Development of an advanced human–machine interface for next generation nuclear power plants

Development of an advanced human–machine interface for nextgeneration nuclear power plants

Soon Heung Changa,*, Seong Soo Choia, Jin Kyun Parka, Gyunyoung Heoa, Han Gon Kimb

aDepartment of Nuclear Engineering, Korea Advanced Institute of Science and Technology, 373-1 Kusong-dong, Yusong-gu, Taejon 305-701, South KoreabCenter for Advanced Reactors Development, Korea Electric Power Research Institute, 103-16 Munji-dong, Yusong-gu, Taejon 305-380, South Korea

Received 15 April 1998; accepted 24 August 1998

Abstract

An advanced human–machine interface (HMI) has been developed to enhance the safety and availability of a nuclear power plant (NPP)by improving operational reliability. The key elements of the proposed HMI are the large display panels which present synopsis of plantstatus and the compact, computer-based work stations for monitoring, control and protection functions. The work station consists of fourconsoles such as a dynamic alarm console (DAC), a system information console (SIC), a computerized operating-procedure console (COC),and a safety system information console (SSIC). The DAC provides clean alarm pictures, in which information overlapping is excluded andalarm impacts are discriminated, for quick situation awareness. The SIC supports a normal operation by offering all necessary systeminformation and control functions over non-safety systems. In addition, it is closely linked to the other consoles in order to automaticallydisplay related system information according to situations of the DAC and the COC. The COC aids operators with proper operatingprocedures during normal plant startup and shutdown or after a plant trip, and it also reduces their physical/mental burden through softautomation. The SSIC continuously displays safety system status and enables operators to control safety systems. The proposed HMI hasbeen evaluated using the checklists that are extracted from various human factors guidelines. From the evaluation results, it can be concludedthat the HMI is so designed as to address the human factors issues reasonably. After sufficient validation, the concept and the design featuresof the proposed HMI will be reflected in the design of the main control room of the Korean Next Generation Reactor (KNGR).q 1999Elsevier Science Ltd. All rights reserved.

Keywords:Advanced control room; Human–machine interface; Information processing; Alarm processing; Procedure computerization

1. Introduction

A nuclear power plant (NPP) has been developed underthe principles pursuing safety as the most important goalfrom inception because of the consequences from the poten-tial release of radioactive materials. One of the importantprinciples is ‘proven technology’ which is that all tech-nologies related to safety of an NPP should be verifiedand validated at the same or related industries. This impor-tant principle has contributed to enhancement of NPPsafety, of course. However, from the early 1980s, it hasbeen recognized that NPP designers cannot adopt remark-ably progressing new technologies, especially computerscience, digital control, human factors engineering, andartificial intelligence, properly because of the ‘proventechnology’ principle.

The TMI accident demonstrated that the operator cannothandle various and voluminous information from conven-tional alarm tiles, indicators, and control devices duringemergency conditions [1]. In addition, a number of potentialweaknesses have been found through operating experiencereview [2]. Therefore, the necessity to develop a main con-trol room (MCR), which is simpler and easier to operate, hasbeen increased.

According to this necessity, large programs on advancedcontrol rooms (ACRs) are underway in several countries.Three important trends in the evolution of ACRs are (1)increased automation, (2) the development of compact,computer-based work stations, and (3) the development ofintelligent operator aids. These trends are reflected in theNuplex 80þ developed by ABB-CE as the MCR of System80þ which was designed with the intention of evolution-arily upgrading existing control rooms, because incorpor-ating radically different operator functions would be morelikely to create unforeseen problems [3]. The redesign of

0951-8320/99/$ - see front matterq 1999 Elsevier Science Ltd. All rights reserved.PII: S0951-8320(98)00073-8

* Corresponding author. Tel.: +82-42-869-3816; Fax: +82-42-869-3810;E-mail: [email protected]

Reliability Engineering and System Safety 64 (1999) 109–126

human–machine interfaces (HMIs) in the MCR of the N4developed by EdF [4] and in the MCR of AP600 developedby Westinghouse [5] was achieved using digital technology.The human factors engineering and plant operatingexperiences were also integrated in these designs. The inter-national team of boiling water reactor (BWR) manu-facturers, which consists of GE, Hitachi and Toshiba, hasdeveloped an advanced BWR control room. It was designedto aim to reduce the risk of operator errors by incorporatinginterruptible automatic control procedures for routine plantfunctions [6]. The ACR for advanced pressurized waterreactors (PWRs), which has been developed jointly byfive Japanese PWR utilities and the Mitsubishi group,was designed to realize a better work environment whereoperators would be able to carry out cognitive tasks throughworkload reduction and human error reduction [7]. TheIntegrated Surveillance and Control System (ISACS),which has been developed as a part of the OECD HaldenReactor Project, has the design idea that effective inte-gration of advanced operator support systems to improvesafety and efficiency in plant operation is the properdirection of control room development [2]. The PRISCAsystem [8] in use in the KONVOY plant offers the operatora large selection of process information displayed on a 23 4matrix of eight cathode-ray tubes (CRTs), and the MCR forSizewell B, Britain’s first PWR, was designed to minimizemanual controls by increasing the level of automation andadopting modern digital technology [9]. In Korea, severaloperator support systems have been developed which can beutilized as kernel software for an ACR [10,11] and the MCRbased on digital technology and human factors engineeringis under development for the Korean Next GenerationReactor (KNGR).

In those MCRs, digital technology and automation enableone or two operators to operate an NPP in a normal state. Inaddition, human factors are incorporated in the design ofcontrol room layout and information presentation. However,there are some issues most frequently associated with ACRs[12]. They include (1) increase in the operator’s cognitiveworkload associated with managing the interface, (2) diffi-culty navigating through and finding important informationpresented in visual display units (VDUs), (3) difficultyunderstanding how advanced systems work, (4) great shiftsin operator workload in the event of a computer failure, and(5) loss of operator vigilance, pattern recognition ability,and skill proficiency. There are no obvious solutions forthese issues and each country should address these problemsunder consideration of their characteristics.

In this paper, an advanced HMI is proposed specificallyfor Korean operators by addressing the issues associatedwith ACRs. The target plants of the HMI are Yonggwangnuclear unit 3, 4 because they would be the prototype of theKNGR. The design goals for the proposed HMI are to (1)reduce operators’ physical/mental workload, (2) eliminatehuman errors that can affect plant safety and availability asmuch as possible, (3) design monitoring and control

functions simply and consistently, and (4) assure the highestpossible reliability of the control room. To accomplish thesegoals, a set of design principles have been established asfollows:

1. Compact, computer-based work stations which enableoperators to operate a plant in seated positions shouldbe provided, and they should be placed to bettercommunication among operating crews.

2. Large display panels (LDPs) should be equipped, whichpresent synopsis of plant status, and can be visible fromoperating crews’ seated positions.

3. Monitoring and control functions should be digitalutilizing microprocessors, and a redundant operatorwork station should be provided to accommodate thefailure of an operator work station.

4. Separate hardware and software should be used formonitoring and control functions in a work station toavoid data communication bottlenecks and to maintainsimple control system designs. However, monitoring andcontrol functions should be closely linked in view ofinteraction with operators.

5. Control of safety systems should be separated from thatof non-safety systems using different hardware andsoftware.

6. Spatially dedicated hardwired switches should beequipped for essential functions such as reactor tripand safety injection to shutdown a plant safely in thecase of complete failure of digital control.

7. The type and quantity of information required foridentifying plant status should be decided on the basisof the means–end abstraction hierarchy of system func-tions, and the skill-rule-knowledge framework should beconsidered as a basis for determining the form of infor-mation in the interface [13–15]. Information related tosystems, alarms, and procedures should be presentedusing the Korean alphabet to an appropriate degree tobetter coincide with the Korean operators’ cognition.

8. Alarm processing should be incorporated to allow theoperator to quickly correlate alarm impacts on plantsafety and performance by eliminating and suppressingspurious or unnecessary alarms and by prioritizingactivated alarms.

9. Operating procedures should be computerized with aview to reducing the operator’s physical/mentalworkload during procedure execution.

2. Configuration of the human–machine interface

2.1. Main control area

The discussion will be focused on the main control areaexcluding the shift supervisor’s office and the technicalsupport center to concentrate attention on the HMI. Theproposed HMI consists of four LDPs, two operator work

110 Soon Heung Chang et al./Reliability Engineering and System Safety 64 (1999) 109–126

stations, one supervisor work station, one safety advisorwork station, and one auxiliary control station, as shownin Fig. 1.

The position and orientation of each work station weredetermined to allow the visibility of the LDPs everywhere inthe MCR and to facilitate communication among operatingcrews.

2.2. Large display panel

The LDPs are placed on the front wall of the MCR andpresent common information to the operating staff in orderto prevent a lack of communication, to increase competencyas an operating crew, and to maintain operations at normalplant states without other information sources. Thefollowing plant information is presented via the LDPs:

1. Critical function alarms that indicate functionalanomalies related to plant safety and performance

2. Trip alarms that inform the operator of the first-out alarmjust before reactor trip

3. Safety-related status such as engineering safety featuresrelated system actuation

4. System alarms representing system-wide abnormalitiesor non-normal system status

5. Mimic diagram of the nuclear island and the turbineisland with key operating variables

6. Operators’ sharing information such as reactor coolantpressure versus hot-leg temperature curve (P-T curve) orRankine cycle

2.3. Work station

2.3.1. Operator work stations and supervisor work stationOn these work stations, the tasks that can be performed

are identical. Some CRTs and flat display panels (FDPs) arelocated on the upper portions of the work stations and arededicated to plant monitoring while some FDPs, switches,and buttons are arranged in the middle portions of the workstations and are dedicated to interaction with the HMI orplant control.

The two operator work stations can be used inde-pendently, and all monitoring and control functions forplant operation can be executed on a single operator workstation. Therefore, one operator work station is dedicated toplant operation in a normal state and the other work stationscan be used for only monitoring. The second operator workstation takes part in operation when the primary operatorwork station in use fails to function or when many control

Fig. 1. Advanced human–machine interface overview.

111Soon Heung Chang et al./Reliability Engineering and System Safety 64 (1999) 109–126

tasks are required. In case two operator work stations are inuse, the operators’ tasks are definitely allocated betweenthese two work stations. It is when two operator workstations fail to function or one operator work station failsto function while two are required that the supervisor workstation is employed for plant control.

As shown in Fig. 1, the operator work station is composedof four consoles: dynamic alarm console (DAC), systeminformation console (SIC), computerized operating-procedure console (COC), and safety system informationconsole (SSIC).

The roles of the DAC are the processing and presentationof multiple activated alarms as well as the offer of alarmrelated information and abnormal operating procedures.Nuisance alarms are eliminated and unnecessary alarmsfor status identification are suppressed among activatedones. And then the remaining activated alarms areprioritized through system-oriented and mode-orientedprioritization. The processed alarms are expressed in aclear and compact form of presentation or meaningfulinteraction with the operator.

In case of the SIC design, the most important design goalthat should be embodied in the SIC is easiness of plantmonitoring and process control tasks performed byoperators. In other words, the SIC should provide operatorswith appropriate information in a form which is directlyusable to carry out their tasks. For this purpose, the‘means–end abstraction hierarchy’ concept is consideredto support monitoring tasks, and the ‘skill-rule-knowledgebased behavior’ concept is considered to determine theappropriate form of information that is consistent withoperators’ behavior. The SIC displays simplified pipingand instrument diagrams (P&IDs) to provide the operatorwith system information required for plant monitoring. Theoperating status of equipment/components, active paths, andnecessary operating variables are dynamically displayed inthe P&IDs. Control actions are also performed using theP&IDs, which provides a good sense of control becausethe effect of a control action can be displayed to operatorsso that they may get immediate feedback from the plant.The SIC is closely linked with the DAC and the COC topresent related P&ID information under the request of theseconsoles.

In the COC, the general operating procedures (GOPs) fornormal plant startup/shutdown and the emergency operatingprocedures (EOPs) for plant safe shutdown are elec-tronically displayed and traced. Each step of the procedureis presented in the form of a flowchart with detailedinstructions, and the P&ID related to the procedure is auto-matically displayed on the SIC to facilitate the operator’scontrol actions, if necessary.

The SSIC continuously displays safety system status onthe four FDPs. It also enables operators to control safetysystems. In case of the SIC, although it can provide all theinformation of safety systems and non-safety systems,control over safety systems is not permitted on it.

2.3.2. Safety advisor work stationThis work station is equipped for a safety advisor, a tech-

nical advisor, and other operating crews who will participatein operation during an emergency state. The safety advisorwork station can participate in plant operation when thereare no other available work stations or another work stationonly is available while two are required. There is anoperation support console at this work station which is notavailable at the other ones, because this console aims atsupporting a safety/technical advisor in evaluating plantstatus or equipment/component states for useful advice onoperation but it has nothing to do with plant monitoring andcontrol functions directly. The operator aids that theoperation support console provides are composed of a per-formance diagnosis module, an event diagnosis module, anda malfunction diagnosis module.

The performance diagnosis module has the followingfunctions: (1) calculating current performance indices andchecking whether the performance of an NPP is degraded bymathematical analysis, (2) diagnosing the cause of degrada-tion using Bayesian belief network, and (3) optimizing plantoperational strategy. The main objective of the eventdiagnosis module is to identify events using wavelets andpattern matching in order to support operators’ symptom-based diagnosis. The malfunction diagnosis module hasbeen developed for rotating systems such as a reactorcoolant pump, a turbine generator and so on. The majorfunctions of this module are (1) on-line monitoring ofsystem conditions, (2) prediction of system failure, (3)identification of the root causes of failures, and (4) advisingoptimal treatment.

2.3.3. Auxiliary control stationThis station is designed to control the essential functions

required for plant safe shutdown should controls on thework stations become inoperative. The control devices onthis station adopt hardwired logic for diversity purposes inorder to avoid a common mode failure with the workstations. The auxiliary control station also has a safety para-meter display system on the top portion of it in order tocontinuously display Regulatory Guide 1.97 category 1, 2,3 parameters [16].

3. Development strategies of advanced human–machineinterface

The functional structure of the proposed HMI is shown inFig. 2. For the whole spectrum of reactor operation includ-ing emergency response, the operator can monitor the plantstatus on the LDPs, the SIC, the SSIC, and the SPDS. TheDAC covers abnormal and plant transient events throughalarm information processing, while, during normal plantstartup/shutdown or after a reactor scram, the COC providesthe operator with the computerized operating procedures ona plant-specific basis.


3.1. Plant status monitoring and control

3.1.1. Key informationThe LDPs present dynamic display of key operating

information so as to maintain the operator’s continuousawareness of plant-wide status regardless of the detailednature of his/her current operating task and to provide theproper coordination and direction of control operation. Thekey information was selected considering the followingaspects:

1. Should the information be monitored in ‘electricitygeneration’ and ‘safety’ respects?

2. Should the information be grasped before the operatorstarts tasks after operating crews’ shift?

3. Is the information frequently used during plantoperation?

The following information selected is displayed on theLDPs as the key information.

3.1.1.1. Critical function alarms related to plant safety andperformance.The critical function alarm consist of thecritical safety function (CSF) alarms indicating functionalanomalies related to safety, and the critical performancefunction (CPF) alarms indicating those related to plantperformance. The CSF is classified into nine functionssuch as core heat removal, subcriticality, primary coolantinventory, primary pressure, primary heat removal,containment (CTMT) environments, CTMT isolation,vital auxiliaries, and environmental radiation emission

monitoring. The CPF is composed of nine functions suchas heat generation, heat transfer, fuel treatment, steamgeneration, steam supply, steam condensation, feedwatersupply, thermal to mechanical, and mechanical toelectrical. The trip alarm panel and the safety relatedstatus indicators are also dedicated to the LDPs.

3.1.1.2. System alarms.These alarms notify the anomaliesof front line systems and support systems. Because a logicalhierarchical structure is established between these systemalarms and individual alarms activated from plantequipment/components, system alarms can alert theoperator not only to individual alarm activation within asystem but also to the impact of their abnormalities.

3.1.1.3. Key operating variables.The two middle LDPsalways display key operating variables of the nuclearisland and the turbine island with simplified system mimicdiagrams. The selected key variables are listed in Table 1.

3.1.1.4. Operators’ sharing information.It is sometimesnecessary for operating crews to share the trends of mainplant parameters of P&IDs. This is important in that sharedinformation can provide operating crews with clear,concise, and continuous reference for communication.Thus, the right-hand side LDP is designed to be a variabledisplay system to output any displays depending on theoperator’s intention.

The key information on the LDPs is presented in various

Fig. 2. Functional diagram of advanced human–machine interface.


formats including symbol, text and graph, and color codingis consistently used to indicate the degree of alarm impact,the operating status of equipment/components, and thedeviations from normal ranges of quantitative variables.

3.1.2. System informationMost of operations are accomplished depending on the

system information provided on the SIC except when theplant is in an emergency state or when urgent control isrequired. The displays used for monitoring and control func-tions are arranged in a hierarchy. This hierarchy is used fordetermining the contents and structure of the interface, andis constructed on the basis of the functional analysis report[17] in which all plant systems are analyzed by systemexperts with respect to their functions. This hierarchyconsists of four levels (such as operational goals, criticalfunctions, system-level functions and equipment/component-level functions), and each level corresponds toabstract function, generalized function, physical function,and physical form of the means–end hierarchy, respec-tively. Operators can monitor plant status more easily

because this hierarchy can provide them with clear andsystematic paths. In addition, in order to determine theappropriate form of information that is displayed in theSIC, skill-rule-knowledge based behaviors are considered.In general, skill- or rule-based behavior of the operator isappropriate in routine situations and does not involvereasoning process. Because of this, in a skill-basedbehavioral domain, operators could perform their tasksusing information for reference (i.e. required) and actual(i.e. current) status/value for a target component or a processvariable. Thus, a table that compares reference and actualvalues could be a useful format for skill-based behaviors. Inaddition, because information that can give familiar patternsto operators would be required in rule-based behaviors, notonly comparisons between reference and actual values butalso trend graphs that can provide operators with historicaldata may be needed. Knowledge-based behavior, however,requires deep knowledge of a plant, such as current status ofsystems/components that are interrelated with a targetsystem/component and active flow paths, etc.

On the basis of the above considerations, to support not

Table 1Key operating variables displayed on the large display panels

Characteristic Nuclear island Turbine island

Parameter Reactor power SG pressureRCS hot-leg temperature SG levelRCS cold-leg temperature Main steam pressurePRZR pressure Main steam flowPRZR level Main feedwater flowLetdown flow Auxiliary feedwater flowLetdown flow backpressure Condensate storage tank levelVolume control tank level Moisture separator and reheater levelBoric acid charging flow rate Condenser levelBoric acid storage tank level Deaerator storage tank levelSafety injection flowShutdown cooling heat exchanger

outlet temperatureRWST levelReactor vessel levelCTMT pressureCTMT temperatureCTMT spray flow rateCTMT sump levelCTMT spray additive tank levelCTMT hydrogen concentration

Status Reactor coolant pump SG PORVPRZR heater Main steam line isolation valvePRZR PORV Feedwater isolation valveLetdown isolation valve Feedwater pumpCharging isolation valve Auxiliary feedwater pumpSafety injection pump Condensate pumpCTMT isolation valve Auxiliary feedwater isolation valveCTMT spray pumpCTMT spray additive pump

CTMT: containment.PORV: power operated relief valve.PRZR: pressurizer.RWST: refueling water storage tank.SG: steam generator.


only skill- or rule-based behaviors but also knowledge-based behaviors of operators, P&ID format is selected asthe default format in the SIC design. In a P&ID, informationfor skill- or rule-based behaviors, such as comparisonsbetween reference and actual values or trend graphs ofprocess variables, are displayed. In addition, informationfor knowledge-based behaviors, such as statusinformation that can provide operators with active flowpaths or current status of individual system/componentthat can be affected by the status of interrelated systems,are displayed.

Besides, because operators perform emergency operationsusing the COC, information display formats of the COC arealso determined by skill-rule-knowledge based behaviors.That is, if current tasks to be carried out belong to skill-orrule-based behaviors, then a table that contains comparativeresults between reference and actual values and trend graphsare displayed on the CRT of the COC. In addition, the COCis designed so various information that could be helpful toperform knowledge-based tasks can be provided withoperators. For example, summarized tables, trend graphs,P-T curve are displayed on the CRT of the COC, and

Fig. 3. Hierarchical structure of plant information.

Fig. 4. Equipment-level P&ID display for non-safety system monitoring.


active paths or interrelated systems/component status areautomatically displayed on the CRT of the SIC.

The operator interaction CRT of the DAC and that of theCOC can be utilized as an auxiliary facility to maximize theusage of a display device if the plant is not in an abnormal/emergency operation.

3.1.2.1. Plant monitoring.The system information on theSIC includes (1) operating status of plant systems,equipment, and components, (2) operating variables, and(3) on-line condition monitoring results on plantcomponents. The plant information is organized in a four-level hierarchy, as shown in Fig. 3, and any information ofthe hierarchy can be accessed by three steps via thefollowing sequence:

The level 1 items result from the classification of theoperational goals and the level 2 items constitute the criticalfunctions of the level 1 ones. On the CRT of the SIC, thelevel 1 items are displayed in menu forms and their statesare dynamically changed according to the plant status to

inform the operator of the functional losses. If the operatorselects a level 1 item, the corresponding success path isdisplayed. The success paths aid the operator in quicklyidentifying the location where abnormal conditions aredetected within systems by flashing related systems on thepaths. The relations between upper level items and thirdlevel systems on the success paths are logically organized.

On the success path, if the operator selects one system,the equipment-level P&ID related to the selected system isprovided on the CRT of the SIC, as shown in Fig. 4. Thedetailed information of an operating variable or equipmentcan be obtained by clicking the corresponding position.

In addition to hierarchical information access, a directaccess method is provided considering the user’s profile.That is, the required P&ID would be immediately displayedby inputting the designators of equipment/components.

3.1.2.2. Equipment-level control.Control tasks are closelycoupled with monitoring to improve control efficiency andto reduce human errors. A control action is performed using

Table 2Major controls in nuclear power plants

Control system Controlling parameter Controlled parameter

Power control system CEA position Reactor powerPRZR pressure control system PRZR heaters and spray flow PRZR pressurePRZR level control system Charging pumps and letdown valves PRZR levelFeedwater control system Positions of feedwater control valves and pump speed SG levelSteam bypass control system Positions of steam bypass valves Secondary pressure

CEA: control element assembly.PRZR: pressurizer.

Fig. 5. Equipment-level P&ID display for safety system monitoring.


controlling parameters and controlled parameters shown inTable 2. These parameters are displayed in the P&IDs andcontrolled using soft control. The effect of a control action isdisplayed in the same P&ID for the operator to confirmfeedback from the plant. In addition, the required prestartconditions are automatically checked before equipment isstarted if it is to be controlled.

3.1.3. Safety system informationMonitoring and control actions that are related to safety

systems are performed on the SSIC. The SSIC consists offour FDPs as shown in Fig. 5.

The lower two FDPs display the simplified equipment-level P&IDs required for safety system status monitoringand control, and the upper left FDP displays supplementaryinformation such as trend graphs, and the upper rightFDP displays important alarms or status information ofthe corresponding safety system. Similar to the SIC, theoperating status of equipment/components, active paths,and necessary operating variables are dynamicallydisplayed in the P&IDs of the SSIC, and control actionsover safety systems are performed in a similar way to theSIC.

3.1.4. Backup or safety related system controlThe hardwired auxiliary control station is equipped

between two operator work stations to bring the plant tosafe shutdown and keep it there, under all operating condi-tions, in case the controllable work stations are unavailable.

The following tasks only can be executed on this station:reactor trip, safety injection, auxiliary feedwater systemstartup, containment isolation and containment spray,main steam line isolation, and normal feedwater pumptrip. These tasks cannot be executed by interlock whenother work stations are used for plant operation. Operatorscan use information provided on the LDPs and on the SSICwhen they operate the plant in the auxiliary control station.

The safety parameter display system (SPDS) is located inthe upper portion of the auxiliary control station. The objec-tive of the SPDS is to monitor reliable plant parameters inabnormal/emergency states. So the parameters in the SPDSare displayed using plant signals from post accidentmonitoring system, and composed on the basis of thecategories in Regulatory Guide 1.97. The two upper FDPsof the SPDS consist of category I and III parameters respec-tively and the two lower FDPs are dedicated to category IIparameters. Each FDP has two level structures. Top leveldisplays show the small trend graph of each parameter withcolor coding depending on the signal ranges. When a para-meter is selected in the top level display, the correspondingsub-level display pops up to provide the detailed informa-tion containing time, train/loop, and digital signal status,etc. Fig. 6 shows the CRT display of the SPDS.

3.2. Alarm processing and presentation

Conventional alarm systems have an advantage that allactivated alarms can be perceived without the operator’s

Fig. 6. CRT display of the safety parameter display system.


efforts because all alarms are spatially dedicated. But theyalso have the following shortcomings:

1. If there are so many alarms presented under special situa-tions such as design basis accidents, they would bebeyond the operator’s recognition capability. So thealarm system may be of no use because of an informationavalanche.

2. The operator has difficulty in identifying actual plantstatus early and accurately because there is no distinctionbetween important and unimportant alarms.

To overcome these shortcomings, improved alarm pro-cessing schemes have been proposed and implemented withadvanced computer technologies [18–20]. In the proposedHMI, dedicated alarm tiles are used together with a CRT-based alarm system including various alarm processinglogic.

3.2.1. Alarm hierarchy establishmentThe aim of an organized alarm hierarchy is to improve the

operators’ ability to utilize alarm information because CRTmedia with limited display area cannot accommodateparallel presentation such as alarm tiles. The operatingexperiences and the EPRI utility requirement documents[21] have shown that the alarm information organized byfunction or system is advantageous for situation awareness.The alarm hierarchy is constructed on the basis of the plantfunctional analysis to meet the consistency with the search-ing hierarchy of plant operation information. The alarmhierarchy has three levels as follows:

1. Plant alarms: critical function alarms related to theperformance and safety of the plant,

2. System alarms: system alarms that indicate system-levelabnormalities,

3. Individual alarms: individual alarms that indicate theanomalies of equipment or components.

The hierarchy is established in order to show the propa-gation of alarm impact from equipment level to plantfunctional level. The individual alarms are similar to thoseof conventional alarm systems. System alarms are activatedby the activation logic considering system roles and indi-vidual alarms. Similarly plant alarms have the activationlogic considering functional essentialness and systemalarms. Through the alarm hierarchy, situation awarenesscapability can be improved on the CRT-based alarm consolebecause upper level alarms have the integral concepts oflower level alarms.

3.2.2. Individual alarm processingBasically alarm processing reflects the ‘dark board at

power’ concept. From the existing alarm systems, it iswell known that there is strong inter-relationship betweenthe number of generated alarms and operators’ errors.Therefore the ‘dark board at power’ concept is a kind ofstrategy to improve situation awareness capability and a

method to reduce operators’ errors. After individual alarmsare generated, nuisance alarms are eliminated, followed bythe suppression of unnecessary alarms or acquiring andunderstanding plant status. Finally, the residual alarms areprioritized.

3.2.2.1. Elimination and suppression.Temporary alarmsmay happen in plant transients or upsets that inducemomentary physical disturbances. These nuisance alarmsare unnecessary and should be eliminated. In the proposedHMI, possible momentary alarms that may occur due tostartup of equipment such as pumps or cooling fans, areeliminated using time delays. After the elimination ofnuisance alarms, the following alarms, that do notcontribute significant new information or are not urgent,are suppressed:

1. Consequential alarms that result from coexisting causalalarms,

2. Level precursors that usually occur when there are two ormore setpoints on the same process parameter,

3. Mode dependent alarms that are meaningless in thecurrent operational mode,

4. State dependent alarms originating from a piece ofequipment or a subsystem that is not in use,

5. Status indicators that provide only operation information.

3.2.2.2. Prioritization.The priority in the DAC is assignedby two methodologies. The one is the system-orientedprioritization that evaluates individual alarms consideringurgency of recovery actions and severity of their impacts,and the other is the mode-oriented prioritization consideringsystem roles in accordance with plant operational modes.And then, the final priority of an individual alarm isdetermined on the basis of the priority logic matrixsynthesizing the system-oriented priority and the mode-oriented priority.

The system-oriented prioritization aims to identify theimportance of the alarm within the system to which itbelongs. In this step, the importance of the system itself inplant function is not considered. The priority is determinedfrom three points of view: equipment/component role,severity of alarm impact, and response type.

1. Equipment/component role is classified into ‘essential’ ifthe equipment/component to which the alarm belongsplays an essential role in accomplishing the main func-tion of the related system. Otherwise, ‘support’ isassigned.

2. Severity of alarm impact is divided into ‘severe’,‘middle’, and ‘slight’ according to the impact of thesetpoint of the alarm on the equipment to which itbelongs. ‘Severe’ means that the setpoint violation maythreaten the operability of the related equipment.‘Middle’ means that the setpoint violation may degradethe performance of the related equipment. ‘Slight’


indicates sensor deviation or equipment status deviationthat is not significant to operation.

3. Response type is classified into ‘urgent manual’, ‘follow-up manual’, and ‘just confirmative’. Response type is‘urgent manual’ if the operator’s manual action isimmediately required for the function recovery. On theother hand, if the operator’s recovery action is allowed tobe delayed, the type is ‘follow-up manual’. ‘Just con-firmative’ means that the operator’s verification only isneeded without manual actions.

To assign a mode-oriented priority, the essentialness ofall systems in the plant should be analyzed according toplant operational modes. In the DAC, six plant operationalmodes are recognized, as shown in Table 3 [22].

This prioritization is not directly associated with theimportance of the alarm itself. In this step, each system isclassified into two types: essential system and supportsystem.

1. A system is classified into an essential system if the plantsafety or performance is directly jeopardized whenthe system is removed from service in the currentoperational mode.

2. A support system is defined as a system that operatescontinuously or periodically in the current operationalmode, and its anomaly or inoperability cannot give riseto immediate impacts to the plant.

The essentialness of systems can be identified from thefunctional analysis which was accomplished for the alarmhierarchy establishment. The priority logic matrix is able tooffer the quantification method of alarm prioritization that isvery qualitative. In the priority logic matrix the rank alloca-tion method synthesizing the system-oriented priority andthe mode-oriented priority is used. The priority logic matrixis shown in Table 4. The allocated rank is divided into threecategories in accordance with its property, and this is thefinal priority.

3.2.2.3. Knowledge base construction.A knowledge basefor alarm processing may be exceedingly large and complexbecause the proposed HMI adopts the various alarmprocessing techniques. Therefore the construction and thevalidation of the knowledge base is not easy generally.Considering these difficulties, the knowledge base inputtool for alarm (KIT-A) has been developed, which

supports a modal input method to reduce input errors andto enhance the maintenance flexibility of a knowledge base.The KIT-A has the following features:

1. The KIT-A can handle all types of existing alarm proces-sing techniques and create a knowledge base used in theDAC.

2. The functional level of the KIT-A is composed of fourlevels to operate alarm prioritization as well as alarmelimination/suppression. The description of each func-tional level is shown in Fig. 7. The functional level 1,2, and 3 are for prioritization and the functional level 4 isfor elimination/suppression.

3. All the alarm elimination/suppression methodologies inthe KIT-A are expressed and processed with four dataitems, that is ‘suppression technique name’, ‘initialcheck time’, ‘final check time’, and ‘suppression logic’.

4. The syntax-based editor using the graphic user interfacehas been implemented to reduce work errors.

Alarm processing knowledge base for Yonggwangnuclear unit 3, 4 has been constructed by the KIT-A tooperate the DAC.

3.2.3. Alarm presentationAlarm information may be dynamically changed accord-

ing to plant status should be provided irrespective of theoperator’s intervention. On the basis of this principle, inthe proposed HMI, dedicated alarm tiles and two CRTsare used for meaningful interaction with alarm information.

The plant alarms, the system alarms and the trip alarmsare provided on the LDPs using the dedicated alarm tiles.Two CRTs consist of the alarm list exclusive CRT and theoperator interaction CRT. They are adopted to solve theshortcomings under CRT-based display, that is the difficultyof dedicated display. Display items to accommodate theseproblems are selected and are allocated to each CRT. Thepurpose of the alarm list exclusive CRT is for the continuousmonitoring of the highest priority alarms. Because thenavigation to other displays is possible in the CRT-basedconsole, the alarm list exclusive CRT should be provided forthe operator’s continuous monitoring. In the operator inter-action CRT, the operator can get the whole informationrelated to alarm processing. Information that is presentedin the operator interaction CRT is as follows:

1. Individual alarms are listed in activated time order. The

Table 3Classification of plant operational modes

Mode number Description Reactivity condition % Rated thermal power Average coolant temperature

1 Power operation $ 0.99 . 5% Tavg $ 1778C2 Startup $ 0.99 # 5% Tavg $ 1778C3 Hot standby , 0.99 0 Tavg $ 1778C4 Hot shutdown , 0.99 0 998C , Tavg , 1778C5 Cold shutdown , 0.99 0 Tavg # 998C6 Refueling # 0.95 0 Tavg # 578C


Table 4Priority logic matrix used in the dynamic alarm console

Static prioritization Dynamic prioritization Final priority

Equipment role Impact severity Response type System Role

Essential Severe Urgent manual Essential 1Support 2

Essential Severe Follow-up manual Essential 1Support 2

Essential Severe Just confirmative Essential 1Support 2

Essential Middle Urgent manual Essential 2Support 3

Essential Middle Follow-up manual Essential 2Support 3

Essential Middle Just confirmative Essential 2Support 3

Essential Slight Urgent manual Essential 2Support 3

Essential Slight Follow-up manual Essential 2Support 3

Essential Slight Just confirmative Essential 3Support 3

Support Severe Urgent manual Essential 2Support 3

Support Severe Follow-up manual Essential 2Support 3

Support Severe Just confirmative Essential 3Support 3

Support Middle Urgent manual Essential 3Support 3

Support Middle Follow-up manual Essential 3Support 3

Support Middle Just confirmative Essential 3Support 3

Support Slight Urgent manual Essential 3Support 3

Support Slight Follow-up manual Essential 3Support 3

Support Slight Just confirmative Essential 3Support 3

Fig. 7. Functional levels of the knowledge base input tool for alarm.


alarm list takes four items, that is ‘time’, ‘system desig-nator’, ‘alarm description’, and ‘priority’. Fig. 8 showsthe individual alarm list on the operator interaction CRT.The individual alarm list can be rearranged with respectto system or priority when there is the operator’s request.When the individual alarm list is sorted out by system,the P&ID of the selected system is displayed on the SICautomatically.

2. The alarm response procedure is provided when theoperator selects an alarm in the individual alarm list.

3. Abnormal operating procedures that are linked withsystem alarms are provided.

4. The operator can get information of suppressed alarms atany time. Suppressed alarms can also be sorted out bysystem.

5. All the alarms dedicated to the LDPs, that is plant alarms,system alarms and trip alarms, are displayed.

6. Ringback function that informs of the disappearance ofalarms is achieved by dimming the colors of alarmstrings.

7. Paging technique is used to display activated alarms overmultiple pages.

8. Audible tone is generated with a new alarm activation, todraw the operator’s attention.

3.3. Computerization of operating procedures

When an NPP is in a normal state, the operator performs

routine monitoring and control actions to maintain the systemcondition. These tasks are not too complex to cause muchcognitive burden or human errors over one or more operators.This means that a single operator is able to operate a plantduring a normal state. It is during normal plant startup andshutdown or after a rector trip that most of the operators havefelt a physical/cognitive over burden [23].

The hard copy operating procedures exist for virtually allaspects of reactor operation including emergency response.These procedures which are written sequentially, however,may not be possible to implement in the situation wheremany complex knowledge-based tasks should be performedsimultaneously. Because of that, the computerized pro-cedure systems have been developed in active areas[11,24–26]. In the proposed HMI, both GOPs and EOPsare computerized in the COC to support the operator incoping with plant events.

3.3.1. Computerization strategiesProcedure tasks are composed of monitoring, decision-

making, and control. The main activities of monitoring areperception and judgment. This monitoring can be classifiedinto two categories as follows. Simple monitoring is asimple observation of parameter values or equipment/component status by the human sensory systems. Cognitivemonitoring is an observation that needs complex inference,such as the interpretation of the time trends of operatingvariables or the prediction of their future trends.

Fig. 8. Individual alarm list on the operator interaction CRT.


The operating procedures require decisions which mustbe made on a plant- and event-specific basis. Thesedecisions include the diagnostic tasks required to performappropriate optimal recovery operations and the decisionpoints to choose the proper strategy when alternativeresponse strategies are available.

Control is a direct action that aims at driving the plant to adesired state. Control can be classified into two categories asfollows. Binary control is a selective action between binarystates such as the open/close of valves or the start/stop ofpumps. Analog control is a complex action to control pro-cess variables such as temperature, pressure, and level,intentionally. Even if this action seems to be qualitative,the actual tasks for analog control are the proper manipula-tion of valves/pumps or the adjustment of control valves inmost cases.

One of the basic principles in the design of the COC isthat the operator shall retain control and shall be the finalauthority whether or not to proceed. So the increased auto-mation through hard automation, whose purpose is tosubstitute sequence master controls for existing manual con-trols, has not been pursued whereas soft automation, whosepurpose is to support the operator by providing various plantprocess information in a timely manner, has been achievedsubstantially. That is, simple monitoring is accomplished bya computer and the operator has only to acknowledge oroverride its results. Regarding cognitive monitoring anddecisions, they are up to the operator because they havesome qualitative tasks that are difficult to computerizereliably. Trend information or a P-T curve is provided tosupport the operator’s task instead. This cooperativeapproach can maintain the operator’s awareness of thedetailed plant situation and also maintain his or her alertness

through appropriate workload level. In case of control,although control actions are not permitted on the COC,the related P&ID is automatically displayed on the SIC inaddition to the values of operating variables and their trendinformation on the COC. So the operator does not have totake additional cognitive burden due to the navigation overplant information and can get the feedback information thatcould be used to confirm whether a control action is appro-priate or not. The P&ID information on the SIC includes thestate of the system related to the target equipment for con-trol, the states of equipment, and active paths, before andafter control actions.

3.3.2. Structure of the COCAs shown in Fig. 9, the internal structure of the COC

consists of the procedure database, the COC kernel, andthe COC HMI.

The procedure database contains operating procedure lists,procedure flow logic, instruction logic, and backgroundtasks, etc. The COC kernel handles information from theprocedure database and on-line data from the plant pro-cess computer, and displays the processed results on theCOC HMI. The kernel also receives manual check resultsor acknowledgment signals on the decision of a compu-ter, from the operator through the COC HMI, and reflectsthem in the selection of the next instruction that needs tobe done.

This kernel-based approach gives much flexibility indeveloping and maintaining computerized proceduresystems. It is not necessary to modify the other partsof the COC except the procedure database in casesome changes have been made over the operatingprocedures.

Fig. 9. Structure of the computerized operating-procedure console.


3.3.3. Procedure presentationThe computerized procedure display on the COC is

shown in Fig. 10. At the left-top of the display, the pro-cedure name to be currently performed is displayed andthe step number with its performer is indicated at theright-top. The right-middle window is the step-descriptionwindow that displays the detailed instructions in relation tothe corresponding step. This window also informs the operatorwhether the current instruction rule is satisfied or not tosupport quick judgment. Here the expected plant responsesand actions are presented in the left column whereas theactions for unsatisfied instructions in the right column. InFig. 10, the step-description window shows the followinginstructions:

1. Verify whether the main steam lines should be isolated ornot. If the lines do not have to be isolated, proceed to thestep 16.0.

2. If the main steam lines should be isolated, verify themain steam lines isolation valves and the bypass valvesare closed. If not, close the valves manually.

The plant parameters related to the current instruction aredynamically displayed on the right-middle window if theoperator clicks the instruction. In addition, the right-middlewindow provides operators with radio buttons to receivetheir manual check results, and its sub-level windowpresents the trends of plant parameters and the P-T curve

to analyze the temperature and pressure relation for thesubcooling margin.

As the purpose of the step-description window is to dis-play the current step in detail, it is difficult to predict thenext actions depending on plant states. To overcome thisproblem, the flowchart window at the left-middle displaysthree categories of steps. The first section displays theprevious step, before the current step, which has alreadybeen taken by the operator. The middle section displaysthe current step that is being taken, and the last sectiondisplays the next step to be taken.

The bottom panel of the display is composed of three seg-ments for efficient dialogue with the operator. In the firstsegment, there is provision to allow the operator to retracecertain sequences of steps to review operational track. Themeans for acknowledging the results of a computer and forpaging technique are given in the second segment. In the thirdsegment, the functions for reminding the operator of back-ground tasks including continuous action steps and safetyfunction status check, for listing the COC logging, and foropening other procedures to be performed are provided.

4. Evaluation of the human–machine interface

Human factors related problems should be consideredappropriately from the early design phase to the development

Fig. 10. Procedure display on the computerized operating-procedure console.


phase of the HMI. This means that the HMI should bedesigned and evaluated through the whole design phase inorder to maximize the performance of operators’ primarytasks (process monitoring, decision-making and process con-trol), and to minimize their errors and workload. For thispurpose, HMI designers have been faced with the problemsof (1) designing an HMI to address human factors issuessatisfactorily, and (2) evaluating the efficacy of a designedHMI.

Regarding the proposed HMI, the static evaluation hasbeen applied. Here, the static evaluation means the onebased on the checklists that are extracted from guidelinesand research reports on HMI design because these guide-lines and research reports can offer proper directions ofHMI design by incorporating practical experience with

theoretical/empirical studies. The static evaluation isadvantageous in view of the fulfillment of design require-ments in that this evaluation makes it easy to get designfeedback from the evaluation results.

To establish evaluation criteria, the operating experiencesrelated to conventional alarm systems, information displaysystems, process control systems and operating proceduresof NPPs have been surveyed from the operating experiencereview reports [27,28]. Table 5 shows the brief results of theoperating experience review.

Based on the review results, five evaluation criteria, suchas consistency, task compatibility, minimization ofoperator’s workload, flexibility for the change or adjustmentof displayed information, and minimization of operators’accidental activation are identified. Then the check items,

Table 5The brief results of the operating experience review

HMI Problems

Alarm system No prioritization (a lot of alarms that have similar or nuisance meaning)Excessive number of alarms during disturbancesUnorganized or unstructured alarms that make difficulty to get integrated or clear features of current statusLack of flexibility to change the system or display configuration (rearranging activated alarms with respect to systems orpriorities)

Information display system Inconsistent designLack of flexibility to change the amount of displayed informationDifficulty to get direct usable information (task incompatibility)Functionally ungrouped or unstructured information

Process control system Inconsistent designLack of flexibility to change the amount of displayed informationMismatching between control device positions and component functionsLack of barriers to avoid accidental activation

Operating procedures Inappropriate information with emergency operating procedures (difficulty to get direct usable information)

Table 6Check items for static evaluation

Check item

General Are consistent interface design conventions for all display features, such as labels or symbols, evident from one display to another?Is information requested by operators available on the current display screen?Is all information displayed to operators in directly useable form according to the characteristics of currently performing tasks?Can operators handle the amount of displayed information to meet task requirements?Do overlays distract or interfere with the observation or interpretation of displayed information?

LDP Does the LDP provide the display of a limited number of key operating parameters?Does the LDP provide the display of high-level derived quantities that depend on a particular logic algorithm, if such information directlysupports the use of the LDP?Does the LDP provide the spatially dedicated display of certain key alarms or similar alarm-like information that need to be brought to theoperator’s attention?

DAC Are the alarm generation criteria coincident with the ‘dark board at normal power’ concept?Are alarms presented in a manner that prioritizes them so that the operator’s response can be caused on their relative importance or urgencyand the time within which the operator must take action?Is there the alarm information logical structure so as to provide integrated or clear features of current status?

COC Do the procedures normally provide on the same display as the procedure the parameters necessary for the operator to make each decisionrequired?Are the procedures coordinated with use of controls required for the procedures?Do the procedures provide a function for floating step monitoring to reduce the operator’s workload?

SIC and SSIC Do the SIC and the SSIC include all information that are provided on the LDP?Are demand indications, such as power to solenoid valve or pressure to an air actuator, supplied only if operators require them?Is a continuous indication for control or throttling valves provided so that the operator has an immediate feedback of a control action?

SPDS Are dedicated displays available to provide continuous indication of at least the minimum set of parameters necessary to assess the safetystatus of the plant?


which can evaluate whether these evaluation criteria areproperly embodied in the proposed HMI, are extractedfrom various materials [21,29–32]. The total number ofthe extracted check items is,90, and a part of them areshown in Table 6.

Up to now, the static evaluation using the checklists hasbeen performed, and the evaluation results have beenreflected to refine the HMI design from the previous one[33].

In case of the SIC, one of the most significant designchanges is the spatial dedication of information that isneeded by operators. In the previous design, demand infor-mation (such as trend information) that is requested byoperators during a task execution is provided on the samedisplay screen using popup window, and some portion ofdisplayed P&ID is overlaid by it. However, according to thestatic evaluation results, this overlay is not appropriatebecause it may increase operator’s memory load. Thus, toavoid information overlay, some display area is dedicated todemand information, and Fig. 4 shows a dedicated displayfor trend information.

With regard to the DAC, the logical structures on whichthe activation of plant alarms and system alarms is based aremodified for operators to be aware of current situationsynthetically and clearly. In the previous HMI, alarmhierarchy consists of four levels, and plant alarms andsystem alarms are activated from simple bottom-uppropagation by individual alarm activation. However,according to the results of the static evaluation, the previousapproach turned out to be ineffective in giving meaningfulinformation within acceptable cognitive workload because alot of high-level alarms might be activated during transients.Thus, plant alarms and system alarms are so changed as tobe activated by the elaborate activation logic. In case of thesystem alarms, they are activated considering system rolesand individual alarms. Similarly, the plant alarms have anactivation logic considering their functional essentialnessand system alarms. In addition, both plant alarms andsystem alarms are prioritized into three levels.

Regarding the COC, the static evaluation results revealedthat monitoring function for floating steps should be treatedcarefully. These floating steps are those that are cued byspecific symptoms, such as containment pressure. Theyfloat on the back of operating procedures and should beperformed whenever related symptom set is observedbecause these floating steps take a high priority over thesteps in procedures. This means that monitoring of thesefloating steps will increase operators’ workload or memoryload because they should pay attention to monitor them inparallel with the ongoing procedure steps. Thus, monitoringfunction for floating steps is added in the COC. Toaccomplish this function, the COC periodically monitorsthe conditions of floating steps and informs the operatorof monitoring results.

In addition to the static evaluation, the dynamic evaluationincluding alarm processing capability verification and

response time comparison is planning to be made, if themock-up of the proposed HMI is integrated with the full-scopesimulator in Korea Electric Power Research Institute.

5. Conclusions

The advanced HMI for next generation nuclear powerplants has been developed and demonstrated. The keyelements of the proposed HMI are the LDPs which presentsynopsis of plant status and the compact, computer-basedwork stations or monitoring, control and protection func-tions. The work station consists of four consoles: a dynamicalarm console (DAC), a system information console (SIC), acomputerized operating-procedure console (COC), and asafety system information console (SSIC). The LDPsprovide a spatially dedicated, continuously viewable, inte-grated mimic presentation of plant status and the compact,computer-based work stations enable a single operator tooperate an NPP during a normal state with the followingfeatures:

1. All operating information is displayed in Korean asmuch as possible to help operators’ comprehension, con-sidering their Korean culture. The configuration of thework stations and the layout of the CRT displays weredesigned by focusing attention on the importance of theoperators’ role for NPPs.

2. Alarm hierarchy was established on the basis of thephysical and functional importance of alarms to showthe propagation of alarm impact from equipment levelto plant functional level. In addition, alarm informationis logically processed from generation to presentation.

3. The operating procedures are electronically displayedwith requisite plant information and are traced with theinteraction of the operator. During stressful conditionssuch as normal startup/shutdown or emergency opera-tions, the related P&ID information is automaticallyprovided on the SIC without time-consuming informationnavigation by linking the SIC with the DAC and the COC.

The proposed HMI has been evaluated statically toreview whether it is properly designed to deal with humanfactors issues reasonably. Based on the results of the staticevaluation, the irrelevant designs have been modified tomeet the related human factors guidelines.

In conclusion, a key advantage of the proposed HMIwould be its capability to support intelligent decisionmaking by the operator for the whole spectrum of reactoroperation, especially in interpretation and planning innon-routine situations such as handling plant disturbances.

Acknowledgements

The authors would like to acknowledge the auspices ofKorea Electric Power Corporation for the development of


the advanced human–machine interface. We also wish toexpress our appreciation to the KNGR man–machine inter-face design team in Korea Electric Power Research Institutefor their sincere support.

References

[1] Kim IS. Computerized systems for on-line management of failures: Astate-of-the-art discussion of alarm systems and diagnostic systemsapplied in the nuclear industry. Reliability Engineering and SystemSafety, 1994;44:279–295.

[2] Haugset K, Berg O, Bologna S, Fordestrommen NT, Kvalem J, NelsonWR, Yamane N. Improving safety through an integrated approach foradvanced control room development. Nuclear Engineering andDesign, 1992;134:341–354.

[3] Ridolfo F, Harmon D, Scarola K. The Nuplex 80þy advanced controlcomplex from ABB Combustion Engineering. Nuclear Safety,1993;34(1):64–75.

[4] N4: The 1500MWe PWR nuclear island technical description.Framatome, 1993;340.1.

[5] Westinghouse Electric Corp., AP600 standard safety analysis report,Revision 0. San Francisco, CA: US Department of Energy, 1992:18.9-1.

[6] Ross MA. Advanced control rooms: balancing automation andoperator-responsibility. Nuclear Engineering International,1993;March:37–39.

[7] Yamamoto Y, Kubota Y, Itotagawa T, Matsuzawa K, Ichimura Y,Tani M, Sakaue T, Saito M. Development of advanced main controlconsole. In: Proc. ANP’92 International Conference on Design andSafety of Advanced Nuclear Power Plants, Tokyo, Japan, 25–29October 1992;42.1-1.

[8] Aleite W. Testing time for Siemens/KWU’s PRINS/PRISCA at Isar IIand Emsland. Nuclear Engineering International, 1988;November.

[9] Boettcher DB. Man–machine: how Sizewell B matches up to EPRIrequirements. Nuclear Engineering International, 1993; November:52–54.

[10] Cheon SW, Kim HG, Kim WJ, Min BK, Chang SH, Chung HY.Development of an expert system for failure diagnosis of primarysystem components. Nuclear Technology, 1992;97(1):1–15.

[11] Chang SH, Kang KS, Choi SS, Kim HG, Jeong HK, Yu CU.Development of the on-line Operator Aid SYStem OASYS using arule-based expert system and fuzzy logic for nuclear power plants.Nuclear Technology, 1995;112:266–294.

[12] O’Hara JM, Hall RE. Advanced control rooms and crew performanceissues: implications for human reliability. IEEE Transactions onNuclear Science, 1992;39(4):919–923.

[13] Rasmussen J. Information processing and human–machine inter-action: an approach to cognitive engineering. Amsterdam: ElsevierScience, 1986.

[14] Rasmussen J. Skills, rules and knowledge: signals, signs and symbols,and other distinctions in human performance models. IEEETransactions on Systems, Man and Cybernetics, 1983;SMC13(3):257–266.

[15] Vicente KJ, Rasmussen J. Ecological interface design: theoreticalfoundations. IEEE Transactions on Systems, Man and Cybernetics,1992;22(4):509–606.

[16] US Nuclear Regulatory Commission, Instrumentation for light-water-cooled nuclear power plants to assess plant and environs conditionsduring and following an accident. Regulatory Guide 1.97, Revision 3,Washington, DC, 1983.

[17] Koo IS et al. Function analysis of nuclear power plants for developingof man–machine interface system for next generation reactor, Tech-nical Report, KAERI/TR-494/95, Korea Atomic Energy ResearchInstitute, February 1995.

[18] Kim IS, O’Hara M. Classification of alarm processing techniques andhuman performance issues. Proc Nuclear Plant Instrumentation,Control and Human–Machine Interface Technologies, 1993;April:465–469.

[19] Coreym FS, Ettinger B, Ketchel J. Control room annunciatorsystem replacement specification and evaluation of alarm suppres-sion and diagnostic schemes. Proc Nuclear Plant Instrumentation,Control and Human–Machine Interface Technologies, 1993;April:65–71.

[20] Kim IS. Computerized systems for on-line management of failures: astate-of-the-art discussion of alarm systems and diagnostic systemsapplied in the nuclear industry. Reliability Engineering and SystemSafety, 1994;44:279–295.

[21] EPR Advanced Light Water Reactor Utility Requirements Document,Man–Machine Interface Systems, vol. II, Ch. 10, 1993.

[22] Korea Electric Power Corp., Yonggwang nuclear units 3 & 4 finalsafety analysis report, Seoul, 1993.

[23] Iwaki K. Control room design and automation in the advanced BWR.In: Proc. International Symposium on Balancing Automation andHuman Action in Nuclear Power Plants, Munich, 9–13 July1990;399–412.

[24] Lipner MH, Orendi RG. Issues involved with computerizingemergency operating procedures. In: Proc. AI 91: Frontiers inInnovative Computing for Nuclear Industry, Jackson, WY, 15–18September 1991;556–565.

[25] Bhatnagar R, Miller DW, Hajek BK, Stasenko JE. An integratedoperator advisor system for plant monitoring, procedure management,and diagnosis. Nuclear Technology, 1990;89:281–317.

[26] De Vlaminck M, Martin E, Van Dyck Cl, Leboutte F, de Viron F. Aknowledge-based system to support nuclear power plant operators. In:Proc. EPRI Expert System Applications for the Electric PowerIndustry, Phoenix, AZ, 8–10 December 1993.

[27] ABB-CE. Operating experience review for system 80þ MMI design,NPX80-IC-RR790-01, Rev. 00, February 1992.

[28] US Nuclear Regulatory Commission, TMI-2 lessons learned taskforce final report, NUREG-0585, October 1979.

[29] US Nuclear Regulatory Commission, Human–system interface designreview guideline, NUREG-0700, Revision 1, Washington, DC, 1995.

[30] EPRI Research Project, Human factors guide for nuclear power plantcontrol room development, EPRI-NP-3659, August 1984.

[31] US Nuclear Regulatory Commission, Human factors engineeringguidance for the review of advanced alarm system, NUREG/CR-6105, September 1994.

[32] Dougherty E. Context and human reliability analysis. ReliabilityEngineering and System Safety, 1993;41:25–47.

[33] Choi SS, Park JK, Hong JH, Kim HG, Chang SH, Kang KS.Development strategies of an intelligent human–machine interfacefor next generation nuclear power plants. IEEE Transactions onNuclear Science, 1996;43(3):2096–2114.


Documents

Development of an advanced human–machine interface for next generation nuclear power plants