See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/222664859

Human factors approach for evaluation and redesign of human–system

interfaces of a nuclear power plant simulator

Article  in  Displays · July 2008

DOI: 10.1016/j.displa.2007.08.010

CITATIONS READS

56 182

5 authors, including:

Paulo Victor R. de Carvalho Isaac J. A. L. Santos

Nuclear Engineering Institute Comissão Nacional Energia Nuclear, Brazil
98 PUBLICATIONS   691 CITATIONS    20 PUBLICATIONS   326 CITATIONS   

SEE PROFILE SEE PROFILE

José Orlando Gomes Marcos Borges

Federal University of Rio de Janeiro Federal University of Rio de Janeiro
69 PUBLICATIONS   831 CITATIONS    241 PUBLICATIONS   1,856 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Situated Modeling and Analysis of the Regulation System of Outpatient Consultations in Federal Hospitals in Rio de Janeiro: the effects
of the regulatory process in the execution of the Brazilian National Policy for Hospital Care View project

Fuzzy developments for choosing and priorizing work improvement setting in energy transmission lines View project

All content following this page was uploaded by Paulo Victor R. de Carvalho on 08 December 2017.

The user has requested enhancement of the downloaded file.

This article appeared in a journal published by Elsevier. The attached
copy is furnished to the author for internal non-commercial research
and education use, including for instruction at the authors institution
and sharing with colleagues.
Other uses, including reproduction and distribution, or selling or
licensing copies, or posting to personal, institutional or third party
websites are prohibited.
In most cases authors are permitted to post their version of the
article (e.g. in Word or Tex form) to their personal website or
institutional repository. Authors requiring further information
regarding Elsevier’s archiving and manuscript policies are
encouraged to visit:
http://www.elsevier.com/copyright
 Author's personal copy

Available online at www.sciencedirect.com

Displays 29 (2008) 273–284

www.elsevier.com/locate/displa

Human factors approach for evaluation and redesign

of human–system interfaces of a nuclear power plant simulator
Paulo V.R. Carvalho a,*, Isaac L. dos Santos a, Jose Orlando Gomes b,
Marcos R.S. Borges b, Stephanie Guerlain c,1
a
National Nuclear Energy Commission/Nuclear Engineering Institute, Cidade Universitária, Ilha do Fundão, Rio de Janeiro, RJ 21945-970, Brazil
b
Graduate Program in Informatics-NCE&IM, Federal University of Rio de Janeiro, Cidade Universitária, Ilha do Fundão, Rio de Janeiro, RJ, Brazil
c
Systems and Information Engineering Department, University of Virginia, Charlottesville, VA 22904-4747, USA

Received 7 August 2007; accepted 15 August 2007

Available online 21 August 2007

Abstract

Nuclear power production is a safety-critical process where ultimate execution of process change decisions lie with the operators. Thus
it is important to provide the best possible decision support through effective supervisory control operator interfaces. This requires a
human factors/ergonomics approach in the modernization of analog instrumentation and control systems of the existing nuclear power
plants. In this article, we describe how this approach is being used for modernization of the ANGRA I power plant. Using a cognitive
task analysis (CTA) approach, we observed operators working on an advanced control room of a nuclear power plant digital simulator
and noted several opportunities for improvement in the human/system interfaces related to the graphics design, alarm systems and pro-
cedure integration. A redesigned prototype was constructed as an alternative to the current simulator and hardcopy procedure manuals.
The design improves upon the graphical layout of system information and provides better integration of procedures, automation and
alarm systems. The design was validated by expert opinion and a scenario-based comparison.
Relevance to industry: Human factors/ergonomics are not playing the role they deserve in the design of process control systems mak-
ing them less controllable than they could be if human factors were adequately incorporated. The use of human factors approach in the
design of process control systems throughout the industry presents many opportunities for improvements with regard to system effec-
tiveness, efficiency, reliability and safety.
 2007 Elsevier B.V. All rights reserved.

Keywords: Interface design; Nuclear power plant operation; Cognitive task analysis

1. Digital interface design for nuclear power plants
Nuclear power plant (NPP) control room operators
observe and manipulate an extremely complex system. In
the past, this required walking along a large control panel,
taking readings from gauges and adjusting knobs and
levers. Many of today’s control rooms have been upgraded
such that these control panels have been replaced or aug-
mented with visual display units (VDUs). Unlike the old
analog control rooms, in the new ‘‘advanced’’ interfaces
*
Corresponding author. Tel.: +55 21 22098196.
E-mail address: paulov@ien.gov.br (P.V.R. Carvalho).
1
Senior Member, IEEE.
all operators can access almost all the information about
the plant from his/her workplace [25]. Digitization of pre-
vious analog human–system interfaces imposes new coordi-
nation demands on operational teams (e.g. the need for
communication to construct situation awareness) leading
to new situations of human–human and human–system
interaction. In order to run such systems effectively, effi-
ciently and safely, (often conflicting goals) much research
has been developed taking into account human perfor-
mance, technological possibilities, types/levels of automa-
tion in a system, design of human–machine interfaces,
etc. (see [22,24,29,16]).
This research is connected to the control room modern-
ization process of the ANGRA I nuclear power plant. This

0141-9382/$ - see front matter  2007 Elsevier B.V. All rights reserved.
doi:10.1016/j.displa.2007.08.010
 Author's personal copy
274 P.V.R. Carvalho et al. / Displays 29 (2008) 273–284
plant is a Westinghouse, 600 megawatt (MWE) pressurized
water reactor designed in the 1960s that requires continual
modernization. The overall research aim is to investigate
how advanced (digital) interfaces should be evaluated
and designed in order to be used in the modernization of
the analog instrumentation and human/system interface
(HSI) systems. As such, this research focused on the devel-
opment of operator support systems during emergency sit-
uations. In particular, we focused on crucial safety
problems related to the design and layout of the graphics
on the screen, the layout and informativeness of the alarm
system, and the integration of electronic procedures into
the control/display environment.
1.1. The alarm problem
It has been said that nuclear plant operation is charac-
terized by 99% boredom and 1% panic. The 99% boredom
of continuous normal operation requires effective surveil-
lance and long-term control strategies. The 1% panic
requires means and measures that are entirely different
from those that are adequate for normal or slightly dis-
turbed situations. Situations like alarm flooding are well
known [27,28,4], but the HSI designers of nuclear plants
or large chemical complexes still design alarm systems to
function well only during normal operation. As such, in
this research we focused on how the simulator operators
deals with alarms during emergency situations.
1.2. Graphics design
Nachreiner et al. [16] used the following quote – The
control room displays did not help the operators to under-
stand what was happening – from a major accident in a
chemical process plant [10] as an indication that, at least,
not all process control graphic interfaces represent the state
of the art in human factors/ergonomics design approach.
Nachreimer et al. (op. cit.) also claimed that, especially in
the design of VDU-based control system (graphic screens)
human factors or ergonomics principles already known
must be applied according to the existing legislation in
European countries. In this research, we focused on the
design and layout of the graphics on the simulators screens,
and the integration of electronic procedures into the con-
trol/display environment.
1.3. Digital procedures in nuclear power plants
Due the overwhelming complexity of NPP systems and
the potential risks involved, during emergency situations,
the operators have to run the plant according to the written
procedures – the emergency operating procedures (EOP).
There are at least four major issues relating to procedure
design:
• Procedure design must be technically correct according
to a thorough understanding of the process and scenario
of events.
• Procedure tasks shall be conceived in a timely manner,
according to the dynamic of the physical processes and
the cognitive capability of the operators [1].
• Procedure format shall be conceived for easy compre-
hension by the operators.
• Procedures must be executed without mistakes.
Past NPP accidents were related to paper procedures
and, at least to some extent, to the four issues mentioned
above. The US NRC inspected the procedures of all
USA NPPs after the Tree Mile Island (TMI) accident,
and demanded that power plant utilities improve their pro-
cedures [13]. Since paper procedures are static documents,
they have inherent weaknesses in integrating process infor-
mation and in confirming the proper executions. With the
advance of computer and information technologies, digital
(computerized) procedures have been introduced to cope
with those issues effectively. COMPRO [14], N4 Procedure
system [23] are the typical examples of digital procedure
components developed in 1980s and 1990s. However, digi-
tal procedure components have not been used in real NPPs
operation. The reasons because digital procedures in
nuclear industry have not been widely used contrary to
what happens in other industrial sectors such as chemical,
oil and aeronautic are not so clear. Some people claim that
if digital procedures could have been implemented in other
industries safety critical industrial sectors, then this would
already have been done in the nuclear industry [18]. Some
others claim that due the complexity and diversity of the
tasks in nuclear operation, these tasks cannot be easily
automated in a digital procedure component. The major
drawbacks already identified are inappropriate level of
automation, hidden logic, frequent context switching and
difficulties in understanding procedures [12]. Then, it is
very important to understand the uncertain effect of differ-
ent design possibilities for alarm systems and emergency
procedures to be changed from manual (alarm windows,
paper procedures) to fully automatic (or not) in the
advanced control room design.
1.4. The human-centered design approach
The HSI (graphics, alarm system and procedure) design
of advanced interfaces (specially in the analog to digital
transition) must use a human-centered approach, in order
to exploit the technical innovations for the optimum
human–artifact interactions, aiming at improving the
appropriateness of the technological solutions [9]. Innova-
tions in technology should be used to enhance the shared
human intelligence and the possibilities for human to inter-
act with the environment. The HSI and procedure design is
especially important in processes of modernization of old
analog instrumentation and control systems. As noted by
many authors (e.g., [2,30]), the development of technology
 Author's personal copy
P.V.R. Carvalho et al. / Displays 29 (2008) 273–284
is usually comprehended from the point of view of its capa-
bility of replacing human work by automation. Yet, by
improving measurements, transmission, copying and repre-
sentation of information, new technology also increases the
role of information displays as the mediator between the
human actor and the object of activity. Advanced controls
that automate large portions of control tasks complicates
interpretation of the state of the environment and calls
for improved intellectual skills. Hence, it is the new tech-
nology’s ability of to inform that paradoxically emphasizes
the role of the human and the need of the human-centered
approach for HSI design.
Some of the most important consequences of a transi-
tion from the traditional analogue instrumentation and
control technology to digital technology transition with
regard to the HSI are:
• Large amounts of process information and an abun-
dance of alarm information in disturbance situations
challenge the operators’ comprehension of the process
state and its expected course in operational situations.
The term ‘‘situation awareness’’ is often used for this
complex of activities [5,6].
• The space for information presentation is small which
necessitates a sequential use of information (the keyhole
effect; [27,8]).
• ‘‘Soft control’’ is expected to increase secondary tasks
which may increase mental effort and work load [21,28].
• Feedback from the system must be optimized. Too fast
and inappropriate feedback may increase mental load
[19,20].
• Systems may fail, understanding the functions of auto-
mated systems must be ensured [20].
• Identifying, correcting and recovering from errors may
become more difficult which endangers the reliability
of the sociotechnical system [20].
2. Research setting
The simulator in which this study had been carried out
simulates in an advanced (digital) control room nuclear
power plant physical processes that are similar to the
ANGRA I Brazilian first constructed nuclear power plant.
The construction of ANGRA I started in 1972, the first
criticality (the first fission reaction in the reactor core)
occurred in 1982, and the plant commercial operation
started in 1985. Since then, it has generated 40 million
MWh of electric energy. After the solution of some opera-
tional problems in at the beginning of the operation, the
plant nowadays presents maintains an excellent perfor-
mance level (see Fig. 1) according to the most stringent cri-
teria of international nuclear organizations such as the
World Association of Nuclear Operators – WANO.
These performance figures justify the implementation of
the modernization and life extension program for this
plant, which, in the next phase, will involve replacing the
275
Fig. 1. Performance levels of the plant under study.
steam generators. After that, an upgrading of the instru-
ments and controls (I&C) and HSI systems is planned,
because the actual analog control room and instrumenta-
tion systems are very difficult to maintain.
In order to support the application of the human-cen-
tered design approach in the HSI design of the Brazilian
NPPs, the Brazilian Nuclear Energy Commission (CNEN),
together with the International Atomic Energy Agency
(IAEA) and the Korea Atomic Energy Research Institute
(KAERI) developed an experimental facility for HSI
design and human factors research and development, the
Human System Interface Laboratory (LABIHS). The
LABIHS facility conducts research on human–system
interaction in the nuclear power domain. Its goal is to
improve user interface support for operator tasks, with
the intention of promoting safer and more efficient NPP
operation after the modernization processes.
3. Materials and methods
In this research, we use LABIHS to investigate the nat-
ure of operator–system interaction during abnormal events
in order to contribute to operational safety and efficiency
through enhanced decision support system design. LABI-
HS consists of an advanced control room, an experi-
menter’s gallery room and other auxiliary rooms. The
advanced control room consists of nuclear reactor simula-
tor software, graphical user interface design software, a
hardware/software platform to run and provide the ade-
quate communication between these software systems,
and the operator interface – VDUs and controls needed
to operate the simulated process (Fig. 2).
To simulate the plant under study, a Westinghouse
PWR digital compact simulator is used. A compact simula-
tor, according to IAEA TECDOC 995 definition provides a
means of operations training in a simplified form.
Although modeling scope and fidelity are equivalent to a
full scope simulator, the scope of simulation is typically
limited and the full control room is not replicated [11].
An Integrated Hardware/Software Platform runs the simu-
lator program and transfers data throughout the comput-
erized environment. The basic operator workplace is
formed by four VDUs, each one with a mouse and
keyboard. An overview display, based on direct beam
 Author's personal copy

276 P.V.R. Carvalho et al. / Displays 29 (2008) 273–284

Process and Operation HF experiments Evaluation

PWR OPERATOR’S Human Data base

COMPACT VDUs Factors - Events
SIMULATOR Overview measures - Audio/Vídeo Analysis tools
Controls - Eyetracking

HUMAN SYSTEM
0 DLQ & RQWINTERFACE
URO5 RRP - HSI
Experimenter Gallery

+ 6, - Scenarios Experimental
- Operator VDUs - Configuration Results
- Overview displays - Observation
- Alarm displays - Control
- COSS

Text objectives Experiments

Fig. 2. LABIHS functional description.

projector, is also provided in the control room. A graphical – Chemical and Volumetric Control System.
user interface design tool (GUI) for HSI design is also – Feedwater System.
available for development and testing of different types of – Main Steam System.
interfaces. The Instructor Station complements the LABI- – Auxiliary Feedwater System.
HS architecture. The instructor station system uses a win- – Turbine and Condensers.
dow-based multitasking menu-driven interface to provide – Residual Heat Removal System.
real time data and commands related to the simulated envi- – Instrumentation and Power Control Systems.
ronment. Using the instruction station event scenarios can – Reactor Regulating System.
be simulated, including (small) loss of coolant accidents, – Reactivity Control System.
total loss of electrical supply, steam generator tube rupture – Emergency Core Cooling System.
and reactivity accidents. Fig. 3 presents the basic LABIHS – Containment System.
architecture. – Reactor Protection System.
The simulator covers all operation modes or plant
states, such as start-up, full power or steady state opera- Each one of the systems above was designed to be dis-
tion, cold shutdown and hot shutdown. The plant systems played in the LABIHS HSI using the Goal Tree-Success
simulated are: Tree (GTST) method [15] that was originally developed
to model deep knowledge about complex industrial sys-
– Reactor Vessel and Control Rods. tems, particularly for the matter of fault diagnosis. In order
– Reactor Coolant System. to design the HSI displays using GTST, the goals and the

Fig. 3. LABIHS architecture.

 Author's personal copy
P.V.R. Carvalho et al. / Displays 29 (2008) 273–284
Fig. 4. Function based display model using GTST.
functions of the each system are represented by the goal
tree part of the resulting model, and the physical structure
and the relationships among variables are treated by the
successive part of the model and presented as display pages
(Fig. 4). In order to maintain the similarity with the plant
under study, the basic design requirement was to keep
the automation level in the new digital interface exactly
the same as it was in the original interface (the plant HSI).
3.1. Performance evaluation methodology
Cognitive task analysis (CTA) based on field studies
(observation, interviews, scenario evaluation) is the meth-
odological framework used to evaluate the performance
in the LABIHS HSI. During 30 h of observations, we
observed how the operators interacted with the simulated
PWR in various modes of operation. We paid particular
attention to the tasks dictated by the procedure manual
and to the operators’ actual activity. We searched for par-
ticular deficiencies in the support of operator response to
Fig. 5. LABIHS control room.
277
abnormal system states, then we redesigned the operator
interface to improve upon the graphical layout of the infor-
mation, the navigation across screens, the alarm presenta-
tion, acknowledgement and response, and to integrate
these with computer-based procedures that dynamically
correspond with real-time system information. Compre-
hensive debriefing interviews with the operators and super-
visor were carried out to validate the findings.
Participants. One operator crew participated in this
research under different operating conditions: start up,
planned shutdown and in postulated accidents. The LABI-
HS control room operating crew is composed of only three
operators (different from the reference plant that has five
operators) – the Shift Supervisor, Reactor Operator (RO)
and the Secondary Circuit Operator (SCO). The panel
operator that exists in the reference plant because of the
bigger size of analog control panel, and Foreman responsi-
ble for administrative tasks are represented in the simulator
crew. The Shift Supervisor has a deep background in
nuclear engineering (D. Sc.), participated in the LABIHS’s
HSI design and has extensive experience in the simulator
operation. The RO and SCO are instrumentation techni-
cians who have been trained in LABIHS operation for
2 years before this study but have no previous experience
in the reference plant operation.
Observation procedure. The LABIHS is equipped with a
ceiling-mounted camera which captures the majority of the
room, including the two operators’ stations and the main
presentations screen (Fig. 5). For this study, we also placed
a tripod-mounted Mini-DV camcorder to record whichever
operator would be likely to have the most active role. We
also occasionally employed a hand-held digital camera to
film particular details of interest that were not sufficiently
captured by the other two cameras.
The research team, with three analysts, was divided to
pair up with the employees of the simulator. One analyst
 Author's personal copy
278 P.V.R. Carvalho et al. / Displays 29 (2008) 273–284
accompanied the primary operator; the second accompa-
nied the secondary operator; and the third accompanied
the simulator supervisor. However, in many of the cases,
the operators conducted the simulations without the
supervisor present. In these cases, one analyst observed
the overall proceeding and attempted to capture the com-
munications and interactions between the two operators.
The operation of a nuclear power plant falls under four
basic phases: startup, normal operation, shutdown and
incidents/trips (unplanned automatic shutdown)/accidents.
Although important events occur in all modes of opera-
tions, we focused on periods of higher activity. After dis-
cussion with the operators, we learned that startup
induces the most activity, providing the best opportunity
to build familiarity with the system. The startup phase
can be further sub-divided into four steps. Although these
steps are not an inherent part of the physical system, they
are clearly present in the minds of the operators and are
reflected in the procedures, and thus constitute an impor-
tant cognitive division of the system as a whole:
1. Cold Shutdown to Hot Shutdown.
2. Hot Shutdown to Hot Standby.
3. Hot Standby to 2% Power (‘‘Plant Startup’’).
4. Operations greater than 2% Power.
After observing startup simulations, we then observed
several simulated incidents and accidents. During the
startup phase observations, we encouraged the operators
to verbalize their goals, actions and concerns to improve
our understanding of the technical system. However, dur-
ing the simulated accidents, we tried not to interfere with
the operators so as to elicit true response behavior. During
the simulated accidents, the supervisor and two senior
LABIHS researchers were also present. This led the opera-
tors,to justify their actions verbally after the scenario was
completed. We did not study the shutdown phase in depth,
due to time limitations and its similarity to startup.
Heuristic and scenario-based evaluation. Based on the
observations results, we evaluated the original LABIHS dis-
plays using heuristic techniques, [17]. The heuristic
evaluation focused on evaluating the graphic designs, usabil-
ity and consistency of the existing displays and the navigation
among screens. We also noted the use of non-computer-based
information (e.g., paper procedures). The goal of the analysis
was to determine whether the current tools supported opera-
tor tasks as observed. The new displays, developed after the
study recommendations, were preliminary evaluated using
a scenario-based performance comparison, using the original
design as a performance benchmark.
4. Results
4.1. Graphic design evaluation
Fig. 6 shows a typical control screen for one subsystem of
the plant, in this case, the Chemical and Volume Control Sys-
Fig. 6. CVCS Simulator Interface Screen.
tem (CVCS). Multiple objects with bright, contrasting colors
compete for the operator’s attention on the cluttered screen.
In many places in the interface, red is associated with a state
of alarm or failure. However, this association is undermined
by the red color of some valves, pumps, and indicators which
are operating normally (red means valve closed; the same
color pattern used in the reference plant). Additionally, the
red components are highly salient, even when the compo-
nents do not require operator’s attention.
Excessive labels contribute to clutter. For example, the
blue R. . . C. . . P. . . (RCP) Seal information box displays
the same variables for each of the three RCP seals, but uses
nine labels – one for each variable display field. It increases
the visual distance between readouts, making comparisons
of the values more difficult.
The high salience of the large pump icons detracts from
the operator’s ability to perceive other elements on the
screen. They are not frequently manipulated and they only
display two pump states (on and off).
The sharp contrast between the white lines representing
the pipes which connect system elements and the black back-
ground contributes to the clutter of the screen without pro-
viding much information. The lack of distinction between
pipes with and without flow does not contribute to the prin-
ciple of pictorial realism, i.e., that a visual representation
should accurately symbolize the entity it is intended to repre-
sent [3]. To determine the path of coolant, operators must
trace the white line pumps through which the line passes to
ensure that all are open or on, respectively.
The white-on-black color scheme is also used for pump
and valve labels, as well as the system variable values. The
similarity in color detracts from the salience of these labels
and values. While the on/off color distinction is clear, there
is no redundant indicator of a valve’s state, nor does the
interface support the synthesis of individual valve states
into an overall depiction of flow; each valve must be
independently analyzed, increasing the operator’s cognitive
load.
 Author's personal copy
P.V.R. Carvalho et al. / Displays 29 (2008) 273–284
Label legibility is poor due to all-capital text. This also
increases label’s space requirement without providing addi-
tional information.
Also, the shine used to produce the 3D graphical effects
for the tanks and reactor core decreases contrast and
reduces legibility for the white labels that overlay these
graphics.
4.2. Alarm system evaluation
When an abnormal state of a variable occurs, the simu-
lator initiates an audible alarm, as well as a flashing red
‘‘Alarm Set’’ indicator at the top right corner of the screen
(Fig. 7). This arrangement reproduces in the simulator the
main alarm annunciation tiles used in the reference plant.
The alarms are located on two separate alarm screens.
They are arranged as tiles in a grid where active alarms
are indicated by a flashing red tile. The existing system does
not support quick alarm identification. The alarm set indi-
cator does not provide any detailed information about the
nature of the alarm which is sounding (the same situation
that occurs in the actual plant). The operator must always
navigate to both alarm screens to determine which alarms
were activated. Additionally, the grid arrangement has no
apparent organization or order. Related alarms are not
grouped on the screen nor are alarms divided logically
across the two alarm screens. Finally, all alarms are dis-
played identically, making it difficult to distinguish between
alarms on the basis of severity and importance. All alarms
are annunciated by the same sound.
4.3. Procedure evaluation
Procedures guide the operators as they face unfamiliar
situations. The simulator uses hardcopy procedure manu-
als in the form of one-dimensional checklists and step-by-
step guides. Non-compliance with procedures was observed
Fig. 7. Alarm screen.
279
frequently. Operators often improvised around the formal
procedures to achieve their system goals, which in some
cases can enhance system safety [26]. We observed one
operator consistently using a hand-written sheet to aid
him through various procedures. The procedures are often
constraint-based, requiring the operator to maintain multi-
ple system variables within a specified range. The current
interface does not support this task. Instead, it relies on
the operator’s cognitive ability to monitor system variables
and recall acceptable ranges which change frequently dur-
ing operation. For example, one procedure requires the
operator to locate two variables, manually (or mentally)
calculate the difference, and judge whether the difference
exceeds a safe upper bound which depends on the current
mode of operation. Finally, the layout of data in the simu-
lator is inadequate for perceiving and comparing the rate at
which a variable of interest is arriving at its limit.
4.4. Study limitations
The study was conducted on a compact simulator used
to investigate HSI design possibilities. While the simulator
does simulate all major NPP subsystems, it lacks some
details which may affect operations in the actual plant envi-
ronment; therefore, operator actions will differ from
actions in the reference plant, even when using a digital
HSI. In an actual plant situation, there are many interac-
tions with the physical system, operators on the floor,
maintenance, the chemical department, management and
other stakeholders who are not represented in the simula-
tor at this stage. Many operations were observed without
the presence of the supervisor, leaving only two operators
due to staffing constraints; however, because the supervisor
is largely responsible for managing the complexity of the
above-mentioned components which are not modeled in
the simulator, his absence was not detrimental to the oper-
ations, his strictly operational roles were carried out by the
two operators.
5. Recommendations for a new HSI prototype
The redesigned interface is based on the deficiencies
noted in the previous section. They include improved aes-
thetics and mock-up designs of new functionality. While
we have not coded the components into the simulator soft-
ware, we do not expect significant compatibility problems.
The components consist of borders, text boxes and colors –
all of which are supported by the simulator’s graphics
builder software. The component functionality is also
expected to be compatible, as it largely mimics functions
(such as linking, highlighting and displaying real-time sys-
tem variable values) observed in the original simulator.
5.1. Graphic design improvements
We propose several changes to the schematic-based con-
trol screens (for an example, see Fig. 8). These aim to
 Author's personal copy
280 P.V.R. Carvalho et al. / Displays 29 (2008) 273–284
Fig. 8. Improved Simulator Interface Screen (CVCS) with CFL alarm.
improve operator situational awareness, and reduce the
likelihood of human error. We remedied the overload of
red icons by updating the valve and pump color scheme.
Grey is used to reduce salience of closed valves and pumps
which are off. Redundant coding is provided by rotating
closed valves perpendicular to the pipe, while open valves
remain parallel. The size of the pump icons is reduced.
While still easy to locate, the off pumps and closed valves
do not attract unnecessary attention from a broad over-
view. The frequently manipulated variable flow valves
remain unchanged, providing distinction that helps the
operator to quickly locate them. We also simplified the
controls for the green ‘‘Makeup Mode’’ control box in
the center of the screen. The circular indicators now serve
as buttons as well as indicators, obviating the need for
the grey buttons. Also, now only the indicator showing
the current mode is lit green. The other indicators which
were previously red are toned down to black, so that they
do not distract the operator. The RCP seal information
box has also been simplified to bring the variable displays
into closer visual proximity, and excessive labels have been
removed to decrease clutter. The pipes have been re-col-
ored to decrease the salience of pipes which with no coolant
flow and to emphasize the pipes with flow. Pipes with cool-
ant flow are bolded and shaded the same color green as the
switched-on pumps and open valves. As a result, the emer-
gent feature is a green circuit where there is flow of reactor
coolant. The pipes with no flow have been subdued from
white to grey so that they will not interfere with the reading
of labels and variables.
Issues with the legibility of labels were addressed by
using mixed-case fonts which use less space and provide
redundant coding of written information: the shape of
the words provides another cue for recognition, aside from
the sequence of the letters. To further aid legibility, the 3D
graphical tanks, pressurizer, and reactor core were replaced
with simpler, flat representations. This allows for increased
legibility of the labels, as well as the inclusion of a graphical
indicator for the fluid level in the Volume Control Tank
(VCT), Pressurizer (Prz) and Reactor Core. The graphical
indicator does not require much visual space on the screen,
and provides the operator with redundant information on
the fluid level of the component. Understanding the con-
text of a reactor core coolant level of 6.5 m, for example,
is aided by the blue bar showing the level of fluid relative
to full (top) and empty (bottom) states.
5.2. Alarm system improvements
The prototype includes an extensive revision of the ori-
ginal alarm system. The major changes are captured in the
revised alarm screen (Fig. 9). The alarms have been divided
into two panels, distinguishing reactor and turbine trip
alarms from all others. Within each panel the alarms are
organized by the location of their activator in the system.
For example, the charging flow indicator is located on
the CVCS screen and hence, on the alarm screen, it is under
the CVCS column heading. Each alarm tile is a dynamic
interface component. This reduces the required number
of alarm tiles, allowing all of them to fit on one screen.
Instead of a button each for pressurizer pressure high
and pressurizer pressure low, the redesign simply uses pres-
surizer pressure. Depending on the alarm (high or low), the
alarm tile displays the appropriate text. Each sounding
alarm tile also keeps track of how many seconds since
the alarm was set off using a small counter in the upper-left
corner of the tile. The trend graphs on the alarm screen
saves time and provides better diagnostic information.
The acknowledging system has also been improved to
allow single-alarm acknowledgement (by clicking on a
sounding alarm tile) while retaining the ‘‘ACK’’ button
to acknowledge all alarms.
Each alarm tile acts as a link; clicking the sounding
alarm tile navigates to the appropriate screen. On the rele-
vant screen, a red box flashes several times, drawing atten-
tion to the area triggering the alarm (Fig. 8). Additionally,
the alarms relating to the current screen are displayed in
chronological order of occurrence as tiles to the right of
the schematic diagram. Clicking on these tiles flashes the
red box several times box around the area of concern.
The navigation buttons have been revised to provide easier
access to all the operations screens. While the system is in
an alarm state, the related navigation buttons at the bot-
tom of the screen are displayed in red, effectively doubling
as an alarm overview. Clicking on the red alarm button
navigates to the alarm screen (Fig. 9).
5.3. Procedure and emergency guidance improvements
Due to strict procedural adherence requirements,
instead of requiring decision support, operators often ben-
efit from tools that reduce errors of omission. The Proce-
dure Guidance Component (PGC) supports operator’s
process control effectiveness, by converting the procedure
manual into an online, navigable guide (Fig. 10). Clicking
 Author's personal copy

P.V.R. Carvalho et al. / Displays 29 (2008) 273–284 281

Fig. 9. The revised alarm screen.

right. The operator may scroll up or down through the flow

4.0 Procedures
diagram and response instructions using the click and drag
4.1 Continue RCS heat… DESCRIPTION technique common to document viewer applications. The
4.6 When RCS pressure is above 140 continuity provided through the scrolling feature obviates
4.2 Increase RCS pres… kg/cm2, ensure the following:
the need for page turning, which takes time and artificially
4.3 If any RCP’s have b… 4.6.1 Verify pressurizer permissive divides what, in reality, is a continuous process. The logic
P-11 status light off. OK that runs the simulator can be used to support the EGC.
4.4 The letdown flow… 4.6.2 Verify pressurizer SI and
steam line pressure SI are Because some decision nodes are based on system vari-
4.5 When RCS pressu… unblocked on trip status panel. ables, the system can often suggest an appropriate decision
OK
4.6 When RCS pressu… 4.6.3 Verify PORV block clears when
based on the current system state. The system’s suggestion
RCS pressure goew above is displayed in a green box to the right of the flow diagram
4.7 Place the auxiliary… 153.6 kg/cm2. VERIFY and above the response instructions. It includes the sug-
4.8 Align the steam du… gested action and the rationale for proposing it. In addi-
tion, the operator can trace the decision path because the
4.9 Continue heatup u… RELEVANT VARIABLES AND LINKS
system fades the paths which have not been taken to a neu-
4.10 Verify minimum sh… Link to RCS screen tral grey, leaving a bold black decision path. Digitizing the
Current RCS pressure 144 kg/cm2 emergency procedures enables the implementation of addi-
4.11 Verify the following…
tional support features. The response instructions often
4.12 Review to ensure… involve ‘‘if-then’’ statements. For example, if the pressur-
izer level reaches 8 m, then open valves X and Y. Because
Fig. 10. Procedure Guidance Component. the simulator knows system variable values, it can guide
‘‘if-then’’ decision-making by placing a red box around
on any procedure in the left column produces a detailed ‘‘then’’ actions when the ‘‘if’’ conditional is met. The Pro-
text description of the procedure. It also reports relevant cedure and System Overview (PSO) screen was created to
system statistics and links to useful screens elsewhere in display the PGC and the EGC (Fig. 11). The operator
the simulator. This tool adds interactivity to what was pre- may tab between the PGC and the EGC, which reduces
viously only a hardcopy procedure manual. short-term memory requirements when compared to hard-
The second component, the Emergency Guidance Com- copy procedures. On the right side of the PSO, graphical
ponent (EGC), is used during emergencies in which the representations of relevant variables are displayed. These
root problem is unknown. The EGC is a reworking of are dictated by the current procedure. For example, during
the Strategic Manual Operations flow diagrams provided a Loss of Coolant Accident (LOCA) the system will keep
by LABIHS (for example, see Fig. 11). Clicking on event track of main system pressure, pressurizer pressure, and
objects on the left provides response instructions on the so forth. In addition to providing support during emergen-
 Author's personal copy
282 P.V.R. Carvalho et al. / Displays 29 (2008) 273–284
Fig. 11. Procedure and System Overview screen displaying the EGC.
cies, it aids accident prevention by supporting operator
awareness. In the hardcopy procedures, decision nodes
do not have any response instructions because they are
implicitly ‘‘if-then’’ nodes. The digital version shows these
‘‘if-then’’ relationships efficiently by displaying them in the
response instructions panel. The response instructions of
action nodes include ‘‘if-then’’ relationships as well. Some
‘‘if’’ statements refer to the system state (e.g., if valve X
is open) while others ask the operator to wait for a variable
to reach a set point before taking action. Unlike the hard-
copy version, the new system displays these variables prox-
imally and outlines in red the response instructions when
the ‘‘if’’ conditions are met [7].
5.4. Scenario evaluation of new prototype
The prototype has not yet been implemented, so sce-
nario-based evaluation was used. To gauge performance,
we evaluated the design using two representative scenarios.
The LABIHS interface design provided the performance
benchmark.
Stuck Valve Incident Scenario. The first scenario is a
hypothetical incident involving a stuck valve with a mal-
functioning indicator in the interface. In this scenario, the
FV122 valve is in automatic mode and closed (correctly)
due to high pressure in the pressurizer. When the pressur-
izer pressure drops, the FV122 valve is supposed to reopen.
However, the valve is stuck closed. The interface (due to a
glitch) incorrectly displays it as open. The initial symptom
of this issue is the sounding of the Charging Flow Low
(CFL) alarm. In the original design, when the alarm sounds
one or both operators navigate to both of the alarm
screens, noting the CFL alarm. One operator must then
use the main menu to navigate to the CVCS screen to
diagnose the problem. Seeing FV122 ‘‘open’’ and automatic,
the operator may check FV616 and the charging pumps.
Seeing these open and on, respectively, the operator may
check the Volume Control Tank (waiting to see up or down
movement). At this point the operator may request field
verification of the computer readings. This would identify
that FV122 is closed, contrary to the interface display.
In the redesigned interface, only the reactor operator
goes to the alarm screen because the alarm bar shows that
the problem is in the CVCS screen, which is the reactor
operator’s responsibility. With only one alarm screen,
one click allows the operator to observe the CFL alarm.
The alarm arrangement and tile timer informs the operator
which screens to go to and how long the alarm has been
sounding. The trends on the alarm screen give a graphical
representation of the magnitude of the problem, whether it
is likely to become worse, and, if so, at what rate. With just
these trends, the operator may begin to hypothesize the
root problem even before navigating to the CVCS screen.
For example, the Volume Control Tank graph displaying
a downward trend coupled with the low charging flow
could indicate a leak on the outflow side, whereas an
upward trend could indicate a closed valve on outflow side.
At this point the operator navigates to the CVCS screen to
diagnose the problem. The operator can go to the CVCS
screen by clicking on the blinking alarm instead of having
to use the main menu. Upon arrival, the flashing red box
will direct the operator’s attention to the alarm’s trigger,
in this case the charging flow indicator. Depending on
the simulator logic, the grey colored piping may show that
flow is not going through FV122, pin-pointing the root
problem.
Loss of Coolant Accident Scenario. A loss of coolant
accident (LOCA) occurs when there is a pipe rupture in
 Author's personal copy
P.V.R. Carvalho et al. / Displays 29 (2008) 273–284
the Reactor Coolant System (RCS). This causes the reactor
to trip (shutting down power production) automatically.
The operators are tasked with bringing the system under
control by following a LOCA flow diagram procedure. Cur-
rently this diagram is available in hardcopy and portable
document format. The format requires the operator to shuf-
fle among various pages. The flow diagrams and the
response instructions are located on separate pages, either
requiring the operator to flip back and forth at least once
per node or to take up desk space by laying them side by
side. The standard hardcopy procedures are bound, there-
fore requiring the flip method. Given a mediumbreak LOCA,
to get to step 12 of the diagram requires at least 4 flips
between the diagram pages and the response pages and
viewing 23 pages (2 diagram pages and 21 response pages).
The redesign addresses this issue by putting the flow dia-
gram and the currently selected node’s response instruc-
tions. The redesign requires no page turns, and since it is
linked to the alarm system, the operator does not have to
search for the appropriate binder or page number.
5.5. Extensions
Further testing is required to validate the claimed bene-
fits of the redesign. This would entail implementing the
prototype into the simulator for testing in multiple scenario
simulations. In some sessions, the original design with
hardcopy procedures would be used, providing a perfor-
mance benchmark. Our design strategy must ultimately
be tested in an actual nuclear power plant interface. This
would be a substantially more complex problem due to
added variables not represented in the compact simulator.
6. Conclusions
The human factors/ergonomics requirements for com-
plex industrial system design, evaluation and validation
should be applied in the design process in which the system
is produced, and in the system itself. In this research we inves-
tigate a part of the produced system (the human system inter-
face – HSI) in order to validate the design solutions taken
during the design phase. The methodology used was based
on field studies and observations of the operators’ perfor-
mance in the LABIHS simulators. Performance evaluations
based methods can be used considering the fact that the
appropriateness of a given system expresses itself in the qual-
ity of the overall performance of the system is assessed.
Normally, performance evaluation is something that is
carried out towards the end of a given design process.
The LABIHS facility aims to conduct the performance
evaluation sooner in the design process. A specific goal of
LABIHS is to enable the evaluation of system performance
as early as possible. Considering that the reference plant
I&C has not started yet this objective is already achieved
in this research.
Even considering that is very difficult to say when the
performance of the joint cognitive system is at an
283
acceptable level, our evaluation has shown some improve-
ment possibilities in the HSI original design. Some of them
are related to basic ergonomic design principles like:
• displays with information that are difficult to read (inad-
equate font sizes and formats, color contrast etc.);
• cluttered or overloaded displays with many numeric
information – graphic information would be better;
• inadequate icons size considering their function;
• confusing and unstructured presentation of displays
with set points and actual parameter values, leaving
the task of searching and detecting such deviations to
the operator, instead of directly showing deviations of
actual values from set points;
• static information presentation where a presentation of
past dynamics (e.g. trends) and future developments of
process parameters (prediction) would be required for
an effective task performance;
• mix of different media to present operational informa-
tion – digital displays and paper procedures – requiring
different cognitive resources to cope with.
As expected the performance evaluation has shown
that the design solutions used (alarm systems, proce-
dures, graphic displays) actually have an affect on the
usage. Considering that, we claim that the design solu-
tions should be made considering the appropriate use
of the system, emphasizing that work practices in com-
plex industrial settings should not be based on the notion
of human as the weakest link in the system and in apply-
ing the left over principle. We need systems that support
actions of human operators, and their ability to adapt
and adjust to novel situations. To do so, systems must
be designed considering that the user, and the usage of
the system need to be taken account of in all the phases
of the design process, from the design of process technol-
ogy to the design of user interfaces, in a user-centered or
activity based design process.
Acknowledgements
The authors gratefully acknowledge the support of
National Advice of Scientific and Technological Develop-
ment (CNPq – Conselho Nacional de Desenvolvimento
Cientı́fico e Tecnológico) and CAPES/FIPSE. The research
was performed at Instrumentation and Human Reliability
Division of the Nuclear Engineering Institute, Brazil
(DICH/IEN).
References
[1] ANSI/ANS 58.8, Time Response Design Criteria for Safety-Related
Operator Actions, US, American Nuclear Society, 1994.
[2] L. Bainbridge, Ironies of Automation, in: J. Rasmussen, K. Duncan,
J. Leplat (Eds.), New Technology and Human Error, John Wiley&
Sons, Chichester, 1987.
[3] D. Besnard, D. Greathead, A cognitive approach to safe violations,
Cognitive Technology Work 5 (2003) 272–282.
 Author's personal copy
284 P.V.R. Carvalho et al. / Displays 29 (2008) 273–284
[4] P.V.R. Carvalho, M. Vidal, I.L. Santos, Safety implications of some
cultural and cognitive issues in nuclear power plant operation,
Applied Ergonomics 37 (2) (2006) 211–223.
[5] M.R. Endsley, Toward a theory of situation awareness in dynamic
systems, Human Factors (1995) 3732–3764.
[6] M.R. Endsley, D.J. Garland (Eds.), Situation awareness, Analysis
and Measurement, Lawrence Erlbaum, Mahwah, New Jersey, 2000.
[7] S. Guerlain, P. Bullemer, Critiquing team procedure execution, in:
Proceedings of the IEA/HFES 2000 Congress, 2000.
[8] S. Guerlain, Navigating software systems, in: G. Allen (Ed.), Applied
Spatial Cognition, Lawrence Erlbaum Associates, Mahwah, NJ, 2007.
[9] P. Hancock, M. Chignell, On human factors, in: J. Flach, P.
Hancock, J. Caird, K.J. Vicente (Eds.), Global Perspectives on the
Ecology of Human–Machine Systems, Lawrence Erlbaum Associates,
Hillsdale, NJ, 1995, pp. 14–53.
[10] HSE (Health and Safety Executive) (Eds.), The explosion at the
Texaco Refinery, Milford Haven, 24 July 1994, A report of the
investigation by the Health and Safety Executive into the explosion
on the Pembroke Cracking Company Plant at the Texaco Refinery,
Milford Haven on 24 July 1994, HSE Books, London, 1997.
[11] IAEA-TECDOC-995, Selection, specification, design and use of
various nuclear power plant training simulator, Viena, International
Atomic Energy Agency, 1998.
[12] Y. Jung, Y. Shin, I. Park, An incremental objective achievement
model in computerized procedure execution, Reliability Engineering
and System Safety 70 (2) (2000).
[13] G. Lapinsky, Lessons learned from the special inspection program for
emergency operation procedures NUREG-1358, US, Nuclear Regu-
latory Commission, 1988.
[14] M.H. Lipner, S.P. Kerch, Operational benefits of an advanced
computerized procedures system, IEEE, US, 1995.
[15] M. Modarres, Functional Modeling for Integration of Human–
Software–Hardware in Complex Physical Systems, 4th Functional
Modeling Workshop, Athens, June 1996.
[16] F. Nachreiner, P. Nickel, I. Meyer, Human factors in process control
systems: the design of human–machine interfaces, Safety Science 44
(2006) 5–26.
[17] J. Nielsen, Usability Engineering, Academic Press, Boston, 1993.
[18] Y. Niwa, E. Hollnagel, M. Green, Guidelines for computerized
presentation of emergency operating procedures, Nuclear Engineering
and Design (1996) 167.
View publication stats
[19] D.A. Norman, The ‘problem’ with automation: inappropriate
feedback and interaction, not ‘overautomation’, in: D.E. Broad-
bent, A. Baddeley, J.J. Reason (Eds.), Human Factors in Hazard-
ous Situations, Clarendon Press, Oxford, England, 1990, pp.
569–576.
[20] J. O’Hara, Overview of different types of control rooms and their
human system interface solutions, Presented at International Summer
School on Design and Evaluation of Human System Interfaces,
Halden, Norway, 3/1–28, 2003.
[21] D. Pirus, Human–system interfaces, Types and principles. Presented
at International sum-mer school on Design and Evaluation of
Human–System Interfaces, Halden, 9/1–69, 2003.
[22] R. Parasuraman, T.B. Sheridan, C.D. Wickens, A model for types
and levels of human interaction with automation, IEEE Transactions
on Systems, Man, and Cybernetics. Part A: Systems and Humans 30
(2000) 286–297.
[23] L. Reynes, G.A. Beltranda, Computerized control room to improve
nuclear power plant operation and safety, Nuclear Safety 31 (4)
(1990).
[24] T.B. Sheridan, Humans and automationSystem Design and Research
Issues, Wiley/HFES, Santa Monica, 2002.
[25] K. Vicente, R. Mumaw, E. Roth, Cognitive Functioning of Control
Room Operators – Final Phase, AECB 96-175, Atomic Energy
Canadian Bureau, Ottawa, Ontario, Canada, 1997.
[26] D. Woods, Cognitive demands and activities in dynamic fault
management: abductive reasoning and disturbance management, in:
N. Stanton (Ed.), Human Factors in Alarm Design, Taylor &
Francis, London, 1994, pp. 63–92.
[27] D. Woods, Toward a theoretical base for representation design in the
computer medium: ecological perception and aiding human cogni-
tion, in: J. Flach, P. Hancock, J. Caird, K.J. Vicente (Eds.), Global
Perspectives on the Ecology of Human–Machine Systems, Lawrence
Erlbaum, Hillsdale, NJ, 1995, pp. 157–188.
[28] D. Woods, The alarm problem and direct attention in dynamic fault
management, Ergonomics 38 (11) (1995) 2371–2393.
[29] D. Woods, Decomposing automation: apparent simplicity, real
complexity, in: R. Parasuraman, M. Mouloua (Eds.), Automation
and Human Performance: Theory and Applications, LEA, Mahwah,
1996, pp. 1–17.
[30] S. Zuboff, In the Age of the Smart Machine, Basic Books, New York,
1988.