AT-E - Practical Alarm Management for Engineers and Technicians
The manual focuses on simple and practical information for personnel ranging from operators all the way up to supervisors, engineers and managers.
Download Chapter List
Fundamental Principles of Alarm System Management
Fundamental Principles of Alarm System Management
1.1 An alarm system
In industrial plants and installations, control systems are used to monitor and control processes. Control Systems, whether a conventional Control Desk or a Computer/PLCs System with SCADA or a Distributed Control System (DCS), provides man-machine -interface to monitor and control the plant equipment and processes. In a conventional Control Desk based control system, push buttons, controller key-pads, mimic panel with indication lamps, alarm annunciator panel, buzzers/hooters, etc. are part of the man-machine interface. In Computer/PLCs based SCADA systems or Distributed Control Systems Visual Display Units (VDU), touch screens, screens/displays, keyboards, printers, software pen-recorders, video copiers, etc. are part of the man-machine interface.
Alarm Systems are an integral part of the man-machine interface. An alarm system consists of both hardware and software including, field signal sensors, transmitters, alarm generators & handlers, alarm processors, alarm displays, annunciator window panels, alarm recorders and printers. Alarm systems, whether hardwired or software configured, play an important role in monitoring and controlling industrial plants and enable equipment to run automatically with control systems. Alarm systems indicate the abnormal conditions and problems of the plant and equipment to the operators, enabling them to take corrective action and bring the plant/equipment back to normal conditions. Alarm systems relay signals to the operators in the form of audible sound, visual indications in different colors and/or continuous or blinking text messages, etc.
An alarm system brings the following to the notice of the operator:
- Problems that need operator attention
- Process changes that require corrective action
- Unsafe operating conditions before Emergency Shut-down of plant
- Hazardous conditions
- Deviations from desired/normal conditions
An alarm system also assists an operator in:
- Maintaining the plant, equipment and processes within normal and safe operating conditions
- Correcting dangerous and hazardous conditions that arise in the plant before Emergency Shut-down is initiated by the Emergency Shown System. This results in increased plant/equipment safety and also improves plant/equipment availability.
- Recognizing a hazard well in advance in order to take corrective action to avoid hazards.
- Better understanding of complex processes & plant conditions and to identify deviations from desired normal operating conditions.
1.2 Functions of the plant or process operator
An alarm system assists the operators in monitoring and controlling the plant, equipment and processes, within safe and normal operating conditions. In order to design a suitable alarm system, it is important to understand the functions of the operator who monitors and controls the equipment and processes in the plant.
Generally, the functions of a plant operator are inclusive of the following activities but are not limited to them:
- Safe and normal operation of plant/equipment
- Production at optimum levels
- Identification of abnormal, hazardous and unsafe plant/equipment conditions and taking corrective action
- Fault identification and communication of faults to maintenance
The priorities of the above mentioned functions and tasks for a plant operator change with the changing conditions of the plant, such as:
- During start-up
- Plant under stabilization
- During plant running in normal condition
- Plant in abnormal conditions
- Plant in emergency shut-down
- Plant in planned shut-down
- Plant or sub-section of plant in manual mode of operation
- Plant in automatic mode of operation
A typical graphical presentation of changing plant conditions and changing functions and priorities of a plant operator is shown in Figure 1.1. The plant condition is represented as a complex function of various process/equipment parameters (x1, x2, x3, …., xn) on y-axis with respect to time (t) on x-axis. The plant condition is said to be normal when all the process/equipment parameters (such as, pressure, temperature, flow, level, concentrations, equipment vibration, equipment safety, dust/gas emissions, etc.) are within normal operating ranges. During normal plant running conditions, the main function of the plant operator is to monitor the processes and equipment conditions and optimize the process/equipment parameters so that the plant is run at an optimum level resulting in optimum productivity, minimum power consumption, low production cost, and environmentally safe operations.
Changing plant conditions and changing functions & priorities of the plant operator
When all the process and equipment parameters (of which the plant condition is a complex function) are in optimum operating ranges, the plant is said to be running in optimum condition in the targeted range. This condition is achieved under normal plant operation with the help of automatic control systems which are capable of minimizing disturbances and maintaining all the critical process and equipment parameters in the desired operating ranges.
The function of the operator, when the plant is running in the targeted range, is to monitor the processes and equipment parameters and make fine adjustments in the controller set points. In such a situation, carefully configured/designed alarms are provided to draw the attention of the operator to enable him to make such fine adjustments. It is important to ensure that such alarms for fine adjustments should not become a nuisance during plant start-up, plant abnormal condition and during plant stoppages and shut-downs.
When there are major disturbances in the processes and equipment parameters due to equipment failures, change in composition of raw material/fuel, etc. the plant condition may become abnormal or upset and the automatic control system may not be able to control such disturbances without an operator’s intervention. Alarms are required to attract the attention of the operator in order for him to intervene and take corrective action to bring the plant back to normal conditions.
In case the abnormal condition of the plant and equipment is not corrected by the operator within the specified time, the plant condition may worsen further. In this instance, it may not be safe to run the plant and equipment without risking damage to the plant, equipment or people, or a poor quality production. In such an emergency condition, the Emergency Shut-Down System, if it exists, intervenes and the abnormal plant section or equipment is shut down by the ESD system safely. If there is no ESD system for the plant and equipment, it is the prime function of the operator to monitor abnormal conditions, search for the relevant alarms, and take corrective actions to return the plant or equipment to normal conditions or to shut down the plant or equipment safely.
However, in practice, the functions of an operator can be very complex in nature during an abnormal plant or equipment condition. In order to return the plant or equipment to normal operating conditions, the operator’s corrective actions may involve several different tasks and some of them may be simultaneous. Typical activities of an operator during an abnormal condition of the plant are shown in Figure 1.2. The operator’s activities and the corrective actions required may also change from one abnormal condition to another. The time available for an operator to respond to an abnormal condition depends on the nature of the process time delays and dynamics. During abnormal plant conditions, alarms are quite useful tools for the operator to take corrective action under time pressure and stress, to return the plant to its normal condition.
As alarm requirements differ under different plant conditions, it is important that the alarms configured and presented are context sensitive or plant condition sensitive. Some signals may be required as alarms during normal plant running, but the same may not be relevant during plant start-ups and other operational conditions. A critical analysis of signals to be used for deriving alarms is required while designing an alarm system; also required is the logical processing of these signals for generating alarms in relevant plant operational conditions.
Typical operator activities during an abnormal condition of the plant
At the same time, it is important to clearly identify the functions of an operator for maintaining plant safety and integrity during all operational conditions. In highly automated plants with automatic protection and controls in place, there is always scope for operator intervention. Such conditions should be clearly identified and while designing the alarm system, it must be clearly determined and defined how the alarm system will help the operator in such abnormal or emergency conditions to take appropriate corrective actions.
1.3 Functions of an alarm system
The main function of an alarm system is to direct the attention of an operator towards the plant abnormal conditions that need timely assessment and/or timely corrective action(s). An alarm system alerts, informs and guides an operator regarding an abnormal situation and helps him to take timely corrective action to bring back the plant to a normal condition.
When an abnormal condition arises, the alarm system raises an alarm in the form of an audible warning, flashing or blinking alarm indication and an alarm message. The alarm provides information about the problem or about the abnormal condition and its details. In a good alarm system, guidance or help messages on how to respond and take corrections are also provided. An ideal alarm system also provides feedback on the corrective actions taken by the operator in response to the alarm. Such feedback is generally provided on supplementary display screens that can be accessed by selecting an alarm in the alarm list.
1.4 An effective alarm system
When designing an effective alarm system, it is important to consider the following key points:
1.4.1 Present only relevant and useful alarms to the operator
An effective alarm system presents only the alarms that help an operator in monitoring and controlling the plant and equipment rather than being a nuisance or hindrance. The operator’s time and attention should not be diverted by the alarms which do not require any response or an intervention from the operator and can be ignored. Otherwise there is a possibility of the “Cry Wolf” effect and the operators may lapse into a frame of mind that the alarms can be ignored.
Therefore, when designing an effective alarm system, it is important that each and every alarm that is configured and presented to an operator should be useful and relevant to the operator. This means that a change in the condition of the plant or equipment which requires maintenance personnel to take corrective or preventive action but is not relevant to an operator running the plant, should not be configured and presented as an alarm.
In a cement plant with a 1000 kW H.T. motor for a Vertical Roller Grinding Mill, it is important to monitor the motor bearing and winding temperatures. The temperatures of both the drive-end & the non-drive end bearings and of six winding temperatures of the H.T. motor are measured with RTDs; the RTDs signals are terminated on a RTD input card of the DCS. The temperatures are recorded in a DCS System for the historical archive.
The following alarms are set for the H.T. motor bearing or winding temperatures:
For each bearing:
- High Alarm at 800C (alarm to alert the electrician to check the bearing)
- High Alarm at 1000C (to trip the H.T. motor)
For each winding:
- High Alarm at 800C (alarm to alert the electrician to check the winding)
- High Alarm at 1000C (to trip the H.T. motor)
In the example, the alarms configured for the H.T. motor bearings and windings temperatures are relevant for the electricians who have to monitor and maintain the H.T. motor. The plant operator will be more interested in the alarms related to the Vertical Roller Grinding Mill such as feed rate, mill outlet material temperature, mill outlet draft, etc. which are relevant to him for operating the mill at optimum levels.
1.4.2 Each alarm should have a defined response from the operator
For an alarm system to be effective, every alarm should have a defined response from an operator. The response should be in the form of a preventive and/or corrective action or an acknowledgement. At times, the response to an alarm can be conditional. Some alarms such as "plant start-up sequence completed” or “equipment stopped/tripped” inform the operator to change his response, i.e., how he is monitoring or paying attention to the plant or equipment. There may not be any immediate action required, but a purely mental response from an operator is important to make such cognitive change.
It is important that each and every alarm should have some response that should be clearly identified and defined during the design stage. If a response for every alarm is identified and defined during the design stage, it helps in formulating alarm response procedures and training operators. If a response to an alarm cannot be defined or identified, such signals should not be configured or presented as an alarm. These signals, which provide only event information or signal state change, will get confused with the alarms which require an operator to pay attention and respond. There are many events which occur in a plant that are only informative in nature; these events should not be configured and reported as alarms. Such events should be recorded separately as history and presented as separate Events List Displays.
1.4.3 Allow adequate time for an operator to respond to an alarm
As discussed previously, the operator is expected to respond to every alarm. It is essential to allow adequate time for an operator to respond to an alarm as defined. To allow an operator to respond in a timely fashion, the alarm should be given in advance, allowing enough time for the operator to take corrective action and to rectify the problem or fault. At the same time, the rate of the alarms should not exceed the capability of the operator to respond to these alarms.
It should also be remembered that the operator’s functions include many other activities and responsibilities apart from responding and handling alarms. As the time required for handling other activities imposes constraints on alarm handling workload, the process control system for the plant, plant-sections, man-machine interface and the alarm system should be designed in such a way that the overall functions of an operator are manageable.
An average workload (W) imposed on an operator by the alarm system is determined as follows:
W = R. T ……..1.1
R = average rate of alarms presented
T = average time taken to respond to the alarm
While designing an alarm system, human limitations and ergonomic factors must be taken into account to make the alarms system effective.
Example 1-2: Manageable alarms:
In a plant, a DCS based Alarm Management System presents alarms to the operator at an average rate of 1 alarm per 120 seconds. It takes the operator an average of 40 seconds to respond to each alarm.
The average workload (W) imposed on the operator by DCS Alarm Management System is:
W = (1 / 120) (40) = 40 / 120 = 0.333 = 33.3 %
This means, on an average, the plant operator has to devote a 1/3rd of his time attending and responding to the alarms presented by the Alarm Management System.
Example 1-3: Over-loaded alarms:
In another plant, a mimic panel with indication Lamps and Alarm Annunciator Panel-based Alarm System presents alarms to the operator at an average rate of 1 alarm per 40 seconds. The plant operator takes on average 30 seconds to respond to each alarm.
In this case the average workload (W) on the operator imposed by the alarm system is:
W = (1 / 40) (30) = 30 / 40 = 0.75 = 75 %
In this plant, 75% of the operator’s time is consumed by the alarm system. The operator is overloaded with alarms.
1.4.4 Configure and present only a good alarm
To design an effective alarm system, it is equally important that only a good alarm is configured and presented as an alarm to an operator. Some of the characteristics of a good alarm are as follows:
- It must be relevant and not a spurious alarm
- It must be presented in a timely fashion: not in advance before the operator response is needed, nor too late, leaving no time for the operator to respond or take corrective action
- It must draw the attention of the operator towards important problems
- It must clearly identify the problem and indicate the action (s) to be taken
- It must be understandable. The alarm message should be clear and easy to understand
- It must indicate the priority of the problem
- It must be unique. It should not be a duplication of another alarm creating redundancy and increasing the alarms load on an operator