Control Room Design Guidelines

by Editorial Staff
There are two major aspects of control room design that should be
taken into account in the Safety Report these are:

 the suitability of the structure of the control room to withstand

possible major hazards events; and
 the layout of control rooms and the arrangement of panels,
VDUs etc to ensure effective ergonomic operation of the plant
in normal circumstances and in an emergency.
Control room structure

For large plants, control rooms are likely to be situated in separate

buildings away from the process plant which they serve. For
medium or small plants control rooms may be within the plant
building or control panels may be located local to the plant.
Whatever the location, control rooms should be designed to ensure
that the risks to the occupants of the control room are within
acceptable limits and that it is suitable for the purposes of
maintaining plant control, should the emergency response plan
require it, following any foreseeable, undesirable event within the
plant.

Events that may affect the control room are:

Vapour Cloud Explosions (VCEs)


 Boiling Liquid Expanding Vapour Explosions (BLEVEs)

 Pressure bursts
 Exothermic reactions

 Toxic gas releases

 Fires, including pool fires, jet fires, flash fires and fire balls.

The threat from explosions and pressure bursts should be

considered in the structural design of control building. A
methodology for this is presented in the recent CIA/CISHEC
guidance CIA Guidance for the location and design of occupied
building on chemical manufacturing sites. This considers the
vulnerability of the building to possible overpressures associated
with particular events. Buildings should be designed to withstand an
overpressure that will ensure that risks to individuals within the
building are below acceptable limits. Particular attention should be
given to the provision of windows, the presence of heavy
equipment on roofs (e.g. air conditioners) and the ability of internal
fixtures to withstand the building shaking. If windows are present,
consideration should be given to the use of laminated or
polycarbonate glass, to prevent serious injury to occupiers of the
control room in the event of an overpressure. ALARP principles
should be applied in these considerations and cost benefit used to
determine if additional measures should be applied.

In consideration of toxic gas releases the control room should

provide a safe haven for its occupants. This will include arranging
that the building is adequately sealed to prevent ingress of gases to
levels of concentration that will affect the health and thereby the
ability of the operators to maintain control of the plant. Careful
consideration of the building ventilation system is required to
ensure that air intakes are situated away from areas that may be
affected or to arrange that there is no air intake during an incident,
preferably by closure of an automatic valve linked to a gas analyser.

Measures for protection from fires should ensure the control room
will withstand thermal radiation effects without collapse and that
smoke ingress is controlled. Materials of construction should be fire
resistant for the duration of any possible fire event. Smoke ingress
may be controlled in a similar manner to toxic gas ingress.

Each of these methodologies should be applied to control rooms

within buildings as well as separate control buildings. Control panels
on the plant itself cannot be so easily be protected, therefore
diversity and redundancy should be applied to ensure that plant
control can be maintained in an emergency. Risk Assessments
should be undertaken to demonstrate that primary and secondary
(domino) risks are within acceptable limits.

Human factors/ergonomics

Operators should be able to demonstrate that appropriate human

factors considerations have been given to the design,
commissioning, and operation of control rooms under both normal
and abnormal plant operating conditions to reduce the frequency
of human error due to control room deficiencies.

It is vitally important that a control room and its operators are

considered as a whole system and not in isolation of each other. For
example a well designed control room for use by 4 operators is
dangerous when staffed by 3 operators. Similarly, the best-trained
operators cannot guarantee high reliability in a poorly designed
control room.

Factors to be taken in account are included on the following

paragraphs.

Environmental issues

Layout

 Control room dimensions should take into account the 5th

and 95th percentile user.
 The design of the control room should be derived from an
appropriate task analysis method, such as link analysis or
hierarchical task analysis.
 Emergency exits should accommodate egress by the 99th
percentile user.
 Access and egress should be considered for disabled
operators.
  Adequate access should be provided throughout the control
room. However, the layout should discourage flow from
general circulation areas to ensure that necessary lines of sight
are not obscured.
 If there are a number of control rooms operating on the same
system they should adopt similar layouts to ensure
consistency.
 Operational links between control room operators, such as
communications and lines of site should be considered during
the design stage.
 The layout should not hinder verbal and non-verbal
communication and should facilitate team working.
 The layout of the control room should reflect the allocation of
responsibility and the requirements for supervision.
 The layout should be effective under high and low staffing
levels.
 Circulation of all personal should be achieved with the
minimum of disruption to operators.
 Where supervisory positions will increase the amount of
personnel circulation, it is recommended that these positions
are located close to main entrances.
 Distances between workstations should mean that operators
are not sitting within each other’s ‘intimate zones’. As a guide
the minimum spacing distance should be between 300 – 700
mm.
Maintenance

 Adequate access should be provided so that inadvertent

operation of equipment during maintenance is not possible.
 Behind panel equipment should be appropriately coded to
reduce the potential for human error.
Thermal environment

 Temperature and airflow should be adjustable. As a guide,

‘comfortable’ temperature for office work should be between
18.3°C and 20.0°C with airflow between 0.11 and 0.15 m/s.
Visual environment

Lighting should be such that it does not create veiling reflections on

VDUs or other reflective surfaces that require monitoring.

The type of lighting should be adequate for the task. i.e. for office
work a lux (lux is the unit of illuminance – measured using a light
meter at the work surface) figure of between 500 – 800 is
suggested.

There should be no perceptible flicker from strip lighting.

It is desirable to provide adjustable lighting for control rooms that

are manned 24 hours a day. During night-time operation lighting is
often dimmed.

Windows in control rooms should not cause veiling reflections on

reflective surfaces. Adequate means of blocking out direct sunlight
should be provided.

Auditory environment

The average noise level within the control room shall not exceed 85
dB(A) during the length of the working day.

For office work a noise level below 40 dB(A) is not desirable as it can
cause interference between operators.
Prolonged, very low or very high frequency noises should be
avoided.

Noise levels should not interfere with communications, warning

signals, mental performance (i.e. be distracting).

Man Machine Interface (MMI)

For mental workload, conditions of over and under-arousal should

be avoided. The duration of tasks that have an associated low or
high level of mental workload should be limited. Both these
extremes will increase the likelihood of human error affecting the
system. The design of the MMI should be based on a full Task
Analysis.

An interface should provide the operator with the general following

information:

 After initiating an action within a system the operator should

be clearly informed of the result of their action.
 If there is a delay in the system that prevents the operator
from being informed of the result of his/her action, the system
should inform the operator of this fact.
 If an action is made in error then it should be possible to
reverse such an action where it would not be detrimental to
plant safety to do so.
 The system should inform the operator of any deviations from
safe operating levels.
Alarms

 All employees and contractors on site should know what each

alarm means and what the required response is, if the cause of
the alarm has the potential to affect them.
 An alarm should reset automatically if the fault that generated
it is rectified.
  Alarm messages should be presented in a standard format,
based upon existing conventions.
 Alarm messages should clearly inform the operator of the
reason for the alarm.
 Following an alarm response required by the operator should
be clear.
 The coding of alarms should not be based purely on colour, as
colour blind operators will be unable to recognise what the
alarm indicates.
 Alarm signals should be at least 10 dB(A) over the background
noise of the control room.
 Alarms should not prevent effective communication within the
control room.
 An alarm log should be provided to for diagnostic purposes.
 The design of the alarm system should prevent masking and
flooding of alarms. Masking is where one alarm noise masks a
similar sounding alarm preventing the operator from detecting
the signal. Flooding happens when a system alarms which has
a ‘knock on’ effect on other related systems, the result of
which is the triggering of myriad other alarms – flooding the
control room with sound.
Coding techniques

 Coding should follow international conventions. Arbitrary

coding by operators can actually propagate, rather than
mitigate, human error if not carried out correctly.
 Coding should be consistent across plant.
 Coding should be used appropriately.
 Example methods of coding are:
 Colour
 Flash

 Brightness
 Inverse video/highlighting

 Sound frequency
 Sound type
  Shape 2D/3D
 Symbols
 Coding should be used redundantly where colour is one of the
coding methods.
Designing displays

Text

 The language used should always be capable of being easily

understood by the operator.
 Active rather than passive language should be used.
 Text should be left justified.
 Sans serif fonts should be used as these have been found to
be the most legible. An example of a sans serif font is Arial.
Labels

 Labelling should be used consistently across plant.

 Labels should be used appropriately.
 The relationship between labels and the equipment they refer
to should be clear.
 Labels should be easily read.
 Standard abbreviations should be used where abbreviations
are required.
Display devices

 Display devices should be appropriate for the type of

information they are presenting.
 Display devices should be grouped logically to improve signal
detection. It is recommended that formal task analysis
methods be performed to determine the optimum
arrangement for displays and their associated controls.
 The relationship between a control and its associated display
should be obvious.
 The operator should be able to easily understand display
feedback.
  The response to this feedback should be obvious, wherever
possible.
 The control method provided for navigation around displays
should be appropriate for the task.
Graphics

 Appropriate presentation methods should be used for

information. A simple guide is presented below:
 Mimics should follow current conventions for symbols etc.
 Mimics should be user tested prior installation to ensure that
they are compatible with the end users mental model of the
plant.