A
bbreviations
possibly valuable information. It is a human characteristic that a single
negative experience requires many positive experiences to cancel it
out and this carries over into alarms too. An alarm once shown to be
false, will carry that designation far into the future and be ignored.
Alarms that are, unknown to the operator, truly false demand as
much attention from the operator as the alarms later determined to
be true so take away diagnosis time and delay the taking of action.
Timeliness of event notification matters in that late notification
erodes diagnosis time and delays action but also allows the process
disturbance more time to gain momentum so that a larger corrective
action may become necessary to return to normal.
Events that occur without being alarmed would be of the high-
est concern. Plants in general protect against this by having alarms
defined on many more variables than some unknown (and probably
unknowable) minimum. Few have in place any effective review pro-
cess to identify unalarmed events that did not develop into recognis-
able events. For those that did become recognisable a subsequent
HAZOP is likely to add alarms to more variables without necessarily
taking the time to determine whether the event should have been
identified by existing alarms had they been properly set.
Measuring alarm quality
Three essential quality attributes of an effective alarm system are:
Low percentage of false alarms - ie alarms that annunciate to re-
quest action when none is necessary. Limits placed inside the bound-
Control systems and automation
it is always to be performed then consideration could be given to
automating it and removing it as an alarm - thus reducing the load
on the operator. The immediate cause of the request for intervention
could be:
• Recognised or unrecognised sensor (eg sticking level indicator)
or equipment failure
• A consequence of another operator action such as leaving a
cascade or output in manual
• An external cause such as weather or security breach
• A combination of events too improbable to have been envisaged
• A false alarm because of badly-positioned alarm limits
Immediate alarmquality issues would be whether the alarmor alarms
were the most appropriate in helping the operator to diagnose the
cause of the event to understand how the situation arose and whether
the alarms gave timely notification.
The information available to the operator for diagnosis is the
identity of the alarm(s), their location on the process flow diagram
(PFD) and the time-order in which they annunciated if more than
one alarm is present. Time-order (sequence-of-events) of alarms is
often valuable in diagnosing unusual events but can be made very
confusing if alarm limits are poorly set so that some alarms annunci-
ate early and others late (or never) and therefore not in the sequence
that might be expected from the PFD.
Alarms that annunciate very early are likely to be labelled as ‘false’
or ‘bad actors’ and not be associated with the later better-set alarms
recognised as belonging to the same event, thus losing a piece of
AQI - Alarm Quality Index
DCS - Distributed Control System
EEMUA - Engineering Equipment & Materials Users' Association
ISA - International Society of Automation
HAZOP - Hazard and Operability
LGO - Light Gas Oil, a major constituent of Diesel Fuel
PFD - Process Flow Diagram
PLC - Programmable Logic Controller
5
December ‘13
Electricity+Control
