The Connection of Peak Alarm Rates to Plant

Incidents and What You Can Do to Minimize

Dustin Beebe,* Steve Ferrer, and Darwin Logerot
ProSys, Inc., PO Box 77182, Baton Rouge, LA 70879; steve.ferrer@prosys.com (for correspondence)
Published online 27 November 2012 in Wiley Online Library (wileyonlinelibrary.com). DOI 10.1002/prs.11539
Even after several years of trying, many plants still struggle
with controlling alarm floods. Static rationalization can
reduce your average number of alarms but without controlling the alarm floods, there is no help for the operator when
he needs it the most. This session will cover the justification
for alarm management from the safety and environmental
as well as economic perspective. 2012 American Institute of
Chemical Engineers Process Saf Prog 32: 7277, 2013

Keywords: alarm management; flood; peak alarm; rationalization; ISA 18.2; alarm metrics; CSB; EEMUA

INTRODUCTION

Most of the incident investigations performed by the

Chemical Safety Board (CSB) cite alarm floods as being a significant contributing cause to industrial incidents [1]. The British-based organizationEngineering Equipment & Materials
Users Association (EEMUA) came to the same finding in its
report from 1999 when it analyzed major incidents around
the world including Three Mile Island, Bhopal, and Texaco
Milford Haven [2]. Therefore, the connection of alarm floods
to incidents has been well documented for over 12 years
with very little progress made in industry. Many corporations
and plant locations are unsure of what to do next to control
alarm floods. This article is offered to show examples of
successful alarm management programs and how they successfully control alarm floods under all operating conditions.
What is an Alarm Flood?
An alarm flood has been defined by ISA 18.2 as being 10 or
more annunciated alarms in any 10-min period per operator [3].

Why do Alarm Floods Occur?

Over the last 30 years, the number and frequency of
alarms have changed with technology. In the old days of
pneumatic controls, installing a new process alarm had significant costs. Since the use of computer-based control systems, new alarms cost nothing. As a result, the number and
frequency of alarms has skyrocketed over the years. This
phenomenon has gotten to the point that a term was needed
to define the experience when numerous alarms are annunciating in a streaman alarm flood.
Alarm floods typically occur upon a change of state in the
process. This could be from run to shutdown or a change
from state A to state B. This is because alarm settings are historically configured for steady-state run conditions and variables change upon a change of state in the process. This phenomenon can affect hundreds or even thousands of alarms.
Therefore, when the process state changes, many, many
alarms can sound in a short period of time. The first alarm or
two are usually the most criticalalerting the operator to the
change. After this many unnecessary and redundant alarms,
resulting from the same root cause, are annunciated and
displayed to the operator. If another situation develops, these
alarms would be added to the existing flood of alarms
without any demarcation between the two root causes for
the operator.
What Makes Alarm Floods so Dangerous?
Process state changes are critical periods where operators
need their alarm system to be fully functional. Unfortunately,
these periods are exactly where alarm floods occur.
The fact that alarm floods can occur in a process control
room is problematic for three reasons:

A deluge of alarms can cause the operator to miss critical

What is Impacted by Alarm Floods?
Alarm floods can and do impact the following items:

Product quality
Operability or profitability of the process
Loss of equipment
Operator mistakes and confusion
Missed alarms due to operator distractions
Operator feeling acknowledging alarms themselves are an
appropriate response to the alarm

Loss of containmentenvironmental releases

Injury and loss of life in plant or community
The article was originally presented at the 8th Global Congress on Process
Safety Houston, TX, April 14, 2012

2012 American Institute of Chemical Engineers

72

March 2013

alarms

Floods of alarms can be a significant distraction while the

operator is trying to deal with upsets in the plant. At
times, the operator is forced to acknowledge alarms without review to silence alarms in order to think.
Floods can be an indication of larger systemic safety
issues
What is the Problem in Industry?
Most alarm management practices and procedures including the 7 Steps only show results in the area of average
alarm rates. Certainly, reducing average alarm counts is positive, however, reducing floods (peak rates) is vastly more important for everyoneoperators, managers, and community.
The reason this is true is that peak rates are responsible for
operators missing critical alarms and average rates are not.
Process Safety Progress (Vol.32, No.1)

Disastrous incidents affecting lives, property, and the environment can begin when an operator misses a single alarm.
Some managers have allowed high peak rates to be filtered out of reports because of upsets in the process.
Although this makes the results look better, filtering these
results can hinder actually resolving the problem because
those results are removed from the discussion. Many managers take these steps because they do not believe they can
achieve better results. This belief is false because the means
for producing results that meet ISA 18.2 metrics under all
operating results does exist today and has for many years.

Thought Equation for Managers

The EEMUA Publication 191 provided several high profile
examples where poor alarm system performance (floods)
contributed to financial loss, injuries or death, and environmental damage. In fact, survey results provided by plants
involved in catastrophic events, indicated that loss incidents
frequently involved the operator being overloaded with
alarm floods. The following equation has been proposed to
emphasize proper thinking and priority of alarm management projects for corporate managers and managers of industrial health, safety, and environmental departments:
Floods incidents loss

Figure 1. Average dollar loss per major incident by cause.

[Color figure can be viewed in the online issue, which is
available at wileyonlinelibrary.com.]

What is a Quality Alarm?

In short, a quality alarm is an annunciated process condition or event to which the operator can and should take corrective action in order to return the process to stable and
safe operation.
Quality Alarm Attributes

Every alarm should:

Conversely, control of alarm floods will result
incidents, less loss and as a resultlower risk.
plants have reported lower insurance rates as a
lower risk attributed to superior alarm management

in fewer
Industrial
result of
practice.

The Cost of Poor Alarm Management

The cost of poor flood control and alarm management is
huge and affects all areas: loss of containmentenvironmental, equipment damage, off spec products, loss of production,
and event injury or loss of life.
The ASM Consortium has estimated that the total loss due
to operator error is $10B per year in the United States alone.
They also report that 70% of process incidents occur during
start-up or shutdown. Therefore, when the process is changing from one state to another and alarm floods have the
greatest propensity to occur, it makes sense that lots of errors
would occur during alarm floods.
The EEMUA, when speaking about the impact of alarm
floods on catastrophic incidents said . . . they were a major
contributor, and the loss incidents frequently involved the
operator being overloaded with alarm floods [2].
The ARC Advisory Groups process automation challenges
indicate operational error is the leading cause category when
examining the average dollar loss per major incident (see
Figure 1) [4].

Be clear and relevant to the operator

Indicate an abnormal process condition or event
Have consequences of inaction
Have a defined response
Be unique
Normal and Abnormal

NormalThat which is both planned and expected

Startup/shutdown
Mode switching
Equipment swapping
Other planned operating procedures
AbnormalThat which is unplanned or unexpected

Emergency shutdowns
Equipment failures
Other unplanned process transitions
Affect of Operations on Quality Alarms

A quality alarm that is relevant during plant operation at

maximum rates may not be a quality alarm during other conditions. Plant operations are not staticalarm configuration
should not be either.
ALARM MANAGEMENT EXECUTION

OBJECTIVES OF ALARM MANAGEMENT

A common misconception in industry is that the objective

of alarm management is to reduce the number of alarms
annunciated to the operator. While the reduction in alarm
rates will almost always be a result of a well-designed and
implemented alarm management project, it is not the primary
objective. The objective of alarm management is to improve
the quality of alarms.Additionally, the goal is to provide
operators with a consistent and reliable alarm interface that
supports their efforts to safely, reliably, and efficiently operate the process.
Another way of stating these objectives is to provide the
operator with alarms that are necessary and meaningful but
not those that are unnecessary, confusing, or redundant.
Process Safety Progress (Vol.32, No.1)

The Good, the Bad, the Ugly

The way alarms are treated by shift supervisors and plant
managers has a strong bearing on how they are treated by
the panel operators. There is an old safety adage that says
the standard you get is the standard you are willing to walk
past [5].
Many companies have started collecting and reporting
alarm event data as a means of understanding how they rate
in comparison to other units, other locations, or to the ISA/
ANSI 18.2 metrics. Most plants are trying to develop an
understanding of their results as it relates to the standard.
Unfortunately, many plants are inconsistent in the collection of data and production of reports because of the man-

Published on behalf of the AIChE

DOI 10.1002/prs

March 2013 73

Table 1. Comparison of Results by Rationalization Method.

Point Summary
Number of Areas
Points
3rd Qtr 2010: Avg Alarm
Rate per 10 min
4th Qtr 2010: Avg Alarm
Rate per 10 min
3rd Qtr 2010: Peak Alarm
Rate per 10 min
4th Qtr 2010: Peak Alarm
Rate per 10 min

ISA 18.2
Metrics[2]

Dynamic
Rationalization

Static
Rationalization

Bad Actor
Management

2
3641
0.67

2
3327
0.83

2
2552
2

0.67

4.3

10

6.5

211

67

10

117

159

Blocks in yellow do not meet ISA 18.2 Metrics.

hours of effort required for the reports. Also, the priority of

alarm reporting projects are typically low and the engineer
assigned to the task is often pulled to take on a more important project. Many times the project dies when the engineer
never goes back to the project.
Recent advancements in alarm reporting software tools
now allow the data collection and reporting process to be
completely automated for an enterprise of multiple plant
locations, units, or consoles.
Some corporations have not developed a corporate alarm
philosophy document. Many have not updated alarm rate targets to the most recent ISA 18.2 Standard. As a result, plant
managers do not have the means to justify expenditures to
achieve better performing alarm rates including the control
of alarm floods because the targets do not require improvement from the poor results currently attained.
Once the actual alarm performance versus a standard is
known, remediation can be justified. In addition to funding,
these engineering projects are also appropriately prioritized
with the commitment necessary to get the project done.
Unfortunately, without proper funding for these projects, priority and commitment will not follow.
Alarm Rationalization Methodologies
Alarm rationalization is a process by which alarms are
reviewed. Rationalization is one element of an overall alarm
management project or program. It is the most important element of alarm management, and the approach used in
rationalization will be a prime determinant in the success or
failure of the overall effort. A number of practices have
emerged with the intent to reduce alarm rates. Most only
affect average alarm rates. In fact, the ASM Consortium
reported that peak alarm rate is not closely correlated with
the degree of rationalization [6]. Only one process, dynamic
alarm management, has proven to control peak alarm rates
(alarm floods).
Bad Actor Management

This process is typically performed on a handful of alarms

with the highest annunciation rates. Focus is to reduce alarm
rates not to evaluate or enable legitimate alarms. The risk is
that some legitimate alarms may be disabled without consideration for the overall process. Bad actor management can
reduce average rates but does nothing to reduce alarm
floods.

alarms configured qualify as a quality alarm, meeting all the

criteria set forth in Section What is a Quality Alarm?. For each
quality alarm, the team documents causes, consequences,
actions associated with the alarm, and any other pertinent
data that is desired. An important note is that a thorough
rationalization should include not just alarms currently configured but all potential alarms available for configuration. Many
times, the addition of one well-designed alarm can eliminate
the need for many others. Static alarm rationalization covers a
single state of the processusually the run state. Most processes have several states, therefore, when nonrun states are
current, multiple alarms can sound because system readings
do not match the run state set points. Static rationalization of
alarms typically results in a reduction in average alarm counts
without much difference in peak alarm rates (floods). This is
the type of rationalization that the ASM Consortium report
showed did not reduce alarm floods. Additionally, the data
we have collected also supports this argument.
Dynamic Rationalization

Dynamic (aka state-based or mode-based) rationalization

is alarm rationalization for more than one process state. Static
rationalizations can become dynamic when the question
When is added to the discussion for each point. As a result,
the increased cost for performing a dynamic rationalization
versus a static one is not as significant as one might think.
Additionally, using the answers generated from the when
questions allows engineers to properly configure alarm management software to enable and deactivate alarms appropriately for whatever the current state is for the process.
Answering the when question involves using operating
experience and process knowledge to determine the detectable operating states of each section of the plant. The team
determines key operating data and a logic structure which
will be utilized to identify the current state. Once the states
and logic are determined, it is a straightforward exercise to
determine when (during which operating states) each alarm
is to be active and inactive.
One caveat related to dynamic alarming is that sometimes
this method can actually cause floods to occur if state transitions are not designed well. It is important that the software
and methodologies for dynamic alarming provide for smooth
transitioning of both the selected state and alarm re-enabling.

Static rationalization is a systematic review of all alarms in

a plant. The goal of the rationalization is to insure that all

Comparison of Alarm Rationalization Methodologies

The data in Table1 were acquired from four different sites
using various rationalization methodologies. Shutdowns and
upsets occurred for each of the units during the time period.

74

DOI 10.1002/prs

Static Rationalization

March 2013

Published on behalf of the AIChE

Process Safety Progress (Vol.32, No.1)

The actual results generated from bad actor management

show very little improvement of either average or peak alarm
rates. In Table 1 below, none of the readings were even
close to the requirements for meeting the ISA 18.2 guidelines.
Static rationalization improves average alarm rates to where
they can often meet ISA 18.2 Metrics but peak alarm rates
(floods) show very little improvement at all before and after
static rationalization. Dynamic rationalization is the only successful means for controlling both average and peak alarm
rates to levels that meet or exceed ISA 18.2 Metrics. The
results shown in Table 1 indicate how significant dynamic
rationalization can be for a process.
RESULTS OF PROPER ALARM MANAGEMENT

The results that can be obtained using dynamic rationalization can eliminate a significant number of redundant
alarms thereby reducing distractions and load for the operators. Figure 2 is a comparison of data for the same time

Figure 2. Comparison of dynamic versus typical alarm management. [Color figure can be viewed in the online issue,
which is available at wileyonlinelibrary.com.]

period in the same process. The only difference being that

the green line was generated after the system was dynamically rationalized. The red line was generated during the
exact same event and timeline, showing alarms that would
have occurred had dynamic alarming not been implemented.
In the graph shown in Figure 2, the red line indicates that
without dynamic alarming, a flood of about 150 alarms
would have occurred between 8:48 and 9:03 or over about 5
min. Within that same 5-minute period, the green line shows
the actual alarm rate. Note that at about 8:58, three alarms
soundedone of which was a critical alarm, not related to the
original event, which could have led to a significant incident
if it were missed by operators. As a result of so few unnecessary alarms annunciating, the plant manager felt dynamic
alarm management played a major role in helping to avert a
significant, potentially catastrophic event from occurring.
The graph in Figure 3 shows about one month of alarm
rate data in 12-hour segments. Near the end of the month,
the unit tripped and was completely shutdown as a result.
This process state change would generally trigger hundreds
and in some cases, thousands of alarms in a very short period of time. Eliminating the redundant or normal shutdown
alarms accomplished many goals including improving the
effectiveness of the operator. In this case, the first 12-h period containing the trip experiences only 50 alarms. This significant reduction in alarms during a shutdown improved the
ability to spot critical alarms by making them more obvious
to the operator. Also, reduced distractions provide time for
the operator to think ahead of the process and avoid potential problems before they develop.
The graph in Figure 4 (shown below) is a close up of the
shutdown period highlighted in Figure 3. Please note that the
actual peak rates never approached the ISA 18.2 peak alarm
limit of 60 alarms per hour.

Justification and Practical Steps to Control

Alarm Floods
The items listed below are current thoughts as well as
some keys to the success of any alarm management project.

Figure 3. Example of flood control using dynamically managed alarm rates upon unit trip and shutdowndata in 12-hour segments. [Color figure can be viewed in the online issue, which is available at wileyonlinelibrary.com.]

Process Safety Progress (Vol.32, No.1)

Published on behalf of the AIChE

DOI 10.1002/prs

March 2013 75

Figure 4. Example of flood control using dynamically managed alarm rates upon unit trip and shutdowndata in hourly
segments.

However, these items will not accomplish much if the management has not made a commitment to project success.

Process Safety Management (PSM) dictates that industrial

facilities handling highly hazardous chemicals be designed
in accordance with accepted industry standards and with
recognized and generally accepted good engineering
practices. Alarm management is gaining widespread acceptance; ISA Standard 18.2 has been published and is in
use. Will this now carry the weight of a regulatory
requirement?
If your project justification requires alarm performance
data versus ISA 18.2 metrics, and you lack a means of producing the graphs, then purchase an enterprise level
alarm reporting tool that can automatically gather and
report alarm data versus metrics. Focus on alarm floods to
justify your project. Remember the equationFloods 5
incidents 5 loss.
Alarms system design is typically not considered as an integral part of the unit design philosophy, and as a result,
many more alarms are active in most plants than are necessary. The following question should be asked for each
alarmIs the alarm annunciation indicating a normal or
abnormal event? If the event is normal, the alarm is probably not needed. These issues are generally resolved during a good rationalization process.
Consider the current plant operating culture. In some
plants, there may be a culture of operating by alarm.
That is, few operating adjustments are made unless an
alarm sounds. Still others may have so many alarms
sounding that most of them are ignored. In a plant such
as either of these, the operating culture may need to experience a shift. After a sound alarm management project
is executed and the system is installed and activated, the
plant will usually experience a significant drop in the
number of annunciated alarms. The alarms that are
annunciated will usually indicate plant conditions that do
require attention. Ignoring alarms will no longer be a viable option. If in your plant the operators are attentive to
the process, usually make proper adjustments before
76

March 2013

Published on behalf of the AIChE

alarm conditions are reached, and respond promptly

when an alarm is received, then little culture change will
be necessary.
Use a qualified alarm rationalization facilitator with process experience. This role is often best filled by a contractor to minimize political considerations with operators.
The rationalization team should be made up of operations, process engineering and controls engineering along
with an experienced rationalization facilitator.
Treat alarm rationalization like any other engineering project including the resources to get it done. Quite often the
internal, unofficial projects lose steam and commitment
and are usually abandoned before results are produced.
If you do not have an Alarm Philosophy document, make
this the first task of the project. The Alarm Philosophy
document is central to how alarms are established, prioritized, and configured. Therefore, this document is important to the alarm rationalization process to insure it is consistent with plant or corporate philosophy.
Use advanced dynamic alarm management software that
includes effective state transition management.

Questions that Should be added to Request for

Proposal for Alarm Management Vendors
1. Is the alarm management facilitator an experienced process
engineer or professional engineer? Is the rationalization
work backed up by a professional engineering company?
2. The alarm management software must be able to gently
handle alarm changes from one operating state to another
through the use of transition management. This prevents
transitions of operating state from triggering alarm floods
of their own. Delay timers are not recommended for this
purpose because the alarm could be set to off when it is
really needed. Transitioning and enabling the alarm as
soon as it is needed in the process is the best solution.
3. Dynamic rationalization should include 100% of alarms.
Rationalizing only Bad Actors or only alarms that have
DOI 10.1002/prs

Process Safety Progress (Vol.32, No.1)

sounded in the last 6 months, leave the rationalization

incomplete and open to floods.
4. Is the alarm shelving tool configurable with automatic reenabling? Does the alarm shelving have intelligent re-enabling?
5. Seek three references from vendor customers having PSM
processes where they are actively meeting ISA 18.2 metrics under all operating conditions. Verify references via
direct contact.
CONCLUSION

Although progress has been reported in the reduction

of average alarm rates, only very few locations have seen
the necessary improvement in peak alarm rates or floods.
Incident investigations reported over the last 12 years
have indicated loss incidents frequently involved the operator being overloaded with alarm floods [2]. Therefore,
if this is true, the equation floods 5 incidents 5 loss is
true. As a result, it is fair to state that control of alarm
floods will lead to fewer loss incidents and as a result
fewer health, safety and environmental incidents and their
associated losses will occur.
Several cases were shown in this document that alarm
floods can be controlled successfully through all process
states. Managers must emphasize controlling floods and provide resources in order to achieve results that meet the ISA

Process Safety Progress (Vol.32, No.1)

18.2 metrics for peak rates. When we are able to consistently

achieve the metric for peak rates, our risk of incident and
loss is better controlled.
LITERATURE CITED

1. U.S. Chemical Safety BoardCSB, Investigations, available

at: www.CSB.gov/investigations/default.aspx, accessed
on February 2012.
2. Alarm SystemsA Guide to Design, Management and
Procurement, 2nd ed., 2007, Appendix 16The Cost of
Poor Alarm Performance, EEMUA Publication 191, ISBN
0 85931 155 4, Imprint Reference 7-2007, London U.K.
3. ANSI/ISA 18.22009, Management of Alarm Systems for
the Process Industries, International Society of Automation, 67 T.W. Alexander Drive, Research Triangle Park,
North Carolina 27709, USA.
4. L. OBrien, Process Automation Industry ChallengesARC
Advisory Group, 3 Allied Drive, Suite 212, Dedham, MA
02026, presented at Rockwell Automation Fair - PSUG
2010.
5. S. Gill, Critical Alarm Management: Connecting the
Dots, 8th Global Congress on Process Safety, Houston,
TX, 2012.
6. P. Andow and B. Zapata, Reducing Alarm Flood Severity, Highlights from the ASM Consortium, Honeywell
Users Group, Phoenix, AZ, 2008.

Published on behalf of the AIChE

DOI 10.1002/prs

March 2013 77