=Paper= {{Paper |id=None |storemode=property |title=Human centered design for nuclear power plant control room modernization |pdfUrl=https://ceur-ws.org/Vol-696/paper4.pdf |volume=Vol-696 }} ==Human centered design for nuclear power plant control room modernization== https://ceur-ws.org/Vol-696/paper4.pdf
                     CEUR Proceedings 4th Workshop HCP Human Centered Processes, February 10-11, 2011




   Human centered design for nuclear power plant control room modernization
Paulo V. R. Carvalho (paulov@ien.gov.br), Jose O. Gomes (joseorlandogomes@terra.com.br), Marcos
                               R. S. Borges (mborges@nce.ufrj.br)
                                                Graduate Program in Informatics
                                              Federal University of Rio de Janeiro
                                           Cidade Universitária, Rio de Janeiro, Brazil


Abstract

The use of nuclear power plants to produce electric energy is a safety-critical process where ultimate operational decisions still rest with the control room operators. Thus it is important to provide the best possible decision support through effective supervisory control interfaces. A human centered design approach, based on cognitive task analysis methods, was used to observe the operators training on the nuclear power plant simulator of the Human System Interface Laboratory (LABIHS). We noted deficiencies in graphic interface design, in the alarm system and in the integration between the computerized interfaces and the hardcopy (paper) procedures. A new prototype of the interface including graphics, alarms and digital procedures was designed as an alternative to the current hardcopy procedure manuals. The design improves upon the graphical layout of system information and provides better integration of procedures, automation, and alarm systems. The new design was validated by expert opinion and a performance comparison with the existing design.

Introduction

In control theory, systems can be modeled as interrelated components that maintain the system's stability by feedback loops of information and control. The plant's overall performance has to be controlled in order to produce with safety, quality, and low cost. In such an arrangement both controllers (human and automatic) play fundamental roles such as to establish system goals, to know the system status, and its behavior in the near future. This is done through continuous observation/feedback/communication loops where the agents construct their system model of behavior in order to compare with system status, to be able to act on the system to produce the desired outcomes. In this control mode, the human operator has a supervisory role related to the automatic controller. The operator has access to system state information, using the control room indicators, VDUs, strip charts, alarms and the automation controller status, and may have direct ways to manipulate the controlled process, and automatic systems interact with some sections of the plant rapidly and reliably.

However, automatic systems cannot cover the whole operational range of the plant including design basis events. For example, if the configuration of the plant changes for maintenance or accidents, the applicability of the controller might be limited. In that case, humans set up an operational strategy, supervise the automatic systems, and control the plant manually as necessary. Therefore there is a need for a human centered approach in the modernization of current analog interfaces of nuclear power plant control rooms.

The goal of this article is to describe a human centered approach to evaluate and design control room interfaces of safety-critical systems. The research aims at the modernization of nuclear power plant control rooms in the design of the graphic interfaces, the layout and informativeness of the alarm system, and the integration of electronic procedures into the control/display environment (Carvalho et al., 2008).

Many nuclear power plants (NPP) around the world are modernizing with new systems and equipment such as upgrading the instrumentation and control (I&C) system from analog to digital technology. Generally, as part of these upgrades, control rooms are being modernized and computer-based interfaces are being introduced, such as software-based process controls, touch-screen interfaces, computerized procedures, and large-screen, overview displays.

This research is connected to the life extension process of a Brazilian nuclear power plant. The plant is a Westinghouse, 600 MWE pressurized water reactor designed in the 60s that is undergoing continuous modernization and life extension processes. The overall research aim is to investigate how advanced (digital) interfaces can be used in the modernization of the analog instrumentation and human/system interaction (HSI). This article is divided as follows. In the next section we review the modernization approach based on control room modernization. The third section is dedicated to methods and materials used in the research of human factors in NPP operations. Section 4 presents the results and a set of recommendations for a new interface aimed at the modernization of control rooms. Section 5 presents the evaluation of the new interface design, focusing on human factors, and section 6 presents a discussion and some lessons learned. Finally, Section 7 concludes the paper.

Human centered interface design in NPP control room modernization

The nuclear power plant control room operators observe and manipulate an extremely complex system. The task requires walking along a large control panel, taking readings from gauges and adjusting knobs and levers. Many of today's control rooms have replaced or augmented older, more cumbersome control panels with visual display units (VDUs) with graphic interfaces. VDUs can simplify the human machine interface, but they also introduce new design challenges. Digitalization of previous analog man-machine interfaces imposes new coordination demands on the operational teams (Vicente et al., 1997). These issues lead to new situations of human-human and human–system interaction. In order to
run such system effectively, efficiently, and safely, much research has been developed taking into account human performance, new technological possibilities, and types/levels of automation in a system, design of human–machine interfaces etc. (e.g. Sheridan, 2002; Nachreiner et al., 2006).

After the Three Mile Island (TMI) accident in 1979 NPP regulators around the world recommend the use of a human centered approach to human systems interface design to ensure that the man-machine interfaces, control room layout, procedures, training and other human related issues meet the task performance requirements, and are designed to be consistent with human cognitive and physiological characteristics (Rouse, 1984). The human aspects related to the control room design such as operating experience review, function analysis and allocation, task and activity analysis, staffing qualifications, training, procedures should be developed, designed, and evaluated on the basis of a systems analysis that uses a "top-down" approach, starting at the "top" of the hierarchy with the plant's high-level mission and goals (O'hara & Brown, 2004).

However, most of the modernization processes have been driven to a large extent by the technology. The modernization of the turbine control in the NPP under study can be viewed as an example of a technology-driven approach. A new computerized turbine control system was purchased to replace the old analog controllers. Although the new system performs its functions better than the old one, it is also true that the installation of a computer screen and keyboard along with the analog instruments in the hardwired panel, as shown in figure 1, led to human-system interaction problems.

Figure 1: Turbine display and keyboard together with analog instrumentation.

The human-centered approach exploits the technical innovations to achieve optimum human–artifact interactions, aiming at improving the appropriateness of the technological solutions (Hancock & Chignell, 1995). The human centered approach to the design of human-system interfaces considers the impacts of the introduction of new technology on the humans in the system and on the overall behavior of the system, from the beginning and continuously throughout the design process (Brunélis & Blaye, 2008). The approach requires specific activities that should take place during the system design. These activities are: 1) to understand and specify the context of use; 2) to specify the user and organizational requirements; 3) to produce design solutions and to evaluate designs against requirements. The human-centered design process should start at the earliest stage of the project (e.g. when the initial concept for the product or system is being formulated), and should be repeated iteratively until the system meets the requirements. It is not sufficient to verify the quality with which the design process is carried out (concerned with whether certain design phases were carried out and certain documents produced to meet the design requirements). Considering that, in the human-centered design approach, technology should be comprehended from the point of view of providing tools for human activity (Flach et al., 1995), it requires a dynamic performance evaluation, to assess the appropriateness of this technology in the aimed use.

Materials and methods

The construction of the NPP under study started in 1972, the first criticality of the nuclear reactor occurred in 1982 and the plant commercial operation started in 1985. Since then, it has generated 40 million MWh of electric energy. Within the plant's modernization and life extension program, an upgrade of the I&C and Human System Interface (HSI) systems is planned.

In order to support the application of the human centered design approach in the modernization of the Brazilian NPPs, the Brazilian Nuclear Energy Commission (CNEN) developed an experimental facility for human system interface design and human factors research and development, the Human System Interface Laboratory (LABIHS). The LABIHS facility is ready to conduct NPP operators' performance evaluations, and research on human-system interaction in complex domains. The LABIHS consists of an advanced control room, an experimenter's gallery room and other auxiliary rooms. The advanced control room has nuclear reactor simulator software, graphical user interface design software, a hardware/software platform to run and provide the adequate communication between the software, and the operator interface - VDUs and controls needed to operate the simulated process.

To simulate the plant under study, a Westinghouse PWR type digital compact simulator is used. In this simulator, modeling scope and fidelity are equivalent to a full scope simulator, but the full control room is not replicated. An Integrated Hardware/Software Platform runs the simulator program and transfers data throughout the computerized environment. The basic operator workplace is formed by 4 VDUs, each one with mouse and keyboard. An overview display, based on a direct beam projector, is also provided in the control room. A graphical user interface design tool (GUI) for HSI design is also available for development and testing of different types of interfaces. The Instructor Station complements the LABIHS architecture. The LABIHS control room is shown in figure 2.
Figure 2: LABIHS control room. RO means Reactor operator, SCO Secondary system operator, SS Shift supervisor.

Research method

In this research, we use LABIHS to investigate the nature of operator–system interaction in a digital interface during abnormal events to contribute to operational safety and efficiency through enhanced interface design. We use the interface evaluation procedure proposed by Hollnagel (1985) because it is consistent with most of the human-machine interface evaluation requirements in the Human Factor Engineering (HFE) guidelines and programs that are currently used in the nuclear industry, such as NUREG-0700 rev1 (O'Hara et al, 1996) and NUREG-0711 (O'Hara et al., 1994). The evaluation procedure has three phases. The first phase is the conceptual evaluation of the interface. It can be carried out by experts using tools like task analysis; operational experience review in similar systems; safety analysis reports; functional specification; drawings showing displays, panels, workstation, graphical interfaces and diagrams showing flows of information. In the second phase a heuristic evaluation is made based on some well known interface evaluation criteria (e.g. Nielsen, 1993). The system is represented by samples taken from preliminary performance recordings, using results of runs with the real system or prototype. It is a static simulation. It concentrates on the way in which the information is presented to the operator and involves some form of basic system operator interaction. In the third phase, the entire process is simulated, and the operators' performance is evaluated. In this phase operators have a degree of psychological involvement and we can see how they react to the simulated process in a realistic manner. It requires a simulated work setting, a detailed experimental planning, including training, data acquisition, analysis systems such as computer logs (process state, process events), operator log (human machine interface events, keyboard, mouse) and audio, video recorder (verbal protocols, communication).

A final evaluation occurs during the plant commissioning tests in the plant site. At that moment any changes in control room interfaces will be much more difficult and costly than they would be in the early phases (Santos et al., 2005).

Participants

One operator crew participated in this research under different operating conditions: start up, planned shutdown and in postulated accidents. The LABIHS control room operating crew is composed of 3 operators: the Shift Supervisor, Reactor Operator (RO) and the Secondary Circuit Operator (SCO). The Shift Supervisor has a deep background in nuclear engineering, participated in the LABIHS's HSI design, and has extensive experience in the simulator operation. The RO and SCO are instrumentation technicians who have been trained in LABIHS operation for 2 years before this study. They have no previous experience in the reference plant operation.

The operation of nuclear power plants

The operation of a nuclear power plant falls under four basic phases: startup, normal operation, planned shutdown, and emergency operation that begins after reactor automatic shutdown, when incidents/accidents occur. Although important events occur in all modes of operations, we focused the observation on periods of higher activity, such as startup and emergency operation.

Under normal conditions, NPP operations are well coordinated and based on procedural instructions. In this "nominal" operating mode, the SS reads the procedural instructions aloud to the RO and SCO who then execute the instructions (Carvalho et al, 2006).

Performance evaluation

During 30 hours of direct observations, we observed how the operators interacted with the simulated PWR in various modes of operation. The LABIHS is equipped with a ceiling-mounted camera which captures the majority of the room, including the two operators' stations and the main presentations screen (fig. 2). We placed a tripod-mounted Mini-DV camcorder to record whichever operator would be likely to have the most active role. A hand-held digital camera was used to film particular details of interest that were not sufficiently captured by the other two cameras.

The research team, with 3 analysts, was divided to pair up with the employees of the simulator. One analyst accompanied the primary operator; the second accompanied the secondary operator; and the third accompanied the simulator supervisor. The operation of a nuclear power plant falls under 4 basic phases: startup, normal operation, shutdown, and incidents/trips (unplanned automatic shutdown)/accidents. Although important events occur in all modes of operations, we focus on periods of higher activity - startup and incident/accident.

During the startup phase observations, we encouraged the operators to verbalize their goals, actions, and concerns to improve our understanding of the technical system. However, during the simulated accidents, we tried not to interfere with the operators so as to elicit true response behavior. During the simulated accidents, the supervisor and two senior LABIHS researchers were also present. This placed noticeably increased pressure on the
operators, and also led them to justify their actions verbally after the scenario was completed.

We paid particular attention to the tasks dictated by the procedure manual and to the operators' actual activity. We searched for particular deficiencies in the support of operator response to abnormal system states, and then we redesigned the operator interface to improve upon the graphical layout of the information, the navigation across screens, the alarm presentation, acknowledgement and response, and to integrate these with computer-based procedures that dynamically correspond with real-time system information. Comprehensive debriefing interviews with the operators and supervisor were carried out to validate the conclusions taken.

Results and recommendations for modernization

Graphical interface design

Figure 3a shows a typical control screen of the original interface for one subsystem of the plant, in this case, the Chemical and Volume Control System (CVCS). Multiple objects with bright, contrasting colors compete for the operator's attention on the cluttered screen. In many places in the interface, red is associated with a state of alarm or failure. However, this association is undermined by the red color of some valves, pumps, and indicators which are operating normally (red means valve closed; the same color pattern used in the reference plant). Additionally, the red components are highly salient, even when the components do not require the operator's attention. Excessive labels contribute to clutter. For example, the blue RCP Seal information box displays the same variables for each of the three RCP seals, but uses nine labels – one for each variable display field. It increases the visual distance between readouts, making comparisons of the values more difficult. The high salience of the large pump icons detracts from the operator's ability to perceive other elements on the screen. They are not frequently manipulated and they only display two pump states (on and off). The sharp contrast between the white lines representing the pipes which connect system elements and the black background contributes to the clutter of the screen without providing much information. The white-on-black color scheme is also used for pump and valve labels, as well as the system variable values. The similarity in color detracts from the salience of these labels and values. Flow directions are not clearly indicated. The lack of distinction between pipes with and without flow does not contribute to the principle of pictorial realism, i.e., that a visual representation should accurately symbolize the entity it is intended to represent. To determine the path of coolant, operators must trace the white line pumps through which the line passes to ensure that all are open or on, respectively. While the on/off color distinction is clear, there is no redundant indicator of a valve's state, nor does the interface support the synthesis of individual valve states into an overall depiction of flow; each valve must be independently analyzed, increasing the operator's cognitive load. Label legibility is poor due to all-capital text. This also increases the label's space requirement without providing additional information. Also, the shine used to produce the 3D graphical effects for the tanks and reactor core decreases contrast and reduces legibility for the white labels that overlay these graphics. There are many different unit names for the same physical variable (e.g., gallons/minute, liters/second and Kg/second), and there are many variables without units. The positions of the variable value displays and related components (pumps, valves) are not uniform among displays, and the same lack of uniformity and consistency appears in the graphical representation of the plant components. Some plant components are not correctly identified and label positions and formats are not consistent across displays.

There are also many problems related to navigation among displays. The navigation process using the arrow buttons is not clear, because operators don't know which display they will go to, and the History/Previous buttons are not working properly (indicating the previous navigated displays). The interface design does not highlight which elements (e.g., pumps, valves) can be manipulated, which are locked out or which are automatic. The operator may be operating under the assumption that a certain valve can be manipulated, finding out later, when trying to manipulate the valve, that this is not possible.

Operators show difficulty with the navigation using graphic links. Links between some displays do not represent clearly the process flow. Therefore operators always returned to the Main Menu display, searching for the adequate navigation button, because they prefer the navigation buttons rather than graphic links. This back and forth situation augments navigation time between the displays.

Plant component control (ON, OFF, START, INCREASE, DECREASE, STOP) starts with a mouse click on the equipment icon (valves, pumps). After that, a pop-up window appears on the screen, showing the respective control buttons. Then, the control operation should be carried out by clicking on the respective control button. However, observing the control actions of the operators in valves and pumps, we note that sometimes the pop-up windows appeared on the process viewing area of the displays (not in the control panel area), covering plant variables, and interfering with the readings of displayed information.

The redesigned interface (fig. 3 b) is based on the deficiencies noted in the evaluation. The changes include improved aesthetics and mock-up designs of new functionality. While we have not coded the components into the simulator software, we do not expect significant compatibility problems. The components consist of borders, text boxes, and colors – all of which are supported by the simulator's graphics builder software. The component functionality is also expected to be compatible, as it largely mimics functions (such as linking, highlighting, and displaying real-time system variable values) observed in the original simulator.

Issues with the legibility of labels were addressed by using mixed-case fonts which use less space and provide redundant coding of written information: the shape of the words provides another cue for recognition, aside from the sequence of the letters. To further aid legibility, the 3D graphical tanks, pressurizer, and reactor core were replaced with simpler, flat representations. This allows
for increased legibility of the labels, as well as the inclusion of a graphical indicator for the fluid level in the Volume Control Tank (VCT), Pressurizer (Prz), and Reactor Core. The graphical indicator does not require much visual space on the screen, and provides the operator with redundant information on the fluid level of the component. Understanding the context of a reactor core coolant level of 6.5 meters, for example, is aided by the blue bar showing the level of fluid relative to full (top) and empty (bottom) states (see Fig. 3b).

Figure 3a: Original simulator CVCS display.

Figure 3b: Graphical improvements on CVCS screen.

The changes aim to improve operator situational awareness, and reduce the likelihood of human error. We remedied the overload of red icons by updating the valve and pump color scheme. Grey is used to reduce the salience of closed valves and pumps which are off. Redundant coding is provided by rotating closed valves perpendicular to the pipe, while open valves remain parallel. The size of the pump icons is reduced. While still easy to locate, the off pumps and closed valves do not attract unnecessary attention from a broad overview. The frequently manipulated variable flow valves remain unchanged, providing distinction that helps the operator to quickly locate them. We also simplified the controls for the green “Makeup Mode” control box in the center of the screen. The circular indicators now serve as buttons as well as indicators, obviating the need for the grey buttons. Also, now only the indicator showing the current mode is lit green. The other indicators, which were previously red, are toned down to black so that they do not distract the operator. The RCP seal information box has also been simplified to bring the variable displays into closer visual proximity, and excessive labels have been removed to decrease clutter. The pipes have been re-colored to decrease the salience of pipes with no coolant flow and to emphasize the pipes with flow. Pipes with coolant flow are bolded and shaded the same color green as the switched-on pumps and open valves. As a result, the emergent feature is a green circuit where there is flow of reactor coolant. The pipes with no flow have been subdued from white to grey so that they will not interfere with the reading of labels and variables.

Alarm system design

When an abnormal state of a variable occurs, the simulator initiates an audible alarm, as well as a flashing red “Alarm Set” indicator at the top right corner of the screen in use. The alarm indicators are located on two separate, specific alarm screens. They are arranged as tiles in a grid where active alarms are indicated by a flashing red tile (Fig. 4a). This arrangement reproduces in the simulator the main alarm annunciation tiles used in the reference (analog) interface of the real plant. The existing system does not support quick alarm identification. The text descriptions on the alarm tiles are written in English abbreviations, which may cause delays in identification for Portuguese-speaking operators. The alarm set indicator does not provide any detailed information about the nature of the alarm which is sounding (the same situation that occurs in the actual plant). The operator must always navigate to both alarm screens to determine which alarms were activated. Additionally, the grid arrangement has no apparent organization or order. Related alarms are not grouped on the screen, nor are alarms divided logically across the two alarm screens. Finally, all alarms are displayed identically, making it difficult to distinguish between alarms on the basis of severity and importance. All alarms are annunciated by the same sound.

The new prototype interface includes an extensive revision of the original alarm system. The major changes are captured in the revised alarm screen (Fig. 4b). The alarms have been divided into two panels, distinguishing reactor and turbine trip alarms from all others. Within each panel the alarms are organized by the location of their activator in the system. For example, the charging flow indicator is located on the CVCS screen and hence, on the alarm screen, it is under the CVCS column heading. Each alarm tile is a dynamic interface component. This reduces the required number of alarm tiles, allowing all of them to fit on one screen. Instead of a button each for pressurizer pressure high and pressurizer pressure low, the redesign simply uses pressurizer pressure. Depending on the alarm (high or low), the alarm tile displays the appropriate text. Each sounding alarm tile also keeps track of how many seconds have elapsed since the alarm was set off, using a small counter in the upper-left corner of the tile. The trend graphs on






the alarm screen save time and provide better diagnostic information. The acknowledging system has also been improved to allow single-alarm acknowledgement (by clicking on a sounding alarm tile), while retaining the “ACK” button to acknowledge all alarms.

Figure 4a: Original alarm screen.

[Revised alarm screen (see Fig. 4b): an ALARM panel with Ack and Reset buttons, and alarm tiles grouped under the column headings Rod Control, Reactivity, RHR, RCS, CVCS, FWS, MS/TS, Condenser and Electrical.]

Digital procedure system design

Procedures guide the operators as they face unfamiliar situations. The simulator uses hardcopy procedure manuals in the form of one-dimensional checklists and step-by-step guides. Non-compliance with procedures was observed frequently. In these situations, operators often improvised around the formal procedures to achieve their system goals, which in some cases can enhance system safety. We observed one operator consistently using a hand-written sheet to aid him through various procedures. The procedures are often constraint-based, requiring the operator to maintain multiple system variables within a specified range. The current interface does not support this task. Instead, it relies on the operator’s cognitive ability to monitor system variables and recall acceptable ranges, which change frequently during operation. For example, one procedure requires the operator to locate two variables, manually calculate the difference, and judge whether the difference exceeds a safe upper bound which depends on the current mode of operation. Finally, the layout of data in the simulator is inadequate for perceiving and comparing the rate at which a variable of interest is arriving at its limit.

Due to strict procedural adherence requirements, instead of requiring decision support, operators often benefit from tools that reduce errors of omission. The Procedure Guidance Component (PGC) supports the operator’s process control effectiveness by converting the procedure manual into an online, navigable guide (Fig. 5). Clicking on any procedure in the left column produces a detailed text description of the procedure. It also reports relevant system statistics and links to useful screens elsewhere in the simulator. This tool adds interactivity to what was previously only a hardcopy procedure manual.
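The paragraphs above describe checks that the current interface leaves to the operator: keeping variables within a range, comparing a difference of two variables with a mode-dependent bound, and judging how fast a variable is approaching its limit. The following added example (not code from the paper, the PGC or the simulator) sketches how a guidance tool could automate them; all variable names, modes and limits are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

Sample = Tuple[float, float]  # (time in seconds, measured value)


@dataclass(frozen=True)
class RangeConstraint:
    variable: str
    low: float
    high: float


@dataclass(frozen=True)
class DifferenceConstraint:
    first: str
    second: str
    max_by_mode: Dict[str, float]  # upper bound on (first - second) per operating mode


@dataclass(frozen=True)
class Finding:
    subject: str
    status: str  # OK, APPROACHING, VIOLATED, NO_DATA or UNKNOWN_MODE
    seconds_to_limit: Optional[float] = None


def rate_of_change(history: Sequence[Sample]) -> float:
    """Least-squares slope, in units per second, over the recent samples."""
    n = len(history)
    if n < 2:
        return 0.0
    mean_t = sum(t for t, _ in history) / n
    mean_v = sum(v for _, v in history) / n
    spread = sum((t - mean_t) ** 2 for t, _ in history)
    if spread == 0:
        return 0.0
    return sum((t - mean_t) * (v - mean_v) for t, v in history) / spread


def seconds_to_limit(history: Sequence[Sample], low: float, high: float) -> Optional[float]:
    """Time until the trend reaches the limit it is heading for; None if steady."""
    slope = rate_of_change(history)
    current = history[-1][1]
    if slope > 0:
        return (high - current) / slope
    if slope < 0:
        return (low - current) / slope
    return None


def check_step(mode: str, histories: Dict[str, List[Sample]],
               ranges: Sequence[RangeConstraint],
               differences: Sequence[DifferenceConstraint],
               warn_within_s: float = 60.0) -> List[Finding]:
    """Evaluate every constraint of one procedure step for the current mode."""
    findings: List[Finding] = []
    for c in ranges:
        history = histories.get(c.variable)
        if not history:
            findings.append(Finding(c.variable, "NO_DATA"))
            continue
        if not c.low <= history[-1][1] <= c.high:
            findings.append(Finding(c.variable, "VIOLATED", 0.0))
            continue
        eta = seconds_to_limit(history, c.low, c.high)
        near = eta is not None and eta <= warn_within_s
        findings.append(Finding(c.variable, "APPROACHING" if near else "OK", eta))
    for d in differences:
        subject = f"{d.first} - {d.second}"
        a, b = histories.get(d.first), histories.get(d.second)
        if not a or not b:
            findings.append(Finding(subject, "NO_DATA"))
        elif mode not in d.max_by_mode:
            # Fail closed: never borrow the bound of another operating mode.
            findings.append(Finding(subject, "UNKNOWN_MODE"))
        else:
            over = a[-1][1] - b[-1][1] > d.max_by_mode[mode]
            findings.append(Finding(subject, "VIOLATED" if over else "OK"))
    return findings


# Constructed sample data: hypothetical variables, modes and limits.
HISTORIES = {
    "tank_level_pct": [(0, 50.0), (4, 51.0), (8, 52.0)],   # rising 0.25 per second
    "loop_temp_a": [(0, 300.0), (4, 300.0), (8, 300.0)],
    "loop_temp_b": [(0, 280.0), (4, 280.0), (8, 280.0)],
}
RANGES = [
    RangeConstraint("tank_level_pct", 20.0, 57.0),
    RangeConstraint("loop_temp_a", 250.0, 320.0),
    RangeConstraint("seal_flow", 1.0, 5.0),                 # no samples recorded
]
DIFFERENCES = [
    DifferenceConstraint("loop_temp_a", "loop_temp_b", {"startup": 25.0, "power": 15.0}),
]

if __name__ == "__main__":
    for finding in check_step("power", HISTORIES, RANGES, DIFFERENCES):
        print(finding)
```

The same 20-unit difference passes in the constructed "startup" mode and fails in "power", which is the mode dependence the operator otherwise has to recall from memory.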
[Trend graph panels from the figure: L/D HX outlet flow, L/D HX outlet temperature, RHX L/D outlet temperature, VCT level, RCP Seal INJ water flow, RWST level, Charging flow cont flow and VCT pressure, each with a horizontal axis running from -25 to 0.]

The second component, the Emergency Guidance Component (EGC), is used during emergencies in which the root problem is unknown. The EGC is a reworking of the Strategic Manual Operations flow diagrams provided by LABIHS (for example, see Fig. 6). Clicking on event objects on the left provides response instructions on the right. The operator may scroll up or down through the flow diagram and response instructions using the click and drag technique common to document viewer
                                              Figure 4b: Redesigned alarm screen.
                                                                                                                                                                                                                                                                            applications. The continuity provided through the
                                                                                                                                                                                                                                                                            scrolling feature obviates the need for page turning,
  Each alarm tile acts as a link; clicking the sounding
                                                                                                                                                                                                                                                                            which takes time and artificially divides what, in reality,
alarm tile navigates to the appropriate screen. On the
                                                                                                                                                                                                                                                                            is a continuous process. The logic that runs the simulator
relevant screen, a red box flashes several times, drawing
                                                                                                                                                                                                                                                                            can be used to support the EGC. Because some decision
attention to the area triggering the alarm. Additionally,
                                                                                                                                                                                                                                                                            nodes are based on system variables, the system can often
the alarms relating to the current screen are displayed in
                                                                                                                                                                                                                                                                            suggest an appropriate decision based on the current
chronological order of occurrence as tiles to the right of
                                                                                                                                                                                                                                                                            system state. The system’s suggestion is displayed in a
the schematic diagram. Clicking on these tiles flashes the
                                                                                                                                                                                                                                                                            green box to the right of the flow diagram and above the
red box several times box around the area of concern.
                                                                                                                                                                                                                                                                            response instructions. It includes the suggested action and
The navigation buttons have been revised to provide
                                                                                                                                                                                                                                                                            the rationale for proposing it. In addition, the operator
easier access to all the operations screens. While the
                                                                                                                                                                                                                                                                            can trace the decision path because the system fades the
system is in an alarm state, the related navigation buttons
                                                                                                                                                                                                                                                                            paths which have not been taken to a neutral grey,
at the bottom of the screen are displayed in red,
                                                                                                                                                                                                                                                                            leaving a bold black decision path. Digitizing the
effectively doubling as an alarm overview. Clicking on
                                                                                                                                                                                                                                                                            emergency procedures enables the implementation of
the red alarm button navigates to the alarm screen (fig. 4
                                                                                                                                                                                                                                                                            additional support features. The response instructions
b).
                                                                                                                                                                                                                                                                            often involve “if-then” statements. For example, if the
                                                                                                                                                                                                                                                                            pressurizer level reaches 8 meters, then open valves X
                                                                                                                                                                                                                                                                            and Y. Because the simulator knows system variable
                                                                                                                                                                                                                                                                            values, it can guide “if-then” decision-making by placing


                                                                                                                                                                                                                                                                       30
                       CEUR Proceedings 4th Workshop HCP Human Centered Processes, February
                                                                                Procedure          10-11,
                                                                                          and System Overview 2011

                                                                                                                                                                                                                                             Variable & Trends
                                                                                  LOCA Guidance                                     Procedure Guidance
                                                                                                   7
                                                                                                                                                                     Suggested
                                                                                                                        no                                                                   Reset RP signals “JR 41/42”      10
                                                                                      RHR pumps in operation                                                         Next Action
                                                                                        (RCS pr. < 9 bar)
                                                                                                                                     Continue Small-break
                                                                                                                                     LOCA/LOCA in PZR steam
                                                                                                                                     space; press. > 9 bars.           9
                                                                                                            Continue Large/Medium-break LOCA


a red box around “then” actions when the “if” conditional                                          8
                                                                                                            RHR pumps in the reflood/sump
                                                                                                            recirculation mode make up the outflow
                                                                                                            through the break at coolant pressure
                                                                                                            < 9 bar.
                                                                                                                                                                           If:                                             PRZ lvl
                                                                                                                                                                                                                           2.10 m
                                                                                                                                                                                 PRZ level                  < 2.28 m
is met.                                                                            RCS pressure droped < 9 bar
                                                                                         within 200 sec
                                                                                                                         yes

                                                                                                                                                                           Then:
                                                                                                                                           Large-break LOCA
                                                                                                                                           C. press. = Ctm.                      Address action node 10
                                                                               Medium-break            no                                  Press.; MS press.
                                                                               LOCA                                                        Poss. > 4 bar.
                                                                                                                                                                           If:

                                                                                                   9
                                                                                                                                                                                 PZR level                  > 2.28 m
                                                                                                                         yes
                                                                                        PZR level < 2.28 m                                                                 Then:

                                                                                                                                                                                 Address action node 12

  4.0 Procedures                                                                              no

                                                                                                              Reset RP signals “JR 41/42”                10                End “If”
                                                                                                                                                                           __________________________________


                                                                                                                                                                                                                                                   Display
   4.1 Continue RCS heat…       DESCRIPTION                                                                 Raise PZR level to about 8 m by
                                                                                                                 spraying from “JDH*
                                                                                                                                                         11
                                                                                                                                                                                                                                                 PRZ         CTout
                                                                                                                                                                                                                                                  lvl
                                4.6 When RCS pressure is above 140                                                                                                                                                                               VCT         MS
                                                                                                                                                                                                                                                              pr
   4.2 Increase RCS pres…           kg/cm2, ensure the following:                 Bypass emergency core cooling
                                                                                                                                                                                                                                                 RCS
                                                                                                                                                                                                                                                  pr
                                                                                                                                                                                                                                                             PRZ
                                                                                                                                                                                                                                                              pr
                                                                                                                             12
                                                                                            criteria                                                                                                                                             Tavg



   4.3 If any RCP’s have b…      4.6.1 Verify pressurizer permissive
                                       P-11 status light off. OK                                   Mai        Plan             C–               Alar           ROD     RHR             RCS      CVC       FWS      Cond    Reac      Elec.
                                                                                                    n                          P                                                                                     .     tvty
   4.4 The letdown flow…         4.6.2 Verify pressurizer SI and
                                                                                                                t                                m                                               S



                                       steam line pressure SI are
   4.5 When RCS pressu…                unblocked on trip status panel.
                                       OK
                                                                                        Figure 6: Procedure and System Overview screen
   4.6 When RCS pressu…          4.6.3 Verify PORV block clears when                                  displaying the EGC.
                                       RCS pressure goew above
   4.7 Place the auxiliary…            153.6 kg/cm 2. VERIFY

   4.8 Align the steam du…                                                                                  Evaluation of the new interfaces
   4.9 Continue heatup u…       RELEVANT VARIABLES AND LINKS                    We evaluated operator performance in the new
                                                                              designed interface (figure 6) during accident simulations
   4.10 Verify minimum sh…      Link to RCS screen
                                  Current RCS pressure
                                                                              (Loss of Coolant Accidents – LOCA and Steam
                                                          144 kg/cm2
   4.11 Verify the following…                                                 Generator Tube Rupture - STGR). A LOCA occurs when
                                                                              there is a pipe rupture in the Reactor Coolant System and
   4.12 Review to ensure…
                                                                              the STGR accident occurs when there is a leak in the
                                                                              steam generator tubes. The old LABIHS interface design
                                                                              provided the performance benchmark.
                                                                                Initially we measure the time that operators need to
        Figure 5: Procedure component guidance.
                                                                              identify the accident using both interfaces. The time
                                                                              interval between automatic reactor shutdown (reactor
  The Procedure and System Overview (PSO) screen was
                                                                              trip) and the correct accident identification is very
created to display the PGC and the EGC (Fig 6). The
                                                                              important for a safer operation (Carvalho & Oliveira,
operator may tab between the PGC and the EGC, which
                                                                              2009). When the reactor is tripped, the operators carry
reduces short-term memory requirements when compared
                                                                              out the standard post trip actions, according to emergency
to hardcopy procedures. On the right side of the PSO,
                                                                              procedures to identify what accident happened, in order
graphical representations of relevant variables are
                                                                              to define adequate actions to keep the system under
displayed. These are dictated by the current procedure.
                                                                              control and minimize the damage that the accident may
For example, during a Loss of Coolant Accident (LOCA)
                                                                              cause. Using the data obtained from simulator logs it was
the system will keep track of main system pressure,
                                                                              possible to measure the time interval from the reactor trip
pressurizer pressure, etc. In addition to providing support
                                                                              until the correct accident identification in both interfaces.
during emergencies, it aids accident prevention by
                                                                                The time spent by the operators to identify the LOCA
supporting operator awareness.
                                                                              and SGTR accidents, through the existing interfaces, was
  In the hardcopy procedures, decision nodes do not have
                                                                              362 seconds and 490 seconds, respectively. The time
any response instructions because they are implicitly
                                                                              spent by the operators to identify the LOCA and SGTR
“ifthen” nodes. The digital version shows these “if-then”
                                                                              accidents, through the new interfaces, was 338 seconds
relationships efficiently by displaying them in the
                                                                              and 428 seconds, respectively. The results show that the
response instructions panel. The response instructions of
                                                                              time interval from the reactor trip until the identification
action nodes include “if-then” relationships as well.
                                                                              of the SGTR and LOCA accident decreased when the
Some “if” statements refer to the system state (e.g., if
                                                                              operators used the new interfaces to identify the accident.
valve X is open) while others ask the operator to wait for
                                                                              The number of screens used during the identification also
a variable to reach a set point before taking action. Unlike
                                                                              change. In the existing LABIHS interface the SCO used
the hardcopy version, the new system displays these
                                                                              13 screens to identify the LOCA and 25 to identify the
variables proximally and outlines in red the response
                                                                              STGR. In the new interface this numbers fall to 8 and 10,
instructions when the “if” conditions are met.
                                                                              respectively, showing a considerable reduction in
                                                                              navigation actions.
                                                                                In another experiment, after the LOCA identification,
                                                                              operators are tasked with bringing the system under
                                                                              control by following a LOCA flow diagram procedure.
                                                                              Currently this diagram is available in hardcopy and
                                                                              portable document format. The format requires the
                                                                              operator to shuffle among various pages. The flow
                                                                              diagrams and the response instructions are located on
                                                                              separate pages, either requiring the operator to flip back
                                                                              and forth at least once per node or to take up desk space
                                                                              by laying them side by side. The standard hardcopy


procedures are bound, therefore requiring the flip                  rarely correspond to what was anticipated when the task
method. Given a medium-break LOCA, to get to step 12                was developed, thereby rendering the task description or
of the diagram requires at least 4 flips between the                operational procedures unworkable (Hollnagel, 2006).
diagram pages and the response pages and viewing 23                 Therefore, using the traditional observational methods it
pages (2 diagram pages and 21 response pages). Using                is very difficult for the observers to capture the multiple
the new design, operators can see the flow diagram, the             actions pathways of real work activities, describing the
currently selected node’s response instructions and the             many simultaneous tasks and tasks adaptations that
alarm screen together (fig. 7). The redesign requires no            people have to do to cope with reality.
page turns, and because it is linked to the alarm system,              Another      methodological       difficult    is    the
the operator does not have to search for the appropriate            collective/collaborative characteristic of the work done in
binder or page number to carry out the actions.
                                                                    a NPP control room. The observation procedure normally
                                                                    used is suitable when there is one observer and one
                                                                    worker. However, most work done in control rooms
                                                                    involves multiple operators who use many different
                                                                    cooperative mechanisms (Vidal et al, 2010). Therefore,
                                                                    for an adequate observation of the real work, we need
                                                                    tools to support an observation procedure in which many
                                                                    observers, in collaboration, are able to observe the
                                                                    activities of many subjects (Junior et al, 2010).

Figure 7: Operator working with the redesigned interfaces.

Discussion and lessons learned

We believe that the performance evaluation of the operators' activities in real work is absolutely necessary for human system interface evaluation in nuclear industry.

Activity can be defined as the set of behaviors and resources that operators use to accomplish their goals during daily work. Traditional ethnographic methods enable the understanding of activities through observation of communications, gestures and postures. Using ethnographic methods, an observer locates classes of behavior that are recognizable and repeated during work. The methods also allow the observers to identify not only the previously described tasks (prescribed work), but also side activities not formulated in the frame of the task description (Marmaras and Pavard, 1997). The data obtained through direct observation, or with the aid of cameras and audio recorders, is the set of signals picked up by the operators in the information field and how they use these signals to manipulate the control room interfaces. A further analysis of the data set obtained can show how operators transform the interface information into actions and decisions (Carvalho et al., 2006).

However, most of the methods currently used (including those we use in this research) were adequate for describing individual activities developed in a well-defined sequence. However, the work in a NPP control room involves multiple and often conflicting (in goals and time) lines of activities (Carvalho et al, 2006). There are many differences between prescribed and described tasks and real work activities (how the tasks are actually done). Even in a rigid work setting like nuclear power plants, the actual work in control rooms is characterized by adaptations, improvisation and ad hoc procedure modifications (Carvalho et al., 2007; La Porte & Thomas, 1995) because the work demands and resources available

Conclusions

The human centered approach in complex industrial system design, evaluation and validation should be applied in the design process in which the system is produced, and in the system itself. In this research we investigate the human system interface of a nuclear power plant simulator to compare design solutions during the early design phase. The methodology used was based on observations of the operators' performance in the LABIHS simulator. Performance evaluation based methods can be used, considering the fact that the appropriateness of a given system expresses itself in the quality of the overall performance of the system being assessed. Normally, performance evaluation is something that is carried out towards the end of a given design process. The LABIHS facility aims to conduct the performance evaluation earlier in the design process. A specific goal of LABIHS is to enable the evaluation of system performance as early as possible. Considering that the reference plant human system interface design has not formally started yet, this objective was already achieved with this research. Even considering that it is very difficult to say when the performance of a cognitive system is at an acceptable level, our evaluation has shown some improvement possibilities in the existing design. Some of them are related to basic human factors design principles, such as:
     • Displays with information that is difficult to read (inadequate font sizes and formats, color contrast etc.);
     • Cluttered or overloaded displays with much numeric information – graphic information would be better;
     • Inadequate icon size considering their function;
     • Confusing and unstructured presentation of displays with set points and actual parameter values, leaving the task of searching and detecting such deviations to the operator, instead of directly showing deviations of actual values from set points;
     • Static information presentation where a presentation of past dynamics (e.g. trends) and future developments of process parameters


       (prediction) would be required for an effective task performance;
     • Mix of different media to present operational information – digital displays and paper procedures – requiring different cognitive resources to cope with.

As expected, the performance evaluation has shown that the design solutions used (alarm systems, procedures, graphic displays) actually have effects on the usage. Therefore we reinforce the claim of the human factors and ergonomics community that the design solutions should be made considering the appropriate use of the system, emphasizing the work practices in real settings. What we really need are systems that support actions of human operators, and their ability to adapt and adjust to novel situations. To do so, systems must be designed considering that the user and the usage of the system need to be taken into account in all the phases of the design process, from the design of process technology to the design of user interfaces, in a user-centered or activity-based design process.

Acknowledgments

The authors gratefully acknowledge the support of the Brazilian Research Council (CNPq) and of Rio de Janeiro Research Support Foundation (FAPERJ). The research was performed at the Instrumentation and Human Reliability Division of the Nuclear Engineering Institute, Brazil (DICH / IEN).

References

Brunélis, T., and Blaye, P. (2008). Towards a human centred methodology for dynamic allocation of functions. Proceedings of the Third International Conference on Human Centered Processes (HCP 2008) (pp. 243-256).

Carvalho, P., Santos, I., Gomes, J., Borges, M., Guerlain, S. (2008). Human factors approach for evaluation and redesign of human–system interfaces of a nuclear power plant simulator. Displays 29, 273-284.

Carvalho, P., Vidal, M.C., Carvalho, E. F. (2007). Nuclear power plant communications in normative and actual practice: A field study of control room operators' communications. Human Factors and Ergonomics in Manufacturing, 17 (1), 43–78.

Carvalho, P., Vidal, M., Santos, I. (2006). Safety implications of some cultural and cognitive issues in nuclear power plant operation. Applied Ergonomics 37 (2), 211-223.

Carvalho, P., Oliveira, M. (2009). A computerized tool to evaluate the cognitive compatibility of the emergency operational procedures task flow. Progress in Nuclear Energy, 51, 409-419.

Flach J., Hancock P., Caird J., Vicente K. (Eds.) (1995). Global perspectives on the ecology of human-machine systems. Hillsdale, N.J.: Lawrence Erlbaum Associates.

Hancock P. & Chignell M. (1995). On human factors. In: J. Flach, P. Hancock, J. Caird, K.J. Vicente (Eds.) Global perspectives on the ecology of human–machine systems. Hillsdale, N.J.: Lawrence Erlbaum Associates, 14-53.

Hollnagel, E. (1985). A Survey of Man-Machine System Evolution Methods. (HWR 148) Norway: OECD Halden Reactor Project.

Hollnagel, E. (2006). Task Analysis: Why, What and How. In: G. Salvendy (Ed.) Handbook of Human Factors and Ergonomics, 3rd ed. New Jersey: John Wiley & Sons.

Junior L. C., Borges M., Carvalho, P. (2010). A Mobile Computer System to Support Collaborative Ethnography: An Approach to the Elicitation of Knowledge of Work Teams in Complex Environments. Lecture Notes in Computer Science, Volume 6257/2010, 33-48.

La Porte, T. & Thomas, C. (1995). Regulatory Compliance and the Ethos of Quality Enhancement: Surprises in Nuclear Power Plant Operations. Journal of Public Administration Research and Theory, n.5, pp. 109-137.

Marmaras, N. and Pavard, B. (1997). A Methodological Framework for Development and Evaluation of Systems Supporting Complex Cognitive Tasks. Journées Européennes des Techniques de l'Informatique, 8, 13-20.

Nachreiner F., Nickel P., Meyer I. (2006). Human factors in process control systems: The design of human–machine interfaces. Safety Science, 44, 5-26.

Nielsen, J. (1993). Usability Engineering. Boston: Academic Press.

O'Hara J., Higgins J., Stubler W., Goodman C., Eckinrode R., Bongarra J. and Galletti G. (1994). Human factors engineering review program model (NUREG-0711 rev.1). Washington, D.C.: US Nuclear Regulatory Commission.

O'Hara J., Brown W., Stubler W., Wachtel J. and Persensky J. (1996). Human-system interface review guideline (NUREG-0700 rev.1). Washington, D.C.: US Nuclear Regulatory Commission.

O'Hara J. & Brown M. (2004). Incorporation of human factors Engineering analyses and tools into the design process for digital control Room upgrades (BNL-72801-2004-CP). New York: Brookhaven National Laboratory.

Santos, I. J. A., Carvalho, P.V., Grecco, C. H., Victor, M. and Mol, A. C. (2005a). A Methodology for Evaluation and Licensing of Nuclear Power Plant Control Rooms. In Proceedings of the 2005 International Nuclear Atlantic Conference, INAC, Santos, SP, Brazil.

Sheridan, T. (2002). Humans and Automation System Design and Research Issue. Santa Monica: Wiley/HFES.

Vicente, K., Mumaw R., Roth, E. (1997). Cognitive Functioning of Control Room Operators – Final Phase. Ottawa: Atomic Energy Canadian Bureau.

Vidal, M.C.R., Carvalho P.V.R., Santos M., Santos, I.J.L. (2009). Collective work and resilience of complex systems. Journal of Loss Prevention in the Process Industries, 22, 537-548.


