I came across an interesting blog post the other day…
Talk about operating blind. A great picture shows the status of the control room in the Fukushima Dai-Ichi Unit 2 reactor…Nothing is working (besides the lights)!
All of the computer monitors are blank. The clock is…
Throughout history, total solar eclipses have been a significant event. In primitive societies, eclipses were viewed with fear or as important omens. In the US, the upcoming “Great American Solar Eclipse” is creating much excitement. From buying “official” eclipse-viewing glasses, to paying $1500 or more for…
The March / April 2020 issue of Intech contains an excellent article by Nick Sands and Donald Dunn, the co-chairs for the ISA-18 committee.
The article reviews some of the most frequently asked questions on alarm management:
The International Electrotechnical Commission (IEC) has just published the first edition of IEC 62682 “Management of alarm systems for the process industries,” a global standard on alarm management. This new global standard was developed based on the ANSI/ISA-18.2 standard of the same name, which was published in 2009.…
Creating an alarm philosophy document is often the entry point into the ISA-18.2/IEC 62682 alarm management lifecycle. Many tasked with developing one are discouraged by its length and the barriers it creates. When it comes to using the philosophy document, a common concern is that if the document…
It finally happened. Alarm management problems at the plant led to an incident and now management wants action. You have “volunteered” to put together a plan to execute alarm rationalization. You need to create a defendable estimate of how long rationalization will take…
Todd Stauffer, Director of Alarm Management at exida, takes you through a key part of the Alarm Rationalization process called Alarm Objective Analysis (AOA).
You will learn how to determine what alarms you need (and which ones you don’t), how to eliminate nuisance alarms, and safely reduce the number of…
Successful alarm rationalization combines both art and science. From the scientific point of view, rationalization follows a systematic process that applies alarm management principles to determine whether an alarm is justified (needed) and to document its basis (cause, consequence, corrective action, time to respond) and settings (priority, setpoint) in a…
From an operations point of view, one of the significant parts of the ISA-18.2 and IEC 62682 alarm management standards is the endorsement of alarm response procedures. An alarm response procedure, otherwise known as “Alarm Help” or “Alarm Response Manual”, is defined as guidance for response to an alarm (e.g., operator action,…
In an ideal world, every alarm in a process control system would indicate a malfunction or abnormal condition that required operator action. In the real world, alarms that are irrelevant or annunciate excessively—otherwise known as nuisance alarms—can pop up occasionally to quite frequently. They pose a risk to the successful…
One of the more important tasks in the alarm management lifecycle is auditing of the alarm system configuration. Auditing preserves your investment in rationalization, checks for changes that bypassed the MOC process, and helps you to maintain the integrity of the alarm system. Oh, and it is also required per the…
As discussed in What do Nuisance Alarms, the 80-20 Rule, and Mental Models Have in Common?, there are typically a handful of alarm points (10 to 20) that create the majority of notifications (50-80%) to the operator (referencing the 80-20 rule). These nuisance alarms are affectionately called “bad actors”…
As discussed in Part I, bow tie diagrams provide an easy-to-understand visual representation of risk management information (hazards, potential consequences, barriers, degradation factors and controls). In this article we examine the applicability of bow ties to alarm management.
According to the CCPS book “Bow Ties in Risk Management”, there…
Study after study finds that something like 80% of industrial incidents (give or take) are caused by Human Error. Incidents involving human error often include a failure of the operator to respond to an alarm, which is often directly or indirectly caused by nuisance alarms. Poor alarm management has multiple…
An interesting question arose recently when creating an FSM plan:
Does the ISA-18.2 standard on alarm management address the claiming of the operator’s response to alarms as a layer of protection?
Not specifically; however, the ISA-18.2 standard does require that alarms are rationalized, and that alarm system performance is…
US Chemical Safety Board cites lack of Alarm Philosophy, Alarm Rationalization, and State-Based Alarming as Contributing Factors to Blowout in Oklahoma
On January 22, 2018, a blowout and rig fire at the Pryor Trust gas well killed five workers, who were inside the driller’s…
Alarm floods are periods of alarm activity during which the alarm rate is greater than the operator can effectively manage (e.g., when the operator receives ≥10 alarms in 10 minutes). During a flood situation awareness is compromised and alarms are likely to be missed. In the eleven minutes prior to the explosion at…
Are alarm classes defined in your alarm philosophy document (APD) as required by the ISA-18.2 standard? The use of classes (classification) is a new alarm management concept for many. If your APD was created before June 2009, chances are alarm classes are not defined.
Alarm classification…
As the name implies, the purpose of Safe Operating Limits (SOL) is to define the limits beyond which a process will not intentionally be operated and at which troubleshooting ceases, replaced by pre-determined actions to bring the process to a safe state. Pretty important information. I am sure this is why…
Situation: There are three operator consoles (positions) in the same control room. There is one general alarm horn that goes off whenever a new alarm comes in from any one of the three consoles. The horn draws the attention of each of the three operators.
Question: How are the ISA-18.2…
It finally happened. Alarm management problems at the plant led to an incident and now management wants action. You have “volunteered” to put together a staffing plan to execute alarm rationalization. You have heard it can be a resource-intensive process, so you want to…
Contrary to what you might have guessed, the “Defeat of the Situation Awareness Demons” is not a new video game on XBOX or Playstation. It is a set of eight (8) factors which undermine effective Situation Awareness. It can be applied to operators in process plants to characterize human error…
Industry Benchmark Survey on Alarms as Safeguards and Independent Protection Layers (IPLs)
exida recently conducted an industry benchmark survey on the practices for the use of alarms as safeguards and IPLs. With over 200 safety practitioners from around the world providing responses, you can use the survey findings to compare…
In the book “Outliers”, Malcolm Gladwell popularized the notion that to become an expert in a field requires putting in 10,000 hours of practice.
The emerging picture from studies of expertise is that ten thousand hours of practice is required to reach the level of mastery associated with being a…
Which one of these layers of protection (operator response to alarm, relief valves, dikes, and safety instrumented systems) is not like the other?
Operator response to alarm (Operator Intervention), because of the “Human” factor.
It is very difficult to calculate the probability of…
Similar to the thought experiment “If a tree falls in a forest and no one is around to hear it, does it make a sound?”, we ask - If an alarm is generated, and the operator fails to acknowledge it, was it really an alarm? A prevalence of unacknowledged alarms…
The new and updated version of the ISA-18.2 standard (ANSI/ISA-18.2-2016, Management of Alarm Systems for the Process Industries) has now been officially released. This supersedes the original edition (2009). The new version incorporates feedback from 6+ years in the "field" and includes some updates based on the IEC 62682 international…
The ISA-18.2 committee on alarm management has launched a new working group (WG7) that is focused on developing a standard, recommended practice, or technical report on the application of alarm management to process plants utilizing multiple packaged equipment systems. The work will be based on and complement the existing…
The purpose of an alarm is pretty straightforward - to draw the operator’s attention to an abnormal situation that requires action in order to prevent an undesired consequence. Alarms that don’t meet this principle often become nuisance alarms. A nuisance alarm is defined as:
“an alarm that annunciates excessively, unnecessarily,…
Understanding operator decision-making is a good first step in improving operator effectiveness. Operator decision-making depends on the person (their level of expertise) and the situation (how familiar). A popular behavioral model from Rasmussen proposes that operator response can be broken into three levels: skill-based behavior, rule-based behavior, and knowledge-based behavior as shown in the…
Alarm Overload…Nuisance Alarms…Alarm Floods…Incorrectly Prioritized Alarms…. These alarm management problems are all too common in the modern Distributed Control System (DCS).
Why is this? In the “olden” days (read panel boards and alarm lightboxes), there was considerable thought put into what alarms were necessary because there was limited real estate…
The increasing global adoption of alarm management standards (ISA-18.2 and IEC 62682) is bringing the importance of alarm rationalization to the forefront. Rationalization is defined as the “process to review potential alarms using the principles of the alarm philosophy, to select alarms for design, and to document the rationale for…
On July 27, the US Chemical Safety Board (CSB) issued a Factual Update on their investigation into a release of water containing a toxic gas (hydrogen sulfide) and subsequent fatal injuries sustained at the Aghorn Operating Waterflood Station. While it is typically not a good idea to comment on investigations that…
Alarms were originally shown on Piping and Instrumentation Diagrams / Drawings (P&IDs) to document hardware requirements for installation in a (panelboard) control room. This was important because there was limited real estate in the control room for the alarms (displayed on Panalarms and light boxes) and there was a real…
Recently I was reading The Manufacturing Operations Technology Viewpoints blog and came across an interesting post on Alarm Management that cites exida’s Alarm Management cheat sheet. The blog post entitled The Crossroads of Alarm Management and Process Safety is a great summary for anyone who…
That is the question.
When your alarm does not meet the definition as defined in the ISA-18.2 standard and/or the criteria established in your alarm philosophy document, it is not an alarm.
By ISA-18.2 definition “an alarm is an audible and /or visible means of indicating…
Most everyone has heard of the “80-20 rule”. It asserts that for many situations, roughly 80% of the effects (outcomes) come from 20% of the causes (inputs). This rule was first proposed in the early 1900s by Vilfredo Pareto, who was an Italian engineer, sociologist, economist, political scientist, philosopher, and…
The ISA-18.2 and IEC 62682 standards define an alarm as an “audible and/or visible means of indicating to the operator an equipment malfunction, process deviation, or abnormal condition requiring a timely response”. One of the reasons why alarm systems are out of control (alarm overload, nuisance alarms) is…
We are going to continue discussing the results from exida’s recently published industry benchmark survey on the practices for the use of alarms as safeguards and IPLs. Over 200 safety practitioners from around the world provided responses. This entry will discuss the relationship between alarms identified as safeguards and those…
Alarm classification is a process for grouping alarms that have a common set of requirements for areas like training, maintenance, testing, management of change, and reporting. It could, for example, be used to identify Safety (Related) alarms that are used for functional safety purposes. Classification is also a required output of alarm rationalization per the ISA-18.2 and IEC 62682 alarm management standards. Despite this, many alarm management projects ignore classification or misinterpret what it is to be used for (it’s not the same as alarm priority or alarm type). Additionally, the usage and benefit of Highly Managed Alarms (HMA) is not well understood.
This presentation will review the purpose of alarm classification, how to define alarm classes, and how to assign alarms to classes. It will also discuss the origin and purpose of Highly Managed Alarms, and their associated requirements. Lastly it will present application examples of classification (including “Safety Alarms”) and the benefits that can be realized by end users.
If you are just getting started with alarm management or need a refresher, then this webinar is for you. We will cover the most important concepts and principles of alarm management as taken from industry standards (ISA-18.2, IEC 62682) and guidelines (EEMUA 191, ASM). Tune in to learn the following:
Why there are so many alarms configured in a typical system
How to determine when an alarm is needed (and when it is not appropriate)
How to determine when alarms are redundant
How to define a useful limit for an alarm (alarm setpoint)
How to manage alarms that are special (such as those used for safety)
How many alarms can an operator get (and still do their job)
How to let the operator know which alarm to respond to first
How to let the operator know what action to take for an alarm
How to determine whether you have alarm management issues
How to make sure the alarm occurs only when it is supposed to
Don’t get started on the wrong track. This presentation shows how to begin creating an effective alarm management program that complies with the ISA-18.2 / IEC 62682 standards. Performing a thorough alarm system performance benchmark and gap assessment is often the first step in creating a sustainable alarm management program and gaining management buy-in. This presentation discusses tools, techniques, and methodologies for characterizing current performance, identifying systematic issues, and identifying (as well as closing) gaps compared to ISA-18.2 / IEC 62682.
This joint presentation between exida and SyTech will demonstrate how tools such as XLReporter can make it easy to measure alarm system performance. Combine this tool with exida’s alarm management expertise and see how easy it is to set a course for improved alarm management.
Co-presented by: Peter Kaprielian, Chief Technology Officer at SyTech
Yokogawa has a long and rich history of “firsts” in the world of distributed control systems (DCS). They were one of the first suppliers to include alarm shelving, for example, long before it became required alarm management functionality per the ISA-18.2 / IEC 62682 standards. Despite this, many Yokogawa users don’t leverage the alarm management capabilities that are available to them. The purpose of this presentation is to discuss alarm management tools and capabilities that can be used to comply with the ISA-18.2 / IEC 62682 alarm management lifecycle, to reduce unwanted shutdowns (trips), reduce risk, and improve operator effectiveness. Highlights include discussion of how to analyze alarm system performance, perform rationalization, use eclipsing, alarm shelving, load shedding, alarm flood suppression, and present “Alarm Help” to the operator (alarm response procedures). Examples will be shown from CAMS, SILAlarm, exaquantum ARA and AMD, exapilot, and exaplog.
In an ideal world, every alarm would indicate a malfunction or abnormal condition that required operator action. In the real world, alarms that are irrelevant or annunciate excessively—otherwise known as nuisance alarms— can overload operators with nonessential noise and desensitize them to the importance of alarms (“I can ignore this alarm….”). The presence of nuisance alarms is a common contributor to alarm management incidents.
Alarm shelving provides a way for the operator to manage these nuisance alarms safely and securely. Shelving provides a controlled mechanism for the operator to temporarily remove a nuisance alarm from view until the underlying problem can be addressed. It is such an important tool for alarm handling that it is now required control system functionality per ISA-18.2-2016 and IEC 62682 (Management of Alarm Systems for the Process Industries). As a result, more and more control systems have added this as a standard feature.
One of the important tasks defined in the ISA-18.2 / IEC 62682 alarm management lifecycle is to audit the alarm configuration settings in the control system (actual) versus those that have been specified during rationalization and are documented in the master alarm database (target). This webinar will discuss the Auditing and Enforcement process including why it should be done and how it can complement (but not make up for) the MOC process. We will discuss what alarm parameters are most important to audit and why. We will also review the pros and cons of different methods for auditing and for enforcement.
This webinar discusses current industry practices around the use of alarms as safeguards and layers of protection as established by a recent benchmark survey of over 200 safety practitioners from around the world. Areas explored in the survey that will be discussed include:
Typical and maximum claimed risk reduction
Considerations used to determine whether an alarm can be credited with risk reduction
How often IPL alarms are determined to be invalid or ineffective in operation
Practices for display and annunciation through a Human Machine Interface (HMI)
Key results and conclusions will also be presented as well as recommendations on where industry should focus on improvement.
Whenever we talk about the management of a chemical plant, we tend to focus on how to run the chemical process, how to manage the operations, how to manage the raw materials for the process, etc.
However, in my experience, the importance of data and information management is usually overlooked. I often see missing P&IDs; modifications to the process without any documentation; changed alarm setpoints without any record, just to name a few.
This is a series of webinars that aims to introduce everyone to Functional Safety (IEC 61511 and IEC 61508) and Alarm Management (ISA 18.2/IEC 62682), with the supplement of the fundamentals from Data Science and Data Analytics.
This week we are going to investigate the Data Management Lifecycle in Data Science and see how the various concepts are closely related to the Functional Safety Lifecycle and Alarm Management Lifecycle.
The main output of an Alarm Rationalization is the Master Alarm Database: an authorized database with alarm attributes which are reviewed and confirmed by a professional team. After the Rationalization, the next step in the ISA 18.2 lifecycle is to proceed into the Advanced Alarming Designs.
Before proceeding, it is a good idea to take a pause and review the rationalization. Here I would like to employ the methodologies from Data Science.
Data Visualization is an essential phase in Data Science. It provides insights for Data Analysis or even Machine Learning directions.
This is a series of webinars that aims to introduce everyone to Alarm Management based on ISA 18.2/IEC 62682, with the supplement of the fundamentals from Data Science and Data Analytics.
This webinar presents how to create an alarm management continuous improvement program for Emerson DeltaV System Owners that follows the ISA-18.2 alarm management lifecycle. Tools will be demonstrated to analyze alarm system performance and pinpoint poorly performing alarms (DeltaV Analyze), rationalize the poor performers (SILAlarm), and automatically update the DeltaV configuration with the new alarm settings (priority, limit, hysteresis, suppression time, etc.). It also illustrates how operator alarm response procedures (containing the cause, consequence, corrective action, and time to respond) can be created automatically from the rationalization results and made available to the operator online using DeltaV Alarm Help.
Bow Tie Diagrams, which have become increasingly popular over the last 20 years, provide a powerful and easy-to-understand way to visualize how a company controls risks to prevent major accident hazards. They illustrate the relationships between hazards, causes, potential consequences, the barriers in place to prevent the event or mitigate the results, and the degradation factors that might cause a barrier to fail. This webinar will provide an overview of the Bow Tie methodology and how it might be applied to alarm management. Content will be drawn from the new CCPS book “Bow Ties in Risk Management: A Concept Book for Process Safety” and other references. Specific examples include the Buncefield UK explosion / fire and the Gas Well Blowout and Fire at the Pryor Trust Well.
The period after an equipment trip or shutdown is one of the most stressful and challenging times for operators. Part of the challenge stems from alarm floods, when the operator gets more alarms than they can respond to. If unabated, alarm floods can lead to a loss of situation awareness, the missing of alarms, operator error, or an incident. Alarm floods are one of the hardest alarm management issues to solve.
This presentation will discuss how you can eliminate alarm floods by designing and implementing alarm flood suppression logic in the control system. It will cover the best practices for design and implementation from ISA-18.2 / IEC 62682. It will show how to implement alarm flood suppression automatically in a DeltaV system using SILAlarm and pre-defined control modules. It will also show examples of how suppression can be implemented in Siemens PCS 7, Rockwell PlantPAx, and Yokogawa Centum systems.
With increased focus on risk management and regulatory compliance, companies are looking to develop and implement alarm management programs that follow good engineering practices and improve operations. But where to start? This webinar will discuss a seven-step program, based on the ISA-18.2 alarm management lifecycle, which drives continuous improvement without overtaxing your plant resources. Specific topics include:
· developing an alarm philosophy
· alarm rationalization
· implementing designed suppression and alarm shelving
· creation of alarm response procedures
· monitoring & assessment of alarm system performance
It will also show the quantifiable business results that can be achieved from an effective alarm management program.
Alarm Management was often neglected in the past until after installation and commissioning of the control system. This led to alarm overload, nuisance alarms, turning off of the alarm system, and some dangerous start-ups. It is no longer acceptable in today’s environment for many end users to start up without having applied alarm management best practices beforehand (e.g., EEMUA 191 and ISA-18.2). It is becoming increasingly common to perform alarm rationalization, a process for determining which alarms are valid / necessary and documenting their priority / limit / cause / consequence / corrective action, early in a project such as during FEED.
This webinar will present:
The alarm system and Human Machine Interface (HMI) are the main interfaces for process plant operators to monitor and control the process. This webinar will discuss HMI Design practices that can help improve the operator’s response to abnormal situations based on human factors considerations. It will discuss techniques for optimizing situation awareness before, during, and after an upset. It includes best practices in the configuration of process graphics and the alarm system taken from the ISA-18.2 and ISA-101 standards. It also references the work of Mica Endsley, the ASM Consortium, and the Center for Operator Performance.
Creation of an alarm philosophy document is the cornerstone for development and sustainability of an effective alarm management program and the first stage in the ISA-18.2 alarm management lifecycle. The alarm philosophy document establishes the guidelines for how to address all aspects of alarm management at a site - including roles & responsibilities, rationalization, design, operations, maintenance, testing, training, and management of change. This webinar will discuss one successful methodology for creating a philosophy that minimizes the time and resource commitment of plant personnel. It will also review some of the key content that should be included and the typical decisions that must be made when creating the document.
According to numerous industry studies, human failure contributes to upwards of 80% of industrial accidents. New incidents continue to occur that bear a striking resemblance to previous incidents. This means we are not effectively learning from history. The purpose of this webinar is to review selected process industry incidents where operator response to an alarm was a contributing factor. It will examine the incidents through the lens of Human Factors Engineering to seek new insights and lessons learned to improve operator performance. The presentation will identify the possible type(s) of human error (slips, lapses, mistakes, or violations) for each incident and review how cognitive biases, situation awareness demons, and mental model failures may have contributed to the operator’s response.
Making the Most of Alarms as a Layer of Protection
Management of change (MOC) is recognized as a crucial activity in OSHA’s process safety management regulation. It is also a stage in the ISA-18.2 / IEC 62682 alarm management lifecycle. In this webinar, we will explore how MOC is conducted in the context of Alarm Management. We will look at the basic flow of MOC and consider situations where improper changes to the alarm system can create a hazardous situation. Finally, the webinar will look at how having a built-for-purpose tool like SILAlarm can support implementation of MOC associated with rationalization.
This webinar will review the best practices documented in TR3 – Basic Alarm Design, one of the series of technical reports created to supplement the ISA-18.2 standard on alarm management. Application of basic alarm design techniques, such as alarm deadband and on/off delay, has been shown to significantly reduce alarm load on the operator (by 45 – 90% in one study). The webinar will discuss the best practices around the use of deadband, on / off delay, and PV filtering. Other areas of discussion include the use of alarm states in control logic, re-alarming, alarm latching, and considerations for selecting the appropriate alarm type.
The adoption of standards on alarm management (ISA-18.2 and IEC 62682) has introduced a new term into the lexicon of automation professionals - the “master alarm database,” which is defined as the “authorized list of rationalized alarms and associated attributes.” In this webinar we will talk about what a master alarm database (MADB) is, how one is created, what information it should/could contain, how it can be used to create alarm response procedures, and how it can be integrated into a management of change process. We will also look at how it can be used to document the results of alarm rationalization (e.g., alarm priority, classification, limit, cause, consequence, and corrective action) and other useful design data (e.g., safe operating limits, associated interlocks, maximum design temperatures/pressures). Additionally, the webinar will examine how the MADB can be used as the source for updating the control system with the optimized alarm settings resulting from rationalization.
“Closing the Holes in the Swiss Cheese Model”
Layers of protection for abnormal event management can be modeled as slices of swiss cheese according to James Reason. An operator’s response to an alarm is one of the first layers of protection to prevent a hazard from escalating to an incident. This presentation discusses a two-part approach to maximizing the operator’s reliability when responding to abnormal situations (“closing the holes in the swiss cheese layer”).
The first part focuses on following the best practices in the alarm management standards ANSI/ISA-18.2-2016 and IEC 62682. Examples include alarm rationalization to ensure all alarms are meaningful and to capture “tribal knowledge”, prioritization to help operators determine which alarms are most critical, alarm classification, monitoring of alarm system performance metrics, and creation of alarm response procedures. The second part addresses the impact of human factors on operator performance, including how nuisance alarms and alarm floods can lead to errant mental models, attention tunneling, misplaced salience and overall loss of situation awareness. We will also discuss how often “operator error” is really the underlying cause of alarm management incidents.
Nuisance alarms are alarms that don’t meet the definition or purpose of an alarm according to the ISA-18.2 / IEC 62682 alarm management standards. Defined as alarms that annunciate excessively, unnecessarily, or do not return to normal after the correct response is taken, nuisance alarms can be the operator’s worst nightmare. They can clutter the alarm summary display, increase operator stress, desensitize the operator, and cause them to lose situation awareness. Nuisance alarms can create a culture where it becomes necessary and acceptable for operators to ignore alarms.
This presentation will discuss the dangers of nuisance alarms from a human factors point of view and will discuss techniques for eliminating them (rationalization), as well as handling them when they occur (alarm shelving). It will talk about how nuisance alarms affect operator decision making and how to change a culture where the ignoring of alarms has become standard practice.
Modern control systems make it easy (maybe too easy) to add alarms without significant effort, cost, or consideration for whether they are truly needed. This has led to alarm systems that often hinder, rather than help, operators by subjecting them to nuisance alarms, alarm floods, incorrectly prioritized alarms, and general alarm overload. Alarm rationalization, a proven alarm management technique and one of the stages of the ISA-18.2 / IEC 62682 alarm management lifecycle, can help address these issues and create an optimal, effective alarm system.
The presentation will touch on best practices for rationalization as well as the most common pitfalls. It will also demonstrate how effective alarm rationalization can lead to reduced downtime, reduced operational risk (insurance premiums), and reduced cost of operations, while improving operational discipline and operator effectiveness.
“Safety Alarms” (aka Safety Related Alarms) are commonly used as safeguards or independent protection layers to prevent the escalation of hazardous scenarios. Despite this simple purpose, there is a wide range in the interpretation of what a safety alarm is, its requirements and how it should be managed. Some schools of thought advocate that safety alarms have a risk reduction > 10 and must be implemented in a safety instrumented system (SIS) that is compliant with IEC 61511. Others would say that all alarms implemented in an SIS are safety alarms. Still others would say that safety alarms can be implemented in a BPCS, and they may be assigned a risk reduction factor ≤ 10.
This webinar will highlight the current “body of knowledge” contained in ISA-18.2, EEMUA 191, UK HSE’s OG47, IEC 61511, and ISA-84. It will also discuss where industry is heading in terms of new guidance, interpretations, and requirements. Organizations such as the UK HSE, NAMUR, and ISA are updating existing guidelines or developing new ones. ISA is developing a new standard on Safety Controls, Alarms and Interlocks (ISA-84-91.03).
This webinar will discuss how to identify what is a safety alarm (and what this means to the end user). It will also discuss how risk reduction, safety integrity level, identification as a safeguard or independent protection layer, and use as a mitigation or prevention barrier, impacts requirements.
“How to Implement an Effective Alarm Management Program for your DeltaV System” (Emex 2016)
Has the alarm horn become the nemesis of your operators? This presentation from the 2016 Emerson Exchange describes how to create (build) an effective and sustainable program using ISA-18.2’s alarm management lifecycle (the blueprint) and DeltaV’s alarm management capabilities (the tools). It shows how following the program will allow you to address common alarm management issues (alarm overload, nuisance alarms, alarm floods, incorrectly prioritized alarms) and create a control room environment that maximizes operator performance, improves process safety, and drives operational discipline.
Are your operators overloaded with alarms or do they ignore nuisance alarms? Do you want to improve your alarm management practices, but don’t know where to start? This presentation discusses how to create an effective and sustainable program using the alarm management lifecycle of the IEC 62682 / ISA-18.2 standards. This unique seven-step process can be applied to brownfield and greenfield applications, independent of control system platform. It includes steps for benchmarking initial performance and identifying systematic issues, developing an alarm philosophy, performing alarm rationalization and implementing the results, creating alarm response procedures, applying advanced alarming techniques, measuring ongoing performance, and performing audits to ensure system integrity.
The presentation will show how following the program will allow you to address common alarm management issues (alarm overload, nuisance alarms, alarm floods, incorrectly prioritized alarms) and create a control room environment that maximizes operator performance, improves process safety, and drives operational discipline. Examples will be taken from multiple control system platforms including Emerson DeltaV, Rockwell PlantPAx, Honeywell Experion, Yokogawa Centum, and Siemens PCS 7.
Whenever we talk about alarm data in control systems for the process industry, we cannot avoid the management of the alarm database; without it, the alarm system becomes a mess. As a result, we often see unorganized processes with up to thousands of alarms per day. This is more than a nuisance for the daily operation of the plant; it also has safety implications. This is a series of webinars that aims to introduce everyone to Alarm Management based on ISA 18.2/IEC 62682, supplemented with the fundamentals of Data Science and Data Analytics.
This week, we are talking about the root causes of alarms. We will explore the philosophy of the 5 whys in data analysis and how it is used in alarm management.
Working from home and keeping a safe distance are the norms in this surreal period of time. We often get requests from our clients about conducting remote workshops, like HAZOP, LOPA or alarm rationalization workshops. Today I would like to focus on alarm rationalization and share the challenges we face during remote workshops. In the end, I will make a few suggestions about the keys to organizing a successful remote workshop.
Development of an Alarm Philosophy document (APD) is one of the first and most important tasks in creating an effective alarm management program (and it is required by the ISA-18.2 and IEC 62682 standards). This webinar will discuss what topics should be addressed in an alarm philosophy (as required or recommended in the standards). It will also provide “tips and tricks” and “lessons learned” based on exida’s experience in the field and based on the ISA-18.2 Technical Report on Alarm Philosophy (which exida helped write). It will discuss which areas of the APD may depend on control system functionality and which areas are control system-agnostic. Specific examples will be covered such as prioritization, classification, use of Highly Managed Alarms, alarm suppression, and the use of alarm response procedures.
The concept of an alarm management lifecycle was first introduced with the ISA-18.2 standard. It has been reaffirmed with the release of the IEC 62682 international standard on alarm management. In this webinar we will examine the stages of the lifecycle to understand the key activities, requirements, and recommendations in each. We will also show how following the alarm management lifecycle can address common alarm management issues such as nuisance alarms, stale alarms, alarm floods, alarm overload and incorrectly prioritized alarms. We will review how to use the lifecycle to create an effective alarm management program that is sustainable and effective over time.
Poor alarm management is one of the leading causes of unplanned downtime, contributing to over $20B in lost production every year, and of major industrial incidents such as the one in Texas City. Developing good alarm management practices is not a discrete activity, but more of a continuous process (i.e., it is more of a journey than a destination). This paper will describe the new ISA-18.2 standard, “Management of Alarm Systems for the Process Industries”. This standard provides a framework and methodology for the successful design, implementation, operation and management of alarm systems and will allow end-users to address one of the fundamental conclusions of Bransby and Jenkinson that “Poor performance costs money in lost production and plant damage and weakens a very important line of defense against hazards to people.” Following a lifecycle model will help users systematically address all phases of the journey to good alarm management. This paper will provide an overview of the new standard and the key activities that are contained in each step of the lifecycle.
Collection and utilization of process safety metrics is an important tool for driving improved safety. Tier 3 leading indicators (challenges to safety systems) indicate failures of process safety management systems and highlight areas that should be improved to prevent a more serious event. Safe Operating Limit (SOL) exceedances are a commonly used Tier 3 leading indicator. Surprisingly, there are many different approaches used in industry to calculate safe operating limits and to apply them. This inconsistency potentially diminishes the usefulness of SOL exceedances as an effective indicator.
This paper discusses current industry practices around the determination and application of safe operating limits as established by a recent benchmark survey of over 150 safety practitioners from around the world. Areas explored in the survey of SOLs include: methodology for calculating, how / where information is stored, how / when established values are reviewed and audited, usage as a Process Safety Management leading indicator, integration with operations (training, documentation), identification and tracking of when exceedances have occurred, and actions taken on exceedance. Key results and conclusions will be presented as well as recommendations on where industry should focus on improvement.
Alarms and operator response are one of the first layers of defense in preventing a plant upset from escalating into an abnormal situation. The new ISA 18.2 standard on alarm management recommends following a lifecycle approach similar to the existing ISA84/IEC 61511 standard on functional safety. This paper will highlight where these lifecycles interact and overlap, as well as how to address them holistically. Specific examples within ISA 18 will illustrate where the output of one lifecycle is used as input to the other, such as when alarms identified as safeguards during a process hazards analysis (PHA) are used as an input to alarm identification and rationalization. The paper will also provide recommendations on how to integrate the safety and alarm management lifecycles.
Apply the ISA-18.2 Standard on Alarm Management to design, implement, and maintain an effective alarm system.
Tackle distractions that impair operator performance and process efficiency.
Process alarms, coupled with operator action, are frequently cited as a safeguard in a Process Hazard Analysis (PHA) and an Independent Protection Layer (IPL) in a Layer of Protection Analysis (LOPA), but does the alarm management system really support the safeguard/IPL?
According to ISA-18.2 / IEC 62682 an alarm must indicate an equipment malfunction, process deviation, or abnormal condition that requires a timely operator action. If no action is taken, then the alarm is either invalid or the operator is not doing their job. Both scenarios represent a breakdown in operational discipline for alarm management as does the presence of nuisance alarms and alarm floods. This breakdown in operational discipline for alarms has been cited as a contributing factor in many significant safety incidents, some of which will be analyzed in this paper. If operational discipline for alarms is lacking, then it is very possible that the desired risk reduction for a process alarm used as an IPL will not be achieved and the probability of an ineffective operator response will increase.
As systems have evolved from hardwired to computer control, alarms have become easier and less expensive to implement, leading to more, and less purposeful, alarms. Operators must contend with multiple alarms at one time with only their experience to determine priority. Alarms may be added to or removed from a control system without proper management of change. Systems may include alarms for which there is no possible action, or inadequate action time. What can an organization do to take control of their process alarms and improve operational discipline?
Layers of protection for abnormal event management can be modeled as slices of Swiss cheese according to James Reason [1]. An operator’s response to an alarm is one of the first layers of protection to prevent a hazard from escalating to an incident. This paper will present best practices for maximizing the operator’s reliability for understanding and responding to abnormal situations as adapted from the alarm management standards ANSI/ISA-18.2-2016 and IEC 62682. Examples include alarm rationalization to ensure all alarms are meaningful and to capture “tribal knowledge”, prioritization to help operators determine which alarms are most critical, and creation of alarm response procedures. The treatment of safety alarms, which are those that are deemed critical to process safety or to the protection of human life or the environment, will be specifically highlighted.
The paper will also discuss key human factors considerations for maximizing operator situation awareness (SA) by preventing SA “demons” such as developing an errant mental model of the process, attention tunneling, data overload, and misplaced salience. As such, the resolution of issues which inhibit operator performance, such as nuisance alarms and alarm floods, will also be discussed.
Stop using operator error as an excuse. Apply human factors considerations to improve your alarm system and help operators respond to alarms effectively.
Alarms play a significant role in maintaining plant safety by notifying operators of an equipment malfunction, process deviation, or abnormal condition that requires a timely response. Alarms are one of the first layers of protection for preventing a hazard from escalating to an incident or accident. They work in conjunction with other independent protection layers (IPLs) such as relief valves, dikes, and safety instrumented systems (SIS).
Recent industrial accidents at Texas City, Buncefield (UK) and Institute, WV have highlighted the connection between poor alarm management and process safety incidents. At Texas City, key level alarms failed to notify the operator of the unsafe and abnormal conditions that existed within the tower and blowdown drum. The resulting explosion and fire killed 15 people and injured 180 more [1]. The tank overflow and resultant fire at the Buncefield Oil Depot resulted in a £1 billion (1.6 billion USD) loss. It could have been prevented if the tank’s high level safety switch, per design, had notified the operator of the high level condition or had automatically shut off the incoming flow [2]. At the Bayer facility (Institute, WV), improper procedures, worker fatigue, and lack of operator training on a new control system caused the residue treater to be overcharged with Methomyl, leading to an explosion and chemical release.
In an ideal world, every control system alarm would indicate a malfunction or abnormal condition that required operator action.
In reality, alarms that are irrelevant or annunciate excessively, otherwise known as nuisance alarms, pop up from time to time. They pose a risk to successful operation of the plant because they overload operators with nonessential noise and desensitize them to the importance of alarms (“I can ignore this alarm because I know nothing will happen”).
Alarm shelving provides a way for the operator to manage these nuisance alarms safely and securely. In fact, it is such an important tool for alarm handling that it is now required control system functionality per ISA-18.2-2016 and IEC 62682 (Management of Alarm Systems for the Process Industries).
In this ebook, we will address the benefits of implementing alarm shelving, address common alarm shelving concerns, discuss the considerations for implementing shelving effectively, and compare important features provided by common control systems.
Using the ISA-18.2 standard can help process engineers understand, simplify, and implement a sustainable alarm management program.
Congratulations. You’ve been assigned the task of establishing an alarm management program for your facility. So where and how do you begin? This article presents four practical tips for starting an effective and sustainable alarm management program that conforms to the tenets of a relatively new process industry standard for alarm management published by ISA.
Alarms and operator response to them are one of the first layers of protection in preventing a plant upset from escalating into a hazardous event. This paper discusses how to evaluate and maximize the risk reduction (or minimize the probability of failure on demand) of this layer when it is considered as part of a layer of protection analysis (LOPA).
The characteristics of a valid layer of protection (Specific, Auditable, Independent and Dependable) will be reviewed to examine how each applies to alarms and operator response. Considerations for how to assign probability of failure on demand (PFD) will be discussed, including the key factors that contribute to it (e.g., operator’s time to respond, training, human factors, and the reliability of the alarm annunciation / system response). The effect of alarm system performance issues (such as nuisance alarms and alarm floods) on operator dependability (and probability of failure on demand) will be reviewed. Key recommendations will be drawn from the ISA-18.2 standard “Management of Alarm Systems for the Process Industries”.
Some significant process industry incidents, including BP Texas City and Buncefield, were caused by overflowing vessels. In many overflow incidents, alarms were designed to signal the need for operator intervention. These alarms may have been identified as safeguards or layers of protection, but they did not succeed in preventing the incident. This paper reviews several overflow incidents to consider the alarm management and human factors elements of the failures.