IEC TR 61902-1998 – Nuclear Power Plants: Control Room Design Principles and Practices

Standard: IEC TR 61902-1998 | Category: Nuclear Power Plants (Technical Report) | Published: 1998
💡 This technical report provides a comprehensive framework for the design of main control rooms in nuclear power plants, emphasizing human factors engineering as a fundamental safety parameter rather than an afterthought.

1. Scope and Rationale

IEC TR 61902-1998 establishes design principles for main control rooms (MCRs) in nuclear power plants, addressing layout, instrumentation, alarm systems, human-machine interfaces, and environmental conditions. The report is grounded in the recognition that the control room is the central decision-making hub during both normal operations and accident conditions, and that design-induced operator errors have been a contributing factor in major nuclear incidents including Three Mile Island (1979) and Chernobyl (1986).

The report applies to both new plant designs and upgrades to existing facilities, covering conventional analog control rooms as well as modern digital instrumentation and control (I&C) systems. It integrates principles from IEC 60964 (design of control rooms) and IEC 61772 (visual display units) while adding specific guidance on verification and validation through human factors engineering.

⚠ A key lesson from industry operating experience is that control room modernization programs — particularly the transition from analog to digital interfaces — are high-risk activities. IEC TR 61902 emphasizes that any modification must be subjected to a human factors verification process equivalent to that required for new designs, as even seemingly minor changes in display layout or alarm logic can induce operator confusion under stress conditions.

2. Control Room Layout and Workspace Design

2.1 Physical Arrangement

The standard defines a functional zoning approach for control room layout. Zone 1 (primary control area) contains the reactor operator and turbine operator consoles with direct line-of-sight to the main safety parameter display system (SPDS). Zone 2 (supervisory area) accommodates the shift supervisor position with overview displays and communication facilities. Zone 3 (support area) includes the technical support center, safety engineer station, and administrative workstations. The layout must ensure that any operator can reach any control within their zone within 3 seconds under seated conditions, and that a clear, unobstructed view of the SPDS is available from all operator positions.

2.2 Console and Display Ergonomics

Operator consoles must be designed with adjustable viewing angles, anti-glare surfaces, and consistent control-display relationships. The standard specifies that primary alarm indicators should be located within a 30-degree cone of the operator’s forward line of sight, and critical safety controls must be positioned within a 0-70 cm reach envelope from the operator’s seated position. All displays must use a consistent color coding scheme: red for alarm/urgent, yellow for caution/abnormal, green for normal/operating, blue for advisory/information, and white for neutral/background. Color-vision deficiency considerations are addressed by ensuring that no critical information is conveyed by color alone — all color-coded information must have redundant shape or text encoding.

| Design Parameter | Requirement | Rationale |
|---|---|---|
| Primary control reach envelope | 0-70 cm from seated position | 5th-95th percentile anthropometry |
| Primary alarm field of view | Within 30-degree cone | Foveal vision response time |
| Console viewing angle | 15-35 degrees below horizontal | Reduces neck fatigue |
| Display luminance ratio | Max 3:1 (task:surrounding) | Prevents visual adaptation errors |
| Ambient illumination | 200-500 lux (general) | IEC 60964 recommendation |
| Ambient noise level | Max 45 dB(A) | Speech intelligibility requirement |
| Control actuation force | 2-15 N (pushbuttons) | Prevents inadvertent operation |

3. Alarm Management and Information Processing

3.1 Alarm Philosophy

The report specifies a structured alarm management philosophy designed to prevent alarm floods — a condition that contributed to operator overload during the Three Mile Island accident. Alarms are categorized into three priority levels: Priority 1 (immediate operator action required to prevent fuel damage or personnel injury), Priority 2 (prompt action required to prevent system damage or degradation), and Priority 3 (awareness-only alarms for abnormal conditions requiring eventual attention). The standard mandates that the steady-state alarm rate in the control room shall not exceed one alarm per 10 minutes during normal operation, with a maximum alarm flood rate of 10 alarms per 10 minutes during transient conditions. A dedicated alarm suppression system must be provided to automatically inhibit nuisance alarms during plant startups and shutdowns.
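An added example (not taken from the report or from this article) that checks an alarm log against the two rate limits stated above. The log line format, the plant-mode labels, the tag names, and the reading of each limit as a count over the trailing 10-minute window are assumptions made for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
# Limits from section 3.1, in alarms per 10-minute window, keyed by plant mode.
LIMITS = {"normal": 1, "transient": 10}

# Constructed sample log; the line format (timestamp, mode, priority, tag)
# and every tag name are assumptions made for this example.
SAMPLE_LOG = (
    "2024-01-01T08:00:00 normal 3 HVAC-FAN-2\n"
    "2024-01-01T08:12:00 normal 3 SUMP-LVL-HI\n"
    "2024-01-01T08:15:00 normal 2 CCW-PUMP-B-VIB\n"
    # Eleven alarms within 50 seconds during a transient.
    + "".join(f"2024-01-01T09:00:{s:02d} transient 2 BURST-{s:02d}\n"
              for s in range(0, 55, 5))
)

def parse_log(text):
    """Parse log lines into (timestamp, mode, priority, tag), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mode, prio, tag = line.split()
        if mode not in LIMITS or int(prio) not in (1, 2, 3):
            raise ValueError(f"unexpected mode or priority: {line!r}")
        events.append((datetime.fromisoformat(ts), mode, int(prio), tag))
    return sorted(events)

def trailing_counts(events):
    """Yield (timestamp, mode, n): n alarms in the 10 minutes ending at this alarm."""
    window = deque()
    for ts, mode, _prio, _tag in events:
        window.append(ts)
        while ts - window[0] >= WINDOW:  # drop alarms 10 minutes old or older
            window.popleft()
        yield ts, mode, len(window)

def rate_violations(events):
    """Alarms whose trailing count exceeds the limit for the mode in force."""
    return [(ts, mode, n) for ts, mode, n in trailing_counts(events)
            if n > LIMITS[mode]]

def peak_rates(events):
    """Highest trailing 10-minute count observed in each plant mode."""
    peaks = {}
    for _ts, mode, n in trailing_counts(events):
        peaks[mode] = max(peaks.get(mode, 0), n)
    return peaks
```

Run over an archived alarm journal, `peak_rates` gives the figure to compare against the limits, and `rate_violations` lists the individual alarms to review during alarm rationalization.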

3.2 Computerized Operator Support Systems

The report addresses the integration of computerized operator support systems (COSS) including safety parameter display systems, emergency operating procedure (EOP) tracking systems, and computerized procedure systems. These systems must be designed with separate, independent data acquisition paths from the plant protection system to ensure that a failure of the COSS does not affect the safety I&C systems. The report recommends that computerized procedures be displayed on dedicated flat-panel displays positioned adjacent to the primary controls, with automated step tracking and compliance verification. However, the final decision to execute any procedure step must always remain with the operator — the COSS is advisory only.

✅ Engineering Insight: The alarm rate specification (one per 10 minutes steady state, maximum 10 per 10 minutes during transients) is one of the most challenging requirements to meet in practice. Achieving this requires careful alarm rationalization during plant design: each potential alarm must be justified by a documented alarm rationale, and unnecessary alarms (estimated at 40-60% of initial alarm lists in many plants) must be systematically eliminated or reclassified to lower priorities.

4. Verification and Validation Through Human Factors Engineering

IEC TR 61902 requires a comprehensive human factors engineering (HFE) program throughout the control room design lifecycle. The HFE program consists of five phases:

(1) Planning and analysis — identifying operator tasks, defining performance requirements, and establishing acceptance criteria.
(2) Design integration — incorporating HFE requirements into design specifications, reviewing vendor proposals for human factors compliance.
(3) Design verification — conducting walkthroughs, task analyses, and expert reviews of the control room design.
(4) Design validation — full-scope simulator testing with licensed operators under normal, abnormal, and accident scenarios.
(5) Implementation and operational feedback — monitoring operator performance during commissioning and early operation, with systematic collection of human performance data.

The report specifies that validation testing must demonstrate that the operating crew can safely shut down the plant and maintain it in a safe condition following a design-basis accident without exceeding acceptance criteria for operator response time or error rate.

5. Frequently Asked Questions

Q1: Is IEC TR 61902 applicable to control room upgrades in existing plants?

A: Yes, the report explicitly applies to both new designs and upgrades. For existing plants, a graded approach is recommended: the extent of HFE verification and validation should be proportional to the scope and safety significance of the modification.

Q2: How does this report relate to the post-Fukushima control room requirements?

A: Post-Fukushima requirements for additional control room instrumentation (e.g., portable equipment connections, severe accident instrumentation) complement rather than replace the principles in IEC TR 61902. Many regulators now require supplemental hardening of control room equipment against extreme external events.

Q3: What is the recommended control room staffing level?

A: The report does not prescribe staffing levels but provides the framework for task-load analysis to determine appropriate staffing. Typically, nuclear plants operate with a minimum crew of three in the main control room: a reactor operator, a turbine operator, and a shift supervisor.

Q4: How should computerized procedures be validated?

A: The report recommends validation through full-scope simulator testing with representative crews, measuring both objective performance (task completion time, error rate) and subjective workload (NASA-TLX or similar assessment). A minimum of three crews should participate in validation tests to capture operator-to-operator variability.

© 2026 TNLab. All rights reserved. This technical article references IEC TR 61902-1998.
