Ecological Interface Design in the Nuclear Domain

Ecological Interface Design in the Nuclear Domain

(Parte 1 de 5)


Ecological Interface Design in the Nuclear Domain:

An Application to the Secondary Subsystems of a

Boiling Water Reactor Plant Simulator

Nathan Lau, Øystein Veland, Jordanna Kwok, Greg A. Jamieson, Member, IEEE, Catherine M. Burns, Alf Ove Braseth, and Robin Welch

Abstract—Accident investigations have revealed that unanticipated events are often precursors of major accidents. Unfortunately, conventional approaches to interface design for complex systems do not explicitly support problem solving during unanticipated events. Ecological Interface Design (EID) is a theoretical framework for designing computer interfaces that explicitly aims to support worker adaptation, especially during unanticipated events, leading to more robust user interfaces. However, limited verification and validation research in representative settings is impeding the adoption of the EID framework in the nuclear domain. This article presents an example by applying EID to the secondary side of a boiling water reactor plant simulator. The interface designers constructed abstraction hierarchy, causal, and part-whole models to acquire pertinent knowledge of the work domain and designed five ecological displays to represent the plant processes. These displays are analytically shown to contain visualization properties that could support monitoring and diagnosing unanticipated events in accordance to the claims of the EID framework. The analytical evaluation of the visualization features of the displays also illustrates that the EID framework could be applied to improve current verification practice. A companion article reports an empirical evaluation of these ecological displays to validate whether these properties could enhance operator performance.

Index Terms—Control room, ecological interface design,nuclear power plant.

L OW carbon emission and stable fuel supplies are rekindling interest in nuclear power [1]–[6]. At the same time,

Nuclear Power Plants (NPPs) are undergoing significant mod-

Manuscript received January 10, 2008; revised April 1, 2008. Current version published December 31, 2008. This work was supported by the Natural Science and Engineering Research Council (Canada) and the OECD Halden Reactor Project.

N. Lau and G. A. Jamieson are with the Department of Mechanical and Industrial Engineering, University of Toronto, Toronto, ON M5S 3G8, Canada (e-mail:;

Ø. Veland and A. O. Braseth are with the Division of Operations Centre, InstituteforEnergyTechnology,HaldenN-1751,Norway(;

J. Kwokwas with SystemsDesigns Engineering, University of Waterloo, Waterloo, ON N2L 3G1, Canada. She is now with Research In Motion, Ltd., Waterloo, ON N2L 5Z5, Canada (e-mail:

C. M. Burns is with Systems Designs Engineering, University of Waterloo,

Waterloo, ON N2L 3G1, Canada. (e-mail:

R. Welch was with the Division of Operations Centre, Institute for Energy

Technology, Halden N-1751, Norway. He is now with Prediktor, Fredrikstad N-1601, Norway (e-mail:

Color versions of one or more of the figures in this paper are available online at

Digital Object Identifier 10.1109/TNS.2008.2005979 ernization to both extend plant lifecycles and accommodate uprates [3], [7], [8]. This period of global and local change presents a unique opportunity for the industry to shift toward advanced technologies, including those that support the cognitive workload challenges of control room operators who hold ultimate responsibility for plant safety and efficiency.

Effective human-system interface design is increasingly acknowledged as necessary to support operators in achieving reliable and safe operation (e.g., [9]–[18]). Knowledge about interface design has been accumulating from both research and practice. Nevertheless, new human-system interfaces developed with this recent knowledge must undergo rigorous verification and validation to ensure safe NPP operations [19], [20].

The US Nuclear Regulator Commission [19] regards verification as an evaluation of whether the properties of a design product conform to regulatory standards and guidelines1 (also see [21]). Verification is often conducted through analytical means. On the other hand, validation assesses whether the performance of the product is in compliance with operational and safety goals or requirements of the regulators and industry [19], [20]. Validation is often comprised of a series of empirical studies evaluating the verified technologies.

A. Current Analysis Approaches for Interface Design and Types of Verification

Inthenucleardomain,human-systeminterfacesgenerallyundergo two types of verification–(i) human-system interface task support verification and (i) human factors engineering design verification [19]. Task support verification analytically evaluates whether the interface fulfills the criteria derived from task analyses, which identify information associated with those activities or actions that must be performed in order to meet higher level goals within a specific context [2]. Information identified by task analyses could also form the basis for design; and design approaches that rely primarily on task analysis are deemed “task-based”. Task-based approaches to interface design and task support verification together ensure the efficiency of the operator in performing “procedure guided tasks” or well-defined tasks under anticipated situations [23], in which decision making is largely rule-based (see, [19], [24]).

1Verification is sometimes more narrowly defined as an assessment of conformance between the final product and the design specification (e.g., [30]). Readers who prefer such a perspective may interpret the content of the article to be more relevant to validation than verification. More specifically, the application of the EID framework could improve validation rather than verification practice.

Authorized licensed use limited to: UNIV ESTADUAL PAULISTA JULIO DE MESQUITA FILHO. Downloaded on July 13, 2009 at 17:52 from IEEE Xplore. Restrictions apply.


Human factors engineering design verification analytically evaluates whether the interface accommodates human capabilities and limitations as reflected by design guidelines (e.g., [21]). Guidelines capture established findings in human factors research, particularly on syntactic issues (e.g., legibility/font size requirements), and reflect knowledge from operational experience (e.g., scale units and labeling specification). Thus, guidelines could directly inform interface design as well as verification. In addition, user-centered design methods that specify information based on operational experience may supplement guidelines to achieve design verification. In essence, guidelines and human factors engineering design verification together ensure that information on the interface is presented adequately for human perception.

B. Unanticipated Events and Knowledge-Based Tasks

The conventional design approaches (i.e., task-based, user-centered, and guideline-driven) and verification processes have seemingly led to interfaces with adequate performance and reasonably good safety records. However, accident investigations indicated that unanticipated, non-routine events are often precursors of serious accidents [14], [25]–[27], in which decision making is mostly knowledge-based. Unfortunately both task analysis and operational experience review do not explicitly and conceptually account for ill-defined tasks and unanticipated events [1], [23].

Control room operators are increasingly challenged by knowledge-based tasks, which are often ill-defined, involve reasoning about safety and operating goals, and managing the sometimes conflicting means of achieving those goals (see, [19]). As frequently occurring tasks become automated, system-wide complexities rise, leaving operators to manage unanticipated, ill-defined tasks [28], [29]. Even monitoring during normal operations is cognitively demanding, sharing many characteristics with active problem solving [29].

While effectively addressing the efficiency and safety concerns associated with procedure-guided and even “operational experience review-identified difficult” tasks [19], conventional design and verification approaches relying on task analysis, operational experience, and guidelines are not explicitly conceptualized to support the reasoning and problem solving that characterize knowledge-based tasks. Given the trend towards knowledge-based work (see e.g., [28]) and lessons learned from past accidents [18], the design and verification processes could be substantially improved if they offered guidance to help operators cope with knowledge-based or ill-defined tasks during unanticipated situations.

C. Work Domain-Based Approaches

Recent research on interface design increasingly emphasizes work domain-based approaches [28], [30]. Work domain-based approaches explicitly aim to support operators in performing ill-defined tasks during unanticipated situations (i.e., knowledge-based tasks; see knowledge-based behavior in [24]). These approaches capture information describing the system structures in terms of their functions within the overall environment or ‘ecology,’ in which the work is to be performed and goals achieved [2]. Over the past decade, several alternative frameworks with similar perspectives have emerged [17],

[31]–[3]. In essence, work-domain based approaches seek to improve the robustness of interfaces; that is, their effectiveness in supporting operators in coping with all events, including unanticipated ones [1], [23].

Interfaces generated from work domain-based approaches present information similar to those that are discovered through functional requirement analysis as mandated by regulators. “Functional requirement analysis is the identification of those functions which must be performed to satisfy the plant’s safety objectives” [19]. More specifically, [19] states that a functional requirement analysis is conducted to (1) determine the objectives, performance requirements, and constraints of the design, (2) define high-level functions to accomplish the objectives and desired performance, (3) define relationships between high level functions and plant systems, and (4) provides framework for understanding the role of the controllers2. This description reveals that the information discovered through functional requirement analysis coincides with those presented in interfaces following work domain-based approaches which often include purpose, constraint and relationship information on system structures (see [28]).

Though required by regulators for interface design input, functional requirement analysis is only prescribed as a means to specify the roles of operators, thereby setting the criteria for the information content for supporting operators in their respective roles [19]. In contrast, work domain-based approaches explicitly seek to present functional information on interfaces as means to support problem solving during unanticipated events in which pre-defined roles could limit operator adaptability in resolving disturbances.

Work domain-based approaches can theoretically improve current interface design and verification practices to ensure effective operator support for knowledge-based tasks. These approaches also appear viable as the analysis methods generate information that resembles those in functional requirement analysis. However, work domain-based approaches have yet to be widely practiced in industry. One factor precluding industry from gaining the knowledge and confidence necessary to adopt work domain-based approaches is a shortage of design, verification, and validation efforts based on these new interface design concepts. The literature offers very few proof-of-concept examples of work domain-approaches at the scale and complexity of industrial systems, and where examples exist in private industry they are typically protected as intellectual property. Apart from design practice, the literature also provides very few examples in which information identified by work domain-based methods forms the basis for interface design verification. Given the paucity of proof-of-concept examples, there are also virtually no validation studies of work domain-based approaches in process control systems. Consequently, it is unknown whether performance advantages deduced from theories or observed in laboratory environments are obtainable in practical settings.

D. Overview of the Current Study

To address this research issue, the University of Toronto, University of Waterloo and the OECD Halden Reactor Project es-

2See [28 Chapter 1] on how Work Domain Analysis might be applied for allocating functions to controllers.

Authorized licensed use limited to: UNIV ESTADUAL PAULISTA JULIO DE MESQUITA FILHO. Downloaded on July 13, 2009 at 17:52 from IEEE Xplore. Restrictions apply.

LAU et al.: ECOLOGICAL INTERFACE DESIGN IN THE NUCLEAR DOMAIN 3581 tablished a research program to assess the utility of a work domain-based approach—Ecological Interface Design (EID)—for the nuclear industry. The intent was to provide representative research results that speak to the selection, development, implementation, verification and validation of human-system interface technologies during upcoming NPP modernization and construction projects.

EID was selected as the work domain-based approach because, among comparable approaches, it offers the most substantial corpus of research available in the literature. Proof-ofconcept ecological interfaces have been reported in many domains and empirical support continues to accrue [34]. However, many of these studies are only marginally representative of industrial settings. Still, competing work domain-based approaches offer markedly fewer representative examples and less empirical support. This lack of detailed, representative application, verification, and validation studies in the open literature inhibits knowledge transfer, slowing down industry adoption of work domain-based approaches.

In this article, we report our efforts in designing ecological displays for the secondary side of a high fidelity nuclear plant simulator and verifying the conformance of the ecological displays to the EID framework. In describing the products of the EID framework, we aim to provide guidance and foster confidence in designing ecological displays. In verifying the conformance of the displays to the EID framework, we illustrate the potential contribution of applying work domain-based approaches as part of human-system interface verification to ensure the support of knowledge-based tasks. In a companion article [35], we report on our validation efforts involving an empirical evaluation of the ecological displays.

HAlden Man-machine laboratory BOiling water reactor

(HAMBO) [36], [37] was selected as the simulator platform for our research as it is a high-fidelity simulation of an operating, 1200 MW, boiling water reactor (BWR) plant. Developed for realistic testing of prototypes and systems prior to installation, HAMBO is sufficiently advanced and flexible to accommodate the complex, information-intensive graphics that typify ecological displays. It also operates at a scale and complexity comparable to the real plant, addressing concerns about the representativeness of research findings to actual practice. HAMBO has demonstrated high face validity in many previous human-system interface studies employing licensed operators [37]. Thus, the design and verification research on EID described in this article is applicable to the practical settings of nuclear plant operation. The article also provides a necessary foundation for future research, including attempts to validate that EID can deliver practical benefits to the nuclear industry.

The remainder of this article is organized as follows:

Section I describes the EID framework and reviews its application to industrial systems. Section I then describes and verifies the products of this study, namely the Work Domain Analysis for the secondary side of the BWR and the ecological displays, themselves. Finally, Section IV discusses contributions and insights gained though development and verification of ecological displays at the scale and fidelity of an operating NPP.

Fig. 1. Five-level abstraction hierarchy with the ‘why, what and how’ characterization. 8 76 m (600 600 DPI).

EID is a theoretical framework for designing human-computer interfaces for complex socio-technical systems [1], [12]. The EID framework relies on two fundamental activities: (1) defining information content based on psychologically relevant models of the work domain, and (2) representing information based on perceptual forms that are compatible with human cognitive capabilities [1], [12].

(Parte 1 de 5)