1、AU these procedures are accredited by the American National Standards Institute, Inc., as meeting the criteria for American National Standards. The consensus committee that approved the standard was balanced to ensure that competent, concerned, and varied interests have had an opportunity to partici
2、pate. An American National Standard is intended to aid industry, consumers, govern mental agencies, and general interest groups. Its use is entirely voluntary. The existence of an American National Standard, in and of itself, does not preclude anyone from manufacturing, marketing, purchasing, or usi
3、ng products, processes, or procedures not conforming to the standard. By publication of this standard, the American Nuclear Society does not insure anyone utilizing the standard against liability allegedly arising from or after its use. The content of this standard reflects acceptable practice at th
4、e time of its approval and publication. Changes, if any, occurring through developments in the state of the art, may be considered at the time that the standard is subjected to periodic review. It may be reaffirmed, revised, or withdrawn at any time in accordance with established procedures. Users o
5、f this standard are cautioned to determine the validity of copies in their possession and to establish that they are of the latest issue. The American Nuclear Society accepts no responsibility for interpretations of this standard made by any individual or by any ad hoc group of individuals. Requests
6、 for interpretation should be sent to the Standards Department at Society Headquarters. Action will be taken to provide appropriate response in accordance with established procedures that ensure consensus on the interpretation. Comments on this standard are encouraged and should be sent to Society H
7、eadquarters. Published by American Nuclear Society 555 North Kensington Avenue, La Grange Park, Dlinois 60525 USA Copyright 1995 by American Nuclear Society. All rights reserved. Any part of this standard may be. quoted. Credit lines should read “Extracted from American National Standard .ANSY.ANS-5
8、8.8-1994 with permission of the publisher, the American Nuclear Society.“ Reproduction prohibited under copyright convention unless written permission is granted by the American Nuclear Society. Printed in the United States of America Foreword (This Foreword is not a part of .American National Stand
9、ard for Time Response Design Criteria for Safety Related Operator Actions, ANSJ/ANS-58.8-1994, but is included for information purposes only.) The criteria contained in this standard establish timing requirements to be used in the design of safety-related systems for nuclear power plants. These crit
10、eria are used to determine whether safety-related systems can be initiated by operator action or require automatic initiation. The time response criteria given in this standard adopt time intervals and other restrictions to ensure that adequate safety margins are applied to system and plant design a
11、nd safety evaluations. Guidance for design of associated instrumentation, controls, indicators, and enunciators necessary for operator action is provided. The scope of this standard is limited to safety-related operator actions associated with those design basis events (DBEs) that result in a reacto
12、r trip and are required to be analyzed in safety analysis reports* (SARs). This limits the resulting requirements for potential automation by adhering to known safety-related operator actions. Should the scope of the SAR be expanded, this standard should be applied to new DBEs which require safety-r
13、elated operator actions. It is beyond the model and data base of this standard to use its timing requirements to calculate actual operator action times. In actual practice, the operator should be capable of reacting to DBEs correctly and performing the safety-related operator actions in less time th
14、an specified by the criteria in this standard. The criteria are not intended to serve as a basis for plant stafimg or actual operator action times in procedures or training, but could provide useful input to these operational considerations. Where analysis credits safety-related operator actions to
15、meet the criteria of this standard, the actions should be regarded as time-critical tasks. Human factors professionals should consider the implications of such results and ensure that time critical tasks can be readily performed in the actual system design. The application of these criteria may indi
16、cate the need for system design modifica tions or automation of some actions that are intended by designers to be performed by the operator. However, it is not intended that automation be pursued for applica tions that would exceed the state of the art or be so complex as to jeopardize plant safety
17、without reasonable assurance that such automation of operator actions has an overall beneficial effect in terms of increased nuclear safety. Early drafts of the criteria in this standard were based on an extension of the “ten minute rule“ that had gained some acceptance in the industry. Some reviewe
18、rs of these drafts felt strongly that this approach was an inadequate time allowance for some cases. After meetings with the Nuclear Regulatory Commission (NRC) and SC-6 of the Nuclear Power Engineering Committee (NPEC) of the Institute of Electrical and Electronics Engineers, Inc. (ffiEE), the Work
19、ing Group for Operator Actions decided to adopt the more comprehensive and, in some cases, more conservative requirements reflected in the criteria set forth in this standard. The response times embodied in ANS-58.8-1984 criteria were based on simulator measurements of operator performance and plant
20、 data collected from actual events. The measurement programs were conducted by General Physics Corporation, under the sponsorship of the Electric Power Research Institute (EPRI), and by Westing-* Regulatocy Guide 1.70, “Standard Format and Content of Safety Analysis Reports for Nuclear Power Plants,
21、“ specifies DBEs. -i-house Electric Corporation. The test subjects represented skill levels ranging from initially qualified operators to experienced operators performing requalification training. Operators responses to various anticipated operational occurrences and accident situations were measure
22、d to determine the promptness of their actions. The data were collected automatically and later reduced through the use of statistical methods. These empirical data provide a basis for the standard to define time intervals of sufficient length for operator responses at a 95% confidence level The dat
23、a do not allow assignment of a given confidence level that the operator action will necessarily be correct. However, it is assumed that if the intervals used meet the time criteria of the standard, then other performance-shaping factors (e.g., training level, panel layout, procedures) might dominate
24、 the factor of “time available“ in their combined influence on the probability of operator error. This revision of the standard reflects a detailed review of additional data that became available since 1984. The purpose of this review was to determine whether the data validated the time tests of the
25、 standard or whether revisions were indicated in either the time tests or the philosophical basis of the standard. The new data were collected by EPRI as part of the Operator Reliability Experiment (ORE). The purposes of the ORE project were (1) to develop models of operator reliability for control
26、room decisions and actions; (2) to obtain data to validate the models, mainly through the use of plant simulators; and (3) to enable quantification of post-TMI benefits from changes in control room design, procedures, training, and operator aids. The Accident Prevention Group (APG) analyzed the ORE
27、data. A brief outline of this analysis is provided in the Appendix. The review of the APG analysis by the Working Group ANS-58.8 members determined that the analysis results validated the standards required response times and suggested simplifications in its methodology. The Working Group believes t
28、hat future studies should be directed to data collection, analysis, and interpretation to test a perceived trend of system-based procedures toward shortening or eliminating the time interval the operator has to diagnose the event and actions to be taken (Tidiasnoei) and lengthening the fixed and var
29、iable sub-intervals of the time the operator has to perform the_ actions (Tl.,perato,.). For a description of Tidiasnoei and Tioperator please refer to Section 2 of this standard. Two significant changes have been made to the methodology: (1) Simplification of the terminology used to define the disc
30、rete time points and time intervals incorporating the time tests of the previous revision of this standord (Time Tests 1 and 2) into the appropriate time intervals. In the text of the standard, Time Test 1 is incorporated in Tlmasnoei and Time Test 2 is incorporated in TI.,perator (2) Unidirectional
31、 colculation of the time points and intervals from the beginning of the DBE to the conclusion of the DBE. In the previous version of this standard, calculations were necessary from both the beginning and the conclusion of the DBE. This standard has been reviewed by IEEEINPEC/SC-7, as the coordinatin
32、g body for nuclear industry human factors standards. That panel has approved this revision. -ii-The members of Working Group ANS-58.8 who prepared this standard are: R. A. Hill, Chairman. General Electric Company E. J. Fuent, Commonwealth Edison Company R. B. Fuld, ABB/Combustion Engineering J. J. K
33、ramer, U.S. Nuclear Regulatory Commission H. G. OBrien, Martin Marietta Energy Systems, Inc. The following individuals participated as ad hoc members of the Working Group for technical consultation purposes: P. Moieni,Accident Prevention Group J. W. Moore, Lawrence Livermore National Laboratory A. S
34、ingh, Electric Power Research Institute A. J. Spurgin, Accident Prevention Group The membership ofMC-1, Light Water Reactor Criteria Management, at the time it reviewed and approved this standard was as follows: J. T. Luke, Chairman, Florida Power see American National Standard Guide for the Applica
35、tion of Human Fac tors Engineering to Systems, Equipment, and Facilities of Nuclear Power Generating Stations, ANSI/IEEE 1023-1988 4. 2. Definitions action. One or more operator manipulations or automatic actuations. One or more actions are necessary to accomplish a safety-related function. discrete
36、 time points. The time points during the course of a DBE that define the time inter vals evaluated in an analysis of operator re sponse times. These points are defined below and are illustrated in Figure 1. 2 (1) start of event (tSt). The time at which the DBE begins. (2) indication of event (tiDd).
37、 The time at which information is readily available, e.g., one or more alarm(s) or display indica tion(s) to the plant operators to indicate a DBE has occurred. (3) earliest credited action (tEcA The earliest time following nd at which credit for the initiation of a safety-related opera tor action c
38、an be taken. (4) manual action initiated (tMAI). The point in time at which the analysis credits the initiation of an operator action. (5) safety-related action completed The time at which the safety-related opera tor action is evaluated (see Section 4) to be completed. (6) safety-related function c
39、ompleted (tSFC). The time at which an indication is received that a safety-related system has performed its required safety-related func tion. (7) event limit (tu.,.). The earliest time at which a limiting design requirement would be exceeded if a safety-related function has not been completed. (For
40、 some DBEs, im may occur several times due to multiple limiting design requirements or recurring limiting design requirements). limiting design requirements. A limiting design requirement is the limiting value of a design parameter that ensures that the conse quences of any DBE do not result in: (1)
41、 Violation of plant nuclear safety criteria, including off-site radiological dose criteria 1, 2, or (2) Unacceptable degradation of plant compo nents that are required to mitigate the consequences of a DBE. (A single DBE may have more than one limiting design requirement.) manipulation. A discrete e
42、lement of an action. operator error. In the context of the single failure criterion, a single incorrect or omitted action by a human operator attempting to per form a safety-related action in response to an initiating occurrence. Subse.quent manipulations that are consistent with the results of the
43、initiat ing error are not considered additional. (For example, if in a sequence of actions a component was aligned incorrectly, resulting in reduced (instead of increased) flow, all subsequent opera tor manipulations consistent with having re duced flow would be regarded as part of the original oper
44、ator error, not as additional errors.) other operator actions. Operator actions that are not required by plant emergency procedures following a DBE. plant condition (PC). Categorization of events in terms of their likelihood of occurrence for the purpose of establishing nuclear safety criteria. The
45、following categories apply: Plant Condition PC-1 PC-2 PC-3 PC-4 PC-5 Best Estimate Frequency of Occurrence (F) per Reactor Year Normal Operations F 1o1 10“1 F 10“2 10“2 F 10-4 10-4 F 10-6 CoO tst tlnd DBE initiation DBE indication -Figure 1 Definition of Discrete lime Points tECA tMAI tSAC Earliest
46、time Manual Safety for operators action actions to take credited initiated completed action Figure2 Definition of lime Intervals tSFC tLim Safety function Design requirement completed limit -TlmtiDn . : Tldiqnolil . : Tle1111 . : Tloperator -: Tlproeell . : Tllllfe1 value was based on the time from
47、event alarm until the operator reset safety injection. Both statistical techniques described above yielded 95% probability values that were less than 20 minutes. TI.,perator values were determined through the use of the fixed plus variable time model The safety-related function evaluated was the swi
48、tchover to cold-leg recirculation. The fixed sub-interval time was the time from the refueling water storage tank low-level alarm to the first step in the switchover procedures. The variable sub-interval time was the average time required to perform 217 discrete manipulations necessary to complete t
49、he switchover action. The above statistical techniques, at a 95% probability value, indicated a fixed sub-interval ofTI.,perator value of 1.5-2.0 minutes and a variable sub-interval ofTI.,perator value of 40-90 seconds. 10 American National Standard ANSI/ANS-58.8-1994 4. Accident Prevention Group Program EPRI Operator Reliability Experiments (ORE) developed models of operator reliability for control room decisions and actions from simulator experiments for use in quantifying post-TMI benefits. APG analyzed these data and the models to determine their relevance t
