“I’ve been to the promised land twice,” Nick Sands of DuPont, co-chair of the ISA18 Alarm Management Standard committee, proclaimed in his talk today at the Honeywell User Group Symposium going on this week in Phoenix. “Fifteen years ago, I worked at a plant where, with a much older generation DCS than we have now, we were able to get to the point where there were no alarms for days on end. I’ve been there again, and the new plant I’m working on will go there too.”
The promised land is the land of rational alarm management. Like most process engineers, Sands did not get there easily. “Once upon a time, there was a young engineer who happened on an exceedingly well-done alarm management situation. There was a process unit that used concentrated nitric acid. If there was a leak, trenches led the acid to a sump, where a pH analyzer was installed. At low pH, an alarm caused the operator to go look for the leak. A young engineer came along and put a pH control system in on the sump. The pipe leaked, but the alarm never went off because the young engineer had forgotten all about the alarm.”
“The alarm system is a key indicator of operational excellence.” DuPont’s Nick Sands discussed the importance of a comprehensive, life-cycle approach to alarm management.
He reminded his listeners about the progression from the old-fashioned panel wall and panel alarm annunciators to the current version of DCS. “Display space decreased while operator responsibility increased,” Sands said. This is costly, he noted, pointing out that the ASM Consortium estimates alarm issues cost industry $20 billion per year and are often cited as the proximate cause of many accidents.
The answer, Sands said, is to implement a life-cycle-based approach, as the ISA18 committee is recommending in its soon-to-be-released standard.
There are two starting points, Sands explained. The first is to develop an alarm management philosophy, including roles and responsibilities, definitions, guidance for rationalization, guidance for design, guidance for implementation and guidance for operation and maintenance. The philosophy should establish clear performance goals for monitoring and metrics with goals and action points, and it should describe a management-of-change process and audit requirements, including frequency and areas of focus.
The other important step is to begin to monitor alarms. “I wouldn’t start without data. Get some system installed,” Sands said, “so you can see what is going on.”
Once you’ve established your philosophy, you can begin to identify potential alarms through P&ID reviews, operating procedure reviews, incident investigations and quality reviews, Sands said. Alarms should be set at optional performance boundaries. Alarms in the normal operating range are nuisance alarms. Potential alarms are rationalized and documented. Classification and prioritization are included in rationalization. Sands defined classification as grouping alarms by management requirements (critical, Layers of Protection [LOPA], environmental, ISO quality, etc.), while prioritization is for the operator, with alarms grouped by urgency of response, consequence, time to respond and the kind of response required.
The ISA18 draft alarm management life cycle includes practices for new facilities and existing plants, builds on the work of ASM and EEMUA and includes practices to solve the common alarm problems.
“Your prioritization should be such that most of your alarms are low priority. Not all of your alarms should be priority A1,” Sands said. He described a “detailed design process” that should not be skipped. “Too often I hear people saying that they’ll get the upgrade done and then see what is going on. It is better to do the alarm management design up front and at the same time as the process control system is being designed.”
Then you move into operation mode, and you find out how well the designed alarms work. There are two very important modes here: suppression, which is any method to hide an alarm from the operator; and shelving, which temporarily prevents indication according to specific rules. The other mode is “out-of-service,” which removes the alarm from the operator and sends it to maintenance mode. “You need to know what ‘bad’ is,” Sands said, “and when you see it, get up out of your chair and go fix it.”
No alarm management life cycle is complete without an effective management of change (MoC) procedure and an audit component. Alarm management, Sands reiterated, is a process, not a project. “If you only fix one alarm a week,” he said, “you can gain a significant reduction in alarms after a time.”
“The alarm system is a key indicator of operational excellence,” Sands said. “It improves safety, reliability and efficiency. Don’t wait for incidents. Use the life-cycle approach.”