At one time, I worked in a large continuous process plant that had alarms coming in constantly. The operators could hit the “Silence” button in their sleep. We had a case where a process flow was accidently diverted to the wrong tank, and it eventually filled and overflowed the tank. Even though the tank had redundant level transmitters and we had one of the more alert panelboard operators on shift, the rising level was not noticed until the tank overflowed and was noticed by a field operator. The panelboard operator had silenced two high alarms, two hi-hi alarms, two “over” alarms, and two range alarms over the course of two hours but had failed to recognize that there was a problem.
Concept: Enable alarms on instruments that matter and on process non-conformances that the operator can do something about. Having alarms for the sake of having alarms only ensures that ALL alarms will be ignored—even the ones that matter.
Details: Alarm management has become all the rage lately, and with good reason. The proliferation of instrumentation busses has provided access to a plethora of information, and because everything is now typically alarmed, the operators are being buried under a barrage of alarms. When faced with a constant stream of annunciation, most operators quickly become numb and increasingly just hit “Silence.” Critical alarms are lost in the noise and are routinely missed.
Ironically, there was an advantage to the relay annunciator panels built into the old control room panelboards. There were only so many points available, so only the critical alarms made the list. With the advent of computers, EVERYTHING can be alarmed, and unfortunately that is exactly what happens.
An engineer has several ways to address this problem, and many books have been written on the subject. Addressing this expansive topic in a few pages is not possible, but here is a brief list of suggestions that can help reduce the problem of too many alarms.
- Enable alarms on instruments that matter.
- If an operator cannot do something to resolve the situation, there is no point in alarming it.
- Program “smart” alarms. Automatically disable alarms on out-of-service equipment. Add conditional logic that generates a common alarm when a piece of equipment trips rather than generating 10 or 15 alarms that essentially indicate the same condition. (For instance, if a boiler trips it makes little sense to alarm the trip, low gas flow, low gas pressure, low air flow, etc.) One piece of information that IS useful, however, is “first out” trip information. Many operators use the alarm list to determine what tripped the equipment. If the first out information can be indicated on a graphic, the operators do not need to see the individual alarms.
- Segregate the alarms and deliver the information to the appropriate audience. The operators do not need to see most calibration and/or maintenance alarms, but the maintenance department does. Generate an alarm report to Maintenance, but just indicate a possible problem to the operator so he or she can be aware of it.
- Change from alarms to indicators. If a process is running out of spec but not in a critical range, then it may make more sense to indicate this condition as a color change on the graphic instead of than firing an alarm that must be acknowledged.
- Monitor alarms and routinely eliminate “bad actors.” In most cases, a large percentage of alarms is created by a handful of points. An occasional review of the most active alarms will allow the plant to identify these points and modify the programming to reduce their frequency or address their cause. Doing this can dramatically reduce the total alarm count without requiring much effort.
Watch-Outs: Many control systems default to having all the alarms enabled. On a new system, it may make more sense to enable none of the alarms initially and add them back as necessary.
Exceptions: Some plants do not allow the operators to suppress alarms because they are concerned that critical alarms will be turned off and never restored. One solution to this problem is to allow operators the ability to suppress alarms, but program the alarms to automatically restore after some appropriate period of time. In this way, a broken instrument can be silenced for a shift while repairs are made.
Insight: One plant only enabled setpoint alarms when a controller was in automatic. (Such alarms annunciate when the process variable is beyond the allowable range around the current setpoint.) High and low alarms were not enabled unless the controller was in manual. This method provided increased alarming when a loop was in manual but did not generate alarms on a point in automatic unless it deviated too far from setpoint.
Rule of Thumb: Alarm management is a never ending effort. Routinely review the plant’s alarm list, and try to eliminate or address points that appear too often. When configuring new systems, include some means of smart alarm management into the design.