SCADA Alarm Management and Rationalization

The Alarm Management Problem

Alarm overload is the most common operational issue in SCADA systems. Studies consistently show that operators in poorly managed systems receive 1,000-2,000 alarms per day per operator position, far exceeding the human capacity to respond effectively. ISA-18.2 recommends a maximum of 6 alarms per hour during normal operations and no more than 10 per hour during upset conditions. When operators are overwhelmed by alarms, they develop "alarm fatigue" and begin to ignore or acknowledge alarms without taking action, creating serious safety and operational risks.

The 2005 Texas City refinery explosion, the Deepwater Horizon disaster, and numerous pipeline incidents have been linked to alarm management failures. Regulatory bodies including OSHA, PHMSA, and the Chemical Safety Board have emphasized alarm management as a critical element of process safety management.

ISA-18.2 and IEC 62682 Standards

ISA-18.2 (Management of Alarm Systems for the Process Industries) and its international equivalent IEC 62682 define the alarm management lifecycle:

• Philosophy: Establish organizational principles for alarm system design and management
• Identification: Determine what conditions require alarms based on process hazard analysis
• Rationalization: Systematically review each alarm to define its purpose, setpoint, priority, response procedure, and consequence of inaction
• Design: Implement alarms in the SCADA system following rationalization documentation
• Operation: Monitor alarm system performance against KPI benchmarks
• Maintenance: Periodically review and update alarms as process conditions change
• Monitoring and Assessment: Continuous KPI tracking with management of change for alarm modifications

Alarm Rationalization Methodology

Master Alarm Database

The first step is documenting every configured alarm in a master alarm database (MAD). For each alarm, record the tag name, alarm type (high, low, deviation, rate of change), current setpoint, priority level, cause, consequence of inaction, corrective action, and response time requirement. This database becomes the living document that governs alarm system changes.

Priority Assignment

Alarm priority should be based on the consequence of inaction and the available response time:

• Critical (Priority 1): Immediate safety or environmental hazard requiring response within minutes. Examples: H2S detection, high-high pressure, fire detection.
• High (Priority 2): Significant operational or safety consequence requiring response within 15-30 minutes. Examples: pump vibration alarm, tank high level.
• Medium (Priority 3): Moderate operational consequence with response within 1-4 hours. Examples: compressor maintenance due alarm, communication failure to non-critical site.
• Low (Priority 4): Minor operational impact, informational. Examples: instrument drift warning, backup battery low.

ISA-18.2 recommends a priority distribution of approximately 5% critical, 15% high, 30% medium, and 50% low. Systems where most alarms are marked critical or high indicate poor prioritization.

Bad Actor Analysis

Bad actor analysis identifies the alarms that generate the most activations. Typically, the top 10 "bad actor" alarms account for 50-80% of total alarm load. Common causes of chattering or nuisance alarms include setpoints too close to normal operating values, insufficient deadband (hysteresis), instrument noise or failing sensors, process variability not accounted for in alarm design, and alarms that were added reactively after incidents without proper engineering analysis.

Alarm Reduction Techniques

Deadband Optimization

Deadband (hysteresis) prevents an alarm from repeatedly activating and clearing when a process variable oscillates near the setpoint. A common starting point is 1-2% of the measurement span, but optimal deadband depends on process dynamics. A pressure transmitter spanning 0-1000 PSI might use a 10 PSI deadband, preventing nuisance alarms when pressure fluctuates between 495-505 PSI around a 500 PSI setpoint.

Alarm Shelving and Suppression

Alarm shelving temporarily removes an alarm from the operator's view during known conditions such as equipment maintenance, process startup, or instrument calibration. Shelved alarms should have automatic time limits (typically 8-24 hours) and be tracked in a shelving log. Permanent suppression removes alarms that provide no actionable information, but should require management of change approval.

State-Based Alarming

State-based alarming adjusts alarm setpoints and priorities based on the current operating state. A compressor station has different normal operating parameters during startup, steady-state operation, and shutdown. Alarms that are meaningful during steady-state may be nuisances during startup. Implementing state-based alarming requires defining operating states, mapping alarm parameters to each state, and automating state transitions.

Alarm KPI Benchmarks

ISA-18.2 and EEMUA Publication 191 define key performance indicators for alarm systems:

• Average alarm rate: Target less than 6 per operator per hour during normal operations. Greater than 12 per hour is overloaded.
• Peak alarm rate: Target less than 10 per operator per 10-minute period during upsets.
• Chattering alarms: Less than 1% of configured alarms should chatter (activate and clear more than 3 times in 1 minute).
• Stale alarms: Less than 5% of active alarms should remain active for more than 24 hours.
• Priority distribution: Approximately 5% critical, 15% high, 30% medium, 50% low.
• Alarm floods: Less than 4 per month (more than 10 alarms in 10 minutes).

NFM Consulting performs alarm management assessments for SCADA systems across Texas, analyzing alarm performance against these benchmarks and developing rationalization plans to bring systems into compliance with ISA-18.2.