De-mystifying alarm management standards
What is Alarm Management? Definition of Alarm Management. The EEMUA 191 definition of Alarm Management is “The processes and practices for determining, documenting, designing, monitoring, and maintaining alarm systems” to ensure safe, reliable operations.
Viewed : 284
This simple definition encapsulates the primary function of an alarm management system but only scratches the surface of what is required to ensure that your alarm system meets the relevant standards which are increasingly relied on as the basis for modern alarm system configuration.
The primary function of the alarm system is to ensure that operators are notified of an abnormal situation that requires actions be taken to prevent or mitigate the potential consequences that could occur if the abnormal situation goes undetected. This makes Alarm Management an essential layer of protection.
Layers of Protection
The concept of Layers of Protection is to provide Independent Layers of Protection around hazardous processes to reduce the risk of undesired consequences such as fire, toxic releases etc. (Refer to Figure 1). Alarm Management is, therefore, a Layer of Protection (LOP) and often used in Safety Integrity Level (SIL) analysis.
The intent of these alarms is to warn operators of an impending abnormal situation, which can often have safety related consequences. In determining the average Probability of Failure on Demand for a SIL loop that contains an alarm as a LOP, the probability of the operator failing to adequately respond to the alarm must be considered. Some plants assign an unrealistic probability of failure, especially where the alarm rates have been over the “maximum manageable” metric as identified in the EEMUA 191 and ISA 18.2 standards. This has the potential to make the SIL design for a loop inaccurate. How do these standards impact the design of an Alarm Management System?
Alarm Management Standards
There are several Alarm management Standards targeted to various industries. Starting with the Alarm Management Task Force (AMTF), a customer advisory board led by Honeywell in 1990, this group of industrial control system users quickly realised that alarm management issues were part of a bigger problem. This led to the formation of the Abnormal Situation Management Consortium or ASM™ (ASM is a registered trademark of Honeywell). The ASM Consortium researched numerous factors that impact how configuration of the alarm system impacts the operator’s situational awareness and ability to identify and react to abnormal situations.
The ASM Consortium published numerous documents over the years on best practices in alarm management, operator effectiveness, and operator situational awareness, many of which are available for download (see www.asmconsortium.org for more information). The ASM Consortium also contributed to the creation of the first version of EEMUA 191 by providing data from member companies and editing of the standard prior to it’s first publication in 1999. Since that time two standards have emerged as the primary guides for Alarm Management;
• ISA 18.2-2016 “Management of Alarm Systems for the Process Industries” (2016)
• EEMUA Publication 191 “Alarm Systems – Guide to design, management and procurement” 3rd Edition (2013)
Other notable standards include;
• IEC 62682 “Management of Alarm Systems for the Process Industries” (Published in 2014 as an internationalised adaptation of ISA 18.2)
• API 1167 – “Pipeline SCADA Alarm Management” (2010)
• PHMSA (CFR 192.631/CFR 195) – “Control Room Management for gas and hazardous liquid” (2009)
Why is Alarm Management Important?
In a nutshell: People, Planet, Profits. People: Protecting the safety of employees working in and around processing plants and the community at large is the responsibility of the company and its management. This is also the primary function of any alarm system, which must be configured to identify situations that may pose a health or safety risk and to notify operations personnel in time to allow them to ensure the situation is addressed and personnel in the area are alerted to the hazard.
Planet: Environmental releases of any kind carry with them a potential risk to the health of people both within and outside the confines of the plant as well as hefty fines from environmental regulatory bodies. Harm to the planet’s environment has become nearly as important to avoid as harm to personnel in and around the plant. The installation of sensors and analysers to monitor processes which may potentially release chemicals into the environment has dramatically increased in recent years. Alarm systems must be configured to recognise and alert operations to conditions that might lead to a potential release of a regulated substance.
Profits: Stakeholders in any plant have invested time, reputation, and resources to develop and/or operate a facility that delivers profits to its stakeholders. A poorly configured alarm system more frequently leads to unnecessary shutdowns, quality issues, equipment damage and production deferment all of which have an impact on profitability. In addition, the previous risks to People and Planet each have the potential to carry significant and often crippling financial impacts from fines or litigation.
No senior manager or corporate executive wants a failure in one of these areas to occur on their watch. Add to this the risks that a failure in any of these areas poses to the reputation and viability of a plant, especially in a highly competitive market, and the importance of a good Alarm Management strategy that is competently implemented and consistently maintained is increasingly obvious and necessary.
Abnormal Situations cost industry millions or even billions of dollars every year. Over the last 30+ years there have been a number of plant incidents that have been partly attributed to poor alarm management practices which have tragically resulted in injury and death of personnel, significant environmental impact, and huge financial losses. Some examples are the Longford Gas Explosion in 1998, the Texas City Oil Refinery Explosion in 2005, and the Deepwater Horizon Oil Platform in 2010 which not only claimed 11 lives but has cost BP over $60 billion dollars in fines, settlements, and lost production and created the worst environmental disaster in U.S. history.
Issues that Impact Alarm Management
There are several issues that can impact the effectiveness of an Alarm Management system. Any one of these has the potential to severely impact the alarm system and the operator’s situational awareness as a result. Alarm rates that are beyond the operator’s ability to process often render the alarm system useless. High alarm rates are typically caused by one of the following issues, all of which should be identified, evaluated, and addressed.
Failure to correctly identify an Alarm
As simple as it may sound, one of the biggest problems found in most control systems is the failure to correctly identify what an Alarm is. When developing an Alarm Philosophy, one of the first things required is to provide a clear definition of what constitutes an alarm. Early control systems, that relied on panel displays, were costly to implement and difficult to change. Modern control systems rely on smart instrumentation, network connectivity and often wireless communication.
This makes adding alarms much easier and far less costly. The result has been a proliferation of potential alarms many of which often fail to meet the definition of an alarm based on the industry standards.
All standards agree that an alarm must meet specific criteria before it is configured to annunciate and display to an operator. ISA 18.2 defines an alarm as an “audible and/or visible means of indicating to the operator an equipment malfunction, process deviation, or abnormal condition requiring a timely response”. In other words, an alarm notifies the operator that something in the process has occurred which has some undesirable consequences and that requires the operator take actions to mitigate the issue in a timely manner. For example, the alarm system is not to be used to notify the operator that a pump started when it was supposed to, but rather that the pump was supposed to start but did not so the operator can take necessary actions in time to mitigate the consequences of the pump not starting.
Add your rating:
Current Rating: 3