Darwin Logerot, Stephen Reilly
“By failing to prepare, you are preparing to fail.” – Benjamin Franklin
The need for managing alarms in an industrial plant stems from advances in control systems technology and resulting increasing sophistication/complexity of systems. With increasing controls complexity comes increasing numbers of configurable alarms. Alarms system design is typically not considered an integral part of the unit design philosophy, and as a result, many more alarms are active in most plants than are necessary. Operators’ time is sometimes, especially in upset conditions, consumed with answering a flood of alarms rather than dealing with the upset condition and returning the plant to normal operation or at least a safe state. As a result, many plants are implementing alarm management in one form or another.
So for proper preparation, here are some basic questions to ponder before embarking on an alarm management project.
1. Why should I do it?
Perhaps a more appropriate question is “Can I afford NOT to do it?” Recent trends in the refining and chemical industry are aimed at doing more with less. Fewer operators with a wider range of responsibility for each operator is becoming commonplace. In addition, there has also been a trend toward increasingly complex and sophisticated control systems. This brings with it a tendency toward more points and a resulting increase in configured alarms. Fewer operators coupled with more alarms produces information overload. The important information—the alarm the operator really needs to see—is easily buried.
In addition, Process Safety Management (PSM) dictates that industrial facilities handling highly hazardous chemicals be designed in accordance with accepted industry standards and with “recognized and generally accepted good engineering practices”. Alarm management is gaining widespread acceptance; ISA Standard 18.2 has been updated and is widely in use. In some cases, this now carries the weight of a regulatory requirement. In some facilities, PSM managers are taking responsibility for alarm management, taking over from the control group and operations managers.
2. What will be the scope of my project?
Some may attempt to embark upon a project that just covers the top “bad actor” alarms. Cover the worst ones this month, the next bad batch next month, etc. The thinking here is to get the most bang for the buck and not to try to tackle a large project, especially if manpower is limited.
But, this line of thinking misses an essential point, that is, that the alarm system is an integral part of the control system, which itself is an integral part of the chemical process as a whole. Taking a holistic approach to alarm management will result in a more effective project. This approach evaluates each and every alarm in a unit, considering the alarm configuration, the control system, and the chemical process as parts of a unified whole. In this line of thinking, how the alarm system affects the process (and its operators) and vice versa are taken into consideration. In effect, this becomes an alarm design project as opposed to simply alarm management.
3. Can I do it alone, and if not, with whom should I work?
The short answer here is probably not. If your facility is like most, the staff is at or near the point of overload; any new project, especially one as labor intensive as a complete alarm management review, cannot be handled with existing staff levels. In addition, if the primary team members are not well-versed in the principles of alarm management, then the project may not ever get off the ground. It is usually in the best interest of the facility to plan to hire a qualified alarm management consultant. Otherwise, the results may not be worth the cost of the project. You do however need to have an alarm management champion or champions at the site and they need to take over when the consultant leaves for day to day tasks.
In considering who the consultant should review the work with, a multidisciplinary alarm management team will be most effective in achieving optimum results. Representatives from operations, control engineering, and process engineering are essential. In addition, technical specialists from other areas, such as maintenance, mechanical engineering, electrical, instrumentation, etc., should be available for consultation as needed. Another important team member is the project leader / facilitator, an experienced alarm management professional. The project leader should be a degreed Chemical Engineer, someone who has a good, broad understanding of chemical and refining processes.
All team members need not be present at all times during the rationalization meetings. As a minimum, the project leader and operations representative(s) should be full-time team members; the others can be part-time participants.
4. Do I understand what’s going on behind the scenes, among other technical considerations?
When an alarm rationalization is conducted, revisions and suggestions are made and agreed-upon at the generic, basic level, but without the understanding of how such alarm properties as a trip point or priority are specifically configured within the control system, the results will fail to be implemented and get off the ground!
Whoever becomes the project leader should be able to answer some detailed questions. How many alarm types are configured in the control system? How is each alarm type defined? Which alarm properties can be (directly) modified on the spot, and which ones require a planned system restart to properly load the changes?
Once that’s known, it will also help to be aware upfront of where your potential changes might be restricted or denied. Are any interlocks tied directly to alarm active statuses or trip points? Are any alarms referenced as PHA safeguards or LOPA IPLs in plant documentation that would require extensive approval to change?
5. Should my alarm configuration be static?
Is the chemical process static? If not, the alarm configuration shouldn’t be either! This is probably the number one problem with existing alarm configurations in refineries and chemical plants today. The alarms are designed for a running unit, operating at or near steady state. But, how does the process start up or shut down? What happens during normal transitions? How about regenerations? Furnace decoking? Alternate unit feeds and/or products?
A well-designed alarm system will consider each of the above scenarios and will include some form of dynamic management that is capable of changing alarm settings as it detects a new operating state. Transition management between operating states is also a key element of a well-conceived and designed configuration. For instance, when the state selector detects that the unit has reached its run state, if ALL process alarms are enable instantaneously, then a flood of useless alarms may result—all process parameters may not have cleared their alarm limits.
If you’ve performed a static rationalization, all is not lost however. The design can be reviewed and dynamic alarm logic can be added.
Bottom line is this: don’t expect a static alarm configuration to perform well for a plant that is by no means static!
6. How will I manage alarm disabling?
What happens when an alarm is meaningless or becomes a nuisance? A bad switch or transmitter can cause the alarm to sound unnecessarily. Or, the transmitter is correct, but the process condition does not indicate a true problem (equipment may be down or bypassed). Or worse, the alarm can sound repeatedly, creating a nuisance distraction for the operator. Too often, problem alarms are easily disabled by the operator and then are forgotten. The result is that the root cause of the problem is not addressed, and the alarm will not be available when it is really needed.
A better solution is to allow operators to shelve alarms, using a software tool designed for this purpose. The shelving tool will temporarily disable problem alarms but will not allow them to be forgotten. Shelved alarms are kept on an easily retrievable list, and periodic reminders and reports can be configured.
7. What effect will alarm management have on operating culture?
This answer depends significantly on the current operating culture. In some plants, there may be a culture of “operating by alarm”. That is, few operating adjustments are made unless an alarm sounds. Still others may have so many alarms sounding that most of them are ignored. In a plant such as either of these, the operating culture may need to experience a shift. After a sound alarm management project is executed and the system is installed and activated, the plant will usually experience a significant drop in the number of annunciated alarms. As a result, operators used to waiting for alarms to make process moves will need to pay closer attention to plant conditions. Those who are accustomed to ignoring most alarms they receive will need to change that practice as well. The alarms that are annunciated will usually indicate plant conditions that do require attention. Ignoring alarms will no longer be a viable option. If in your plant the operators are attentive to the process, usually make proper adjustments before alarm conditions are reached, and respond promptly when an alarm is received, then little culture change will be necessary.
Of course, most operating plants are between the extremes indicated by the examples above. The amount of culture adjustment necessary will vary with each location and unit. What is important to note is that after alarm management, prompt response to all annunciated alarms will be needed. Also, this prompt response will be better facilitated by a well-designed alarm configuration.
8. How will I maintain the integrity of my alarm configuration?
Unauthorized changes can adversely affect performance of even a well-designed alarm configuration. For this reason, a good audit and enforcement tool is essential. Such a tool will regularly review alarm settings against approved values and will report discrepancies. If the user desires, it will also enforce important alarm settings back to their approved values.
9. Is the completion of my project the end of my alarm management effort?
In a word, no. Alarm management is not defined by the beginning and end of a single project but can and should be an ongoing effort in any plant. When the initial project is done, there will inevitably be some adjustment required. The initial alarm configuration is seldom the final optimum, and continuous improvement opportunities will always be present.
In addition, alarm configuration impacts should be included in the site’s Management of Change program. Any time the plant is revised, the alarm system should be revised accordingly. If this is not done, then the advantages gained in the initial alarm management project could easily be lost.
Another consideration is the potential blending of alarm management efforts into a unit’s PHA revalidations. Some of the questions that the alarm management team asks itself are similar if not exactly the same as those asked by the PHA team. What are the potential causes of a deviation that triggers an alarm? What are the consequences of inaction? What action is expected to correct the problem? And, process alarms are often listed as safeguards in the PHA documentation. Problems can arise if the alarm management team decides that a particular alarm isn’t needed, but the PHA team included it in their documentation.
10. How will I measure success?
There are a number of metrics available that are generally accepted as measurement tools for alarm management projects. Number of alarms received per unit time, peak alarm rates, and alarm flood analysis are all important measurements of success of any alarm management effort. There are a number of software tools on the market to aid a plant in developing these key statistics. But, there are some caveats that should be applied to any analysis based on metrics. First, an absolute metric alone is not a valid measurement of an alarm system’s performance. Application of an absolute metric can be inaccurate, because this method generally ignores site-to-site and unit-to-unit differences. The more important validation of success is the before vs. after picture for a unit. How much improvement did I gain from the effort?
Also, the truly important metrics are very difficult to measure. How many, or what percentage, of the alarms received were relevant to the operator? Conversely, how many could have been ignored without consequence? Were any important process deviations missed? In other words, how many alarms were needed but not sounded? These answers can only be obtained from operator interviews or some other manual data gathering effort.
Also, metrics must never be used as a basis to compromise an alarm management process. If at the end of a well-designed, rational process, the results should violate some pre-established metric limits, then it is more appropriate to re-evaluate the metric or consider reallocation of operator responsibilities. There is an important distinction between a standard of measure used to assess the final results of a process and a justification to compromise that process.
With these questions confidently answered, your alarm rationalization project is all set! Your preparation will have served you well, minimizing the efforts needed to backtrack or clarify specifics, leaving a more-than-satisfactory experience for all involved.