Alarm system management procedures


#1

Alarm systems alert operators to plant conditions, such as deviation from normal operating limits and to abnormal events, which require timely action or assessment.

Alarm systems are not normally safety related, but do have a role in enabling operators to reduce the demand on the safety related systems, thus improving overall plant safety.

However, where a risk reduction of better than 10-1 failures on demand is claimed then the alarm system, including the operator, is a safety related system which requires a suitable safety integrity level (SIL 1 or SIL 2 as defined by BS IEC61508).

EEMUA 191 ‘Alarm systems - a guide to design, management and procurement’ considers alarm settings, the human interface (alarm presentation), alarm processing and system management controls for both safety related and other alarm systems. It provides the following guidance in regard to safety related alarm systems:

  • The alarm system should be designed in accordance with IEC 61508 to SIL 1 or 2, with the designated reliability;
  • The alarm system should be independent from the process control system and other alarms unless it has also been designated safety related;
  • The operator should have a clear written alarm response procedure for each alarm which his simple, obvious and invariant, and in which he is trained;
  • The alarms should be presented in an obvious manner, distinguishable from other alarms, have the highest priority, and remain on view at all times when it is active;
  • The claimed operator workload and performance should be stated and verified.

Alarms which are not designated as safety should be carefully designed to ensure that they fulfil their role in reducing demands on safety related systems.

For all alarms, regardless of their safety designation, attention is required to ensure that under abnormal condition such as severe disturbance, onset of hazard, or emergency situations, the alarm system is remains effective given the limitations of human response. The extent to which the alarm system survives common cause failures, such as a power loss, should also be adequately defined.

Further guidance is available in EEMUA 191 ‘Alarm systems - a guide to design, management and procurement’, and CHID circular CC/Tech/Safety/9.

Alarm settings

The type of alarm and its setting should be established so as to enable the operator to make the necessary assessment and take the required timely action. Settings should be documented and controlled in accordance with the alarm system management controls.

Human interface (alarm presentation)

The human interface should be suitable. Alarms may be presented either on annunciator panel, individual indicators, VDU screen, or programmable display device.

Alarms lists should be carefully designed to ensure that high priority alarms are readily identified, that low priority alarms are not overlooked, and that the list remains readable even during times of high alarm activity or with repeat alarms.

Alarms should be prioritised in terms of which alarms require the most urgent operator attention.

Alarms should be presented within the operators field of view, and use consistent presentation style (colour, flash rate, naming convention).

Each alarm should provide sufficient operator information for the alarm condition, plant affected, action required, alarm priority, time of alarm and alarm status to be readily identified.

The visual display device may be augmented by audible warnings which should at a level considerably higher than the ambient noise at the signal frequency. Where there are multiple audible warnings, they should be designed so that they are readily distinguished from each other and from emergency alarm systems. They should be designed to avoid distraction of the operator in high operator workload situations. Where both constant frequency and variable frequency (including pulsed or intermittent) signals are used, then the later should denote a higher level of danger or a more urgent need for intervention.

Alarm processing

The alarms should be processed in such a manner as to avoid operator overload at all times (alarm floods). The alarm processing should ensure that fleeting or repeating alarms do not result in operator overload even under the most severe conditions. A number of alarm processing techniques include filtering, deadband, debounce timers, and shelving, are described in EEMUA 191 ‘Alarm systems - a guide to design, management and procurement’.

The presentation of alarms should not exceed that which the operator is capable of acting upon, or alternatively the alarms should be prioritised and presented in such a way that the operator may deal with the most important alarms without distraction of the others. Applicable alarm processing techniques include grouping and first-up alarms, eclipsing of lower grade alarms (e.g. suppression high alarm when the high-high activates) suppression of out of service plant alarms, suppression of selected alarms during certain operating modes, automatic alarm load shedding and shelving.

Care should be taken in the use of shelving or suppression to ensure that controls exist to ensure that alarms are returned to an active state when they are relevant to plant operation.

Alarm system management procedures

Management systems should be in place to ensure that the alarm system is operated, maintained and modified in a controlled manner. Alarm response procedures should be available, and alarm parameters should be documented.

The performance of the alarms system should be assessed and monitored to ensure that it is effective during normal and abnormal plant conditions. The monitoring should include evaluation of the alarm presentation rate, operator acceptance and response times, operator workload, standing alarm count and duration, repeat or nuisance alarms, and operator views of operability of the system. Monitoring may be achieved by regular and systematic auditing.

Matters which are not worthy of operator attention should not be alarmed.

Logging may be a suitable alternative for engineering or discrepancy events to prevent unnecessary standing alarms. A system for assessing the significance of such logged events to ensure timely intervention by maintenance personnel may be required.