Progress in Nuclear Energy, Vol. 12, No. 3, pp. 267-284, 1983.
0149-1970/83 $0.00+.50 Copyright © 1983 Pergamon Press Ltd.
Printed in Great Britain. All rights reserved.
REAL-TIME INFORMATION SUPPORT FOR MANAGING PLANT EMERGENCY RESPONSES
D. G. CAIN*, R. J. LORD† and C. D. WILKINSON†
*Electric Power Research Institute, Palo Alto, California 94303, U.S.A.
†Institute of Nuclear Power Operations, Atlanta, Georgia 30339, U.S.A.
(Received 9 August 1983)

1. BACKGROUND
Examination into the causes of the 28 March 1979 accident at Three Mile Island Unit 2 (TMI-2) led the nuclear utility industry to rethink its approach to the safe operation of nuclear power plants. Prior to the accident the industry pursued the defense-in-depth concept by installing and maintaining highly reliable safety-related systems. Redundant and diverse components were used to ensure an acceptable degree of backup. Furthermore, it was felt, in general, that the reactor operating crew could only provide further assurance that the safety systems would perform their intended functions. The accident at TMI-2 proved otherwise. The Report of the President's Commission on the Accident at Three Mile Island [1] provides a detailed description of the accident along with the Commission's findings from its investigation into the causes of the accident. One somewhat surprising finding was that the fundamental problems at TMI were people-related problems and not equipment problems. People-related problems in this context encompass more than human error. They encompass items such as emergency operating procedures, training, control room design, and accident management. As an example of a people-related problem, consider the Commission's finding A.8.6: The information was presented in a manner which could confuse operations:
(i) Over 100 alarms went off in the early stages of the accident with no way of suppressing the unimportant ones and identifying the important ones ...
(ii) The arrangement of controls and indicators was not well thought out. Some key indicators relevant to the accident were on the back of the control panel.
(iii) Several instruments went off-scale during the course of the accident, depriving the operators of highly significant diagnostic information.
(iv) The computer printer registering alarms was running more than 2½ hr behind the events ...
Moreover, the Commission's findings and recommendations regarding TMI-2 are, to a varying extent, applicable to other nuclear plants. Recognizing this, the nuclear utility industry has re-examined the information management systems in its plants. As a result, improvements beyond those stemming directly from the TMI-2 accident have been identified and are being incorporated. The TMI-2 accident pointed out the need to develop a systematic approach to managing plant emergency responses, to identify a better decision-making process, and to implement real-time information support for decision-making. This paper describes the overall process management function, identifies general information requirements for management of plant emergencies, describes the basic information systems now being incorporated and discusses future extensions and problem areas.
2. ROLE OF THE PROCESS MANAGER
To a major extent the focus of traditional nuclear power plant designs and operations in the U.S. has been with an operator acting as a controller, as opposed to a 'decision maker' and 'problem solver'. A prime objective is to significantly strengthen these capabilities to ensure that the operating crew can successfully deal with complex or unanticipated plant situations, and avoid the people-related problems such as occurred at TMI. The essential ingredient in achieving the objective is to realize that the decision-making process should be a dedicated function. That is, a crew member should be assigned, trained and equipped to carry out these tasks on a continuous basis. This must be achieved in the context of the existing control room, operating procedures, and information systems which are provided to support the decision-making process. The logical starting point is to vest the decision-making responsibilities in a 'process manager', to be served by the Shift Supervisor (SS) or Senior Reactor Operator (SRO). The process manager's job functions will be matched with man-machine capabilities to identify prospective information system applications; the operator model proposed by Rasmussen [2, 3] is the analytical framework for this development.
Single unit nuclear power plants are operated by crews typically consisting of a shift supervisor, a senior reactor operator (shift foreman), two reactor operators and two auxiliary operators. The process manager concept evolves from the notion that operating crews should be structured, with formal discrimination between the job functions of control room personnel. This is in contrast to an unstructured crew format where the SS or SRO essentially provides an 'extra pair of hands' in the control room [4, 5]. In a structured crew the process manager is concerned with the recognition of plant occurrences, monitoring of overall plant processes and evaluation of alternative courses of action. The control board (reactor or balance of plant) operator is charged with the control and monitoring of certain groupings of equipment. He attends to this duty under the direction of the process manager.
This structured crew hierarchy can be interpreted using Rasmussen's model of operator behavior by distinguishing skill, rule, and knowledge-based modes of plant-operator interaction. Refer to Fig. 1. According to this convention, skill-based behavior corresponds to system operation and manipulation as one might drive an automobile. Rule-based behavior describes actions associated with a pre-formulated task (e.g. plant emergency procedure). Knowledge-based behavior engages the process manager in a true problem-solving capacity and is goal-directed. The thrust of the present development is to upgrade the rule and knowledge-based capabilities in plant emergency situations. The advantage of structured crew arrangements is that all modes of interaction can be supported simultaneously, rather than in succession. Thus, control board operators will normally be acting in a skill or rule-based capacity, whereas the process manager will serve in the rule or knowledge-based mode of interaction. This structure provides good utilization of crew skills and ensures that attention is paid to both the detailed and overall plant behavior. Generally it is believed that: (1) a structured crew will generally be superior at handling difficult or infrequent plant events and (2) a computerized system can be provided in the context of a structured crew format to further enhance this performance advantage.

Fig. 1. Rasmussen model of human data processing. [Figure not reproduced in this text. It shows a process manager regime of knowledge-based behavior (identification, decision of task, planning of procedure), a rule-based level (recognition, state/task association, stored rules for tasks) and a control board operator regime of skill-based behavior (feature formation, automated sensorimotor patterns), driven by sensory inputs and time-space information and leading to actions.]

A computerized information system is the operating tool for the process manager, whose job function can be broken down into a listing of tasks, shown in Table 1. The process manager's performance can be enhanced by the intelligent processing of plant information, assuming there is good discrimination between the tasks machines do well and those in which humans excel [6]. The power and sophistication of computers and color graphics display devices (and software) has reached a point where many functions can be automated. The level of automation should support process manager tasks, in the man/aided capacity. Refer to Fig. 2.

Table 1. Process manager job tasks
A. For Normal Operations
(1) Assures that the plant is operated within applicable limits and in accordance with approved procedures.
(2) Assures that the plant setup (i.e. system status) is maintained such that it will respond as expected to disturbances.
(3) Globally integrates and oversees control actions; monitors and evaluates feedbacks.
(4) Assures that the plant is operated so as to minimize the likelihood and severity of disturbances.
(5) Has responsibility (along with the other operators) for surveillance of margin to Technical Specifications: (a) Identifies Technical Specifications limiting conditions for operation; (b) If a Technical Specification is violated, the process manager is responsible for further actions within specified time limits.
(6) Has responsibility (and authorization) for acknowledging that maintenance and surveillance operations are being coordinated with plant operations (e.g. institution and removal of blocks).
B. For Emergency Operations
(1) Monitors the status of critical safety functions: (a) Identifies safety functions being threatened. (b) Determines priorities if multiple critical safety functions are threatened or multiple disturbances occur. (c) Maintains overall plant perspective while local operators concentrate on specific operations.
(2) Coordinates the termination and mitigation activities: (a) Coordinates control or protection function. (b) Verifies that safety systems are performing their functions properly. (c) Correlates diverse instrumentation response. (d) Performs procedure selection and interpretation. (e) Determines steps required to recover from a plant event. (f) Has final responsibility for all short-term decisions. (g) Globally monitors feedbacks from actions taken. (h) Monitors plant condition to assure that control and mitigative actions are effective. (i) Institutes alternative control strategies when necessary.
(3) After assuring that the plant is in a safe condition, ascertains the cause of a disturbance by interpretation and evaluation of system response, alarms, and relationships between indications.
(4) Communicates with people outside the control room: (a) Receives advice from STA, other technical personnel, or management. (b) Recommends action to the appropriate individuals outside the control room.
(5) Coordinates recovery (return plant to operation or shutdown plant).

Fig. 2. Man/Machine participation in function implementation. [Figure not reproduced in this text. It places three degrees of machine participation, man/aided, man/mechanized and man/automatic, against the axes of human strengths and limitations and machine strengths and limitations.]

The design concept for such a machine can be developed, starting with a clear definition of a process manager's job tasks and overlaying these with a relative comparison of man-machine capabilities. The following discussion attempts to provide such a comparison at a generic level. The process manager is principally charged with the 'problem-solving and decision-making' element of task performance, defined by Van Cott [7], applied to overall plant monitoring and control. Within this framework, it is possible to share the specific behavior between man and machine according to criteria developed by Swain [8]. Table 2 shows a breakdown in terms of respective human/machine capabilities for this task element. Proper information system design accounts for the individual strengths of the man and machine to achieve enhanced problem-solving and decision-making capacity. Table 2 may be used to discriminate the machine-specific attributes: on the basis of its raw computing power, the information system is allocated exclusive responsibility; the user (process manager) is completely unburdened from any need to do computations. Equivalently, the user must provide the planning resources. In other task elements, man and machine both contribute as an essentially symbiotic combination within the plant operating context. By matching machine capabilities against process manager job tasks in Table 2, a list of prospective information system functions may be constructed. Refer to Table 3. A parallel can be drawn between the reactor operator's use of the control board and the process manager's interactions with a computer-based information system. The control board should be designed to facilitate operators' actions in the skill or rule-based mode, see Fig. 1. Correspondingly, a computer-based information system should aid the process manager acting in a rule or knowledge-based mode. The interfacing systems and crew members are fully complementary within a structured crew environment. The process manager and associated information system constitute a major control room innovation. Realizing the risks inherent in precipitous changes to operating systems, it is prudent to carry out a gradual
introduction of new information systems technology, concurrent with the transformation from the traditional SS or SRO into the process manager. Initial steps in this direction are being taken in U.S. nuclear power plants by the introduction of the Safety Parameter Display Systems (SPDS) [9-11]. An SPDS is intended to 'monitor the plant critical Safety Functions (CSFs) forming the basis of plant emergency operating procedures' [12]. Successful implementation of this process manager job task entails good coupling of the information system, training, and procedures. This integrated approach is a template for future extensions to the basic information system.

Table 2. Man/Machine application to problem solving and decision making (task element: machine capability; human capability)
Analyze: ability to handle complex operations; ability to perceive patterns and generalize, use judgement.
Calculate: computational ability; (none).
Choose: deductive ability; inductive ability.
Compare: ability to recall large amounts of precise data; ability to profit from experience.
Plan: (none); ability to improvise and adopt flexible procedures and arrive at new and completely different solutions to problems.
Verify: ability to monitor men or machines; sensitivity to a wide variety of stimuli.

Table 3. Machine applications based on job tasks (job task number: application function; analysis/role)
I.2: System Status Monitoring; ability to monitor men and machines.
I.5: Technical Specification Monitoring; ability to recall large amounts of precise data.
II.1: Critical Safety Function Monitoring; deductive ability.
II.2b: Demand/Response of Critical Systems; ability to monitor men and machines.
II.2c: Parameter Validation; ability to handle complex operations.
II.2d: Procedures Monitoring; ability to handle complex operations.
II.3: Fault Diagnosis; deductive ability.

3. DEVELOPING A BASIC SYSTEM
A logical and effective initial step can be taken in the development of information systems to support control room crew response to emergency conditions [13]. A relatively simple safety parameter display system, properly integrated into the control room, can be an aid in highlighting the status of essential safety functions of the plant and focusing crew attention if any essential safety function is threatened. The nuclear utility industry has undertaken the development of guidelines for emergency operating procedures (EOPs) that relate to protection of essential safety functions. Procedures of this type allow a trained operating crew to respond to protect essential safety functions without the need to first identify the initiating factors of the event and then select the appropriate event-based procedure from the large number of existing procedures corresponding to pre-analyzed plant events. In many abnormal and transient situations, it may not be practical or possible to rely on determining the event sequence or causative factors quickly. Emergency response procedures that correspond to the existence of certain symptoms in plant parameters
or to threats to the maintenance of essential safety functions of the plant can be used to maintain or restore these functions regardless of the cause or sequence of an event. For example, if the ability to maintain core heat removal is lost or threatened, the operating crew would not have to identify the cause of the loss of heat removal prior to taking action. Instead, the operating crew would use an emergency response procedure that deals specifically with loss of core heat removal. Use of event-based response procedures can provide near-optimum response since a procedure can be formulated to correspond to each pre-analyzed event. On the other hand, even though symptom or function based response may not provide the optimum response, it can assure that all appropriate resources are used to maintain essential safety functions of the plant. Even if an abnormal event is diagnosed as one of many pre-analyzed events and event-based response procedures are invoked, symptom or function based response can be an important backup. Procedures to protect essential safety functions can be used if the initial diagnosis of the event proves to be wrong, or if the event is complicated by errors or failures not addressed in the procedure for the pre-analyzed event. For emergency operating procedures to be effective and usable, they must be readily understood by the operating crew with knowledge of the plant situation and must be usable under the possible stress caused by an emergency. There must be a clear, consistent relationship between the EOPs and the specific control room information available to the operating crew. Information from control room instrumentation and controls must have the proper characteristics to support effective use of emergency procedures by the operating crew. Characteristics to be considered for the information to be presented include type, format, location, timeliness, correctness, consistency, etc.
Two of the important lessons learned from the accident at TMI-2 were that (1) existing EOPs focus more on event identification and event mitigation than on protection of essential or critical safety functions (CSF) and (2) the large number and locations of indicators and alarms that are active in emergency conditions make it difficult to focus on the status of CSFs. Fortunately, the number of CSFs is not large and the status can be determined from a few parameters. It is, therefore, possible to accomplish CSF status monitoring without major changes to control rooms. Various studies and evaluations, including those of the NSSS Users/Owners groups, have shown that fundamental plant safety status can be determined from four to ten CSFs. Four example sets of CSFs appear in Table 4. To assist the nuclear industry in the development of symptom-oriented EOPs, each of the four NSSS Users/Owners groups has developed guidelines. Each of the four guidelines defines a set of generic CSFs and a generic methodology for maintaining/restoring CSFs when they are threatened for any reason. Clearly, as an aid for emergency response, the SPDS should provide indication of the status of the CSFs. There is a direct relationship between certain plant parameters and CSFs. Therefore, information should be available so that the operating crew can quickly determine the specific plant parameter(s) that are causing a CSF to be threatened. Tables 5 and 6 show examples of typical plant parameters that relate to CSFs for a hypothetical PWR and BWR, respectively. These examples are for illustration of concept; they do not represent 'preferred parameter sets' since each plant will determine appropriate parameters from analysis of plant-specific CSFs. The parameters related to SPDS display of CSFs should either be available in the SPDS or from instruments located nearby. Task analysis methodology (i.e. detailed analysis of control actions in emergency response) and human factors reviews should be used to assure that information presented in the SPDS or in nearby locations will be adequate for operating crew needs in following emergency procedures [14].

Table 4. Examples of Critical Safety Function structure
Set 1: RPV control (integrity, coolant, reactivity); Primary containment; Secondary containment; Radioactive release.
Set 2: Lack of subcooled margin; Overheating; Overcooling; Containment.
Set 3: Subcriticality; RCS integrity; RCS inventory; Core cooling; Heat sink; Containment.
Set 4: Reactivity control; RCS pressure control; RCS inventory control; Core heat removal; RCS heat removal; Containment isolation; Containment temperature and pressure control; Combustible gas control; Indirect radioactivity release control; Maintenance of vital auxiliaries.

Table 5. Hypothetical PWR CSF status parameters
Critical safety functions: Reactor Coolant Inventory; Subcriticality; Core Cooling; Reactor Coolant System Integrity; Containment Integrity; Heat Sink.
Associated SPDS parameters: Pressurizer Level; Accumulator Tank Level; Source Range Indication; Power Range Indication; Trip Breaker Status; Control Rod H6 Rod Bottom Bistable; Control Rod H10 Rod Bottom Bistable; Control Rod K8 Rod Bottom Bistable; Control Rod F8 Rod Bottom Bistable; Core Exit Thermocouple Temperature (average); Subcooling Alarm; Reactor Coolant Pump Status; Reactor Coolant System Wide Range Pressure; Reactor Vessel Cold Leg Temperature; Containment Pressure; Containment Hydrogen Level; Containment Sump Level; Core Exit Thermocouple Temperature (average); Residual Heat Removal Pump Status; RHR Suction Valves Status; RHR System Return Flow Bistable; Steam Generator Narrow Level; Steam Line Pressure Bistable; Feedwater Isolation Valve Positions; Safety Injection Pump Status; Trip Breaker Status; T-Average Bistable; PORV Isolation Valves Status; CCW Pump Status; Auxiliary Feedwater Pump Status.

Table 6. Hypothetical BWR CSF status parameters
Critical safety functions: Containment of Radioactivity; Primary Coolant System Integrity; Containment Integrity; Core Cooling and Heat Production.
Associated SPDS parameters: Plant Ventilation Monitors; Main Stack Monitor; Drywell Floor Drain Sump; Drywell Pressure; Primary Coolant System Pressure; Primary Coolant System Water Level; Safety Relief Valve Positions; Drywell Pressure; Primary Coolant System Pressure; Suppression Pool Level; Secondary Containment Pressure; Drywell Temperature; Suppression Pool Temperature; Primary Coolant System Pressure; Primary Coolant System Water Level; Core Spray Flow; Core Flow; Average Power Range Monitor; Intermediate Range Monitor; Source Range Monitor.

In addition to information on CSF status and the plant parameters that determine CSFs, the operating crew should have information on the algorithms used to generate CSFs. An understanding of how the plant parameters are combined and manipulated to yield CSF status will provide information needed for a more complete understanding of CSF status in unusual situations that may occur. In developing the algorithms for CSF status indication in the SPDS, the following factors need to be considered:
(1) Completeness of the input parameters.
(2) Accuracy of setpoints.
(3) Correct use of logic (AND-gates, OR-gates, other weightings).
(4) Ability to modify algorithms (logic, parameters, setpoints) when lessons learned indicate the need for modification.
(5) Dependence of parameters/setpoints on reactor modes.
To ensure that the logic provides an accurate status of the CSF, one must examine all of the relationships of a parameter to the associated CSF(s). Figures 3 and 4 illustrate this consideration with a somewhat trivial example. Each of these figures depicts an algorithm for monitoring an example CSF of Subcriticality at a BWR plant. The Fig. 3 algorithm is far from complete and satisfactory, since the CSF status light would indicate 'Red' in situations where a more detailed and accurate logic would have it indicate 'Green'. The Fig. 4 algorithm is a more detailed version, which would provide a more accurate indication of the CSF status. A more complete example algorithm is shown in Fig. 5. This example is also for a subcriticality CSF, but considers a PWR instead of a BWR. Though more complete than the previous example algorithms, it is only presented to illustrate a concept.

Fig. 3. Inadequately detailed logic for subcriticality critical safety function status light in a BWR. [Figure not reproduced in this text. Two inputs, 'Scram signal present' and 'Power ≥ 3%', drive the Subcriticality CSF status light Red or Green.]

Fig. 4. A more complete algorithm for subcriticality critical safety function status light in a BWR. [Figure not reproduced in this text. Its inputs include 'Power ≥ 3%', 'Mode switch in Run' with a 3-second delay, 'Scram signal present', 'Mode switch in Startup', 'Mode switch in Shutdown', 'Source range monitors inserted', 'SRM rod block' and a bistable actuation, combined to drive the Subcriticality CSF status light Red or Green.]

Fig. 5. Example of a more complete critical safety function monitoring algorithm. [Figure not reproduced in this text. Its inputs include Source Range (SR) off (< 5 CPS), Power Range (PR) ≥ 3%, control rods H6, H10, K8 and F8 on bottom, trip breakers 'A' and 'B' closed, PR < 3%, trip breakers 'A' and 'B' open, SR on (≥ 5 CPS), and SR level ≥ 0.2 DPM increasing or decreasing; the Subcriticality CSF status light shows Red, Orange or Green.]

To illustrate that there are other means of monitoring CSFs, Fig. 6 depicts [15] how a pressure-temperature (P-T) curve can be used to monitor the status of a Core Cooling and Pressure Control CSF for a PWR.

Fig. 6. Illustration of the use of P-T curves for monitoring the critical safety function of core cooling and pressure control in a PWR. [Figure not reproduced in this text. The horizontal axis is temperature in °C (°F) with ticks at 280 (536), 300 (572) and 320 (608); the vertical axis is pressure with ticks at 4,240 (600), 6,900 (1000), 11,000 (1600), 13,900 (2000) and 16,650 (2400); regions of the plane are labelled loss of heat sink, overcooling, LOCA and normal post-trip response.]

It is evident that a strong interdependency exists between procedures, training, control room instrumentation (including SPDS) and the operating crew. This interdependency can be depicted as a triad shown in Fig. 7.

Fig. 7. Emergency response triad. [Figure not reproduced in this text. The triad links task analysis, human factors survey and EOP writer guidelines.]

As previously indicated, a task analysis is useful in achieving a proper relationship between procedures and the control room design. Similarly, a human factors survey is useful in developing the operating crew interface with the control room. Use of appropriate guidelines in preparation of procedures helps to assure that the EOPs can be understood and applied effectively by the operating crew [16]. The triad in Fig. 7 defines the elements of a training program. There must be an element in the training program that addresses the operating crew-control room interface. This element provides the operating crew with the knowledge required for systems, plant, and emergency operations, and the skills required to monitor plant status and to operate controls. There also must be an element in the training program that addresses the operating crew-emergency operating procedures interface. This element provides the operating crew the knowledge and skills required to use the EOPs. Finally, there must be an element in the training program that addresses the interfaces and responsibilities within the operating crew. This element provides the knowledge and skills of crew interaction and crew management required for a sound response to emergencies. To provide further assurance that the trained operating crews, emergency operating procedures, and control room/SPDS elements and their interfaces
contain no deficiencies, an evaluation of the triad should be performed. Evaluation and training drills should be sufficiently detailed and intensive to develop a high level of assurance that the SPDS and all other elements of the triad will function together for effective emergency response.
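The CSF status-light algorithms discussed in this section (Figs 3 to 5) can be made concrete in code. The Python below is an added illustration, not code from the paper or from any plant's SPDS: it contrasts a minimal two-input rule in the spirit of Fig. 3 with a rule set that applies the five factors listed above (complete inputs, setpoints held as data, explicit AND/OR logic, modifiable rules, reactor-mode dependence) plus the 3-second delay of Fig. 4, and it never reports Green when a required input is missing. The 3% power setpoint and 3-second delay come from the figures; the mode names, the rule structure and the post-scram scenario are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

# Illustrative CSF status-light logic for a BWR subcriticality CSF (added example;
# not the paper's Fig. 3/4 logic and not any plant's SPDS software).


class Status(Enum):
    RED = "Red"
    GREEN = "Green"
    UNKNOWN = "Unknown"  # required input missing or invalid: never default to Green


@dataclass(frozen=True)
class Plant:
    scram_signal: Optional[bool]       # scram demand present
    power_pct: Optional[float]         # reactor power, percent of rated
    mode_switch: Optional[str]         # assumed mode names: "Run", "Startup", "Shutdown"
    secs_since_scram: Optional[float]  # elapsed time since the scram signal appeared


# Setpoints kept as data so they can be revised when lessons learned call for it.
POWER_SETPOINT_PCT = 3.0   # the "Power >= 3%" setpoint from Figs 3-5
SCRAM_DELAY_SEC = 3.0      # the 3-second delay shown in Fig. 4


def _complete(p: Plant, fields: List[str]) -> bool:
    """Completeness of input parameters: every field the rule needs must be present."""
    return all(getattr(p, f) is not None for f in fields)


def naive_status(p: Plant) -> Status:
    """Two-input rule in the spirit of Fig. 3 (assumed reading): Red whenever a scram
    demand exists while power is at or above the setpoint, with no delay or mode logic."""
    if not _complete(p, ["scram_signal", "power_pct"]):
        return Status.UNKNOWN
    threatened = p.scram_signal and p.power_pct >= POWER_SETPOINT_PCT
    return Status.RED if threatened else Status.GREEN


def _run_mode_threatened(p: Plant) -> bool:
    # In Run, power above the setpoint is normal; a scram demand only counts as a
    # failure once the delay has elapsed and power has not fallen below the setpoint.
    if not p.scram_signal:
        return False
    return p.secs_since_scram >= SCRAM_DELAY_SEC and p.power_pct >= POWER_SETPOINT_PCT


def _low_power_mode_threatened(p: Plant) -> bool:
    # In Startup or Shutdown the reactor is expected below the setpoint, scram or not.
    return p.power_pct >= POWER_SETPOINT_PCT


# Mode dependence expressed as a table: the rule applied is selected by reactor mode.
RULES: Dict[str, Callable[[Plant], bool]] = {
    "Run": _run_mode_threatened,
    "Startup": _low_power_mode_threatened,
    "Shutdown": _low_power_mode_threatened,
}


def detailed_status(p: Plant) -> Status:
    """Mode-aware rule set with delay and completeness checking."""
    needed = ["scram_signal", "power_pct", "mode_switch"]
    if p.scram_signal:
        needed.append("secs_since_scram")
    if not _complete(p, needed) or p.mode_switch not in RULES:
        return Status.UNKNOWN
    return Status.RED if RULES[p.mode_switch](p) else Status.GREEN


def compare(scenario: List[Tuple[str, Plant]]) -> List[Tuple[str, str, str]]:
    """Evaluate both algorithms over a scenario: (label, naive light, detailed light)."""
    return [(label, naive_status(p).value, detailed_status(p).value) for label, p in scenario]


# Constructed post-scram scenario (not measured data).
SCENARIO: List[Tuple[str, Plant]] = [
    ("pre-scram, 100% power", Plant(False, 100.0, "Run", None)),
    ("1 s after scram, power decaying", Plant(True, 45.0, "Run", 1.0)),
    ("4 s after scram, power 2%", Plant(True, 2.0, "Run", 4.0)),
    ("4 s after scram, rods stuck", Plant(True, 40.0, "Run", 4.0)),
    ("Startup mode, no scram, 5% power", Plant(False, 5.0, "Startup", None)),
    ("power instrument failed", Plant(True, None, "Run", 4.0)),
]

if __name__ == "__main__":
    for row in compare(SCENARIO):
        print(row)
```

The second and fifth rows show the two directions of error the text warns about: the naive rule goes Red during the first seconds of a normal scram, and it stays Green at 5% power in Startup because it has no notion of reactor mode.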
4. INFORMATION SYSTEMS ENHANCEMENT
The foregoing discussion on the SPDS was concerned with the integration of critical safety function monitoring systems with operator training and procedures. The motivation for this systems approach is that the SPDS is a priority safety improvement, but this improvement is realizable only to the extent that the new computerized system is voluntarily and effectively used by control room operators. However, successful SPDS implementation can open the way for enhanced operator aids, using the integrated approach as a foundation for further development [17]. It may be recalled that critical safety function monitoring was among a number of prospective process manager job tasks which might be served by a computerized information system (refer to Table 3). In general, U.S. utilities are procuring larger computer systems to monitor a greater number of plant variables than are needed for the simple SPDS function. This extra resource can be applied to the additional information system functions, provided the basic SPDS is supported by a sufficiently flexible hardware/software design. Therefore, it may be possible to consider the SPDS as the kernel from which a more robust information system can evolve with time. The functional comparison between an SPDS and an enhanced information system is shown in Table 7. An orderly progression of enhancements to the SPDS should proceed from simple to complex, and be structured so that the successive improvements build upon each other. A possible model for this improvement process is illustrated in Fig. 8. The SPDS is at one end of the applications spectrum, designed to fulfill the NRC requirements. At the other end of the line of development is a fully integrated information system which incorporates all of the applications identified in the process manager's job analysis. Note that as the level of system development proceeds from right to left, more plant data, computer resources, and software sophistication are required. The possible value/impact limitations of each successive improvement is a subject that will be addressed after the applications are more fully described.

Table 7. System function comparison (SPDS; enhanced system)
GOAL: Monitor Critical Safety Functions; Availability and Safety Functions*.
BASIS: 5-10 Safety Functions; Prevent, Detect and Mitigate, Support Procedures and Training, Operational Concept of Plant.
USER: Operating Crew; Shift Supervisor, Process Manager.
SCOPE: 20-30 Variables; Defined by Functional Analysis.
FUNCTION: Information Assimilation; Information Organization, Analysis and Integration, Prioritization and Alarming.
* Inclusive of Critical Safety Functions.

4.1. Parameter validation
As the amount of data and the degree of data manipulation increases and the information presented to the process manager is formatted and concentrated to aid decision-making, the system's vulnerability to erroneous data is increased. This is due to the pyramiding effect, where data is processed to obtain successive layers of derived or abstracted variables. It is important to recognize that the process manager deals with 'parameters' rather than 'sensors'. Therefore, it is appropriate to distinguish sensor validation from parameter validation in this context. Sensor validation encompasses the limit-checking and redundant sensor comparison techniques which have long been a part of process monitoring data acquisition systems. Parameter validation, on the other hand, represents a growing family of sophisticated techniques which rely on diverse information, systems modelling, and statistical inference [18-20].
Fig. 8. Model enhancement process. [Figure not reproduced in this text. It shows a line of development running from the Basic SPDS through successive enhancements to the Enhanced Information System.]

Whereas signal validation can usually be performed by state-of-the-art data acquisition systems, parameter validation must generally be performed by the host computer. This will change with the introduction of inexpensive microprocessors. It is incumbent to describe this application in terms of a 'virtual' validation processor which could be implemented in a host (SPDS) computer.

4.2. Critical systems demand/response
This application function arises from the need for the process manager to know that critical systems are
Real-time information support functioning properly, given there has been a demand for their operation. The systems may or may not be started by automatic means. Demand/response of critical systems should be distinguished from determining stand-by readiness (system status monitoring) which requires substantially more input variables and associated logic. The process manager is concerned with system-level operation during an emergency. The control board, which primarily serves to indicate component status or operability, is not well-suited for this purpose. The task of monitoring critical systems is further complicated by both the different plant modes which dictate system functions, and the number of critical systems which may have to be monitored simultaneously. A critical system demand/response applications computer program depends on the principle of casuality. The computer algorithm maps the plant conditions to the system functional response through pre-specified demand logic. If the functional response is to inject water into a pipe and the flow parameter is positive (within specification) the system is assumed to be working; there is no need to monitor the upstream isolation valve position or pump discharge pressure. Summary information can be presented to the process manager as follows: no demand/no response; no demand/response; demand/no response; demand/ response. 4.3. Emergency operating procedures monitorinO The recent development of event-independent emergency operating procedures should greatly enhance operators' ability to deal with unanticipated or complex events. As mentioned in the previous section, the new procedures are structured so that the operator is not required to select a procedure on the basis of hypothesis (pre-diagnosis) or 'force' a developing event scenario into a pre-determined menu of event possibilities. 
The event-independent procedures have the potential of becoming a very powerful operations tool for dealing with plant emergencies. Nevertheless, the development of event-independent procedures is not without its share of problems. Whereas the event-based procedures are an essentially linear set of steps, the new procedures tend to be rather convoluted. Depending on the developing plant conditions, the procedures direct the operator through successive levels of decision logic. The operator may become involved in iteration loops, and in some cases be using more than one procedure element at one time. Procedures monitoring software is designed to assist the process manager's task by continuously monitoring the plant status against the emergency procedures [21]. This computer application function is highly dependent on subsidiary functions: demand/response of critical systems, parameter validation and critical safety function monitoring.

4.4. System status monitoring

The process manager's ability to maneuver the plant (during normal and emergency conditions) is dependent upon his awareness of system status. To a certain extent this can be accomplished by red/green color conventions on the control board. However, complex logic, system interactions, and multiple system applications limit the effectiveness of this approach. A computerized system largely avoids these difficulties. This application function subsumes the function of monitoring the demand/response of critical systems described previously. Here, however, much greater data resources are required to determine the stand-by readiness of critical systems. Critical systems used in an emergency are normally in a stand-by state, so that causality (a demand with an observable response) cannot be used. Furthermore, the status monitoring function may be defined to include non-critical plant systems, so that in terms of the number of systems involved, this is a very demanding computer application.

4.5. Technical specification monitoring

The availability and performance of critical plant systems is intimately tied to the plant's technical specifications established by the Nuclear Regulatory Commission. Technical specifications apply not only to these critical systems and equipment, but also to parameters which define the global status of the plant. The purpose of these specifications is preventive, intended to limit damage in the event a plant transient occurs. Whatever their intent, technical specifications also have a strong influence on plant electrical production as a result of inadvertent non-compliance. Thus, technical specification monitoring can impact both safety and plant production.
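The kind of monitoring function this section calls for, as an added example (not code from the paper and not any plant's actual technical specifications): each limiting condition carries an allowed time to restore the affected system, a tighter limit applies while a whole group of systems is inoperable at once, and the process manager is warned before a clock expires rather than after. The system names are the ones that appear on the Fig. 9 display; the allowed times, the combined-condition rule and the warning fraction are hypothetical.

```python
"""Time-element tracking for technical specification monitoring. Added example; the
limiting conditions, allowed times and warning fraction are hypothetical and are
not taken from the paper or from any plant's technical specifications."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical allowed time (hours) to restore each system before action is required.
ALLOWED_HOURS = {"LPCS": 7 * 24.0, "RCIC": 14 * 24.0, "Diesel A": 72.0}
# Hypothetical tighter limit that applies while every system in the group is inoperable.
COMBINED_HOURS = {frozenset({"LPCS", "RCIC"}): 8.0}
WARN_FRACTION = 0.75   # warn once this fraction of the binding allowed time has elapsed


@dataclass
class TechSpecMonitor:
    entries: Dict[str, float] = field(default_factory=dict)   # system -> hour clock started

    def _clocks(self, system: str, now: float) -> List[Tuple[str, float, float]]:
        """Every (rule, allowed, elapsed) clock currently binding this system."""
        clocks = [("single", ALLOWED_HOURS[system], now - self.entries[system])]
        for group, hours in COMBINED_HOURS.items():
            if system in group and group.issubset(self.entries):
                # The combined clock starts when the last member of the group failed.
                started = max(self.entries[g] for g in group)
                clocks.append(("+".join(sorted(group)), hours, now - started))
        return clocks

    def update(self, now: float, status: Dict[str, bool]) -> List[dict]:
        """status maps system -> operable (from system status monitoring). Starts a clock
        when a system is first seen inoperable, clears it on restoration, and reports
        each open clock with its binding rule, level and remaining hours, most urgent
        first."""
        for system, operable in status.items():
            if system not in ALLOWED_HOURS:
                continue
            if not operable and system not in self.entries:
                self.entries[system] = now
            elif operable and system in self.entries:
                del self.entries[system]
        findings = []
        for system in self.entries:
            rule, allowed, elapsed = min(self._clocks(system, now), key=lambda c: c[1] - c[2])
            remaining = allowed - elapsed
            if remaining <= 0.0:
                level = "VIOLATION"
            elif elapsed >= WARN_FRACTION * allowed:
                level = "WARNING"
            else:
                level = "TRACKING"
            findings.append({"system": system, "rule": rule, "level": level,
                             "remaining_h": remaining})
        findings.sort(key=lambda f: f["remaining_h"])
        return findings
```

The monitor is only as good as the operability flags fed to it, which is why the paper ranks this function above system status monitoring and parameter validation in the enhancement sequence: an operable/inoperable judgement derived from an unvalidated parameter would start or clear a clock on bad data.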
The myriad of technical specifications and the time elements intrinsic to many of them strongly support some sort of computerized monitoring function to warn the process manager of impending violations. This function depends on subsidiary application functions, such as system status monitoring and parameter validation, which accounts for its higher rank in the orderly progression of system enhancements (Fig. 8).

4.6. Failure diagnosis

This application function is commonly associated with event diagnosis. However, the development of event-independent procedures (function or symptom based) has significantly reduced the need for this diagnostic application. It should be possible to stabilize and maintain a plant for an appreciable time period without diagnosis. On the other hand, plant recovery cannot be achieved without fault or failure diagnosis, and isolation or repair. Sophisticated computer algorithms can be developed to monitor plant systems and determine failures. This, if successfully achieved, can greatly aid the process manager during a plant transient. If the failure diagnosis algorithm is fast enough, this application can apply to prevention as well as recovery. In a broad sense this application is the most difficult to implement in a present-day computer information system.

4.7. Prediction

The ultimate function for a computer system is a 'look-ahead' capability for the purposes of accident prevention, rather than merely aiding mitigation. This, obviously, is much more difficult to achieve than simply evaluating the plant condition 'as is'. Nevertheless, there are methods for limited extrapolation into the future, and it is practical to consider some level of prediction in advanced operator aids [22].
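The demand/response classification of Section 4.2 and the state-driven, memoryless procedure tracking of Section 4.3, carried through one time step of the kind shown in Fig. 12, as an added example (this is not the Plant Hatch system's code): each critical system is judged by its functional response to a demand, the four summary states are derived from that, and the current procedure location is identified from the present snapshot alone with no memory of previous steps. The RCIC and LPCS names come from the Fig. 9 display; the setpoints, demand logic, procedure states and messages are hypothetical.

```python
"""Demand/response classification of critical systems and memoryless identification of
the current emergency-procedure state from one validated parameter snapshot.
Added example; system names come from the Fig. 9 display, but the setpoints, demand
logic, procedure states and messages are hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Snapshot = Dict[str, float]          # validated parameter values for one time step
DemandResponse = Dict[str, str]      # system name -> one of the four summary states

# Assumed setpoints (illustrative only).
LEVEL_LOW = 150.0                    # reactor water level below which injection is demanded
LEVEL_TAF = 100.0                    # top of active fuel marker
PRESSURE_LOW_PERMISSIVE = 450.0      # low-pressure systems can only inject below this


@dataclass(frozen=True)
class CriticalSystem:
    name: str
    demand: Callable[[Snapshot], bool]      # pre-specified demand logic
    response: Callable[[Snapshot], bool]    # functional response, e.g. injection flow present


def classify(system: CriticalSystem, snap: Snapshot) -> str:
    """Causality principle: judge the system by its functional response to a demand,
    not by the position of every valve and pump upstream of the injection point."""
    d, r = system.demand(snap), system.response(snap)
    return f"{'demand' if d else 'no demand'}/{'response' if r else 'no response'}"


SYSTEMS = [
    CriticalSystem("RCIC",
                   demand=lambda s: s["level"] < LEVEL_LOW,
                   response=lambda s: s["rcic_flow"] > 0.0),
    CriticalSystem("LPCS",
                   demand=lambda s: s["level"] < LEVEL_LOW and s["pressure"] < PRESSURE_LOW_PERMISSIVE,
                   response=lambda s: s["lpcs_flow"] > 0.0),
]


@dataclass(frozen=True)
class ProcedureState:
    label: str
    condition: Callable[[Snapshot, DemandResponse], bool]
    actions: List[str]


# Hypothetical procedure network, most severe state first. Each condition reads only the
# current snapshot and demand/response table, so state identification has no memory.
PROCEDURE = [
    ProcedureState("LEVEL BELOW TAF",
                   lambda s, dr: s["level"] < LEVEL_TAF,
                   ["Enter level contingency", "Verify all available injection"]),
    ProcedureState("DEMANDED INJECTION NOT RESPONDING",
                   lambda s, dr: any(v == "demand/no response" for v in dr.values()),
                   ["Start or align alternate injection"]),
    ProcedureState("LEVEL BELOW LOW SETPOINT",
                   lambda s, dr: s["level"] < LEVEL_LOW,
                   ["Confirm injection systems respond to demand"]),
    ProcedureState("RESTORE AND MAINTAIN WATER LEVEL",
                   lambda s, dr: True,
                   ["Maintain level in normal band"]),
]


def evaluate(snap: Snapshot) -> dict:
    """One pass of the per-time-step loop for a single snapshot: system states,
    procedure location, alarms (systems demanded but not responding) and messages."""
    dr = {cs.name: classify(cs, snap) for cs in SYSTEMS}
    location = next(st for st in PROCEDURE if st.condition(snap, dr))
    return {
        "systems": dr,
        "location": location.label,
        "actions": list(location.actions),
        "alarms": [name for name, state in dr.items() if state == "demand/no response"],
    }
```

Because `evaluate` is a pure function of one snapshot, a bad value moves the procedure location within a single time step; validation of the inputs therefore has to happen before this stage, which is the dependence on parameter validation that Section 4.3 describes.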
4.8. Impact of level of enhancement

Ultimately the progression of enhancements will be influenced by the value/impact that each level of enhancement brings; it is reasonable to suggest that at some point the added level of sophistication and capability is not worth the cost and complexity. One of the major constraints is that a computerized information system must be significantly better than the ability of the process manager to use the information already present in the control room. In a sense, any prospective computerized aid is in competition with its intended use environment. Another constraint is the cost of inputting plant data. Plant data is an expensive commodity for computer applications, costing as much as $10,000 to access, install, and check out a single data point. The 'art' of developing computerized operator aids has much to do with the clever use of the limited plant data that is available.

An enhanced information system represents a balance of sophistication against cost and operator (process manager) capabilities. One such system provides automated emergency operating procedures monitoring for BWRs, and represents essentially the midway point between the two developmental extremes (see Fig. 8). A typical display provides critical safety function information, parameter validation indications, critical system demand/response, and emergency procedures guidance in an integrated format. The display in Fig. 9 is for the reactor control portion of the emergency procedures developed for Georgia Power's Plant Hatch. Parameter validation on a fully implemented system will use the parity space technique [19, 23] to compare redundant and diverse plant information. This methodology is symbolically represented in the logic diagram shown in Fig. 10 and is presently being applied to BWR suppression pool parameters in a development program at EPRI. The demand/response of critical systems is implicit in the alarm convention (color change) and parameters provided in the mimic diagram in Fig. 9. The logic which drives the mimic representations is fully determined by the event-independent emergency operating procedures. An example of the emergency procedures logic applicable to this display is shown in Fig. 11. This diagram also illustrates the decision process the process manager must follow during a plant emergency. Similar diagrams have also been developed for containment control and for the contingency actions which are collateral to this procedure. The complexity of Fig. 11 is indicative of the problems which confront the process manager, who must interpret the procedures and direct control board operators in real time. To reduce this job task burden, BWR procedures logic has been encoded in the computer information system as an automated procedures tracking function. The procedures tracking algorithm works differently from the way a human would follow the procedures, in the sense that the computer routine is state-driven and context independent. That is, the computer interprets the procedure as a network of inter-connected states. State identification is independent of the sequence of procedure steps, i.e. it has no memory. The overall program control is illustrated in Fig. 12. Procedures state identification is a function of the demand/response of critical plant systems. The logic which tracks the 'procedures state' also drives the display mimic elements (refer to Fig. 9). A combination of alarm boxes and text messages is used to key operators to the appropriate locations in the hard copy procedures.

Fig. 9. Reactor control display. [Figure: Plant Hatch mimic display with an 'RX Level Vs Pressure' plot (pressure axis in PSIG, TAF marker), a 'Restore And Maintain Water Level' procedure panel, 'RPV And Containment Control' procedure selection, and status boxes for LPCS, RCIC, Diesels, RHRSW Sys, Fire Sys, SBLC Sys and Jockey Sys.]

Fig. 10. Parameter validation flow diagram. [Figure: redundant sensor channels (A sensor 1, B sensor 2, D sensors 1-3) and analytic plant-model estimates are compared to produce validated A, B and D estimates.]

Fig. 11. Reactor control procedures flow diagram (courtesy of Carolina Power and Light). [Figure: flow chart of the reactor control procedure steps and their contingency branches, with decision blocks on RPS/scram status, RCIC and RWCU; most labels are illegible in the source.]

Fig. 12. Procedures logic flow. [Figure: at each new time step, data acquisition, signal validation and unit conversions yield plant parameter values; key plant and systems parameters are derived; the actual state of plant systems is compared with the desired state of automatic systems to give the operating state of safety systems and the alarm status of systems; the location in the EPGs is determined from the actual and desired system states; outputs are parameter-value displays, system alarms and messages (location + actions).]

5. CONCLUSIONS

The nuclear utility industry recognizes that real-time information systems have an important role to play in managing plant emergency responses. Since the accident at TMI-2, the role of the shift supervisor has been shifting from that of a controller to that of a process manager. The type of information required by a process manager can be determined from a job task analysis. The tasks identified in the analysis can be allocated to the process manager and the information system based on their relative strengths in problem solving, decision making and information handling.
However, the extent to which the allocation is implemented is influenced by other considerations such as cost, schedule, space availability, etc. In other words, it may be impractical to allocate to the information system all of the tasks it can best perform. In the context of a minimum or basic system for use in managing plant emergency responses, an information system, called a safety parameter display system (SPDS), should be capable of monitoring the status of critical safety functions and their input parameters. Furthermore, the SPDS must be integrated with the existing plant control room, function-based emergency operating procedures, and the trained operating crew. This integrated basic system can do much to improve the response of operating crews to complicated events.

Due to the tremendous power and versatility of modern computer systems, potential enhancements to the basic system are abundant. An enhanced system can validate input parameters, determine the demand/response of critical systems, monitor emergency operating procedures, monitor system status, monitor plant technical specifications and diagnose failures. The computer hardware necessary to implement these enhancements is available and the software is relatively straightforward. Proceeding in a step-wise fashion from an SPDS application to more complicated information systems allows an experience base to be established before each further step is taken. Benefit-to-cost evaluations for each level of information system application are important in establishing the level of system expansion that is appropriate for any specific plant.
REFERENCES

1. Kemeny J. (Chairman) (1979) Report of the President's Commission on the Accident at Three Mile Island, U.S. Library of Congress Catalog Number 79-25694, 29.
2. Rasmussen J. (1982) Skills, rules, and knowledge; signals, signs and symbols and other distinctions in human performance models (draft), IEEE Trans. Systems, Man and Cybernetics.
3. Rasmussen J. (1979) On the structure of knowledge: a morphology of mental models in a man-machine system context, Risø-M-2192.
4. Electric Power Research Institute (1982) Evaluation of safety parameter display concepts, EPRI NP-2239.
5. Long A. (1983) Computerized operator decision-aids (draft), Nuclear Safety.
6. Beltracchi L. (1983) Human factors in the design of information displays, Computers in Mechanical Engineering.
7. Van Cott H. (1981) Human performance data collection and assessment problems, 1981 IEEE Standards Workshop on Human Factors and Nuclear Safety.
8. Swain A. (1980) Design Techniques for Improving Human Performance in Production, Sandia, Albuquerque, New Mexico.
9. U.S. Nuclear Regulatory Commission (1982) Supplement 1 to NUREG-0737: Requirements for Emergency Response Capability (Generic Letter No. 82-33).
10. Cain D. and Zebroski E. (1980) The conceptual design of a power plant safety panel, Nucl. Engng Int.
11. Nuclear Safety Analysis Centre (1982) Safety parameter display system for the Yankee Atomic Electric Company, NSAC-55.
12. Institute of Nuclear Power Operations (1983) Guidelines for an effective SPDS implementation program, INPO 83-003 (NUTAC).
13. Berg C. (1983) Computer graphics displays: windows for process control, IEEE Computer Graphics and Applications.
14. Frey P. and Kisner R. (1982) A survey of methods for improving operator acceptance of computerized aids, NUREG/CR-2586 (ORNL).
15. Broughton T. and Walsh P. (1981) A real-time method for analyzing nuclear power plant transients, Nucl. Tech. 53.
16. Institute of Nuclear Power Operations (1982) Emergency operating procedures writing guideline, INPO 82-017.
17. Cain D. and Wilkinson C. D. (1980) Computerized operator support systems in nuclear power plants, PICA Conference.
18. Kitamura M. (1983) Use of analytic redundancy for surveillance and diagnosis in nuclear power plants, 5th Symposium on Power Plant Dynamics, Control and Testing, University of Tennessee, Knoxville.
19. Electric Power Research Institute (1981) On-line power plant signal validation technique utilizing parity space representation and analytic redundancy, EPRI NP-2110.
20. Goodrich L., Good R. and Brower R. Automated data qualification (draft), EG&G Idaho, DOE Contract No. DE-AC07-76ID01570.
21. Cain D. (1983) Computerized emergency procedures monitoring for BWRs, Southern Conference.
22. Vanhuizen J. and Griffith J. (1983) Predictor display concepts for use in nuclear power plant control, NUREG/CR-3703 (EG&G).
23. Ray A., Desai M. and Deyst J. (1983) Fault detection and isolation in a nuclear reactor, J. Energy 7, 1.