IEC TR 61911:2003 - Nuclear Power Plants - Control Rooms

Engineering principles for main control room design, human-system interface, and operator performance in nuclear facilities

📌 Scope: IEC TR 61911:2003 is an IEC technical report (informative guidance rather than a normative standard) on the design, evaluation, and validation of control rooms for nuclear power plants. It addresses human factors engineering (HFE), human-system interface (HSI) design, alarm management, information display, and the systematic verification and validation (V&V) activities whose results support the plant's licensing basis.

1. Human Factors Engineering and Control Room Architecture

IEC TR 61911 establishes a human-factors-centred approach to control room design, recognizing that operator performance is the ultimate determinant of plant safety during abnormal and emergency conditions. The standard defines a lifecycle HFE process that begins with concept design and continues through detailed design, implementation, and operational feedback.

The control room architecture is structured around several key functional areas: the main control room (MCR) for normal and emergency operations, the remote shutdown station (RSS) as a diverse backup, the technical support centre (TSC) for emergency management coordination, and local control stations (LCS) for specific equipment operation. Each area has defined communication pathways, information priorities, and staffing requirements.

| Control Room Area | Primary Function | Minimum Staffing | Design Basis Event |
|---|---|---|---|
| Main Control Room (MCR) | Normal operation, accident management | 2-3 operators + shift supervisor | Design basis accidents (DBA) |
| Remote Shutdown Station (RSS) | Diverse backup to MCR | 1-2 operators | MCR evacuation scenarios |
| Technical Support Centre (TSC) | Emergency response coordination | 3-5 technical staff | Beyond design basis accidents |
| Local Control Stations (LCS) | Local equipment operation | 1 per station | Equipment-level faults |

⚠️ Engineering Consideration: The allocation of functions between human operators and automated systems must follow a systematic decision process. Functions that require pattern recognition, flexible response to unanticipated events, and value-based judgment should remain with human operators. Functions requiring rapid, precise, and consistent responses, such as reactor trip initiation or safety injection actuation, are typically automated with a manual backup available.

2. Human-System Interface and Alarm Management

The HSI design requirements in IEC TR 61911 emphasize situation awareness, workload management, and error tolerance. The standard specifies that information presentation should follow a hierarchy of importance: safety-critical parameters (e.g., reactor coolant system pressure, core power level) must be continuously displayed on dedicated indicators, while non-safety information can be presented on demand via computerized display systems.

Alarm management is treated as a critical HFE element. The standard requires a structured alarm philosophy that includes alarm prioritization (at least three levels: emergency, warning, and advisory), time-limited shelving of alarms expected during known transients, and alarm flood prevention during major plant upsets. The acceptance criteria are performance-based rather than fixed counts: the system must present only what the crew can process. Typical design targets are a low background rate (on the order of 10 new alarms per minute or fewer during steady-state operation) and effective suppression of lower-priority alarms during design basis events, so that safety-critical alarms are never buried by advisory indications.

| Alarm Priority | Color Code | Operator Response Time | Examples |
|---|---|---|---|
| Emergency | Red (flashing) | Immediate (< 1 minute) | Reactor trip, LOCA, SGTR |
| Warning | Yellow (steady) | Prompt (1 - 10 minutes) | High pressurizer level, turbine vibration |
| Advisory | White (steady) | As available (> 10 minutes) | Maintenance reminders, mode changes |

Engineering Insight: Modern control rooms for Generation III+ reactors (e.g., AP1000, HPR1000) have moved to fully digital HSI platforms with large-screen overview displays. IEC TR 61911 provides the foundational HFE requirements for these designs. Its emphasis on diverse indication, at least two independent means of determining each critical safety parameter, ensures that no single indicator failure or spurious reading can leave the crew without a trustworthy value for that parameter.

3. Verification, Validation, and Licensing Support

IEC TR 61911 defines a comprehensive V&V program for control room designs. Verification confirms that the design meets specified requirements, while validation confirms that the design supports safe and effective operation under realistic conditions. The standard requires integrated system validation using full-scope simulators with certified plant models, performed by licensed operators under the supervision of human factors specialists.

The V&V process encompasses HFE task analysis, HSI design review, dynamic simulation testing, and formal operator-in-the-loop evaluations. Performance measures collected during validation include: time to complete critical tasks, error rates, operator workload (measured using NASA-TLX or similar instruments), and situation awareness (measured using SAGAT or SART methodologies). The standard mandates that validation results be documented as part of the licensing basis for the plant.

🔥 Critical Design Challenge: One of the most demanding validation scenarios specified in the standard is the “post-trip return to power” event — where operators must stabilize the reactor after an automatic scram and then safely return to power operation. This scenario tests HSI usability under high-stress conditions, alarm system effectiveness during transient suppression, and operator training adequacy. Validation criteria typically require the crew to stabilize the plant within 30 minutes with no safety limit violations.
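As an added example (not part of the standard or any licensee's validation package), the following scores one simulator run against the post-trip criteria and measures described above: time to stabilize against the 30-minute limit, absence of safety-limit violations, and a weighted NASA-TLX workload score. The parameter trace, the safety limits, the stability band, the five-minute hold used to declare the plant "stable", and the TLX ratings are all constructed assumptions; only the NASA-TLX formula (six 0-100 subscale ratings weighted by the tally of 15 pairwise comparisons, divided by 15) is the published method.

```python
"""Added example: scoring a post-trip integrated system validation run.
All traces, limits and ratings are constructed; not from the standard."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Param:
    name: str
    low: float        # lower safety limit (assumed)
    high: float       # upper safety limit (assumed)
    band: float       # +/- band around setpoint that counts as "stable" (assumed)
    setpoint: float


def violations(trace, params):
    """Return (minute, name, value) for every sample outside a safety limit."""
    return [(m, p.name, s[p.name]) for m, s in enumerate(trace) for p in params
            if s[p.name] < p.low or s[p.name] > p.high]


def time_to_stabilize(trace, params, hold_min=5):
    """First minute from which every parameter stays within its band for
    `hold_min` consecutive minutes; None if the plant never settles."""
    run = 0
    for minute, sample in enumerate(trace):
        ok = all(abs(sample[p.name] - p.setpoint) <= p.band for p in params)
        run = run + 1 if ok else 0
        if run >= hold_min:
            return minute - hold_min + 1
    return None


def nasa_tlx(ratings, weights):
    """Weighted NASA-TLX: subscale ratings (0-100) weighted by the number of
    pairwise comparisons each subscale won (weights sum to 15)."""
    if set(ratings) != set(weights) or sum(weights.values()) != 15:
        raise ValueError("ratings/weights must cover the same six subscales; weights sum to 15")
    return sum(ratings[k] * weights[k] for k in ratings) / 15


def evaluate_run(trace, params, ratings, weights, limit_min=30):
    """Apply the pass/fail criterion: stabilized within limit_min, no violations."""
    t_stab = time_to_stabilize(trace, params)
    viol = violations(trace, params)
    return {
        "time_to_stabilize_min": t_stab,
        "violations": viol,
        "workload": nasa_tlx(ratings, weights),
        "passed": t_stab is not None and t_stab <= limit_min and not viol,
    }


# Constructed parameters: pressurizer pressure and level after a trip.
PARAMS = (
    Param("rcs_pressure_bar", low=120.0, high=175.0, band=3.0, setpoint=155.0),
    Param("pzr_level_pct", low=15.0, high=90.0, band=5.0, setpoint=40.0),
)


def make_trace():
    """One constructed sample per minute for 40 minutes: a pressure spike that
    decays by minute 18 and a level dip that recovers by minute 20."""
    trace = []
    for m in range(40):
        pressure = 155.0 + (18.0 if m < 3 else 12.0 * (18 - m) / 18 if m < 18 else 0.0)
        level = 30.0 if m < 10 else (40.0 - (20 - m) if m < 20 else 40.0)
        trace.append({"rcs_pressure_bar": pressure, "pzr_level_pct": level})
    return trace


# Constructed post-scenario TLX responses for one crew member.
RATINGS = {"mental": 80, "physical": 20, "temporal": 70,
           "performance": 40, "effort": 65, "frustration": 35}
WEIGHTS = {"mental": 5, "physical": 0, "temporal": 4,
           "performance": 2, "effort": 3, "frustration": 1}


def demo():
    return evaluate_run(make_trace(), PARAMS, RATINGS, WEIGHTS)


if __name__ == "__main__":
    print(demo())
```

The same evaluator turns a single out-of-limit sample into a failed run regardless of how quickly the crew stabilized afterwards, which is the intended asymmetry: a safety-limit violation is disqualifying, a slow but clean recovery is merely a finding.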

4. Frequently Asked Questions

Q1: How does IEC TR 61911 relate to the NUREG-0711 standard?

A: IEC TR 61911 and NUREG-0711 (Human Factors Engineering Program Review Model) share similar HFE lifecycles but serve different regulatory contexts. IEC TR 61911 is an IEC technical report, informative guidance used primarily outside the US, while NUREG-0711 is the US Nuclear Regulatory Commission's review model, the document NRC staff use to assess an applicant's HFE program. Both adopt a structured HFE process including planning, analysis, design, and V&V phases, though the level of detail and the acceptance criteria differ with the regulatory requirements each supports.

Q2: What is the minimum number of alarms permitted during a design basis accident?

A: IEC TR 61911 does not specify a fixed minimum or maximum number, but establishes performance-based criteria. During a design basis accident, the alarm system should not present more than the operator team can effectively process — typically no more than 100 actively displayed alarms at peak, with the rate of new alarms not exceeding 20 per minute. Alarm suppression and prioritization must prevent operators from missing critical safety alarms amongst non-essential indications.

Q3: Does the standard cover computerized procedures (COP)?

A: Yes, the standard provides guidance for computer-based procedure systems that display emergency operating procedures (EOPs) and abnormal operating procedures (AOPs) on HSI screens. Computerized procedures must include: step tracking and completion verification, automatic parameter comparison against procedure setpoints, and a clear indication of the active procedure step. The V&V process must specifically evaluate COP usability under simulated accident conditions.
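The following is an added example (not code from the standard or from any vendor's COP product) of the three features listed in the answer: step tracking with completion verification, automatic comparison of live plant parameters against each step's setpoint, and an explicit active-step indicator. Steps that have no automatic check require operator attestation, and a step whose condition is not met exposes its contingency action instead of advancing. The procedure excerpt, tag names, setpoints and plant snapshots are constructed for the demonstration.

```python
"""Added example: minimal computer-based procedure engine.
Steps, tags and setpoints are constructed; not from the standard."""
import operator
from dataclasses import dataclass, field
from typing import Optional

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}


@dataclass(frozen=True)
class Step:
    number: str
    action: str
    tag: Optional[str] = None        # parameter checked automatically; None = operator attests
    op: Optional[str] = None
    setpoint: Optional[float] = None
    rno: str = ""                    # contingency ("response not obtained") action


@dataclass
class Procedure:
    name: str
    steps: tuple
    idx: int = 0
    log: list = field(default_factory=list)   # (step number, completed?, detail)

    @property
    def active(self):
        return self.steps[self.idx] if self.idx < len(self.steps) else None

    def check(self, plant):
        """Compare the active step's parameter with its setpoint.
        Returns (None, ...) for steps with no automatic check."""
        s = self.active
        if s is None:
            return None, "procedure complete"
        if s.tag is None:
            return None, "operator verification required"
        v = plant[s.tag]
        ok = OPS[s.op](v, s.setpoint)
        return ok, f"{s.tag}={v} {s.op} {s.setpoint}: {'MET' if ok else 'NOT MET; ' + s.rno}"

    def complete(self, plant, operator_confirmed=False):
        """Mark the active step complete only if its condition is met (or the
        operator attests for unchecked steps); otherwise stay on the step."""
        s = self.active
        if s is None:
            raise RuntimeError("procedure already complete")
        ok, detail = self.check(plant)
        if ok is None:
            ok = operator_confirmed
        self.log.append((s.number, ok, detail))
        if ok:
            self.idx += 1
        return ok

    def status_lines(self):
        """Display rows: [x] done, [>] active, [ ] pending."""
        marks = ["[x]" if i < self.idx else "[>]" if i == self.idx else "[ ]"
                 for i in range(len(self.steps))]
        return [f"{m} {s.number} {s.action}" for m, s in zip(marks, self.steps)]


# Constructed post-trip immediate-action excerpt (not a real plant procedure).
STEPS = (
    Step("1", "Verify reactor trip", "rods_inserted_pct", ">=", 100.0, rno="Manually trip reactor"),
    Step("2", "Verify turbine trip", "turbine_stop_valves_open", "<=", 0, rno="Manually trip turbine"),
    Step("3", "Verify RCS pressure above SI setpoint", "rcs_pressure_bar", ">", 125.0,
         rno="Verify safety injection actuated"),
    Step("4", "Announce reactor trip on plant page system"),
)


def run_demo():
    """Two constructed plant snapshots: pressure initially below the setpoint,
    then recovered; the final step needs operator attestation."""
    proc = Procedure("Post-trip immediate actions (constructed)", STEPS)
    snap1 = {"rods_inserted_pct": 100.0, "turbine_stop_valves_open": 0, "rcs_pressure_bar": 118.0}
    results = [proc.complete(snap1), proc.complete(snap1), proc.complete(snap1)]
    snap2 = dict(snap1, rcs_pressure_bar=140.0)
    results += [proc.complete(snap2), proc.complete(snap2),
                proc.complete(snap2, operator_confirmed=True)]
    return proc, results


if __name__ == "__main__":
    proc, results = run_demo()
    print(results)
    print("\n".join(proc.status_lines()))
```

The log records every attempted completion, including the refused one, which is what a V&V team needs when replaying a simulator run to check whether the crew acted on the contingency or simply retried the step.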

Q4: How should the remote shutdown station (RSS) be designed differently from the MCR?

A: The RSS is a diverse backup designed to bring the plant to, and maintain it in, a safe shutdown state if the MCR becomes inaccessible. IEC TR 61911 requires the RSS to be functionally independent of the MCR (separate power supplies, cabling routes, and HSI equipment), so that the fire or other event that forces evacuation of the MCR cannot also disable the RSS. While the RSS need not replicate all MCR functions, it must include every safety-related control and indication needed to reach and hold hot shutdown and cold shutdown. The RSS typically uses simplified, hardwired controls rather than the full digital HSI suite of the MCR.
