HMIs, buttons, indicators; usability and lockouts.
Good HMIs prevent incidents ratings never will. Define workflows and layouts so operators can read states, health, and alarms at a glance (342, 536). Specify call points/keys near HVM bollard arrays (345), clear error messages, and language/accessibility support (237). Permissions/lockouts protect safety (343, 355). Provide a screenshot/spec pack and run usability tests that roll into SAT (634–638) and training (737). Include one-sentence context that naturally links upward to the parent hubs (this section and the chapter hub). Add SIRA context with a link to SIRA Bollards (UAE) when relevant. Link installation pages only if helpful: What to Expect and Installation Guide.
Important: This is a general guide. For live projects we develop a tailored
Method Statement & Risk Assessment (MS/RA) and align with authority approvals (e.g., SIRA) where in scope.
524.1 Operator workflows
Design screens around tasks and states (545). Workflows reduce HVM bollard mistakes.
Start with real tasks: request entry, authorize, execute, and recover—mapped to a simple state machine and the Request→Authorize→Execute pattern. Keep lane context obvious (lane ID, mode, interlocks). Link each action to a visible outcome and a recovery hint so operators don’t guess under pressure.
Embed operator guardrails: show pending permissions, modes of operation, and any interlock inhibitions before a command is accepted. Cross-reference Operator Workflows & Error-Proofing and Control logic for automatic HVM Bollards for deeper patterns.
| Aspect | What matters | Where to verify |
|---|---|---|
| Task clarity | Single obvious next action; no hidden paths | Workflow patterns |
| Safety | Interlock prompts + inhibit reasons | Interlock matrix |
| Traceability | Operator ID, timestamped events | Alarm philosophy |
524.2 HMI layout & states
At-a-glance status, clear buttons, and lockouts. Good layout protects crash rated bollard interlocks (352).
Use a consistent top band for lane identity and live mode, a central status panel (ready, moving, fault), and a bottom command strip with guarded actions. Distinguish fail-safe (up) vs fail-secure (down) states and show any BMS/SCADA authority.
Commands must be deliberate: use confirmation dialogs for high-risk actions (e.g., Emergency Fast Operation) and disable buttons when the interlock matrix blocks them. For cyber resilience, avoid ambiguous icons; pair text labels with icons and keep a local “safe local mode” indicator.
524.3 Status/health indicators
Expose health, comms, and mode (544). Indicators help HVM bollard triage.
Surface the essentials: local/remote authority, communications link, KPI counters, and environmental alarms (over-temp, enclosure door open). Provide a compact “health tile” per lane with green/amber/red plus a drill-down to the Operational Dashboards page.
Record all faults in a COS log with timestamps (NTP-synced) and an operator-readable explanation so SAT witnesses can trace the event chain later.
524.4 Call points & key switches
Place within reach, visible in queues (345, 353). Proper siting speeds crash rated bollard access.
Mount field devices where queues naturally form, ensuring visibility within the driver cone and the pedestrian egress cone. Label clearly and align engravings with HMI terminology to avoid mode errors. Include protected bypass key switches for stewarded events (with time-limited authority).
Coordinate with Field Devices and Safety Signalling to keep legends consistent and to avoid mixed iconography.
524.5 Messages & errors
Plain language, numbered codes. Messages guide HVM bollard recovery (536).
Pair human-readable text with a short code (e.g., “L2-203: Loop-B occupied—clear lane”) and add an operator recovery hint. Distinguish latched messages from transient notes and show the inhibit reason when interlocks block a command.
Keep a consistent alarm taxonomy with severities and ownership routing per Alarm Philosophy. For authority submittals in the UAE, include bilingual messages if SIRA is in scope (SIRA Bollards (UAE)).
524.6 Language/accessibility
Local language, contrast, and font size (237). Accessibility reduces crash rated bollard misuse.
Provide language toggle (EN/AR as needed), high-contrast palettes, and scalable text that preserves button hit-areas. Use clear shapes and text labels—avoid color-only cues for status. Where audible cues are acceptable, add a short audible beacon for critical transitions.
524.7 Lockouts & permissions
Role-based actions and confirms (343). Lockouts protect HVM bollard safety.
Implement role-based control, from steward to supervisor to engineer, tied to an authorization hierarchy. Show which privileges are active and why a command is locked out. For maintenance, provide LOTO checklists and a very explicit “Safe Local Mode” banner with inhibited remote control.
Link to Safety circuits for automatic HVM Bollards and Modes of Operation to align logic and permissions.
524.8 Screenshots/spec pack
Include example layouts for review (539). Packs accelerate crash rated bollard approval.
Build a review pack: typical screens (home, lane detail, alarm, inhibit reasons), button legends, font sizes, and color keys. Add an ICD extract listing HMI-to-PLC tags, plus matrix row traceability to SAT steps. Store the pack under the project’s Integration Documentation.
524.9 Usability testing
Dry-runs with operators (631–636). Usability stabilizes HVM bollard ops.
Run task-based tests with real stewards and supervisors: raise/lower, emergency stop, override inhibited, recover from fault, hand over to remote SCADA. Capture timings and errors, then tune labels and flows. Fold results into Interlock Matrix Verification and SAT / Witness Procedure, and include a short user runbook in the Client Training Plan & Sign-Offs.
Related
External resources
- ASIS Security Risk Assessment Standard
- FEMA 426 / DHS Reference Manual
- NPSA Hostile Vehicle Mitigation
524 HMI & Local Controls — FAQ
What’s the minimum an HMI must show for a single bollard lane?
Lane ID, live mode (Auto/Manual/Maintenance/Emergency), ready/moving/fault state, interlock status with inhibit reason, and who currently has control (local/remote).
How do we prevent unsafe commands from the HMI?
Use the interlock matrix to disable buttons when conditions are unsafe, explain the inhibit reason, and require confirmations for high-risk actions like EFO.
Where should we place local push-button stations?
At natural queue points within the driver’s sightline, clearly visible to stewards, and coordinated with signage and beacons; keep legends consistent with the HMI.
How do we validate the HMI before SAT?
Run task-based usability tests with operators, log timings and errors, fix labels/flows, and map each test to a SAT witness step with screenshots in the integration documentation.