WO1991006960A1

WO1991006960A1 - Advanced nuclear plant control complex

Info

Publication number: WO1991006960A1
Application number: PCT/US1989/004899
Authority: WO
Inventors: Kenneth Scarola; David S. Jamison; Richard M. Manazir; Robert L. Rescorl; Daryl L. Harmon
Original assignee: Combustion Engineering, Inc.
Priority date: 1989-11-02
Filing date: 1989-11-02
Publication date: 1991-05-16
Also published as: KR920702895A; KR100191566B1

Abstract

An advanced control room complex for a nuclear power plant, including a discrete indicator and alarm system (72) which is nuclear qualified for rapid response to changes in plant parameters and a component control system (64) which together provide a discrete monitoring and control capability at a panel (14-22, 26, 28) in the control room (10). A separate data processing system (70), which need not be nuclear qualified, provides integrated and overview information to the control room and to each panel, through CRTs (84) and a large, overhead integrated process status overview board (24). The discrete indicator and alarm system (72) and the data processing system (70) receive inputs from common plant sensors and validate the sensor outputs to arrive at a representative value of the parameter for use by the operator during both normal and accident conditions, thereby avoiding the need for him to assimilate data from each sensor individually. The integrated process status board (24) is at the apex of an information hierarchy that extends through four levels and provides access at each panel to the full display hierarchy. The control room panels are preferably of a modular construction, permitting the definition of inputs and outputs, the man machine interface, and the plant specific algorithms, to proceed in parallel with the fabrication of the panels, the installation of the equipment and the generic testing thereof.

Description

ADVANCED NUCLEAR PLANT CONTROL COMPLEX

BACKGROUND OF THE INVENTION

The present invention relates to apparatus and methods for monitoring and controlling the operation of commercial nuclear power plants.

Conventionally, commercial nuclear power plants have a central control room containing equipment by which the operator collects, detects, reads, compares, copies, computes, compiles, analyzes, confirms, monitors, and/or verifies many bits of information from multiple indicators and alarms. Conventionally, the major operational systems in the control room have been installed and operate somewhat independently. These include the monitoring function, by which the components and the various processes in the plant are monitored; control, by which the components and the processes are intentionally altered or adjusted, and protection, by which a threat to the safety of the plant is identified and corrective measures immediately taken.

The result of such conventional control room arrangement and functionality can sometimes be information overload or stimulus overload on the operator. That is, the amount of information and the variety and complexity of the equipment available to the operator for taking action based on such extensive information, can exceed the operator's cognitive limits, resulting in errors.

The most famous example of the inability of operators to assimilate and act correctly based on the tremendous volume of information stimuli in the control room, particularly during unexpected or unusual plant transients, is the accident that occurred in 1978 at the Three Mile Island nuclear power plant. Since that event, the industry has focused considerable attention to increasing plant operability through improving control room operator performance. A key aspect of that improvement process is the use of human engineering design principles.

Advances in computer technology since 1978 have enabled nuclear engineers and control room designers to display more information, in a greater variety of ways, but this can be counterproductive, because part of the problem is the overload of information. Improving "user friendliness" while maintaining the quantity and type of information at the operator's disposal has posed a formidable engineering challenge. SUMMARY OF THE INVENTION

It is thus an object of the present invention to provide apparatus and method for nuclear power plant control and monitoring operations having the characteristics of concise information processing and display, reliable architecture and hardware, and easily maintainable components, while eliminating operator information overload. This objective should be accomplished while achieving enhanced reliability, ease of operation, and overall cost effectiveness of the control room complex.

The solution to the problem is accomplished with the present invention by providing a number of features which are novel both individually and as integrated together in a control complex.

The complex includes six major systems: (1) the control center panels, (2) the data processing system (DPS) , (3) the discrete indication and alarm system (DIAS) , (4) the component control system consisting of the engineered safeguard function component controls (ESFC) and the process component controls (PCC) , (5) the plant protection system (PPS) , and (6) the power control system (PCS) . These six systems collect data from the plant, efficiently present the required information to the operator, perform all automatic functions and provide for direct manual control of the plant components.

The control complex in accordance with the invention provides a top-down integrated information display and alarm approach that supports rapid assessment of high level critical plant safety and power production functions; provides guidance to the operator regarding the location of information to further diagnose high level assessments; and significantly reduces the number of display devices relative to conventional nuclear control complexes. The complex also significantly reduces the amount of data the operator must process at any one time; significantly reduces the operational impact of display equipment failures; provides fixed locations for important information; and eliminates display system equipment used only for off normal plant conditions.

It is known that the nuclear steam supply system can be kept in a safe, stable state by maintaining a limited set of critical safety functions. The present invention extends the concept of the critical plant safety functions to include critical plant power production functions, in essence integrating the two functions so that the information presentation to the operator supports all high level critical plant functions necessary for power production as well as safety.

The information display hierarchy in accordance with the invention includes a "big board" integrated process status overview screen (IPSO) at the apex, which provides a single dedicated location for rapid assessment of key information indicative of critical plant power production and safety functions. Further detail on the sources and trends of normal or abnormal parameter changes are provided by the DIAS. Both IPSO and the DIAS provide direct access and guidance to additional system and component status information contained on a hierarchy of CRT display pages which are driven by the DPS.

The IPSO continually displays spatially dedicated information that provides the status of the plant's critical safety and power production functions. This information is presented using a small number of easily understood symbolic representations that are the results of highly processed data. This relieves the operator of the burden of correlating large quantities of individual parameter data, systems or component status, and alarms to ascertain the plant functional conditions. The IPSO presents the operator with high level effects of lower level component problems. The IPSO relies primarily on parameter trend direction, e.g., higher, lower, an alarm symbol color and shape, to convey key information. These are supplemented by values for selected parameters. The IPSO presents consolidated, simplified information to the operator in relatively small quantities of easily recognized and understood information.

Furthermore, the IPSO compensates for the disadvantage inherent in recent industry trends towards presenting all information serially on CRTs, by enabling the operator to obtain an overview, or "feel" of the plant condition. Display of plant level overview on a large-format dedicated display addresses two additional operational concerns. First, operator tasks often require detailed diagnostics in very limited process areas. However, maintaining concurrent awareness of plant-wide performance is also necessary. Rather than relying on multiple operators in the control room to monitor respective indicators and the like on spatially separated panels, the IPSO can be viewed from anywhere in the control room and thus provides an operator a continuous indication of plant performance regardless of the detailed nature of the task that may be requiring the majority of his attention.

In the preferred implementation, IPSO supports the assessment of the power and safety critical functions by providing for each function, key process parameters that indicate the functional status. For each function, key success pads are selected with the status of that success path displayed. The IPSO clearly relates functions to physical things in the plant. The critical functions are applied to power production, normal post trip actions, and optimal functional recovery procedures. The second level in the display information hierarchy in accordance with the present invention is the presentation of plant alarms from the DIAS. A limited number of fixed, discrete tiles are used with three levels of alarm priorities. Dynamic alarm processing uses information about the plant state (e.g., reactor power, reactor trip, refueling, shut-down, etc.) and information about system and equipment status to eliminate unnecessary and redundant alarms that would otherwise contribute to operator information overload. The alarm system provides a supplementary level of easily understood cueing into further information in the discrete indicators, CRTs and controls. Alarms are based on validated data, so that the alarms identify real plant process problems, not instrumentation and control system failures.

The alarm features include providing a detailed message through a window to the operator upon the acknowledgment of an alarm and the ability to group the alarms without losing the individual messages. The tiles can dynamically display different priorities to the operator. The acknowledgment sequence insures that all alarms are acknowledged while at the same time reducing the operator task loading by providing momentary tones, then continuous alarm, followed by reminder tones to insure that the alarms are not forgotten. The operator has the ability to stop temporarily alarm flashing to avoid visual overload, and resume the flashing to insure that the alarm will eventually be acknowledged.

The discrete indicators in the DIAS provide the third level of display in the hierarchy of the present invention. The flat panel displays compress many signal sources into a limited set of read-outs for frequently monitored key plant data. Signal validation and automatic selection of sensors with the most accurate signal ranges are also employed to reduce the number of control panel indicators. Information read-outs are by touch-screen to enhance operator interaction and include numeric parameter values, a bar form of analog display, and a plot trend.

Various multi-range indicators are available on one display with automatic sensor selection and range display. The automatic calculation of a valid process representation parameter value, with the availability of individual sensor readings at the same display, avoids the need for separate backup displays, or different displays for normal operation versus accident or post-accident operation.

Moreover, in another preferred feature of the invention, the parameter verification automatically distinguishes failed or multiple failed sensors, while allowing continued operation and accident mitigation information to the operator even if the CRT display is not available. Furthermore, the normal display information can be correlated to a qualified sensor, such as that used for post-accident monitoring purposes.

At the information display level associated with control of specific components, dynamic "soft" controllers are provided with component status and control signal information necessary for operator control of these components. For the ESFC system, this information includes status lamp, on-off controls, modulation controls, open-closed controls, and logic controls. For the PCCS, the information includes confirm load, set points, operating range, process values, and control signal outputs.

In the fourth level of the information hierarchy, dynamic CRT display pages are complementary to all levels of spatially dedicated control and information and can be accessed from any CRT location in the control room, technical support center, or emergency operations facility. These displays are grouped into a three level hierarchy that includes general monitoring (level 1) , plant component and systems control (level 2) , and component/process diagnostics (level 3) . Display implementation is driven by the DPS and duplicates and verifies all discrete alarm and indicator processing performed in the DIAS.

In the preferred implementation of the invention, the indicator, alarm, and control functions for a given major functional system of the plant are grouped together in a single, modularized panel. The panel can be made with cutouts that are spatially dedicated to each of the displays for the indicators, alarms, controls, and CRT, independent of the major plant functional system. This permits delivery, installation, and preliminary testing of the panels before finalization of the plant specific logic and algorithms, which can be software modified late in the plant construction schedule. This modularization is achievable because the space required on the panel is essentially independent of the major plant functional system to which the plant is dedicated.

Both the alarms and indicators can be easily modified in software. The number of indicators and alarm tiles that can be displayed to the operator are not significantly limited by the available area of the panel, so that standardization of panel size and cutout locations for the display windows is possible. BRIEF DESCRIPTION OF THE DRAWINGS

These and other objects and advantages of the invention are described in connection with the preferred embodiment of the invention, with reference to the accompanying drawings, in which:

Figure 1 is an illustration of a nuclear control room complex in accordance with the invention;

Figure 2 is a schematic diagram of the intersystem communication associated with the invention;

Figures 3(a) and 3(b) show a first type, and 3(c) and 3(d) a second type, of modular panel in accordance with one feature of the invention;

Figure 4 is an illustration of the primary system display page directory available on the CRT screen in accordance with the invention;

Figures 5 and 6 illustrate the preferred component symbols and shape coding used with the CRT and IPSO display in accordance with the invention;

Figure 7 is a typical discrete indicator display with trend format in accordance with the invention, for pressurizer pressure and level;

Figure 8 is a indicator display for the system pressure and level menu pages associated with the indicator of Figure 7;

Figure 9 is a schematic representation of the alarm presentation in accordance with the present invention;

Figure 10 is a typical display page depicting the alarm presentation on a first level display page menu option in accordance with the invention; Figure 11 is a diagrammatic summary of the work stations of the complex shown in Figure 1, categorized by first level display page set;

Figure 12 is an illustration of the typical display page directory depicting display pages containing alarm information;

Figure 13 is an illustration of the type of information provided on the CRT as alarm support after alarm acknowledgement;

Figure 14 is an illustration of the categorized alarm listing available to the operator on the CRT;

Figure 15 is a typical alarm tile grouping for the reactor coolant system/seal alarm tiles associated with the discrete indication and alarm system;

Figure 16 is an illustration of the alarm tile display for the reactor coolant pumps, in which one tile has been actuated;

Figure 17 is an illustration of the alarm display after acknowledgement of the actuated alarm of Figure 16;

Figure 18 is an illustration of the alarm display available upon the operator's touching the alarm status area of the display shown in Figure 17;

Figure 19 is an illustration of the CRT display for the primary system;

Figure 20 is an illustration of the CRT display for a second level page based on the first level page shown in Figure 19;

Figure 21 is an illustration of a third level display page obtainable from the second level page shown in Figure 20;

Figure 22 is an illustration and explanation of the display page menu option regions on the CRT displays; Figure 23 is an illustration of a typical CRT display page depicting alarm tile representations;

Figure 24 is a diagram showing the relationships of the CRT display page hierarchy;

Figure 25 is an illustration depicting the integrated process status overview;

Figure 26 is a diagrammatic description of the symbols used to convey trending information on the integrated process status overview;

Figure 27 is a schematic representation of the integrated information presentation available with the present invention;

Figure 28 is a block diagram related to Figure 2, showing the relationships of the major systems constituting the control room complex of the present invention;

Figure 29 is a block diagram showing the inputs and outputs associated with the discrete indicator and alarm system portion of the present invention;

Figure 30 is a schematic representation of the use of validated sensor data for monitoring and control in accordance with the invention;

Figure 31 is a functional diagram of the engineered safety features system and the component control system with associated interfaces as preferably arranged in accordance with the present invention;

Figure 32 is an illustration of a typical display page directory associated with the critical function monitoring available through the data processing system of the present invention;

Figure 33 is an illustration of a first level critical function display page associated with the hierarchy shown in Figure 32; -12-

Figure 34 is an illustration of a first level critical function display page after a reactor trip;

Figure 35 is an illustration of a typical second level critical function display page associated with the inventory control system; and

Figures 36(a) and 36(b) are diagrammatic representations of the typical prior art instrumentation and control design process, and the accelerated design process available in accordance with the use of modular panels in accordance with the present invention, respectively.

DESCRIPTION OF THE PREFERRED EMBODIMENT

I. Overview Description of Control Complex Figure 1 shows a control room complex in accordance with the preferred embodiment of the present invention. The heart of the main control room 10 is a master control console 12 which allows one person to operate the nuclear steam supply system from the hot standby to the full power condition. It should be appreciated that the control room, equipment and methods described herein, may be advantageously used with light water reactors, heavy water reactors, high temperature gas cooled reactors, liquid metal reactors and advanced passive light water reactors, but for present purposes, the description will proceed on the basis that the plant has a pressurized water NSSS. For such an NSSS, the master control console 12 typically has five panels, one each for the reactor coolant system (RCS) 14, the chemical volume and control system (CVCS) 16, the nuclear reactor core 18, the feed water and condenser system (FWCS) 20, and the turbine system 22. As will be described more fully below, the monitoring and control for each of these five plant systems, is accomplished at the respective panel in the master control console.

Immediately overhead behind the core monitoring and control panel 18, is a large board or screen 24 for displaying the integrated process status overview (IPSO) . Thus, the operator has five panels and the overhead IPSO board within easy view while sitting or standing in the center of the master control console 12.

To the left of the master control console is the safety related console 26, typically including modules associated with the safety monitoring, engineered safeguard features, cooling water, and similar functions. To the right of the master control console is the auxiliary system console 28 containing modules associated with the secondary cycle, auxiliary power and diesel generator, the switch yard, and the heating and ventilation system.

Preferably, the plant computer 30 and mass data storage devices 32 associated with the control room are located in distributed equipment rooms 31 to improve fire safety and sabotage protection.

The control room complex 10 also has associated therewith, a shift supervisor's office 34, which has a complete view of the control room, an integrated technical support center (TSC) 36 and viewing gallery outside the control area, and other offices 38 in which paper work associated with the operation of the plant may be performed. Similarly, desk, tables, and the like 40 are located on the control room floor for convenient use by the operators. A remote shut-down room 42 (Figure 2) is also available on site for post-accident monitoring purposes (PAM) .

Figure 2 is a schematic of the information links between the plant components and sensors, which for present purposes are considered conventional, and the various panels in the main control room. It is evident from Figure 2 that information flows in both directions through the dashed line 46 representing the nuclear steam supply system and turbo generating system boundary. NSSS status and sensor information 48 that is used in the plant protection system 50 and the PAMS 58, passes directly through the NSSS boundary 46. Control signals 52 from the power control system pass directly through the NSSS boundary. Other control system signals 60,62 from the engineered safeguard function component control system 56 and the normal process component control system 64, are interfaced through the NSSS boundary via remote multiplexors 6. Each of the plant protection system, ESF component control system, process component control system, power control system and PAMs, is linked to the main control room 42, to each other, to the data processing system (DPS) 70 and to the discrete indication and alarm system (DIAS) 72.

Figure 2 illustrates one significant aspect of the present invention, namely, the integration of monitoring, control and protection information, during both normal and accident conditions, so that the operator's task in determining an appropriate course of action is considerably simplified. The way in which this is accomplished will be described in the following sections.

II. Panel Overview

Figures 3(a) and 3(b) is schematic of a sit/stand panel such as the reactor coolant system panel 14 from the master control console 12 in accordance with one embodiment of the invention. Figure 3(c) and 3(d) show an alternative embodiment for stand up only. The substantially flat upper portion or wall 74 of the panel is vertically oriented and the substantially flat lower or desk portion 76 is substantially horizontal, with the monitoring and alarm interfaces carried by the upper portion, and the control interfaces carried on the lower portion.

The alarm mode (see Figures 9, 15-18) includes alarm interface 78 having a multiplicity of tiles 80 each having a particular acronym or similar cue associated therewith, whereby an alarm condition is indicated by the illumination of that tile and the generation of an accompanying audible signal. The operator is required to acknowledge the alarm by either pushing the tile or some other interface provided for that purpose. The number of tiles associated with a particular panel is dependent on the number of different alarm conditions that can arrive with respect to the monitored system, e.g, the reactor coolant system. Typically, hundreds of such tiles are associated with each panel. The alarms are prioritized into three (3) alarm classes (Priority 1, Priority 2, and Priority 3, prompting immediate action, prompt action and cautionary awareness) . Ths RCS panel alarms are equipment status and mode dependent (Normal RCS, Heatup/Cooldown, Cold Shutdown/Refueling and Post Trip) . When a high priority alarm actuates coincidentally with a low priority alarm on the same parameter, the lower priority alarm is automatically cleared. On improving conditions, the higher priority alarm will flash and sound a reset tone. The operator will acknowledge that the higher priority alarm has cleared. If the lower priority alarm still exists, its alarm window or indicator will turn on in the acknowledged state after the operator acknowledges that the higher priority alarm has cleared.

The second monitoring interface are the process variable indicators, for example reactor coolant hot and cold leg temperatures, pressurizer level and pressure, etc. Discrete indicators (see Figures 7 and 8) provide an improved method of presenting the RCS panel parameters. Some RCS panel parameters require continuous validated display and trending on the master control console. Plant process and category 1 parameters like pressurizer level and RCS cold leg temperature fall into this category. Other RCS panel parameters are used less frequently. The discrete indicators provide indication on parameters needed for operation when the Data Processing System (CRT information displays) is unavailable. These include Regulatory Guide 1.97 category 1 and 2 parameters, parameters associated with priority 1 or priority 2 alarms, other parameters needed for operation due to inaccessibility of local gages and parameters that the operator must view for surveillance when the Data Processing System is unavailable for a period of up to twenty-four (24) hours. These less frequently viewed parameters would be available on discrete indicators, with a menu available by operator selection. The menu would show alphanumeric listings of available data points. Lastly, parameters displayed on process controllers need not be available on discrete indicators.

Additionally, a CRT display 84 generates an image of the major vessels, pipes, pumps, valves and the like associated with, e.g., the reactor coolant system, and displays the alarms and values of the parameters which may be shown in bar, graph, trend line or other form on the other displays 78,82 (see Figures 4-6, 10, 12-14 and 19-23) . From this CRT, the operator has access to essentially all NSSS information. The information is presented in a three level structured hierarchy that is consistent with the operator's system visualization. Figure 4 illustrates the primary page directory, which contains all CRT pages related to the functions of the RCS panel.

In the control portion 76 of the panel, a plurality of discrete, on-off switches 86 are provided at the left, for example, each switch pattern being associated with a particular reactant cooling pump whose operating parameters are displayed immediately above it, and analog control interfaces which can be in the form of conventional dials or the like (not shown) , or touch screen, discrete control as indicated at 88.

Process controllers are provided on the RCS panel to provide the operator with the ability to automatically or manually control process control loops. The process controllers allow control of throttling or variable position devices (such as electro-pneumatic valves) from a single control panel device. Process controllers are used for closed loop control of the following RCS panel process variables: pressure level, pressurizer pressure, RCP Seal Injection Flow and RCP Seal Injection Temperature. Process controllers are designed for each specific control loop utilizing the Nuplex 80+ generic display and control features.

In a conventional control room, each process control loop has its own control device, usually referred to as a MANUAL/AUTO Station. For example, the RCP Seal Injection Sub-System has five process control loops, a seal injection flow control loop for each of the four RCPs and a seal injection temperature control loop for the entire sub-system. These five control loops each have their own MANUAL/AUTO station which occupy a large amount of control panel space and make cross loop comparisons cumbersome. Although these five process loops are controlled independently, process variations in one controlled parameter affect the other four process parameters. Conventional MANUAL/AUTO stations make it difficult for the operator to simultaneously interact with the five MANUAL/AUTO stations.

The RCS panel process controllers for similar processes (related by function or system) are operated from a single control station, called a process controller. This single control station saves panel space, accommodates convenient cross channel checking and allows easier control loop interaction for multiple related controls.

Component control features (i.e., actuation of switches controls) provide the primary method by which the operator actuates equipment and systems on the RCS panel. The RCS panel has forty-three components controlled from momentary type switches. Each switch contains a red status indicator for active or open and a green status indicator for inactive or closed. Blue status indicator lights/switches are used to indicate and select automatic control or control via a process controller. In addition to color coding, the red switch is always located above the green switch to reinforce color distinction. Each switch generates an active control signal when depressed and is inactive when released. Each switch is backlit to indicate equipment status/position.

Process display formats use standard information placement for similar processes, and equipment. Fluid system piping representations are where possible standardized, top to bottom, left to right, and avoidance of crossovers. Incoming and outgoing flow path connections are placed at the margins. Related data is grouped by task and analysis specifications for comparison, sequence of use, function, and frequency. Process representations/layout are based on the operator's process visualization to maximize the efficiency of his data gathering tasks. The operator's visualization of a system is often based on diagrams used with learning materials and plant design documentation associated with system descriptions.

Graphic information is presented on display page formats to aid in rapid operator comprehension of processes. Graphic information includes the use of bar graphs, flow charts, trends, and other plots, (e.g., Temp. vs. Press.) .

Bar graphs are primarily used to represent flows, pressures and levels. Since level corresponds to a tank, the bar graph is placed with consistent spatial orientation with respect to the tank symbol. Level bar graphs are oriented vertically. Flow bar graphs when used are oriented horizontally. Bar graphs are also helpful for comparison of numeric quantities.

Flowcharts are used when they aid in the operator's process visualization. Flowcharts are helpful for understanding control system processes wuch as the Turbine Control System. Operators learning materials for process control systems are frequently in a flowchart format, and thus a similar format on a display page is easy to comprehend.

Trends are used on display page formats when task analysis indicates that the operator should be informed about parameter changes over time. Additionally, the operator is able to establish trends of any data base points in the plant computers data base. In some situations, task analysis may indicate that more than one trend is important to monitor process comparisons. In other situations such as heatup/cooldown curves, two parameters may be placed on the different ordinate axis of a graph.

When more than one trend curve occupies the same coordinate axes, two ordinate vertical axes can be used for parameters that have different units. Scale labels are divisible by 1, 2, 5 or 10. Tick mark between sale labels are also divisible by 1, 2, 5 or 10. Trended information is typically presented on display pages with a scale of 30 minutes. However, the operator is able to adjust the scale to suit his needs. Logarithmicaxes may be established using multiples of 10. If full range is less than 10, an intermediate range label is located to fall near the middle of the scale. Different colors are used for trends occupying the same coordinates. When multiple curves use a common scale, the scale is gry and the curves are color coded. When multiple ordinate scales are used, they are color coded in correspondence to the curve. The colors used for trends will not include the alarm color or normal status color to avoid associated process parameter with normal or alarm conditions.

Color is used to aid the operator in rapidly discriminating between different types of information. Since the benefits of color coding are more pronounced with fewer colors, coding on informational displays (i.e., IPSO, CRTs, alarm tiles) is limited to seven colors. In addition, color coded information has other representational characteristics to aid in discrimination of data and discrimination by color deficient observers.

The following colors are used in the information display to represent the following types of information. The colors used have been carefully selected to yield satisfactory contrast for red-green deficient color observers.

Color Representation Characteristics

Black Background color.

Green Component Off/Inactive, Valve

Closed and Operable.

Red Component On/ ctivated, Valve Open and Operable.

Yellow Alarm Status-Good attention-getting color.

Grey Text, labels, dividing lines, menu options, piping, inoperable and non-instrumented valves, graph grids, and other applications not covered by other coding conventions. Light Blue Process parameter values.

White System's response to operator touch, e.g., menu selection until appropriate system response occurs.

Shape coding is used in the information system to aid the operator to identifying component type, operational status, and alarm status. Component shape coding is based on symbology studies which included shape coding questionnaires given to nuclear power plant personnel. Figs. 5 and 6 show the shapes used to represent components in the control room. An attribute of shape, hollow/solid, is reflective of the status of the component. Hollow shape coding indicates that the component is active, whereas solid shape coding is used to represent inactive components. An example of shape coding for a pump and valve is described as follows. Pump A hollow pump indicates that the pump has been activated by the operator ot automatic control signal. A solid pump indicates that the pump has been deactivated by the operator or automatic control signal. Valve A hollow valve indicates that the valve is fully open and a solid valve indicates that the valve is fully closed. A valve not fully open or closed has a mixed solid/hollow shape, i.e., left side solid/right ride hollow. Information coding on valves is provided by these additional characteristics/representations: Valve Open and Operable - Red Color Coding. Valve Closed and Operable - Green Color Coding. Non-Instrumental Valve - Grey Color Coding (Position is

Operator Inputted) . Valve Not Operable - Grey Color Coding with Alarm

Coding (see Section 8) . Loss of Indication - Grey Color Coding with Alarm

Coding and mixed hollow/solid shape. Information associated with safety related concerns is integrated as a part of the control room information to allow the operator to use safety related information, where possible, during normal operation. This is a better design from a human factor's view than that of previous control rooms because in stressful situations, people tend to use information that they are most familiar with.

In many situations, safety related parameters are only a subset of the parameters that monitor a particular process variable. Operators of present control room designs typically use control or narrow range indications during process control and should use separate safety related indications when monitoring plant safety concerns. In this invention, the parameters typically used for monitoring and control are validated for accuracy against the safety related parameter(s) , where available. If a parameter deviates beyond expected values from the associated safety related.information, a validation alarm is presented to the operator. In response to an alarm condition, the operator can review the individual channels associated with the parameter on either a diagnostic CRT page or the discrete indicator displaying that parameter. At this time, he can select the most appropriate sensor for display. The operator is informed when the validation algorithm is able to validate the data. The resultant output of the validation algorithms are used on IPSO, the normally display format of a discrete indicator, and the higher level display pages on the CRT display system that contain the parameter. The Regulatory Guide 1.97 category 1 information is also displayed, by discrete indication display, at a single location on the safety monitoring panel.

Critical Function and Success Path (availability and performance) information throughout the information hierarchy (see Figures 10, 24, 25, 26, 27, 32-35). Alarms provide guidance to unexpected deviation in critical functions as well as success path unavailability or performance problems. Priority 1 alarms alert the operator to the inability to maintain a critical function as well as the inability of a success path to meet minimum functional requirements. Lower priority alarms provide subsystem/train and component unavailability or poor performance.

IPSO provides overview information that is most useful for operator assessment of the Critical Functions Priority 1 alarms associated with the Critical Functions or Success Paths supporting the critical function are presented on IPSO critical function matrix. Supporting information relating to these alarm conditions is available by using the alarm tiles or the critical function section of the CRT display page hiearchy.

The critical function section of the display page hierarchy contains the following information: Level 1 Display Page - "Critical Functions: this page provides more detail on the critical function matrix presented on IPSO. Specifically, more detail on alarm conditions (descriptor, priority) . This will help guide the operator to the appropriate level two critical function display page. A 2nd level page exists for each of the 12 critical functions. Each page contains:

The critical function information provided on the 1st level display page that is associated with the critical function. Information related to success path availability and performance of the success paths that can support that critical function.

- High level information presented using a mimic format with the critical function/success path related information.

- A time trend of the most representative critical function parameter.

The 3rd level display pages in the critical function hierarchy are a duplicate of display page existing elsewhere in the hierarchy. For example, a safety injection display page display page under Inventory Control also exists within the primary section of the display page hierarchy.

III. DISCRETE INDICATOR AND ALARM SYSTEM A. Discrete Indicators

The discrete indicators provide an improved method of presenting safety related parameters. Major process parameter such as Regulatory Guide 1.97 Category 1, require continuous validated display and trending on the master control console. The discrete indicators also provide indication and alarms on parameters needed for operation when the Data Processing System (DPS) is unavailable. These include Regulatory Guide 1.97 Category 1, 2 and 3 parameters, parameters associated with priority 1 or priority 2 alarms, and other surveillance related parameters. Though the DPS is a highly reliable and redundant computer system, its unavailability is considered for a period of up to twenty-four hours. The less frequently viewed parameters are available on discrete indicators, with a menu available by operator selection.

Each discrete indicator has the capability to present a number of parameters associated with a component, system, or process. The discrete indicators present various display formats that are based on fulfilling certain operator information requirements.

When monitoring or controlling a process such as pressurizer pressure (see Figures 7 and 8) , it is desirable that the operator use a "process representation" value in the most accurate range. For this type of information, the discrete indicator presents a bold digital value and an analog bar graph of the validated average of the sensors in the most accurate range. This validated data is checked against post-accident monitoring indication (PAMI) sensors when applicable. When in agreement with the PAMI, the indicator may be used for post-accident monitoring. This has the advantage of continuing to allow the operator to utilize the indicator he is most familiar with and uses on a day-to-day basis. The operator, upon demand, can display any individual channel on the discrete indicator digital display. The use of validated parameters is a benefit to operators by reducing their stimulus overload and task loading resulting from presentation of multiple sensor channels representing a single parameter.

When the parameter cannot be validated, the discrete indicator displays the sensor reading that is closest to the last validated value. A validation alarm is generated for this condition. The discrete indicator continues to display this sensor's value until the operator selects another value for indication. The field on the discrete indicator that usually read "valid" displays "fault sel" in reverse image. This indicates that the value is not validated and has been selected by the computer. This indicates that the operator should review the available sensors that can be used for the "process representation". If the operator makes a sensor selection (which is enabled by a validation fault or failure of the "valid" signal to agree with PAMI) , the field with "fault sel" will be replaced by the message "Operator Select", which is displayed in reverse image. When the validation algorithm can validate the data and all faults have cleared, the validation fault alarm will clear and the algorithm will replace the "fault select" or "operator select" "process representation" with the "valid" "calculated signal".

Parameters that are required for monitoring the overall performance of plant processes or responding to priority 1 or 2 alarms are provided on discrete indicators. The most representative process parameter is the normally displayed value. Through menu options, the operator can view the other process related parameters.

There are ten discrete indicators identified for the RCS panel. The indicators are:

6. RCS

7. ^Thθt

8. ^Tcold

9. Pressurizer Pressure 10. Pressurizer Level

Figure 7 illustrates a typical discrete indicator for a "process representation". On the left side of the display validated pressurizer pressure is shown. The display includes the following: digital "process representation" value with units of measurement (2254 psig) , quality of the display (VALID) , indication that the display is acceptable for post accident monitoring (PAMI) , bar chart with the process value, a 30 minute trend, normal operating range (NORMAL) , instrument range (1500-2500) and units of measurement for the bar chart (psig) .

In the upper right hand corner of the PRESS display, there are two buttons, "CRT" and "MENU", when touched the selected button backlights, indicating selection. When the operator removes his hand, the actual selection is processed. The "CRT" button changes the CRT menu options on the CRT located at the same panel as the discrete indicator where the button is pushed. This "CRT" option identifies the CRT pages most closely associated the parameters on the discrete indicator.

The "MENU" button selects the discrete indicator menu (Figure 8) . The upper section of the menu page is nearly identical to the normal display. It contains digital "process representation" value with units of measurement (2254 psig) , quality of display (valid) , indication that the display is acceptable for post accident monitoring (PAMI) , CRT and MENU buttons. The lower section of the menu page contains selector buttons for all sensor inputs and "calculated signals" of this discrete indicator. The selector button backlight when touched, indicating selection. When the operator removes his finger, the actual processing of the selection takes place. There are 13 buttons for pressure: four for 0-1600 psig pressurizer pressure: P-103, P-104, P-105 and P-106, six for 1500-200 psig pressure: P-101A, P-101B, P-101C, P-101D, P-100X and P-100Y, two for 0-4000 psig RCS pressure: P-190A and P-190B and one for the "calculated signal", pressure: CALC PRESS (presently selected) . When selected, the "Calc Press" button displays the "calculated signal" (i.e., the output of the algorithm) . At present, the "calculated signal" of the algorithm is a "valid" signal. If the algorithm were to fail and select an individual sensor for the "calculated signal", the "calid" message would be replaced by the message "fault select". This message "fault select" would be displayed in reverse image on the discrete indicator. This message would be displayed on the discrete indicator any time "CALC PRESS" is selected until the algorithm outputs a "VALID" signal to replace the "FAULT SELECT" sensor.

To change the display, the operator would touch the button containing the sensor he wished to view. For example: by touching the button marked "P-103", the digital display would display the output from the 0-1600 psig range sensor P-103. The message "VALID" below the digital value would be replaced by the message "P-103". Additionally, the "PAMI" message would be removed because P-103 is not a PAMI sensor. The button "ANAL/ALARM OPER SEL" selects the signal used for the "process representation" in DIAS. It selects whatever sensor is displayed on the digital display. The signal select button gives the operator the option to "operator select" any of the sensors for analog display and alarm processing when a fault exists, such as:

1. When validation fails and a "FAULT SELECT" sensor is selected or the "process representation".

2. When the "Valid" output does not correlate to the PAMI sensor(s) .

If a fault were present and the operator elected to select P-103 for the "process representation", he would select the menu, select P-103 for display and then touch the "ANAL/ALARM OPER SEL" button. The message below the digital display would read "P-103 OP SEL" in reverse image. Any time P-103 was selected for display, it would have the message "OP SEL" displayed in reverse image, indicating that the output from P-103 is being used for the "process representation". After selecting an "operator select" sensor for the "process representation", it is expected that the operator will depress the button marked "ANALOG DISPLAY". This would return the analog and trend display with the message "OP SEL" in reverse image.

The "ANAL/ALARM OPER SEL" button is not normally displayed on the discrete indicator menu page; it automatically displays when the "operator select permissive" is enabled after a fault. The "ANAL/ LARM OPER SEL" button is removed from the menu page when the "operator select permissive" is disabled after all faults are corrected. The button "ANALOG DISPLAY" removes the menu page and replaces it with the bar graph (analog) and trend display for whatever sensor or "calculated signal" is currently selected as the "process representation" (normally the "valid" calculated signal" output) .

Other validated process parameter discrete indicators operate in an identical manner.

Menu driven discrete indicators contain all level 1 and 2 displays for a functional group of indication.

To reduce an operator's task laoding and to reduce his stimulus overload, a generic validation algorithm is used. This algorithm takes the outputs of all sensors measuring the same parameter and generates a single output representative of that parameter, called the "Process Representation". A generic validation approach is used to ensure that it is well understood by operators. This avoids an operator questioning the origin of each valid parameter.

This generic algorithm averages all sensors [(A,B,C and D) (sensor quantity may be parameter specific) ] and deviation checks all sensors against the average. If the deviation checks are satisfactory, the average is used as the "Process Representation" and is output as a "valid" signal. If any sensors do not successfully pass the deviation check against the average, the sensor with the greatest deviation from the average is taken out and the average is recalculated with the remaining sensors. When all sensors used to generate the average deviation check satisfactorily against the average, this average is used as the "valid process representation". This "valid process representation" is then deviation checked against the post-accident monitoring system sensors (if present) . If this second deviation check is satisfactory, the "process representation" is displayed with the message "Valid PAMI" (Post-Accident Monitoring Indication) , indicating that this signal is suitable for monitoring during emergency conditions, since it is in agreement with the value as determined by the PAMI sensors. As long as agreement exists, this indicator may then be utilized for post-accident monitoring rather than utilizing the dedicated PAMI indicator. This provides a Human Factors Engineering advantage of alliowing the oerator to use the indicator he normally uses for any day-to-day work and which he is most familiar with.

The validation process, as described, reduces the time an operator takes to perform the tasks related to key process related parameters. To insure timely information, all validated outputs are recalculated at least once every two seconds. Additionally, redundancy and hardware diversity is provided in the calculating devices insuring reliability.

The following section describes the algorithm and display processing on the DIAS and CRT displays.

1. The "process representation" will always be displayed on the applicable DIAS display and/or CRT page(s) where a single "process representation" is needed as opposed to multiple sensor values. Each plant process parameter will be evaluated individually to determine the type of display required and location (DIAS and CRT or CRT only) .

2. The "process representation" is always a "valid" value unless there is a: a. "Fault Select" value or b. "Operator Select" value. Both of these are explained below.

3. The "process representation" is always used for alarm calculations and trending (where a single value is normally trended) . This can be "valid" , "fault select" or "operator select" data, depending on the results of the algorithm calculations as described below.

4. Using a menu on DIAS or the CRT, the operator may view any of the values (A,B,C,D or calculated output) without changing the "process representation".

5. A "Fault Select" value will be displayed automatically as the "process representation" when the validation algorithm is unable to yield "valid" data. The "fault select" value is the output of the sensor closest to the last "valid" signal at the time validation initially failed.

On DIAS (if applicable) , this information will be labeled "fault select". On the CRT(s) graphic pages, this information will be preceded by an asterisk(*) to indicate suspect data. "Fault Select" will be indicated in the "point poke" data base message. The "fault select" "process representation" is automatically returned to a "valid" process representation" when the validation algorithm is able to calculate "valid" data.

6. An "operator select" sensor may be selected for the "process representation" only when there is a: . a. "Validation Fault" or b. "PAMI Fault". The "operator select" "process representation" will replace the "valid" or "fault select" "process representation". On DIAS (if applicable) , this information will be labeled "operator select". On the CRT(s) , this information will be preceded by an asterisk(*) on graphic displays and labelled "operator select" in the data base. The "operator select" "process representation" is automatically replaced by the calculated "valid" signal when both the "Validation Fault" and the "PAMI Fault" clear.

It should be appreciated that the discrete validation is accomplished using a generic algorithm that is applicable to different parameters. In this manner, the operators understand how the validated reading has been determined for every parameter and, again, this reinforces their confidence. This algorithm always has an output and allows the operator selection for display when validation is not possible. The discrete indicators continuously display all vital information yet allow easy access via a function or organized menu system to enable the operator to access less frequently needed information. There is no need for separate backup displays, since the backups are integrated in the subsidiary levels of retrieval. Such displays vastly reduce the amount of indicator locations required on the panel and yet provide all vital indication in a easy to use format, thereby reducing stimulus overload. B. Alarm Processing and Display:

Another feature of the monitoring associated with each panel, is the reduction of the numer of alarms that are generated, in order to minimize the operator information overload. Cross channel signal validation is accomplished prior to alarm generation, and the alarm logic and set points are contingent on the applicable plant mode.

The alarms are displayed with distinct visual cueing in accordance with the priority of the required operator response. For example, priority 1 dictates immediate action, priority 2 dictates prompt action, priority 3 is cautionary, and priority 4, or operator aid, is merely status information.

The types of alarm conditions that exist within each category are described below:

Priority 1

1. Conditions that may cuase a trip in less than 10 minutes.

2. Conditions that may cause major equipment damage.

3. Personnel/Radiation hazard.

4. Critical Safety Function violation.

5. Immediate Technical Specification Action . Required.

6. First-Out Reactor/Turbine Trip. Priority 2

1. Conditions that may cause a trip in greater than 10 minutes.

2. Technical specification action items that are not Priority 1.

3. Possible equipment damage. Priority 3

1. Sensor deviations.

2. Equipment status deviations.

3. Equipment/process deviations not critical to operation. The alarms are displayed using techniques that help the operator quickly correlate the impact of the alarm on plant safety or performance. These techniques include grouping of displays which highlight the nature of the probe rather than the symptom denoted by the specific alarm condition. Another is the fixed spacial dedication of alarm displays allowing pattern recognition. Another is the plant level pictorial overview display on the IPSO board which shows success paths and critical functions impacted by the priority 1 alarms.

The alarms are displayed using techniques that help the operator quickly correlate the impact of the alarm on plant safety or performance. These techniques include grouping of displays which highlight the nature of the problem rather than the symptom denoted by the specific alarm condition. Another is the fixed spatial dedication of alarm displays allowing pattern recognition. Another is the plant level pictorial overview display on the IPSO board which shows success paths and critical functions impacted by the priority 1 alarms.

To insure that all alarms are recognized by the operator without task overload, all alarms can be either individually acknowledged, or acknowledged in small functionally related groups. All alarms can be acknowledged at any control panel. Momentary audible alerts for alarm state changes require no operator action to silence. Periodic momentary audible reminders are provided for unacknowledged conditions. The operator can affectuate a global alarm stop flash which will automatically resume in time, to allow for deferred acknowledgement.

In addition to alarms, an information notification category "Operator Aids" has been established for information that may be helpful for operations but is not representative of deviations from abnormal conditions. Conditions classified as "Operator Aids" include: channel bypass conditions, approach to interlocks and equipment status change permissive.

Some parameters have more than one alarm on the same parameter (i.e.. Seal Inlet Temperature Hi Hi and Hi) . To limit the operator's required response, the lower priority is automatically cleared without a reset tone or slow flash rate when the higher priority alarm actuates after actuation of the lower priority alarm. The Hi Hi alarm will be acknoweldged by the operator; therefore, the operator acknowledgement of the cleared lower priority alarm is unnecessary. When the condition improves to the point where the higher priority alarm clears, the condition will sound a reset tone and the alarm window will flash slowly. The operator will acknowledge that the higher priority alarm has cleared. If the lower priority alarm condition still exists, its alarm window or indicator will turn on in the acknowledged state after the operator acknowledges that the higher priority alarm has cleared. If the condition improves such that it clears both the high and low priority alarms before operator acknowledgement, then operator acknowledgement of the cleared high priority alarm will also clear the lower priority condition.

A key feature of the alarm system is its mode dependent and equipment status dependent logic. These features combine to greatly reduce the number of alarms received during significant events and limit those alarms to conditions that actually represent process or conditions that actually represent process or component deviations pertinent to the current plant state. Mode and equipment dependency is implemented both through alarm logic changes and setpoint changes. An alarm of mode dependency is the reduction in the low pressurizer alarm setpoint to avoid a nuisance alarm on a normal reactor ring. Equipment dependent logic is used to actuate a low flow alarm only when an upstream pump is supposed to be operating.

Four modes have been selected which correspond to significant changes in the alarm logic based on the plant state. These modes are:

1. Normal operation

2. Heatup/cooldown.

3. Cold shutdown/refueling.

4. Post-trip.

The alarm modes are manually entered by the operator with the exception of the post-trip mode. Upon a reactor trip, the alarm logic automatically switches to the post-trip mode with no operator action required. All equipment dependent alarm features are actuated automatically without operator action.

The RCS panel has over 200 conditions that can cause an alarm. To reduce the operator's stimulus overload due to the quantity of alarms and improve his alarm comprehension, many alarms are grouped into subfunctional groups (Figure 15) . The subfunctional group alarm tiles have a variety of related alarm messages that are read on the panel alarm message window (adjacent to the alarm tile) or CRT. In cases where key process related parameters are alarmed, there is a single alarm message for each alarm tile (i.e., RCS Pressure Low) . This single alarm message allows the operator to quickly identify the specific process relates problem.

Each alarm tile can be in one of the following states:

1. Unacknowledged Alarm - If there is an unacknowledged alarm associated with an alarm tile, the alarm tile will flash at a fast rate (i.e., 4 times/sec using a 50/50 duty cycle). This condition takes precedence over all other alarm tile states for group alarms.

2. Cleared Alarm/Return to Normal - When an alarm condition clears, the corresponding alarm tile flahses at a slow rate (i.e., 1 time/sec using a 50/50 duty cycle) until this condition has been acknowledged. This condition takes precedence over the remaining two states for grouped alarms.

3. Alarm - If an alarm condition exists and alarm states 1 and 2 above do not exist, then the alarm tile is lit.

4. No Alarm - If there is no alarm condition associated with an annunciator tile, then the alarm tile is not lit. To indicate that the alarm tile's bulb is functioning, a lamp test feature is provided. Alarm information is identified by a unique color, yellow. Grey color coding is used for Return to Normal conditions. Shape coding is used to identify alarm priority, i.e., 1, 2 or 3. A single bright color is used for alarm information to maximize the attention-getting quality of this information. The shape coding used for identifying alarm priorities uses representational features of decreasing levels of salience. Shape coding of alarm priorities also allows retention of priority information for Return to Normal conditions. The format for alarm representations is shown in Figure 9.

For priority 1 alarms, the alarm tiles, mimic diagram components, symbols, process parameters, and menu option fields have their descriptor presented in reverse image (i.e., blue letters on a yellow background) using the alarm color coding. The descriptor is presented in blue to provide good contract fopr readability. In addition, the alarm tiles and menu option fields on the CRT use the same representation.

For priority 2 alarms, the alarm tiles, mimic diagram parameters, components, menu options, and symbols have a thin (1 line) box using the alarm color code around their descriptor, which is yellow on a black background.

For priority 3 alarms, the alarm tiles, mimic diagram parameters, components, menu options, and symbols have brackets around their descriptors. For all alarms, English Descriptors on the CRT's message line are also represented with the alarm representation formats when they are in alarm. Each CRT page in the data processing system provides the operator with an overview of the existence of any unacknowledged alarm conditions and a general overview of where they exist within the plant. The standard menu provided with each display page contains the IPSO and all first level display pages as menu options (see Figure 10 menu region) . These menu option fields provide the existence of unacknowledged alarms in their sector of the display page hierarchy and their alarm status/priority by using the alarm highlighting featuresas described above. If an alarm tile is in alarm, a first level display page menu option field in the menu options shows that an alarm condition exists in an associated area of the display page hierarchy. The alarm tiles are categorized into the first level display page set as shown in Figure 11.

In addition to alarm information represented on the first level display page menu options, the following display page features are also used to represent the existence of alarms.

Display page menu options that provide access to levels 2 and 3 display pages are lit with the above described alarm representation if information on corresponding page is in larm (e.g. , if an unacknowledged alarm exists, the display page menu option is highlighted to show the highest priority unacknowledged condition) .

The operator can call up a display page directory containing a pictorial diagram of the display pages in a hierarchical format associated with a first level display page (see Figure 12) . Each of the level 2 and 3 display pages represented on this diagram provide alarm notification if information on that display page is in an unacknowledged alarm state. This alarm information is most useful for determining where alarms exist within an area of the display page hierarchy. For example, the operator would be notified by the display page menu that an unacknowledged alarm(s) exists in the auxiliary systems by grey alarm shape coding (return to normal) and slow flashing of alarm coding on the "AUX" menu option field. He can then access that directory/hierarchy to see what page(s) contains alarm information by touching the menu option "DIRECTORY" followed by "AUX". When the Auxiliary display directory comes up, the field(s) representing the display page(s) that contains the alarm condition(s) will be highlighted. The desired page that contains the alarm information is accessed by touching the flashing field.

The descriptors of components and plant data on the process display pages are alarm coded and flashed to provide indication of alarms and their acknowledgement status. A component's descriptor can provide this alarm information if a parameter associated with the component is in alarm. This is true even if the parameter in alarm is not represented on the display pages, e.g., low pump lube oil pressure is represneted by alarm coding of the associated component's symbol. To view the exact information that is in alarm, the operator can access a lower level display page, or use the alarm system features that are described later.

Each category 1 and 2 alarm annunciator tile may notify the operator of more than one possible alarm condition. To quickly determine the actual alarm condition, a message window is provided on each -43-

workstation. By depressing an unacknowledged alarming annunciator tile, an English description of the specific alarm condition is provided on the message window. The alarm tile remains flashing until all alarm conditions associated with the alarm tile have been acknowledged. The English descriptors of additional alarms can be accessed by redepressing the alarm tile.

At the same time that a message appears on the message window, an alarm message line is presented on the bottom of the display page on the workstation's CRT (see Figure 13) . The alarm message contaings the following information: Time, Priority, Severity (e.g., Hi, Hi-Hi) , Descriptor, Setpoint, and real time process value (coded as described to show the alarm priority and alarm condition) . If additional unacknowledged alarms exist that are associated with the tile, the number of additional unacknowledged alarms is specified within a circle at the right hand side of the message area (see Figure 13). In addition to this alarm message, menu options/fields appear on the display page menu (Region 4) and provide direct access to the display pages that can be used to obtain supporting or diagnostic information of the alarm condition. The display.regions are shown in Figure 22.

The alarm tiles that are in alarm can be accessed and acknowledged on any workstation CRT in a mechanism similar to accessing and acknowledging the alarms via the alarm tiles. By selecting the "Alarm Tiles" menu option followed by an alarming display page menu option, i.e., first level display page set (region 3) , ^• the alarm tiles that are in alarm, that are associated with the display page, are provided in region 4 of the display page menu. One (1) tile is depicted and a touch target that provides access to other tiles. The operator acknowledges and reviews these CRT alarm tiles by touch and obtains alarm messages and supporting display page touch targets in the same format as described earlier for the panel alarm tiles. This means of responding to alarming alarm tiles is most useful for responding to alarms at workstations that are remote to the operator's location.

All alarm conditions associated with an annunciator tile are held in a buffer. The buffer containing alarm conditions is arranged in the following format:

1. First-In Unacknowledged

2.

N Last-In Unacknowledged

N+l First-In Cleared/Return to Normal

N+2

n Last-In Cleared/Return to Normal n+A Acknowledged Alarms n+2

Depressing an alarm tile provides access to the alarm condition that is at the top of the buffer.

Acknowledging unacknowledged alarms moves these alarm conditions to the bottom of the buffer. Acknowledging cleared alarms drops them from the buffer. Previously acknowledged alarm(s) (n+l, +2,...) can be reviewed when there are no unacknowledged or cleared unacknowledged alarm conditions present. Upon reviewing these alarms, they move to the bottom of the buffer. Alarm messages for priority 3 alarms and operator aids are only generated by the computer and only appear on the message line of the CRT page; there will be no English descriptor provided on the message window. One annunciator tile is provided at each annunciator workstation for all priority 3 alarms and 1 alarm tile is provided on the workstation for operator aids that are associated with these workstation.

When an alarm condition changes priority, the following changes occur in the alarm handling system. When a higher priority alarm comes in on the same parameter, the previous alarm is automatically cleared (i.e., no operator acknowledgement necessary since he will need to acknowledge the higher priority condition) without a reset tone or slow flash rate. When an alarm condition improves to the point where the high priority alarm clears, the operator will need to acknowledge that the higher priority alarm has cleared; however, if the lower priority alarm still exists, it will turn on (upon operator acknowledgement of the higher priority cleared condition) and automatically go to the acknowledged state (i.e., no operator action required) . The new lower priority alarm condition will be observed by the operator when reading the alarm message in response to clearing the highest priority alarm.

The invention provides a means of listing, categorizing alarms and accessing supporting display pages. In this system, alarms are provided on alarm listing display pages. The categories of alarms in this listing are as follows (see Figure 14) : A) First Level Display Page Set (Major Plant System/Function Groupings)

B) Control Room Workstation

C) Alarm tiles

A workstation's alarm tiles in alarm are listed by priority. Alarms associated with the alarm tiles are listed as they are contained in the alarm tile's alarm buffer.

These alarm categories provide alarm data consistent with operator's information needs in response to alarm conditions. When accessing the Categorized Alarm Listing, the operator can easily select the data in the category he wishes to see. Using the "Alarm List" menu option followed by a display page feature that represents alarm condition(s) , the operator can view the specific alarm conditions that he is interested in. Three examples of accessing alarm data in the categorized list follow.

1) The operator selects the "Alarm List" menu option followed by the "Elec." menu option. This accesses the categorized alarm listing beginning with the electrical alarms.

2) If the operator wishes to view alarms associated with a specific alarm, e.g. , RCPIA, he selects the following menu options:

"Alarm Files"

"Primary" The display page's menu changes to a representation of the alarm tiles that are in alarm and are associated with the Primary Systems (see Figure 14) . At this time, the operator can request one of two different types of information formats associated with the displayed alarm tiles: A. Categorized Alarm List - The operator selects "Alarm List" followed by the tile, e.g., "RCPLA", menu option. The categorized alarm list is accessed with RCPIA alarms at the top of the page.

B. Alarm Messages - The operator can use the alarm tile menu options in the same method that the control panel alarm tiles are used. The selection of an alarm tile menu option provides the alarm message and a menu with display pages that can provide supporting information about the alarm condition.

Alarm information is also provided on all process display mimic diagrams which contain a component or parameter which is in an alarm condition. Color, and shape coding is used to indicate alarm conditions, as described earlier. Parameters in alarms that are associated with a component can cause the represented component's descriptor to be highlighted to indicate an alarm condition if the parameter is not visible on the display page, e.g. , pump lube oil pressure may not be listed on a level two display page, so the pump's descriptor may be alarm coded. If the operator desires to see the exact alarm condition associated with a component, he would access the appropriate lower level display page. Alternatively, he could touch the "Alarm Tiles" menu option followed by touching the component's descriptor and respond to the alarm using alarm tile representations. This action also accesses menu options associated with display pages that provide more detail about the component.

The following means of alarm acknowledgement is provided with the invention. 1) Alarm acknowledgement via the annunciator tiles - Alarms can be acknowledged by depressing alarming/unacknowledged annunciator tiles or a CRT annunciator tile representation. This action changes the annunciator tile from a flashing condition to a solid condition when all alarm conditions associated with the tile have been acknowledged and silences any audible sound (described later) associated with the alarm condition. Alarm messages are viewed on the message window (when using the physical tile) and the workstation's CRT message line (see Figure 16) .

2) Alarm acknowledgement using alarm listing pages - Alarms can be acknowledged on the categorized listing by touching alarm tile touch targets associated with the alarm tile categories (see Figure 14) . Upon touching the alarm tile's representation, all alarms associated with that tile are acknowledged. This means of alarm acknowledgement may be the most useful for acknowledging multiple alarms remote to the operator's location.

Each of these methods of alarm acknowledgement clears unacknowledged alarm indicators in the other alarm formats.

When an alarm condition clears, the operator needs to be notified. Notification is accomplished by flashing the annunciator tiles and associated process display page information at a slow rate. Acknowledging or resetting the cleared alarm indications takes place in a mechanism similar to acknowledgement of new alarms, i.e., touching an alarm tile or CRT alarm representation/feature. Distinct sounds/tones are provided in the control room to indicate the following alarm information:

1. Unacknowledged Priority 1 or 2 Alarms.

2. An Alarm Reminder Tone for Priority 1 or 2 Unacknowledged or Cleared Conditions.

3. Cleared Priority 1 Alarms, or Cleared Priority 2 Alarms.

An audible alarm, tone 1 or 3, is only present for 1 second and tone 2 will repeat periodically, once every minute, until all new or cleared alarms are acknowledged.

In situations where multiple unacknowledged alarms exist, the operator needs to direct his attention at the highest priority new alarm conditions. In this situation, all other unacknowledged alarms, i.e., new priority 2, 3 and all cleared alarm conditions, are added noise that distracts the operator from most important alarm conditions. In the control room, a "STOP FLASH" and "RESUME" button exists at the MCC, ACC and ASC. When the "STOP FLASH" button is depressed, the alarm system's behavior exhibits the following characteristics:

- All new/unacknowledged priority 2, 3 and operator aid features change from a fast flash rate to a steady highlighted condition, i.e., tiles and CRT alarm representations.

Any cleared alarm conditions, i.e., slow flash rate, are not presented as alarm information.

- Any new alarm condition or cleared alarm condition coming in after the "STOP FLASH" button has been activated, is normally displayed to the operator (i.e., flashing). However, the operator may redepress the alarm "STOP FLASH" button to suppress these conditions. The alarm reminder tone informs the operator about any unacknowledged new or cleared alarm conditions that exist. To identify these conditions for acknowledgment, the operator selects a "resume" button which returns all unacknowledged and cleared conditionε to their normal representational alarm status.

The alarm suppression button is backlit after selection to show that the alarm suppression feature is active.

So that the operator can provide quick, direct access to supporting information thereby enhancing the operator response to alarm conditions, a single operator action provides alarm acknowledgement, display of alarm parameters, and selection options for CRT display pages appropriate for the alarm condition.

The invention provides redundancy and diversity in alarm processing and display such that the operators have confidence in intelligent alarm processing techniques and such that plant safety and availability are not impacted by equipment failures. Priority 1 and 2 alarms are processed and displayed by two independent systems. Two-system redundancy is invisible to the operators through continuous cross-checking and integrated operator interfaces.

Figures 16-18 show a schematic alarm response using the tiles in accordance with the invention. The illustrated group of tiles is associated with the reactor coolant pump seal monitoring in the reactor cooling system panel shown in Figure 3. The priority 2 seal/bleed system trouble alarm is illuminated to alert the operator, who then can read a more complete message in the message window, which indicates a high control bleed-off pressure. Such a message is provided for priority 1 and 2 alarms. The same message in more complete form is displayed on the panel CRT. The CRT also identifies menu options that indicate useful supporting display pages. Alternatively, the operator may directly access a listing of all the alarms in a particular group.

Thus, overview of the alarm conditions is provided with the tiles, and the detail is provided with the associated messages. A given alarm is rendered more or less important at a particular point in time, depending on the equipment status and the mode of operation of the NSSS. Alarm handling is reduced by validation of the parameter signals, and clearing automatically lower priority alarms when one of the higher priority alarms is actuated on the same condition.

IV. DATA PROCESSING SYSTEM

A. The CRT Display

The CRT shown in the center of the panel in Figure 3 is part of the data processing system which processes and displays all plant operational data. Thus, it is linked to all other instrumentation and control systems in the control room.

Figures 2, 28 and 30 schematically show the relationship of the data processing system with the control system, plant protection system, and discrete indication and alarm system. The data processing system recieves from the control system, the same sensor data that is used by the control system for executing the control logic. Likewise, it receives from the discrete indication and alarm system the validated sensor data that is used by the discrete indication and alarm system for generating the discrete alarms and displays. The plant protection system does not use internally validated data for its trip logic, and this "raw" signal is for each channel passed along to the data processing system which performs its own signal validation logic on the plant protection system signals, and passes on the internally validated signal to the validated signal comparison logic. In that functional area, the validated signals from the control system, the plant protection system and the discrete indication and alarm system are compared and displayed on the CRT. It should be appreciated that both the validated signal from the comparison logic and the validated signal from the plant protection system are available for display on the CRT.

Thus, the CRT display within each panel includes signal validation and all CRTs in the plant are capable of accessing any information available to the other CRTs in the plant. Moreover, on any given CRT, the alarm tile images from any other panel may be generated and the alarms acknowledged. Detailed display indicator windows may be accessed as well. The CRTs have a substantially real time response, with at most a two-second delay.

The CRT display pages contain all the power plant information that is available to the operator, in a structured, hierarchic format. The CRT pages are very useful for information presentation because they allow graphical layouts of power plant processes in formats that are consistent with operator visualization. In addition, CRT formats can aid operational activities, where appropriate, by providing trends, categorized listing, messages, operational prompts, as well as alert the operator to abnormal processes. The primary method the operator obtains information formats on the CRTs is through a touch screen interface which operates in a known manner. The touch screens are based on infrared beam technology. Horizontal and vertical beams exist in a bezel mounted around the face of each color monitor. When the beams are obstructed by the user, the coordinates are cross-referenced with the display page data base to determine the selected information.

Messages and Supporting Display page option touch targets can be accessed onto panel CRTs by touching other panel features, e.g., discrete indicators and alarm tiles. IPSO is available as a display page and forms the apex of the display page hierarchy. Three levels exist below IPSO, where each level of the hierarchy provides consistent information content to satisfy particular operational needs. The structure of the hierarchical format is based on assisting the operator in the performance of his tasks as well as providing quick and easy access to all information displayed via the CRTs. The display formats on the top level provide information for general monitoring activities, while the lowest level formats contain information that is most useful for supporting diagnostic activities.

Level 1 display pages provide information that is most useful for general monitoring activities associated with a major plant process. These display pages inform the operator of major system performance and major equipment status and provide direction to lower level display pages for supportive or diagnositc information. The level 1 display pages are as follows: 1) Primary Systems (example, see Figure 19)

2) Secondary Systems

3) Power Conversion

4) Electrical Systems

5) Auxiliary Systems

6) Critical Functions

Level 2 display pages provide information that is most useful for controlling plant components and systems. These pages contain all information necessary to control the system's processes and functions. Parameters which must be observed during controlling tasks appear on the same display, even though they may be parts of other systems. Proposed operating procedures or guides for controlling components are utilized for determining which parameters to display. Figure 20 is a sample display for Reactor Coolant Pump 1A and IB Control. The operator would normally monitor the "Primary System" display page to assess RCS performance. If the operator wishes to operate or adjust RCP 1A or IB, the operator would access the control display page. All information for Reactor Coolant Pump Control is on the control display to preclude unnecessary jumping between display pages.

Level 3 display pages provide information that is most useful for diagnostic activities of the component and processes represented in level 2 display pages. Level 3 display pages provide data useful for instrument cross-channel comparisons, detailed information for diagnosing equipment or system malfunctions, and trending information useful for determining direction of system performance changes, degradation or improvement. Figure 21 shows a diagnostic display of the Seal and Cooling section of RCP1A; the pump portion, the supporting oil system, and the motor section are presented on a separate display page due to display page information density limits. Display page access is accomplished through the use of menus placed on the bottom of the display pages. Each display page contains one standard menu format that provides direct, i.e., single touch, access to all related display pages in the information hierarchy. The menu has fields (see Figure 10) where display page title are listed. By selecting a field (a thru j), the specified display page is accessed. The menu option fields associated with a display page includes the following (see Figure 22) .

1) The next higher level (when applicable) display page in the hierarchy, item (c) . This feature is more meaningful on a 3rd level display page since the next higher level page is a level 2 display page which is not normally on the menu.

2) Display pages of systems that are connected to or support the process of the presently displayed page (h,i) .

3) All six first level display pages (b,c,d,e,f,g) .

4) The IPSO display page (a) .

5) The last page viewed on the monitor (j).

To access a display page described by a menu option, the operator would select the menu option (a-k) by touching the desired menu option field on the monitor. The menu option is highlighted (using black letters on a white background) until the display page appears. Since the menu options provide direct access to a minimum set of display pages in the display page hierarchy, alternate means are available for quickly accessing other display pages. Three options are available to the operator: (1) Display Page Access Using Alarm Tiles - This mechanism for display page access may be most useful for obtaining display pages associated with the workstation's process. By pressing a workstation alarm tile, region 4 of the workstation CRT's display page menu changes to a new menu with display page options associated with the alrm tile's descriptor. For example, an RCP1A alarm tile provides menu options associated with RCP 1A. The desired display page will then be a direct access menu option.

(2) Accessing CRT Information from the Discrete Indicators - Each discrete indicator has a CRT access touch target. This button provides for access to supporting information for the process parameter that is presently displayed on the discrete indicator. By touching the CRT target on the discrete indicator, region 4 of the menu options on the workstation's CRT changes to menu options containing display pages with supporting and diagnostic information associated with the process parameter.

(3) Display Page Access Using a Display Page Directory - Any display page of the display page hierarchy can be accessed using the presently displayed menu. For example, if the operator is viewing the Feedwater System display page and wants to access the CVCS display page, the following sequence takes place (refer to Figures 22 and 4) :

The operator selects "by touch" the "DIRECTORY" menu option (option 1 on Figure 22) followed by the "PRIMARY" menu option (option b on Figure 22) . This accesses the primary section of the display page hierarchy from the display page library (see Figure 4) . Each display page within the primary section of the display page hierarchy is a touch target on this display page, and now the operator can select the CVCS display page. Any page in the display page hierarchy can be accessed using this feature. The "DIRECTORY" menu option is followed by the desired hierarchy associated with one of the six first level display pages, menu options b,c,d,e,f or g on Figure 22. In addition to the menu options described above, menu options exist for "LAST PAGE", "ALARM LIST", "ALARM TILES", "OTHER", and horizontal paging options ("Keys"). The "LAST PAGE" (option j on Figure 22) provides direct access to the last page that was on the monitor. This iε very useful to operators for comparison of information between two display pages, or retrieval of information that the operator was previously involved with.

The "ALARM LIST" (option n on Figure 22) provides for quick access to the alarm listing display pages.

The "ALARM TILES" (option m on Figure 22) provides for quick access toi alarm tile representations of active alarm tiles in the area above Region 4(see Figure 23) of the workstation's CRT menu. This allows an operator to access alarm information associated with specific tiles on any workstation's CRT. This method of alarm access is further deεcribed in Section 5 of thiε document.

The "OTHER" (option k on Figure 22) provides access to display pages or information that does not fall into the categories of information described by the presently displayed menu options. B. IPSO

Another part of the data procesεing system is the integrated process status overview (IPSO board) . Although the number of displays and alarms stimulating the operator at any one time can be considerably reduced using the panels having the discrete alarm, discrete display, and CRT displays described above, the number of stimuli is still relatively high and, particularly during emergency operations, may cause delay in the operator's understanding of the status and trends of the critical systems of the NSSS. A single display is needed that preεents only the highest level concerns to the operator and helps guide the operator to the more detailed information as it is needed. Although some attempts have been made in the past to present a large board or display to the operator, such displays to date have not included a significant consolidation of information in the nature to be described below.

The IPSO board presents a high level overview of all high level concerns including overview of the plant state, critical safety and power functions, symbols representing key systems and processes, key plant data, and key alarms. IPSO information includes trends, deviations, numeric values of most representative critical function parameters, and the existence and system location of priority 1 alarms including availability and performance status for systems supporting the critical functions. This is otherwise known as success path monitoring. The IPSO board also can identify the existence and plant area location of other unacknowledged alarms. Thus, IPSO bridges the gap between an operator's tendency toward system thinking and a more desirable assessment of critical functions. This compensates for reduction in the dedicated displays to help operators maintain a field plant conditions. It also helps operators maintain an overview of plant performance while being involved in detailed diagnostic tasks. IPSO provides a common mental visualization of the plant process to facilitate better communication among all plant personnel.

In Figure 25, the condition illustrated is a reactor trip. At the instance illustrated, the temperature rise in the reactor is 27° and the average temperature rise iε higher than desired and rising as indicated by the arrow and "+". The pressurizer pressure is higher than deεired, but it is falling. Likewise, the steam generator water level is higher than desired but falling.

Figure 24 shows a CRT display page hierarchy wherein the IPSO is at the apex, the first level display page set contains generic monitoring information for each of the secondary, electrical, primary, auxiliary, power conversion and critical function systems, the second level of display pages relates to system and/or component control, and the third level of display pages provides details and diagnostic information. IPSO is a continuous display visible from any control room workstation, the shift supervisor's office, and Technical Support Center. The IPSO is centrally located relative to the master control console. The IPSO also exists as a display page format that is accessible from any control room workstation CRT as well as remote facilities such as the Emergency Operations Facility. The IPSO large panel format is 4.5 feet high by 6 ffet wide. Its location, above and behind the MCC workstation, is approximately 40 feet from the shift supervisor's office (the furthest viewable point) .

One of the beneficial aspects of IPSO is the use of IPSO information to support operator responεe to plant disturbances, particularly when a disturbance effects a number of plant functions. IPSO information supports the operator's abaility to respond to challenges in plant power production as well as safety-related concerns.

IPSO supportε the operator's ability to quickly assess the overall plant's process performance by providing information to allow a quick asseεεment of the plant'ε critical εafety functionε. The concept of monitoring plant power and εafety functionε allows a categorization of the power and εafety-related plant processeε into a manageable set of information that is representative of the various plant processes.

The critical functions are:

Function

1. Reactivity Control

2. Core Heat Removal

3. RCS Heat Removal

4. RCS Inventory Control

5. RCS Presεure Control

6. Steam/Feed Conversion

7. Electric Generation

8. Heat Rejection

9. Containment Environment Control

10. Containment Isolation

11. Radiological Emissions Control

12. Vital Auxiliaries

A 3x4 alarm matrix block containing a box for each critical function exist in the upper right hand corner of IPSO (see Figure 25) . The matrix provides a single location for the continuous display of critical function status. If a priority 1 alarm condition exists that relates to a critical function, the corresponding matrix box will be highlighted in the priority 1 alarm presentation technique. Critical Function alarms are representative of one of the following priority 1 conditions:

Failure to satisfy the safety function status checks, (post-trip) . - Poor performance of a success path/system that is being used to support a critical function. An undesirable priority 1 deviation in a power production function (pre-trip) . Unavailability of a safety system (less than minimum availability as defined by Reg. Guide 1.47) .

The 3x4 matrix representation is an overview summary of the lεt level critical function diεplay page information. The operator obtains the details associated with critical function and Success Path alarms in the Critical Function section of the display page.

Each critical function can be maintained by one or more plant systems. Information on IPSO is most representative of the ability of supporting systems to maintain the critical functions. For some critical functions, the overall status of the critical function can be assessed by a most representative controlled parameter(s) . For these critical functions, the process parameter's relationship to the control setpoint(s) and indication of improving or degrading trendε iε represented on IPSO to the right of the parameter's descriptor.

An arrowhead is used if the integral of the parameter's value is greater than an acceptable narrow band control value, indicating that the parameter iε moving toward or away from the control εetpoint. The arrowhead's direction, up or down, indicates the direction of change of the procesε parameter. If these parameters deviate beyond normal control bounds, a plus or minus sign is placed above or below the control εetpoint representation.

The following bases were used for the εelection of parameterε or other indications that are used on IPSO to provide the monitoring of the overall status of the critical functions.

1. Reactivity Control

Reactor power iε the only parameter displayed on the IPSO as a means of monitoring reactivity. Using Reactor Power, the operator can quickly determine if the rods have inserted. He can also uεe Reactor Power to determine the general rate and direction of reactivity change after εhutdown. Reactor Power is displayed on IPSO with a digital representation because a discrete value of this parameter is most meaningful to both operators and administrative personnel. The IPSO also provides an alarm representation on the reactor vessel if there is a priority 1 alarm condition associated with the Core Operating Limit Supervisory System.

2. Core Heat Removal

A representative Core Exit Temperature and Subcooled Margin are the parameters presented on IPSO for determining if Core Heat removal is adequate. If Core Exit Temperature is within limits, then the operator can be assured of maintaining fuel integrity. The Subcooling Margin is used because it gives the operator the temperature margin to bulk boiling.

Core Exit Temperature is represented on IPSO by using a dynamic representation (i.e., trending format), since there is a distinct upper bound that defines a limit to core exit temperature, and setpoints for representational characteristics can be easily defined.

Subcooled Margin is also represented on IPSO using a dynamic representation since there is a lower bound which defines an operational limit for maintaing εubcooling. 3. RCS Heat Removal

T_H, T_c, S/G Level, and T_ave are uεed on IPSO to provide the operator the ability to quickly assess the effectiveness of the RCS Heat Removal Function.

In order to remove heat from the Reactor Coolant, S/G Level must be sufficiently maintained so that the necessary heat transfer can take place from the RCS to the steam plant. A dynamic representation is used so the operator can observe degradiations or improvements in deviant condition at a glance.

TJJ and T_c are used on IPSO because they are needed by the operator to determine how much heat is being transferred from the reactor coolant to the secondary syεtem. A digital value of theεe parameters is used since a quick comparison of these parameters is desired for observing the delta T. In addition, an indication of their actual values are used often and would be helpful to an operator in locations where the discrete indicator displaying T_n and T_c is not easily visible. T_ave is presented on IPSO using a dynamic representation to allow quick operator asseεsment of whether this controlled parameter is within acceptable operating bounds.

4. RCS Inventory Control

Pressurizer Level is presented on the IPSO using a dynamic representational indication to allow the operator to quickly access if the RCS has the proper quantity of coolant and observe deviations in level indicative of improving or degrading conditions.

5. RCS Presεure Control

Preεsurizer Presεure and Subcooled Margin iε used aε the indicationε on IPSO to determine the RCS Preεεure Control.

A dynamic repreεentation iε uεed on IPSO to notify the operator of changing preεεure conditionε that may indicate RCS depressurization or over pressurization.

A dynamic repreεentation is used on IPSO for saturation margin. A saturation condition in the RCS can adversely affect the ability to control pressure by the pressurizer. Also, if pressure is dropping, the subcooled margin monitor representation on IPSO depicts a decrease in the margin to saturation.

6. Steam/Feed Conversion

The processes associated with Steam/Feed Conversion can be quickly asεessed by providing the following information on IPSO:

(a) Feedwater and Condenεate Syεtem Statuε Information (i.e., operational status, alarm status)

(b) Steam Generator Levels, Dynamic Representation

(c) Steam Generator Safety Valve Statuε

(d) Atmospheric Dump Valve Status

(e) Main Steam Isolation Valve Status

(f) Turbine Bypass System Status 7. Electric Generation

The processes associated with Electric Generation can be quickly assessed by providing the following information on IPSO:

(a) Plant net electric output, digital value.

(b) Alarm information for deviations in important processes associated with the main turbine and turbine generator.

(c) Power distribution operational and alarm status to the plant busses and site grid.

8. Heat Rejection

The processeε aεεociated with heat rejection can be quickly aεεeεsed by providing the following information on IPSO:

(a) Circulation water system status.

(b) Alarm information for critical deviations in condenser pressure conditions.

9. Containment Environment Control

Containment Presεure and Containment Temperature are the parameterε which are uεed on the IPSO to monitor the control of the Containment Environment. Theεe are preεented on IPSO using a dynamic representation to allow assessment of trending and relative values. The Containment Pressure variable is used on the IPSO to warn the operator about an adverse overpressure situation which could be the result of a break in the Reactor Coolant System. The Containment Temperature also helps indicate a possible break in the Reactor Coolant System; it also can indicate a combustion in the Containment Building.

10. Containment Isolation

The Containment Isolation Safety function is monitored on the IPSO with a Containment Isolation εyεtem εymbol representation. This symbol will be driven by an algorithm which presentε the effectiveness of the following containment isolation εituations when the asεociated conditionε warrant containment isolation:

Containment Isolation Actuation

Safety Injection Actuation

Main Steam Isolation

Containment Purge Isolation

11. Radiological Emissions Control

Radiation symbols exist on IPSO which preεents notification of high radioactivity levels such aε inεide containment, and (2) radiation associated with radioactivity release paths to the environment, these symbolε will only be preεented on IPSO when high radiation levelε exiεt. Theεe indications are presented in the alarm color in a location relative to the senεor in any of the following situations occurs:

- High Containment Airborne Radiation

High Activity Aεεociated, with Any Releaεe Path

- High Coolant Activity

12. Vital Auxiliarieε

Vital Auxiliarieε are monitored on IPSO by providing the following information:

(a) Diesel Generator Status

(b) Status of Power Distribution within the Power Plant

(c) Instrument Air System Status

(d) Service Water System Status

(e) Component Cooling Water System Status

The syεtemε represented on IPSO are the major heat transport path syεtemε and εystems that are required to support the major heat transport process, either power or safety related. These systems include systems that require availability monitoring per Reg. Guide 1.47, and all major success paths that support the plant Critical Functions.

The following systems have dynamic representations on IPSO:

CCW - Component Cooling Water

CD - Condensate

Cl - Containment Isolation

CS - Containment Spray

CW - Circulating Water

EF - Emergency Feedwater

FW - Feedwater

IA - Instrument Air

SDC - Shutdown Cooling

RCS - Reactor Coolant

SI - Safety Injection

SW - Service Water

TB - Turbine Bypass

System Information presented on IPSO includes systems operational status, change in operational status (i.e., active to inactive, or inactive to active) and the existence of a priority one alarm(s) associated with the system. Alarm information on systemε can alεo help inform an operator about success path related Critical Function alarms.

Priority 1 alarm information is also presented on IPSO by alarm coding the descriptors of the representative featureε on IPSO aε deεcribed above. V. INTEGRATION OF CONTROL ROOM Figure 27 preεents an overview of the integrated information presentation available to the operator in accordance with the invention. From the integrated proceεε status overview or board, the operator may observe the high priority alarms. If the operator is concerned with parameter trends, he may view the discrete indicators. If he iε intereεted in the εyεtem and component εtatus, he may view the settingε on the system controls. Thus, the IPSO information is displayed either on the board or at the panel CRT, and the other information from the operator's panel or any other panel, is available to the operator on his CRT. From the IPSO overview, the operator may navigate through the CRT or DIAS display pages. Moreover, the operator has direct acceεε to either of these types of information from any of the control panels and when a system control is adjuεted or set, the results are incorporated into the other alarm and display generatorε in the other panelε.

As shown in Figures 2 and 28-31, in general overview, the integration of the system means that each panel including the main console, the safety console, and the auxiliary console, includes a CRT which is driven by the data proceεεing system. The data processing system utilizes the plant main computer and, although being more powerful, it is not as reliable as the DIAS computerε (which may be diεtributed microprocessorε-baεed on mini-computer baεed) . Alεo, it iε slower because it iε menu driven and performε many more computations. It is uεed primarily for conveying the moεt important information to the operator and thuε important alarm tileε can be viewed on each CRT and acknowledged from any CRT. Any information available on one CRT is available at every other CRT. The alarm system and indicator system for a given panel is related to the controls, and the discrete (i.e., quick and accurate) aspects of the alarm indicator, and controls of that panel are not available at any other panel.

Basically, information is categorized in three ways. Category 1 information must be continuously displayed at all times and this is accomplished in DIAS. Category 2 information need not be continuously available, but it must nevertheless be available periodically and this is also the responsibility of DIAS. Category 3 information is not needed rapidly and is informational only, and that is provided by the DPS. In the event of the failure of DPS, some esεential information iε provided by DIAS. The DPS and DIAS are connected to the IPSO board by a display generator. From the IPSO, the operator can obtain detailed information either by going to the panel of concern, or paging through the CRT displays.

It should be appreciated that DIAS and DPS do not necesεarily receive inputs for the same parameters, but, to the extent they do receive information from common parameters, the sensors for these parameters are the same. Moreover, the validation algorithms used in DIAS and DPS are the same. Furthermore, the algorithms used for the discrete alarm tiles and the discrete indicators include as part of the computation of the "representative" value, a comparison of the DIAS and DPS validated values.

Figure 29 is a block diagram repreεenting the discrete indicator and alarm system in relation to other parts of the control room signal processing.

The DIAS syεtem preferably is segmented so that, for example, all of the required discrete indicator and discrete alarm information for a given panel is processed in only one εegment. Each segment, however, includes a redundant processor. The information and processing in DIAS 1 is for category 1 and 2 information which is not normally displayed directly on IPSO. IPSO normally receiveε itε input from the DPS. However, in the event of a failure of DPS, certain of the DIAS information is then sent to the IPSO diεplay generator for preεentation on the IPSO board.

It should also be appreciated that both DIAS and the DPS utilize sensor output from all sensors in the plant for measuring a given parameter, but that the number of sensors in the plant for a given parameter may differ from parameter to parameter. For example, the pressurizer pressure is obtained from 12 senεors,whereas another parameter, for example, from the balance of plant, may only be measured by two or three senεors. Some systemε, εuch aε the plant protection εyεtem, do not employ validation because they must perform their function aε quickly as possible and employ, for example, a 2 out of 4 actuation logic from 4 independent channels. In the event the validation for a given parameter differε aε determined within two or more εystems, an alarm or other cue will be provided to the operator through the CRT.

One of the significant advantages of the present invention is that the DPS need not be nuclear qualified, yet it can be confidently uεed because it obtainε parameter values from the same sensors as the nuclear qualified DIAS. These are validated in the same manner and a comparison is made between the validated DPS parameters and the validated DIAS parameterε, before the DPS information iε diεplayed on the CRTs or the IPSO. The nuclear qualification of the alarm tileε and windows, and the discrete indicator displays in the DIAS are preferably implemented using a 512X256 electroluminescent display panel, power conversion circuitry, and graphics drawing controller with VT text terminal emulation, such as the M3 electroluminescent display module available from the Digital Electronics Corporation, Hayward, California. The control function of each panel is preferably implemented using discrete, distributed programmable controllers of the type available under the trademark "MODICON 984" from the AEG Modicon Corporation, North Andover, Massachusetts, U.S.A. Thus, the computational basis of the DIAS is with either distributed, discrete programmable microprocessors or mini computers, whereas the computational basis of the DPS is a dedicated main frame computer.

The ESF control system and the process component control system are shown schematically in Figure 3, whereas the plant protection εyεtem iε preferably of the type based on the "Core Protection Calculator" system such as described in U.S. Patent 4,330,367, "System and Process for the Control of a Nuclear Power System", issued on May 18, 1982, to Combustion Engineering, Inc. , the disclosure of which is hereby incorporated by reference.

Another aspect of integration is the capability to diεplay the critical functionε and succesε path in IPSO aε deεcribed above. Since the major εafety and power generating εignal and εtatus generators are connected to both DIAS and DPS, the operator may page through the critical functions in accordance with the display page hierarchy shown in Figures 32 through 35. In Figure 33, the operator iε informed that the emergency feed is unavailable in the reactant coolant syεtem. In Figure

34, the operator is informed that the emergency feed is unavailable and the reactor is in a trip condition. Under these circumstances, the operator must determine an alternative for removing heat from the reactor core and by paging to the second level of the critical function display page which, although εhown for inventory control, would have a comparable level of detail for heat removal. Thiε type of information with this level of detail and integration is available for all critical functions under εubstantially all operating conditions, not only during accidentε.

VI. PANEL MODULARITY:

It εhould be appreciated that, as mentioned above, the discrete tile and message technique significantly reduces the εurface area required on the panel to perform that particular monitoring function. Similarly, the diεcrete diεplay portion of the monitoring function, including the hierarchical pages, is condensed relative to conventional nuclear control room syεtemε. The control function on a given panel can be consolidated in a similar fashion.

Thus, a feature of the present invention is the physical modularity of each panel constituting the master control console, and more generally, of each panel in the main control room. In essence, the space required for effective interface with the operator for a given panel, beco eε independent of the number of alarms or displays or controls that are to be accessed by the operator. For example, as εhown in Figure 3, εix locationε on each εide of the CRT may be allocated for alarm and indicator display purposes. Preferably, the top two on each side are dedicated to alarms and the other four on each side dedicated to the indicator display. An identical layout is provided for each panel in the control room.

This permits significant flexibility and cost savings during the construction phase of the plant because the hardware can be installed and the terminals connected early in the construction schedule, even before all system functional requirements have been finalized. The software based systems are shipped early with representative software installed to allow preliminary checking of the control room operations. Final software installation and functional testing are conducted at a more convenient point in the construction schedule. This method can accelerate plant construction schedules for the instrumentation and control systems significantly. Since the instrumentation and control requirements for a given plant are often not finalized until late in the plant design εchedule, the preεent invention will in almoεt every case significantly reduce costly delays during construction. This is in addition to the obvious cost savings in the ability to fabricate uniform panels, both in the engineering phase normally required to select the locations of and lay out the alarms and displays, and in the material savings in fabricating more compact panels. Furthermore, such modularity in the plant facilitates the training of operators and, when operators are under stress during emergencies, should reduce operator error because the functionality of each panel is spatially consistent.

Thus, each modular control panel has spatially dedicated discrete indicators and alarms, preferably at leaεt one spatially dedicated discrete controller, a CRT, and interconnections with at least one other modular control panel or computer for communication therewith. For example, communication via the DPS includes, among other things, the ability to acknowledge an alarm at one panel while the operator is located at another panel, and the automatic availability at every other panel of information concerning the system controlled at one panel.

Figure 36 (a) illustrates the conventional sequence for furniεhing instrumentation and control to a nuclear power plant and 36(b) the sequence in accordance with the invention. Conventionally, the input and outputs are defined, the necesεary algorithms are then defined, and these specify the man machine interface. Fabrication of all equipment then begins and all equipment is installed in the plant at substantially the same time before system testing can begin. In contraεt, the modularity of the present invention permitε fabrication of hardware to begin immediately in parallel with the definition of the input/output. Likewise, the hardware can be installed and generically teεted in parallel with the definition of the man machine interface and the definition of the algorithms that are plant specific. The hardware and software are then integrated before final testing. In a conventional nuclear installation, the equipment is installed during the fourth year of the entire instrumentation and control activity, whereas with the present invention, equipment can be installed during the second or third year.

With further reference to Figure 2, the process component control syεtem and the engineered εafety features component control system use programmable logic controllers similar to the Modicon equipment mentioned above including input and output multiplexors and asεociated wires and cabling, all of which can be shipped to the plant before the plant specific logic and algorithms have been developed. This equipment is fault tolerant.

The data procesεing system uses redundant plant main frame computers, along with modular software and hardware and associated data links. Such hardware can be delivered and the modular software that is specific to the plant installed, just prior to integration and system testing.

The DIAS also uses input/output multiplexors and a fault tolerant arrangement, with programmable logic processors or mini-computers, with the same advantages as deεcribed with reεpect to the proceεs control and engineered safety features control systems

Claims

1. An indicator εyεtem for displaying the value of a plant operating parameter to an operator in a control room of a nuclear power plant, the plant including a plant protection system having a plurality of process parameter sensors each of which generates one of a first set of respective value εignals (PI,

P2, ...Pn) for the same process parameter and a plant control syεtem having a plurality of proceεs parameter sensors each of which generates one of a second set of respective value εignals (Cl, C2,...Cn) for said same process parameter, and means for transmitting all said signals in digital form to the control room, wherein the indicator syεtem compriseε: a digital processor located in the control room for receiving and procesεing all εaid signals and generating a third set of display signals commensurate with the value signal of each senεor, respectively, and a fourth display signal composed from said third set of signalε and commensurate with a representative value of the parameter; an operator interface coupled to the digital processor and including display means for selectively generating images of numeric values commensurate with said third set of display signals and said fourth display signal.

2. The indicator system of claim 1, wherein the digital processor includes logic means for composing said fourth signal from said third signals by discarding any of the signals in said third set of signals that deviates from the average value of the third set by more than a predetermined amount.

3. The indicator system of claim 1, wherein the operator interface includes a single display screen and wherein said means for generating images generates a first page image of numeric values commensurate with the fourth signal and a second page image of numeric values commensurate with the third set of signals.

4. The display system of claim 1, wherein said operator interface includes means for selectively displaying images of only the third set of signals, only the fourth signal, or both the third set and fourth signal.

5. The display system of claim 1, wherein the digital processor includes means for storing values of the fourth signal during a period of real time, and the means for generating a dispaly includes a screen for displaying the fourth signal and a trend graph of the fourth signal during said period of time.

6. A method for generating in a control room, a representative value of a process parameter in a nuclear power plant, the plant including a first plant system having a plurality of process parameter sensors from each of which the first system generates a first set of respective measurement value signals (PI, P2, Pi,...Pn) for the same process parameter and a second plant system having a plurality of process parameter sensors from each of which the second system generates a second set of respective measurement value signals (Cl, C2, Ci,...Cm) for said same process parameter, wherein the method comprises the steps of: conveying all said measurement value signals in digital form to a digital processor; storing a tolerance; in the digital procesεor, computing a weighted average of all value signals (PI, P2, Pi,...Pn) and (Cl, C2, Ci, ...Cm) ; comparing each of the value signals with the sum of said weighted average and said tolerance; determining whether one or more value signals Pi,Ci, fall outside said sum; recomputing the weighted average excluding any values that fall outside said sum as a validated average; and displaying the validated average in the control room as a representative value of the parameter.

7. The method of claim 6, wherein the step of displaying includes selectively displaying the validated average on one display screen and each of the value signals (PI, P2, Pi,...Pn) and (Cl, C2, Ci,...Cm) on another display εcreen.

8. An alarm εyεtem for alerting the operator of a nuclear power plant of abnormal operating conditions, the plant including a plurality of proceεε parameter εenεors each of which generateε a condition signal for a given process parameter, wherein the alarm system comprises: a digital processer including means responsive to the condition signalε, for computing a single representative condition signal for the parameter; a display interface coupled to the digital proceεsor, the interface including, a first screen area for displaying the images of a plurality of alarm tiles in a normal state and in an activated εtate that includeε a conciεe meεεage within the activated tile image, at leaεt one of the tile images and associated messages relating to said parameter. meanε for εtoring an alarm activation threshold for an abnormal condition of the parameter, means for comparing the representative condition signal with the threshold and activating at least one of the tiles relating to said parameter condition when the threshold is exceeded.

9. The alarm system of claim 8, wherein the display interface includes a second screen area for displaying a textual message which is more complete than said concise message and identifies the origin of the abnormal condition.

10. The alarm system of claim 8, wherein the first screen area contains only one tile image for a given abnormal condition of a given parameter.

11. A console for the control room of a nuclear power plant, wherein the console is constructed from a plurality of panels and each panel comprises: a substantially flat vertically oriented upper portion for mounting plant monitoring display devices and a transversely extending, substantially flat lower portion for mounting plant control interfaces; a relatively large, first display interface device located substantially centrally in the upper portion, for displaying integrated images and textual information concerning monitoring and control of the plant; a plurality of a second type of uniformly εized, relatively smaller display interface devices located on both sides of the first large interface device, at least one of the second type adapted for displaying images of alarm tiles and at least another of the second type adapted for displaying images of process variable indicators; an alarm processor including means for generating images of alarm tileε on one of the εecond type of interface deviceε and programmable alarm logic means for activating an alarm upon the occurence of a predetermined relationεhip of alarm input εignalε; an indication proceεεor including meanε for generating imageε of proceεε indicator inεtrumentation on the other of the second type of interface device and programmable indicator logic means for computing process parameter values in responεe to input signals from process senεors.

12. An integrated process statuε overview system for a nuclear power plant, the plant including, a plurality of plant components and connecting fluid lines, a plant protection εystem having a plurality of process parameter sensors each of which generates a protection syεtem raw value εignal for a given process protection parameter of the components or lines, a plant control syεtem having a plurality of process parameter senεors each of which generates a control syεtem raw value εignal for a given process control parameter of the components or lines, at leaεt some of the protection parameters also being control parameterε, wherein the integrated overview system comprises: a data processing system coupled to the plant protection system and the plant control syεtem, and including logic meanε for computing a validated protection system signal from the plurality of protection system raw signalε for each parameter that is unique to the protection system, computing a validated control system signal from the plurality of control system raw signalε for each parameter that is unique to the control system, and computing a validated common system signal from the plurality of protection system and control system raw signals for each parameter that is in both systems, and an indicator and alarm system coupled to the plant protection system and the plant control system and including logic means for computing a validated protection system signal from the plurality of protection system raw signalε for each parameter that iε unique to the protection εyεtem, computing a validated control system signal from the plurality of control system raw signals for each parameter that is unique to the control syεtem, and computing a validated common system signal from the plurality of protection system and control syεtem raw εignals for each parameter that is in both syεtems, a screen display for generating an image of the major components and connecting fluid lines in the plant for which the protection system and control system parameters are sensed; means computing a representative value of a process parameter from the validated signals for the parameter and projecting the parameter representative value adjacent the image of the repective component or line; means for projecting a first symbol adjacent at least the projected representative value indicating whether the value is greater or less than the normal range limits for the parameter; means for projecting a second symbol adjacent the first symbol indicating whether the value is increasing or decreasing in magnitude.

13. The overview εtatuε system of claim 12 including, means for projecting a plurality of alarm tile images on the screen, each alarm tile corresponding to a condition associated with a parameter of the protection or control syεtem; means responεive to at least one representative value, for visually emphasizing the tile image of an alarm when the condition associated with said alarm exceeds a threshold.

14. The overview status syεtem of claim 12 including, meanε reεponsive to the protection syεtem and the control εyεtem, for projecting εymbolε on the εcreen that are indicative of the combination of components and fluid lines that are available for performing a plurality of plant critical functions relating to plant safety and power production, including reactivity control, core heat removal, steam/feed conversion, and electric generation.

15. The overview εtatus system of claim 14, wherein the critical functions include reactor coolant system heat removal, reactor coolant system inventory control, and secondary system heat rejection.

16. A control room complex for a nuclear power plant, the plant having a multiplicity of components and sensors outside of the control room, the complex comprising: a main control room having at least one console which includes parameter indicatorε for displaying values of plant operating parameters, alarms for warning of an abormal condition in a parameter or component, controllers for operating components and indicating the status of the controlled component, a screen for generating visual images of fluidly connected components, values of associated operating parameters, and component status, and means for manually tripping the reactor; a first type of digital processor means associated with the parameter indicators, alarms, and controllers; a second type of digital processor means asεociated with the screen; a plant protection system and associated third type of digital processing means, responsive to at least some of the plant senεorε, for automatically tripping the reactor upon the occurrence of an unεafe event; a εafeguardε system for controlling at least some of the plant components upon the occurrence of an unsafe event; a component control system for controlling the plant components during normal operation; a power control system for controlling reactor power level; means for transmitting data from the protection system, the safeguards system, the component control system, and the power control system to each of the first and second digital processor meanε; meanε in each of the first and second types of digital .processing means for independently computing representative values of plant parameters; means for transmitting data between the firεt and. second types of digital processor means; meanε associated with the second type of procesor, for providing εaid εcreen with diεplay values of operating parameters that are based on the comparison of the representative values.