Originally issued: February 21, 2023
Shaun Williamson, P.L.(Eng.), FS Eng (TÜV Rheinland), CFSE
Director of Engineering
Watchmen Instrumented Safety Experts Ltd.
The Buncefield industrial accident, which occurred on December 11, 2005, was one of the worst industrial accidents in the UK's history. The accident resulted in a massive explosion and fire at an oil storage depot in Hemel Hempstead, Hertfordshire, and caused significant damage to property and infrastructure, including nearby homes, offices, and factories. The explosion and fire also disrupted the supply of fuel to the entire southeast of England, causing widespread disruption. Fortunately, there were no fatalities at the Buncefield disaster. However, the incident did result in 43 injuries, with several people requiring hospital treatment. The total cost of the incident was estimated to be over £1 billion.
Poor alarm management was identified as a contributing factor in the Buncefield industrial accident. The alarm system was not adequately designed, and the operators were overwhelmed with alarms, resulting in a failure to recognize the severity of the situation. The alarm system was configured to generate a large number of low-priority alarms, which resulted in alarm floods that made it difficult for operators to identify and respond to critical alarms. As a result, operators failed to recognize the severity of the situation, and the incident escalated, leading to the explosion and fire.
The Buncefield industrial accident serves as a stark reminder of the importance of effective alarm management in preventing accidents. An effective alarm management system must be designed to ensure that operators receive only the alarms that require their attention, with those that require the most urgent response placed at the top of the list, with the priority and alarm description clearly communicated. The system should generate only alarms that are relevant and actionable, with clear instructions on how to respond to each alarm. This approach helps to reduce the number of nuisance alarms and avoid alarm floods, which can overwhelm operators and lead to a failure to recognize and respond to critical alarms.
Effective alarm management can play a crucial role in preventing accidents and minimizing the impact of incidents that do occur. By providing operators with timely and relevant information, an effective alarm management system can help to detect and respond to abnormal situations before they escalate into major incidents.
In a cost sensitive environment, it is important to understand that investing in an alarm management program comes with financial benefit. Here are 4 ways financial benefits can be realized:
In summary, the Buncefield industrial accident highlights the importance of effective alarm management in preventing accidents and minimizing the impact of incidents. By implementing an effective alarm management program, companies can improve their process safety performance and protect their people, the environment, and their assets. Reach out to Watchmen today to get started or to turbo charge your alarm management program.
> ANSI/ISA-18.2: Management of Alarm Systems for the Process Industries
> IEC 62682: Management of Alarm Systems for the Process Industries
Originally issued: August 17, 2022
Carsten Acker, P.L.(Eng.), FS Eng (TÜV Rheinland), CFSE, CSP
Director of Operations
Watchmen Instrumented Safety Experts Ltd.
Why Alarm Management
Have you ever experienced a plant upset which led to a flood of alarms coming in? Can you envision a rapidly expanding alarm list with seemingly no meaning and cryptic messaging for you to decipher? Your internal clock ticks silently in the back of your mind while you try to determine which alarm you should address first and try to recall how to respond to an alarm that only rings in once every couple of years. If you have experienced a similar issue, you would benefit from implementing an effective alarm management strategy.
Failure to respond to alarms is frequently listed as a contributing factor to industrial accidents, and for good reason. There are many stumbling blocks preventing operators from taking effective action when a process upset arises. Some examples include poor communication of the upset condition to operations, too many alarms at a given time, and a control system that issues alarms when no actual process upset is happening, thus contributing to complacency and distracting the operator from more important issues. Operator response to process and safety alarms is a key component of most operating and safeguarding strategies. The complexity of these systems and the number of alarms have grown rapidly, creating new issues that were not prevalent a couple of decades ago. This increased level of information and demand on an operator’s attention can degrade the response to safety critical alarms.
Fortunately, standards have been developed to provide a roadmap for organizations to implement successful alarm management strategies. See ISA 18.2 or IEC 62682 as examples. Developing an effective alarm management philosophy should make use of a lifecycle management approach. This is meant to ensure the alarm is correctly engineered, configured, and maintained throughout the life of the facility until decommissioning. See the graphic below from ISA 18.2 which expands on this concept.
Not sure where to start? For new facilities, the process starts with an alarm management philosophy tailored to your organizational needs which provides you with your roadmap to a successful rollout with a high probability of success throughout the asset’s life. For existing facilities, consider starting with a benchmarking study to see where in the process you are, and what current headaches and issues you are experiencing. This may help justify the effort of implementing alarm management activities and help to make use of current processes that are working well in a new philosophy. It will be important to ensure a smooth transition to new processes without confusing the operators working with alarms. Engage operations and maintenance personnel on the process. Buy-in is essential and the process will likely fail without their support. Benchmarking is a low-cost way to kick-start your alarm management process for an existing facility and provide an immediate comparison against industry standard KPIs.
In addition to developing a process for tracking KPIs, managing alarm performance, and defining the scope for the subsequent alarm management activities, the philosophy is where a large percentage of the key discussions take place. The generation of a formal philosophy will result in many of the stakeholders getting to a certain level of understanding of the importance and benefits of generating such a procedure. Education should be provided during discussions to help stakeholders understand the benefits of effective alarm management and to realize the hazards of operating inconsistently and without such guidance. This effort is also helpful in reinforcing the safety culture within an organization as effective alarming directly contributes to mitigating large scale industrial accidents. While not all organizations have a formal alarm management philosophy, it does go a long way to improve the availability of the affected assets which will likely aid in the internal funding of such an endeavor.
When generating an alarm management philosophy, there are many helpful standards to reference. The research put into these standards is quite comprehensive and the KPIs defined are well articulated. Below are some items which must be included in a successful alarm management philosophy, but which many facilities fall short of achieving.
· What should the spread be between high, medium, and low priority alarms to operations? Published standards state that this should be 5 / 15 / 80 percent respectively.
· How many alarms per hour should an operator see? Published standards state that this should be less than 12.
· How many stale alarms (an alarm which is in for long periods of time) should exist on any given day? Published standards state that this should be less than 5 and that an action plan to address these 5 should be in place. How does your facility stack up?
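A benchmarking check against the three targets listed above, as an added example that is not part of the original article. The event tuple layout, the 24-hour stale threshold, the 5-point tolerance on the priority split and the sample log are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Targets quoted in the article.
TARGET_SPLIT = {"high": 5.0, "medium": 15.0, "low": 80.0}  # percent of alarms
MAX_PER_HOUR = 12  # an operator should see fewer than this per hour
MAX_STALE = 5      # fewer than this many stale alarms on a given day
# Assumptions made for this example, not values from the article:
STALE_AFTER = timedelta(hours=24)  # "in for long periods" read as 24 h standing
SPLIT_TOLERANCE = 5.0              # allowed drift, in percentage points

def benchmark(events, now):
    """events: list of (tag, priority, raised_at, cleared_at or None)."""
    if not events:
        raise ValueError("no alarm events to benchmark")
    total = len(events)
    by_priority = Counter(e[1] for e in events)
    split = {p: round(100 * by_priority[p] / total, 1) for p in TARGET_SPLIT}
    hours = max((now - min(e[2] for e in events)).total_seconds() / 3600, 1.0)
    avg = round(total / hours, 1)
    # An average can hide a flood, so the busiest clock hour is checked too.
    per_hour = Counter(e[2].replace(minute=0, second=0, microsecond=0)
                       for e in events)
    peak = max(per_hour.values())
    stale = sorted(e[0] for e in events
                   if e[3] is None and now - e[2] >= STALE_AFTER)
    findings = [f"{p} priority share is {split[p]}%, target {t}%"
                for p, t in TARGET_SPLIT.items()
                if abs(split[p] - t) > SPLIT_TOLERANCE]
    if avg >= MAX_PER_HOUR:
        findings.append(f"average of {avg} alarms per hour")
    if peak >= MAX_PER_HOUR:
        findings.append(f"busiest hour had {peak} alarms")
    if len(stale) >= MAX_STALE:
        findings.append(f"{len(stale)} stale alarms: {', '.join(stale)}")
    return {"split": split, "avg_per_hour": avg, "peak_per_hour": peak,
            "stale": stale, "findings": findings}

def constructed_log(now):
    """Constructed sample: 48 h with six standing alarms and one flood."""
    start = now - timedelta(hours=48)
    log = [(f"LT-10{i}", "low", start + timedelta(hours=i), None)
           for i in range(6)]
    for i in range(12):  # one medium alarm an hour, each cleared in 10 min
        t = start + timedelta(hours=10 + i, minutes=30)
        log.append((f"PT-2{i:02d}", "medium", t, t + timedelta(minutes=10)))
    for i in range(30):  # flood: 30 high alarms inside a single clock hour
        t = now - timedelta(hours=3) + timedelta(minutes=i)
        log.append((f"TT-3{i:02d}", "high", t, t + timedelta(minutes=5)))
    return log

if __name__ == "__main__":
    now = datetime(2023, 2, 21, 12, 0)
    print("\n".join(benchmark(constructed_log(now), now)["findings"]))
```

On the constructed log the 48-hour average stays well under the hourly target while the busiest hour does not, which is why the check reports both.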
If the numbers above seem unattainable, it is likely that your facility’s alarm strategy needs some sprucing up. An alarm philosophy will ensure that alarm strategies to limit alarm quantities are properly deployed so that the alarm system remains effective and safe. Strategies such as proper automatic alarm suppression, first-out logic, deadband, and on/off delays can greatly reduce the quantity of alarms presented to the operator. Reducing the quantity of alarms will help the operator focus on what’s important which improves safety and plant availability.
By utilizing a standard approach, benefits also come in the form of consistency of messaging and prioritization between similar alarms. Common alarms can have common attributes such as MoC rigor requirements, testing frequency, and shelving capabilities which can be called out in a philosophy.
The alarm philosophy should also describe the high-level details which will bring the important alarms to the operators’ attention the quickest. Making sure the alarm descriptions are legible may sound like common sense but needs a consistent approach. Re-assigning notifications which need no operator intervention, or that are expected, to a different list aids in highlighting the important alarms. Examples of different classifications of notifications include Alarms, Alerts, Prompts, Messages, etc. Alarms are typically defined as unexpected events that require the operator to take some sort of action. There are many other notification classifications that can be employed for events that do not fit that description. These can use a variety of different audible and visual means to get the proper response.
Consistent HMI design is important to ensure alarms are differentiated from normal process conditions. Consider that a large minority of the population is color blind. Providing guidance in deciding which operator support details should be documented can aid operations in troubleshooting and responding quickly and effectively to incoming alarms.
If you’re not able to implement an alarm management philosophy without having first witnessed an effective, standards compliant implementation, it’s important to utilize industry experts to guide you through the various pitfalls and provide insight on the impacts of the decisions being made.
If you’re in a facility optimization role, alarm management can be one of the cheapest ways to increase your plant availability. If you’re in a safety related role, empowering operators to take effective action is a simple but powerful enhancement. If you’re operating a facility, there are few other crowd pleasers better than alarm management to limit the annoying alarms which don’t have any benefit while allowing you to respond to alarms that matter.
Originally issued: September 9, 2022
Carsten Acker, P.L.(Eng.), FS Eng (TÜV Rheinland), CFSE, CSP
Director of Operations
Watchmen Instrumented Safety Experts Ltd.
This paper is intended to be an extension of Part 1 of the series – Alarm Management Motivation and Philosophy.
Reduce Alarm Quantities if Possible
Now that you’ve got an alarm management philosophy to follow, it’s time to step through the other lifecycle tasks. Looking at the alarms in the control system (whether currently operating or in the design stage) it’s important to know the rationale for the alarm. Is it safety critical, for equipment protection or for operability? Does the alarm provide value, or does it potentially just create a distraction for the operator? While it may seem to the untrained eye that operators should be aware of everything in the plant, the reality is that the operator has many issues to manage including maintaining production. Therefore, events that do not require the operator to act should not be mixed in with those that do. There are many techniques available to limit the quantity of alarms brought to the operators’ attention. Eliminating redundant alarms that require the same response is one effective option. Delegating non-urgent maintenance notifications to a separate maintenance list is another quick way to reduce alarm counts. Many other events, such as a change in the state of equipment, can simply be directed to an event log for reference if needed. Reducing alarm quantities can profoundly reduce the load placed on the operator. If a back-up pump starts due to an increased flow demand as part of normal operating scenarios, this may not need to be an alarm as the system has automatically compensated and the operator likely does not need to take any action. Likewise, do you need an alarm telling you the 100% spare pump is not running during normal operations? Do you need an alarm that a pump has stopped when you are the one that stopped it? Delegate these notifications to a sub list away from more important alarms.
Prioritize the Good Alarms
Alarm prioritization is intended to help an operator prioritize their response when multiple alarms come in at or near the same time. If not effectively prioritized, the operator response time to alarms cannot be assured. Alarm prioritization is a facilitated activity that will assess rationalized alarms, weighing the consequence of inaction against the needed response time. Once effectively prioritized, high criticality alarm rates should be greatly reduced such that an operator can quickly prioritize their response during normal and upset conditions.
Your alarm management philosophy should show the rankings for an alarm on x and y axes for the severity of not responding to an alarm and the time available for operations to take action. The first component of prioritization takes into consideration response time. The less time available to respond, the higher the priority ranking that should be applied. One should consider re-engineering the design if operators are given a response time less than humanly possible. There are many other factors when determining how much time the operator has to respond. The operator response will need time to take effect before the process will shut down. Alarms are often used to indicate when the process is out of the normal operating range, so a timely response is often needed to prevent escalation to an unwanted condition. See the graphic below for an example of how a reaction to a process run-away can go and why consideration for timing is an important part of the process.
The second component of prioritization considers the potential hazard severity. The higher the severity of not responding to the alarm, the higher the priority. Unlike other process hazard assessments, alarm rationalization often assumes that the other safeguards will work. In most instances, missing an alarm will result in a process shutdown with economic impacts. Whenever possible, human response to an alarm should not be your last line of defense against a major accident. If this is the case, the design should be re-engineered. When prioritizing alarms, remember that 80% of alarms operators see should be low priority.
Once you’ve gone live with the system, it’s important to look at how it is performing. Use your philosophy and/or alarm management standards as a benchmark to compare with your existing performance. It makes sense to pick off the low hanging fruit. Be careful not to just do that once and call it good. It’s important to review performance regularly over the life of the asset as facilities are always in a state of flux and are being optimized in other areas constantly.
Interview operators about the control system and ensure a basic training program is being deployed to new personnel. Some key issues for the ongoing alarm systems include access control, alarm shelving, and notification messaging. Make sure that the philosophy is followed which should detail the management of change requirements for modifying an alarm. Some alarms are not critical, and operators should be able to change these at will without a mountain of paperwork. The more burdensome the MoC requirement is, the less likely the paperwork will be done and the less likely the operator is to request that optimization, which degrades your facility performance.
Alarm shelving is a powerful tool operators have to deal with alarms. It needs to be understood when this is appropriate to use, so that safety and plant availability are not compromised. When an alarm is chattering or is undergoing planned maintenance, operators can shelve an alarm. In the case of a chattering alarm, it should be brought to an engineer’s attention to rectify the chattering alarm. When used for maintenance, beware of extended alarm shelving. Alarm shelving should have appropriate time limits to avoid being left permanently bypassed by mistake.
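One way to audit shelving along these lines, as an added example that is not part of the original article: it lists shelved alarms that have outlived a time limit and finds chattering tags to hand to engineering. The record layouts, the limits per shelving reason, the three-activations-in-one-minute chatter rule and the sample data are assumptions.

```python
from datetime import datetime, timedelta

# Assumed limits for this example; a site's alarm philosophy sets its own.
SHELVE_LIMIT = {"chattering": timedelta(hours=8),
                "maintenance": timedelta(hours=72)}
CHATTER_COUNT = 3                      # this many activations ...
CHATTER_WINDOW = timedelta(minutes=1)  # ... inside this window is chattering

def overdue_shelves(shelved, now):
    """shelved: list of (tag, reason, shelved_at, shelved_by)."""
    overdue = []
    for tag, reason, shelved_at, who in shelved:
        limit = SHELVE_LIMIT.get(reason)
        age = now - shelved_at
        # A reason with no approved limit is always reported for review.
        if limit is None or age > limit:
            overdue.append((tag, reason, who, age))
    return sorted(overdue, key=lambda row: row[3], reverse=True)

def chattering_tags(activations):
    """activations: list of (tag, timestamp) for every alarm activation."""
    by_tag = {}
    for tag, ts in activations:
        by_tag.setdefault(tag, []).append(ts)
    noisy = []
    for tag, times in by_tag.items():
        times.sort()
        # Slide over each run of CHATTER_COUNT consecutive activations.
        runs = zip(times, times[CHATTER_COUNT - 1:])
        if any(last - first <= CHATTER_WINDOW for first, last in runs):
            noisy.append(tag)
    return sorted(noisy)

def constructed_data(now):
    """Constructed sample records, not taken from any real plant."""
    shelved = [("FT-401", "chattering", now - timedelta(hours=2), "op_a"),
               ("LT-220", "maintenance", now - timedelta(days=10), "op_b"),
               ("PT-115", "chattering", now - timedelta(hours=30), "op_c"),
               ("TT-090", "other", now - timedelta(hours=1), "op_a")]
    t = now - timedelta(minutes=5)
    activations = [("FT-401", t + timedelta(seconds=s)) for s in (0, 20, 45)]
    activations += [("PT-115", t + timedelta(seconds=s)) for s in (0, 50, 70, 100)]
    activations += [("LT-500", now - timedelta(hours=h)) for h in (3, 2, 1)]
    return shelved, activations

if __name__ == "__main__":
    now = datetime(2022, 9, 9, 8, 0)
    shelved, activations = constructed_data(now)
    for tag, reason, who, age in overdue_shelves(shelved, now):
        print(f"{tag}: shelved {age} ago by {who} ({reason}), review")
    print("chattering, raise with engineering:", chattering_tags(activations))
```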
The annunciation of an alarm should be very obvious to the operator when contrasted to normal processes. Grey scale HMI design with standardized alarm symbology will aid in the alarms getting the attention they deserve.
This paper is intended to bring awareness to the subject of alarm management and hopefully aid in understanding the benefits. PhD papers are available on the topic so the level of detail behind the standards used is incredible. Fortunately, they have been documented in a way that can be utilized by a lay person effectively. Using a trained specialist keeps the process moving effectively while properly capturing the team’s vast industrial experience. While some concepts can seem daunting, every step taken is a step in the right direction to improving safety and achieving operational excellence!
Watchmen Instrumented Safety Experts (WISE) is a Functional Safety Engineering company with specialized expertise in preventative and mitigative instrumented safety. Our expertise includes HAZOP & LOPA Facilitation, SIL / SIS Calculations and Consulting, Alarm Management, Fire and Gas Systems Engineering, Cyber Risk Management. Consult one of our experts for your instrumented safety project today.