Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
IEC 61839:2000 — Nuclear Power Plants: Control Room Functional Analysis
Systematic Functional Analysis and Operator Task Assignment for Nuclear Control Rooms
Key Insight
IEC 61839:2000 establishes a systematic methodology for functional analysis of nuclear power plant control rooms, defining how functions should be identified, analyzed, and allocated between automatic systems and human operators to achieve safe and efficient plant operation.
IEC 61839:2000 establishes a systematic methodology for functional analysis of nuclear power plant control rooms, defining how functions should be identified, analyzed, and allocated between automatic systems and human operators to achieve safe and efficient plant operation.
1. Scope and Methodology Overview
IEC 61839:2000 specifies a methodology for the functional analysis of main control rooms and supplementary control rooms in nuclear power plants. The standard addresses three interrelated activities: functional analysis (identifying what functions must be performed to operate the plant safely), assignment of functions (deciding whether each function is performed by automatic systems, human operators, or a combination), and task analysis (breaking down assigned functions into specific tasks with defined information and control requirements). The methodology is intended to be applied during the design of new control rooms and can also be used for upgrades to existing control rooms. The functional analysis approach is independent of the specific technology used for the control room — it applies equally to conventional analog control rooms and modern digital HSI-based control rooms.
Relationship to Other Standards
IEC 61839 provides the functional analysis methodology that feeds into the control room design process defined in IEC 60964 (design requirements) and IEC TR 61832 (design guidance). The human factors engineering process in IEC 60964 references IEC 61839 as the source for function analysis and allocation activities.
IEC 61839 provides the functional analysis methodology that feeds into the control room design process defined in IEC 60964 (design requirements) and IEC TR 61832 (design guidance). The human factors engineering process in IEC 60964 references IEC 61839 as the source for function analysis and allocation activities.
2. Functional Analysis Process
The standard defines a structured functional analysis process consisting of several sequential stages. The process begins with plant-level functional decomposition and progressively details functions down to the level where clear allocation decisions can be made.
| Analysis Stage | Input | Output | Key Activities |
|---|---|---|---|
| 1. Plant function identification | Plant design basis, safety analysis report | Comprehensive function list | Review safety functions, production functions, support functions |
| 2. Function classification | Function list | Classified functions by safety category | Apply IEC 61226 classification criteria |
| 3. Function decomposition | High-level functions | Sub-functions to task level | Hierarchical decomposition into executable actions |
| 4. Function allocation | Decomposed functions | Allocation to operator, automation, or shared | Apply allocation criteria and trade-off analysis |
| 5. Task analysis | Allocated operator functions | Detailed task descriptions | Information needs, control actions, performance criteria |
| 6. Staffing assessment | Task analysis output | Staffing requirements per shift | Workload analysis, crew size determination |
2.1 Function Identification and Classification
The first stage involves identifying all functions necessary for safe plant operation. Functions are identified from the plant design basis, safety analysis, operating procedures, and regulatory requirements. Each function is then classified according to its safety significance using the categories defined in IEC 61226 — Category A (safety-critical, required for reactor shutdown and heat removal), Category B (safety-related, supporting safety functions), and Category C (non-safety, related to normal operation). Functions are also categorized by their temporal characteristics: continuous (e.g., monitoring), on-demand (e.g., initiating emergency cooling), periodic (e.g., testing), and event-driven (e.g., accident response). This classification guides subsequent allocation decisions, with Category A functions receiving the most rigorous analysis and verification.
2.2 Function Allocation Criteria
The allocation of functions between automatic systems and human operators is a critical design decision. The standard provides allocation criteria based on the relative strengths and limitations of humans and machines. Functions should generally be allocated to automatic systems when they require: rapid response (less than 3 seconds), high precision and repeatability, execution in hazardous environments, or management of multiple simultaneous parameters. Functions should generally be allocated to human operators when they require: pattern recognition and diagnosis, response to unanticipated situations, application of experience and judgement, or actions that require understanding of context. For shared functions, the standard defines the operator’s role as supervisor, with automatic systems performing routine control but operators having the authority to override automatic actions when necessary. The allocation process must be documented with clear rationale for each allocation decision, and the resulting allocation must be validated through integrated system testing.
Engineering Best Practice
When performing function allocation for safety-critical functions, always consider the “clumsy automation” trap — allocating too many functions to automation can leave operators with poor situation awareness and degraded skills for handling the rare cases where manual intervention is needed. A balanced allocation with operator-in-the-loop for key safety decisions is generally superior to full automation of safety functions.
When performing function allocation for safety-critical functions, always consider the “clumsy automation” trap — allocating too many functions to automation can leave operators with poor situation awareness and degraded skills for handling the rare cases where manual intervention is needed. A balanced allocation with operator-in-the-loop for key safety decisions is generally superior to full automation of safety functions.
3. Task Analysis and Staffing Determination
Following function allocation, detailed task analysis is performed for all functions assigned to human operators. Task analysis identifies the information needed, the control actions required, the decision-making steps, and the communication and coordination requirements for each task.
| Task Analysis Element | Description | Method | Outcome |
|---|---|---|---|
| Information requirements | What data the operator needs | Information needs analysis | Display and alarm specifications |
| Control requirements | What actions operator must take | Action sequence analysis | Control device and layout requirements |
| Decision requirements | What decisions operator must make | Decision-action diagramming | Procedure and training specifications |
| Communications | Coordination with other operators/teams | Communication analysis | Intercom, procedure coordination |
| Performance criteria | Time and accuracy requirements | Time-line analysis | Validation acceptance criteria |
| Error analysis | Potential operator errors and recovery | Human error analysis (HEA) | Error-tolerant design features |
3.1 Staffing Assessment Methodology
Staffing assessment determines the minimum number of control room operators required to safely operate the plant under all conditions, including design-basis accidents and single-operator-out scenarios. The assessment uses workload analysis to evaluate the total demand placed on operators during normal operations, anticipated operational occurrences, and accident conditions. Workload is assessed using standardized methods including timeline analysis (measuring task demand against available time), secondary task techniques, and subjective rating scales such as NASA-TLX. The staffing assessment must demonstrate that the proposed crew size can manage the most demanding credible scenario within the available time while maintaining sufficient situation awareness and communication. Industry practice for modern nuclear plants typically results in crew sizes of 3-5 operators per shift in the main control room, supplemented by shift technical advisors and supplementary operators.
Common Deficiency
A frequently observed weakness in functional analysis is insufficient consideration of operator cognitive workload during fault diagnosis. While physical task workload (control manipulations, navigation) is relatively easy to quantify, cognitive workload (diagnosis, decision-making under uncertainty) is harder to assess but can be the dominant workload component during accident conditions. Cognitive task analysis methods should be specifically applied to diagnosis and decision-making tasks.
A frequently observed weakness in functional analysis is insufficient consideration of operator cognitive workload during fault diagnosis. While physical task workload (control manipulations, navigation) is relatively easy to quantify, cognitive workload (diagnosis, decision-making under uncertainty) is harder to assess but can be the dominant workload component during accident conditions. Cognitive task analysis methods should be specifically applied to diagnosis and decision-making tasks.
3.2 Integration with Control Room Design
The outputs of functional analysis, function allocation, and task analysis directly inform the control room design. Information requirements drive the display system design, including alarm presentation format and prioritization. Control requirements determine the type, placement, and coding of control devices. Communication requirements define the layout of workstations to support crew coordination. The staffing assessment determines the number of operator positions and the control room layout. The standard emphasizes that functional analysis is not a one-time activity but must be iteratively refined as the control room design progresses, with increasing levels of detail at each design stage. Changes to the design that affect function allocation or task requirements must trigger reconsideration of the earlier analyses.
4. Frequently Asked Questions
Q1: How does IEC 61839 differ from IEC 60964?
IEC 60964 provides the overall design requirements for nuclear power plant control rooms, covering the complete design process from concept to validation. IEC 61839 focuses specifically on the functional analysis and allocation methodology — the front-end analysis activities that determine what the control room must achieve and how functions are divided between automation and operators. IEC 61839 provides the inputs needed to apply IEC 60964.
Q2: Can IEC 61839 be applied to control room modernization projects?
Yes. The standard explicitly addresses application to existing control room upgrades. For modernization projects, the functional analysis should start with a baseline assessment of the existing function allocation, identify deficiencies and improvement opportunities, and develop a target allocation for the modernized control room. The transition strategy between the existing and target allocations must address operator training, parallel operation, and cutover planning.
Q3: What is the role of the function allocation criteria in preventing automation surprises?
Automation surprises occur when operators lose awareness of automatic system actions and are caught off guard by unexpected automatic behavior. The allocation criteria address this by requiring that (1) operators be informed of automatic actions through clear indications, (2) automatic systems have predictable and observable behavior, (3) operators retain the ability to monitor and override automatic actions, and (4) the allocation decision documentation includes explicit consideration of operator situation awareness.
Q4: How is staffing adequacy validated?
Staffing adequacy is validated through integrated system validation using full-scope simulators. Representative crews of licensed operators perform realistic scenarios covering normal operations, anticipated transients, and design-basis accidents. Performance is measured against predefined criteria for task completion time, error rate, communication effectiveness, and situation awareness. If the crew fails to meet criteria in any scenario, either the staffing level is increased, the function allocation is revised, or the HSI design is improved to reduce workload.
