You are on page 1of 9

Understanding and Applying the ANSI

/
ISA 18.2 Alarm Management Standard
Abstract
Alarm Management has become an ever-increasing topic of discussion in the power and processing
industries. In 2003, ISA started developing a standard around this subject. After six years of hard work, the
ANSI/ISA-18.2-2009 Management of Alarm Systems for the Process Industries standard was published.
This paper reviews the scope, regulatory impact, requirements, recommendations, alarm definitions, and
other details of the standard.
Overview In this white paper, we will review the most
Over the last several years, alarm management has important aspects of the scope, requirements,
become a highly important topic, and the subject recommendations, and other contents of ISA-
of a number of articles, technical symposia, and 18.2. However, there is no substitute for obtaining
books. and understanding the full document.

In 2003, ISA began developing an alarm 1. Purpose and Scope
management standard. Dozens of contributors, The basic intent of ISA-18.2 is to improve
from a variety of industry segments, spent safety. Ineffective alarm systems have often been
thousands of hours participating in the documented as contributing factors to major
development. PAS participated as both a section process accidents. The alarm system problems
editor and a voting member. After six years of that ISA-18.2 addresses have been well known for
work, the new ANSI/ISA-18.2-2009 Management nearly two decades.
of Alarm Systems for the Process Industries
There are several common misconceptions about
(ISA-18.2) standard was released. It is available at
standards. Standards intentionally describe the
www.isa.org.
minimum acceptable and not the optimum. By
The issuance of ISA-18.2 is a significant event design, they focus on the “what to do” rather
for the chemical, petrochemical, refining, than the “how to do it.” By design, standards do
power generation, pipeline, mining and metals, not have detailed or specific “how-to” guidance.
pharmaceutical, and similar industries using ISA-18.2 does not contain examples of specific
modern control systems with alarm functionality. proven methodologies or of detailed practices.
It sets forth the work processes for designing, The standard focuses on both work process
implementing, operating, and maintaining a requirements (“shall”) and recommendations
modern alarm system in a life cycle format. It will (“should”) for effective alarm management.
also have considerable regulatory impact.
Readers familiar with alarm management
ISA-18.2 is quite different from the usual ISA literature should not expect to learn new or
standard. It is not about specifying communication different information when reading the ISA-18.2.
protocols between equipment, nor the detailed The key difference is that ISA-18.2 is a standard,
design of control components. It is about the not a guideline or a recommended practice, and
work processes of people. Alarm management it was developed in accordance with stringent
is not really about hardware or software; it is ANSI methodologies. As such, it will be regarded
about work processes. Poorly performing alarm as a “recognized and generally accepted good
systems do not create themselves. ISA-18.2 engineering practice” (RAGAGEP) by regulatory
is a comprehensive standard developed per agencies. ISA-18.2 is in the process of being
stringent methods based on openness, balancing adopted as an International IEC standard (IEC
of interests, due process, and consensus. These 62682 Ed. 1.0)1.
components make it a “recognized and generally
The ISA-18.2 committee is now working on
accepted good engineering practice” from a
creating additional explanatory and methodology
regulatory point of view.
information in follow-up ISA technical reports.
These should be available in 2011.
1. See http://www.iec.ch/cgi-bin/procgi.pl/www/iecwww.p?wwwlang=e&wwwprog=pro-det.p&progdb=db1&He=IEC
&Pu=62682&Pa=&Se=&Am=&Fr=&TR=&Ed=1.0
© PAS 2010 1

” This is or an annunciator. megawatts. enforcement reasons. and Hazardous Materials Safety Administration Safety Instrumented System (SIS).gov/pls/oshaweb/owadisp.3 • Pharmaceuticals • Mining & Metals There is little question ISA-18. Generally.2. plastics.” 2.2 to its and reacting are steps performed by the operator. analyzing the situation. or discrete.S. standards was also used in ISA-18. is a RAGAGEP. batch.2 is on alarm systems that have “general duty” clauses and interpretations. It is: by-clause interpretation of OSHA. or other regulations. actually a regulatory acronym. This API document system relative to terms used in other standards.osha. See http://www. content in other standards. continuous. 4. SCADA systems.show_document?p_table=INTERPRETATIONS&p_id=25164 3. practices and procedures of this standard shall be applied to existing systems in a reasonable time as determined by the owner/operator. and companies should expect Additionally. • Refining OSHA recognizes ANSI/ISA S84. Alarm Management Recommended ISA-18. See http://www. such as ISA-18. The American applicability. or Safety Systems.” In the OSHA • Petrochemical interpretation letter to ISA.2 There exists a “Memorandum • Pipelines of Understanding” between OSHA and ANSI • Power Plants regarding these matters. Many industries are to the issue of this standard. that is simply not the case when it comes to alarm The U. consider OSHA 1910. While many industries feel “We’re different!”. This includes the bulk of all processes operating Codes. and operated in a safe manner. PHMSA. or aspirin. PLCs.119 Process determine that the equipment is designed. which states. The regulatory “For existing alarm systems designed and constructed in environment is complex and overlapping for accordance with codes.2 as a resource in its in the development of ISA-18.2.2 Apply to You? The important thing is that regulatory agencies The focus of ISA-18. etc.2 indicates the boundaries of the alarm Practices for Pipeline Systems. the owner/operator shall clearly covered by OSHA 1910.2. standards. inspectors. a National Consensus • Chemical Standard. Other regulatory agencies are also this. DOT.show_document?p_table=MOU&p_id=323 © PAS 2010 2 . specifically: considered “recognized and generally accepted good engineering practices.gov) response.2. Grandfathering 3.gov/pls/oshaweb/owadisp. it applies whether your process is the regulatory agencies to take notice. and practices are usually today. Several (PHMSA) generally adopts API recommended exclusions are listed to not contradict existing practices in their regulatory language. Chemical Safety Board (www. such as one example. RAGAGEP.119 (d)(3) (ii) DCSs.2. This was with the specific intent to be There is little difference if you are making (or able to easily cite it in investigations and used for moving) gasoline. The Indeed. from ISA to internally distribute ISA-18. Regulatory Impact A grandfather clause used by other ANSI/ISA This paper is not intending to be a detailed clause. which makes a few specific inspected. The a regulated industry can be expected to either reason for this commonality is that alarm response comply with RAGAGEP or explain and show is really not a function of the specific process being they are doing something just as good or better. semi-batch. “The employer shall document that It applies to plants with operators responding to equipment complies with recognized and generally alarms depicted on a computer-type screen and/ accepted good engineering practices.csb. it is a human-machine interaction.2. Safety Management. and the Pipeline such as Basic Process Control System (BPCS). and the resulting standard has overlapping becoming aware of ISA-18. tested.2 is an example of RAGAGEP. OSHA has sought and received permission steps for detecting an alarm. Many different industries participated will also be using ISA-18. is in full alignment with ISA-18. Petroleum Institute (API) will soon release API RP-1167. controlled. recognized investigations. The mentions of alarms.01-1996 as • Platform an example. maintained. and/or practices prior some industry segments. As are part of modern control systems. EPA. Does ISA-18. standards.osha.

process deviation. testing.2 defines an alarm as “an audible and/or ISA-18. An “Out includes refresher training. This includes some HMI intentionally suppressed due to a designed depiction decisions and can include the use of condition. into operational status. to suppress an alarm outside of the proper work 5. They malfunction. determining “Unacknowledg ed”.2 includes a to meet those moderately complex objectives. usually for reasons associated with the Operation: The alarm is functional. “Out of Service” is a non-functioning alarm. diagram depicting the Identification: alarm states and sub- Work processes states of “Normal”. This may involve commissioning.) are intentionally generic and not specific to a © PAS 2010 3 . definitions. settings determination. The Alarm Management Life Cycle ISA-18. This stage Maintenance stage of the life cycle. and “Latched”.2 is written with a life cycle structure visible means of indicating to the operator an equipment comprised of ten stages (see Figure 1). the alarm functionality is not working (generally This clause mimics language used in OSHA through an override mechanism of some sort). the aspects of the alarm so that it meets the requirements determined in rationalization and “Suppressed By Design” is an alarm in the philosophy. Definitions in ISA-18. indicate mandatory requirements. Alarm State Transitions of the alarm system and the work processes ISA-18.2 practices.” Alarm Philosophy: Documents the objectives 6. that is temporarily suppressed. of ensuring an “Suppressed by alarm meets the Design”. This is a generic description that special or advanced techniques. and unfortunately common. (Do not alarm. and training activities. using a documentation. regulation 1910. and a manual initiation by the operator.The two instances of “shall”. usually via classification. It is possible. equate this life cycle stage with the maintenance The terms “suppress” and “alarm suppression” department or function. “Returned-to-Normal”.2 and other references. and “Out of requirements Service”. Of Rationalization: particular interest are The process the states of “Shelved”. while maintaining consistency between ISA-18. necessary. They are used to indicate when highlighted. which are type of DCS. which alarms are “A c k n o w l e d g e d ” . method meeting a variety of administrative requirements to ensure the shelved status is Detailed Design: The process of designing known and tracked. of Service” alarm is also tracked via similar Maintenance: The alarm is non-functional administrative requirements to a shelved due to either test or repair activities. if required.119(d)(3)(iii). 7. and the detection of such undesirable An immense amount of work was done in situations is part of the Monitoring life cycle researching and carefully crafting various stage. including the tasks “Shelved” is an alarm Figure 1: The Alarm Management Life Cycle of prioritization. or abnormal condition are: requiring a response. includes such items as simple logic-based alarms and advanced state-based alarming Implementation: The alarm design is brought techniques. These have set forth in the specific meanings: alarm philosophy.

I note it is configured as a Priority of my alarms are on the most frequent alarm list? 3. I will also simple task. I mentally review the management of change Audit: Periodic reviews are conducted to maintain requirements for doing so.” philosophy. I could not Identification Stage: Engineer: “Ah yes. do not get overwrought about trying to lead to chattering behavior. Activities change as part of my authorized job duties. our site procedures empower me to make this 7. I would have to tell approach and the ISA-18. There’s nothing In a few minutes. more appropriate deadband setting. and consult a point in time. That seems reasonable. As long as I am here looking spending some time fixing nuisance alarms. actually change the deadband. I am report about this one. Let’s examine some figure out which life cycle stage you are in at any process history and alarm history. Which at this alarm. however my job notification to the operators.” list of activities to be accomplished in a particular Implementation Stage: Engineer: “Now I order.1. Before I system follow a defined process. do I have and accomplishing effective alarm management. If I did. This specific type of the integrity of the alarm system and alarm change is covered in our alarm philosophy. Hmmm. That’s one example task. in a matter of minutes an engineer number and hit ‘Enter. there’s one – a chattering high-value alarm on online master alarm database for the reasons that the column pressure. That task could involve going the proper security access. and reason. several different life cycle unusual about it. not have to seek any approval or signatures. PAS published The Alarm Management Operation Stage and Maintenance Stage: Handbook.2. If they did not. Hmmm. Consider the following: make a note in the weekly nuisance alarm tracking Monitoring Stage: Engineer: “Well today. Any change in priority requires part of our quality program.” the problem.2 life cycle methodology. Life Cycle Stages vs. I will add this new through several different life cycle stages as part deadband setting into the master alarm database of performing the activities associated with a along with my name. Hmmm. 4. on this DCS. I see that the alarm stages were briefly visited in accomplishing this deadband on this point is set to zero. But I can make this change system’s performance is continuously monitored without that and the alarm will remain online and reported against the goals in the alarm throughout. I will Life cycle is a structure for the content of the ISA. which provided a proven seven-step Engineer: “Now I am going to alter the alarm methodology for solving an alarm system problem deadband to a new setting. they look pretty good. I do Do not confuse a life cycle stage with an activity. have to document this change in the master alarm 18. It is not specifically or necessarily a database though. So I don’t have to research process for this is to continue to look at the alarm as to whether it was originally specified by some data to see if this deadband setting change solved particular process like a PHA. type in and activate this new number for deadband. Management of Change Stage: Engineer: “So Management of Change: Changes to the alarm far. I need the Prioritization team happen to remember that we need this alarm as take a look at it.Monitoring and Assessment: The alarm the operator first. not to decide whether to Monitoring Stage: Engineer: “Part of my work get rid of it or not. I type in the new For example. but let’s just check the Ah. I will add this one to my tracking and follow-up list. date. Documentation is a part of the Rationalization stage of the life cycle © PAS 2010 4 . not a good book on alarm management to determine a work process sequential checklist.2 document.’ Done!” could sit down and resolve a single nuisance Rationalization Stage4: Engineer: “Since I have chattering alarm.” today is to make it work correctly and eliminate the chattering behavior. I change them myself. and management work processes. In understanding and applying certainly not a proper thing and could easily ISA-18. I haven’t actually changed anything. It is a requirements structure.” In 2006. to take the point off-scan to do that? Not in this There is no conflict between this seven-step case.” resulted in that priority assignment.” Detailed Design Stage: Engineer: “Let’s check the configuration of this alarm.

such as interim Alarm classification is a method for assigning protection. HMI depiction. you must document and handle a multitude of alarm definition. These to successfully do this and a classification will probably be only a subset of the ISA-18. mostly administrative ones. and “highly managed alarms”. committee elected to require a classification structure. standards tell you what to do but not PAS’ advice is to specifically avoid the usage of how to do it. However. testing with specific documentation Alarm classes are defined and used to keep • Mandatory training around track of these requirements. from “critical” to Stage “vital” to “special” to “super-duper. this alarm classification. The Alarm System Requirements one. • Mandatory initial and periodic reporting. Normally. There are no specific class requirements Specification (ASRS) and no minimum number of class definitions This non-mandatory section basically says that specified.2 structure is only one of them. You might choose to For example. this classification. PAS recommends the “keep it if you are buying a new control system. The Alarm Philosophy Life Cycle designations were considered. if you do. The documentation same could be true for testing.2 recognizes that an alarm philosophy Managed Alarms” or HMAs was chosen as document is a key requirement for effective the term. Specific deficiencies in the chosen system can drive the acquisition or creation of third-party or custom solutions. or to require a specific method. some alarms may require periodic training with specific content and refresher training. etc.1. not the Now.” “Highly ISA-18. “alarm classification” • Specific shelving requirements. The various mandatory requirements for HMAs are spread over several sections throughout There are no surprises in the list except for two ISA-18. Highly Managed Alarms task arrangement. then philosophy include roles and responsibilities. “Identify and track alarms that require choose only the administrative requirements periodic testing. for inclusion.2. Remember that a standard describes the minimum acceptable. specific documentation • Mandatory audit requirements This is a slightly unusual thing for a standard. though it need not be an onerous 9. However. and audit and keeping track of various requirements trail for alarms. maintenance.2 to define alarm classes. the listing for HMAs. and then stated. it is simple” approach and have a straightforward a good idea to write down your requirements class structure with minimal variations. Alarm Classification requirements. monitoring. It is mandatory in maintenance requirements with ISA-18. if you state “this classification in my philosophy is per The major mandatory contents of the alarm the ISA-18. The intent is to identify the alarms alarm management.” There are a variety of methods you deem necessary for those alarms. © PAS 2010 5 . For • Mandatory initial and refresher example.there is only some different nomenclature and 8. the standard could have simply have your own similar classification. access control.2. and similar aspects. The committee thought it desirable to explicitly define one class of alarms. the basis for alarm special administrative requirements in a precise prioritization. training. and evaluate vendor offerings and capabilities against them. there is no requirement to have or use optimum. HMI guidance. management of change. while others may not. performance way according to the standard. A variety of 8. These include: concepts not previously included in the Alarm Management lexicon.2 usage of Highly Managed”. such as access control with audit trail • Specific “Out of Service” alarm 8. A table lists topics which that must have a considerably high level of are noted as either mandatory or recommended administrative requirements.

setpoints. capabilities. Layer of Protection Analysis (LOPA). perhaps more than ISA technical reports. These are the usual non-mandatory advice about the proper usage of list of studies such as a Process Hazard Analysis some alarm types and some alarm configuration (PHA). and types The activities are as follows: • Alarm silencing and acknowledgement • Ensuring alarms meet the criteria set • Alarm shelving. the word is used to indicate a Some items discussed (with little detail). Failure Mode and Effects Analysis (FMEA). designed forward in the alarm philosophy suppression. You can still be in compliance with the Note all of the activities listed above include both standard if you have such a system. 13.2. priorities.The ASRS then becomes a useful document for mandatory contents of the rationalization stage system testing and acceptance. this section is intentionally activity of a team reviewing an alarm system and limited. The major mandatory items • Documenting any advanced alarming are for specific depiction of various alarm-related capabilities desired for an alarm conditions. Some examples of such some alarms. include: collection of activities that may be done in a • Depiction of alarm states. The Alarm Rationalization Life Cycle Design for Alarm Systems Stage This section describes the desired functionality for This life cycle stage consists of several activities. the need for use of one of those This section describes the common capabilities of types or the creation of a specific alarm via custom control system alarm functionality and how they logic or calculation may be driven from a variety relate to the alarm state diagram. The Alarm Identification Life Cycle Stage The section is quite short since it intentionally This section of ISA-18. There is some of process-related sources. such as deadband and delay time. These items are typically within such as operator action. variety of ways. etc. etc. All modern control systems have a methods are planned for one of the follow-up lot of built-in alarm capability. Since there is a Most people familiar with alarm management current ISA standard in development specifically concepts think of rationalization as the specific about HMIs (ISA-101). priority.2 notes that different avoids listing specific methods for effective and methods are used to initially identify the need for efficient rationalization. consequences. 10. 12. a dozen types of alarms available for some point types. The Basic Alarm Design Life Cycle Stage In some cases. etc. The major I would estimate that the ISA-101 standard on © PAS 2010 6 . the capabilities of most modern control systems. making decisions about usage. and out of service conditions • Justifying the need for the alarm and depiction • Marking for deletion alarms that • Alarm summary display functionality should not exist • Other alarm-related similar displays • Determining the appropriate alarm and functionality • type • Alarm sounds • Determining the appropriate alarm • Alarm information and messages setpoint or logical condition • Alarm annunciators • Determining the proper priority • Documenting any special design Many functionality items are listed as mandatory considerations for an alarm or recommended. the cases of review of already existing alarms or consideration of potential new alarms. Human-Machine Interface (HMI) 11. are for specific alarm documentation and alarm classification. It is noted at the start of the section that some • Determining the alarm’s classification described features are not possible in some control systems. indicating alarms to the operator. In ISA-18. and specifically required HMI screens • Documenting relevant information and functionality.

In the meantime. testing. and remote Maintenance stage of the life cycle. e-mailing. The areas overview of alarm features and capabilities that addressed are: are usually a bit beyond the standard capability of a control system. and auditing • Refresher training for personnel systems involved with alarm repair or testing • Alarm attribute enforcement • Alarm validation in regard to equipment replacement 15. • Externally enabled systems It is about the condition where an alarm • Logical alarm suppression/ has been removed from service specifically attribute modification for testing or repair. The areas covered generally intent is to verify that the other life cycle stages have both mandatory requirements and non. including These types of advanced methods briefly documentation discussed include the following: • Information linking 17. including considerations record-keeping • Training. It actually They are as follows: might turn out to be just a technical report than • Planning a standard. we recommend our latest book The systems and modifications High Performance HMI Handbook. This section notes that • Alarm response procedures usage of such advanced capabilities may require • Alarm shelving. as well as the • Documentation of training and ASM Consortium Guidelines for Effective Operator testing Display Design. tracking. The Monitoring and Assessment This section covers the activities and Life Cycle Stage requirements around implementing a new This is the stage in which alarm system alarm system or implementing desired changes performance is measured and reported. The section covers • State-based alarming mandatory requirements and non-mandatory • Model-based alarming recommendations for the following: • Non-control room considerations (such as remote alarm notification) • Moving alarms in and out of the • Paging. alerting systems including notification. The Operation Life Cycle Stage 14. are successful in creating an alarm system that mandatory recommendations. 16.HMI is several years from issuance. including additional design work and support. is effective. and • Supplementary alarm systems documentation • Continuously variable alarm • Interim procedures for when alarms thresholds are out of service • Batch process alarm • Periodic testing of alarms. documentation • Operator refresher training. this is uncertain. The Implementation Life Cycle Stage 18. • Training for new systems and if you want more detailed information modifications on creating proper and effective operator • Testing and validation for new graphics. The Maintenance Life Cycle • Logic-based alarming Stage • Model-based alarming This section is not about the maintenance • Alarm attribute modification department or the maintenance function. Enhanced and Advanced Alarm This section deals with mandatory requirements Methods and non-mandatory recommendations for This is an informative section providing an in-service and operating alarms. © PAS 2010 7 . The to an existing one.

the committee did Bill Hollifield is the considerable research to achieve consensus. The High-Performance HMI Handbook. including the consideration of Several analyses are described and recommended technical basis.2 is an important standard and will • Stale alarms undoubtedly result in a significant safety • Annunciated alarm priority distribution enhancement for the process industries. non-mandatory table indicating recommended and authorization performance goals and metrics is provided. The section covers • Peak annunciated alarm rates per the nature of audits. and the Electric © PAS 2010 8 . items to be examined. Four clearly defined change terms are used in this section: “monitoring”. and “benchmark”. and • Alarm attribute monitoring (for companies are advised to become familiar with its unauthorized change) contents. The publication of ISA-18. but also of the various work 10 minutes.2 • Unauthorized alarm suppression has significant regulatory consequences. and operating position some recommendations around practices. operator and recommendations skill. PAS Principal Alarm Several analyses with problematic concerns were Management and HMI intentionally left out.” The analyses described are: 20. It validates (alarm occurrences) and embodies practices that industry experts and • Alarm attributes priority distribution leading manufacturing companies have advocated (alarm configuration) for many years. with acceptability numbers) processes associated with it. degree of automation. In deciding the particular measures and About the Author performance numbers. “audit”. process type. Recommendations for the Consultant. • Alarm decommissioning types and significance of the alarms produced). per hour. • Change review process requirements “assessment”. The Management of Change Life committee and the Cycle Stage American Petroleum This section deals with mandatory requirements Institute’s committee and non-mandatory recommendations for change developing API-1167 Recommended Practices for of the alarm system. Alarm Management of Pipeline Systems. It is mandatory that alarm system performance be The items covered are: measured and compared against goals identified • Changes subject to management of in the alarm philosophy. The • Ensuring changes are in accordance with numbers allow for possible modifications. member of the ISA SP- 18 Alarm Management 19. Bill is also the coauthor of The Alarm Management Handbook. HMI. procedure and for alarm system performance measurement. A documentation modifications. per alarm system itself. review. operating environment. such as • Alarm floods (calculation methods and interviews and action plans. The Audit Life Cycle Stage The Audit stage involves a more comprehensive • Average annunciated alarm rate per review of not only the performance of the operating position (per day. impact. recommendations) • Frequently occurring alarms 21.g. Alarm rate requirements and recommendations alone is not an indicator of acceptability. He is a voting reporting of alarm system analyses are provided. Summary • Chattering and fleeting alarms ISA-18. and are the alarm philosophy as follows: • Temporary changes • Implementation of changes “The target metrics in the following sections are approximate • Change documentation requirements and depend upon many factors (e. Maximum recommendations acceptable numbers could be significantly lower or perhaps • Alarm attribute modification slightly higher depending upon these factors.

multi-company experience in all aspects of Alarm Management along with many years of chemical industry experience with focus in project management. PAS solutions are installed in over 1.286. chemical production. Ste. Bill has international. contextualizing. TX 77062 +1.pas.. maximize situation awareness. About PAS PAS (www.Power Research Institute’s Alarm Management and Annunicator Application Guidelines.com) improves the automation and operational effectiveness of power and process plants worldwide by aggregating. and simplifying relevant information and making it universally accessible and useful. He’s a pilot. and builds furniture (and the occasional log home in the Ozarks) as a hobby. Automation Genome Mapping. Control Loop Performance Optimization. and reduce plant vulnerabilities. Contact PAS: 16055 Space Center Blvd.281. 600 Houston.6565 info@pas. Bill holds a Bachelor’s Degree in Mechanical Engineering from Louisiana Tech University and an MBA from the University of Houston. Our comprehensive portfolio includes solutions for Alarm Management. and control systems.com © PAS 2010 9 . We provide software and services that ensure safe running operations. and High- Performance Human-Machine Interfaces.000 industrial plants worldwide.