U.S. Industry Standards
10. ACAD 97-004, “Guidelines for Shift Manager Selection, Training and Qualification, and Professional Development.”
11. ANSI/ANS-3.5-1998, “Nuclear Power Plant Simulators for Use in Operator Training and Examination.”
12. NEI 99-02, Revision 4, “Regulatory Assessment Performance Indicator Guideline,” April 2006.
AREVA NP Documents
13. AREVA NP Topical Report, ANP-10266NP, “AREVA NP Inc. Quality Assurance Plan (QAP) for Design and Deployment of the U.S. Evolutionary Power Reactor (U.S. EPR) Topical Report,” September 2006. (Enclosure to letter, Ronnie L. Gardner (AREVA NP Inc.) to Document Control Desk (NRC), “Request for Review and Approval of ANP-10266NP, ‘AREVA NP Inc. Quality Assurance Plan (QAP) for Design and Deployment of the U.S. Evolutionary Power Reactor (U.S. EPR) Topical Report’,” NRC:06:038, September 22, 2006.)
APPENDIX A
SUMMARY OF HUMAN FACTORS ENGINEERING PROGRAM ELEMENT DEVELOPMENT
Table A-1—Design Control Process Document Development

| Design Control Process | Document | Description | Schedule |
|---|---|---|---|
| SDRDs | MCR | System level input requirements | Complete |
| SDRDs | TSC | System level input requirements | Complete |
| SDRDs | RSS | System level input requirements | Complete |
| SDRDs | I&CSC | System level input requirements | TBD |
| SDRDs | PICS | System level input requirements | Complete |
| SDRDs | SICS | System level input requirements | Complete |
| SDDs | MCR | System level design outputs, detail; iterated as design inputs are verified. | Revision 0 - 2Q CY2007 |
| SDDs | TSC | System level design outputs, detail; iterated as design inputs are verified. | Revision 0 - 2Q CY2007 |
| SDDs | RSS | System level design outputs, detail; iterated as design inputs are verified. | Revision 0 - 2Q CY2007 |
| SDDs | I&CSC | System level design outputs, detail; iterated as design inputs are verified. | TBD |
| SDDs | PICS | System level design outputs, detail; iterated as design inputs are verified. | Complete |
| SDDs | SICS | System level design outputs, detail; iterated as design inputs are verified. | Complete |
| Layout Drawings | 53 ft. Elevation | Floor layout including MCR, I&CSC, and Integrated Operations Area (TSC, work control, operations office) | Revision 0 - 1Q CY2007 |
| Layout Drawings | 39 ft. Elevation | Floor layout including RSS | Revision 0 - 1Q CY2007 |
| Layout Drawings | Workstation layouts | Showing inventory of conventional controls and placement of PICS monitors and QDS displays. | Detailed Design |
| Specifications | PICS | Procurement, fabrication, and installation requirements. | Detailed Design |
| Specifications | SICS | Procurement, fabrication, and installation requirements. | Detailed Design |
| Specifications | Lighting, sound isolation, HVAC requirements | Procurement, fabrication, and installation requirements. | Detailed Design |
Table A-2—HFE Program Elements Development

| HFE Program Element (NUREG-0711) | Implementation Plan: Explanation | Implementation Plan: Schedule | Output Results: Explanation | Output Results: Schedule |
|---|---|---|---|---|
| HFE Program Management | To be described in the DCD | Complete | N/A | N/A |
| OER | Internal process documented; summarized in the DCD. | Complete | Summarizes results contained in evaluations; points to effects on the HSI design or the elements of the process required to resolve the selected issue. Tracks results to the HFE Issues Tracking database. Periodically updated. | Detailed Design |
| FRA and FA | Not produced for U.S. EPR design. Based on OL3 functional assignments and assessment against automation criteria. | N/A | Consists of documentation (within V&V output) of design basis and justification for functions not allocated identically for OL3 and the U.S. EPR. Added to specific SDD(s). | Detailed Design |
| TA | Not produced for U.S. EPR design. Based on completed (separately verified) operating procedures for OL3 and U.S. EPR which satisfy required safety objectives. | N/A | Consists of documentation (within V&V output) that controls and displays have been verified to be available and compatible with the intended operations as defined in the procedures. | Detailed Design |
| Staffing and Qualifications | Internal assumption documented; summarized in the DCD. | Complete | Consists of justification (within V&V output) that operating staff numbers are able to cope in all situations. | Detailed Design |
| HRA | Implementation plan enables design activities to address critical HAs, risk important tasks, and human error mechanisms to minimize the likelihood of human error and to provide for detection of and recovery capability for errors. See schedule for review availability. | 2Q CY2007 | Results summary evaluates human-error mechanisms in the HFE design and integration of HFE and PRA and risk analysis programs. | Detailed Design |
| HSI Design | Several smaller plans are part of the HSI design implementation plan: 1. Concept of operations; 2. Hierarchy and navigation; 3. Alarm management; 4. Overall architecture. OL3 design allows us to put these together now. | 1Q CY2007 | HSI design documented in final SDDs for PICS and SICS and within V&V output. | Detailed Design |
| Procedure Development | The DCD will include a description of the U.S. EPR program for developing EOPs and the required content of the EOPs | Complete | See Task Analysis output for how procedures are related and utilized. | Detailed Design |
| Training Program Development | Specific training objectives for U.S. EPR included in the DCD (COL applicant responsibility) | Complete | See Simulator Design Activities | Detailed Design |
| Human Factors V&V | Identifies HSI test and evaluation activities. Mid-design process tests explore and evaluate HSI subsystem issues. Integrated system validation uses performance-based tests to determine if the HMI supports safe operation of the plant and that safety objectives are satisfied through implementation of the EOPs. See schedule for review availability. | 2Q CY2007 | HSI task support verification evaluates whether the HSI supports personnel task requirements defined by task analyses. HFE design verification verifies that the HSI accommodates human capabilities and limitations as reflected in HFE guidelines. HED Resolution is performed iteratively with V&V. Issues identified during a V&V activity are resolved prior to conducting other V&V activities. V&V is documented throughout the process as directed by the QAP. The V&V implementation plan identifies HSI test and evaluation activities. Mid-design process tests explore and evaluate HSI subsystem issues. Integrated system validation uses performance-based tests to determine if the HMI supports safe operation of the plant and that safety objectives are satisfied through implementation of the EOPs. The TA determines which controls and displays should be required for the intended operations, with safety objectives as a subset, as defined in the procedures. V&V is considered to be a test that evaluates that final design requirements are met. The V&V of the EOPs and other procedures should be the ultimate demonstration that the HSI design is acceptable. | Detailed Design |
| Design Implementation | Implementation Plan describes how to verify HFE considerations for HSI design against NUREG-0700 or other applicable guidance: layout and arrangements for control rooms with HSI; communications equipment; lighting; habitability systems; operating procedures system; training manuals. | 3Q CY2007 | Summarizes the “as-built” design as an accurate reflection of the design as it was V&V’d. | Detailed Design |
| Human Performance Monitoring | Implementation Plan describes how to provide reasonable assurance that no significant safety degradation occurs because of changes made to the plant and to provide adequate assurance that conclusions drawn from the evaluation remain valid over time. | 3Q CY2007 | N/A | N/A |