
User interfaces should empower operators

Although predicting time to fail might head off a catastrophe, proper alarm management and human factors engineering are key factors in minimizing process upsets.

08/08/2005

By Wayne Labs, Contributing Editor

THE 1994 EXPLOSION and fires at the Texaco Milford Haven Refinery (U.K.) injured 26 people and caused around £48 million damage as well as significant production loss. The government investigation found these key user interface (UI) problems:

  • There were too many alarms and they were poorly prioritized.
  • The control room displays did not help the operators understand what was happening.
  • There had been inadequate training for dealing with a stressful and sustained plant upset.

In the March 23, 2005, Texas City, TX BP Amoco Refinery explosion, 15 workers were killed and 170 injured when a column was overfilled, overheated, and overpressurized on startup. In its self-conducted 47-page “Fatal Accident Investigation Report,” BP Amoco proposed several corrective actions. These included:

  • Conducting an independent third-party study of existing alarm systems to identify deficiencies and make improvements
  • Installing a high-level alarm on the column base level and a flow indication on the column overhead relief line
  • Reviewing the engineering structure to simplify the interface between Engineering and Operations
  • Establishing the sanctity of the control room (i.e., removing distractions), and reviewing staffing procedures.


The Holistic User Interface
The operator interface played a major role in both of these disasters. Ian Nimmo, P.E. IEng MIIE (CEI), and president, User Centered Design Services LLC, points out three problems that demand industry-wide attention. First, the quantity of system alarms overpowers the operator with unimportant information. Second, the GUI design has its own issues. The over-designed “Christmas Tree” HMI screen with flashing lights and zillions of colors needs simplification while old-style DCS text-based readouts need to be changed to easy-to-see graphical objects such as meters and strip charts. Third, human factors such as environment, length of shift and distraction levels must be reconsidered from a safety point of view.

Alarms
Dal Vernon Reising, principal research scientist, Honeywell ACS, asks, “What would your day be like if you got one email per minute?” Says Reising, “In studies the ASM Consortium conducted among its members, several manufacturers reported seven to eight hours each month where operators received 100 or more alarms in a 10 minute period.” And yet the Engineering Equipment & Materials Users’ Association (EEMUA) recommends that operators handle no more than one alarm every 10 minutes during normal operation, and not more than ten alarms in the first ten minutes following a major plant upset. Says Yokogawa’s productivity solutions consultant, Fred Woolfrey, “Even the best operator in the world, who knows the software and the process, can’t function with an alarm every minute.”

Nimmo says that engineers often design systems with unnecessary alarms because building alarms is easy and free. Today’s DCS offers more than 7,000 alarms, most of which can be built into the software for free without having to install an additional sensor or transmitter.

What can be done to empower the operator—rather than overpower him? Many vendors realize this is a major issue and are coming up with plans of attack. One such tool is Alarm Hiding, which locates and filters the alarm, based on the alarm’s condition. According to Roy Tanner, ABB System 800xA manager, the alarm is hidden until it’s absolutely necessary to reveal it.

This is not rocket science for machine designers, and according to Rockwell Automation IPB marketing programs manager, Don Steffens, alarm management should be built into the system design, starting at the controller level. “Alarms for missing power should be suppressed in the engineering design. The same is true for one alarm that may trigger 100 more alarms—the ‘waterfall effect’,” Steffens said. The operator only needs to see the initial cause—not the additional 100 alarms. According to Renée Brandt, product marketing manager for Visualization Products, Wonderware, large numbers of alarm bursts can be stored, historized, and analyzed—allowing the operator to determine which alarms need the quickest response. Alarm trees allow the grouping of alarms by hierarchy to discover the critical ones. Pareto charts can also be used to determine which alarms are frequent and which need greater attention.
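The alarm-rate figures quoted from EEMUA and the "waterfall" suppression and Pareto analysis described above can be combined in one pass over an alarm log. The following is an added example, not code from the article or from any vendor named in it; the alarm tags, the cause map and the sample log are constructed, and an alarm is assumed to stay active once raised.

```python
from collections import Counter

# Figures quoted in the article (EEMUA recommendation), per 10-minute window.
NORMAL_LIMIT = 1    # normal operation
UPSET_LIMIT = 10    # first ten minutes after a major upset
WINDOW_S = 600

# Hypothetical cause map: consequential alarm tag -> tag of its initial cause.
CAUSED_BY = {"P101_LOW_FLOW": "MCC1_POWER_LOSS",
             "P102_LOW_FLOW": "MCC1_POWER_LOSS",
             "C1_LOW_REFLUX": "P101_LOW_FLOW"}

def root_cause(tag, active):
    """Follow the cause map upward while the parent alarm is already active."""
    while CAUSED_BY.get(tag) in active:
        tag = CAUSED_BY[tag]
    return tag

def suppress_waterfall(events):
    """Keep only alarms whose cause is not already active (the initial cause)."""
    active, shown = set(), []
    for ts, tag in sorted(events):
        if root_cause(tag, active) == tag:
            shown.append((ts, tag))
        active.add(tag)
    return shown

def window_counts(events):
    """Alarms per 10-minute window, keyed by window start in seconds."""
    return dict(sorted(Counter(ts // WINDOW_S * WINDOW_S for ts, _ in events).items()))

def over_limit(events, limit):
    """Window starts whose alarm count exceeds the given limit."""
    return [start for start, n in window_counts(events).items() if n > limit]

def pareto(events):
    """Tags by descending frequency with cumulative share of all alarms."""
    total, running, rows = len(events), 0, []
    for tag, n in Counter(tag for _, tag in events).most_common():
        running += n
        rows.append((tag, n, round(running / total, 2)))
    return rows

# Constructed sample log: (seconds since start, alarm tag).
LOG = [(30, "T7_HIGH_TEMP"), (700, "MCC1_POWER_LOSS"), (702, "P101_LOW_FLOW"),
       (703, "P102_LOW_FLOW"), (710, "C1_LOW_REFLUX"), (720, "T7_HIGH_TEMP"),
       (900, "T7_HIGH_TEMP"), (1300, "T7_HIGH_TEMP")]

if __name__ == "__main__":
    print("windows over normal limit:", over_limit(LOG, NORMAL_LIMIT))
    print("shown after suppression:", suppress_waterfall(LOG))
    print("pareto:", pareto(LOG))
```

In the sample, suppression hides the three consequential alarms behind the power loss, while the Pareto ranking points at the repeating temperature alarm as the one that still pushes the window over the normal-operation figure.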

Two additional problems with alarms can be caused by operator perception—both of which are dangerous. First is ignoring a crucial alarm because it only shows up once or twice, is barely noticed, and doesn’t seem important among several other alarms (this was considered a major issue in the Texaco disaster). The second is not believing an important alarm because the instrument reading seems too far off to be at all credible. Says Bob Shepard, Invensys Process Systems, “The problem at BP stems from what I call ‘cognitive lockup.’ At BP Amoco, six operators were so concerned with how to get rid of all the material filling up the column that they missed the bigger picture.”
