Safety Case Toolkit

Human Machine Interface Assessment

The expectations of the Office for Nuclear Regulation (ONR) with respect to Human Machine Interface (HMI) design, provision and assessment, are set out in the Safety Assessment Principles (SAPs). In particular SAP EHF.7 refers to User Interface.

  • EHF.7: Suitable and sufficient user interfaces should be provided at appropriate locations to provide effective monitoring and control of the facility in normal operations, faults and accident conditions.

The interfaces should include those used in out-of-normal states in addition to the normal operations overview screens, and switches and dials. The alarms system should be included in an HMI assessment and should follow Engineering Equipment and Materials Users Association (EEMUA) guidance, and in particular EEMUA 191. Several paragraphs of the SAPs should be consulted in relation to the topic of User Interface including:

Paragraph 453 which states:

Appropriate locations include central control rooms, local plant control stations, locations where maintenance and / or testing is carried out and locations identified for monitoring or control within the facility’s emergency preparedness and response arrangements (e.g. site emergency control centres (see paragraph 783)).

Paragraph 454 which states:

User interfaces, which may be analogue or digital, include controls, indications, alarms, recording instruments, overview displays, mimics, communication equipment, computer-based procedures, computerised operator support systems, intelligent decision aids and reconfigurable displays and controls. Plant equipment such as valves, emergency supply connection points and similar plant and equipment are also considered to be user interfaces.”

Paragraph 455 which states:

User interfaces should be designed to ensure compatibility with the psychological and physical characteristics of the intended users and to facilitate reliable human performance. Interfaces and equipment should be clearly labelled.”

Paragraph 456 which states:

User interfaces should:

  • provide sufficient, unambiguous information for the operator to maintain situation awareness in all operating modes and in fault and accident conditions (e.g. the behaviour and status of the automated plant control systems);
  • provide a conspicuous early warning of any changes in parameters affecting safety;
  • provide a means of signalling safety system challenges and of confirming that the safety system has initiated and achieved its safety functions;
  • support effective diagnosis of plant deviations;
  • enable the operator to determine and execute appropriate actions including those needed to overcome failures of automated safety systems or to reset a safety system after its operation; and
  • support communication between personnel located in the same or different operating locations, including locations external to the facility or site.”

When conducting an assessment of HMI there are several important system interface elements that should be addressed in addition to the ergonomic assessment of the interface and are important to the design of an intuitive system HMI. These elements are covered by the SAPs as follows:

  • EHF.1: Integration within design, assessment and management (Human Factors Integration (HFI)).
  • EHF.2: Allocation of safety actions (allocation of function).
  • EHF.5: Task analysis (Hierarchical Task Analysis (HTA) used as part of Human Error Analysis (HEA) and HTA).
  • EHF.6: Workspace design.
  • ESS.13: Confirmation to operating personnel.

In particular, ESS.13 states:

There should be direct means of confirming to operating personnel:

  • that a demand for safety system action has arisen;
  • that the safety systems have operated (actuated) fully and correctly; and
  • whether any limiting condition (operating rule) has been exceeded which takes the safety system beyond its substantiated capability (see Principle ESS.10).”

Ergonomic Assessment

The ergonomic assessment should consider the design of the interfaces and how these support the personnel to carry out their tasks. Consideration should be given to:

  • Time: Can the task be done safely in the time scheduled in the operating procedure?
  • Environment: Is the lighting luminescence suitable and the position of the lights appropriate to avoid creating glare on displays and panels? Is the air quality (temperature, humidity and free from hazardous particles) suitable for the type of work required, sedentary monitoring or active maintenance?
  • Reach: Can the elements of the HMI be reached by the personnel allocated to work in the area? Will future personnel be accommodated by the design, for example 5th percentile female to 95th percentile male?
  • Visibility: Are the HMI interfaces visible and identifiable? Are panels and plant clearly labelled where and how appropriate? Is labelling in a font size and style that is readable? Are lines of sight such that personnel are able to carry out their tasks without discomfort?
  • Accessibility: Is the HMI in a location and position that is accessible by personnel without discomfort or risk to musculoskeletal harm?
  • Physicality: Does the HMI pose any risk to human limits of physical norms of strength or flexibility? Does performing a task require specific tools or equipment?
  • Intuitiveness: Does the HMI support the personnel at the specified level of training, qualification and experience to make the correct choices?
  • Feedback: Does the HMI provide feedback to the personnel to confirm a selection was made?
  • Situation Awareness: Does the HMI provide information in a way that supports personnel situation awareness?
  • Alarms: Do the alarms provide identifiable notification to personnel at a level audible to the location?
  • Safety: Does Personal Protective Equipment (PPE) need to be worn and what effect does it have on any of the elements above?

Design of HMI for new additions to existing plants and all new plants should ensure the relevant British Standards are used. Those relating to HMI are:

  • BS EN IEC 60964: 2019 Nuclear Power Plants. Control Rooms. Design.
  • IEC 60960 Functional Design Criteria for a Safety Parameter Display System for Nuclear Power Stations.
  • BS EN 60965: 2016 Nuclear Power Plants. Control Rooms. Supplementary Control Room for Reactor Shutdown Without Access to the Main Control Room.
  • IEC 61226 Nuclear Power Plants. Instrumentation and Control Important to Safety. Classification of Instrumentation and Control Functions.
  • BS EN 61227: 2016 Nuclear Power Plants. Control Rooms. Operator Controls.
  • IEC 61771 Nuclear Power Plants. Main Control Room. Verification and Validation of Design.
  • BS EN 61772:2013 Nuclear power plants. Control rooms. Application of Visual Display Units
  • BS EN 62241:2015 Nuclear power plants. Main control room. Alarm functions and presentation.
  • BS EN ISO 9241-210: 2019 Ergonomics of Human-System Interaction.
  • BS EN ISO 11064 (ALL PARTS) Ergonomic Design of Control Centres.

Additional Information & Guidance

  • ONR, Safety Assessment Principles for Nuclear Facilities, 2014 Edition Revision 1 (January 2020).
  • EEMUA, Alarm systems - a Guide to Design, Management and Procurement (EEMUA Publication 191), 2013.