IEC TS 61973: Nuclear Power Plants — Control Rooms — Human Factors Engineering and Design Requirements

✅ Standard at a Glance
IEC TS 61973, published in 2012 by IEC Technical Committee 45 (Nuclear instrumentation), provides a comprehensive technical specification for the design, evaluation, and validation of main control rooms in nuclear power plants. The standard establishes human factors engineering (HFE) requirements that ensure operators can safely and effectively control the plant during normal operation, anticipated operational occurrences, and accident conditions. It applies to both new nuclear power plant designs and back-fitting of existing control rooms.

🔌 1. Functional Architecture of Nuclear Control Rooms

1.1 Design Philosophy and Safety Principles

IEC TS 61973 is built on the fundamental principle that the control room is the central interface between human operators and the nuclear power plant. The standard adopts a defence-in-depth approach to control room design, recognizing three hierarchical levels of operator intervention:

| Design Level | Objective | Operator Role | Timeframe |
|---|---|---|---|
| Level 1: Normal Operation | Efficient plant control under all normal conditions | Supervisory monitoring, setpoint optimization, load following | Steady-state: continuous; transients: minutes to hours |
| Level 2: Anticipated Operational Occurrences (AOO) | Safe recovery from expected events (turbine trip, loss of feedwater, etc.) | Procedure-based response, system reconfiguration, parameter verification | Seconds to minutes |
| Level 3: Accident Conditions | Mitigation of design-basis and beyond-design-basis accidents | Symptom-based emergency procedures, severe accident management guidelines (SAMGs) | Minutes to days |

The standard mandates that the control room design must support the operator at all three levels without requiring physical relocation or use of different workstations. This unified design approach distinguishes modern nuclear control rooms (based on IEC TS 61973) from older designs where operators had to move between the main control room, the safety panel room, and the technical support centre during emergencies.

💡 Engineering Insight
A critical concept introduced by IEC TS 61973 is the Operator Task Load Analysis (OTLA). Unlike conventional HMI design standards that focus primarily on individual display quality, IEC TS 61973 requires a systematic assessment of the total cognitive and physical workload imposed on operators during each plant operating state. The standard specifies that the operator workload during a design-basis accident must not exceed 70% of the maximum sustainable workload level, leaving reserve capacity for unexpected events. This quantitative approach to workload management is one of the most advanced features of the standard and is directly derived from aviation industry practices (NUREG-0711 methodology).

1.2 Control Room Configurations

IEC TS 61973 recognizes two primary control room configurations, each with distinct design requirements:

Conventional hard-panel control rooms: These use dedicated physical switches, indicators, recorders, and annunciator tiles for each safety function. The standard requires that critical safety parameters (CSPs) be continuously displayed on dedicated hard-wired indicators that remain functional even under complete computer system failure. The layout must follow a functional grouping approach, with related systems (e.g., reactor protection, emergency core cooling, containment isolation) grouped together spatially.

Computer-based (soft-control) control rooms: These use large-screen overview displays, operator workstations with multiple VDUs, and computerized procedure tracking systems. IEC TS 61973 imposes stringent requirements on software-based systems, including the need for diversity and redundancy in the HMI hardware, graceful degradation of display functions, and independent hard-wired backup for safety-critical functions. The standard specifically mandates that no single computer failure can result in the loss of ability to monitor or control more than one safety group.
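The single-failure rule in the paragraph above can be checked mechanically against an HMI allocation table. The following is an added example, not text or code from IEC TS 61973; the workstation names, safety group labels and the `HOSTING` layout are constructed assumptions.

```python
# Constructed allocation: which HMI computers can provide each function
# (monitor / control) for each safety group. All names are hypothetical.
HOSTING = {
    "A": {"monitor": {"ws1", "ws2"}, "control": {"ws1"}},
    "B": {"monitor": {"ws1"}, "control": {"ws2", "ws3"}},
    "C": {"monitor": {"ws3", "ws4"}, "control": {"ws3", "ws4"}},
}

def groups_lost_by_failure(hosting):
    """Map each computer to the safety groups that lose monitoring or
    control when that computer alone fails."""
    computers = set().union(
        *(hosts for funcs in hosting.values() for hosts in funcs.values())
    )
    lost = {}
    for computer in sorted(computers):
        # A function is lost only if the failed computer was its sole host.
        lost[computer] = sorted(
            group for group, funcs in hosting.items()
            if any(hosts == {computer} for hosts in funcs.values())
        )
    return lost

def single_failure_violations(hosting):
    """Computers whose failure alone affects more than one safety group."""
    return {c: g for c, g in groups_lost_by_failure(hosting).items() if len(g) > 1}

def with_redundant_b_monitor(hosting):
    """Corrected allocation: give group B a second monitoring host."""
    fixed = {g: {f: set(h) for f, h in funcs.items()} for g, funcs in hosting.items()}
    fixed["B"]["monitor"].add("ws2")
    return fixed
```

In the constructed allocation, `ws1` is the sole control host for group A and the sole monitoring host for group B, so its failure affects two groups; adding a second monitoring host for B clears the violation.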

⚠️ Design Warning
A frequently underestimated requirement in IEC TS 61973 concerns alarm management. During accident conditions, a single initiating event can generate hundreds of alarms within seconds. The standard mandates a hierarchical alarm processing system that classifies alarms into three priority levels (urgent, prompt, general) and suppresses nuisance alarms through state-based filtering. Designers must demonstrate through validation testing that the alarm system does not generate more than 10 urgent alarms within any 10-second period following any design-basis initiating event. Exceeding this threshold requires redesign of the alarm logic or additional alarm suppression algorithms.
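The burst limit described above (no more than 10 urgent alarms in any 10-second period) can be evaluated over an alarm log recorded during a validation run. This is an added example, not code from the standard; the log format, alarm tags, plant-state names and suppression table are constructed assumptions, and the window is treated as half-open.

```python
from collections import deque

MAX_URGENT = 10    # limit stated in the text
WINDOW_S = 10.0    # window length stated in the text

# Hypothetical state-based filter: alarms that are expected consequences
# of a plant state are suppressed while that state is active.
SUPPRESS_IN_STATE = {"REACTOR_TRIPPED": {"TURBINE_LOW_LOAD", "GEN_BREAKER_OPEN"}}

def constructed_log():
    """Constructed sample: (seconds after event, tag, priority, plant state)."""
    log = [(0.0, "RX_TRIP", "urgent", "POWER_OPERATION")]
    log += [(0.5 * i, f"URGENT_{i:02d}", "urgent", "REACTOR_TRIPPED")
            for i in range(1, 10)]
    log += [(5.0, "TURBINE_LOW_LOAD", "urgent", "REACTOR_TRIPPED"),
            (5.5, "GEN_BREAKER_OPEN", "urgent", "REACTOR_TRIPPED"),
            (3.0, "SG_LEVEL_DEV", "prompt", "REACTOR_TRIPPED"),
            (12.0, "URGENT_LATE", "urgent", "REACTOR_TRIPPED")]
    return log

def filter_alarms(events):
    """Drop alarms listed as nuisance for the plant state they occurred in."""
    return [e for e in events if e[1] not in SUPPRESS_IN_STATE.get(e[3], set())]

def worst_urgent_burst(events, window_s=WINDOW_S):
    """Return (max urgent count, start time) over all windows [t, t + window_s)."""
    times = sorted(t for t, _, prio, _ in events if prio == "urgent")
    window, worst = deque(), (0, None)
    for t in times:
        window.append(t)
        while t - window[0] >= window_s:   # slide the window forward
            window.popleft()
        if len(window) > worst[0]:
            worst = (len(window), window[0])
    return worst

def passes(events):
    """True if the filtered alarm stream stays within the burst limit."""
    return worst_urgent_burst(filter_alarms(events))[0] <= MAX_URGENT
```

On the constructed log the raw stream peaks at 12 urgent alarms in one window, while the state-filtered stream peaks at exactly 10, which meets the limit.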

💡 2. Human Factors Engineering Requirements

2.1 Ergonomics and Anthropometrics

IEC TS 61973 specifies detailed ergonomic requirements based on international anthropometric data (ISO 7250, IEC 60960) covering the 5th to 95th percentile operator population:

| Parameter | Requirement | Standard Reference |
|---|---|---|
| Console viewing distance | 400-800 mm (primary displays); up to 1000 mm (secondary) | ISO 9241-5 |
| Display screen angle | 15-40° below horizontal line of sight | IEC 60960 |
| Seat height adjustability | 380-500 mm range, with independent backrest adjustment | ISO 9241-5 |
| Control reach envelope | All critical controls within 650 mm of the operator’s shoulder pivot | IEC TS 61973 Clause 9.2 |
| Leg clearance under console | Minimum 450 mm height, 600 mm width, 600 mm depth | ISO 9241-5 |
| Ambient lighting (normal) | 200-500 lux at console surface, adjustable by zone | IEC TS 61973 Clause 8.3 |
| Ambient noise level | Maximum 45 dB(A) continuous, 55 dB(A) peak | ISO 11690-1 |

💡 Engineering Insight
One of the most challenging ergonomic requirements in IEC TS 61973 is the reach envelope for controls. In a modern soft-control room with touch-screen interfaces, the standard still requires that safety-critical actions can be performed without menu navigation exceeding two levels. This means that the safety display hierarchy must be designed so that all CSPs and their associated controls are accessible within two touches from the default overview screen. For a typical PWR plant with over 200 safety-related parameters, this requires exceptionally well-designed display navigation logic and often necessitates dedicated hard-wired quick-access buttons for the most critical functions (reactor trip, containment isolation, emergency boron injection).
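The two-touch rule above amounts to a shortest-path check over the display navigation graph. This is an added example, not code from the standard; the screen names, CSP names and navigation links are constructed, and it assumes a touch is one navigation step to a screen showing the CSP and that a hard-wired quick-access button satisfies the rule.

```python
from collections import deque

MAX_TOUCHES = 2  # from the text: within two touches of the default overview

# Constructed navigation graph: screen -> screens reachable with one touch.
NAV = {
    "OVERVIEW": ["RCS", "CONTAINMENT", "SECONDARY"],
    "RCS": ["PRESSURIZER", "CORE_COOLING"],
    "CONTAINMENT": ["ISOLATION_VALVES"],
    "SECONDARY": ["FEEDWATER"],
    "FEEDWATER": ["AUX_FEEDWATER"],
    "PRESSURIZER": ["OVERVIEW"],
}

# Constructed mapping: CSP -> screens on which it (and its control) appears.
CSP_SCREENS = {
    "reactor_power": ["OVERVIEW"],
    "pressurizer_level": ["PRESSURIZER"],
    "containment_isolation": ["ISOLATION_VALVES"],
    "aux_feedwater_flow": ["AUX_FEEDWATER"],
    "boron_injection": ["CVCS_BORATION"],   # screen not linked from anywhere
}

def touch_depths(nav, start="OVERVIEW"):
    """Breadth-first search: minimum number of touches to reach each screen."""
    depth, queue = {start: 0}, deque([start])
    while queue:
        screen = queue.popleft()
        for nxt in nav.get(screen, ()):
            if nxt not in depth:
                depth[nxt] = depth[screen] + 1
                queue.append(nxt)
    return depth

def csp_violations(nav, csp_screens, hardwired=frozenset()):
    """Return {csp: depth} for CSPs deeper than MAX_TOUCHES; depth is None
    when no hosting screen is reachable. CSPs with a hard-wired button are
    treated as compliant (assumption)."""
    depth = touch_depths(nav)
    bad = {}
    for csp, screens in csp_screens.items():
        if csp in hardwired:
            continue
        best = min((depth[s] for s in screens if s in depth), default=None)
        if best is None or best > MAX_TOUCHES:
            bad[csp] = best
    return bad
```

The check flags both a CSP buried three touches deep and one whose screen is orphaned from the navigation tree, two distinct defects that a visual review of individual displays would not reveal.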

2.2 Information Display and Coding

The standard establishes strict rules for information presentation to minimize operator error:

Colour coding: Red is reserved exclusively for alarm conditions requiring immediate operator action. Yellow/amber indicates caution or abnormal conditions not requiring immediate action. Green indicates normal operation. The standard prohibits the use of red for any non-safety information (e.g., system labels, decorative elements) to avoid confusion.

Digital vs. analogue presentation: IEC TS 61973 requires that rate-of-change information (e.g., reactor power ramp rate, pressurizer level trend) be displayed in analogue format (trend graphs, bar charts) rather than digital readouts, because human operators identify developing trends significantly faster from graphical representations. Digital readouts are preferred for precise setpoint verification.

Safety parameter display system (SPDS): The standard mandates a dedicated SPDS that continuously monitors and displays the critical safety functions: reactivity control, reactor coolant inventory, core heat removal, containment integrity, and radioactivity control. The SPDS must be independent of the normal plant computer system and powered from the emergency power supply.

💻 3. Verification, Validation, and Operational Experience

3.1 V&V Process Requirements

IEC TS 61973 mandates a comprehensive verification and validation (V&V) program for control room design, following a structured lifecycle approach:

| V&V Phase | Method | Participants | Acceptance Criteria |
|---|---|---|---|
| 1. Conceptual Design Validation | Task analysis, function allocation, preliminary HFE review | Human factors specialists, senior reactor operators | All safety functions allocated to at least one control mechanism |
| 2. Detailed Design Verification | Heuristic evaluation, expert review, walkthrough, control room mockup assessment | HFE team, control room designers, training instructors | ≥90% of heuristic criteria satisfied |
| 3. Integrated System Validation | Full-scope simulator testing with representative scenarios | Licensed reactor operators (minimum 3 crews) | All safety functions performed correctly; operator workload ≤70% |
| 4. Operational Feedback Validation | Post-commissioning data collection, incident analysis, operator surveys | Operating crew, shift technical advisors, maintenance staff | <2 operator errors per 1000 operating hours attributable to HMI design |

The integrated system validation phase is considered the most critical. It must be conducted on a full-scope replica simulator with at least three complete operating crews, using a minimum of 12 validated scenarios that include normal startup/shutdown, AOOs, design-basis accidents, and beyond-design-basis events.

✅ V&V Best Practice
Experience from European Utility Requirements (EUR) and US EPR projects has shown that the most effective validation exercises use a combination of benchmark scenarios (standard events for cross-crew comparison) and anomaly scenarios (unexpected events that test adaptive problem-solving). The benchmark scenarios establish baseline performance metrics, while anomaly scenarios reveal design weaknesses that structured walkthroughs might miss. Modern control room designs for the EPR, AP1000, and VVER-1200 have all incorporated extensive simulator-based validation programs consistent with IEC TS 61973, often involving 18-24 months of iterative testing and redesign.

3.2 Transition from Conventional to Digital Control Rooms

IEC TS 61973 provides particular guidance for plants undergoing modernization from conventional analogue instrumentation to digital control systems. The standard emphasizes that digital upgrades must not simply replicate analogue HMI designs on computer screens — this “digitized analogue” approach is considered a design failure because it does not leverage the capabilities of digital systems (trending, alarm filtering, procedure integration) and often introduces new failure modes (software crashes, display lag, navigation complexity).

The recommended approach is to conduct a full HFE task analysis of the existing control room, identify the most significant sources of operator error and workload, and redesign the affected interfaces using a human-centred design process. IEC TS 61973 recommends a phased implementation where at least one complete safety channel is upgraded and validated before proceeding with the remaining channels.

❓ Frequently Asked Questions

❔ How does IEC TS 61973 relate to the IAEA safety standards for control rooms?

IEC TS 61973 is complementary to the IAEA safety standards (particularly IAEA SSR-2/1 and IAEA NS-G-1.3). While the IAEA standards establish the high-level safety objectives and functional requirements for control rooms, IEC TS 61973 provides the detailed engineering design requirements and HFE methodology to achieve those objectives. The technical specification also references and harmonizes with other IEC nuclear standards (IEC 60960, IEC 61772, IEC 62241) to form a complete control room design framework.

❔ What is the role of large-screen overview displays in IEC TS 61973?

The standard mandates a large-screen overview display (typically 2-4 m wide) that provides all operating crew members with a continuous, at-a-glance indication of overall plant status. The overview display must show at minimum: reactor power, coolant temperatures and pressures, containment conditions, and the key safety system statuses. It is not merely a convenience feature but a required element for crew situational awareness, particularly during accident conditions where individual operators may be focused on detailed procedures at their workstations. The overview display enables the shift supervisor to maintain overall plant awareness and coordinate crew actions effectively.

❔ Can IEC TS 61973 be applied to small modular reactors (SMRs)?

Yes, with adaptation. The HFE principles and V&V methodology of IEC TS 61973 are generally applicable to SMR control rooms. However, SMR designs often feature multiple-unit control rooms where a single operating crew monitors and controls several reactor modules simultaneously. This multi-unit concept imposes additional HFE requirements not fully addressed by the current edition of IEC TS 61973, particularly regarding operator attention allocation, alarm prioritization across units, and workload management. The standard is currently under review for potential updates addressing SMR-specific control room configurations.

❔ How does the standard address the use of computerized procedure systems?

IEC TS 61973 supports the use of computerized procedure systems (CPS) but requires that paper-based procedures remain available as a diverse backup. The CPS must display the current procedure step, track completion status, provide navigation between procedures, and automatically display relevant plant parameters. The standard cautions against excessive automation of procedure execution — the operator must remain active in the decision-making loop. Validation testing must demonstrate that CPS usage does not increase the time to perform critical safety actions compared with paper-based procedures.

© 2026 TNLab. All rights reserved. This technical article is for educational and reference purposes related to IEC standards.
