Computerised procedures and parallel information to guide the operator
5 April 2002
The Beznau nuclear power plant in Switzerland was the first with full implementation of the Westinghouse Compro system for emergency operating procedures as well as normal
F Portmann, NOK Kernkraftwerk Beznau, Doettingen, Switzerland and M H Lipner, Westinghouse Electric Company, Monroeville, PA, USA
To help plant operators assess the overall status of a plant in either normal or emergency conditions, Westinghouse has developed a CRT-based computerised procedures system, designated Compro. Compro utilises written procedures as the basis for textual displays and prompts which guide operators through procedures while providing parallel information about relevant plant parameters. By presenting this information in parallel, the operator always sees where he is in the context of the overall plant response. Compro provides an environment using major control room graphic displays and procedures together in an integrated fashion.
NOK's Beznau nuclear power plant in Switzerland was the first to fully implement the Compro system in emergency operating procedures (EOPs). In 2000 the Swiss regulatory authority HSK approved the use of Compro for the Beznau main control room; in fact the system had been used for training in the plant simulator since 1997. As part of a major control room modernisation, NOK replaced the main plant computer and added sophisticated graphic displays and an advanced alarm system, in addition to implementing Compro. The resulting enhancement of plant situation awareness provided by these state-of-the-art tools enabled Beznau to maintain its status as one of the most efficient nuclear plants in the world.
NOK recognised that the addition of these advanced systems required a different approach to that of operating the plant. To utilise the features effectively and to maximise the benefits available by implementing these new human-machine interface systems, NOK developed an operational model that more closely aligned the updated roles of the control room personnel with the capabilities inherent in the systems. Specifically, executing the EOPs with the computer-based procedures system involved creating and implementing a new paradigm. This involved a more efficient utilisation of the control board operators, elevating their required duties from those of equipment operators to system managers and maintaining a high degree of communication in the control room - absolutely essential for safe transient recovery.
A benefit of the system is that the computer and the operator roles complement each other for a more accurate implementation of the procedures, resulting in enhanced situation assessment by the operator. In addition, the system simultaneously monitors multiple plant parameters, brings all procedural information to one location, and provides detailed record keeping capability of the procedure execution.
The purpose of the online, data-driven system is to guide the user step-by-step through procedures by monitoring appropriate plant data, processing the data by identifying the recommended course of action, and providing necessary parallel information, which allows the user to assess other plant conditions requiring attention, such as 'notes', 'cautions' and 'foldout page' items.
The user's primary roles are monitoring the progression of plant procedures while maintaining a clear picture of the state of the plant, implementing control actions on the control board when they are required, and watching for unsafe plant conditions. The user retains both authority and responsibility for power plant operation - Compro is user-paced, advancing only if instructed to do so by the user.
The system operates on a two-CRT workstation. Procedural information appears on the first screen and supporting or supplementary procedural information appears on the second screen. Pull-down menus, located along the top of the main screen, allow access to supporting information.
The computerised procedures system provides benefits in the man-machine and control room integration areas. Procedure information is online and updated continuously. The operator becomes more vigilant, since a large amount of procedurally required information is available more or less instantaneously.
The cognitive demands placed on the operators are reduced, since all required procedural information is displayed, including the status of the current high level step (figures currently not available) (point 3, Figure 1); supporting substep/subsubstep information (point 4, Figure 1); contingency information (point 5, Figure 1); high-level safety information (point 7, Figure 2); and parallel information violations (points 8 and 9, Figure 2).
Compro supports the operator by displaying the status of previous procedure steps directly above the currently active procedure step (point 1, Figure 1). The system displays upcoming procedure steps directly below the currently active procedure (point 2, Figure 1). Showing historical and future steps gives the operator a guide to where he is in the current procedure.
The demand on operator time is decreased, since procedural calculations, such as selecting points from curves and selecting the correct rows from tables, are performed online. However, the system allows for more in-depth operator examination of the procedure database through the "displays" menu option at the top of the screen (point 11, Figure 2). For example, although the system computes values from curves and displays this information to the operator at the relevant point in the procedures, the system also has the capability to display the curve itself with the present value noted.
The operator (point 6, Figure 1) paces the computer. The user prompts are also context dependent, giving the operator the proper options at the correct point in the procedure execution (point 10, Figure 2).
Dual-headed workstations (Figure 3) expand the windows environment to support the co-ordination of procedural actions and process response. Procedure information (point 14, Figure 3), alarm information (point 15, Figure 3) and graphic display information (point 18, Figure 3) may be simultaneously viewed, reinforcing the operator's understanding of the impact of procedural actions on the plant. In this environment, a single cursor/mouse interacts with both CRTs (point 16, Figure 3).
Beznau operational model
The Beznau shift supervisor, who typically works through the specified paper-based emergency procedures, handles technical emergencies. The control-board operators obtain the parameters required in the procedures. Introduction of Compro changed the method of operation for the shift team. Therefore a user concept developed under the new operational model outlined rules for the shift supervisor, the desk operators and the engineers-on-call to follow. Defining each team member's role and responsibilities explicitly ensured that the system was optimal and that conventional equipment was included in the process.
Malfunctions and emergencies are divided into phases, beginning with reactor trip:
• Starting phase - reactor trip until the arrival of the engineer-on-call in the main control room (MCR)
• Contact phase - arrival of the engineer-on-call in the MCR
• Confirmation phase - verification of the computerised procedures information
• Monitoring/support phase - continuation of independent equipment monitoring
• Secondary phase - actions performed to mitigate the transient.
After the reactor has tripped, the shift supervisor opens the Compro application on his or her computer station and works through the EOP, designated as E-0: Reactor Trip or Safety Injection, alone. The desk operators carry out duties in their respective work areas and monitor the plant independently, based on the alarm system and conventional equipment. In the event of a divergence from the predefined projected status, they initiate corrective measures and notify the shift supervisor.
Using conventional equipment, the shift supervisor implements "key steps", which either confirm or question the validity of the Compro procedure. In the latter case Compro is switched out.
Key steps are selected according to the following criteria:
• Including an event-related switch to a different procedure as a result of certain parameters
• Identifying a critical step according to the EOPs
• Containing parameters that are verifiable with the conventional equipment.
The number of key steps for each procedure is less than 10. This concept allows the E-0 emergency procedure to be processed efficiently, usually within five minutes, but within a maximum of 10, up to the point where the transition to the event-related procedure is initiated.
The contact phase begins with the arrival of the engineer-on-call in the MCR, usually within 15 minutes. The shift supervisor informs the engineer-on-call of events observed and progress in following the emergency procedures.
The shift supervisor continues the execution of the procedure.
Engineers-on-call obtain an overview of the plant status, based on the critical safety functions (CSF). They independently and primarily use conventional equipment for their observations and, based on the symptoms observed, make a decision about the required event-related procedure. They compare their decision with the procedure initiated by the shift supervisor, thereby either confirming or questioning the validity of Compro. In the latter case Compro is switched out.
The shift team's method of operation under Compro is largely identical to the confirmation phase. The shift supervisor requests a confirmation of the key-step parameters from the conventional equipment by contacting the operators in their respective work areas. The operators obtain parameters from the equipment and report back.
Using conventional equipment to reproduce the computer-based analysis ensures the proper functioning and monitoring of Compro on a regular basis. The use of Compro is cancelled if conventional equipment parameters differ. The engineer-on-call verifies the procedure and confirms the key steps.
The secondary phase begins with the emergency staff's power to act, which takes 30 to 60 minutes. At this point in time, the emergency staff is in charge of handling the emergency. The shift team and the engineer-on-call follow emergency procedures as described in the preceding phases. An additional engineer-on-call at the MCR supports the duty engineer. In addition, an engineer-on-call provides the emergency staff with data from the plant computer information system, a procedure designed to relieve pressure on main control room personnel.
Switching to paper procedures
The use of Compro stops if conventional equipment cannot reproduce the computer-based analysis. Invalid parameters in the plant information database or unavailable screen displays require intervention. Once it has been determined that Compro should not continue being used in the transient recovery, the team continues with the paper version of the emergency procedures.
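The key-step confirmation and the switch to paper described above can be read as a fail-safe cross-check between two independent channels. The sketch below is an added example, not Westinghouse or NOK code; the parameter names, values, tolerances, the quality flag and the rule that a missing conventional reading counts as "not reproduced" are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_KEY_STEPS = 9  # the article states fewer than 10 key steps per procedure


@dataclass(frozen=True)
class KeyStep:
    step_id: str
    parameter: str
    tolerance: float  # assumed allowable absolute deviation between channels


@dataclass(frozen=True)
class ComputerValue:
    value: Optional[float]
    valid: bool  # assumed quality flag from the plant information database


def confirm_key_steps(
    key_steps: List[KeyStep],
    computer: Dict[str, ComputerValue],
    conventional: Dict[str, float],
) -> Tuple[str, List[Tuple[str, str]]]:
    """Return ("COMPUTER" | "PAPER", findings); any finding forces PAPER."""
    if len(key_steps) > MAX_KEY_STEPS:
        raise ValueError("too many key steps for one procedure")
    findings = []
    for ks in key_steps:
        cv = computer.get(ks.parameter)
        reading = conventional.get(ks.parameter)
        if cv is None or not cv.valid or cv.value is None:
            findings.append((ks.step_id, "invalid computer parameter"))
        elif reading is None:
            # Fail safe: an unconfirmed key step counts as not reproduced.
            findings.append((ks.step_id, "no conventional reading"))
        elif abs(cv.value - reading) > ks.tolerance:
            findings.append((ks.step_id, "channels disagree"))
    return ("PAPER" if findings else "COMPUTER"), findings


# Constructed sample data: names, values and tolerances are illustrative only.
STEPS = [KeyStep("ks-1", "primary_pressure_bar", 2.0),
         KeyStep("ks-2", "sg_level_pct", 3.0)]
COMPUTER = {"primary_pressure_bar": ComputerValue(154.0, True),
            "sg_level_pct": ComputerValue(48.0, True)}

if __name__ == "__main__":
    print(confirm_key_steps(STEPS, COMPUTER, {"primary_pressure_bar": 153.2, "sg_level_pct": 49.5}))
    print(confirm_key_steps(STEPS, COMPUTER, {"primary_pressure_bar": 140.0, "sg_level_pct": 49.5}))
```

The decision is deliberately one-way: a single unconfirmed key step is enough to leave the computer-based procedure, and nothing in the function can argue the crew back onto it.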
Since the shift supervisor and the board operators work more independently with the computerised procedures system, a structured communication system was developed. High-level communication ensures that the entire MCR team is in sync with regard to the emergency procedures. Each member of the operational model has the following communications functions:
• Informs the crew of the progression through the emergency procedures
• Informs the crew of any transfers within the various procedures
• Relays to the desk operators any actions required by the procedures in the form of instructions with a specific goal. The level of detail of these instructions is determined by the complexity of the activity
• Issues instructions to read the conventional equipment with regard to the key steps
• Provides information about measures initiated within the scope of their responsibility
• Informs shift supervisor of any observations that are of importance for the initiated procedure
• Informs shift supervisor of actions taken.
• Reports on the parameters obtained from the conventional equipment related to the key steps.
• Provides information during the confirmation phase about the validity of Compro based on an evaluation using conventional equipment.
The operational model developed by NOK illustrates that new technology can be effectively and efficiently introduced into an existing nuclear plant when the plant staff is willing to adapt to new systems and embrace higher standards for operators. The original intent of replacing the plant computer system evolved into a main control room functional upgrade that provided major improvements for the operational team. The roles and responsibilities of the control room personnel have been raised to a level where desk operators are system managers, independently supervising their portions of the plant during emergency events. The shift supervisor is free to focus on a higher level of plant response to an event. The cognitive level of the control room is elevated as a whole by allowing the system to perform more of the information processing tasks involved with the execution of the EOPs. The enhanced situation awareness resulting from the new operational paradigm increases the potential for identifying and subsequently mitigating plant transients.
Other Compro sites
The first application of the system was at a coal-fired power plant in Pennsylvania (see panel above) where it was applied to the start-up procedure. Another nuclear plant in the Czech Republic will also be using the Compro system for emergency operating procedures.
An evolved version of the system is being used in the Czech Republic for a variety of normal operating procedures, including primary side sequences, secondary side sequences and valve testing sequences. The system will also be used for turbine startup at a nuclear plant in Sweden.