Alarm floods and plant incidents
Alarm floods and their contribution to industrial incidents can be controlled successfully through all process states
DUSTIN BEEBE, STEVE FERRER and DARWIN LOGEROT
Most of the incident investigations performed by the US Chemical Safety Board (CSB) cite alarm floods as being a significant contributing cause to industrial incidents. In fact, alarm management has become identified as one of the key issues listed on the cover of recent CSB investigation reports. The British-based organisation Engineering Equipment & Materials Users’ Association (EEMUA) came to the same finding in its report from 1999 when it analysed major incidents around the world, including Three Mile Island, Bhopal and Texaco Milford Haven.[1] Therefore, the connection of alarm floods to incidents has been well documented for over 12 years. On the whole, industrial progress controlling floods in those 12 years has been nil. Many corporations and plant locations are attempting to do so, but many engineers, including alarm management vendors, do not know what it takes to control floods under all operating conditions. This article shows examples of good alarm management programmes and how they successfully control alarm floods under all operating conditions.
Definition and impact of an alarm flood
An alarm flood has been defined by ANSI/ISA 18.2 as being 10 or more annunciated alarms in any 10-minute period per operator.[2] Since ISA issued the 18.2 standard over two years ago, recent OSHA audits have reported that questions on the subject came up during inspections of the plant. An attorney presenting on the topic at the Global Conference on Process Safety 2012 stated that alarms and alarm management were now frequently coming up in audits. It is obvious that OSHA considers the ISA 18.2 standard to be “recognised and generally accepted good engineering practices” (RAGAGEP). As a result, plant managers should be ready to have their alarm performance scrutinised.
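The definition above can be checked directly against an alarm journal. The following is an added example, not code from the article or from ISA 18.2: it slides a 10-minute window over each operator's annunciations and reports every flood with its first alarm. The event tuple layout, the console names and the tags are constructed for illustration, and treating overlapping qualifying windows as one flood is an assumption of this sketch.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # "any 10-minute period"
THRESHOLD = 10                   # "10 or more annunciated alarms"

def find_floods(events, window=WINDOW, threshold=THRESHOLD):
    """events: iterable of (timestamp, operator, tag) annunciations.
    Returns {operator: [(start, end, alarm_count, first_tag), ...]}."""
    by_operator = defaultdict(list)
    for ts, operator, tag in events:
        by_operator[operator].append((ts, tag))

    floods = {}
    for operator, rows in by_operator.items():
        rows.sort()
        recent = deque()      # indexes of alarms inside the sliding window
        episodes = []         # [first_index, last_index] per flood
        for i, (ts, _) in enumerate(rows):
            recent.append(i)
            while rows[recent[0]][0] <= ts - window:
                recent.popleft()                 # older than 10 minutes
            if len(recent) < threshold:
                continue
            if episodes and recent[0] <= episodes[-1][1]:
                episodes[-1][1] = i              # same flood keeps growing
            else:
                episodes.append([recent[0], i])  # a new flood starts
        floods[operator] = [
            (rows[a][0], rows[b][0], b - a + 1, rows[a][1]) for a, b in episodes
        ]
    return floods

def sample_journal():
    """Constructed journal: a trip on console-A, a busy but compliant console-B."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    journal = [(t0 + timedelta(seconds=15 * i), "console-A", f"A-{i:02d}")
               for i in range(12)]
    journal.append((t0 + timedelta(minutes=90), "console-A", "A-99"))
    journal += [(t0 + timedelta(minutes=i), "console-B", f"B-{i:02d}")
                for i in range(9)]
    return journal

if __name__ == "__main__":
    for operator, episodes in sorted(find_floods(sample_journal()).items()):
        for start, end, count, first_tag in episodes:
            print(f"{operator}: flood {start:%H:%M:%S}-{end:%H:%M:%S}, "
                  f"{count} alarms, first alarm {first_tag}")
```

Console-B raises nine alarms in nine minutes and is not flagged, which shows how close to the threshold a console can run without meeting the definition.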
Obviously, plants that do not currently meet the ISA 18.2 guidelines under all operating conditions must remediate or face the consequences. Those consequences are not limited to OSHA audits of the plant. Consider these items:
• It is commonly reported that 70% of plant incidents occur on startup or shutdown. Shutdown periods are where many alarm floods occur because of the sudden changes from the run state. Could the occurrence of these incidents be caused by one or more critical alarms being “hidden” under the flood of hundreds of alarms typical during shutdown? What about startup after a shutdown where alarm floods have occurred? Until the alarms have cleared and been reactivated, the operators are flying blind. What are the odds of an incident occurring when starting up your plant without alarms to annunciate?
• Are your safety-critical alarms immune to influence by alarm floods? Even special-sounding alarms can be missed when a cacophony of hundreds of flooding alarms is sounding.
• What about product quality, plant profitability or equipment damage — have any of these issues suffered when an alarm flood was a significant distraction for the operator while operating the process?
• Has your plant ever performed an incident review to find that a critical alarm was missed? Was personnel action taken against the board operator for poor performance? Was the flood of alarms even considered as a distraction for the board operator?
• Does your plant have any data on how many alarms are missed due to distractions? How many redundant alarms annunciate — alarms with little or no meaning — at your plant? How many loss of containment incidents, injuries or worse can be tracked back to an alarm flood?
From the beginning
Over the last 30 years, the number and frequency of alarms have changed with technology. In the old days of pneumatic controls, installing a new process alarm had significant costs. Since the use of computer-based control systems, new alarms cost nothing. As a result, the number and frequency of alarms have increased significantly over the years. This phenomenon has reached a point where a term was needed to define the experience when numerous alarms are annunciating in a stream — an alarm flood.
Alarms are typically configured for a single operational state — run. Alarm floods typically occur upon a change of state in the process. This could be from run to shutdown or run to upset, or can even include a change from state 1 to state 2. This is because operating parameters change upon a change of state in the process and those changes cause the floods. This phenomenon can affect hundreds or even thousands of alarms. Therefore, upon process state changes, many alarms can sound in a short period of time. The first alarm or two indicate the initiating event, alerting the operator to the change. After this, many unnecessary and redundant alarms resulting from the same root cause are annunciated and displayed to the operator. If another situation develops, those alarms would be added to the existing flood of alarms without any differentiation between the two root causes for the operator. The operator is faced with evaluating these alarms for any process information they might provide, then acknowledging them. So many alarms can show up at once that this job can become very difficult. In fact, the observation has been made that so many alarms are going off that, by cause and effect, acknowledging alarms becomes the only response of the operator.
What is the problem?
The EEMUA, when speaking about the impact of alarm floods on catastrophic incidents, said “they were a major contributor, and the loss incidents frequently involved the operator being overloaded with alarm floods.”[1]
EEMUA Publication 191 provides several high-profile examples where poor alarm system performance (floods) contributed to financial loss, environmental damage, injuries or death. Based on this information, the following equality has been proposed to emphasise proper thinking and priority of alarm management projects for corporate managers, operations managers, and managers of industrial health, safety and environmental departments:
Floods = incidents = loss
Conversely, the control of alarm floods will result in fewer incidents, less loss and, as a result, lower risk. Industrial plants have reported lower insurance rates as a result of lower risk attributed to superior alarm management performance.