SAFETY CASE-ORIENTED ASSESSMENT OF HUMAN-MACHINE INTERFACE FOR NPP I&C SYSTEMS
A. Orekhova, V. Kharchenko •
National Aerospace University "KhAI", Kharkiv, Ukraine e-mail: nastva.orehova@rambler.ru. V.Kharchenko@khai.edu
V. Tilinskiy •
LTD "Westron", Kharkiv. Ukraine e-mail: tilinsky@westron.kharkov.ua
ABSTRACT
A safety assessment approach for human-machine interfaces (HMI) of Nuclear Power Plant (NPP) instrumentation and control systems (I&Cs) based on the Safety Case methodology is proposed. I&C assessment model is described taking into account human factor impact. Normative profile based on harmonization and standard requirements selection for choice of HMI safety assessment methods is developed. Ranking of major design principles of safe HMI is provided. Set of methods for comprehensive human machine interface safety assessment at life cycle stages is analyzed and adopted taking into consideration features of HMI safety attribute.
1 INTRODUCTION
To guarantee safety of nuclear power plants (NPP) it is required the modernization and development of new instrumentation and control systems (I&Cs). I&Cs functionality, reliability and effectiveness of human activities depend heavily on human-machine interfaces (HMI) [1. 2].Here's what's relevant now in the HMI field:
- human factor studies in order to reduce the likelihood of errors;
- analysis of the reliability of operator's actions associated with the risk assessment and taking into account the possible consequences;
- development of techniques for evaluation of safety [3].
An approach based on the Safety Case methodology [4] in assessing the security of critical systems has been extended. It involves a comprehensive assessment of the system and its software safety. As a result of work related analysis, the safety assessment of HMI in the Safety Case was not considered.
The work objective is an adaptation of the Safety Case methodology for the development of the integrated technique for the safety assessment of the HMI of critical systems. The paper is structured in the following way. The Section 2 represents general model of HMI as a object of safety assessment. Elements of Safety Case methodology are described in the Section 3. Regulatory requirements and normative base related to HMI safety are analyzed in the Section 4. The safety assessment methods are compared and adopted for HMI in the Section 5. The Section 6 concludes the paper.
2 FORMALIZATION OF OBJECT OF AN ASSESSMENT
Modern I&Cs of the NPP are complex systems of the distributed information processing. where HMI implementation is usually based on workstations. The main purpose of these HMI is to provide staff with the information on the status of the power unit systems, as well as an interface to control the actuators. Information is provided on the monitors of the Main Control Room (MCR) and workstations for personnel. Figure 1 presents a model of the human-machine system. Its
interface consists of two parts: hardware (HW) and software (SW). Besides monitors, HMI hardware may include a standard keyboard with a trackball or a mouse and a functional keyboard.
I&C
Figure 1. Model of object of an assessment.
Process displays are the core software components of HMI of the I&Cs. They represent plant process data grouped mostly by systems and organized in a multilevel hierarchical structure that allows to navigate among hierarchical levels, as well as within the levels and between the systems. In addition, process displays can be invoked via menu or functional keyboard.
Process displays provide all technological information to the operator in real time in form of symbolic circuits (animated snippets of technological schemes or equipment drawings), diagrams, histograms, tables, graphs, etc.
Detailed structure of the display system is provided at the design stage. HMI software model can have lots of levels (Fig. 1):
HMI = { STR, PER, ST, COMP, VD } ,
where STR - strategy; PER - capabilities; ST - structure; COMP - layout; VD - visual design.
The level of strategy (STR) defines objectives of the interface and the user needs; functional specifications and information requirements are determined at the level of Capabilities (PER), the level of ST is for interaction design and informational architecture; Layout (COMP) and visual design (VD) levels define the levels of information and visual design interface. As noted in [1], the main condition for achieving high quality HMI is to follow the standards.
3 METHODOLOGY OF SAFETY CASE
The safety assessment, based on Safety Case methodology includes a formal presentation of evidence, arguments and assumptions aimed at providing assurance that the HMI meets safety requirements, and safety requirements are adequate. At the same time attention should be paid to the logical arguments that will be used to demonstrate that the system is safe to use.
Purpose, which can be interpreted as testing requirement, is divided into sub-goals until one can identify tools, confirming that the sub-goal is achieved (Fig 2). Then these tools are used to verify the safety during development of the system.
Figure 2. Structure of the objectives.
It is important to plan for a Safety Case at the very beginning of the design process. Firstly, this will determine which evidence is necessary to collect and secondly, what should be used to support them in various stages of the life cycle. One problem is the choice of the depth and rigor of evidence. Some items of evidence may be more persuasive than others, and it must be considered when evaluating the effectiveness of the safety case as a whole.
Safety Case Report should contain all necessary information to assess the safety of HMI. The higher safety requirements the more details are required. Good quality Safety Case provides information to the extent and form that make the work of the expert comfortable in terms of reliability, availability, and ease of use. Typical content of the Safety Case includes:
System Description - defines the purpose of the evaluation, describes the system under consideration (the objectives, functions, structure, components, context of use) and its interaction with other systems. Quality Management Report - gives evidence that the requirements for the process of quality assurance have been met.
Safety management report suggests that an actions, defined in the safety plan, had been implemented. It should include the results of the various analyses, as well as a list of all identified hazards (Journal of Hazards).
Technical Safety Report - it explains technical principles, which provide safety. It should include reports to verify each component, including HMI.
Related Safety Cases - a document that contains references to any Safety Cases for other vital systems, related to the system under consideration.
Findings should be presented in the form of analysis of activities carried out by the developer, and why system attributes are sufficient.
To adapt this approach to the assessment of HMI, elements of Safety Case must be defined as part of the design, development and production, used for HMI of NPP I&Cs.
Figure 3 shows a conceptual model of the system safety assessment of HMI of NPP I&Cs [5]. The solution of the safety assessment problems of HMI of NPP I&Cs is complex and directly related to the modeling and analysis of the design process, specification requirements, the context of use and design.
The HMI safety model is constructed by analysis (profiling) of the regulatory framework. The choice of assessment methods directly depends on the safety profile and the stage of the life cycle of the HMI. Before using of different assessment methods, it is important to formalize the process of the upcoming evaluation. This will help to determine the best approach to effectively assess and select the most appropriate method or methods. Selecting of assessment methods should be
preferred to those methods which have tool support. Evaluation results have a direct impact on improving of the safety of HMI of NPP I&Cs.
PRODJECT INFORMATION
Dynamic scope: goals, objectives, equipment, environment Specification Design: structure, liront, style
v___J
Figure 3. Conceptual model of the safety assessment HMI I&C system in nuclear power plants.
General procedure of the Safety Case-oriented assessment is the following. At the first stage HMI safety requirement profile is developed (specified). The profile includes international and industry standards, and regulatory documents developed for various industry domains. The next stage is to determine the goals, objectives and characteristics for the HMI safety evaluation. There is an analysis and a choice of methods of an assessment which directly depends on a design stage, and also from earlier formulated purposes and problems of estimation. The most exact and reliable assessment can be obtained by applying several methods at the same time. The next stage is evaluation of HMI by tools implementing the chosen method. Finally, in the final stage we obtain the results of the evaluation in the form of certain reports and recommendations to improve the HMI. For this an expert combines the results obtained by different methods at the different stages of evaluation. The end result is highlighted in the safety case document, prepared for the evaluated system and HMI.
REGULATORY FRAMEWORK ANALYSIS
Safety assessment of HMI in the Safety Case is a multi-disciplinary problem. Its scientific rationale and solution requires knowledge of disciplines such as systems design, ergonomics and usability, human factors engineering, software engineering, safety and risk management. There is its own regulatory framework in each of these areas, which regulates approaches, processes, methods and tools for design and evaluation, which may be useful to create an effective methodology for integrated safety assessment of HMI. Fig. 4 shows possible profile-forming database of standards for the choice of methods and processes of NPP I&Cs safety assessment.
Basic design principles and requirements for HMI of NPP I&Cs are given in [6-7]. The same principles can be used as criteria for assessing the safety of I&Cs HMI. Nevertheless all these principles are important for proper HMI design, some of them may contradict with another, so a
compromise between different principles should be reached to ensure effective system design. That is why it is important to identify relative weight of the principles in comparison with other principles. Results of the expert analysis and ranking of these principles/criteria are given below.
Personnel Safety - this principle is ambiguous. In the broad sense, PS is a consequence of the implementation of its main purpose - to provide the safety of NPP. In this sense, it is an integral characteristic, which is inapplicable as a basic design principle. In a narrow sense - as an independent criterion - this principle can be attributed to the safety of I&Cs HMI only, which depends mostly on hardware components of the HMI and cannot deviate significantly under condition that I&Cs is built on modern technical means (for example a workstation monitor can affect user's vision, but all modern LCD monitors are rather similar from this point of view), so relative weight of this principle is rather low in comparison to other principles.
Cognitive Compatibility and physiological compatibility - these principles require physiological and psychological capabilities of the operator and the level of his training to be taken into account, when designing HMI. As main criteria, these principles allow us to estimate the quality of information, as well as ease of its perception, analysis and understanding. This is very important criteria for the human factor.
/ Requirements, methods, processes for assessing the l. HMI NPP l&C systems
requirements, methods, processes for safety assessment
/Requirements, methods," processes for software ' quality assessment
Figure 4.. Profile-forming base of standards.
Consistency is among high priority principles/criteria. Only mutual coherence feedback to the operator through different channels of information can allow him to make right decisions. Hierarchy of priorities of the informational sources must be clearly defined in case of conflicting data.
Situation Awareness is one of the most important principles, because it describes the ability of HMI to perform its basic function - to provide an understanding of the situation by the operator by providing him accurate information on the status of the systems.
Task Compatibility indicates that the system should meet users' requirement. This feature also is one of the most important, because the system must conform to its destination.
Error Tolerance and Control - priority of this principle depends on the class of the System. For systems important to safety, this characteristic has very high priority, because it can directly affect the safety of NPP.
Organization of HSI Elements - this principle ensures provision of the information to personnel in accordance with the distribution of roles in the power unit control, the most important
information relating to security should be available to all operational staff. This principle is important enough, but not critical.
The low-priority design principles include: Cognitive Workload, User Model Compatibility, Timeliness, Logical Structure, Controls Compatibility, Flexibility, Feedback, Simplicity of Design. All of these principles should be considered when designing HMI of the I&Cs, however, because the real HMI is a solution based on a compromise, which doesn't satisfy the above criteria completely, the greatest attention should be given to the high priority principles. There are some results of the safe HMI design principles ranking on Fig. 5.
I *Erjann-=iLaf=ty
■ Cognitive tome at ifcility
■ PlifiH != -izai
LCT^at.: ility
' 5irrp lioity of Design
'Cans'stancy
Principle
Weight
Primary 7-ssli Design
^ituat:in Jwcweneiz JTzl Compatibility
Principle
J atiqn Aware n e; 5
. -askCompatibility ) Use r Mod = I Comp atib ility
■ " reap ato n of =!=n--e^ts
logical.16<p i-cit Struct j re
■¡meliness
Lontrols/Djpiavs Compatibility
feedback
Primary Task Da sign Principle
Wegtit
1C
¡B
7
5 A £ 2 1 1
№
V Flexlt :lrty
User£uoance andSu^pcrt
Error To I: ranee and Control
Tas*Suppurt Principle
Figure 5. Design principles ranking. 4 CHOICE OF METHODS
To date, the task of choosing methods for safety assessment in the Safety Case was complicated by the large number of techniques of varying degrees of formality, complexity, ability to use of the life cycle stages, etc.
Since we discuss in this paper HMI software only, one can significantly limit the range of the analyzed approaches and methods. As part of UCD-design process of user-centered interactive systems, there is large number of methods relevant to usability [8, 9].
We believe these methods are the most effective at the pre-design gathering stage, at the stage of analysis of the use context (task analysis), as well as at the stage of verification and validation of the finished product (usability testing). Processes and methods of safety HMI evaluation, developed within a software engineering, are mainly focused on the metric evaluation of the finished product.
Methods of risk assessment are given in [10]. Risk assessment can be carried out with varying degrees of depth and detail. The use of one or more methods is possible. When selecting methods, the rationale for their suitability should be presented.
Methods must have the following features:
- to be scientifically sound;
- conform to the system under study;
- to give an understanding of nature and the nature of risk, how to control and process.
Method selection can be implemented based on the following factors:
- purpose of the evaluation;
- system development ;
- type of system;
- resources and opportunities;
- nature and degree of uncertainty;
- complexity of methods;
- ability to obtain quantitative data output;
- the applicability of the method;
- availability and accessibility of information for the system;
- needs of decision makers.
Table 1 shows the results of a comparative analysis of several method-candidates for Safety Case. Recommendations and the applicability of a specific technique throughout the risk assessment process of HMI have been considered when selecting methods.
Table 1. A comparative analysis of risk assessment methods.
Type of risk assessment methods Relevance of influencing factors Possibility of the use of the HMI
Resources, and capability Nature and degree of uncertainty Complexity
Checklists Low Low Low +
Preliminary analysis of the hazards Low High Average -
Scenario Analysis Average High Average -
Fault tree analysis (FTA) High High Average _
Analysis of the "tree" of events Average Average Average _
Analysis of the causes and consequences High Average High _
The analysis of types and the consequences of failures (FMEA and FMECA) Average Average Average +
Hazard and Operability Study (HAZOP) Average High High +
Reliability assessment of the operator (HRA) Average Average Average +
Multi-criteria decision analysis (MCDA) Low High Average +
"+" - applicable; "- " - no data
A possible profile of methods for Safety Case and the process of integrated safety assessment of HMI of NPP I&Cs at all stages of the life cycle is shown on Fig. 6.
Stage
Conception
Draft design
Result
sz
sz
Specification Goal
Functions Objectives
The prototype interface
Detailed design
Realization
\z
Interaction Information Design Visual Design
\z
Ready interface
Safety Case
Analysis of the technical specifications Task analysis (TA)
MCDA HAZOP
FMEA FTA
Metric assessment Usability Testing
Figure 6. Method of assessment of HMI I&Cs safety.
5.1. Multi-criteria decision analysis (MCDA).
The purpose of this analysis is to estimate the variety of options by applying a set of criteria. In the HMI case many prototypes can serve as such set of options.
The result of the analysis is to establish the order of preference of options available. While analysing, matrix of options and ranked and combined criteria are prepared, to provide an assessment for each option. This method is particularly useful at the early stages of design under uncertainty.
Analysis of the safety criteria has shown that, as a rule, they have the interval based on a quality and a character. The values of the most of them can be described by linguistic variables. Therefore, the safety assessment problem and selection of the best option in terms of safety criteria of the HMI of NPP I&Cs can be formulated as the problem of a fuzzy multi-criteria analysis of options [11]. Suppose we are given many options for HMI P = {P„P2,...,Pk} and safety criteria - set
G = GG2,...,Gn}, then the problem of multi-criteria analysis is to reorder the elements P based
on a set of criteria G. HMI version Pj e P is evaluated by criteria Gi e G by the number /uGj (Pj)
in the range [0,1]. The higher the number /uGj (Pj) the better option Pj for the criterion Gi, i = 1, n,
j = 1, k. Then, the criterion Gi can be represented by a fuzzy set Gi on the universal set of options P [11]:
r - ^¡(p2) PGi(Pk)}
l-^'-^.....-FTi , _ (1)
where Pj) is the degree of affiliation of the element Pj to the fuzzy set Gv
Building affiliated functions based on the twin comparisons is very convenient in finding the degree of affiliation of fuzzy set (1). When using this method, one must generate a matrix of twin comparisons of the results for each criterion. The total number of such matrices is equal to the number of criteria. The best option is the one that's best for all criteria simultaneously. Fuzzy solution D is the intersection of partial criteria (formula 3).
According to the fuzzy set D, the best option is the one with the highest degree of affiliation:
D= argmax (p.D(P1)' ^D(P2)' ^'^D(Pk)) When the criteria of non-equilibrium degree of affiliation of fuzzy sets D are found with the formula:
HD(Pj) = min^G^CP,))^,; = 1 ,k , (2)
where a1- coefficient of the relative importance of the criterion G0 a1 + a1 + ... + an = 1
fmini= ui ^Gi(Pi) mini= 1[;!T^Gi(P2) mini= M-Gj
D = G1nG2n.nGn= |---,---,...,---j (3)
Saaty method has become widely spread method to find the rank of criteria based on the matrix of the twin comparisons [11]. This approach campaign is about finding the approximate values of the vector of ranks, as the geometric mean values of each row of the matrix of twin comparisons. Thus obtained geometric mean values of the eigenvector are normalized by dividing by the sum of the geometric means.
5.2 Hazard and Operability Study (HAZOP)
The HAZOP method is a procedure for identifying potential or unforeseen hazards in the object due to a lack of information at the design/project stage or hazards manifested by abnormalities in the functioning of the system. The main objectives of this method are:
- making a complete description of an object or a process;
- systematic check of each part of the object or process in order to detect deviations from the project objectives;
- decision making on the possibility of hazards or problems, associated with these deviations.
The HAZOP process is a methodology of a good quality, based on control words, like questions about how design tasks or conditions of functioning may not be met at each stage of the project, process, procedures or a system. The composition and the interpretation of the control words can vary, depending on the object of analysis. The process usually has a team of specialists from different areas in the course of several meetings.
HAZOP method can be applied to HMI at various stages of a design or while the system is functioning. The possibility of using the HAZOP method for the HMI risk assessment is based on the fact that control words can be applied to the physical parameters and transmission of information. HAZOP allows you to explicitly take into account the causes and consequences of errors.
HAZOP study involves the following stages:
- identification of goals, objectives and scope of the study;
- acquisition of HAZOP study group;
- gathering the necessary documentation, drawings and descriptions of the technological process;
- dividing of the object of analysis into smaller elements and analysing them by using the collected documents and control words. Guidewords stimulate individual thinking and encourage brainstorming;
- it documents any abnormalities and related conditions. In addition, identification of the ways to find and/or to prevent rejection is detected. It's documented on the HAZOP worksheets. Examples of the guidewords deviation are shown in the table.
Guidewords can be applied to parameters such as:
- physical parameters;
- transfer of information;
- aspects of the operation.
Examples of deviations and the respective control words for HMI are shown in table 2.
HAZOP study can identify abnormalities that require the development of mitigation measures. In cases where mitigation measures are not obvious or very expensive, HAZOP study results allow identification of initiating events necessary for the further risk analysis. The HAZOP process allows
determination of different failure types, their causes and consequences. If deviations cannot be corrected, the risk of each such deviation should be evaluated.
HAZOP process can be applied to all types of the design goal deviations due to shortcomings of the project, the component(s), planned procedures, and personnel actions.
The method can be applied to various systems of mechanical, electronic, software, control systems for safety-critical facilities and computer systems (CHAZOP, Hazard and Operability Study management or Hazard and Operability study of computer-assisted tools).
Table 2. Deviations and associated guidewords for the HMI.
Type of deviation Guidewords HMI example
Negative No Data or signals do not pass
Quantitative deviations More Data is transmitted with higher speed than required
Less Data is transmitted with lower speed than required
Qualitative deviations As well as Error signal
Part of Incomplete data or signals
Reverse Reverse Inappropriate signals or data
Other than Incorrect signals or data
Time Early Signals come too soon
Late Signals come too late
Order or sequence Before Signals come earlier than required
After Signals come later than required
The advantages of the HAZOP method include the following:
- provides tools for the systematic and comprehensive research system, process or procedure;
- is conducted by experts from various fields;
- allows solution development and processing risks;
- applicable to a variety of systems, processes and procedures;
- can explicitly take into account the causes and consequences of human errors.
Successful use of HAZOP methodology applied to a complex object like an I&Cs HMI, with multiple links and relationships to other complex object, like an NPP, is very dependent on proper identification of goals, objectives and scope of the study.
Scope of study shall be very clearly idefined; any relationships with interfacing objects should be formalized to minimize number of study cases to a lowest reasonable number. Without such limitations number of study cases tends to increase beyond any reasonable limits and ambiguously cover safety study of related objects.
For example, from point of isolated HMI estimation in many cases it makes no sense to trace a single operator's fault in reading of specific process point value to its possible consequences on the plant side, because number of such consequences may be unlimited or undefined. Instead it makes sense to split process points into limited number of groups depending on their importance for plant safety in specific operation mode and establish a formal definition of hazards for every specific group.
5.3. Failure mode and effects analysis (FMEA)
FMEA methodology allows you to identify the nature of failures, mechanisms for their occurrence and impact. FMEA can be accompanied by a critical analysis, when the significance of each type is determined (FMECA). FMEA analysis is applicable to both systems, and their component, including software, SFME(C)A.
HAZOP process is similar to the FMEA. It allows failure modes identification, their causes and consequences. The difference is that HAZOP is carried out in reverse order of unwanted results and deviations to the possible causes and failure types, whereas FMEA starts with the failure type determination (Fig. 7).
Figure 7. Comparison of HAZOP and FMEA.
5.4. Recommendations to joint application of safety assessment methods of HMI
Obviously, no one of the above methods do not guarantee the accuracy of safety assessment in the process of designing HMI at all stages of the life cycle. It is also clear that the right choice and the sharing of different methods can increase completeness, confidence and cost-effectiveness of the analysis. Integration of qualitative and quantitative methods in the Safety Case should be performed on the basis of individual evaluation techniques with using selected criteria, and development the methodology for their joint use. Let us consider the profile of the methods proposed above in terms of compatibility and application to evaluate the safety HMI. Compatibility of methods is caused by their supplement and using the results of each other. At the initial stage of designing the concept of HMI is represented as a list of tasks and system requirements.
The problems of safety arising at this stage are caused by incompleteness and inconsistency of requirements with the principles recommended by normative documents. Assessment of specifications is carried out by an expert way, recommendations about revision of some important requirements for safety can be formulated as result of estimation. In the second stage of the design several prototypes of the HMI are developed, that implement the proposed concept. At this stage the assessment consists of a choice of the safest HMI, that in the best way takes into account the human factor and meets safety criteria. For HMI components (video frames) which provide the solution of critical tasks, in addition carried out a qualitative analysis of studies using HAZOP, which resulted in the identification of a possible deviation from the requirements and assessment of possible consequences. Features of interaction, configuration, information and visual design are specified at the stage of detailed design. Analysis of HMI can be supplemented by the methods of FMEA and FTA, which will allow to receive probabilities of a deviation (error) and gravity of consequences. Elements of the analysis are video frames and information flows. At the final stage for the ready HMI the usability testing is performed by the operator using simulator. A metric assessment of safety is also used. The results of these assessments must confirm the quality and safety of the finished product and design process.
5 CONCLUSION
Safety assessment of the I&C HMI is based on the Safety Case methodology, which allows us to improve the completeness and reliability of the integrated assessment at all stages of the life cycle from concept to finished product.
Rationale and methods selection is done by multidisciplinary profile-forming regulatory framework, which let us to combine the Safety Case methods in software engineering, risk assessment, human factor engineering and usability.
Rank of the design principles of the HMI safety has been implemented as a result of their analysis. Ranking was conducted with the participation of Westron company experts that has twenty years of experience in the developing safety critical I&C systems of NPPs. Nowadays these results are used at carrying out experiment to assessment HMI I&C system "Vulkan" on compliance to safety principles. Application of the techniques discussed above is planned to be used to evaluate the quality and safety of human-machine interfaces in the process of modernization and development of new NPP I &C.
Future research will be focused on the development of tools, means and techniques for evaluating HMI safety.
PREFERENCES
1. A. Anokhin, N. Nazarenko Designing interfaces //Biotehnosphere, 2010, № 2 (8), P. 21-27.
2. Xiaojun Wua, Qin Gaoa, Fei Songb, Pengbo Liub, Zhizhong Lia, Xiaolu Donga Evaluating FBTA-Based User Interface Design for digital Nuclear Power Plants // PSAM11/ESREL2012, Scandic Marina Congress Center, Helsinki, Finland, 2012.
3. N. Orekhova, V. Kharchenko Analysis of the requirements for interfaces NPP I&Cs / / Bulletin KNTU Named after P. Vasilenko. Engineering. Issue 102. "The problems of energy and Saving energy in agriculture of Ukraine. " - Kharkov: KhNTUA, 2010. - P. 109-111.
4. Andrashov A., Kharchenko V., Netkachova K.,et.al. Safety Case-Oriented Assessment of Critical Software: Several Principles and Elements of Techniques. Monographs of System Dependability. Dependability of Networks, Wroclaw, OWPW, 2010. - p. 11-25.
5. N.Orekhova,V. Kharchenko Safety assessment of NPP I&C HMI based on fuzzy multi-criteria analysis of options / / Computational Intelligence. Materials of first ISTC. -Cherkasy: Maklaut, 2011. - P. 219-220.
6. The safety assessment and independent verification for nuclear power plants. Manual / Series Safety Standard № NS-G-1.2 , Vienna, 2004. - 99 p.
7. Human-System Interface Design Review Guidelines, NUREG-0700, U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research Washington, 2002, 659 p.
8. Bevan, N. International Standards for HCI and Usability. International Journal of HumanComputer Studies, 55 (4), 2006.
9. Ergonomic requirements for office work with visual display terminals (VDTs) - Part 11. Guidance on usability: ISO 9241, First edition, 15.03.1998. - 28 c.
10. Risk management - Risk assessment techniques: ISO/IEC 31010:2000.
11. D. Shtovba Design of fuzzy systems by means of MATLAB. -M.: Hot line - Telecom, 2007. -288 p.