Reduction of Nuisance Alarms by Implementing the Alarm Management Lifecycle, A Focus on Rationalization

  • Home
  • Reduction of Nuisance Alarms by Implementing the Alarm Management Lifecycle, A Focus on Rationalization

Reduction of Nuisance Alarms by Implementing the Alarm Management Lifecycle, A Focus on Rationalization

Author: Melissa Westbrook, Instrumentation & Electrical Engineering Team Leader, Consulting Engineer I

Nuisance alarms have become a common occurrence in control rooms throughout the process industries. They quickly become an irritating distraction to operators. ANSI/ISA 18-2, Management of Alarm Systems for the Process Industries, defines a nuisance alarm as an alarm that annunciates excessively, unnecessarily, or does not return to normal after the corrective action is taken. Nuisance alarms have the potential to lead to lack of confidence in a particular alarm, in the alarm system as a whole, or create an unmanageable condition where an operator may miss a valid alarm as they are inundated with invalid ones. The key to eliminating nuisance alarms is a well-designed and maintained alarm management system.

As an example of the impact of a nuisance alarm, I recall an incident with financial and productivity impact of a steam generation system. A condensate return system had a hydrocarbon detector to monitor for oil ingress. During normal operation, a boiler operator received a high hydrocarbon warning alarm, and silenced it without action where it remained as a standing alarm on the operating console as the operator moved on to their other duties. A few hours later, the oily condensate had mixed with the boiler feedwater supply, the boiler drum level control became erratic, and the boiler’s burner management system (BMS) tripped on low water level.

Why would an operator fail to act on this alarm? The detector correctly identified the abnormal hydrocarbon levels, the alarm annunciated at the operator console with sufficient time to take action, and the operator was familiar with the process of segregating contaminated condensate. This day could have been steady-state, business as usual, but it wasn’t. The hydrocarbon detector had frequent, sporadic failures that generated excessive nuisance alarms. Additionally, the hydrocarbon detector was often out of service for maintenance for extended periods of time, which generated a standing alarm. The operator had many experiences with this spurious alarm distracting them from their tasks, but never experienced this alarm indicating an abnormal situation requiring their response. Over time, the frequent nuisance alarm had essentially conditioned the operator to ignore it. In alarm management circles, people liken events like these to the familiar story, “The Boy who Cried Wolf.”

Financial, environmental, and most significantly, safety impact of nuisance alarms is not uncommon within industry. This contaminated boiler feedwater supply scenario caused plantwide disruptions due to steam supply instability. There are other cases in industry where alarm floods and inefficient alarm systems contributed to major incidents. In the Layers of Protection Model (Figure A, Operator Intervention Layer), the alarm system is the tool that notifies the operator that a process upset has occurred so they can take action to mitigate the upset. If the operator responds correctly, the process returns to a normal state. If the operator is not able to respond in time or doesn’t respond effectively, the process upset continues to escalate to the Safety Instrumented System layer until the consequence the alarm was intended to prevent – a trip – occurs.

Figure B: Alarm Management System Lifecycle

Poorly designed alarm systems can be more of a distraction than a benefit. The ANSI/ISA 18-2 and IEC 62682 standards, both titled Management of Alarm Systems for the Process Industries, establish the alarm management lifecycle steps required during design, operation, and maintenance (Figure B). In the United States, adherence to the requirements of the ANSI/ISA 18-2 standard is considered recognized and generally accepted good engineering practice (RAGAGEP).

The focus of this article is alarm rationalization, which is Step C of the monitoring and management of change loop in the alarm management system lifecycle. During alarm rationalization, each proposed and existing alarm is evaluated to determine whether it meets the definition of an alarm as established by the alarm philosophy, Step A. An alarm is an audible and/or visible means of indicating to the operator an equipment malfunction, process deviation, or abnormal condition requiring a timely response. Each condition requiring operator action must be alarmed using the best indication of the abnormal condition.

Rationalizing each alarm and potential alarm can be a daunting task. Before starting a rationalization project, it is imperative to have a well-developed alarm philosophy. Think of the alarm philosophy as the design plan and rationalization as applying this design to individual alarms; without the plan, results will be misguided and inconsistent. A typical alarm rationalization project scope is all the alarms under an operator’s span of control or the alarms (including proposed alarms) for a particular unit or process area. Rationalization is typically conducted using a workshop-style approach with a core team comprised of an experienced operator (or two), the process engineer, the controls engineer, and a knowledgeable facilitator. The results are documented in the master alarm database (MADB) as alarms are rationalized.

The facilitator develops a standard methodology, based on the alarm philosophy, to efficiently work through each step while ensuring consistency. For each alarm, the rationalization team must justify that the alarm criteria as established in the alarm philosophy are met. Documenting the likely cause of the alarm and response procedure will rely heavily on the input of experienced operators and is an ideal opportunity to capture institutional knowledge. Steps for the operator to take to confirm the alarm is valid, such as specific field checks or cross-checks against other process parameters, should be documented in the MADB. In the example of the high hydrocarbon alarm, a documented operator response procedure and specific field measurements to cross-check the validity of the alarm would have led to a very different outcome. The determination of alarm limits, hysteresis, and special handling techniques will require data analysis and calculations; the basis for these should be captured in the MADB. It is also important to include in the MADB the justification for eliminating any existing alarms as a result of the rationalization process.

Establishing the alarm priority ensures that if there is more than one alarm in a short period, the operator has clear direction on which alarm to work on first. The matrix used for this analysis is designed for alarm prioritization, and it follows a familiar risk-based approach that is used in other process safety evaluations. An example of an alarm prioritization matrix based on the maximum severity consequence modified by urgency is shown as Figure C. There are also other prioritization methods commonly used in industry; the specific alarm prioritization matrix to be used during rationalization is developed as part of the alarm philosophy document. The rationalization team and facilitator should prioritize some representative alarms as an orientation to the prioritization matrix and to verify the results. The alarm philosophy may also establish rule-based alarm prioritization such as assigning all alarms indicating an immediately dangerous to life or health (IDLH) condition to the highest alarm priority.

Figure C: Example of an Alarm Prioritization Matrix Using Maximum Severity Consequence Modified by Urgency

Desire to improve safety and productivity is usually the initiating driver to embark on an alarm management program. Performing alarm rationalization guided by the alarm philosophy will ensure that operators have the information and time needed to evaluate and respond to alarms appropriately. A bang-bang approach focused on reducing “top 10 most frequently occurring alarms” can take a stab at eliminating the low hanging fruit, but without the alarm philosophy and a consistent rationalization process, the overall impact will be limited. This article focused on the rationalization step, but each of the steps in the alarm management lifecycle are critical in ensuring the alarm system is an efficient, sustainable tool. An effective alarm system that follows the lifecycle approach established by ANSI/ISA 18-2 and has fully rationalized alarms will shift operator’s perspective on the role of the alarm system and allow them to make the most productive – and safest – decisions.

For more information, please submit the form below:

Newsletter Archive

Access all of our previously published Industry Insights Newsletter articles:

Recently Published

Improving Reliability of Bolted Flanged Joints

Author: Robert C. Davis, P.E., Consulting Engineer II

ASME VIII-1 Appendix 2 flange design rules states flanges should be sufficiently robust to withstand the stresses produced by operating loads; however, what happens if those flanges leak during operation?. Do you know what options are available to reduce or eliminate the potential risk of leakage in bolted flange joints? In this article, Bob Davis introduces several options to evaluate bolted flange designs with the goal of minimizing the risk of leakage without risking damage to any of the joint components.

Read More »

SIMFLEX-IV: A Modern Pipe Stress Engineering Solution

Authors: Donald L. Brown, Ph.D., Consulting Researcher I; Edrissa Gassama, Ph.D., Senior Researcher II; Daniel Spring, Ph.D., Group Head Consulting Researcher I

SIMFLEX-IV, the latest update to E2G’s cloud-based piping stress analysis software, will help you prevent potential failures by improving the structural integrity of piping systems and supporting structures. In a single run, you will be able to assess sustained, occasional, and displacement stresses at every data point throughout the piping system. This article introduces you to fast and easy ways to integrate advanced static and dynamic piping stress analysis into your daily workflow.

Read More »

Hammered Pipe Still Standing: Is It Fit for Service?

Author: Kraig S. Shipley, P.E., Piping & Fired Heaters, Principal, Engineer I

Steam piping systems that are not adequately controlling condensate levels may experience a steam hammer event, which is when a slug of condensate is propelled at high velocity down the piping system. When the large dynamic slug force hits an elbow or pipe cap, it can displace the piping system or slide the pipe shoes off the structural members. In this case study, Kraig Shipley discusses a recent consulting project that used SIMFLEX-IV to determine if a steam header was still fit -for -service after a steam hammer event.

Read More »
Process Safety Management & Mechanical Integrity in the Hazardous Materials Processing & Handling World

PSM and Mechanical Integrity in the Hazardous Materials Processing and Handling World

Author: Jim McVay, Mechanical Integrity Team Leader

When well implemented, a mechanical integrity program will reduce failures, extend equipment life, increase operating limits, and optimize maintenance and inspection budgets. In this article, Jim McVay introduces several of the elements you need to consider when developing a successful mechanical integrity program and explains how everyone plays a role in the effective implementation.

Read More »
Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors
Pages
Industry Insights Newsletter Articles
Events
Library Items