HMI Design Is an FDS Specification, Not an Aesthetic Choice
The most common misunderstanding about HMI design in a GMP context: treating the HMI as a front-end cosmetic layer that can be designed by whoever has time, reviewed informally, and adjusted without consequence. In a validated SCADA system the HMI design is a set of FDS functional specifications — FUNC-HMI-001 through FUNC-HMI-00X — each with defined acceptance criteria that are tested at OQ. The HMI is not decorative. It is the operator's primary interface with the process, and the design decisions made during development directly affect whether operators can respond correctly to process conditions and alarms.
This has practical consequences for the engineering team. The HMI design must be frozen as part of the FDS before development begins. Post-FAT HMI changes — even cosmetic ones like moving a label or changing a background colour — are change control events if they affect any validated element. An HMI screen redesign (moving from one layout to another, changing the navigation structure) is a Type 1 major change requiring QA Manager approval and re-test. This is not bureaucratic obstruction — it is what "validated state" means for the HMI layer.
The Colour Standard — Why Consistency Is Testable
The colour standard for a GMP SCADA HMI must be defined in the FDS and applied consistently across every screen. "Consistently" means exactly — not approximately. A conductivity value that displays green on the overview screen and teal on the process area screen is an inconsistency that an OQ tester must raise as a deviation. The colour standard is not a preference — it is a specification that informs operator response: an operator who sees yellow knows what it means, and what it means must be the same on every screen.
The five-colour standard — grey (off/inactive), green (running/normal), yellow (warning), red (alarm/critical), blue (manual mode) — covers every equipment and process state. The standard must be defined in the FDS with explicit RGB or hex values, not just colour names. "Green" interpreted by one developer as RGB(0,200,0) and by another as RGB(50,150,50) produces an inconsistent result that fails the colour standard test. The FDS specifies the exact colour code. The SCADA developer implements it. The OQ tester checks it against the FDS specification screen by screen.
This is not a theoretical concern. At FAT and OQ on pharma SCADA projects, colour inconsistencies between screens are regularly raised as deviations. Common examples: the alarm banner uses a slightly different red than the process value alarm indicator; a pump status indicator uses a different shade of green on the maintenance screen than on the overview screen; a manual mode indicator is blue on one screen and purple on another because a developer used a slightly different hex value. Every deviation must be corrected and re-tested before the protocol is closed. Define the exact hex values in the FDS and build a colour palette file for the SCADA project that developers reference — do not rely on visual approximation.
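As an added illustration that is not part of the original article, the following Python script holds a five-colour standard as exact hex values (hypothetical codes chosen here, not from any real FDS) and checks constructed screen definitions against it the way an OQ tester would, flagging the near-miss green and the purple-for-blue case described above.

```python
# Added example, not from the article: an FDS palette held as exact hex values
# plus an OQ-style checker. All codes and screens are constructed.
FDS_PALETTE = {  # five-colour standard with exact codes (hypothetical values)
    "off":     "#808080",  # grey:   off / inactive
    "normal":  "#00C800",  # green:  running / normal, RGB(0,200,0)
    "warning": "#FFD700",  # yellow: warning
    "alarm":   "#FF0000",  # red:    alarm / critical
    "manual":  "#0000FF",  # blue:   manual mode
}

def normalise(hex_colour):
    """Canonical form so '#00c800' and '#00C800' compare equal."""
    return hex_colour.strip().upper()

def check_colour_standard(screens, palette=FDS_PALETTE):
    """Return deviations as (screen, element, state, actual, expected).
    screens maps a screen name to [(element, state, hex_colour), ...].
    Any shade other than the exact FDS code is a deviation, including a
    'close enough' green; an unknown state is reported with expected=None.
    """
    expected = {state: normalise(c) for state, c in palette.items()}
    deviations = []
    for screen, elements in screens.items():
        for element, state, colour in elements:
            actual = normalise(colour)
            if state not in expected:
                deviations.append((screen, element, state, actual, None))
            elif actual != expected[state]:
                deviations.append((screen, element, state, actual, expected[state]))
    return deviations

# Constructed screens reproducing the deviations described above.
SAMPLE_SCREENS = {
    "Overview": [
        ("P-101 status", "normal", "#00C800"),
        ("Alarm banner", "alarm", "#FF0000"),
        ("Conductivity", "normal", "#00c800"),  # case only: not a deviation
    ],
    "Maintenance": [
        ("P-101 status", "normal", "#329632"),  # RGB(50,150,50): wrong green
        ("Loop mode", "manual", "#800080"),     # purple where blue is specified
    ],
}

if __name__ == "__main__":
    for deviation in check_colour_standard(SAMPLE_SCREENS):
        print("DEVIATION:", deviation)
```

The palette dictionary is the kind of single referenced source the text recommends; exporting it to the SCADA project's colour palette file keeps developers and the OQ checker on the same values.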
The Main Overview Screen — What It Must Show
The main overview screen is the most important screen in the system from a GMP perspective. It is where the operator spends most of their time. It must provide a complete situational awareness picture without requiring any navigation. The FDS must specify exactly what the main overview displays — not "relevant process information" but each element explicitly.
The required elements for a GMP process SCADA main overview are not arbitrary. They represent the minimum information an operator needs to make a correct response decision at any moment:
- All critical quality parameter current values with colour-coded status indicators: Conductivity, temperature at all monitoring points, TOC, distribution pressure — displayed simultaneously on one screen, without scrolling. An operator who must navigate to see a critical parameter is an operator who may miss an alarm.
- Active alarm count and highest-priority active alarm: The alarm banner must show not just that alarms exist but how many and what the highest priority is. An operator who sees "3 alarms" and cannot immediately see that one of them is Critical may not respond with the urgency required.
- System operational mode: Normal, Startup, Shutdown, Sanitization, Maintenance — displayed as a labelled indicator with the appropriate colour. An operator who does not immediately know what mode the system is in may take an inappropriate action.
- Distribution loop status: Supply or divert-to-drain. This is a critical quality state — a loop in divert mode means potentially non-conforming water is being rejected. It must be visible on the overview without navigating to a detail screen.
- Sanitization cycle status: Active or inactive, and if active, which phase. An operator who cannot see at a glance that a sanitization cycle is running and which phase it is in may attempt manual operations that conflict with the cycle sequence.
The FDS specification must include a display update rate: "Display updates maximum every 2 seconds" is an example of a testable specification. A display that updates every 10 seconds while the process changes every second is not providing real situational awareness. The update rate is tested at OQ — the tester triggers a parameter change and measures the time to display update.
Navigation Design and the 3-Click Rule
The 3-click rule is a common usability principle that has been given FDS status in GMP SCADA design: any screen in the system must be reachable from the main overview within 3 clicks or touch interactions. This is not a preference — it is a testable acceptance criterion. The OQ test (OQ-061) navigates five specific screen pairs and counts the clicks. All five must reach their destination in 3 or fewer interactions. Any screen that requires 4 or more clicks from the overview is a navigation deviation.
The navigation structure must be specified in the FDS as a hierarchy: Overview → Process Area → Equipment Detail → Configuration popup. The FDS must state explicitly that the active alarm summary and process trend screens are accessible within 1 click from any screen via a permanently visible toolbar. This "1-click from anywhere" requirement for alarms and trends is a safety design — an operator in the middle of a configuration task must be able to reach the alarm summary without navigating back through the hierarchy.
Two navigation requirements that must be in the FDS and are frequently missed:
- Breadcrumb trail: All non-overview screens must display a breadcrumb trail showing the navigation path (e.g., Overview / Generation Area / Storage Tank / Temperature Control). An operator who has navigated into a detail screen must always be able to see where they are in the system hierarchy without having to remember their navigation path.
- Back navigation on all screens: Every screen must have a back navigation control. An operator should not have to use the overview as a hub for every navigation step — they should be able to step backwards through their navigation history.
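An added example, not from the original article, that models the navigation hierarchy as a click graph and runs an OQ-061 style check: shortest click path from the Main Overview, the breadcrumb trail for that path, and the 1-click-from-anywhere toolbar rule. The screen names and links are constructed placeholders standing in for the FDS screen list.

```python
# Added example, not from the article: navigation hierarchy as a click graph
# with an OQ-061 style 3-click check. Screen names and links are constructed
# to show the Overview -> Process Area -> Equipment Detail -> Configuration levels.
from collections import deque

HIERARCHY = {  # parent -> children, one click per link
    "Overview": ["Generation Area", "Distribution Area"],
    "Generation Area": ["Storage Tank", "RO Unit"],
    "Storage Tank": ["Temperature Control"],
    "Distribution Area": ["Loop Pump"],
    "Loop Pump": ["Pump Config"],
}
TOOLBAR = ["Alarm Summary", "Trends"]  # permanent toolbar: 1 click from anywhere

def links_from(screen):
    """Everything reachable in one interaction from `screen`."""
    return HIERARCHY.get(screen, []) + TOOLBAR

def click_path(start, target):
    """Breadth-first search for the shortest click path, or None if unreachable."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in links_from(path[-1]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def breadcrumb(path):
    """Breadcrumb trail text in the FDS form, e.g. 'Overview / Generation Area'."""
    return " / ".join(path)

def oq_061(pairs, max_clicks=3):
    """Per pair: (start, target, clicks, passed); clicks is None if unreachable."""
    results = []
    for start, target in pairs:
        path = click_path(start, target)
        clicks = None if path is None else len(path) - 1
        results.append((start, target, clicks, clicks is not None and clicks <= max_clicks))
    return results

def one_click_from_anywhere(target):
    """True when every screen reaches `target` in at most one click."""
    screens = set(HIERARCHY) | set(TOOLBAR) | {c for kids in HIERARCHY.values() for c in kids}
    return all((p := click_path(s, target)) is not None and len(p) <= 2 for s in screens)
```

Running `oq_061` over the five FDS-listed screen pairs gives the click counts the protocol records; a `None` count means the screen is unreachable from the overview, which is a deviation in its own right.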
Simulation and Maintenance Mode Indicators
Two HMI design requirements that most first-project engineers underspecify, both of which have direct GMP compliance implications:
Simulation mode indicator: When a GMP-critical tag is in simulation mode (a forced software value substituting for the real sensor reading), the HMI display of that tag must carry an unambiguous simulation indicator. In the SDS the typ_AI_GxP UDT includes a b_Simulated flag — when this flag is true, the HMI must display the tag value with a clear visual indicator that it is simulated. A yellow hatched border, a "SIM" label overlaid on the value, or a simulation banner are all acceptable approaches. What is not acceptable is displaying a simulated value with no visual distinction from a real value. An operator who acts on a simulated value believing it to be a real process value is a patient safety risk.
Maintenance mode indicator: When an instrument or control loop is in maintenance mode (out of service, manually controlled), the HMI must show the out-of-service state clearly. The blue colour standard covers the manual mode state. But the out-of-service state also requires a text indicator — "OUT OF SERVICE" or "MAINTENANCE" — that is visible at the equipment detail level and summarised at the overview level (either via a maintenance mode count indicator in the status bar or via a dedicated maintenance mode summary screen accessible in 1 click).
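An added example, not from the original article, that serves both the main overview requirements listed earlier and the simulation and maintenance indicators above: it derives per-tag display records (value with units, colour state, mandatory text indicator) and the overview-level counts from typ_AI_GxP-style records. Only b_Simulated is taken from the page; the other field names, the priority set and the priority-to-colour mapping are assumptions.

```python
# Added example, not from the article. Only b_Simulated is the article's UDT
# flag; the other field names, the priority set and the priority-to-colour
# mapping are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

PRIORITY_ORDER = ["Critical", "High", "Medium", "Low"]  # assumed priority set

@dataclass
class GxpTag:
    name: str
    value: float
    units: str                            # engineering units are mandatory
    alarm_priority: Optional[str] = None  # None when no active alarm
    b_Simulated: bool = False             # flag from the typ_AI_GxP UDT
    b_Maintenance: bool = False           # assumed out-of-service flag

def display_record(tag):
    """Value text with units, colour state and the required text indicators."""
    if tag.alarm_priority == "Critical":
        state = "alarm"                 # red
    elif tag.alarm_priority is not None:
        state = "warning"               # yellow
    elif tag.b_Maintenance:
        state = "manual"                # blue per the colour standard
    else:
        state = "normal"                # green
    labels = []
    if tag.b_Simulated:
        labels.append("SIM")            # a simulated value is never unmarked
    if tag.b_Maintenance:
        labels.append("OUT OF SERVICE")
    return {"tag": tag.name, "text": f"{tag.value:.2f} {tag.units}",
            "state": state, "indicator": " ".join(labels)}

def overview_status(tags):
    """Active alarm count, highest priority, and sim/maintenance counts."""
    active = [t.alarm_priority for t in tags if t.alarm_priority is not None]
    highest = min(active, key=PRIORITY_ORDER.index) if active else None
    return {"alarm_count": len(active), "highest_priority": highest,
            "simulated_count": sum(t.b_Simulated for t in tags),
            "maintenance_count": sum(t.b_Maintenance for t in tags)}

SAMPLE_TAGS = [  # constructed sample records
    GxpTag("Conductivity", 0.85, "uS/cm"),
    GxpTag("TOC", 120.0, "ppb", alarm_priority="High", b_Simulated=True),
    GxpTag("Loop temperature", 82.4, "degC", alarm_priority="Critical"),
    GxpTag("Distribution pressure", 2.1, "bar", b_Maintenance=True),
]
```

The `overview_status` dictionary is what the status bar renders (alarm count, highest priority, simulation and maintenance counts); the `indicator` field is the text overlay that the FDS requires in addition to the colour state.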
What the FDS Must Specify for HMI
The FUNC-HMI sections of the FDS must be specific enough to serve as OQ acceptance criteria. Reviewing the FDS against this checklist before QA approval avoids deviations at FAT and OQ.
- Exact colour codes (hex or RGB) for all five status states — not colour names
- Main overview screen content listed element by element with engineering units specified
- Display update rate in seconds — specific value, not "real-time"
- Navigation hierarchy defined: all four levels named with example screen names
- 3-click rule stated explicitly as a testable requirement
- Alarm and trend screens accessible within 1 click from any screen via permanent toolbar — stated explicitly
- Breadcrumb trail required on all non-overview screens
- Back navigation required on all screens
- Simulation mode visual indicator — description of the indicator design
- Maintenance / out-of-service visual indicator — description with reference to blue colour standard
- Engineering units displayed on all process value indicators — no raw counts or percentages without unit context
The FDS-SYS-001 FUNC-HMI-001 specifies the main overview screen content element by element: all critical quality parameter values with colour-coded status indicators, active alarm count and highest-priority alarm, system operational mode, distribution loop status, and sanitization cycle status with current phase — all displayed simultaneously without scrolling, updating every 2 seconds maximum. The five-colour standard (Grey = Off/Inactive, Green = Running/Normal, Yellow = Warning, Red = Alarm/Critical, Blue = Manual Mode) is defined in FUNC-HMI-001 and applies uniformly across all screens. FUNC-HMI-002 specifies the navigation hierarchy, the 3-click rule as a testable requirement, the 1-click access from any screen to alarm summary and trends via permanent toolbar, the breadcrumb trail requirement, and back navigation on all screens. The OQ-SYS-001 OQ-061 test case verifies the 3-click rule: five screen pairs navigated from the Main Overview, click counts recorded, pass criterion is all five reachable in 3 or fewer clicks with breadcrumb trail visible. The SDS-SYS-001 Section 4 documents the SCADA screen architecture including the simulation indicator implementation for tags with b_Simulated = TRUE.