The Connection of Peak Alarm Rates to Plant

Incidents and What You Can Do to MinimizeDustin Beebe Steve Ferrer and Darwin LogerotProSys Inc PO Box 77182 Baton Rouge LA 70879 steveferrerprosyscom (for correspondence)

Published online 27 November 2012 in Wiley Online Library (wileyonlinelibrarycom) DOI 101002prs11539

Even after several years of trying many plants still strugglewith controlling alarm floods Static rationalization canreduce your average number of alarms but without control-ling the alarm floods there is no help for the operator whenhe needs it the most This session will cover the justificationfor alarm management from the safety and environmentalas well as economic perspective 2012 American Institute of

Chemical Engineers Process Saf Prog 32 72ndash77 2013

Keywords alarm management flood peak alarm ration-alization ISA 182 alarm metrics CSB EEMUA

INTRODUCTIONMost of the incident investigations performed by the

Chemical Safety Board (CSB) cite alarm floods as being a sig-nificant contributing cause to industrial incidents [1] The Brit-ish-based organizationmdashEngineering Equipment amp MaterialsUsersrsquo Association (EEMUA) came to the same finding in itsreport from 1999 when it analyzed major incidents aroundthe world including Three Mile Island Bhopal and TexacoMilford Haven [2] Therefore the connection of alarm floodsto incidents has been well documented for over 12 yearswith very little progress made in industry Many corporationsand plant locations are unsure of what to do next to controlalarm floods This article is offered to show examples ofsuccessful alarm management programs and how they suc-cessfully control alarm floods under all operating conditions

What is an Alarm FloodAn alarm flood has been defined by ISA 182 as being 10 or

more annunciated alarms in any 10-min period per operator [3]

What is Impacted by Alarm FloodsAlarm floods can and do impact the following items

bull Product qualitybull Operability or profitability of the processbull Loss of equipmentbull Operator mistakes and confusionbull Missed alarms due to operator distractionsbull Operator feeling acknowledging alarms themselves are an

appropriate response to the alarmbull Loss of containmentmdashenvironmental releasesbull Injury and loss of life in plant or community

Why do Alarm Floods OccurOver the last 30 years the number and frequency of

alarms have changed with technology In the old days ofpneumatic controls installing a new process alarm had sig-nificant costs Since the use of computer-based control sys-tems new alarms cost nothing As a result the number andfrequency of alarms has skyrocketed over the years Thisphenomenon has gotten to the point that a term was neededto define the experience when numerous alarms are annun-ciating in a streamndashan alarm flood

Alarm floods typically occur upon a change of state in theprocess This could be from run to shutdown or a changefrom state A to state B This is because alarm settings are his-torically configured for steady-state run conditions and varia-bles change upon a change of state in the process This phe-nomenon can affect hundreds or even thousands of alarmsTherefore when the process state changes many manyalarms can sound in a short period of time The first alarm ortwo are usually the most criticalndashalerting the operator to thechange After this many unnecessary and redundant alarmsresulting from the same root cause are annunciated anddisplayed to the operator If another situation develops thesealarms would be added to the existing flood of alarmswithout any demarcation between the two root causes forthe operator

What Makes Alarm Floods so DangerousProcess state changes are critical periods where operators

need their alarm system to be fully functional Unfortunatelythese periods are exactly where alarm floods occur

The fact that alarm floods can occur in a process controlroom is problematic for three reasons

bull A deluge of alarms can cause the operator to miss criticalalarms

bull Floods of alarms can be a significant distraction while theoperator is trying to deal with upsets in the plant Attimes the operator is forced to acknowledge alarms with-out review to silence alarms in order to think

bull Floods can be an indication of larger systemic safetyissues

What is the Problem in IndustryMost alarm management practices and procedures includ-

ing the lsquolsquo7 Stepsrsquorsquo only show results in the area of averagealarm rates Certainly reducing average alarm counts is posi-tive however reducing floods (peak rates) is vastly more im-portant for everyonendashoperators managers and communityThe reason this is true is that peak rates are responsible foroperators missing critical alarms and average rates are not

The article was originally presented at the 8th Global Congress on ProcessSafety Houston TX April 1ndash4 2012

2012 American Institute of Chemical Engineers

72 March 2013 Process Safety Progress (Vol32 No1)

Disastrous incidents affecting lives property and the envi-ronment can begin when an operator misses a single alarm

Some managers have allowed high peak rates to be fil-tered out of reports because of upsets in the processAlthough this makes the results look better filtering theseresults can hinder actually resolving the problem becausethose results are removed from the discussion Many manag-ers take these steps because they do not believe they canachieve better results This belief is false because the meansfor producing results that meet ISA 182 metrics under alloperating results does exist today and has for many years

Thought Equation for ManagersThe EEMUA Publication 191 provided several high profile

examples where poor alarm system performance (floods)contributed to financial loss injuries or death and environ-mental damage In fact survey results provided by plantsinvolved in catastrophic events indicated that lsquolsquoloss incidentsfrequently involved the operator being overloaded withalarm floodsrsquorsquo The following equation has been proposed toemphasize proper thinking and priority of alarm manage-ment projects for corporate managers and managers of indus-trial health safety and environmental departments

Floods frac14 incidents frac14 loss

Conversely control of alarm floods will result in fewerincidents less loss and as a resultmdashlower risk Industrialplants have reported lower insurance rates as a result oflower risk attributed to superior alarm management practice

The Cost of Poor Alarm ManagementThe cost of poor flood control and alarm management is

huge and affects all areas loss of containmentmdashenvironmen-tal equipment damage off spec products loss of productionand event injury or loss of life

The ASM Consortium has estimated that the total loss dueto operator error is $10B per year in the United States aloneThey also report that 70 of process incidents occur duringstart-up or shutdown Therefore when the process is chang-ing from one state to another and alarm floods have thegreatest propensity to occur it makes sense that lots of errorswould occur during alarm floods

The EEMUA when speaking about the impact of alarmfloods on catastrophic incidents said lsquolsquo they were a majorcontributor and the loss incidents frequently involved theoperator being overloaded with alarm floodsrsquorsquo [2]

The ARC Advisory Grouprsquos process automation challengesindicate operational error is the leading cause category whenexamining the average dollar loss per major incident (seeFigure 1) [4]

OBJECTIVES OF ALARM MANAGEMENTA common misconception in industry is that the objective

of alarm management is to reduce the number of alarmsannunciated to the operator While the reduction in alarmrates will almost always be a result of a well-designed andimplemented alarm management project it is not the primaryobjective The objective of alarm management is to improvethe quality of alarmsAdditionally the goal is to provideoperators with a consistent and reliable alarm interface thatsupports their efforts to safely reliably and efficiently oper-ate the process

Another way of stating these objectives is to provide theoperator with alarms that are necessary and meaningful butnot those that are unnecessary confusing or redundant

What is a Quality AlarmIn short a quality alarm is an annunciated process condi-

tion or event to which the operator can and should take cor-rective action in order to return the process to stable andsafe operation

Quality Alarm AttributesEvery alarm should

bull Be clear and relevant to the operatorbull Indicate an abnormal process condition or eventbull Have consequences of inactionbull Have a defined responsebull Be unique

Normal and AbnormalNormalmdashThat which is both planned and expected

bull Startupshutdownbull Mode switchingbull Equipment swappingbull Other planned operating procedures

AbnormalmdashThat which is unplanned or unexpected

bull Emergency shutdownsbull Equipment failuresbull Other unplanned process transitions

Affect of Operations on Quality AlarmsA quality alarm that is relevant during plant operation at

maximum rates may not be a quality alarm during other con-ditions Plant operations are not staticndashalarm configurationshould not be either

ALARM MANAGEMENT EXECUTION

The Good the Bad the UglyThe way alarms are treated by shift supervisors and plant

managers has a strong bearing on how they are treated bythe panel operators There is an old safety adage that sayslsquolsquothe standard you get is the standard you are willing to walkpastrsquorsquo [5]

Many companies have started collecting and reportingalarm event data as a means of understanding how they ratein comparison to other units other locations or to the ISAANSI 182 metrics Most plants are trying to develop anunderstanding of their results as it relates to the standard

Unfortunately many plants are inconsistent in the collec-tion of data and production of reports because of the man-

Figure 1 Average dollar loss per major incident by cause[Color figure can be viewed in the online issue which isavailable at wileyonlinelibrarycom]

Process Safety Progress (Vol32 No1) Published on behalf of the AIChE DOI 101002prs March 2013 73

hours of effort required for the reports Also the priority ofalarm reporting projects are typically low and the engineerassigned to the task is often pulled to take on a more impor-tant project Many times the project dies when the engineernever goes back to the project

Recent advancements in alarm reporting software toolsnow allow the data collection and reporting process to becompletely automated for an enterprise of multiple plantlocations units or consoles

Some corporations have not developed a corporate alarmphilosophy document Many have not updated alarm rate tar-gets to the most recent ISA 182 Standard As a result plantmanagers do not have the means to justify expenditures toachieve better performing alarm rates including the controlof alarm floods because the targets do not require improve-ment from the poor results currently attained

Once the actual alarm performance versus a standard isknown remediation can be justified In addition to fundingthese engineering projects are also appropriately prioritizedwith the commitment necessary to get the project doneUnfortunately without proper funding for these projects pri-ority and commitment will not follow

Alarm Rationalization MethodologiesAlarm rationalization is a process by which alarms are

reviewed Rationalization is one element of an overall alarmmanagement project or program It is the most important ele-ment of alarm management and the approach used inrationalization will be a prime determinant in the success orfailure of the overall effort A number of practices haveemerged with the intent to reduce alarm rates Most onlyaffect average alarm rates In fact the ASM Consortiumreported that lsquolsquopeak alarm rate is not closely correlated withthe degree of rationalizationrsquorsquo [6] Only one process dynamicalarm management has proven to control peak alarm rates(alarm floods)

Bad Actor ManagementThis process is typically performed on a handful of alarms

with the highest annunciation rates Focus is to reduce alarmrates not to evaluate or enable legitimate alarms The risk isthat some legitimate alarms may be disabled without consid-eration for the overall process Bad actor management canreduce average rates but does nothing to reduce alarmfloods

Static RationalizationStatic rationalization is a systematic review of all alarms in

a plant The goal of the rationalization is to insure that all

alarms configured qualify as a quality alarm meeting all thecriteria set forth in Section What is a Quality Alarm For eachquality alarm the team documents causes consequencesactions associated with the alarm and any other pertinentdata that is desired An important note is that a thoroughrationalization should include not just alarms currently config-ured but all potential alarms available for configuration Manytimes the addition of one well-designed alarm can eliminatethe need for many others Static alarm rationalization covers asingle state of the processmdashusually the run state Most proc-esses have several states therefore when nonrun states arecurrent multiple alarms can sound because system readingsdo not match the run state set points Static rationalization ofalarms typically results in a reduction in average alarm countswithout much difference in peak alarm rates (floods) This isthe type of rationalization that the ASM Consortium reportshowed did not reduce alarm floods Additionally the datawe have collected also supports this argument

Dynamic RationalizationDynamic (aka state-based or mode-based) rationalization

is alarm rationalization for more than one process state Staticrationalizations can become dynamic when the questionlsquolsquoWhenrsquorsquo is added to the discussion for each point As a resultthe increased cost for performing a dynamic rationalizationversus a static one is not as significant as one might thinkAdditionally using the answers generated from the lsquolsquowhenrsquorsquoquestions allows engineers to properly configure alarm man-agement software to enable and deactivate alarms appropri-ately for whatever the current state is for the process

Answering the lsquolsquowhenrsquorsquo question involves using operatingexperience and process knowledge to determine the detecta-ble operating states of each section of the plant The teamdetermines key operating data and a logic structure whichwill be utilized to identify the current state Once the statesand logic are determined it is a straightforward exercise todetermine when (during which operating states) each alarmis to be active and inactive

One caveat related to dynamic alarming is that sometimesthis method can actually cause floods to occur if state transi-tions are not designed well It is important that the softwareand methodologies for dynamic alarming provide for smoothtransitioning of both the selected state and alarm re-enabling

Comparison of Alarm Rationalization MethodologiesThe data in Table1 were acquired from four different sites

using various rationalization methodologies Shutdowns andupsets occurred for each of the units during the time period

Table 1 Comparison of Results by Rationalization Method

Point SummaryISA 182Metrics[2]

DynamicRationalization

StaticRationalization

Bad ActorManagement

Number of Areas 2 2 2Points 3641 3327 25523rd Qtr 2010 Avg Alarm

Rate per 10 min1 067 083 2

4th Qtr 2010 Avg AlarmRate per 10 min

1 067 1 43

3rd Qtr 2010 Peak AlarmRate per 10 min

10 65 211 67

4th Qtr 2010 Peak AlarmRate per 10 min

10 7 117 159

Blocks in yellow do not meet ISA 182 Metrics

74 March 2013 Published on behalf of the AIChE DOI 101002prs Process Safety Progress (Vol32 No1)

The actual results generated from bad actor managementshow very little improvement of either average or peak alarmrates In Table 1 below none of the readings were evenclose to the requirements for meeting the ISA 182 guidelinesStatic rationalization improves average alarm rates to wherethey can often meet ISA 182 Metrics but peak alarm rates(floods) show very little improvement at all before and afterstatic rationalization Dynamic rationalization is the only suc-cessful means for controlling both average and peak alarmrates to levels that meet or exceed ISA 182 Metrics Theresults shown in Table 1 indicate how significant dynamicrationalization can be for a process

RESULTS OF PROPER ALARM MANAGEMENTThe results that can be obtained using dynamic rationali-

zation can eliminate a significant number of redundantalarms thereby reducing distractions and load for the opera-tors Figure 2 is a comparison of data for the same time

period in the same process The only difference being thatthe green line was generated after the system was dynami-cally rationalized The red line was generated during theexact same event and timeline showing alarms that wouldhave occurred had dynamic alarming not been implemented

In the graph shown in Figure 2 the red line indicates thatwithout dynamic alarming a flood of about 150 alarmswould have occurred between 848 and 903 or over about 5min Within that same 5-minute period the green line showsthe actual alarm rate Note that at about 858 three alarmssoundedndashone of which was a critical alarm not related to theoriginal event which could have led to a significant incidentif it were missed by operators As a result of so few unneces-sary alarms annunciating the plant manager felt dynamicalarm management played a major role in helping to avert asignificant potentially catastrophic event from occurring

The graph in Figure 3 shows about one month of alarmrate data in 12-hour segments Near the end of the monththe unit tripped and was completely shutdown as a resultThis process state change would generally trigger hundredsand in some cases thousands of alarms in a very short pe-riod of time Eliminating the redundant or normal shutdownalarms accomplished many goals including improving theeffectiveness of the operator In this case the first 12-h pe-riod containing the trip experiences only 50 alarms This sig-nificant reduction in alarms during a shutdown improved theability to spot critical alarms by making them more obviousto the operator Also reduced distractions provide time forthe operator to think ahead of the process and avoid poten-tial problems before they develop

The graph in Figure 4 (shown below) is a close up of theshutdown period highlighted in Figure 3 Please note that theactual peak rates never approached the ISA 182 peak alarmlimit of 60 alarms per hour

Justification and Practical Steps to ControlAlarm Floods

The items listed below are current thoughts as well assome keys to the success of any alarm management project

Figure 2 Comparison of dynamic versus typical alarm man-agement [Color figure can be viewed in the online issuewhich is available at wileyonlinelibrarycom]

Figure 3 Example of flood control using dynamically managed alarm rates upon unit trip and shutdownndashdata in 12-hour seg-ments [Color figure can be viewed in the online issue which is available at wileyonlinelibrarycom]

Process Safety Progress (Vol32 No1) Published on behalf of the AIChE DOI 101002prs March 2013 75

However these items will not accomplish much if the man-agement has not made a commitment to project success

bull Process Safety Management (PSM) dictates that industrialfacilities handling highly hazardous chemicals be designedin accordance with accepted industry standards and withlsquolsquorecognized and generally accepted good engineeringpracticesrsquorsquo Alarm management is gaining widespread ac-ceptance ISA Standard 182 has been published and is inuse Will this now carry the weight of a regulatoryrequirement

bull If your project justification requires alarm performancedata versus ISA 182 metrics and you lack a means of pro-ducing the graphs then purchase an enterprise levelalarm reporting tool that can automatically gather andreport alarm data versus metrics Focus on alarm floods tojustify your project Remember the equationmdashFloods 5incidents 5 loss

bull Alarms system design is typically not considered as an in-tegral part of the unit design philosophy and as a resultmany more alarms are active in most plants than are nec-essary The following question should be asked for eachalarmmdashIs the alarm annunciation indicating a normal orabnormal event If the event is normal the alarm is prob-ably not needed These issues are generally resolved dur-ing a good rationalization process

bull Consider the current plant operating culture In someplants there may be a culture of lsquolsquooperating by alarmrsquorsquoThat is few operating adjustments are made unless analarm sounds Still others may have so many alarmssounding that most of them are ignored In a plant suchas either of these the operating culture may need to ex-perience a shift After a sound alarm management projectis executed and the system is installed and activated theplant will usually experience a significant drop in thenumber of annunciated alarms The alarms that areannunciated will usually indicate plant conditions that dorequire attention Ignoring alarms will no longer be a via-ble option If in your plant the operators are attentive tothe process usually make proper adjustments before

alarm conditions are reached and respond promptlywhen an alarm is received then little culture change willbe necessary

bull Use a qualified alarm rationalization facilitator with pro-cess experience This role is often best filled by a contrac-tor to minimize political considerations with operators

bull The rationalization team should be made up of opera-tions process engineering and controls engineering alongwith an experienced rationalization facilitator

bull Treat alarm rationalization like any other engineering pro-ject including the resources to get it done Quite often theinternal unofficial projects lose steam and commitmentand are usually abandoned before results are produced

bull If you do not have an Alarm Philosophy document makethis the first task of the project The Alarm Philosophydocument is central to how alarms are established priori-tized and configured Therefore this document is impor-tant to the alarm rationalization process to insure it is con-sistent with plant or corporate philosophy

bull Use advanced dynamic alarm management software thatincludes effective state transition management

Questions that Should be added to Request forProposal for Alarm Management Vendors

1 Is the alarm management facilitator an experienced processengineer or professional engineer Is the rationalizationwork backed up by a professional engineering company

2 The alarm management software must be able to gentlyhandle alarm changes from one operating state to anotherthrough the use of transition management This preventstransitions of operating state from triggering alarm floodsof their own Delay timers are not recommended for thispurpose because the alarm could be set to off when it isreally needed Transitioning and enabling the alarm assoon as it is needed in the process is the best solution

3 Dynamic rationalization should include 100 of alarmsRationalizing only lsquolsquoBad Actorsrsquorsquo or only alarms that have

Figure 4 Example of flood control using dynamically managed alarm rates upon unit trip and shutdownndashdata in hourlysegments

76 March 2013 Published on behalf of the AIChE DOI 101002prs Process Safety Progress (Vol32 No1)

sounded in the last 6 months leave the rationalizationincomplete and open to floods

4 Is the alarm shelving tool configurable with automatic re-enabling Does the alarm shelving have intelligent re-ena-bling

5 Seek three references from vendor customers having PSMprocesses where they are actively meeting ISA 182 met-rics under all operating conditions Verify references viadirect contact

CONCLUSIONAlthough progress has been reported in the reduction

of average alarm rates only very few locations have seenthe necessary improvement in peak alarm rates or floodsIncident investigations reported over the last 12 yearshave indicated lsquolsquoloss incidents frequently involved the op-erator being overloaded with alarm floodsrsquorsquo [2] Thereforeif this is true the equation floods 5 incidents 5 loss istrue As a result it is fair to state that control of alarmfloods will lead to fewer loss incidents and as a resultndashfewer health safety and environmental incidents and theirassociated losses will occur

Several cases were shown in this document that alarmfloods can be controlled successfully through all processstates Managers must emphasize controlling floods and pro-vide resources in order to achieve results that meet the ISA

182 metrics for peak rates When we are able to consistentlyachieve the metric for peak rates our risk of incident andloss is better controlled

LITERATURE CITED

1 US Chemical Safety BoardndashCSB Investigations availableat wwwCSBgovinvestigationsdefaultaspx accessedon February 2012

2 Alarm SystemsndashA Guide to Design Management andProcurement 2nd ed 2007 Appendix 16ndashThe Cost ofPoor Alarm Performance EEMUA Publication 191 ISBN0 85931 155 4 Imprint Reference 7-2007 London UK

3 ANSIISA 182ndash2009 Management of Alarm Systems forthe Process Industries International Society of Automa-tion 67 TW Alexander Drive Research Triangle ParkNorth Carolina 27709 USA

4 L OrsquoBrien Process Automation Industry ChallengesmdashARCAdvisory Group 3 Allied Drive Suite 212 Dedham MA02026 presented at Rockwell Automation Fair - PSUG2010

5 S Gill Critical Alarm Management Connecting theDots 8th Global Congress on Process Safety HoustonTX 2012

6 P Andow and B Zapata Reducing Alarm Flood Sever-ity Highlights from the ASM Consortium HoneywellUsers Group Phoenix AZ 2008

Process Safety Progress (Vol32 No1) Published on behalf of the AIChE DOI 101002prs March 2013 77