You’ve saved all the overtime money you make as a DCS board operator and used it for flying lessons! You’ve learned to fly in a modern small single-engine aircraft. It utilizes a glass panel – the instrument functions are shown on two large LCD screens. These screens and the information embedded in them and accessible by them comprise a highly sophisticated HMI. For several years now, the old “steam gauge” type of instruments have been replaced with such modern avionics, even in simple trainer aircraft.
As you began your flight, the HMI assisted you through a comprehensive pre-flight checklist, engine start (with diagnostics), communications with Air Traffic Control (ATC), and even displayed an airport taxi diagram as a moving map showing your position.
An hour into your solo cross-country flight, the HMI’s moving map shows you at the proper altitude and on-course. Even small deviations are quite easy to detect and correct. Real-time satellite weather is depicted and you have chosen a course keeping you away from a cold front.
Shortly after changing from the left wing fuel tank to the right (and in a highly unlikely and rare case) you experience a total loss of power from the engine. During this highly stressful Abnormal Situation, the HMI comes to your aid in several important ways. It is designed to be useful in an abnormal situation.
- Your first priority is to maintain control of the aircraft and maximize your options. Your primary flight display immediately indicates your targeted best engine-out gliding airspeed, in case you had forgotten because of the stress! You immediately begin decelerating to this speed by gaining altitude, which will maximize your available gliding distance.
- There is no need to begin a frantic search of your paper charts. Your moving map display shows all of the nearest airports with their distances and directions. A circle is calculated and depicted around your current position. It indicates your maximum gliding range based upon your current altitude, your current and best glide speed, and even the direction and magnitude of the winds in the area. You note you have several miles of gliding distance available and there are 3 airports within range.
- You select the nearest airport, hit 2 buttons, and the autopilot turns to take you straight in that direction while holding your best glide speed. This is a great assistance while you proceed with the engine restart checklist.
- You do not have to fumble around for the Emergency Operations chapter and checklists in the aircraft flight manual. You do not have to rely on your memory of those procedures. The HMI’s Emergency Page shows an engine restart checklist designed for your specific engine, with the steps to recover from the most common problems.
- You quickly execute the steps displayed. Changing back to the original fuel tank restores full engine power. This was one of the first things on the emergency checklist. Knowing there is either bad fuel or a mechanical problem with the right fuel tank, you proceed to the nearest airport you selected for a precautionary landing. All of the information about the airport is now displayed on your screen – runway lengths, directions, radio frequencies, and availability of maintenance.
- You were already in contact with ATC, but if you had not been, their proper radio frequency is selectable based on your current GPS-derived location. Additionally, the universal emergency frequency, 121.5, is a single button-press away, as is the 7700 emergency transponder code. You call ATC and request a destination change for a precautionary landing and inform them of your situation.
- You make an uneventful landing. You know maintenance services are available at this airport, because it was shown on the HMI. If they weren’t, you could have diverted to another airport still within a safe distance.
Figure 1: Garmin® G1000 Dual-Screen Integrated Avionics in a Small Aircraft
Once on the ground, you have some coffee in the pilot’s lounge. You are something of a student of aviation history and you know aircraft instrumentation has come a long way in the past decade. Amazing functionality is available, even in small planes, that not even the most expensive airliners had a few years ago. The HMI of your plane was pre-programmed to actually help you in the stressful situation when you needed it the most, with the right information, portrayed in the right manner, and with the right automation.
On the ground…
The next week, you return to your job on the DCS board, using a multi-million dollar DCS to control a half-billion dollar chemical process. All is well, but then there is a recycle compressor trip. Dozens of alarms begin sounding simultaneously. The alarm display becomes a useless, distracting, scrolling list. The pressure on the upstream and downstream units swings wildly. Unless you handle this situation quickly and correctly, a total shutdown will occur and production loss will easily exceed $100,000.
- Your process control HMI was created when the DCS was installed 20 years ago. It was hurriedly designed and hasn’t changed much throughout its life. Your control displays are essentially little more than P&IDs with a bunch of live numbers sprinkled on them (similar to Figure 2).
- The procedure for handling a recycle compressor trip is contained somewhere in a six-foot set of books in the next room. You don’t bother to go try to find it – there isn’t time. You know it hasn’t been updated and projects have changed the recycle system anyway.
- Luckily you have many years of experience and have handled this upset before. You know the controls you need to manipulate are spread out on eight different displays. There are no displays at all designed to specifically help you in this situation.
- You have confidence you can handle this upset. As you begin your response, you have a fleeting thought, wondering what the outcome would be if this upset happened on the next shift – when the new guy is on duty.
Figure 2: Typical Process Industry Graphic
You successfully handled the upset and avoided a total shutdown. You reflect on how different the situation was in the airplane and here at work. You have a lot of ideas for improving the DCS’s HMI, but you know the person who knew how to modify the graphics left two years ago. Besides, there’s never time or money around here to improve things like this.
The next week a different upset happens while the new guy is on shift. The resulting total unit shutdown costs $320,000 of lost production.
…
There is no question that industrial HMI improvement is possible, and needed. The issue is always, “What’s the payback?” Management has been reluctant to pay for re-design of the alarm management system and the HMI as they felt they had already paid for the design once and could not see justification in paying again. Even so, management generally knows bad design has impacted operator performance and thus production.
However, another fair question to ask is, “Where was the dollar justification to install a poor HMI?” Is it a good idea to run a multimillion dollar facility with an operator interface that often impedes proper operation? Do you drive with your parking brake on? Of course not.
“If you think safety is expensive, try having an accident.”
Industry adage
A good HMI will facilitate proper operating techniques and a poor one will impede them. Many HMIs encourage “operating by alarms.” The operator monitors – to a varying extent – what is going on in the process, but most of the attention is based upon checking the almost continuous string of alarms coming in and adjusting the process in response to them.
Imagine you are on an airliner. The pilot heads in a general direction towards the destination. When the “Left-of-Course” alarm goes off, he turns to the right. Then, the “Too-High” alarm comes on and he begins a descent. When the “Right-of-Course” alarm comes on, he turns back to the left. This is followed by the “Too-Low” alarm and he pulls up. Would this provide for a smooth, economical ride? Would you fly this airline again? Doubtful. Yet many processes are operated in just this fashion – running by alarms.
Figure 3: “Operating By Alarm”
This is certainly not the paradigm in modern aviation. The pilot is continually monitoring course, speed, and altitude and making small adjustments to minimize the deviation long before any alarm would come in. The modern HMI (See Figure 1) is specifically structured to aid in situation awareness by these sorts of features:
- Moving-map GPS technology showing exact aircraft location, course, and speed relative to airspace boundaries, navigational aids, depicted roads, towns, lakes, airports, and other terrain features.
- Displays clearly showing and warning of proximity to rising terrain, obstacles, and other nearby aircraft, including voice alerts.
- Flight path deviations are continuously and clearly depicted. “Synthetic Vision” shows a generated view of the nearby terrain and course progress, even when the aircraft is embedded in clouds and the pilot has no outside visual references.
- Continuously-received satellite weather information (including lightning) can be overlaid on the mapping display.
- At-a-glance monitoring graphics for engine function are provided, along with interactive checklists for normal operation and emergencies.
- Access is provided to an embedded, detailed, and updated support information database about destinations, with information on runway arrangement, radio frequencies, fuel and maintenance facilities, and even the local restaurants.
- Analog and digital information is carefully chosen and each type is used and displayed where appropriate.
- Alarms in the cockpit are quite infrequent.

This type of instrumentation and HMI is now common on newer small, single-engine aircraft where the entire airplane costs much less than a single industrial DCS. The situation awareness of the pilot has been multiplied many times by these advances, making the aircraft more reliable, effective, and safe. Industrial HMIs lag far behind the aviation industry.
Buttons, Complexity, and Crashes
Aviation HMI technology has had its own technological growing pains. Early, numeric-entry-and-display-based Flight Management Systems (without graphic displays) were complex to program and read and this complexity helped lead to accidents.
An FMS input error led American Airlines Flight 965 to collide with a mountain in South America. Korean Airlines flights KAL 902 (in 1978) and KAL 007 (in 1983) were both shot down by the Soviets, when navigational errors led to airspace violation. There are many other examples.
The phrase “lack of situation awareness” is common in fatal aircraft accident reports. However, the aviation industry is generally much better at collectively learning from safety-related mistakes than the process industries.
There is now recent and process-industry-specific data as to the significant potential for improved operation based on proper HMIs. A study was performed by the Abnormal Situation Management (ASM) Consortium® and Nova Chemicals.
In this study, twenty-one experienced operators were tested using traditional graphics vs. graphics designed in accordance with many of the principles in this book. Using a sophisticated simulator, operators had to detect and respond to identical malfunction and upset scenarios. The results were clear. Using a High Performance HMI, more operators were able to consistently detect abnormal situations well in advance of alarms. The events were dealt with in far less time and with a much higher success rate.
Figure 4: High Performance HMI Benefits
Based on historical incident and upset rates, the anticipated annual savings by switching to a High Performance HMI were determined to be $800,000/year for one ethylene plant. There is clearly a financial return on investment for such efforts, along with a step change in the potential capability to avoid incidents and accidents (See the References section for the study information).
The ASM® Consortium estimates abnormal situations account for more than 20 billion dollars per year lost in just the U.S. economy. From 3% to 8% of industrial capacity is lost to such situations. It is estimated that 20% – 25% of this loss can be recovered with proper implementation of High Performance HMIs (and thus better situation awareness) and proper alarm management methods. These areas are linked and best results are obtained when both are addressed.
The processing industries in general make investments where the ROI is quantifiable and predictable, as exemplified by widespread investments in advanced process control. When it comes to investments related to mitigation of loss, the industry is historically slower to move, with a good example being the area of alarm management. Alarm management was recognized as a clear operational and safety issue as early as 1994 by industry leaders. However, it is only since 2003 that alarm management improvement has become an industry-wide best practice initiative.
The improvement of HMIs seems to be tracking the same timeline. It will be unfortunate if ten more years are required to widely recognize the influence of poor HMIs as a contributing factor to safety and operational mishaps.
The purpose of a High Performance HMI is to enable you to run smoothly and efficiently, as well as help you detect, diagnose, and respond to abnormal situations at the earliest possible moment and with minimum adverse consequences.
So, does your HMI embody concepts and abilities resembling the modern avionics shown earlier? Does it consistently and logically provide the operator all of the information needed for optimum process operation or is it closer to providing the much poorer “situation awareness” of the HMI for this other flying machine?
Figure 5: Commando Cody HMI (Poor HMI or not, wouldn’t you want one of these?)