Successful alarm rationalization combines both art and science. From the scientific point of view, rationalization follows a systematic process that applies alarm management principles to determine whether an alarm is justified (needed) and to document its basis (cause, consequence, corrective action, time to respond) and settings (priority, setpoint) in a master alarm database. If the alarm cannot be justified, or it does not have sufficient basis, then it would be deactivated.
There is something more to successful rationalization than just following the science. There is an art to it. If you have ever participated in a rationalization with a skilled experienced facilitator (a master of the art), you will know what I mean.
I have seen situations where engineers believe they understand the science of rationalization only to end up with rubbish as a result (and they might not even realize it). In one case, elimination of an alarm led to a loss of primary containment. Turns out the operators relied on this “non-alarm” to tell them when to stop filling a tank.
Not fully understanding the art and science of rationalization can lead to mistakes. Below are some common mistakes as shared by exida’s rationalization masters.
Consequence of Inaction:
- Incorrectly use the Ultimate Consequence (from the PHA) instead of the Direct Consequence (which is the event that the operator prevents from occurring via their response). Using the Ultimate Consequence during prioritization will cause the alarm to be higher priority than is truly warranted and exaggerate its importance.
- Consider multiple failures, especially of other protection layers (e.g., SIS or a pressure relief valve); it should be assumed that other protection layers will function as designed.
- Incorrectly propagate the deviation upstream and downstream through multiple vessels in series. Generally speaking, impact should just consider the nearest vessel.
Corrective Action:
- Define generic actions that are not helpful to the specific situation (e.g., “Investigate and take necessary action”) or have not fully fleshed out the alarm’s justification.
- Should be actions that serve to correct the abnormal situation (“Call Controls Engineer” does not).
- Alarms with “soft” corrective actions such as these may not really meet the criteria for being an alarm. This is why it is important to define the valid types of corrective actions in the alarm philosophy.
Cause:
- Does not represent the root cause (e.g., cause of LAHH103 as “High Level” would be incorrect). Instead, it should be something like “drain valve closed”.
- Documents “every” potential cause rather than the top two or three most likely causes.
Time to Respond (Allowable Response Time)
- Allowable response time represents “the time from the activation of the alarm until the last moment the operator action will prevent the consequence.”
- It is NOT “how quickly do we want the operator to respond.”
- It is NOT “how long will it take the operator to respond.”
- Incorrect and inconsistent interpretation of time to respond may cause the prioritization to be wrong; an alarm that should be low priority could be set to high priority by estimating time to respond incorrectly.
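Several of the mistakes listed above can be caught mechanically before a record is accepted into the master alarm database. The following check is an added example, not exida's method or tooling: the record field names, the phrase patterns, and the sample records are assumptions constructed for illustration.

```python
import re

# Field names and phrase patterns are assumptions for this example; a site
# would take valid corrective-action types from its own alarm philosophy.
GENERIC_ACTION = re.compile(r"investigate|necessary action|\b(call|notify)\b", re.I)
# A "cause" that only restates the alarm condition, e.g. "High Level".
RESTATED_CAUSE = re.compile(
    r"^(high|low)([ -](high|low))?\s+(level|pressure|flow|temperature)$", re.I)
MAX_CAUSES = 3  # the page: document the top two or three most likely causes


def lint_alarm(rec):
    """Return rationalization findings for one master alarm database record."""
    findings = []
    actions = rec.get("corrective_actions", [])
    if not actions:
        findings.append("no corrective action documented")
    for action in actions:
        if GENERIC_ACTION.search(action):
            findings.append(f"generic or soft corrective action: {action!r}")
    causes = rec.get("causes", [])
    for cause in causes:
        if RESTATED_CAUSE.match(cause.strip()):
            findings.append(f"cause restates the alarm condition: {cause!r}")
    if len(causes) > MAX_CAUSES:
        findings.append(f"{len(causes)} causes listed, keep the top {MAX_CAUSES}")
    ttr = rec.get("time_to_respond_min")
    if not isinstance(ttr, (int, float)) or ttr <= 0:
        findings.append("allowable response time missing or not positive")
    if not rec.get("direct_consequence"):
        findings.append("direct consequence not documented")
    return findings


# Constructed sample records (not from a real plant database).
WEAK = {"tag": "LAHH103", "causes": ["High Level"],
        "direct_consequence": "Tank overflow",
        "corrective_actions": ["Investigate and take necessary action",
                               "Call Controls Engineer"],
        "time_to_respond_min": None}
SOUND = {"tag": "LAHH103", "causes": ["Drain valve closed"],
         "direct_consequence": "Tank overflow",
         "corrective_actions": ["Stop fill pump", "Open drain valve"],
         "time_to_respond_min": 10}

if __name__ == "__main__":
    for rec in (WEAK, SOUND):
        print(rec["tag"], lint_alarm(rec) or "OK")
```

A check like this only flags missing or boilerplate entries; whether the documented consequence is the direct one and whether the response time is interpreted correctly still has to be judged in the rationalization session.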
To learn more about alarm rationalization, check out the complete exida webinar.