KEPCO & KHNP Basic HSI Platform APR1400-E-J-NR-12009-NP, Rev. 0
KEPCO & KHNP
Basic Human-System Interface Platform
Technical Report
September 2013
Copyright ⓒ 2013
Korea Electric Power Corporation & Korea Hydro & Nuclear Power Co., Ltd
All Rights Reserved
Non-Proprietary
Revision History
Revision    Page (Section)    Description
0           All               Issue for Standard
This document was prepared for the design certification application to the U.S. Nuclear Regulatory Commission and contains technological information that constitutes intellectual property. Copying, using, or distributing the information in this document in whole or in part is permitted only by the U.S. Nuclear Regulatory Commission and its contractors for the purpose of reviewing design certification application materials. Other uses are strictly prohibited without the written permission of Korea Electric Power Corporation and Korea Hydro & Nuclear Power Co., Ltd.
ABSTRACT
The Basic Human-System Interface (HSI) Platform provides an overview of the HSI design descriptions of
the reference plant, including the main control room (MCR), remote shutdown room, technical support center,
emergency operations facility, and safety-related local control stations. The MCR design includes operator
consoles, a safety console, and a large display panel (LDP). HSI resources are controls, alarms, information
displays, the LDP, and computer-based procedures. Critical function monitoring, success path monitoring,
accident monitoring instrumentation, and bypassed and inoperable status indication are implemented
using the HSI resources in an integrated fashion.
TABLE OF CONTENTS
1.0 OVERVIEW
1.1 Purpose
1.2 Scope
1.3 Comparison between System80+ and APR1400 HSI Design
2.0 METHODOLOGY
2.1 HSI Design Inputs
2.2 Concept of operations
3.0 MAIN CONTROL ROOM DESIGN DESCRIPTION
3.1 Main Control Room Configuration
3.2 Main Control Room Environment and Communication
3.3 Control
3.4 Information Display
3.5 QIAS-N display
3.6 ESCM display
3.7 QIAS-P display
3.8 Diverse Indication System display
3.9 Alarms
3.10 Labeling and Demarcation
3.11 Emergency Response Facility
4.0 REMOTE SHUTDOWN ROOM DESIGN DESCRIPTION
4.1 Remote Shutdown Room Configuration
4.2 Remote Shutdown Room Layout
4.3 Control
4.4 Information Display
4.5 Alarm
4.6 Labeling and Demarcation
5.0 TECHNICAL SUPPORT CENTER
6.0 EMERGENCY OPERATIONS FACILITY
7.0 REFERENCES
List of Appendix
Appendix 1. Comparison between System80+ and APR1400 HSI Design
LIST OF FIGURES
Figure 2-1. A Sample Diagram of Hierarchical Task Analysis
Figure 3-1. Schematic for Main Control Room
Figure 3-2. Horizontal Viewing Angle from RO Console to LDP
Figure 3-3. Horizontal Viewing Angle from TO Console to LDP
Figure 3-4. Horizontal Viewing Angle from EO Console to LDP
Figure 3-5. Horizontal Viewing Angle from SS Console to LDP
Figure 3-6. Horizontal Viewing Angle from STA Console to LDP
Figure 3-7. Horizontal Viewing Angle from Meeting Room to LDP
Figure 3-8. Horizontal Viewing Angle from Meeting Room to Operator Console
Figure 3-9. Example of Soft Control on ESCM
Figure 3-10. LDP Arrangement
Figure 3-11. A Sample of Soft Control
Figure 3-12. Primary System Directory Page in the ESCM
Figure 3-13. Secondary System Directory Page in the ESCM
Figure 3-14. System Mimic Display in the ESCM
Figure 3-15. Safety Related Soft Control on ESCM
Figure 4-1. Schematic Diagram for Remote Shutdown Room
List of Tables
Table 2-1. The Major OER Issues Associated with HSI Design
Table 2-2. Success Paths of basic platform
Table 2-3. Success Path Allocations for Reactivity Control
Table 2-4. Success Path Allocations for Maintenance of Vital Auxiliaries
Table 2-5. Success Path Allocations for RCS Inventory Control
Table 2-6. Success Path Allocations for RCS Pressure Control
Table 2-7. Success Path Allocations for Core Heat Removal
Table 2-8. Success Path Allocations for RCS Heat Removal
Table 2-9. Success Path Allocations for Containment Isolation
Table 2-10. Success Path Allocations for Containment Environment
Table 2-11. Success Path Allocations for Radiation Emission
Table 2-12. Risk-Important HAs
Table 2-13. The Number of Operating Crew
Table 3-1. The Number of Operating Crew
List of Acronyms
BISI bypassed and inoperable status indication
BOP Balance of Plant
CBP computer-based procedure
CCF common-cause failure
CFM critical function monitoring
CFR Code of Federal Regulations
CIAS containment isolation actuation signal
CLD control logic diagram
CPC core protection calculator
CSF critical safety function
CVCS chemical and volume control system
DMA diverse manual ESF actuation
EDG emergency diesel generator
EO electrical operator
EOF emergency operating facility
EOG emergency operating guideline
EOP emergency operating procedure
ESCM ESF-CCS soft control module
ESF engineered safety features
ESF-CCS engineered safety features-component control system
ESFAS engineered safety features actuation system
FA function allocation
FRA functional requirements analysis
FPD flat panel display
HA human action
HED human engineering discrepancy
HF human factor
HFE human factors engineering
HFEPP human factors engineering program plan
HRA human reliability analysis
HSI human-system interface
HVAC heating, ventilation, and air conditioning
I&C instrumentation and control
ICR information and control requirement
IPS information process system
ISV integrated system validation
ITS issue tracking system
LCS local control station
LDP large display panel
LO local operator
MCR main control room
NSSS nuclear steam supply system
OER operating experience review
P-CCS process-component control system
PAR passive autocatalytic recombiner
PPS plant protection system
PRA probabilistic risk assessment
QIAS-N qualified indication and alarm system-non-safety
QIAS-P qualified indication and alarm system-p
RMS radiation monitoring system
RO reactor operator
RSC remote shutdown console
RSR remote shutdown room
SODP shutdown overview display panel
SPADES+ safety parameter display and evaluation system +
SS shift supervisor
STA shift technical advisor
TA task analysis
TO turbine operator
TSC technical support center
V&V verification and validation
VDU video display unit
SPDS safety parameter display system
1.0 OVERVIEW
1.1 Purpose
The objective of the Basic Human-System Interface (HSI) Platform is to document the HSI design scope,
including the translation of function and task requirements into the detailed design of alarms, displays,
controls, and other aspects of the HSI through the systematic application of human factors engineering
(HFE) principles and criteria.
1.2 Scope
Basic HSI Platform describes HSI design inputs, concept of operations, and design description of the
main control room (MCR), the technical support center (TSC), the emergency operations facility (EOF),
the remote shutdown room (RSR), and safety-related local control stations (LCSs). The inputs include
analysis of personnel task requirements (including operational experience review, functional requirement
analysis and function allocation, task analysis (TA), staffing/qualifications and job analyses), system
requirement, regulatory requirements, and other requirements.
1.3 Comparison between System80+ and APR1400 HSI Design
During the APR1400 HSI concept design development, Korea Hydro & Nuclear Power Co., Ltd.
performed a comprehensive survey and review of the MCR designs used in advanced reactor plants around the
world, including System 80+, French N4, and Japanese APWR, to establish the MCR design concept.
Based on System 80+, the requirements from the US EPRI Utility Requirement Document (Reference 1)
were applied to the APR1400 HSI design. Appendix 1 includes a comparison between the System 80+ and
APR1400 HSI designs.
2.0 METHODOLOGY
2.1 HSI Design Inputs
2.1.1 Analysis of Personnel Task Requirements
2.1.1.1 Operational Experience Review
The major operational experience review (OER) issues associated with HSI design are incorporated into the
HSI design as the design requirements. Table 2-1 includes the major OER issues associated with each of the
HSI design elements.
Table 2-1. The Major OER Issues Associated with HSI Design
2.1.1.2 Functional Requirement Analysis and Function Allocation
The critical functions and their success paths, and the operator's role in implementing them are described in
functional requirement analysis and function allocation (FRA/FA). The success paths are then evaluated
against the identified allocation criteria to verify the acceptability of the allocation of control of safety functions
in the design.
Critical Safety Functions (CSFs)
Safety functions are physical processes, conditions, or actions relied on to maintain the plant within
acceptable design basis limits (i.e., to ensure safe shutdown, to maintain plant condition within safety limits,
to prevent core melt, and to ensure radiation releases do not exceed the limits of 10 CFR 50.34).
These functions may be performed by automatic or manual actuation and/or regulation, from passive system
performance or from natural feedback in the plant design. The composition of the safety functions is
unchanged for a given type of plant design.
Success Paths
The success paths for the CSFs have been developed. A high level "functional" comparison of the major
success paths for the basic platform CSFs is provided in Table 2-2.
Table 2-2. Success Paths of basic platform
Operator's Role and Safety Functions
The operator, along with automated systems and inherent and passive plant features, is part of the
defense-in-depth approach to assure that safety functions are maintained. Specifically, the operators' role in executing
safety functions can be summarized as follows:
- Monitor the plant to verify that the safety functions are being accomplished
- Actuate and control those systems that are not fully automated
- Intervene where the automatically actuated systems are not operating as intended
The first item represents a supervisory role for operators. The second item represents manual tasks that the operator
is normally expected to perform. The third item represents a back-up role for operators; it implies the use of
automatic, passive or inherent system features as a first line of safety defense. Manual and automatic
allocations in safety system operation are identified. Detailed specification of the operators' role in executing
safety functions is provided by the actions and contingencies of the Emergency Procedure Guidelines.
Allocation Data
To evaluate the acceptability of allocations to the operators' safety role, Tables 2-3 through 2-11 provide a
summary of the safety function allocations in comparison to the criteria.
The data fields of Tables 2-2 through 2-11 are defined as follows:
- Critical functions and success paths - Per the contents of Table 2-2.
- Protective system or commodity - Whether or not this is a system relied on (i.e., credited) by Chapter 15 to mitigate design basis events (DBEs) by performing the specified safety function.
- 10 CFR 50 allocation requirements - General or specific allocation requirements from 10 CFR 50 (Reference 2).
- NUREG/CR-3331 (Reference 3) allocation requirements - The acceptance path resulting from application of the criteria.
- Auto initiation - The equipment that generates automatic protective action initiates a protective system to achieve the safety function.
- Manual initiation - Whether or not the operator is afforded a means to manually initiate the protective action.
- Control modes - After initiation, the manual and/or automatic elements of a control system configuration maintain the safety function throughout the limiting DBE. These are categorized as follows:
  - Automatic (Auto): A configuration that is completely automatic without a means for manual action.
  - Automatic-AND-Manual (AAM): A configuration that can be provided both manually and automatically. The operator has the capability to provide manual actuation at any time, but does not have the capability to defeat the automatic actuation. This strategy tends to increase the likelihood of executing the function. It implies manual control is redundant to fully automatic control.
  - Automatic-OR-Manual (AOM): A configuration that can be provided both manually and automatically. The operator has the capability to select the mode of actuation, which can defeat automatic actuation. This strategy tends to provide increased flexibility to the operator.
  - Automatic-XOR-Manual (AXM): A configuration that can be provided both manually and automatically. Actuation responsibilities are shared between the human and machine components. While there may be some functional overlap, there is no complete redundancy. This actuation scheme exists because the operator has a continuous manual interface that affects the actuation setpoint for the component.
  - Manual: A fully manual configuration without a means for automatic actuation.
- Justification for solely manual initiation/control of protection (IEEE Std. 603) (Reference 4) - For protective systems, an explanation of why some portion of the safety function has not been automated.
The results of the FRA/FA are intended to provide a descriptive evaluation of the allocation of CSFs
in the design. The conclusions of this evaluation are summarized as follows:
- CSF success paths and their FAs are specified in Tables 2-2 through 2-11.
- The basic platform meets safety-related requirements for allocation of function.
Table 2-3. Success Path Allocations for Reactivity Control
Table 2-4. Success Path Allocations for Maintenance of Vital Auxiliaries
Table 2-5. Success Path Allocations for RCS Inventory Control
Table 2-6. Success Path Allocations for RCS Pressure Control
Table 2-7. Success Path Allocations for Core Heat Removal
Table 2-8. Success Path Allocations for RCS Heat Removal
Table 2-9. Success Path Allocations for Containment Isolation
Table 2-10. Success Path Allocations for Containment Environment
Table 2-11. Success Path Allocations for Radiation Emission
2.1.1.3 Task Analysis
The TA results are briefly described in this section.
Functions / Tasks / Task Elements by Event
Figure 2-1 provides an example of the hierarchical TA structure. All analyzed functions, tasks and task elements
are stored in the TA database, and these results will be described.
Figure 2-1. A Sample Diagram of Hierarchical Task Analysis
Parameter Usage
The TA database is sorted to identify all required display and control inventory for each event. This allows
the use of this information as a reference for display and control design, and these results will be
described.
Information and Control Requirements
The TA activity related to determining ICRs is to consolidate the characteristics required for each parameter.
Examples such as the type, range, accuracy, and unit of parameters can be developed, and the results
will be described.
Error / Behavior Implication / Comments List
The TA database is sorted to identify potential human errors, complex operator decision making, and
operators' comments on design improvements. These are based on operator interviews, and these
results will be described.
Minimum Inventory of Fixed Position Alarms, Displays and Controls
A subset of the identified alarms, displays, and controls is specified as the MCR minimum inventory
required to execute the emergency operating guidelines (EOGs). Within this scope, the following criteria
are used to identify minimum inventory entries, and these results will be described.
Alarms and displays
- CSF status
- Preferred/credited success path performance indications
- Indications required to verify safe shutdown
- USNRC Regulatory Guide (RG) 1.97 (Reference 5) Type A, B, C variables
- Indications and alarms for risk-important human actions (HAs)
Controls
- Preferred/credited success path component (i.e., in major flow path)
- Components required to perform safe shutdown
- Controls for risk-important HAs
- Controls requested by the HFE V&V
The MCR Minimum Inventory is provided as fixed HSI. The term fixed position refers to the unique
location on the large display panel (LDP) and the safety console for alarms, displays, and controls defined for
the parameters in the MCR Minimum Inventory.
AV assures consistency between these requirements and the completed system I&C inventories, as well
as between the system I&C inventories and the as-built HSI.
The risk-important HAs are listed and provided to the task analysts to re-evaluate the TA in detail. The
risk-important HAs are shown in Table 2-12.
Table 2-12. Risk-Important HAs
2.1.1.4 Staffing/qualifications and job analysis
Plant staffing is based on experience with previous plant operation and the staffing level of the basic platform.
The MCR staffing assumption used in the development of the basic platform is discussed in Section 3.1.
The staffing requirements for the RSR are discussed in Section 4.1. It is developed based on the following
information and references: (1) operating experiences with predecessor plants, (2) operating experience
review documents, (3) utility requirements and human factors guidelines relevant to the APR1400 design, and
(4) government regulations. The initial staffing levels are iteratively evaluated for acceptability and
modified as the basic platform HFE design and evaluation proceed. The results of the staffing assumption will be
described.
2.2 Concept of operations
2.2.1 Crew composition
The basic platform MCR is designed to provide operational flexibility to accommodate a wide range of
MCR staffing requirements. A staffing assumption is established to accommodate design and validation of
the HSI system.
Table 2-13. The Number of Operating Crew
Number of Operators    Position Title
1                      Shift Supervisor (SS)
1                      Reactor Operator (RO)
1                      Turbine Operator (TO)
1                      Electrical Operator (EO)
1                      Shift Technical Advisor (STA)
2.2.2 Roles and responsibilities of individual crew members
Shift Supervisor (SS)
The SS is responsible for coordinating all activities within the plant that may affect operations. This
includes direct supervision of the operators in the MCR as well as activities outside the control room
(maintenance, etc.). The SS shall have a work space located within the MCR. The SS shall hold a valid
senior reactor operator’s license.
Reactor Operator (RO)
The RO is “the operator at the controls” for purposes of regulatory compliance and is responsible for
making all reactivity manipulations. The RO will coordinate plant evolutions with the turbine operator as
necessary to maintain control of the nuclear steam supply system (NSSS). At least one licensed operator
must remain in the control area at all times. The RO is responsible to the SS. The RO shall hold a valid
reactor operator’s license.
Turbine Operator (TO)
In general, the TO is responsible for manipulating the controls for Balance of Plant (BOP) and turbine
systems. The TO is responsible to the SS and shall coordinate with the RO prior to making any control
manipulations which will directly affect the heat balance or reactivity control of the NSSS. The TO will
normally remain in the MCR, but may leave the MCR for specific tasks when directed by the SS.
Electric Operator (EO)
The function of the EO is the operation of the main generator, emergency diesel generator (EDG), electrical
distribution breaker, and other activities (i.e., fire protection, heating, ventilation and air conditioning
(HVAC), radiation monitoring system (RMS), contact with electric load dispatcher) assigned by the
technical and administrative procedure of the specific plant in the MCR. The EO is responsible to the SS.
Shift Technical Advisor (STA)
The STA advises the SS on safe plant operation. The staff shall have a work space located within the
MCR and perform the tasks that are mandated by the SS.
2.2.3 Personnel interaction with plant automation
2.2.3.1 Overriding automatic system
A priority interlock shall be incorporated in the engineered safety features-component control system
(ESF-CCS) to block any effect from an ESCM on the ESF-CCS when ESF actuation is in progress.
ESFAS signals from the PPS and manual ESF system level actuation switches shall override soft control
signals at all times. The operator can override the ESF-2 interlock by using the ESCM if the plant
condition is in a safe status. This will be reflected in the system designer's CLDs. The safety command
signals are categorized into ESF-1 and ESF-2 as follows:
- ESF-1: This safety command signal cannot be overridden.
- ESF-2: This safety command signal can be subsequently overridden by the operator.
Once the safety command signal is overridden, it continues to be blocked until it is reactivated.
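The priority rules of Section 2.2.3.1, modelled as a small state machine. This is an added Python example, not code from the report or from the ESF-CCS. The component tags, state names and class/method names are hypothetical, and "reactivated" is read here as a fresh rising edge of the safety signal.

```python
from dataclasses import dataclass, field
from enum import Enum


class SafetyClass(Enum):
    ESF_1 = "ESF-1"   # safety command can never be overridden
    ESF_2 = "ESF-2"   # safety command can be overridden after actuation


@dataclass
class PriorityInterlock:
    """Per-component arbitration between safety commands and ESCM soft control."""
    name: str                      # hypothetical component tag
    safety_class: SafetyClass
    safe_state: str                # state demanded by the safety command
    state: str                     # current commanded state
    safety_active: bool = False    # ESFAS or manual system-level actuation present
    overridden: bool = False       # latched ESF-2 override
    audit: list = field(default_factory=list)

    def _log(self, event: str) -> None:
        self.audit.append(f"{self.name}: {event}")

    def safety_signal(self, active: bool) -> None:
        """ESFAS from the PPS or a manual system-level switch (same priority)."""
        if active and not self.safety_active:
            # Assumption: a rising edge is the "reactivation" that ends an override.
            self.overridden = False
            self.state = self.safe_state
            self._log(f"safety actuation -> {self.safe_state}")
        elif not active and self.safety_active:
            self._log("safety signal cleared")
        self.safety_active = active

    def request_override(self, plant_safe: bool) -> bool:
        """Operator asks, through the ESCM, to override the safety command."""
        if not self.safety_active:
            self._log("override refused: no safety command present")
            return False
        if self.safety_class is SafetyClass.ESF_1:
            self._log("override refused: ESF-1")
            return False
        if not plant_safe:
            self._log("override refused: plant not in safe status")
            return False
        self.overridden = True
        self._log("ESF-2 override latched")
        return True

    def soft_command(self, target: str) -> bool:
        """ESCM soft control request; returns True only if it takes effect."""
        if self.safety_active and not self.overridden:
            self._log(f"soft command {target} blocked by priority interlock")
            return False
        self.state = target
        self._log(f"soft command {target} accepted")
        return True


def demo():
    """Walk two constructed components through actuation, override, reactivation."""
    valve = PriorityInterlock("VALVE-A", SafetyClass.ESF_2, "CLOSED", "OPEN")
    pump = PriorityInterlock("PUMP-B", SafetyClass.ESF_1, "RUN", "STOP")
    for component in (valve, pump):
        component.safety_signal(True)

    results = {
        "soft_during_actuation": valve.soft_command("OPEN"),
        "override_plant_unsafe": valve.request_override(plant_safe=False),
        "override_plant_safe": valve.request_override(plant_safe=True),
        "soft_after_override": valve.soft_command("OPEN"),
        "esf1_override": pump.request_override(plant_safe=True),
        "esf1_soft": pump.soft_command("STOP"),
    }
    # Signal clears and is issued again: the earlier override no longer applies.
    valve.safety_signal(False)
    valve.safety_signal(True)
    results["soft_after_reactivation"] = valve.soft_command("OPEN")
    return results, valve, pump


if __name__ == "__main__":
    outcome, valve, pump = demo()
    for key, value in outcome.items():
        print(f"{key}: {value}")
    print(*valve.audit, *pump.audit, sep="\n")
```

The audit list records every refused override and blocked soft command, which is the evidence a reviewer would check to confirm that soft control never took effect against an active safety command.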
2.2.4 Use of control room resources by crew members
2.2.4.1 MCR control and monitoring systems
Five consoles — Each console contains a set of interactive, selectable, information displays, alarm
acknowledge buttons, control confirm switches and soft control (popup) needed to remotely operate and
monitor systems and components within the plant. The console and the LDP are the primary control and
monitoring devices in the control room.
All MCR consoles (i.e., those designed for the SS, RO, TO, EO and STA) are designed to accommodate
single failures of hardware. Each console should contain a sufficient quantity of redundant hardware for
each type of I&C equipment (e.g., information FPDs, switches, communications equipment) so that a
single failure of a processor, power supply, display device, control device, or communication device does
not cause the operator to operate the plant from another location.
In addition to monitoring and control, the console will have special applications designed to aid the operator,
such as computer-based procedures (CBPs) and information management.
2.2.5 Coordination of crew member activities
2.2.5.1 Large display panel
The LDP provides the variable displays for crew coordination and information such as parameter trends and
displays for specific mode operation. Operators at the RO, TO, EO, SS, and STA consoles can select
displays for any display section of the LDP independent of what is displayed on their information FPD via
communication with the for operator workstations that drive the LDP sections.
2.2.5.2 Communication Systems
Voice communication inside and outside of the MCR is essential to the coordination of plant operations.
Various communication devices are used to ensure efficient voice transmission in the design.
3.0 MAIN CONTROL ROOM DESIGN DESCRIPTION
3.1 Main Control Room Configuration
The MCR configuration was developed through an evolutionary process beginning with the reference
design configuration. Considerations influencing the design include plant system configurations for the
basic platform, post-TMI indication requirements, improved methods of alarm and display, and the Style
Guide (Reference 6). The following sections document staffing assumption, relevance to the Style Guide,
evaluation of configuration candidates, and design of the MCR configuration.
3.1.1 Definition of term
Main operating area
The area between and including operator consoles (RO, TO/ EO, STA, and SS), safety console and LDP
from which plant monitoring and control actions are taken.
Main control room
The entire area including the main operating area, auxiliary panels area, and meeting room.
3.1.2 Staffing Assumption
The MCR is designed to provide operational flexibility to accommodate a wide range of MCR staffing
requirements. A staffing assumption is established to accommodate design and validation of the HSI
system.
Table 3-1. The Number of Operating Crew
Number of Operators    Position Title
1                      Shift Supervisor (SS)
1                      Reactor Operator (RO)
1                      Turbine Operator (TO)
1                      Electrical Operator (EO)
1                      Shift Technical Advisor (STA)
3.1.3 Workspace and MCR configuration criteria
The development and evaluation of MCR configurations require a comprehensive set of HFE criteria
related to workspace design.
Workspace and configuration criteria are based on requirements defined in the Style Guide for the HSI.
Specific configuration criteria utilized for design of the MCR are listed below:
- All of the MCR operator consoles are designed to accommodate the 5 to 95 percentiles of the adult male population.
- At a sit-down operator console, an operator is able to monitor all plant information and control plant processes from a seated position.
- In the main operating area, operators have proper line of sight to all information and controls related to a given task.
- Operators are able to integrate and associate information and controls across all operator consoles.
- Adequate work surface (including document lay down space) is provided at, or near, MCR operator console for paper based procedures, schematics and other documents without interfering with display viewing or control manipulation.
- All desks and chairs in the MCR are designed for usability and comfort.
- Chairs provided for sit down operator consoles have roller wheels for easy movement within the operator console.
- Operators have unimpeded physical access from one operator console to another.
- Adequate passage way between operator console and other work areas is provided.
- No obstacles (file cabinets, etc.) are located in the main operating area to ensure safe and unimpeded movement within main operating area.
- Designated workspace is provided for the SS with unimpeded visual access to LDP and the main operating area.
- Adequate storage is provided for reference documents and drawings at a readily accessible location.
- Commodities such as storage for equipment and supplies are provided for personnel who work in the MCR on a periodic basis.
3.1.4 Reference Design Configuration
The HSI system design is being developed with review of the reference design. The design approach is
based on a compact operator console type MCR design where monitoring and control activities are
normally performed on selectable operator console display devices and soft controls. Fixed indication
information for plant overview and safety assessment is primarily provided by LDP which is sized for
viewing by operating staff in the main operating area.
3.1.5 Reference Design Evaluation Results
The first phase of the configuration development process evaluated reference design configuration and
compact operator console design with respect to the operational requirements and the HFE criteria
identified previously. The following design considerations from the various reviewed designs are applied
to basic platform criteria:
- The compact console design would use multiple identical and redundant consoles where at each console one person has access to all information and controls necessary to safely operate the plant.
- The LDP has an important role in the MCR. In addition to providing overview and safety information, the LDP provides fixed indication of high priority alarms via alarm tile and incorporates a variable display section to support current operating goals.
- Safety console is provided for fixed position and qualified control switches and operator modules for control of core protection calculators, and the plant protection system.
3.1.6 Console Configurations and Evaluations
In meeting the design goals of basic platform design, console configurations are analyzed. Design issues
to be analyzed include:
- Visibility and size of LDP
- Communication between operators and other MCR staff
- Working area at console, laydown space
- Maintainability of consoles
The MCR design configuration is depicted in Figure 3-1 and provides five redundant consoles, each of
which has capability to control all power plant processes. A typical utility staffing configuration of these
operator consoles is as follows:
- Left front console - RO
- Middle front console - TO
- Right front console - EO
- Left rear console - SS
- Right rear console - STA
3.1.7 Functions and HFE Considerations for MCR Facilities
The main operating area in the MCR contains five operator consoles, the safety console and the
monitoring console. Additionally, the MCR provides an LDP, tables and desks, and a meeting room near the
MCR.
The function and characteristics of each of these operational features are discussed in this section.
Important HFE considerations related to workspace design are also discussed. These include workspace
visibility, mobility, access, operator furnishings, and console profiles.
3.1.7.1 Operator Console
Each of the three front consoles is designed to be used by one operator, and the two rear consoles are
assigned to the SS and STA, respectively. Each operator console provides devices for access to all
information and controls necessary for one person to monitor and control all processes associated with
nuclear plant operation and maintaining the plant in a safe condition.
The front operator consoles are linked together to provide good communications for the normal staffing
assignment of RO, TO, and EO. The two rear operator consoles are assigned to the SS and STA, who use the
operator console features for monitoring only. The rear operator consoles would also serve as an
alternate operator console to be used for plant monitoring and control in the event of a failure of one of
the front operator consoles (where monitoring and control capability of an operator console was
degraded). Each operator console contains:
- Multiple FPDs that support process monitoring and control with pointing devices
- ESF-CCS soft control FPDs
- Laydown space for logs, drawings, documents, paper procedures, etc.
3.1.7.2 Monitoring console
The monitoring console is located in the following areas to monitor the plant operating status and
support the MCR operators with verbal and other suitable means of communication:
- Meeting room near the MCR
- Local operator's office
- Technical support center
- Emergency operation facility
3.1.7.3 Auxiliary Panel
Space is provided for the auxiliary panel in the back of the LDP. The auxiliary panel contains fire
protection instrumentation, closed circuit television equipment, printers, etc.
3.1.7.4 Meeting Room
The MCR provides a meeting room near the MCR for MCR personnel who are not actively engaged in
operation activities in the main operating area. This assures that the design of the meeting room is
integrated into the overall control room design philosophy.
Provisions of the meeting room allow flexibility for utility preferences and accommodate varying plant
conditions and staffing requirements. This meeting room is depicted in Figure 3-1.
These provisions include viewing of the main operating area to allow monitoring of the activities being
performed and to allow intelligible verbal communication among the operating staff.
The operators can monitor the plant overview status information on the LDP without leaving the office.
This provides a fixed constant overview that directs them to more detailed information on their information
displays if necessary. The meeting room also provides easy and quick access to the main operating area
should the operating staff require assistance.
Visual and telephone communication between the main operating area and the meeting room is provided.
Figure 3-1. Schematic for Main Control Room
3.1.7.5 Main Control Room Furnishings
This section describes HFE considerations related to furnishings for operators within the MCR. The
issues addressed include furniture, document storage and laydown space.
Furniture
The main operating area is provided with sufficient quantities of tables, desks and chairs to support the
operating staff expected in the MCR. A desk space of operator consoles and table is provided as typically
shown in Figure 3-1. The table and desk space serves as a work area for operators in the main operating
area where no active monitoring or control actions are to be performed at the operator consoles.
Locations of the desk provide visibility to the entire main operating area. The desk is designed in
accordance with desk dimensions required in the Style Guide. The desk height conforms to the Style
Guide. Chairs are provided in the main operating area at the operator consoles, desks, and at the safety
console as typically shown in the Figure. Each chair is designed according to the requirements of the
Style Guide for the operator in the seated position. Chairs have adjustable heights and are on wheels to
facilitate seated movement, particularly at the operator consoles.
Document laydown space
Adequate space is provided in the main operating area for laying down procedures, manuals and other
reference materials while they are in use. Laydown space for longer-term use that does not require
control actions is provided at the main operating area desk.
Reference document storage
Adequate reference document storage space is provided in the MCR. Permanent storage space is
provided on MCR desks and in the main operating area. Additional storage and storage of large drawings
are provided in the storage room outside the main operating area. This is typically shown on Figure 3-1
and the location is convenient to access from the main operating area and the meeting room near the
MCR. The operators support office also has space designed for document storage.
3.1.7.6 Console Profile
The console profile is designed to support seated operation for each operator console and the safety
console. This profile is based on anthropometric data of the 95th to the 5th percentile adult male.
3.1.7.7 Safety Console
The MCR includes a safety console. The safety console provides controls and displays with which a
backup operation could be performed during a failure of the operator consoles. The safety console is
located in the main operating area as shown in Figure 3-1. The mini-LDP installed on the safety console
provides the same fixed position alarms and displays included on the LDP.
The safety console provides the following indications, controls and alarms:
Minimum inventory of "fixed position" alarms, indications and controls necessary for the following:
- Performance of emergency operating procedure (EOP) and safe shutdown with preferred/credited success path components in the major flow path for each CSF.
- Performance of risk-important HAs required by the PRA/HRA.
All alarms, displays, and controls needed to perform periodic surveillance, testing, and
maintenance of all safety components controlled from the MCR.
The safety console contains the following equipment:
Multiple FPDs of the same type as those of the operator console
QIAS-N displays
QIAS-P displays
PPS/CPC operator modules
Reactor trip and ESF system level actuation switches
Diverse manual ESF actuation (DMA) controls
Minimum inventory of fixed position switches
ESF-CCS soft control modules (ESCM)
3.1.7.8 Fixed Position Control
The fixed position switches are provided on the safety console and remote shutdown console (RSC) to
support manual actuation or control by the operator.
The fixed position controls in the MCR consist of minimum inventory switches for execution of EOP,
diverse manual ESF actuation switches and manual ESF system level actuation switches to meet the
requirements of SECY 93-087 Enclosure 1, Position II. Q. 4 (Reference 7), and manual BOP ESF
actuation switches.
Minimum inventory control
Minimum inventory controls provide defense against operator console failure. The minimum inventory
controls are created by performing TA to identify all controls necessary to perform the tasks required for
execution of EOPs, and identifying the controls necessary to complete important tasks based on the
PRA/HRA.
The minimum inventory controls involve the manual ESF system level actuation switches. The manual
ESF system level actuation switches are provided as input signals to execute ESF system actuation. Four
channels of switches are provided at the safety console for manual ESF system level actuation.
Manual reactor trip switches are also included in the minimum inventory controls. Manual reactor trip
switches are provided for the operator to manually trip the reactor, and the signal from the switches
de-energizes the control element drive mechanism coils, allowing all the control element assemblies to drop into
the reactor core.
Diverse manual actuation switch
Diverse manual actuation switches are provided for mitigation of common-cause failure (CCF) of digital
equipment in the ESF-CCS. These diverse manual ESF actuation switches are part of a defense-in-depth and
diversity design against a CCF. The design provides hardwired, diverse system level actuation of the
safety-related equipment, bypassing the ESF-CCS. These switches are functionally and physically independent
from the ESF-CCS. They are located on the safety console in the MCR.
Manual BOP ESFAS switches
Manual system level BOP ESFAS switches are provided for proper actuation of the BOP ESF HVAC
systems and equipment to mitigate the consequences of the fuel handling accidents in the containment
building and the fuel handling area as well as to provide a habitability condition for the plant operation
personnel in the MCR during all phases of the DBE.
3.1.7.9 Operator Modules
An operator module is an HSI device that provides functions for operation, maintenance, surveillance and
testing for the control room operator. Class 1E channelized operator modules are provided on the safety
console. One operator module is assigned per safety channel (A, B, C, and D) and the operator modules
are grouped as follows:
Core protection calculator (CPC)
Plant protection system (PPS)
The CPC and PPS operator modules provide the function of control and indication for surveillance,
maintenance and testing.
3.1.7.10 ESF-CCS Soft Control Module (ESCM)
Soft control FPDs are provided for controlling the ESF components.
3.2 Main Control Room Environment and Communication
This section provides the design criteria which assure that proper HFE environmental and communication
principles are incorporated into the design. The criteria assure that the MCR is in accordance with design
assumptions and accepted human engineering practice.
3.2.1 Environmental Design Criteria
The following are environmental criteria which the MCR design meets:
Humidity, temperature and ventilation
Temperature and humidity levels are maintained within the comfort climate level in accordance with
the HFE criteria.
The heating, ventilation and air conditioning (HVAC) system is capable of introducing sufficient fresh
air in accordance with the HFE criteria.
Illumination
MCR lighting design provides adequate operator console illumination in accordance with the
HFE criteria for the tasks being performed.
Lighting levels are uniform throughout a given operator console.
Task area luminance ratios and reflectance levels are in accordance with the HFE criteria. The
type of lights chosen and placement of lighting sources minimize glare.
Adequate emergency lighting is provided with automatic activation in accordance with the HFE
criteria.
Auditory environment
Background noise levels are in accordance with the HFE criteria. Background noise does not
impair verbal communication.
The MCR supports acceptable auditory design by minimizing distances for required
communication, keeping non-operating personnel out of the main operating area, providing
audible tones in the alarm system with none in other systems and using sound absorbing
material in the MCR interior.
Habitability
Adequate personal storage space is provided for MCR personnel.
Adequate rest rooms, eating facilities and lounge areas are provided within easy access of the
MCR.
A pleasant and comfortable decor is provided through color coordination, lighting, and
comfortable seating to reduce operator fatigue.
Impact of MCR features (e.g., ceiling, walls, floors, operator console, and other furnishings) does
not have a negative effect on ambient environmental conditions or habitability of the MCR.
3.2.2 Communications Design Criteria
Voice communication inside and outside of the MCR is essential to the coordination of plant operations.
Various communication devices are used to ensure efficient voice transmission in the design. The
following design criteria ensure correct message interpretation and prompt operator response for these
devices.
Both intra and extra MCR communication are provided by the communication system.
The Style Guide is followed for each communication device employed.
Space is provided for communication devices on the MCR operator console in the main
operating area.
The type and placement of communications devices is compatible with all normal and
emergency tasks for the plant operation.
Visual and manual access to communications devices is not obstructed by furniture, panels or
consoles. Communication devices are positioned in the MCR to shorten the operator's line of
movement.
All communication handset / headset cords are sufficiently long to permit mobility around each
operator console.
Response frequency range is well within the auditory spectrum for intelligible hearing as per the
Style Guide. Automatic volume control for receivers is provided to account for unanticipated rises
in ambient noise levels.
Ringing of communication devices is provided only where needed. Communication device
ringing does not interfere with and is not masked by other MCR auditory warning systems.
Communications devices are usable by personnel wearing protective gear where required.
Headsets are designed for comfort even with extended wear.
Periodic maintenance is performed to ensure transmission systems are working properly.
Auditory signals are clear, unambiguous and consistent in meaning with other MCR
communications.
3.2.3 Conformance to Design Requirements
3.2.3.1 Visibility Evaluation
Visibility permits general observation, and supports communication and coordination between operators.
A visibility evaluation was performed for the MCR configuration to ensure that the visibility requirements
identified in the operational requirements and the Style Guide are met. The visibility evaluation focused on
assuring that unobstructed visual access exists among all main operating area operator consoles and
other consoles and from the meeting room near the MCR.
RO, TO/EO console visibility
Acceptable visibility from the MCR operator consoles is ensured by demonstrating that the line of sight
and visual access requirements are met. This is shown in Figures 3-2 through 3-4.
Adequate line of sight is provided between an operator seated at any operator console and other
operators seated at other operator consoles.
LDP is visible from the operator consoles and adequate visual angle exists in the vertical plane
to permit viewing the LDP.
Operators located at the safety console have visibility of all control room operator consoles, LDP,
desks and other consoles.
The meeting room near the MCR is visible from the operator consoles.
Figure 3-2. Horizontal Viewing Angle from RO Console to LDP
Figure 3-3. Horizontal Viewing Angle from TO Console to LDP
Figure 3-4. Horizontal Viewing Angle from EO Console to LDP
SS /STA console visibility
Acceptable visibility is demonstrated from the SS and STA console by confirming the following visual
access considerations. These are shown in Figures 3-2 through 3-5.
All operator consoles and safety console are visible from the SS/STA console.
Meeting room near the MCR is visible from the SS/STA console.
LDP is visible from the SS/STA console.
Meeting room visibility
Acceptable visibility is demonstrated from the meeting room near the MCR by confirming the following
visual access considerations. These are also shown in Figures 3-5 and 3-8.
Unobstructed view of the MCR operator consoles exists from the meeting room for general
observation.
LDP is visible from the meeting room.
Figure 3-5. Horizontal Viewing Angle from SS Console to LDP
Figure 3-6. Horizontal Viewing Angle from STA Console to LDP
Figure 3-7. Horizontal Viewing Angle from Meeting Room to LDP
Figure 3-8. Horizontal Viewing Angle from Meeting Room to Operator Console
3.2.3.2 Mobility Evaluation
An evaluation is performed to demonstrate that each member of the operating staff would have adequate
mobility within the main operating area and that movement patterns in the main operating area would be
facilitated efficiently. Figure 3-3 shows the main operating area dimensions and clearances for typical
operator work locations and traffic patterns. The following key mobility considerations are provided by the
MCR configuration:
Adequate operator maneuvering space is provided for seated operation at each of the operator
consoles (i.e., space greater than 0.9m (3 feet) behind the operator without obstructions).
Adequate operator maneuvering space is provided for seated operation at the safety console.
3.2.3.3 Main Operating Area Access Evaluation
The MCR is designed to accomplish one key main operating area access function. The MCR
configuration permits rapid, direct access to the main operating area from any of the MCR. This is shown
in Figure 3-3. No hindrances are present to obstruct an operator's access to the main operating area.
3.3 Control
Soft controls are used to provide control room operators with plant control capabilities, which replace
conventional dedicated pushbuttons and process controllers. The soft control consists of the ESF-CCS
soft control and the process-CCS (P-CCS) soft control. The ESF-CCS soft control is used to control the
safety-related control components through the ESF-CCS, and the P-CCS soft control is used to control
the non-safety related control components through the P-CCS.
The soft control allows the control of continuous processes, discrete components, and other special
controllers such as control rods and turbine generators from the MCR and the RSC. The operator can
control both safety and non-safety components using the ESF-CCS soft control or P-CCS soft control on any
one of the operator consoles. The use of soft control is essential to achieve a compact operator console design.
The soft control emulates and replaces the various physical switches and analog control devices which
populate conventional plant control panels. The operator interacts with the ESF-CCS soft control via a
touch screen, and the P-CCS soft control via a pointing device such as a mouse. These soft controls, which
are software based, allow a standard interface device to assume the role of numerous control switches
and analog control devices via software configuration. The selection of components is possible from the
information displays.
The ESF-CCS soft control is implemented on the qualified touch screen-based FPD, and the P-CCS soft
control is implemented on each information FPD of the MCR and the RSC. Also the ESF-CCS soft control
and the P-CCS soft control are provided on the safety console to support the operator task of a
predesignated operator in post trip conditions as a means for controlling non-safety related equipment.
3.3.1 Control Display Presentation
Soft control is a dynamic interactive graphic used to monitor and manipulate process control functions. The
control template of a specific safety-related component appears on the ESF-CCS soft control FPD
when the operator selects the symbol on the information display with a pointing device. The control
template of a specific non-safety related component likewise appears on the information FPD when the
operator selects the symbol on the information display with the pointing device. Each soft control is
designed with a standardized graphic template to provide design and operational consistency. This design
approach minimizes the potential for operator process control errors.
Figure 3-9. Example of Soft Control on ESCM
Soft control requires a pointing device to allow component control command (e.g., ON/OFF) selection.
A pointing device such as a mouse is used to select the component control command (e.g.,
ON/OFF) on the P-CCS soft control display. The ESF-CCS soft control uses the touch screen-based FPD
as the pointing device.
The soft control template for modulation component control provides loop operating mode (e.g., auto/
manual, remote/local), setpoint, demand output, process value, increase/decrease button and bar graph
necessary for the control of a modulating device.
The soft control template for discrete component control provides command selection targets (e.g.,
open/start button, close/stop button and auto/man selection button etc.) necessary for the control of
discrete devices. Inoperability status (e.g., trouble or disable) information is provided on the soft control
template for the control of discrete devices. The feedback is provided on the soft control template.
3.3.2 Switch Configuration
Switch configuration is applied to the fixed position switches located at the safety console and RSC to
support manual actuation or control by the operator. The following information regarding switch
configuration is typically provided on the switch faceplate:
Control option available (on, off, auto, etc.)
Current component state (on, off, auto, etc.)
The name plate of each switch has an unambiguous identifier (e.g., tag number) of component name or
functional identifier (name of control). In order to display all of this information on the switch configuration,
a visual coding technique based on the conventions established in the Style Guide is utilized.
The control option and component state convention used in the switch configuration are similar to the
convention used in switch design for soft control as described in Subsection 3.3.1.
3.3.3 Conformance to HFE Requirement
The following high-level design principles are key to the soft control design.
Simplicity
HSI resources should represent the simplest design consistent with functional and task requirements.
Simplicity may be of particular importance to the soft control HSI resource. This is true because the soft
control is inherently more complex than the pushbutton switches of conventional control rooms which it
replaces. The number of actions to complete a task should be minimized. Complicating factors for the soft
control include I&C constraints on the design (e.g. channel independence and potential use of a confirm
switch). Maintaining simplicity in the design minimizes the operator's secondary task burden. This is
particularly important in the soft control design, to maintain operator speed and accuracy for execution of
control commands.
Task usability
All HSI resources must be designed to meet task performance requirements. Task usability is a primary
focus for the soft control, since this device provides the majority of the control capability available in the
control room. In particular control task requirements are considered in developing individual soft control
formats. Control options encompass the entire range of controls identified by the TA. Presentation of data,
such as current component state, is provided in a directly usable, unambiguous form.
Timeliness
Time response is a particularly important consideration for controls. Slow time response can be a
significant detriment to the usability for controls (i.e., soft control) if it is noticeable to the user. One issue
of specific concern in the soft control design is proper implementation of control system feedback based
on control selection. Timely feedback of the process response to control action, both for discrete and
modulating control, is also an important consideration. The operators can readily determine the current
status of the control system, its desired status, and the result of control action through a soft control.
Error tolerance, control and prevention
Error tolerance and control are an important consideration for soft control. Specific features are
considered for error prevention for critical or high risk components (e.g. letdown low temperature
overpressure protection valves or containment spray operation). These typically have key lock switches or
switch covers in conventional control rooms. Sufficient means to accomplish the same protection is
provided for soft controls.
3.4 Information Display
Information display consists of the displays shown on the information FPDs at the operator consoles and the display on the LDP. It is
driven by the information processing system (IPS).
3.4.1 Large Display Panel
The presentation of plant processes on display page formats leads to a generally expressed concern that
the presentation of information on separate, relatively small formats which must be viewed independently
might prevent the operator from gaining an overall "feel" for plant status. In a typical nuclear power plant
the understanding of the whole plant process performance is gained by parallel processing of an array of
conventional instrumentation, i.e., by means of a sweeping glance around the control room. In the control
room, an LDP provides the information that the operator requires for quickly assessing overall plant status.
The fixed system mimic display of the LDP is also available on any operator console in the MCR, TSC and
EOF.
The LDP is visible and interactively usable from the operator consoles in the MCR in order for the
overview to be useful in coordinating control room activities. Therefore, LDP provides text of sufficient
size and with acceptable characteristics to permit viewing from expected MCR locations. Figure 3-10
shows the size, appearance and configuration of the LDP.
Plant overview message section: It continuously shows plant level information such as reactor
power and turbine power.
Fixed mimic section: It continuously shows the overall plant mimic, including main plant parameters
required for key parameters for normal operation, safe shutdown, representative parameters for
critical safety function, Type A, B, C of RG 1.97.
Critical function monitoring (CFM)/bypassed and inoperable status indication (BISI) section: It
continuously shows alarms for critical functions and status indication for BISI.
System group alarm (SGA)/important alarm tile section: It continuously shows the process
system based alarms and plant important alarms.
Variable display section: It allows a display from an operator console to be projected onto it.
Figure 3-10. LDP Arrangement
3.4.1.1 LDP Characteristics and Features
The LDP provides the operator with information that allows him to determine overall operational and
safety status of the plant. The LDP presents high level process overview information as follows:
a selected set of high level function indicators, trends for key parameters, PPS actuation status
flags and alarms to support operators' situation awareness of the plant.
critical function alarms to meet safety parameter display system (SPDS) requirements.
prioritized alarm presentation emphasizing important alarms to support operational concerns.
plant-wide system fixed mimic to alleviate display page navigation load and to support crew
coordination.
The LDP uses the same Style Guide for display design (i.e., dynamic symbols, color code, highlighting,
blinking, graphic layout and information coding features) that is used on the information display pages.
3.4.1.2 CFM/BISI Section on LDP
A primary benefit of the LDP is its capability to support operator response to plant disturbances,
particularly when a disturbance affects a number of plant functions. LDP information supports the
operator's ability to respond to challenges in plant safety. To that end, LDP allows the operator to assess
the overall plant's process performance by providing information to allow a quick assessment of the
plant's CSFs. Critical functions pertaining to the plant are:
Reactivity control
Maintenance of vital auxiliaries
RCS inventory control
RCS pressure control
Core heat removal
RCS heat removal
Containment isolation
Containment temp & press control
Containment H2 control
An alarm tile for each critical function is provided on the LDP. The tile provides a fixed location for the
continuous display of the presence of alarms that jeopardize the specific critical function, by which
the operator can:
Determine overall operating status via critical function alarm status
Establish priorities for operator actions via prioritized alarm status of critical functions
The alarm tile representation is an overview summary of critical function display page information. The
detailed information about the alarms is available in any information display.
The BISI of safety systems is continuously visible in this section based on RG 1.47. It shows bypassed
or deliberately introduced inoperability of systems required for safe operation of the plant.
3.4.1.3 System Group Alarm/Important Alarm Section on LDP
This section consists of SGA tiles and important alarm tiles. SGA tiles help the operator assess the
overall plant condition at a glance and avoid the potential error of missing an alarm in the LDP
mimic section, so that an operator does not mistake the plant condition for normal.
Important alarm tiles provide the status of important alarms so that an operator can continuously monitor
important alarms at a glance. The important alarms include alarms that help an operator promptly
recognize the plant situation, such as alarms related to major parameters, components or systems.
3.4.1.4 Plant Overview Message Section on LDP
This section provides the high-level information that is useful for assessing plant level situation
awareness, such as Plant Mode, Reactor Power, and Generator Power.
3.4.1.5 Fixed Mimic Section on LDP
Mimic representation of the major heat transport path systems and systems that are required to support
the major heat transport process are presented on LDP. These systems include those that require
availability monitoring per RG 1.47 (Reference 8), and all major success paths that support the plant
critical functions.
System information presented on LDP includes system operational status, change in operational status
(i.e. active to inactive, or inactive to active) and the existence of alarms associated with the system.
Process variables required to assess the critical functions are also presented on LDP.
3.4.1.6 Variable Display Section on LDP
The overview information requirements for plant operations change per plant operating conditions and the
needs of the operating crew. To address this informational requirement the LDP contains a variable
display area that may offer a useful means for the presentation of process information on a less
permanent basis.
Alarm lists, trend displays, and process mimic displays, normally displayed on VDU screens, could be
projected onto the large screen for monitoring or discussion purposes amongst the operating crew.
Operators are able to choose any process mimic display available on the operator console and have it
displayed on the LDP variable display area.
3.4.1.7 Alarms Presentation on LDP
LDP displays the following types of alarms:
Critical function alarms using alarm tile
System Group Alarm (SGA) and important alarm section
Priority process parameter/component alarms using alarm display convention
First-out alarm
3.4.2 Operator Console Information Display Hierarchy
The information display hierarchy in operator consoles provides dynamic display pages of plant
parameters and alarms using color graphic VDU so that an understanding of current plant conditions and
status is readily recognized. Information display pages provide information important to monitoring,
planning, controlling, and obtaining feedback on control actions.
These display pages contain all the plant information that is available to the operator, in a structured
hierarchy. The information display pages are useful for information presentation because they allow
graphical layouts of the plant and process in formats that are consistent with the operator's visualization
of the plant. In addition information display formats are designed to aid operational activities of the plant
by providing trends, categorized listings, messages, operational prompts, as well as alerts to abnormal
process.
The MCR operator consoles use multiple display devices that allow simultaneous access to a variety of
display pages in information display hierarchy. Each operator console includes four VDUs, to each of
which any display page in the information display hierarchy can be assigned. Use of four VDUs also
provides redundancy in the event of any VDU becoming unavailable.
A pointing device such as a mouse is the primary interface to navigate and access display pages in the
hierarchy. Keyboards are not used for information access to any of the control room operator consoles
during normal operation.
3.4.2.1 Contents and Organization
The basic platform utilizes a large number of information display pages presented on VDUs in operator
consoles and safety console. The displays provide the operator with the necessary supporting data and
information to help operate the plant in a safe and efficient manner. The displays are organized into a
hierarchical structure to allow for logical and convenient access by the operator.
System display
It is not feasible to provide operators with displays for every specific situation that can arise in a nuclear
power plant because of its complex nature and immensely large variety of operational situations. The HSI
provides, as a primary HSI resource for all modes of operation, general function displays such as first
order principle displays (mass/energy balance) rather than displays of specific conditions and situations.
System displays provide indications, alarms, and controls in the same way as the control panels of the
conventional control room provide operational information to the operators.
System display hierarchy consists of system mimic displays and their associated supporting pages.
System mimic display contains plant representation mimics with process parameters and component
status for operational use. The associated pages can be directly accessed from the system mimic
displays and contain the following types of information:
Trends for the parameters that are included in the system display for evaluation of detailed
behavior of the parameters.
Graphs with various forms to support quick assessment of conditions requiring evaluation of
multiple parameters/status.
Aids display
Aids displays support a limited set of plant operator tasks that cannot be adequately supported by system
display hierarchy or computer-based procedure display. System display hierarchy cannot efficiently and
expeditiously support operator functions that require information and control of multiple systems. Aids
displays are organized to provide a functional level view of the plant, rather than a system level view and
include plant mimics, parameter values, component/system status and some instructions if necessary. In
addition, these displays also allow access to display pages in system display hierarchy.
Aids displays also provide complex graphical and calculation aids such as core operating limit
supervisory system (COLSS), xenon prediction and reactivity balance program or to provide information
required to perform specific plant operation.
Safety Parameter Display and Evaluation System + display
Safety parameter display and evaluation system + (SPADES+) display continuously provides information
on CSFs and success path performance. It meets the SPDS requirement per NUREG-0737 Supplement 1.
Section 3.4.4 provides the detailed description for it.
Large Display Panel (LDP)
The fixed mimic section display of LDP is also provided at the operator console information display.
Soft Control display
Soft control display provides controls in software for actuating components. It is presented at Information
display for non-safety related components and ESCM display for safety related components. Section 3.3
provides the detailed description for it.
Bypassed and Inoperable Status Indication display
BISI display provides information of bypassed or deliberately induced inoperability of the protection
system and the systems it actuates to perform their safety-related functions. It also provides automatic
indication of the bypass and inoperable status of any auxiliary or supporting system that effectively
bypasses or renders inoperable the protection system and the systems actuated or controlled by the
protection system.
Alarm display
Alarm display provides component and parameter alarm information in a list. Section 3.9 provides the
detailed description for it.
Procedure display
Procedure displays consist of the set of plant specific computer-based procedures. These displays provide
the appropriate procedural information for operational usage and may include text, parameter values, flow
charts, and access to other displays. Section 3.4.3 provides the detailed description for procedure display.
3.4.2.2 Display Page/Information Access
The operator's ability to access information and diagnose operational concerns with a VDU based
information system is dependent on the ability to access appropriate display pages. It is important to limit
the need for the operator to "work the interface" (jump from one screen to another) in order to perform a
specific task. Display page access is fast, simple, consistent among the various display pages and easy
to use.
Dedicated areas are reserved on information display for the following information:
Standard menus for system display page directories, SPADES+, BISI, alarm, procedure display
and aid display
Display system/devices health check indication such as heart beat icon
Current date and time for operation
The information that is physically and functionally related to a particular display is accessed by a single click.
Any display pages that are directly used for operation can be accessed by two clicks. Multiple methods
are provided to allow access to the operator console display set. The access mechanisms are designed
to allow convenient and rapid access to all operator console display pages by the operator.
Display page access using display page directory
Information display page access is accomplished primarily through the use of display page directory
located in the frame of the display pages. Via this approach, logically organized display menus and
display directories are utilized to allow the operator to navigate to the desired display page. This
navigation method permits access to any system display with two clicks.
Direct access
Display pages may be accessed directly without navigating through the menu or directory hierarchies.
Two specific approaches are implemented as follows:
Dedicated display access in which certain display pages, which are deemed important enough to
have an immediate access capability, are provided with a direct access mechanism.
Format chaining in which each display page within information display hierarchy is 'linked'
(associated) with other related display pages or soft control HSIs or other information (such as
technical data sheets). The format chaining process (which is activated via a simple VDU
interaction by the operator) allows rapid and convenient access to other display pages,
information or soft control HSIs, directly from the current display page.
Control link
The control link allows the operator to quickly select a controller on the soft control directly from the
information display. Format chaining for safety-related components 'links' controllable components that
appear on the ESF-CCS soft control FPD with their associated control template.
For non-safety related components, the format chaining 'links' controllable components that appear on the
information FPD display pages with their associated soft control. This access mechanism, from
information display to soft control, is provided to simplify the control selection process and to reduce the
mental workload of device selection. Once the component (or process symbol) on an information display
is designated, the related control device is automatically selected on the corresponding soft control.
Figure 3-11. A Sample of Soft Control
3.4.2.3 Historical Data Storage and Retrieval
All alarm information will be collected and stored by the IPS. Alarm activity (i.e., time in, priority, time
acknowledged, time cleared and time reset) is stored along with the description of the alarm and any
pertinent information that may be required by the operator or the TSC. It also stores a record of trends for
particular data points within the plant.
3.4.2.4 Conformance to HFE Requirements
The following high level design principles are key to the design of the operator console display hierarchy.
Consistency
IPS displays serve as the primary interface for access to plant information in the MCR. They present a
diverse range of information from a variety of sources including application programs. IPS displays are
also a focal point in accessing other HSI resources, of particular note format chains to soft control and
CBP. In these widely varying roles and interaction with other HSI resources, maintaining consistency in
the navigation, conventions and information presentation formats within the IPS displays and with other
HSI is critical.
Task usability
IPS displays are a primary source of obtaining information for plant operators in the MCR. They are
designed with consideration of task requirements, as well as the intended users, both at the control room
operator consoles and in other locations. Providing directly usable information, not raw data, is an
important consideration due to the breadth of data that is available in the IPS. Other considerations
pertinent to IPS display design include limiting required memorization and providing calculated
information so that the operators are not required to perform repetitious calculations.
Structure/organization
The IPS is the focal point for obtaining information for monitoring tasks in the MCR. In addition, due to the
breadth of the IPS scope, it has significantly more display pages than other HSI resources. Accordingly,
careful consideration of the structure and organization of IPS displays is warranted. The organization
should be clear to the operators and based on straightforward rules, such as the breakdown of plant
systems and conformance to the plant P&IDs. Convenient access to other information and displays
through clearly defined navigation methods is also important to fulfilling the IPS function.
Feedback
During the design of IPS display pages, an important consideration is its role in providing feedback to the
operators regarding system changes and the effect of control actions. The IPS feedback role is integrated
with soft controls, since fixed location feedback from control switches is limited to the displays in the MCR.
3.4.3 Computer-Based Procedure System
The CBP is a computer-based operator support system that enables the operating crew to execute
operation procedural steps with much reduced secondary tasks. It presents an overview and instructions
of a procedure and related process information and controls that need to be cross-referenced to execute
the procedure. The procedure display is used by the operator in conjunction with other types of displays.
3.4.3.1 Operation of CBP System
Basically the same operating process as in a conventional control room is maintained. SS has the overall
control over the execution of the procedure. RO and TO execute the procedural steps that are assigned
to them by SS. EOP is executed by the operating crew in coordination. Some procedures such as SOPs
can be executed by a single operator. The CBP supports coordination among operators. When an
operating crew executes a single procedure, the steps that the other operators are currently working on
are shown on the overview pane and SS who is in charge of coordination issues verbal orders.
3.4.3.2 Display Location of CBP
CBP can be displayed in the following locations:
SS console
STA console
RO console
TO console
EO console
Switching the procedure display VDUs does not result in the loss of place keeping information. When an
operator does not use CBP, the operator can use all the console displays for other purposes.
3.4.3.3 Multiple Procedures Execution
CBP supports the concurrent execution of multiple procedures. However, switching between procedures
is initiated by an operator. Thus, procedure display should provide adequate information to help the
operator to switch among procedures without making mistakes.
3.4.3.4 Procedure Initiation
There are multiple methods to initiate a procedure:
Selecting a procedure among procedure list can initiate a procedure. Since all procedures are
categorized, an operator can select a category to narrow down the search items.
Executing an instruction in a procedure can switch to another procedure.
Selecting a procedure in a system (mimic) display can initiate a procedure.
3.4.3.5 Place Keeping of Procedure Execution
CBP keeps track of steps in the procedure being executed. Every step can have one of the following
states: "Executed", "Being Executed" or "Not Executed". The states are distinguished by appropriate
coding. From the opening to the closing of a procedure, place keeping information is recorded and shown
subsequently.
3.4.3.6 Management of Continuously Applied Steps
Monitoring of the continuously applied steps is supported by CBP. As an operator typically executes a
procedure step by step, the continuously applied step is registered to the CBP monitoring function. After
the registration, CBP continuously evaluates the registered step in background. Whenever the entry
condition of the step is met, procedure display informs operator of the fact.
3.4.3.7 Cross Referencing Aids
All the process information and control components that are cross referenced in the instruction are
presented near the associated instructions so that an operator can easily evaluate the instruction. System
mimic displays, graphs, and tables are directly accessed by format changes from procedure display.
3.4.3.8 Checking Aids
The entry condition of the current step and/or the completion of current step objectives are evaluated by
the computer based on the process information and/or operator actions per instructions. The operator has
ultimate control over the decision of computer and is able to override the computer's evaluation results.
The operator initiates every transition among procedures and every transition among steps.
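The behaviour described in Sections 3.4.3.5 through 3.4.3.8 can be modelled as a small state machine. The following is an added illustration, not code from the report or from the CBP itself. It shows place keeping, registration of continuously applied steps, and a checking aid whose result is advisory while the operator initiates every transition. All class, method, and basis-label names are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple

Plant = Dict[str, float]  # snapshot of process values (constructed by the caller)

class StepState(Enum):
    NOT_EXECUTED = "Not Executed"
    BEING_EXECUTED = "Being Executed"
    EXECUTED = "Executed"

@dataclass
class Step:  # hypothetical model, not the report's data structure
    step_id: str
    done: Callable[[Plant], bool]                    # completion check
    entry: Callable[[Plant], bool] = lambda p: True  # entry condition
    continuous: bool = False                         # continuously applied step
    state: StepState = StepState.NOT_EXECUTED

@dataclass
class Procedure:
    steps: List[Step]
    current: int = 0
    monitored: List[Step] = field(default_factory=list)
    record: List[Tuple[str, str, str]] = field(default_factory=list)

    def _mark(self, step, state, basis):
        step.state = state
        self.record.append((step.step_id, state.value, basis))  # place keeping

    def start(self):
        self._mark(self.steps[0], StepState.BEING_EXECUTED, "operator")

    def operator_advance(self, plant, override=False):
        """Step transitions happen only here, on operator request."""
        step = self.steps[self.current]
        agreed = step.done(plant)  # computer's evaluation is advisory
        if step.state is not StepState.BEING_EXECUTED or not (agreed or override):
            return False
        self._mark(step, StepState.EXECUTED, "computer-agreed" if agreed else "operator-override")
        if step.continuous:
            self.monitored.append(step)  # register with the monitoring function
        if self.current + 1 < len(self.steps):
            self.current += 1
            self._mark(self.steps[self.current], StepState.BEING_EXECUTED, "operator")
        return True

    def background_scan(self, plant):
        """List registered steps whose entry condition is met; changes no state."""
        return [s.step_id for s in self.monitored if s.entry(plant)]
```

Recording the basis of each transition ("computer-agreed" or "operator-override") alongside the place-keeping state gives a reviewable trail of where the operator overrode the computer's evaluation.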
3.4.3.9 Procedure Display Format
The procedure displa