By Nick Sands
Topic Highlights
Alarm System Practices
Alarm Philosophy
Rationalization
Design
Training
Monitoring
Management of Change
Alarm System Problems
Nuisance Alarms
Stale Alarms
Alarm Floods
Alarm Clarity
Alarms for Safety
18.1 Introduction
The term alarm management refers to processes and practices for determining, documenting,
designing, monitoring, and maintaining alarm messages from process automation and safety systems.
Alarm system performance issues have contributed to many significant incidents in the process industries,
with an estimated cost over $13B USD each year in the U.S. alone [Ref. 1].
The issues with alarm systems are well known, as are the practices to address those issues. Practices
will be discussed first, followed by the main issues of alarm management and the application of the
practices to those issues. The last section mentions the limitations of alarms for risk reduction.
change. Alarm system improvement projects can be implemented without a philosophy, but the systems
tend to drift back toward the previous performance. Maintaining an effective alarm system
requires the discipline to follow these practices.
The philosophy begins with the basic definitions and extends those to operational definitions with the
principles of the alarm system. The philosophy should define such things as the number of levels of
alarm, the types of alarms allowed, and the assigned alarm priorities.
Alarm: An audible or visible means of indicating to the plant operator an equipment or process
malfunction or abnormal condition [Ref. 2].
Each safety related alarm must be tested prior to start-up and, thereafter, at an explicitly
documented frequency.
Alarm system performance must be monitored on a daily basis and corrective action taken
when performance limits are not met.
All additions, modifications, and deletions of alarms must follow a management of change
procedure.
Principles like these are critical to an alarm philosophy. They provide the standards against which all
potential alarms are tested. A well-defined set of principles will yield a consistent and useful set of
alarms.
18.2.2 Rationalization
Rationalization is the process of examining one alarm at a time against the principles and criteria
defined in the alarm philosophy. The product of rationalization is a set of consistent, well-documented
alarms. The documentation supports both the design process and operator training.
Rationalization begins with identifying the signal, the rationale for the alarm and the associated
action. If the alarm is consistent with the philosophy, it is prioritized based on consequences and
response time. Any further requirements for the alarm design are captured as well.
The alarm philosophy will capture information for each alarm, such as the basic control system
information:
Tag
Alarm type
Description
Units/states
Setting/alarm state
The tag is the tag number of the alarm in the database. The alarm type describes the alarm as high,
low, or a discrete state. The description is for the tag, from the same tag database. The units are the
engineering units for an analog type value, and the states are the discrete states of a digital value. The
setting is the analog alarm limit or the discrete state that generates the alarm.
Chapter 18: Alarm Management 231
Some information is necessary to document the alarm for procedures and training:
Consequence of deviation
Corrective action
Time for response
Consequence category
Basis
This information is required to train operators to respond to the alarm: specifically, what action is
necessary, and how fast it must be completed before the consequence results. Documenting the basis for
the alarm allows re-evaluation of the consequences, especially with process changes.
Priority
Retention period
Report requirements
Notification requirements
This information specifies properties of the alarm. The priority in the operator interface is a critical way
to designate the importance of the alarm. The alarm record may need to be kept for a certain period of
time, included in certain reports, or the alarm may be set up to trigger e-mail, pager, or voice mail
messages. These functions are defined in the philosophy, and the rationalization identifies individual
alarms that require these functions.
Example
A new tank containing flammable materials has the following alarms identified:
18.2.3 Design
The design phase utilizes the rationalized alarms and design guidance. Design practices are often
documented in a separate guidance document specific to the type and generation of the control system. As
systems change, the guidance should be updated to reflect features and limitations of the control
system. Design practices fall into three areas: the basic configuration of alarms, the human-machine
interface (HMI), and advanced techniques for managing alarms.
232 RELIABILITY, SAFETY AND ELECTRICAL IV
The guidance on basic configuration may include default settings for alarm deadbands, alarm practices
for redundant transmitters, timing periods for discrete valves, alarm practices for motor control logic,
and the methods for handling alarms on bad signal values. Many alarm system problems can be
eliminated with good basic configuration practices.
Deadband: the change in process value from the alarm point in the reverse direction of the alarm
necessary to clear the alarm state.
The guidance on the HMI may include alarm priority definitions, alarm color codes, alarm tones,
alarm groups, alarm summary configuration, and graphic symbols for alarm states. Alarm functions
are only one part of the HMI, so it is important that these requirements fit into the overall HMI design
philosophy. The consistent use of color for alarms is often listed as a principle.
A common component of the HMI design guide is a table of alarm priorities, alarm colors, and alarm
tones. Some systems have the capability to show shapes or letters next to alarms. This is a useful
technique for assisting color blind operators in recognizing alarm priorities.
Beyond the basic configuration and HMI design, there are many techniques to reduce the alarm load
on the operator and improve the clarity of the alarm messages. These techniques range from first-out
alarming to state-based alarming to expert systems for fault diagnosis. The techniques allowed should
be defined in the alarm philosophy, along with the implementation practices in the design guide.
First-out (First-up): A sequence feature that indicates which of a group of alarm points operated first
[Ref. 3].
Alarm suppression: Use of condition-based logic to determine that an alarm should not occur when
the base alarm condition is present.
State-based alarming: Use of measurements or models of the equipment or plant operating state to
suppress alarms when they are not needed and activate alarms in the operating states to which they
are relevant.
Dynamic prioritization: Use of measurements or models of the equipment or plant operating state to
change alarm priority based on the current operating state.
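The deadband and state-based alarming definitions above can be seen working together in the following added example, which is not part of the original chapter. The tag name, the operating-state names and the sample level signal are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class HighAlarm:
    """High alarm with a deadband and state-based suppression."""
    tag: str                    # constructed tag name
    limit: float                # alarm setting, engineering units
    deadband: float             # reverse travel below the limit needed to clear
    relevant_states: frozenset  # operating states in which the alarm applies
    active: bool = False

    def update(self, value, plant_state):
        """Evaluate one scan; return 'ALM', 'RTN' (return to normal) or None."""
        if plant_state not in self.relevant_states:
            # State-based alarming: the alarm is not needed in this state.
            was_active, self.active = self.active, False
            return "RTN" if was_active else None
        if not self.active and value >= self.limit:
            self.active = True
            return "ALM"
        if self.active and value <= self.limit - self.deadband:
            self.active = False
            return "RTN"
        return None

def count_annunciations(alarm, scans):
    """Number of times the operator is alerted over (value, plant_state) scans."""
    return sum(1 for value, state in scans if alarm.update(value, state) == "ALM")

# Constructed tank level signal in percent, noisy around a 90 % high limit.
NOISY_LEVEL = [89.6, 90.1, 89.8, 90.2, 89.9, 90.3, 89.7, 90.1, 88.9, 87.5]

if __name__ == "__main__":
    running = [(v, "RUNNING") for v in NOISY_LEVEL]
    for db in (0.0, 1.0):
        alarm = HighAlarm("LT-101.HI", 90.0, db, frozenset({"RUNNING"}))
        print(f"deadband {db}: {count_annunciations(alarm, running)} annunciations")
```

With no deadband the noisy signal re-alarms on every crossing of the limit; with a one-unit deadband the same signal alarms once and clears only when the level has genuinely fallen.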
Testing is a common requirement when the design is implemented. Testing requirements vary with
the type of alarms. Initial and periodic testing requirements should be documented in the
rationalization so the accommodations for testing can be made in the design step.
18.2.4 Training
Training is an essential step in developing an alarm system. Since an alarm exists only to notify the
operator to take an action, the operator must know the corresponding action for each alarm, as
defined in the alarm rationalization. A program should be in place to train operators on these actions.
Documentation on all alarms should be easily accessible to the operator. Beyond the alarm-specific
training, the operator should be trained on the alarm philosophy and the HMI design. A complete
training program includes initial training and periodic refresher training.
18.2.5 Monitoring
Monitoring alarm systems is a critical step in alarm management. Since each alarm requires operator
action for success, overloading the operator reduces the effectiveness of the alarm system. Instrument
problems, controller performance issues, and changing operating conditions will cause the
performance of the alarm system to degrade over time. Monitoring and taking action to address bad actors
can maintain a system at the desired level of performance.
The alarm philosophy should define report frequencies, metrics, and thresholds for action. Common
measurements include:
Measurement tools allow reporting of the metrics at different frequencies. Typically, there are daily
reports to personnel responsible to take action, and weekly or monthly reports to management. The
type of data reported varies, depending on the control system or safety system and the measurement
tool.
Distinct limits to trigger action should be set on the measurements. These limits are dependent on the
type of process and the resources to take corrective action. If the action limits are too relaxed, they will
not be effective. If they are too aggressive, they will be ignored. The performance metrics are usually
calculated per operator position or operator console.
Example
Alarm measurement trigger points and actions:
The Engineering Equipment Materials and Users Association (EEMUA) Publication 191, Alarm Systems:
A Guide to Design, Management, and Procurement, provides guidance on metrics for performance
classification. As above, these metrics are calculated per operator since they are related to the operator's
ability to process alarms.
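The per-console monitoring described in this section can be sketched as a daily report over the alarm journal. This is an added example, not part of the original chapter: the journal format, tag and console names are constructed, and the two action limits are placeholders for the values a site's alarm philosophy would define.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Placeholder action limits; the real values belong in the alarm philosophy.
FLOOD_LIMIT = 10                   # alarms per 10-minute window, per console
STALE_AFTER = timedelta(hours=24)  # continuously active for at least this long
REPORT_END = datetime(2024, 3, 2, 10, 0)  # constructed end of reporting period

def console_metrics(journal, report_end):
    """journal rows: (iso_time, console, tag, event), event 'ALM' or 'RTN'."""
    per_window = defaultdict(Counter)  # console -> window start -> alarms
    per_tag = defaultdict(Counter)     # console -> tag -> alarms
    standing = {}                      # (console, tag) -> time it went active
    for iso_time, console, tag, event in sorted(journal):
        ts = datetime.fromisoformat(iso_time)
        if event == "ALM":
            window = ts.replace(minute=ts.minute - ts.minute % 10, second=0)
            per_window[console][window] += 1
            per_tag[console][tag] += 1
            standing.setdefault((console, tag), ts)
        elif event == "RTN":
            standing.pop((console, tag), None)
    report = {}
    for console, windows in per_window.items():
        report[console] = {
            "total_alarms": sum(windows.values()),
            "peak_per_10min": max(windows.values()),
            "flood_windows": sum(n > FLOOD_LIMIT for n in windows.values()),
            "bad_actors": per_tag[console].most_common(3),
            "stale": sorted(tag for (c, tag), since in standing.items()
                            if c == console and report_end - since >= STALE_AFTER),
        }
    return report

def constructed_journal():
    """Constructed sample: one standing alarm, one chattering alarm, one normal."""
    rows = [("2024-03-01T08:00:00", "console-A", "PT-205.LO", "ALM")]  # never clears
    for i in range(12):  # LT-101.HI chatters 12 times between 09:00 and 09:06
        start = datetime(2024, 3, 2, 9, 0) + timedelta(seconds=30 * i)
        rows.append((start.isoformat(), "console-A", "LT-101.HI", "ALM"))
        rows.append(((start + timedelta(seconds=10)).isoformat(), "console-A", "LT-101.HI", "RTN"))
    rows += [("2024-03-02T09:15:00", "console-B", "TT-310.HI", "ALM"),
             ("2024-03-02T09:40:00", "console-B", "TT-310.HI", "RTN")]
    return rows

if __name__ == "__main__":
    for console, m in console_metrics(constructed_journal(), REPORT_END).items():
        print(console, m)
```

On the sample journal the report flags console-A for one flood window driven by a single chattering tag and for one stale alarm, while console-B stays within limits.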
While some alarms provide safety warnings, there is a key difference between an alarm system and a
safety system. The alarm function always requires an operator to take action. The safety function is
almost always designed to function without the operator. One consequence of this difference is that
the alarm system's effectiveness is limited by the operator's ability to respond correctly to each alarm.
An operator can be overwhelmed as the rate of alarms or the complexity of the response increases.
When the process control system is used for safety related alarms, monitoring can maintain the alarm
system performance. Even with monitoring, the risk reduction factor for the basic process control
system (BPCS), including the process alarms, is limited to 10 unless the system is treated as a safety
instrumented system [Ref. 6].
18.5 References
1. Nimmo, Ian. Abnormal Situation Management.