"Alarm rationalization provides many benefits, but it’s resource-heavy, requiring a multi-disciplined team of people. Alarm management is an ongoing process. You're never done because you have to go back and review. There's no set it and forget it," says Marc Eilbeck, process engineer at BHGE in Liverpool, U.K.
Want your operators to sharpen their focus on process safety? Get rid of distractions—principally nuisance alarms. Sounds simple, but identifying, rationalizing and disabling unhelpful alarms buried deep in many process applications can be tricky and potentially hazardous if not handled properly.For instance, Baker Hughes, a GE company (BHGE), and its specialty chemicals plant near Liverpool, U.K., have been manufacturing corrosion inhibitors, demulsifiers and flow aids since 1986. Its batch processes are overseen by a Siemens SIMATIC PCS 7 process automation system that was installed in 2010 and manages about 2,500 I/O points.
"We started our alarm management program in January 2017 with the number one goal of helping the operators run the plant more safely," said Marc Eilbeck, process engineer at the BHGE plant. "This is achieved by identifying true alarms, eliminating nuisance alarms, prioritizing alarms based on relative importance, and providing clearer alarm response instruction to the operator—all of which help to better comply with U.K. Health and Safety Executive (HSE) regulations."
Eilbeck and Todd Stauffer, PE, alarm management director at exida, presented "Alarm management is a journey, not a destination—the BHGE alarm management journey with PCS 7" on the opening day of Siemens Automation Summit 2018 in Marco Island, Fla.
Identify requirements
"The initial phase of the program included a gap analysis (against EEMUA 191 Guideline, 3rd edition, released in 2013) and bad actor knockdown leveraging the Siemens Storage Plus tool," explained Stauffer. "EEMUA has guidelines on using alarms for process safety which have been adopted and are monitored proactively by the HSE." The company also consulted the ISA-18.2 alarm management standard, as well as HSE, NAMUR, OSHA and other regulatory materials to establish the requirements for its own alarm management effort. For example, the HSE/COMAH (Control of Major Accident Hazards) toolkit questionnaire asks:
- Are safety-critical alarms clearly distinguished and separately displayed (and hardwired)?
- How are the alarms prioritized?
- Does the system work currently (discussed with the operators)? Are key performance measures for the system (e.g. alarm rates) recorded and tracked?
- Are there repeating (nuisance) alarms in normal or upset conditions?
- Is there an adequate alarm log/history? How is the information used?
Eilbeck and his colleagues also worked with exida and other BHGE facilities to better understand relevant legislation, and create a corporate alarm philosophy document (APD) of their own. "The philosophy document clarifies relevant standards, provides clearer guidance on the strategic approach to alarm management for all sites throughout the business, and defines requirements for the use of alarm response procedures and alarm shelving," added Stauffer.
Categorize by consequence
Eilbeck reports the alarm management team was initially faced with 10,000 configurable alarms at the Liverpool plant and handling more than 4.5 alarms every 10 minutes; an alarm flood is defined as 10 alarms in 10 minutes. "We wanted to get down to two alarms or less in 10 minutes as recommended by ISA and EEMUA," said Eilbeck. "We leveraged PCS 7’s alarm locking capability, incorporating it into a standard operating procedure (SOP). The alarm-locking tool allowed us to lock out alarms on out of service equipment, for example equipment requiring maintenance, and so reduce our alarm bad actors. This really helped with improving alarm management KPIs.”
Once the team completed the yearlong process of defining their alarm goals, establishing "before" metrics, benchmarking alarm system performance, creating their APD and developing SOPs for alarm locking, they began the continuous improvement process of alarm rationalization, advanced alarm design including suppression, implementation, and alarm system performance monitoring and assessment.
The rationalization at the Liverpool chemical plant started this past February with classifying and prioritizing alarms, and determining appropriate operator responses. "The alarm philosophy document details the criteria used to define what a true alarm is, and rationalization is going through all your alarms and making sure they meet these criteria," said Stauffer. "At its most basic, the ISA 18.2 and IEC 62682 standards define an alarm as 'an audible and/or visual means of indicating to the operator an equipment malfunction, process deviation or other abnormal condition requiring a (timely) response.' "
Stauffer added the main criteria for what is a valid alarm include:
- Does it indicate a malfunction, deviation, or abnormal condition?
- Does it require a timely operator action in order to avoid defined consequences?
- Does it provide the operator with adequate time to respond?
- Is it unique (or are there other alarms that indicate the same condition)?
- Is it the best indicator of the root cause of the abnormal situation?
"If it doesn't meet these criteria, then it's not an alarm," added Stauffer. “If it's useful information to the operator, we can make it an alert, prompt or message, and present it to the operator on a different display from alarms.”
The BHGE team also evaluated different alarm consequences to determine how alarms should be prioritized, and chose to use a standard process hazard analysis (PHA) risk matrix and consequence assessment method to rank how serious an alarm would be compared to predefined criteria. "Using the same consequence criteria as PHAs, and determining alarm priority based on potential consequences and time to respond, provides a consistent, objective approach for prioritizing alarms, so operators know which to respond to first," said Stauffer.
One of the most important alarm classifications is highly managed alarms (HMA). For BHGE, this includes any alarm that provides risk reduction. The HMA classification can be applied to safeguards in PHAs, independent protection layers (IPL) in layers of protection analyses (LOPA), or just safety-related alarms. "An HMA is an alarm that's been identified as providing a given measure of risk reduction as determined by LOPA and PHA studies," explained Stauffer. "HMAs have additional design, management of change (MOC) and maintenance requirements that aren't applicable to general alarms. They also require added training, testing, documentation, auditing and the provision of interim systems/procedures when taken out of service."
Ready, set, rationalize!
Stauffer added the actual alarm rationalization process begins with the "knock out" criteria for identifying and/or disabling bad alarms. These include:
- Check alarm validity;
- Determine consequence of inaction;
- Document cause, confirmation, and corrective actions; and
- Document operator response time.
Once these criteria have been met, an alarm is:
- Assigned an alarm priority;
- Assigned an alarm classification;
- Reviewed to determined if it has the appropriate alarm setpoint or threshold;
- Verified for remainder of alarm attributes; and
- Assessed to see if it needs special handling.
Tools, such as exida's SILAlarm software for alarm rationalization, guide users through this process, and documents the results in a master alarm database. The master alarm database was populated with all alarms and associated settings by exporting alarm configurations from PCS 7’s Process Object View interface, mapping/converting those files, and loading them into SILAlarm according to specified parameters.
Results of rationalization
Consequently, Eilbeck reported that the BHGE alarm team recently completed rationalization of 6,430 configured alarms in three weeks. The plant is also planning to upgrade to the latest version of PCS 7, Version 9, this coming November. This will allow them to make use of PCS 7’s Alarm Help feature, whereby alarm response information can be provided to the operator directly from the results of rationalization.
Before the rationalization, the Liverpool plant had 6,430 alarms with 5,106 enabled and 1,324 disabled. After rationalization, it has 6,468 alarms, with 4,145 enabled, 2,323 disabled. A total of 2,193 alarms were rationalized out (approximately one third). Some alarms were added stemming from a thorough review of P&IDs as part of the rationalization process. Alarms that did not meet the necessary criteria were either disabled or changed to an alert (673), prompt (3), message (10) or set to log (340).
Eilbeck added some lessons learned during alarm rationalization include:
- Maintain an action register;
- Keep note of the rules applied and why;
- Keep cause/consequence/corrective actions generic (without tag names), which make it easier to copy results from one unit to another;
- Rationalize one reactor from each class, and then copy results to other reactors in the same class; and
- Rationalization is a knowledge capture process. New staff can learn a lot from the senior operators by participating in this activity.
"After rationalization, the question may be asked 'Is that it?' The answer is "That's not it," said Eilbeck. "Alarm rationalization improves safety and provides many other benefits, but it's resource-heavy, requiring a multi-disciplined team of people. You're also never done because you have to come back and review to address new issues that pop up. There's no set it and forget it."
Likewise, following a rationalization project, its results can capture information for alarm response procedures, such as "alarm help" in PCS 7, and help create alarm response manuals for training and documentation.
"EEMUA191 states that, 'Alarm management will result in better alarm systems that are more usable and result in safer and more cost effective operations,' " added Eilbeck. "This means reduced demand on operators. The alarm management process can also identify process safety and maintenance issues, while bad-actor reviews can identify process improvements that may optimize and deliver economic and safety benefits. In addition, providing prioritization to operators can help them ‘see the woods for the trees’ in times of abnormal conditions, while operator response information can direct them down the right path to take the necessary corrective action."