Avoid the Domino Effect

Most process plants constantly strive to improve their operations. The performance of operators and the alarm system can markedly impact the quest to bolster safety, minimize unplanned downtime, increase productivity and achieve other gains. Help is on the way from a new International Society of Automation (ISA) standard. "Management of Alarm Systems for the Process Industries," ISA-18.2, provides a framework for the successful design, implementation, operation and management of alarm systems [1]. (The about-80-page document was approved on June 23, 2009, and is available at isa.org.) This article offers an overview of the standard with a focus on how it will impact plants.

The Importance of Alarm Management
With production running ever closer to equipment and facility operating limits, proper alarm management has never been more crucial. Poor alarm management is a main cause of unplanned downtime, which costs plants more than $20 billion in lost production every year [2]. It also has significantly contributed to some of the worst industrial accidents on record (including Three Mile Island, Bhopal, Milford Haven and Texas City), which led to injury, loss of life, equipment and property damage, fines and harm to company reputation.

Today operators receive a large amount of data from their console displays about process performance. They must be able to make quick decisions to keep operation in its normal or target range. The alarm system should notify operators to take action when the process risks crossing a performance boundary (Figure 1). Failure to promptly and effectively respond can lead to off-specification product, a process upset, an unplanned shutdown or an accident.

The connection between problems in alarm management and process safety accidents was a motivator for developing ISA-18.2. Both the U.S. Occupational Safety and Health Administration and the U.K. Health and Safety Executive have identified the need for improved industry practices to prevent incidents. It's widely anticipated that ISA-18.2 will achieve the status of recognized and generally accepted good engineering practice (RAGAGEP) by both insurance companies and regulatory agencies. As such, it becomes the expected minimum practice at sites, especially if an incident does occur. The standard contains a clause that allows for past practice but this doesn't exempt companies from monitoring their alarm systems to demonstrate acceptable performance.

A Never-Ending Journey
Good alarm management isn't a one-time activity but a process that requires continuous vigilance from operations, engineering and maintenance teams. Consequently the standard has been structured according to the alarm management lifecycle (Figure 2), which is similar in many respects to the standard governing process safety, ANSI/ISA-84.00.01-2004 Part 1 (IEC 61511-1 Mod). ISA- 18.2 covers the various stages in the lifecycle (see Table 3):

Philosophy. An important and often first step is creating an alarm philosophy document. It will guide all alarm management activities at a site and is critical for helping plant staff maintain the alarm system over time. It's the alarm management "bible," outlining practices and procedures for how to classify and prioritize alarms, what colors to use to indicate an alarm in the human machine interface (HMI), and how to manage changes to configuration. The document also should establish key performance benchmarks like acceptable alarm load for operators.

What it means. An alarm philosophy document is the cornerstone of an effective alarm management program. It's also important for demonstrating compliance to the standard and for facilitating internal discussions with major stakeholders. For new plants, alarm philosophy should be fully defined and approved before commissioning.

Process Condition Model Figure 1. The particular status of operations should trigger specific control system actions. Source: Ref. 1.

Identification. What is and isn't an alarm? How do you know whether you should alarm an input from the field? ISA-18.2 provides clear guidance. It defines an alarm as "an audible and/or visible means of indicating to the operator an equipment malfunction, process deviation or abnormal condition requiring a response. The italics underscore an important alarm- management principle: if an operator doesn't need to respond, then don't provide an alarm! Pretty simple… Following this cardinal rule will eliminate a large portion of potential alarm-management problems.

Many sources -- e.g., process and instrumentation drawings (P&ID), operating procedure reviews, process hazards analysis (PHA), safety requirement specifications (SRS), hazard and operability studies (Hazops), incident investigations and quality reviews -- can help identify candidate alarms. You also can use alarms to indicate process performance boundaries such as off-target or pre-upset (Figure 1).