Understanding and Applying the ANSI/ ISA 18.2 Alarm Management Standard Abstract Alarm Management has become an ever-increasing topic of discussion in the power and processing industries. In 2003, ISA started developing a standard around this subject. After six years of hard work, the ANSI/ISA-18.2-2009 Management of Alarm Systems for the Process Industries standard was published. This paper reviews the scope, regulatory impact, requirements, recommendations, alarm definitions, and other details of the standard. Overview In this white paper, we will review the most Over the last several years, alarm management has important aspects of the scope, requirements, become a highly important topic, and the subject recommendations, and other contents of ISA- of a number of articles, technical symposia, and 18.2. However, there is no substitute for obtaining books. and understanding the full document. In 2003, ISA began developing an alarm 1. Purpose and Scope management standard. Dozens of contributors, The basic intent of ISA-18.2 is to improve from a variety of industry segments, spent safety. Ineffective alarm systems have often been thousands of hours participating in the documented as contributing factors to major development. PAS participated as both a section process accidents. The alarm system problems editor and a voting member. After six years of that ISA-18.2 addresses have been well known for work, the new ANSI/ISA-18.2-2009 Management nearly two decades. of Alarm Systems for the Process Industries There are several common misconceptions about (ISA-18.2) standard was released. It is available at standards. Standards intentionally describe the www.isa.org. minimum acceptable and not the optimum. By The issuance of ISA-18.2 is a significant event design, they focus on the “what to do” rather for the chemical, petrochemical, refining, than the “how to do it.” By design, standards do power generation, pipeline, mining and metals, not have detailed or specific “how-to” guidance. pharmaceutical, and similar industries using ISA-18.2 does not contain examples of specific modern control systems with alarm functionality. proven methodologies or of detailed practices. It sets forth the work processes for designing, The standard focuses on both work process implementing, operating, and maintaining a requirements (“shall”) and recommendations modern alarm system in a life cycle format. It will (“should”) for effective alarm management. also have considerable regulatory impact. Readers familiar with alarm management ISA-18.2 is quite different from the usual ISA literature should not expect to learn new or standard. It is not about specifying communication different information when reading the ISA-18.2. protocols between equipment, nor the detailed The key difference is that ISA-18.2 is a standard, design of control components. It is about the not a guideline or a recommended practice, and work processes of people. Alarm management it was developed in accordance with stringent is not really about hardware or software; it is ANSI methodologies. As such, it will be regarded about work processes. Poorly performing alarm as a “recognized and generally accepted good systems do not create themselves. ISA-18.2 engineering practice” (RAGAGEP) by regulatory is a comprehensive standard developed per agencies. ISA-18.2 is in the process of being stringent methods based on openness, balancing adopted as an International IEC standard (IEC of interests, due process, and consensus. These 62682 Ed. 1.0)1. components make it a “recognized and generally The ISA-18.2 committee is now working on accepted good engineering practice” from a creating additional explanatory and methodology regulatory point of view. information in follow-up ISA technical reports. These should be available in 2011. 1. See http://www.iec.ch/cgi-bin/procgi.pl/www/iecwww.p?wwwlang=e&wwwprog=pro-det.p&progdb=db1&He=IEC &Pu=62682&Pa=&Se=&Am=&Fr=&TR=&Ed=1.0 © PAS 2010 1 2. Does ISA-18.2 Apply to You? The important thing is that regulatory agencies The focus of ISA-18.2 is on alarm systems that have “general duty” clauses and interpretations. As are part of modern control systems, such as one example, consider OSHA 1910.119 (d)(3) (ii) DCSs, SCADA systems, PLCs, or Safety Systems. which states, “The employer shall document that It applies to plants with operators responding to equipment complies with recognized and generally alarms depicted on a computer-type screen and/ accepted good engineering practices.” This is or an annunciator. actually a regulatory acronym, RAGAGEP. This includes the bulk of all processes operating Codes, standards, and practices are usually today, specifically: considered “recognized and generally accepted good engineering practices.” In the OSHA • Petrochemical interpretation letter to ISA, a National Consensus • Chemical Standard, such as ISA-18.2, is a RAGAGEP. • Refining OSHA recognizes ANSI/ISA S84.01-1996 as • Platform an example.2 There exists a “Memorandum • Pipelines of Understanding” between OSHA and ANSI • Power Plants regarding these matters.3 • Pharmaceuticals • Mining & Metals There is little question ISA-18.2 is an example of RAGAGEP, and companies should expect Additionally, it applies whether your process is the regulatory agencies to take notice. Generally, continuous, batch, semi-batch, or discrete. The a regulated industry can be expected to either reason for this commonality is that alarm response comply with RAGAGEP or explain and show is really not a function of the specific process being they are doing something just as good or better. controlled; it is a human-machine interaction. The Indeed, OSHA has sought and received permission steps for detecting an alarm, analyzing the situation, from ISA to internally distribute ISA-18.2 to its and reacting are steps performed by the operator. inspectors. This was with the specific intent to be There is little difference if you are making (or able to easily cite it in investigations and used for moving) gasoline, plastics, megawatts, or aspirin. enforcement reasons. While many industries feel “We’re different!”, that is simply not the case when it comes to alarm The U.S. Chemical Safety Board (www.csb.gov) response. Many different industries participated will also be using ISA-18.2 as a resource in its in the development of ISA-18.2, recognized investigations. Other regulatory agencies are also this, and the resulting standard has overlapping becoming aware of ISA-18.2. The American applicability. Petroleum Institute (API) will soon release API RP-1167, Alarm Management Recommended ISA-18.2 indicates the boundaries of the alarm Practices for Pipeline Systems. This API document system relative to terms used in other standards, is in full alignment with ISA-18.2, and the Pipeline such as Basic Process Control System (BPCS), and Hazardous Materials Safety Administration Safety Instrumented System (SIS), etc. Several (PHMSA) generally adopts API recommended exclusions are listed to not contradict existing practices in their regulatory language. content in other standards. 4. Grandfathering 3. Regulatory Impact A grandfather clause used by other ANSI/ISA This paper is not intending to be a detailed clause- standards was also used in ISA-18.2. It is: by-clause interpretation of OSHA, EPA, DOT, PHMSA, or other regulations. The regulatory “For existing alarm systems designed and constructed in environment is complex and overlapping for accordance with codes, standards, and/or practices prior some industry segments. Many industries are to the issue of this standard, the owner/operator shall clearly covered by OSHA 1910.119 Process determine that the equipment is designed, maintained, Safety Management, which makes a few specific inspected, tested, and operated in a safe manner. The mentions of alarms. practices and procedures of this standard shall be applied to existing systems in a reasonable time as determined by the owner/operator.” 2. See http://www.osha.gov/pls/oshaweb/owadisp.show_document?p_table=INTERPRETATIONS&p_id=25164 3. See http://www.osha.gov/pls/oshaweb/owadisp.show_document?p_table=MOU&p_id=323 2 © PAS 2010 The two instances of “shall”, which are type of DCS. They are used to indicate when highlighted, indicate mandatory requirements. the alarm functionality is not working (generally This clause mimics language used in OSHA through an override mechanism of some sort). regulation 1910.119(d)(3)(iii). It is possible, and unfortunately common, to suppress an alarm outside of the proper work 5. Definitions in ISA-18.2 practices, and the detection of such undesirable An immense amount of work was done in situations is part of the Monitoring life cycle researching and carefully crafting various stage. definitions, while maintaining consistency between ISA-18.2 and other references. 7. The Alarm Management Life Cycle ISA-18.2 defines an alarm as “an audible and/or ISA-18.2 is written with a life cycle structure visible means of indicating to the operator an equipment comprised of ten stages (see Figure 1). They malfunction, process deviation, or abnormal condition are: requiring a response.” Alarm Philosophy: Documents the objectives 6. Alarm State Transitions of the alarm system and the work processes ISA-18.2 includes a to meet those moderately complex objectives. diagram depicting the Identification: alarm states and sub- Work processes states of “Normal”, deter mining “Unacknowledged”, which alarms are “Acknowledged”, necessary. “Returned-to-Normal”, and “Latched”. Of Rationalization: particular interest are The process the states of “Shelved”, of ensuring an “Suppressed by alarm meets the Design”, and “Out of requirements Service”. These have set forth in the specific meanings: alarm philosophy, including the tasks “Shelved” is an alarm Figure 1: The Alarm Management Life Cycle of prioritization, that is temporarily suppressed, usually via classification, settings determination, and a manual initiation by the operator, using a documentation. method meeting a variety of administrative requirements to ensure the shelved status is Detailed Design: The process of designing known and tracked. the aspects of the alarm so that it meets the requirements determined in rationalization and “Suppressed By Design” is an alarm in the philosophy. This includes some HMI intentionally suppressed due to a designed depiction decisions and can include the use of condition. This is a generic description that special or advanced techniques. includes such items as simple logic-based alarms and advanced state-based alarming Implementation: The alarm design is brought techniques. into operational status. This may involve commissioning, testing, and training activities. “Out of Service” is a non-functioning alarm, usually for reasons associated with the Operation: The alarm is functional. This stage Maintenance stage of the life cycle. An “Out includes refresher training, if required. of Service” alarm is also tracked via similar Maintenance: The alarm is non-functional administrative requirements to a shelved due to either test or repair activities. (Do not alarm. equate this life cycle stage with the maintenance The terms “suppress” and “alarm suppression” department or function.) are intentionally generic and not specific to a 3 © PAS 2010 Monitoring and Assessment: The alarm the operator first. But I can make this change system’s performance is continuously monitored without that and the alarm will remain online and reported against the goals in the alarm throughout.” philosophy. Management of Change Stage: Engineer: “So Management of Change: Changes to the alarm far, I haven’t actually changed anything. Before I system follow a defined process. type in and activate this new number for deadband, I mentally review the management of change Audit: Periodic reviews are conducted to maintain requirements for doing so. This specific type of the integrity of the alarm system and alarm change is covered in our alarm philosophy, and management work processes. our site procedures empower me to make this 7.1. Life Cycle Stages vs. Activities change as part of my authorized job duties. I do Do not confuse a life cycle stage with an activity. not have to seek any approval or signatures. I will Life cycle is a structure for the content of the ISA- have to document this change in the master alarm 18.2 document. It is not specifically or necessarily a database though.” list of activities to be accomplished in a particular Implementation Stage: Engineer: “Now I order. actually change the deadband. I type in the new For example, in a matter of minutes an engineer number and hit ‘Enter.’ Done!” could sit down and resolve a single nuisance Rationalization Stage4: Engineer: “Since I have chattering alarm. That task could involve going the proper security access, I will add this new through several different life cycle stages as part deadband setting into the master alarm database of performing the activities associated with a along with my name, date, and reason. I will also simple task. Consider the following: make a note in the weekly nuisance alarm tracking Monitoring Stage: Engineer: “Well today, I am report about this one. As long as I am here looking spending some time fixing nuisance alarms. Which at this alarm, I note it is configured as a Priority of my alarms are on the most frequent alarm list? 3. That seems reasonable, but let’s just check the Ah, there’s one – a chattering high-value alarm on online master alarm database for the reasons that the column pressure.” resulted in that priority assignment. Hmmm, they look pretty good. If they did not, I could not Identification Stage: Engineer: “Ah yes, I change them myself. I need the Prioritization team happen to remember that we need this alarm as take a look at it. Any change in priority requires part of our quality program; however my job notification to the operators.” today is to make it work correctly and eliminate the chattering behavior, not to decide whether to Monitoring Stage: Engineer: “Part of my work get rid of it or not. So I don’t have to research process for this is to continue to look at the alarm as to whether it was originally specified by some data to see if this deadband setting change solved particular process like a PHA.” the problem. I will add this one to my tracking and follow-up list.” Detailed Design Stage: Engineer: “Let’s check the configuration of this alarm. There’s nothing In a few minutes, several different life cycle unusual about it. Hmmm, I see that the alarm stages were briefly visited in accomplishing this deadband on this point is set to zero. That’s one example task. In understanding and applying certainly not a proper thing and could easily ISA-18.2, do not get overwrought about trying to lead to chattering behavior. Let’s examine some figure out which life cycle stage you are in at any process history and alarm history, and consult a point in time. It is a requirements structure, not a good book on alarm management to determine a work process sequential checklist. more appropriate deadband setting.” In 2006, PAS published The Alarm Management Operation Stage and Maintenance Stage: Handbook, which provided a proven seven-step Engineer: “Now I am going to alter the alarm methodology for solving an alarm system problem deadband to a new setting. Hmmm, do I have and accomplishing effective alarm management. to take the point off-scan to do that? Not in this There is no conflict between this seven-step case, on this DCS. If I did, I would have to tell approach and the ISA-18.2 life cycle methodology; 4. Documentation is a part of the Rationalization stage of the life cycle 4 © PAS 2010 there is only some different nomenclature and 8.2. Highly Managed Alarms task arrangement. The committee thought it desirable to explicitly define one class of alarms. A variety of 8. The Alarm Philosophy Life Cycle designations were considered, from “critical” to Stage “vital” to “special” to “super-duper.” “Highly ISA-18.2 recognizes that an alarm philosophy Managed Alarms” or HMAs was chosen as document is a key requirement for effective the term. The intent is to identify the alarms alarm management. A table lists topics which that must have a considerably high level of are noted as either mandatory or recommended administrative requirements. for inclusion. Remember that a standard describes the minimum acceptable, not the Now, there is no requirement to have or use optimum. this classification. However, if you do, if you state “this classification in my philosophy is per The major mandatory contents of the alarm the ISA-18.2 usage of Highly Managed”, then philosophy include roles and responsibilities, you must document and handle a multitude of alarm definition, the basis for alarm special administrative requirements in a precise prioritization, HMI guidance, performance way according to the standard. monitoring, management of change, training, etc. The various mandatory requirements for HMAs are spread over several sections throughout There are no surprises in the list except for two ISA-18.2. These include: concepts not previously included in the Alarm Management lexicon, “alarm classification” • Specific shelving requirements, and “highly managed alarms”. such as access control with audit trail • Specific “Out of Service” alarm 8.1. Alarm Classification requirements, such as interim Alarm classification is a method for assigning protection, access control, and audit and keeping track of various requirements trail for alarms, mostly administrative ones. For • Mandatory initial and refresher example, some alarms may require periodic training with specific content and refresher training, while others may not. The documentation same could be true for testing, maintenance, • Mandatory initial and periodic reporting, HMI depiction, and similar aspects. testing with specific documentation Alarm classes are defined and used to keep • Mandatory training around track of these requirements. It is mandatory in maintenance requirements with ISA-18.2 to define alarm classes. specific documentation • Mandatory audit requirements This is a slightly unusual thing for a standard. Normally, standards tell you what to do but not PAS’ advice is to specifically avoid the usage of how to do it, or to require a specific method. this alarm classification. You might choose to For example, the standard could have simply have your own similar classification, and then stated, “Identify and track alarms that require choose only the administrative requirements periodic testing.” There are a variety of methods you deem necessary for those alarms. These to successfully do this and a classification will probably be only a subset of the ISA-18.2 structure is only one of them. However, the listing for HMAs. committee elected to require a classification 9. The Alarm System Requirements structure, though it need not be an onerous Specification (ASRS) one. There are no specific class requirements This non-mandatory section basically says that and no minimum number of class definitions if you are buying a new control system, it is specified. PAS recommends the “keep it a good idea to write down your requirements simple” approach and have a straightforward and evaluate vendor offerings and capabilities class structure with minimal variations. against them. Specific deficiencies in the chosen system can drive the acquisition or creation of third-party or custom solutions. 5 © PAS 2010 The ASRS then becomes a useful document for mandatory contents of the rationalization stage system testing and acceptance. are for specific alarm documentation and alarm classification. 10. The Alarm Identification Life Cycle Stage The section is quite short since it intentionally This section of ISA-18.2 notes that different avoids listing specific methods for effective and methods are used to initially identify the need for efficient rationalization. Some examples of such some alarms. All modern control systems have a methods are planned for one of the follow-up lot of built-in alarm capability; perhaps more than ISA technical reports. a dozen types of alarms available for some point types. 12. The Basic Alarm Design Life Cycle Stage In some cases, the need for use of one of those This section describes the common capabilities of types or the creation of a specific alarm via custom control system alarm functionality and how they logic or calculation may be driven from a variety relate to the alarm state diagram. There is some of process-related sources. These are the usual non-mandatory advice about the proper usage of list of studies such as a Process Hazard Analysis some alarm types and some alarm configuration (PHA), Layer of Protection Analysis (LOPA), capabilities, such as deadband and delay time. Failure Mode and Effects Analysis (FMEA), etc. 13. Human-Machine Interface (HMI) 11. The Alarm Rationalization Life Cycle Design for Alarm Systems Stage This section describes the desired functionality for This life cycle stage consists of several activities. indicating alarms to the operator. Since there is a Most people familiar with alarm management current ISA standard in development specifically concepts think of rationalization as the specific about HMIs (ISA-101), this section is intentionally activity of a team reviewing an alarm system and limited. making decisions about usage, priority, setpoints, etc. In ISA-18.2, the word is used to indicate a Some items discussed (with little detail), include: collection of activities that may be done in a • Depiction of alarm states, priorities, variety of ways. and types The activities are as follows: • Alarm silencing and acknowledgement • Ensuring alarms meet the criteria set • Alarm shelving, designed forward in the alarm philosophy suppression, and out of service conditions • Justifying the need for the alarm and depiction • Marking for deletion alarms that • Alarm summary display functionality should not exist • Other alarm-related similar displays • Determining the appropriate alarm and functionality • type • Alarm sounds • Determining the appropriate alarm • Alarm information and messages setpoint or logical condition • Alarm annunciators • Determining the proper priority • Documenting any special design Many functionality items are listed as mandatory considerations for an alarm or recommended. The major mandatory items • Documenting any advanced alarming are for specific depiction of various alarm-related capabilities desired for an alarm conditions, and specifically required HMI screens • Documenting relevant information and functionality. These items are typically within such as operator action, consequences, the capabilities of most modern control systems. etc. It is noted at the start of the section that some • Determining the alarm’s classification described features are not possible in some control systems. You can still be in compliance with the Note all of the activities listed above include both standard if you have such a system. the cases of review of already existing alarms or consideration of potential new alarms. The major I would estimate that the ISA-101 standard on 6 © PAS 2010 HMI is several years from issuance. It actually They are as follows: might turn out to be just a technical report than • Planning a standard; this is uncertain. In the meantime, • Training for new systems and if you want more detailed information modifications on creating proper and effective operator • Testing and validation for new graphics, we recommend our latest book The systems and modifications High Performance HMI Handbook, as well as the • Documentation of training and ASM Consortium Guidelines for Effective Operator testing Display Design. 16. The Operation Life Cycle Stage 14. Enhanced and Advanced Alarm This section deals with mandatory requirements Methods and non-mandatory recommendations for This is an informative section providing an in-service and operating alarms. The areas overview of alarm features and capabilities that addressed are: are usually a bit beyond the standard capability of a control system. This section notes that • Alarm response procedures usage of such advanced capabilities may require • Alarm shelving, including additional design work and support. documentation • Operator refresher training, including These types of advanced methods briefly documentation discussed include the following: • Information linking 17. The Maintenance Life Cycle • Logic-based alarming Stage • Model-based alarming This section is not about the maintenance • Alarm attribute modification department or the maintenance function. • Externally enabled systems It is about the condition where an alarm • Logical alarm suppression/ has been removed from service specifically attribute modification for testing or repair. The section covers • State-based alarming mandatory requirements and non-mandatory • Model-based alarming recommendations for the following: • Non-control room considerations • Moving alarms in and out of the (such as remote alarm notification) Maintenance stage of the life cycle, • Paging, e-mailing, and remote including notification, tracking, and alerting systems documentation • Supplementary alarm systems • Interim procedures for when alarms • Continuously variable alarm are out of service thresholds • Periodic testing of alarms, including • Batch process alarm record-keeping considerations • Refresher training for personnel • Training, testing, and auditing involved with alarm repair or testing systems • Alarm validation in regard to • Alarm attribute enforcement equipment replacement 15. The Implementation Life Cycle Stage 18. The Monitoring and Assessment This section covers the activities and Life Cycle Stage requirements around implementing a new This is the stage in which alarm system alarm system or implementing desired changes performance is measured and reported. The to an existing one. The areas covered generally intent is to verify that the other life cycle stages have both mandatory requirements and non- are successful in creating an alarm system that mandatory recommendations. is effective. 7 © PAS 2010 It is mandatory that alarm system performance be The items covered are: measured and compared against goals identified • Changes subject to management of in the alarm philosophy. Four clearly defined change terms are used in this section: “monitoring”, • Change review process requirements “assessment”, “audit”, and “benchmark”. including the consideration of Several analyses are described and recommended technical basis, impact, procedure and for alarm system performance measurement. A documentation modifications, review, non-mandatory table indicating recommended and authorization performance goals and metrics is provided. The • Ensuring changes are in accordance with numbers allow for possible modifications, and are the alarm philosophy as follows: • Temporary changes • Implementation of changes “The target metrics in the following sections are approximate • Change documentation requirements and depend upon many factors (e.g. process type, operator and recommendations skill, HMI, degree of automation, operating environment, • Alarm decommissioning types and significance of the alarms produced). Maximum recommendations acceptable numbers could be significantly lower or perhaps • Alarm attribute modification slightly higher depending upon these factors. Alarm rate requirements and recommendations alone is not an indicator of acceptability.” The analyses described are: 20. The Audit Life Cycle Stage The Audit stage involves a more comprehensive • Average annunciated alarm rate per review of not only the performance of the operating position (per day, per hour, per alarm system itself, but also of the various work 10 minutes, with acceptability numbers) processes associated with it. The section covers • Peak annunciated alarm rates per the nature of audits, items to be examined, and operating position some recommendations around practices, such as • Alarm floods (calculation methods and interviews and action plans. recommendations) • Frequently occurring alarms 21. Summary • Chattering and fleeting alarms ISA-18.2 is an important standard and will • Stale alarms undoubtedly result in a significant safety • Annunciated alarm priority distribution enhancement for the process industries. It validates (alarm occurrences) and embodies practices that industry experts and • Alarm attributes priority distribution leading manufacturing companies have advocated (alarm configuration) for many years. The publication of ISA-18.2 • Unauthorized alarm suppression has significant regulatory consequences, and • Alarm attribute monitoring (for companies are advised to become familiar with its unauthorized change) contents. In deciding the particular measures and About the Author performance numbers, the committee did Bill Hollifield is the considerable research to achieve consensus. PAS Principal Alarm Several analyses with problematic concerns were Management and HMI intentionally left out. Recommendations for the Consultant. He is a voting reporting of alarm system analyses are provided. member of the ISA SP- 18 Alarm Management 19. The Management of Change Life committee and the Cycle Stage American Petroleum This section deals with mandatory requirements Institute’s committee and non-mandatory recommendations for change developing API-1167 Recommended Practices for of the alarm system. Alarm Management of Pipeline Systems. Bill is also the coauthor of The Alarm Management Handbook, The High-Performance HMI Handbook, and the Electric 8 © PAS 2010 Power Research Institute’s Alarm Management and Annunicator Application Guidelines. Bill has international, multi-company experience in all aspects of Alarm Management along with many years of chemical industry experience with focus in project management, chemical production, and control systems. Bill holds a Bachelor’s Degree in Mechanical Engineering from Louisiana Tech University and an MBA from the University of Houston. He’s a pilot, and builds furniture (and the occasional log home in the Ozarks) as a hobby. About PAS PAS (www.pas.com) improves the automation and operational effectiveness of power and process plants worldwide by aggregating, contextualizing, and simplifying relevant information and making it universally accessible and useful. We provide software and services that ensure safe running operations, maximize situation awareness, and reduce plant vulnerabilities. Our comprehensive portfolio includes solutions for Alarm Management, Automation Genome Mapping, Control Loop Performance Optimization, and High- Performance Human-Machine Interfaces. PAS solutions are installed in over 1,000 industrial plants worldwide. Contact PAS: 16055 Space Center Blvd., Ste. 600 Houston, TX 77062 +1.281.286.6565 [email protected] 9 © PAS 2010 Maximize Operator Effectiveness: High Performance HMI Principles and Best Practices Part 1 of 2 A PAS White Paper Version 3.0 Bill Hollifield Principal Alarm Management and HMI Consultant, PAS Hector Perez High Performance HMI Product Manager, PAS High Performance HMI 3.0 - Part 1 | Cover © PAS 2015