Nuisance alarms have become a common occurrence in control rooms throughout the process industries. They quickly become an irritating distraction to operators. ANSI/ISA 18-2, Management of Alarm Systems for the Process Industries, defines a nuisance alarm as an alarm that annunciates excessively, unnecessarily, or does not return to normal after the corrective action is taken. Nuisance alarms can erode confidence in a particular alarm or in the alarm system as a whole, or create an unmanageable condition in which an operator, inundated with invalid alarms, misses a valid one. The key to eliminating nuisance alarms is a well-designed and maintained alarm management system.
As an example of the impact of a nuisance alarm, I recall an incident at a steam generation system that had financial and productivity impact. A condensate return system had a hydrocarbon detector to monitor for oil ingress. During normal operation, a boiler operator received a high hydrocarbon warning alarm and silenced it without action, and it remained as a standing alarm on the operating console as the operator moved on to their other duties. A few hours later, the oily condensate had mixed with the boiler feedwater supply, the boiler drum level control became erratic, and the boiler’s burner management system (BMS) tripped on low water level.
Why would an operator fail to act on this alarm? The detector correctly identified the abnormal hydrocarbon levels, the alarm annunciated at the operator console with sufficient time to take action, and the operator was familiar with the process of segregating contaminated condensate. This day could have been steady-state, business as usual, but it wasn’t. The hydrocarbon detector had frequent, sporadic failures that generated excessive nuisance alarms. Additionally, the hydrocarbon detector was often out of service for maintenance for extended periods of time, which generated a standing alarm. The operator had many experiences with this spurious alarm distracting them from their tasks, but never experienced this alarm indicating an abnormal situation requiring their response. Over time, the frequent nuisance alarm had essentially conditioned the operator to ignore it. In alarm management circles, people liken events like these to the familiar story, “The Boy who Cried Wolf.”
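The two patterns described above, an alarm that annunciates excessively and one that stands without returning to normal, can be picked out of an alarm journal before rationalization begins. The following is an added example, not part of the original article; the tag names, journal format, and thresholds are assumptions, and a site's alarm philosophy would set the real limits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds for illustration only; not taken from ANSI/ISA 18-2.
EXCESSIVE_COUNT = 3                       # this many annunciations ...
EXCESSIVE_WINDOW = timedelta(minutes=1)   # ... inside this window
STANDING_AFTER = timedelta(hours=24)      # active this long with no return to normal

t = datetime.fromisoformat
# Constructed journal: (timestamp, tag, state); ALM = annunciated, RTN = returned to normal.
JOURNAL = [
    (t("2024-01-01 08:00:00"), "AI-101.HI", "ALM"),  # hypothetical hydrocarbon detector
    (t("2024-01-01 08:00:10"), "AI-101.HI", "RTN"),
    (t("2024-01-01 08:00:20"), "AI-101.HI", "ALM"),
    (t("2024-01-01 08:00:30"), "AI-101.HI", "RTN"),
    (t("2024-01-01 08:00:40"), "AI-101.HI", "ALM"),
    (t("2024-01-01 08:00:50"), "AI-101.HI", "RTN"),
    (t("2024-01-01 08:05:00"), "PI-300.HI", "ALM"),  # single alarm, cleared normally
    (t("2024-01-01 08:20:00"), "PI-300.HI", "RTN"),
    (t("2024-01-01 09:00:00"), "AI-101.HI", "ALM"),  # never returns: detector out of service
    (t("2024-01-02 09:30:00"), "LI-200.LO", "ALM"),  # recent, still within response time
]
NOW = t("2024-01-02 10:00:00")

def classify(journal, now):
    """Return {tag: {"excessive", "standing"}} for tags showing nuisance behaviour."""
    annunciations = defaultdict(list)  # tag -> annunciation times, in order
    active = {}                        # tag -> time of the annunciation still active
    for ts, tag, state in sorted(journal):
        if state == "ALM":
            annunciations[tag].append(ts)
            active.setdefault(tag, ts)
        elif state == "RTN":
            active.pop(tag, None)
    findings = defaultdict(set)
    for tag, times in annunciations.items():
        # Any EXCESSIVE_COUNT consecutive annunciations that fit inside the window.
        for i in range(len(times) - EXCESSIVE_COUNT + 1):
            if times[i + EXCESSIVE_COUNT - 1] - times[i] <= EXCESSIVE_WINDOW:
                findings[tag].add("excessive")
                break
    for tag, since in active.items():
        if now - since >= STANDING_AFTER:
            findings[tag].add("standing")
    return dict(findings)

if __name__ == "__main__":
    for tag, kinds in classify(JOURNAL, NOW).items():
        print(tag, sorted(kinds))
```

Tags flagged by both checks are the ones most likely to have conditioned operators to ignore them and are natural first candidates for the rationalization workshop.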
Financial, environmental, and, most significantly, safety impacts from nuisance alarms are not uncommon within industry. This contaminated boiler feedwater supply scenario caused plantwide disruptions due to steam supply instability. There are other cases in industry where alarm floods and inefficient alarm systems contributed to major incidents. In the Layers of Protection Model (Figure A, Operator Intervention Layer), the alarm system is the tool that notifies the operator that a process upset has occurred so they can take action to mitigate the upset. If the operator responds correctly, the process returns to a normal state. If the operator is not able to respond in time or doesn’t respond effectively, the process upset continues to escalate to the Safety Instrumented System layer until the consequence the alarm was intended to prevent – a trip – occurs.
Poorly designed alarm systems can be more of a distraction than a benefit. The ANSI/ISA 18-2 and IEC 62682 standards, both titled Management of Alarm Systems for the Process Industries, establish the alarm management lifecycle steps required during design, operation, and maintenance (Figure B). In the United States, adherence to the requirements of the ANSI/ISA 18-2 standard is considered recognized and generally accepted good engineering practice (RAGAGEP).
The focus of this article is alarm rationalization, which is Step C of the monitoring and management of change loop in the alarm management system lifecycle. During alarm rationalization, each proposed and existing alarm is evaluated to determine whether it meets the definition of an alarm as established by the alarm philosophy, Step A. An alarm is an audible and/or visible means of indicating to the operator an equipment malfunction, process deviation, or abnormal condition requiring a timely response. Each condition requiring operator action must be alarmed using the best indication of the abnormal condition.
Rationalizing each alarm and potential alarm can be a daunting task. Before starting a rationalization project, it is imperative to have a well-developed alarm philosophy. Think of the alarm philosophy as the design plan and rationalization as applying this design to individual alarms; without the plan, results will be misguided and inconsistent. A typical alarm rationalization project scope is all the alarms under an operator’s span of control or the alarms (including proposed alarms) for a particular unit or process area. Rationalization is typically conducted using a workshop-style approach with a core team comprised of an experienced operator (or two), the process engineer, the controls engineer, and a knowledgeable facilitator. The results are documented in the master alarm database (MADB) as alarms are rationalized.
The facilitator develops a standard methodology, based on the alarm philosophy, to efficiently work through each step while ensuring consistency. For each alarm, the rationalization team must justify that the alarm criteria as established in the alarm philosophy are met. Documenting the likely cause of the alarm and response procedure will rely heavily on the input of experienced operators and is an ideal opportunity to capture institutional knowledge. Steps for the operator to take to confirm the alarm is valid, such as specific field checks or cross-checks against other process parameters, should be documented in the MADB. In the example of the high hydrocarbon alarm, a documented operator response procedure and specific field measurements to cross-check the validity of the alarm would have led to a very different outcome. The determination of alarm limits, hysteresis, and special handling techniques will require data analysis and calculations; the basis for these should be captured in the MADB. It is also important to include in the MADB the justification for eliminating any existing alarms as a result of the rationalization process.
Establishing the alarm priority ensures that if there is more than one alarm in a short period, the operator has clear direction on which alarm to work on first. The matrix used for this analysis is designed for alarm prioritization, and it follows a familiar risk-based approach that is used in other process safety evaluations. An example of an alarm prioritization matrix based on the maximum severity consequence modified by urgency is shown as Figure C. There are also other prioritization methods commonly used in industry; the specific alarm prioritization matrix to be used during rationalization is developed as part of the alarm philosophy document. The rationalization team and facilitator should prioritize some representative alarms as an orientation to the prioritization matrix and to verify the results. The alarm philosophy may also establish rule-based alarm prioritization such as assigning all alarms indicating an immediately dangerous to life or health (IDLH) condition to the highest alarm priority.
Desire to improve safety and productivity is usually the initiating driver to embark on an alarm management program. Performing alarm rationalization guided by the alarm philosophy will ensure that operators have the information and time needed to evaluate and respond to alarms appropriately. A bang-bang approach focused on reducing “top 10 most frequently occurring alarms” can take a stab at eliminating the low-hanging fruit, but without the alarm philosophy and a consistent rationalization process, the overall impact will be limited. This article focused on the rationalization step, but each of the steps in the alarm management lifecycle is critical in ensuring the alarm system is an efficient, sustainable tool. An effective alarm system that follows the lifecycle approach established by ANSI/ISA 18-2 and has fully rationalized alarms will shift operators’ perspective on the role of the alarm system and allow them to make the most productive – and safest – decisions.