Prioritization. Alarm priority indicates criticality and which alarms to respond to first. To ensure consistency, the philosophy defines the prioritization methodology, which typically is based on the severity of the potential consequences and the time available to respond.
Management of change. The document must spell out processes for reviewing and authorizing alarm system changes, including whether operators can disable alarms or change their limits from the human machine interface (HMI).
Performance metrics. The philosophy defines KPIs such as the ones in Table 2.
MEASURE SYSTEM PERFORMANCE
Most alarm analysis packages provide reports that allow easy comparison of measured performance versus metrics. A "bad actor" alarm report often will show that a few modules or tags cause a disproportionate number of alarms. Use such information as a starting point for improving alarm system performance.
Systematically review existing or candidate alarms to ensure they meet the criteria established in the philosophy and to document their design. This is a team activity, similar to a hazard and operability study, involving at a minimum production/process engineers, control engineers and operators. Industry best practices spell out the steps in the process:
Check alarm validity. Ensure each alarm:
• indicates a malfunction, deviation or abnormal condition;
• requires a timely operator action to avoid defined consequences;
• is the best indicator of the root cause of the abnormal situation; and
• is unique, i.e., no other alarms also signal the same condition.
Any alarm not meeting these criteria can be removed, reducing the number presented to the operator.
Determine consequence of inaction. Identify the direct and immediate result of failing to manage the alarm. Consider only direct repercussions, not what could happen based upon a series of failures. For example, not dealing with a safety-critical alarm might lead to the trip of a safety instrumented system, not the hazardous event itself.
Any alarm without significant consequences, e.g., that only generates another alarm, may not be needed.
Document cause, confirmation and corrective actions. Identify the most likely causes of the alarm and other process measurements the operator can use to confirm the alarm is real. Where an alarm response entails shutting down production, operators may want to verify the action truly is necessary before executing it. Spell out the action the operator should take, such as closing a valve or starting a backup pump, to correct the abnormal situation (Figure 1); acknowledging the alarm doesn't count.
Any alarm not requiring an operator response isn't valid and can be removed.
Multiple alarm conditions sharing the same operator action may indicate redundant alarms, in which case one can be eliminated.
Document operator response time. Estimate the amount of time available between alarm activation and the last moment operator action will prevent the consequence. Compare this to the time needed by the operator to detect the alarm, diagnose the problem and complete all actions comprising the response.
If time required exceeds time available, replace the alarm with an automated response (interlock).
Assign alarm priority. Evaluate the impact of the potential consequences in key areas like safety, environmental and financial, along with operator response time. The worse the repercussions and shorter the response time are, the higher the priority should be.
This results in objective and consistent prioritization of alarms with highest priority assigned only to truly critical alarms.
Alarm classification. Record what category is appropriate for the alarm. An alarm classified as "safety critical" likely will have different requirements for training and testing frequency than the average process alarm.