10/11/2009
Control room design
This Technical Measures Document refers to codes, standards and best practice applicable to the design of control rooms. Related Technical Measures Documents are:
Control systems [1]
Alarms / Trips / Interlocks [2]
Emergency response / spill control [3]
Plant layout [4]
The relevant Level 2 Criteria are:
5.2.1.7(41) [5]
5.2.1.8 [6]
5.2.1.12(68) [7]
General principles
There are two major aspects of control room design that should be taken into account in the Safety Report. These are:
the suitability of the structure of the control room to withstand possible major hazard events; and
the layout of control rooms and the arrangement of panels, VDUs etc to ensure effective ergonomic operation of the plant in normal circumstances and in an emergency.
Control room structure
For large plants, control rooms are likely to be situated in separate buildings away from the process plant which they serve. For medium or small plants control rooms may be within the plant building or control panels may be located local to the plant. Whatever the location, control rooms should be designed to ensure that the risks to the occupants of the control room are within acceptable limits and that it is suitable for the purposes of maintaining plant control, should the emergency response plan require it, following any foreseeable, undesirable event within the plant. Events that may affect the control room are:
Vapour Cloud Explosions (VCEs)
Boiling Liquid Expanding Vapour Explosions (BLEVEs)
Pressure bursts
Exothermic reactions
Toxic gas releases
Fires, including pool fires, jet fires, flash fires and fire balls.
The threat from explosions and pressure bursts should be considered in the structural design of the control building. A methodology for this is presented in the recent CIA/CISHEC guidance, CIA Guidance for the location and design of occupied building on chemical manufacturing sites. This considers the vulnerability of the building to possible overpressures associated with particular events. Buildings should be designed to withstand an overpressure that will ensure that risks to individuals within the building are below acceptable limits. Particular attention should be given to the provision of windows, the presence of heavy equipment on roofs (e.g. air conditioners) and the ability of internal fixtures to withstand the building shaking. If windows are present, consideration should be given to the use of laminated or polycarbonate glass, to prevent serious injury to occupiers of the control room in the event of an overpressure. ALARP principles should be applied in these considerations and cost-benefit analysis used to determine if additional measures should be applied.
In consideration of toxic gas releases the control room should provide a safe haven for its occupants. This will include arranging that the building is adequately sealed to prevent ingress of gases to levels of concentration that will affect the health and thereby the ability of the operators to maintain control of the plant. Careful consideration of the building ventilation system is required to ensure that air intakes are situated away from areas that may be affected or to arrange that there is no air intake during an incident, preferably by closure of an automatic valve linked to a gas analyser.
Measures for protection from fires should ensure the control room will withstand thermal radiation effects without collapse and that smoke ingress is controlled. Materials of construction should be fire resistant for the duration of any possible fire event. Smoke ingress may be controlled in a similar manner to toxic gas ingress.
Each of these methodologies should be applied to control rooms within buildings as well as separate control buildings. Control panels on the plant itself cannot be so easily protected, therefore diversity and redundancy should be applied to ensure that plant control can be maintained in an emergency. Risk Assessments should be undertaken to demonstrate that primary and secondary (domino) risks are within acceptable limits.
Human factors/ergonomics
Operators should be able to demonstrate that appropriate human factors considerations have been given to the design, commissioning, and operation of control rooms under both normal and abnormal plant operating conditions to reduce the frequency of human error due to control room deficiencies. It is vitally important that a control room and its operators are considered as a whole system and not in isolation from each other. For example, a well designed control room for use by 4 operators is dangerous when staffed by 3 operators. Similarly, the best-trained operators cannot guarantee high reliability in a poorly designed control room. Factors to be taken into account are included in the following paragraphs.
hse.gov.uk/…/techmeascontrol.htm
Environmental issues
Layout
Control room dimensions should take into account the 5th and 95th percentile user. The design of the control room should be derived from an appropriate task analysis method, such as link analysis or hierarchical task analysis. Emergency exits should accommodate egress by the 99th percentile user. Access and egress should be considered for disabled operators. Adequate access should be provided throughout the control room. However, the layout should discourage flow from general circulation areas to ensure that necessary lines of sight are not obscured. If there are a number of control rooms operating on the same system they should adopt similar layouts to ensure consistency. Operational links between control room operators, such as communications and lines of sight, should be considered during the design stage. The layout should not hinder verbal and non-verbal communication and should facilitate team working. The layout of the control room should reflect the allocation of responsibility and the requirements for supervision. The layout should be effective under high and low staffing levels. Circulation of all personnel should be achieved with the minimum of disruption to operators. Where supervisory positions will increase the amount of personnel circulation, it is recommended that these positions are located close to main entrances. Distances between workstations should mean that operators are not sitting within each other’s ‘intimate zones’. As a guide the minimum spacing distance should be between 300 - 700 mm.
Maintenance
Adequate access should be provided so that inadvertent operation of equipment during maintenance is not possible. Behind panel equipment should be appropriately coded to reduce the potential for human error.
Thermal environment
Temperature and airflow should be adjustable. As a guide, ‘comfortable’ temperature for office work should be between 18.3°C and 20.0°C with airflow between 0.11 and 0.15 m/s.
Visual environment
Lighting should be such that it does not create veiling reflections on VDUs or other reflective surfaces that require monitoring. The type of lighting should be adequate for the task, i.e. for office work a lux figure of between 500 - 800 is suggested (lux is the unit of illuminance, measured using a light meter at the work surface). There should be no perceptible flicker from strip lighting. It is desirable to provide adjustable lighting for control rooms that are manned 24 hours a day. During night-time operation lighting is often dimmed. Windows in control rooms should not cause veiling reflections on reflective surfaces. Adequate means of blocking out direct sunlight should be provided.
Auditory environment
The average noise level within the control room shall not exceed 85 dB(A) during the length of the working day. For office work a noise level below 40 dB(A) is not desirable as it can cause interference between operators. Prolonged, very low or very high frequency noises should be avoided. Noise levels should not interfere with communications, warning signals or mental performance (i.e. be distracting).
Man Machine Interface (MMI)
For mental workload, conditions of over and under-arousal should be avoided. The duration of tasks that have an associated low or high level of mental workload should be limited. Both these extremes will increase the likelihood of human error affecting the system. The design of the MMI should be based on a full Task Analysis. An interface should provide the operator with the following general information:
After initiating an action within a system the operator should be clearly informed of the result of their action.
If there is a delay in the system that prevents the operator from being informed of the result of his/her action, the system should inform the operator of this fact.
If an action is made in error then it should be possible to reverse such an action where it would not be detrimental to plant safety to do so.
The system should inform the operator of any deviations from safe operating levels.
Alarms
All employees and contractors on site should know what each alarm means and what the required response is, if the cause of the alarm has the potential to affect them. An alarm should reset automatically if the fault that generated it is rectified. Alarm messages should be presented in a standard format, based upon existing conventions. Alarm messages should clearly inform the operator of the reason for the alarm. Following an alarm, the response required by the operator should be clear. The coding of alarms should not be based purely on colour, as colour blind operators will be unable to recognise what the alarm indicates. Alarm signals should be at least 10 dB(A) over the background noise of the control room. Alarms should not prevent effective communication within the control room. An alarm log should be provided for diagnostic purposes. The design of the alarm system should prevent masking and flooding of alarms. Masking is where one alarm noise masks a similar sounding alarm, preventing the operator from detecting the signal. Flooding happens when a system alarm has a ‘knock on’ effect on other related systems, the result of which is the triggering of myriad other alarms, flooding the control room with sound.
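The alarm log recommended above can be used to find flooding after the fact. The following is an added example, not part of the HSE guidance: it scans a time-ordered alarm log for flood episodes and reports the first alarm of each, which is the likely source of the knock-on effect. The 10-minute window, the start and end thresholds, the log format and all tags are assumptions or constructed sample data, since the guidance gives no numeric definition of a flood.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed tuning values: the guidance gives no numeric definition of a flood.
WINDOW = timedelta(minutes=10)
FLOOD_START = 10  # alarms inside WINDOW that open a flood episode
FLOOD_END = 5     # alarms inside WINDOW at or below which the episode closes


def build_sample_log():
    """Constructed log: routine alarms, then a pump trip with 11 knock-on alarms."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    trip = t0 + timedelta(hours=1)
    log = [(t0, "TI-204", "Temperature high"),
           (t0 + timedelta(minutes=25), "LI-310", "Level low"),
           (trip, "P-101", "Pump trip")]
    for i in range(11):
        log.append((trip + timedelta(seconds=10 * (i + 1)), f"FI-{400 + i}", "Flow low"))
    log.append((trip + timedelta(minutes=30), "TI-204", "Temperature high"))
    return [(ts.isoformat(), tag, msg) for ts, tag, msg in log]


def _close(episode):
    """Summarise an open episode once the alarm rate has fallen back."""
    alarms = episode.pop("alarms")
    episode["end"] = alarms[-1][0]
    episode["count"] = len(alarms)
    return episode


def find_floods(log):
    """Return flood episodes, each with its start, end, size and first alarm."""
    events = sorted((datetime.fromisoformat(ts), tag, msg) for ts, tag, msg in log)
    window = deque()  # alarms raised within the last WINDOW
    episodes, current = [], None
    for event in events:
        now = event[0]
        window.append(event)
        while now - window[0][0] > WINDOW:
            window.popleft()
        if current is None and len(window) >= FLOOD_START:
            # The oldest alarm still in the window is the likely initiator
            # whose knock-on effect triggered the rest.
            current = {"start": window[0][0], "initiating_tag": window[0][1],
                       "alarms": list(window)}
        elif current is not None:
            if len(window) <= FLOOD_END:
                episodes.append(_close(current))
                current = None
            else:
                current["alarms"].append(event)
    if current is not None:
        episodes.append(_close(current))
    return episodes


if __name__ == "__main__":
    for ep in find_floods(build_sample_log()):
        print(f"{ep['start']} -> {ep['end']}: {ep['count']} alarms, "
              f"first alarm {ep['initiating_tag']}")
```

Alarms that repeatedly appear inside flood episodes without ever being the first alarm are candidates for suppression or grouping in the alarm system design.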
Coding techniques
Coding should follow international conventions. Arbitrary coding by operators can actually propagate, rather than mitigate, human error if not carried out correctly. Coding should be consistent across plant. Coding should be used appropriately. Example methods of coding are:
Colour
Flash
Brightness
Inverse video/highlighting
Sound frequency
Sound type
Shape
2D/3D
Symbols
Coding should be used redundantly where colour is one of the coding methods.
Designing displays
Text
The language used should always be capable of being easily understood by the operator. Active rather than passive language should be used. Text should be left justified. Sans serif fonts should be used as these have been found to be the most legible. An example of a sans serif font is Arial.
Labels
Labelling should be used consistently across plant. Labels should be used appropriately. The relationship between labels and the equipment they refer to should be clear. Labels should be easily read. Standard abbreviations should be used where abbreviations are required.
Display devices
Display devices should be appropriate for the type of information they are presenting. Display devices should be grouped logically to improve signal detection. It is recommended that formal task analysis methods be performed to determine the optimum arrangement for displays and their associated controls. The relationship between a control and its associated display should be obvious. The operator should be able to easily understand display feedback. The response to this feedback should be obvious, wherever possible. The control method provided for navigation around displays should be appropriate for the task.
Graphics
Appropriate presentation methods should be used for information. A simple guide is presented below:

Method: Numeric
Advantage: Accurate quantitative information. Quickly read.
Disadvantage: Cannot illustrate rate of change or approach to limit. Rapidly changing data is unreadable. Difficult to locate individual data items if presented in a list or table.

Method: Bar charts/analogue dials
Advantage: Easy to check whether data is within limits. Possible to mark alarm limits. Displays rate of change well. Easily compared to other similarly presented data. Provides at a glance appreciation of operating conditions.
Disadvantage: Movement can potentially distract operators. Slow read time. Inaccurate if numerical value has to be derived.

Method: Pictorial displays
Advantage: Ideal for showing plant configurations. Can improve operator situational awareness of plant.
Disadvantage: Operator’s mental model of the plant may differ from the mimic. Can be very difficult to learn.

Method: Trend displays
Advantage: Ideal for presenting continuously changing information. Presents rate of change in an easily understood format. Good for comparing data plots. Provides historical data over time.
Disadvantage: Inaccurate if numerical value has to be derived. Only four parameters can be displayed.
Mimics should follow current conventions for symbols etc. Mimics should be user tested prior to installation to ensure that they are compatible with the end user’s mental model of the plant.
Controls
Controls should be appropriate for their use. A table is presented below which provides guidance on the most appropriate controls for different tasks:

Control operation | Pushbutton | Footswitch | Toggle switch | Rocker switch | Rotary selector
Discrete: Activate on/off | G | G | VG | VG | P
Discrete: Select three states | A | · | F | P | VG

[Remainder of table: ratings for the control types Knob, Joystick, Thumbwheel, Crank, Handwheel, Lever, Pedal (pivot), Pedal (thrust) and Slider, and for the operations Discrete: Select multistate; Continuous: Set/adjust; Continuous: Control/track; Exert force; Speed of operation; Inherent visual feedback. The individual cell values are not recoverable from the extracted layout.]

Controls should conform to the user’s stereotype. Controls should not obscure labels or displays. Layout of controls should be compatible with anthropometric guidelines.
Anthropometry
Reach
Control desk/panels should conform to reach distances for the 5th percentile operator.
Seating
Seating should be anthropometrically sound and should be usable by both 5th and 95th percentile operators. Adjustment should be provided to allow the operator to set up the chair to a configuration that is comfortable. Seating should not promote a slumped posture.
Posture
The workstation should be designed so that it allows the operator to regularly change their posture or move around the room. This should not, however, be during primary control duties or during an emergency scenario.
International Codes of Practice
CIA Guidance for the location and design of occupied building on chemical manufacturing sites, CIA/CISHEC, 1998.
‘Process plant hazard and control building design: An approach to categorisation’, CIA, 1990.
API RP 752 Management of hazards associated with location of process plant buildings, American Petroleum Institute, 1995.
HS(G)176 The storage of flammable liquids in tanks [8], HSE, 1998. Paragraph 191 provides guidance on the requirements for communications between the control and loading/off-loading operations.
HS(G)28 Safety advice for bulk chlorine installations [9], HSE, 1999. Paragraph 111 recommends that well instrumented plants for bulk chlorine installations should have a continuously manned control room. Paragraph 192 recommends that emergency instructions should be provided on plant and in the main control room. Paragraph 256 recommends that emergency alarms and sensors giving a visual display of chlorine concentrations in air should be provided on plant and in the main control room.
HS(G)30 Storage of anhydrous ammonia under pressure in the UK : spherical and cylindrical vessels [10], HSE, 1986. Paragraph 88 recommends that pressure and liquid levels with storage tanks should be transmitted to control rooms.
HS(G)40 Safe handling of chlorine from drums and cylinders [11], HSE, 1999. Paragraph 59 recommends that remotely operated shut-off valves and manual overrides should be located outside the control room. Paragraph 82 recommends that emergency instructions should be provided on plant and in the main control room. Paragraph 115 recommends that emergency alarms and sensors giving a visual display of chlorine concentrations in air should be provided on plant and in the main control room.
HS(G)186 The bulk transfer of dangerous liquids and gases between ship and shore [12], HSE, 1999. Paragraph 197 recommends operating points for pumps should be located both in the control room and on the berth. Paragraph 257 considers the advantages and disadvantages of controlling cargo transfer from on plant or the main control room.
CHIS 2, ‘Emergency isolation of process plant in the chemical industry’, HSE, 1999. The Guidance recommends that isolation should be effected from the control room, with alarms provided on plant and in the control room.
L26, ‘Display screen equipment work. Health and Safety (Display Screen Equipment) Regulations 1992’, HSE, 1992. Paragraphs 40 to 48 give recommendations on working environment, such as lighting etc.
BS EN 894-1 : 1997 Safety of machinery. Ergonomics requirements for the design of displays and control actuators. Part 1. General principles for human interactions with displays and control actuators, British Standards Institution.
BS EN 894-2 : 1997 Safety of machinery. Ergonomics requirements for the design of displays and control actuators. Part 2. Displays, British Standards Institution.
BS 3693 : 1992 Recommendations for the design of scales and indexes on analogue indicating instruments, British Standards Institution.
BS EN 60073 : 1997 Basic and safety principles for man-machine interface, marking and identification. Coding principles for indication devices and actuators, British Standards Institution.
BS 7445 : 1991 Description and measurement of environmental noise, Parts 1, 2, and 3, British Standards Institution.
Defence Standard 00-25, ‘Human factors for designers of equipment. Part 7. Visual displays’, Issue 1, MoD, 1986.
EPRI - NP 3659, Kincade, R. G. and Anderson, J., ‘Human factors guide for nuclear power plant control room development’, Essex Corporation, 1984.
ISO/DIS 11064-3 (Draft), ‘Ergonomic design of control centres’, Parts 1, 2, and 3, 1997.
NUREG/CR-5908 BNL-NUREG-52333, ‘Advanced human systems interface design review guidance’, U.S. Nuclear Regulatory Commission, Washington DC, USA, 1994.
NUREG-0700, ‘Human-system interface design review guidelines’, Revision 1, U.S. Nuclear Regulatory Commission, Washington DC, USA, 1996.
Further reading
Mecklenburgh, J.C., ‘Process plant layout’, George Godwin, 1985.
Ball, P.W. Ed, ‘The guide to reducing human error in process operations’, The Human Factors In Reliability Group, The SRD Association, 1991.
Pheasant, S., ‘Bodyspace - anthropometry, ergonomics and the design of work’, Taylor & Francis, London, 1996.
Oborne, D. J., ‘Ergonomics at work’, Second Edition, Wiley, New York, 1989.
Corlett, E. N. and Clark, T. S., ‘The ergonomics of workspaces and machines - A design manual’, Second Edition, Taylor & Francis, London, 1995.
Case studies illustrating the importance of Control room design
Flixborough (Nypro UK) Explosion (1/6/1974) [13]
Havkong Incident (23/1/1993) [14]
Shell - Stanlow (20/3/1990) [15]
Texaco Refinery - Milford Haven - Explosion and Fires (24/7/1994) [16]
Link URLs in this page
1. Control systems http://www.hse.gov.uk/comah/sragtech/techmeascontsyst.htm
2. Alarms / Trips / Interlocks http://www.hse.gov.uk/comah/sragtech/techmeasalarm.htm
3. Emergency response / spill control http://www.hse.gov.uk/comah/sragtech/techmeasspill.htm
4. Plant layout http://www.hse.gov.uk/comah/sragtech/techmeasplantlay.htm
5. 5.2.1.7(41) http://www.hse.gov.uk/comah/sram/index.htm
6. 5.2.1.8 http://www.hse.gov.uk/comah/sram/index.htm
7. 5.2.1.12(68) http://www.hse.gov.uk/comah/sram/index.htm
8. HS(G)176 The storage of flammable liquids in tanks http://www.hse.gov.uk/comah/sragtech/docspubguid.htm
9. HS(G)28 Safety advice for bulk chlorine installations http://www.hse.gov.uk/comah/sragtech/docspubguid.htm
10. HS(G)30 Storage of anhydrous ammonia under pressure in the UK : spherical and cylindrical vessels http://www.hse.gov.uk/comah/sragtech/docspubguid.htm
11. HS(G)40 Safe handling of chlorine from drums and cylinders http://www.hse.gov.uk/comah/sragtech/docspubguid.htm
12. HS(G)186 The bulk transfer of dangerous liquids and gases between ship and shore http://www.hse.gov.uk/comah/sragtech/docspubguid.htm
13. Flixborough (Nypro UK) Explosion (1/6/1974) http://www.hse.gov.uk/comah/sragtech/caseflixboroug74.htm
14. Havkong Incident (23/1/1993) http://www.hse.gov.uk/comah/sragtech/casehavkong93.htm
15. Shell - Stanlow (20/3/1990) http://www.hse.gov.uk/comah/sragtech/casestanlow90.htm
16. Texaco Refinery - Milford Haven - Explosion and Fires (24/7/1994) http://www.hse.gov.uk/comah/sragtech/casetexaco94.htm