  • KEPCO & KHNP Basic HSI Platform APR1400-E-J-NR-12009-NP, Rev. 0

    KEPCO & KHNP

    Basic Human-System Interface Platform

    Technical Report

    September 2013

    Copyright ⓒ 2013

    Korea Electric Power Corporation & Korea Hydro & Nuclear Power Co., Ltd

    All Rights Reserved

    Non-Proprietary

    Revision History

    Revision    Page (Section)    Description
    0           All               Issue for Standard

    This document was prepared for the design certification application to the U.S. Nuclear Regulatory Commission and contains technological information that constitutes intellectual property. Copying, using, or distributing the information in this document in whole or in part is permitted only by the U.S. Nuclear Regulatory Commission and its contractors for the purpose of reviewing design certification application materials. Other uses are strictly prohibited without the written permission of Korea Electric Power Corporation and Korea Hydro & Nuclear Power Co., Ltd.

    ABSTRACT

    The Basic Human-System Interface (HSI) Platform provides an overview of the HSI design descriptions of the reference plant, including the main control room (MCR), remote shutdown room, technical support center, emergency operations facility, and safety-related local control stations. The MCR design includes operator consoles, a safety console, and a large display panel (LDP). HSI resources are controls, alarms, information displays, the LDP, and computer-based procedures. Critical function monitoring, success path monitoring, accident monitoring instrumentation, and bypassed and inoperable status indication are implemented using the HSI resources in an integrated fashion.

    TABLE OF CONTENTS

    1.0 OVERVIEW
      1.1 Purpose
      1.2 Scope
      1.3 Comparison between System80+ and APR1400 HSI Design
    2.0 METHODOLOGY
      2.1 HSI Design Inputs
      2.2 Concept of operations
    3.0 MAIN CONTROL ROOM DESIGN DESCRIPTION
      3.1 Main Control Room Configuration
      3.2 Main Control Room Environment and Communication
      3.3 Control
      3.4 Information Display
      3.5 QIAS-N display
      3.6 ESCM display
      3.7 QIAS-P display
      3.8 Diverse Indication System display
      3.9 Alarms
      3.10 Labeling and Demarcation
      3.11 Emergency Response Facility
    4.0 REMOTE SHUTDOWN ROOM DESIGN DESCRIPTION
      4.1 Remote Shutdown Room Configuration
      4.2 Remote Shutdown Room Layout
      4.3 Control
      4.4 Information Display
      4.5 Alarm
      4.6 Labeling and Demarcation
    5.0 TECHNICAL SUPPORT CENTER
    6.0 EMERGENCY OPERATIONS FACILITY
    7.0 REFERENCES

    List of Appendix

    Appendix 1. Comparison between System80+ and APR1400 HSI Design

    LIST OF FIGURES

    Figure 2-1. A Sample Diagram of Hierarchical Task Analysis

    Figure 3-1. Schematic for Main Control Room

    Figure 3-2. Horizontal Viewing Angle from RO Console to LDP

    Figure 3-3. Horizontal Viewing Angle from TO Console to LDP

    Figure 3-4. Horizontal Viewing Angle from EO Console to LDP

    Figure 3-5. Horizontal Viewing Angle from SS Console to LDP

    Figure 3-6. Horizontal Viewing Angle from STA Console to LDP

    Figure 3-7. Horizontal Viewing Angle from Meeting Room to LDP

    Figure 3-8. Horizontal Viewing Angle from Meeting Room to Operator Console

    Figure 3-9. Example of Soft Control on ESCM

    Figure 3-10. LDP Arrangement

    Figure 3-11. A Sample of Soft Control

    Figure 3-12. Primary System Directory Page in the ESCM

    Figure 3-13. Secondary System Directory Page in the ESCM

    Figure 3-14. System Mimic Display in the ESCM

    Figure 3-15. Safety Related Soft Control on ESCM

    Figure 4-1. Schematic Diagram for Remote Shutdown Room

    List of Tables

    Table 2-1. The Major OER Issues Associated with HSI Design

    Table 2-2. Success Paths of basic platform

    Table 2-3. Success Path Allocations for Reactivity Control

    Table 2-4. Success Path Allocations for Maintenance of Vital Auxiliaries

    Table 2-5. Success Path Allocations for RCS Inventory Control

    Table 2-6. Success Path Allocations for RCS Pressure Control

    Table 2-7. Success Path Allocations for Core Heat Removal

    Table 2-8. Success Path Allocations for RCS Heat Removal

    Table 2-9. Success Path Allocations for Containment Isolation

    Table 2-10. Success Path Allocations for Containment Environment

    Table 2-11. Success Path Allocations for Radiation Emission

    Table 2-12. Risk-Important HAs

    Table 2-13. The Number of Operating Crew

    Table 3-1. The Number of Operating Crew

    List of Acronyms

    BISI      bypassed and inoperable status indication
    BOP       Balance of Plant
    CBP       computer-based procedure
    CCF       common-cause failure
    CFM       critical function monitoring
    CFR       Code of Federal Regulations
    CIAS      containment isolation actuation signal
    CLD       control logic diagram
    CPC       core protection calculator
    CSF       critical safety function
    CVCS      chemical and volume control system
    DMA       diverse manual ESF actuation
    EDG       emergency diesel generator
    EO        electrical operator
    EOF       emergency operating facility
    EOG       emergency operating guideline
    EOP       emergency operating procedure
    ESCM      ESF-CCS soft control module
    ESF       engineered safety features
    ESF-CCS   engineered safety features-component control system
    ESFAS     engineered safety features actuation system
    FA        function allocation
    FRA       functional requirements analysis
    FPD       flat panel display
    HA        human action
    HED       human engineering discrepancy
    HF        human factor
    HFE       human factors engineering
    HFEPP     human factors engineering program plan
    HRA       human reliability analysis
    HSI       human-system interface
    HVAC      heating, ventilation, and air conditioning
    I&C       instrumentation and control
    ICR       information and control requirement
    IPS       information process system
    ISV       integrated system validation
    ITS       issue tracking system
    LCS       local control station
    LDP       large display panel
    LO        local operator
    MCR       main control room
    NSSS      nuclear steam supply system
    OER       operating experience review
    P-CCS     process-component control system
    PAR       passive autocatalytic recombiner
    PPS       plant protection system
    PRA       probabilistic risk assessment
    QIAS-N    qualified indication and alarm system-non-safety
    QIAS-P    qualified indication and alarm system-p
    RMS       radiation monitoring system
    RO        reactor operator
    RSC       remote shutdown console
    RSR       remote shutdown room
    SODP      shutdown overview display panel
    SPADES+   safety parameter display and evaluation system +
    SS        shift supervisor
    STA       shift technical advisor
    TA        task analysis
    TO        turbine operator
    TSC       technical support center
    V&V       verification and validation
    VDU       video display unit
    SPDS      safety parameter display system

    1.0 OVERVIEW

    1.1 Purpose

    The objective of the Basic Human-System Interface (HSI) Platform is to document the HSI design scope, including the translation of function and task requirements into the detailed design of alarms, displays, controls, and other aspects of the HSI through the systematic application of human factors engineering (HFE) principles and criteria.

    1.2 Scope

    Basic HSI Platform describes HSI design inputs, concept of operations, and design description of the

    main control room (MCR), the technical support center (TSC), the emergency operations facility (EOF),

    the remote shutdown room (RSR), and safety-related local control stations (LCSs). The inputs include

    analysis of personnel task requirements (including operational experience review, functional requirement

    analysis and function allocation, task analysis (TA), staffing/qualifications and job analyses), system

    requirement, regulatory requirements, and other requirements.

    1.3 Comparison between System80+ and APR1400 HSI Design

    During the APR1400 HSI concept design development, Korea Hydro & Nuclear Power Co., Ltd. performed a comprehensive survey and review of the MCR designs used in advanced reactor plants around the world, including System 80+, French N4, and Japanese APWR, to establish the MCR design concept. Based on System 80+, the requirements from the US EPRI Utility Requirement Document (Reference 1) were applied to the APR1400 HSI design. Appendix 1 includes a comparison between the System 80+ and APR1400 HSI.

    2.0 METHODOLOGY

    2.1 HSI Design Inputs

    2.1.1 Analysis of Personnel Task Requirements

    2.1.1.1 Operational Experience Review

    The major operational experience review (OER) issues associated with HSI design are incorporated into the

    HSI design as the design requirements. Table 2-1 includes the major OER issues associated with each of the

    HSI design elements.

    Table 2-1. The Major OER Issues Associated with HSI Design

    2.1.1.2 Functional Requirement Analysis and Function Allocation

    The critical functions and their success paths, and the operator's role in implementing them are described in

    functional requirement analysis and function allocation (FRA/FA). The success paths are then evaluated

    against the identified allocation criteria to verify the acceptability of the allocation of control of safety functions

    in the design.

    Critical Safety Functions (CSFs)

    Safety functions are physical processes, conditions, or actions relied on to maintain the plant within acceptable design basis limits (i.e., to ensure safe shutdown, to maintain plant condition within safety limits, to prevent core melt and to ensure radiation releases do not exceed the limits of 10 CFR 50.34).

    These functions may be performed by automatic or manual actuation and/or regulation, from passive system

    performance or from natural feedback in the plant design. The composition of the safety functions is

    unchanged for a given type of plant design.

    Success Paths

    The success paths for the CSFs have been developed. A high level "functional" comparison of the major

    success paths for the basic platform CSFs is provided in Table 2-2.

    Table 2-2. Success Paths of basic platform

    Operator's Role and Safety Functions

    The operator, along with automated systems and inherent and passive plant features, is part of the defense-in-depth approach to assure that safety functions are maintained. Specifically, the operators' role in executing safety functions can be summarized as follows:

    - Monitor the plant to verify that the safety functions are being accomplished
    - Actuate and control those systems that are not fully automated
    - Intervene where the automatically actuated systems are not operating as intended

    The first item represents a supervisory role for operators. The second item represents manual tasks that the operator is normally expected to perform. The third item represents a back-up role for operators; it implies the use of automatic, passive or inherent system features as a first line of safety defense. Manual and automatic allocations in safety system operation are identified. Detailed specification of the operators' role in executing safety functions is provided by the actions and contingencies of the Emergency Procedure Guidelines.

    Allocation Data

    To evaluate the acceptability of allocations to the operators' safety role, Tables 2-3 through 2-11 provide a summary of the safety function allocations in comparison to the criteria.

    The data fields of Tables 2-2 through 2-11 are defined as follows:

    - Critical functions and success paths: Per the contents of Table 2-2.
    - Protective system or commodity: Whether or not this is a system relied on (i.e., credited) by Chapter 15 to mitigate design basis events (DBEs) by performing the specified safety function.
    - 10 CFR 50 allocation requirements: General or specific allocation requirements from 10 CFR 50 (Reference 2).
    - NUREG/CR-3331 (Reference 3) allocation requirements: The acceptance path resulting from application of the criteria.
    - Auto initiation: The equipment that generates automatic protective action initiates a protective system to achieve the safety function.
    - Manual initiation: Whether or not the operator is afforded a means to manually initiate the protective action.
    - Control modes: After initiation, the manual and/or automatic elements of a control system configuration maintain the safety function throughout the limiting DBE. These are categorized as follows:
      - Automatic (Auto): A configuration that is completely automatic without a means for manual action.
      - Automatic-AND-Manual (AAM): A configuration that can be provided both manually and automatically. The operator has the capability to provide manual actuation at any time, but does not have the capability to defeat the automatic actuation. This strategy tends to increase the likelihood of executing the function. It implies manual control is redundant to fully automatic control.
      - Automatic-OR-Manual (AOM): A configuration that can be provided both manually and automatically. The operator has the capability to select the mode of actuation, which can defeat automatic actuation. This strategy tends to provide increased flexibility to the operator.
      - Automatic-XOR-Manual (AXM): A configuration that can be provided both manually and automatically. Actuation responsibilities are shared between the human and machine components. While there may be some functional overlap, there is no complete redundancy. This actuation scheme exists because the operator has a continuous manual interface that affects the actuation setpoint for the component.
      - Manual: A fully manual configuration without a means for automatic actuation.
    - Justification for solely manual initiation/control of protection (IEEE Std. 603) (Reference 4): For protective systems, an explanation of why some portion of the safety function has not been automated.

    The results of the FRA/FA aim to provide a descriptive evaluation of the allocation of CSFs in the design. The conclusions of this evaluation are summarized as follows:

    - CSF success paths and their FAs are specified in Tables 2-2 through 2-11.
    - The basic platform meets safety-related requirements for allocation of function.

    Table 2-3. Success Path Allocations for Reactivity Control

    Table 2-4. Success Path Allocations for Maintenance of Vital Auxiliaries

    Table 2-5. Success Path Allocations for RCS Inventory Control

    Table 2-6. Success Path Allocations for RCS Pressure Control

    Table 2-7. Success Path Allocations for Core Heat Removal

    Table 2-8. Success Path Allocations for RCS Heat Removal

    Table 2-9. Success Path Allocations for Containment Isolation

    Table 2-10. Success Path Allocations for Containment Environment

    Table 2-11. Success Path Allocations for Radiation Emission

    2.1.1.3 Task Analysis

    The TA results are briefly described in this section.

    Functions / Tasks / Task Elements by Event

    Figure 2-1 provides an example of hierarchical TA structure. All analyzed functions, tasks and task elements

    are stored in TA database, and these results will be described.

    Figure 2-1. A Sample Diagram of Hierarchical Task Analysis

    Parameter Usage

    The TA database is sorted to identify all required display and control inventory for each event. This allows the use of this information as a reference for display and control design, and these results will be described.

    Information and Control Requirements

    The TA activity related to determining ICRs consolidates the characteristics required for each parameter. Characteristics such as the type, range, accuracy, and unit of parameters can be developed, and the results will be described.

    Error / Behavior Implication / Comments List

    The TA database is sorted to identify potential human errors, complex operator decision making, and operators' comments on design improvements. These are based on operator interviews, and these results will be described.

    Minimum Inventory of Fixed Position Alarms, Displays and Controls

    A subset of the identified alarms, displays, and controls is specified as the MCR minimum inventory

    required to execute the emergency operating guidelines (EOGs). Within this scope, the following criteria

    are used to identify minimum inventory entries, and these results will be described.

    Alarms and displays

    - CSF status

    - Preferred/credited success path performance indications

    - Indications required to verify safe shutdown

    - USNRC Regulatory Guide (RG) 1.97 (Reference 5) Type A, B, C variables

    - Indications and alarms for risk-important human actions (HAs)

    Controls

    - Preferred/credited success path component (i.e., in major flow path)

    - Components required to perform safe shutdown

    - Controls for risk-important HAs

    - Controls requested by the HFE V&V

    The MCR Minimum Inventory is provided as fixed HSI. The term fixed position refers to the unique location on the large display panel (LDP) and the safety console for alarms, displays, and controls defined for the parameters in the MCR Minimum Inventory.

    AV assures consistency between these requirements and the completed system I&C inventories, as well

    as between the system I&C inventories and the as-built HSI.

    The risk-important HAs are listed and provided to the task analysts to re-evaluate TA in detail. The risk-important HAs are shown in Table 2-12.

    Table 2-12. Risk-Important HAs

    2.1.1.4 Staffing/qualifications and job analysis

    Plant staffing is based on experience with previous plant operation and the staffing level of the basic platform. The MCR staffing assumption used in the development of the basic platform is discussed in section 3.1. The staffing requirements for the RSR are discussed in section 4.1. It is developed based on the following information and references: (1) operating experiences with predecessor plants, (2) operating experience review documents, (3) utility requirements and human factors guidelines relevant to APR1400 design, and (4) government regulations. The initial staffing levels are iteratively evaluated for acceptability, and modified as basic platform HFE design and evaluation proceeds. The result of the staffing assumption will be described.

    2.2 Concept of operations

    2.2.1 Crew composition

    The basic platform MCR is designed to provide operational flexibility to accommodate a wide range of

    MCR staffing requirements. A staffing assumption is established to accommodate design and validation of

    the HSI system.

    Table 2-13. The Number of Operating Crew

    Number of Operator    Position Title
    1                     Shift Supervisor (SS)
    1                     Reactor Operator (RO)
    1                     Turbine Operator (TO)
    1                     Electrical Operator (EO)
    1                     Shift Technical Advisor (STA)

    2.2.2 Roles and responsibilities of individual crew members

    Shift Supervisor (SS)

    The SS is responsible for coordinating all activities within the plant that may affect operations. This

    includes direct supervision of the operators in the MCR as well as activities outside the control room

    (maintenance, etc.). The SS shall have a work space located within the MCR. The SS shall hold a valid

    senior reactor operator’s license.

    Reactor Operator (RO)

    The RO is “the operator at the controls” for purposes of regulatory compliance and is responsible for

    making all reactivity manipulations. The RO will coordinate plant evolutions with the turbine operator as

    necessary to maintain control of the nuclear steam supply system (NSSS). At least one licensed operator

    must remain in the control area at all times. The RO is responsible to the SS. The RO shall hold a valid

    reactor operator’s license.

    Turbine Operator (TO)

    In general, the TO is responsible for manipulating the controls for Balance of Plant (BOP) and turbine

    systems. The TO is responsible to the SS and shall coordinate with the RO prior to making any control

    manipulations which will directly affect the heat balance or reactivity control of the NSSS. The TO will

    normally remain in the MCR, but may leave the MCR for specific tasks when directed by the SS.

    Electrical Operator (EO)

    The function of the EO is the operation of the main generator, emergency diesel generator (EDG), electrical distribution breaker, and other activities (i.e., fire protection, heating ventilation and air conditioning (HVAC), radiation monitoring system (RMS), contact with electric load dispatcher) assigned by the technical and administrative procedure of the specific plant in the MCR. The EO is responsible to the SS.

    Shift Technical Advisor (STA)

    The STA advises the SS on safe plant operation. The staff shall have a work space located within the MCR and perform the tasks that are mandated by the SS.

    2.2.3 Personnel interaction with plant automation

    2.2.3.1 Overriding automatic system

    A priority interlock shall be incorporated in the engineered safety features-component control system (ESF-CCS) to block any effect from an ESCM on the ESF-CCS when ESF actuation is in progress.

    ESFAS signals from the PPS and manual ESF system level actuation switches shall override soft control signals at all times. The operator can override the ESF-2 interlock by using the ESCM if the plant condition is in a safe status. This will be reflected in the System Designer's CLDs. The safety command signals are categorized into ESF-1 and ESF-2 as follows:

    - ESF-1: This safety command signal cannot be overridden.
    - ESF-2: This safety command signal can be subsequently overridden by the operator.

    Once the safety command signal is overridden, it continues to be blocked until it is reactivated.
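
    The override rules of Section 2.2.3.1, written out as a small state model. This is an added example, not logic from the report or from the ESF-CCS design: the `Channel` class, its method names, the component states, the boolean `plant_safe` input and the explicit `reactivate()` call are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    ESF_1 = "ESF-1"  # safety command signal cannot be overridden
    ESF_2 = "ESF-2"  # safety command signal can subsequently be overridden


@dataclass
class Channel:
    """Command arbitration for one component (hypothetical model, not plant logic)."""
    name: str
    category: Category
    safe_state: str            # state demanded by the safety command
    state: str                 # state currently commanded to the component
    esf_active: bool = False   # ESFAS from the PPS or a manual system-level switch
    overridden: bool = False   # latched operator override of the safety command

    def safety_command_in_effect(self) -> bool:
        return self.esf_active and not self.overridden

    def actuate(self) -> None:
        """ESF actuation. It takes priority over soft control at all times."""
        self.esf_active = True
        # While the override latch is set the command stays blocked
        # ("continues to be blocked until it is reactivated").
        if not self.overridden:
            self.state = self.safe_state

    def soft_control(self, command: str) -> bool:
        """Soft control request from an ESCM. Returns True if it took effect."""
        if self.safety_command_in_effect():
            return False  # priority interlock: no effect from the ESCM
        self.state = command
        return True

    def request_override(self, plant_safe: bool) -> bool:
        """Operator override via the ESCM. Only ESF-2, only if the plant is safe.

        How 'safe status' is determined is not given on the page, so it is
        passed in as a boolean (assumption).
        """
        if not self.esf_active:
            return False  # nothing to override
        if self.category is Category.ESF_1 or not plant_safe:
            return False
        self.overridden = True
        return True

    def reactivate(self) -> None:
        """Clear the override latch. The page does not say what event
        reactivates the signal, so it is an explicit call here (assumption)."""
        self.overridden = False
        if self.esf_active:
            self.state = self.safe_state


def run_scenario(category: Category) -> list:
    """Drive one constructed component through the same steps and record
    (step, accepted, resulting state) for each of them."""
    ch = Channel("VALVE-X (constructed)", category, safe_state="CLOSED", state="OPEN")
    trace = []
    ch.actuate()
    trace.append(("actuate", None, ch.state))
    trace.append(("soft OPEN", ch.soft_control("OPEN"), ch.state))
    trace.append(("override, plant not safe", ch.request_override(False), ch.state))
    trace.append(("override, plant safe", ch.request_override(True), ch.state))
    trace.append(("soft OPEN", ch.soft_control("OPEN"), ch.state))
    ch.reactivate()
    trace.append(("reactivate", None, ch.state))
    trace.append(("soft OPEN", ch.soft_control("OPEN"), ch.state))
    return trace


if __name__ == "__main__":
    for cat in Category:
        print(cat.value)
        for step, accepted, state in run_scenario(cat):
            print(f"  {step:<26} accepted={accepted!s:<5} state={state}")
```

    In the ESF-1 run every soft control and override request is refused and the component stays in its safe state; in the ESF-2 run the soft control only takes effect after an override granted with the plant in a safe status, and is refused again once the signal is reactivated.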

    2.2.4 Use of control room resources by crew members

    2.2.4.1 MCR control and monitoring systems

    Five consoles — Each console contains a set of interactive, selectable, information displays, alarm

    acknowledge buttons, control confirm switches and soft control (popup) needed to remotely operate and

    monitor systems and components within the plant. The console and the LDP are the primary control and

    monitoring devices in the control room.

    All MCR consoles (i.e., those designed for the SS, RO, TO, EO and STA) are designed to accommodate

    single failures of hardware. Each console should contain a sufficient quantity of redundant hardware for

    each type of I&C equipment (e.g., information FPDs, switches, communications equipment) so that a

    single failure of a processor, power supply, display device, control device, or communication device does

    not cause the operator to operate the plant from another location.

    In addition to monitoring and control, the console will have special applications designed to aid the operator, such as computer-based procedures (CBPs) and information management.

    2.2.5 Coordination of crew member activities

    2.2.5.1 Large display panel

    The LDP provides the variable displays for crew coordination and information such as parameter trend,

    display for specific mode operation. Operators at the RO, TO, EO, SS, and STA consoles can select

    displays for any display section of the LDP independent of what is displayed on their information FPD via

    communication with the for operator workstations that drive the LDP sections.

    2.2.5.2 Communication Systems

    Voice communication inside and outside of the MCR is essential to the coordination of plant operations.

    Various communication devices are used to ensure efficient voice transmission in the design.

    3.0 MAIN CONTROL ROOM DESIGN DESCRIPTION

    3.1 Main Control Room Configuration

    The MCR configuration was developed through an evolutionary process beginning with the reference

    design configuration. Considerations influencing the design include plant system configurations for the

    basic platform, post-TMI indication requirements, improved methods of alarm and display, and the Style

    Guide (Reference 6). The following sections document staffing assumption, relevance to the Style Guide,

    evaluation of configuration candidates, and design of the MCR configuration.

    3.1.1 Definition of term

    Main operating area

    The area between and including operator consoles (RO, TO/ EO, STA, and SS), safety console and LDP

    from which plant monitoring and control actions are taken.

    Main control room

    The entire area including the main operating area, auxiliary panels area, and meeting room.

    3.1.2 Staffing Assumption

    The MCR is designed to provide operational flexibility to accommodate a wide range of MCR staffing

    requirements. A staffing assumption is established to accommodate design and validation of the HSI

    system.

    Table 3-1. The Number of Operating Crew

    Number of Operator    Position Title
    1                     Shift Supervisor (SS)
    1                     Reactor Operator (RO)
    1                     Turbine Operator (TO)
    1                     Electrical Operator (EO)
    1                     Shift Technical Advisor (STA)

    3.1.3 Workspace and MCR configuration criteria

    The development and evaluation of MCR configurations require a comprehensive set of HFE criteria related to workspace design.

    Workspace and configuration criteria are based on requirements defined in the Style Guide for the HSI. Specific configuration criteria utilized for design of the MCR are listed below:

    - All of the MCR operator consoles are designed to accommodate the 5 to 95 percentiles of the adult male population.
    - At a sit-down operator console, an operator is able to monitor all plant information and control plant processes from a seated position.
    - In the main operating area, operators have proper line of sight to all information and controls related to a given task.
    - Operators are able to integrate and associate information and controls across all operator consoles.
    - Adequate work surface (including document lay down space) is provided at, or near, MCR operator console for paper based procedures, schematics and other documents without interfering with display viewing or control manipulation.
    - All desks and chairs in the MCR are designed for usability and comfort.
    - Chairs provided for sit down operator consoles have roller wheels for easy movement within the operator console.
    - Operators have unimpeded physical access from one operator console to another.
    - Adequate passage way between operator console and other work areas is provided.
    - No obstacles (file cabinets, etc.) are located in the main operating area to ensure safe and unimpeded movement within main operating area.
    - Designated workspace is provided for the SS with unimpeded visual access to LDP and the main operating area.
    - Adequate storage is provided for reference documents and drawings at a readily accessible location.
    - Commodities such as storage for equipment and supplies are provided for personnel who work in the MCR on a periodic basis.

    3.1.4 Reference Design Configuration

    The HSI system design is being developed with review of the reference design. The design approach is

    based on a compact operator console type MCR design where monitoring and control activities are

    normally performed on selectable operator console display devices and soft controls. Fixed indication

    information for plant overview and safety assessment is primarily provided by LDP which is sized for

    viewing by operating staff in the main operating area.

    3.1.5 Reference Design Evaluation Results

    The first phase of the configuration development process evaluated the reference design configuration and the compact operator console design with respect to the operational requirements and the HFE criteria identified previously. The following design considerations from the various reviewed designs are applied to basic platform criteria:

    - The compact console design would use multiple identical and redundant consoles where at each console one person has access to all information and controls necessary to safely operate the plant.
    - The LDP has an important role in the MCR. In addition to providing overview and safety information, the LDP provides fixed indication of high priority alarms via alarm tile and incorporates a variable display section to support current operating goals.
    - The safety console is provided for fixed position and qualified control switches and operator modules for control of core protection calculators, and the plant protection system.

    3.1.6 Console Configurations and Evaluations

    In meeting the design goals of basic platform design, console configurations are analyzed. Design issues

    to be analyzed include:

    Visibility and size of LDP

    Communication between operators and other MCR staff

    Working area at console, laydown space

    Maintainability of consoles

    The MCR design configuration is depicted in Figure 3-1 and provides five redundant consoles, each of

    which has capability to control all power plant processes. A typical utility staffing configuration of these

    operator consoles is as follows:

    Left front console - RO

    Middle front console - TO

    Right front console - EO

    Left rear console - SS

    Right rear console - STA

    3.1.7 Functions and HFE Considerations for MCR Facilities

    The main operating area in the MCR contains five operator consoles, the safety console and the

    monitoring console. Additionally, the MCR provides an LDP, tables and desks, and a meeting room near the

    MCR.

    The function and characteristics of each of these operational features are discussed in this section.

    Important HFE considerations related to workspace design are also discussed. These include workspace

    visibility, mobility, access, operator furnishings, and console profiles.

    3.1.7.1 Operator Console

    Each of the three front consoles is designed to be used by one operator and two rear consoles are

    assigned to SS and STA respectively. Each operator console provides devices for access to all

    information and controls necessary for one person to monitor and control all processes associated with

    nuclear plant operation and maintaining the plant in a safe condition.

    The front operator consoles are linked together to provide good communications for the normal staffing

    assignment of RO, TO, and EO. The two rear operator consoles are assigned to the SS and STA, who use the

    operator console features for monitoring only. The rear operator consoles would also serve as an

    alternate operator console to be used for plant monitoring and control in the event of a failure of one of

    the front operator consoles (where monitoring and control capability of an operator console was

    degraded). Each operator console contains:

    Multiple FPDs that support process monitoring and control with pointing devices

    ESF-CCS soft control FPDs.

    Laydown space for logs, drawings, documents, paper procedures, etc.

    3.1.7.2 Monitoring console

    The monitoring console is located in the following areas to monitor the plant operating status and

    supports the MCR operators with verbal and other suitable means of communication.

    Meeting room near the MCR

    Local operator's office

    Technical support center

    Emergency operation facility

    3.1.7.3 Auxiliary Panel

    Space is provided for the auxiliary panel at the back of the LDP. The auxiliary panel contains fire

    protection instrumentation, closed circuit television equipment, printers, etc.

    3.1.7.4 Meeting Room

    The MCR provides a meeting room near the MCR for MCR personnel who are not actively engaged in

    operation activities in the main operating area. This assures that the design of the meeting room is

    integrated into the overall control room design philosophy.

    Provisions of the meeting room allow flexibility for utility preferences and accommodate varying plant

    conditions and staffing requirements. This meeting room is depicted in Figure 3-1.

    These provisions include viewing of the main operating area to allow monitoring of the activities being

    performed and to allow intelligible verbal communication among the operating staff.

    The operators can monitor the plant overview status information on the LDP without leaving the office.

    This provides a fixed constant overview that directs them to more detailed information on their information

    displays if necessary. The meeting room also provides easy and quick access to the main operating area

    should the operating staff require assistance.

    The visual and telephone communication between the main operating area and the meeting room is provided.

    Figure 3-1. Schematic for Main Control Room

    3.1.7.5 Main Control Room Furnishings

    This section describes HFE considerations related to furnishings for operators within the MCR. The

    issues addressed include furniture, document storage and laydown space.

    Furniture

    The main operating area is provided with sufficient quantities of tables, desks and chairs to support the

    operating staff expected in the MCR. A desk space of operator consoles and table is provided as typically

    shown in Figure 3-1. The table and desk space serves as a work area for operators in the main operating

    area where no active monitoring or control actions are to be performed at the operator consoles.

    Locations of the desk provide visibility to the entire main operating area. The desk is designed in

    accordance with desk dimensions required in the Style Guide. The desk height conforms to the Style

    Guide. Chairs are provided in the main operating area at the operator consoles, desks, and at the safety

    console as typically shown in the Figure. Each chair is designed according to the requirements of the

    Style Guide for the operator at seated position. Chairs have adjustable heights and are on wheels to

    facilitate seated movement, particularly at the operator consoles.

    Document laydown space

    Adequate space is provided in the main operating area for laying down procedures, manuals and other

    reference materials while they are in use. Laydown space for a longer term use that does not require

    control actions is provided at the main operating area desk.

    Reference document storage

    Adequate reference document storage space is provided in the MCR. Permanent storage space is

    provided on MCR desks and in the main operating area. Additional storage and storage of large drawings

    are provided in the storage room outside the main operating area. This is typically shown on Figure 3-1

    and the location is convenient to access from the main operating area and the meeting room near the

    MCR. The operators' support office also has space designed for document storage.

    3.1.7.6 Console Profile

    The console profile is designed to support seated operation for each operator console and the safety

    console. This profile is based on anthropometric data of the 95th to the 5th percentile adult male.

    3.1.7.7 Safety Console

    The MCR includes a safety console. The safety console provides controls and displays with which a

    backup operation could be performed during a failure of the operator consoles. The safety console is

    located in the main operating area as shown in Figure 3-1. The mini-LDP installed on the safety console

    provides the same fixed position alarms and displays included on the LDP.

    The safety console provides the following indications, controls and alarms:

    Minimum inventory of "fixed position" alarms, indications and controls necessary for the following:

    - Performance of emergency operating procedure (EOP) and safe shutdown with preferred/credited success path components in the major flow path for each CSF.

    - Performance of risk-important HAs required by the PRA/HRA.

    All alarms, displays, and controls needed to perform periodic surveillance, testing, and

    maintenance of all safety components controlled from the MCR.

    The safety console contains the following equipment:

    Multiple FPDs of the same type as those of the operator console

    QIAS-N displays

    QIAS-P displays

    PPS/CPC operator modules

    Reactor trip and ESF system level actuation switches

    Diverse manual ESF actuation (DMA) controls

    Minimum inventory of fixed position switches

    ESF-CCS soft control modules (ESCM)

    3.1.7.8 Fixed Position Control

    The fixed position switches are provided on the safety console and remote shutdown console (RSC) to

    support the manual actuation or the control by operator.

    The fixed position controls in the MCR consist of minimum inventory switches for execution of EOP,

    diverse manual ESF actuation switches and manual ESF system level actuation switches to meet the

    requirements of SECY 93-087 Enclosure 1, Position II. Q. 4 (Reference 7), and manual BOP ESF

    actuation switches.

    Minimum inventory control

    Minimum inventory controls provide defense against the operator console failure. The minimum inventory

    controls are created by performing TA to identify all controls necessary to perform the tasks required for

    execution of EOPs, and identifying the controls necessary to complete important tasks based on the

    PRA/HRA.

    The minimum inventory controls include the manual ESF system level actuation switches. The manual

    ESF system level actuation switches are provided as input signals to execute ESF system actuation. Four

    channels of switches are provided at the safety console for manual ESF system level actuation.

    Manual reactor trip switches also are included in the minimum inventory controls. Manual reactor trip

    switches are provided for the operator to manually trip the reactor, and the signal from the switches de-energizes

    the control element drive mechanism coils, allowing all the control element assemblies to drop into

    the reactor core.

    Diverse manual actuation switch

    Diverse manual actuation switches are provided for mitigation of common-cause failure (CCF) of digital

    equipment in ESF-CCS. These diverse manual ESF actuation switches are for a defense-in-depth and

    diversity design against a CCF. The design is hardwired/diverse system level actuation of the safety-

    related equipment bypassing the ESF-CCS. These switches are functionally and physically independent

    from the ESF-CCS. They are located on the safety console in the MCR.

    Manual BOP ESFAS switches

    Manual system level BOP ESFAS switches are provided for proper actuation of the BOP ESF HVAC

    systems and equipment to mitigate the consequences of the fuel handling accidents in the containment

    building and the fuel handling area as well as to provide a habitability condition for the plant operation

    personnel in the MCR during all phases of the DBE.

    3.1.7.9 Operator Modules

    The operator module is an HSI device that provides the functions of operation, maintenance, surveillance and

    testing for the control room operator. Class 1E channelized operator modules are provided on the safety

    console. One operator module is assigned per safety channel (A, B, C, and D) and the operator modules

    are grouped as follows:

    Core protection calculator (CPC)

    Plant protection system (PPS)

    The CPC and PPS operator modules provide the function of control and indication for surveillance,

    maintenance and testing.

    3.1.7.10 ESF-CCS Soft Control Module (ESCM)

    Soft control FPDs are provided for controlling the ESF components.

    3.2 Main Control Room Environment and Communication

    This section provides the design criteria which assure that proper HFE environmental and communication

    principles are incorporated into the design. The criteria assure that the MCR is in accordance with design

    assumptions and accepted human engineering practice.

    3.2.1 Environmental Design Criteria

    The following are environmental criteria which the MCR design meets:

    Humidity, temperature and ventilation

    Temperature and humidity levels are maintained within the comfort climate level in accordance with

    the HFE criteria.

    Heating, ventilation and air conditioning (HVAC) system is capable of introducing sufficient fresh

    air in accordance with HFE criteria.

    Illumination

    MCR lighting design provides adequate operator console illumination in accordance with the

    HFE criteria for the tasks being performed.

    Lighting levels are uniform throughout a given operator console.

    Task area luminance ratios and reflectance levels are in accordance with the HFE criteria. The

    type of lights chosen and placement of lighting sources minimize glare.

    Adequate emergency lighting is provided with automatic activation in accordance with the HFE

    criteria.

    Auditory environment

    Background noise levels are in accordance with the HFE criteria. Background noise does not

    impair verbal communication.

    The MCR supports acceptable auditory design by minimizing distances for required

    communication, keeping non-operating personnel out of the main operating area, providing

    audible tones in the alarm system with none in other systems and using sound absorbing

    material in the MCR interior.

    Habitability

    Adequate personal storage space is provided for MCR personnel.

    Adequate rest rooms, eating facilities and lounge areas are provided within easy access of the

    MCR.

    A pleasant and comfortable decor is provided through color coordination, lighting, and

    comfortable seating to reduce operator fatigue.

    Impact of MCR features (e.g., ceiling, walls, floors, operator console, and other furnishings) does

    not have a negative effect on ambient environmental conditions or habitability of the MCR.

    3.2.2 Communications Design Criteria

    Voice communication inside and outside of the MCR is essential to the coordination of plant operations.

    Various communication devices are used to ensure efficient voice transmission in the design. The

    following design criteria ensure correct message interpretation and prompt operator response for these

    devices.

    Both intra- and extra-MCR communication are provided by the communication system.

    The Style Guide is followed for each communication device employed.

    Space is provided for communication devices on the MCR operator console in the main

    operating area.

    The type and placement of communications devices is compatible with all normal and

    emergency tasks for the plant operation.

    Visual and manual access to communications devices is not obstructed by furniture, panels or

    consoles. Communication devices are positioned in the MCR to shorten the operator's line of

    movement.

    All communication handset / headset cords are sufficiently long to permit mobility around each

    operator console.

    Response frequency range is well within the auditory spectrum for intelligible hearing as per the

    Style Guide. Automatic volume control for receivers is provided to account for unanticipated rises

    in ambient noise levels.

    Ringing of communication devices is provided only where needed. Communication device

    ringing does not interfere with and is not masked by other MCR auditory warning systems.

    Communications devices are usable by personnel wearing protective gear where required.

    Headsets are designed for comfort even with extended wear.

    Periodic maintenance is performed to ensure transmission systems are working properly.

    Auditory signals are clear, unambiguous and consistent in meaning with other MCR

    communications.

    3.2.3 Conformance to Design Requirements

    3.2.3.1 Visibility Evaluation

    Visibility permits general observation, and supports communication and coordination between operators.

    A visibility evaluation was performed for the MCR configuration to ensure that the visibility requirements

    identified in the operational requirements and the Style Guide are met. The visibility evaluation focused on

    assuring that unobstructed visual access exists among all main operating area operator consoles and

    other consoles, and from the meeting room near the MCR.

    RO, TO/EO console visibility

    Acceptable visibility from the MCR operator consoles is ensured by demonstrating that the line of sight

    and visual access requirements are met. This is shown in Figures 3-2 through 3-4.

    Adequate line of sight is provided between an operator seated at any operator console and other

    operators seated at other operator consoles.

    LDP is visible from the operator consoles and adequate visual angle exists in the vertical plane

    to permit viewing the LDP.

    Operators located at the safety console have visibility of all control room operator consoles, LDP,

    desks and other consoles.

    The meeting room near the MCR is visible from the operator consoles.

    Figure 3-2. Horizontal Viewing Angle from RO Console to LDP

    Figure 3-3. Horizontal Viewing Angle from TO Console to LDP

    Figure 3-4. Horizontal Viewing Angle from EO Console to LDP

    SS/STA console visibility

    Acceptable visibility is demonstrated from the SS and STA console by confirming the following visual

    access considerations. These are shown in Figures 3-2 through 3-5.

    All operator consoles and safety console are visible from the SS/STA console.

    Meeting room near the MCR is visible from the SS/STA console.

    LDP is visible from the SS/STA console.

    Meeting room visibility

    Acceptable visibility is demonstrated from the meeting room near the MCR by confirming the following

    visual access considerations. These are also shown in Figures 3-5 and 3-8.

    Unobstructed view of the MCR operator consoles exists from meeting room for general

    observation.

    LDP is visible from the meeting room.

    Figure 3-5. Horizontal Viewing Angle from SS Console to LDP

    Figure 3-6. Horizontal Viewing Angle from STA Console to LDP

    Figure 3-7. Horizontal Viewing Angle from Meeting Room to LDP

    Figure 3-8. Horizontal Viewing Angle from Meeting Room to Operator Console

    3.2.3.2 Mobility Evaluation

    An evaluation is performed to demonstrate that each member of the operating staff would have adequate

    mobility within the main operating area and that movement patterns in the main operating area would be

    facilitated efficiently. Figure 3-3 shows the main operating area dimensions and clearances for typical

    operator work locations and traffic patterns. The following key mobility considerations are provided by the

    MCR configuration:

    Adequate operator maneuvering space is provided for seated operation at each of the operator

    consoles (i.e., space greater than 0.9 m (3 feet) behind the operator without obstructions).

    Adequate operator maneuvering space is provided for seated operation at the safety console.

    3.2.3.3 Main Operating Area Access Evaluation

    The MCR is designed to accomplish one key main operating area access function. The MCR

    configuration permits rapid, direct access to the main operating area from any of the MCR. This is shown

    in Figure 3-3. No hindrances are present to obstruct an operator's access to the main operating area.

    3.3 Control

    Soft controls are used to provide control room operators with plant control capabilities, which replace

    conventional dedicated pushbuttons and process controllers. The soft control consists of the ESF-CCS

    soft control and the process-CCS (P-CCS) soft control. The ESF-CCS soft control is used to control the

    safety-related control components through the ESF-CCS, and the P-CCS soft control is used to control

    the non-safety related control components through the P-CCS.

    The soft control allows the control of continuous process, discrete components, and other special

    controllers such as control rods and turbine generators from the MCR and the RSC. The operator can

    control both safety and non-safety components using the ESF-CCS control or P-CCS soft control on any

    one of the operator consoles. The use of soft control is essential to achieve a compact operator console design.

    The soft control emulates and replaces the various physical switches and analog control devices which

    populate conventional plant control panels. The operator interacts with the ESF-CCS soft control via

    touch screen, and the P-CCS soft control via pointing device such as mouse. These soft controls, which

    are software based, allow a standard interface device to assume the role of numerous control switches

    and analog control devices via software configuration. The selection of components is possible from the

    information displays.

    The ESF-CCS soft control is implemented on the qualified touch screen-based FPD, and the P-CCS soft

    control is implemented on each information FPD of the MCR and the RSC. Also the ESF-CCS soft control

    and the P-CCS soft control are provided on the safety console to support the operator task of a

    predesignated operator in post trip conditions as a means for controlling non-safety related equipment.

    3.3.1 Control Display Presentation

    Soft control consists of dynamic interactive graphics used to monitor and manipulate process control functions. The

    control template of a specific safety-related component appears on the ESF-CCS soft control FPD

    when the operator selects the symbol on the information display with a pointing device. The control

    template of a specific non-safety related component likewise appears on the information FPD when the

    operator selects the symbol on the information display with the pointing device. Each soft control is

    designed with a standardized graphic template to provide design and operational consistency. This design

    approach minimizes potential for operator process control errors.

    Figure 3-9. Example of Soft Control on ESCM

    Soft control requires a pointing device to allow component control command (e.g., ON/OFF) selection.

    A pointing device such as a mouse is used to select the component control command (e.g.,

    ON/OFF) on the P-CCS soft control display. The ESF-CCS soft control uses the touch screen-based FPD

    as the pointing device.

    The soft control template for modulation component control provides loop operating mode (e.g., auto/

    manual, remote/local), setpoint, demand output, process value, increase/decrease button and bar graph

    necessary for the control of a modulating device.

    The soft control template for discrete component control provides command selection targets (e.g.,

    open/start button, close/stop button and auto/man selection button etc.) necessary for the control of

    discrete devices. Inoperability status (e.g., trouble or disable) information is provided on the soft control

    template for the control of discrete devices. The feedback is provided on the soft control template.

    3.3.2 Switch Configuration

    Switch configuration is applied to the fixed position switches located at the safety console, and RSC to

    support the manual actuation or control by operator. The following information regarding switch

    configuration is typically provided on the switch faceplate:

    Control option available (on, off, auto, etc.)

    Current component state (on, off, auto, etc.)

    The name plate of each switch has an unambiguous identifier (e.g., tag number) of component name or

    functional identifier (name of control). In order to display all of this information on the switch configuration,

    a visual coding technique based on the conventions established in the Style Guide is utilized.

    The control option and component state convention used in the switch configuration are similar to the

    convention used in switch design for soft control as described in Subsection 3.3.1.

    3.3.3 Conformance to HFE Requirement

    The following high-level design principles are key to the soft control design.

    Simplicity

    HSI resources should represent the simplest design consistent with functional and task requirements.

    Simplicity may be of particular importance to the soft control HSI resource. This is true because the soft

    control is inherently more complex than the pushbutton switches of conventional control rooms which it

    replaces. The number of actions to complete a task should be minimized. Complicating factors for the soft

    control include I&C constraints on the design (e.g. channel independence and potential use of a confirm

    switch). Maintaining simplicity in the design minimizes the operator's secondary task burden. This is

    particularly important in the soft control design, to maintain operator speed and accuracy for execution of

    control commands.

    Task usability

    All HSI resources must be designed to meet task performance requirements. Task usability is a primary

    focus for the soft control, since this device provides the majority of the control capability available in the

    control room. In particular, control task requirements are considered in developing individual soft control

    formats. Control options encompass the entire range of controls identified by the TA. Presentation of data,

    such as current component state, is provided in a directly usable, unambiguous form.

    Timeliness

    Time response is a particularly important consideration for controls. Slow time response can be a

    significant detriment to the usability for controls (i.e., soft control) if it is noticeable to the user. One issue

    of specific concern in the soft control design is proper implementation of control system feedback based

    on control selection. Timely feedback of the process response to control action, both for discrete and

    modulating control, is also an important consideration. The operators can readily determine the current

    status of the control system, its desired status, and the result of control action through a soft control.

    Error tolerance, control and prevention

    Error tolerance and control are an important consideration for soft control. Specific features are

    considered for error prevention for critical or high risk components (e.g. letdown low temperature

    overpressure protection valves or containment spray operation). These typically have key lock switches or

    switch covers in conventional control rooms. Sufficient means to accomplish the same protection is

    provided for soft controls.

    3.4 Information Display

    Information display consists of the displays shown on the information FPDs at the operator consoles and the display on the LDP. It is

    driven by the information processing system (IPS).

    3.4.1 Large Display Panel

    The presentation of plant processes on display page formats leads to a generally expressed concern that

    the presentation of information on separate, relatively small formats which must be viewed independently

    might prevent the operator from gaining an overall "feel" for plant status. In a typical nuclear power plant

    the understanding of the whole plant process performance is gained by parallel processing of an array of

    conventional instrumentation, i.e., by means of a sweeping glance around the control room. In the control

    room, an LDP provides the information that the operator requires for quickly assessing overall plant status.

    The fixed system mimic display of the LDP is also available on any operator console in the MCR, TSC and

    EOF.

    The LDP is visible and interactively usable from the operator consoles in the MCR in order for the

    overview to be useful in coordinating control room activities. Therefore, LDP provides text of sufficient

    size and with acceptable characteristics to permit viewing from expected MCR locations. Figure 3-10

    shows size, appearance and configuration of LDP.

    Plant overview message section: It continuously shows plant level information such as reactor

    power and turbine power.

    Fixed mimic section: It continuously shows overall plant mimic including main plant parameter

    required for key parameters for normal operation, safe shutdown, representative parameters for

    critical safety function, Type A, B, C of RG 1.97.

    Critical function monitoring (CFM)/ bypassed and inoperable status indication (BISI) section: It

    continuously shows alarm for critical function and status indication for BISI.

    System group alarm (SGA)/important alarm tile section: It continuously shows the process

    system based alarm and plant important alarm.

    Variable display section: It allows an operator console display to be projected onto it.

    Figure 3-10. LDP Arrangement

    3.4.1.1 LDP Characteristics and Features

    The LDP provides the operator with information that allows him to determine overall operational and

    safety status of the plant. The LDP presents high level process overview information as follows:

    a selected set of high level function indicators, trend for key parameters, PPS actuation status

    flags and alarms to support operators' situation awareness of the plant.

    critical function alarms to meet safety parameter display system (SPDS) requirements.

    prioritized alarm presentation emphasizing important alarms to support operational concerns.

    plant-wide system fixed mimic to alleviate display page navigation load and to support crew

    coordination.

    The LDP uses the same Style Guide for display design (i.e., dynamic symbols, color code, highlighting,

    blinking, graphic layout and information coding features), that are used on the information display pages.

    3.4.1.2 CFM/BISI Section on LDP

    A primary benefit of the LDP is its capability to support operator response to plant disturbances,

    particularly when a disturbance affects a number of plant functions. LDP information supports the

    operator's ability to respond to challenges in plant safety. To that end, LDP allows the operator to assess

    the overall plant's process performance by providing information to allow a quick assessment of the

    plant's CSFs. Critical functions pertaining to the plant are:

    Reactivity control

    Maintenance of vital auxiliaries

    RCS inventory control

    RCS pressure control

    Core heat removal

    RCS heat removal

    Containment isolation

    Containment temp & press control

    Containment H2 control

    An alarm tile for each critical function is provided on the LDP. The tile provides a fixed location for the

    continuous display of the presence of alarms that jeopardize the specific critical function, by which

    the operator can:

    Determine overall operating status via critical function alarm status

    Establish priorities for operator actions via prioritized alarm status of critical functions

    The alarm tile representation is an overview summary of critical function display page information. The

    detailed information about the alarms is available in any information display.

    The BISI of safety systems is continuously visible in this section, based on RG 1.47. It shows bypassed

    or deliberately introduced inoperability of systems required for safe operation of the plant.

    3.4.1.3 System Group Alarm/Important Alarm Section on LDP

    This section consists of SGA tiles and important alarm tiles. SGA tiles help the operator assess the

    overall plant condition at a glance and avoid the potential error of missing an alarm in the LDP

    mimic section, so that an operator does not mistake the plant condition for normal.

    Important alarm tiles provide the status of important alarms so that an operator can continuously monitor

    important alarms at a glance. Important alarms include alarms that help an operator promptly

    recognize the plant situation, such as alarms related to major parameters, components or systems.

    3.4.1.4 Plant Overview Message Section on LDP

    This section provides the high-level information that is useful for plant level situation

    awareness, such as Plant Mode, Reactor Power and Generator Power.

    3.4.1.5 Fixed Mimic Section on LDP

    Mimic representations of the major heat transport path systems and systems that are required to support

    the major heat transport process are presented on the LDP. These systems include those that require

    availability monitoring per RG 1.47 (Reference 8), and all major success paths that support the plant

    critical functions.

    System information presented on LDP includes system operational status, change in operational status

    (i.e. active to inactive, or inactive to active) and the existence of alarms associated with the system.

    Process variables required to assess the critical functions are also presented on LDP.

    3.4.1.6 Variable Display Section on LDP

    The overview information requirements for plant operations change per plant operating conditions and the

    needs of the operating crew. To address this informational requirement the LDP contains a variable

    display area that may offer a useful means for the presentation of process information on a less

    permanent basis.

    Alarm lists, trend displays, and process mimic displays normally displayed on VDU screens could be

    projected onto the large screen for monitoring or discussion purposes among the operating crew.

    Operators are able to choose any process mimic display available on the operator console and have it

    displayed on the LDP variable display area.

    3.4.1.7 Alarms Presentation on LDP

    LDP displays the following types of alarms:

    Critical function alarms using alarm tile

    System Group Alarm (SGA) and important alarm section

    Priority process parameter/component alarms using alarm display convention

    First-out alarm

    3.4.2 Operator Console Information Display Hierarchy

    The information display hierarchy in operator consoles provides dynamic display pages of plant

    parameters and alarms using color graphic VDU so that an understanding of current plant conditions and

    status is readily recognized. Information display pages provide information important to monitoring,

    planning, controlling, and obtaining feedback on control actions.

    These display pages contain all the plant information that is available to the operator, in a structured

    hierarchy. The information display pages are useful for information presentation because they allow

    graphical layouts of the plant and process in formats that are consistent with the operator's visualization

    of the plant. In addition information display formats are designed to aid operational activities of the plant

    by providing trends, categorized listings, messages, operational prompts, as well as alerts to abnormal

    process.

    The MCR operator consoles use multiple display devices that allow simultaneous access to a variety of

    display pages in information display hierarchy. Each operator console includes four VDUs, to each of

    which any display page in the information display hierarchy can be assigned. Use of four VDUs also

    provides redundancy in the event of any VDU becoming unavailable.

    A pointing device such as a mouse is the primary interface to navigate and access display pages in the

    hierarchy. Keyboards are not used for information access at any of the control room operator consoles

    during normal operation.

    3.4.2.1 Contents and Organization

    The basic platform utilizes a large number of information display pages presented on VDUs in operator

    consoles and safety console. The displays provide the operator with the necessary supporting data and

    information to help operate the plant in a safe and efficient manner. The displays are organized into a

    hierarchical structure to allow for logical and convenient access by the operator.

    System display

    It is not feasible to provide operators with displays for every specific situation that can arise in a nuclear

    power plant because of its complex nature and immensely large variety of operational situations. The HSI

    provides, as a primary HSI resource for all modes of operation, general function displays such as first

    order principle displays (mass/energy balance), rather than displays of specific conditions and situations.

    System displays provide indications, alarms, and controls in the same way as the control panels of the

    conventional control room provide operational information to the operators.

    The system display hierarchy consists of system mimic displays and their associated supporting pages.

    A system mimic display contains plant representation mimics with process parameters and component

    status for operational use. The associated pages can be directly accessed from the system mimic

    displays and contain the following types of information:

    Trends for the parameters that are included in the system display for evaluation of detailed

    behavior of the parameters.

    Graphs with various forms to support quick assessment of conditions requiring evaluation of

    multiple parameters/status.

    Aids display

    Aids displays support a limited set of plant operator tasks that cannot be adequately supported by system

    display hierarchy or computer-based procedure display. System display hierarchy cannot efficiently and

    expeditiously support operator functions that require information and control of multiple systems. Aids

    displays are organized to provide a functional level view of the plant, rather than a system level view and

    include plant mimics, parameter values, component/system status and some instructions if necessary. In

    addition, these displays also allow access to display pages in system display hierarchy.

    Aids displays are also intended to provide complex graphical and calculation aids such as the core operating limit

    supervisory system (COLSS), xenon prediction and reactivity balance program or to provide information

    required to perform specific plant operation.

    Safety Parameter Display and Evaluation System + display

    The safety parameter display and evaluation system + (SPADES+) display continuously provides information

    on CSFs and success path performance. It meets the SPDS requirement per NUREG-0737 Supplement 1.

    Section 3.4.4 provides a detailed description of it.

    Large Display Panel (LDP)

    The fixed mimic section display of the LDP is also provided at the operator console information display.

    Soft Control display

    The soft control display provides controls in software for actuating components. It is presented at the information

    display for non-safety related components and at the ESCM display for safety related components. Section 3.3

    provides a detailed description of it.

    Bypassed and Inoperable Status Indication display

    The BISI display provides information on bypassed or deliberately induced inoperability of the protection

    system and the systems it actuates to perform their safety-related functions. It also provides automatic

    indication of the bypass and inoperable status of any auxiliary or supporting system that effectively

    bypasses or renders inoperable the protection system and the systems actuated or controlled by the

    protection system.

    Alarm display

    The alarm display provides component and parameter alarm information in list form. Section 3.9 provides a

    detailed description of it.

    Procedure display

    Procedure displays consist of the set of plant specific computer-based procedures. These displays provide

    the appropriate procedural information for operational usage and may include text, parameter values, flow

    charts, and access to other displays. Section 3.4.3 provides the detailed description for procedure display.

    3.4.2.2 Display Page/Information Access

    The operator's ability to access information and diagnose operational concerns with a VDU based

    information system is dependent on the ability to access appropriate display pages. It is important to limit

    the need for the operator to "work the interface" (jump from one screen to another) in order to perform a

    specific task. Display page access is fast, simple, consistent among the various display pages and easy

    to use.

    Dedicated areas are reserved on information display for the following information:

    Standard menus for system display page directories, SPADES+, BISI, alarm, procedure display

    and aid display

    Display system/devices health check indication such as heart beat icon

    Current date and time for operation

    The information that is physically and functionally related to a particular display is accessed by a single click.

    Any display pages that are directly used for operation can be accessed by two clicks. Multiple methods

    are provided to allow access to the operator console display set. The access mechanisms are designed

    to allow convenient and rapid access to all operator console display pages by the operator.

    Display page access using display page directory

    Information display page access is accomplished primarily through the use of the display page directory

    located in the frame of the display pages. Via this approach, logically organized display menus and

    display directories are utilized to allow the operator to navigate to the desired display page. This

    navigation method permits access to any system display with two clicks.

    Direct access

    Display pages may be accessed directly without navigating through the menu or directory hierarchies.

    Two specific approaches are implemented as follows:

    Dedicated display access in which certain display pages, which are deemed important enough to

    have an immediate access capability, are provided with a direct access mechanism.

    Format chaining in which each display page within information display hierarchy is 'linked'

    (associated) with other related display pages or soft control HSIs or other information (such as

    technical data sheets). The format chaining process (which is activated via a simple VDU

    interaction by the operator) allows rapid and convenient access to other display pages,

    information or soft control HSIs, directly from the current display page.

    Control link

    The control link allows the operator to quickly select a controller on the soft control directly from the

    information display. Format chaining for safety-related components 'links' controllable components that

    appear on the ESF-CCS soft control FPD with their associated control template.

    For non-safety related components, the format chaining 'links' controllable components that appear on the

    information FPD display pages with their associated soft control. This access mechanism, from

    information display to soft control, is provided to simplify the control selection process and to reduce the

    mental workload of device selection. Once the component (or process symbol) on an information display

    is designated, the related control device is automatically selected on the corresponding soft control.

    Figure 3-11. A Sample of Soft Control

    3.4.2.3 Historical Data Storage and Retrieval

    All alarm information will be collected and stored by the IPS. Alarm activity (i.e., time in, priority, time

    acknowledged, time cleared and time reset) is stored along with the description of the alarm and any

    pertinent information that may be required by the operator or the TSC. It also stores a record of trends for

    particular data points within the plant.

    3.4.2.4 Conformance to HFE Requirements

    The following high level design principles are key to the design of the operator console display hierarchy.

    Consistency

    IPS displays serve as the primary interface for access to plant information in the MCR. They present a

    diverse range of information from a variety of sources including application programs. IPS displays are

    also a focal point for accessing other HSI resources, notably the format chains to soft control and

    CBP. In these widely varying roles and interaction with other HSI resources, maintaining consistency in

    the navigation, conventions and information presentation formats within the IPS displays and with other

    HSI is critical.

    Task usability

    IPS displays are a primary source of obtaining information for plant operators in the MCR. They are

    designed with consideration of task requirements, as well as the intended users, both at the control room

    operator consoles and in other locations. Providing directly usable information, not raw data, is an

    important consideration due to the breadth of data that is available in the IPS. Other considerations

    pertinent to IPS display design include limiting required memorization and providing calculated

    information so that the operators are not required to perform repetitious calculations.

    Structure/organization

    The IPS is the focal point for obtaining information for monitoring tasks in the MCR. In addition, due to the

    breadth of the IPS scope, it has significantly more display pages than other HSI resources. Accordingly,

    careful consideration of the structure and organization of IPS displays is warranted. The organization

    should be clear to the operators and based on straightforward rules, such as the breakdown of plant

    systems and conformance to the plant P&IDs. Convenient access to other information and displays

    through clearly defined navigation methods is also important to fulfilling the IPS function.

    Feedback

    During the design of IPS display pages, an important consideration is its role in providing feedback to the

    operators regarding system changes and the effect of control actions. The IPS feedback role is integrated

    with soft controls, since fixed location feedback from control switches is limited to the displays in the MCR.

    3.4.3 Computer-Based Procedure System

    The CBP is a computer-based operator support system that enables the operating crew to execute

    operating procedure steps with far fewer secondary tasks. It presents an overview and instructions

    of a procedure and related process information and controls that need to be cross-referenced to execute

    the procedure. The procedure display is used by the operator in conjunction with other types of displays.

    3.4.3.1 Operation of CBP System

    Basically, the same operating process as in a conventional control room is maintained. The SS has the overall

    control over the execution of the procedure. The RO and TO execute the procedural steps that are assigned

    to them by the SS. An EOP is executed by the operating crew in coordination. Some procedures such as SOPs

    can be executed by a single operator. The CBP supports coordination among operators. When an

    operating crew executes a single procedure, the steps that the other operators are currently working on

    are shown on the overview pane, and the SS, who is in charge of coordination, issues verbal orders.

    3.4.3.2 Display Location of CBP

    CBP can be displayed in the following locations:

    SS console

    STA console

    RO console

    TO console

    EO console

    Switching the procedure display VDUs does not result in the loss of place keeping information. When an

    operator does not use the CBP, the operator can use all the console displays for other purposes.

    3.4.3.3 Multiple Procedures Execution

    CBP supports the concurrent execution of multiple procedures. However, switching between procedures

    is initiated by an operator. Thus, procedure display should provide adequate information to help the

    operator to switch among procedures without making mistakes.

    3.4.3.4 Procedure Initiation

    There are multiple methods to initiate a procedure:

    Selecting a procedure from the procedure list can initiate a procedure. Since all procedures are

    categorized, an operator can select a category to narrow down the search items.

    Executing an instruction in a procedure can switch to another procedure.

    Selecting a procedure in a system (mimic) display can initiate a procedure.

    3.4.3.5 Place Keeping of Procedure Execution

    The CBP keeps track of steps in the procedure being executed. Every step can have one of the following

    states: "Executed", "Being Executed" or "Not Executed". The states are distinguished by appropriate

    coding. From the opening to the closing of a procedure, place keeping information is recorded and shown

    subsequently.

    3.4.3.6 Management of Continuously Applied Steps

    Monitoring of the continuously applied steps is supported by the CBP. As an operator typically executes a

    procedure step by step, the continuously applied step is registered to the CBP monitoring function. After

    the registration, the CBP continuously evaluates the registered step in the background. Whenever the entry

    condition of the step is met, the procedure display informs the operator of the fact.

    3.4.3.7 Cross Referencing Aids

    All the process information and control components that are cross referenced in the instruction are

    presented near the associated instructions so that an operator can easily evaluate the instruction. System

    mimic displays, graphs, and tables are directly accessed by format changes from procedure display.

    3.4.3.8 Checking Aids

    The entry condition of the current step and/or the completion of current step objectives are evaluated by

    the computer based on the process information and/or operator actions per instructions. The operator has

    ultimate control over the computer's decision and is able to override the computer's evaluation results.

    The operator initiates every transition among procedures and every transition among steps.
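
    The place keeping, continuously applied step monitoring and checking aid behaviour described in Sections 3.4.3.5 through 3.4.3.8 can be modelled as follows. This is an added Python example, not part of the report or of the CBP software; the class names, parameter names and values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Plant = Dict[str, float]  # snapshot of process values (hypothetical names)
NOT_EXECUTED, BEING_EXECUTED, EXECUTED = "Not Executed", "Being Executed", "Executed"


@dataclass
class Step:
    step_id: str
    done: Callable[[Plant], bool]                    # computer's completion check
    entry: Optional[Callable[[Plant], bool]] = None  # set only for continuously applied steps
    state: str = NOT_EXECUTED


class Procedure:
    def __init__(self, steps: List[Step]) -> None:
        self.steps = {s.step_id: s for s in steps}
        self.monitored: List[Step] = []
        # Place keeping record: (operator, step, new state, operator overrode computer)
        self.record: List[Tuple[str, str, str, bool]] = []

    def begin(self, operator: str, step_id: str) -> None:
        """Operator-initiated transition into a step; registers continuous steps."""
        step = self.steps[step_id]
        step.state = BEING_EXECUTED
        if step.entry is not None and step not in self.monitored:
            self.monitored.append(step)
        self.record.append((operator, step_id, BEING_EXECUTED, False))

    def advise(self, step_id: str, plant: Plant) -> bool:
        """Computer's evaluation only; it never changes a step state by itself."""
        return self.steps[step_id].done(plant)

    def close(self, operator: str, step_id: str, plant: Plant,
              override: bool = False) -> bool:
        """Operator closes a step; disagreeing with the computer needs override."""
        step = self.steps[step_id]
        if step.state != BEING_EXECUTED:
            return False
        agreed = step.done(plant)
        if not agreed and not override:
            return False
        step.state = EXECUTED
        self.record.append((operator, step_id, EXECUTED, not agreed))
        return True

    def scan(self, plant: Plant) -> List[str]:
        """Background pass: registered steps whose entry condition is now met."""
        return [s.step_id for s in self.monitored if s.entry(plant)]


def build_sample() -> Procedure:
    # Constructed two-step procedure; thresholds are arbitrary, not plant values.
    return Procedure([
        Step("S1", done=lambda p: p["pump_on"] == 1, entry=lambda p: p["level"] < 20),
        Step("S2", done=lambda p: p["pressure"] > 100),
    ])
```

    Every state change in this model is caused by an operator call, and each override is kept in the record, so the place keeping history shows where the operator and the computer's evaluation disagreed.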

    3.4.3.9 Procedure Display Format

    The procedure displa

