
Operator Effectiveness – Alarm Management

Authored by: Benjamin Fricaud


Supratik Pathak
Lester Childs

Keywords: alarm management, power plant, power generation, control, parent-child, rationalization,
prioritization, classification, alarm management lifecycle

ABSTRACT:
This paper describes the development and key features of an alarm philosophy following ISA-18.2
guidance on a combined cycle power plant to rationalize and minimize the alarms and to obtain a
better-performing and more usable alarm system.

Examples and conclusions are based on General Electric’s (GE) power plant design experience.

Background is provided on alarm management history, the challenges and the target for an efficient
alarm system.

High level concepts and associated solutions are explained. The benefits of rationalization and the
advantages of specific advanced techniques are presented.

The conclusion is that a combined cycle power plant alarm system developed by the plant designer can
provide very high quality results and long-term operating and maintenance advantages as it benefits
from the engineering knowledge.

BACKGROUND:
In the days of analog controls, alarm systems were designed to have a limited number of alarms, and
configuring additional alarms was expensive since each alarm point required extra hardware and
wiring. Hence plant designers put considerable effort into creating very effective alarms. An old
thermal power plant in India from the late 80s, supplied by GEC, with a boiler capacity of 275 tph, had
only approximately forty-four (44) configured alarms for Boiler Controls and around fifty (50) alarms
for Burner Management.

With the advent of modern digital controls, configuring alarms became easy and carried no
incremental cost. This resulted in a huge number of configured alarms at the design stage. The quantity
of information/alarms displayed even during normal operation became phenomenal (up to several
thousand a day for a typical combined cycle plant). Many of these alarms require no action
from the operator. This led to an increase in the number of incidents, as operators could not identify
the important information to act on in the flood of alarms. An efficient alarm philosophy aims to show
the operators the right information, at the right time, so they can act fast, avoid incidents and optimize
plant operation.

OBJECTIVE:
According to ISA-18.2 an alarm is “an audible and/or visible means of indicating to the operator an
equipment malfunction, process deviation, or abnormal condition requiring a response.” It is evident
from this definition that an alarm shall require an operator response.

Best Practice: A status change that does not require any operator response can be defined as an event
or alert instead of an alarm. (ref: Principles of alarm system design Feb-11, YA-711, Norwegian
Petroleum Directorate)

With power plants now operating with fewer or relatively new operators it becomes increasingly
difficult for the operator to comprehend the process status and control system actions of the modern
automated power plant. In the event of an equipment malfunction, process deviation or abnormal
condition requiring operator action, the alarm system should augment the operator by providing alarms
at a rate that allows him/her to have time to recognize the abnormal situation, and provide adequate
time for the operator to carry out his/her responses. The rate of incoming alarms can be considered an
important performance measurement for an alarm system.

Principles of alarm system design Feb-11, YA-711, Norwegian Petroleum Directorate provides a guideline
on the Average Alarm rates for a steady state operation and during major plant upsets.

Alarm rates in steady state operational conditions:

Alarm rate (average)              Consequence
More than 1 alarm per minute      Very likely to be unacceptable
One per 2 minutes                 Likely to be over-demanding
One per 5 minutes                 Manageable
Less than one per 10 minutes      Very likely to be acceptable

Alarm rates during major plant upset:

Alarm rate (average)              Consequence
More than 10 alarms per minute    Definitely excessive and very likely to lead to Operator
                                  abandoning the use of the system
2-10 per minute                   Hard to cope with
Less than one per minute          Should be manageable, but may be difficult if several
                                  alarms require a complex operator response

The new ANSI/ISA standard “ISA-18.2” on alarm management provides recommendations on the
efficient design, implementation, operation and maintenance of an alarm management system for the
modern power generation industry.

The standard describes an alarm management lifecycle for efficient management of the alarm system.

ALARM MANAGEMENT LIFECYCLE
According to ISA-18.2 “The alarm management lifecycle covers alarm system specification, design,
implementation, operation, monitoring, maintenance and change activities from initial conception
through decommissioning.”

[Figure: alarm management lifecycle stages: Philosophy; Identification; Rationalization; Detailed
Design; Implementation; Operation; Maintenance; Monitoring & Assessment; Management of Change;
Audit (execution against the alarm philosophy)]

GE has incorporated the industry recommendations in its newest application of the Mark* VIe power
plant control system. The application to a combined cycle power plant is discussed along with the
industry recommendations below.

PHILOSOPHY:
Alarm Philosophy: this is the stage of Alarm Management lifecycle where the objective of the alarm
system is defined and processes are formulated to meet these objectives.

Best Practice: Alarm philosophy for the plant should be created before the detailed design of the plant
is executed.

The ISA-18.2 standard provides an exhaustive Alarm State Transition diagram illustrating the possible
states of alarm suppression as “Shelved”, “Suppressed by Design” and “Out-of-service”.

“Shelved” is an alarm state in which an alarm is temporarily suppressed by the operator.
Alarm shelving is integrated with GE’s Alarm Management system and allows an operator to
temporarily suppress alarms from the Alarm Viewer filtered alarm display, and from HMI screens that
display alarms. When an alarm is being shelved, the operator is prompted to enter an expiration time
for the shelving and a comment as to why the alarm is being shelved. Once the alarms are shelved,
the expiration time and the shelved time are used to determine when the shelved alarm is un-shelved.
When the expiration time expires, the alarms are displayed on the Alarm Viewer again. Shelving has
been authorized in GE's philosophy on all plant equipment that is redundant or not mandatory for safe
plant operation.

“Suppressed by Design”, according to ISA-18.2, is an alarm state in which an alarm is suppressed by
operating condition(s) or plant states.

Example 1: if a pump is not running, it is obvious that there will not be any discharge flow. The low
discharge flow alarm condition can be suppressed when the pump is not running.

Example 2: in the event of an emergency shutdown by the operator, the alarm system should
auto-adjust to this changed scenario and only present information that is relevant, such as a pump
failing to stop. The large number of expected alarms coming in from pumps stopping, low pressure, low
flow, etc. are irrelevant as alerts/warnings in this situation and may be suppressed from the Alarm
Viewer.

“Out of Service” according to ISA-18.2 is an alarm state that is used to manually suppress alarms when
they are removed from service, typically for maintenance. An out of service alarm is under the control of
maintenance and is noted on the Alarm Viewer.

The primary difference between Shelving and Out of Service is that Shelving suppresses alarms using
controlled methods, such as automatic un-shelving of the alarm after a predefined time duration,
whereas with Out of Service alarms are suppressed manually by the operator through the Alarm
Interface, and an operator action is required to return the alarm to the service state.

The standard is only briefly described here; the entire ISA-18.2 standard document should be consulted
before applying it to an alarm management system.

The first step while developing an alarm philosophy is to ensure each type of annunciation is properly
defined with examples: events, diagnostics, alerts and the several levels of alarm. In the alarm
philosophy, for example, the alert refers to items that are not actionable like alarms linked to
automated protective actions or with a very low priority level. This ensures a common wording and
categorization of alarms and avoids misunderstanding or wrong interpretation.

This alarm philosophy can also be extended to the maintenance team. Indeed, the information
needed by the maintenance team is not the same as what an operator requires. The alarm
management system must also provide the features needed to optimize maintenance, so that it is
possible to focus on troubleshooting a specific failure.

IDENTIFICATION:
At this stage, potential alarms are collected using specific, established methods such as a standard
alarm database.

Rationalization:
As per ISA-18.2, “the rationalization stage reconciles the identified need for an alarm or alarm system
change with the principles in the alarm philosophy”

This step consists of setting common rules so that alarms are consistently rationalized plant wide. Those
rules define each piece of information associated with the alarm and how alarms are prioritized (with
identical criteria based on urgency and consequence of inaction) and classified (based on localization
and functional aspects). In GE’s philosophy, operator guidance is provided with each alarm: a
description of the potential causes of the alarm, the action the operator should take for each potential
cause, and the consequence if he does not react. This helps to ensure that alarms are meaningful and
actionable, and leads to a more interactive alarm system.

Alarm Rationalization is integrated into GE’s alarm management system and provides a guide for
reviewing, justifying and documenting the design of each alarm. This aids in the life cycle management
of alarms.

Detailed Design:
At the design stage, based on requirements identified during rationalization, attributes for every alarm
are specified.

Alarm Set-points – Alarm set-points should be configured based on information documented in the
rationalization stage.

Alarm Dead-bands – The alarm dead-band is defined as a percentage of the measurement range. The
alarm transitions to the normal state only when the measured variable has crossed the alarm set-point
back into the normal operating range by the defined dead-band.

Signal Type      Dead-band (Percent of Operating Range)
Flow Rate        ~ 5%
Level            ~ 5%
Pressure         ~ 2%
Temperature      ~ 1%
(ref: ISA-18.2 document)

Alarm On-delay & Off-delay – Alarm on-delay and off-delay attributes help minimize chattering alarms
by ensuring the measured variable is in alarm state or out of alarm state for a pre-defined period of
time.

ISA-18.2 provides a good starting point for alarm delays for different processes:

Signal Type      Delay Time (On or Off)
Flow Rate        ~ 15 seconds
Level            ~ 60 seconds
Pressure         ~ 15 seconds
Temperature      ~ 60 seconds
(ref: ISA-18.2 document)

Best Practice: Defining appropriate Alarm dead-bands along with alarm delays for all the Analog Alarms
might be helpful in minimizing nuisance alarms while ensuring safe operation of the plant.
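
How the dead-band and the on/off delay work together on a chattering signal, as an added example (not code from the paper or from GE's control system). The class and function names and the pressure trace are constructed for illustration; the dead-band and delay values are the ISA-18.2 starting points quoted in the tables above.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Starting points quoted on this page from ISA-18.2:
# signal type -> (dead-band in % of operating range, on/off delay in seconds)
STARTING_POINTS = {"flow": (5.0, 15.0), "level": (5.0, 60.0),
                   "pressure": (2.0, 15.0), "temperature": (1.0, 60.0)}

@dataclass
class HighAlarm:
    """High alarm with dead-band and on/off delay (hypothetical class)."""
    setpoint: float
    range_lo: float
    range_hi: float
    signal_type: str
    active: bool = False
    pending_since: float | None = field(default=None, repr=False)

    def __post_init__(self):
        pct, self.delay = STARTING_POINTS[self.signal_type]
        self.deadband = (self.range_hi - self.range_lo) * pct / 100.0

    def update(self, t: float, value: float) -> bool:
        """Feed one sample (t in seconds) and return the alarm state."""
        if self.active:
            # Clear only once the value is back in the normal range by the dead-band.
            wants_change = value <= self.setpoint - self.deadband
        else:
            wants_change = value > self.setpoint
        if not wants_change:
            self.pending_since = None          # condition broken: restart the timer
        elif self.pending_since is None:
            self.pending_since = t             # condition just started
        if wants_change and t - self.pending_since >= self.delay:
            self.active = not self.active      # condition held for the full delay
            self.pending_since = None
        return self.active

def count_activations(samples, alarm=None, setpoint=None):
    """Count normal->alarm transitions; without `alarm`, use a bare comparator."""
    count, prev = 0, False
    for t, value in samples:
        state = alarm.update(t, value) if alarm is not None else value > setpoint
        if state and not prev:
            count += 1
        prev = state
    return count

def constructed_samples():
    """Constructed pressure trace (bar), one sample every 5 s, set-point 80 bar."""
    noisy = [(float(t), 80.5 if (t // 5) % 2 == 0 else 79.5) for t in range(0, 60, 5)]
    high = [(float(t), 83.0) for t in range(60, 120, 5)]
    back = [(float(t), 70.0) for t in range(120, 180, 5)]
    return noisy + high + back

if __name__ == "__main__":
    trace = constructed_samples()
    print("bare comparator:", count_activations(trace, setpoint=80.0))
    print("dead-band + delay:",
          count_activations(trace, HighAlarm(80.0, 0.0, 100.0, "pressure")))
```

On the constructed trace the bare comparator annunciates on every noise crossing of the set-point, while the delayed alarm annunciates once, 15 seconds into the sustained excursion.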

ISA-18.2 also calls for a Human Machine Interface design for alarm systems that provides alarm
indications and related functionality to the operator.

GE’s Control System provides an Alarm Viewer interface for the operator to view the live alarms,
acknowledge and reset alarms, apply filters, etc.

GE’s new HMI Screens provide an interface for the operator to Acknowledge an Alarm, Set an Alarm Out
of Service, Silence and Shelve an Alarm from the screen without going to the Alarm Viewer interface.

Best Practice: Optimizing redundant alarms – in systems having redundant I/Os, the alarm state should
be designed to reduce the number of alarms. For example, if an HRSG trip logic has redundant inputs
(two of three inputs must be true), then the associated alarm should be designed to be true only when
two out of the three inputs are active.

The next step is the use of advanced techniques. The alarm management system can dynamically filter
the process alarms through a filter of each parameter defined during the rationalization effort. A global
parent-child relationship between alarms has been developed. Two alarms have a parent-child
relationship if they have related causes and the child alarm is uninformative whenever the parent alarm
is active because it is an inevitable consequence of the parent alarm. The child may in fact be misleading
about its root cause. Several examples can be provided, such as: an alarm on a pressure measurement
downstream of a pump being the child of the electrical fault alarm of the pump, or a high level alarm
being the child of a very high level alarm.

Another advanced technique, which is very simple but can bring a lot of value, is shelving. Indeed, in a
power plant it is not unusual to have redundant equipment or accessory systems switched off during
maintenance for several days or weeks. In this particular case, being able to temporarily hide, in a
controlled manner, the alarms linked to these systems is a key alarm reduction feature.
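
The parent-child filtering described above, combined with the controlled shelving described in the Philosophy section (expiration time plus comment, automatic un-shelving), as an added example that is not GE's implementation or code from the paper. The alarm tags, the `Shelf` class and `operator_view` are hypothetical names; hidden alarms are returned with the reason they were hidden rather than dropped, so nothing is lost from the record.

```python
from datetime import datetime, timedelta

# Constructed child -> parent map, built from the two examples given in the text.
PARENT_OF = {
    "PUMP_A_DISCH_PRESS_LOW": "PUMP_A_ELEC_FAULT",
    "DRUM_LEVEL_HIGH": "DRUM_LEVEL_VERY_HIGH",
}

class Shelf:
    """Operator shelving with mandatory expiry and comment (hypothetical API)."""

    def __init__(self):
        self._entries = {}  # tag -> (expires_at, comment, operator)

    def shelve(self, tag, now, duration, comment, operator):
        if not comment.strip():
            raise ValueError("a shelving comment is required")
        if duration <= timedelta(0):
            raise ValueError("shelving needs a positive duration")
        self._entries[tag] = (now + duration, comment, operator)

    def is_shelved(self, tag, now):
        entry = self._entries.get(tag)
        if entry is None:
            return False
        if now >= entry[0]:
            del self._entries[tag]  # automatic un-shelving at expiry
            return False
        return True

def operator_view(active, shelf, now):
    """Split active alarms into (shown, hidden); hidden maps tag -> reason."""
    shown, hidden = [], {}
    for tag in sorted(active):
        parent = PARENT_OF.get(tag)
        if shelf.is_shelved(tag, now):
            hidden[tag] = "shelved"
        elif parent in active:
            # Child is an inevitable consequence of an active parent alarm.
            hidden[tag] = f"child of {parent}"
        else:
            shown.append(tag)
    return shown, hidden

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 8, 0)  # constructed timestamps and alarms
    active = {"PUMP_A_ELEC_FAULT", "PUMP_A_DISCH_PRESS_LOW",
              "DRUM_LEVEL_HIGH", "AUX_FAN_B_VIBRATION"}
    shelf = Shelf()
    shelf.shelve("AUX_FAN_B_VIBRATION", t0, timedelta(hours=4),
                 "fan B isolated for maintenance", "operator-1")
    print(operator_view(active, shelf, t0 + timedelta(hours=1)))
    print(operator_view(active, shelf, t0 + timedelta(hours=5)))
```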

Implementation:
ISA-18.2 specifies implementation as the stage of the alarm lifecycle which is the transition from design
to operation. This is the stage when the alarm system is commissioned/installed and is brought into an
operational state. Typically the following activities are performed at this stage:
• Operator training on usage of the alarm system
• Testing and documentation of newly configured alarms and modifications to existing alarms

GE practice is to have a plant wide simulation set that can also be used to ensure optimized
implementation against real operation scenarios, including failures.

Operation:
This is the stage of the alarm lifecycle when the alarm system is active and is able to indicate an
abnormal condition to the operator.

Maintenance:
This is the stage of the alarm lifecycle when the alarm or the alarm system is taken out of service for the
purpose of testing or repair.

ISA-18.2 calls for appropriate interim alarms or procedures for alarms that are taken out of service
for an extended duration of time. The standard also recommends notifying the operator when alarms
are returned to service and interim alarms and procedures are removed.

ISA-18.2 also recommends periodic training for maintenance personnel on the maintenance
requirements of alarms.

Monitoring & Assessment:
This is the stage of the alarm lifecycle where the overall performance of the alarm system and of
individual alarms is continuously monitored with respect to the goals set in the alarm philosophy stage.

An alarm system's performance typically deteriorates over time on account of aging of measurement
sensors and changes in process conditions. It is here that alarm system performance measurement
comes to the rescue by determining when corrective action is necessary.

Alarm System Performance Metrics: ISA-18.2 provides several metrics for measurement of Alarm
System Performance.

Average Annunciated Alarm rate per Operating Position

• ISA-18.2 provides a guideline on average alarm rates that are very likely to be acceptable
• The standard also specifies that sustained operation above the maximum manageable
  guideline indicates that the alarm system is generating more alarms than an
  operator can handle, which increases the likelihood of an alarm being missed

Peak Annunciated Alarm rate per Operating Position

• For peak alarm rate, annunciated alarms are counted in regular 10-minute intervals
• The ISA-18.2 recommended target for one month of data is that less than ~1% of the
  10-minute intervals should contain more than 10 alarms

Alarm Floods

• ISA-18.2 provides a calculation method and recommendation on Alarm Floods
• In the event of an alarm flood, the alarm system is highly likely to be ineffective in assisting
  the operator

Frequently Occurring Alarms

• ISA-18.2 recommends a review of the most frequent alarms at regular intervals

Chattering and Fleeting Alarms

• ISA-18.2 recommends eliminating chattering and fleeting alarms
• There is no acceptable quantity of chattering and fleeting alarms

Best Practice: Chattering and fleeting alarms should be identified and eliminated using the Alarm
Management Processes.

Stale Alarms

• Alarms that remain in effect continuously for > 24hrs may be considered Stale Alarms
• ISA-18.2 recommends proper rationalization of Stale Alarms

Annunciated Alarm Priority Distribution

• Alarm priority assists the operator in providing a proper response
• ISA-18.2 provides a guideline on the distribution of alarm priorities
Alarm System analyses should be properly reported and actions should be taken on problems identified
by the alarm system analyses.
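
Three of the metrics listed above computed from an alarm log, as an added example (not GE's reporting code and not taken from ISA-18.2 itself): the share of regular 10-minute intervals containing more than 10 alarms against the ~1% target, stale alarms in effect for more than 24 hours, and the most frequent alarms. The function names, tags and the log are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)

def interval_counts(events, start, end):
    """Annunciated alarms per regular 10-minute interval over [start, end)."""
    n = int((end - start) / WINDOW)
    counts = [0] * n
    for ts, _tag in events:
        idx = int((ts - start) / WINDOW) if ts >= start else -1
        if 0 <= idx < n:
            counts[idx] += 1
    return counts

def peak_rate_report(events, start, end, limit=10, target_pct=1.0):
    """Share of intervals holding more than `limit` alarms, checked against the target."""
    counts = interval_counts(events, start, end)
    if not counts:
        raise ValueError("period shorter than one 10-minute interval")
    over = sum(1 for c in counts if c > limit)
    pct = 100.0 * over / len(counts)
    return {"intervals": len(counts), "over_limit": over,
            "pct_over": round(pct, 2), "meets_target": pct < target_pct}

def stale_alarms(active_since, now, threshold=timedelta(hours=24)):
    """Tags that have been in effect continuously for more than 24 hours."""
    return sorted(tag for tag, since in active_since.items() if now - since > threshold)

def most_frequent(events, n=3):
    """Top-n most frequent alarm tags, as input to the regular review."""
    return Counter(tag for _ts, tag in events).most_common(n)

def constructed_day(bursts):
    """Constructed log for one day: 12 alarms in 6 minutes per burst, plus background."""
    day = datetime(2024, 1, 1)
    events = [(day + timedelta(hours=h), f"BACKGROUND_{h % 4}") for h in range(0, 24, 2)]
    for hour in bursts:
        events += [(day + timedelta(hours=hour, seconds=30 * i), "FW_PUMP_A_FLOW_LOW")
                   for i in range(12)]
    return day, day + timedelta(days=1), sorted(events)

if __name__ == "__main__":
    start, end, events = constructed_day(bursts=[3, 15])
    print(peak_rate_report(events, start, end))
    print(most_frequent(events, n=1))
    print(stale_alarms({"HRSG_DRUM_LVL_HIGH": start - timedelta(hours=30),
                        "AUX_FAN_B_VIBRATION": start + timedelta(hours=20)}, end))
```

A single burst in a day of 144 intervals stays under the ~1% target; a second burst on the same day already exceeds it, which is why the standard's target is stated over a month of data.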

GE’s alarm management system provides comprehensive measurement and reporting for:

• Alarm Performance Metric Report
• Alarms Per Day
• Alarms Per Hour
• Alarms Per Ten Minutes
• Alarm Flood Report
• Top Most Frequent Alarms
• Chattering Alarms
• Stale Alarms

[Figure: Alarm performance metric report. Percentage of Days Containing More than 10000 Alarms:
Total Days 32; 65.6% Exceeds Threshold (21 days); 34.4% Under Threshold (11 days)]

[Figure: Alarm per day – Bar & Pie Chart. Alarms 205 (6.2%); Others 3122 (93.8%)]

[Figure: Alarm flood report – pie chart]

[Figure: Chattering Alarm statistics]

ISA-18.2 further recommends assessment of the information from Alarm System Performance
Monitoring against stated goals and performance guidelines. The standard also recommends an
audit of the effectiveness of the work practices used for administration of the alarm system, and
benchmarking to audit the alarm system for the purpose of identifying gaps/problems and developing
improvement plans.

Management of Change:
This is the stage of the alarm lifecycle that covers requirements for alarm system changes with respect
to addition of new alarms, alarm attribute modification, authorization and documentation.

According to ISA-18.2 “The management of change process ensures that the appropriate stages of the
alarm management lifecycle are applied to alarm system changes”.

Audit:
This is the stage of the alarm lifecycle which is conducted periodically to maintain the integrity of the
alarm system and alarm management processes.

The above described alarm philosophy has been applied to a plant wide combined cycle configuration.
The benefits of the alarm system can be summarized with the following results: about 80% static alarm
reduction (becoming alerts only), and more than 45% of the alarms are involved in a parent-child
relationship, which will provide a dynamic benefit.

Conclusion:

Lastly, a key factor for the success of an alarm philosophy is user confidence. The user must be assured
that the alarm system is providing all of the relevant information and not hiding or deleting
information. In GE’s implementation, information is being reformatted and filtered. Access to all of the
system information is available when the operator or I&C technicians have the time to digest the details.
The alarm system can be fully tested and validated during the engineering phase to prove its efficiency
and minimize risks on site. Indeed, GE performs plant wide simulations with starting, stopping and
default scenarios in which alarm behavior is verified.

An alarm is an interface that the Control System uses to inform an operator about an abnormal situation
in the plant. ISA-18.2 provides a detailed guideline on how to provide a very effective alarm
management system. Following this standard, plant designers worldwide are providing highly optimized
alarms for safe operation of the plant, but as the plant ages the parameters set at the design phase need
re-evaluation. Alarm Management is a continuous process and should be followed at regular intervals in
order to have effective alarms until the plant is decommissioned.

References:

• ANSI/ISA - 18.2 – 2009, Management of Alarm Systems for the Process Industries, ISBN: 978-1-936007-19-6
• Understanding and Applying the ANSI/ISA 18.2 Alarm Management Standard, PAS 2010
• Principles for alarm system design, February 2001, YA-711, Norwegian Petroleum Directorate
