Text

Supplement to License Amendment Request to Revise the Licensing and Design Basis to Incorporate the Replacement of Existing Safety-Related Analog Control Systems with a Single Digital Plant Protection System (PPS)- Human Factors
	ML23095A223
Person / Time
Site:	Limerick
Issue date:	04/05/2023
From:	David Helker; Constellation Energy Generation
To:	; Office of Nuclear Reactor Regulation, Document Control Desk
Shared Package
ML23095A222	List: ML23095A223;
References
	Download: ML23095A223 (1)
	v • d • e

200 Exelon Way Kennett Square, PA 19348 www.ConstellationEnergy.com ATTACHMENT 1 TRANSMITTED HEREWITH MAY CONTAIN INFORMATION CONTROLLED BY THE DEPARTMENT OF ENERGY UNDER ITS REGULATIONS at 10 CFR PART 810.

ATTACHMENT 1 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390 10 CFR 50.90 April 5, 2023 U.S. Nuclear Regulatory Commission Washington, DC 20555-0001 ATTN: Document Control Desk Limerick Generating Station, Units 1 and 2 Renewed Facility Operating License Nos. NPF-39 and NPF-85 NRC Docket Nos. 50-352 and 50-353

Subject:

Supplement to License Amendment Request to Revise the Licensing and Design Basis to Incorporate the Replacement of Existing Safety-Related Analog Control Systems with a Single Digital Plant Protection System (PPS)-

Human Factors Engineering Conceptual Verification Results Summary Report

References:

1. Constellation Energy Generation, LLC (CEG) letter to the U.S. Nuclear Regulatory Commission (NRC), "License Amendment Request to Revise the Licensing and Design Basis to Incorporate the Replacement of Existing Safety-Related Analog Control Systems with a Single Digital Plant Protection System (PPS)," dated September 26, 2022 (NRC Agencywide Documents Access and Management System (ADAMS) Accession No. ML22269A5690).

2. U.S. Nuclear Regulatory Commission (NRC) letter to Constellation Energy Generation, LLC (CEG), Limerick Generation Station, Unit Nos. 1 and 2 -

Acceptance of Requested Licensing Action Re: Replacement of Existing Safety Related Analog Control Systems with a Single Digital Plant Protection System (EPID L-2022-LLA-0140), dated December 9, 2022 (ADAMS Accession No. ML22339A064).

ATTACHMENT 1 TRANSMITTED HEREWITH MAY CONTAIN INFORMATION CONTROLLED BY THE DEPARTMENT OF ENERGY UNDER ITS REGULATIONS at 10 CFR PART 810, and PROPRIETARY INFORMATION -

WITHHOLD UNDER 10 CFR 2.390.

When separated, the cover letter is decontrolled.

Supplemental HFE CV RSR Docket Nos. 50-352 and 50-353 April 5, 2023 Page 2 ATTACHMENT 1 TRANSMITTED HEREWITH MAY CONTAIN INFORMATION CONTROLLED BY THE DEPARTMENT OF ENERGY UNDER ITS REGULATIONS at 10 CFR PART 810.

ATTACHMENT 1 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390

3. Constellation Energy Generation, LLC letter to U.S. Nuclear Regulatory Commission, Supplement to License Amendment Request to Revise the Licensing and Design Basis to Incorporate the Replacement of Existing Safety-Related Analog Control Systems with a Single Digital Plant Protection System (PPS)-Human Factors Engineering Conceptual Verification Results Summary, dated February 8, 2023 (ADAMS Accession No. ML230039A116)

In accordance with 10 CFR 50.90, Constellation Energy Generation, LLC (CEG) requested a License Amendment Request (LAR) to replace the Limerick Generating Station, Units 1 and 2 existing safety-related analog control systems with a single digital Plant Protection System (PPS) (Reference 1). NRC accepted the LAR for review on December 9, 2022 (Reference 2).

In Reference 1, CEG described supplemental information that needed to be updated at a later time. In Reference 2, NRC acknowledged a schedule for required supplemental information. In Reference 3, CEG provided the Human Factors Engineering Conceptual Verification Results Summary Report (HFE CV RSR). The HFE CV RSR was classified by the Department of Energy (DOE) as Official Use Only (OUO), Exemption Class 3, Export-Controlled Information, and Exemption Class 4, Commercial/Proprietary and may be considered exempt from public release under the Freedom of Information Act (5 U.S.C.

552(b)).

Subsequent to Reference 3, NRC informed CEG that the submittal was inadequate in that it did not identify the Westinghouse Electric Corporation (WEC) and CEG proprietary information.

This supplemental letter contains the original HFE CV RSR proprietary report submitted in Reference 3 (Attachment 1), the redacted non-proprietary HFE CV RSR, Revision 1 (Attachment 2), the WEC affidavit (Attachment 3) and the CEG affidavit (Attachment 4).

The HFE CVR RSR provided in Attachment 1 contains information proprietary to WEC and CEG. Attachment 3 includes an affidavit signed by WEC, the owner of the proprietary information. Attachment 4 includes an affidavit signed by CEG, the owner of the proprietary information. The affidavits set forth the basis upon which the information may be withheld from public disclosure by the NRC, and it addresses with specificity the considerations listed in paragraph (b)(4) of 10 CFR 2.390 of the NRCs regulations. WEC and CEG request that the WEC and CEG proprietary information in Attachment 1 be withheld from public disclosure in accordance with 10 CFR 2.390. Future correspondence with respect to the proprietary aspects of the application for withholding related to the WEC and CEG

Supplemental HFE CV RSR Docket Nos. 50-352 and 50-353 April 5, 2023 Page 3 ATTACHMENT 1 TRANSMITTED HEREWITH MAY CONTAIN INFORMATION CONTROLLED BY THE DEPARTMENT OF ENERGY UNDER ITS REGULATIONS at 10 CFR PART 810.

ATTACHMENT 1 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390 proprietary information or the WEC or CEG affidavits provided in Attachment 3 and 4 should reference this request letter. may also contain information controlled by the Department of Energy under its regulations at 10 CFR Part 810. This information is bounded by the proprietary withholding redactions and does not appear in the non-proprietary Attachment 2.

CEG has reviewed the information supporting a finding of no significant hazards consideration, and the environmental consideration, which was previously provided to the NRC in the Reference 1 letter. CEG has concluded that the information provided in this supplemental letter does not affect the bases for concluding that the proposed license amendments do not involve a significant hazards consideration under the standards set forth in 10 CFR 50.92. In addition, CEG has concluded that the information in this supplemental letter does not affect the bases for concluding that neither an environmental impact statement nor an environmental assessment needs to be prepared in connection with the proposed amendments.

This supplemental letter contains no regulatory commitments.

In accordance with 10 CFR 50.91, "Notice for public comment; State consultation,"

paragraph (b), CEG is notifying the Commonwealth of Pennsylvania of this supplemental letter by transmitting a copy of this letter to the designated State Official.

If you have any questions regarding this submittal, then please contact Frank Mascitelli at Francis.Mascitelli@constellation.com.

I declare under penalty of perjury that the foregoing is true and correct. Executed on this 5th day of April 2023.

Respectfully, David P. Helker Sr. Manager - Licensing Constellation Energy Generation, LLC

Supplemental HFE CV RSR Docket Nos. 50-352 and 50-353 April 5, 2023 Page 4 ATTACHMENT 1 TRANSMITTED HEREWITH MAY CONTAIN INFORMATION CONTROLLED BY THE DEPARTMENT OF ENERGY UNDER ITS REGULATIONS at 10 CFR PART 810.

ATTACHMENT 1 TRANSMITTED HEREWITH CONTAINS PROPRIETARY INFORMATION - WITHHOLD UNDER 10 CFR 2.390 Attachments: 1. INL/RPT-23-71063, Revision 0, Limerick Safety-Related Instrumentation and Controls Upgrade, Human Factors Engineering Conceptual Verification Report, dated February 2023 (proprietary)

2. INL/RPT-23-71063, Revision 1, Limerick Safety-Related Instrumentation and Controls Upgrade, Human Factors Engineering Conceptual Verification Report, dated March 2023 (non-proprietary)

3. WEC Affidavit CAW 23-002

4. CEG Affidavit for INL/RPT-23-71063 Revision 0 cc: USNRC Region I, Regional Administrator w/ attachments USNRC Project Manager, LGS "

USNRC Senior Resident Inspector, LGS "

Director, Bureau of Radiation Protection - Pennsylvania Department of Environmental Protection w/o attachment 1

Attachment 1 License Amendment Request Supplement Limerick Generating Station, Units 1 and 2 Docket Nos. 50-352 and 50-353 INL/RPT-23-71063, Revision 0, Limerick Safety-Related Instrumentation and Controls Upgrade, Human Factors Engineering Conceptual Verification Report, dated February 2023 (proprietary)

Attachment 2 License Amendment Request Supplement Limerick Generating Station, Units 1 and 2 Docket Nos. 50-352 and 50-353 INL/RPT-23-71063, Revision 1, Limerick Safety-Related Instrumentation and Controls Upgrade, Human Factors Engineering Conceptual Verification Report, dated March 2023 (non-proprietary)

INL/RPT-23-71063 Limerick Safety-Related Instrumentation and Control Upgrade Human Factors Engineering Conceptual Verification Report February 2023 Paul J. Hunton Senior Research Scientist Casey R. Kovesdi Human Factors Scientist Jeffrey C. Joe Senior Human Factors Scientist This document redacts proprietary information as identified by both Constellation and Westinghouse. Redactions are presented in the text in brackets with a superscript identifying whether the redacted information is proprietary to Constellation (C) or Westinghouse (W). This document contains no Idaho National Laboratory, Constellation, or Westinghouse proprietary information.

DISCLAIMER This information was prepared as an account of work sponsored by an agency of the U.S. Government. Neither the U.S. Government nor any agency thereof, nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness, of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. References herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the U.S. Government or any thereof. The views and opinions of authors expressed herein do not agency necessarily state or reflect those of the U.S. Government or any agency thereof.

INL/RPT-23-71063 Limerick Safety-Related Instrumentation and Control Upgrade Human Factors Engineering Conceptual Verification Report Paul J. Hunton Senior Research Scientist Casey R. Kovesdi Human Factors Scientist Jeffrey C. Joe Senior Human Factors Scientist February 2023 Idaho National Laboratory Nuclear Science and Technology Idaho Falls, Idaho 83415 http://www.inl.gov Prepared for Constellation Energy Generation Under Cooperative Research and Development Agreement 21CRA5

REVISION LOG Rev. Date Affected Pages Revision Description 1 03/16/2023 All Proprietary information was removed. No further changes were made to the document and pagination was preserved.

CONTENTS ACRONYMS AND DEFINITIONS ........................................................................................................... vi

1. PURPOSE AND SCOPE .................................................................................................................... 1

2. INDEPENDENT TEAMS TO ENABLE HUMAN-SYSTEM INTERFACE DEVELOPMENT ............................................................................................................................... 3 2.1 Human-System Interface Design and Procedure Modification Team...................................... 3 2.1.1 Role ............................................................................................................................. 3 2.1.2 Team Members ........................................................................................................... 3 2.2 Human Factors Engineering Process Team ............................................................................. 5 2.2.1 Role ............................................................................................................................. 5 2.2.2 Team Members ........................................................................................................... 6 2.3 Human-System Interface and Procedure Validation Team ...................................................... 8 2.3.1 Role ............................................................................................................................. 8 2.3.2 Team Members ........................................................................................................... 8 2.4 Simulator Team ........................................................................................................................ 8 2.4.1 Role ............................................................................................................................. 8 2.4.2 Team Members ........................................................................................................... 9

3. INPUTS TO ENABLE CONCEPTUAL VERIFICATION ............................................................. 11 3.1 Human-System Interface Display Design .............................................................................. 11 3.1.1 Overall Process ......................................................................................................... 11 3.1.2 Human-System Interface Design for Conceptual Verification ................................. 13 3.2 Modification of Procedures .................................................................................................... 18 3.3 Refined Control Room Layout and Conceptual Verification................................................. 18 3.4 Simulation Environment ........................................................................................................ 20 3.5 Other Considerations.............................................................................................................. 21

4. CONCEPTUAL VERIFICATION WORKSHOP PERFORMANCE.............................................. 22 4.1 Objectives............................................................................................................................... 22 4.2 Overview of the Method to Perform Conceptual Verification ............................................... 22 4.3 Manual Actions Evaluated by Conceptual Verification ......................................................... 24 4.3.1 Task Analysis Workshop Scope as it Relates to Conceptual Verification ................ 24 4.3.2 Bounding of Conceptual Verification and Preliminary Validation Efforts............... 26 4.4 Inputs to Conceptual Verification .......................................................................................... 29 4.4.1 Scenario Identification and Simulator Exercise Guide Development ....................... 29 4.4.2 Operational Sequence Diagrams ............................................................................... 30 4.4.3 Timeline Analysis Method ........................................................................................ 30 4.4.4 Acceptance Criteria for Conceptual Verification and Preliminary Validation ......... 32 4.5 Protocol to Ensure Readiness for Conceptual Verification .................................................... 33 4.5.1 Review and Confirm Impacted Manual Operator Actions to be Evaluated .............. 33 iii

4.5.2 Review and Confirm Scenarios................................................................................. 34 4.5.3 Confirm Completeness of Type and Number of Plant Protection System and Ovation Displays ....................................................................................................... 34 4.5.4 Confirm Completeness of Procedure Changes ......................................................... 35 4.5.5 Establish Time Available for Manual Actions identified in Section 4.3.2 as Applicable ................................................................................................................. 35 4.5.6 Identify and Document the Task Sequences for Manual Actions Identified in Section 4.3.2.............................................................................................................. 35 4.5.7 Perform Dry Run....................................................................................................... 35

5. CONCEPTUAL VERIFICATION EXECUTION AND RESULTS ................................................ 36 5.1 Execution of Scenarios........................................................................................................... 36 5.2 General Results Against Review Criteria .............................................................................. 36 5.3 Conceptual Verification Summary of Results........................................................................ 38 5.3.1 Credited Manual Actions in the Limerick Generating Station Licensing Basis .......................................................................................................................... 38 5.3.2 Additional Manual Operator Actions Evaluated ....................................................... 40 5.4 General Human-System Interface Style Guide Comments .................................................... 42 5.5 Human-System Interface and Procedure Items Identified During Conceptual Verification ............................................................................................................................ 43

6. REFERENCES.................................................................................................................................. 44 Appendix A: Key HSI Style Guide Attributes for Conceptual Verification HSI Development ................. 45 Appendix B: Human-System Interface Displays Developed for Conceptual Verification ......................... 59 Appendix C: Simulator Exercise Guides .................................................................................................. 131 Appendix D: Scenario Operational Sequence Diagrams and Results for Conceptual Verification and Preliminary Validation Manual Actions................................................................................... 303 Appendix E: Comments to Displays and Procedures Developed for Conceptual Verification ................ 315 Appendix F: Navigation Click Structure for PPS and DCS ...................................................................... 333 iv

FIGURES Figure 1. HFE phases covered in NUREG-0711, HFE Program Review Model, Revision 3 (Reference 4). ............................................................................................................................... 1 Figure 2. Required information for display development. .......................................................................... 11 Figure 3. Flow diagram for developing new HSI displays (and procedure modifications). ....................... 11 Figure 4. Notional MCR layout incorporating TA key findings (from Reference 4). ................................ 19 Figure 5. Current MCR layout used as input for CV. ................................................................................. 19 Figure 6. Simulation environment for CV compared to the current MCR layout ...................................... 21 Figure 7. CV and PV HFE process. ............................................................................................................ 23 Figure 8. NUREG-1852 timeline guidance for evaluating manual operator actions. ................................. 30 Figure 9. NRC timeline template used for evaluating manual operator actions. ........................................ 33 Figure 10. HFE Process Team global comments to draft CV HSI displays. .............................................. 43 TABLES Table 1. Design and Qualification Requirements for Type A, Category 1 PAMS Instrumentation. .......... 16 Table 2. UFSAR tasks and D3 tasks significantly impacted by the modification as identified for the TA workshop [4]................................................................................................................... 25 Table 3. Manual operator actions credited in the LGS Licensing Basis impacted by the modification. ............................................................................................................................... 27 Table 4. Additional manual operator actions impacted the modification that were evaluated. .................. 28 Table 5. CV observed times for manual operator actions credited in the LGS Licensing Basis impacted by the modification. .................................................................................................... 39 Table 6. CV observed times for additional manual operator actions impacted the modification that were evaluated. ........................................................................................................................... 40 v

ACRONYMS AND DEFINITIONS ADS Automatic Depressurization System AER Auxiliary Equipment Room AOA Automated Operator Aid ATWS Anticipated Transient Without Scram CCF Common-Cause Failure CEG Constellation Energy Generation CMA Credited Manual Action CV Conceptual Verification D3 Defense in Depth and Diversity DCS Distributed Control System (non-safety) which is implemented using the Emerson Ovation platform DPS Diverse Protection System DOE Department of Energy ECCS Emergency Core Cooling System EOP Emergency Operating Procedure HFE Human Factors Engineering HSI Human-System Interface HSSL Human Systems Simulation Laboratory HUD Heads-Up Display I&C Instrumentation and Control ICS Industrial Control System INL Idaho National Laboratory ISSM Information System Security Manager ISV Integrated System Validation LGS Limerick Generating Station Units 1 and 2 LOCA Loss of Coolant Accident MCR Main Control Room NRC Nuclear Regulatory Commission (United States)

NSSSS Nuclear Steam Supply Shutoff System OSD Operational Sequence Diagram PAMS Post-Accident Monitoring System PPS Plant Protection System (safety-related which is implemented using the Westinghouse Common Qualified [Common Q] platform)

PRA Probabilistic Risk Assessment PV Preliminary Validation PRO Plant Reactor Operator RCIC Reactor Core Isolation Cooling RHR Residual Heat Removal vi

RO Reactor Operator RPS Reactor Protection System RPV Reactor Pressure Vessel SEG Simulator Exercise Guide SR Safety-Related SRO Senior Reactor Operator SRV Safety Relief Valve TA Task Analysis TCA Time-Critical Action Time Available The total time identified for operators to complete an identified action in:

Licensing commitments as listed in Table 3 of this document

Other documents (which are not licensing commitments)

Time to Perform The time necessary to perform the specific manual action once it is determined by operators that the action needs to be performed TMI Three Mile Island TSA Time Sensitive Action UFSAR Updated Final Safety Analysis Report V&V Verification and Validation VDU Video Display Unit (a hardware device to present software displays) vii

Page intentionally left blank viii

Limerick Safety-Related Instrumentation and Control Upgrade Human-System Interface Conceptual Verification Report

1. PURPOSE AND SCOPE This document is a results summary report that describes the human-system interface (HSI) design activities performed in preparation for and the results from performing a conceptual verification (CV) workshop on those HSIs. The purpose of the CV workshop was to verify that the HSIs being developed for the Limerick Generating Station (LGS) Safety-Related (SR) Instrumentation and Control (I&C)

Upgrade Project, along with associated procedure changes, are progressing in towards enabling a Preliminary Validation (PV) in accordance with:

INL/RPT-22-68693, Human Factors Engineering Program Plan for Constellation Safety-Related Instrumentation and Control Upgrades [Reference 2], Section 6.12.1, Human-System Interface Design.

INL/RPT-22-68995, Human Factors Engineering Combined Functional Requirements Analysis, Function Allocation, and Task Analysis for the Limerick Control Room Upgrade: Results Summary Report, [Reference 4] Section 7.1, Static Workshop - Conceptual Verification.

NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition, [Reference 1] Attachment A, Guidance for Evaluating Credited Manual Operator Actions of Revision 3 of Chapter 18, was also leveraged to support the CV workshop.

The CV workshop activity is being performed as part of the HSI Design Phase as well as an early part of the Verification and Validation Phase of the Human Factors Engineering (HFE) Program as highlighted in Figure 1.

Figure 1. HFE phases covered in NUREG-0711, HFE Program Review Model, Revision 3 (Reference 4).

1

The prototype displays and navigation strategy created for Section 5.1.1.2.3 and commented on in Section 5.1.2.4.4.3 in the Task Analysis (TA) workshop [Reference 4] were used as a starting point for more refined displays used for the CV workshop. The HSI Design and Procedure Modification Team (Section 2.1) utilized INL/RPT-22-68558, Human-System Interface Style Guide for Limerick Generating Station [Reference 5], to develop these more refined displays. The displays used during the CV were also evaluated against the HSI Style Guide [5] by the Idaho National Laboratory (INL) HFE Process Team (Section 2.2).

The HSI design CV by the HSI and Procedure Validation Team (Section 2.3) occurred during a static HSI workshop held at the INL during the week of December 5, 2022. Scenario walkthroughs were performed using navigable, static displays driven by the INL Human-System Simulation Laboratory (HSSL). The workshop allowed operators to navigate through the updated HSIs, using modified procedures, in the context of a partial scope main control room (MCR). The partial scope MCR was arranged to provide the proper relative arrangement of new and existing HSIs so that the MCR modifications provided by this upgrade could be evaluated in the proper operational context.

HSI physical layouts, display attributes, and HSI design navigation strategy were evaluated along with updated procedures. This was done using a series of scenarios focused on important human actions identified as requiring credited manual actions (CMA). Credited manual operator actions in the LGS Licensing Basis as impacted by the LGS SR I&C Upgrade Project were identified by Constellation Energy Generation (CEG) personnel. CEG personnel also identified additional manual operator actions to be evaluated for a more comprehensive evaluation of impacts of the LGS SR I&C Upgrade Project. These additional items are not being added to the LGS Licensing Basis by their inclusion in CV (or PV).

CV workshop outputs include:

Operational sequence diagrams (OSDs) and associated CV timing results, as captured in Appendix D.

CV timing results, as summarized in Section 5.3. This summary captures the estimated time to perform and time to implement for CMA and additional manual actions being evaluated using the HSIs with related procedure changes developed for this upgrade. This output satisfies the CV review criteria described in Section 5.2. It also provides reasonable assurance that a dynamic execution of the same scenarios and OSDs in PV (and integrated system validation [ISV]) will produce timing results that meet the specific acceptance criteria as presented in Section 4.4.4.

The identification of issues associated with the HSI design or procedures, including those that may challenge the ability of operators to perform the actions correctly and reliably within the time available. These issues are provided in Appendix E, which also identifies HSI Style Guide compliance issues that need to be dispositioned.

These outputs extend the results of TAs into the HSI design and Task Support Verification. The outputs will be used to refine OSDs and scenarios and enable an HSI design and procedure development iteration to support the satisfactory performance of PV. PV will provide CEG with high confidence through additional Task Support Verification that the times observed for credited manual operator actions will satisfy the success criteria for ISV.

2

2. INDEPENDENT TEAMS TO ENABLE HUMAN-SYSTEM INTERFACE DEVELOPMENT 2.1 Human-System Interface Design and Procedure Modification Team 2.1.1 Role The role of the HSI Design and Procedure Modification Team is twofold. Their first role is to create the HSI design concept to produce design inputs. Their second role is to then design HSIs to conform those inputs as well as to established HFE principles. This includes:

Identifying acceptable HSI hardware modifications, including:

- Which existing HSIs are being modified as part of the upgrade

- Which existing HSI are being relocated (but not otherwise modified) as part of the upgrade

- Where new HSIs provided by the upgrade are located, including:

Placement of video display units (VDUs) and associated peripherals Placement and operating characteristics of any new hardware or switches

Identifying the content, layout, and navigation strategy of electronic displays developed for VDUs to enable operators to monitor and operate plant systems impacted by the upgrade

Identifying the complete list of CMA impacted by the upgrade

Developing HSIs in accordance with the project HSI Style Guide [5], as developed by the HFE Process Team.

Their second role is to identify and propose procedural changes to enable plant operation based on the post-modification state.

2.1.2 Team Members The HSI Design and Procedure Modification Team includes LGS personnel from the engineering and operations departments. These individuals collectively are:

Knowledgeable of the I&C legacy and HSI design being upgraded

Experienced in plant operations using the legacy design and HSIs

Knowledgeable of the capabilities and enhanced functionality of the upgraded design and HSI tools offered by the Plant Protection System (PPS) implemented using the Westinghouse Common Q platform and the Distributed Control System (DCS) implemented on the Emerson Ovation platform

Knowledgeable of existing operating procedures and procedure writing guides to modify procedures to reflect the use of upgraded design.

Members of the Limerick HFE Design and Procedure Modification Team with these qualifications are:

Scott Schumacher, Engineering

- Bachelor of Science in Nuclear Engineering and Engineering Physics from Rensselaer Polytechnic Institute

- ANSI-3.1 SRO Boiling Water Reactor Certification for Management, LGS, PA

- Emergency Core Cooling System, System Manager, LGS (10 years)

- Operations Support Staff, LGS (4 years)

- Reactor Operator Instructor, Knolls Atomic Power Laboratory, NY (3 years) 3

- United States (U.S.) Navy Submarine Electronics Technician, Nuclear (7 years: S5W, S6W, S8G designs)

Paul Krueger, Operations

- Bachelor of Science in Chemistry from the University of Wisconsin-Green Bay

- Radiochemical Technician, Point Beach Nuclear Plant (4 years)

- Auxiliary Operator, Point Beach Nuclear Plant (6 years)

- Equipment Operator, LGS (4 years)

- Reactor Operator, LGS (4 years)

- Senior Operations Specialist (4 years)

- Boiling Water Reactor Owners Group Emergency Procedures Committee Member (4 years)

Vice Chairman (2 years)

Other I&C engineering personnel who assisted the HSI Design and Procedure Modification Team by providing technical insights into the capabilities of both the existing I&C systems being replaced and the new PPS and DCS include:

Mark Samselski, Project Engineer for the LGS SR I&C Upgrade Project

- Bachelor of Science in Electrical Engineering, Wilkes University

- Master of Business Administration, Villanova University

- Systems Engineer, Instrumentation Engineering, LLC (2 years)

- Senior Engineer, Nuclear Automation, Westinghouse Electric Company, LLC (5 years)

- Consulting Engineer, Nuclear Automation, System One (1 year)

- Consulting Engineer, Naval Surface Warfare Center, McKean Defense Group (1 year)

- Design Engineer, Nuclear, LGS (1 year)

- Lead Engineer, Generator Rewind & Voltage Regulator Project, LGS (4 years)

- Lead Engineer, LGS SR I&C Upgrade Project (3 years)

Michael Foote

- Bachelor of Science in Electrical Engineering, Norther Illinois University

- ANS Senior Reactor Operator CertificationPressurized Water Reactor

- Exelon (now CEG) (17 years)

Engineer, Braidwood Station, Rapid Response Engineer, Braidwood Station, Electrical Systems Sr. Staff Engineer, CEG CDO I&C Analytical Group Sr. Staff Engineer, CEG Fleet I&C Systems Engineering Manager, Braidwood Station Mechanical Design Balance of Plant Systems Rapid Response 4

The HSI Design Team also includes:

CORYS

- CORYS is the organization contracted by LGS to maintain and support their ANSI 3.5 simulator used for training and qualification. They are a simulation company with over 30 years of experience in creating sophisticated models of complex systems for the nuclear power industry.

They have performed major upgrades on most of the nuclear power plant simulators in the U.S.

- CORYS has the responsibility to develop HSI graphics displays based on input from the Limerick HFE Design Team members. These displays will be used for the CV workshop. Modifications to these displays will be made using findings from the CV workshop to support the PV workshop.

- Since LGS PPS displays produced by Westinghouse cannot be directly leveraged for ISV in the LGS simulator, CORYS will also produce high-fidelity facsimiles of the production PPS displays to be used in the LGS plant by Westinghouse, as described in the next point, for HFE ISV in the LGS simulator as well as for operator training and evaluation in the LGS simulator.

Westinghouse

- Westinghouse is the platform vendor for both the Common Qualified Platform (Common Q) being used for the PPS and the Emerson Ovation platform being used for the DCS for the LGS SR I&C Upgrade Project at LGS.

- Westinghouse will render the HSIs identified and produced as the output of the PV workshop for both the PPS and DCS. The DCS HSIs produced by Westinghouse will also be directly leveraged for the HFE ISV.

2.2 Human Factors Engineering Process Team 2.2.1 Role The role of the HFE Process Team is to ensure that the project establishes and then executes the HFE Program Plan [2]. This includes:

Developing and coordinating the execution of the Project HFE Program Plan [2] using Revision 3 of NUREG-0711 [3], Human Factors Engineering Program Review Model as a basis as established by CGS. The HFE Program Plan was reviewed and approval by CGS.

Developing the LGS SR I&C Upgrade Project HSI Style Guide [5] which was reviewed and approved by CGS.

Evaluating HSIs created by the HSI Design Team properly incorporate the Project HSI Style Guide

[5] and consider the findings of other HFE products developed during the HFE Planning and Analysis Phase of the Project including:

- INL/RPT-22-68703, Human Factors Engineering Operating Experience Review of the Constellation Limerick Control Room Upgrade: Results Summary Report [Reference 9].

- The balance of HFE Planning and Analysis Phase activities as captured in Reference 4 as appropriate.

Developing methodologies and execution plans for and providing process support to execute Project HFE Design and Verification and Validation (V&V) activities in accordance with the HFE Program Plan [2].

Documenting the methodologies, execution plans, and results of HFE Design and V&V activities, which are reviewed and accepted by CGS.

Evaluating HSI physical modifications from an HFE perspective, leveraging NUREG-0700, Human-System Interface Design Review Guidelines, Revision 2 [Reference 10]. Arrangement 5

recommendations by the HFE Process Team are iterated with the HFE Design Team to create a result that is physically implementable (addressing constructability issues, such as wiring constraints, physical constraints, seismic requirements, etc.) while addressing HSI accessibility per Reference 10 to the maximum extent practicable.

2.2.2 Team Members The HFE Process Team is led by researchers from INL that are subject matter experts in HFE program development and execution. INL HFE Process Team members along with their qualifications are:

Jeffrey Joe, Distinguished Human Factors Research Scientist

- Master of Science in Social Psychology from the University of Utah

- 22 years of relevant HFE experience

- Expertise in the areas of human factors research and development, HFE, human performance improvement, human reliability analysis, safety culture, organizational development, public energy policy, social, and industrial and organizational psychology

- Extensive business development and project management experience managing U.S. Department of Energy (DOE) projects, and work for others and strategic partnership program projects for the U.S. Nuclear Regulatory Commission (NRC), the National Aeronautics and Space Administration, and commercial utilities

Casey Kovesdi, Human Factors Research Scientist

- Master of Science in Human Factors Psychology at University of Idaho

- 10 years of combined HFE experience and 7 years of relevant nuclear HFE experience

- Human Factors Scientist and Engineer at INL Principal Investigator in human-technology integration and HFE for U.S. DOE Light Water Reactor Sustainability Program Leads research and development activities specific to HFE in nuclear power plant modernization HFE experience specific to HSI design for nuclear power plant main control rooms Technical expertise in NUREG-0700 and HFE methods, including usability testing, TAs, and human performance measurement Supported five major U.S. nuclear power plant digital MCR modification projects SC-5 Institute of Electrical and Electronics Engineers (IEEE) Standards Committee Standards Champion for IEEE Std 845(Evaluation Human-System Performance in Nuclear Power Generating Stations and Other Nuclear Facilities)

Author of 28 conference and journal papers and 23 technical reports in HFE

- Human Factors Engineer at Battelle Memorial Institute Lead and supported HFE activities to support regulatory submissions of Class III medical devices (devices responsible for sustaining or supporting life)

Facilitation and analysis of formative and validation HFE studies Developed reports to support applicants usability engineering files HFE lead in data management and analysis following ISO 13485

Paul Hunton, Senior Research Scientist

- Bachelor of Science in Electrical Engineering from Gonzaga University

- 32 years of relevant nuclear experience (operations, I&C design, and HFE)

- Naval Nuclear Operations 6

Naval Nuclear Plant Engineer and Supervisor of In-Hull Training Engineering Officer of the Watch qualified Shift Supervisor qualified Trained naval nuclear plant operators at two prototype nuclear plants Senior nuclear operations supervisor responsible for all aspects of nuclear plant operation Drill coordinator for nuclear plant training

- Naval Nuclear Design Engineering (CVN-78, USS Gerald R. Ford) Engineering Supervisor MCR Design HSI design Development of prototype simulators to validate design concepts Design of the digital Propulsion Plant Monitoring & Control System for CVN-78

- Commercial Nuclear Design Engineering (AP1000)

Operations and Control Centers Project Manager for AP1000 MCR layout Supervisor for the development of HSI tools, including the AP1000 Wall Panel Information System, Computerized Procedure System Responsible for addressing Design Acceptance Criteria and Inspections, Tests, Analysis, and Acceptance Criteria for the AP1000 Design Control Document Chapter 18, Human Factors Engineering in support of NRC Design Certification for Revision 17 of the AP1000 Design Control Document Principal Engineer for the Digital Instrumentation and Control Standard Platform Project for three nuclear facilities including the definition and implementation of the HFE Program Plan at each of those facilities (with the support of INL)

- Senior Research Scientist at INL HFE process development I&C digital modernization Digital Infrastructure

Jeremy Mohon, Human Factors Researcher

- Master of Science in Applied Cognitive Psychology and Human Factors at the University of HoustonClear Lake

- 3 years of relevant HFE experience as an HFE Researcher HFE experience in 3D modeling MCRs for Light Water Reactor Sustainability Control Room Modernization projects HFE experience specific to HSI design for nuclear power plant main control rooms Technical expertise in NUREG-0700 and HFE methods, including usability testing, TAs, and human performance measurement Supported four major U.S. nuclear power plant digital MCR modification projects

Chloe Peterson, San Miguel, Human Factors and Reliability Intern

- Master of Science in Experimental Psychology, PhD Candidate

- 3 years of experience supporting HFE in nuclear applications.

7

2.3 Human-System Interface and Procedure Validation Team 2.3.1 Role The HSI and Procedure Validation Team is made up of qualified and licensed LGS Operations personnel. They represent the ultimate end-users of the HSIs developed as part of the LGS SR I&C Upgrade Project as well as the modified procedures produced to enable HSI use. Their training and operations experience provide the necessary qualifications to evaluate whether the modified HSIs and procedures acceptably promote plant operation. The performance of the HSI and Procedure Validation Team members when running scenarios for CV and PV is evaluated only with respect to whether the HSIs and procedures produced by the HSI Development and Procedure Modification Team can be used to affect necessary plant control and monitoring. By their qualification as plant operators, they have already demonstrated this capability within the legacy LGS MCR.

2.3.2 Team Members Members of the Validation Team include the following members of the LGS Operations Department:

Kris StrausserShift Manager and Shift Technical Advisor Roles

- Reactor Operator (4 years)

- FIN Senior Reactor Operator (1 year)

- Senior Reactor Operator (4 years)

- Shift Manager (7 years)

Sagar PatelSenior Reactor Operator (SRO) Role

- Bachelor of Science in Mechanical Engineering, Drexel University

- Senior Engineer (Systems Engineering) at LGS (5 years)

- ANSI Boiling Water Reactor SRO Certification, LaSalle Generating Station

- SRO at LGS (9 years)

Wes HenneReactor Operator (RO) and Plant Reactor Operator (PRO) Role

- Naval Nuclear Submarine Electrician and Engineering Watch Supervisor (2 years in each role)

- LGS Nuclear Equipment Operator (5 years)

- LGS RO (8 years on shift follows by 7 years in support of Engineering)

Kevin CoreyRO and PRO Role

- Naval Nuclear Electrician, Nuclear Operator, Load Dispatcher (6 years)

- LGS Nuclear Equipment Operator (10 years)

- LGS RO (12 years) 2.4 Simulator Team 2.4.1 Role Simulator personnel serve two roles. The first is an engineering activity to provide for the capability to accurately develop an integrated simulation that models physical plant operating characteristics, plant I&C characteristics, and interactive HSI capabilities to provide an immersive simulator environment for training and qualifications. These personnel work with the simulator vendor (CORYS at LGS) and Westinghouse to implement these three capabilities. For the CV workshop, the HSI Design Team (LGS simulator personnel in conjunction with CORYS) provided static, electronically navigable versions of digital HSIs that were loaded into the simulator by the simulator engineering personnel. For PV, updated displays reflecting changes incorporated to disposition CV comments and continued design refinement 8

will be loaded and dynamically linked to the simulator plant and I&C models. This will facilitate the performance of PV in a near-full scope, dynamic simulator environment.

The second role is to run the simulator during CV and PV and assess the ability of the operators to use the upgraded HSIs to successfully perform identified scenarios following predeveloped simulator exercise guides (SEGs). While the new HSI displays and navigation were static for CV, the simulator model was still used during the CV scenario walkthroughs and talkthroughs. Initial conditions were loaded for each scenario by simulator operations training personnel. At the beginning of each CV scenario, simulator training personnel initiated the event per the appropriate SEG. The simulator provided audible alarms to MCR operators. Simulator personnel provided near real-time verbal descriptions of indications that operators would see on the new HSI displays. When MCR operators navigated to PPS and DCS displays and accessed existing indications and controls not impacted by the upgrade and simulated operator response actions, the simulator personnel performed those actions on the simulator model using the instructor station to affect the associated control actions. This kept each scenario moving in near real time.

Simulator personnel, who are qualified LGS simulator training personnel, then evaluated whether the MCR operators had completed the necessary tasks to address the events for each scenario per the SEG.

For PV, the simulator engineering and training personnel will perform similar activities. Simulator engineering personnel will load HSIs for PPS and DCS that have been updated by the HSI Design Team based upon CV comments and additional design efforts. This will include providing linkage between the PPS and DCS HSI displays and the plant model to make them dynamic. This will happen at CORYS and be validated by CEG. These will then be transferred to the INL HSSL. With dynamic displays, simulator training personnel will be able to run the updated simulator in the HSSL at INL in a manner that more closely resembles the LGS MCR training simulator performance. This will allow the simulator training personnel to focus more on evaluating the ability of the HSI Validation Team to use the HSIs created for the project to satisfy the acceptance criteria for PV.

2.4.2 Team Members Members of the Simulator Team include:

Simulator engineering personnel:

CEG:

Stuart McDonald

- Bachelor of Science in Nuclear Engineering, Pennsylvania State University

- Bachelor of Science in Mechanical Engineering, Pennsylvania State University

- EngineerPressurized Water Reactor Core Methods Development, Westinghouse (6 years)

- Simulator Software EngineerCEG (9 years)

INL:

Brandon Rice, HSSL Manager

- School of Information Technology at Ft. Gordon, Georgia

- 8 years of relevant experience

- Manages the design and implementation of the HSSL, which is used as a test bed for HFE, cybersecurity, and hardware-in-the-loop research

- Implements nuclear utility simulators into the HSSL from various vendors, which allows INL researchers and utility personnel to develop and perform V&V testing for INL partnerships

- Contributes to the development of new digital control system mockups using the Windows Presentation Foundation for V&V testing with vendors, engineers, and plant operators 9

- Principal investigator and pathway lead for the DOE Nuclear Energy Research program regarding modeling and simulation for nuclear power plants, which uses the HSSL to investigate how well a U.S. utility would respond to adversarial cyberattacks on its networks

Robert England

- Bachelor of Science in Computer Engineering from Brigham Young University

- 15 years of relevant nuclear experience (engineering, simulation, and laboratory research)

- Naval Reactors Facility Supported dry fuel storage process as a cognizant engineer Engineered process improvements through engineering work as well as six sigma process improvement training and exercises Quality assurance engineering work on procurement engineering, spent fuel canister certification, and helium leak testing

- INL Advanced Test Reactor System Engineer for both Reactor Process and Experiment Distributed Control Systems Developed, Implemented, and Tested control systems Supervised system migrations to Windows 7 environment Acted as the system engineering interface to the reactor simulator supporting hardware and software implementations of the simulation environment

- INL Industrial Control Systems (ICS) Information System Security Manager Led the implementation of a lab-wide ICS Cyber Assurance Program Led the stand-up of an ICS Demilitarized Zone Assisted in the creation of an Operational Technology Cybersecurity Awareness training course for the DOEs CyberFire Conference

- INL Instrumentation and Controls Researcher Lab Space Coordinator and Principal Researcher for the Monitoring, Diagnostics, and Automation Laboratory Lab Space Coordinator for the Human Systems Simulation Laboratory LGS simulator training personnel:

Eric RosaCV and PV

- Bachelor of Science in Mechanical Engineering, Kansas State University - Salina

- Product Design Engineer, Kansas Instruments, Council Grove, Kansas (4 years)

- Project Manager for Industrial Construction (6 years)

- Equipment Operator at LGS (7 years)

- RO at LGS (4 years)

- Senior Operations Training Instructor at LGS (5 years)

Evan StonePV

- Bachelor of Science in Physics, University of Pennsylvania - Millersville

- Equipment Operator, Three Mile Island (TMI) (7 years)

- RO, TMI (1 year)

- Operations Supervisor (SRO certification), TMI (1 year)

- Senior Operations Instructor (1 year) and Simulator Coordinator (1 year), LGS 10

3. INPUTS TO ENABLE CONCEPTUAL VERIFICATION 3.1 Human-System Interface Display Design 3.1.1 Overall Process Members of the HSI Design Team are uniquely familiar with how the relationship between operator and system inputs, I&C system program logic, and operator and system outputs, as shown in Figure 2, are impacted by the LGS SR I&C Upgrade Project.

Figure 2. Required information for display development.

The process for HSI display design for the LGS SR I&C Upgrade Project is shown in Figure 3.

Figure 3. Flow diagram for developing new HSI displays (and procedure modifications).

11

Figure 3 presents an iterative HSI design effort that ultimately results in the production of final HSI graphics display renditions using tools suited for this purpose. Procedure modification occurs in parallel following a similar process flow and is further presented in Section 3.2. Figure 3 has been slightly modified when compared to the similar figure in Section 6.2.1.1 of the HFE Program Plan [2]. These modifications clarify the steps in the process and do not change the overall intent or scope of work as described in the HFE Program Plan. The approach has six basic steps.

1. Identify the desired features and functions of the HSI displayswhereby insights are extracted from the Operational Experience Review [9] (to the extent there may be deficits in the existing HSI), the Functional Requirements Analysis and Function Allocation, and the TA (collectively captured in [4]).

2. The desired features and functions are used by the HSI Design Team to develop (and revise through iteration) HSI graphics displays. The initial development of HSIs graphic displays is shown in yellow in Figure 3. As these displays are iteratively created, evaluated, and refined, they become the product (Step 4 below) that is used by Westinghouse to create production graphics displays for the PPS and DCS (Step 5 below). The HSI Design Team uses the HSI Style Guide [5] as their skills and tools allow as part of HSI graphics display development.

3. The HSI graphics displays are evaluated for usability. This is shown in blue in Figure 3 as an iterative process. This evaluation has two fundamental components.

a. Operator Testing is the process of assessing the degree to which the designed system can be used effectively by the target user (operators) that collectively make up the HSI Validation Team. Success metrics range from user satisfaction to user performance. In the case of the usability evaluation of the PPS and DCS displays, the goal is foremost to ensure that operators understand and can operate the HSI elements. This includes monitoring plant through use of the displays, navigating between different displays in the PPS and DCS, and controlling parts of the plant using these HSIs. The usability evaluation is ideally formative, meaning it is used not only to verify the usability of the designed system but also to help specify the design in an iterative fashion.

Operator testing can range from walkthroughs with nonfunctional mockups to scenario testing using fully functional prototypes. The level of HSI display fidelity and functionality is a product of the resources of the HSI Design Team and the degree to which the new functionality diverges from current plant operations. Note that early operator testing at this stage will typically focus on the PPS and DCS HSI alone and not in the overall context of the control room. As the design matures, testing of the new PPS and DCS displays occurs in incrementally more complete control room mockup facilities:

from CV (static workshopthe subject of this report), to PV (dynamic workshop), and ultimately, to ISV.

b. Expert Review is the process where human factors subject matter experts from the HFE Process Team review the HSI. This review may follow specific usability criteria called heuristics or provide an overall impression of how the HSI would be used and any deficiencies they might note. Expert review also includes an evaluation of the PPS and DCS HSI compliance with the HSI Style Guide [5] and HSI review guidelines in NUREG-0700 [10]. Expert reviews are especially useful early in the design phase.

As the HSI design converges, Task Support Verification activities will be performed on PPS and DCS HSIs using procedures that have been modified to reflect the upgrades. Functional changes, such as the implementation of new control features (including automation), will require procedure changes.

HSI and procedure issues identified during Task Support Verification are then dispositioned.

12

4. At the conclusion of PV, sufficient HFE-validated PPS and DCS design input is created to bound the scope of the PPS and DCS HSI Display Specifications. PPS and DCS HSIs used to accomplish CV and PV will have been fully vetted by the process described in Steps 1-3 above.

5. Once the HSI graphic displays have been created by executing Steps 1-4 above, CEG and Westinghouse leverage this output to finalize the HSI design. HSIs will be rendered by Westinghouse in the appropriate platform (PPS and DCS) design tools. Production graphics displays are developed using design tools created for this purpose following Westinghouse software quality assurance practices. Other necessary displays needed to fully complete the design will be specified and implemented by the HSI Design Team and reviewed by the HFE Process Team, leveraging the lessons learned from Steps 1-4 above. The associated design specifications, which include these all these HSI graphics display renderings, are finalized.

Steps 4 and 5 represent design finalization, which is shown in green in Figure 3.

Procedure changes identified through this process are also finalized by CEG.

6. The finalized HSI display design and updated procedures will be used to complete ISV and Design Verification as shown in grey in Figure 3.

3.1.2 Human-System Interface Design for Conceptual Verification 3.1.2.1 Development of Graphics Displays PPS and DCS HSI graphics displays were developed for CV by the HSI Design and Procedure Modification Team based on their knowledge and experience and by leveraging:

The Project Operating Experience Review, Reference 9. The main takeaways from the OER were that the operators work as a team as they interact with each other and the I&C, especially when they are assessing the operating state of the reactor and need to process lots of information from the I&C.

While automation is highly desired in both the performance of highly repetitive tasks and in the synthesis of raw plant process data into operational information to help the crew operate more effectively, the OER also identified that the operator needs to maintain situation awareness and optimal levels of workload.

The Functional Requirements Analysis and Function Allocation and TA results as captured in Reference 4. This included leveraging the prototype graphics developed for the TA workshop.

The HSI Style Guide [5]. While the HSI Style Guide as written is technically correct, but it was found to be practically unwieldy for the HSI design to easily apply during HSI design to enable CV. In order to facilitate its use by the Design Team, a document that identified key HSI Style Guide attributes was developed by HFE Process Team for timely display development that was consistent with the requirements of Reference 5. This is captured in Appendix A. When preparing HSIs for PV and particularly for ISV, a more detailed evaluation of the adherence to Reference 5 will be performed by the HFE Process Team.

Knowledge of the capabilities of the existing design (both the I&C equipment and associated HSIs) as well as the capabilities of the new PPS and DCS I&C platforms and their associated HSI graphics packages.

Stakeholder need surveys and interviews. These activities communicated the generic capabilities of the new PPS and DCS to operations and maintenance personnel and provided them with an opportunity to propose potential functionality for both platforms. These surveys and interviews directly contributed to many of the most impactful design changes and AOAs.

HSI graphics displays developed and used for CV are captured in Appendix B. The displays created for CV represent the necessary subset of displays necessary to demonstrate the ability of the upgrade to 13

support the performance of the manual actions evaluated as described in Section 4.3 and to promote the overall situational awareness of the systems impacted by the upgrade. Attributes of these displays as refined by CV and PV will be incorporated into the remainder of the displays developed for both PPS and DCS and evaluated during ISV and Design Verification.

3.1.2.2 Graphics Display Navigation and Operation Strategy.

The navigation and operation strategy for both the PPS and DCS are driven from the top down. The PPS and DCS top-level navigation screens used for CV are shown in Appendix B, Figure B-1, and Figure B-56, respectively.

The basic navigation strategy for both the PPS and DCS is:

1. There is a top-level navigation display.

2. Each display has a persistent navigation button provided at the bottom left to return to each systems top-level navigation display.

3. It takes no more than two actions (pointing device clicks on display icons or touchscreen interactions with the same display icons) to navigate to a system, function-specific, or diagnostic display.

4. Specific sub-navigation or cross navigation to from one display to other functionally related displays is selectively enabled in predicable task specific displays where streamlined navigation is predictable and desirable. Sub-navigation is provided where appropriate in the bottom right of a display. For instance, cross navigation is provided from area temperature monitoring trends to the mechanical systems being monitored to facilitate transition from diagnosis to action without the need (but not precluding) backing out to top-level navigation.

5. To operate a component (e.g., start or stop a pump or open or close a valve), the operator selects the component on the screen using either the pointing device or touchscreen. This will cause a pop-up control to appear. The operator then uses the pop-up control to operate the component. Only one pop-up control can be used at any one time on any particular display as presented on an individual VDU.

6. Similar to Item 2, directly above both the PPS displays and DCS displays (minus the DCS heads-up displays (HUDs) and the DCS annunciator displays), there is a navigation button in the bottom left that allows the operator to have direct access to the respective systems transient response display.

These displays (Figure B-4 for PPS and Figure B-62 for DCS) were created to provide direct access to operators to functions that are performed to address plant casualties. Functions related to maintaining the key reactor parameters (Reactor Pressure Vessel [RPV] pressure and water level),

combating an Anticipated Transient Without Scram (ATWS) event, and addressing primary containment issues are provided. Additionally, actions associated with overriding automatic protective features in accordance with Emergency Operating Procedures (T-###s) for both the PPS and DCS are also provided. Finally, for the DCS transient response display provides a means for accessing and actuating automated operator aids (AOAs) that have been designed into the PPS and DCS to simplify operator response to specific, tedious, and constraining manual operations as part of the upgrade.

To take actions directly from the PPS and DCS transient response displays requires the operator to first select the enable controls button using either the pointing device or touchscreen. Once enable controls has been selected, the remaining controls on the respective displays can be actuated with a single action using the pointing device or touchscreen.

Since several control actions are typically taken from these displays at the same time, this prevents the need to confirm each individual control action once the display controls are enabled. After taking the necessary actions, the operator selects enable controls again to disable the actuation buttons on the display. If the operator navigates away from a transient response display, controls on that display are automatically disabled. These features are also provided for other displays where similar 14

functionality is needed (e.g., the DCS Safety Relief Valve [SRV] AOA control display [Figure B-63]).

For the PPS, there are several unique display navigation and operation characteristics. The PPS consists of four separate divisions (1, 2, 3, and 4). The RO and PRO workstations each contain one PPS VDU for each division. Because of divisional separation of functions on PPS, the PPS displays on each division can only operate those SR components associated with that division. The architecture of the PPS using the Westinghouse Common Q platform does permit presenting information to the operator from all four divisions on each individual division PPS VDU.

As a result of this, while the operator can see the full set of PPS indications on each divisionalized VDU and can navigate to the same set of displays on each division, the available controls on each divisionalized display are unique to that division. Only the controls available in a particular division are presented.

The bottom of the PPS displays also provides additional navigation to PPS status menu (Figure B-2) and trend displays menu (Figure B-37). These provide navigation to detailed PPS status displays and to trend displays as operator aids.

The overall presentation for the PPS and DCS navigation click structure is shown in Appendix F.

This shows that in order to navigate from any one screen in either the PPS or DCS to any other screen on the same system requires no more than two actions (mouse click or touch input on a touchscreen).

The DCS also provides the operator with several HUDs:

HUD-1: Reactor Status and Common Critical Parameters/Trends, Figure B-72.

HUD-2: Emergency Core Cooling System Channel A&C Status, Figure B-73

HUD-3: Emergency Core Cooling System Channel B&D Status, Figure B-74

HUD-4: Containment Status, Figure B-75

HUD-5: Diverse Protection System, Figure B-59 HUDs 1-4 are designed to promote improved overall situational awareness to facilitate improved operator performance and oversight and to more quickly identify whether or not monitored systems are performing optimally. The HUD 1-4 displays are presented on the corresponding four large screen DCS VDUs from left to right, as shown in Figure 5. The HUD displays primarily focus on presenting integrated information on plant systems used to maintain reactor and containment parameters. The information continuously presented at the top of HUD 1-4 was selected to provide the operator with a more comprehensive view of overall plant status. This allows the operators to see this overall plant status continuously while using the more detailed PPS and DCS displays to perform specific control actions and plant parameter monitoring functions. HUDs 1-4 are laid out (to the extent possible) to mirror the three primary emergency operating procedure (EOP) layout in the MCR, with the present reactor control to the left, containment parameter control in the middle, and containment isolation to the right.

HUDs 2 and 3 also provide a continuously displayed indication of post-accident monitoring system (PAMS) parameters with A-side PPS channels displayed on HUD-2 and B-side PPS parameters on HUD-

3. The majority of this information is displayed on the top-level banner and is uniquely marked with yellow bordering for easy identification. By associating PPS Channel A PAMS (and Emergency Core Cooling System [ECCS]) information on HUD-2 (with its own VDU) and PPS Channel B PAMS (and ECCS) on HUD-3 (with its own VDU), a degree of protection is provided should one of either of those two VDUs fail. Additionally, PAMS instruments are retrievable in two formats on PPS displays, either in a full list or in a large format, with the latter designed to be viewable from the SRO supervisory location as a redundancy.

15

HUDs 1-4 and the associated Ovation large screen VDUs, along with the four divisionalized PPS VDUs, address licensing commitments made in the LGS Updated Final Safety Analysis Report (UFSAR)

[6] Section 7.5, Information Systems Important to Safety, that address Regulatory Guide 1.97 Revision 2, Instrumentation for Light-Water-Cooled Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident, [16]. Section 7.5.2.5.1.1.2.2 of Reference 6, Analysis for Type A Variables, identifies six Type A variables for the LGS plants. Five of these are impacted by the upgrade:

RPV Pressure

RPV Water Level

Suppression Pool Water Temperature

Suppression Pool Water Level

Drywell Pressure These Type A variables provide information on the basis of which operators can take specified manual control actions. Table 7.5-3 of Reference 6 identifies the specific Type A sensors and indication methods for these five variables.

These Type A variables are also identified as Category 1 per Regulatory Guide 1.97 [16]. Category 1 provides the most stringent requirements and is intended for key variables. Table 7.5-2 from Reference 6 summarizes the LGS design and qualification criteria for the Regulatory Guide 1.97 display instrumentation and systems that provide indication in the MCR. The relevant portion of that table is reproduced in Table 1.

Table 1. Design and Qualification Requirements for Type A, Category 1 PAMS Instrumentation.

For the five Type A Category 1 variables impacted by the upgrade, all of seismic, single failure, environmental, power supply, and out-of-service intervals for the existing design are met by the PPS, as summarized in Table 7.5-2 of Reference 6.

Table 7.5-2 in Reference 6 also specifies the display type and method for these five Type A, Category 1 variables. Each of these two attributes is addressed below:

16

Display Type: The requirement is for these five variables is that they be provided continuously or on demand.

- In the current design, these five variables are provided continuously using dedicated, SR I&C devices (e.g., direct reading indicators or recorders). The PPS design presents all of these variables on demand to MCR operators on any of the eight PPS VDUs provided in the MCR.

This is because each of the four divisional displays for PPS can present information to the MCR operators from all four channels of the PPS. The operator need only to navigate to the appropriate PPS HSI display. Additionally, large format PPS PAMS displays have been created (see Figure B-39 through Figure B-42), which together allow for the direct presentation of these values so they can be read at a distance in the MCR if shown on the PRO or RO workstations.

- This information is also passed to the DCS via a unidirectional gateway. This enables the DCS to present this information continuously on the HUD-2 (Figure B-73) and HUD-3 (Figure B-74) displays as discussed above as well as presented on demand on other appropriate DCS displays as configured.

Display Method: Note 4 in Table 1 from Reference 16 further states, Where direct and immediate trend or transient information is essential for operator information or action, recording is provided on dedicated recorders. Otherwise, it is available on demand.

- For the new design, the recorder function of capturing and storing information over time is accomplished digitally by the PPS. This data is also passed to the DCS where it is also recorded.

- This information can be presented as a graphical trend on both PPS and DCS displays. The current design provides trends for the following variables using SR recorders that are continuously viewable:

RPV Pressure RPV Water Level Drywell Pressure Trend information is also presented on the DCS on HUD-1 (Figure B-72) as follows:

Space is allocated in HUD-1 to trend three values simultaneously. The timeframe for trending for these three values is selectable to 10 minutes, 1 hour1.157407e-5 days 2.777778e-4 hours 1.653439e-6 weeks 3.805e-7 months , 6 hours6.944444e-5 days 0.00167 hours 9.920635e-6 weeks 2.283e-6 months , and 12 hours1.388889e-4 days 0.00333 hours 1.984127e-5 weeks 4.566e-6 months .

The top trend is reserved for RPV pressure.

The middle trend is operator selectable to present either:

Narrow Range RPV Level Wide Rage RPV Level Fuel Zone RPV Level The lower trend is operator selectable to present either:

Drywell or Suppression Pool Pressure (toggle)

Scram Discharge Volume Level Recirculation Seal Pressure Condenser Vacuum Thus, HUD-1 provides a means for the continuous display of the trends provided by the current design.

HUD-5 was created to address a beyond design basis Common-Cause Failure (CCF) of PPS. HUD-5 provides an aggregation of known good controls and indications used to perform a safe shutdown in the event of a loss of PPS coincident to an LGS UFSAR [6] Chapter 15 accident, as described in the Defense in Depth and Diversity (D3) analysis [7]. This approach eliminates the mental burden associated with trying to diagnose the degree of CCF or determining and memorizing what is usable on any particular display. The minimum compliment of indication and controls required for a D3 CCF is presented. The 17

five Type A Category 1 variables impacted by the modification are also presented on HUD-5 (Figure B-59). These are sourced in such a way that a CCF of the PPS will not impact these indications on HUD-5.

HUD-5 is normally not shown on one of the four large Diverse Protection System (DPS) VDUs, as shown in the current renditon of the post-modification layout presented in Figure 5. If, in the very unlikely and beyond design basis event of a CCF of the PPS, all PPS indications provided by HUDs-1 through 4 will be lost. HUD-1 is provided with a tile at the bottom left that calls up HUD-5. HUD-5 can also be accessed from any DCS Ovation VDU.

Finally, the DCS also provides for the digital representation of annunciator panel sections. Four of the DCS annunciator VDUs provided by upgrade are shown in Figure 5 below. A fifth is also being placed just outside the left side of Figure 5. The DCS annunciator displays presented on these VDUs reflect the modifications made to the annunciators as part of this upgrade. Some annunciators are eliminated, others are reorganized, and several new ones are added. The annunciator displays developed for CV are captured in Appendix B, Figure B-77-Figure B-81. These can also be accessed on other DCS VDUs using the annunciator navigation menu provided by Figure B-76.

3.2 Modification of Procedures In order to support the use of the new PPS and DCS HSIs and control features provided by the LGS SR I&C upgrade, impacted procedures also require revision. The LGS HSI Design and Procedure Modification Team has the responsibility to identify the procedures that need to be revised and to then make those revisions in accordance with the LGS procedures program. This generally follows a similar iterative process as that described in Section 3.1.1for HSIs.

For CV, draft procedure revisions were produced to enable the performance of the scenarios provided in Appendix D. During CV, issues associated with the draft procedures were identified and captured in the same configuration-controlled repository for HSI comments as described in Section 5.5 and recorded in Appendix E. Procedure items identified as potentially impacting the PV will be prioritized and dispositioned prior to PV.

Procedures used for PV will also be validated along with the HSIs. Any procedure issues identified during PV will be captured and dispositioned prior to ISV as described in Section 5.5.

Procedures impacted by the installation of PPS and DCS but not exercised by CV and PV will be revised in accordance with the LGS procedures program.

3.3 Refined Control Room Layout and Conceptual Verification TA workshop efforts in the Planning and Analysis Phase resulted in the notional layout shown in Figure 4.

18

Figure 4. Notional MCR layout incorporating TA key findings (from Reference 4).

After further collaboration with CEG, the MCR layout was further updated to reflect TA findings while accounting for constructability issues in the MCR. The latest MCR arrangement for the LGS SR I&C Upgrade Project is shown in Figure 5.

The arrangement in Figure 5 was developed by INL in collaboration with CEG. As with earlier INL-developed MCR arrangement versions, Figure 5 conforms to the HSI design interface guidelines provided by NUREG-0700 [10] as much as practicable based on the current LGS MCR layout. Considerations, such as reach, sight angles, and distance readability for the 5th percentile female (shown in Figure 5) and the 95th percentile male, were taken into account when placing new touchscreen VDUs and associated peripheral interfaces as well when relocating indications and controls that were moved to accommodate these new devices. Standardization of the relative location of PPS and DCS displays and physical interfaces for the RO and PRO workstations was supported as much as possible. These changes are outlined in Figure 5.

Figure 5. Current MCR layout used as input for CV.

19

3.4 Simulation Environment To best support the goals and to meet the review criteria for CV as captured in Section 5.1, researchers used control and display mockups in a hybrid simulator environment conjuction with qualified operators to derive time estimates to perform the manual operator actions evaluated as described in Section 4.3. Draft procedures developed as described in Section 3.2 to reflect PPS and DCS control system changes and use of the new PPS and DCS HSIs. While PPS and DCS displays created for CV were static, they were navigatable. They were also hosted on the same computer platform that will host the dynamic PV. This allowed for the Simulator Team member to run the plant model during the talkthrough and walkthrough. The Simulator Team member provided plant information that would be available on the HSIs and identified where it would appear (both alarms and indications). The Simulator Team member would also input control actions into the model when operators navigated to the proper PPS and DCS displays and simulated performing their control actions. This allowed for near real-time performance of scenarios developed to demonstrate that the time necessary to peform manual actions under study as identified in Section 4.3 could be properly accomplished.

For CV, the focus was primarly on those areas of the MCR that are most impacted by the upgrade.

This was done in conjuction with using the talkthrough and walkthrough technique. When operators needed to perform a function on legacy equipment that is not within the project scope and that was not represented in the facility used for CV, the operator would communicate that they needed to perform the function to the Simulator Team memberl The Simulator Team member would then put the necessary inputs into the model and report the action as complete in a time period approximating actual performance in the unit. This will also be done when necessary for PV, although the HSSL configuration for PV will reduce the need to do so.

Due to spatial limitations, the arrangement of areas of the MCR impacted by the upgrade was approximated. It was possible to provide the proper relative locations of the new VDUs and their associated peripherals with each other and with portions of the non-impacted MCR panels and consoles immediately adjacent to them in the actual MCR layout. The relative PPS and DCS locations in the room used for CV and the latest MCR control room arrangement are provided in Figure 6 20

1 2

5 3 5 4

Key:

1 - Upgraded Ovation DCS Annunciator Panels 2 - New Ovation DCS Group View Display VDUs (also referred to as HUDs) 3 - RO 5-Pack, including four divisionalized Common Q PPS VDUs and one Ovation DCS VDU 4 - PRO 5-Pack 5 - Existing benchboard indications and controls in close proximity to new HSIs Figure 6. Simulation environment for CV compared to the current MCR layout 3.5 Other Considerations In addition to NUREG-0711 [3] and NUREG-0800, Chapter, 18 [1] (particularly Attachment A), the HFE Process Team CV and PV reviewed IEEE Std 2411-2021, IEEE Guide for Human Factor Engineering for the Validation of System Designs and Integrated Systems Operations at Nuclear Facilities, Reference [15] when developing plans for CV and PV.

While some of the terminology contained in this report differs from that in Reference 15, the methodology contained herein is generally consistent with that presented in Reference 15. Of particular 21

note, Annex B of Reference 15 discusses the relationship between design testing and validation. CV, as captured in this report represents the transition between the design testing and validation testing of the HSIs and associated procedure modifications.

A degree of independence was established early in the project between the HSI Design and Procedure Modification Team, the HFE Process Team, the HSI and Procedure Validation Team, and the Simulator Team. This is described in Section 2. This actually occurred during the NUREG-0711 Planning and Analysis Phase. Initial prototype displays and procedures were developed by the HSI Design and Procedure Modification Team to support the TA workshop. Their use during the TA workshop informed the continued development and refinement of both sets of products that were then used for CV. The HSI and Procedure Validation Team provided feedback on these products based on their use during scenarios developed to exercise them. The HSI Process Team was independently charged with establishing and ensuring that an HFE Plan was developed and executed.

This iterative approach is consistent with Annex B of Reference 15. CV represents the end of design testing. HSIs and procedures used for CV represent the transition to the formal configuration control of these products for the project. Items identified in Appendix E will be formally dispositioned. Changes made to the HSIs or procedures as a result of the dispositioning of CV (and PV) will be described in the configuration-controlled version of Appendix E and affected on those impacted products. HSIs developed for and procedures modified by the project to accomplish CV following this process will be similarly configuration controlled. HSIs and procedures so modified to disposition items identified by both CV and PV will be provided to Westinghouse for coding following Westinghouse configuration control and quality processes.

To provide an additional degree of independence in the validation phase, members of the HSI and Procedure Validation Team used during the Planning and Analysis Phase through CV and PV will be replaced for ISV. This will provide a final, independent confirmation of the adequacy the HSIs and procedure changes prior to their installation and use at LGS.

4. CONCEPTUAL VERIFICATION WORKSHOP PERFORMANCE 4.1 Objectives As adapted from Reference 1, the objectives of the CV workshop were to demonstrate for CMA in the Licensing Basis impacted by the upgrade that:

The total observed time to perform the required manual actions is less than the specific time available captured in the Licensing Basis

That operators can implement the specific actions correctly within the established time to implement them as captured in the Licensing Basis.

4.2 Overview of the Method to Perform Conceptual Verification The CV and PV methodology builds off the results from the Functional Requirements Analysis &

Function Allocation workshop and TA workshops described in the HFE Combined Functional Requirements Analysis, Function Allocation, and Task Analysis Report [4]. This is shown in blue in Figure 7.

22

Figure 7. CV and PV HFE process.

Both CV and PV address the micro-level (i.e., detailed) TAs (as shown in beige in Figure 7) for Level 1 tasks (impacted tasks in the LGS UFSAR [6], D3 analysis [7], or Probabilistic Risk Assessment (PRA) [8] as identified in Section 4.3.2), but their focus differs. PV builds on the results of CV and serving as a confirmation of the validity of the time estimates derived in the CV analysis. CV, central to this results summary report, addressed the following:

Bounded the types and number of displays for PPS and Ovation necessary for operators to perform the manual actions identified in Section 4.3.2 and impacted tasks.

Identified necessary procedure changes to enable the use of these displays when performing the manual actions identified in Section 4.3.2 and impacted tasks.

Identified the existing overall time available from LGS documentation to complete each manual operator actions identified in Section 4.3.2. Note that some manual actions identified in Section 4.3.2 do not have an established time available.

Established the existing specific time to implement each manual operator actions identified in Section 4.3.2. Time to implement represents the time necessary for operators to perform the specific manual action once it is determined by operators that the action needs to be performed.

Developed scenarios and associated SEGs to permit a demonstration of the operators ability to perform the manual actions in Section 4.3.2. These SEGs leveraged the Operating Experience Review

[9] and the scenarios used for the Functional Requirements Analysis and Allocation and TAs [4].

Documented the sequence of operator actions required to navigate the PPS and Ovation systems and to perform the manual operation actions identified in Section 4.3.2. This included documenting the alarms, controls, displays, and equipment that would be available and functional during the subject event(s) necessary to accomplish the Level 1 task. Temporal OSDs were used to visualize these sequences.

Executed the scenarios in a partial scope simulator to demonstrate the performance of the manual operator actions identified in Section 4.3.2. The overall time to perform the manual operator actions and the specific time to implement those actions once it was determined to be necessary were both captured.

- For impacted operator actions in these scenarios as captured in Section 4.3.2, several data sources were collected to minimize bias. The HFE Process Team used the OSDs to track operator actions 23

and record times when they were accomplished. Members of the simulator executed the scenarios using the SEGs and established whether all necessary operator actions were completed to minimize bias. Scenario performance and post-scenario debriefs with the HSI and Procedure Validation Team were also recorded.

- A talkthrough and walkthrough protocol was used where operators were instructed to think aloud to permit the collection of verbal feedback of the tasks being performed by members of the HFE Process Team. This captured important cognitive elements important to the diagnosis and selection of an appropriate response.

Evaluated impacts to estimated times to perform and times to implement the credited operator actions, sequences of action, workload, situation awareness, and generalized usability of the PPS and Ovation.

The result of these evaluations for each manual action under study from Section 4.3.2 also considered performance shaping factors that affect the time to perform and time to implement (e.g., workload) and the potential for operator error (e.g., usability issues and human error traps). Communications, travel time, and work environment were considered using the scenarios.

Captured specific comments related to the HSIs and procedures used as inputs for CV. These will be dispositioned by the HSI Design and Procedure Modification Team.

4.3 Manual Actions Evaluated by Conceptual Verification 4.3.1 Task Analysis Workshop Scope as it Relates to Conceptual Verification For the TA workshop performed during the Planning and Analysis Phase of the HFE Program Review Model shown in Figure 1 from NUREG-0711 [3], the HSI Design and Procedure Modification Team reviewed operator actions as impacted by the LGS UFSAR [6], D3 analysis [7], and PRA [8]. It also included tasks that were screened and prioritized based on task difficulty, importance, and frequency scores as provided by LGS and captured in Appendix C of Reference 4.

This initial review of the three referenced documents generally identified impacted human actions.

Table 2 summarizes the UFSAR and D3 tasks significantly impacted by the modification as identified by the TA effort. All but the first and last two columns of Table 2 are directly reproduced from Reference 4.

24

Table 2. UFSAR tasks and D3 tasks significantly impacted by the modification as identified for the TA workshop [4].

TA Task Training DIF UFSAR Credited Referenced CV/PV LGS subject matter expert notes on Item Task # Actions in Chapter in D3? Scenario(s) tasks identified for the TA workshop

(info only) 15 as they relate to the CV workshop TA1 Place Residual Heat Removal (RHR) In 2031010101 11.70 15.1.6 Yes 8 Operations of RHR in various modes Shutdown Cooling Operation, Monitor & INADVERTENT demonstrated in other scenarios during Secure RHR SHUTDOWN the TA. This is not a credited manual COOLING action in the LGS Licensing Basis. It is OPERATION identified as a necessary capability identified in the D3 analysis [7]. This task is covered more completely in the CV/PV scenario listed at left.

TA2 (E-1) Actions For A Loss Of All AC Power 2000440501 14.58 15.2.6 LOSS OF AC No 5 This task overlaps with the credited W/O DG Start (Station Blackout) POWER manual action CV4 in Table 3. This task is covered more completely in the CV/PV scenario listed at left.

TA3 (T-111) Take Action for Alternate RPV 2001210502 13.62 15.6.6 FEEDWATER No 2, 5, 7, 9 Level Control/Level Restoration [A-12 Loss LINE BREAK of feedwater (normal and emergency)] [B- OUTSIDE PRIMARY 03 Loss of normal feedwater or normal CONTAINMENT feedwater system failure]

TA4 (T-117) Take Action for RPV Level / Power 2001220501 13.20 15.8 ANTICIPATED No 6 Control TRANSIENTS WITHOUT SCRAM TA5 Place RHR In Suppression Pool And 2033010401 12.14 Yes 2, 3, 4, 6, Design basis accident (DBA) loss of Drywell Spray Operation, Monitor and 7, 9 coolant accident (LOCA) and other Secure UFSAR accidents take credit for suppression pool sprays.

TA6 Manually Operate & Monitor Safety Relief 2390050401 11.20 Yes 1, 2, 4, 5, This task overlaps with CV2.

Valves 6, 7 TA7 Place RHR System In Suppression Pool 2032010101 7.31 Yes 1, 2, 4, 6, 7 UFSAR mentions this mode for Cooling Operation, Monitor and Secure inadvertent SRV opening which is where our Time-Critical Action (TCA) comes from.

This task overlaps with CV1.

25

Preparation for and execution of the TAs as documented in Reference [4] was occurring in parallel with License Amendment Request (LAR) presubmittal meetings being held between CEG and NRC staff.

One of the issues that presented itself during the presubmittal meetings was how to properly address the HFE aspects of the LGS SR I&C upgrade within the timeframe of the Alternate Review (AR) Process as presented in the Licensing Process Digital I&C Interim Staff Guidance (DI&C-ISG-06). Through those discussions, the scope and method to address HFE within the bounds of the AR process were more clearly bounded. The result of this was CEG choosing to leverage the guidance provided by Attachment A, Guidance for Evaluating Credited Manual Operator Actions of Revision 3 of Chapter 18, Human Factors Engineering, from NUREG-0800, Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition [1] to guide the preparations for and execution of CV and PV.

Choosing to leverage Attachment A of Reference 1 brought HFE efforts into clearer focus. It established the process of performing CV and PV in support of the LAR for this upgrade. It also more clearly bounded the CV and PV scope to focus on HSI changes that impact manual actions impacted by the upgrade that are credited in the LGS Licensing Basis.

Identification of the tasks in Table 2 allowed for the development of meaningful scenarios for the TA workshop. This, in turn, helped bound the development of prototype HSI displays for the TA workshop so that it could be executed in the Planning and Analysis Phase of NUREG-0711. Qualified operators were able to provide substantive feedback on those PPS and DCS displays during the TA workshop accomplish project objectives. This provided a basis for initiating the HSI design.

The actions, tasks, scenarios, and associated SEGs developed for the TA workshop provide a significant degree of overlap between the scope of the TA workshop as captured in Table 2 and the scope of CV and PV as captured in Table 3 and Table 4, as presented in Section 4.3.2. As can be seen in Table 2, the operator actions to perform TA1-TA7 can be mapped to one or more scenarios performed for CV and planned to be performed for PV. This shows a degree of enveloping coverage of tasks for CV that included both those identified for the TA workshop and the more refined list manual actions develop as described in Section 4.3.2. SEGs developed for the TA workshop were also highly leveraged to create those used for CV and PV.

The TA workshop enabled not only the HSI design but provided the strategic direction of the HFE process oriented toward CV and PV.

4.3.2 Bounding of Conceptual Verification and Preliminary Validation Efforts The process to perform CV and PV generally leverages the process outlined in Attachment A, Guideline for Evaluating Credited Manual Operator Actions of Reference [1]. CV leverages the discussion in Section 1, Analysis, in Attachment A of Reference 1, while PV will leverage Section 2, Preliminary Validation. As a result of this decision, a more focused evaluation LGS documentation by the HSI Design and Procedure Modification Team was made to identify manual actions of interest for CV and PV. The results of this effort are captured in the subsections below. The actions identified in the subsections below supplant those identified in Table 2 and were used for CV. These will also be used for PV.

4.3.2.1 Credited Manual Actions in the LGS Licensing Basis Through the review of LGS licensing documents impacted by the scope of the SR I&C Upgrade Project at LGS by the HSI Design and Procedure Modification Team (as assisted by LGS Licensing),

manual operations actions credited in the LGS Licensing Basis (credited manual actions [CMAs]) were identified and are listed in Table 3.

26

Table 3. Manual operator actions credited in the LGS Licensing Basis impacted by the modification.

Action Credited Manual Licensing Source Addressed Time Time to TA

Operator Action by CV/PV Available Perform Workshop Scenario Acceptance Existing Item from Number(s) Criteria Design Table 2 CV1 Place both loops OP-LG-102-106, Operator 1 [ ](C) [ ](C) TA7 Suppression Pool Response Time Program at Cooling in service LGS, TCA #64 following an UFSAR Chapter 15.1.4.2.1 inadvertent SRV opening to maintain suppression pool temperatures below TS limits CV2 Open S, H, M, E, OP-LG-102-106, Operator 2 [ ](C) [ ](C) TA6 K SRVs using Response Time Program at Division 3 power LGS, TCA #16 from Auxiliary NE-294, Specification for Equipment Room Post-Fire Safe Shutdown (AER) (note new Program Requirements for task will be from LGS, Rev 5 MCR using Division 3 PPS or Ovation display)

CV3 Inject Standby UFSAR Chapter 15.6.5 3 [ ](C) (2) [ ](C) (2) TA4(1)

Liquid Control RAI Response for Limerick (SLC) following AST implementation-T04602 DBA LOCA for pH control CV4 Station blackout OP-LG-102-106, Operator 5 [ ](C) [ ](C) TA2 action - if HPCI Response Time Program at auto started then LGS, TCA #62 secure HPCI UFSAR Chapter 15.12 within 10 minutes of SBO event (1) SLC injection was initiated during several scenarios during the TA workshop even though it was not the primary focus of those scenarios. Furthermore, per OP-AA-102-106, Operator Response Time Program, CV3 it is not a time-critical CMA. This is because time-critical CMAs are defined to have a time available less than or equal to [ ](C). It is included in Table 3 because it is required action for a design basis accident (DBA) loss of coolant accident (LOCA).

(2) The procedure directs this action not be performed until [ ](C) after and before [ ](C) hours after the initiating event.

Actual time to implement within this 10 hour1.157407e-4 days 0.00278 hours 1.653439e-5 weeks 3.805e-6 months time window will be short ([ ](C)minutes).

The source documents that the HSI Design and Procedure Modification Team reviewed to identify these impacted CMA include:

27

The LGS UFSAR [6], Chapter 15. The specific sections of the UFSAR from which individual items (CV1, CV3, and CV4) in Table 3 were identified are captured in the licensing source column of the table.

NE-294, Revision 5, Specification for Post-Fire Safe Shutdown Program Requirements for LGS, Rev 5 [Reference 11] from which CV2 in Table 3 was identified as captured in the licensing source column of the table.

Supporting documentation used to identify the time available and the time to perform for the existing plant prior to the modification for the credited manual tasks as listed in Table 3 include:

OP-LG-102-106, Operator Response Time Program at Limerick Generating Station [Reference 12].

Time-Critical Actions (TCAs) are those actions in the UFSAR LGS Licensing Basis that require CMA in specified time periods for specific casualties. Reference 12 provided this information for Items CV1, CV2, and CV 4 in Table 3. OSDs were created and evaluated for these for CV.

RAI Response for Limerick AST implementationT04602 [Reference 13]. This document established the Licensing Basis for CV3 during a DBA LOCA.

4.3.2.2 Additional Manual Operator Actions Being Evaluated In an effort to provide a more comprehensive coverage of impacts of the LGS SR I&C Upgrade Project on manual operator actions beyond the LGS Licensing Basis, the LGS HSI Design and Procedure Modification Team expanded the review of Reference 12 to impacted items identified in that document as Time Sensitive Actions (TCAs). As a result, CV5, CV6, and CV7 in Table 4 below were identified.

Table 4. Additional manual operator actions impacted the modification that were evaluated.

Action Additional Source Addressed Time Time to TA

Manual Operator by CV/PV Available Perform Workshop Actions Identified Scenario Acceptance Existing Item from for Evaluation Number(s) Criteria Design Table 2 CV5 Inhibit ADS (non- OP-LG-102-106, Operator 2, 4, 7 [ ](C) [ ](C) TA3 ATWS) Response Time Program at LGS, Time Sensitive Action (TSA) #7 PRA - AHU600DXI CV6 Initiate Emergency OP-LG-102-106, Operator 2, 9 [ ](C) [ ](C) TA3/6 Depressurization if Response Time Program at RPV level cannot LGS, TSA #9 be restored and PRA - AHUWS1DXI maintained above -

186" CV7 Inhibit ADS OP-LG-102-106, Operator 6 [ ](C) [ ](C) TA4 (ATWS) Response Time Program at LGS, TSA #13 PRA - AHUINXDXI The values for time available and time to perform in Table 4 are taken from Reference 12. These manual actions are identified in Reference 12 as being sourced from the LGS PRA [8]. If these actions are not performed by operators within the time available and time to perform listed in Table 4, this can negatively impact margins captured in the PRA. CV5, CV6, and CV7 from Table 4 are not part of the 28

LGS Licensing Basis and are not being added to the LGS Licensing Basis by this analysis. OSDs were also created and evaluated for these for CV to provide a more comprehensive evaluation of human actions beyond those in the Licensing Basis as captured in Table 3.

In addition to the items identified in Table 4, the HSI Design and Procedure Modification Team identified two additional operator interactions with the HSIs that would be prudent to evaluate. These address operator interactions for plant conditions outside of 100% power and address new failure modes assumed for the new system. Each is discussed in more detail below.

Operation of the Residual Heat Removal (RHR) system in the shutdown cooling mode was also identified as an additional manual action of interest as being impacted by the modification. This manual action is one of the few control functions impacted by the modification needed during shutdown operations. This action enables the removal of decay heat. A separate scenario with an associated SEG #8 were created to demonstrate that operators could effectively operate the RHR system in the shutdown cooling mode. There is no specific time available requirement to operate the RHR system in the shutdown cooling mode. Consequently, there was no OSD developed for this scenario. This scenario demonstrates that operators could operate the RHR system in the shutdown cooling mode with the new I&C systems and HSIs. This also ensured that TA1 from Table 2 was also addressed under CV to provide full coverage of tasks examined during the TA workshop occurred under CV. Examination of the task to operate the RHR system in the shutdown cooling mode is not being added to the LGS Licensing Basis as part of this modification. This also provides coverage of TA8 from Table 2. The performance of this scenario as part of CV and PV does not modify the LGS Licensing Basis as part of this modification.

A separate scenario and associated SEG #9 were created to demonstrate that operators could effectively cope with a significant representative DBA (a steamline rupture inside the drywell) with a simultaneous PPS failure that disables all Reactor Protection System (RPS), Nuclear Steam Supply Shutoff System (NSSSS), and ECCS functions. This PPS failure results from a common mode failure of the Common Q platform due to an unknown cause. There is no time available requirement to recover from the beyond design basis event of a complete loss of the Common Q platform. This scenario is to show that operators can use the DPS segment of the non-safety DCS in a timely manner to perform the necessary action (CV6) to address a significant DBA and establish a safe shutdown condition. A complete loss of the Common Q platform is a beyond design basis event that is not being added to the LGS Licensing Basis as part of this modification.

4.4 Inputs to Conceptual Verification 4.4.1 Scenario Identification and Simulator Exercise Guide Development A total of nine scenarios and associated SEGs were developed for performance during CV. SEGs developed for CV will also be used for PV. These SEGs were refined from the TA workshop and adapted to envelope CMA in the LGS Licensing Basis (Table 3), additional manual operator actions being evaluated (Table 4), and additional operator interactions with the HSIs needed for operations outside of 100% power and to address new failure modes assumed for the new system. The SEGs used for TA and adapted and expanded for use for CV and PV leverage the format and content existing SEGs used for operator training and qualification at LGS.

SEGs were not written simply to evaluate the specific manual action under evaluation in isolation.

Such a formulation would be contrived and not necessarily representative of how operators are trained and evaluated. Efforts were made to make the scenarios described in the SEGs more challenging. This was done to better represent situations that operators are presented with during training and evaluation simulator drills where multiple, unlikely, and potentially challenging failures occur. The intent of this effort was to evaluate the operators ability to perform the manual actions under study in circumstances with increased scenario complexity to frame the specific manual action under evaluation in that context. It is not intended that these more challenging scenarios alter the Licensing Basis for LGS in any way.

29

Specific SEGs used for CV, and which will be used for PV are captured in Appendix C.

4.4.2 Operational Sequence Diagrams For each manual action identified in Section 4.3.2 (with the excepetion of RHR operation in the shutdown cooling mode, as explained in Section 4.3.2.2), an associated OSD was developed.

The purpose of the OSDs are to investigate and illustrate the sequence of operator actions necessary in accomplishing each of these manual actions. The OSDs specifically capture the sequence of actions in terms of diagnosis and implementation with the use of available and functional alarms, controls, displays, and equipment. OSDs for each manual action identified in Section 4.3.2 were developed and are provided in Appendix D. These were generalized after CV to better reflect that operators have more than one path to successfully perform the manual action under review. The paths chosen by operators during CV fall within the generalized OSDs in Appendix D.

The OSDs created for the manual actions described in Section 4.3.2 for CV (and PV) establish the expected operator actions based upon existing plant procedures to perform these actions as modified by the HSI Design Team to reflect operate plant operation with the upgraded PPS and DCS I&C design and associated HSI design. Each OSD is documented at the level of detail necessary to identify the critical items needed to accomplish the manual action under study. As explained in Section 4.4.1, the manual actions under study are included in more complex scenarios to require action in a situation where workload is increased.

The OSDs identify the details with regard to the diagnosis of the problem (including detection and acknowledgement of alarms) as well as communication between operators. Travel times to areas of the control room not reproduced in facilities used to perform CV (and PV) are accounted for by the Simulator Team by using the simulator model to delay feedback for actions that would be performed by operators (the HSI and Procedure Validation Team) in those locations. Procedures to be used in each scenario were identified in the SEGs and in the OSDs.

The OSDs for each scenario are captured in Appendix D.

Observing scenario execution and recording times using the OSDs enable the HFE Process Team to verify that manual actions under study were properly performed. This enabled timeline analyses (Section 4.4.3) to ensure that those manual actions meet the necessary acceptance criteria (Section 4.4.4).

4.4.3 Timeline Analysis Method This analysis followed the Guidelines for Using Timelines to Demonstrate Sufficient Time to Perform the Actions, provided in Appendix A of NUREG-1852, Demonstrating the Feasibility and Reliability of Operator Manual Actions in Response to Fire [Reference 14].

Figure 8. NUREG-1852 timeline guidance for evaluating manual operator actions.

30

NUREG-1852, Section 3.2.2, Analysis Showing Adequate Time Available to Ensure Reliability provides the following generic criterion to address the reliability of operator manual actions:

For a feasible action to be performed reliably, it should be shown that there is adequate time available to account for uncertainties not only in estimates of the time available, but also in estimates of how long it takes to diagnose and execute the operator manual actions It should be shown that there is extra time available to account for such uncertainties. This extra time is a surrogate for directly accounting for sources of uncertainty in estimating the time available for the action and the time required.

For the CV (and PV) analysis:

Time Available

- Time Available to perform manual actions is defined in Figure 8.

Time Available = TAvailable = Tdiagnosis + TImplementation + TMargin For CMA:

TAvailable for CMA impacted by the upgrade in the Licensing Basis are identified in Table 3 along with the source for that commitment.

Additional Manual Actions Demonstrating Being Evaluated:

TAvailable for these manual actions impacted by the upgrade are identified in Table 4.

Evaluation of these actions is being demonstrated by LGS as good engineering practice and does not establish any additional licensing commitments.

Time Required

- The term time required as defined in NUREG -1852 as provided above is less than TAvailable. For a manual action to be successfully accomplished, it must be shown that the action can be completed prior to TAvailable.

- The term time required as defined in the references provided in Table 3 and Table 4 identifies the time to implement (TImplementation) for the existing design in NUREG-1852 as shown in Figure 8.

- For CV and PV:

The term time required (TRequired) is not used in the balance of this report. This is done to eliminate confusion between the two definitions provided directly above.

The term time to perform (TPerform) equals TDiagnosis + TImplementation. TPerform is what is compared to TAvailable in Section 4.3.2 to assess the overall successful performance of a credited manual action using the acceptance criteria provided in Section 4.4.4.

The term time to implement (TImplementation) is used to measure the specific time to perform the specific manual actions identified in Section 4.3.2 once it is determined by operators that those actions must be performed. Acceptance criteria for observed time to implement are provided in Section 4.4.4.

Taking into account the discussion above, there are two types of manual actions under study by CV and PV:

Type 1 Events: Events that present the operator with a direct indication (e.g., an inadvertent opening of a SRV, loss of off-site power)

- There is very little or no early/undetected period for these (before T0)

- Diagnosis Time = TDiagnosis= (T1 - T0 in Figure 8) is expected to be very short, on the order of a few seconds (Type 1 events are self-revealing with regard to cause and severity).

- Implementation Time = TImplementation = (T2 - T1 in Figure 8) is of primary interest for evaluation.

31

For this type of event, implementation is explicit and linear. A specific procedure (or set of procedures) are identified to combat such events (with a short TAvailable).

Tmargin is recognized to be short for Type 1 events in existing design as shown in Table 3.

- For Type 1 events, TPerform = TDiagnosis + TImplementation.

Type 2 Events: Where event identification reveals itself over time.

- An event occurs prior to T0: (e.g., a drywell leak of unknown size). There may be an early undetected period before T0 is reached. This time is variable based on the nature of the event.

- At T0, the event is detected by operators: indications are variable based upon the size of the leak.

While operators know an event is in progress at T0, operators likely do not know exactly what the event is or its severity.

Operators start taking generic actions at T0 to combat the event based on indications as they present themselves to the operators: to identify the leak location, to isolate the leak (if possible), and to make up RPV volume lost through the leak. Plant response to those actions ultimately reveal whether the leak is isolable and its size. This is the time to diagnose the event. Note:

These generic actions are variable based on the trends of all indications presented to and analyzed by operators. Operators may choose one procedure over an another or work procedures in parallel based on the interpretation of indications.

The time to perform these generic actions is therefore also variable depending upon how the operators chose to address the event in accordance with procedure. As stated in Attachment A to Chapter 18 of NUREG-0800, The estimated Time Available for operators to complete the credited action is sufficient to allow successful use of all applicable procedure(s).

These generic actions identify the specific nature of the casualty. At this point, T1 is reached. TDiagnosis is established (T1 - T0). This time is by its nature variable.

- Once T1 is reached, TImplementation can be discretely measured.

- For Type 2 events, TPerform = TDiagnosis + TImplementation.

Timelines, such as the one shown in Figure 8, are constructed for each identified manual action in Section 4.3.2. These timelines are informed by the OSDs and developed for each manual action under study. For CV, these timelines capture estimated time to perform and time to implement values as observed by performing walkthroughs and talkthrough with the HSI and Procedure Validation Team using navigable, static PPS and DCS displays as aided by the Simulator Team member operating the same simulator model used to drive the ANSI 3.5 training simulator used at LGS. For PV, these times will be more closely measured using a dynamic simulation where the HSI indications and controls are made active. For both CV and PV, TPerform is compared to TAvailable as shown in Table 3 and Table 4 to determine if the manual action under study can be completed to meet the acceptance criteria identified in Section 4.4.4.

4.4.4 Acceptance Criteria for Conceptual Verification and Preliminary Validation The acceptance criteria for CV and PV for either type of event with a defined TAvailable are below:

IF: MCR operators demonstrate:

- That TPerform = TDiagnosis + TImplementation as estimated in CV and shown in PV Does not exceed TAvailable for Type 1 events (Criterion A)

Does not exceed 50% of TAvailable for Type 2 events as estimated in CV and shown in PV (Criterion B) 32

This establishes a 50% TMargin for Type 2 events for this upgrade. This criterion is being applied by CEG as a good engineering practice to address potential TDiagnosis uncertainties consistent with the discussion in NUREG-1852 [14], Section B 2.2.4. Application of this criteria is applicable to this upgrade only.

- TImplementation for the new design does not exceed the TImplementation for the existing design (conservatively self-imposed by CEG) (Criterion C)

- TDiagnossis is not degraded based upon the expert judgment the HSI and Procedure Validation Team. (Note: it is expected that over time, TDiagnosis will improve through training and operator familiarization). (Criterion D)

THEN: the HSIs and procedures used in the scenarios for the event under study are satisfactory.

If any criteria from #1 directly above is exceeded, this must either be specifically justified as being acceptable or the HSIs. Or the HSIs and procedures revised as necessary to address the issue. Revised HSIs and procedures must then be regression tested prior to or during ISV.

Timelines generated for each manual action under evaluation for CV as identified in Section 4.3.2 are captured in Appendix D along with the associated OSD for each scenario where a manual action performance was observed. A template for these timelines is provided in Figure 9.

Figure 9. NRC timeline template used for evaluating manual operator actions.

4.5 Protocol to Ensure Readiness for Conceptual Verification The subsections below outline the protocol developed by the HFE Process Team to guide the execution of CV. The PV Protocol will be similar.

4.5.1 Review and Confirm Impacted Manual Operator Actions to be Evaluated

HFE Process Team: Verify with the HSI Design and Procedure Modification Team that the manual actions in Section 4.3.2 are the complete list of manual operator actions to be evaluated by CV and PV. (Completed.) Recovery from a loss of shutdown cooling was also identified as a representative additional manual action of interest impacted by the modification. This happened after the TA workshop and before CV preparations were completed. This manual action is one of the few control functions impacted by the modification that is needed during shutdown operations. This action enables the removal of decay heat. This manual operator action (but not a Licensing Basis credited manual control action) is provided by the modification and must be available when shutdown.

33

HFE Process Team: Verify with the HSI Design and Procedure Modification Team that the operator actions identified from the PRA as identified in the TA workshop are similar enough to the actions in the scenarios that they still do not require being included in the scenarios. (Completed)

If new actions are identified, perform the following:

HSI Design and Procedure Modification Team: Identify the source of any new credited or new additional manual operator actions for evaluation for CV and PV whether they be from the D3, UFSAR, PRA, or other. (Completed. The source for operation of RHR in the shutdown cooling mode is identified in Section 4.3.2.2 as an additional manual operator action.)

4.5.2 Review and Confirm Scenarios

HFE Process Team: Verify with the HSI Design and Procedure Modification Team that the scenarios identified in previous HFE activities reflects a complete and representative set of use cases to evaluate the impacted operator actions as identified in Section 4.3.2. (Completed. A scenario was added to address shutdown cooling as discussed above.)

If new actions are identified, perform the following:

HFE Process Team: Verify with the HSI Design and Procedure Modification Team that any new scenarios contain a SEG and the SEG is provided to INL prior to the workshop. (Completed. A new SEG was added for for operation of RHR in the shutdown cooling mode.)

HFE Process Team: Verify with the HSI Design and Procedure Modification Team that the scenarios identified in previous HFE activities reflect a complete and representative set of use cases to evaluate the impacted operator actions. (Completed. Scenarios performed in the TA workshop are enveloped by those performed by CV as shown in the CV and PV Scenario(s) column of Table 2.)

4.5.3 Confirm Completeness of Type and Number of Plant Protection System and Ovation Displays

HFE Process Team: Verify with the HSI Design and Procedure Modification Team that the PPS and Ovation displays required to perform the scenarios in the CV workshop have been rendered by CORYS. (Completed.)

HFE Process Team: Verify with CORYS that the PPS and Ovation displays rendered for CV followed Common Q and Ovation design conventions and apply the HFE guidance described in Appendix A: Key HSI Style Guide Attributes for Conceptual Verification HSI Development. (This step was completed, and issues identified [as captured in Section 5.4]. No deficiencies were of a nature that would substantively impact PV. The identified deficiencies were communicated to CORYS. Several deficiencies were corrected prior to CV. Others remain to be dispositioned.)

HFE Process Team: Verify with CORYS and LGS that the completed PPS and Ovation displays are provided to INL prior to the workshop and that these displays enable clickable navigation.

(Completed. Issues with navigation were found during the dry run before CV and were corrected prior to CV.)

If new actions are identified, perform the following:

HFE Process Team: Verify with the HSI Design and Procedure Modification Team that any new displays are identified, designed, and rendered prior to the CV workshop; apply Bullets 1-3 in Section 4.5.3. (Completed. All necessary PPS and DCS static and navigable displays were available for CV.)

34

4.5.4 Confirm Completeness of Procedure Changes

HFE Process Team: Verify with the HSI Design and Procedure Modification Team that the impacted procedures are completed and ready for the CV workshop. (Completed.)

If new actions are identified, perform the following:

HFE Process Team: Verify with the HSI Design and Procedure Modification Team that any new procedures are identified, revised, and sent to INL prior to the workshop. (Completed.)

4.5.5 Establish Time Available for Manual Actions identified in Section 4.3.2 as Applicable

HFE Process Team: Establish the time available for each impacted manual operator action by interviewing the HSI and Design and Procedure Modification Team. (Completed. This is completed as shown in Table 3 and Table 4.)

If new actions are identified, perform the following:

HSI and Design and Procedure Modification Team: Update Table 3 and Table 4. (N/A) 4.5.6 Identify and Document the Task Sequences for Manual Actions Identified in Section 4.3.2

HFE Process Team: Develop OSDs by using the input provided by the HSI Design and Procedure Modernization Team. This includes describing key subtasks performed in terms of detection, diagnosis, and implementation. This was provided through structured written requests and interviewing members of the HSI Design and Procedure Modification Team (Completed.).

HFE Process Team: Verify the completeness and accuracy of the OSDs by the HSI Design and Procedure Modification Team (Completed.).

4.5.7 Perform Dry Run

The HSI Design and Procedure Modification and HFE Process Teams: Perform a dry run by December 4, 2022. (Completed.)

- Logistics INL Simulator Team: Verify all hardware, software, and materials (e.g., presentations, procedures, forms, and agendas) are ready for workshop execution (Complete).

INL HFE Process Team: Verify all attendees are processed in the INL Badging System (Completed).

INL: Verify refreshments and lunches are prepared (Completed).

- HFE Process and HSI Design and Procedure Modification Teams: Walkthrough steps to be performed at the CV workshop. (Completed. Navigation issues when using static PPS and DCS displays was discovered and rectified. With this being the first opportunity to view the PPS and DCS displays across multiple VDUs and in context with each other and existing plant indications, the HFE Design and Procedure Modification Team began to note issues with the displays (consistency issues, gaps, errors, etc.). None were identified that would negatively impact CV in a meaningful way. Issues identified during the dry run were briefed to the HSI and Procedure Validation Team on their arrival. The HSI issue list was added to and electronically captured throughout CV as described in Section 5.5.)

- HFE Process Team: Prepare data collection tools, including data recording, and general notes.

(Completed.)

35

5. CONCEPTUAL VERIFICATION EXECUTION AND RESULTS 5.1 Execution of Scenarios CV was performed through execution of the Appendix C SEGs using the simulation facility provided by INL. Scenario execution was directed by a member of the Simulator Team through using a talkthrough and walkthrough process with the HSI and Procedure Validation Team that was augmented by the use of Limerick ANSI 3.5 simulator models. Initial conditions were set for each scenario. Operators (SRO, RO, and PRO) making up the HSI and Procedure Validation Team were then put in role to commence scenario execution.

Each particular scenario was then performed. For each scenario, the HSI and Procedure Validation Team navigated through and used preliminary HSIs, as captured in Appendix B: Human-System Interface Displays Developed for Conceptual Verification, along with draft procedures to demonstrate their ability to address the conditions presented to them in each of the SEGs. While the PPC and DCS displays used during CV were static, necessary plant information was provided by the Simulator Team member to the HSI and Procedure Validation Team (operators) in near real time. This was possible because the Simulator Team member was dynamically:

Providing plant data to the operators from the simulator model

Inputting the necessary control actions being performed by the operators based on their navigation and simulated use of the PPS and DCS static displays (along with the portions of the MCR HSI interface not impacted by the modification but made available to facilitate more comprehensive MCR interface).

While each scenario was being performed, the Simulator Team member was following the associated SEG and determining whether the necessary actions to address the problem presented to the HSI and Procedure Validation Team were being satisfactorily performed. Independently of this, the HFE Process Team was following scenario execution using the OSDs captured in Appendix D: Scenario Operational Sequence Diagrams and Results for Conceptual Verification and Preliminary Validation Manual Actions.

Using the OSDs and estimated timing results, the HFE Process Team created the simplified HSI and Procedure Validation Team Performance timelines captured for each scenario in Appendix D.

5.2 General Results Against Review Criteria Reference 1, Attachment A, Phase 1 (Analysis), Section 1.B. (Review Criteria) was leveraged by the HFE Process Team to establish the review criteria of the CV workshop. Selected review criteria and how each were generally addressed are discussed in this section.

For CMA in the LGS Licensing Basis as captured in Table 3 in Section 4.3.2.1 and for the additional manual operator actions being evaluated as captured in Table 4 in Section 4.3.2.2:

1. An analysis establishes the time available. The basis for the time available is documented.

Previous plant analysis as captured in Table 3 and Table 4 established the time available and time to implement.

2. The analysis of the time to perform and time to implement is based on a documented sequence of operator actions. The basis of the documented sequence of operator actions can be TAs, vendor-provided generic technical guidelines for EOP development, or plant-specific EOPs, depending on the maturity of the design.

OSDs were developed by the HFE Process Team with input from the HSI Design and Procedure Modification Team to document the necessary sequence of operator actions. This was done using existing procedures and modifying them to leverage the new PPS and DCS operating characteristics and HSIs. These OSDs were developed to a granularity to capture both the 36

estimated overall time to perform and estimated time to implement the specific manual actions identified in Section 4.3.2

3. Techniques to minimize bias are used when estimates of time to perform and time to implement are derived using methods that are dependent on expert judgment. Uncertainties in the analysis of time to perform are identified and assessed.

Actions for which time to perform and time to implement as studied by CV (and PV) are established as described in Item 1 directly above.

Uncertainties associated with measuring time to perform during CV and PV are addressed in the acceptance criteria provided in Section 4.4.4.

The Simulator Team member independently tracked the overall performance of the HSI and Procedure Validation Team in completing the necessary actions for each scenario. The Simulator Team member did not use the OSD(s) to execute each scenario (SEGs were used) nor did they track time for operators to complete activities described in the OSDs. Tracking actions in the OSDs and the time it took to diagnose and implement the necessary manual control actions under evaluation were performed by HFE Process Team during the execution of each scenario. The HFE Process Team performed the timeline analyses captured in Appendix D and summarized in Section 5.3.

4. The sequence of actions uses only alarms, controls, displays and equipment that would be available and functional during the subject event(s). The event and the regulatory guidance for analyzing the event typically define the alarms, controls, displays, and equipment that remain functional.

The sequence of actions along with the functional alarms, controls, displays, and equipment used by the HSI and Procedure Validation Team to address the subject events, as captured in Table 3 and Table 4, were identified in the OSDs.

5. The estimated time available for operators to complete the manual actions under study is sufficient to allow the successful use of all applicable procedure(s). This could involve the implementation of a single procedure, multiple procedures in parallel, or procedures in sequence. Where applicable, the review should address the possibility that symptom- and function-based EOPs may be necessary (e.g.,

instances in which event diagnosis may be particularly challenging).

Time available was established for manual actions under study as described in Item 1 directly above. OSDs developed for the CV workshop were initially written based on an assumed optimal path that would be taken by operators. During the performance of the SEGs for CV, it became apparent that the OSDs needed to become more general to permit the HSI and Procedure Validation Team to follow multiple paths allowed by procedures, including the EOPs to address the event(s) included in each of the SEGs. This is discussed in Section 4.4.2 above. The paths chosen by operators during CV fall within the generalized OSDs in Appendix D. These generalized OSDs will be used for PV. Several of the SEGs contain anomalies beyond the specific manual actions under study to make event diagnosis more challenging. The operators also used symptom-based EOPs.

Non-safety DCS AOAs greatly simplify several of the manual operator actions described in Section 4.3.2. Initiation of these DCS AOAs in several cases is all that is needed for the operator to complete the actions that the current design requires be manually controlled by SR I&C equipment. For CV and PV, operator response was deliberately negatively biased by requiring the HSI and Procedure Validation Team members use the manual controls provided by the PPS system and associated HSIs provided by the new design.

6. The initial operating staff size and composition assumed for the analysis of time to perform and time to implement is the same as the minimum staff defined in the plants Technical Specifications.

37

The operating staff size and composition is unchanged by the modification that implements the PPS and DCS upgrades.

7. If CMA require additional operators beyond the Technical Specification minimum crew, the justification for timely availability of the additional staffing is provided and the estimate of the time to perform and time to implement include any time needed for calling in additional personnel.

None of the manual actions examined during CV (either the CMA [Table 3] or the additional manual actions impacted by the modification [Table 4]) required additional operators beyond the Technical Specification minimum crew.

8. Action sequence analysis is conducted at a level of detail sufficient to identify individual task components, including cognitive elements such as the diagnosis and selection of appropriate response, and the associated performance shaping factors that affect time to perform and time to implement and the potential for operator error. Communications, travel time, and work environment are addressed.

OSDs created for CV as captured in Appendix D (which will be used for PV) meet the intent of this item. Necessary communications outside the MCR were facilitated by the Simulator Team.

Travel time within the MCR was also addressed by the Simulator Team member. This was done by delaying the report of system response to the operator to approximate the time it would take to take the remote action. The PPS and DCS design also help reduce communications and travel time. For example, the updated design, performance of CV2 in Table 3 can be accomplished directly in the MCR. Prior to the design modification, this action is performed by an equipment operator from the Auxiliary Equipment Room (AER). The time it takes for the equipment operator to go to the AER and communicate with MCR personnel for this action is eliminated.

Some scenarios were adjusted to drive operators to take the most time-consuming implementation path to complete the manual action under study. For example, when placing two loops of suppression pool cooling in service (for CV1 in Table 3), operators were required to perform this action manually from the PPS screens instead of using the AOA capability to perform this provided by the DCS.

9. The analysis identifies a time margin between the time to perform and time available to perform the action and documents the basis for the adequacy of the margin, including consideration of the uncertainty in the estimation of the margin.

The estimated time margins as described above are captured in the Observed HSI and Procedure Validation Team Performance Timelines provided for each scenario in Appendix D.

Using the same evaluation criteria for the additional manual actions being evaluated as captured in Table 4 of Section 4.3.2.2 does not imply that the Licensing Basis for CMA is being expanded to include these items.

5.3 Conceptual Verification Summary of Results 5.3.1 Credited Manual Actions in the Limerick Generating Station Licensing Basis Table 5 provides a summary of the time to perform and time to implement for CMA in the LGS Licensing Basis as observed during CV. Table 6 provides a summary of the time to perform and time to implement for the additional manual operator actions evaluated during CV.

As shown in Table 5 and Table 6, all the acceptance criteria identified in Section 4.4.4 were satisfied during CV. For both Table 5 and Table 6, Criterion B is being applied by CEG as a good engineering practice to address potential TDiagnosis uncertainties consistent with the discussion in NUREG-1852 [14],

Section B 2.2.4. Application of this criteria is applicable to this upgrade only.

38

Table 5. CV observed times for manual operator actions credited in the LGS Licensing Basis impacted by the modification.

Action Credited Manual Licensing Source Addressed Time Estimated Time to Estimated Criterion Criterion Criterion Criterion

Operator Action by CV/PV Available Time to Implement Time to A B C D and Perform Implement Event Scenario Acceptance Observed Existing Observed in Type Number(s) Criteria in CV Design CV CV1 Place both loops OP-LG-102-106, 1 [ ](C) 4.92 [ ](C) 4.53 minutes Pass N/A Pass Pass Suppression Pool Operator Response minutes [ ](C) [ ](C) No Type 1 Cooling in service Time Program at observed following an inadvertent LGS, TCA #64 difficulties SRV opening to maintain UFSAR Chapter in diagnosis suppression pool temp 15.1.4.2.1 below TS limits CV2 Open S, H, M, E, K OP-LG-102-106, 2 [ ](C) 22.15 [ ](C) 0.37 minutes Pass Pass Pass Pass SRVs using Division 3 Operator Response minutes [ ](C) [ ](C) [ ](C) No Type 2 power from AER (note Time Program at observed new task will be from LGS, TCA #16 difficulties MCR using Division 3 NE-294, Specification in diagnosis PPS or Ovation display) for Post-Fire Safe Shutdown Program Requirements for LGS, Rev 5 CV3 Inject Standby Liquid UFSAR Chapter 3 [ ](C) (1) 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months , [ ](C) (1) 0.15 minutes Pass Pass Pass Pass Type 2 Control following DBA 15.6.5 12.82 [ ](C) [ ](C) [ ](C) No LOCA for pH control RAI Response for minutes(2) observed Limerick AST difficulties implementation- in diagnosis T04602 CV4 Station blackout action - OP-LG-102-106, 5 [ ](C) 4.03 [ ](C) 1.07 minutes Pass N/A Pass Pass Type 1 if HPCI auto started then Operator Response minutes [ ](C) [ ](C) No secure HPCI within 10 Time Program at observed minutes of SBO event LGS, TCA #62 difficulties UFSAR Chapter in diagnosis 15.12 (1) Time available for CV3 is specified by the licensing commitment and procedure. Procedure delays action performance to occur after [ ](C) but before [ ](C) hours for a DBA LOCA (2) For CV3, the need to perform this action was identified early in the scenario. The procedure directs, however, that this action not be performed until 3 hours3.472222e-5 days 8.333333e-4 hours 4.960317e-6 weeks 1.1415e-6 months after the initiating event. Time was compressed in the simulator to the [ ](C) point and the time to perform the action was recorded as 12.82 minutes. The estimated time to implement was 0.15 minutes. A detailed timeline for this action was not developed.

39

5.3.2 Additional Manual Operator Actions Evaluated Table 6 provides a summary of the time for additional manual operator actions evaluated during CV as captured in Appendix D.

Table 6. CV observed times for additional manual operator actions impacted the modification that were evaluated.

Action Additional Manual Source Addressed Time Estimated Time to Estimated Criterion Criterion Criterion Criterion

Operator Actions by CV/PV Available Time to Implement Time to A B C D Identified for Perform Implement and Event Evaluation Scenario Acceptance Observed Existing Observed in Type Number(s) Criteria in CV Design CV CV5 Inhibit ADS (non- OP-LG-102-106, 2 [ ](C) 3.0 [ ](C) 0.42 minutes Pass Pass Pass Pass ATWS) Operator Response minutes [ ](C) [ ](C) [ ](C) No Time Program at observed Type 2 LGS, TSA #7 difficulties PRA - AHU600DXI in diagnosis 4 Task not Task not N/A N/A N/A N/A observed observed in in Scenario 4 Scenario 4

7 9.9 0.22 minutes Pass Pass Pass Pass minutes [ ](C) [ ](C) [ ](C) No observed difficulties in diagnosis CV6 Initiate Emergency OP-LG-102-106, 2 [ ](C) 3.5 [ ](C) 0.97 minutes Pass Pass Pass Pass Depressurization if RPV Operator Response minutes [ ](C) [ ](C) [ ](C) No level cannot be restored Time Program at observed Type 2 and maintained above - LGS, TSA #9 difficulties 186" PRA - AHUWS1DXI in diagnosis 9 Less 0.05 minutes Pass Pass Pass Pass than 1 [ ](C) [ ](C) [ ](C) No minute observed difficulties in diagnosis 40

Action Additional Manual Source Addressed Time Estimated Time to Estimated Criterion Criterion Criterion Criterion

Operator Actions by CV/PV Available Time to Implement Time to A B C D Identified for Perform Implement and Event Evaluation Scenario Acceptance Observed Existing Observed in Type Number(s) Criteria in CV Design CV CV7 Inhibit ADS (ATWS) OP-LG-102-106, 6 [ ](C) Less [ ](C) 0.67 minutes Pass Pass Pass Pass Operator Response than 1 Run 1 [ ](C) [ ](C) [ ](C) No Time Program at minute observed Type 2 LGS, TSA #13 difficulties PRA - AHUINXDXI in diagnosis 0.07 minutes Pass Pass Pass Pass Run 2 [ ](C) [ ](C) [ ](C) No observed difficulties in diagnosis 41

For CV5, this action was observed, and a time to perform and time to implement were recorded for two of the three scenarios (two and seven) listed in Table 6. For Scenario 4, the associated SEG describes the possibility that plant operators can take appropriate operator actions to address the event (Group 1 MSIV Isolation with Reactor Core Isolation Cooling [RCIC] and Control Rod Drive Issues) that preclude the need to inhibit ADS. This is what occurred. Consequently, no time to perform or time to implement for CV5 was observed during Scenario 4.

For CV7, the associated Scenario and SEG (6) was observed twice. This was done at the request of the HSI and Procedure Validation Team to practice the ATWS choreography again. The second run used a slightly different navigation method to reach the same displays to perform the necessary action. The navigation for the second run had one extra navigation step where the operators selected the transient response button, which is present on all PPS displays to then reach the same displays used in the first run.

A separate scenario and SEG (8) was created to demonstrate that operators could effectively operate the RHR system in the shutdown cooling mode. There is no specific time available requirement to operate the RHR system in the shutdown cooling mode. Consequently, there was no OSD developed for this scenario. This scenario demonstrated that operators could operate the RHR system in the shutdown cooling mode with the new I&C systems and HSIs. Examining the task to operate the RHR system in the shutdown cooling mode is not being added to the LGS Licensing Basis as part of this modification.

A separate scenario and SEG (9) was created to demonstrate that operators could effectively cope with a significant representative DBA (a steamline rupture inside the drywell) with a simultaneous PPS failure that disables all RPS, NSSSS, and ECCS functions. This PPS failure results from a common mode failure of the Common Q platform due to an unknown cause. There is no time available requirement to recover from the beyond design basis event of a complete loss the Common Q platform. HSI and Procedure Validation Team members demonstrated that the necessary action (CV6) to address the representative casualty (a steamline rupture inside the drywell) could still be satisfactorily accomplished in a timely manner through the use of the DPS Segment of the non-safety DCS to establish a safe shutdown condition. A complete loss of the Common Q platform is a beyond design basis event, which is not being added to the LGS Licensing Basis as part of this modification.

5.4 General Human-System Interface Style Guide Comments As CORYS was producing the HSIs to be used for CV, a sample set were provided to and reviewed by the HFE Process Team against the HSI Style Guide [5]. Global comments generated by this review are captured in Figure 10.

42

Global Comments for Displays Figure 10. HFE Process Team global comments to draft CV HSI displays.

These global comments along with specific comments against HSI displays provided by CORYS were discussed during a workshop held between the HFE Process Team and members of the HSI Design and Procedure Modification Team on November 21, 2022. The global comments and additional specific HFE Style Guide comments on provided displays have been captured in the HSI items identified during CV as described in Section 5.5.

5.5 Human-System Interface and Procedure Items Identified During Conceptual Verification Appendix E captures a total of 256 HSI and procedure items identified during preliminary HFE display reviews (Section 5.4), during the dry run prior to CV (Section 4.5.7) and the CV itself.

Appendix E, as provided in this report, is a snapshot of a living document. Appendix E is being maintained and configuration controlled by the HSI Design and Procedure Modification Team.

The HSI Design and Procedure Modification Team will categorize and prioritize the items in Appendix E to facilitate their disposition in the design. Only items that could significantly impact (positively or negatively) the PV need to be dispositioned before PV. Examples of items that are to be addressed before PV include (but are not limited to) significant changes to display navigation, display content changes that would impede operators from performing functions identified in Section 4.3.2, and operator procedure changes that impact PV scenario performance.

All HSI display and procedure comments are to be dispositioned by the HSI Design and Procedure Modification Team. These dispositions will be reviewed by the HSI Design and Validation Team for operational issues and by the HFE Process Team for HFE issues related to the HSI Style Guide [5].

HSI, procedure, or other issues identified during PV will be added to the configuration-controlled version of Appendix E. Items in Appendix E are to be dispositioned if at all possible before ISV. All dispositions need to be captured in live version of Appendix E and reviewed as described above.

Open items that exist prior to ISV are to be prioritized following the criteria in the HFE Program Plan

[2]:

Priority 1: Have direct, indirect, or potential safety or plant availability consequences and require resolution prior to modification being placed in service.

43

Priority 2: Potential consequences to plant performance operability or personal performance and formal disposition (resolution prior to the modification being placed in service, deferred resolution at next available opportunity, or accept as is) shall be documented.

Priority 3: Other (not meeting Priority 1 or Priority 2 criteria).

6. REFERENCES

1. NRC. 2016. Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants: LWR Edition - Human Factors Engineering. NUREG-0800, Revision 3, Chapter 18.

2. Joe, J., P. Hunton, and C. Kovesdi. 2022. Human Factors Engineering Program Plan for Constellation Safety-Related Instrumentation and Control Upgrades. INL/RPT-22-68693, Idaho National Laboratory.

3. NRC. 2012. Human Factors Engineering Program Review Model. NUREG-0711, Revision 3.

4. Kovesdi, Casey et al. 2022. Human Factors Engineering Combined Functional Requirements Analysis, Function Allocation, and Task Analysis for the Limerick Control Room Upgrade:

Results Summary Report. INL/RPT-22-68995, Idaho National Laboratory.

5. Kovesdi, Casey. 2022. Human-System Interface Style Guide for Limerick Generating Station.

INL/RPT-22-68558, Idaho National Laboratory.

6. Limerick Generating Station Updated Final Safety Analysis Report (UFSAR). Revision 19.

7. Limerick Defense in Depth and Diversity Common Cause Failure Coping Analysis. WNA-AR-01074-GLIM, Westinghouse Electric Company.

8. Limerick Generating Station Probabilistic Risk Assessment Summary Notebook. LG-PRA-013, Revision 4.

9. Joe, J., P. Hunton, C. Kovesdi, and J. Mohon. 2022. Human Factors Engineering Operating Experience Review of the Constellation Limerick Control Room Upgrade: Results Summary Report. INL/RPT-22-68703, Idaho National Laboratory.

10. 2002. Human-System Interface Design Review Guidelines. NUREG-0700, Revision 2.

11. Specification for Post-Fire Safe Shutdown Program Requirements at Limerick Generating Station. Specification NE-294, Revision 5.

12. Operator Response Time Program at Limerick Generating Station. OP-LG-102-106, Revision 14.

13. LGS PIMS Commitment NBR-T04602, Source Document 1 - RAI Response for AST, Statement of Commitment per RAI for AST dated 10-10-05.

14. 2007. Demonstrating the Feasibility and Reliability of Operator Manual Actions in Response to Fire. NUREG-1852.

15. IEEE IEEE Guide for Human Factors Engineering for the Validation of System Designs and Integrated Systems Operations at Nuclear Facilities. IEEE Std 2411-2021, IEEE.

16. NRC. 1980. Instrumentation for Light-Water-Cold Nuclear Power Plants to Assess Plant and Environs Conditions During and Following an Accident. Regulatory Guide 1.97, Revision 2.

44

Appendix A: Key HSI Style Guide Attributes for Conceptual Verification HSI Development 45

Limerick Safety-Related Upgrade: HSI Design Review Guide Revision 2 This guide provides human factors engineering (HFE) design guidance to support CV/ PV activities, using select guidance from the HSI style guide (INL-RPT-22-68558) and associated technical guidance from NUREG-0700 (Revision 2) and APP-OCS-J1-002.

Revision Comment 1 Base Guidance 2 Per discussion Oct 11, 2022, additional guidance was identified including mimic design and process lines, and use of color specific to Limerick conventions.

46

[

](W) 47

[

](W) 48

[

](W) 49

[

](W) 50

[

](W) 51

[

](W) 52

[

](W) 53

[

] (W)

Ovation Color Palette.

The following colors are from Limerick TCS Display Design FRs and Guidelines (WNA-DS-02820-GLIM.pdf).

54

[

](W) 55

[

](W) 56

[

](W) 57

[

](W) 58

Appendix B: Human-System Interface Displays Developed for Conceptual Verification 59

Plant Protection System Displays Figure B-1: PPS Navigation Menu

[

] (C) 60

Figure B-2: System Safety Status

[

] (C) 61

Figure B-3: Bypass Menu

[

] (C) 62

Figure B-4: Transient Response

[

] (C) 63

Figure B-5: SCRAM Mechanical

[

] (C) 64

Figure B-6: SCRAM Instruments

[

] (C) 65

Figure B-7: SCRAM Logic Status

[

] (C) 66

Figure B-8: RCIC System

[

] (C) 67

Figure B-9: RCIC Instruments

[

] (C) 68

Figure B-10: RCIC Logic Status

[

] (C) 69

Figure B-11: HPCI System

[

] (C) 70

Figure B-12: HPCI Instruments

[

] (C) 71

Figure B-13: HPCI Logic Status

[

] (C) 72

Figure B-14: Pressure Control

[

] (C) 73

Figure B-15: ADS Instruments

[

] (C) 74

Figure B-16: ADS Logic

[

] (C) 75

Figure B-17: Core Spray Division 1

[

] (C) 76

Figure B-18: Core Spray Division 2

[

] (C) 77

Figure B-19: Core Spray Instruments

[

] (C) 78

Figure B-20: Core Spray Logic Status

[

] (C) 79

Figure B-21: RHR System Division 1

[

](C) 80

Figure B-22: RHR System Division 2

[

] (C) 81

Figure B-23: RHR System Division 3

[

] (C) 82

Figure B-24: RHR System Division 4

[

] (C) 83

Figure B-25: RHR Instruments

[

] (C) 84

Figure B-26: RHR Logic Status

[

] (C) 85

Figure B-27: NSSS

[

] (C) 86

Figure B-28: Containment Instruments 1

[

] (C) 87

Figure B-29: Containment Logic 1

[

] (C) 88

Figure B-30: Standby Logic Control System

[

] (C) 89

Figure B-31: MSIVS ad Drains

[

] (C) 90

Figure B-32: Sample

[

] (C) 91

Figure B-33: RWCU Status

[

] (C) 92

Figure B-34: Containment Atmosphere Control Overview

[

] (C) 93

Figure B-35: Primary Containment Instrument Gas

[

] (C) 94

Figure B-36: Reactor Enclosure and Refuel Floor HVAC Logic

[

] (C) 95

Figure B-37: Trends Menu

[

] (C) 96

Figure B-38: Post Accident Monitoring System Instruments

[

] (C) 97

Figure B-39: PAMS Large Format Division 1

[

] (C) 98

Figure B-40: PAMS Large Format Division 2

[

] (C) 99

Figure B-41: PAMS Large Format Division 3

[

] (C) 100

Figure B-42: PAMS Large Format Division 4

[

] (C) 101

Figure B-43: ECCS Visual Status

[

] (C) 102

Figure B-44: Isolation Visual Status

[

] (C) 103

Figure B-45: Core Cooling Visual Status

[

] (C) 104

Figure B-46: Primary Containment Visual Status

[

] (C) 105

Figure B-46: Secondary Containment Visual Status

[

] (C) 106

Figure B-47: Trips Visual Status and Return to Normal

[

] (C) 107

Figure B-48: ATWS

[

] (C) 108

Figure B-49: T-270

[

] (C) 109

Figure B-50: HPCI Steam Leak Detection Trends

[

] (C) 110

Figure B-51: RCIC Steam Leak Detection Trends

[

] (C) 111

Figure B-52: Cabinet Status

[

] (C) 112

Figure B-53: Scram Instruments Trends

[

] (C) 113

Figure B-54: Event List

[

] (C) 114

Figure B-55: Pipeway Steam Leak Detection Trends

[

](C) 115

Distributed Control System Displays Figure B-56: Ovation Graphics Navigation Menu

[

] (C) 116

Figure B-57: Redundant Reactivity Control System

[

[ (C)

Figure B-58: Diverse Protection System Menu

[

[ (C) 117

Figure B-59: Diverse Protection System HUD

[

[ (C)

Figure B-60: DPS Level and Containment Cooling

[

[ (C) 118

Figure B-61: DPS Pressure Control and Isolation

[

[ (C)

Figure B-62: Transient Response

[

[ (C) 119

Figure B-63: SRV AOA

[

[ (C)

Figure B-64: LP ECCS

[

[ (C) 120

Figure B-65: Redundant Reactivity Control System

[

[ (C)

Figure B-66: A RHR AOA

[

[ (C) 121

Figure B-67: B RHR AOA

[

[ (C)

Figure B-68: AOA Systems Menu

[

[ (C) 122

Figure B-69: Standby Liquid Control System

[

[ (C)

Figure B-70: Recirc

[

[ (C) 123

Figure B-71: CAC

[

[ (C)

Figure B-72: Reactor HUD-1

[

[ (C) 124

Figure B-73: A/C ECCS HUD-2

[

[ (C)

Figure B-74: B/D ECCS HUD-3

[

[ (C) 125

Figure B-75: Containment HUD-4

[

[ (C)

Figure B-76: Annunciator Menu

[

[ (C) 126

Figure B-77: 107 Reactor Annunciator

[

[ (C)

Figure B-78: 113 Cool A Annunciator

[

[(C) 127

Figure B-79: 114 Cool B Annunciator

[

[ (C)

Figure B-80: 115 PRI/SEC CONT Annunciator

[

[ (C) 128

Figure B-81: 116 AOA Annunciator

[

[ (C) 129

This Page is Intentionally Left Blank 130

Appendix C: Simulator Exercise Guides 131

[

] (C) 132

[

] (C) 133

[

] (C) 134

[

] (C) 135

[

] (C) 136

[

] (C) 137

[

] (C) 138

[

] (C) 139

[

] (C) 140

[

] (C) 141

[

] (C) 142

[

] (C) 143

[

] (C) 144

[

] (C) 145

[

] (C) 146

[

] (C) 147

[

] (C) 148

149

[

] (C) 150

[

] (C) 151

[

] (C) 152

[

] (C) 153

[

] (C) 154

[

] (C) 155

[

] (C) 156

[

] (C) 157

[

] (C) 158

[

] (C) 159

[

] (C) 160

[

] (C) 161

[

] (C) 162

[

] (C) 163

[

] (C) 164

[

] (C) 165

[

] (C) 166

[

] (C) 167

[

] (C) 168

[

] (C) 169

[

170

] (C) 171

[

] (C) 172

173

[

] (C) 174

[

] (C) 175

[

] (C) 176

[

] (C) 177

[

] (C) 178

[

] (C) 179

[

] (C) 180

[

] (C) 181

[

] (C) 182

[

] (C) 183

[

] (C) 184

[

] (C) 185

[

] (C) 186

[

] (C) 187

[

] (C)

[

188

] (C) 189

190

[

] (C) 191

[

] (C) 192

[

] (C) 193

[

] (C) 194

[

] (C) 195

[

] (C) 196

[

] (C) 197

[

] (C) 198

[

] (C) 199

[

] (C) 200

[

] (C) 201

[

] (C) 202

[

] (C) 203

[

] (C) 204

[

] (C) 205

[

206

] (C) 207

[

] (C) 208

[

] (C) 209

[

] (C) 210

[

] (C) 211

[

] (C) 212

[

] (C) 213

[

] (C) 214

[

] (C) 215

[

] (C) 216

[

] (C) 217

[

] (C) 218

[

] (C) 219

[

] (C) 220

[

] (C) 221

[

222

] (C) 223

[

] (C) 224

[

] (C) 225

[

] (C) 226

[

] (C) 227

[

] (C) 228

[

] (C) 229

[

] (C) 230

[

] (C) 231

[

] (C) 232

[

] (C) 233

[

] (C) 234

[

] (C) 235

[

] (C) 236

[

] (C) 237

[

] (C) 238

[

] (C) 239

[

] (C) 240

[

] (C) 241

[

] (C) 242

[

] (C) 243

[

] (C) 244

[

245

] (C) 246

[

] (C) 247

[

] (C) 248

[

] (C) 249

[

] (C) 250

[

] (C) 251

[

] (C) 252

[

] (C) 253

[

] (C) 254

[

] (C) 255

[

] (C) 256

[

] (C) 257

258

[

] (C) 259

[

] (C) 260

[

] (C) 261

[

] (C) 262

[

] (C) 263

[

] (C) 264

265

[

] (C) 266

[

] (C) 267

[

] (C) 268

[

] (C) 269

[

] (C) 270

[

] (C) 271

[

] (C) 272

[

] (C) 273

[

] (C) 274

[

] (C) 275

[

] (C) 276

[

] (C) 277

[

] (C) 278

[

] (C) 279

280

[

] (C) 281

[

] (C) 282

[

] (C) 283

[

] (C) 284

[

] (C) 285

[

] (C) 286

[

] (C) 287

[

] (C) 288

[

] (C) 289

[

] (C) 290

[

] (C) 291

[

] (C) 292

[

293

] (C) 294

[

] (C) 295

[

] (C) 296

[

] (C) 297

[

] (C) 298

[

] (C) 299

[

300

] (C) 301

Page intentionally left blank 302

Appendix D: Scenario Operational Sequence Diagrams and Results for Conceptual Verification and Preliminary Validation Manual Actions 303

Scenario #1: Stuck Open SRV / HPCI Steam Leak / T-103 Blowdown Operational Sequence Diagram Observed HSI and Procedure Validation Team Performance Timeline CV-1: Place RHR System in Suppression Pool Cooling

[

] (C) 304

Scenario #2: Loss of Division 1 DC / Loss of Feed / DW Leak / Low level Operational Sequence Diagram 305

HSI and Procedure Validation Team Performance Timelines CV 5: Inhibit ADS [non-ATWS]

[

] (C)

CV 6: Initiate Emergency Depressurization if RPV Level Cannot be Restored and Maintained above -186

[

] (C)

CV 2: Open S, H, M, E, K SRVs Using Division 3 Power from AER (note new task will be from the MCR using Division 3 PPS or Ovation display)

[

] (C) 306

Scenario #3: DBA LOCA/LOOP with D13 failure Operational Sequence Diagram HSI and Procedure Validation Team Performance Timeline CV3: Inject Standby Liquid Control Following a Design Basis Accident LOCA for pH Control For CV3, the need to perform this action was identified early in the scenario. Procedure directs, however, that this action not be performed until e hours after the initiating event. Time was compressed in the simulator to the three-hour point and the time to perform the action was recorded as 12.82 minutes. A detailed timeline for this action was not developed.

307

Scenario #4: Group 1 MSIV Isolation / RCIC and Control Rod Drive Issues Operational Sequence Diagram HSI and Procedure Validation Team Performance Timeline CV5: Inhibit ADS (non-ATWS)

For this scenario, operators were able to address the subject event following procedures in such a manner that manual action under study (CV5- Inhibit ADS [non-ATWS]) was not required to be performed. Consequently, no performance timeline was recorded. The action under study for this scenario as identified above was performed in scenarios 2 and 7.

308

Scenario #5: Station Blackout Operational Sequence Diagram HSI and Procedure Validation Team Performance Timeline CV4: Station blackout action - if HPCI auto started then secure HPCI within 10 minutes of SBO event

[

] (C) 309

Scenario #6: Control Rod Scram, Scram Discharge Volume Hi Level, ATWS, Turbine-Generator Trip, T-217 Termination Operational Sequence Diagram - Run 1 310

HSI and Procedure Validation Team Performance Timeline CV7: Inhibit ADS (ATWS)

[

] (C) 311

Scenario #7: LOOP / Ovation loss / DW Leak / Blowdown on Low Level Operational Sequence Diagram HSI and Procedure Validation Team Performance Timeline CV5: Inhibit ADS (non-ATWS)

[

] (C) 312

Scenario #8: Loss of Shutdown Cooling As discussed in Section 4.3.2.2, no OSD or associated HSI and Procedure Validation Team Performance Timeline was produced for this scenario.

313

Scenario #9: Steamline Rupture Inside DW/ All RPS, NSSSS, ECCS fail except Group 1 NSSSS and 'A' CS Loop Operational Sequence Diagram HSI and Procedure Validation Team Performance Timeline CV6: Initiate Emergency Depressurization

[

] (C) 314

Appendix E: Comments to Displays and Procedures Developed for Conceptual Verification 315