hazards equal trips or alarms or both/media/documents/subject groups/safety_lo… · hazards equal...

IChemE SYMPOSIUM SERIES NO. 153 # 2007 Clive Timms

HAZARDS EQUAL TRIPS OR ALARMS OR BOTH†

Clive Timms

Strathayr, Rhu-Na-Haven Road, Aboyne, Aberdeenshire, AB34 5JB; e-mail: [email protected]

Anyone who has been involved in the application of IEC 61508 and IEC 61511by undertaking the

Safety Integrity Level (SIL) determination for Safety Instrumented Systems (SIS) will appreciate

the amount of effort and tenacity that is required to undertake the task. SIL determination of

Safety Instrumented Systems, or shut down systems as they are traditionally called, requires con-

siderable commitment and tenacity to get the job done, but it is like climbing to the top of a hill only

to be faced with a mountain when we come to consider what is involved in reviewing or configuring

a typical alarm system.

A medium sized process facility may have a few hundred or so primary Safety Instrumented

Functions (SIF) or trips configured into a Safety Instrumented System. These need to be assessed

and assigned an appropriate SIL, but the number of alarms configured into a process control system

(PCS) that need to be assessed and prioritised can often run into the thousands. The requirements

for alarms usually involve different disciplines such as instruments, process, maintenance and the

operators themselves. The latter often have the misconception that their life will be easier if they

have alarms on everything.

There is synergy between safety instrumented functions and alarms because they both make

a contribution to reducing the risk of having unwanted events, and both need an assigned their

appropriate criticality. It is also important to be able to determine when an alarm should

be upgraded to a trip to provide automatic protection, and conversely, when a trip can be down-

graded to alarm status.

A SIF is engineered to provide protection against a hazard caused by some kind of failure, and

has a concise and automatic role to play when a process moves out of its normal operating envelope.

Using good practice to comply with the IEC 61508/61511 standards, a risk assessment can be

undertaken to determine its criticality or Safety Integrity Level (SIL).

An alarm function works through the human interface to provide an early warning that the

process has moved away from the normal operating envelope to:

. Alert the operator to disturbed plant conditions;

. Provide indication of further developments that may need attention;

. Trigger a trained operator response.

Alarms normally contribute to the overall risk reduction along with a number of different

risk reducing layers, and the criticality of an alarm should also be assessed in order to set its

priority.

This paper will detail various methods of criticality assessment which have been successfully

applied to set the appropriate priority, identify the critical alarms that need to be upgraded to trips

and to rationalise those of no value. It will also cover the use of software tools which can significantly

reduce the effort involved in this process.

KEYWORDS: alarms, trips, prioritisation, rationalisation, SIF, SIL, risk

INTRODUCTIONAnyone who has been involved in the application of IEC61508[1] and IEC 61511[2] and the Safety Integrity Level(SIL) determination for Safety Instrumented Systems (SIS)will appreciate the amount of effort and tenacity that isrequired to undertake the task. SIL determination ofSafety Instrumented Systems, or shut down systems asthey are traditionally called, requires considerable commit-ment and tenacity to get the job done, but it is like climbingto the top of a hill only to be faced with a mountain when we

†#2007 Clive Timms.

1

come to consider what is involved in reviewing or configur-ing a typical alarm system.

A medium sized process facility may have a fewhundred or so primary Safety Instrumented Functions (SIF)or trips configured into a Safety Instrumented System.These need to be assessed and assigned an appropriate SIL,but the number of alarms configured into a process controlsystem (PCS) that need to be assessed and prioritised canoften run into the thousands. The requirements for alarmsusually involve different disciplines such as instruments,


process, maintenance and the operators themselves. The latteroften have the misconception that their life will be easier ifthey have alarms on everything. Thus the demand for morealarms, along with the ease of configuration afforded byPCS’s, regularly leads to a proliferation of alarms. In otherwords, alarm configuration can all too easily get out of hand.

There is synergy between safety instrumented func-tions and alarms because they both make a contribution toreducing the risk of having unwanted events, and bothneed an assigned criticality. It is also important to be ableto determine when an alarm should be upgraded to a tripto provide automatic protection, and conversely, when atrip can be downgraded to alarm status.

A SIF is engineered to provide protection against ahazard caused by some kind of failure, and has a conciseand automatic role to play when a process moves out of itsnormal operating envelope. Using good practice to complywith the IEC 61508/61511 standards, a risk assessment canbe undertaken to determine its criticality or Safety IntegrityLevel (SIL). This risk assessment and is related to the conse-quences that would occur if the SIF were to fail on demandand the frequency of a demand. The consequences can beany combination of safety, societal, financial and environ-mental impact.

An alarm function works through the humaninterface – ‘A Methodology for Alarm Classification andPrioritisation’ – Timms[3] – to provide an early warningthat the process has moved away from the normal operatingenvelope to:

. Alert the operator to disturbed plant conditions,

. Provide indication of further developments that mayneed attention,

. Trigger a trained operator response.

Alarms normally contribute to the overall risk reductionalong with a number of different layers the overall schemeof risk reduction Figure 1, the criticality of the alarmshould also be assessed in order to set an appropriate pri-ority. It makes sense to assess the criticality of an alarm in

Figure 1. Typical ri

2

a similar way to a SIF but based on the consequences thatwould follow if the alarm fails or is missed by the operator.

However, the contribution that an alarm makes to riskreduction can become clouded if the operator cannot ident-ify the important alerts against a background of alarm pro-blems. The three main problem areas that can potentiallycompromise safety, production and the environment are:

. Nuisance alarms.

. Standing alarms.

. Alarm avalanches or floods.

Nuisance alarms and standing alarms are usuallycaused by instrument faults, out-of-service equipment orinappropriate limit and/or dead-band settings. They canbe relatively easily identified and rectified by maintenanceor adjusting the configuration parameters. However, alarmavalanches or floods are usually the result of consequentialor secondary events following a primary event, and the morealarms that are configured; the more there are to appearbefore an operator in a plant upset condition. The problemfor the operator is how to distinguish between the primaryinitiating event and the secondary consequence events.

The primary objective must therefore be to rationalisethe alarm system to a configuration which alerts the operatorto alarms in order of importance, so as to give him/her thebest chance to take corrective action. Inability to take correc-tive action can have significant safety, economic and environ-mental consequences. We must also eradicate those alarmsthat serve no purpose as this will significantly reduce thealarm overload. This can be achieved by a well defined meth-odology, and the effort can be significantly reduced by enga-ging specialist software tools as discussed later.

THE UK HSE POSITIONThe UK HSE often uses the Texaco Refinery explosion in1994 as the prime example of how the poor applicationalarms and human factors can result in serious incidents.This paper is not going to regenerate the UK HSE findings,but their position on alarm handling has been made very

sk reduction layers


clear. They have produced an UK HSE information sheet‘Better alarm handling’[4] to provide some basic guidance,and the Hazardous Installations Directorate (HID) haveoutlined their strategy with respect to inspection andenforcement, and their expectations with respect to usersand designers, in an article entitled ‘Better alarm handling –a practical application of human factors’[5] published in theMeasurement and Control magazine (March 2002).

In both publications the UK HSE guidance provides asimple 3-stage approach:

. Find out if you have a problem

. Decide what to do and take action

. Manage and check what has been done

The HSE also reference the EEMUA guide[6] as ‘the nearestthing to a standard currently available’.

UNDERTAKING AN ALARM RATIONALISATION

EXERCISE

AVOID THE COMMON PITFALLSThe initial reaction when faced with alarm problems canoften be to look for ways of using technology to suppressunwanted alarms. PCS vendors are eager to demonstratehow sophisticated their technology can be and committheir customers to using these techniques. There may bepossible scenarios where suppression of alarms is simple(e.g. main and standby equipment with auto changeover)but as a rule, the more complex the plant then the morecomplex the suppression scenarios, leading to very timeconsuming and complicated solutions. It is also all tooeasy to loose the focus due to the complexity, and this

Figure 2. Typical

3

could result in flawed logic for the scenarios and hence com-promise the alarm integrity.

An alarm flood reduction will almost certainly requirea rationalisation exercise to challenge each alarm and reducethe number of configured alarms. In essence, an alarmreview following the methodology outlined below in con-junction with software tools to aid the process willachieve the most significant benefits. Channelling effortsinto this type of activity should be the first priority.

SOFTWARE TOOLS WILL HELPThe quantity of data to be manipulated, sorted and rational-ised will often be considerable, and can amount to thousandsof alarms on a modest size process facility. It makeslittle sense to undertake an alarm review as a paperexercise, since dealing with large numbers of alarms willsimply overwhelm those involved in the process, and thefinal paper report will be hard to manage and update as itwill only represent a snapshot in time It can be temptingto use spreadsheets to manipulate the data, but they arenot the most appropriate solution since they do not havethe integrity or sorting power afforded by database basedapproaches.

In this context, it is sensible to invest in the aid of agood software application tool as the first step to managingand maintaining your alarm configuration, and the integrityof a ‘master’ alarm database. Experience shows that the besttools are database based with a good user interface to facili-tate the manipulation and sorting of the large quantities ofdata involved in an alarm review. They will save consider-able time and effort in the execution of the process. Figure 2shows an example of a typical alarm data form which could

alarm data form


be manually populated, but the advantage of a databasestructure, is that it can be pre populated from existing list-ings, or by bulk data exchange vehicles from the currentPCS configuration, such as simple spreadsheets.

Each alarm will then have an entry in the master data-base with the typical parameters shown in Figure 2. Theseparameters are the ‘keys’ for the sorting and grouping ofalarms to aid the all important prioritisation and rationalis-ation process that then follows. It is also very important tobe able to handle alarms that appear on more then oneannunciation device e.g. a Fire and gas alarm may haveprimary annunciation on the Fire and gas systems and sec-ondary annunciation on a PCS.

Some tools can be PCS system specific, but the bestchoice will be an open system tool with the capability ofimporting an alarm configuration from any PCS, via a suit-able data exchange or conversion.

An appropriate tool should then be capable of per-forming the following:

. Importing the PCS alarm configuration;

. Handling multiple annunciation;

. Sorting on various alarm parameters such as type, group,measurement;

. Selection by parameter or type;

. Cloning new alarms from existing alarm template;

. Cloning a selection from an existing template;

. Performing alarm prioritisation;

. Producing alarm metrics;

. Maintaining the master database configuration;

. Exporting alarm configuration to the PCS;

. Producing reports and statistics.

METHODOLOGYThe methodology for undertaking an alarm review detailedin this paper embraces both the EEMUA[6] and the UKHSE[4] guidance, but it has been enhanced to offer a verypractical and pragmatic step-by-step approach to achievinga high degree of success on established brown field facilitiesor proposed green field developments.

It will also describe how software based tools cansignificantly improve the process.

THE TEAMIt is essential to set up an optimal alarm review team toprovide productivity and quality of output. A small teamis recommended for alarm reviews:

– a process engineer, preferably with operational experi-ence, to interpret process design information and toensure that the design intent is not compromised;

– a control room operator, preferably from the facilityunder review, to provide information on operatorrequirements and likely plant dynamics and to ensurethat the alarms provided meet the needs of operationalpersonnel;

– an automation and control engineer, preferably withexperience of the relevant type of PCS, to advise on

4

aspects of implementation and to ensure that the pro-posed alarm changes are correctly described forimplementation personnel.

For large review studies, it may be desirable to assign a teamleader or facilitator to ensure that the correct balance isstruck between effort and results. Such a person must havea good understanding of the alarm review objectives andmethodology, and should preferably have previous experi-ence of alarm reviews.

PLANNINGIt is anticipated that there will be eight main review phases:

1. Management Plan.2. Preparation of documentation and data sourcing.3. A review of alarm system performance.4. Categorising and functional grouping of alarms.5. Prioritisation and rationalisation.6. Assessing results and findings.7. Other considerations e.g. alarm suppression.8. Implementation of the changes.

A planning schedule should be set up for each phase.

MANAGEMENT PLANThere has to be management buy in before an alarm reviewcan proceed, as significant time and resource have to becommitted. Remember that alarms that are missed or notacted on by the operator can lead to trips so it helps todevelop a rationale for the alarm review which defines theproblem with an analysis of the following:

– Details of the number and frequency of trips– Estimates of the cost of loss production– Details of unsafe consequences (e.g. near misses, inju-

ries)– Details of any environmental impact (e.g. increased

flaring)

Provide estimates of the cost and duration of the review andpredicted payback from improved performance and presentthis to management. Once they understand the economicsthen approval should be forthcoming.

PREPARATION OF DOCUMENTS AND DATA

SOURCINGThe following documents must be available at the start ofthe review:

– alarm schedule in suitable electronic format;– P&I diagrams;– shutdown Cause and Effect drawings;– details of fire & gas system;– details of any controlled sequences;– configuration details for any complex points, such as

digital composites;– a list of standing alarms during typical steady operation;– alarm journal print-outs following typical upsets.


The following documents would also be useful:

– a definition of the PCS network configuration;– a definition of any application programs handling data

within the PCS.

To minimise delays, all preparatory work should be doneprior to the team convening so that no valuable time islost during the review process.

A REVIEW OF ALARM SYSTEM PERFORMANCEUsing alarm journal printouts or output from other dedicatedlogging facilities, review the existing alarm system perform-ance in order to identify alarm frequency, nuisance alarmsources and standing alarms. Whatever type logging facilityis used it must be fast enough to provide true sequence ofevents recording (SER). Logging facilities on PCSsystems can fail to have sufficient speed and buffer capacityto capture the real time snapshot of events resulting in SERoverload and indeterminate time stamping.

Each nuisance alarm should be subjected to a detailedreview to determine if it caused by a fault or inadequacy in ameasurement instrument or the actual alarm configuration.If it is the latter then the alarm trigger point and dead-band should be checked to see whether adjustment ofthese parameters would eliminate the problem.

If possible, obtain logs of alarm performance under avariety of process upset conditions as this will provide anindication of the number of alarms generated and the

Figure 3. Alarm categor

5

frequency at which they are generated. Compare thesefigures with Appendix 11 of the EEMUA guidelines[6]

which sets out guidance on performance metrics.The majority of standing alarms materialise from

spared equipment which is not running spared or thatoperate intermittently. List any associated alarms that willbe active when the equipment is shut down, or put onstand-by, as a source of generating standing alarms whenthe plant is operating normally. These will be prioritisedas outlined in the next section.

CATEGORISING AND FUNCTIONAL GROUPING

OF ALARMSThe alarm schedule must be broken down into selected orbatches or categories to match the major functional groupsof alarms that can be considered as single entities duringthe review e.g. all alarms of a specific type within acertain area such as fire or gas. This will significantlyreduce the time involved in the next phase which will beactual prioritisation and rationalisation process.

This categorisation exercise is where the use of soft-ware tools can provide a powerful aid to the facilitationand preparation of a comprehensive the alarm schedule.Providing the selected tool has a comprehensive dataselection structure, similar to that shown in Figure 3, it isa simple matter to sort alarms on a wide range a of predefined parameters such as tags, alarm groups, alarm types

isation and selection form


(e.g. High, high high, low, low low, open, closed, not open,not closed), measurement types, annunciation device, alarmpriority, plant unit, equipment code etc. The user can alsodefine specific parameters on which a selection is made.

Each grouping is prioritised as a single entity asdetailed in the next section.

It is likely that many of the alarms to be consideredduring an alarm review process will not be covered, bythe functional groups as discussed above. However, thesewill be readily revealed from a database and they willhave to be reviewed individually.

DETERMINE PRIMARY ANNUNCIATIONIt is also important to determine the primary point of annun-ciation for each alarm e.g. the PCS, Fire and Gas panel, indi-vidual graphic tile etc., as many alarms are often repeatedand this is a common source of alarm overload. Alarms mayalso have different priorities at each annunciation location.

For example, a fire alarm may be given a high priority onthe fire and gas annunciation but is only required to changegraphical status colours and be event recorded within the PCS.

THE PRIORITISATION AND RATIONALISATION

PROCESSBefore attempting to prioritise an alarm it is necessary tounderstand the purpose of the alarm and the message thatit conveys to the operator, as this determines the requiredoperator action.

The required action must be clearly defined and theconsequences of no action determined and described. Noaction may be as a result of a failure of the alarm itself orfrom the operator failing to respond but the consequenceswill be the same.

Determining the no action consequences is funda-mental to establishing the criticality of the alarm. Thealarm purpose, the required operator action and the conse-quences of no action are recorded and form part of theaudit trail for setting the priority as shown in Figure 4.

The EEMUA guidelines[6] Appendix 5 details twomethods for prioritising alarms as ‘Taking the Maximum

Figure 4. Record of alarm purpo

6

Consequence’ and ‘Summating Consequences’. Bothmethods are available in the Asset Integrity ManagementSILAlarmTM software package and are explained below.

TAKING THE MAXIMUM CONSEQUENCEIEC 61508 SIL determination is a risk-based assessment ofthe consequences that would arise from a SIF failing tooperate correctly, where risk is a combination of probabilityof occurrence and the degree of harm arising from the con-sequence. The maximum consequence method uses asimilar approach for setting alarm priorities but it isfocused entirely on consequences, since the regularity ofthe alarm occurrence has no bearing on its priority i.e. an“Emergency” alarm will indicate an emergency conditionwhether it occurs once a year or once in ten years. The pri-ority of the alarm should be set purely on the severity of theconsequences of an unwanted event occurring.

Therefore, if operators are presented with highest pri-ority alarms, they will also be addressing those with theworst potential consequences.

The EEMUA Guideline[6] ‘Taking the maximum con-sequence’ method has also been enhanced by the author inthe SILAlarmTM tool to strengthen its practical application,and provide a consistent and transparent interchangebetween alarms and automatic SIF protection criticality.

It will highlight those instances where an alarm doesnot provide sufficient risk reduction, and automatic protec-tion is required.

The prioritisation process assesses the consequencesresulting from of an alarm failing, for some technicalreason, or is missed by the operator. This assessment con-siders the following factors:

. the consequences of the resulting event in terms of per-sonnel safety, financial loss and environmental impact;

. in the case of personnel safety, the probability of person-nel being present in the danger zone at the time.

As an example, if a plant trip were to occur after an alarmwas missed, then this could result in financial consequencesfrom lost production. The priority is then based on the sever-ity of the consequences.

se and required operator action

Figure 5. Consequence graphs


Figure 5 shows an example set of consequence graphsbased on the EEMUA Personnel Safety, Financial Loss andEnvironmental Damage graphs. They have been slightlyadapted to help with practical application and the par-ameters for each graph are described below.

PERSONNEL SAFETY GRAPHThe selections that are made for operator response (R),safety consequences in terms of the degree of severity (S),journal requirements (J) and presence in the danger zone

Figure 6. Personnel safe

7

(T) factors that are selected to establish the safety priorityare described in the table of Figure 6. Examples of thesafety consequence factors S0 through to S4 are shown inthe table of Figure 6 and these represent the scale ofinjury or fatality that could result if an alarm fails or ismissed by an operator.

An assessment of R2 or R1, S4 resulting in a priorityP5 indicates that the alarm is equivalent to or greater than aSafety Integrity Level 1 and serious consideration should begiven to provide automated protection.

ty consequence graph

Figure 7. Financial consequence graph


FINANCIAL LOSS GRAPHThe Financial Loss Graph is shown in Figure 7 and operatorresponse capability parameters R0, R1 and R2 andjournal requirements J0/J1 are exactly the same as in thePersonnel Safety graph. Examples of the financialloss consequence factors F0 through to F4 are shown inthe table of Figure 7 and these represent the total financialloss that could result if an alarm fails or is missed by anoperator.

Financial losses are the combination of consequenceson production loss, equipment damage and repairs thatcould result if an alarm fails or is missed by an operator.They can be described in qualitative degrees of severity orcalibrated in quantitative cash terms.

ENVIRONMENTAL GRAPHThe Environmental Graph is shown in Figure 8 and operatorresponse capability parameters R0, R1 and R2 and journalrequirements J0/J1are exactly the same as in the PersonnelSafety graph. Environmental consequences parameters E0through to E4 are the degree of damage that could becaused to the environment if an alarm fails or is missed byan operator. They can also be described in qualitativedegrees of severity or calibrated in limits set by local environ-mental regulations. Examples of environmental consequence

Figure 8. Environmen

8

factors for making the environmental impact priorityassessment are shown in the table of Figure 8. It is alsoworth remembering that damaging the environment canhave a considerable impact upon company reputation, asmany large organisations have discovered after causing anenvironmental incident. Public reaction can impact on aloss in product sales for a considerable time after an eventand this should also be factored into the financial losses.

THE FINAL PRIORITYThe final alarm priority selected is the highest priority fromthe Safety, Financial and Environmental:

Where priority

P ¼ max (PS, PF, PE) (1)

Decisions need to be made on how the actual alarmannunciation in terms of the audio and visual alert thatwill be activated to alert the operator. Too many variationsof both only lead to confusion and, although it is not theintention of this paper to go into the human factors issues,it is important to have a clear set of requirements foralarm presentation.

The alarm priority types and their respective configur-ation attributes are described in Table 1. They indicate a

tal consequence graph

Table 1. Alarm priority and attributes

Alarm priority Alarm annunciation and display attributes

P0 No alarm is required.

P1 No alarm annunciation, but the change of state is recorded in alarm and event journals.

P2 A “Low Priority” alarm with an audible tone is generated and the change of state is recorded in alarm and event

journals. The alarm is displayed on the Alarm Summary displays if it is within a PCS.

P3 A “Medium Priority” alarm with an audible tone is generated (a different tone to P2 “Low Priority” alarms) and

the change of state is recorded in alarm and event journals. The alarm is displayed on the Alarm Summary

displays, if it is within a PCS, and the Alarm Annunciation display if configured.

P4 A “High Priority” alarm with an audible tone is generated (a different tone to P2 and P3 priority alarms) and the

change of state is recorded in alarm and event journals. The alarm is displayed on the Alarm Summary displays,

if it is within a PCS, and the Alarm Annunciation display if configured.

P5 A “Critical” alarm with an audible tone is generated (a different tone to that used for P2, P3 and P4 alarms) and the

change of state is recorded in alarm and event journals. Alarms of P5 priority should not be configured

within a PCS environment as the equivalent SIL 1 or greater. The alarm facility used should have the

appropriate PFD. Full consideration should be made to provide automatic protection.

Table 2. Weighted total consequence and priority

Weighted total consequence, C2 Priority

C2 ,900 Low

900 , C2 , 6,000 Medium

6,000 , C2 , 150,000 High

C2 . 150,000 Critical


range of alarm requirements from no alarm required ‘P0’,through to the most stringent priority ‘P5’.

The alarm priority annunciation and display attributesthat are provided are offered only as guidance for implemen-tation, and individual interpretation is possible providing thedesign ensures that there is appropriate segregation andpresentation at the human machine interface.

SUMMATING CONSEQUENCESThis EEMUA[6] method is a more complex approach thatrequires far more detailed consideration. The consequencesof an alarm failure, with respect to safety (CS), environ-mental (CE) and financial (CF) consequences, all have tobe converted into common units. In order to achieve thiscommon unit of conversion the safety and environmentalconsequences have to be expressed mathematically interms of risk.

An example of the conversion factors could be asfollows:

CS ¼ 10E6�(safety consequences in

terms of risk of injury)(2)

CE ¼ 10E6�(environmental consequence in

terms of risk of injury)(3)

CF ¼ 1�(financial consequences

in pounds)(4)

These are then summed:

C1 ¼ CSþ CEþ CF (5)

An assessment is then made as to whether the alarm is‘time critical’ based on whether there the required operatorresponse time and this is used to increase the weighting ontime critical alarms e.g. if the required operator responsewas within 3 minutes:

9

IF (alarm is time critical) THEN

C2 :¼ 3�C1 (weighting on response time applied) (6)

ELSE

C2 :¼ C1 (7)

The final priority distribution determines the priorityand examples of the weighted total consequence areshown in Table 2.

The Summating the Consequences method is far moretime consuming than the consequence graph method andthis could preclude it from very large alarm reviews.However, the methodology can be implemented as a soft-ware application with facilities for user specific calibrationand this significantly reduces the time involved. Figure 9shows how the required conversions and algorithms canbe implemented in software to simplify the prioritisationprocess.

Most process control system (PCS) vendor packageshave no tools or structured approach to setting alarm priori-ties, and they tend to be far more focussed on dealing withsuppression techniques and standing alarms than gettingdown to the root causes. Discussion on these points follows.

DEALING WITH STANDING ALARMSFrom the P&IDs, identify items of equipment that are startedand/or stopped automatically. Review whether the tags that


perform these automatic functions will generate nuisancealarms. If this is the case, identify a way of avoiding thisso that normal operation does not generate any alarms, butdeviation from expected operation is detected and alarmed.

Review each alarm to establish whether it can bereduced to “Journal” priority. If this is not possible, then setthe priority in accordance with the consequence of failuremethod. If any alarms remain with “Emergency” or “High”priority, review whether it is acceptable for these alarmseither to be left as standing alarms or inhibited by the operatorunder procedural control. If neither is acceptable, then ident-ify another PCS tag or combination of tags that indicates thatthe piece of equipment is out of commission and use this as acriterion for masking the alarm. Confirm that this will notmask the alarm under any other undesirable circumstances.Document the proposed changes and any associated logic.

ASSESSING THE RESULTS AND IMPLEMENTING

THE FINDINGSIt is important to review the results and finding of an alarmreview to check that the right balance has been madebetween alarm numbers and the respective distribution ofpriorities. Sort the alarms into their priority groups andcompare the results with the distribution in existence priorto the review. Figure 10 shows a distribution of alarm priori-ties generated from the results of a typical alarm reviewusing a database application software tool.

If the alarm priority distribution indicates an imbal-ance of higher priority alarms this can be normalised byselecting groups of alarms and applying a revised priorityassessment to a whole group.

The EEMUA[6] guidance for new alarm systemdesign advises a target distribution as shown in Table 3.

Figure 10. Alarm p

10

All alarms with a P0 priority can be removed from thealarm configuration. All ‘P1’ alarms can have their operatorannunciation capability removed but they retain their statuschange as a record in the alarm journal.

Experience shows that the majority of alarms config-ured into a typical PCS will fall into the ‘P0’ (no alarmrequired) and ‘P1’ (journal only) following a prioritisationreview. Thus the major part of the simplification and ration-alisation of the alarm configuration is going to be achievedby attending to these two alarm types.

Alarms with priorities ‘P2–P4’ should beimplemented with the configuration attributes as describedin Table 3. Alarms with the ‘Critical’ priority ‘P5’ requirecareful treatment since they indicate a SIL requirement ofSIL1 or greater. The provision of automatic protectionshould be considered to replace the dependence on thealarm and successful operator action for each P5 alarm. Ifautomatic protection is not possible, then the alarm mustbe engineered to achieve the appropriate probability offailure on demand (PFD) in line with IEC 61508 require-ments. The EEMUA[6] accepted PFDavg for an alarm withoperator intervention is ,0.01 which is only equivalent toSIL 1.

OTHER CONSIDERATIONSSuppression techniques tend to be the main focus of PCSvendors since they invariably have all kinds of smart soft-ware techniques to implement suppression, and they arekeen to sell this capability to their clients. This paper doesnot intend to cover the options of static and dynamicalarm suppression in detail because it is a complex subjectarea that requires careful implementation and, in theauthor’s opinion, should only be considered as a last

riority distribution

Table 3. Priority distribution for system configur-

ation – EMMUA

Priority band

Alarms configured

during design

Critical About 20 altogether

High 5% of total

Medium 15% of total

Low 80% of total


resort. It is anticipated that the requirement to consider theseoptions will be minimised, if not eliminated, by a thoroughalarm review.

STATIC ALARM SUPPRESSIONIf operators still find difficulty with the quantity of standingalarms present, following the alarm rationalisation, thenconsideration can be given to the implementation of staticalarm suppression. This will minimise the number of stand-ing alarms that are generated when a process unit or largepiece of equipment is shut down. In order to suppress theselected alarms, a defined set of process permissives haveto be satisfied in conjunction with a with an ‘enable’ staticsuppression status condition.

DYNAMIC ALARM SUPPRESSIONIf the number of alarms generated following a trip is stillunacceptable, following the alarm rationalisation, thendynamic suppression can be considered so that the first upalarm in a pre defined group audibly alerts the operator, reg-isters in the alarm list and is printed. All other subsequentalarms in the group do not activate any audible alert; theydo not register in the alarm list and are not printed.Dynamic suppression on an alarm group should automati-cally de-activate after a defined period of time followingthe first up alarm, so that any new alarm that then followsalerts the operator and re-starts the suppression period.

CONCLUSIONSThere is no doubt that alarm management requires consider-able effort, commitment and tenacity. However, by focuss-ing effort on an alarm review and rationalisation process,

11

then experience shows that this will return a significant,and perhaps even a dramatic, improvement in alarm per-formance to achieve better than 90% of the availablebenefits. There will possibly be some alarms that needfurther analysis but having filtered them out by the reviewprocess they should only represent the remaining 10% ofeffort.

Avoid using suppression techniques for unwantedalarms until a full alarm review and rationalisation studyhas been completed, since it may not be necessary oncethe system configuration has been improved.

The review and rationalisation methodology has beenapplied on facilities with .15,000 configured alarms whereindividual operators were required to accept alarms every 15seconds under steady production conditions. Typically, over50% of the configured alarms have been removed, and byalso attending to the nuisance alarms the alarm rates havebeen reduced to 15–20 minute intervals. Perhaps mostimportantly the spurious shutdowns resulting from missedalarms have seen improvements from weekly plant trips tono trips for over six months. This results in a very, very sig-nificant payback.

Making full use of software tools will substantiallyreduce the effort involved in an alarm review by typically.50%, whilst the electronic version of an alarm databasewill provide data integrity along with ease of maintenanceand change control over the full life cycle.

REFERENCES1. BS IEC 61508 – Functional Safety of Electrical/Elec-

tronic/Programmable Electronic Safety-Related Systems

(1998-2000).

2. BS IEC 61511 – Functional Safety: Safety Instrumented

Systems for the Process Industry Sector (2003).

3. ‘A Methodology for Alarm Classification and Prioritisa-

tion’ – C Timms – IEE People in Control Conference

1999.

4. ‘Better alarm handling’ – UK HSE information sheet –

Chemicals Sheet No. 6

5. ‘Better alarm handling – a practical application of human

factors’ – John Wilkinson and Dr Debbie Lucas - Measure-

ment and Control Volume 35.

6. ‘Alarm systems – A guide to design management and

procurement’ – EEMUA publication No. 191.

hazards equal trips or alarms or both/media/documents/subject groups/safety_lo… · hazards equal...

Documents