Advice on implementing ANSI/ISA standards for operator interfaces
Greg: The operator is on a moment-to-moment to basis, making sure the process is safe, reliable and productive. It appears to me that the operator interface developed for the original distributed control systems in the 1970s did not improve much for the next 20 years. If anything, they were going in the wrong direction and getting too colorful and complicated, providing distractions rather than a clear path to the operator task needed. Fortunately, there's been a significant effort starting about 20 years ago and including research by the Center for Operator Performance (COP), an alliance of academia, process manufacturers and automation suppliers. Most important, there is now a practical guide via the ANSI/ISA-101.01-2015 standard, “Human Machine Interfaces for Process Automation Systems.” This standard has considerable synergy with ANSI/ISA-18.2-2016, “Management of Alarm Systems for the Process Industry.” These standards are critical for improving the performance of operators, enabling them to better do the tasks needed for abnormal conditions, operational states and production objectives, increasing process safety, efficiency and capacity. The implications extend well beyond the displays to training and control system configuration besides the operator interface. All automation professionals should take advantage of ISA Standards. ISA members can view a standard for free online by clicking on “View ISA Standards: A Member Benefit,” and logging in with the email and password for their ISA membership account.
Stan: In the June 2016 “Control talk,” we were fortunate to have Nick Sands, DuPont Technology Fellow and ISA Fellow, help us understand important aspects of the ISA Standard on Alarm Management. We build on this need to help the operator by getting input from Bonnie Ramey, DuPont senior process control engineer and expert in human-machine interface (HMI).
Greg: What is a high-level view of what the ISA standard on HMI does?
Bonnie: It might be easier to first understand what the standard doesn’t do. It doesn’t give specifics for colors or shapes or tools. ISA-101 is not about the details of a display. What it does do is provide guidance for the entire HMI lifecycle, from design to operation. This includes general principles, display types, display hierarchy and user interaction. The lifecycle is different than that described in ISA-18.2 for alarm management and ISA-84.01-2004 for safety instrumented systems (SIS). In the HMI lifecycle, building the displays comes after understanding the user requirements, and developing the system standards to meet those requirements. The system standards are the HMI philosophy, style guide and toolkit. The ISA101 committee has started on technical reports that will provide more detailed guidance on developing an HMI philosophy and how to apply the standard to mobile devices.
[sidebar id =1]
Stan: What are some of the challenges in applying ISA-101?
Bonnie: I see two challenges. Using the standard to create an HMI philosophy, for example, is just as tricky as actually making the conversion of the graphics in the control room. In our business, we have many different control rooms with many different levels of automation. Gathering the control engineers together to develop an HMI philosophy, and agree to designs for the console, the displays and the HMI system itself takes a lot of time and energy. So of course, the control engineers face that time and discipline challenge. Just as tricky, though, is getting the end user operators to accept the change from what they’ve always had to the something new. Change is hard. Even though the goal is to enable more effective safety, quality, productivity and reliability in the operation of the process, people are always hesitant to accept it simply because they do not want to change anything. At our site, I have trained more than 50 operators on the migration from “free form” to applied HMI design, and I found that 99% of the operators understand and accept the value of the change once they are trained on working examples in their areas. So, it’s all fear and worry about change until the training happens.
[sidebar id =2]
Greg: In some COP studies I participated in, we were surprised how, with better HMI design, people with no experience in the process or the automation system could do as well or better than the most experienced operators.
Bonnie: We've seen the same thing here. For example, we have a batch process operation onsite where there's little to no advanced automation. Each step of the process is controlled by automated sequences. Operators have a graphic view of the process, but instead of controlling flow valves or pumps like most chemical process operators, these operators merely use pushbuttons to stop and start various stages of the batch process. As such, their graphics are quite simple, so that area was where we first migrated to graphic displays that used our new design guide. After these same batch operators completed the training on the new displays and features in the HMI, I was able to walk them over to one of the most advanced control-oriented panels on the site, and ask them to identify the highest priority alarm in that process (a process that they had never seen before). Each of these operators was able to navigate to the highest priority alarm, and tell me the corrective actions necessary to mitigate the consequence. Because the console design, system design and display style guides followed our own HMI philosophy in both control rooms, every one of the batch operators could perform the corrective action as well as the most seasoned operators in the advanced process. A well designed HMI should make it that easy for even the newest operator to retrieve help or supporting information for the task at hand. This improved HMI, coupled with operator training, promotes quicker understanding, and simplifies tasks to enable new operators to perform just as well as seasoned operators. This is extremely important considering the aging nature of our workforce and the need for new operators to be effective from the “get-go” with minimal experience in the particular process and control room.
Stan: What are tell-tale signs of a poor HMI design?
Bonnie: Poor HMI design includes a dark room with Christmas-tree graphics showing lots of colors, ornaments, blinking lights and constant noise. We have a control room on-site that is laid out into three different process control centers for three different processes. Process A is in the darkest part of the room. The ceiling light bulbs have been removed so the operators have a better view of the 10 screens with black-background graphics. The graphics have a rainbow of colors, not only to indicate different process lines (like water versus steam, for example), but also the same color that's used to indicate the highest-priority alarm is used throughout these black graphics to indicate that a field device is off or closed. Blinking lights indicate rotating equipment. The alarm is sounding every minute or two, the list of alarms is multiple pages, and the silence button is still employed as the operator keeps one hand on the keyboard throughout the entire shift. Walk 10 feet to the right into Process B: better lighting, gray graphics, no noise, no blinking, no problem. The operator sits at a table a few feet away from the console. The alarm page has a handful alarms, and when new alarms come in, the first button pushed is a navigation button to allow the operator to orient the alarm in the process. If necessary, a button appears on each graphic to allow the operator to distinguish process lines from service lines to help orient them. Acknowledging the alarm only happens after the operator has popped up the additional help. Move 10 feet more to the right and you walk into the “mix.” Process C is struggling to accept the change. Half of the graphics are gray; half are black. Half of the graphics use the alarm colors solely for alarms; half of the graphics still use that primary red to indicate that a pump is off, whether it's supposed to be off or not. Not only is finding alarms tricky in this control room, but finding devices is just as tricky since the old graphics have no logical, left-to-right flow standard. So in the same room, you witness the good, the bad and the ugly. The tell-tale signs of poor HMI design are everywhere. It’s up to the control engineer to make standards part of the design, and implement those standards as a part of the never-ending goal of improving operator excellence, uptime and quality.
Greg: How does the operator get to see more and more detail as needed?
Bonnie: The display hierarchy is the key. The hierarchy has a broader view with limited detail at the highest level, and more detail for a more focused area at each deeper level. It’s quite like using Google maps and moving from city view to street level. Each level supports different activities, and provides the information relevant to those activates. The hierarchy is also collapsible, which is to say that not everyone needs all four of the levels described in ISA-101.
Level 1 is generally the highest level of the hierarchy, providing a console overview of the area of responsibility for an operator. The intent of the level 1 overview display is much more for situational awareness than operation. The display would have key performance indicators (KPIs) and trends on how the area is operating. Often, level 1 displays do not support actual process changes because the information to support those changes is not included. These displays are based more on dashboards than P&IDs.
Level 2 is generally a unit or system overview, covering only part of the area covered by the level 1 display. The purpose of the level 2 display is to support both situational awareness and operating tasks. The most common operating tasks can usually be executed from these displays, while still maintaining a broad view of the process.
Level 3 displays generally look more like the P&ID-based graphics of the past. These displays are designed more for task support than situational awareness. They support detailed tasks like startup and shutdown. But still not all process information may be needed on these displays. We often employ our ‘level 3 rule,” which is that every tag that alarms, interlocks or controls will be assigned to a level 3 display. We also include indications needed to complete tasks or procedures using the level 3 displays. Often there are indications not needed on the level 3 displays.
Level 4 displays are for detailed tasks and troubleshooting. These displays are very focused, perhaps on a single piece of equipment like a compressor, or a single task like swapping polymer filters.
You should be getting a picture of how the hierarchy is designed to support the operator, providing them the right information they need for right tasks.
Stan: Do you show the signals between the controllers, valves and measurements and the relative location of the field components? As an automation engineer, this is important for my understanding, but most of the graphics I've seen simply show digital values for measurements and possibly not even the valve positions. For split-range outputs, process variables computed or selected from several measurements, cascade control, and loops where relative measurement location is important, I think there's a significant loss in understanding for the process and automation engineers or maintenance technicians, but I recognize a lot of signal lines might be a distraction to the operators.
[sidebar id =3]
Bonnie: Signal lines can indeed be distracting to operators, so a good HMI should enable a toggle button to turn those lines off or on at the operator’s command. Still, there are process areas where controls are very tricky to understand, and these signal lines become more important. We have a multi-stage process that involves flow distribution and level control among several tanks. One tank is only used when the primary tank’s level is greater than X%, while two other tanks have primary and secondary level control when level is below the X% trip point. When process rates change, level control action gets faster, and the potential to overflow increases rapidly. In the old HMI, operators merely had a view of several faceplates in a row, representing each of the tank levels, much like the 1980s control rooms with 352 controllers on a wall. Clearly presenting the signal lines—or control action lines—to the operators on this washing part of the process has allowed the operator to easily orient to the tank with the greatest potential to overflow. He can manipulate the valves to redirect flow accordingly. As a result of having this signal information, we've reduced our tank overflow situations by more than 50%, which subsequently improved our uptime. We show dashed gray signal lines except for the very simple flow loops where the valve is just downstream of the flowmeter. The operator can choose to turn the dashed lines on or off.
Greg: How do you provide more intelligent trend charts? Most of the default trend charts from a faceplate aren’t useable because they don’t have a time scale or a process variable or manipulated variable scale that reveals the trajectory. You can always zoom in to see noise. What's needed is an understanding of where the process has been, where it's going, and the slope of approach or excursion. Toward this end, the simple computation of a value one deadtime into the future for critical process values can be very helpful in providing greater understanding by operators and engineers providing technical support. The “Control Talk” blog post on June 28, 2012, “Future PV values are the future” provides the insight and details on what can be done to know where a process is headed. The “Control talk” blog post on July 26, 2012, “Checklist for loop analysis by trend charts” provides some guidance on scaling, compression and historian update rates. This post should help make sure you can choose what's best for control system analysis and tuning, and not what an IT person decides based on information storage economics nowhere near as significant as process performance. I'm amazed how engineers don't try and overrule IT decisions.
I think there's also a much greater need to understand the number of significant digits to display because people can be obsessed with matching values to an unreasonable degree, losing sight of the bigger picture, and even leading to improper tuning that focuses more on the use of integral action to eliminate inconsequential offsets. This has even lead to the use of integral action in positioners to make the actual valve position more exactly match the signal, leading to limit cycles and a lower gain setting, resulting in reduced proportional action and a less immediate response to the demands of the process loop.
Bonnie: The trend charts on levels 3 and 4 have an intelligent selection of variables besides the best variable value and time scaling for the process area or unit operation. Applying the level 1 hierarchy is a great way to show operators where the process has been, where it is now, and where it is likely to go next.
[sidebar id =4]
Stan: How should sites proceed to take advantage of ISA-101?
Bonnie: Besides the obvious need of studying and understanding the standard, the site needs to take on the responsibility of understanding the functional requirements and tasks of each process area. While implementation of distributed control systems in the 1980s enabled a spider web of two-way data paths, another spider web of unforeseen consequences fell upon us. The industry technology was changing faster than the standards could be developed, much less employed, and processes suffered unexpected or unforeseen consequences. Clearly, when HMI systems are deployed without a supervisory philosophy or design standard, the system becomes free-form, making KPIs like uptime, quality and reliability more and more difficult to achieve. ISA-101 wasn’t written to specify exactly which shape, console or color scheme to use. It was written to guide control engineers through a responsible design process for their own HMI system. It starts by understanding there is a lifecycle for the entire HMI system, and the ISA-101 standard demonstrates how to manage the HMI accordingly. Once the HMI system standards are agreed on and accepted at the site, the most important stage in the lifecycle becomes operator training. If at first you don’t succeed, train, train again. At our site, the first step in taking advantage of ISA-101 was for the control engineers to agree to develop our own philosophy and design guide. We then began implementing the graphics that met our design standards as steadily as possible. We did not shortcut or hurry through the training. Read the standard. Develop your philosophy. Know your process’s functional requirements. Develop your design guide for the system and for the displays. And when it’s time to implement, engage and train the end user at every opportunity.
Greg: Good HMI practices can impact the entire automation system and possibly even the process design. There may even be considerations for batch and continuous control system design, as discussed in the September 2016 “Control talk” column with ProSys president Dustin Beebe, “Continuous improvement of continuous processes,” about making the most out of the ISA-106 standard on procedural automation and state-based control.
We as automation engineers should take much greater advantage of what ISA standards have to offer. I highly recommend viewing the ISA Mentor Program Jan. 25, 2017, webinar by Nick Sands, “The Amazing Secret World of ISA Standards.” For continuing and more extensive value, check out the ISA Interchange Site: ISA Mentor Program's webinar playlist, question and answer posts, and “background.”
Top 10 non-consoling things said at an operator console
- (10) These displays are prettier than my Christmas tree
- (9) I want more digits on the digital displays
- (8) I don’t care where the temperature is going, I just want it to exactly match the setpoint
- (7) The number of alarms is alarming
- (6) Each loop has 5 alarms
- (5) I need to turn off my hearing aid
- (4) I learned everything I need to know in my aerospace Control Theory course
- (3) This reactor is about to take off
- (2) I just need to see the Bode Plots and Nyquist Plots
- (1) I gotta get out of this place if it is the last thing I ever do
[sidebar id =5]