Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
IEC 61772:2009 โ Nuclear Power Plants โ Control Rooms โ Application of Visual Display Units (VDUs)
💡 Key Insight: The three-level display hierarchy (overview, system, component) is a proven approach that balances information accessibility with cognitive load management in complex control environments.
⚠️ Critical Consideration: Alarm flooding remains one of the most challenging human factors problems in digital control rooms. Proper implementation of alarm filtering and prioritization per IEC 61772 is essential for operator effectiveness during plant upsets.
✅ Engineering Takeaway: Following the human factors guidelines in IEC 61772 for character sizes, contrast ratios, and color conventions significantly improves operator performance and reduces error rates in control room operations.
🔴 Design Risk: VDU displays that lack proper navigation aids and consistent screen layouts can cause operators to lose situation awareness, potentially missing critical alarms during emergency situations.
Scope and Display System Architecture
IEC 61772:2009 (Edition 2.0) specifies requirements for the application of visual display units (VDUs) in nuclear power plant control rooms. This standard addresses the design, evaluation, and implementation of VDU-based information display systems used by control room operators for plant monitoring and control. It covers both safety-related and non-safety-related displays, providing a comprehensive framework for modern digital control room interfaces.
The standard defines a hierarchical display structure consisting of three levels: Level 1 (plant overview displays providing a high-level summary of overall plant status), Level 2 (system or process displays showing detailed information about specific plant systems), and Level 3 (component or detail displays providing access to individual component parameters and control functions). This hierarchical approach ensures that operators can quickly access information at the appropriate level of detail without becoming overwhelmed by data.
A critical requirement is that safety-critical information must be available within a maximum of two operator interactions (e.g., screen touches or keystrokes) from the overview display. This design constraint ensures that operators can rapidly access vital safety parameters during emergency conditions when cognitive load is already high.
Alarm Presentation and Operator Information Management
The standard places significant emphasis on alarm management, requiring that VDU-based alarm systems follow a structured prioritization scheme. Alarms are categorized into three levels: critical alarms requiring immediate operator action, warning alarms requiring prompt awareness but not immediate action, and informational alerts requiring operator awareness. Each category must be visually distinct through color coding, annunciation patterns, and display positioning.
Alarm flooding protection is specifically addressed. The standard requires that alarm presentation systems include filtering, suppression, and shelving capabilities to prevent operator overload during plant upsets. A minimum of 200 alarms per 10-minute period is used as the threshold for defining an alarm flood condition, and the display system must provide tools to help operators prioritize and manage alarms during such events.
Information density guidelines are provided for VDU displays. The standard recommends that individual display pages should not exceed 30-40% information density (ratio of active information elements to total available display area) to maintain readability and operator situation awareness. Navigation aids such as consistent menu structures, page identification, and backtracking capabilities are required.
Human Factors Engineering and Usability Requirements
Human factors engineering is central to the VDU application requirements. The standard specifies minimum character sizes based on viewing distance (typically 20-25 arc minutes for primary information), contrast ratios (minimum 7:1 for critical displays), color conventions (red for danger/alarm, yellow for caution, green for normal), and refresh rates (minimum 10 Hz for dynamic process parameters).
The standard requires that VDU-based control systems incorporate protection against inadvertent operator actions. This includes confirmation dialogues for safety-critical actions, two-step action sequences for plant-level commands, and automatic timeout of incomplete command sequences. These protections help prevent operator errors that could lead to plant transients.
Usability testing is mandated as part of the design process. The standard specifies that VDU displays must undergo iterative usability evaluation with representative operators performing realistic tasks. Metrics for usability include task completion time, error rate, operator workload (measured using standardized tools such as NASA-TLX), and subjective satisfaction ratings. The iterative nature of usability testing ensures that design issues are identified and corrected before the control room becomes operational, significantly reducing the risk of human error during actual plant operations.
Technical Specifications Overview
| Display Level | Content | Update Rate | Access Time |
|---|---|---|---|
| Level 1 (Overview) | Plant status summary, key safety parameters | 1-2 s | 1 click |
| Level 2 (System) | System diagrams, alarm lists, trends | 0.5-1 s | 2 clicks |
| Level 3 (Component) | Component details, control interfaces | 0.2-0.5 s | 3 clicks |
| Alarm Display | Prioritized alarm list, status | <1 s (new alarm) | Always visible |
| Safety Parameters | Critical safety functions, RPS status | 0.1-0.5 s | 1-2 clicks |
Frequently Asked Questions
How does IEC 61772 address the transition from analog to digital control rooms?
The standard provides specific guidance for hybrid control rooms that combine traditional analog instrumentation with modern VDU-based displays. It requires that VDU displays be integrated into the overall control room design in a way that maintains operator situation awareness across both presentation media. Consistency in information coding, labeling, and navigation is emphasized to prevent confusion during the transition.
What are the requirements for VDU reliability in nuclear control rooms?
The standard requires that VDU systems used for safety-related functions have redundancy at multiple levels: dual power supplies, redundant display servers, and alternative display paths. Mean time between failures (MTBF) targets should be based on the safety classification of the displayed information, with safety-critical displays typically required to achieve MTBF exceeding 50,000 hours.
Can touchscreen interfaces be used for safety-critical controls?
Yes, but with significant restrictions. Touchscreens used for safety-critical functions must meet additional requirements including tactile feedback (audible or haptic), confirmation mechanisms, and protection against accidental activation through guard bands or two-step actions. The standard references IEC 60964 for additional requirements on safety-critical operator interfaces.
