NUREG-1361
Lessons Learned in Process Control at the Halden Reactor Project
U.S. Nuclear Regulatory Commission Office of Nuclear Reactor Regulation Office of Nuclear Regulatory Research W. G. Kennedy
Manuscript Completed: November 1987 Date Published: December 1989
W. G. Kennedy
Office of Nuclear Reactor Regulation Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission Washington, DC 20555
NOTICE
Availability of Reference Materials Cited in this Report
References cited in this report are of three types: (1) OECD Halden Reactor Project reports, (2) reports resulting from bilateral agreements between the Halden Reactor Project and another country, and (3) reports resulting from contractual agreements between the Norwegian Institutt for Energiteknikk (IFE) and industry. Under the international agreement between the U.S. Nuclear Regulatory Commission (NRC) and the OECD Halden Reactor Project, the Project reports are not releasable without the consent of the member countries. Bilateral reports are not routinely given to other countries, and the NRC does not have access to these reports nor the authority to release them. Finally, IFE reports are treated like bilateral reports and are not releasable without approval of the contracting parties. Therefore, the references in this report are generally not available to the public. However, the NRC was granted access to these reports for the purpose of preparing this report, and the Halden Programme Group did grant the NRC permission to publish this report.
ABSTRACT
This report provides a list of those findings particularly relevant to regulatory authorities that can be derived from the research and development activities in computerized process control conducted at the Halden Reactor Project. The report was prepared by a staff member of the U.S. Nuclear Regulatory Commission working at Halden. It identifies those results that may be of use to regulatory organizations in three main areas: as support for new requirements, as part of regulatory evaluations of the acceptability of new methods and techniques, and in exploratory research and development of new approaches to improve operator performance. More than 200 findings arranged in 9 major categories are presented. The findings were culled from Halden Reactor Project documents, which are listed in the report.
CONTENTS
ABSTRACT
ACKNOWLEDGMENT
1 INTRODUCTION
  1.1 A Lesson Learned
  1.2 A Regulatory Lesson Learned
  1.3 Intended Use of This Report
  1.4 Reports Used in This Survey
  1.5 Methodology
  1.6 Discussion of Categories
  1.7 Categories of Lessons Learned
  1.8 Layout of the Report
2 COMPUTER-BASED CONTROL ROOMS
  2.1 General Man-Machine Interface Issues
  2.2 Overall Design Considerations
  2.3 Use of Color
  2.4 Presenting Parametric Data
  2.5 Presenting Alarms
  2.6 Presenting Groups of Parameters or Alarms in CRT Formats
  2.7 Hardware Issues
  2.8 Source Reports
3 ALARM HANDLING
  3.1 Alarm Filtering
  3.2 Alarm Generation
  3.3 Alarm Presentation
  3.4 Observations
  3.5 Source Reports
4 SURVEILLANCE SYSTEMS
  4.1 Core Surveillance
  4.2 Safety Function Monitoring
  4.3 Early Fault Detection
  4.4 Source Reports
5 AUTOMATIC CONTROLS
  5.1 Source Reports
6 COMPUTER-BASED PROCEDURES
  6.1 Source Reports
7 CONTROL ROOM REDESIGN
  7.1 Design Team Makeup
  7.2 The Review Process
  7.3 Source Report
8 OPERATOR STRESS
  8.1 Source Reports
9 TRAINING WITH SIMULATORS
  9.1 Source Reports
10 RELIABILITY OF COMPUTER-BASED SYSTEMS
  10.1 Source Reports
11 MISCELLANEOUS LESSONS LEARNED
  11.1 Source Reports
12 SUMMARY
13 REPORTS REVIEWED
  13.1 Process Control-Related Halden Project Reports
  13.2 Halden Work Reports
  13.3 Institutt for Energiteknikk (IFE) and Bilateral Reports
ACKNOWLEDGMENT
The author would like to express his sincere thanks to the professional researchers, developers, and operators at the Halden Reactor Project who patiently and thoughtfully discussed and reconsidered their many projects and reports.
LESSONS LEARNED IN PROCESS CONTROL AT THE HALDEN REACTOR PROJECT
1 INTRODUCTION
This report provides a review of the Organization for Economic Cooperation and Development (OECD) Halden Reactor Project reports in the area of computerized process control in order to identify those findings particularly important to regulatory authorities. This task was undertaken in cooperation with the U.S. Nuclear Regulatory Commission (NRC) with the approval of the Halden Programme Group as a part of Halden's 1987 research program. A senior NRC staff member visited Halden in the spring of 1987 to carry out this work.
The OECD, an international organization headquartered in Paris, France, supports the Halden Reactor Project (HRP) in Halden, Norway. The research conducted at Halden is approximately evenly balanced between nuclear fuels research and process controls research.
It should be stressed at the outset that the Halden Reactor Project is not a regulatory body and thus the research and development activities it conducts are not aimed particularly at discovering characteristics of nuclear process control that need to be regulated to ensure the public's health and safety. Nevertheless, safety is a recurring theme in the advanced process control techniques under scrutiny in the Halden laboratories. However, the NRC is a regulatory body (as are other Project participants) with a mandate to protect the public's health and safety and is therefore clearly interested in the potential regulatory implications of the work conducted at the Halden Reactor Project. This report therefore aims to provide a summary of the work conducted at the Halden Reactor Project in the form of a categorized list of "lessons learned" specifically relevant to regulatory organizations. The Halden Reactor Project has not endorsed this report; however, at the Halden Programme Group meeting on October 18 and 19, 1988, the NRC was authorized to publish this report.
1.1 A Lesson Learned
In this report, it has been assumed that research and development can be considered as the testing and evaluation of possible solutions to problems. Thus, for the purposes of this review, a "lesson learned" is a statement that deals with whether a proposed solution (be this an approach or a technique) works or not. This report, therefore, consists of lists of statements based on findings extracted from Halden reports where each statement provides an evaluation of a method or technique for solving particular problems or accomplishing a specific function.
Evaluations of systems or techniques in the field of advanced process control, however, usually cannot be stated simply as "X works" or "X does not work" - most evaluative statements fall on a scale somewhere between these two extremes. For instance, many of the experiments reported are comparisons between two or more techniques, and conclusions are stated in the form: "X is better than Y" or "operators prefer X over Y." It must be stressed that since the evaluation methods themselves, as well as the problems being addressed, are not fully developed, it can be difficult to provide conclusions at the extremes of the scale. Therefore, it is felt that, in the majority of cases, the intermediate or comparative statement (or lesson learned) may in fact provide the best available information.
The basis for each finding, or lesson learned, is as important as the finding itself. The strength of the evidence is what distinguishes reasonable speculation from empirical observation. As this is an important dimension associated with the lessons learned, the type of work done to support reported statements is included with the listings of individual lessons learned, which are generally based on literature studies, surveys, experiments, or experience in the field.
1.2 A Regulatory Lesson Learned
The lessons learned of significant regulatory interest are those for which there may be sufficient basis or justification for restricting the application of specific techniques or methods so that the current levels of safety are maintained. Regulatory organizations need to know if methods or techniques have been discovered through the work at Halden that are so good that they should be required or so bad that they should be prohibited. Of course, other factors, such as the newness or the surprise of the finding, may be necessary before the creation of a new requirement is justified.
Lessons learned can also be of regulatory use when the strength of the basis is not enough to justify a new requirement. To meet current requirements, utilities and manufacturers usually have a wide range of possible approaches - some acceptable and others unacceptable to regulatory authorities. If a lesson learned does not have the support and qualities necessary to be a new requirement, it could support a regulatory opinion on the acceptability of the approach without further work.
1.3 Intended Use of This Report
The potential regulatory uses of this effort can be divided into several areas depending on the safety significance of and support for the results of the work conducted at the Halden Reactor Project. If the work at Halden uncovered an aspect of process control that was of great and immediate safety significance to even one nuclear power plant, immediate regulatory action might be necessary. If the work at Halden found safety issues in the area of process control for which no requirements had been issued, if there was a potential for decreasing the plant's safety, and if the Halden work provided a basis or justification for restricting the approaches implemented, then a new requirement might be needed. If the work could not support immediate regulatory actions or new requirements on its own, it is still useful as an evaluation of methods and techniques for accomplishing a function.
The report, therefore, lists those findings that could potentially lead to regulatory action. It is expected that regulatory organizations would use these lessons learned in any combination of three possible ways: (1) to formulate new requirements, if appropriate; (2) as part of evaluations of acceptable methods to accomplish a function; and (3) as exploratory work on techniques and methods without necessarily accepting the Halden Reactor Project's judgment or evaluation as final.
It should be stressed that the NRC is not expected to take any immediate regulatory action based on this report. It is also not expected to create any new regulations based solely on this report. However, this report will be used as input to the normal regulatory processes and may be issued as guidance, based on research and development, on the techniques and methods to accomplish the functions explored.
1.4 Reports Used in This Survey
The reports used for this task document the basis for the lessons learned and include all types of Halden reports. Basically three types of reports are issued by the Halden Reactor Project. Halden Project Reports (HPRs) are the official reports of the Project. Halden Work Reports (HWRs) and the earlier Halden Internal Reports (HIRs) are less formal reports of work plans or status reports generally for use within the Project. Bilateral reports are the results of work contracted between the Project and one of its members. These reports are not immediately available to other Project members without being released by the contracting member. The Institutt for Energiteknikk (IFE), the commercial part of the Project, contracts with industry directly on some projects. The reports resulting from these contractual arrangements are treated like bilateral reports.
To consider all the reports that could be useful, all available reports published after 1975, and a few potentially useful reports published before that date, were reviewed. Since the issuance of HWRs began in the fall of 1980, all HWRs were reviewed. In addition, a small collection of bilateral and commercial reports that were made available was reviewed. The reports reviewed are listed in Chapter 13.
To supplement the reports, several members of the Halden and IFE staffs were interviewed. These discussions were intended to clarify the reports and to extract experience not documented in the published reports. Many of the lessons learned that were written on the basis of the reports were edited as a result of these interactions with the staff and several lessons learned were the direct result of the interviews.
1.5 Methodology
The methodology applied to this task was intended to obtain useful results based on the resources available. The domain studied was large enough to require a disciplined approach to ensure either completeness or the identification of what had been accomplished and what reports were not reviewed. To achieve this goal, a two-step process was used. First, the published reports were used to account for the work at Halden. In some cases, additional sources such as interviews with Halden staff members were used where necessary and available. Second, the reports were categorized into subject areas for discussion of individual lessons learned with experts on the subject matter and for presentation of the final lessons learned. This grouping of reports was reviewed by the Halden group leaders responsible for the various subjects within the process controls area.
1.6 Discussion of Categories
There is a philosophical difference between the NRC approach to organizing regulations concerning the operation of a nuclear power plant and the organization of the research and development work at Halden. This is not a conflict but a result of the differences between regulatory bodies concerned with requiring minimum acceptable systems and practices and research and development organizations exploring methods and techniques to improve on current designs.
The Halden Reactor Project efforts are basically research and development of systems organized around a model describing operator behavior in a nuclear power plant with supporting work on related subjects. The operators are viewed as routinely passing through four phases while controlling the plant. These are the detection phase, diagnosis phase, strategy planning phase, and finally, implementation of the strategy. The research and development projects at Halden can be described in terms of these phases and are part of a long-term plan to improve operator performance by providing aids to be used during all of these phases.
The NRC regulatory approach is to organize guidance and regulation from an external view of the operators. The regulatory questions are then: (1) what instruments and controls are necessary, (2) how they should be designed from an ergonomic standpoint, and (3) what advisory systems must be in place, such as a shift technical advisor, emergency response facilities, and procedures for acceptable operator performance. This approach results in guidance and regulations on such topics as alarms, instruments and controls, and a safety parameter display system (SPDS).
These two approaches to the same subject should fully cover the subject. The categories used in this report follow the lines of the regulatory approach. This should make the product easy to use by regulatory organizations and should provide a consistency check for the Halden Reactor Project because its view of the common subject is different from that of the NRC.
1.7 Categories of Lessons Learned
After the reports were initially categorized and the categories were discussed with Halden section leaders, the categories of lessons learned listed below evolved. These categories were used for both the review of the Halden reports and the grouping of the lessons learned. The corresponding number of reports and lessons learned is presented in Table 1.
(1) General man-machine interface: This category includes the reports that address the overall interface but do not fit into any of the more specialized categories. Although there were several reports in this area, there were only a few lessons learned of general interest concerning the man-machine interface. These were integrated into other categories where they belong as specific lessons learned.
(2) Computer-based control rooms: This category serves as the basis for almost all the others. It is the lessons learned on the basic development and use of computer-based control rooms; that is, it includes only those lessons learned on the use of computer-based techniques for the display of information to operators and on the acceptance of commands from operators, but does not include any on the processing of the information before its presentation.
(3) Alarm handling: This category includes the lessons learned pertaining to the systems and techniques for processing alarms for presentation to operators.
(4) Surveillance systems: This category includes the lessons learned pertaining to techniques for monitoring, processing, and presenting information based on larger portions of the plant than single parameters or alarms of the previous category.
(5) Automatic controls: This category includes the lessons learned pertaining to the automation of some control functions of the plant.
(6) Computer-based procedures: This category includes the lessons learned from the efforts in computerizing operator procedures to provide better operator aids. Because this does not involve the presenting of plant process information but preplanned guidance to operators, the characteristics of the subject and therefore the lessons learned justified a separate category.
(7) Control room redesign: This category includes the lessons learned from the IFE contracts to redesign control rooms.
(8) Operator stress: This category includes the lessons learned from the work on the effects of operator stress, which was originally carried out under a bilateral agreement, and the results of which were released to the Project members.
(9) Training with simulators: This category includes the lessons learned from the experience with training using simulators.
(10) Reliability of computer-based systems: This category includes the lessons learned on the reliability of computer systems, on which all of the systems and techniques discussed in previous categories are based.
(11) Miscellaneous: This category includes a small group of lessons learned that did not fit into the other areas and generally represents single reports on isolated topics.
1.8 Layout of the Report
Findings or lessons learned are listed in Chapters 2 through 11 under the category headings shown in Table 1. Alongside each finding is the Halden report from which the finding was extracted and a statement indicating the broad type of evidence, for example, survey, experiment, and review, supporting the finding. Because of the large number of findings falling into Category 2, "computer-based control rooms," findings have been additionally classified by means of asterisks to indicate if they are of particular importance or novelty.
Table 1 Distribution of the Halden Reactor Project reports and lessons learned
Number of reports reviewed*
Lessons-learned topic
12
General man-machine interface
Computer-based control rooms
Alarm handling
Surveillance systems
Automatic controls
Computer-based procedures
Control room redesign
Operator stress
Training with simulators
Reliability of computer-based systems
Miscellaneous
Total
Number of lessons learned
0**
20 17
107
22
15 22 8 6 8
19
12 1 7 15
32
19
16
24
~
--4
150
24
*Each report was counted once. Several reports addressed multiple topics.
**Incorporated into other categories.
2 COMPUTER-BASED CONTROL ROOMS
Almost half of all the regulatory lessons learned fall in the category "computer-based control rooms." The 107 findings originate from 20 reports that describe over 10 years of experience in design, use, and experimentation within this broad topic area.
Because of the large number of lessons learned in this category, some further categorization was necessary to help identify those lessons learned worth pursuing and to provide a more useful presentation scheme. The first approach was to rank the items so that discussions with the Halden staff members could be focused on the most interesting and important lessons. For this ranking, two qualitative classification scales were used: "strength of evidence" and "importance or novelty."
For "strength of evidence," the following numerical classification was used initially:
(1) Some, but not much; it was observed a few times in use or from one small experiment; a year or so of experience with a system using the technique.
(2) Not well understood; usually happens but not all the time; some experimental support; 3 to 5 years of experience.
(3) Strong opinion with many years of experience; happens almost all the time; undocumented survey of operators; or a major experiment.
(4) Large documented survey or several documented experiments.
In this report, however, it was decided to simply include a short statement alongside each finding indicating its general origin, in addition to a specific reference to the original source report where available. In this way the reader can adjudge the weight to be given to each individual lesson.
Because of the large number of findings in this category, an additional classification indicating particular "novelty or importance" has been applied and this has been indicated in the listing of findings as follows:
**  a finding that is both novel and particularly important within a regulatory context
*   a finding that is either particularly novel or important within a regulatory context
After discussions were held with the Halden staff to clarify the lessons learned, the lessons were organized into smaller groups or subcategories under the main heading "computer-based control rooms." It was found convenient to group them either in terms of the technique used for accomplishing a particular function or in terms of the particular function itself. The chosen subcategories and the distribution of findings within each category are shown in Table 2.
It should be noted that many findings reported in this section originate in a series of reports describing an exercise carried out in the early seventies when an experimental control room was installed at the Halden Reactor. This control room permitted control of the reactor by means of several color cathode ray tubes (CRTs), and the process was manipulated using function keyboards and tracker balls. The findings are based on informal observations and interviews during this period, and no attempt was made to gather quantitative data on operator errors or on time taken to carry out operations using the computer system.
Table 2 Subcategories within the category "computer-based control rooms"
Subcategory                                                  Number of lessons learned
General man-machine interface issues                          11
Overall design considerations                                 27
Use of color                                                  14
Presenting parametric data                                    17
Presenting alarms                                             10
Presenting groups of parameters or alarms in CRT formats      15
Hardware issues                                               13
Total                                                        107
2.1 General Man-Machine Interface Issues
The lessons learned under this subcategory concern the overall use of computer-based man-machine interfaces (MMIs), and some findings may be viewed as reasons for using a computer-based MMI approach. The major point is that computers can support a wide range of techniques for the presentation of information and input of operator commands. Nevertheless, this flexibility can allow the development of disadvantageous features as well as advantageous options. The remaining groups of lessons learned in the category "computer-based control rooms" provide guidance or suggestions on avoiding poor designs in the development of computer-based MMI systems.
Lessons
Page
Basis
** (1) Computer-based instrumentation seemed to provide better overview capabilities than conventional instrumentation.
HWR-34 Small survey
13
** (2) Operators do not have to lose their "feel" for the plant due to computerization.
HWR-34 Small survey
13
** (3) Problems from bad design of computer-based instrumentation accentuate difficulties in use.
HWR-35 Small survey
2
** (4) Computer monitoring of all plant parameters is more effective than operators scanning instruments. Many more parameters can be checked than have traditionally been alarmed in conventional control rooms. (Note: This assumes alarm filtering to prevent overloading the operators.)
HPR-202 Informal study
** (5) It is easier to learn how to handle a process with a multicolor CRT than with conventional instruments.
HWR-35 Small survey
* (6) Using CRTs with tracker ball and keyboard does not hamper operator fault detection.
HWR-152 Experiment
* (7) A listing of topics to be considered in the design of interactive computer-based systems should be compiled from a number of sources.
HWR-149 Review
* (8) Operators can become bored with computer-based control rooms due to less activity necessary with centralized information and interpreted process information. For example, there is less physical activity necessary than in a large conventional control room.
HPR-202 Informal study
5
45
2 Abstract
36
Lessons
*
*
Basis
Page
(9) Older operators generally take longer to adapt to computer-based instrumentation and controls.
HWR-34 Small survey
12
(10) Extremes in attitudes for and against computerization are tempered with use, but system design can aggravate attitudes. Prolonged negative attitudes were the exception rather than the rule.
HWR-34 Small survey
12
(11) There seems to be little systematic or consistent difference in terms of operator performance between several input/output systems: CRT + function keys + tracker ball, conventional pushbuttons; mimics + pushbuttons, and CRT with pushbuttons.
HWR-178 Experiment
40
2.2 Overall Design Considerations
The findings under this subcategory pertaining to design address the planning stage of computer-based MMI systems, including the need to establish a philosophy of information handling, the need to incorporate the user into the design process, and the need for a flexible design to allow eventual changes.
Basis
Lessons
Page
** (1) Some displays should be task/procedure oriented.
Interviews
** (2) To improve user acceptance, send prospective users to a similar plant using the same or similar system.
HWR-25 Informal field study
9
** (3) Hire consultants as advocates for the users' needs. Computer specialist firms are not useful for this task.
HWR-25 Informal field study
10
** (4) It is not wise to base presentation modes only on laboratory subjects (i.e., inexperienced) because experience can significantly affect operator preferences.
HWR-35 Small survey
7
** (5) To address eye strain concerns, operators should be able to adjust lighting intensity, contrast, and general background illumination.
HWR-62 Descriptive report
4
** (6) Even after careful study and design, grouping of controls and function buttons needed to be changed. Therefore, designs should expect and plan for change.
HWR-62 Descriptive report
4
** (7) Involvement of experienced users is a major contributor to the success of a computer-based system.
HWR-62 Descriptive report
5
** (8) The tracker ball works well as an XY pointing device.
HPR-202 Informal study
39
** (9) Correct and consistent software functions can be much more important to operators than refinements in color character resolution, layouts, etc.
HPR-202 Informal study
39
** (10) Careful design of displays can reduce the number of CRTs necessary, which can provide both operational and economic benefit.
HPR-202 Informal study
40
** (11) All plant variables available within a computer-based system should be available to the operators, not just a limited set.
HPR-202 Informal study
42
Lessons
Page
Basis
**
(12) A consistent approach to information handling must be established that includes the method operators will use to access plant information and the standards for the MMI.
HPR-221.17 Informal study
7
**
(11\
HPR-221.17
0,,
, ~ -,
Rlinlrino __, ... _&-a-...--...0 _,:inil .. .. _. flR-221.17
9
Informal study
**
(6)
Picture complexity should be kept small but balanced with the number of pictures necessary to display all the required information.
HPR-221.17 Informal study
**
(7)
Apparent display complexity is inversely proportional to familiarity with the display; that is, operators learn to use complex mimics.
Interviews
*
(8)
For CRT drawings, use a minimum standard set of symbols simplified where necessary as long as the function of the symbols is known, for example, generic valve symbol rather than ball, gate, stop/check, motor-operated, or air-operated valve symbols. (This may be a function of the graphic system in use at the time.)
HPR-221.17
Do not use frames unless their purpose is to communicate something. Pictures without frames are "cleaner."
HPR-221.17 Informal study
3
HPR-221.17
4
*
(9)
*
(10) Avoid skewed lines as interconnection between symbols.
9
4
Informal study
Informal study
*
(11) CRT diagrams should provide references to plant documentation.
HPR- 202 Informal study
40
*
(12) For low-resolution displays, the maximum number of plots on CRT is four.
HPR-221.17 Informal study
11
(13) Brightness is useful for highlighting.
HWR-35 Small survey
7
(14) There is no evidence supporting graphic presentations over textual. (Note this does not correspond with field experience.)
HWR-35 Small survey
3
(15) The use of a system mimic sometimes creates problems particularly on crowded panels. (Note this does not correspond with field experience.)
HWR-152 Experiment
38
2.7 Hardware Issues
The final group of findings contains guidance on computer response times and miscellaneous hardware items from the Project's experience with building and using computer-based control rooms. The lessons learned in the area of time response reflect the experience in keeping operators comfortably in control of the reactor plant systems while they are using the computer-based controls.
Lessons
Basis
Page
(1) CRTs can have significant problems with glare.
HPR-202 Informal study
** (2) Status reports are necessary in computer systems supporting operators if the response time is more than 1 second.
HWR-62 Descriptive report
11
38
Lessons
Basis
Page
(3) Adjacent CRTs should be updated simultaneously to avoid the significant distraction of sequential updating.
HPR-202 Informal study
38
** (4) The operator must have feedback from commands within 1 second and the function performed within 2 seconds to feel in positive control of the plant.
HPR-202 Informal study
39
* (5) CRT monitor quality is very important to maintenance of focus and convergence.
HPR-221.17 Informal study
9
* (6) Even small pushbuttons should not be shiny due to problems with reflections distracting operators.
HPR-202 Informal study
38
* (7) A successful cursor is a yellow cross three characters wide.
HPR-221.17 Informal study
9
* (8) Updates of displays at 1-second intervals are too slow for some instruments, for example, reactor period/startup rate.
HPR-202 Informal study
41
(9) Black text on lighted blue indicators is difficult to read even with good contrast.
HPR-202 Informal study
38
(10) Incandescent lighting is preferable to fluorescent lighting due to flicker problems with CRTs.
HPR-202 Informal study
38
(11) Conventional instruments fail: meters stick, pushbuttons jam, and removable pushbutton covers fall off.
HWR-152 Experiment
35
(12) Liquid crystal displays (LCDs) have unacceptable contrast for control room use.
HWR-152 Experiment
36
(13) Light emitting diode (LED) displays have acceptable contrast for control room use. There can, however, be severe problems with liquid-quartz displays.
HWR-152 Experiment
36
**
2.8 Source Reports
HPR-202
(1977)
"Development of a Computer and Color Display Based Control Room (OPCOM) for Experimental Operation of the Halden Reactor"-Informal observation of operator attitudes to the installation of a color CRT-based process control and supervision system (OPCOM) at the Halden Reactor during 1973.
HPR-221.17
(1978)
"Design of Pictures and Use of Colours and Symbols for a CRT Based Supervision System" -Guidelines from informal observations.
HPR-263
(1980)
"Development of Guidelines and Recommendations for Colour Display Based Information Presentation Systems"-Suggested guidelines and informal studies.
HWR-25
(1981)
"Retrofitting of Control Rooms with Computer-Based Systems"-Account of retrofitting exercise.
HWR-34
(1981)
"Attitudes Towards Computer-Based Communication Devices Within Process Industries"-Qualitative survey of operators before and after installation of computerized interfaces.
HWR-35
(1981)
"Experience from VDU-Presented Information"-Qualitative survey of operators before and after installation of computerized interfaces.
HWR-62
(1982)
"Display-Based Operator Communication Systems-Experience and Future Potentials"- Descriptive account of installation of communication and display systems.
HWR-149
(1985)
"Comprehensive Human Factors Engineering Checklist for the Evaluation of Interactive Computer-Based Systems" -Literature survey of checklist evaluation techniques for interface design.
HWR-152
(1985)
"Conventional Instrumentation in the Advanced Control Room-Experiment 1: A Comparison of Operator Performance Using Three Display Modes"-Formal experiment comparing performance with advanced and traditional interfaces.
HWR-178
(1986)
"Conventional Instrumentation in the Advanced Control Room-Experiments 2 and 3: Further Comparisons of Operator Performance When Using Differing Display and Control Modes"-Formal experiment as HWR-152 above.
3 ALARM HANDLING
This section provides those findings related to techniques for handling and presenting alarms. Alarms are reports either of changes in plant status or of parameters going outside prescribed limits, are normally transient, and are considered of higher priority than the routine, continuously displayed process parameters and system status. "Handling" refers to the computer processing of the changes in plant status and of the parameters before their presentation. The basic regulatory questions in this area are (1) what conditions or events should be alarmed and (2) how should those alarms be presented to the operator appropriately in regard to their severity.
At Halden, and in the countries belonging to the Organization for Economic Cooperation and Development (OECD), significant work has been done on improving alarm systems and has generally meant the application of computers to the handling and display of alarms. The OPCOM system (operator communication) was developed as the initial test of a computer-based control room and had many innovations, including dynamic filtering and some alarm generation. This initial effort was further developed at the Halden Reactor Project into the HALO system (handling of alarms with logic). This system both filters and generates alarms. While the alarm-handling systems in the OECD countries apparently have a target reduction factor of 2, the HALO system has demonstrated reductions by a factor of between 4 and 10. As an example, in an experimental scenario with 200 alarms in the first 10 seconds, the HALO system filtered this down to only 12 meaningful alarms.
Two complementary techniques in alarm handling have emerged. Both build on the current concept of an alarm. The first is generally known as alarm filtering and the second as alarm generation.
3.1 Alarm Filtering
Alarm filtering basically means not passing on to the operator those conditions or events that would be expected as normal plant behavior for the current situation. This results in far fewer alarms, and therefore a clearer picture of the situation is presented to the operator.
The heart of alarm filtering is the method of defining the current situation from which to judge what is expected. The traditional system with alarm situations defined and fixed by the system designers can be viewed as being at one end of the spectrum of approaches. This includes the common static setpoints for alarms and does not include filtering. The first step in alarm filtering is to link the definition of the current situation to the mode of the plant. This results in a small number of fixed definitions of a current situation and yet has a very significant effect on the number of alarms in the control room. The next step is to make the definition more dynamic by basing it directly on plant parameters and determining for each alarm whether reaching the designer's limit is a condition to be reported or not. An example is: if a valve necessary for flow is shut, then the low-flow alarm is not really an alarm condition. The next step is to allow the alarm limits themselves to vary with the plant conditions. This allows the monitoring of behavior with respect to a simple model of the parameters' expected behavior. This technique is being used in early fault detection, that is, the detection of anomalies before they reach the fixed alarm limits, and is discussed in Chapter 4.
3.2 Alarm Generation
The other concept in alarm handling is to generate alarms (1) by creating alarms for expected conditions or events that do not occur or (2) by processing individual, low-level alarms into new alarms with a higher information content. An example of the first technique is to generate an alarm if all control rods do not reach their fully inserted limits within a prescribed time after a scram. An example of the second technique is to collect the low discharge pressures from individual main feed pumps and report loss of a train or all main feed, when appropriate, rather than report three individual feed pump low discharge pressures and require operators to interpret their meaning.
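The first two filtering steps of Section 3.1 (plant mode, then plant-state preconditions) and both generation techniques of Section 3.2, as an added Python example that is not taken from the report or from the HALO system. Every tag name, plant mode, setpoint and the 5-second rod-insertion window is a constructed assumption.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Every tag, mode, limit and time window below is constructed for illustration.
ROD_INSERT_WINDOW_S = 5.0
PUMP_TAGS = ("MFP_A_DISCH_P_LOW", "MFP_B_DISCH_P_LOW", "MFP_C_DISCH_P_LOW")
GROUPS = {"MAIN_FEED_LOST": PUMP_TAGS}  # high-level alarm -> low-level members


@dataclass
class PlantState:
    mode: str                           # plant mode: "power" or "shutdown"
    time_s: float
    values: dict                        # analog process parameters
    status: dict                        # equipment status
    scram_time_s: Optional[float] = None


@dataclass(frozen=True)
class LowAlarm:
    tag: str
    parameter: str
    limit: float                        # designer's static low setpoint
    modes: frozenset                    # modes in which the alarm is meaningful
    expected_if: Optional[Callable[[PlantState], bool]] = None


POWER = frozenset({"power"})
BOTH = frozenset({"power", "shutdown"})
ALARMS = [
    # Low feed flow is expected, not abnormal, when the valve it needs is shut.
    LowAlarm("FW_FLOW_LOW", "fw_flow", 100.0, POWER,
             expected_if=lambda s: not s.status["fw_valve_open"]),
    LowAlarm("STEAM_FLOW_LOW", "steam_flow", 200.0, POWER),
    LowAlarm("GEN_OUTPUT_LOW", "gen_mw", 50.0, POWER),
    LowAlarm("MFP_A_DISCH_P_LOW", "mfp_a_p", 40.0, BOTH),
    LowAlarm("MFP_B_DISCH_P_LOW", "mfp_b_p", 40.0, BOTH),
    LowAlarm("MFP_C_DISCH_P_LOW", "mfp_c_p", 40.0, BOTH),
]


def raw_alarms(state, alarms=ALARMS):
    """Traditional system: static setpoints only, no filtering."""
    return [a.tag for a in alarms if state.values[a.parameter] < a.limit]


def filter_alarms(state, alarms=ALARMS):
    """Suppress alarms that are expected behavior for the current situation."""
    kept = []
    for a in alarms:
        if state.values[a.parameter] >= a.limit:
            continue
        if state.mode not in a.modes:            # step 1: plant mode
            continue
        if a.expected_if and a.expected_if(state):  # step 2: plant parameters
            continue
        kept.append(a.tag)
    return kept


def generate_alarms(state, active):
    """Add alarms with higher information content than the raw signals."""
    out = list(active)
    # Technique (2): merge complete groups of low-level alarms into one.
    for group_tag, members in GROUPS.items():
        if all(m in out for m in members):
            out = [t for t in out if t not in members] + [group_tag]
    # Technique (1): alarm on an expected event that did not occur.
    if (state.scram_time_s is not None
            and state.time_s - state.scram_time_s > ROD_INSERT_WINDOW_S):
        stuck = sorted(r for r, ok in state.status["rods_inserted"].items() if not ok)
        if stuck:
            out.append("RODS_NOT_FULLY_INSERTED:" + ",".join(stuck))
    return out


def handle(state):
    return generate_alarms(state, filter_alarms(state))


# Constructed scenario: 10 s after a scram, all feed pumps lost, one rod stuck.
POST_SCRAM = PlantState(
    mode="shutdown", time_s=10.0, scram_time_s=0.0,
    values={"fw_flow": 0, "steam_flow": 5, "gen_mw": 0,
            "mfp_a_p": 10, "mfp_b_p": 12, "mfp_c_p": 8},
    status={"fw_valve_open": True,
            "rods_inserted": {"R1": True, "R2": False, "R3": True}})

# Constructed scenario: at power, feed valve shut, one pump pressure low.
VALVE_SHUT = PlantState(
    mode="power", time_s=100.0,
    values={"fw_flow": 0, "steam_flow": 500, "gen_mw": 300,
            "mfp_a_p": 60, "mfp_b_p": 60, "mfp_c_p": 30},
    status={"fw_valve_open": False,
            "rods_inserted": {"R1": False, "R2": False, "R3": False}})

if __name__ == "__main__":
    for name, st in (("post-scram", POST_SCRAM), ("valve shut", VALVE_SHUT)):
        print(name, len(raw_alarms(st)), "raw ->", handle(st))
```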
3.3 Alarm Presentation
The subject of alarm presentation includes two areas not addressed by many of the lessons learned. Besides the initial and direct display of alarms, the Halden staff feels that the operator should be able to call up more detailed information than is available when the technique is used simply to alert the operator to the alarm condition. The use of a computer-based control room can make this a simple task. The staff also expects that the control room would be equipped with an event recorder that would record the alarms in the order in which they were received. This information might not be of immediate use during a transient but would be necessary for a full understanding of the event at a later time.
The basic problem in the area of alarm presentation is how to present the alarms to the operator so that their number is not overwhelming. Computer-based systems for organizing the alarms for presentation have been built and studied. Linear lists, two- and three-tier hierarchies, and combinations with graphics and overviews as well as conventional alarm tiles have been studied. Recent experimental results have been fairly conclusive. Operators generally like the use of graphic overviews and do not like systems that require paging through even only two levels of a hierarchy. Work is continuing on overviews and mimics with embedded alarm information.
3.4 Observations
In the area of presenting alarms on CRTs, there seems to be a significant relationship between the number of alarms displayed at one time and the sophistication of the handling system necessary to get the messages to the operator. This seems to be due to the fact that operators can handle only a certain amount of sequential information. Above this point, operators tend to ignore new alarms in favor of the alarms first presented. It has been demonstrated that the performance of operators may decrease significantly when there is more than one CRT page of listed alarms. When the number of low-level alarms is less than this limit, a simple listing is sufficient. When the number of low-level alarms exceeds this limit, alarm filtering is a technique that reduces the number of displayed alarms and improves operator performance. It may be that operator performance is good until the number of filtered alarms exceeds one CRT page. For these conditions, graphic presentation techniques seem to be adequate for presenting the information.
It must be noted that this "one CRT page" limit has not been directly investigated and is therefore not well defined. Also, it is not believed that the handling and presentation techniques for an alarm system should be changed on the basis of the number of alarms, rather the system should be designed for the potential maximum number of alarms.
Lessons
Basis
Page
(1) Appropriate overview displays can guide operators to the correct format, and embedded alarm information can be easily related to other alarm information.
HPR-331 Experiment
34
(2) Alarm filtering, that is, separating expected alarm signals from others, is effective; that is, it reduces alarms by a factor of 4-10 times.
HWR-24 Description of HALO concept
12
(3) Alarm filtering is relatively inexpensive; that is, a large part of the work is relatively easy. The project described took 6-12 person-months overall, for a reduction factor of 4-10 times.
HWR-24 Description of HALO concept
16
(4) Alarm filtering can improve diagnostic accuracy with statistically significant results.
HWR-83 Experiment
19
(5) Alarm filtering has only positive effects on operator diagnostic performance.
HWR-83 Experiment
19
(6) An alarm overview display can significantly improve diagnosis.
HWR-83 Experiment
19
(7) There is considerable ongoing work on the application of computers in alarm systems for nuclear power plants among Halden Project (HP) members.
HWR-176 Survey
50
(8) Computerized alarm systems are being installed with the object of improving economy, efficiency, and safety in HP member countries.
HWR-176 Survey
50
(9) The typical development time for computerized alarm systems is 4 years.
HWR-176 Survey
50
(10) There is a general (international) lack of guidance and requirements for alarm systems.
HWR-176 Survey
50
(11) Alarm lists are routinely presented in time order.
HWR-176
51
(12) Attention-getting devices used, in order of preference, are audible alarms, flashing, and color coding.
HWR-176 Survey
51
(13) Some form of alarm suppression or filtering with a target of 50-percent reduction is a common feature among HP members.
HWR-176 Survey
51
(14) When there is less than one page of alarms, a simple list of alarms can be just as effective as a sophisticated alarm presentation system with respect to alerting the operator and aiding detection.
HWR-134 Experiment
21
(15) When the number of alarms, in a text-based system, is greater than can be shown on one display page, then advantages in alarm filtering can be observed.
HWR-134 Experiment
21
(16) When the number of alarms is more than can be shown on one display page and alarms originate from several different plant systems, the value of graphic mimic displays is noticeable.
HWR-134 Experiment
21
(17) An advantage of sophisticated alarm-handling systems is that they can increase the "signal to noise ratio" so that new alarm situations are acknowledged faster and more effectively.
HPR-331 Experiment
34
(18) Operators tend to focus on early indications of a transient and may neglect alarms occurring later as a result of a secondary disturbance.
HWR-142 Experiment
59
(19) The use of blinking together with color changes to indicate alarm conditions can become a nuisance and therefore ineffective, particularly if the area of the display, which is blinking, is relatively large.
HWR-134 Experiment
22
(20) A graphic approach to alarms with 1 overview and 15 second-level system alarm group display formats was easily adapted to by operators.
HWR-134 Experiment
22
(21) There is disagreement on whether cleared alarms should be automatically removed from the display.
HWR-134 Experiment
23
(22) There is a disagreement over the need to acknowledge all alarms presented to operators.
HWR-134 Experiment
23
(23) There is disagreement on whether the compression of alarm lists should be automatic or manually initiated.
HWR-134 Experiment
23
(24) Operators expect immediate silencing of audible alarms on command. Even relatively short computer processing delays, of the order of 1 second, were unacceptable to operators.
HWR-134 Experiment
23
(25) Operators considered the HALO system easy to learn, easy to use, and helpful in the diagnosis and handling of transients.
HWR-134 Experiment
25
(26) When there were 100 or more alarms and independent plant failures, the symbolic display of filtered alarms had advantages over text display of filtered alarms, probably because the overview display "insisted" that a new alarm situation had occurred which should be acknowledged.
HWR-134 Experiment
21
Lessons
Basis
(27) Alarm filtering of only 50 percent, for a number of transient events, yielded few statistically significant operator performance differences.
HWR-142 Experiment
58
(28) Although not demonstrated by systematic performance differences, the operators clearly preferred a symbolic display of alarms over textual displays.
HWR-142 Experiment
59
(29) Operators seemed to find the three-level alarm display hierarchy, under test, rather cumbersome.
HWR-142 Experiment
59
(30) Computer-based alarm systems can direct operators to the particular system display, where the specific alarmed parameter is located, more effectively than conventional alarm tiles.
HPR-331 Experiment
34
(31) It is not sufficient to rely on operators knowing which format contains an alarmed parameter without guidance.
HPR-331 Experiment
34
(32) Operators can locate a disturbed variable more quickly using a CRT display when the alarm information is included by means of color coding of the parameter value.
HPR-331 Experiment
34
Page
3.5 Source Reports
HPR-331
(1987)
"A Comparison of Operator Performance When Using Either an Advanced Computer-Based Alarm System or a Conventional Annunciator Panel"-Large-scale experiment involving 10 operators coping with complex fault scenario on a full-scope pressurized-water-reactor (PWR) simulator.
HWR-24
(1981)
"Handling Alarms with Logic (HALO) and Other Operator Support Systems"-Description of HALO alarm concept.
HWR-83
(1982)
"A Preliminary Evaluation of the HALO System for Alarm Handling"-Preliminary experiment investigating operator performance when fault finding on compact PWR simulator.
HWR-134
(1984)
"An Experimental Comparison of Three Computer-Based Alarm Systems: Design, Procedure and Execution"-Large-scale experiment involving seven two-person crews coping with transients on a full-scope PWR simulator with different modes of alarm presentation.
HWR-142
(1985)
"An Experimental Comparison of Three Computer-Based Alarm Systems- Results and Conclusions"- Large-scale experiment as above.
HWR-176
(1986)
"Survey on Computerized Alarm and Annunciator Systems"-Survey of Project members on their current use and plans for application of computer-based alarm systems.
4 SURVEILLANCE SYSTEMS
The category "surveillance systems" pertains to computer-based systems that monitor plant operations. The lessons learned were not included in the category "alarm handling" because they are more general than those pertaining to responding to alarms or precursors to alarms. They include those pertaining to systems to monitor core physics, safety function monitoring systems, and a technique, called early fault detection, to monitor plant behavior and recognize abnormalities before they reach alarm conditions.
4.1 Core Surveillance
Core surveillance systems are intended for use by plant engineers responsible for the economic management of the reactor core and do not provide operators with any significant safety-related information. Therefore, there are no significant regulatory lessons learned from this work other than the additional experience derived from the effort to develop another computer-based system for use in nuclear power plants.
4.2 Safety Function Monitoring
A safety function monitoring system monitors several parameters and develops a measure of margin in maintaining a safety function. Safety functions are a small number of relatively high-level activities or conditions that must be maintained to protect the public's health and safety. These functions can be significantly different depending on the different approaches to their definition.
The system that is undergoing experiments at Halden is Combustion Engineering's critical safety monitoring system (CFMS); the lessons learned from this work are expected to apply to other safety function monitoring systems. The primary lesson learned is that if operators are intended to control a relatively vague plant characteristic like safety, then providing them with a measurement of their success in reaching or maintaining that goal is useful in guiding their actions. This was demonstrated for the usually ill-defined subject of safety by the development of a set of safety functions based on many plant parameters and then providing a system that could provide a measure of the margins to those safety functions. It was shown that providing operators with this information reduced the time that the safety functions were endangered. If such a system is lacking, operators must have the ability to process a large amount of detailed information in order to achieve the nebulous goal of safety.
It should be noted that a safety function monitoring system is not just a safety parameter display system (SPDS), because it does not just provide operators with a localized place to get the value of a set of significant plant safety parameters. An SPDS requires operators to interpret the readings to judge the safety of the plant. A safety function monitoring system provides a measurement of the plant's status in meeting the safety functions and does not require interpretation by operators; therefore, it would reduce the cognitive load on operators during emergencies.
4.3 Early Fault Detection
A new technique for monitoring plant behavior and detecting anomalies before they reach alarm conditions is in the early stages of experimentation at Halden. This technique entails the comparison of process data with small models associated with specific parameters to see if the behavior of the parameters in small localized areas is as expected. As an example, a small model supporting a pressure instrument could check that the pump is on and the necessary valves are open upstream and could check the temperature of the fluid as part of its model for evaluating whether the pressure was abnormal or not. When carried out to a relatively detailed level throughout a system, the surveillance system can separate causes from their effects and note trends before the parameters reach their traditionally fixed alarm setpoints. Experiments have been begun to evaluate the usefulness of such a system and to evaluate methods of presenting this new information to operators in a useful form.
Lessons
Basis
(1)
The use of a safety function monitoring system reduces the time some of the safety functions are in the alarm condition.
HPR-312 Major experiment
26
(2)
Safety function monitoring systems are more useful in general areas than for guiding specific operator actions.
HPR-312 Major experiment
26
(3)
Operators think a safety function monitoring system provides useful information for operators.
HPR-312 Major experiment
26
(4)
Operating crews miss some activities independent of the use of a safety function monitoring system.
HWR-111 Major experiment
115
(5)
Operators think learning to use a safety function monitoring system is easy.
HWR-111 Major experiment
173
(6)
Operators wanted more information in integrated process status overview (IPSO).
HWR-171 System specification
17
Page
3
Lessons
Basis
Page
(7) Core surveillance as an online tool provides commercial benefit due to improved operation based on a model of fuel failure using real data.
HWR-32 System description
1
(8) Core surveillance is an online tool to provide savings from the use of a fuel-failure model with real data for improved operation while keeping fuel-failure probability low.
HWR-32 System description
1
(9) Core surveillance systems are concerned with commercial not safety aspects of the operation of the plant.
Interviews
(10) Comparison of process parameters with a process model can detect deviations in performance earlier than static limits on plant variables.
HWR-141
25
(11) The predictive part of a core surveillance system (SCORPIO) has been useful to the plant physicists for load changes and extending operations.
HWR-141
14
(12) A large-screen visualization of the plant process used as an overview, with only a very small number of key plant parameters and little detailed alarm information, was surprisingly effective for detection and diagnosis.
HWR-158 Experiment
9
(13) An integrated process status overview (IPSO) system was used more during passive monitoring than during planned evolutions or handling of transients.
HWR-184 Experiments
37
(14) Operators wanted more process and alarm information than was provided in an integrated process status overview (IPSO).
HWR-184 Experiments
38
(15) Operators liked the use of a large-screen overview of process status.
HWR-184 Experiments
39
4.4 Source Reports
HPR-312
(1984)
"The Experimental Evaluation of the Critical Function Monitoring System-Executive Summary"-Summary account of the installation and experimental evaluation of the CFMS (SPDS) system at the Loviisa power plant in Finland.
HWR-32
(1981)
"Core Surveillance Systems: Development at the Halden Project and Within Signatory Organizations" - Review of system development.
HWR-111
(1983)
"The Experimental Validation of the Critical Monitoring System" - Detailed description of data analysis in the CFMS experimental evaluation at Loviisa.
HWR-141
(1985)
"Early Fault Detection Using Process Models and Improved Presentation Techniques"-Prototype system description and specification.
HWR-158
(1986)
"Integrated Process Status Overview (IPSO): Status Report" - Description of implementation of prototype large-screen overview display and proof-of-principle experiment.
HWR-171
(1987)
"Specification for a Nuclear Power Plant's Process Overview Display"-System description and specification for the HALO II alarm overview.
HWR-184
(1987)
"Further Evaluation Exercises with the Integrated Process Status Overview-IPSO" -Description of two, rather more detailed experiments with the large-screen overview display.
5 AUTOMATIC CONTROLS
Because the Halden Reactor Project began as a fuels research effort, automation at the Project has been primarily directed at improving the control of the environment for fuel experiments. The lessons learned, therefore, primarily address techniques to develop control systems for the core based on models of the core's behavior. The findings are based on simulation studies or experiments with different control techniques.
Lessons
Basis
Page
(1)
It is possible to find simple linear models which describe essential plant dynamics for a wide range of power operation (50-90 percent) with relatively small parameter changes.
HPR-204 Experimental simulation
(2)
The choice of objective function is important because under transient conditions very different control sequences and therefore core behavior can result.
HWR-42 Desk study
7
(3)
There has been little work done on objective functions for core optimization in the area of combining economy and safety goals.
HWR-42 Desk study
7
(4)
Predictive control systems without feedback to correct for inaccurate knowledge of initial conditions can lead to nonoptimal or even erroneous control sequences.
HWR-42 Desk study
8
(5)
The multilevel core control system (MCCS) is not suitable for online applications but is more suitable for offline applications due to calculational delays.
HWR-42 Desk study
8
(6)
Direct digital control for preplanned maneuvers is superior to manual methods in both accuracy and speed of operation.
HPR-135 Control study
38
(7)
Transfer between automatic control and manual control can be "bumpless."
HPR-135 Control study
38
(8)
The success of the direct digital control system was due in part to the quality of the man-machine interface.
HPR-135 Control study
38
(9)
The first power control and flux distribution control system at Halden used a least-squares minimization of a performance function.
HPR-149 Tests with reactor
29
(10) A control algorithm using an extension of linear quadratic control theory to cover a wide range of variables of nonlinear systems was much less sensitive to the differences between the process and model as compared to an ordinary state variable feedback control system.
HPR-164 Simulation study
27
(11) A linear control system can be extended to control a nonlinear process by introducing some artificial state variables (drift terms).
HPR-179 Simulation study
42
(12) The sensitivity of a linear control model to variations and nonlinearities of a process can be reduced by the use of artificial state variables called drift terms.
HPR-179 Simulation study
42
(13) Artificial state variables (drift terms) can be introduced into a linear control system to (a) improve the process estimation for linear processes and accurate models and (b) compensate for discrepancies between the process and model due to nonlinearities and/or an inaccurate model.
HPR-179 Simulation study
42
(14) A Halden-designed reactor protection system (RPS) was installed in a German boiling-water reactor (BWR) in the spring of 1976, and initial testing was successful.
HPR-201 Initial use of system
42
HPR-204
27
(15) It is possible to control a BWR simulator over a wide power range by means of a control algorithm based on one single linear model complemented by suitable ...
... development is the customer's specification because they are not easily recognized during development and are a potential source of common mode failures.
(16) The time needed for a tool-aided software-reliability analysis is substantially less than the time needed for a manual analysis.
27
Major experiment HWR-211 Use of system
28
Lessons
Basis
Page
(17) Analysis of the control and data flow using SOSAT tools gives hints on insufficiencies in the realization of the programs previously tolerated or not observed.
HWR-211 Use of system
28
(18) Back-to-back testing of diverse programs is an effective way to detect program faults.
HWR-210 Experiment
49
(19) Manual inspection is not as effective as back-to-back testing with diverse software.
HWR-210 Experiment
49
(20) Uniform random data over the whole input spectrum is an easy and very effective testing technique.
HWR-210 Experiment
49
(21) There is currently no good correlation between various software metrics and the number of program faults.
HWR-210 Experiment
58
(22) Software reliability growth models are very difficult to apply when the number of detected faults is low.
HWR-210 Experiment
69
(23) Almost all program bugs of the diverse software were independent or negatively correlated.
HWR-210 Experiment
80
(24) The distribution of program faults was about as expected based on the theory, that is, exponentially distributed.
HWR-210 Experiment
81
10.1 Source Reports
HPR-182
(1975)
"DEMP-Decentralized Modular Process Computer System"
HPR-266
(1980)
"The Use of a Formal Language for the Specification of Computer Programmes"
HPR-323
(1985)
"PODS-The Project on Diverse Software"
HWR-210
(1987)
"Software Testing and Evaluation Methods-The STEM Project"
HWR-211
(1987)
"Tools for Standardized Software Safety Assessment-The SOSAT Project"
11 MISCELLANEOUS LESSONS LEARNED
This category contains the lessons learned that did not fit into the other categories because they were culled from single reports on topics within the process controls area that were not part of a large project. In addition, this category includes findings related to software studies carried out at the Project.
The reports in this category contained evaluations of the effects of the usual conservative approach to assessing the safety significance of equipment failures. Although this work was done in support of the general effort on computer-based procedures, the results relate to safety assumptions and lead to a justification for allowing longer repair times when safety systems fail in the safe direction.
Lessons
Basis
Page
(1)
A safety system failure that is in the safe direction (typical for fail-safe designs) should support longer repair time limits than allowed under the assumption that all failures reduce plant safety.
HWR-109 Probabilistic risk assessment study
29
(2)
Pattern-recognition techniques can be successfully used to detect anomalies in some signal sources.
HPR-264 Software study
14
(3)
The programming language PL/M-86 is easy to learn and use, is self-documenting, and is readable but has significant limitations in that it does not support prioritization of tasks (interrupts) and convenient data structures (arrays greater than two dimensions).
HWR-108 Software study
34
(4)
The mathematical concept of "fuzzy sets" is not better for automatic selection of display variables than using two levels of setpoints (abnormal + alarm levels) and then displaying preselected variables with auxiliary information available.
HPR-180 Software study
15
11.1 Source Reports
HPR-180
(1975)
"Investigation of a Method for Automatic Selection of Information in Operator Communication Systems" - Use of fuzzy set theory for plant diagnosis.
HPR-264
(1980)
"Application of Pattern Recognition Principles in Noise Analysis Surveillance Systems" - Statistical techniques for noise analysis.
HWR-108
(1983)
"Experience with Implementation of Operator-Process Communication Software on Microcomputer-Based Systems" - Descriptive account of software implementation.
HWR-109
(1983)
"Effects of Different Failures on the Safety and Availability of a Nuclear Power Plant"
12 SUMMARY
This report contains the regulatory lessons learned from work performed at the Halden Reactor Project in the area of process controls over approximately the last 10 years. The lessons learned are of potential regulatory use as support for new requirements, as part of regulatory evaluations of the acceptability of the methods and techniques evaluated at the Project, and as exploratory research and development of new approaches to improve operator performance. The lessons learned are listed with references to reports issued at Halden and are grouped into categories based on an external view of the information and control needs of operators rather than an internal model of the phases operators may go through while controlling the process. More than 200 lessons learned are listed. Of these there are more lessons in the basic area of computer-based control rooms than in the classes of operator support systems such as alarm handling, surveillance systems, automatic controls, or computer-based procedures. Reliability of the computer-based systems is being explored, and there are some lessons learned in that area as well as in the areas of operator training using simulators and operator stress.
13 REPORTS REVIEWED
The Halden reports reviewed are listed in the following sections according to type. In addition, the category into which they fell is specified.
13.1 Process Control-Related Halden Project Reports
HPR-135
"Direct Digital Control of the HBWR Using Conventional Control Methods." K. Netland, B. B. Thomassen, U.S. Jørgensen 1971 AUTOMATIC CONTROLS
HPR-137
"Data Handling and Presentation Systems at the Halden Reactor Project ...
... Jørgensen, S. Hval, J. Pettersen 1983 SURVEILLANCE SYSTEMS
HPR-300
"Principles of a Training Programme for the NORS Simulator." S. Baker, E. C. Marshall 1983 TRAINING WITH SIMULATORS
HPR-301
"NORS-The Full Scope Research Simulator." E. Stokke, F. Pettersen 1983 TRAINING WITH SIMULATORS
HPR-302
"Data Management in Large-Scale Simulator Experiments." G. Hunt, E. Hollnagel, E. C. Marshall 1983 MISCELLANEOUS
HPR-303
"The Experimental Evaluation of the Critical Function Monitoring System-The Training Programme." E. C. Marshall, E. Hollnagel, L. Touminen 1983 TRAINING WITH SIMULATORS
HPR-312
"The Experimental Evaluation of the Critical Function Monitoring System-Executive Summary." E. Hollnagel, G. Hunt, E. C. Marshall 1984 SURVEILLANCE SYSTEMS
HPR-323
"PODS-The Project on Diverse Software." M. Barnes, P. G. Bishop, B. Bjarland, G. Dahll, D. Esp, P. Humphreys, J. Lahti, S. Yoshimura, A. Ball, O. Hatlevold 1985 RELIABILITY OF COMPUTER-BASED SYSTEMS
HPR-331
"A Comparison of Operator Performance When Using Either an Advanced Computer-Based Alarm System or a Conventional Annunciator Panel." C. S. Reiersen, E. Marshall, S. Baker 1987 ALARM HANDLING/COMPUTER-BASED PROCEDURES
HPR-332
"Stress and the Nuclear Control Room Operator-A Literature Review." S. M. Baker, E. C. Marshall 1987 OPERATOR STRESS
13.2 Halden Work Reports
HWR-5
"Report on Workshop Meeting on Simulators for Testing COSS's." 1981 SURVEILLANCE SYSTEMS
HWR-6
"Workshop on Strategies for Handling Cautionary and Warning Alarms." 1981 ALARM HANDLING
HWR-23
"A Candidate Approach to Computer-Based Alarm Handling System (HALO)." P. Visuri, F. Øwre 1981 ALARM HANDLING
HWR-24
"Handling Alarms with Logic (HALO) and Other Operator Support Systems." P. Visuri, B. B. Thomassen, F. Øwre 1981 ALARM HANDLING
HWR-25
"Retrofitting of Control Rooms with Computer-Based Systems." J. Hol, G. Øhra, E. Edsberg, F. Pettersen 1981 COMPUTER-BASED CONTROL ROOMS
HWR-29
"The Functioning of the Operating Crew in Complex Control Systems." E. Edsberg, B. B. Thomassen 1981 AUTOMATIC CONTROLS
HWR-30
"Computerized Operation Manual for Safety Technical Specifications." Halden Project, ASEA-ATOM (Sweden), Austria 1981 COMPUTER-BASED PROCEDURES
HWR-31
"Process Description of the NORS Simulator." I. Leikkonen 1983 TRAINING WITH SIMULATORS
HWR-32
"Core Surveillance Systems: Development at the Halden Project and Within Signatory Organizations." K. Haugset, R. Moen, U.S. Jørgensen, Ø. Berg 1981 SURVEILLANCE SYSTEMS
HWR-33
"Human Factors Engineering in Control System Design." E. Edsberg 1981 GENERAL MAN-MACHINE INTERFACE
HWR-34
"Attitudes Towards Computer-Based Communication Devices Within Process Industries." M. Holmgren 1981 COMPUTER-BASED CONTROL ROOMS
HWR-35
"Experience from VDU-Presented Information." M. Holmgren 1981 COMPUTER-BASED CONTROL ROOMS/OPERATOR STRESS/TRAINING WITH SIMULATORS
HWR-38
"Report of the Workshop on Computer-Based Operating Procedures and Maintenance Status Information." Workshop Report 1981 COMPUTER-BASED PROCEDURES
HWR-42
"Status Report on Predictive Core Control Optimization at the Halden Project." Ø. Berg, I. Leikkonen 1981 AUTOMATIC CONTROLS
HWR-43
"Minutes of the Workshop and HPG Subcommittee Meeting on Alarm Handling." P. Visuri (Editor) 1981 ALARM HANDLING
HWR-53
"NORS Status Report." E. Stokke 1982 TRAINING WITH SIMULATORS
HWR-56
"The Core Surveillance System SCORPIO." Ø. Berg, K. Haugset, S. Hval, R. Moen, U.S. Jørgensen 1983 SURVEILLANCE SYSTEMS
HWR-58
"The Core Surveillance System SCORPIO: Status and Future Work." Ø. Berg, K. Haugset, R. Moen, U.S. Jørgensen 1982 SURVEILLANCE SYSTEMS
HWR-60
"Control Desk Design-Use of Touch Sensitive Screens in Operator Process Interfaces." T. Hveding 1982 GENERAL MAN-MACHINE INTERFACE
HWR-61
"Description of Data Types in the Validation of the Critical Safety Monitoring System." E. Hollnagel 1983 ALARM HANDLING
HWR-62
"Display-Based Operator Communication Systems-Experience and Future Potentials." T. Palmgren (Editor) 1982 COMPUTER-BASED CONTROL ROOMS
HWR-65
"Fully Graphic Colour Displays-State of the Art Study as Basis for the Selection of a Graphic Controller for the HP Experimental Facility." M. Pehrsen, T. Hveding 1982 COMPUTER-BASED CONTROL ROOMS
HWR-66
"Experimental Use of Decision Tables in Computerized Operation Manuals for Safety Technical Regulations Applied in the Forsmark-I Nuclear Power Plant." F. Dworzak, A. Nedelik 1982 COMPUTER-BASED PROCEDURES
HWR-71
"Report of the Workshop on Human Factors Experiment and Validation of Operator Aids." E. C. Marshall (Editor) 1982 GENERAL MAN-MACHINE INTERFACE
HWR-77
"The Methodology of the CFMS Project." E. Hollnagel, E. C. Marshall 1982 ALARM HANDLING
HWR-80
"Methodologies for Developing Alarm Logic in the HALO System." F. Øwre, K. Tamayama 1982 ALARM HANDLING
HWR-83
"A Preliminary Evaluation of the HALO System for Alarm Handling." E. C. Marshall 1982 ALARM HANDLING
HWR-90
"The NORS/HALO System: Background & Methodology for Experiment 1." E. Hollnagel, F. Øwre 1984 ALARM HANDLING
HWR-94
"Preliminary Study for a HALO Alarm System Implementation on the NORS Simulator." F. Øwre, S. Molteberg, S. Nilsen, K. Porkholm 1983 ALARM HANDLING
HWR-96
"Man-Machine Interface Design Using Multilevel Flow Modelling." S. Yoshimura, E. Hollnagel, N. Prætorius 1983 GENERAL MAN-MACHINE INTERFACE
HWR-100
"Guidelines for Requirements Specification with Version 2 of the X-Language." G. Dahll, J. Lahti 1983 RELIABILITY OF COMPUTER-BASED SYSTEMS
HWR-103
"Report from the Workshop on Use of the New Simulator Facility." G. Hunt 1984 MISCELLANEOUS
HWR-104
"Functional Description of the Decentralized Software/Hardware System Supporting the Supervision and Operation of the NORS Simulator-Status & Prospects." J. A. H. M. van Nes, G. Skjerve 1983 RELIABILITY OF COMPUTER-BASED SYSTEMS
HWR-106
"Improvements in Decision Tables by Application of Boolean Expressions." F. Dworzak 1983 COMPUTER-BASED PROCEDURES
HWR-107
"Software Tools Simplifying the Implementation of Operator Communications Systems in Process Control Rooms." C. V. Sundling, S. Nilsen 1983 COMPUTER-BASED CONTROL ROOMS
HWR-108
"Experience with Implementation of Operator-Process Communication Software on Microcomputer-Based Systems." M. Pehrsen, O. Falmyr 1983 MISCELLANEOUS
HWR-109
"Effects of Different Failures on the Safety and Availability of a Nuclear Power Plant." H. Oppolozer, G. Sonneck 1983 MISCELLANEOUS
HWR-110
"Report on the Workshop on Computerization of Procedures & Information Presentation Principles." Workshop Meetings 1984 COMPUTER-BASED PROCEDURES
HWR-111
"The Experimental Validation of the Critical Function Monitoring System." E. Hollnagel, G. Hunt, E. C. Marshall 1983 SURVEILLANCE SYSTEMS/TRAINING WITH SIMULATORS
HWR-112
"Cognitive Systems Engineering in Operator Modelling." E. Hollnagel 1984 OPERATOR STRESS
HWR-113
"COSSI: CRIEPI On-Site Simulator Outline of Specification." H. Okamoto, H. Fukumoto, S. Yoshimura, O. Evjen, I. Leikkonen, E. Stokke 1982 TRAINING WITH SIMULATORS
HWR-114
"Report from the Pilot Experiment on Multilevel Flow Modelling Displays Using the GNP-Simulator." E. Hollnagel, G. Hunt, N. Prætorius, S. Yoshimura 1984 GENERAL MAN-MACHINE INTERFACE
HWR-116
"A Conceptual Framework for the Description and Analysis of Man-Machine System Interaction." E. Hollnagel 1984 OPERATOR STRESS
HWR-118
"The Specification Language X-Version 3.0." J. Lahti, G. Dahll 1984 RELIABILITY OF COMPUTER-BASED SYSTEMS
HWR-129
"Outline of a Model for the Man-Machine Process Control System." E. Hollnagel 1984 OPERATOR STRESS
HWR-131
"Diagnostic Rule Generation- Operator Interviews in Nuclear Power Plant Control Rooms." S. Baker 1984 AUTOMATIC CONTROLS
HWR-133
"On the Direct and Hierarchical Methods in Optimal Core Control." I. Leikkonen 1984 AUTOMATIC CONTROLS
HWR-134
"An Experimental Comparison of Three Computer-Based Alarm Systems: Design, Procedure and Execution." S. Baker, E. Hollnagel, E. Marshall, F. Øwre 1984 ALARM HANDLING
HWR-135
"Programmable Touch Panel Keyboard Prepared for Dynamic Display." T. Hveding, H. K. Karlsen, A. Teigen 1985 GENERAL MAN-MACHINE INTERFACE
HWR-136
"Introduction to the NORS Simulator-A Self-Tutored Training Programme." E. C. Marshall, S. M. Baker, I. Leikkonen 1985 TRAINING WITH SIMULATORS
HWR-137
"An Operator Training Programme for Experiments with the NORS Simulator." S. M. Baker, E. C. Marshall 1985 TRAINING WITH SIMULATORS
HWR-138
"SPEX-A Tool To Support the Specification with the X-Language." J. Lahti 1985 RELIABILITY OF COMPUTER-BASED SYSTEMS
HWR-139
"HAMMLAB-Establishment and Initial Operating Experience." E. Stokke 1985 MISCELLANEOUS
HWR-140
"Process Report on the Halden Project's Work in the SOSAT Project." G. Dahll 1985 RELIABILITY OF COMPUTER-BASED SYSTEMS
HWR-141
"Early Fault Detection Using Process Models and Improved Presentation Techniques." Ø. Berg, O. Evjen, U.S. Jørgensen, J. Kvalem, I. Leikkonen 1985 SURVEILLANCE SYSTEMS
HWR-142
"An Experimental Comparison of Three Computer-Based Alarm Systems-Results and Conclusions." S. M. Baker, D. Gertman, E. C. Hollnagel, C. Holstrøm 1985 ALARM HANDLING
HWR-143
"Proposal for the Development of a Computerized Procedure System." G. Dahll, K. Haugset, S. R. Nilsen, F. Øwre 1985 COMPUTER-BASED PROCEDURES
HWR-144
"Guidelines for the Specification in the X-Language." G. Dahll, J. Lahti 1985 RELIABILITY OF COMPUTER-BASED SYSTEMS
HWR-145
"Keyboard Concentrator." T. Hveding, H. K. Karlsen, A. Teigen 1985 MISCELLANEOUS
HWR-146
"CAMPS-Computer Systems Applying Microcomputer Structures for Process Presentation and Control." C-V Sundling, K. Arnesen 1985 COMPUTER-BASED CONTROL ROOMS
HWR-147
"Installation of the Core Surveillance System SCORPIO at the Ringhals Nuclear Power Plant." W. Aaser, T. Andersson, Ø. Berg, N. T. Førdestrømmen, S. Hval, U.S. Jørgensen 1985 TRAINING WITH SIMULATORS
HWR-148
"A Survey of Man-Machine Evaluation Methods." E. Hollnagel 1985 GENERAL MAN-MACHINE INTERFACE
HWR-149
"Comprehensive Human Factors Engineering Checklist for the Evaluation of Interactive Computer-Based Systems." D. I. Gertman 1985 COMPUTER-BASED CONTROL ROOMS
HWR-152
"Conventional Instrumentation in an Advanced Control Room-Experiment 1: A Comparison of Operator Performance Using Three Display Modes." S. M. Baker, C. Holstrøm, E. C. Marshall 1985 COMPUTER-BASED CONTROL ROOMS
HWR-156
"Functional Requirements to a System for Computer-Aided Procedures." F. Øwre 1986 COMPUTER-BASED PROCEDURES
HWR-158
"Integrated Process Status Overview (IPSO): Status Report." D. I. Gertman, P. Gaudio, S. Nilsen, J. Burns 1986 SURVEILLANCE SYSTEMS
HWR-171
"Specification for a Nuclear Power Plant's Process Overview Display." C. S. Reiersen, O. Evjen, G. Molteberg 1987 SURVEILLANCE SYSTEMS
HWR-173
"Transformation of a X-SPEX to Other Computers." J. Lahti 1986 RELIABILITY OF COMPUTER-BASED SYSTEMS
HWR-174
"Combination of Numeric and Symbolic Processing in Fault Detection and Diagnosis." Ø. Berg, M. Yokobayashi 1986 SURVEILLANCE SYSTEMS
HWR-175
"Operator Information Needs During Accidents, Influence of Cognitive Elements and Cognitive Shaping Factors (CSF)." D. I. Gertman 1986 OPERATOR STRESS
HWR-176
"Survey on Computerized Alarm and Annunciator Systems." D. I. Gertman, F. Øwre, E. C. Marshall, A. Verle 1986 ALARM HANDLING
HWR-178
"Conventional Instrumentation in the Advanced Control Room-Experiments 2 and 3: Further Comparisons of Operator Performance When Using Differing Display and Control Modes." S. Baker, C. Holmstrøm, E. C. Marshall, C. S. Reiersen 1986 COMPUTER-BASED CONTROL ROOMS
HWR-180
"PROLA, a Language Specifically Designed for Use in Computerized Procedure Applications." J. S. Larsen 1986 COMPUTER-BASED PROCEDURES
HWR-182
"The First Prototype of the Computer Assisted Operator Manuals (COPMA)." S. Nilsen 1986 COMPUTER-BASED PROCEDURES
HWR-183
"The Elicitation of Expert Knowledge." S. M. Baker, E. C. Marshall 1987 AUTOMATIC CONTROLS
HWR-184
"Further Evaluation Exercises with the Integrated Process Status Overview-IPSO." C. Reiersen, S. M. Baker, E. C. Marshall, A. Verle, D. I. Gertman 1987 SURVEILLANCE SYSTEMS
HWR-190
"Functional Requirements Specification for the Operation System (HOPES) of the Halden Project Simulation Facility." J. Kvalem, J. S. Larsen 1987 TRAINING WITH SIMULATORS
HWR-203
"An Instructor and Operation System for Training and Research Simulators." L. I. Kristiansen, J. Kvalem, P. Nikkinen 1987 TRAINING WITH SIMULATORS
HWR-204
"Early Fault Detection Demonstrated on the NORS Feedwater System." Ø. Berg, R. E. Grini, T. Johansen, M. Lilja 1987 SURVEILLANCE SYSTEMS
HWR-205
"A Preliminary Specification for a Multifunctional Support System in Emergency Management, Applying Expert System Techniques." Ø. Berg, J. S. Larsen, T. Westgaard, C. Holstrøm, H. Andersson, S. Jakobsson, R. Heinonen, T. Kukko 1987 MISCELLANEOUS
HWR-206
"Reviewing Computer-Based Information Retrieval and Presentation for a Nuclear Power Plant Control Room with Mixed Instrumentation." J. Hol, B. Thomassen 1987 CONTROL ROOM REDESIGN
HWR-207
"Basic Design Criteria for Computer-Based Information Systems in Control Rooms with Mixed Instrumentation." B. Thomassen, J. Hol, G. Øhra, F. Pettersen 1987 COMPUTER-BASED CONTROL ROOMS
HWR-208
"Simulators for Evaluating Operator Performance." S. Baker, E. Marshall 1987 TRAINING WITH SIMULATORS
HWR-209
"Computer Aided Procedure Execution." J. S. Larsen, E. J. Lund, S. R. Nilsen, F. Øwre 1987 COMPUTER-BASED PROCEDURES
HWR-210
"Software Testing and Evaluation Methods-The STEM Project." M. Barnes, P. Bishop, B. Bjarland, G. Dahll, D. Esp, J. Lahti, H. Vlisuo, P. Humphreys 1987 RELIABILITY OF COMPUTER-BASED SYSTEMS
HWR-211
"Tools for Standardized Software Safety Assessment-The SOSAT Project." G. Dahll, G. Glfte, M. Kersken, U. Mainka, J. Mrtz, O. Nordland, B. Suliga 1987 RELIABILITY OF COMPUTER-BASED SYSTEMS
HWR-212
"The Integrated Surveillance and Control Systems ISACS." K. Haugset 1987 SURVEILLANCE SYSTEMS
HWR-213
"The NORS Success Path Monitoring System-SPMS." P. G. Gaudio, E. C. Marshall, F. Øwre 1987 SURVEILLANCE SYSTEMS
HWR-214
"The Oseberg Training Simulator." E. Stokke, Aa. Solie, C. Sundling, M. Pehrsen, P. Kristiansen, I. Leikkonen 1987 TRAINING WITH SIMULATORS
13.3 Institutt for Energiteknikk (IFE) and Bilateral Reports
IFE
"A Study of Operators' Roles and Tasks in a German Nuclear Power Plant." H. Andersson, E. Edsberg, B. Thomassen, J. Wirstad 1982 GENERAL MAN-MACHINE INTERFACE
Bilateral
"Methods Used for Review of Alto Lazio NPP Control Room (Ansaldo IMP)." J. Hol, B. B. Thomassen 1987 GENERAL MAN-MACHINE INTERFACE
Bilateral
"Report on Gullfaks A Simulator Course m- Discussion and Comments." S. Baker, E. Marshall 1987 TRAINING WITH SIMULATORS
Bilateral
"Evaluation of SPDS Functions in Selected Disturbances." E. Hollnagel, I. Leikkonen 1985 SURVEILLANCE SYSTEMS
Bilateral
"Computer-Supported Process Control Rooms." 1982 COMPUTER-BASED CONTROL ROOMS
Bilateral (Statoil) 1002
"Man-Machine Interface and Human Reliability Assessment." G. Dahll, O. Falmyr, N. Førdestrømmen, M. Pehrsen 1982 GENERAL MAN-MACHINE INTERFACE
Bilateral 1003
"Recommended Practices for Man-Machine Interface Design in VDU-Based Operator Process Communications Systems." J. Trengereid, A. Applehans, P. Visuri, S. Baker 1982 COMPUTER-BASED CONTROL ROOMS
Bilateral 1004
"Final Review Report of Ansaldo Impianti's PSAS for Alto Lazio Nuclear Power Plant" B. B. Thomassen, G. Øhra 1982 ALARM HANDLING
Bilateral 1006
"Evaluation of the Fire and Gas Matrix Panel in the Gullfaks Control Room." S. Baker, J. Hol, B. B. Thomassen, G. Øhra 1982 GENERAL MAN-MACHINE INTERFACE
Bilateral 1015
"Review Criteria Handbook-Methodology for Reviewing Formats and Man-Machine Communication for a Generic Nuclear Power Plant." B. B. Thomassen, J. Hol 1986 COMPUTER-BASED CONTROL ROOMS
Bilateral 1016
"Basic Design Criteria for Computer Based Information Systems in Hybrid Control Rooms." B. B. Thomassen, J. Hol 1986 COMPUTER-BASED CONTROL ROOMS
Bilateral (CEGB)
"Stress and the Nuclear Control Room Operator-A Literature Review." S. M. Baker, E. C. Marshall 1987 OPERATOR STRESS
NRC FORM 335 (2-89), NRCM 1102, 3201, 3202
U.S. NUCLEAR REGULATORY COMMISSION
BIBLIOGRAPHIC DATA SHEET
1. REPORT NUMBER: NUREG-1361
2. TITLE AND SUBTITLE: Lessons Learned in Process Control at the Halden Reactor Project
3. DATE REPORT PUBLISHED: December 1989
4. FIN OR GRANT NUMBER:
5. AUTHOR(S): W. G. Kennedy
6. TYPE OF REPORT: Technical
7. PERIOD COVERED (Inclusive Dates): 1974 - April 1987
8. PERFORMING ORGANIZATION - NAME AND ADDRESS: Office of Nuclear Reactor Regulation, Office of Nuclear Regulatory Research, U.S. Nuclear Regulatory Commission, Washington, DC 20555
9. SPONSORING ORGANIZATION - NAME AND ADDRESS: Same as above.
10. SUPPLEMENTARY NOTES: Prepared in cooperation with the OECD Halden Reactor Project, Halden, Norway.
11. ABSTRACT (200 words or less): This report provides a list of those findings particularly relevant to regulatory authorities that can be derived from the research and development activities in computerized process control conducted at the Halden Reactor Project. The report was prepared by a staff member of the U.S. Nuclear Regulatory Commission working at Halden. It identifies those results that may be of use to regulatory organizations in three main areas: as support for new requirements, as part of regulatory evaluations of the acceptability of new methods and techniques, and in exploratory research and development of new approaches to improve operator performance. More than 200 findings arranged in nine major categories are presented. The findings were culled from Halden Reactor Project documents, which are listed in the report.
12. KEY WORDS/DESCRIPTORS:
Human Factors Process Controls Nuclear Power Plant Control Rooms Alarm Handling Surveillance Systems Automation
Computer-based Procedures Operators Stress Training Software reliability
13. AVAILABILITY STATEMENT: Unlimited
14. SECURITY CLASSIFICATION: (This Page) Unclassified; (This Report) Unclassified
15. NUMBER OF PAGES:
16. PRICE: