There are two major aspects of control room design that should be taken into account in the Safety Report these are:
- the suitability of the structure of the control room to withstand possible major hazards events; and
- the layout of control rooms and the arrangement of panels, VDUs etc to ensure effective ergonomic operation of the plant in normal circumstances and in an emergency.
Control room structure
For large plants, control rooms are likely to be situated in separate buildings away from the process plant which they serve. For medium or small plants control rooms may be within the plant building or control panels may be located local to the plant. Whatever the location, control rooms should be designed to ensure that the risks to the occupants of the control room are within acceptable limits and that it is suitable for the purposes of maintaining plant control, should the emergency response plan require it, following any foreseeable, undesirable event within the plant.
Events that may affect the control room are:
- Vapour Cloud Explosions (VCEs)
- Boiling Liquid Expanding Vapour Explosions (BLEVEs)
- Pressure bursts
- Exothermic reactions
- Toxic gas releases
- Fires, including pool fires, jet fires, flash fires and fire balls.
The threat from explosions and pressure bursts should be considered in the structural design of control building. A methodology for this is presented in the recent CIA/CISHEC guidance CIA Guidance for the location and design of occupied building on chemical manufacturing sites. This considers the vulnerability of the building to possible overpressures associated with particular events. Buildings should be designed to withstand an overpressure that will ensure that risks to individuals within the building are below acceptable limits. Particular attention should be given to the provision of windows, the presence of heavy equipment on roofs (e.g. air conditioners) and the ability of internal fixtures to withstand the building shaking. If windows are present, consideration should be given to the use of laminated or polycarbonate glass, to prevent serious injury to occupiers of the control room in the event of an overpressure. ALARP principles should be applied in these considerations and cost benefit used to determine if additional measures should be applied.
In consideration of toxic gas releases the control room should provide a safe haven for its occupants. This will include arranging that the building is adequately sealed to prevent ingress of gases to levels of concentration that will affect the health and thereby the ability of the operators to maintain control of the plant. Careful consideration of the building ventilation system is required to ensure that air intakes are situated away from areas that may be affected or to arrange that there is no air intake during an incident, preferably by closure of an automatic valve linked to a gas analyser.
Measures for protection from fires should ensure the control room will withstand thermal radiation effects without collapse and that smoke ingress is controlled. Materials of construction should be fire resistant for the duration of any possible fire event. Smoke ingress may be controlled in a similar manner to toxic gas ingress.
Each of these methodologies should be applied to control rooms within buildings as well as separate control buildings. Control panels on the plant itself cannot be so easily be protected, therefore diversity and redundancy should be applied to ensure that plant control can be maintained in an emergency. Risk Assessments should be undertaken to demonstrate that primary and secondary (domino) risks are within acceptable limits.
Operators should be able to demonstrate that appropriate human factors considerations have been given to the design, commissioning, and operation of control rooms under both normal and abnormal plant operating conditions to reduce the frequency of human error due to control room deficiencies.
It is vitally important that a control room and its operators are considered as a whole system and not in isolation of each other. For example a well designed control room for use by 4 operators is dangerous when staffed by 3 operators. Similarly, the best-trained operators cannot guarantee high reliability in a poorly designed control room.
Factors to be taken in account are included on the following paragraphs.
- Control room dimensions should take into account the 5th and 95th percentile user.
- The design of the control room should be derived from an appropriate task analysis method, such as link analysis or hierarchical task analysis.
- Emergency exits should accommodate egress by the 99th percentile user.
- Access and egress should be considered for disabled operators.
- Adequate access should be provided throughout the control room. However, the layout should discourage flow from general circulation areas to ensure that necessary lines of sight are not obscured.
- If there are a number of control rooms operating on the same system they should adopt similar layouts to ensure consistency.
- Operational links between control room operators, such as communications and lines of site should be considered during the design stage.
- The layout should not hinder verbal and non-verbal communication and should facilitate team working.
- The layout of the control room should reflect the allocation of responsibility and the requirements for supervision.
- The layout should be effective under high and low staffing levels.
- Circulation of all personal should be achieved with the minimum of disruption to operators.
- Where supervisory positions will increase the amount of personnel circulation, it is recommended that these positions are located close to main entrances.
- Distances between workstations should mean that operators are not sitting within each other’s ‘intimate zones’. As a guide the minimum spacing distance should be between 300 – 700 mm.
- Adequate access should be provided so that inadvertent operation of equipment during maintenance is not possible.
- Behind panel equipment should be appropriately coded to reduce the potential for human error.
- Temperature and airflow should be adjustable. As a guide, ‘comfortable’ temperature for office work should be between 18.3°C and 20.0°C with airflow between 0.11 and 0.15 m/s.
Lighting should be such that it does not create veiling reflections on VDUs or other reflective surfaces that require monitoring.
The type of lighting should be adequate for the task. i.e. for office work a lux (lux is the unit of illuminance – measured using a light meter at the work surface) figure of between 500 – 800 is suggested.
There should be no perceptible flicker from strip lighting.
It is desirable to provide adjustable lighting for control rooms that are manned 24 hours a day. During night-time operation lighting is often dimmed.
Windows in control rooms should not cause veiling reflections on reflective surfaces. Adequate means of blocking out direct sunlight should be provided.
The average noise level within the control room shall not exceed 85 dB(A) during the length of the working day.
For office work a noise level below 40 dB(A) is not desirable as it can cause interference between operators.
Prolonged, very low or very high frequency noises should be avoided.
Noise levels should not interfere with communications, warning signals, mental performance (i.e. be distracting).
Man Machine Interface (MMI)
For mental workload, conditions of over and under-arousal should be avoided. The duration of tasks that have an associated low or high level of mental workload should be limited. Both these extremes will increase the likelihood of human error affecting the system. The design of the MMI should be based on a full Task Analysis.
An interface should provide the operator with the general following information:
- After initiating an action within a system the operator should be clearly informed of the result of their action.
- If there is a delay in the system that prevents the operator from being informed of the result of his/her action, the system should inform the operator of this fact.
- If an action is made in error then it should be possible to reverse such an action where it would not be detrimental to plant safety to do so.
- The system should inform the operator of any deviations from safe operating levels.
- All employees and contractors on site should know what each alarm means and what the required response is, if the cause of the alarm has the potential to affect them.
- An alarm should reset automatically if the fault that generated it is rectified.
- Alarm messages should be presented in a standard format, based upon existing conventions.
- Alarm messages should clearly inform the operator of the reason for the alarm.
- Following an alarm response required by the operator should be clear.
- The coding of alarms should not be based purely on colour, as colour blind operators will be unable to recognise what the alarm indicates.
- Alarm signals should be at least 10 dB(A) over the background noise of the control room.
- Alarms should not prevent effective communication within the control room.
- An alarm log should be provided to for diagnostic purposes.
- The design of the alarm system should prevent masking and flooding of alarms. Masking is where one alarm noise masks a similar sounding alarm preventing the operator from detecting the signal. Flooding happens when a system alarms which has a ‘knock on’ effect on other related systems, the result of which is the triggering of myriad other alarms – flooding the control room with sound.
- Coding should follow international conventions. Arbitrary coding by operators can actually propagate, rather than mitigate, human error if not carried out correctly.
- Coding should be consistent across plant.
- Coding should be used appropriately.
- Example methods of coding are:
- Inverse video/highlighting
- Sound frequency
- Sound type
- Shape 2D/3D
- Coding should be used redundantly where colour is one of the coding methods.
- The language used should always be capable of being easily understood by the operator.
- Active rather than passive language should be used.
- Text should be left justified.
- Sans serif fonts should be used as these have been found to be the most legible. An example of a sans serif font is Arial.
- Labelling should be used consistently across plant.
- Labels should be used appropriately.
- The relationship between labels and the equipment they refer to should be clear.
- Labels should be easily read.
- Standard abbreviations should be used where abbreviations are required.
- Display devices should be appropriate for the type of information they are presenting.
- Display devices should be grouped logically to improve signal detection. It is recommended that formal task analysis methods be performed to determine the optimum arrangement for displays and their associated controls.
- The relationship between a control and its associated display should be obvious.
- The operator should be able to easily understand display feedback.
- The response to this feedback should be obvious, wherever possible.
- The control method provided for navigation around displays should be appropriate for the task.
- Appropriate presentation methods should be used for information. A simple guide is presented below:
- Mimics should follow current conventions for symbols etc.
- Mimics should be user tested prior installation to ensure that they are compatible with the end users mental model of the plant.