C

CONTROL ROOMS ARE A KEY ASPECT OF

the safety and efficiency of nuclear power plants
(NPPs). Their design and the operational prac-
tices they support are key aspects of modernizing
existing NPPs and meeting the high safety and
availability targets set for advanced plant designs.
This article presents a brief history of NPP con-
trol room development, followed by a discussion
of control room improvements planned for the
next generation of NPPs.

Development of
Control Room Design
The design of NPP control rooms for civilian
power production has its origins in process control
industries, such as chemical, and from nuclear
navies from which many of the personnel came.
The first “power production” NPPs entered service
during the late 1950s and early 1960s. For the pur-
pose of this article, we begin with the early designs
in North America that emerged in the late 1950s in
© EYEWIRE

the United States and in the early 1960s in Canada.

These plants are representative of commercial

november/december 2006 1540-7977/06/$20.00©2006 IEEE IEEE power & energy magazine 43

 NPPs that were designed solely for power production. This
article will focus on the operator interface of control rooms and
how the hardware and software supports this operation.
Early control rooms were designed for centralized control
by a small group of operators and managers. These control
rooms contained large sit-stand control panels with many
conventional instrumentation and control (I&C) devices such
as pushbuttons, meters, and backlit window tiles for display-
ing alarms. Examples of these early reactors include a single
unit plant at Commonwealth Edison’s Dresden site that
entered service in 1957 (United States) and Atomic Energy of
Canada’s Nuclear Power Demonstration unit that went into
service in 1962 and was followed by the first commercial unit
in 1968 at Douglas Point.
A photograph of staff in the Douglas Point control room is
shown in Figure 1; it shows instrumentation typical of early
control rooms.
In these early control rooms, almost all automatic plant
control functions were implemented using analog technology.
In some cases, computers were used to a limited extent. For
example, at Douglas Point, computers were used to monitor
and display reactor channel temperatures.
These control rooms provided a comfortable “officelike” envi-
ronment for the operations staff and also contained facilities and
equipment needed for emergency response. Telephones, radios,
meeting space, and plant paging could be done from the control
room or areas contained within the control complex. This greatly
facilitated a strong centralized command and control capability
that could efficiently manage all plant conditions, a feature that
has been retained to this day and is an important area for contin-
ued enhancement in new plant designs. For example, the central-
ization of responsibilities has been extended in some advanced
pressurized water reactors (PWRs), with the addition of monitor-
figure 1. The control room at Douglas Point (circa 1968).
44 IEEE power & energy magazine
ing and control of radioactive waste. This is the waste generated
while the reactor is at power and does not impact the need for
long-term storage. The addition of computerized monitoring
tools for advanced CANDU (Canadian deuterium uranium)
control rooms enhances the ability of control room staff to
accomplish existing responsibilities (e.g., equipment status
monitoring for tracking what equipment is in or out of service).
Drivers of Control Room Evolution
As control rooms evolved from those early designs, there
were many drivers of change. For example, operating expe-
rience with the early plants identified areas of improvement,
such as the need for improved alarm systems and better
monitoring of reactor status. As there is today, there was
then a constant stream of new technology that had greater
functionality and better reliability that designers were anx-
ious to utilize. Some of this technology was developed by
the nuclear industry itself for custom applications, while
others were developed for nonnuclear process control appli-
cations that nonetheless afforded advancements for nuclear
applications. A good example of this was the rapid advance-
ment in plant computer technology. This provided the
opportunity to introduce significant enhancements in func-
tionality over their analog predecessors.
Additionally, the backdrop of industry drivers was augment-
ed by regulatory changes that were aimed at continually improv-
ing nuclear safety. For example, many regulators required the
addition of dedicated postaccident monitoring instrumentation
and a dedicated safety parameter display system (SPDS) to facil-
itate monitoring of key nuclear safety parameters associated with
control, cooling, and containment of the reactor.
These drivers combined with industrial growth resulted in
unprecedented growth for nuclear power during the 1970s.
This provided a fertile ground for evolving control room
designs. As the industry built more plants, there was a steady
evolution of control room designs that used the lastest avail-
able technology. This was a slow, steady evolution compared
to the plantwide modernization projects of today, where sig-
nificant control room upgrades may occur.
The era of new build NPPs drew to a close in North Ameri-
ca by the mid-1980s due to a combination of factors ranging
from a general economic downturn to sufficient generation
supply through the memory of long construction cycles and
poor cost and schedule control with the early units. Addition-
ally, the industry was further hurt by incidents such as the
well-known event at the Three Mile Island (TMI) plant in
Pennsylvania during 1979. After TMI, only existing orders for
new NPPs were completed, some orders were cancelled, and
no new orders have been placed in North America since then.
Although accidents such as TMI hurt the industry, lessons
learned did result in notable improvements in control room
design and operation. One such important lesson pertained to
the need for greater attention to the human-factors aspects of
control room design, particularly in the area of information
presentation: what to display and how best to do it in order to
november/december 2006
better assist operators in making safety related decisions. The
post-TMI era saw regulators codify requirements for the
incorporation of human factors into control room designs.
Perhaps, the best known example of this was the U.S.
Nuclear Regulatory Commission (NRC)’s publication of
NUREG-0700 for the review of control room designs.
A plant that reflects control room design in North America
at the end of the boom period of the 1970s and 1980s, is the
four-unit station at Darlington on the north shore of Lake
Ontario (owned by Ontario Power Generation). This multi-
unit control room (Figure 2) contains the centralized control
facilities for all four units. Although considerably more
advanced than its predecessors, many of the features of early
plants can still be seen, such as the large “stand-to-operate”
panels and the numerous alarm windows on the top of each
panel. Darlington units are particularly noteworthy because
they make extensive use of computer control and display
using centralized control computers (as opposed to distrib-
uted, see the “Nonsafety Platform: The Distributed Control
System” section). The application of computer control has
also been fully extended to the two independent shutdown
systems, and at Darlington, they are fully computerized from
reactor trip to display, alarm, and testing functions.
The incorporation of numerous cathode ray tubes (CRTs)
for display and control can also be seen. In fact, this control
room uses an early form of touch-sensitive CRTs (i.e., light
pen activated) as the primary means of monitoring and con-
trolling the plant, a feature that is used today in advanced
plant designs in France and Japan and is planned for
advanced plants in North America.
Drivers of Advanced
Control Room Designs
With no new orders for NPPs in North America, advanced NPP
control room design requirements have been developed for plant
retrofits and large-scale plant moderizations. These requirements
resulted in the introduction of new and better ways to support
plant operations and to provide a solid basis for the advanced
plant designs currently being developed by many vendors.
figure 2. The Darlington 4 unit control room.
november/december 2006
In terms of plant design for operation, advanced plant
requirements are considerably more specific and demanding.
Utilities, regulators, and investors are all requiring designs
that are safer and more efficient than their predecessors. With
respect to the design for operation, some of these drivers
include the need to improve:
✔ operational efficiency
✔ staffing costs
✔ immunity to human performance deficiencies.
On the technology front, there is the the need to provide
equipment that is:
✔ readily available and likely to be so for many years
✔ simpler, less complex
✔ easy to repair and replace
✔ more functional
✔ cost attractive.
These requirements for advanced control room designs
are also driven by very practical and tangible activities in
countries outside of North America. For example, Korea
has designed an advanced PWR and has contracted to
build it, while Japan has designed and built advanced
boiling water reactors (BWRs). Both include advanced
control rooms. Additionally, some plant modernizations
include significant upgrades to their main control rooms
(MCRs) and are, for example, replacing old control room
instrumentation with new computer-driven display sys-
tems. Figure 3 shows the control room development facil-
ity at Atomic Energy of Canada Limited (AECL), where
issues related to introducing advanced control room fea-
tures, such as large screen displays and touch sensitive
displays, and integrating them with traditional control
room instrumentation are investigated.
These successful advances in control room design also
serve as a driver for the development of new control
rooms, particularly in North America where advanced
designs are under development and the prospects to build
an advanced plant have never been better. In the sections
that follow, the opportunities to satisfy these drivers of
change with the technology of today are discussed.
figure 3. AECL’s control room development facility.
IEEE power & energy magazine 45
 Technology Advances
Instrumentation and Control Systems
The nuclear industry’s instrumentation and control (I&C)
technology has evolved continuously from the analog (and
early digital) systems that were employed to build current
generation nuclear power plants to the digital technology
used in many other process industries. For current generation
plants, many different systems were needed for protection,
control, and monitoring, resulting in a myriad of different
I&C equipment in the plant. Today’s plants and moderniza-
tions can typically be implemented with only two primary
digital I&C systems: nonsafety and safety systems.
Nonsafety Platform:
The Distributed Control System
Commercially available distributed control systems (DCSs)
combine the functionality of current generation plant comput-
ers and control systems with video-based human-machine
interface (HMI) devices that provide improved operational
functionality to that previously existing on control boards.
Typically, a DCS is composed of 1) geographically distributed
digital controllers for process control, 2) computational
servers for extensive computer processing such as required for
nuclear application programs, 3) gateways providing links to
external systems, 4) a plantwide database, 5) operator stations
featuring redundant full-function information/control video
display units (VDUs), and a plantwide data highway or net-
work connecting all of these. A commercial DCS generally
serves as the nonsafety platform for modern I&C implementa-
tions since they may not cost effectively meet the qualification
criteria for safety systems. The HMI resources associated with
a DCS are described below.
Digital Safety System Platforms
Safety system technology has similarly transitioned from ana-
log devices to digital protection, control, and monitoring. A
safety system platform differs from the nonsafety platform
because of meeting 1) stringent reliability requirements; 2)
seismic (e.g., IEEE Class 1E or IEC Category A), environ-
mental, and electromagnetic compatibility qualification crite-
ria; and 3) more stringent software design standards. The
plant’s HMI also must include safety-related monitoring and
control devices to allow protection and safety system control
independent of the nonsafety DCS. Typically, safety system
HMI is designed to allow safe shutdown and accident mitiga-
tion from a combination of:
1) qualified displays allowing safety-related soft control,
protection system operations (such as implementing
bypasses), and postaccident monitoring (per IEEE
Standard 497-2002 or Regulatory Guide 1.97)
2) fixed-position switches for reactor trip and system-
level engineered safety feature actuation
3) fixed-position switches for a minimum set of compo-
nent controls.
46 IEEE power & energy magazine
Human Machine Interfaces
Though I&C technology has experienced significant change
over the last few years, it is the change in HMI technology
that is the primary reason for the shift to more compact
nuclear plant control rooms. This is a result of both the exten-
sion of video-based HMI devices, including large screen dis-
plays, as well as improved processing and presentation
through HMI resources such as advanced alarm systems and
computerized procedures.
Displays and Soft Control
A fundamental feature of video-based HMI technology is the
ability to develop a set of operational displays using a stan-
dard set of display objects, conventions, and navigation
methods. Furthermore, these displays can be made available
to multiple plant locations, including primary operating
facilities (such as the main or remote control rooms) and
supporting facilities such as the technical support center or
local control stations. The DCS environment provides the
capability to create 1) system mimics, 2) function-based dis-
plays, 3) operator task displays 4) trends, graphs, and logs,
5) nuclear application program displays, and 6) diagnostic
displays and other specialized display types. These new dis-
plays afford the opportunity to display more information in
more meaningful ways to users, both in operations (e.g.,
enhancing operator decision making) and technical support
(e.g., enhanced performance monitoring).
One HMI feature necessary to implement increasingly
more compact control rooms is “soft control.” Soft control
refers to the capability to perform plant control functions
through software-driven, virtual devices rather than panel-
mounted devices such as conventional switches or
manual/auto stations. Soft control of nonsafety components
and processes is easily implemented using the inherent capa-
bilities of a DCS. Soft control of safety system components
and processes is not so simple. A number of alternatives exist
to implement soft control of safety components using video-
based HMI. To achieve a truly uniform HMI for all normal
controls, “universal” soft control offers multichannel control
of safety components and processes through the same DCS
displays as for nonsafety components. Though operationally
preferred, this strategy challenges criteria related to the inter-
action between safety and nonsafety I&C. An alternative that
is less challenging from an I&C standpoint is to use multi-
channel, qualified video devices that are part of the safety
platform operating in conjunction with the DCS worksta-
tions. A final alternative is to use qualified video devices for
safety soft control independent of the DCS. This alternative is
often used as a limited functionality, safety-related backup to
one of the first two alternatives.
Computerized Procedures
Computerized (i.e., electronic) procedures are also critical to
designing a compact control room and, arguably, provide the
greatest benefit to improved operations. By replacing the
november/december 2006
paper medium procedures, including emergency operating
procedures, the new electronic procedures can be fully inte-
grated with the other DCS-based HMI resources and infor-
mation and controls. Computerized procedures allow the
operator and computer to complement each other for more
accurate and efficient execution of procedures. In particular,
an operator’s mental workload can be reduced since informa-
tion needed for procedure execution can be colocated with
the procedure steps in an appropriate format. Computerized
procedures provide a significant operational benefit by moni-
toring continuously applicable or parameter-dependent steps
for their applicability and then notifying the operator when
they should be performed. This relieves operators of the bur-
den of remembering these background steps while actively
performing other steps and improves the likelihood that the
steps will be performed in a timely fashion. A set of paper-
based, backup procedures are typically provided to address
the unlikely event of a DCS failure. A computerized proce-
dure system also provides the tools for procedure mainte-
nance and configuration control.
Alarms
Use of a DCSs capability for computer-based processing and
video presentations as the primary means to generate, handle,
and present alarms provides the opportunity to improve on cur-
rent generation alarm systems and meet the requirements of the
latest standards, e.g., IEC-62241. The primary means of pro-
cessing, presenting, and handling alarms is through the DCS-
driven VDUs at each operator console. Alarms can be
Auxiliary Panel
Diverse Actuation
System (DAS) Panel
Primary Dedicated
Safety Panel
Senior
Reactor
Operator
Console
Shift
Supervisor
Office
figure 4. Westinghouse’s AP 1000 advanced control room.
november/december 2006
integrated with other HMI resources for a unified presentation
of alarm information to all operation personnel. The flexibility
afforded through video displays allows alarm information to be
presented using a variety of alarm lists as well as through inte-
gration in plant mimic displays. Direct links to electronic alarm
response procedures are feasible. Fixed-position, continuously
visible alarms are typically integrated with a large screen dis-
play overview but may be presented on a limited set of dedicat-
ed alarm VDUs. Alarm presentation in the safety-related HMI
is typically limited to those necessary for accident mitigation
and safe shutdown.
Large Screen Displays
Large screen display technology is making significant
advances in both size and resolution. Now large screen
devices of 67-in, 70-in, and even 100-in diagonal are avail-
able and can be used in seamless arrangements to create a
complete wall display. SXGA resolution (1,400 × 1,050) is
available for most large screen sizes. In a compact control
room, such large screen displays are installed in front of oper-
ator consoles to provide continuously visible information
(and possibly controls), helping operators maintain situation
awareness during both normal and emergency operations.
They are configured in a combination of fixed displays (typi-
cally including a plant mimic) and selectable screens that
allow anyone in the operating staff to select a display for
large screen viewing. The fixed portion often includes key
high-level alarms, critical function status (which includes
meeting continuously visible display requirements for safety
Info Wall P
rma a
tion nel
Sys
tem
Reactor
Operator
Secondary Console
Dedicated
Safety Panel Printer
IEEE power & energy magazine 47
 parameter display systems), engineered safety feature system
availability and performance status, key protection system
information, and integrating information such as plant mode
or the current procedure in use. Large screen displays are
usually driven by the nonsafety DCS.
Figure 4 shows an artist’s concept of an advanced control
room that may be built in North America as part of new plant
build programs currently underway. The technology and
compact, video-based design is also typical of advanced con-
trol rooms being implemented in Taiwan and Korea. It illus-
trates many of the advanced features that are discussed in
this article, including VDU-based operator control through a
DCS, large screen displays for plant overview, advanced
alarm handling, and enhanced support for control room staff
through dedicated control and monitoring consoles.
Human Factors
Process and Design Standards
The design of a compact control room and video-based HMI
still relies on meeting design standards and performing a com-
prehensive human factors engineering (HFE) program in con-
junction with the HMI design activities. Activities for an HFE
process are defined in nuclear industry standards such as IEEE
Standard 1023-2004 and IEC 964. Regulatory review criteria
for a human-factors program are defined in USNRC NUREG-
0711. A typical HFE program includes 1) operating experience
review, 2) function requirements analysis and function alloca-
tion, 3) task analysis, 4) staffing assumptions, 5) integration with
the human reliability analysis, procedures development, and
training, and 6) HFE verification (both task support and design)
and integrated system validation. In addition, HMI design is
guided by HFE design criteria, such as that contained in the
recent revision to NUREG-0700 and industry guidance such as
the Electric Power Research Institute (EPRI) “Advanced Light
Water Reactor Utility Requirements Document.”
Summary
This article has provided a historical perspective of NPP
control room development and a discussion of features typi-
cal of advanced control rooms being employed for the next
generation of NPPs. Both HMI technology advances and the
application of HFE principles and processes through a com-
prehensive program have contributed to the industry’s
advancement to where it is today. As the renaissance of
nuclear power gains momentum, the continuing evolution of
control room design and HMI technology will provide
unique challenges as well as opportunities to further improve
plant operations.
For Further Reading
Standard Criteria for Accident Monitoring Instrumentation
for Nuclear Power Generating Stations, IEEE Standard 497-
2002, 2002.
“Instrumentation for light water cooled nuclear power
plants to assess plant and environmental conditions during
48 IEEE power & energy magazine
and following an accident.” US Nuclear Reg. Comm. Wash-
ington, DC, Regulatory Guide 1.97, 1983.
Recommended Practice for the Application of Human
Factors Engineering to Systems, Equipment, and Facilities of
Nuclear Power Generating Stations, IEEE Standard 1023-
2004, 2004.
Design for Control Rooms of Nuclear Power Plants, Stan-
dard IEC 964, 1989.
“Advanced light water utility requirements document,”
Elec. Power Res. Inst., Palo Alto, CA, 1992.
“Human system interface review guidelines,” US Nuclear
Reg. Comm., Washington, DC, Rep. NUREG-0700, Rev. 2,
2002.
“Human factors engineering program review model,” US
Nuclear Reg. Comm., Washington, DC, Rep. NUREG-0711,
Rev. 2, 2004.
Biographies
J. Scott Malcolm is the manager of the electrical, control, and
instrumentation branch within the CANDU services at Atomic
Energy of Canada. Formerly a principal design specialist in
human factors engineering (HFE) at AECL, he is responsible
for a wide range of engineering services, including control cen-
ter modifications and support to advanced control room
designs. He has 22 years of experience in control room design,
including five years outside the nuclear industry in naval sur-
face ship design. He is currently supporting several major proj-
ects, including a major plant rehabilitation at the CANDU 6
station in New Brunswick, Canada, the control room design for
the Advanced CANDU Reactor, and the new CANDU 6
Enhanced design. He was a key developer of the process for
incorporating HFE into the Canadian nuclear industry, includ-
ing a strong focus on the development of control room func-
tionality and supporting technology. He is a member of the
IEEE and currently is the vice chair of the Nuclear Power
Engineering Committee. He is also active in international
design standards and is currently the Canadian Chief Delegate
to the International Electrotechnical Commission, Technical
Committee 45 on nuclear instrumentation.
Daryl L. Harmon is a fellow engineer responsible for
the design of advanced human-machine interface (HMI)
systems at Westinghouse Electric Company. He has 28
years of experience in the nuclear industry designing and
developing HMIs and compact control rooms. He is current-
ly the HMI technical coordinator for the AP1000 compact
control room design program. He has been responsible for
the USNRC design certification of the ABB CE Nuplex
80+ Advanced Control Complex and has consulted exten-
sively on the Korean Next Generation Reactor control room
design. He is a member of the IEEE and currently is the
chair of Working Group 6.1 of the Nuclear Power Engineer-
ing Committee’s (NPEC) Subcommittee 6. He holds a B.S.
in nuclear engineering and an M.S. in mechanical engineer-
ing from Rensselaer Polytechnic Institute in Troy, New
York. He currently owns 16 U.S. patents. p&e
november/december 2006