
APR1400 SSAR

Chapter 18
Human Factors Engineering

Contents

18.1 Introduction
18.1.1 Scope of HFE Program
18.1.2 Applicable HFE Principles, Requirements, and Guidelines
18.1.3 HFE Design Process Plan
18.1.4 HFE Design Process Results

Appendix 18.1A Function Allocation Criteria

18.2 Main Control Room
18.2.1 Main Control Room Configuration
18.2.2 Main Control Room Environment and Communication
18.2.3 Control
18.2.4 Information Display
18.2.5 Alarms
18.2.6 Labeling and Demarcation

18.3 Remote Shutdown Room
18.3.1 Remote Shutdown Room Configuration
18.3.2 Remote Shutdown Room Layout
18.3.3 Control
18.3.4 Information Display
18.3.5 Alarm
18.3.6 Labeling and Demarcation

Tables

18.1.4.1.4-1 MMI Design Team Composition (Phase II)
18.1.4.1.4-2 MMI Independent Review Team Composition (Phase III)
18.1.4.1.4-3 MMI Design Team Composition (Phase II)
18.1.4.1.4-4 MMI Independent Review Team Composition (Phase III)
18.1.4.2.2-1 Success Path
18.1.4.2.2-2 Success Path Allocation
18.1.4.2.3-1 Decomposition Table
18.1.4.2.3-2 Display and Control Inventory Table
18.1.4.2.3-3 Pressurizer Press List
18.1.4.2.3-4 Pressurizer Press Characteristics
18.1.4.2.3-5 Task Error/Behavior Implication/Comment
18.1.4.2.3-6 MCR Minimum Inventory of Fixed Position Alarms, Displays and Controls
18.1.4.2.3-7 Critical Operator Actions Identified from APR1400 PSA
18.1.4.4.1-1 Schedule and Participant for Suitability Verification/Integrated System Validation (Phase II)
18.1.4.4.1-2 Total Number of HED for SV/PV (Phase II)
18.1.4.4.1-3 Results of Subjective Rating (Phase II)
18.1.4.4.2-1 Integrated System Validations (Phase III)
18.1.4.4.2-2 Schedule and Participant for Suitability Verification/Integrated System Validation (Phase III)
18.1.4.4.2-3 Total Number of HED for SV/PV (Phase III)
18.1.4.4.2-4 Results of Subjective Rating (Phase III)
18.1.4.4.2-5 Human Factors ACR Issues to APR1400 MMI

Figures

18.1-1 Placement of APR1400 MMI Design Team with regard to CARD
18.1-2 Overall APR1400 MMI Design Process
18.1-3 Relationship Between HFE Activities for MMI Development
18.1-4 Design Process of APR1400 Design Phase II MMI
18.1-5 Design Process of APR1400 Design Phase III MMI
18.1-6 Reference Design Process (Standard)
18.1-7 Hierarchical Task Analysis Diagram
18.2-1 First Candidate APR1400 Main Control Room
18.2-2 Second Candidate APR1400 Main Control Room
18.2-3 APR1400 Main Control Room
18.2-4a Main Control Room Viewing Angle
18.2-4b Main Control Room Viewing Angle
18.2-5 MCR Operator Maneuvering Space
18.2-6 Remote Shutdown Room & Remote Shutdown Console


18 Human Factors Engineering


18.1 Introduction

This chapter documents the application of Human Factors Engineering (HFE) to the Man-Machine
Interface (MMI) design process to address relevant parts of General Design Criterion 19 of 10CFR50 and
10CFR52. This chapter demonstrates that accepted human engineering design principles and criteria have
been applied to the design of the MMI to assure safe operation of the plant.

The APR1400 MMI is an integral part of the APR1400 standard design. APR1400 is an evolutionary upgrade
of a successful and proven design. Changes in plant function are few, and have been made to improve
performance or mitigate known problems. Many of these improvements reflect the results of operating
experience and industry studies in a variety of disciplines, including human factors.

The APR1400 MMI design has evolved from the ABB-CE's Nuplex 80+ Advanced Control Center (ACC)
reference design. Nuplex 80+ was developed between 1987 and 1993 for the System 80+ U.S. ALWR
development program by ABB-CE. The design objectives of the Nuplex 80+ ACC included incorporation of
HFE principles throughout the design process and establishment of operator needs through operator
experience review, function analysis, and functional task analysis. MMI improvements for Nuplex 80+
over conventional control rooms include plant overview display, success path monitoring, acceptable alarm
presentation and handling, continued plant operation with loss of either one of two drivers information
display systems, and integration of normal and accident monitoring displays.

The APR1400 design has evolved from the Nuplex 80+ reference, with specific modifications to
incorporate current HFE principles and meet recent regulatory requirements. MMI improvements for
APR1400 include a large display panel that provides more comprehensive key plant information for plant
situation assessment, a flexible interface for different plant conditions and different tasks using redundant
compact workstations and soft controls, and computerized procedures for efficient and error-free procedure
operation. This chapter provides an overview of the MMI design process with detailed methods and results.
An overview of the MMI is provided in Section 18.2. Instrumentation and controls safety aspects of the MMI
are described in Chapter 7.

18.1.1 Scope of HFE Program

This chapter of the SSAR includes the HFE design of the Main Control Room (MCR), Remote Shutdown
Room (RSR), and Local Control Station (LCS) used for EOP. The objectives of HFE design are to minimize
human error and to enhance the safety of operation. The control room design is verified and
validated through systematic design evaluations. Control room design is viewed as a process of
analysis, design, and design improvement through resolution of the Human Engineering Deficiencies (HEDs)
that are identified in the design process. Therefore, the HFE program establishes the methods and process
to identify the HEDs. This method and process are implemented in parallel with the suitability evaluation
of the regulatory body. Approved human factors principles are applied during this HFE design process.

Coordination is maintained among MCR design, plant personnel training, shift crew composition, and the
development of operating procedures.

18.1.2 Applicable HFE Principles, Requirements, and Guidelines

18.1.2.1 Principles and High-Level Requirements

The following high-level safety principles and criteria are applied in the design of the MMI.

A. KINS Safety Principle 3 : Consideration of Human Factors

• "Appropriate means and measures shall be taken to ensure that the capabilities and limits of human
performance are taken into account throughout the life of nuclear installations."

B. KINS General Safety Criteria II-9.2 Human Factors

• "Human Factors associated with the plant workers and human-machine interface shall be taken into
account systematically in the design of nuclear facilities."

• "The possibility of human error in operation shall be minimized in design by facilitating correct
decisions and inhibiting wrong decisions of operators, by providing means for detecting and
correcting or compensating for error, and by allowing operators to have sufficient time for making
decisions and taking actions."

C. KINS General Safety Criteria II-30.2 Control Room

• "A control room shall be provided from which the nuclear power plant can be safely operated in
all its operational states and from which actions can be taken to maintain the plant in a safe state
under accident conditions."

• "Appropriate measures shall be taken to protect the operating personnel against accident hazards,
such as radiation exposures exceeding a specified limit or toxic gases so that access and occupancy
of the control room may be permitted under accident conditions."

• "At a remote shutdown control room, physically and electrically separated locations outside the
control room, equipment shall be provided with a design capability for prompt hot shutdown of
the reactor and for subsequent cold shutdown of the reactor in accordance with suitable procedure."

18.1.2.2 Specific Requirements and Guidance

The following regulatory requirements and guidance are applied in the design of the MMI.

A. KINS Specific Safety Requirements Chapter 15 : Human Factors Engineering

B. KINS Safety Regulatory Guide (SRG) 9.10 : Bypassed and Inoperable Status Indication of
Protection System and Safety Related I&C System

C. KINS Safety Regulatory Guide (SRG) 9.13 : Instrumentation for Post Accident Monitoring

D. KINS Safety Regulatory Guide (SRG) 9.15 : Reliability of Control Room Annunciator Systems

E. KINS Safety Regulatory Guide (SRG) 11.4 : Habitability of a Control Room

F. KINS Safety Regulatory Guide (SRG) 15.1 : Human Factors Engineering Program Plan

G. KINS Safety Regulatory Guide (SRG) 15.2 : Human Factors Engineering Analysis

H. KINS Safety Regulatory Guide (SRG) 15.3 : Human Factors Engineering Design

I. KINS Safety Regulatory Guide (SRG) 15.4 : Human Factors Engineering Verification and
Validation

J. KINS-G-001 Safety Review Guide Chapter 18 : Human Factors Engineering

K. 10CFR50.34(f)(2)(iv)36, NUREG-1342, Supplement 1 of NUREG-0737, "SPDS Requirements"

18.1.2.3 HFE Standards, Guidelines and Bases

HFE standards and guidelines used in the main control room design are included in the HFE Standards,
Guidelines and Bases (HFESGB). The HFESGB contains comprehensive HFE guidelines including the
guidelines of NUREG-0700 Rev. 1. The HFESGB contains the sources, references and bases of each
guideline. HFE analyses of MMI resources and the control facility are also based on the HFESGB.

18.1.3 HFE Design Process Plan

18.1.3.1 HFE Program Management Plan

The purpose of Human Factors Engineering (HFE) program management is to ensure that HFE is
successfully incorporated into the overall design and development activities of Korean Next Generation
Reactor Man-Machine Interface (APR1400 MMI). The present approach is focused on the process of MMI
development for control rooms including main control room (MCR), remote shutdown room (RSR), as well
as local control stations required for emergency operations.

18.1.3.1.1 Scope and Goals

18.1.3.1.1.1 Scope

The scope of this plan has been delimited, with justification, as follows.

• PWR - The present approach is specified for Pressurized Water Reactor (PWR) design programs,
to limit inclusion of regulations to those that are applicable to such designs.

• Control Room - The present approach is focused on the MMI development for control rooms
including main control room (MCR), remote shutdown room (RSR), and local control stations for
emergency operating procedure (EOP) operations. As a workstation-type MCR is to be developed
for APR1400, HFE considerations for computer-generated displays and the large display panel (LDP)
shall be emphasized.

• Applicable MMI - The present approach is applicable to the MMI for operations, accident
management, maintenance, test, inspection and surveillance in the control rooms mentioned above.

• Applicable Plant Personnel - The present approach is applicable to all the personnel who use MMI
in the control rooms mentioned above.

• Design and Construction Phase - The present approach is limited to design processes occurring
during design and construction phases of the facility. Operational issues that follow completed
design are out of the scope of the design process.

• Separate and Distinct Responsibilities - The present approach excludes management or review of
responsibilities that belong to other regulatory or programmatic scopes. Thus, while interaction
with the following areas through design activities is expected, these are not the particular
responsibility of HFE design process planning, management, or review: procedure technical
content or bases, staffing, training program development, licensing examinations, human reliability
analysis, quality assurance, fire protection, security, or emergency planning.

• Operating Procedure Development - Procedure guidelines are developed as input to the CP/OL
applicant procedure development program. They provide guidance for content (i.e., operations)
and not format (i.e., human factors). Thus the development of the procedure guidelines and their
contents is not a human factors-centered activity. Procedure format is instead accomplished as
part of the development and validation of the actual procedures by the CP/OL Applicant. For these
reasons, the human factors of procedure format are excluded from the scope of this plan. An MMI
for computerized operating procedures, with conventional paper procedures as a backup, is to
be developed for APR1400. Thus, corresponding HFE issues with respect to the MMI are
addressed as part of Task Analysis, MMI Design, Availability Verification, Suitability
Verification, and Integrated MMI Validation of APR1400 MMI design development.

• Training Program Development - Like procedure development, training of operators, maintainers,
and other personnel is not part of the design certification HFE program. Training is handled by
CP/OL Applicant programs and specialists in these areas. Training will be based on the entire
design and the nature of the tasks involved, not merely on human factors engineering.

18.1.3.1.1.2 Goal

Goals in the APR1400 HFE program are identified for HFE process element planning and for human-centered
design as described below.

Process Element Goals

The appendices of the HFE program plan for APR1400 MMI define and provide bases for HFE design process
elements in terms of their goals, requirements and criteria. Goals represent the idealized function or
purpose of the element. Requirements, in contrast, are pragmatic and concrete, and operationalize the
goals. Criteria are objectively verifiable quantities or qualities of acceptability against which an item is
tested, to determine whether it meets the associated requirement.

Human-centered Design Goals

The NRC HFE Program Review Model identifies six generic Human-Centered Design Goals (HCGs).
These are general design objectives for the system MMI expressed in terms of human performance. Stated
as generalities, they are at some point to be objectively defined and to serve as criteria for test and
evaluation activities. The HCGs are as follows:

• The operating crew can accomplish all assigned tasks within system-defined time and performance
criteria.

• The system and allocation of functions will provide acceptable workload levels to assure vigilance
and to assure no operator overload.

• The system will support a high degree of operating crew situational awareness.

• Signal detection and event recognition requirements will be kept within the operators' information
processing limits to minimize the need for operators to mentally transform data in order for it to
be used.

• The system will minimize operator memory load.

• The operator interfaces will minimize operator error and will provide for error detection and
recovery capability.

18.1.3.1.1.3 Technical Basis

The HFE program is performed in accordance with accepted industry standards, guidelines, and practices.

18.1.3.1.2 Team Organization and Responsibilities

The structure of the organization may change, but the functional nature of the APR1400 MMI design team
is retained through the change. With respect to the scope of the HFE program, the APR1400 MMI design
team is responsible for the following activities with regard to MMI design:

• Development of all HFE plans and procedures

• Oversight and review of all HFE design, development, test, and evaluation activities

• Initiation, recommendation, and provision of solutions for problems identified in the
implementation of the HFE activities

• Assurance that HFE activities comply with HFE plans and procedures

The MMI design team reports to the manager in charge of APR1400 design integration. The MMI design
team leader, who performs the function of technical project management for the human factors engineering
design process, is responsible for the overall MMI design and for the integration with the other design
features in APR1400 development.

The independent design review team for APR1400 MMI, which is separate from the MMI design team,
is a multi-disciplinary team comprised of personnel from several organizations. The design review team
is responsible for the review of MMI design and design documents, as well as providing comments based
on impact to their area of expertise. The team also participates in design review meetings related to key
MMI development.

18.1.3.1.3 Team Composition and Staffing

The MMI design team is comprised of personnel from a variety of organizations and disciplines. The
HFEPRM (NUREG-0711) defines the composition of the so-called "HFE design team" in its Appendix A, which
refers to the personnel responsible for HFE activities within the scope of plant design. The HFEPRM
describes the areas of expertise the HFE design team ought to have as well as a listing of minimum
qualifications. The MMI design team, which can be regarded as a subset of the HFE design team, includes
disciplinary expertise and qualifications described in Appendix A of the HFEPRM (i.e., 'HFE Design
Team Composition') as necessary.

Typical contributions of the MMI design team members associated with each expertise are as follows:

A. Technical Project Management

• To develop and maintain the schedule for the HFE design process

• To provide technical direction and monitoring for the MMI design process

• To provide a central point of contact for management of the HFE design and
implementation process

B. Systems Engineering

• To provide knowledge of the purpose, operating characteristics, and technical
specification of MMI components

• To provide input to HFE analyses, especially function analysis and task analysis

• To participate in the development of procedures and scenarios for task analysis,
validation, and other analyses

C. I&C Engineering

• To provide detailed knowledge of the MMI design, including control and display
hardware selection, design, functionality, and installation

• To provide knowledge of information display design, content, and functionality

• To participate in the design, development, test, and evaluation of the MMI

• To participate in the development of scenarios for Human Reliability Analysis (HRA),
validation, and other analyses involving failures of the MMI information processing
systems

• To provide input to software quality assurance programs

D. Architect Engineering

• To provide knowledge of the overall structure of the plant including performance
requirements, design constraints, and design characteristics of the MMI design

• To provide knowledge of the configuration of MMI components

• To provide input to various analyses, especially function analysis, task analysis, and the
development of scenarios for task analysis and validation

E. Human Factors Engineering

• To provide knowledge of human performance capabilities and limitations, applicable
human factors design and evaluation practices, and human factors principles, guidelines,
and standards

• To develop and perform human factors analyses and participate in the resolution of
identified human factors problems

F. Plant Operations

• To provide knowledge of operational activities including task characteristics, MMI
characteristics, environmental characteristics, and technical requirements related to
operational activities

• To provide knowledge of operational activities in support of MMI activities such as
development of MMI components, procedures, and training programs

• To participate in the development of scenarios for HRA evaluations, task analyses, MMI
tests and evaluations, validation, and other evaluations

G. Computer System Engineering

• To provide knowledge of information processing associated with MMI displays and
controls

• To participate in the design and selection of computer-based equipment such as controls
and displays

• To participate in the development of scenarios for HRA, validation, and other analyses
involving failures of the MMI information processing systems

H. Plant Procedure Development

• To provide knowledge of operational tasks and procedure formats, especially as presented
in emergency procedure guidelines and operational procedures of current and predecessor
plants

• To participate in the development of scenarios for task analyses, MMI tests and
evaluations, validations, and other evaluations

• To provide input for the development of procedure aids and computer-based procedures

I. Personnel Training

• To coordinate training issues arising from MMI design activities

• To participate in the development of scenarios for task analyses, MMI tests and
evaluations, validation, and other evaluations

J. Systems Safety Engineering

• To identify safety concerns and perform a system safety hazard analysis

• To provide results of system safety hazard analysis to Probabilistic Safety
Assessment/HRA and human factors analyses

K. Maintainability/Inspectability Engineering

• To provide knowledge of maintenance, inspection, and surveillance activities including
task characteristics, MMI characteristics, human performance demands, environmental
characteristics and technical requirements related to the conduct of these activities

• To support design, development, and evaluation of the control room and other MMI
components throughout the plant to ensure that they can be inspected and maintained to
the required level of reliability

• To participate in the development of scenarios for MMI evaluations including task
analyses, MMI design tests and evaluations, and validation

L. Reliability/Availability Engineering

• To provide knowledge of MMI component and system reliability and availability and
assessment methodologies to the MMI development activities

• To participate in the development of scenarios for MMI evaluations, especially validation

• To provide input to the design of MMI equipment to ensure that it meets reliability goals
during operation and maintains the required level of availability

18.1.3.1.4 HFE Process and Procedures

General Design Process - The HFE process and procedures are developed to ensure that general HFE
principles and guidelines are successfully applied to the MMI design activities. The MMI design process
is illustrated in Figure 18.1-3. The design approach can be seen to be consistent with HFE methodology
described in NUREG-0711.

The design process approach for MMI design is as follows:

• The design process is iterative.

• HFE analyses such as operating experience review, functional requirement analysis and function
allocation analysis, and task analysis are provided to the designers for incorporation into their
design (Figure 18.1-3).

• Design evaluations using the MMI dynamic mockup are used extensively to develop the MMI design.

• Design reviews and design review meetings by each member of the MMI team and by independent
reviewers are extensively used for interdisciplinary review and critiques.

• The standard MMI design is validated on a full scope dynamic MMI mockup.

• The final MMI product will be validated on a full scope simulator.

HFE activities are assigned to the cognizant engineering group, and each group assigns the activities to
individual members. The MMI team leader governs the internal management of the team, such as design review
meetings and project scheduling, and makes management decisions regarding HFE. HFE design decisions
are made through MMI team design review and design review meetings.

Process Management Tools - Tools are provided to facilitate communication across design disciplines
and organizations to enhance consistency and efficiency. The Review and Comment System (RCS) and the Issue
Tracking System (ITS) are the two typical process management tools for the development of the MMI. The
RCS allows the MMI designers and independent reviewers to make comments and give opinions on the MMI
design and design documents. The ITS provides means to track design issues identified during the process,
as well as to review and comment on design documents. The master schedule is available.

Integration of HFE and MMI Design Activities - The HFE Standards, Guidelines and Bases (HFESGB)
document provides guidance to designers for MMI design development. In addition, some formal HFESGB
implementation is provided to confirm that the HFESGB is actually applied throughout the design,
contributing to MMI integration and suitability. The HFESGB application provides an information processing
mechanism that encourages, even forces, designers to 1) use the HFESGB and 2) achieve an integrated
MMI format. The HFESGB also serves as human factors requirements and guidelines for the MMIs
out of the scope of this document, e.g., technical support center (TSC), emergency operating facility (EOF),
and local control station (LCS) not for emergency operations. Thus, adequacy of the design process focuses
on ensuring that the necessary functional content has been incorporated in design activities.

HFE Program Milestones - The MMI design team is responsible for the following six HFE elements: (a)
HFE program management, (b) operating experience review, (c) functional requirements analysis and
function allocation, (d) task analysis, (e) man-machine interface design, and (f) human factors verification
and validation; while other APR1400 organizations in the plant construction phase are responsible for other
HFE-related activities such as: (a) staffing, (b) human reliability analysis, (c) procedure development, and
(d) training program development. The MMI design team, however, interacts with the organizations in
order to ensure that their activities are effectively integrated with overall HFE activities for APR1400
development including MMI design activities.

Figure 18.1-3 shows relationships between HFE elements, HFE activities, products, and reviews. Details
about analysis and implementation plan for HFE elements such as OER, TA, FRA&FA, MMI design, and
human factors V&V are described in HFE elements implementation plan documents.

HFE Documentation - The scope of documentation includes HFE analysis plans and reports, MMI/MCR
functional requirements, MMI/MCR design descriptions (or reports), HFE standard guidelines and bases,
detail design specifications, and drawings. The MMI design team complies with the documentation
procedure established by the project office. Plans and result reports of MMI design evaluations and
experiments officially performed to ensure the acceptability of the MMI design are documented.

18.1.3.1.5 Issues Tracking System

An Issues Tracking System is used to address human factors issues that are identified throughout the life
cycle of the MMI design, development, and evaluation. The tracking system enables the documentation
and tracking of human factors issues that need to be addressed at some later time.

The issues tracking system receives input from the following sources: (a) operating experience review, (b)
design review and comment system, and (c) issues raised in other design activities such as design
integration meetings. Only unresolved issues from the sources are entered into the database developed for
the MMI issues tracking system. For each issue entered into the database, the actions taken to address the
issue and the final resolution of the issue are documented. The MMI design team leader is responsible for
the maintenance and documentation of the issues tracking system. For each issue entered into the database,
a cognizant discipline is assigned to take the responsibility for resolution of the issue.

18.1.3.1.6 Technical Program

A description of technical aspects of the HFE program is provided in the implementation plans for the
following nine HFE elements: (a) operating experience review, (b) functional requirements analysis and
function allocation, (c) task analysis, (d) staffing, (e) human reliability analysis, (f) MMI design and
integration, (g) procedure development, (h) training program development, and (i) human factors
verification and validation.

Operating experience review identifies HFE-related safety issues. The issues identified in operating
experience review provide input to MMI functional design as well as MMI detail design. Functional
requirement analysis and function allocation are two distinct activities to identify plant functions that must
be performed to satisfy plant safety objectives, and to analyze the requirements for plant control and the
assignment of control functions to human and/or machine, respectively. The results of functional
requirement analysis and function allocation activities provide input to MMI design related to critical
safety functions and their associated success paths. Task analysis identifies the task requirements for
accomplishing the functions allocated to them, and it also defines MMI requirements for task
accomplishment. The results of task analysis provide inputs to many of the HFE elements, i.e., function
allocation, staffing, MMI design, procedure development, training program development, and human factors
verification and validation. Human reliability analysis provides critical operator actions and error
mechanisms, and those critical operator actions are extensively analyzed in task analysis. Although staffing
is a Conduct of Operations Element (COE) that is performed by the Construction Permit/Operating
License (CP/OL) applicant, a staffing assumption developed in the early stage of MMI design is used,
modified as necessary, and validated throughout the life cycle of design and evaluation activities. For
procedure and training program development, which are also COE elements to be performed by the CP/OL
applicant, inputs for them are provided to ensure that the HFE activities are effectively integrated into the
decision process on the procedure and training program development. Figure 18.1-3 shows relationships
between HFE elements, HFE activities, products, and reviews.

18.1.3.1.7 Independent Review Comment Summary

Review comments of independent reviewers, designers' responses to the comments, and reviewers' opinions
on the designers' responses are available in the official document, 'Independent Review Comments and
Resolution.' Many independent review comments are accepted and reflected in the MMI design as well as
in design documents, while some are not accepted, with justification. Unresolved issues from the comments
are entered into the APR1400 MMI issues tracking system to be addressed at some later date. Some of the key
comments from independent reviewers are as follows:

- It should be described how to manage and operate the APR1400 ITS database.

- Description of the APR1400 MMI design team composition should be based on the HFE team
composition requirement in HFEPRM (NUREG-0711), and the description should show that
the APR1400 MMI design team meets the HFEPRM requirement.

- More detailed description of process management should be added.

- Independent reviewers in KOPEC-NSSS should be added to the APR1400 MMI independent
review team.

18.1.3.1.8 References

1. KEPRI, Human Factors Engineering Program Plan for Korean Next Generation Reactor Man-
Machine Interface, Rev.1, 2000

2. KEPRI, Operating Experience Review Plan for Korean Next Generation Reactor Man-Machine
Interface, Rev.1, 2000

3. KEPRI, Functional Requirements Analysis and Function Allocation Plan for Korean Next
Generation Reactor Man-Machine Interface, Rev.1, 2000

4. KEPRI, Task Analysis Plan for Korean Next Generation Reactor Man-Machine Interface, Rev.1,
2000

5. KEPRI, Human Reliability Analysis Plan for Korean Next Generation Reactor Man-Machine
Interface, Rev.0, 1997

6. KEPRI, Human System Interface Design and Integration Plan for the Korean Next Generation
Reactor Man-Machine Interface, Rev.1, 2000

7. KEPRI, HFE Verification and Validation Plan for Korean Next Generation Reactor Man-Machine
Interface, Rev.1, 2000

8. US NRC, Human Factors Engineering Program Review Model (NUREG-0711), 1994

9. US NRC, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power
Plants (NUREG-0800), 1997

18.1.3.2 Operating Experience Review Plan

18.1.3.2.1 Scope and Goals

The goal of Operating Experience Review (OER) is to ensure that Human Factors Engineering (HFE)-
related problems and issues encountered in previous Man-Machine Interface (MMI) and control facility
designs similar to the Korean Next Generation Reactor (APR1400) MMI design, as well as in other existing
nuclear power plants, are successfully identified and analyzed so that they are avoided in the APR1400 MMI
and control facility design development or, in the case of positive features, retained. OER
issues are provided to the MMI and control facility designers at the beginning of the APR1400 Phase-II & III
design stages so that the OER issues can be incorporated into the MMI design.

The OER activities described in this document are a one-time effort, separate from the plant-wide, formal
OER performed for the development of APR1400, to reflect the operating experience in the MMI design.
This document applies to all MMI resources including display, alarm, control, computerized procedure,
main control room, remote shutdown room, large display panel, as well as the local control stations
specified in the emergency procedure guideline.

18.1.3.2.2 Methodology

The methodology developed and utilized to support the detailed control room design review of existing
plants has been modified to support an analysis process for the APR1400 OER.

The OER is a two step process: (a) identification of OER issues, and (b) incorporation of OER issues into
the MMI design.

Identification of OER issues assures that the OER provides valuable input to the MMI design. Particular
emphasis is placed on relatively new aspects of the design, specifically, on the new design features of
APR1400 MMI such as the compact workstation and the computerized procedure system which are not
found in KSNP design nor in Nuplex 80+ design. The operating experiences of related MMI technology,
such as large screen display and touch sensitive screen, are also identified and analyzed.

Incorporation of OER issues is done by each designer to reflect the experience into the APR1400 MMI
design. The results of the incorporation efforts are documented, and the unresolved OER issues are added
into the APR1400 Issues Tracking System for future resolution.

Incorporation of operating experiences into APR1400 MMI design is achieved in two ways: (a) formal
OER activities of identifying issues and reflecting them into the MMI design, and (b) participation of
licensed reactor operators in MMI design process.

18.1.3.2.3 Independent Review Comment Summary

The comments of independent review team on the HFE OER plan are as follows:

- Require the detailed description on analysis methodology and scope

- Suggest the review scope of NUREGs

Most of the comments are not technical points for OER performance enhancement; they come
from a lack of design understanding. All comments were resolved by explanation and by modification
of the description only.

18.1.3.2.4 References

1. KEPRI, Human Factors Engineering Program Plan for Korean Next Generation Reactor Man-
Machine Interface, Rev.1, 2000

2. KEPRI, Operating Experience Review Plan for Korean Next Generation Reactor Man-Machine
Interface, Rev.1, 2000

3. US NRC, Human Factors Engineering Program Review Model (NUREG-0711), 1994

4. US NRC, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power
Plants (NUREG-0800), 1997

18.1.3.3 Function Requirements Analysis and Function Allocation Plan

18.1.3.3.1 Scope and Goals

The implementation plan is provided to satisfy process requirements of Element 3, "Functional
Requirements Analysis and Function Allocation" of the Human Factors Engineering Program Plan for
APR1400. This is done to describe the APR1400 approach to Functional Requirements Analysis (FRA)
and Function Allocation (FA), and to ensure that HF issues are systematically incorporated in the
APR1400 design, particularly regarding plant safety functions.

Element 3 of HFEPRM (NUREG-0711) specifies requirements for performing FRA&FA in support of
establishing and documenting design decisions with respect to the level of plant automation. Similar
analysis documentation requirements, with respect to function allocation decisions, are specified in the Korean
Utility Requirements Document (KURD) and in industrial standards for MMI design (e.g., IAEA-TECDOC-668,
IEC 964, IEEE-1023, etc.). The main issues have to do with describing the operation of the system,
and assigning activities to be performed by the human and/or by machine portions of the system. Although
most of such analyses and decisions are made by system designers, the trend to increased automation
brings continued HF concern for keeping the "operator in the loop" with an appropriate role.

The FRA&FA includes the systems and components which are: (1) important to safety, (2) required for
safe shutdown, or (3) provided for severe accident mitigation. Other systems and components are included
where need emerges for formal resolution of one or more FRA&FA issues in the design process.

The FRA&FA addresses the issues identified in OER and the modified functions from plant changes. This
description takes the form of a discussion, with specific references, of similarities to and differences from
similar designs which have been previously licensed for operation and have operating experience. This
"evolutionary" approach includes the following:

- Review of requirements applying to the issues of functional design and the allocation of functions
to human and/or machine control

- Description of critical safety functions & success paths in the design

- Identification of relevant changes from predecessor designs

- Statement of the operators' role in executing safety functions

- Identification of all legally mandated allocations

- Rationale for assigned allocations

- Function allocation criteria

The development of details satisfies the logic of Figure 4.1 in NUREG-0711, Element 3.

18.1.3.3.2 Methodology

The following criteria, which result from reviewing the identified requirements, are applied to
evaluate the acceptability of the allocation of control of safety functions in the APR1400 design.

1. 10 CFR 50

The allocations of critical safety functions are consistent with the mandated allocations identified from 10
CFR 50.

2. IEEE 603-1991

Not superseding the criteria of 10 CFR 50, the following additional allocation criteria result from the
requirements identified.

a) Justification for requiring initiation or control of any protective actions solely by manual
means, including assurance of necessary habitability, shall be documented.

b) In all other cases, means shall be provided to:

- automatically initiate and control protective actions, and

- manually initiate all automatic protective actions (at the division level from
the control room)

3. NUREG/CR-3331

Not superseding the criteria of 10 CFR 50 and those resulting from IEEE 603-1991, the additional allocation
criteria resulting from NUREG/CR-3331 are applied to verify compatibility of the allocated functions with
human factors guidelines.

18.1.3.3.3 Independent Review Comment Summary

The major comments of independent review team on the FRA&FA implementation plan are as follows:

- Specify a reference plant for the FRA&FA.

- Specify fully the methodology of the FRA&FA so that the responsible designer can use it.

- Extend the review scope specified in Section 18.1.3.3.1

18.1.3.3.4 References

1. KHNP, YGN 3&4/UCN 3&4 Final Safety Analysis Report

2. KEPRI, Human Factors Engineering Program Plan for Korean Next Generation Reactor Man-
Machine Interface, Rev.1, 2000

3. KEPRI, Functional Requirements Analysis and Function Allocation Report for Korean Next
Generation Reactor Man-Machine Interface, Rev. 1, 2000

4. KEPRI, Functional Requirements Analysis and Function Allocation Plan for Korean Next
Generation Reactor Man-Machine Interface, Rev.1, 2000

18.1.3.4 Task Analysis Plan

18.1.3.4.1 Scope and Goals

18.1.3.4.1.1 Scope

The following event sequences comprise a representative cross-section of operations for the APR1400
control room TA, including all Emergency Operating Procedures (EOP), some General Operating
Procedures (GOP), some Abnormal Operating Procedures (AOP) and some System Operating Procedures
(SOP). The marked (*) event sequences were analyzed during APR1400 standard design phase II and III,
and the other event sequences will be selected in APR1400 standard design phase III and construction
design phase.

1. EOPs

1) Optimal Recovery Guideline

A. Standard Post Trip Actions (*)

B. Diagnostic Actions (*)

C. Reactor Trip Recovery

D. Loss of Coolant Accident (*)

E. Steam Generator Tube Rupture (*)

F. Excess Steam Demand

G. Loss of Feedwater

H. Loss of Offsite Power (LOOP)

I. Station Blackout (LOOP without EDGs)

J. Anticipated Transient Without Scram

2) Functional Recovery Guidelines

A. Reactivity Control

B. Maintenance of Vital Auxiliary

C. Inventory Control

D. Pressure Control

E. RCS and Core Heat Removal

F. Containment Isolation

G. Containment Temperature and Pressure Control

H. Containment Combustible Gas Control

I. Long Term Actions

2. GOPs

A. Cold Shutdown to Hot Standby

B. Hot Standby to Minimum Load (nuclear startup) (*)

C. Recovery from Reactor Trip

D. Operating at Hot Standby

E. Turbine Startup and Synchronization of Generator (*)

F. Changing Load and Load Follow (if applicable)

G. Plant Shutdown to Hot Standby

H. Hot Standby to Cold Shutdown (*)

I. Reactor Coolant System Operation with Loops Partially Drained.

3. AOPs

A. Loss of Condenser Vacuum

B. Loss of Shutdown Cooling (*)

C. Fire in Control Room Forced Evacuation of Control Room (*)(Plant Shutdown outside the
MCR)

D. Malfunction of Pressure Control System

E. Hydrogen Explosion

4. SOPs

A. Reactor Coolant System (*)

B. CEDMCS

C. Shutdown Cooling System (*)

D. Safety Injection & Rapid Depressurization System (*)

E. Service Water / Component Cooling Water System (*)

F. Containment Isolation System

G. Containment Spray & Fan Cooler System (*)

H. Hydrogen Monitoring & Control System

I. Main Steam System (*)

J. Feedwater System (*)

K. Pressurizer Pressure Control System

L. CVCS (*)

M. Reactor Coolant Gas Vent System

N. Instrument Air System

O. Electrical Systems & Emergency Power Sources System

P. Reactor Protection System

Q. Auxiliary Feedwater System (*)

R. Condensate System (*)

S. Circulating Water System (*)

5. MMI and I&C Equipment Failure Sequences

A. Complete loss of IPS

B. Loss of power to a QIAS segment

18.1.3.4.1.2 Goals

Task Analysis (TA) is a general category of human factors analysis that examines detailed human task
requirements. Performance of task analysis is specified in various regulatory documents such as the Human
Factors Engineering Program Review Model (HFEPRM), NUREG-0711, and is formally required by the
Human Factors Engineering Program Plan (HFEPP). TA is iterative and is performed for the dynamic
mockup design in Phase-II and for APR1400 specific tasks in construction design.

TA is a means to ensure that necessary operator tasks can be successfully performed. The TA approach
functionally decomposes plant operations so that procedural tasks and decision processing can be analyzed
independent of particular hardware implementations. The completed TA will provide the following
analytic results for the MMI design:

A. Information and controls requirements, minimum inventory of alarms, displays and controls for
the control room man-machine interface.

B. Definition of the input, process, and output required by and of personnel.

ICRs define availability verification requirements.

Task analysis can also form the basis for:

- Providing a basis for staffing and job design.

- Providing detailed task requirements to support detailed procedure development.

- Identifying training requirements.

18.1.3.4.2 Methodology

The TA methodology is presented in five (5) major steps:

A. Establish assumptions and bases.

B. Review input and design documentation.

C. Develop task decomposition and data framework.

D. Perform analysis.

E. Document results and conclusions.

Details on each of these steps are provided in the remainder of this section.

18.1.3.4.2.1 Assumptions and Bases

The assumptions on which the TA is based are specified as follows:

A. Evolutionary Design

The design activities are being conducted to produce the APR1400 nuclear power plant. It is an
evolutionary enhancement of a proven design - KSNP. The functions and features of the APR1400 design
are incremental revisions to this proven design, incorporating technological improvements and operating
experience through a systematic design process.

B. Operator's Role

As part of APR1400 design, MMIS is an advanced I&C implementation of existing man-machine interface
functions. Changes to the operators' role are minimal.

C. ICRs

Information and Control Requirements (ICRs) resulting from the TA are afforded by the systems-based
instrument and controls inventory and are verified to be available in the control room.

D. Event Sequences

Event sequences are representative examples of normal, abnormal, and emergency operating scenarios.
Event sequences are generic cases based on the combined operator requirements of expected plant
responses and proceduralized operating strategies (i.e., excluding complex interactions, error propagation,
and sabotage). The analysis of generic cases provides adequate data for the TA's evaluation of operator
behavioral requirements. Selected event sequences are specified and these sequences will be incorporated
in validation activities.

E. Level of Detail

Event sequences are detailed by evaluating the necessary operator tasks per the applicable procedure
guidelines along a time line. Event sequences identify decision points and basic decisions, but do not
pursue variations of these basic decisions into multiple contingencies.

F. Simple Additivity

The TA considers task elements to be additive and serially processed, unless otherwise noted. No general
consideration is given to complex interactions of steps or personnel in the TA. Formal evaluation of
interactions is performed as part of V&V activities.

G. Staffing

The TA considers staffing to be a form of workload capacity. Consistent with the concern for excessive
workload, staffing is conservatively assumed to be at the design basis minimum level specified for each
event sequence. However, staffing level will not impact the analysis unless a detailed evaluation (per
workload criteria of V&V) is made.

H. Environmental Hazards

The workspace environments in the main control room, remote shutdown room and local control stations
included in the TA remain habitable for all design basis events and scenarios.

18.1.3.4.2.2 Input and Design Documentation Review

APR1400 includes design enhancements and improvements to address experience gained from earlier plant
designs, and criteria provided by the Korean Utility Requirements Document (K-URD). Documents for
the APR1400 design have been reviewed to identify the plant processes, configurations, and modes of
operation.

In particular, system descriptions, technical specifications, and training materials provide the baseline for
describing the operational requirements of the modified systems in TA.

18.1.3.4.2.3 Hierarchical Task Analysis and Task Decomposition

Hierarchical Task Analysis (HTA) and Task Decomposition methods will be used as major TA
methodology. HTA produces a hierarchy of operations, and provides an effective means of stating how
work should be organized in order to meet a system's goals. HTA is a more useful tool when
hierarchical information such as an operating procedure is not available. Task Decomposition is an information collection
tool which is used to systematically expand upon the basic description of the activities which must be
undertaken in each task element. The following hierarchical structure is used as the framework to
decompose event sequences into components:

Gross functions (Operating Procedure)

    Subfunction

        A) Task

            1) Task Element

The representative analysis data for each of these levels are detailed as follows:

18.1.3.4.2.4 Gross Function Level

Gross function level is the highest level of TA hierarchy. It includes top level statements of the procedure
such as purpose, entry condition, and termination condition. The gross function level of this analysis
specifies details that are associated with prerequisite conditions. The related data include:

A. Object - The purpose of procedure execution

B. Entry Condition - The condition that should be checked before entering the procedure execution

C. Termination Condition - The condition that should be checked before terminating the procedure
execution

D. Warning/Caution Message - The warning/caution message that should be considered in procedure
execution.

18.1.3.4.2.5 Subfunction Level

Subfunctions are high level statements of the operator's general purpose in performing a related set of
tasks. They specify a basic operating goal (e.g., "Maintain RCS Heat Removal") from the operator's
perspective. Each subfunction statement represents one or more tasks with a single main purpose, and may
be comprised in different situations by different sets of tasks. Functions appear within sequences in a
generic order of performance, per operating procedure guidelines.

The subfunction level of this analysis also specifies details that are associated with operation aids. The
related data include:

A. Error - A particular situation in which the operator can easily commit an error

B. Calculation Aids - Aids with which the operator can easily perform the calculations to be executed
mentally (e.g., boron concentration)

C. Graphical Aids - Graphic aids with which the operator can easily monitor the process condition
(e.g., Trend Graph, X-Y Plot, Comparison Table/Graph).

18.1.3.4.2.6 Task Level

This level analyzes operator behaviors in terms of a generic, closed-loop information processing model.
It utilizes a simple but comprehensive data framework that can accommodate a large variety of specific
tasks. The model views a task as falling into one of four basic categories:

A. Collect - Collect or obtain needed information.

B. Plan - Evaluate, plan, calculate, decide (etc.) on a result or course of action based on collected or
otherwise known information.

C. Action - Perform the act or manipulation specified.

D. Feedback - Monitor the results of output actions and transmit the results back to the input; this
either verifies success or cues further processing and corrective action.

Tasks in a sequence tend to cycle through these categories, although well-designed and skillfully performed
tasks do not necessarily show four distinct components. The benefit of this framework is that it directs the
analyst's attention to the necessary components of deliberate, rule-based (i.e., procedural) behavior.

A single task is expressed by a task statement. A task statement includes two basic parts, which are 1) a
verb from the defined verb taxonomy (listed in the TA data base), and 2) the object of the verb, (a
parameter, component, etc.). For example:

    Collect     pressurizer pressure
    (verb)      (object)

These task statements then serve as the centerpiece around which the remaining task element data are
organized and documented.

The task level of this analysis also includes additional data that are associated with operation and cognitive
task information.

These data include:

- Task Entry Condition - The condition that should be checked before entering the task execution

- Task Behavior Implication - Operator's cognitive error resulting from the decisions to be made, the
evaluations to be performed or the calculations to be executed mentally at task level

18.1.3.4.2.7 Task Element Level

The task element level of this analysis specifies critical details that may be associated with each task
statement. These data complete the TA picture of task behavioral requirements; i.e., of how the task must
be performed. The additional data include:

A. Resource - MMI resources to perform the task (e.g., Alarm, Display, Control, LDP, LCP)

B. Criteria - Component status or process value to meet the task criteria (e.g., Start/Open, Stop/Close,
Process Value)

18.1.3.4.2.8 PRA and Critical Operator Actions

In addition to the representative event sequences in Section 18.1.3.4.1.1, the APR1400 PRA and associated
Human Reliability Analyses (HRA) are used to identify "Critical Operator Actions." These are operator
tasks indicated by PRA to make a significant contribution to total plant risk. The cutoff criterion for critical
operator actions divides events analyzed to significantly reduce risk from the residual events (i.e., those
with non-risk achievement). See HRA section for specific criteria. Critical operator actions are
incorporated as separate event sequences in the TA database. Findings from the associated HRA and TA
are dispositioned through the formal documentation and Issue Tracking System, per the requirements of
the HFEPRM.

18.1.3.4.2.9 Information and Control Requirements

The ICRs summarize the procedure-based parametric requirements for display and control variables
identified by the TA. Characteristics of an ICR include the following areas:

A. Device type

A recommendation for display/control type for each variable is provided, based on the TA results,
operating experience, human performance characteristics, and human factors guidance.

B. Range

The upper and lower value limits for the variable, as required for operations, are provided based on
transient performance figures.

C. Accuracy

The instrument accuracy required for each variable is provided based on operations requirements.

D. Units

The recommended unit of measure for each variable is provided, based on operational experience, industry
preference, and engineering judgment.

E. Precision

The display precision of each measured variable is provided based on operator task requirements.

18.1.3.4.2.10 Supplemental Analysis for MMI Design Support

If a supplemental analysis is requested by the MMI design team, the related analysis may be
implemented to support the MMI design team after the suitability of the request has been reviewed.

18.1.3.4.2.11 Results Documentation

The TA data are stored on a database system to allow manipulation and updating of information. As
additions are made to the database, existing portions of the analysis are updated to reflect any changes to
the TA methodology. This ensures internal consistency of the final TA results, and of those results with
the APR1400 design. When completed, the TA database incorporates all event sequences specified in
Section 18.1.3.4.1.1, and the related results from the analysis of those sequences. The analysis results
report is developed to be used as a submittal document.

18.1.3.4.3 Independent Review Comment Summary

The major comments of independent review team and reviewers on the TA implementation plan are as
follows:

- Make the tie to the TA results being used as criteria for the Availability Verification of the design.

- This paragraph infers that link analysis will be done to evaluate the distribution and interactions
of the operator's panel transactions. This is true of conventional control rooms, but less applicable
to compact workstations, where an operator is not moving between panels. If link analysis is
retained it may best be used to identify interactions and distributions between different MMI
resources at the operator consoles.

- Another reason that should be identified for choosing the SGTR is the use of that event for the
Preliminary Validation for Phase II. This would properly demonstrate integration of the task
analysis results into the design process schedule.

Most comments were resolved by modification of the description; details are available in the official document,
'Independent Review Comments and Resolution.'

18.1.3.4.4 References

1. Combustion Engineering, Inc., Generic Operator Information and Controls Requirements Review
Based on Combustion Engineering Emergency Procedure Guidelines, CE-NPSD-299, July 1985.

2. Combustion Engineering, Inc., C-E Owners Group Generic Information and Controls
Characteristics Review, CEN-307, August 1985.

3. US NRC, Task Analysis of Nuclear Power Plant Control Room Crew, NUREG/CR-3371, 1983.

4. EPRI, Human Factors Guide for Nuclear Power Plant Control Room Development, NP-3659,
August 1984.

5. Combustion Engineering, Inc., Combustion Engineering Emergency Procedure Guidelines, CEN-152,
Rev. 3, 1987.

6. J. Rasmussen, Information Processing and Human Interaction, North-Holland, NY 1986.

7. S. Card, T. Moran, A. Newell, The Psychology of Human-Computer Interaction, Lawrence
Erlbaum: NH, 1983.

8. American National Standards Institute, "Time response Design Criteria for Safety-related Operator
Action," ANSI/ANS-58.8.

9. KEPRI, Task Analysis Plan for Korean Next Generation Reactor Man-Machine Interface, Rev.1,
2000

10. KEPRI, Task Analysis Report for Korean Next Generation Reactor Man-Machine Interface, Rev.1,
2000

11. KEPRI, Human Factors Engineering Program Plan for Korean Next Generation Reactor Man-
Machine Interface, Rev.1, 2000

18.1.3.5 Human Reliability Analysis Plan

18.1.3.5.1 Scope and Goals

Human Reliability Analysis (HRA) satisfies process requirements of Element 6, "Human Reliability
Analysis" of the Human Factors Engineering Program Plan for APR1400, and specifies the method for
integrating HRA with MMI design activities. In the HFE design, HRA is used to identify the critical
(important) operator actions that can affect plant safety and is updated to reflect improving design
characteristics. The critical operator actions identified in the HRA are addressed in the design of plant
MMIs in order to minimize the likelihood of personnel error and to provide for error detection and
recovery capability.

HRA refers to a set of techniques for quantifying and aggregating human error probabilities for
Probabilistic Safety Assessment (PSA). The purpose of HRA as an item of PSA is to identify and quantify
the contributions of various human actions to the overall plant risk of core damage and radioactive release.

The scope of PSA includes internal/external event analysis during full power operation, level 2 PSA, and
internal/external event analysis during low power and shutdown PSA. Thus, the scope of HRA activities
covers the full scope of PSA activities.

The interactions with other HFE elements are described as follows to provide an overview of how HRA
activities are integrated.

A. Element 4, Task Analysis - The critical operator actions identified by means of HRA/PRA must
be re-examined by task analysis.

B. Element 7, MMI design and Integration - Results of the MMI design activities are used to confirm
and/or refine HRA assumptions. Design considerations are made to the ICRs that are related to
critical operator actions to minimize the likelihood of operator error and provide for error detection
and recovery capability. Fixed position MCR MMIs are provided for critical operator actions in
the safety console.

C. Element 10, Human Factors Verification and Validation (V&V) - HRA performance assumptions
(e.g., actions to be performed, time within which they are completed) are validated as part of the
HFE integrated system validation.

The HRA method is initially assumed to be the generic Technique for Human Error Rate Prediction (THERP)
data and methodology described in NUREG/CR-1278. Approaches to Performance Shaping Factors
(PSFs) and sensitivity study are described in the HRA section of PSA of Chapter 19.

HRA is minimally performed early in the design effort as an input to the HFE program and performed
again when the detailed design is available to better assess the influences of detailed task requirements and
performance shaping factors.

"Critical Operator Actions" are human actions found to have a significant impact on plant risk in the
overall PSA. Critical operator actions are identified based on a cost-benefit criterion representing a
significant change in plant safety. All human actions identified as critical operator actions by this criterion
are re-examined by task analysis and V&V activities.

For HRA, two criteria derived from PSA results are used to define important human actions:

Selection criteria for critical operator actions

- Risk Achievement Worth (RAW) ≥ 2.0, or
- Risk Reduction Worth (RRW) ≥ 1.05
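
The two selection criteria above, applied to a small cut-set model, as an added example that is not part of the SSAR. It assumes the standard PSA importance definitions, which this page does not state (RAW = risk with the event failed / baseline risk, RRW = baseline risk / risk with the event perfectly reliable), and a rare-event approximation; all event names, probabilities and cut sets are constructed.

```python
"""Screen operator actions against RAW >= 2.0 or RRW >= 1.05 (added example).

Every event name, probability and cut set below is constructed for
illustration; none of it is APR1400 PSA data.
"""
from math import prod

RAW_THRESHOLD = 2.0    # selection criterion stated in the text
RRW_THRESHOLD = 1.05   # selection criterion stated in the text

# Constructed basic-event probabilities.
# OPER-* are human failure events, HW-* are hardware failures.
PROBS = {
    "OPER-A": 1e-2,
    "OPER-B": 5e-3,
    "OPER-C": 1e-4,
    "OPER-D": 0.5,
    "HW-1": 1e-3,
    "HW-2": 2e-3,
    "HW-3": 1e-3,
    "HW-4": 4e-6,
}

# Constructed minimal cut sets: each tuple fails the top event on its own.
CUT_SETS = [
    ("HW-1", "OPER-A"),
    ("HW-2", "HW-3"),
    ("HW-1", "HW-2", "OPER-B"),
    ("HW-3", "OPER-C"),
    ("HW-4", "OPER-D"),
]


def risk(probs, cut_sets):
    """Top-event probability by the rare-event approximation:
    the sum over cut sets of the product of their event probabilities."""
    return sum(prod(probs[e] for e in cs) for cs in cut_sets)


def importance(event, probs, cut_sets):
    """Return (RAW, RRW) for one basic event.

    RAW = R(event certain to fail) / R(baseline)
    RRW = R(baseline) / R(event never fails)
    """
    base = risk(probs, cut_sets)
    if base <= 0:
        raise ValueError("baseline risk must be positive")
    failed = risk({**probs, event: 1.0}, cut_sets)
    perfect = risk({**probs, event: 0.0}, cut_sets)
    raw = failed / base
    # If the event appears in every cut set, perfect reliability removes
    # all risk and RRW is unbounded.
    rrw = base / perfect if perfect > 0 else float("inf")
    return raw, rrw


def screen(probs, cut_sets, prefix="OPER-"):
    """Evaluate every human failure event against both criteria.

    An action is a critical operator action if either criterion is met.
    """
    results = {}
    for event in sorted(probs):
        if not event.startswith(prefix):
            continue
        raw, rrw = importance(event, probs, cut_sets)
        met = []
        if raw >= RAW_THRESHOLD:
            met.append("RAW")
        if rrw >= RRW_THRESHOLD:
            met.append("RRW")
        results[event] = {"raw": raw, "rrw": rrw, "criteria_met": met}
    return results


if __name__ == "__main__":
    for name, r in screen(PROBS, CUT_SETS).items():
        verdict = "critical" if r["criteria_met"] else "not critical"
        print(f"{name}: RAW={r['raw']:.2f} RRW={r['rrw']:.4f} "
              f"{verdict} {r['criteria_met']}")
```

In this constructed model the rarely failing action OPER-C is selected by RAW alone and the frequently failing action OPER-D by RRW alone, which is why the two criteria are joined by "or".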

Additionally, the following operator actions identified from HRA results are considered as critical operator
actions in the HFE program.

- Operator actions for which the estimated time to completion is close to the time window available for
completion.
- Operator actions where the nature of the operator activities, or the demands placed upon operators, are
complex, unique, or potentially challenging.
- Operator actions needed to prevent a situation where conflicting safety goals may result.
- Operator actions that are deemed to be risk-important by the panel members based upon history
and the panel's expert opinion.

18.1.3.5.2 Results

After quantification of the PSA model, the critical operator actions are identified. These operator actions are
listed and provided to the task analysts so that the task analysis can be re-evaluated in detail. The critical
operator actions are shown in Table 18.1.4.2.4-1.

18.1.3.5.3 Independent Review Comment Summary

The comments are discussed and resolved by modification of the description, and they are available in the
official document, Independent Review Comments and Resolution.

18.1.3.5.4 References

1. KEPRI, Human Factors Engineering Program Plan for Korean Next Generation Reactor Man-Machine
Interface, Rev.1, 2000

2. A.D. Swain and H.F. Guttman, Handbook of Human Reliability Analysis with Emphasis on
Nuclear Power Plant Applications, NUREG/CR-1278, S.N.L, 1983

3. US NRC, Reactor Safety Study; An Assessment of Anticipated Risks in US Commercial Nuclear
Power Plants, WASH-1400, 1975

4. KEPRI, Human Reliability Analysis Plan for Korean Next Generation Reactor Man-Machine
Interface, Rev.0, 1997

18.1.3.6 Man-Machine Interface Design and Integration Plan

18.1.3.6.1 Scope and Goals

The systematic design of the Man-Machine Interface (MMI) and incorporation of Human Factors Engineering
(HFE) principles in the design is mandated by the HFE Program Plan (HFEPP). The goal of the MMI
design and integration plan (Reference 1) is to document a design method that ensures that the resulting
designs provide effective MMI based on state-of-the-art human factors principles.

The scope of MMI design includes the control room facilities and the MMI resources. The control room
facilities are the Main Control Room (MCR), the Remote Shutdown Room (RSR) and the Local Control Stations
(LCS) specifically required in the Emergency Operating Procedure (EOP). MCR design includes the
workstation, Safety Console (SC), and Large Display Panel (LDP). MMI resources are controls, alarms,
information display hierarchy, large display panel, and procedure display. The Critical Function Monitoring
(CFM), Success Path Monitoring (SPM), Post Accident Monitoring Instrumentation (PAMI), and Bypassed
and Inoperable Status Indication (BISI) are implemented in the MMI resources in an integrated fashion. These
resources constitute the elemental design from which plant system specific designs are implemented.

18.1.3.6.2 Basic (Reference) Functional Design

Based on the conceptual design, an Operations Philosophy is developed to inform cognizant engineering
groups of intended operational strategies using the control room facilities and MMI resources. It serves
to provide a common basis from which MMI designers and I&C system designers can consider the impact
of their systems' performance on operation.

The development of the Functional Requirements for MMI resources (or System Requirements for control
room facilities) is the activity where the functional and performance requirements for the MMI resources
and control room facilities are systematically developed. These requirements must be met by the design
of MMI resources and control room facilities. The reference design process is described in Figure 18.1-6.

The Functional Requirement (or System Requirement) documents are developed by the cognizant
engineering groups that are responsible for design of respective MMI resources (or for control room
facilities). The functional requirements include MMI functions, design bases, and performance
requirements. The MMI functions establish the high level goals and main tasks to be supported by the MMI
resources or the control facilities. The performance requirements represent high-level design goals and help
to clarify the functional designer's intent. They are high level requirements that may not be readily
verifiable by testing or other means, but are important considerations for meeting the goals defined in the
MMI function.

Sources of design requirements that are systematically evaluated during this process include the KURD,
related codes and standards, the OER issues, the Design Bases and the Operations Philosophy. Other
industry documents such as NRC NUREGs and EPRI technical reports are also reviewed for applicable
requirements. Related Nuplex 80+ and KSNP design documentation may contain requirements that should
be considered for the APR1400 design.

After the set of potential requirements is established, MMI resource designs are developed. Conceptual
designs are refined to meet the requirements. The MMI resource designs are made to conform to the
HFESGB including the MMI conventions. The MMI resources (or control room facility) designs are
documented in Design Reports (or System Descriptions). Functional Requirements, System Requirements,
Design Reports, and System Descriptions are input to I&C systems design.

18.1.3.6.3 HFE Standards, Guidelines, and Bases

The HFE Standards, Guidelines, and Bases (HFESGB) document (Reference 2) is developed for each of
the MMI resources to facilitate the standard and consistent application of HFE principles to the design. The
HFESGB document contains a set of standards and conventions that are produced by tailoring generic HFE
guidance to the specific design of MMI, and defines how those HFE principles are applied. The HFE
guidance in NUREG-0700 Revision 1 and KSNP HFEG Revision 1 is addressed/included in the
HFESGB.

The HFESGB document provides:

- Specification of the accepted HFE standards, guidelines, and principles to which the MMI conforms
- Statements of the intended scope of the HFESGB and instructions for proper use of the HFESGB
- Specification of the design conventions to which the MMI conforms
- Justification for deviations from HFE guidelines, standards and principles based on documented
rationale such as trade study results, literature-based evaluations, demonstrated experience, and
tests and experiments

The HFESGB is also used as a checklist to perform the bottom-up human factors engineering suitability
verification activity of the design evaluations and human factors engineering verification and validation.

18.1.3.6.4 Task Related MMI Requirements

The primary means of identifying task related MMI requirements is through the functional task analysis
process (refer to the Task Analysis Plan). It is noted that task related MMI requirements primarily pertain
to detailed design.

In the detailed design process, the task related MMI requirements are: (1) developed in the task analysis
and from system requirements, (2) incorporated in the MMI designs as MMI design requirements and (3)
verified through the availability and suitability verification process. This includes requirements for range,
accuracy, precision, and units. All are iteratively verified through the availability verification process. In
addition, the suitability verification process specifically evaluates task performance of the individual
MMI (refer to the HFE V&V plan).

The results of HFE program elements other than functional task analysis are also used as input and
bases for task related MMI requirements. Operator experience review, functional requirement analysis and
allocation, and the critical operator actions of HRA provide the basis for identifying the task related MMI
requirements needed to support human functions and tasks. The task related MMI requirements are
documented in the MMI specification documents. The collective results of the functional task analysis
activities identify the tasks (or operator functions) and operational information needed by the operator to
execute these tasks. For each MMI, an MMI specification is written. The MMI specification includes the
identification of the operator functions and their associated information needs to be supported by the MMI.
The features, dynamic characteristics, calculated values, and supporting algorithms are part of the MMI
specification.

Iterative design reviews by system designers, operator feedback during walk-through TA, suitability
verifications, and preliminary validations held during the MMI design process provide chances to verify
the completeness of the task related MMI requirements and to identify and correct omissions. The system
design documents as well as the system designer's intent with regard to expected system operation are also
important input to the MMI design. The piping and instrumentation diagrams, system descriptions, design data
(such as setpoints for alarm and control), and operational requirements represent one of the major inputs
to task related MMI requirements.

18.1.3.6.5 MMI Characteristics

The MMI design process has addressed incorporation of the general MMI characteristics that meet high
level HFE principles. Specifically, a set of high level design principles was identified based on the lists
provided in NUREG-0700 Rev. 1, Safeware by Nancy Leveson, IAEA-TECDOC 812 and the Nuplex 80+
HFESGB. These high-level design principles include compatibility and minimization of secondary
workload. This list was then refined for inclusion in the HFESGB.

The MMI design identifies situations of high workload specifically through the TA and MMI evaluation
activities. The MMI evaluations are man-in-the-loop tests in a dynamic mockup or a full-scope simulator
depending upon design stages. Through this process, situations of unacceptable operator performance such
as high workloads and/or high operation errors are identified. The problems identified are addressed in the
MMI design by changing the design or by providing operator aids. This MMI evaluation activity addresses
the usability of MMI resources and allows areas of deficiency to be identified and addressed early in the
design process.

Determination of environmental conditions such as lighting, noise, ambient working temperature, radiation,
air quality, and humidity in the main control room, remote shutdown room, and at the local control stations
follows well-accepted standards from the field of industrial and human engineering. The worst credible
conditions that can be encountered by operators in the main control room are identified as the outcome of
design basis scenarios. Effects on operator performance and the effects of extremes of habitability
during degraded conditions are considered in the MCR design.

The physical layout of the control rooms follows established ergonomic guidelines including the
considerations of fatigue and alertness of the operators sitting at workstations.

18.1.3.6.6 Detail Design

A design specification and a detail design drawing (e.g., each screen display, each alarm processing
algorithm, etc.) are produced for each instance of an MMI resource as a product of the detail design process. The
design specification is the documented collection of design rationale for the particular screen or algorithm
including the task related MMI requirements. The design specifications do not include generic design
conventions that are already specified in the HFESGB and functional design documents such as functional
requirements and design reports.

Operator feedback and rationales for current KSNP control panel design are also major sources for the
design specification.

System descriptions are written for control room facilities as a product of detail design. These products
of detail MMI design provide input to the generation of I&C system specifications.

18.1.3.6.7 MMI Simulator/Mockup Development

Dynamic mockups and a full scope simulator are constructed for MMI evaluations throughout the design
process to identify problems and find resolutions that are not readily achieved without simulating operation
scenarios. The dynamic mockups are also used to resolve the problems that are found through
evaluations.

Dynamic mockups are used to identify human performance issues such as high workload by running
scenarios with operators. They are also used to examine and verify physical layout aspects such as
availability of workspace, physical access, visibility, and related anthropometric issues. Walk-through
exercises are performed in dynamic mockups and a simulator to examine issues such as staffing levels and
procedure usage.

18.1.3.6.8 Evaluations of MMI Design

As an integral part of the MMI design and integration process, the MMI design is evaluated, in an ongoing
fashion, to establish the adequacy of the MMI design early in the design process. These evaluations
include: (1) suitability verifications that verify task usability and conformance to the HFESGB, and (2)
preliminary validations using operators and a dynamic mockup/simulator. Evaluations are performed for
usual situations when all MMIs function normally as well as for unusual situations when some of the MMIs
do not function normally.

The objectives of MMI evaluations include:

- To ensure that the MMIs are acceptable for task performance and conformance to the HFESGB
- To establish the adequacy of functional requirements that are produced in the general (reference)
functional design
- To identify the problems of the MMI design to be addressed before the final V&V when design
changes become more difficult
- To ensure that the MMIs include all information and controls that are required to perform
operator tasks
- To ensure that extraneous controls and displays that are not required for the accomplishment of
any tasks are excluded

18.1.3.6.9 Specific MMI Characteristics Evaluations and Analysis

Design details or problems that are not well defined by available guidelines or whose resolutions are not
readily reached by MMI designers, are addressed by specific MMI characteristic evaluations using the
following methods:

- Analysis of operating experiences, literature analysis, and tradeoff studies
- Evaluation experiments using mockups or simulator

In these evaluations, emphasis is placed on the MMIs that are newly introduced or are related to plant
safety.

18.1.3.6.10 Documentation

High Level Design Requirements

The following high level design requirements are established and documented to be used by each cognizant
engineering group that is responsible for design of control room facilities and MMI resources:

- Conceptual Design Summary Report
- Design Bases
- Operation Philosophy
- MMI System Description

HFESGB

The HFESGB contains the following standards, guidelines and bases to be used by all cognizant
engineering groups that are responsible for design of control room facilities and MMI resources:

- High Level Human Factors Engineering Principles
- Visual Information and Coding Conventions
- Displays and Controls
- Alarm Systems
- Computerized Procedures
- Communication Systems
- Workspace environment
- Maintainability

Control Room Facility System Requirements

System Requirements of the following control room facilities are established and documented to be applied
in MMI design:

- Main Control Room
- Remote Shutdown Room

Control Room Facility System Descriptions

System Descriptions of the following control room facilities are established and documented to be applied
in MMI design:

- Main Control Room
- Remote Shutdown Room

MMI Resources Functional Requirements

Functional Requirements of the following MMI resources are established and documented to be applied
in MMI design:

- Control
- Alarm
- Information Display Hierarchy
- Large Display
- Procedure Display
- CFM/SPM
- BISI/PAMI

MMI Resources Design Reports

Design Reports of the following MMI resources are established and documented to be applied in MMI
design:

- Control
- Alarm
- Information Display Hierarchy
- Large Display
- Procedure Display
- CFM/SPM
- BISI/PAMI

MMI Resources Design Specifications

Design Specifications of the following MMI resources are established and documented to be applied in
MMI design:

- Soft Control Screens and Switch Control Panels
- Alarm algorithms
- Information Display
- Large Display
- Procedure Display
- CFM/SPM

Design Evaluation Reports

Results of design evaluation activities are documented in the following reports:

- APR1400 Phase II Suitability Verification/Preliminary Validation Report
- APR1400 Phase III Suitability Verification/Preliminary Validation Report(s)
- Construction Phase Suitability Verification/Preliminary Validation Report(s)

Specific Characteristic Evaluation Reports

Results of specific characteristic evaluation activities are documented in the following reports:

- APR1400 Phase III Specific Characteristic Evaluation Report(s)
- Construction Phase Specific Characteristic Evaluation Report(s)

HFE V&V Reports

The results of final V&V are documented in this report.

18.1.3.6.11 References

1. KEPRI, Human Factors Engineering Program Plan for Korean Next Generation Reactor Man-Machine
Interface, Rev.1, 2000

2. KEPRI, Human Factors Engineering Standards, Guidelines, and Bases for Korean Next Generation
Reactor Man-Machine Interface, Rev.1, 2000

3. Combustion Engineering, Inc., Nuplex 80+ Advanced Control Complex Design Bases,
NPX80-IC-DB790-01

4. Combustion Engineering, Inc., System Description for Control Complex Information System for
Nuplex 80+, NPX80-IC-SD791-01

5. CESSAR-DC, Chapter 18, Amendment X

6. KEPRI, APR1400 MMI Conceptual Design Summary Report, Rev.0, 1997

7. KEPRI, APR1400 MMI Design Bases, Rev.1, 2000

8. US NRC, Human Factors Engineering Program Review Model, NUREG-0711, 1994

9. US NRC, Human-System Interface Design Review Guideline, NUREG-0700, Rev.1, 1996

10. Beranek, L.L., Revised Criteria for Noise in Buildings, Noise Control, Vol. 3, Nr. 1, p. 19ff

11. Grandjean, E., Fitting the Task to the Man; An Ergonomic Approach, London: Taylor and Francis
Ltd., 1981

12. Van Cott and Kinkade, Human Engineering Guide to Equipment Design, Washington D.C.: U.S.
Government Printing Office, 1972

13. EPRI, Human Factors Guide for NPP Control Room Development, Final Report on Project 1637-1,
EPRI NO-3659, 1984

14. KEPRI, Korea Next Generation Reactor Utility Requirement Document, Vol.III. Chapter 10:
Man-Machine Interface Systems, 1998

15. IEC, Design for Control Rooms of Nuclear Power Plants, IEC 964, 1989

16. IEC, Operating Conditions for Industrial-Process Measurement and Control Equipment, IEC
Standard 654-1, 1979

18.1.3.7 Human Factors Verification and Validation Plan

18.1.3.7.1 Scope and Goals

The verification and validation of the man-machine interface demonstrates operator task performance
capabilities and the capabilities to perform operator functions in the control room. All verification and
validation activities are performed under the conditions specified in the Human Factors Engineering (HFE)
Verification and Validation (V&V) Plan.

The HFE V&V Plan applies to all man-machine interfaces and workspace environments in the Main Control
Room, Remote Shutdown Room and those local control stations specified in the Emergency Procedure
Guidelines.

There are four distinct types of verification and validation activities: 1) Availability Verification, 2)
Suitability Verification, 3) Integrated System Validation, and 4) Final Plant Verification.

18.1.3.7.2 Availability Verification

Availability verification is performed in two parts: Part 1 (availability analysis) and Part 2 (availability inspection).

The purpose of Part 1 is to assure the following:

A. The system I&C inventory meets the following requirements:

- Information and control requirements (ICR) as specified in the task analysis,
- Mandated indication and control requirements in regulatory documents, and
- Fixed position MCR MMI is provided for credited safety function success path tasks
identified in the Probabilistic Safety Assessment (PSA) or EPG.

B. After assuring the above requirements are met in the system I&C inventory, a checklist of system
I&C requirements applicable to the MCR and the local control stations specified in the EPG is
developed.

The purpose of Part 2 is to compare the as-designed MMI to the availability checklist produced by the Part
1 analysis. This includes:

A. Verifying and documenting that all system I&C inventory items identified on the availability checklist
are available in the MMI design;

B. Identifying candidate MMI indications or controls for removal and addition.

18.1.3.7.3 Suitability Verification

Suitability verification addresses the issue of whether the form and arrangement of MMI indications and
controls support operator task accomplishment. It roughly spans the gap between the questions of "Is the
needed information, and only the needed information, present?" (Availability) and "Does the design, in
terms of actual operators, using the full control room, the actual procedures, the real plant dynamics, etc.
actually work together as a whole?" (Validation). Suitability therefore overlaps somewhat with both these
areas of evaluative effort. The suitability verification is performed in two parts, each of which uses a
different approach. Part 1 (Suitability Analysis) uses a top-down approach, and Part 2 (Suitability
Inspection) uses a bottom-up approach.

Part 1 (Suitability Analysis) attempts to evaluate the appropriateness of the design selections in the context
of the big picture using a "top-down" approach. This view considers the overall system design, the nature
of real-world operator tasks, and the integration of the parts of the MMI into a coherent and easily used
whole.

Part 2 (Suitability Inspection) uses the control room design review guidelines found in the HFESGB as a
set of accepted and established criteria. These criteria are particularly useful for identifying individual item
discrepancies, such as inadequate letter sizes or lighting levels.

18.1.3.7.4 Integrated System Validation

18.1.3.7.4.1 MMI Design Validation

The purpose of design validation is to ensure that the sum of the various MMI features afforded by the
MCR, RSR, and any local control stations specified in the EPG provides a usable MMI ensemble that
supports the successful accomplishment of the operator's required tasks. Design validation will be
conducted using a facility that physically represents the MCR configuration and dynamically represents
the operating characteristics and responses of the design. Design validation includes operator interaction
with the ensemble and EPG or operating sequences to meet the following objectives:

- Validate ability to execute operator tasks required by procedure guidance;
- Validate the MCR configuration staffing assumptions and confirm the task analysis results;
- Validate time response for credited operator actions based on the safety analysis;
- Validate the allocation of functions and support for operating crew situational awareness;
- Validate operator communication and team interaction;
- Validate operation with MMI and I&C equipment failures;
- Validate HRA performance assumptions.

Each of the plant accident, abnormal, normal, system, and MMI and I&C equipment failure operating
sequences is performed on a facility that physically represents the MCR configuration and dynamically
represents the operating characteristics and responses of the design.

The design validation team is debriefed after each scenario to identify and define discrepancies. These
discrepancies are documented. The design validation activities are conducted until the completed control
complex is validated.

The design validation plan specifies:

- The validation methodology including required validation team personnel, required facilities and
resources, detailed operating scenarios which incorporate all critical tasks identified in the task
analysis from the PSA, performance measures, and data collection and analysis methodology.
- The acceptance criteria to be used during the validation. This will include relevant acceptance
criteria from the design validation provided through scenario-specific objective criteria.
- The schedule and milestones of the validation activities.
- The administrative procedures to govern validation activities including reporting and resolution
of findings.

18.1.3.7.4.2 Operating Ensemble Validation

An operating ensemble validation is performed to demonstrate the acceptability of the completed operating
ensemble (i.e., man-machine interface, plant-specific procedures, and operating staff). This provides
assurance that trained operators using final plant-specific procedures in conditions similar to the as-built
control room, such as a full scope prototype or simulator, together form an effective operating ensemble.
Completion of the operating ensemble validation satisfies all requirements on the main control room and
remote shutdown room validation.

The operating ensemble validation exercises the final version of all plant-specific EOPs. In addition,
operating tasks for plant-specific equipment that is different from the certified design are performed using
appropriate scenarios and applicable procedures.

Methodology for operating ensemble validation is similar to that of MMI design validation.

18.1.3.7.5 HF Issue Resolution Verification

Verification is performed to ensure that the HFE issues identified during the design process have been
acceptably addressed and resolved.

18.1.3.7.6 Final Plant Verification

The purpose of final plant verification is to ensure the final product as built conforms to the verified and
validated design that resulted from the HFE design process. Final plant verification is a check to ensure
that the HFE issues identified during the design process have been acceptably addressed and resolved.

The general scope of final plant verification is the following for all applicable facilities:

- MMI hardware
- MMI software
- Communication
- Procedures
- Workstation and console configurations
- Design of the overall work environment
- Trained personnel

The final design should be documented in a design description document (e.g., a final report developed
during the Availability Verification, Suitability Verification and Integrated System Validation process) showing that
the as-built design is the design resulting from the design process V&V evaluations. This document can
then be used to conduct a final plant verification.

Aspects of the design that were not addressed in design process V&V will be evaluated using a walk-through.
Aspects of the design addressed by this criterion may include design characteristics such as new
or modified displays for plant-specific design features and features that cannot be evaluated in a simulator
such as main control room lighting and noise.

The criterion for final plant verification is that the in-plant HFE should conform to the design that resulted from
the HFE design process and V&V activities.

18.1.3.7.7 Independent Review Comment Summary

Most comments were resolved by modification of the description, and they are available in the official document,
Independent Review Comments and Resolution.

18.1.3.7.7.1 References

1. KEPRI, Human Factors Engineering Program Plan for Korean Next Generation Reactor Man-Machine
Interface, Rev.1, 2000

2. US NRC, Human Factors Engineering Program Review Model (NUREG-0711), 1994

3. KEPRI, HFE Verification and Validation Plan for Korean Next Generation Reactor Man-Machine
Interface, Rev.1, 2000

18.1.4 HFE Design Process Results

18.1.4.1 HFE Program Management

18.1.4.1.1 Team Organization and Responsibilities

The organization of the APR1400 MMI design team and its relation to the Center for Advanced Reactor
Development (CARD), the design organization, is depicted in Figure 18.1-1. The structure of the
organization may change, but the functional nature of the MMI design team is retained through the change.
As shown in Figure 18.1-1, the MMI design team reports to the manager in charge of design integration
in CARD. The MMI design team leader, who performs the function of technical project management for
the human factors engineering design process, is responsible for the overall MMI design and for the
integration with the other design features in APR1400 development.

The independent design review team for MMI, which is separate from the MMI design team, is a
multi-disciplinary team comprised of personnel from several organizations including KHNP, KOPEC, and
KAERI. The design review team is responsible for the review of the MMI design and design documents, as
well as providing comments based on impact to their area of expertise. The team also participates in design
review meetings related to key MMI development.

18.1.4.1.2 Team Composition and Staffing

The MMI design team is comprised of personnel from a variety of organizations (i.e., KEPRI, KOPEC,
and ABB-CE) and disciplines. The HFEPRM (NUREG-0711) defines the composition of the so-called "HFE
design team" in its Appendix A, which refers to the personnel responsible for HFE activities within the
scope of plant design. The HFEPRM describes the areas of expertise the HFE design team ought to have as well
as a listing of minimum qualifications. The MMI design team, which can be regarded as a subset of the
HFE design team, includes the disciplinary expertise and qualifications described in Appendix A of the
HFEPRM (i.e., 'HFE Design Team Composition') as necessary. Table 18.1.4.1.4-1 through Table
18.1.4.1.4-5 show the disciplines and number of participants for the MMI design team and independent review
team in Phase II and Phase III.

18.1.4.1.3 HFE Program Milestones

Figure 18.1-4 shows the overall MMI design process in APR1400 Phase-II.

18.1.4.1.4 Implementation of Technical Program

Among these nine elements, the MMI design team is responsible for the following five elements - i.e.,
operating experience review, functional requirements analysis and function allocation, task analysis, MMI
design and integration, human factors verification and validation; while other organizations are responsible
for the other four elements - i.e., staffing, human reliability analysis, procedure development, and training
development. The MMI design team, however, interacts with the organizations in order to ensure that their
activities are effectively integrated with overall HFE activities for APR1400 development including MMI
design activities. Further details of the five HFE elements, for which the MMI design team is responsible,
are available in references [2], [3], [4], [6], and [7]. The details of the four HFE elements, for which the
MMI design team is not responsible, are available in references [1] and [5].

18.1.4.1.4.1 Scope of Technical Programs

A. Phase-II

The scope of APR1400 Phase-II HFE technical program was to develop basic(reference) standard design
including the following to support APR1400 SSAR :

- Development of HFE element implementation plan(OER, FRA&FA, TA, MMI Design and
Integration, HFE V&V)

- Analysis of OER, FRA&FA

- Trial application of Task Analysis methodology, MMI Design and Integration methodology for
small slice of dynamic mockup

- Development HFE Standard, Guidelines and Bases

- Development of MMI functional design and simplified implementation of design with partial
scope mockup

- Suitability Verification Analysis using the partial scope dynamic mockup

B. Phase-III

The scope of the APR1400 Phase-III HFE technical program was to develop a full scope dynamic mockup
to implement the standard design and to perform iterative design evaluations.

- Update design documents of Phase-II

- Analysis of further OER

- Trial application of Task Analysis methodology, MMI Design and Integration methodology for
dynamic mockup

- Upgrade the HFESGB with cognitive consideration

- Development of MMI functional design and simplified implementation of design with full scope
mockup

- Development of ACR (Advanced Control Room) Issues to be used for design evaluations

- Iterative design evaluations to test the ACR issues using the full scope dynamic mockup

18.1.4.2 HFE Analysis for Design

18.1.4.2.1 OER Activities and Results

The OER is a two-step process: (a) identification of OER issues, and (b) incorporation of OER issues into
the MMI design.

18.1.4.2.1.1 Identification and Disposition of OER Issues

OER issues are identified through the following review and interview activities:

- Review of commonly referenced licensing documents and reports

- Literature review for the advanced MMI technology related to MMI design

- Interview with experienced operator

A. Review of commonly referenced licensing documents and reports

Existing OER issues and/or their resolution results of ABB-CE and US NRC activities are reviewed at an
early stage of MMI design in order to effectively input OER issues to the MMI design.

B. Document review

To avoid the drawbacks of advanced MMI features, issues are identified through document review. The
documents reviewed include the following:

- Human Factors Engineering Program Review Model, NUREG-0711, 1994

- HFE Insights for Advanced Reactors based upon Operating Experience, NUREG/CR-6400, 1997

- Work Reports of Halden Reactor Project

- Technical documents of IAEA

- IEEE meeting proceedings

- Korean LERs and CRDR

Among the LER reports issued over the last 20 years from all NPPs in Korea, the ones related to human
error are reviewed. A total of 41 LER reports have been reviewed and the results are documented. CRDR
result reports on KORI units 1, 2, 3 & 4 and YGN units 1 & 2 are also included in the scope of review for
issue identification.

C. Operator interviews

Interviews with experienced operators of YGN site were performed to identify OER issues. Since YGN
unit 3&4 are the predecessor plants of APR1400, the operators in the plants were selected for interview.
In order to perform consistent and faithful interviews, questionnaires were developed prior to the
interviews.

Identified OER issues are dispositioned and then provided to the MMI designers. The MMI designers
confirm the validity of the disposition.

In general, MMI design elements include:

- Control room (including MCR, RSR, and LCS)

- Information Display

- Control

- Alarm

- Procedure

- Communication

- Etc.

18.1.4.2.1.2 Result of Key OER Issues Identified

The major OER issues associated with each of the MMI design elements include:

A. Control room

- Each controller and its related information are located apart

- MMI features that have the same function vary in shape

- History logs are hard to track

B. Information display

- Lack of plant overview information

- Too much information is provided in parallel

- Information of same parameter is provided redundantly

C. Control

- Control signal could be actuated inadvertently

- Lack of standardization

- Hard to be supported by the other operators

- The feedback items to be witnessed are determined based upon the experience and
knowledge

D. Alarm

- Too many alarms are simultaneously actuated under emergency condition

- There are nuisance alarms

- It is hard to track the alarm source of a common alarm

E. Procedure

- Finding the related procedure is a burden

- It is inconvenient to verify the related information for a given step

- When steps are not performed sequentially, a step may be missed

F. Communication

- Communication between the MCR operator and the local operator is difficult

- There are many dead spots in local areas, especially in the secondary area

- After a reactor trip, ringing telephones are a burden to the operator

G. Etc.

- In the course of the OER, many issues outside the scope of MMI design were also gathered

18.1.4.2.1.3 Incorporation of OER Issues into the MMI Design

The relevant issues for each MMI design feature are incorporated into the MMI design as design
requirements. Subsequently, each MMI designer applies these requirements to the MMI design.

18.1.4.2.2 FRA&FA Activities and Results

The APR1400 is an evolutionary design. It incorporates improvements that reflect experience gained from
the operation of KSNP. However, the major characteristics of the APR1400 physical plant remain similar
to and consistent with those of its forebears. Such incremental improvement to a successful design reflects
a safe and conservative approach to engineering.

The critical functions and their success paths, and the operator's role in implementing them, are compared
between KSNP and APR1400 to verify their similarity and consistency. The success paths are then
evaluated against the identified allocation criteria to verify the acceptability of the allocation of control
of safety functions in the design.

A. Critical Safety Functions

Safety functions are physical processes, conditions, or actions relied on to maintain the plant within
acceptable design basis limits, i.e., to ensure safe shutdown, to maintain plant conditions within safety
limits, to prevent core melt, and to ensure radiation releases do not exceed the limits of 10 CFR 100. These
functions may be performed by automatic or manual actuation and/or regulation, from passive system
performance, or from natural feedback in the plant design.

The composition of the safety functions is relatively unchanged for a given type of plant design.

B. Success Paths

The success paths for the Critical Safety Functions (CSFs) have been developed.

A high level "functional" comparison of the major success paths for the KSNP and APR1400 CSFs is
provided in Table 18.1.4.2.2-1. The following CSFs are identified as added or as modified:

Hydrogen Ignitors and Passive Autocatalytic Recombiners (PARs) - The PARs have been added to
APR1400, in place of the Hydrogen Recombiner in KSNP, for increased redundancy and diversity of the
hydrogen control success paths. For severe accident management, the PARs are complemented by the
hydrogen ignitors installed in local areas. A PAR is a passive system that recombines hydrogen and oxygen
on a catalytic surface following a LOCA. The enthalpy of reaction generates heat within a PAR, which
further drives containment mixing by natural circulation. Thus the incorporation of PARs in the design
represents an elimination of the operator role or responsibility from that of KSNP. Their operation does
not require frequent, rapid, unique, or complex actions. Some of the PARs are credited as a safety system
for DBA and others are not for severe accident management. This PAR-based system is not part of the
KSNP design, but has been proven in operation on other plants. However, note that H2 Ignitors were
incorporated additionally in the KSNP (UCN 3&4) design. Thus, the incorporation of H2 Ignitors & PARs
in the design does not represent a significant change of the APR1400 and KSNP operators' role.

Non-safety-grade Alternate AC generator - The APR1400 provides a permanently installed Alternate
AC generator as a separate and diverse source of onsite generating capacity. The Alternate AC generator
increases the redundancy and diversity of the AC power success paths. The Alternate AC generator is a
non-safety-grade system. In KSNP (UCN 3&4), the system was credited as safety. However, the basic
functions of APR1400 Alternate AC generator and those of KSNP are similar.

C. Operator's Role and Safety Functions

The operator, along with automated systems and inherent and passive plant features, is a part of the
defense-in-depth approach to assure that safety functions are maintained. Specifically, the operators' role
in executing safety functions can be summarized as follows:

1. Monitor the plant to verify that the safety functions are being accomplished

2. Actuate and control those systems that are not fully automated

3. Intervene where the automatically actuated systems are not operating as intended

Item (1) represents a supervisory role for operators. Item (2) represents manual tasks that the operator is
normally expected to perform. Item (3) represents a back up role for operators; it implies the use of
automatic, passive or inherent system features as a first line of safety defense. Manual and automatic
allocations in safety system operation are identified. Detailed specification of the operators' role in
executing safety functions is provided by the actions and contingencies of the Emergency Procedure
Guidelines.

D. Allocation Data

To evaluate the acceptability of allocations to the operators' safety role, Table 18.1.4.2.2-2 provides a
summary of the safety function allocations in comparison to the criteria.

The data fields of Table 18.1.4.2.2-2 are defined as follows:

(1) Critical Functions & Success Paths - Per the contents of Table 18.1.4.2.2-1.

(2) Protective System or Commodity? - Whether or not this is a system relied on (i.e., credited) by
APR1400 SSAR Chapter 15 safety analyses to mitigate DBEs by performing the specified safety
function

(3) 10 CFR 50 Allocation Requirements - General or specific allocation requirements from 10 CFR
50

(4) NUREG/CR-3331 Allocation Requirements - The acceptance path resulting from application of
the criteria (see Appendix 18.3A)

(5) Auto Initiation - The equipment that generates the automatic protective action that initiates a
Protective System to achieve the Safety Function

(6) Manual Initiation - Whether or not the operator is afforded a means to manually initiate the
Protective Action

(7) Control Modes - After initiation, the manual and/or automatic elements of a control system
configuration maintain the safety function throughout the limiting DBE. These are categorized as
follows:

- Automatic (Auto): A configuration that is completely automatic without a means for
manual action.

- Automatic-AND-Manual (AAM): A configuration that can be provided both manually and
automatically. The operator has the capability to provide manual actuation at any time, but
does not have the capability to defeat the automatic actuation. This strategy tends to
increase the likelihood of executing the function. It implies manual control is redundant
to fully automatic control.

- Automatic-OR-Manual (AOM): A configuration that can be provided both manually and
automatically. The operator has the capability to select the mode of actuation, which can
defeat automatic actuation. This strategy tends to provide increased flexibility to the
operator.

- Automatic-XOR-Manual (AXM): A configuration that can be provided both manually and
automatically. Actuation responsibilities are shared between the human and
machine components. While there may be some functional overlap, there is not complete
redundancy. This actuation scheme exists because the operator has a continuous manual
interface that affects the actuation setpoint for the component.

- Manual: A fully manual configuration without a means for automatic actuation.

(8) Justification for solely manual initiation / control of protection (IEEE 603-1991) - For protective
systems, an explanation of why some portion of safety function has not been automated.
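
An added illustration, not part of the SSAR or of any APR1400 design document: a minimal Python model of the five control modes in item (7), used to check which modes let the operator force actuation and which let the operator hold it off. The trip on a high process value, the `OperatorInput` fields and all numeric values are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import product
from typing import Optional, Tuple


class ControlMode(Enum):
    AUTO = "Automatic"
    AAM = "Automatic-AND-Manual"
    AOM = "Automatic-OR-Manual"
    AXM = "Automatic-XOR-Manual"
    MANUAL = "Manual"


@dataclass(frozen=True)
class OperatorInput:
    """Hypothetical operator-side inputs; field names are assumptions."""
    manual_demand: bool = False       # operator requests actuation
    auto_selected: bool = True        # AOM only: operator's mode selection
    setpoint: Optional[float] = None  # AXM only: operator-adjusted setpoint


def actuates(mode: ControlMode, value: float, design_setpoint: float,
             op: OperatorInput) -> bool:
    """True if the function actuates. Assumes a trip on high process value."""
    auto_demand = value >= design_setpoint
    if mode is ControlMode.AUTO:
        return auto_demand                      # no means for manual action
    if mode is ControlMode.AAM:
        return auto_demand or op.manual_demand  # manual is redundant to auto
    if mode is ControlMode.AOM:
        # Operator selects the mode, so a manual selection bypasses auto.
        return auto_demand if op.auto_selected else op.manual_demand
    if mode is ControlMode.AXM:
        # Machine does the comparison; the operator owns the setpoint.
        sp = design_setpoint if op.setpoint is None else op.setpoint
        return value >= sp
    return op.manual_demand                     # MANUAL: no automatic path


def operator_influence(mode: ControlMode,
                       design_setpoint: float = 100.0) -> Tuple[bool, bool]:
    """Return (can_force, can_block) over every modelled operator input.

    can_force: actuation is possible with no automatic demand present.
    can_block: actuation can be absent although automatic demand is present.
    """
    inputs = [OperatorInput(m, a, s) for m, a, s in product(
        (False, True), (False, True),
        (None, design_setpoint - 50.0, design_setpoint + 50.0))]
    below, above = design_setpoint - 10.0, design_setpoint + 10.0
    can_force = any(actuates(mode, below, design_setpoint, op) for op in inputs)
    can_block = any(not actuates(mode, above, design_setpoint, op) for op in inputs)
    return can_force, can_block


if __name__ == "__main__":
    for mode in ControlMode:
        force, block = operator_influence(mode)
        print(f"{mode.name:6s} operator can force={force!s:5s} block={block}")
```

In this model only AAM gives the operator a way to actuate without also giving a way to hold actuation off, which is the property the AAM definition states.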

The results of the FRA&FA have aimed to provide a descriptive evaluation of the allocation of critical
safety functions in the design. The analysis assumes that existing plants of similar design with extensive,
successful operating histories are a valid reference point from which evolutionary changes and
improvements are evaluated. The conclusions of this evaluation are summarized as follows:

- Critical Safety Functions (CSFs) have not changed between KSNP and APR1400.

- CSF Success Paths and their Function Allocations, specified in Table 18.1.4.2.2-1 and Table
18.1.4.2.2-2, are similar in KSNP and APR1400; changes and additions have been few, and
have afforded well-considered improvements to overall plant performance.

- APR1400 meets safety-related requirements for allocation of function.

- APR1400 provides improvements through revised allocations to operator performance.

18.1.4.2.3 TA Activities and Results

The following sections provide an example of typical TA results for APR1400. The resources and MMI
used for this TA are based on YGN 3&4 units. This represents a preliminary application of the
methodology. The example evaluates an event sequence of Steam Generator Tube Rupture (SGTR), which
is of significant interest from the perspective of resolving MMI design issues. Other event sequences have
been incorporated in the TA database. When completed, the TA database will incorporate all event
sequences specified in Section 18.1.3.4.1.1.

18.1.4.2.3.1 Functions / Tasks / Task Elements by Event

For the events in Section 18.1.3.4.1.1, event sequences are partitioned by gross function and subfunction.
Individual operator tasks are identified for each function in the next level breakdown. The next level of
decomposition identifies elements within tasks. This specifies information to be observed or manipulated
in order to perform the required actions. At this level of detail, required parameter variables are identified.
Figure 18.1-7 provides an example of hierarchical task analysis structure. All analyzed functions, tasks and
task elements are stored in TA database. An example of TA database is provided in Table 18.1.4.2.3-1.

18.1.4.2.3.2 Parameter Usage

The TA database is sorted to identify all required display and control inventory for SGTR event. This
allows the use of this information as a reference for display and control design. Table 18.1.4.2.3-2 lists the
parameters analyzed for RCS. As an example of the results of this effort, Table 18.1.4.2.3-3 is a listing of
parameter uses for pressurizer pressure in RCS. The remaining uses of pressurizer pressure for other
systems and the uses for other parameters can be sorted by the TA database.

18.1.4.2.3.3 Information and Control Requirements

TA activity related to determining Information and Control Requirements (ICRs) is to consolidate the
characteristics required for each parameter. As an example of these efforts, Table 18.1.4.2.3-4 gives the
characteristic and rationale for pressurizer pressure in the SGTR event. Similar sets of information can be
developed for the remaining task analysis parameters.

18.1.4.2.3.4 Error / Behavior Implication / Comments List

The TA database is sorted to identify the potential human error, complex operator's decision making, and
operator's comments on the design improvements. These are based on the operator interview. These data
are provided to the designer for MMI design enhancement. An example of error / behavior implication /
comments list is given in Table 18.1.4.2.3-5.

18.1.4.2.3.5 Minimum Inventory of Fixed Position Alarms, Displays and Controls

Based on the US NRC request, a subset of the identified alarms, displays, and controls is specified as the
MCR Minimum Inventory required to execute the EPGs (Table 18.1.4.2.3-6) and perform the PSA
Important (Critical) Tasks (Table 18.1.4.2.3-7). Within this scope, the following criteria are used to
identify Minimum Inventory entries.

Alarms and Displays

- Critical safety function status

- Preferred/credited success path performance indications

- Indications required to verify safe shutdown

- Reg. Guide 1.97 Category I variables

- Indications and alarms for PSA critical operator actions

Controls

- Preferred/credited success path component (i.e., in major flow path)

- Components required to perform safe shutdown

- Controls for PSA critical operator actions

The MCR Minimum Inventory is provided as fixed MMI. The term fixed position refers to the unique
location on LDP and the safety console for alarms, displays, and controls defined for the parameters in the
MCR Minimum Inventory.

Availability Verification assures consistency between these requirements and the completed system I&C
inventories, as well as between the system I&C inventories and the as-built MMI.

18.1.4.2.4 Staffing Assumption

The objective of the staffing analysis is to evaluate the adequacy of initial staffing levels, i.e., the number
and qualification of operating personnel in the APR1400 main control room.

Plant staffing is a Construction Permit/ Operating License (CP/OL) applicant responsibility. The CP/OL
applicant, i.e., the operating utility, addresses the staffing levels and qualifications of plant personnel,
including operations, maintenance, engineering, instrumentation and control technicians, radiological
protection technicians, security, and chemists. Thus responsibility for the staffing element belongs to the
CP/OL applicant, rather than the MMI designer.

In general, the analysis of staffing by the utility requires designer's input about the nature of the plant and
its control room. The utility, however, performs its own analyses based on its preferences and experience
with previous plant operation. Therefore, when necessary, APR1400 MMI design team interacts with the
organization responsible for training program development in order to ensure that the HFE activities
performed in the MMI design team are effectively integrated into the decision process on the plant staffing
levels. Those HFE activities include: operating experience review, functional requirements analysis and
function allocation, task analysis, human reliability analysis, MMI design and integration, and human
factors verification and validation.

The control room staffing assumption used in the development of the APR1400 MMI, for which see
Sections 18.2 (Main Control Room) and 18.3 (Remote Shutdown Room), is developed based on
the following information and references: (a) operating experiences with predecessor plants, (b) operating
experience review documents, (c) utility requirements and human factors guidelines relevant to APR1400
MMI design, and (d) government regulations. The initial staffing levels are iteratively evaluated for
acceptability, and modified as the APR1400 MMI design and evaluation proceeds.

18.1.4.3 MMI Design and Integration

18.1.4.3.1 Feasibility Study for Selection of General MMI Features

In the Phase I of APR1400 design development, Korean nuclear industry entities including KHNP, KAERI,
and KOPEC performed a comprehensive survey and review on the control rooms of advanced reactors in
the world including System 80+, French N4, Japanese APWR to establish the direction for the APR1400
control room design concept.

This survey revealed a clear and strong trend of employing advanced control room for the advanced
reactors throughout the world. The advanced control room was assessed to have flexibility to overcome
the limitation of conventional control room and provide more convenient MMI with improved operator aid.

18.1.4.3.2 Development of Utility Requirement Document

APR1400 participated in the U.S. EPRI Utility Requirement Document (E-URD) development project
in order to apply the results to APR1400. The MMIS participants concluded that a compact workstation
type control room is required for the advanced light water reactors. This was the same conclusion reached
by the feasibility study performed in APR1400 Phase I. The Korean Utility Requirements Document
(K-URD) was then developed during APR1400 Phase-II, with most of the requirements from E-URD
retained.

18.1.4.3.3 General MMI Feature Selection and Conceptual Design

The initial stage of the APR1400 MMI design is development of conceptual design. The goal of this design
stage is to identify primary MMI features (i.e., MMI resources), their basic characteristics, and an initial
MCR layout.

The requirements of the K-URD and the technical trends of nuclear power plant advanced control rooms
in the U.S. ALWR and French N4 plants directed the transition towards a redundant compact workstation
type control room design. The compact workstation type control room was evaluated to be more flexible,
and therefore to provide more potential benefits, than conventional control rooms for APR1400, which
will be operational in the 21st century. The APR1400 MMI has the following design features:

- Large Display Panel

- Advanced Alarm System

- VDU Based Information Display Hierarchy

- Computerized Procedure

- Soft Control

- Safety Console

As a starting point, these MMI features were reflected in the preliminary design that defines how the
Man-Machine Interface supports operator performance. The human performance requirements that each MMI
resource supports are identified and refined as part of the design process. Evaluations and analyses with
the dynamic mockups and reference plant operators are used to determine the adequacy of the MMI
resources design.

A preliminary conceptual design of the APR1400 MMI was developed using the Nuplex 80+ design as a
point of departure and moving toward a design that reflects the above advanced design features. This
allowed an evolutionary approach to creating the design from existing design.

The preliminary conceptual design was evaluated and refined during the Initial Development Program by
a multi-disciplined task force team. This task force team members include KEPRI engineers, KOPEC MMI
designers who have experience in KSNP MCR design and KSNP I&C system design, and ABB-CE
engineers who have experience in System 80+ MMI and I&C (Nuplex 80+) design. This was accomplished
through a process of design feature evaluations for each significant change to the Nuplex 80+ MMI and
I&C systems. The process included team discussions in "boiler room" meetings and design review
meetings, which included senior technical management and senior consultants. The results of these
conceptual design refinement activities are documented in the APR1400 Conceptual Design Summary
Report and APR1400 Design Bases. Design alternatives for a feature within an MMI resource (such as the
use of a TFT-LCD flat panel display or a trackball) will be evaluated before the procurement of MMI
devices to make the best of advances in computer-based MMI devices. This evaluation will include a
human factors/trade-off study, evaluation in the mockup, and operating experience review.

18.1.4.3.4 APR1400 Phase-II Design Development

The following design activities were performed to develop basic design of APR1400 MMI:

- Preliminary design

- Conceptual design

- Development of HFE element plans (HFE Program Plan, OER Plan, FRA/FA Plan, TA Plan, MMI
Design & Integration Plan, HRA Plan, Human Factors V&V Plan)

- Operating experience review

- Functional requirement analysis and function allocation analysis

- Development of the HFESGB

- Task analysis for selected KSNP scenarios (SGTR)

- Development of detail design for a selected KSNP scenario (SGTR)

- Development of a partial dynamic mockup using the KSNP model based full scope simulator to run
the SGTR scenario

- The initial iteration of design evaluation including suitability verification and preliminary
validation using the partial scope dynamic mockup

18.1.4.3.5 APR1400 Phase-III Design Development

APR1400 MMI detail design is performed by applying APR1400 MMI design characteristics and
conventions to KSNP plant system design for expanded scope of systems. The basic design developed in
phase II is refined through the iterations of deep slice detail design and design evaluations. The following
design activities are performed to develop detail design of APR1400 MMI:

- Update of phase II design documents to reflect the design changes and refinements

- Collection of KSNP MCR control panel design rationales

- Task analysis for comprehensive set of KSNP scenarios

- Development of detail design for comprehensive set of KSNP scenarios

- Development of full scope dynamic mockup using KSNP model based full scope simulator

- Design evaluations are conducted to assure acceptable task performance is maintained

- Specific MMI characteristics evaluations are performed to resolve issues that are identified in the
design evaluations of phase II or phase III using KSNP model based full scope dynamic mockup

18.1.4.3.6 MMI Mockup Development

Dynamic mockups that are driven by a full scope simulator are constructed for MMI evaluations
throughout the design process to identify problems and find resolutions that are not readily achieved
without simulation and operation scenarios. The dynamic mockups are also used to resolve the problems
that are found through evaluations.

Dynamic mockups are used to identify human performance issues such as high workload by running
scenarios with operators. They are also used to examine and verify physical layout aspects such as
availability of workspace, physical access, visibility, and related anthropometric issues. Walk-through
exercises are performed in dynamic mockups to examine issues such as staffing levels and procedure
usage.

18.1.4.3.7 APR1400 Construction Phase Design Development

APR1400 specific task analysis and APR1400 specific detail design are performed in this phase.
Additional design evaluations are conducted through the construction phase to assure acceptable task
performance is maintained. Further specific MMI characteristics evaluations are performed to resolve
issues that are not resolved until the end of phase III using KSNP model based full scope dynamic mockup
or APR1400 specific full scope simulator. The APR1400 specific full scope simulator is also used for
procedure development, operator training, and HFE V&V of APR1400 MMI and procedure.

18.1.4.3.8 Description of General MMI Features

Safe, reliable and efficient power generation from nuclear power plants is directly dependent upon rapid
and accurate monitoring and control of both thermal and nuclear processes. Information to support
operation needs to be readily available and in a format that supports the operator information requirements.

APR1400 control room information is available in a number of different formats which are consistent with
particular operator information requirements when performing operational tasks during plant evolutions
or responding to unexpected conditions. The operator can obtain plant information from a number of
sources in the APR1400 control room which include:

1. Large Display Panel (LDP) that provides plant level alarms, high priority system/component
alarms, and key plant parameters and status for evaluation of plant safety and power production

2. Information display hierarchy at workstations containing all power plant information

3. Computerized procedure displays that provide integrated presentation of procedure instructions,
associated process information, operator aids, and means to access controls to support context
sensitive procedure execution

4. Soft control displays

The information in the APR1400 control room is presented in a structured and hierarchical format to:

- Organize the information in a logical and coherent manner

- Provide an arrangement that enhances the operator accessibility to both overview and detailed
information

The hierarchy of information is consistently applied throughout the control room to all workstations and
safety console. This makes the method of obtaining supporting information consistent and thus reduces
the level of effort required and the probability of human error.

At the top of the information hierarchy is the LDP. The LDP is a large display centrally located at the front
end of MCR that presents the alarms and information for highest level operational concerns. The LDP
allows a quick assessment of overall plant process performance. The entire APR1400 hierarchy is
developed with a consistent set of design conventions that are described in the following subsections.

The Information Processing System (IPS) drives process parameters and alarm status on workstation
information display hierarchy. The LDP is driven by the IPS.

The APR1400 alarms and information displays are designed to provide a reliable, unified, yet diverse
man-machine interface. High reliability is accomplished through use of redundancy within the QIAS-N
and IPS processing and data communications. Diversity is accomplished by using both IPS and QIAS-N to
independently calculate and display the same validated process parameters and alarm conditions. The IPS
independently checks the output of QIAS-N and indicates discrepancies. Failure of any display processing
or communication component of either system does not prevent the operator from receiving all required
information for plant operation.

Standardized hardware is used for APR1400 information presentation that includes CRTs, flat panel
display devices and switches.

The monitoring and control features used in APR1400 MMI and their major characteristics are described
as follows:

Large Display Panel

- The overview display is legible from the workstations as well as from the probable locations of
observers or support personnel in MCR.

- Selected number of parameters and status that represent the critical safety functions and their
success paths are provided on fixed mimic section of the LDP.

- Plant level alarms that indicate the performance of Critical Safety Functions (CSF) and their
Success Paths are provided in the CFM/SPM alarm tiles in the LDP.

- CFM/SPM alarms in LDP are integrated with the emergency operating procedure deployment.

- The LDP provides the Bypassed and Inoperable Status Indication (BISI) at the system level for a
continuous indication of the bypassed and inoperable status of the system.

- The LDP provides system level alarms and component level alarms of high priority.

- Operators can display any format that is available at information displays on the variable display
section of the LDP to offer a useful facility for the presentation of process information on a less
permanent basis.

Workstation Information Display Hierarchy

The Workstation Information Display Hierarchy is an integrated presentation of APR1400 MMI process
information. The Workstation Information Display Hierarchy provides access to displays incorporating
system/component status, process parameters and alarm status/acknowledgement.

- The Information Display Hierarchy permits selectable access to any of its display pages within the
same VDU.

- The Workstation Information Display Hierarchy permits selection of display pages in other VDU
within the same workstation.

- The Workstation Information Display Hierarchy permits selection of component controllers or
process controllers at the associated soft control display.

- The Workstation Information Display Hierarchy permits acknowledgement of alarms.

- The Workstation Information Display Hierarchy can be displayed in the variable section of LDP.

- The SPDS display pages are integrated in the Workstation Information Display Hierarchy.

Soft Control Display

- Soft Control display is a standard feature to control the system and components of the APR1400
Component Control System (CCS), Power Control System (PCS) and T/G control system.

- Soft Control display provides both continuous process control and discrete component control.

- Soft Control permits selection of operating modes, loop control signal, and loop setpoints.

- Soft Control display provides continuous displays of all process parameters being controlled.

Alarms

• An alarm list grouped by priority is provided in the Workstation Information Display
Hierarchy.

• An alarm list grouped by time of occurrence is provided in the Workstation Information
Display Hierarchy.

• Alarm acknowledgment is possible either at the Information Display Hierarchy in the workstations or at
the QIAS-N displays in the safety console.

• Alarms are presented in one of the following four states: new, existing, cleared, or reset.

• Alarms are prioritized and presented so that the operators' responses can be made based on their
relative importance or urgency.

• The alarm system is designed to minimize the number of alarms via several alarm reduction methods.

• The alarm processing and control at the IPS is diverse and independent of that of the QIAS.

• Alarm acknowledgment at either the IPS or the QIAS automatically acknowledges the same alarm at the
other system.

Computerized Procedure Display

• Computerized Procedure provides an overview pane where the current step as well as the past and
future steps of the procedure are presented.

• Computerized Procedure provides an instruction pane where detailed instructions of the current step are
presented.

• Computerized Procedure provides integrated presentation of process information, control access,
and the instructions.

• Computerized Procedure supports the concurrent execution of multiple procedures.

• Computerized Procedure supports retrieving procedures.

• Cross-referencing to other procedures or other steps within the procedure is facilitated.

• Computerized Procedure keeps track of step execution status.

• Computerized Procedure monitors the conditions related to the continuously applied steps.

• Hard copy procedures, which are used when Computerized Procedure displays are not available, are
consistent with the Computerized Procedure displays to the extent possible.

Switch Configuration

• Switch Configurations utilize physical pushbuttons or compatible switches with backlit legend
status indicators.

• Switch Configurations permit on-line replacement and bumpless transfer.

• Switch Configurations are assigned to control panels based on plant systems, and are combined
into multiple groups of switches based on functional relationships.

18.1.4.3.9 MMI Design Interface for Procedure Development

18.1.4.3.9.1 Summary

The purpose of the procedure development process in HFEPRM is to develop and validate plant procedures
that are technically correct and meet human factors principles.

Procedure development is a Conduct-of-Operations Element (COE) that is performed by the Construction
Permit/Operating License (CP/OL) applicant, i.e., the operating utility. The CP/OL applicant is responsible
for development of plant procedures including operating, maintenance and administrative procedures. Thus
a procedure development program, meeting current licensing requirements for such, is a CP/OL action
item, and is not the responsibility of the MMI designer.

When necessary, however, the APR1400 MMI design team interacts with the organization responsible for
procedure development and provides input to ensure that the HFE activities performed in the MMI design
team are effectively integrated into the decision process on procedure development. This is further
emphasized by the inclusion of a computerized procedure system (CPS) for procedure display and
execution support in the APR1400 MMI design. CPS design decisions and characteristics, and lessons
learned from verification and validation activities will provide valuable input to the procedure development
program. Plant procedure experts who have experience in procedure development for conventional nuclear
power plants participate in the development of CPS to make the best of their knowledge and expertise.

18.1.4.3.9.2 References

1. KEPRI, Human Factors Engineering Program Plan for Korean Next Generation Reactor
Man-Machine Interface, Rev. 1, 2000

2. US NRC, Human Factors Engineering Program Review Model (NUREG-0711), 1994

3. US NRC, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power
Plants (NUREG-0800), 1997

18.1.4.3.10 MMI Design Interface for Training Program Development

18.1.4.3.10.1 Summary

The purpose of the training program development process in the HFEPRM is to support development of
a training program that will effectively convey knowledge, skill, and abilities required for APR1400
operations to O&M (operational and maintenance) personnel.

Training program development is a Conduct-of-Operations Element that is performed by the Construction
Permit/Operating License (CP/OL) applicant, i.e., the operating utility. The CP/OL applicant is
responsible for development of the training program. Thus a training program development process, meeting
current licensing requirements for such, is a CP/OL action item, and is not the responsibility of the MMI
designer.

When necessary, however, the APR1400 MMI design team interacts with the organization responsible for
training program development and provides input to ensure that the HFE activities performed in the MMI
design team are effectively integrated into the decision process on training program development.

18.1.4.3.10.2 References

1. KEPRI, Human Factors Engineering Program Plan for Korean Next Generation Reactor
Man-Machine Interface, Rev. 1, 2000

2. US NRC, Human Factors Engineering Program Review Model (NUREG-0711), 1994

3. US NRC, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power
Plants (NUREG-0800), 1997

18.1.4.4 HFE Verification and Validation of MMI Design

18.1.4.4.1 APR1400 Phase II Suitability Verification/Preliminary Validation

18.1.4.4.1.1 Purpose

To establish the adequacy of the APR1400 MMI design early in the design process, a human factors
evaluation is performed. The evaluation is performed through 1) SV, which verifies task usability and
conformance to the HFESGB, and 2) PV using operators and a dynamic mockup/simulator.
The objectives of these MMI evaluations include:

• To ensure that the MMIs are acceptable for task performance and conformance to the HFESGB.

• To establish the adequacy of functional requirements that are produced in the general (reference)
functional design.

• To identify the problems of the MMI design to be addressed before the final V&V when design
changes become more difficult.

18.1.4.4.1.2 Scope

The human factors evaluation for APR1400 Phase II is performed through a two-step process: (1)
suitability verification (SV) and (2) preliminary validation (PV). The SV is performed on the major MMI
features in the MCR. The objective of SV is to confirm the conformance of the APR1400 MMI design to HFE
principles, guidelines, and standards. A dynamic mockup for the operator workstation and Large Display
Panel (LDP) is used for the implementation of SV. A two-part methodology is applied. The "bottom-up"
approach applies the guidelines found in the HFESGB as elemental MMI criteria. The "top-down" approach
evaluates the appropriateness of the design selections in the context of the big picture. The evaluation
scope for major MMI features and associated functions is as follows:

• Workstation display,

• LDP,

• Soft Control,

• Alarm,

• CPS.

The PV ensures that the MMI design can be effectively operated by personnel. In APR1400 Phase II,
the PV is performed only for 'Steam Generator Tube Rupture', one of the EOPs. A dynamic mockup for the
operator workstation and LDP is used for the implementation of PV.

18.1.4.4.1.3 Organization and Schedule

The schedule and participants for each activity are shown in Table 18.1.4.4.1-1.

18.1.4.4.1.4 Results

A. Human Engineering Discrepancy

An overall human factors evaluation was performed for the APR1400 MMI in Phase II. As a product of
the SV, Human Engineering Discrepancies (HEDs) are described in the HED Report form. Most of the HEDs
in bottom-up SV are classified as detailed HFE discrepancies, and the major HEDs in top-down SV consist of
MMI design discrepancies related to workstation displays, LDP, soft control, alarm and CPS. The
major HEDs in PV are as follows:

• Lack of trend (graphic) information in display design,

• Navigation of soft control,

• Usability of CPS,

• Workplace (visual angle of alarm CRT, location of CPS CRT), etc.

The total number of HEDs is 362, and the status is shown in Table 18.1.4.4.1-2.

B. Subjective Rating

A qualitative evaluation is performed for APR1400 MMI features with respect to their effectiveness in
supporting representative tasks that are associated with each of the MMI features (to determine which
design characteristics should be improved in the next design phase). The evaluation proceeds
as follows:

• Operators serve as subjects; six MCR operators participate.

• Each subject practices the tasks specified in the Task Set through LDP, display, soft control, alarm,
and CPS.

• After performing the tasks, the subject rates each of the tasks by comparing the YGN 3&4
MMI and the APR1400 MMI in terms of how the MMI feature (e.g., LDP, display, soft control, alarm, and CPS)
supports the specified tasks.

The results of the subjective rating are shown in Table 18.1.4.4.1-3. The results in the table are
summarized as follows:

• About 78 % of the subjects rate the current MMI as 'improved' or 'as-good'.

• At least 90 % of the subjects rate the CPS as 'improved' or 'as-good'.

• About 42 % of the subjects rate the Soft Control as 'needed improvement'.

18.1.4.4.2 APR1400 Phase III Suitability Verification/Integrated System Validation

18.1.4.4.2.1 Purpose

The HFE V&V activities have been performed in project Phase III to contribute toward demonstrating the
appropriateness of the APR1400 MMI design, especially from the perspective of the human factors issues
of the computer-based control room. The objectives of these evaluations include:

• To determine that the APR1400 MMI features are acceptable for task performance and conformance to the
HFE design principles.

• To establish the adequacy of functional requirements that are produced in the general (reference) functional
design.

• To identify the problems of the MMI design to be addressed before the final V&V when design changes
become more difficult.

18.1.4.4.2.2 Scope

The human factors evaluation for APR1400 Phase III is performed through a two-step process: 1) SV and
2) integrated system validation. The SV evaluates whether the form and arrangement of MMI
indications and controls and the environment support operator task accomplishment. This activity is to
determine whether the MMI provided by the displays, controls, and other control room features is
effectively designed to support task accomplishment. Two approaches are applied: "top-down" and
"bottom-up". The "top-down" approach evaluates the appropriateness of the design selections
in the context of the big picture. This is a knowledge-based review that considers the overall system
design, the nature of real-world operator tasks, and the integration of the parts of the man-machine
interface into a coherent and easily used whole. The "bottom-up" approach applies the HFESGB as elemental
MMI criteria.

The objective of the integrated system validation is to ensure that the sum of the various MMI features
provides usable work ensembles that support the successful accomplishment of the operator's required tasks
(i.e., to validate performance of the integrated MMI system for APR1400). Three stages of the iterative
design evaluation (i.e., Preliminary Validation (PV) 1, 2, and 3) and the Interim V&V have been performed
to accomplish the objective. Brief descriptions of these activities are summarized in Table 18.1.4.4.2-1.

18.1.4.4.2.3 Organization and Schedule

The schedule and participants for each activity are shown in Table 18.1.4.4.2-2.

18.1.4.4.2.4 Results

18.1.4.4.2.4.1 Human Engineering Discrepancy and Subjective Rating

Bottom-up SV and top-down SV were performed and HEDs of the MMI design were identified. In the APR1400
Phase III top-down SV, human factors specialists from universities were involved to identify HEDs from
diverse points of view. HEDs were identified and are being resolved and implemented into the design and
dynamic mockup. The total number of HEDs is 254, and the status is shown in Table 18.1.4.4.2-3.

The results of the subjective rating for the MMI realized on the full scope dynamic mockup are provided
in Table 18.1.4.4.2-4. The results in the table are summarized as follows:

• About 87 % of the subjects rate the current MMI as 'improved' or 'as-good'.

• About 100 % of the subjects rate the LDP as 'improved' or 'as-good'.

• At least 88 % of the subjects rate the CPS as 'improved' or 'as-good'.

• About 20 % of the subjects rate the Soft Control as 'needed improvement'.

18.1.4.4.2.4.2 Evaluation Results of Integrated System Validation

A. PV 1

The first set in a series of PVs was completed by the end of 2000. The PV1 test set included five
integrated concept tests. The main purpose of the concept tests was to demonstrate that the basic approach
to the individual MMI resources was sound. In addition, the concept tests addressed various hypothetical
issues raised about the design, and identified remaining design problems and opportunities for design
improvement. The results and conclusions from PV1 are summarized for each concept test as follows:

Large Display Panel Test: This test demonstrated that the LDP alone permits experienced operators to
diagnose most design basis events without difficulty. Situation awareness was generally supported except
in the case of two segments where plant processes created naturally ambiguous indications (Loss of all
feed-water via feed-line break and excess steam demand). Operators uniformly felt that LDP improved
on the overall process view now presented by conventional control rooms. The LDP design concept is thus
judged acceptable, and the main issue of Situation Awareness is closed.

Soft Control Test: This test demonstrated that the soft control is basically adequate for performing various
feed-water control tasks in series (on a single controller) and in parallel (on two controllers). None of the
dual task combinations were found to create highly error-prone conditions. Operators found the general
characteristics of soft control appearance, behavior, and response to be similar to existing control room
equipment. However, some specific refinements to the mockup implementation and design were
recommended. Thus, the soft control design concept is judged acceptable.

Alarm System/Large Display Panel Test: This test demonstrated that the Alarm System (AS) list
displays are sufficient for processing alarm information. Operators showed mixed preferences for the basic
time-sequential list and the priority-categorized list, but found both lists to be compatible with their
experience so that they were natural to use. The prioritized list was rated generally to present lower
workload and lower task complexity, and may have a performance advantage over the basic list in high
alarm load (i.e. alarm avalanche) conditions. The AS design concept is thus judged acceptable, and the
main issue of prioritization effectiveness is closed.

Workstation Display/Soft Control Test: This test demonstrated that navigation on the workstation
display (WSD) is easy to learn and to perform. In addition, it was shown that, as in conventional control
rooms, the WSD provides an effective means to execute hardcopy emergency operating procedures. The
WSD design concept is thus judged acceptable, and the main issue of adequate navigation is closed.

Computerized Procedure System/Workstation Display/Soft Control Test: This test demonstrated that
the computerized procedure system (CPS) is also easy to learn and use. In addition, it was shown that
workload and task complexity are judged lower using the CPS to execute EOPs than using the paper based
procedure (PBP) to execute EOPs. Overall, operators judged the CPS to be a substantial improvement to
conventional procedures. The CPS design concept is thus judged acceptable.


B. PV 2

PV2 was the second set in a series of PV exercises in APR1400 Phase III. The main purpose of PV2 was
to contribute to demonstrating that the integrated MMI resources are fundamentally sufficient for safe
operation. In addition, PV2 provided the opportunity to address various Advanced Control Room (ACR)
related human factors issues (see Table 18.1.4.4.2-5), which were devised by reviewing the previous
theoretical studies and experiences of similar MMI development. In order to accomplish the objectives,
the tests were carried out by collecting the crews' performance data. The tests were performed in a high-fidelity
simulator with four experienced KSNP crews. The results and conclusions from PV2 are summarized as
follows:

Overall Design: The results of PV2 showed no fundamental deficiencies in the basic APR1400 MMI
design concept. Some comments from the crews did not reflect problems with the basic design, instead
falling into two main categories: Relevant matters of detailed design implementation, or irrelevant matters
that can be traced to the temporary mockup implementation or the simulator behavior. From evaluation
of these comments and results, twenty-seven HEDs were identified.

Operator Performance: The performance was measured by the following methods: NASA Task Load
Index (NASA-TLX), Task Complexity Index (TCI), Korean Situation Awareness Index (KSAX). The
results of the analysis showed that the APR1400 MMI design had positive effects on the operator
performance. Operators' workload was rated as being at an acceptable level during the normal and emergency
conditions. In the case of the operators' situation awareness, there were significant differences between
the APR1400 MMI and conventional MMI: the crews rated having better situation awareness in the
APR1400 MMI than in the conventional MMI.

Human Factors ACR Issues: Comments and feedback, which were obtained from a group of subject
matter experts (SMEs), provided the primary means to confirm whether the ACR issues are or are not
actual issues in the APR1400 MMI design. In the PV2, a total of twenty-four issues were considered.
According to the results, thirteen issues were closed. The issues proposed for 'open' were identified as
follows: searching for non-directed cues, supporting selection and formulation of actions, smooth transition
from cue to understanding, supporting control action, preventing tunnel vision, supporting verbal
communication between operators, and so on. The 'open' issues were evaluated in the PV3.

C. PV3

The main objectives of PV3 were: (1) to demonstrate that integrated APR1400 MMI resources are
effectively designed to support task accomplishment for safe operation, (2) to confirm that design changes
reflecting the results of PV2 are effective and do not introduce new problems, and (3) to verify the human
factors ACR issues. In order to accomplish the objectives, the tests were performed in a high-fidelity
simulator with four experienced KSNP crews. Four accident scenarios were given to each crew with
some familiarization sessions, and the following data were collected: operators' ratings on ACR issues,
situation awareness, workload, and descriptions from the SMEs' observation. The results and conclusions from
PV3 are summarized as follows:

Overall Design: Three aspects were considered to evaluate the overall design of the APR1400 MMI:
'overall performance', 'overall design consistency', and 'overall usability and acceptability'.
According to the results of the analysis, the APR1400 MMI received a favorable rating and all subject
crews successfully led the plant to safe conditions in all simulated scenarios. Therefore, it should be fair
to conclude that the APR1400 MMI system is well acceptable from the perspective of the overall design.
However, seven HEDs were identified. Design deficiencies of the alarm system and soft control were
found, and these were determined as HEDs to look at in the future evaluation activity.

Operator Performance: KSAX was used to evaluate the situation awareness of operators, and NASA-TLX
was used to measure the workload of operators. In this evaluation, operators were requested to mentally
compare the measures achieved through the APR1400 MMI with those achieved through the conventional
MMI. The result of the analysis revealed that the APR1400 MMI contributed to situation awareness
significantly more than the conventional MMI. In the case of operators' workload, there was no significant
difference between the APR1400 MMI and the conventional MMI.

Human Factors ACR Issues: Twenty-seven ACR issues identified in the PV2 were aggregated into
twenty-one essential issues at a practical manageable level. Among these, nineteen issues were evaluated
in PV3. The results of the analysis showed that thirteen issues were 'closed'. Among the issues, the
APR1400 MMI appeared significantly better than the conventional MMI in twelve issues. The issues
proposed for 'open' were identified as follows: searching directed or non-directed cues, establishing and
maintaining situation awareness of events and anomalies, smooth transition from one MMI to another,
supporting the soft control for action implementation and confirmation, and supporting verbal
communication. The 'open' issues were evaluated in the interim V&V.

D. Interim V&V

The objectives of the Interim V&V were twofold: (1) to ensure the APR1400 MMI design can be
effectively operated by personnel within all performance requirements and (2) to resolve or verify all of
the identified ACR issues, HEDs, and questions or comments by KINS. In the Interim V&V, four crews
from KSNP participated with some training sessions and the following performance measures were
considered: transient management, situation awareness, workload, team interaction, and the crew's overall
performance. The ACR issues were evaluated by using the subjective judgement of operators. The
results and conclusions of the Interim V&V are summarized as follows:

Transient Management: The ability of transient management was estimated through the objective
performance analysis using the plant parameter data (e.g., pressurizer level, steam generator level, reactor
pressure, total steam flow, and so on). In addition, the completion times of standard post event action
(SPTA) and diagnosis event (DE) were measured to analyze the effects of CPS on operators' transient
management compared with the PBP. The analysis results of the plant parameter data revealed that all
crews performed important mitigation tasks equally well, i.e., all of the crews that participated in the test
correctly diagnosed the problem for all testing scenarios. The only inappropriate operation was that all four
crews overfilled the respective S/G during the SGTR. However, this finding was caused by adapting an
inappropriate tube rupture level in the process of simulation control, and thus it was not a critical
problem. As a result, the operators in the APR1400 control room are able to manage the demands of the
transient without any problem.

In the case of the completion time of SPTA and DE, the crews were faster handling transients with the CPS
than with the PBP. The time varied depending on the scenario types and crews. However, these results
did not reflect better or worse performance of the transient management. The general consensus of the
operators was that, from the perspective of task speed while guaranteeing accuracy, the CPS was a
beneficial support system for managing transients.

Operator Performance: KSAX was applied to evaluate the operators' situation awareness. The result of
the analysis revealed that there were significant differences in situation awareness between the APR1400
MMI and conventional MMI: the crews rated having better situation awareness in the APR1400 MMI.
NASA-TLX was used to measure the workload level of operators. In the case of operators' workload, there
was no difference between the APR1400 MMI and the conventional MMI.

The Observation Rating Form, the Korean version of the HRP's Crew Performance Rating Inventory, was used
to evaluate the crew's operation performance. Each rating item consists of four sub-dimensions:
solution path, control of plant, communication, and confidence. Statistical analyses were conducted for
the ratings with a null hypothesis that the overall performance of each crew maintains a moderate level. The
result revealed that the crews maintained a high level of overall performance during the tests.

Team Performance and Interaction: Team performance and interaction was evaluated by means of the
Behaviorally Anchored Rating System (BARS), which consists of the following five dimensions:
communication, team spirit, openness, coordination as a crew, and task focus/decision making. Statistical
analyses were conducted for BARS ratings with a null hypothesis that the team interaction maintains a
moderate level. The result of the analysis revealed that the crews maintained a high level of team interaction
during the tests. The raters (SMEs) pointed out that one explanation for the crews maintaining high team
interaction related to the control room layout. That is, the design of the APR1400 MMI layout, placing the
operators near one another (i.e., wrap-around design) and providing a common overview display (i.e.,
LDP), improved team performance and interaction.

Human Factors ACR Issues: Six human factors ACR issues, which were determined as 'open' through
the previous HFE V&V activities, were tested in the Interim V&V. The results of the analysis showed that
one issue was determined as 'closed'. The 'open' issues were identified as follows: searching for cues
(directed or non-directed), establishing and maintaining situation awareness of events and anomalies,
smooth transition from one MMI to another, and supporting soft control for action implementation and
confirmation. Relevant to the 'open' issues, the design deficiencies stood out as follows: (1) the number
of alarms (including flags) activated in the event list during a serious plant transient, (2) an inappropriate
ergonomic design in the alarm coding mechanism, and (3) the difficulty of reading the alarm messages. These
design issues will be recorded in the Issues Tracking System and will be re-evaluated in the plant
construction project.

Table 18.1.4.1.4-1 MMI Design Team Composition (Phase II)

Discipline Full-time members Part-time members


Technical Project Management 2
Systems Engineering 6
I & C Engineering 1
Architect Engineering 1
Human Factor Engineering 1 1
Plant Operations 2
Computer System Engineering 4 1


Table 18.1.4.1.4-2 MMI Independent Review Team Composition (Phase II)

Discipline Full-time members Part-time members


Systems Engineering 2
Nuclear Engineering 1
I & C Engineering 2
Human Factor Engineering 3
Plant Operations 1
Computer System Engineering 2
Plant Procedure Development 1
Personal Training 1
Systems Safety Engineering 1
Maintainability/Inspectability Engineering 2
Reliability/Availability Engineering 1

Table 18.1.4.1.4-3 MMI Design Team Composition (Phase III)

Discipline Full-time members Part-time members


Technical Project Management 2
Systems Engineering 4
I & C Engineering 4
Nuclear Engineering 1
Human Factor Engineering 5 6
Plant Operations 1
Personal Training 1
Maintainability/Inspectability Engineering 1
Computer System Engineering 5

Table 18.1.4.1.4-4 MMI Independent Review Team Composition (Phase III)

Discipline Full-time members Part-time members


Architect Engineering 1
Human Factor Engineering 2
Systems Safety Engineering 1
Reliability/Availability Engineering 1

Table 18.1.4.2.2-1 Success Paths

Safety Grade Non-Safety Grade


Critical
Function
KSNP APR1400 KSNP APR1400
Reactivity Reactor Trip Reactor Trip Rod Control Rod Control
Control Safety Injection Safety Injection CVCS Boration CVCS Boration
Maintenance of Emergency Diesels Emergency Diesels Unit Transformers Unit Transformer Backfeed
Vital Auxiliaries AAC Generator Station Batteries Backfeed Alt. AC Generator
Station Batteries Station Batteries Station Batteries
Standby Aux. Transformers Standby Aux. Transformer
RCS Inventory Safety Injection Safety Injection CVCS Charging & letdown CVCS Charging & Letdown
Control

RCS Pressure Safety Injection Safety Injection PZR Heaters & Sprays PZR Heaters & Sprays
Control Reactor Coolant Gas Vent Reactor Coolant Gas Vent CVCS Charging & Letdown CVCS Charging & Letdown
Primary Reliefs Primary Reliefs CVCS Aux. Spray CVCS Aux. Spray

SG Steaming SG Steaming
Safety Depressurization Safety Depressurization and
System Vent System
Core Heat Removal Natural Circulation Natural Circulation Forced Circulation Forced Circulation
Safety Injection Safety Injection
RCS Heat Removal Auxiliary Feed Auxiliary Feed Main Feed Main Feed
Shutdown Cooling Shutdown Cooling Startup Feed Startup Feed
Safety Depressurization Safety Depressurization and
System Vent System

Table 18.1.4.2.2-1 Success Paths (Cont'd)


Critical Safety Grade Non-Safety Grade
Function KSNP APR1400 KSNP APR1400
Containment Penetration Penetration Flowpath Penetration Flowpath Penetration Flowpath
Isolation Flowpath Isolation Isolation Control Control

Containment Containment Spray Containment Spray Fan Coolers Fan Coolers


Environment H2 Recombiners PAR Reactor Containment H2 Reactor Containment H2
Purge Purge
H2 Ignitors H2 Ignitors, PAR
Radiation Emission Release Path Isolation Release Path Isolation Release Path Monitoring & Release Path Monitoring &
Control Control

Table 18.1.4.2.2-2 Success Path Allocations

Critical Function: A. Reactivity Control

| Success Paths | Protective System or Commodity | Allocation Requirements: 10 CFR 50 | Allocation Requirements: NUREG/CR-3331 | APR1400: Auto Init | APR1400: Manual Init | APR1400: Control | APR1400: Justification for Solely Manual Init/cntl of Protective System (IEEE 603-1991) |
|---|---|---|---|---|---|---|---|
| Reactor Trip | YES | Auto Init (GDC 20) | 1b-d; 2; 9d, e | RPS, APS | YES | AAM | - |
| Safety Injection | NO | - | 5; 9d, e | SIAS | YES | AXM | - |
| CVCS (boration) | NO | - | 8 | NO | YES | AOM | - |
| Rod Control | NO | - | 6 | NO | YES | Manual | - |

Table 18.1.4.2.2-2 Success Path Allocations (Cont'd)

Critical Function: B. Maintenance of Vital Auxiliaries

| Success Paths | Protective System or Commodity | Allocation Requirements: 10 CFR 50 | Allocation Requirements: NUREG/CR-3331 | APR1400: Auto Init | APR1400: Manual Init | APR1400: Control | APR1400: Justification for Solely Manual Init/cntl of Protective System (IEEE 603-1991) |
|---|---|---|---|---|---|---|---|
| Emergency Diesel Generators (AC) | YES | Auto init (GDC 20) | 1c-d; 2; 9d, e, f | LOOP, SIAS, AFAS | YES | AXM | - |
| Standby Aux Transformers (Site AC) | YES | Auto init (GDC 20) | 1b-d; 2; 9d, e, f | Loss of Unit Main Xfmr | YES | AXM | - |
| Vital Station Batteries (DC) | YES | Auto init (GDC 20) | 1b-d; 2; 9d, e, f | Loss of vital AC | YES | AXM | - |
| Alternate AC Generator (AC) | NO | - | 5; 9d, e, f | LOOP | YES | AXM | - |
| Unit Main Transformer (Site AC) | NO | - | 8 | NO | YES | AOM | - |
| Non-Vital Batteries (DC) | NO | - | 1b; 2; 9d, e, f | Loss of Non-vital AC | NO | Auto | - |

Table 18.1.4.2.2-2 Success Path Allocations (Cont'd)

Critical Function: C. RCS Inventory Control

| Success Paths | Protective System or Commodity | Allocation Requirements: 10 CFR 50 | Allocation Requirements: NUREG/CR-3331 | APR1400: Auto Init | APR1400: Manual Init | APR1400: Control | APR1400: Justification for Solely Manual Init/cntl of Protective System (IEEE 603-1991) |
|---|---|---|---|---|---|---|---|
| Safety Injection | YES | Auto Init (GDC 20) | 1b-d; 2; 9d,e,f | SIAS | YES | AXM | - |
| CVCS (Charging & Letdown) | NO | - | 8 | NO | YES | AOM | - |

Table 18.1.4.2.2-2 Success Path Allocations (Cont'd)

Critical Function: D. RCS Pressure Control

| Success Paths | Protective System or Commodity | Allocation Requirements: 10 CFR 50 | Allocation Requirements: NUREG/CR-3331 | APR1400: Auto Init | APR1400: Manual Init | APR1400: Control | APR1400: Justification for Solely Manual Init/cntl of Protective System (IEEE 603-1991) |
|---|---|---|---|---|---|---|---|
| Safety Injection | YES | Auto init (GDC 20) | 1b-d; 2; 9d,e,f | SIAS | YES | AXM | - |
| Reactor Coolant Gas Vent (Safety Depressurization) | YES | Auto init (GDC 20) | (1c); 6 | NO | YES | Manual | System is credited for providing depressurization ability to SCS entry conditions. Rapid response is not required (cooldown typically takes 8-12 hours). But spurious system actuation could compromise safety. Thus, auto initiation is not necessary or desirable. Operator actions performed under normal MCR habitability conditions. |
| PZR Heaters & Sprays | NO | - | 5; 9d-f | NO | YES | AOM | - |
| CVCS (Charging & Letdown Aux Spray) | NO | - | 6 | NO | YES | AOM | - |
| SG Steaming | NO | - | 6 | NO | YES | AOM | - |
| Safety Depressurization System | NO | - | (1,3,5); 6 | NO | YES | Manual | - |
| Pressure Reliefs | YES | Auto init (GDC 20) | 1b-d; 2 | Pressure Set point | NO | Auto | - |

Table 18.1.4.2.2-2 Success Path Allocations (Cont'd)

Critical Function: E. Core Heat Removal

| Success Paths | Protective System or Commodity | Allocation Requirements: 10 CFR 50 | Allocation Requirements: NUREG/CR-3331 | APR1400: Auto Init | APR1400: Manual Init | APR1400: Control | Justification for Solely Manual Init/cntl of Protective System (IEEE 603-1991) |
|---|---|---|---|---|---|---|---|
| Natural Circulation | YES | Auto init (GDC 20) | 1c, d; 2 | Passive | YES | AXM | - |
| Forced Circulation | NO | - | 8 | NO | YES | Manual | - |
| Safety Injection (Direct Vessel Injection) | YES | Auto init (GDC 20) | (1c); 6 | SIAS | YES | AXM | DVI provides an added success path (not the preferred means) for Core Heat Removal. For DBEs. Loss of natural circulation may imply prior RCS pressure or inventory problems and possible auto SI initiation but not for Heat Removal. With SI initiation, DVI lineup is automatically established. Operator has responsibility to evaluate Core Heat Removal performance to modify SI lineup to best suit plant conditions and to initiate and maintain heat sink performance. |

Table 18.1.4.2.2-2 Success Path Allocations (Cont'd)

Critical Function: F. RCS Heat Removal

| Success Paths | Protective System or Commodity | Allocation Requirements: 10 CFR 50 | Allocation Requirements: NUREG/CR-3331 | APR1400: Auto Init | APR1400: Manual Init | APR1400: Control | Justification for Solely Manual Init/cntl of Protective System (IEEE 603-1991) |
|---|---|---|---|---|---|---|---|
| Main Feed | NO | - | 8 | NO | YES | AOM | - |
| Start Up Feed | NO | - | 8 | NO | YES | Manual | - |
| Auxiliary Feed | YES | Auto & Manual init (GDC 20; 50.34(f)(2)(xii); 50.62(c)) | 1b-d; 2; 9e | AFAS | YES | AXM | - |
| Safety Depressurization and Vent System | NO | - | (1,3,5); 6 | NO | YES | Manual | - |
| Shutdown Cooling | YES | Auto init (GDC 20) | (1c); 6 | NO | YES | AOM | SCS not initially useful as success path in DBEs and inadvertent initiation is problematic: thus manual operation is desirable. Actions performed under normal MCR habitability conditions |

Table 18.1.4.2.2-2 Success Path Allocations (Cont'd)

Critical Function: G. Containment Isolation

| Success Paths | Protective System or Commodity | Allocation Requirements: 10 CFR 50 | Allocation Requirements: NUREG/CR-3331 | APR1400: Auto Init | APR1400: Manual Init | APR1400: Control | Justification for Solely Manual Init/cntl of Protective System (IEEE 603-1991) |
|---|---|---|---|---|---|---|---|
| Penetration Flowpath Isolation | YES | Auto init, Manual Reset (GDC 20; 50.34(f)(2)(xiv)) | 1b-d; 2; 9e | CIAS | YES | AXM | - |
| Penetration Flowpath Control | NO | - | 8 | NO | YES | Manual | - |

Table 18.1.4.2.2-2 Success Path Allocations (Cont'd)

Critical Function: H. Containment Environment

| Success Paths | Protective System or Commodity | Allocation Requirements: 10 CFR 50 | Allocation Requirements: NUREG/CR-3331 | APR1400: Auto Init | APR1400: Manual Init | APR1400: Control | Justification for Solely Manual Init/cntl of Protective System (IEEE 603-1991) |
|---|---|---|---|---|---|---|---|
| Containment Spray | YES | Auto init (GDC 20) | 1b-d; 2; 9e | CSAS | YES | AXM | - |
| Fan Coolers | NO | - | 8 | NO | YES | AOM | - |
| PAR | NO | - | - | NO | NO | - | - |
| H2 Purge | NO | - | (3b, c; 4); 6 | NO | YES | Manual | - |
| H2 Ignitors | NO | - | (1, 3, 5); 6 | NO | YES | Manual | - |

Table 18.1.4.2.2-2 Success Path Allocations (Cont'd)

Critical Function: I. Radiation Emission

| Success Paths | Protective System or Commodity | Allocation Requirements: 10 CFR 50 | Allocation Requirements: NUREG/CR-3331 | APR1400: Auto Init | APR1400: Manual Init | APR1400: Control | Justification for Solely Manual Init/cntl of Protective System (IEEE 603-1991) |
|---|---|---|---|---|---|---|---|
| Release Path Isolation | YES | Auto init (GDC 20; 50.34(f)(2)(xiv)(e)) | 1b-d; 2; 9e | Hi Rad; CIAS | YES | AXM | - |
| Release Path Monitoring & Control | NO | - | 8 | NO | YES | Manual | - |

Table 18.1.4.2.3-1 Decomposition Table

EVENT: Steam Generator Tube Rupture


Task No 1.3.1
Task Description Verify PZR Level & Trend
Information/Alarm PZR Level Ind (NR: 15 - 70%)
Information Tag RC - LI - 110XA
Control
Control Tag
System RC
MCB PM05
Feedback
Error
Behavior Implication
Time
Comments
Remark

Table 18.1.4.2.3-2 Display and Control Inventory Table
EVENT: Steam Generator Tube Rupture

| Task No | Task Description | System | Information/Alarm | Information Tag | Control | Control Tag |
|---|---|---|---|---|---|---|
| 1.3.1 | Verify PZR LVL & Trend | RC | PZR LVL Ind (NR: 15-70%) | RC-LI-110XA | | |
| 1.3.1 | Verify PZR LVL & Trend | RC | PZR LVL Ind (NR: 15-70%) | RC-LI-110YA | | |
| 1.3.1 | Verify PZR LVL & Trend | RC | PZR LVL Rec | RC-LR-110 | | |
| 1.3.3 | Verify RCP Seal Inj/Bleed off Flow | RC | Bleed off Flow Ind (Flow Status) | RC-FI-156 | | |
| 1.3.3 | Verify RCP Seal Inj/Bleed off Flow | RC | Bleed off Flow Ind (Flow Status) | RC-FI-166 | | |
| 1.3.3 | Verify RCP Seal Inj/Bleed off Flow | RC | Bleed off Flow Ind (Flow Status) | RC-FI-176 | | |
| 1.3.3 | Verify RCP Seal Inj/Bleed off Flow | RC | Bleed off Flow Ind (Flow Status) | RC-FI-186 | | |
| 1.4.1 | Verify RCS Press Trend | RC | PZR Press Ind (2 CH) (NR: 137-165Kg/cm2A) | RC-PI-101A | | |
| 1.4.1 | Verify RCS Press Trend | RC | PZR Press Ind (2 CH) (NR: 137-165Kg/cm2A) | RC-PI-101B | | |
| 1.4.1 | Verify RCS Press Trend | RC | PZR Press Ind (2 CH) (NR: 137-165Kg/cm2A) | RC-PI-101C | | |
| 1.4.1 | Verify RCS Press Trend | RC | PZR Press Ind (2 CH) (NR: 137-165Kg/cm2A) | RC-PI-101D | | |

Table 18.1.4.2.3-3 Pressurizer Press List
EVENT: Steam Generator Tube Rupture

| Task No | Task Description | System | Information/Alarm | Information Tag | Control | Control Tag |
|---|---|---|---|---|---|---|
| 1.4.1 | Verify RCS Press Trend | RC | PZR Press Ind (2 CH) (NR: 137-165Kg/cm2A) | RC-PI-101A | | |
| 1.4.1 | Verify RCS Press Trend | RC | PZR Press Ind (2 CH) (NR: 137-165Kg/cm2A) | RC-PI-101B | | |
| 1.4.1 | Verify RCS Press Trend | RC | PZR Press Ind (2 CH) (NR: 137-165Kg/cm2A) | RC-PI-101C | | |
| 1.4.1 | Verify RCS Press Trend | RC | PZR Press Ind (2 CH) (NR: 137-165Kg/cm2A) | RC-PI-101D | | |
| 2.4.1 | Verify RCS Press Trend | RC | PZR Press Ind (2 CH) (NR: 137-165Kg/cm2A) | RC-PI-101A | | |
| 2.4.1 | Verify RCS Press Trend | RC | PZR Press Ind (2 CH) (NR: 137-165Kg/cm2A) | RC-PI-101B | | |
| 2.4.1 | Verify RCS Press Trend | RC | PZR Press Ind (2 CH) (NR: 137-165Kg/cm2A) | RC-PI-101C | | |
| 2.4.1 | Verify RCS Press Trend | RC | PZR Press Ind (2 CH) (NR: 137-165Kg/cm2A) | RC-PI-101D | | |
| 3.1 | Verify PZR LVL & Press | RC | PZR Press Ind. (WR: less than 128.3 kg/cm2A) | RC-PI-102AA | | |
| 3.1 | Verify PZR LVL & Press | RC | PZR Press Ind. (WR: less than 128.3 kg/cm2A) | RC-PI-102BA | | |

Table 18.1.4.2.3-4 Pressurizer Press Characteristics
(RC-PI-101A, RC-PI-101B, RC-PI-101C, RC-PI-101D, RC-PI-102AA, RC-PI-102BA)
EVENT: Steam Generator Tube Rupture

| Characteristic | | Rationale |
|---|---|---|
| Display | Value | A value is needed to assess the parameter with the constraints or limits of PZR operation, such as verification of RCS pressure trend, RCS cooling, PZR pressure, isolation of ESF signals, depressurization and isolation of safety injection tank, and shutdown cooling system entry conditions. |
| Range | 19-165 | The low value (19) is a minimum to monitor the status of SI pump. The high value (165) is the required pressure to monitor the trend of RCS pressure. |
| Accuracy | + or - 0.1 | It is the required accuracy to assess process condition, equipment status, and operation limits. |
| Units | Kg/cm2 | The unit which is familiar to operator should be used. |

Table 18.1.4.2.3-5 Task Error / Behavior Implication / Comments
EVENT: Steam Generator Tube Rupture

| Task No | Task Description | System | Task Error | Behavior / Comments |
|---|---|---|---|---|
| 1.3.1 | Verify PZR LVL & Trend | RC | Operator can confuse the actual display value with the setpoint value. | It is inconvenient to compare PZR LVL trend setpoint value between two recorders because they are not closely located. (Close assignment or Two pen recorder is recommended.) |
| 1.3.3 | Verify RCP Seal Injection/Bleed off Flow | RC | Operator calculates the total bleed off flow manually | |
| 1.3.3 | Verify RCP Seal Injection/Bleed off Flow | RC | Operator calculates the total bleed off flow manually | |
| 1.3.3 | Verify RCP Seal Injection/Bleed off Flow | RC | Operator calculates the total bleed off flow manually | |
| 1.3.3 | Verify RCP Seal Injection/Bleed off Flow | RC | Operator calculates the total bleed off flow manually | |
| 1.4.1 | Verify RCS Press Trend | RC | When the RCS Press is out of NR, operator can misjudge it as the actual value is maintained within the allowable limit. | |

Table 18.1.4.2.3-6 MCR Minimum Inventory of Fixed Position Alarms, Displays and Controls

Parameter Description Alarms Displays Controls

Off Site Bus Voltage Status X
Class 1E 120 Vac Instrument Panel Voltage Status X X
Class 1E 125 Vdc Control Center Voltage Status X X
24 kV Main Turbine Generator Output Breaker Position X X X
4.16 kV Class 1E Bus Breaker Positions (Supply) X X
4.16 kV Class 1E Voltage Status X X
4.16 kV Diesel Generator Output Breaker Position X X
4.16 kV Diesel Generator Start Control X X
4.16 kV Diesel Generator Synchroscope X X
4.16 kV Standby Auxiliary Transformer Output Voltage Status X
480 Vac Class 1E Voltage Status X X
Atmospheric Dump Valve Position X X
CEA Position X
CET X(1)
CIAS Actuation X X
CIAS Success Monitor X X(1)
CCW HX Inlet Valve Position X X
CCW HX Outlet Valve Position X X
CCW HX Outlet Flow X
CCW Pumps On/off X X

(1) Reg. Guide 1.97 Category 1 Instrumentation.


Table 18.1.4.2.3-6 MCR Minimum Inventory of Fixed Position Alarms, Displays and Controls (Cont'd)

Parameter Description Alarms Displays Controls

CCW Surge Tank Level X
Containment Hydrogen Level (when analyzer is in operation) X X(1)
Containment Pressure X X(1)
Containment Radiation X X(1)
CSAS Actuation X X
Containment Spray Flow X
Containment Spray Pump on/off X X
Containment Spray Pump Discharge Valve Position X X
Containment Temperature X X
DVI Valve Position X X
AFAS Actuation X X
AFW Flow Control Valve Position X X
AFW Header Flow X
AFW Motor-Driven Pump on/off X X
AFW Pump Suction Pressure X
AFW Steam-Driven Pump on/off X X
AFW-to-SG Isolation Valve Position X X
AFW Storage Tank Level X X(1)
Hot Leg Injection Valve Position X X
IRWST Level X

(1) Reg. Guide 1.97 Category 1 Instrumentation.


Table 18.1.4.2.3-6 MCR Minimum Inventory of Fixed Position Alarms, Displays and Controls (Cont'd)

Parameter Description Alarms Displays Controls

Main Control Room HVAC Isolation Dampers X X
Main Steam Radiation (Area Monitors & Line Monitors) X
Main Steam Safety Valve Position X
SG Safety Valve Position X
MSIS Actuation X X X
Auxiliary Building Ventilation Radiation X
Primary Coolant Radiation X X(1)
PZR Backup Heaters on/off X X
PZR Level X X(1)
PZR Pressure X X(1)
POSRV Position X X
RCP on/off X X
RCS Cold Leg Temperature X(1)
RCS Hot Leg Temperature X(1)
RCS Pressure X(1)
RCS Subcooling Margin X X(1)
Reactor Cavity Level X X(1)
Reactor Coolant Gas Vent Valve Position X X
Reactor Power (NI) X(1)
Reactor Trip (RPS) X X

(1) Reg. Guide 1.97 Category 1 Instrumentation.


Table 18.1.4.2.3-6 MCR Minimum Inventory of Fixed Position Alarms, Displays and Controls (Cont'd)

Parameter Description Alarms Displays Controls

Reactor Vessel Level X X(1)
SCS Flow (While SCS is in Operation) X X
SCS Isolation Valve Position (& LTOP) X X X
SCS HX Bypass Valve Position X X
SCS HX CCW Supply/isolation Valve Position X X
SCS HX Bypass Inlet & Outlet Temperature (When SCS is in Operation) X
SCS HX Outlet Valve Position X X
SCS Pump on/off X X
SCS/CSS Pump Suction Cross-connect Valve Position X X
SCS/CSS Pump Discharge Cross-connect Valve Position X X
SIAS Actuation X X
SI Flow X
SI Pump on/off X X
SI Throttling Isolation Valve Position X X
Spent Fuel Pool Level X
Startup Rate (NI) X
CCW HX Essential Service Water Inlet Isolation Valve Position X X
CCW HX Essential Service Water Outlet Isolation Valve Position X X
CCW HX Essential Service Water Outlet Flow X
ESW Pump on/off X X

(1) Reg. Guide 1.97 Category 1 Instrumentation.


Table 18.1.4.2.3-6 MCR Minimum Inventory of Fixed Position Alarms, Displays and Controls (Cont'd)

Parameter Description Alarms Displays Controls


SG Blowdown Sample Radiation X
SG Level X X(1)
SG Pressure X X(1)
Vacuum Pump Activity X
Turbine Trip X X
Charging Pump Status X X
BAMP Status X X
BAMP Suction and Discharge Valve Position X X
VCT Isolation Valve Position X X
BAST Gravity Feed Valves Position X X
Containment Water Level X X(1)
IRWST H2 Concentration X X(1)
SG Level Reference Leg Temperature X X(1)
IRWST Temperature X X(1)
HVT Level X X

(1) Reg. Guide 1.97 Category 1 Instrumentation.


Table 18.1.4.2.3-7 Critical Operator Actions Identified From APR1400 PSA

Description
Operator Fails to initiate Hot Leg Injection
Operator Fails to perform Aggressive Secondary Cooldown (for SGTR and small LOCA)
Operator Fails to maintain Secondary Heat Removal Operation (including align alternate water source)
Operator Fails to align CVCS to fill IRWST Following SGTR
Operator Fails to perform Feed & Bleed Operation
Operator Fails to reclose ADVs on the Ruptured SG-2
Operator Fails to line up and start MFW Startup FW Pump P07
Operator Miscalibration Error of Bistables for SIAS
Operator Fails to do RCS Cooldown and Depressurization (in Transient Scenario)
Operator Fails to perform Shutdown Cooling Operation (Injection and Long Term Cooling)
Operator Fails to initiate Emergency Boration using Charging Pump within 1 Hour
Operator Fails to establish RCS Pressure Control
Operator Fails to actuate SIAS Component Manually


Table 18.1.4.4.1-1 Schedule and Participant for Suitability Verification/Integrated System Validation (Phase II)

| NO | ACTIVITY | PERIOD | PARTICIPANT |
|---|---|---|---|
| 1 | SV Evaluation Team Awareness Meeting | 98.08.25 | MMI team; HF evaluation team |
| 2 | SV (Bottom-Up) | 98.08.31 - 98.09.11 | HF engineers, 5; HF engineer (ABB), 1 |
| 3 | SV (Top-Down) | 98.09.14 - 98.09.25 | HF engineers, 4; Operation experts, 5; HF engineer (ABB), 1 |
| 4 | PV | 98.10.19 - 98.10.23 | HF engineers, 4; Operation experts, 2; Trained operators, 5 |
| 5 | Development of SV Report | 98.10.26 - 98.11.30 | HF engineers, 3; HF engineer (ABB), 1 |

18.1.4.4.1-2 Total Number of HED for SV/PV (Phase II)

Display LDP Control Alarm CPS Workplace Total


B-U SV 55 30 40 23 20 6 174
T-D SV 48 30 21 33 25 9 166
PV 5 1 2 0 12 2 22
Total 108 61 63 56 57 17 362


18.1.4.4.1-3 Results of Subjective Rating (Phase II)

RATING
Improved As-Good Degraded Unaccept
LDP 30.4% 49.6% 18.4% 1.6%
DISPLAY 12.4% 63.5% 22.3% 1.8%
SOFT CTRL 4.4% 53.1% 40.0% 2.5%
ALARM 36.0% 52.0% 12.0% 0%
CPS 47.2% 43.6% 7.7% 1.5%
TOTAL 26.1% 52.3% 20.1% 1.5%


Table 18.1.4.4.2-1 Integrated System Validation

| Activity | Objective | Measure |
|---|---|---|
| PV1 | To demonstrate basic adequacy for the various MMI system; To identify remaining design problems for remediable; To build iterative experience and data from preliminary tests to final design validation | Task speed or rate; Task accuracy or error; Task completeness; Task complexity; Situation awareness; Workload; Expert rating & comment |
| PV2 & PV3 | To demonstrate that combined MMI systems are fundamentally sufficient for safe operation; To confirm that design changes since PV1 (and/or PV2) are effective and do not introduce new problems; To identify remaining problems and opportunities to improve the MMI system design; To evaluate high-level human factors issues of the MMI system | Task complexity; Situation awareness; Workload; Expert rating & comment; System safety & performance |
| Interim V&V | To ensure the APR1400 MMI design can be effectively operated by personnel within all performance requirements proposed as relevant to the APR1400 MMI resources; To resolve or verify all of the identified HFE issues from the advanced control room issues, HEDs, and questions or comments by KINS. | Transient management; Situation awareness; Workload; Team interaction; Overall performance; Operator's subjective rating |

18.1.4.4.2-2 Schedule and Participant for Suitability Verification/Integrated System Validation (Phase III)

| No | Activity | Period | Participants |
|---|---|---|---|
| 1 | Bottom Up SV | 2000.04.18 - 2000.09.22; 2001.02.21 - 2001.08.03 | HF Engineer 1 (KOPEC) |
| 2 | Top-Down SV | 2000.07.19 - 2000.10.06 | MMI Design Team; HF Engineer 6; Process Expert 1; Operator 13 |
| 3 | Top-Down SV II | 2001.09.24 - 2001.11.04 | MMI Design Team; HF specialist 5; Process Expert 1; Operator 3 |
| 4 | PV I | 2000.10.18 - 2000.12.08 | MMI Design Team; HF Engineer 2; Process Expert 1; Operator 22 |
| 5 | PV II | 2001.03.12 - 2001.04.14 | MMI Design Team; HF Engineer 2; Process Expert 2; Operator 15 |
| 6 | PV III | 2001.08.07 - 2001.09.07 | MMI Design Team; HF Engineer 2; Process Expert 2; Operator 12 |
| 7 | Interim V & V | 2001.11.19 - 2001.12.14 | MMI Design Team; HF Engineer 2; Process Expert 3; Operator 12 |

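18.1.4.4.2-3 Total Number of HED for SV/PV (Phase III)

| | Alarm | CPS | Display | LDP | SC | Workplace | Etc. | Total |
|---|---|---|---|---|---|---|---|---|
| BUSV | - | - | 16 | 7 | 8 | - | 11 | 42 |
| BUSV II | 1 | 12 | 1 | - | - | - | - | 14 |
| TDSV | 25 | 15 | 19 | 18 | 20 | 16 | - | 113 |
| TDSV II | 18 | 13 | 13 | 3 | - | - | - | 47 |
| PV I | - | - | - | - | - | - | - | - |
| PV II | 9 | 5 | 2 | 3 | 3 | 5 | - | 27 |
| PV III | 4 | 1 | 2 | - | - | - | - | 7 |
| Interim V&V | 3 | 1 | - | - | - | - | - | 4 |
| Total | 60 | 47 | 53 | 31 | 31 | 21 | 11 | 254 |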

18.1.4.4.2-4 Results of Subjective Rating (Phase III)

RATING
Improved As-Good Degraded Unaccept
LDP 89% 11% 0% 0%
DISPLAY 42.2% 40.2% 17.6% 0%
SOFT CTRL 43.3% 36.7% 18.3% 1.7%
ALARM 60.5% 26.0% 13.5% 0%
CPS 68.0% 19.6% 10.3% 2.0%
TOTAL 26.1% 52.3% 20.1% 1.5%


18.1.4.4.2-5 Human Factors ACR Issues Specific to APR1400 MMI

| No | Concerns | Human Factors ACR Issues |
|---|---|---|
| 1 | Searching directed cues | Does AS support the operator in realizing the presence of and searching for directed cue information especially in plant disturbances? |
| 2 | Searching non-directed cues | Do LDP and AS support the operator in realizing the presence of and searching for non-directed cue information especially in plant disturbances? |
| 3 | Observing status after cue detection | Do AS, LDP, and WSDs support the operator in observing the plant status after detecting alerting cues? |
| 4 | Establishing & maintaining situation awareness of events & anomalies | Do LDP and WSDs support the whole crew in understanding the plant status especially in emergency operations including off scenario operations, and also minor anomalies where the change in plant status is subtle? |
| 5 | Establishing & maintaining shared situation awareness of operations | Does LDP support the whole crew in maintaining the shared recognition on the plant status and operational activities? |
| 6 | Supporting selection and formation of actions | Do AS, LDP, WSDs, and CPS support the operator in selecting or formulating actions especially in emergency operations including off scenario operations, and also minor anomalies where the change in plant status is subtle? |
| 7 | Supporting smooth transition from one MMI to another | Does the link between AS and LDP support the operator in smooth transition from detection of cues to understanding plant success path especially in emergency operations including off scenario operations? |
| 8 | Supporting smooth transition from one MMI to another | Does the link between AS and WS displays support the operator in smooth transition from detection of cues to situation awareness and understanding of plant status especially in emergency operations including off scenario operations, and also minor anomalies where the change in plant status is subtle? |
| 9 | Supporting smooth transition from one MMI to another | Does the link between LDP and WSDs support the operator in smooth transition between plant monitoring and actions formation especially in emergency operations including off scenario operations? |
| 10 | Supporting CPS | Do WSDs support the operator in verifying information provided by CPS? |
| 11 | Supporting action implementation and confirmation of soft control | Does the SC support the operator in verifying the implementation of control actions especially in parallel processing tasks and situations where quick actions are necessary? |

18.1.4.4.2-5 Human Factors ACR Issues Specific to APR1400 MMI (Cont'd)

| No | Concerns | Human Factors ACR Issues |
|---|---|---|
| 12 | Supporting control action confirmation of soft control | Do AS, LDP, WSDs, and CPS support the operator and the whole crew in monitoring the results of control actions implemented by soft controls especially in emergency operations, parallel processing tasks and situations where quick actions are necessary? |
| 13 | Preventing tunnel vision | Do LDP and WSD support the operator in maintaining an awareness of overall plant status especially in high workload or off scenario situations so that he or she is not confined with tunnel vision? |
| 14 | Preventing getting lost | Do WSD organization and navigation aids support the operator in realizing where he or she is in the display hierarchy and how to reach displays he or she wants to select especially in high workload or off scenario situations? |
| 15 | Permitting prompt, smooth task performance of system response | Does the system level design of computer system support the operator in carrying out their tasks swiftly and smoothly especially in high workload scenario situations or continuous control tasks? |
| 16 | Supporting smooth transition from one MMI to another | Does the design of control sequences (e.g., display call-up sequences) support the operator in carrying out their tasks swiftly and smoothly especially in high workload or off scenario situations? |
| 17 | Supporting of the number of CRT | Does the number of CRTs support the operator in carrying out parallel processing especially in high workload or off scenario situations? |
| 18 | Organization and navigation of workstation displays to support parallel processing | Do WSD organization and navigation aids support the operator in carrying out parallel processing especially in high workload or off scenario situations? |
| 19 | Supporting awareness of control mode | Do WSD and LDP support the operator in maintaining an awareness of control mode especially in high workload situations? |
| 20 | Supporting awareness of control mode | Does the design of SC support the operator in maintaining an awareness of control mode especially in high workload situations? |
| 21 | Supporting supervision of automatic functions | Do WSD and LDP support the operator in maintaining an awareness of control mode especially in high workload and off scenario situations? |
| 22 | Maintaining shared situation awareness | Does LDP support crew members in maintaining the shared situation awareness especially in high workload and off scenario situations? |
| 23 | Supporting available information | Do LDP and WSDs support the operator in obtaining enough information especially in off scenario situations? |

18.1.4.4.2-5 Human Factors ACR Issues Specific to APR1400 MMI (Cont'd)

| No | Concerns | ACR Issues |
|---|---|---|
| 24 | Supporting verbal communication | Does the layout of WSD, LDP, and other facilities support the crew members in exchanging verbal communications especially in high workload situations or cooperative tasks attended by more than one operator? |
| 25 | Supporting for verbal communication | Does the layout of WSD, LDP, and other facilities support the crew members in exchanging verbal communications especially in emergency operations? |
| 26 | Supporting communication with outside MCR | Do WSDs provide a means that supports the operators in communicating with outside control room staff members especially in emergency operations? |
| 27 | Supporting operation with computer failure | Does the system level computer support the operators in maintaining the ability to control the plant even when the computer system has failed either partially or totally during emergency operations? |

Figure 18.1-1 Placement of MMI Design Team with regard to CARD
(Organization chart. Boxes: CARD; Plant Design Integration Group; Other Group; MMI Design Team; MMI Independent Review Team; Other Design Organization. Title block: Korea Hydro & Nuclear Power Co., Ltd., Advanced Power Reactor 1400 SSAR.)

Figure 18.1-2 Overall MMI Design Process
(Chart across the APR1400 development phases: Phase II, Phase III, Construction. Rows: HFE Design Guidelines & Studies; APR1400 Design; Licensing; Simulation Facility; Evaluations & Validations.)

Figure 18.1-3 Relationship Between HFE Activities for MMI Development
(Block diagram. Stages: Plan; Analyses; HSI Design; V&V.)

Figure 18.1-4 Design Process of APR1400 Phase II MMI
(Flow diagram.)

Figure 18.1-5 Design Process of APR1400 Design Phase III MMI
(Flow diagram.)

Figure 18.1-6 Reference Design Process (Standard)
(Flow diagram. Legend: * : Documentation.)

Figure 18.1-7 Hierarchical Task Analysis Diagram
(Event: SGTR, Sheet No: 1. Top-level tasks: 1 Standard Post Trip Action; 2 Diagnostic Action; 3 Verification of Diagnostic Action; 4 Determine & Isolate Affected S/G; 5 RCS Cooling & Depressurization; 6 Shutdown Cooling.)


Appendix 18.1A

Function Allocation Criteria

The following guidelines and criteria are adapted from NUREG/CR-3331, "A Methodology for Allocating
Nuclear Power Plant Control Functions to Human or Automatic Control". The algorithm can be applied
at any level of detail; however, engineering judgment must be applied to determine when the design
description is sufficiently detailed for the purpose at hand. This provides an expedient framework for
designers and evaluators to verify appropriate allocations of plant control functions in any aspect of the
design.

1. Is automation mandatory?

1.1 Are working conditions hostile to humans?

1.2 Are tasks included which humans cannot perform?

1.3 Is automation required by law or regulations?

1.4 Is automation required to assure plant safety or protection?

Yes (any) - Go to step 2.
No (all) - Go to step 3.
(If automation is required only in part, then the design description may be detailed to
identify that part.)

2. Is automation technically feasible?

2.1 Are proven technologies available?

2.2 Are the costs and development/delivery times acceptable?

Yes (all) - Tentatively allocate to auto; go to step 9.
No (any) - Redefine the function(s), allocation, or engineering solution.

3. Is human performance mandatory?

3.1 Is automation technically infeasible?

3.2 Is human required to retain policy-level or ultimate control?

3.3 Is human required by law or regulation?

Yes (any) - Go to step 4.
No (all) - Go to step 5.
(If a human operator is required only in part, then the design description may be
detailed to identify that part.)

4. Is human performance a feasible solution?

4.1 Can humans perform the specified tasks?

4.2 Are the costs and development/delivery times of the necessary support (e.g.,
procedures, training, etc.) acceptable?

Yes (all) - Allocate to human; go to step 11.
No (any) - Redefine the function(s), allocation, or engineering solution.

5. Is automation clearly preferable to human operators?

5.1 Is automation technology well-established as suitable? (i.e., effective, reliable,
cost-effective, etc.)

5.2 Is human performance acknowledged as less satisfactory?

Yes (all) - Tentatively allocate to auto; go to step 9.
No (any) - Go to step 6. (If automation is preferable only in part, then expand the
design description sufficiently to identify that part.)

6. Is human performance clearly preferable to automation?

6.1 Is human performance regarded as clearly necessary, or superior to automation?

Yes - Allocate to human; go to step 11.
No - Go to step 7.
(If a human operator is preferable only in part, then the design description may be
detailed to identify that part.)

7. Is the segment a suitable candidate for automation?

7.1 Is the segment comprised of mechanistic or repetitive tasks?

7.2 Does the segment require sustained vigilance?

7.3 Does the segment require extremely rapid or consistent responses?

7.4 Is the segment comprised of well-defined and highly predictable conditions,
actions, and outcomes?

7.5 Is the segment likely to be required at the same time as a large (i.e., excessive)
number of other tasks?

7.6 Does the segment require the collection, storage, manipulation, or recall of data in
substantial amounts, or with high accuracy?

Yes (any) - Tentatively allocate to auto; go to step 9.
No (all) - Go to step 8.

8. Is the segment suitable for human operator performance?

8.1 Is it within the realm of human strengths and capabilities?

8.2 Will the task form an appropriate and satisfactory part of an operator's job? (i.e.,
cannot be trivial, demeaning, or comprised of leftovers).

8.3 Will it allow the operator to maintain satisfactory workload? (i.e., neither too high
nor too low)

Yes (all) - Allocate to human; go to step 11.
No (any) - Go to step 10.

9. Reconsider the tentative automatic allocations in terms of their negative impact on human
operator performance.

9.1 Would manual performance of the task help to keep the operator engaged with the
plant, informed of process status or prepared to plan and solve problems?

9.2 Would manual performance of the task provide the operator with important
opportunities to develop or maintain valuable skills or knowledge?

9.3 Will absolute implementation of the automatic feature(s) contribute to operator
underloading (e.g., boredom)?

9.4 Would the option for manual control from the control room afford desired
flexibility?

9.5 Would the option for manual control room afford desired flexibility?

9.6 Would the option for manual control room be desirable for testing, maintenance, or
management of off-normal conditions?

Yes (any) - Make a tentative allocation to automation with operator discretion. If
operator discretion is superordinate (man selects auto or manual modes) then go to
step 11. If operator discretion is subordinate (man may initiate but not override
automatic action), go to step 12.
No (all) - Allocate to automation; go to step 12.

10. If any segments remain unallocated, apply the following criteria:

10.1 Comparative cost of human and automated options

10.2 Consistency with preceding design goals and selections

10.3 Available technologies

10.4 Customer preference

10.5 Operator acceptance

Or, redefine the function(s), allocation, or engineering solution.

If allocated to automation, go to step 9.


If allocated to human operator, go to step 11.

11. Consider residual automated and control system support for the operator.

11.1 Data display and integration

11.2 Monitoring of limits and detection of abnormalities

11.3 Hierarchical access to indicating and control options

11.4 Automatic control of inner loops

11.5 "Fail safe" controls

11.6 (Etc.)

Complete any required documentation.

12. Consider the residual role of the human operator in support of the automated function:

12.1 Policy-level control (e.g., initiation of transitions to less conservative plant states)

12.2 Awareness of automatic system status, transitions, availability, etc.

12.3 Detection of abnormalities and management of failures, including those in
"hidden" or low-level features

12.4 Emergency initiation or shutdown

12.5 Override of selected interlocks under specified conditions

12.6 Removal of equipment from service

12.7 Status of local transfer or test switches

Complete any required documentation.
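
The routing in steps 5 through 12 can be followed mechanically. The sketch below is an added example, not part of the SSAR or of any APR1400 tool; the names `allocate`, `Allocation`, `Result`, `step10` and `discretion` are hypothetical, and the choice to reject an unanswered sub-question instead of defaulting it to "no" is an assumption of this example.

```python
from dataclasses import dataclass
from enum import Enum

# Sub-questions per step as numbered in the appendix (5.1-5.2, 6.1, 7.1-7.6, ...).
SUBQUESTIONS = {5: 2, 6: 1, 7: 6, 8: 3, 9: 6}


class Allocation(Enum):
    HUMAN = "human operator"
    AUTOMATION = "automation"
    AUTO_SUPERORDINATE = "automation; operator selects auto or manual mode"
    AUTO_SUBORDINATE = "automation; operator may initiate but not override"
    REDEFINE = "redefine the function, allocation, or engineering solution"


@dataclass
class Result:
    allocation: Allocation
    path: list  # step numbers visited, ending at the closing step (11 or 12)


def answers_for(step, answers):
    """Return the yes/no answers for one step; refuse to guess a missing one."""
    ids = [f"{step}.{i}" for i in range(1, SUBQUESTIONS[step] + 1)]
    missing = [q for q in ids if q not in answers]
    if missing:
        raise ValueError(f"step {step} has unanswered questions: {missing}")
    return [bool(answers[q]) for q in ids]


def allocate(answers, step10=None, discretion=None):
    """Walk steps 5-12 for one segment.

    answers    -- dict such as {"5.1": True, "5.2": False, ...}
    step10     -- outcome of the step 10 criteria: "automation", "human" or "redefine"
    discretion -- "superordinate" or "subordinate", needed when any 9.x is yes
    """
    path, step = [], 5
    while True:
        path.append(step)
        if step == 5:    # yes (all) -> tentative auto, reconsider in step 9
            step = 9 if all(answers_for(5, answers)) else 6
        elif step == 6:  # yes -> human, close out in step 11
            if all(answers_for(6, answers)):
                return Result(Allocation.HUMAN, path + [11])
            step = 7
        elif step == 7:  # yes (any) -> tentative auto
            step = 9 if any(answers_for(7, answers)) else 8
        elif step == 8:  # yes (all) -> human; no (any) -> tie-break in step 10
            if all(answers_for(8, answers)):
                return Result(Allocation.HUMAN, path + [11])
            step = 10
        elif step == 9:  # impact of automation on operator performance
            if not any(answers_for(9, answers)):
                return Result(Allocation.AUTOMATION, path + [12])
            if discretion == "superordinate":
                return Result(Allocation.AUTO_SUPERORDINATE, path + [11])
            if discretion == "subordinate":
                return Result(Allocation.AUTO_SUBORDINATE, path + [12])
            raise ValueError("step 9 answered yes: state operator discretion")
        else:            # step 10: residual criteria (cost, consistency, ...)
            if step10 == "automation":
                step = 9  # an automation result is still reconsidered in step 9
            elif step10 == "human":
                return Result(Allocation.HUMAN, path + [11])
            elif step10 == "redefine":
                return Result(Allocation.REDEFINE, path)
            else:
                raise ValueError("step 10 reached: supply the step10 outcome")


def no(step):
    """Constructed helper: answer 'no' to every sub-question of a step."""
    return {f"{step}.{i}": False for i in range(1, SUBQUESTIONS[step] + 1)}


if __name__ == "__main__":
    # Constructed segment: fails 8.3 (workload), so it falls through to step 10.
    seg = {**no(5), **no(6), **no(7), **no(8), **no(9), "8.1": True, "8.2": True}
    r = allocate(seg, step10="automation")
    print(r.allocation.value, r.path)
```

The recorded path doubles as the audit trail for the "required documentation" called for at steps 11 and 12.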

18.2 Main Control Room

18.2.1 Main Control Room Configuration

The APR1400 Main Control Room (MCR) configuration was developed through an evolutionary process
beginning with the Nuplex 80+ reference design configuration. Considerations influencing the design
include plant system configurations for APR1400, post-TMI indication requirements, improved methods
of alarm and display, and the HFESGB. The following sections document the APR1400 staffing
assumption, relevance to the HFESGB, evaluation of configuration candidates, and design of the selected
APR1400 MCR configuration.

18.2.1.1 Definition of Terms

The discussion in this section and the rest of APR1400 SSAR employ the following definitions:

A. Main operating area

The area between and including control workstations (RO, TO and CRS workstation), safety
console and Large Display Panel (LDP) from which plant monitoring and control actions are
taken.

B. Main control room

The entire area including the main operating area, administrative offices, and storage rooms.

18.2.1.2 Staffing Assumption

The APR1400 MCR is designed to provide operational flexibility to accommodate a wide range of MCR
staffing requirements. A staffing assumption was established to allow design and validation of the MMIS.
The staffing assumption is indicated below with typical KHNP qualifications shown:

Number of Operator   Position Title                  Qualification

1                    Shift Supervisor (SS)           SRO
1                    Control Room Supervisor (CRS)   SRO
1                    Reactor Operator (RO)           RO
1                    Turbine Operator (TO)           Qualified
1                    Electrical Operator (EO)        Qualified
1                    Shift Technical Advisor (STA)   Qualified
1                    Shift Foreman (SF)              Qualified
5                    Local Operator (LO)             Qualified

* SS and STA are assigned for two units

18.2.1.3 Workspace and MCR Configuration Criteria

The development and evaluation of MCR configurations require a comprehensive set of HFE criteria
related to workspace design.

Workspace and configuration criteria for APR1400 are based on requirements defined in the HFESGB for
APR1400 MMI. Specific configuration criteria utilized for design of the APR1400 MCR are listed below:

A. All of the MCR workstations/consoles are designed to accommodate the 5th to 95th percentiles
of the adult Korean male.

B. At a sit-down workstation, an operator is able to monitor all plant information and control plant
processes from one seated location.

C. In the main operating area, operators have proper line of sight to all information and controls
relating to a task.

D. Operators are able to integrate and associate information and controls across workstations.

E. Adequate work surface (lay down space) is provided at, or near, MCR workstation/console for
paper based procedures, schematics and other documents without interfering with display viewing
or control manipulation.

F. All desks and chairs in MCR are designed for usability and comfort.

G. Chairs provided for sit down workstations and consoles have roller wheels for easy movement
within the workstation.

H. Operators have unimpeded physical access from one workstation in the configuration to another.

I. Adequate passageway between workstations and other work areas in the configuration is provided.

J. No obstacles (file cabinets and so forth) are located in offices and the main operating area, to
ensure safe and timely movement to the main operating area.

K. Designated workspace is provided for the CRS, with unimpeded visual access to LDP and the main
operating area.

L. Adequate storage is provided for reference documents and drawings at a readily accessible
location.

M. Commodities such as storage for equipment and supplies are provided for personnel who work in
the MCR on a periodic basis.

18.2.1.4 Reference Design Configuration

The APR1400 MMIS design has been developed with review of the Nuplex 80+ design as well as the
French N4. The design approach is based on a compact workstation type MCR design where monitoring
and control activities are normally performed on selectable workstation display devices and soft controls.
Fixed indication information for plant overview and safety assessment is primarily supported by LDP
which is sized for viewing by operational staff in the main operating area.

18.2.1.5 Reference Design Evaluation Results

The first phase of the configuration development process evaluated Nuplex 80+ reference design
configuration and compact workstation design with respect to the operational requirements and the HFE
criteria identified previously. The following design considerations from the various reviewed designs were
applied to the APR1400 criteria:

A. The compact workstation design would use multiple identical and redundant workstations where
at each workstation one person has access to all information and controls necessary to safely
operate the plant.

B. The LDP has an increased role in the APR1400 design with respect to that provided in Nuplex
80+. In addition to providing overview and safety information the LDP provides fixed indication
of high priority alarms via alarm tile and incorporates a variable display section to support current
operating goals.

C. A Safety Console is provided for fixed position and qualified control switches and operator
modules for control of Core Protection Calculators, and the Plant Protection System. Additionally
this console provides indications and controls in support of maintenance activities and system and
instrument testing during normal operations and shutdown conditions.

18.2.1.6 Candidate Configurations and Evaluations

In meeting the design goals of the APR1400 design, several candidate configurations were analyzed.
Design issues associated with workstation layout included:

• Visibility and size of LDP

• Communication between operators and other MCR staff

• Working area at workstation, laydown space

• Maintainability of workstations

The following paragraphs discuss the various configurations which were evaluated. The first candidate
MCR design configuration as depicted in Figure 18.2-1 provides 4 redundant workstations, each of which
has capability to control all power plant processes. A typical utility staffing configuration of these
workstations is as follows:

• Left Front Workstation - Reactor Operator (RO)

• Right Front Workstation - Turbine Operator (TO)

• Left Rear Workstation - Control Room Supervisor (CRS)

• Right Rear Workstation - Shift Technical Advisor (STA)

In this design the normal use of the rear two workstations would be monitoring only. The workstation
identified as the STA workstation would only be staffed in a post trip situation. One of these two
workstations could be used for control if a failure occurred in either of the front two workstations.

Because the first candidate design had two alternate workstations that typically were not used for
control, it was viewed as excessive, especially when one workstation provides the capability to operate
the plant.

The second candidate design is illustrated in Figure 18.2-2. This design provides 3 redundant workstations,
which provide similar functionality to the workstations in the first candidate. The workstation that was
assigned to the STA was reduced. To support communication between the typical operating crew, i.e. RO
and TO, a decision was made to link the 2 front workstations together. Doing this provides a design that
affords more flexibility in the LDP size and location since viewing angles to the LDP are more similar for
each of the two operators.

In this design a monitoring workstation was added to support the activities of the STA in a post-trip
condition as well as the informational requirements of supporting staff including equipment operators
during all plant operational states. Also added to the design was a safety console. This console replaces
the backup panel which was located below the LDP in the first candidate. This console provides added
functionality as described in Section 18.2.1.7.7. The next section describes the selected MCR design.

18.2.1.7 Functions and HFE Considerations for MCR Facilities

The configuration development process discussed in the previous section resulted in the MCR
configuration typified in Figure 18.2-3. The main operating area of this MCR comprises 3 control
workstations, the safety console and the monitoring workstation. Additionally, the MCR provides an LDP,
tables and desks, and staff offices.

The function and characteristics of each of these operational areas is discussed in this section. Important
HFE considerations relating to workspace design are also discussed. These include workspace visibility,
mobility, access, operator furnishings, and console profiles.

18.2.1.7.1 Control Workstations

Each of the 3 workstations is designed to be used by one operator. Each workstation provides devices for
access to all information and controls necessary for one person to monitor and control all processes
associated with nuclear plant operation and safety.

The front two workstations are linked together to provide good communications for the normal staffing
assignment of an RO and a TO. The third workstation is assigned to the CRS who uses the workstation
features for monitoring only. The third workstation would also serve as an alternate workstation to be used
for plant monitoring and control in the event of a failure of one of the front workstations (where monitoring
and control capability of a workstation was degraded). Each workstation contains:

• Multiple FPDs that support process monitoring and control with pointing devices

• Dedicated push-buttons for 2 divisions of reactor trip and ESF system level actuation (at front
workstation group only), located between the two workstations. A second set of push-buttons
is located at the safety console.

• Laydown area for logs, drawings, paper procedures, etc.

18.2.1.7.2 Monitoring Workstation

The MCR includes a monitoring workstation to support the activities of STA in a post-trip condition as
well as the informational requirements of supporting staff including equipment operators. The monitoring
workstation is located in the main operating area as typified on Figure 18.2-3. The monitoring workstation
provides visibility of all main operating area workstations and supports verbal communication with
operators at the three control workstations and safety console.

The monitoring workstation is designed to accommodate two persons. The monitoring workstation fulfills
information needs through four (4) information displays and one (1) Qualified Indication and Alarm System
(QIAS)-N display, and visibility of the entire main operating area, including the LDP. The monitoring
workstation is assigned to the STA and SS who use the workstation features for monitoring only. The
monitoring workstation would also serve as an alternate workstation to be used for plant monitoring and
control in the event of a failure of one of the control workstations.

18.2.1.7.3 Auxiliary Panel

The space for auxiliary panel is provided in the back of the LDP. The auxiliary panel contains fire
protection instrumentation, vibration monitoring instrumentation, etc.

18.2.1.7.4 Main Control Room Offices

The APR1400 MCR provides offices for MCR personnel not actively participating in operation activities
in the main operating area. This assures that the design of MCR offices is integrated with the overall
control room design philosophy.

Provisions of the MCR offices allow flexibility for utility preferences and accommodate varying plant
conditions and staffing requirements. The MCR offices include the following offices:

• Shift Technical Advisor Office

• Shift Supervisor Office

• Tagging Room

These offices are depicted on Figure 18.2-3. The tagging room serves as MCR entrance where access to
the MCR is controlled.

The MCR offices have a set of common characteristics based on the operational requirements of the MCR
and the HFESGB. These include visibility into the main operating area to allow monitoring of the activities
being performed and to allow intelligible verbal communication among the operating staff.

The operators can monitor the plant overview status information on the LDP without leaving the office.
This provides a fixed constant overview that directs to more detailed information on their information
displays if necessary. The MCR offices also provide easy and quick access to the main operating area
should the operations staff require assistance.

In addition to visual communication between the main operating area and the MCR offices, direct
telephone communication is also provided from the control workstations and monitoring workstation to
each office. To meet information requirements, the offices are each equipped with information displays
from which any information display page can be accessed including the LDP displays. Unique features of
each office will be discussed in the following sections. The Technical Support Center (TSC), which is
located adjacent to the MCR, serves as an MCR office during non-emergency situations to allow planning
sessions and accommodate visitors without MCR interference. The TSC is discussed in Section 13.3.

Shift Supervisor Office

The shift supervisor office is designed to allow him to coordinate activities throughout the plant and
perform his normal administrative duties. To facilitate this, communication is provided to local control
panels and the main operating area. Communication is also provided to external telephone service for use
during emergency conditions. The office location outside the main operating area allows him to interface
with plant personnel without interfering with operations activities within the main operating area.
Information displays are available in the shift supervisor's office.

Shift Technical Advisor Office

The office is provided for the STA and other operations crew except for the SS, and is located in the MCR
outside the main operating area. It accommodates multiple individuals including RO, TO, EO, LOs, SF and STA.
With operators assigned to the workstations, this workspace accommodates the additional operating staff.
It supports performance of documentation, surveillance testing, coordination of maintenance activities and
other routine tasks. This office has information displays to provide plant information to the operating staff
or STA. It has adequate desk space for documentation tasks or interface discussions. The STA office also
contains a video hard-copy unit and two printers for support of operation in the main operating area. The
STA office is shown in Figure 18.2-3.

18.2.1.7.5 Main Control Room Furnishings

This section describes HFE considerations related to operator furnishings within the MCR. The following
issues are addressed: desks, chairs, procedure storage and laydown space.

The major MCR furnishing features are indicated on Figure 18.2-3.

Furniture

The main operating area is provided with sufficient quantities of tables, desks and chairs to support the
intended operational staff. Desk areas at the workstations and a table are provided as exemplified on Figure
18.2-3. The table and desk areas serve as workspace for operators who are in the main operating area but not
actively performing monitoring or control actions at the workstations. The desk's locations provide
visibility to the entire main operating area. The desk is designed in accordance with desk dimensions
required in the HFESGB. The desk height conforms to the HFESGB. Chairs are provided in the main
operating area at the workstations, desks, and at the safety console as exemplified on Figure 18.2-3. Each
chair is designed according to the requirements of the HFESGB for seated operator stations. Chairs have
adjustable heights and are on wheels to facilitate seated movement, particularly at the workstations.

Document Lay Down Space

Adequate space for laying down procedures, manuals and other reference materials while they are in use
is provided for in the APR1400 main operating area. Laydown space for longer term analysis efforts that
do not require control actions is provided at the main operating area desk.

Reference Document Storage

Adequate reference document storage is provided in the APR1400 MCR. Permanent storage space is
provided on both MCR desks and at the monitoring workstation as exemplified on Figure 18.2-3.
Additional storage and storage of large drawings are provided in the storage room outside the main
operating area. This is exemplified on Figure 18.2-3 and is convenient to the main operating area and MCR
offices. The operators support office also has space designed for document storage.

18.2.1.7.6 Workstation Profile

A panel profile supporting seated operation is provided at each workstation and safety console. This
profile is based on anthropometric data including the 95th percentile Korean male to the 5th percentile
Korean male. The anthropometric data for this profile is based on the HFESGB.

18.2.1.7.7 Safety Console

The MCR includes a Safety Console (SC). The SC provides a station to accommodate a third MCR
operator during post trip events. The SC is located in the main operating area as shown in Figure 18.2-3.
The mini LDP installed on the SC provides the same "fixed position" alarms and displays as the LDP contains.

The SC provides the following indications, controls and alarms:

A. Minimum inventory of "fixed position" alarms, indications and controls necessary for the
following:

• Performance of EOP and safe shutdown with preferred/credited success path components
in the major flow path for each critical safety function

• Performance of critical operator actions from the Probabilistic Safety Assessment
(PSA)/Human Reliability Analysis (HRA).

B. All alarms, displays, and controls needed to perform periodic surveillance, testing, and
maintenance of all safety components controlled from the MCR.

The SC contains the following equipment:

• Multiple FPDs that are of same type as workstation FPDs

• QIAS-N displays

• QIAS-P (PAMI) displays

• PPS/CPC Operator Modules

• Reactor Trip and ESF System Level Actuation Switches

• Diverse manual switches

• Minimum Inventory of Fixed Position Switches

• DBE Mitigation FPDs

18.2.1.7.8 Fixed Position Control

The fixed position switches (so called 'Fixed Position Control') supporting the manual actuation or control
by operator are provided on the safety console, operator workstation and Remote Shutdown Console
(RSC).

The fixed position controls in the MCR consist of minimum inventory switches for Emergency Operating
Procedure (EOP), diverse manual ESF actuation switches and manual ESF system level actuation switches
to meet the requirements of SECY 93-087 Enclosure 1, Position Q. II. 4, and manual BOP ESF actuation
switches.

Minimum Inventory Control

Minimum inventory controls provide defense against the control workstation failure. The minimum
inventory controls are created by performing a Functional Task Analysis (FTA) to identify all controls
necessary to perform the primary action step for Emergency Operation Procedure (EOP), and identifying
the controls necessary to complete the PSA/HRA important tasks.

The minimum inventory controls involve the manual ESF system level actuation switches. The manual
ESF system level actuation switches are provided as input signals to execute ESF system actuation. Two
channels (B, D) of switches are provided at the safety console for manual ESF system level actuation. The
other two channels (A, C) of switches for manual ESF system level actuation are provided between the RO
and TO workstations.

The manual reactor trip switch is also included in the minimum inventory control category. Manual reactor
trip switches are provided for the operator to manually trip the reactor, and the signal from this switch
de-energizes the Control Element Drive Mechanism (CEDM) coils, allowing all the Control Element
Assemblies (CEAs) to drop into the core.

Diverse Manual ESF Switch

Diverse manual ESF switches are provided for protection against common mode failure of digital
equipment in ESF-CCS. These diverse manual ESF actuation switches are for a defense-in-depth and
diversity (DID&D) design against a common mode failure. The design is hardwired/diverse system level
actuation of the safety-related equipment bypassing the ESF-CCS. These switches are functionally and
physically independent from the ESF-CCS. They are located on the safety console in the MCR.

Manual BOP ESFAS Switches

Manual BOP ESFAS switches are provided for proper actuation of the BOP ESF HVAC systems and
equipment to mitigate the consequences of the fuel handling accidents in the containment building and the
fuel handling area as well as to provide a habitability condition for the plant operation personnel in the
MCR during all phases of the DBE.

18.2.1.7.9 Operator Modules

The Operator Module is an MMI device that provides the functions of operation, maintenance, surveillance
and testing for the control room operator.

Class 1E channelized operator modules are provided on the safety console. One operator module is
assigned per safety channel (A, B, C, and D) and the operator modules are grouped as follows:

• Core Protection Calculator (CPC)

• Plant Protection System (PPS)

The CPC and PPS operator modules provide the function of control and indication for surveillance,
maintenance and testing.

18.2.1.7.10 DBE Mitigation FPDs

The DBE Mitigation FPDs are provided for mitigating and terminating DBE.

18.2.2 Main Control Room Environment and Communication

This section provides the design criteria which assure that proper HFE environmental and communication
principles are incorporated into the design. The criteria assure that the main operating area and MCR
offices are in accordance with design assumptions and accepted human engineering practice.

18.2.2.1 Environmental Design Criteria

The following are environmental criteria which the MCR design meets:

A. Humidity, Temperature and Ventilation

• Temperature and humidity levels are maintained within comfort climate level in
accordance with the HFE criteria.

• HVAC is capable of introducing enough fresh air in accordance with HFE criteria.

The air conditioning, heating, cooling and ventilation systems, described in Section 9.4, are designed to
meet these criteria.

B. Illumination

• MCR lighting design provides adequate workstation illumination in accordance with the
HFE criteria for the tasks being performed.

• Lighting levels are uniform throughout a given workstation.

• Task area luminance ratios and reflectance levels are in accordance with the HFE criteria.
The type of lights chosen and placement of lighting sources minimize glare.

• Adequate emergency lighting is provided with automatic activation in accordance with the
HFE criteria.

The lighting systems, described in Section 9.5.3, are designed to meet these criteria.

C. Auditory Environment

• Background noise levels are in accordance with the HFE criteria. Background noise does
not impair verbal communication.

• The MCR supports acceptable auditory design by minimizing distances for required
communication, keeping non-operating personnel out of the main operating area,
providing audible tones in the alarm system and none in other systems and providing
sound absorbing material in the control room.

D. Habitability

• Adequate personal storage is provided for MCR personnel.

• Adequate rest rooms, eating facilities and lounge areas are provided within easy access
of the MCR.

• A pleasant and comfortable decor is provided through color coordination, lighting, and
comfortable seating.

• Soft flooring is provided to lessen fatigue, when standing, and to reduce ambient noise.
Soft flooring selected is easily maintainable, resistant to fire and conducive to easy
movement of roller carts and chairs.

• Impact of MCR features (e.g., ceiling, walls, floors, workstation and other furnishings)
does not have a negative effect on ambient environmental conditions or habitability of the
MCR.

18.2.2.2 Communications Design Criteria

Voice communication inside and outside of the MCR is essential to the coordination of plant operations.
Various communication devices are used to ensure efficient voice transmission in the design. The
communication system design is described in Section 9.5.2. The following design criteria ensure correct
message interpretation and prompt operator response for these devices.

A. Both intra- and extra-MCR communication are provided by the communication system.

B. The HFESGB is followed for each communication device employed.

C. Instructions are provided for the use of each voice communications device, including alternatives,
if a specific device becomes inoperable. Instructions are co-located with each device in a readily
visible area.

D. Space is provided on MCR workstation/console in the main operating area for communication
devices.

E. Multiple communications devices at a workstation are coded to indicate circuit or function.

F. The type and placement of communications devices is compatible with all normal and emergency
tasks in plant operation.

G. Visual and manual access to communications devices is not obstructed by furniture or panels.
Communication devices are positioned in the MCR to minimize walking.

H. All device cords are sufficiently long to permit mobility around a workstation.

I. Response frequency is within the portion of auditory spectrum for intelligible hearing as per the
HFESGB. Automatic gain control for receivers is provided to account for unanticipated rises in
ambient noise levels.

J. Ringing of communication devices is only implemented where needed. Communication device
ringing does not interfere with and is not masked by other MCR auditory warning systems.

K. Communications devices are usable by personnel wearing protective gear where required.

L. Headsets are designed for comfortable extended wear.

M. Periodic maintenance steps are performed to ensure transmission systems are working properly.

N. Auditory signals are clear, unambiguous and consistent in meaning with other MCR
communications.

O. Systems used to transmit nonverbal auditory signals do not also transmit verbal communication.

18.2.2.3 Conformance to Design Requirements

18.2.2.3.1 Visibility Evaluation

Visibility permits general observation, and supports communication and coordination between operators.
A visibility evaluation was performed for the MCR configuration to ensure that the visibility requirements
identified in the operational requirements and the HFESGB were met. The visibility evaluation focused
on assuring that unobstructed visual access exists among all main operating area workstations and consoles
and from the MCR offices to required locations in the MCR. Visibility alone does not imply readability,
or support monitoring or direct supervision tasks.

Workstation Visibility

Acceptable visibility from the MCR workstations is ensured by demonstrating that the following line of
sight and visual access requirements were met. This is shown on Figure 18.2-4a and 18.2-4b.

• Adequate line of sight is provided for an operator seated at any workstation to other operators
located at other workstations.

• LDP is visible from the workstations and adequate visual angle exists in the vertical plane to
permit viewing it.

• Operators located at the safety console and the monitoring workstation have visibility to all control
room workstations, LDP, desks and other consoles.

• The monitoring workstation and MCR offices are visible from the workstations.

CRS Workstation Visibility

Acceptable visibility is demonstrated from the CRS workstation by the following visual access
considerations. These are shown on Figure 18.2-4a.

• All workstations and safety console are visible from the CRS workstation.

• MCR offices are visible from the CRS workstation.

• LDP is visible from the CRS workstation.

Monitoring Workstation Visibility

Acceptable visibility is demonstrated from the Monitoring workstation by the following visual access
considerations. These are shown on Figure 18.2-4a.

• All workstations are visible from the monitoring workstation.

• MCR offices are visible from the monitoring workstation.

• LDP is visible from the monitoring workstation.

Control Room Offices Visibility

Acceptable visibility is demonstrated from the MCR offices by the following visual access considerations.
These are also shown on Figure 18.2-4a.

• Unobstructed visual access to the MCR workstations from each office is provided for
general observation.

• LDP is visible from each office.

• The monitoring workstation is visible from each office.

18.2.2.3.2 Mobility Evaluation

An evaluation was performed to demonstrate that each member of the operating staff would have adequate
mobility within the main operating area and that circulation patterns in the main operating area would be
facilitated efficiently. Figure 18.2-5 exemplifies the main operating area dimensions and clearances for
typical operator work locations and traffic patterns. The following key mobility considerations are provided
by the MCR configuration:

A. Adequate operator maneuvering space is provided for seated operation at each of the workstations
(i.e., above 3 feet behind the operator without obstructions).

B. Adequate operator maneuvering space is provided for seated operation at the safety console.

C. Adequate operator maneuvering space is provided for seated operation at the CRS workstation and
monitoring workstation.

D. Adequate operator maneuvering space is provided at the main operating area desk.

18.2.2.3.3 Main Operating Area Access Evaluation

The MCR is designed to accomplish one key main operating area access function. The MCR configuration
permits rapid, direct access to the main operating area from any of the MCR offices. This is exemplified
on Figure 18.2-5. No hindrances are present to obstruct an operator's access to the main operating area. The
main operating area and MCR offices are located within the boundary of a secure area.

18.2.3 Control

Soft controls, which replace conventional dedicated push buttons and process controllers, are used to
provide control room operators with plant control capabilities. The soft control consists of the ESF-CCS soft
control and the Process-CCS (P-CCS) soft control. The ESF-CCS soft control is used to control the
safety-related control components through the ESF-CCS, and the P-CCS soft control is used to control the
non-safety-related control components through the Process-CCS.

The soft controls allow the control of continuous processes, discrete components, and other special controllers
such as control rods and turbine generators from the MCR and the RSC. The operator can control both
safety and non-safety components using the ESF-CCS control or P-CCS soft control on a single workstation.
The use of soft control is essential to achieving a compact workstation design.

The soft control emulates the various physical switches and analog control devices which populate
conventional plant control panels. The operator interacts with the ESF-CCS soft control via a touch screen,
and interacts with the P-CCS soft control via a pointing device such as a mouse. These soft controls, which are
software based, allow a standard interface device to assume the role of numerous control switches and
analog control devices via software configuration. The selection of components is possible from the
information displays.

The ESF-CCS soft control is implemented on the qualified touch screen-based FPD, and the P-CCS soft
control is implemented on each information FPD of the MCR and the RSC. The ESF-CCS soft control
and the P-CCS soft control are also provided on the safety console to support the operator task of a
predesignated operator in post-trip conditions as a means for controlling non-safety-related equipment.

18.2.3.1 Control Display Presentation

Soft control uses dynamic interactive graphics to monitor and manipulate process control functions. The
control template of a specific safety-related component appears on the ESF-CCS soft control FPD when
the operator selects the symbol on the information display with the pointing device. The control template of
a specific non-safety-related component likewise appears on the information FPD when the operator selects
the symbol on the information display with the pointing device. Each soft control is designed with a
standardized graphic template to provide design and operational consistency. This design approach
minimizes the potential for operator process control errors.

Soft control requires a pointing device to allow component control command (e.g., ON/OFF) selection.
A pointing device such as a mouse is also used to select the component control command (e.g., ON/OFF)
on the P-CCS soft control display. The ESF-CCS soft control uses the touch-sensitive FPD as its pointing
device.

The soft control template for modulation component control provides the loop operating mode (e.g.,
auto/manual, remote/local), setpoint, demand output, process value, increase/decrease button and bar graph
necessary for the control of the modulating device.

The soft control template for discrete component control provides command selection targets (e.g.,
open/start button, close/stop button and auto/man selection button) necessary for the control of discrete
devices. Uncontrollability status (e.g., trouble or disable) information is provided on the soft control
template for the control of discrete devices. Feedback is provided on the soft control template.

18.2.3.2 Switch Configuration

Switch configuration is applied to the fixed position switches located at the safety console, operator
workstation and RSC to support manual actuation or control by the operator.

The following information regarding switch configuration is typically provided on the switch faceplate:

• Control option available (on, off, auto, etc.)

• Current component state (on, off, auto, etc.)

The name plate of each switch has an unambiguous identifier (e.g., tag number) of component name or
functional identifier (name of control).

In order to display all of this information on switch configuration, a visual coding technique based on the
conventions established in the HFESGB is utilized.

The control option and component state conventions used in switch configuration are similar to the
conventions used in switch design for soft control as described in Section 18.2.3.1.

18.2.3.3 Conformance to HFE Requirement

The following high-level design principles are key to the soft control design.

Simplicity - MMI resources should represent the simplest design consistent with functional and task
requirements. Simplicity may be of particular importance to the soft control MMI resource. This is true
because the soft control is inherently more complex than the pushbutton switches of conventional control
rooms which it replaces. The number of actions to complete a task should be minimized. Complicating
factors for soft control include I&C constraints on the design (e.g., channel independence and potential use
of a confirm switch). Maintaining simplicity in the design minimizes the operator's secondary task burden.
This is particularly important in the soft control design, to maintain operator speed and accuracy for control
commands.

Task Usability - All MMI resources must be designed to meet task performance requirements. Task
usability is a primary focus for the soft control, since this device provides the majority of the control
capability available in the control room. In particular, control task requirements are considered in
developing individual soft control formats. Control options encompass the entire range of controls
identified by the task analysis. Data, such as current component state, is presented in a
directly usable, unambiguous form. Soft control is designed to overcome the conventional operational
inconvenience which comes from I&C constraints on the MMI design (e.g., channelized design).

Timeliness - Time response is a particularly important consideration for controls. Slow time response can
be a significant detriment to the usability for controls (i.e., soft control) if it is noticeable to the user. One
issue of specific concern in the soft control design is proper implementation of control system feedback
based on control selection. Timely feedback of the process response to control action, both for discrete and
modulating control, is also an important consideration. In APR1400 MMI, operators can readily determine
the current status of the control system, its desired status, and the result of control action through soft
control.

Error Tolerance, Control and Prevention - Error tolerance and control are important considerations
for soft control. Specific features are considered for error prevention for critical or high-risk components
(e.g., letdown LTOP valves or containment spray operation). These typically have key lock switches or
switch covers in conventional control rooms. Sufficient means to accomplish the same protection is
provided for soft controls.

HFE Analysis of Soft Control

A. The Results of APR1400 Phase II

Phase II top-down SV analyzed the soft control's ability to support operational tasks including binary or
discrete control, jog control, modulation control, and system alignment or isolation. The evaluation looked
at time response, complexity issues and adequacy of component grouping. The results generally
demonstrated that soft control was usable for control tasks, with some specific issues to be resolved. HEDs
relating to the soft control were as follows: (1) consideration of navigation facilities for the soft control
device itself, which was later rejected in favor of improved navigation from a workstation display, (2)
inconsistent coding issues that were resolved by assuring conformance to the HFESGB and consistency
with other MMI resources, and (3) the need for improved rate of setpoint adjustment which was addressed
in Phase III.

Phase II bottom-up SV evaluated soft control for conformance to the HFESGB criteria. Significant soft
control HEDs related to (1) component identification, (2) time responsiveness of soft control, which should
be resolved through implementation improvements, and (3) increased secondary task burden for
multi-channel control tasks. Most of the HEDs were resolved by design changes.

Soft controls were used for all controls as part of the operating ensemble during the phase II PV. The
major finding was that, using the soft control, it took too many steps to display a target and to control
equipment or a process. This HED was the major cause of the increase in operator workload.
The design deficiency was addressed in phase III by improving navigation to soft controls. Other HEDs
related to inconsistency of conventions and inconsistency between soft control and other MMI resources.
These were resolved by assuring conformance to the HFESGB and consistency with other MMI resources.
Even with the difficulties encountered using soft control, during preliminary validation exercises the
operators were able to successfully complete control actions to mitigate the emergency event.

B. The Results of APR1400 Phase III

The phase III top-down SV concentrated on evaluating HEDs from phase II analyses, functional
requirements and high level principles, and general soft control usability from the perspective of HFE issues.
HEDs were generally related to issues of soft control display salience, interaction with the input device (i.e.,
touch screen), design consistency, and method of information presentation. Most of the HEDs were resolved
by design changes.

Through the phase III PV1, the concept test for soft control was performed to directly address its
effectiveness in supporting "time-constrained tasks". This test actually represents several distinct timing
issues (e.g., frequencies of soft control MMI input/output, net lag in control and feedback loops, and time
pressure imposed by multiple tasks). These issues overlap with numerous others, such as concerns for
display suitability, for increased serialization of formerly parallel control actions, for errors caused by dual
task performance, and for possible interference between dual tasks. Measures for soft control performance
employed in PV1 include task speed, task accuracy and completeness, and workload. The major findings
were related to operator dissatisfaction with response time and reliability of the mockup soft control
implementation. The results of PV1 soft control testing demonstrated that the basic soft control concept
was acceptable for control, even in dual task situations.

A series of integrated system validation tests (i.e., PV2, PV3, and interim V&V) were performed to
evaluate the appropriateness of the soft control from the perspective of the human factors ACR issues.
Three issues were identified with respect to the soft control as follows: 1) supporting smooth transition
from one soft control to another, 2) supporting control action implementation and confirmation, and 3)
supporting awareness of control mode. A principal source of evaluation was operator responses to
interview questionnaires. Using the subjective ratings of operators, especially in the PV3 and interim
V&V, comparative analyses were performed for control tasks between the APR1400 soft control and
the main control board of the conventional plant. The results of the tests showed that the design of soft
control appropriately supported the operator in maintaining an awareness of control mode, especially in
high workload situations. This allows operators to identify the need for control actions and determine the
controls available for use. In addition, the coordination with other MMI resources supported the operator's
understanding of which plant component was being controlled, because it provided clear feedback
indicating which component was selected. Soft controls were well coordinated with process displays (i.e.,
workstation displays) so that the operator can readily verify that the control actions have had the intended
effect on plant systems and processes. Furthermore, the workstation display hierarchy facilitates control
actions that must be performed in swift and smooth succession by improving the design of the user
interface, such as minimizing the number of displays, minimizing the number of retrieval steps, and
providing a sufficient number of display devices available for control actions. However, some design
deficiencies stood out, as follows: 1) requiring laborious tasks for a series of rapid responses, 2) hiding
relevant information presented on the same workstation display, and 3) difficulty in performing multiple and
fine-tune control tasks. These design deficiencies were the major cause of the operators' dissatisfaction.
The first deficiency, which was found in PV2, was resolved by integrating the soft control devices into
a workstation display, and the appropriateness of this change was verified through the PV3 tests. The
remaining design issues will be stored in the ITS and will be resolved and evaluated in the plant
construction project.

18.2.4 Information Display

18.2.4.1 Large Display Panel

The presentation of plant processes on display page formats has led to a generally expressed concern that
the presentation of information on separate, relatively small formats which must be viewed independently
might prevent the operator from gaining an overall "feel" for plant status. In a typical nuclear power plant
the understanding of the whole plant process performance is gained by parallel processing of an array of
conventional instrumentation, i.e., by means of a sweeping glance around the control room. In the control
room a large display panel provides the information that the operator requires for quickly assessing overall
plant status. The LDP display is also available on any workstation in the MCR, Technical Support Center,
and Emergency Operations Facility.

18.2.4.1.1 LDP Characteristics and Features

The LDP provides the operator with information that allows him to determine the overall operational and
safety status of the plant. The LDP presents high-level process overview information and is designed to:

A. Provide a selected set of high-level function indicators, trends for key parameters, PPS actuation
status flags and alarms to support operators' situation awareness of the plant.

B. Provide continuous display of critical function and success path alarms to meet SPDS
requirements.

C. Provide prioritized alarm presentation emphasizing important alarms to organize operational
concerns.

D. Provide plant-wide system fixed mimic to alleviate display page navigation load and to support
crew coordination.

E. Provide flexible display areas in variable display section to meet the diverse information
requirements of different operators in different operational situations.

The LDP uses the same HFESGB for display design (i.e., dynamic symbols, color code, highlighting,
blinking, graphic layout and information coding features), that are used on the Information Display Pages.

18.2.4.1.2 Plant Functional Information on LDP

A primary benefit of the LDP is its capability to support operator response to plant disturbances,
particularly when a disturbance affects a number of plant functions. LDP information supports the
operator's ability to respond to challenges in plant safety. To that end, LDP allows the operator to assess
the overall plant's process performance by providing information to allow a quick assessment of the plant's
critical safety functions. The concept of monitoring plant safety functions requires a categorization of the
safety-related plant processes into a manageable set of information that is representative of the various
plant processes. The critical functions pertaining to the plant are:

1. Reactivity control

2. Maintenance of vital auxiliaries

3. RCS inventory control

4. RCS pressure control

5. Core heat removal

6. RCS heat removal

7. Containment isolation

8. Containment temp & press control

9. Containment H2 control

An alarm tile for each critical function is located on the LDP. The tile provides a single location for the
continuous display of the presence of alarms that jeopardize the specific critical function, by which
the operator can:

A. Determine overall operating status via critical function alarm status and success path availability
and performance status

B. Organize operational concerns via a small number of symbolic representations resulting from
highly processed data

C. Establish priorities for operator actions via prioritized alarm status of critical functions and
availability/performance of success path

The alarm tile representation is an overview summary of critical function display page information.
Detailed information about the alarms is available in any Information Display.

18.2.4.1.3 System Presentation on LDP

Mimic representation of the major heat transport path systems and systems that are required to support the
major heat transport process are presented on LDP. These systems include those that require availability
monitoring per Regulatory Guide 1.47, and all major success paths that support the plant critical functions.

System information presented on LDP includes system operational status, change in operational status (i.e.
active to inactive, or inactive to active) and the existence of alarms associated with the system. Process
variables required to assess the critical functions are also presented on LDP.

18.2.4.1.4 Alarms Presentation on LDP

LDP displays the following types of alarms:

A. Critical function alarms in alarm tile

B. Success path availability/performance alarms using alarm tiles

C. High priority process parameter/component alarms using alarm display convention

18.2.4.1.5 Variable Display Area on LDP

The overview information requirements for plant operations change based on plant operating conditions
and the needs of the operating crew. To address this informational requirement the LDP contains a variable
display area that may offer a useful facility for the presentation of process information on a less permanent
basis.

Alarm lists, trend displays, etc., normally displayed on VDU screens could be projected onto the large
screen for information, monitoring or discussion purposes amongst the operating crew. Operators are
able to display any display format available on the operator workstation on the LDP variable display area.

18.2.4.1.6 Conformance to HFE Requirements

The following design criteria are met in the LDP design.

Situation Awareness - Operator tasks often require detailed diagnostics in very limited process areas.
However, maintaining continuous awareness of plant-wide performance is necessary. This problem is
presently addressed by multiple operators and the continuous presence of a control room supervisor whose
job is to maintain this plant level awareness. The dedicated large display panel can be viewed from
anywhere in the control room, and its simplicity and fixed format make it easily understood at a glance.
Therefore, it provides an operator a continuous indication of plant performance regardless of the detailed
nature of the task that may be requiring the majority of his attention. Additionally, process parameters such
as plant mode, reactor power, and generator power are displayed on the LDP so that the operator can assess
the plant situation immediately.

Salience - The LDP has a significant amount of information to be provided to the operating crew. The LDP
uses relatively little information processing to compose information to higher levels of abstraction. Thus
the use of salience to convey relative importance of this information in a dynamic situation is important
to achieving the LDP intended purpose. Conversely the salience of static, non-data display should be
minimized for information presentation.

The information presentation methods should be consistent and standardized for all MMI resources.
Information system design including the LDP utilizes consistent conventions for presenting information
on all information presentation features. Guidance for the following representation methods has been
established in the HFESGB for use in all information presentation techniques.

A. Names and designators

B. Abbreviation and acronyms

C. Alphanumeric characters for labels and text

D. Color

E. Highlighting

F. Shapes/symbols

G. Analogs and graphs

H. Mimic

I. Scaling

J. Labels

K. Tables and lists

Readability - The LDP shall be visible and usable from the workstations in the MCR in order for the
overview to be useful in coordinating control room activities. Providing text of sufficient size and with
acceptable characteristics to permit viewing from expected MCR locations is critical to LDP's
effectiveness. HFESGB Lighting condition in the MCR can affect the readability of the LDP; however,
adjustability will provide the operators the ability to adjust the lighting levels to the values which provide
the best balance between brightness and glare.

HFE Analysis of LDP

A. The Results of APR1400 Phase II

Phase II top-down SV analyzed the LDP's ability to provide overview monitoring (or fixed-position
monitoring) in support of operational tasks in emergency and routine monitoring, detection,
determining plant status, and evaluating, diagnosing, action planning and checking effectiveness of actions
during off-normal conditions. For the off-normal situations, evaluations were performed for the
following tasks: awareness of plant mode, inadequate core cooling, feedback for parametric, and
component or protection activity. The results generally demonstrated that the LDP was effective in
supporting these tasks and enabling operators to maintain awareness of the plant status. HEDs from phase
II top-down SV were related to 1) information availability issues that were resolved by adding information
to LDP and 2) information presentation issues that were resolved by assuring conformance to the HFESGB
and consistency with other MMI resources. In a subjective rating of the LDP by test subjects, nearly 80%
indicated that the LDP provided overview monitoring capability better than or as good as that of
KSNP plants.

Phase II bottom-up SV evaluated LDP for conformance to the HFESGB criteria. Relatively minor HEDs,
such as component identification and labeling, were resolved by phase III design changes. One significant
HED related to the viewing angle for LDP was resolved by redesigning the viewing planes at the periphery
of the LDP to improve horizontal viewing angles in the Phase III design.

The LDP was used as part of the operating ensemble during the phase II PV. According to the test, the
operators raised a lack-of-salience problem for the LDP during the SGTR event. This resulted because
important information, such as reactor and turbine trip and ESF actuation, was dispersed in the mimic
section and not adequately grouped. As a resolution to this problem, the LDP now provides a separate ESF
section, which groups all ESF information and provides operators with the actuation status of ESF
actuation signals. Additionally, the reactor trip and turbine trip information is provided via first-out alarms
that are located on the upper side of the LDP. Their size is relatively emphasized compared to other
dedicated displays in the LDP. No other major findings were related to LDP use during the SGTR event.
Relatively minor HEDs relating to the design deficiencies of specific flow line connections and information
availability were resolved through the design improvement of the APR1400 phase III.

B. The Results of APR1400 Phase III

The phase III bottom-up SV evaluated LDP for conformance to the HFESGB criteria. Relatively minor
HEDs relating to the inappropriate use of abbreviations and acronyms were resolved through the design
change activities of phase III. One significant HED related to the parameter unit was resolved by the
operators' performance measure during the PV1 design concept test.

The first top-down SV in phase III concentrated on evaluating HEDs from phase II analyses, functional
requirements and high level principles, general LDP HFE issues, and other selected HFE issues. HEDs
were generally related to the needs for information, information location, improper labels, and symbol
shapes. Two issues were identified related to trend information on LDP. Resolutions were provided for
all of these issues. One HED, mimic arrangement inconsistency with the workstation displays, requires
additional evaluation. Subjective rating by the participants again resulted in LDP being as good or better
than conventional control rooms for task performance. The second top-down SV was performed to assess
the suitability of the graphic user interface design of LDP. The verification of the graphic user interface
design was based on the HFESGB and the review of human factors design principles. Based on the
evaluation, the background color of LDP was adjusted, and the general design guidelines were
recommended.

The phase III PV1 concept test for LDP directly addresses its effectiveness to support situation awareness.
The LDP test confirmed the ability of operators to develop situation awareness of critical events directly
from the LDP in a reasonable amount of time, even without a) knowledge of initial plant conditions, b) aid
of additional staff, or c) support by other MMI resources. Measures of LDP effectiveness included
time-to-diagnosis and completeness and correctness of diagnosis. The results of PV1 showed that LDP
was clearly favorable to conventional control rooms for providing overview information with both
objective and subjective measures. And, the LDP supports operator's prompt understanding of plant
conditions.

Based on the integrated system validation tests (i.e., PV2, PV3, and interim V&V), the appropriateness of
the LDP was evaluated from the perspective of the human factors ACR issues. Eleven ACR issues were
identified with respect to the LDP as follows: 1) searching non-directed cues, 2) observing the plant status
after cue detection, 3) establishing and maintaining situation awareness of events and anomalies, 4)
establishing and maintaining shared situation awareness of operations, 5) smooth transitioning from LDP
to other MMI systems, 6) supporting control action confirmation, 7) preventing tunnel vision, 8)
supporting awareness of control mode, 9) supporting supervision of automatic functions, 10) supporting
the maintenance of shared situation awareness, and 11) making sufficient information available. A
principal source of evaluation was operator responses to interview questionnaires. In the PV3
and interim V&V especially, comparative analyses between the LDP and the conventional main control board
were performed using the subjective ratings of operators. The results of the test demonstrated that the
APR1400 LDP is as good as or better than the conventional main control board. Although there was some
difficulty in understanding the plant status in minor anomalies where the change in plant status was subtle,
the LDP supported the operator in realizing the presence of and searching for non-directed cue information,
especially in plant disturbances. During the tests, the operators understood the operation situation and
shared the plant status with sufficient information available. The performance level of situation awareness,
which was measured by KSAX, supported these results. The coordination with other MMI resources
supported plant operation well, because the LDP provided detailed and overview information to be used for
maintaining awareness of the status of the plant. When soft controls were used, for example, the LDP
allowed operators to assess the status of the control system and to identify incorrect configuration. Therefore,
the above-mentioned advantages facilitate the overall assessment of the plant's status because much or all of
the equipment is visible at the same time, and help to prevent the keyhole effect and tunnel vision caused
mainly by the workstation display hierarchy. However, inappropriate ergonomic design factors (such as
color coding method, symbol type and size, and arrangement and layout) decreased the usability and
acceptability of the LDP. The design deficiency will be stored in the ITS and will be resolved and
evaluated in the plant construction project.

18.2.4.2 Workstation Information Display Hierarchy

Information Display Hierarchy provides dynamic display pages of plant parameters and alarms using color
graphic VDU so that an understanding of current plant conditions and status is readily ascertained.
Information display pages provide information important to monitoring, planning, controlling, and
obtaining feedback on control actions.

These display pages contain all the plant information that is available to the operator, in a structured
hierarchy. The information display pages are useful for information presentation because they allow
graphical layouts of the plant and process in formats that are consistent with the operator's visualization
of the plant. In addition information display formats are designed to aid operational activities of the plant
by providing trends, categorized listings, messages, operational prompts, as well as alerts to abnormal
process.

The MCR workstations use multiple display devices that allow simultaneous access to a variety of display
pages in the Information Display Hierarchy. Each workstation includes four VDUs, to each of which any
display page in the Information Display Hierarchy can be assigned. The use of four VDUs also provides
redundancy in the event of any VDU becoming unavailable.

A pointing device such as a mouse is the primary interface to navigate and access display pages in the hierarchy.
Keyboards are not used for information access on any of the control room workstations during normal
operation. The information display hierarchy is driven by the Information Processing System that is
described in 7.7.1.7.

18.2.4.2.1 Contents and Organization

The APR1400 utilizes a large number of information display pages presented on VDUs in workstations
and safety console. The displays provide the operator with the necessary supporting data and information
to help operate the plant in a safe and efficient manner. The displays are organized into a hierarchical
structure to allow for logical and convenient access by the operator.

System Display

It is not feasible to provide operators with displays for all the specific situations that can arise in a nuclear
power plant because of its complex nature. The MMI provides, as a primary MMI resource for all
operations, general function displays such as first-order principle displays (mass/energy balance) rather
than displays for specific conditions and situations. The system display hierarchy provides these general
functions. System displays provide indications, alarms, and controls in the same way that the control panels
of a conventional control room provide operational information to the operators.

The system display hierarchy consists of system mimic displays and their associated supporting pages. A
system mimic display contains plant representation mimics with process parameters and component status for
operational use. The associated pages can be directly accessed from the system mimic displays and contain
the following types of information:

• Trends for the parameters that are included in the system display, for evaluation of the detailed behavior
of the parameters.

• Meters with normal ranges and setpoints for check reading, monitoring and diagnosis of the system
functions.

• Graphs in various forms to support quick assessment of conditions requiring evaluation of
multiple parameters/status. Graphs include PT curves and a composite diagram representing the
acceptable region of RCP operation.

Function Display

Function displays support a limited set of plant operator functions or tasks that cannot be adequately
supported by the system display hierarchy or the computerized procedure display. The system display hierarchy
cannot efficiently and expeditiously support operator functions that require information and control of multiple
systems (or success paths). For example, several success paths should be used by the operator to maintain
critical safety functions. Function displays are organized to provide a functional level view of the plant,
rather than a system level view, and include plant mimics, parameter values, component/system status and
some instructions if necessary. In addition, these displays also allow access to display pages in the system
display hierarchy and the procedure display.

Procedure Display

Procedure displays consist of the set of plant-specific computerized procedures. The scope of these
procedures includes: Emergency Operating Procedures (EOPs), General Operating Procedures (GOPs),
Abnormal Operating Procedures (AOPs), and Alarm Response Procedures (ARPs). These displays provide
the appropriate procedural information for operational usage and may include text, parameter values, flow
charts, access to other displays, and access to the control display.

Aids Display

Aids displays provide complex graphical and calculation aids such as COLSS, Xenon Prediction and
Reactivity Balance Program, or provide information required to perform specific plant operations.

18.2.4.2.2 Display Page/Information Access

The operator's ability to access information and diagnose operational concerns with a VDU-based
information system is dependent on his ability to access appropriate display pages. It is important to limit
the need for the operator to "work the interface" (jump from one screen to another) in order to perform a
specific task. Display page access is fast, simple, consistent among the various display pages and easy to
use. Important indications and alarms, such as those in the LDP and the frame of the VDU, are made available
to the operator without requiring navigation by the operator.

Dedicated areas are reserved on the information display for the following information:

• Standard menus for display page directories, last page viewed, procedure display, supporting pages

• Display system/devices health check indication such as a heart-beat icon

• Page title and page number for page identification

• Current date and time for operation

• System message area for operator feedback

Information that is physically and functionally related to a particular display is accessed by a single click.
Any display page that is directly used for operation can be accessed by two clicks.

Multiple methods are provided to allow access to the workstation display set. The access mechanisms are
designed to allow convenient and rapid access to all workstation display pages by the operator.

Display Page Access Using Display Page Directory

Information display page access is accomplished primarily through the use of the display page directory
located in the frame of the display pages. Via this approach, logically organized display menus and display
directories are utilized to allow the operator to maneuver to the desired display page(s). This methodology
has the added benefit of allowing the operator to observe the organizational and hierarchical relationships
among the display pages and display sets. Each display directory represents one display hierarchy. This
navigation method permits access to any system display with two clicks.

Direct Access

Via this approach, display pages may be accessed directly without navigating through the menu or
directory hierarchies. Two specific approaches are implemented as follows:

• Dedicated display access, in which certain display pages that are deemed important enough to
have an immediate access capability are provided with a direct access mechanism.

• "Format Chaining", in which each display page within the information display hierarchy is 'linked'
(associated) with other related display pages or soft control MMIs or other information (such as
technical data sheets). The "Format Chaining" process (which is activated via a simple VDU
interaction by the operator) allows rapid and convenient access to other display pages, information
or soft control MMIs, directly from the current display page. The following table shows typical
types of "Format Chaining" that are implemented for the workstation displays.

Source display              Target display
--------------------------  ------------------------
Procedure                   System
Procedure                   Soft Control
Procedure                   Procedure
System                      System
System                      Soft Control
System                      Procedure
System                      Technical Data Sheet
Alarm (on Mimic Display)    Alarm Response Procedure
Alarm (in Alarm List)       Alarm Response Procedure
Alarm (in Alarm List)       System

In addition to the above, the ability to directly access the previous display page is also provided. This
allows immediate recall of the previous display page and also provides a convenient mechanism for
"toggling" rapidly between two different display pages.

Control Link

The control link allows the operator to quickly select a controller on the soft control directly from the
Information Display. Format chaining for safety-related components 'links' controllable components that
appear on the ESF-CCS soft control FPD with their associated control template.

For non-safety related components, the format chaining 'links' controllable components that appear on the
Information FPD display pages with their associated soft control. This access mechanism, from information
display to soft control, is provided to simplify the control selection process and to reduce the mental
workload of device selection. Once the component (or process symbol) on an information display is
designated, the related control device is automatically selected on the corresponding soft control.
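
The chaining pairs in the table above and the two-click access target can be checked mechanically against a display database. The following is an added example, not part of the SSAR or the APR1400 design: the page identifiers, the directory tree and the click-counting model are constructed assumptions, and because the table lists only typical chaining types, an unlisted pair is flagged for review rather than treated as an error.

```python
# Added illustration, not APR1400 code. Page ids, the directory tree and the
# click-counting model are constructed assumptions; only the chaining pairs
# are taken from the "Format Chaining" table in the text.
from collections import deque
from typing import Dict, List, Set, Tuple

# (source display kind, target display kind) pairs listed in the table.
LISTED_CHAINS: Set[Tuple[str, str]] = {
    ("procedure", "system"),
    ("procedure", "soft_control"),
    ("procedure", "procedure"),
    ("system", "system"),
    ("system", "soft_control"),
    ("system", "procedure"),
    ("system", "technical_data_sheet"),
    ("alarm_on_mimic", "alarm_response_procedure"),
    ("alarm_in_list", "alarm_response_procedure"),
    ("alarm_in_list", "system"),
}

# Constructed sample display database: page id -> display kind.
SAMPLE_KINDS: Dict[str, str] = {
    "RCS-MIMIC": "system",
    "CVCS-MIMIC": "system",
    "FW-MIMIC": "system",
    "EOP-01": "procedure",
    "SC-PUMP-A": "soft_control",
    "ALM-LIST": "alarm_in_list",
    "ARP-07": "alarm_response_procedure",
}

# Constructed directory menu: following one edge costs one click.
SAMPLE_MENU: Dict[str, List[str]] = {
    "DIRECTORY": ["PRIMARY", "SECONDARY"],
    "PRIMARY": ["RCS-MIMIC", "CVCS-MIMIC"],
    "SECONDARY": ["FEEDWATER"],
    "FEEDWATER": ["FW-MIMIC"],      # nested one level too deep on purpose
}

# Constructed format-chaining links (source page, target page).
SAMPLE_LINKS: List[Tuple[str, str]] = [
    ("EOP-01", "RCS-MIMIC"),
    ("RCS-MIMIC", "SC-PUMP-A"),
    ("ALM-LIST", "ARP-07"),
    ("SC-PUMP-A", "EOP-01"),        # soft control -> procedure is not in the table
]


def unlisted_chains(kinds: Dict[str, str],
                    links: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return links whose (source kind, target kind) pair is not in the table."""
    return [(src, dst) for src, dst in links
            if (kinds[src], kinds[dst]) not in LISTED_CHAINS]


def click_depths(menu: Dict[str, List[str]], root: str) -> Dict[str, int]:
    """Breadth-first search: minimum number of clicks from the directory root."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in menu.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                queue.append(child)
    return depth


def pages_beyond_limit(kinds: Dict[str, str], menu: Dict[str, List[str]],
                       root: str, kind: str = "system", limit: int = 2) -> List[str]:
    """Pages of one kind that need more than `limit` clicks or are unreachable."""
    depth = click_depths(menu, root)
    return sorted(page for page, k in kinds.items()
                  if k == kind and depth.get(page, limit + 1) > limit)


if __name__ == "__main__":
    print("chains to review:", unlisted_chains(SAMPLE_KINDS, SAMPLE_LINKS))
    print("system pages beyond two clicks:",
          pages_beyond_limit(SAMPLE_KINDS, SAMPLE_MENU, "DIRECTORY"))
```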

18.2.4.2.3 Historical Data Storage and Retrieval (HDSR)

All alarm information will be collected and stored by the IPS. Alarm activity, i.e., time in, priority, time
acknowledged, time cleared and time reset, is stored along with the description of the alarm and any
pertinent information that may be required by the operator or the technical support center. The IPS also
stores a record of trends for particular data points within the plant.

18.2.4.2.4 Conformance to HFE Requirements

The following high-level design principles are key to the design of the workstation display hierarchy.

Consistency - IPS displays serve as the primary interface for access to plant information in the control
room. They present a diverse range of information from a variety of sources including application
programs. IPS displays are also a focal point in accessing other MMI resources; of particular note are the
format chains to soft control and CPS. In these widely varying roles and interactions with other MMI resources,
maintaining consistency in the navigation, conventions and information presentation formats within the
IPS displays and with other MMI is critical.

Task Usability - IPS displays are a primary source of obtaining information for plant operators in the
control room. They are designed with consideration of task requirements, as well as the intended users,
both at the control room workstations and in other locations. Providing directly usable information, not raw
data, is an important consideration due to the breadth of data that is available in the IPS. Other
considerations pertinent to IPS display design include limiting required memorization and providing
calculated information so that the operators are not required to perform repetitious calculations.

Structure/Organization - The IPS is the focal point for obtaining information for monitoring tasks in the
control room. In addition, due to the breadth of the IPS' scope, it has significantly more display pages than
other MMI resources. Because of this, careful consideration of the structure and organization of IPS
displays is warranted. The organization should be clear to the operators and rest on straightforward bases,
such as the breakdown of plant systems and conformance to the plant P&IDs. Convenient access to other
information and displays through clearly defined navigation methods is also important to fulfilling the IPS'
function.

Feedback - During the design of IPS display pages, an important consideration is its role in providing
feedback to the operators regarding system changes and the effect of control actions. The IPS feedback role
is integrated with soft controls, since fixed location feedback from control switches is limited in the control
room.

HFE Analysis of the Information Display Hierarchy

A. The Results of APR1400 Phase II

Phase II top-down SV analyzed the ability of information displays to provide detailed monitoring in
support of operational tasks including emergency and routine monitoring, detection, determining plant
status, and evaluating, diagnosing, action planning and checking effectiveness of actions during off-normal
conditions. The evaluation looked specifically at adequacy of critical safety functions and success path
availability, navigation to desired display pages, and display formats and integration with other MMI
resources. The results generally demonstrated that the information display hierarchy was effective in
supporting these tasks and enabling operators to obtain desired information. HEDs were related to 1)
inappropriateness of information availability location, such as lack of sensor failure indication, 2)
inconsistency with soft control interaction and information presentation, and 3) excessive waiting for a
display to be populated with dynamic data after it is drawn. These were resolved by redesigning the
information display hierarchy in phase III and by assuring conformance to the HFESGB and
consistency with other MMI resources. The third deficiency is an implementation problem, not a
design problem. A subjective rating of the workstation displays by test subjects resulted in over 75%
indicating that the workstation display hierarchy provided improved or as-good monitoring capability
compared with KSNP plants.

Phase II bottom-up SV evaluated the information display hierarchy for conformance to the HFESGB
criteria. HEDs were related to 1) only using vertical bar indicators, which was resolved by adding a
horizontal bar, 2) poor brightness ratio for certain symbols and buttons, which was addressed by redesign
in the phase III design, and 3) inconsistency of selection and activation feedback mechanisms, which has
been modified in the Phase III design. Other relatively minor HEDs related to inconsistencies and specific
details of the information display hierarchy were addressed in the phase III design effort.

The information display hierarchy was used as an integral part of the operating ensemble during the phase
II PV for monitoring and soft control access. Operators brought up the lack of trend and graphical
information for parameters, such as cool-down rates, and constructs such as a dynamic PT curve. To
resolve these issues, information formats of the kind suggested were added to the display design. Other
similar specialized information will be identified through task analysis and future evaluation efforts.

B. The Results of APR1400 Phase III

Phase III bottom-up SV for the information display hierarchy addressed its conformance to the HFESGB
criteria. HEDs related to 1) abbreviation of automatic/manual, 2) display of breaker symbol status, and
3) display of parameter unit were resolved by design changes.

The first top-down SV in phase III concentrated on evaluating the information display hierarchy from the
perspective of HEDs from phase II, functional requirements, high-level HFE principles and issues, and
human factors guidelines. HEDs were generally related to 1) needs for information not currently available
on the displays, 2) consistency of display information and consistency with soft control, 3) HFESGB
deviations such as color and page links, and 4) tunnel vision. Resolutions were provided for those HEDs
not requiring further evaluation and were implemented. Subjective rating by the test subjects resulted in
the information display hierarchy being rated as superior to conventional MMI and remarkably superior
for performance flow, workload and training load. The second top-down SV was performed to assess the
suitability of the graphical user interface design of the information displays. The verification of the
graphical user interface design was based on the HFESGB, the review of human factors design principles,
and SMEs' judgements. Based on the evaluation, the color of information displays was adjusted, and
general design guidelines were recommended.

The phase III PV1 concept test for information displays addressed the effectiveness of display navigation.
This represents a number of related issues (e.g. efficiency of access, learnability, impact of errors and
getting lost, relations/links between pages and resources, etc). For the APR1400 MMIS, the greatest
navigation concern for the information displays is adequate support for plant control actions, particularly
actions related to safety. Workstation navigation was meaningfully addressed by testing its ability to
support procedure execution using soft control and hardcopy procedures. The results of PV1 showed that
navigation on the information displays was easy and clearly supported acceptable task performance for
both soft control and CPS.

A series of integrated system validation tests (i.e., PV2, PV3, and interim V&V) were performed to
evaluate the appropriateness of the information displays from the perspective of the human factors ACR
issues. Eight issues were identified with respect to the information displays as follows: 1) supporting
smooth transition from the information displays to another MMI resource, 2) supporting CPS, 3)
supporting control action confirmation, 4) preventing tunnel vision, 5) preventing operators from getting
lost, 6) organization and navigation for supporting parallel processing, 7) supporting supervision of automatic
functions, and 8) supporting sufficient information. A principal source of evaluation was operator
responses to interview questionnaires. Using the subjective ratings of operators, especially in the tests of
PV3 and interim V&V, comparative analyses were performed between the information displays and
the conventional main control board. The graphic-based information displays were useful for checking the
plant status and helped the operators to maintain good situation awareness. The general consensus of the
operators was that, compared with a conventional control room, it was easier to reach wanted information.
According to the operators' opinions, the various trend displays for monitoring of plant status were
evaluated as the most valuable feature during emergency operations. The system mimic displays were also
valuable in supporting operation tasks that require a detailed view of a particular system. The results of the
tests also demonstrated that the information displays appropriately support operators for a variety of
short-term needs, such as retrieving controls and taking control actions, and long-term needs, such as
monitoring the status of important variables. Furthermore, the information display hierarchy was well
organized so that operators can rapidly find the displays with the controls of interest, and it allows detailed
and overview information to be used together effectively. The results of the subjective ratings support these
results well: the information displays were rated as easier or better than the conventional main control board.

18.2.4.3 Computerized Procedure Displays

The Computerized Procedure System (CPS) is a computerized operator support system that enables an
operating crew to execute procedures with much reduced secondary tasks. It presents an overview and
instructions of a procedure and related process information and controls that need to be cross-referenced
to execute the procedure. The procedure display is used by the operator in conjunction with other types of
displays. The CPS is used in normal plant mode as well as in emergency modes. Backup hard-copy
procedures are used when CPS is not available.

18.2.4.3.1 Operation with CPS

Basically the same operating process as that of a conventional control room is maintained. A control room
supervisor (CRS) has overall control over the execution of the procedure. An RO and a TO execute the
procedure steps that are assigned to them by the CRS. An EOP is executed by the operating crew in
coordination. Some procedures such as SOPs can be executed by a single operator. The CPS supports
coordination among operators when an operating crew executes a single procedure by showing, in the
overview pane, the steps that the other operators are currently working on. The CRS is in charge of
coordination by issuing verbal orders.

18.2.4.3.2 Display Location of Computerized Procedures

CPS procedures can be displayed in the following locations:

• CRS workstation

• RO workstation

• TO workstation

Switching the procedure display VDUs does not result in the loss of place keeping information. When
an operator is not following a procedure, the operator can use all the workstation displays for other purposes.

18.2.4.3.3 Multiple Procedures Execution

CPS supports the concurrent execution of multiple procedures. However, switching between procedures
is initiated by the operator. Because the operator is in charge of transition, the procedure display provides
adequate information for the operator to switch among them.

18.2.4.3.4 Procedure Initiation

There are multiple methods to initiate a procedure:

• Selecting a procedure from the procedure list can initiate a procedure. Since all procedures are
categorized, the operator can select a category to narrow down the search items.

• Executing an instruction in a procedure can initiate another procedure.

• Selecting a procedure in a system (mimic) display can initiate a procedure.

18.2.4.3.5 Place Keeping of Procedure Execution

CPS keeps track of steps in the procedure being executed. Every step can have one of the following states:
"Executed", "Being Executed", or "Not Executed". The states are distinguished by appropriate coding.
From opening a procedure to closing the procedure, place keeping information is recorded and shown
subsequently.

18.2.4.3.6 Management of Continuously Applied Steps

Monitoring of the continuously applied steps is supported by CPS. As the operator executes a procedure step
by step, each continuously applied step is registered to the CPS monitoring function. After the registration,
CPS continuously evaluates the registered step in the background. Whenever the entry condition of the step
is met, the procedure display informs the operator of the fact.

18.2.4.3.7 Cross Referencing Aids

All the process information and control components that are cross referenced in the instruction are
presented near the associated instructions so that the operator can easily evaluate the instruction. System
(mimic) displays, graphs, and tables are directly accessed by format chains from the procedure display.

18.2.4.3.8 Checking Aids

The entry condition of the current step and/or the completion of current step objectives are evaluated by
the computer based on the process information and/or operator actions per instructions. The operator has
ultimate control over the decision of the computer and is able to override the computer's evaluation results.
The operator initiates every transition among procedures and every transition among steps.
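
The behavior described in 18.2.4.3.5 through 18.2.4.3.8 (three step states, background evaluation of registered continuously applied steps, and computer checks that the operator can override) can be expressed as a state model. This is an added example, not the APR1400 CPS implementation: all class, method and parameter names are hypothetical, the single-current-step rule is a modeling assumption, and the plant values and thresholds are constructed.

```python
# Added illustration, not APR1400 code. Class, method and parameter names are
# hypothetical; plant values and thresholds below are constructed.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple

Plant = Dict[str, float]


class StepState(Enum):
    NOT_EXECUTED = "Not Executed"
    BEING_EXECUTED = "Being Executed"
    EXECUTED = "Executed"


@dataclass
class Step:
    step_id: str
    objective_met: Callable[[Plant], bool]   # computer's check of step completion
    # Present only on continuously applied steps: when true, the step applies.
    entry_condition: Optional[Callable[[Plant], bool]] = None
    state: StepState = StepState.NOT_EXECUTED


@dataclass
class ProcedureSession:
    steps: List[Step]
    display_vdu: str = "CRS-VDU-1"           # constructed display location
    current: Optional[Step] = None           # modeling assumption: one step at a time
    monitored: List[Step] = field(default_factory=list)
    log: List[Tuple[str, str, str]] = field(default_factory=list)

    def begin_step(self, operator: str, step_id: str) -> None:
        """Start a step. Only an operator call does this; nothing auto-advances."""
        if self.current is not None:
            raise RuntimeError("a step is already being executed")
        step = next(s for s in self.steps if s.step_id == step_id)
        step.state = StepState.BEING_EXECUTED
        self.current = step
        if step.entry_condition is not None and step not in self.monitored:
            self.monitored.append(step)      # register with the monitoring function
        self.log.append((operator, step_id, "begin"))

    def complete_step(self, operator: str, plant: Plant) -> bool:
        """Close the current step on the operator's decision.

        Returns True if the computer's evaluation agreed. A disagreement is
        logged as an override and reported to the caller, but it never blocks
        the operator."""
        if self.current is None:
            raise RuntimeError("no step is being executed")
        step, self.current = self.current, None
        agreed = bool(step.objective_met(plant))
        step.state = StepState.EXECUTED
        self.log.append((operator, step.step_id, "complete" if agreed else "override"))
        return agreed

    def background_scan(self, plant: Plant) -> List[str]:
        """Evaluate registered continuously applied steps. Returns the ids whose
        entry condition is met so the display can inform the operator; it does
        not change the current step."""
        return [s.step_id for s in self.monitored if s.entry_condition(plant)]

    def move_display(self, vdu: str) -> None:
        """Switching the procedure display VDU leaves place keeping untouched."""
        self.display_vdu = vdu

    def place_keeping(self) -> Dict[str, str]:
        return {s.step_id: s.state.value for s in self.steps}


def build_sample_session() -> ProcedureSession:
    """Constructed three-step procedure; step 2 is continuously applied."""
    return ProcedureSession(steps=[
        Step("1", objective_met=lambda p: p["reactor_tripped"] == 1),
        Step("2", objective_met=lambda p: True,
             entry_condition=lambda p: p["subcooling_margin_c"] < 15.0),
        Step("3", objective_met=lambda p: p["sg_level_pct"] >= 30.0),
    ])


if __name__ == "__main__":
    plant = {"reactor_tripped": 1, "subcooling_margin_c": 40.0, "sg_level_pct": 20.0}
    session = build_sample_session()
    for step_id in ("1", "2", "3"):
        session.begin_step("CRS", step_id)
        print(step_id, "computer agreed:", session.complete_step("CRS", plant))
    plant["subcooling_margin_c"] = 10.0      # margin degrades later in the event
    print("notify operator of steps:", session.background_scan(plant))
    print(session.place_keeping())
```

The override entries in `log` are what an after-the-fact review would examine: each records who closed a step against the computer's evaluation.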

18.2.4.3.9 Procedure Display Format

The procedure display format follows the same HFESGB as other displays to ensure consistency in the
workstation displays. Procedure display is designed to improve operator's recognition of instructions and
situation awareness by presenting hierarchically organized instructions. The instructions are systematically
organized in a graphic form.

18.2.4.3.10 Conformance to HFE Requirements

The following high-level design principles are key to the design of the CPS.

Consistency - The computerized procedure system is somewhat unique in the control room, in that it is
a MMI resource for which there is no predecessor KSNP design. In addition, it is a focal point for MMI
procedural execution including emergency operations. For these reasons consistency with the other MMI
resource conventions and navigation methods is critical to assure usability of the CPS.

Task Usability - As the normal method to use procedures in the control room, the CPS is arguably the
most task-oriented of all MMI resources. As such, it is particularly important to consider task usability
concepts to develop a suitable CPS design. This includes consideration of task goals and requirements,
normal and emergency conditions, appropriate presentation of information in directly usable forms, and
avoidance of unnecessary data or controls selections. The design of the CPS also requires cognizance of
procedure generation guidance to assure appropriate procedure format, and of plant procedure guidelines
(e.g. Emergency Procedure Guidelines) to assure appropriate content.

Operator-in-the-Loop - Keeping the operator in control of plant operation is important to 1) maintaining
his awareness of the detailed plant situation, and 2) maintaining his alertness through appropriate workload
level. With the processing capability of an electronic procedure platform there is a temptation to automate
procedure performance beyond current levels, provided by decision aids such as Critical Function
Monitoring. However, automation should not be added just because technology exists, but only to address
specific problems in procedure execution. More specifically, the CPS should not drive procedure
execution, as this responsibility remains with the operator. This guiding principle of CPS design is called
"operator leading".

Predictive Displays/Computer Decision Aids - Non-deterministic predictive aids (e.g., decision aids
based on artificial intelligence) should be avoided in the control room. Such systems may lead the operator
to be over-dependent on them in critical situations, and the correctness of their results cannot be assured.
In contrast, note that deterministic predictive displays that address specific problems (e.g., for xenon
transient response), are an acceptable means to improve total man-machine system performance. In CPS,
however, computer-based decision aiding is not of predictive nature, but is used primarily in a confirmatory
role. Again, the computer should not "lead" the operator or supplant his role. Indication that the computer
has reached a different conclusion for a logical step is appropriate.

HFE Analysis of CPS

A. The Results of APR1400 Phase II

Phase II top-down SV analyzed the CPS functions for their ability to allow operators to execute the following
tasks: 1) selecting, retrieving and managing individual or multiple procedures, 2) reading instructions,
cautions and comments, 3) monitoring continuously applied and postponed steps, 4) planning actions, and
5) coordinating crew activities. The evaluation also looked specifically at the adequacy of the procedure
structure including overview, presentation format, and interface with other MMI resources. The results
generally demonstrated that CPS was an effective resource to support procedure execution. A subjective
rating of the CPS by test subjects resulted in over 90% indicating that CPS provided improved or
as-good capability to execute procedures compared with paper-based procedures. Relevant to the CPS, HEDs
were found as follows: 1) confusion in step numbering, 2) lack of support in tracking continuously applied
steps, and 3) inconsistencies, such as in the behavior of the monitoring window and color application. All of
these were resolved in the phase III design.

Phase II bottom-up SV evaluated the CPS for conformance to the HFESGB criteria. HEDs related to
logical ordering of the decision options available and group labeling for CPS display attributes were
resolved by phase III design changes.

The CPS was used as part of the operating ensemble during the phase II PV for execution of the SGTR
EOP. The results of the PV identified significant problems with the Phase II CPS design. The CPS-related
HEDs included (1) confusion regarding the 12 types of tasks identified in the CPS, (2) difficulty in seeing
information about previous steps, (3) divergence of operator's attention to CPS instead of necessary
monitoring, (4) location of the CPS being limited to the rightmost CRT in the workstation, (5) difficulty
in skipping and returning to steps, and (6) treatment of procedure cautions and notes being the same when
they should not be. These HEDs were resolved in the modified Phase III CPS design.

B. The Results of APR1400 Phase III

Phase III bottom-up SV for CPS addressed its conformance to the HFESGB criteria. All HEDs were mainly
related to the inconsistency and inappropriateness of units and were resolved by revision of the design.

The phase III top-down SV concentrated on evaluating HEDs from phase II analyses, functional
requirements and high level principles, and general HFE evaluation issues related to CPS. The general
result of the subjective ratings demonstrated that the test subjects had a very positive impression of
using CPS for procedure execution. Relevant to the CPS, however, HEDs were found
as follows: 1) additional information needed for certain EOP steps, 2) the ability to return to previous steps
that are no longer satisfied, 3) use of CPS by the RO and TO, and 4) inconsistencies of design details.
Resolutions for the HEDs had been identified and were implemented.

The phase III PV1 concept test for CPS directly addressed its effectiveness to support "timely and accurate
procedure execution". This reflects concern with the speed-accuracy tradeoff in human performance.
Therefore, the PV1 test was focussed on confirming that procedure execution through the CPS is sufficiently
fast and accurate. The results of the test demonstrated that the CPS was validated as an effective aid to
procedure execution. This was done by comparing paper-based procedure execution with CPS
execution. Furthermore, the CPS was viewed subjectively as an improvement to paper-based procedures.
Subjects showed lower workload and task complexity with CPS. Crew coordination was rated as better
with CPS because all crew members could see what others were doing in the procedure.

A series of integrated system validation tests (i.e., PV2, PV3, second top-down SV, and interim V&V)
were performed to evaluate the appropriateness of the CPS from the perspective of the human factors ACR
issues. Three issues were identified to guarantee the appropriateness as follows: 1) supporting selection
and formation of actions, 2) supporting smooth transition from CPS to other MMI resources, and 3)
supporting control action confirmation. A principal source of evaluation was operator responses to
interview questionnaires and the observations of SMEs (i.e., human factors specialists and process experts).
The results of the tests demonstrated that the CRSs were able to utilize the CPS to work through the EOPs
without any trouble. Many of the CRSs pointed out that the CPS was a beneficial support system. Also,
they commented that the CPS gave a lot of information without asking the operators, and it was faster
because the operator doesn't have to run around. The SMEs observed, as advantages of the CPS, that
operators were able to keep pace with the event and transition smoothly between procedures. No evidence
of getting disoriented, losing place in the procedure, or having difficulty finding or navigating was
observed during the tests. They felt it allowed the CRSs to work through the procedure faster and more
accurately than with the PBP.

Using the subjective ratings of operators, especially in the tests of PV3 and interim V&V, comparative
analyses were performed between the CPS and conventional paper-based procedures. The objective of the
comparative analyses was to analyze the major impacts of the CPS on the following performance measures:
situation awareness, workload, team interaction, and the operators' subjective preferences. As a result, the
performance measures were rated better with the CPS than with the PBP. In particular, the results for the
operators' subjective preferences revealed significant differences, i.e., the operators rated the CPS higher
than the PBP.

However, previous theoretical studies and design experience with the CPS pointed out that the CPS had an
effect on crew communication: the amount of communication between the CRS, RO, and TO went down, so
that the reduced communication can negatively impact their ability to maintain situation awareness. These
apprehensions were mainly caused by the following reasons: with paper-based procedures, the main
objective of communication is to obtain the information on the status of individual parameter values
between the CRS and the RO and TO. In the case of the APR1400, the CPS provides the plant parameter
data directly to the CRS. By removing the forced need to communicate, the CPS results in reduced
communication. However, the SMEs observed that the reduced communication did not negatively impact
the operators' ability to maintain situation awareness. On the contrary, the CPS could shift the content of
communication to a high level that more directly addresses the status of the plant.

18.2.4.4 Safety Parameter Display System

The critical function and success path monitoring application programs, in conjunction with the continuous
LDP display and the information display VDUs, meet the Safety Parameter Display System (SPDS)
requirements for the MMI without using stand-alone monitoring and display systems. Since the main
intended use of SPDS is during relatively rare occurrences, human factors engineering suggests that the
operators will find that the use of data acquisition habits acquired and repeated during the normal operation
of the plant will be the most successful. A system in the control room that is used only during abnormal
situations may require a shift in mental focus as well as in data acquisition habits and subsequent analysis.
The operator interface to the plant is improved by integrating SPDS requirements into the overall
man-machine interface design to avoid the need for another system that is infrequently used. The SPDS
functions are implemented in the Critical Function/Success Path Monitoring (CF/SPM) system. Critical
function and success path (availability and performance) information is integrated throughout the MMI
information hierarchy.

The following information displays/indications provide the operator with Critical Function/Success Path
information:

LDP

• Critical function/success path alarm indication

• Safety function status check selected

• Alarm and process parameter information depicting critical function and success path problems.

Information Display Hierarchy

Critical Function section of information display hierarchy and alarm information in lower level pages (i.e.,
2nd and 3rd level) depicting success path problems and critical function parameter problems.

The design, iterative design evaluations, and verification and validation of the CF/SPM are performed
as part of the overall design process described in the Human Factors Engineering Program Plan
(HFEPP), the MMI Design and Integration Plan, and the HFE V&V Plan. The human factors principles in the
Human Factors Engineering Standard, Guidelines and Bases (HFESGB) are also reflected in the CF/SPM
design.

Alarms provide guidance on unexpected deviations in critical functions as well as success path
unavailability and/or performance problems. CF/SPM alarm tiles in the LDP continuously provide
overview information that is most useful for operator assessment of the critical functions. Each critical
function alarm tile in the LDP highlights the presence of alarms that threaten the specific critical
function. The alarm tile indicates the highest priority of all related alarm conditions. Supporting information
is available by using the alarm tiles on the critical function section of the information display page
hierarchy.

The Qualified Indication and Alarm System (QIAS) processes and displays selected critical plant
parameters and component status. The QIAS does not process critical function and success path related
alarm algorithms as the IPS does.

The critical function section of the information display hierarchy contains the following information in an
organized, consistently formatted manner that supports rapid, concise understanding of the plant safety
status:

Level 1 Display Page

This "Critical Functions" overview page provides the same critical function alarm tiles as the LDP does.
The alarm information is provided to help guide the operators to the appropriate Level 2 Critical Function
display page.

Level 2 Display Page

The 2nd level display page is provided for each of the following nine critical functions:

• Reactivity control

• Maintenance of vital auxiliaries

• Reactor coolant system inventory control

• Reactor coolant system pressure control

• Core heat removal

• Reactor coolant system heat removal

• Containment isolation

• Containment temperature and pressure control

• Containment combustible gas control

Each page contains:

• Information related to the availability and performance of the success paths that can support that critical
function.

• High-level information for each critical function/success path, presented in Resource Assessment Tree
(RAT) format.

Level 3 Display Page

The 3rd level display pages are the same plant mimic displays as those in the system display hierarchy. For
example, the safety injection display page under Inventory Control also exists within the system mimic
display hierarchy. These displays are used to satisfy the critical function represented by a Level 2 display
page.

The operator training program contains instructions on the use of the SPDS, and the user's manual that
contains the instructions is available for operator reference in the control room.

Conformance to HFE/Regulatory Requirements

The following design criteria are met in the CF/SPM design.

A. Safety Parameter Display System (SPDS) requirements.

The MMI integrates normal and post-accident displays related to the safety parameter display system
(SPDS). Critical safety function and success path monitoring algorithms and displays are integrated into
the IPS. This allows the operator to use the same interface to access SPDS information as he uses during
normal operation. In conventional plants the SPDS is typically a backfit, stand-alone system that is not
integrated with EOP execution.

The CF/SPM system is also used for data acquisition and display for the Emergency Response Facilities
(ERF), and as the primary display of the Inadequate Core Cooling (ICC) variables.

B. Task Usability

The CF/SPM system is provided to present integrated plant information from which the operator may
quickly monitor and diagnose the safety status of the plant during abnormal and normal operations. The
CF/SPM system accomplishes this objective by monitoring the critical functions and by providing visual
and audible alarms when any of these critical functions is not being maintained.

The following is a summary of how the SPDS function complies with regulatory requirements:

1. The APR1400 MMI design provides a concise display of critical function and success path
performance indications to control room operators via the Information Processing System (IPS)
VDUs.

2. Critical function and success path performance information is provided through a dedicated IPS
critical function display page hierarchy. It is conveniently and rapidly available to control room
operators at any IPS VDU in the APR1400 control room. This includes those normally used by
operators at the RO, TO and CRS workstations as well as at the safety console.

3. The LDP is a fixed location display that continuously shows all critical function and success path
alarms and key critical function and success path parameters to the control room operators thus
meeting requirements for continuous display of SPDS information.

4. The IPS system, which provides the application programs for critical function and success path
monitoring for APR1400, has a reliability of greater than 99.99%.

5. The IPS accommodates the failure of any single hardware element so that no single failure will
disable any of its functions. The IPS is fully isolated from all safety systems.

6. The IPS MMI design is developed according to the systematic MMI design process defined in the
APR1400 HFEPP. It is designed using the comprehensive set of Human Factors Standards,
Guidelines and Bases that provide HFE guidance for all APR1400 MMI.

7. All five of the safety function elements (reactivity control, reactor core cooling and heat removal
from the primary system, reactor coolant system integrity, radioactivity control, and containment
conditions) and associated key parameters are included in the IPS Critical Function Monitoring
hierarchy. The scope of information in this hierarchy meets the functional scope required of the
SPDS to determine plant safety status.

8. The APR1400 Critical Function Monitoring function is developed in a complementary (parallel)
fashion with the development of APR1400 Emergency Operations Guidelines. Generic emergency
procedure guidelines are used during the design process.

18.2.4.5 Independent Review Comment Summary

Review comments of independent reviewers, the designers' responses to the comments, and the reviewers'
opinions on the designers' responses are available in the official documents, "Independent Review
Comments and Resolutions."

Some of the key comments from independent reviewers are as follows:

• The alarm list format forces the operator to sort through acknowledged alarms and
unacknowledged alarms to determine the ones that still require his attention.

• The colors on the soft control display cannot be reliably read from the seated position at
workstations due to its angle.

• If the software does not respond to an operator input quickly enough, the operator should be notified
that the entry was received and is being processed (e.g., hourglass).

• Line widths used on the LDP and in the flow diagrams on the CRTs do not reflect a hierarchy.
Currently all lines appear to have the same width. Varying line widths will help to visually organize
both the CRT displays and the LDP displays. The thickest lines should represent the largest pipes.

• Alarms on system mimic displays flash simultaneously with the alarm list page. This causes no problem
when there are just a few alarms in the plant, but becomes problematic by disturbing the operator's
information use when a large number of alarms are present.

• Variable sections of the LDP are located at both ends of the LDP rather than at a central location.
This choice of locations is not appropriate to support information sharing among the operating crew.

18.2.5 Alarms

The alarm system is the primary control room interface to immediately alert the operator to out-of-tolerance
changes in plant conditions. The alarm warning system consists of three major functions: an auditory alert
function, a visual alarm function, and an operator response function. Together, these three functions are
designed to provide a preferred operational sequence for alarm warnings. The control room alarm system
follows the HFESGB so that alarms are immediately and correctly noticed, accurately responded to in a
timely fashion, easily acknowledged and reset, and easily discriminated.

18.2.5.1 Alarm Prioritization and Coding

Alarms are presented in a manner that prioritizes them so that the operator's response can be based on
their relative importance or urgency and the time within which the operator must take action. Alarms are
grouped into 3 priorities. In addition to these alarm priorities, there exists a separate category called "Flag".
A Flag provides operational guidance information that is not representative of an undesirable process or
component condition.

Shape coding on alarm tiles, alarm descriptors, mimic diagram component descriptors, process parameter
descriptors, and directory/display page option fields is used to identify alarms.

18.2.5.1.1 Alarm Flash Rates

Flash rates are chosen according to industry guidelines in order to provide reflash cues and acknowledge
cues which are perceptually discriminable. New alarms are indicated by a fast flash rate and cleared alarms
are indicated by a slow rate.

18.2.5.1.2 Alarm Auditory Coding

Distinct sounds/tones are provided in the main control room to indicate alarm information.

18.2.5.2 Alarm Processing

The alarm system incorporates the following features:

A. Alarms are presented on grouped alarm tiles or workstation display representations, with dynamic
messages used to inform operators of specific conditions in alarm.

B. Alarms are based on applicability for plant operating mode. Alarm logic and setpoints are specific
for each of the following typical alarm modes:

• Plant operation/startup

• Hot standby/Hot shutdown

• Cold shutdown/refueling

The mode change is made manually for both the IPS and the QIAS-N. When the IPS detects that a
mode change is appropriate, the system prompts the operator to change the alarm mode of the IPS. The
operator then manually changes the alarm mode of the IPS. After that, the alarm mode of the QIAS-N is
also manually changed. The change to hot standby/hot shutdown mode after reactor trip is automatic for
both systems. Mode-dependent alarms significantly reduce nuisance alarm generation.

C. Alarm logic and setpoints are based on equipment status, e.g., low discharge pressure is only
applicable when a pump is supposed to be running. This approach helps to significantly reduce the
number of nuisance alarms.
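The mode-dependent and equipment-status-dependent alarm logic described in items B and C, together with the rule that a grouped alarm tile shows the highest priority of its related alarm conditions, can be sketched as follows. This is an added illustration, not code from the APR1400 IPS or QIAS-N; the alarm tags, parameter names, setpoint values and the function names are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class Mode(Enum):
    """The three typical alarm modes listed in item B."""
    OPERATION_STARTUP = "plant operation/startup"
    HOT_STANDBY_SHUTDOWN = "hot standby/hot shutdown"
    COLD_SHUTDOWN_REFUELING = "cold shutdown/refueling"


def _always(plant: dict) -> bool:
    return True


@dataclass(frozen=True)
class AlarmDef:
    tag: str                          # constructed identifier
    tile: str                         # grouped alarm tile this alarm rolls up to
    priority: int                     # 1 (highest) to 3
    parameter: str                    # key into the plant snapshot
    low_setpoints: Dict[Mode, float]  # per-mode setpoint; absent mode = not applicable
    applicable: Callable[[dict], bool] = _always  # equipment-status condition


INVENTORY = "Reactor coolant system inventory control"
HEAT_REMOVAL = "Reactor coolant system heat removal"

# Constructed definitions: tags, setpoints and units are illustrative only.
ALARMS: List[AlarmDef] = [
    AlarmDef("CHG-PMP-DISCH-P-LO", INVENTORY, 2, "chg_disch_press",
             {Mode.OPERATION_STARTUP: 100.0, Mode.HOT_STANDBY_SHUTDOWN: 100.0},
             applicable=lambda plant: plant["chg_pump_demand"]),
    AlarmDef("SG-LVL-LO", HEAT_REMOVAL, 1, "sg_level",
             {Mode.OPERATION_STARTUP: 40.0, Mode.HOT_STANDBY_SHUTDOWN: 30.0}),
    AlarmDef("PZR-LVL-LO", INVENTORY, 1, "pzr_level",
             {Mode.OPERATION_STARTUP: 25.0, Mode.HOT_STANDBY_SHUTDOWN: 20.0}),
]


def naive_alarms(defs: List[AlarmDef], plant: dict) -> List[AlarmDef]:
    """Baseline for comparison: one fixed setpoint set, no mode or status logic."""
    return [d for d in defs
            if plant[d.parameter] < d.low_setpoints[Mode.OPERATION_STARTUP]]


def active_alarms(defs: List[AlarmDef], mode: Mode, plant: dict) -> List[AlarmDef]:
    """Apply item B (mode-specific setpoints) and item C (equipment status)."""
    active = []
    for d in defs:
        setpoint = d.low_setpoints.get(mode)
        if setpoint is None:          # alarm does not apply in this alarm mode
            continue
        if not d.applicable(plant):   # e.g. pump is not supposed to be running
            continue
        if plant[d.parameter] < setpoint:
            active.append(d)
    return active


def tile_priorities(active: List[AlarmDef]) -> Dict[str, int]:
    """Each tile shows the highest priority (lowest number) among its alarms."""
    tiles: Dict[str, int] = {}
    for d in active:
        tiles[d.tile] = min(tiles.get(d.tile, d.priority), d.priority)
    return tiles


def mode_after_trip(current: Mode) -> Mode:
    """Only the post-trip change is automatic; all other changes are manual.
    Assumption: the automatic change applies when tripping from operation/startup."""
    if current is Mode.OPERATION_STARTUP:
        return Mode.HOT_STANDBY_SHUTDOWN
    return current


# Constructed plant snapshots.
COLD_PLANT = {"chg_disch_press": 0.0, "chg_pump_demand": False,
              "sg_level": 5.0, "pzr_level": 0.0}
PUMP_STOPPED = {"chg_disch_press": 0.0, "chg_pump_demand": False,
                "sg_level": 60.0, "pzr_level": 50.0}
LOW_INVENTORY = {"chg_disch_press": 50.0, "chg_pump_demand": True,
                 "sg_level": 60.0, "pzr_level": 10.0}

if __name__ == "__main__":
    print(len(naive_alarms(ALARMS, COLD_PLANT)), "alarms without mode logic")
    print(active_alarms(ALARMS, Mode.COLD_SHUTDOWN_REFUELING, COLD_PLANT))
    print(tile_priorities(
        active_alarms(ALARMS, Mode.OPERATION_STARTUP, LOW_INVENTORY)))
```

With the cold-shutdown snapshot the fixed-setpoint baseline raises three alarms that carry no information for the operator, while the mode-dependent evaluation raises none.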

18.2.5.3 Alarm Presentation and Control

Alarms are presented or accessed with various formats or methods on LDP, Workstation displays and
QIAS-N Display.

A. Alarm presentation on LDP

Alarm information is presented on the LDP by alarm tiles and parameter/component descriptors. Alarm tile
representations are used for critical function alarms, success path alarms and system-level alarms, and
parameter/component descriptors are used for process alarms on the process mimic of the LDP. Each alarm
representation can present either priority 1, 2, or 3 conditions. Each alarm can notify the operator of one
or more possible alarm conditions relating to a system, component, or major process problem. For the
grouped alarms presented on the LDP, specific alarm information is provided on the alarm list of the
workstation displays.

B. Alarm presentation and access on alarm list of workstation displays

The alarm list of the workstation displays presents all alarm information associated with activated
priority 1, 2, and 3 alarms. It provides various kinds of lists, including prioritized, operator-established
and chronological alarm lists. The operator can acknowledge the alarm on this list.

C. Alarm presentation and access on process mimic display of workstation displays

The multiple methods of alarm presentation on the workstation displays allow the operators to utilize alarm
information in the most meaningful manner for a given function or task, and also allow operators to
efficiently access, acknowledge, and diagnose any alarm. Alarm priority and status coding, as described
in Section 18.2.5.1, is applied when alarms are present on component/parameter alarm descriptors, directory
options, and display page menu options. The menus located on the workstation display screen in the alarm
design provide the operator with an overview of the existence of any unacknowledged alarm conditions
and a general overview of where they exist by plant sector. If an alarm exists in a plant sector, the
corresponding directory page menu option flashes. This is the sector of the hierarchy where the display
page can be found that would best allow the alarm to be acknowledged.

D. Alarm presentation and access on QIAS-N display

An important alarm list is shown on the QIAS-N displays located on the safety console. The QIAS-N displays
alarms related to PAMI category 1 and 2 parameters, minimum inventory and operating support
information, which are mostly displayed on the LDP. Alarm acknowledgment is accomplished on these
displays by touching the alarm message.

E. Alarm acknowledgment

The MMIs allow significant flexibility in alarm acknowledgment to accommodate varying numbers of
alarms (single and multiple) and various methods by which the operator can acknowledge them. Alarm
acknowledgment in either IPS or QIAS-N display will acknowledge the same alarm in the other system.

18.2.5.4 Conformance to HFE Requirements

The following high-level design principles are key to the design of the alarm system.

Situation Awareness - The alarm system is a primary means that the operator has to maintain cognizance
of systems and processes that are not being directly monitored. Thus, the alarm system serves to maintain
an operator's situation awareness at a lower level than the "big picture" provided by the LDP. In this regard
it must address the range of possible plant conditions for which it must function. The alarm system
provides information through the absence, as well as presence, of alarms.

Information Presentation Format - Information format is particularly significant with regard to the
alarm system because operators have to deal with both many alarms during plant transients and accidents
and individual alarms during normal operations. Operators must maintain cognizance of alarms that are
still valid and those that have cleared. To accomplish the system's alerting function, careful consideration
of the parallel versus serial presentation of alarms is warranted. If all alarms are in parallel (e.g.,
conventional control rooms), the operator cannot distinguish significant alarms from less important alarms.
If all are in series (e.g., only CRT access through selecting pages), the operator may not access important
alarms in a timely manner. A balance between the two is required and can be provided through the LDP
(parallel) and CRT alarm list pages (serial).

Unambiguity - It is particularly important to avoid ambiguity with respect to presentation of alarms.
Messages, both on fixed location alarm presentations and more detailed call-up messages, must be clear,
concise messages that cannot be interpreted in multiple ways by the operator. Sufficient information must
be provided in a form that is not too cryptic to assure that the intended meaning is conveyed.

Salience - Salience is particularly relevant to the alarm system design because of the intended alerting
function of alarms. Alarms must compete successfully for the operator's attention with all other forms of
control room stimuli. In addition, alarm salience must be ordered to indicate the relative significance of
an individual alarm, hence its priority.

HFE Analysis of the alarm system

A. The Results of APR1400 Phase II

Phase II top-down SV analyzed the ability of the alarm system to support operational tasks including alarm
detection, determining the significance of alarms and accessing supporting information for diagnosis and
alarm response planning. The evaluation looked specifically at the adequacy of alarm sounds, color and
shape coding, and alarm handling including acknowledgement and integration with other MMI resources.
The results generally demonstrated that the alarm system was effective in supporting tasks to enable
operators to remain cognizant of alarm conditions and handle alarms efficiently. A subjective rating of
the alarm system by test subjects resulted in nearly 80% indicating that it provides better than or as good
alarming capability as KSNP plants. Major HEDs from the evaluation were related to 1) lack of salience
of some alarms on the LDP, 2) confusion on alarm responsibility because the same alarm list was provided
to the RO and TO, 3) the need for better distinction of first-out alarms, and 4) the need for improvement
in the alarm control features, particularly the capability of group acknowledgement. These and the other
HEDs were resolved through design changes for phase III.

Phase II bottom-up SV evaluated the alarm system for conformance to the HFESGB criteria. HEDs were
found for the following design issues: 1) cluttered alarm list displays, 2) the need for flash rate optimization,
3) some inconsistencies in visual coding of alarms, and 4) simultaneous viewing of high priority alarms.
All of these and other HEDs were resolved in the phase III design.

The alarm system was used as part of the operating ensemble during the phase II PV. During the APR1400
phase II PV, the operators found it difficult to use the alarm lists because the viewing angle of the CRT
with respect to the rest of the workstation resulted in poor visibility of the screen and the implementation
of the alarm lists was not completely functional. The viewing angle of the alarm list CRT was resolved
during phase III by modifying the workstation configuration to permit a better viewing angle and allowing
alarms to be accessed on any workstation CRT of the operator's choosing.

B. The Results of APR1400 Phase III

Phase III bottom-up SV for the alarm system addressed its conformance to the HFESGB criteria. The HED
related to using upper and/or lower case characters for alarm messages was resolved by using mixed case
characters, since this improves readability for the operator.

The phase III top-down SV concentrated on the evaluation of the alarm system from the perspective of the
functional requirements, high-level design principles, and general HFE issues. Plant disturbance and
accident scenarios were used by operators to allow testing of the alarms' effectiveness. The results of the
evaluation demonstrated that the alarm system was effective in supporting tasks to enable operators to
remain cognizant of alarm conditions and handle alarms efficiently. The subjective rating by the test
subjects was not favorable for the alarm system, which may have been caused by an incomplete
implementation of the mockup alarm system at the time of the test. HEDs requiring further design
improvement were found as follows: 1) the classification and nomenclature of flags, 2) accessibility of
suppressed alarms, and 3) modification of the prioritization method. Resolutions were identified for all
other HEDs and were implemented in the mockup.

The phase III PV1 concept test for the alarm system directly addresses its effectiveness in indicating alarm
significance based on prioritization. The high-level PV1 plan identified two significant alarm issues:
1) Does alarm prioritization facilitate recognition of more important alarms? and 2) Does alarm
prioritization support viewing and cognizance of less important alarms? The alarm prioritization seeks
both to provide support for high-level goals (Issue 1) and to retain access to all valid low-level details
(Issue 2). It is difficult to avoid some tradeoff in support for operator cognizance at both levels. Because
it is an overarching topic with many implications in the alarm system design (including related aspects of
HF Availability and Suitability), prioritization was selected as the main issue for the alarm system concept
test. The results of PV1 indicate that alarm prioritization is acceptable and useful in particular
circumstances. The time-sequential alarm list was still the default means to perform initial event diagnosis,
even though prioritized lists were available.

A series of integrated system validation tests (i.e., PV2, PV3, interim V&V, and second top-down SV)
was performed to evaluate the appropriateness of the alarm system from the perspective of the human
factors ACR issues. Three issues were identified to guarantee the appropriateness of the alarm system as
follows: 1) searching directed or non-directed cues, 2) observing the plant status after cue detection, 3)
supporting smooth transition from the alarm system to other MMI resources, and 4) supporting confirmation
of control action. A principal source of evaluation was operator responses to interview questionnaires and
SMEs' (i.e., human factors specialists and process experts) observations. Using the subjective ratings of
operators, especially in the PV3 and interim V&V tests, comparative analyses were performed
between the APR1400 alarm system and the conventional tile alarm system. The results of the analysis
showed that the operators performed well overall and were able to detect the disturbances and handle them
effectively. The alarm system, in conjunction with the LDP, supported the operator in observing the plant
status after detecting cues. Furthermore, many operators indicated that the alarm message lists were most
important and useful for obtaining and/or understanding the sequence of alarms, i.e., what initiated an event
and how it progressed. However, as the number of new alarms became greater, especially in emergency
situations, it became difficult to find new alarms. Although alarm prioritization had the advantage of making
all information immediately available, operators pointed out that there was often little useful information
in the low-priority list, and they were concerned that an operator could become confused by the alarm list
when an alarm avalanche occurred. The results of the subjective ratings showed that the operators rated the
tile alarm system to be better than advanced alarm systems when there were many alarms. Inappropriate
ergonomic design factors (such as alarm coding mechanism, the types of alarm sound, etc.) negatively
affected the operators' subjective ratings. These design deficiencies will be stored in the ITS. Together with
the design improvements, the above-mentioned issues will be evaluated in the plant construction project.

18.2.6 Labeling and Demarcation

The labeling and demarcation design details are described in the HFESGB.

[Figures, Korea Hydro & Nuclear Power Co., Ltd., Advanced Power Reactor 1400 SSAR; drawings not reproduced]

Figure 18.2-1 First Candidate APR1400 Main Control Room

Figure 18.2-2 Second Candidate APR1400 Main Control Room

Figure 18.2-3 APR1400 Main Control Room

Figure 18.2-4a Main Control Room Viewing Angle

Figure 18.2-4b Main Control Room Viewing Angle

Figure 18.2-5 MCR Operator Maneuvering Space

Figure 18.2-6 Remote Shutdown Room & Remote Shutdown Console

18.3 Remote Shutdown Room

18.3.1 Remote Shutdown Room Configuration

18.3.1.1 Remote Shutdown Console Design Criteria

The Remote Shutdown Console (RSC) is a sit-down workstation in the Remote Shutdown Room (RSR) with
the same console profile as the MCR workstations. System/device layouts on the console use the same
layout/format, where possible, as those same features have on the MCR workstations. The criteria
for demarcations, color coding, and labeling used on the MCR workstations and console also apply to the
RSC.

18.3.1.2 Remote Shutdown Console Design Description

The RSC is designed to provide an alternate control station which can be used to shut down the plant in the
unlikely event that the main control room becomes uninhabitable. Sufficient instrumentation and controls
are provided to perform the following operations:

• Achieve prompt hot shutdown of the reactor, subsequently referred to as hot standby per standard
technical specifications (reactor subcritical at operating pressure and temperature)

• Maintain the unit in a safe condition during hot standby

• Achieve and maintain cold shutdown of the reactor from the RSC

Damage to equipment in the main control room does not preclude operation of any required equipment at
the RSC, and a single failure in an active safety train does not preclude a safe plant shutdown from being
accomplished.

The design provides switches in the RSC for transfer of control from the MCR to the RSR. See Section
7.4.1.1.10 for additional detail on transfer of control. The RSC design is based on the standard indication
and control methodologies discussed in Section 18.3.2.

The RSR is designed to provide operational flexibility to accommodate a wide range of RSR staffing
requirements. An operating staff is established to allow design and validation of the MMIS. The staffing
assumption is indicated with typical KHNP qualifications shown. That is, the RSR is operated by an RO
and a TO to bring the reactor to hot standby. Occasionally, however, two additional operators
participate in the RSR operations. A maximum of 6 operators, who are the normal crew in MCR operation,
are available for the subsequent operation.

18.3.2 Remote Shutdown Room Layout

The RSR consists of the RSC, the Shutdown Overview Display Panel (SODP), and a desk for operator support,
as depicted in Figure 18.2-6.

The RSR configuration includes considerations for the following:

• Workspace for operator action is sufficient

• Adequate space for maintenance

• Test and evaluation for components and/or devices are provided in the RSR

18.3.2.1 Remote Shutdown Console Arrangement

The arrangement of the RSC is the same as that of the operator workstation in the MCR, except for the
MCR/RSR transfer switches and operator modules, which are not in the MCR. That is, the console consists
of the following:

• Multiple FPDs that support process monitoring and control with pointing devices.

• Two (2) dedicated push-buttons for 2 divisions (A, C) of the ESF system-level actuation switch (MSIS)

• Six (6) dedicated switches for 6 divisions (A, B, C, D, N1 and N2) of MCR/RSR transfer switches

18.3.2.2 Shutdown Overview Display Panel Arrangement

The SODP is located on the RSC for display of plant overview status and dedicated indications and alarms.
The function, display elements and methods of the SODP are the same as those of the LDP in the MCR, except
for variable displays. The SODP provides the information that the operator requires for quickly assessing
overall plant status.

The information displayed by the SODP is as follows:

• CF/SPM, SFSC, and BISI status indications

• High priority alarms required for safe shutdown

The detailed design principle for the SODP is the same as that of the LDP described in Section 18.2.4.1.

18.3.3 Control

The principle for control is the same as that of the MCR.

18.3.4 Information Display

The principle for information display is the same as that of the MCR.

18.3.5 Alarm

The principle for alarms is the same as that of the MCR.

18.3.6 Labeling and Demarcation

The principle for labeling and demarcation is the same as that of the MCR.
