InTech

JAN-FEB 2018

Issue link: http://intechdigitalxp.isa.org/i/935787


SYSTEM INTEGRATION 24 INTECH JANUARY/FEBRUARY 2018 WWW.ISA.ORG

best way to design the alarm to achieve the mitigation results previously envisioned?

First, the rationalization team should not be forced to determine the difference between normal alarms and those that are truly critical. The critical ones should be clearly defined and documented by the hazards analysis, and their treatment should be defined in the alarm philosophy document. When done well, the documentation should leave no doubt which alarms are intended to be IPLs. If the documentation is insufficient, there is a chance that an alarm will not be treated appropriately or be missed entirely.

Second, the HAZOP team probably will not specify how the alarm should be implemented, given the limited information available during that phase of the analysis. The rationalization team will have to review the hazard and determine what event triggers an alarm and what series of actions the operator should perform within the necessary time window to mitigate the situation.

Not for the fainthearted

A team cannot be expected to review every hazard, and also to design the mitigation solution through layers of protection and alarming. Though ideal, it is impractical for most companies. In reality, it is common for each team (HAZOP, LOPA, alarm rationalization, implementation) to function independently, probably at different times and with different people (figure 2). There will be multiple handoffs from stage to stage. With effective documentation, these handoffs do not become points where knowledge is lost.

Because we are focusing on alarm rationalization, let's look at how this process works when dealing with safety-related alarms, many of which qualify as IPLs and figure into the larger SIS calculations. Alarm rationalization is a long and complex process, thoroughly documented in ANSI/ISA-18.2, Management of Alarm Systems for the Process Industries (figure 3).
Many elements factor into the discussion, particularly when working with the safety-oriented alarms designed to perform as IPLs. The alarm rationalization team has to understand the methodology followed by earlier teams to recognize the hazards and generate the alarm requirements. Few companies have enough people with the depth of skill, experience, and time to do this, so outside assistance is often required.

Because any alarm, by definition, has to have an associated operator action, all alarms require workflow management. Operators need to know alarm responses from memory, or at least be able to retrieve them very quickly. Anyone auditing the system will likely quiz operators to make sure they can respond correctly and promptly. This means those individuals need to be trained.

This is especially true for safety alarms where there is probably a very stringent time-of-response requirement. These alarms require the correct response within a specified time, or the opportunity to slow or stop escalation of the problem will be lost.

Consequently, anyone on the alarm rationalization team must bring a variety of skills and a thorough understanding of all the implications of the team's actions. The relationship between the BPCS and alarms within the SIS calculations is complex. Not all alarms recommended to help mitigate SIS-related hazards qualify as IPLs, so determining where credit is taken requires a deep understanding of these mechanisms.

If alarms being brought into the safety system are not implemented correctly, the IPL loses its validity, along with any credit in the larger SIS calculations. This often happens on a practical basis, whether anyone recognizes it or not. If the alarm is not implemented correctly, there may be excessive demand placed on the SIS, causing it to not have the intended availability to mitigate the hazard.
Alarm rationalization requires an engineering review before implementation, so alarms can be identified correctly, with each resulting alarm providing the protection required to fulfill the HAZOP, IPL, and the associated SIL calculations. Of course, this element of alarm rationalization is only one facet of a larger process. Most companies cannot pull it off single-handedly, given the complexity and risk associated with the effort, but outside consultants are available to assist.

To understand the interplay of all these elements, everyone involved needs extensive process industry experience. Facilities and process units often handle very dangerous products with serious potential hazards. Handling them well requires discipline to avoid conditions that could cause an incident. Team facilitators, whether employees or consultants, must make sure all participants in the chain of analysis, design, and implementation know what is required to meet safety expectations.

Outside consultants, as neutral participants, can increase the likelihood of staying on track and avoiding internal

Figure 2. An experienced consultant provides continuity, so all elements are completed appropriately. [Diagram: consultants span three stages. HAZOP: identify hazards, judge severity, estimate likelihood. LOPA: review HAZOP, identify new hazards, create IPLs, recommend alarms. Alarm rationalization: design alarms, design workflows, integrate with SIS.]

Figure 3. ISA-18.2 outlines the entire life cycle for a given alarm. [Diagram labels: Philosophy, Identification, Rationalization, Detailed design, Implementation, Operation, Maintenance, Monitoring and assessment, Management of change, Audit.]
