🖥️ HMI Design Best Practices for SCADA Systems

Why HMI Design Matters

The human-machine interface is the operator window into the process. Poor HMI design contributes to operator errors, slow abnormal situation response, and alarm floods that overwhelm attention. Studies by the EPRI and the Abnormal Situation Management Consortium estimate that 40-70% of industrial incidents involve operator error, and poor display design is a leading contributor. High-performance HMI methodology, codified in ISA-101 and EEMUA 191, addresses this directly by shifting from colorful artistic displays to information-dense context-rich low-clutter displays optimized for rapid anomaly detection.

ISA-101 Display Hierarchy

ISA-101 defines a four-level display hierarchy. Level 1 is the site/plant overview showing the entire facility health at a glance using aggregate KPIs and overall status. Level 2 is the unit/process area overview covering major unit operations across 20-40 displays. Level 3 is process unit detail displays with piping and instrumentation-based views showing all measurements, setpoints, and control loops for a specific unit. Level 4 is equipment detail showing single equipment items, tuning parameters, trend histories, and maintenance data.

Most operators work at Level 2-3 during normal operations, drilling to Level 4 for diagnostics. Level 1 allows supervisors to monitor the whole facility in parallel. Navigation between levels must be consistent, fast (ideally one or two clicks), and predictable. Operators should never have to search for a display.

High-Performance HMI Color Philosophy

Traditional SCADA displays use bright saturated colors for equipment states: green pumps running, red stopped, yellow in standby. This looks visually appealing but is cognitively inefficient. HP-HMI inverts this approach. The background is medium gray at approximately 30% brightness, normal operating equipment is dark gray or muted earth tones, and color is reserved exclusively for abnormal conditions. Any splash of color on a display is immediately attention-grabbing. An alarm or deviation stands out without the operator having to mentally filter through a rainbow of normal colors.

Specific color conventions in HP-HMI: red for high priority alarms or process safety alarms; yellow/amber for medium priority alarms; light blue or cyan for operator actions in progress; white for currently selected or active elements. Equipment states are shown with shape and text labels rather than color changes. Trend lines use distinct line styles in addition to color to remain distinguishable for color-impaired operators.

Alarm Management: EEMUA 191 and ISA-18.2

Alarm management is one of the most critical and most poorly executed aspects of SCADA/HMI design. ISA-18.2 (Management of Alarm Systems for the Process Industries) and EEMUA Publication 191 define best practices. Key metrics: the acceptable steady-state alarm rate is fewer than one alarm per 10 minutes per operator; the maximum manageable rate during an upset is approximately 10 alarms per 10 minutes. Many industrial systems far exceed these limits, creating alarm floods that paralyze operators during the exact moments when rapid correct response is most critical.

Alarm rationalization is the process of reviewing every configured alarm against criteria: does it require operator action, is it unique and not a consequence of another alarm, is it actionable within the available response time, and does it have an appropriate setpoint? Many SCADA systems have alarms configured for points where no operator action is possible or appropriate. These should be removed or reclassified as events/logs rather than alarms.

Alarm priority classification should reflect consequence, not just deviation magnitude. A Priority 1 critical alarm requires operator response within minutes to prevent safety, environmental, or major production consequences. Priority 2 high requires response within 10-30 minutes. Priority 3 medium requires response within an hour. Informational events that require logging but no response should not be alarms at all. Priority distribution should approximate 5% P1, 15% P2, 80% P3. Many systems invert this with too many high-priority alarms that operators learn to ignore.

Trend Display Design

Trends are the single most powerful diagnostic tool available to a process operator. Effective trend displays follow several principles. Show related variables on the same trend such as flow, pressure, and valve position for a control loop, using dual y-axes when unit ranges differ significantly. Display a time window that matches the process dynamics. A fast-responding temperature control loop might need a 1-hour window; a large vessel level might need 8-24 hours to reveal meaningful patterns. Include setpoints and control output on the same trend so operators can see cause-and-effect relationships.

Trend groups should be pre-configured for common diagnostic scenarios rather than requiring operators to build custom trends under pressure during an upset. Typical pre-configured groups include control loop performance (PV, SP, Output), unit heat balance (feed rate, temperatures, product quality), and equipment condition monitoring (vibration, temperature, differential pressure). Trends should retain a minimum of 30 days of history at process scan rate to support incident investigation.

Faceplates and Control Interaction

Faceplates are the popup windows operators use to interact with individual control loops, changing setpoints, switching between Auto/Manual/Cascade modes, and adjusting output. Faceplate design should be standardized across all loops in a facility. The faceplate must clearly show the current PV, SP, and output value; the current mode; and any alarms active on the loop. Setpoint and output entry fields must require a confirmation step to prevent accidental changes from a single keystroke or mouseclick.

Critical loops related to safety or high-consequence equipment should require a second acknowledgment or a separate operator authority level to change setpoints. The faceplate should also link directly to the associated trend group and alarm history so operators can understand context before making changes.

Situational Awareness and Display Navigation

Research on situational awareness identifies three levels: perception (what is happening), comprehension (what it means), and projection (what will happen next). HMI displays should support all three. Supporting perception means showing current values prominently and using deviation bars showing distance from normal operating range rather than just current values. Supporting comprehension means grouping related information, showing cause-effect relationships, and providing context about whether a trend is good, bad, or normal for this operating mode. Supporting projection means including predictive elements like ramp-to-target time displays, batch countdown timers, and dynamic limit indicators that show when a variable will reach a limit at its current trajectory.

Navigation design should include a consistent display header with facility name, display name, date/time, and operator ID; a navigation panel for moving between display hierarchy levels; and a global alarm summary always accessible from any display. Touchscreen-compatible designs require larger target sizes per ISA-101 guidance compared to mouse-operated workstations.