When process-manufacturing facilities started changing their control rooms from analog panels to modern DCS displays, plants justified the new control systems by reducing the number of operators by about 75%. “We knew they added a lot of capability and flexibility,” said Nicholas Sands, senior manufacturing technology fellow, global alarm management leader, and process control engineer, DuPont Safety and Construction. He is also co-chair of the ISA 18 standard committee and a 2019 inductee into the Control Process Automation Hall of Fame.
“We threw together the new HMI [human-machine interface] to look like the old panel control rooms,” Sands explained in a presentation at this week’s Honeywell Users Group Americas 2019 in Dallas. “But we gave the operator more tags and data points and alarms. It used to be $5,000 to add an alarm on the panel board. Then, with the new system, they didn’t cost anything.”
Managers, engineers and operators went alarm-crazy. “If we weren’t using all the alarms, we weren’t getting our money’s worth out of the DCS,” Sands reminisced. And soon, HMIs became overrun with so many alarms that operators couldn’t even see the ones that required immediate corrective action. Eventually, a procedure and a lifecycle map were needed to streamline the alarms and develop a continuous-improvement process for review.
“The reason for alarm management is to improve safety and business performance,” explained Sands. “When I started with DuPont, we’d have a high alarm and a low alarm when a pump turned on or off.” The alarm would go on when the tank hit the high level, and another would activate when it hit the low level, which just added to the onslaught of unnecessary alarms. “Get rid of the alarms you don’t need, so you can see the ones you do,” said Sands. This ultimately became part of the audit function, one of the 10 steps in the alarm-management lifecycle that is part of ISA 18.2.
According to ISA 18.2, an alarm is “an audible and/or visible means of indicating to the operator an equipment malfunction, process deviation or abnormal condition requiring a timely response.”
The alarm must indicate a problem, not a normal process condition, explained Sands. “There must be a defined operator response to correct the condition, and the action must be for the short term,” he said, “in minutes, not days.”
As co-chair of the ISA 18 committee, Sands led the group that developed the alarm management lifecycle standard for new facilities and existing plants. It builds on the works of the Abnormal Situation Management Consortium and the Engineering Equipment and Materials Users Association. The alarm-management lifecycle is a continuous-improvement process, designed to be a best practice for control system maintenance.
It comprises 10 steps, three of which can be points of entry. The philosophy step is a good place to start for new facilities or systems. However, brownfield systems can begin with the monitoring-and-assessment step or the audit step.
Alarm-management philosophy is the guide for all alarm-management activities at a site. “A written philosophy is necessary to maintain an alarm system over time,” explained Sands. “Philosophy doesn’t have to be your first step, but it’s usually a good place to start.” Philosophy identifies what you want to achieve. It includes definitions, performance goals, roles, responsibilities and methods for rationalization activities. Sands recommended eight to 10 pages for the philosophy document.
Identification is the step where you insert your method for finding out if and where you want an alarm, determining whether it’s a quality, safety, environmental or regulatory reason.
Rationalization is when you decide if it really is going to be an alarm. “In our results, about 50% of the alarms went away,” said Sands. “And 80% of our priorities changed.” Rationalization includes classification, prioritization and documentation. Sands’ words of advice: Be careful not to jump ahead and do the detailed design during the rationalization.
Detailed design has three parts: basic alarm design, which includes alarm types, dead bands and delays; HMI design, which includes indications and summaries; and advanced alarm design, which includes designed suppression.
Implementation is the process of putting the alarm or alarm system into operation. “Training and testing are key activities,” said Sands. “Safety systems are mostly testing and some training. Alarm priorities are flipped—mostly training and some testing.”
Operation is when the alarm is in service and performing its function. “Shelving and removal from service are key processes to define for operations,” explained Sands. “You can use shelving to track out-of-service and in-service. Shelving is for the operator and by the operator.”
Maintenance is when the alarm is out of service for repair, replacement or testing. “Testing and return to service are key activities in maintenance,” he said. “You can track how long it takes, and you can return it to service after the repair.”
Monitoring and assessment are the tracking of the alarm system performance vs. objectives in the philosophy. “An unmonitored alarm system is almost always broken,” said Sands. “Monitoring is a key requirement of ISA 18.2. That requirement has changed what every control system supplier offers. The data tells you what needs to be fixed.”
Management of change administers the authorization for modifications to the alarm system. “Each change is reviewed and approved prior to implementation. Changes should follow the steps of the lifecycle,” he explained. “Once we’ve done steps 1-8, we don’t want to let that go uncontrolled. The data will drive that continuous-improvement loop.”
Audit is the periodic check that the alarm system is meeting the objectives and procedures are followed. “Audit drives changes to the alarm philosophy,” said Sands, bringing the lifecycle full circle. “Compare the performance metrics to the targets.”
Get news like this in your inbox. Sign up for the Control Update newsletter.