By Russel Treat, CEO, EnerSys Corporation
the implementation of the PHMSA Control Room Management (CRM) Rule in 2012,
pipeline operators and control room managers have become familiar with the fundamentals
of alarm management.
the first few years after implementation of CRM, the industry embraced steps
minimize alarm floods for pipeline controllers and support controllers, to enhance
situational awareness. Now, pipeline operators are working to continually advance
their alarm management programs, to increase operations and safety.
testing, and refining your alarm management program is critical to support effective
alarm response and emergency response in a pipeline control room.
every pipeline operator’s goal is to achieve business objectives without harm. A
proactive approach to alarm management supports this goal by providing these
word “alarm” is used in our industry to mean many things. Therefore, an
effective alarm management program requires a clear set of definitions to
support everyone being on the same page. Here is a set of recommended
Operating Conditions (AOC) is a term to describe an operating condition of the
pipeline outside the normal operating parameters, but which is not yet an
emergency. Creating a program that clearly identifies AOCs is critical to successful
a visible and/or audible means of indicating to the pipeline controller that an
abnormal operating condition exists, which requires the controller’s response —
without which, a bad outcome will occur. It is important to note that most
SCADA/HMI tools call all notifications “alarms.” The alarm management program
definition of an alarm is one that “requires action.”
is the process of ensuring that the alarms are optimally selected, designed, prioritized
and documented. In practice, each operator should take a holistic approach to
alarm management, including policy and procedure for alarm rationalization,
alarm logging, alarm-related shift handover actions, alarm analysis, compliance
and continual improvement of the alarm management program. The PHMSA Control
Room Management Rule (49 CFR Parts 192 and 195) and API 1167 provide guidance
on implementing an alarm management program.
PHMSA Control Room Management Rule (49 CFR Parts 192 and 195) and API 1167
provide guidance on implementing an alarm management program.
is the process of documenting the alarm-specific processes to verify, diagnose,
determine causes for and take the appropriate course of action to respond to an
Response is a specified course of action for the pipeline controller, when
presented with an alarm through the SCADA system on their HMI display. Ideally,
the controller will follow the rationalized procedure.
Response Sheet (ARS) is a critical element of alarm response, and it indicates
what the alarm is, the cause of the alarm, how to verify the cause and what
actions should be taken, given the cause.
are not alarms. An alert is a notification that does not require action. Said
another way, an “alert” is a notification that is not an “alarm.”
Response is a specified course of action that takes place when an emergency is identified.
In some cases, an alarm advances from alarm response to emergency response. The
goal is to expedite mitigation and minimize consequences, by following a clear
path to address the emergency situation.
Condition represents the state of a pipeline system as either “normal,”
“abnormal” (AOCs) or “emergency.”
that effective alarm and emergency response is supported by effective situational
awareness and an effective alarm management program, the purpose of this paper
is to address the relationship between alarm and emergency response.
ultimate goal of alarm response is to prevent escalation to emergency response.
achieve that goal, operators and control room managers need to have a clear
plan for how controllers should respond to each alarm. An important starting
point is the severity of the alarm.
an operator or control room manager sets up alarm rationalization, they will
set severity scores as critical, high, medium and low. The severity is based on
the possible adverse consequences if the alarm is not managed and the speed at
which the process changes.
setting a severity score, alarms can be pre-sorted, such that the
fastest-moving, highest risk situation is managed first. In addition, the alarm
annunciation can be linked to a specified course of action (ARS) for the
less time there is to respond, the greater the adverse consequence.
pre-defining the order of presentation to the controllers, operators can manage
each controller’s workflow, distribute other alarm responses to additional
controllers and enhance each controller’s ability to respond appropriately to an
there are many types of emergency situations, one of the most severe is a loss
of containment, either in the form of a pipeline leak or rupture. The result is
a risk to public safety and the environment.
should evaluate their ability to support the five priorities shown below when
managing a pipeline incident (via API):
control room has a distinct role in supporting the priorities. Controllers or
control room managers are often first to detect the indication of a potential
recognition, the control room should initiate shutdown or isolation procedures.
Operators should then support incident command, which includes mobilizing
personnel, notifying first responders and facilitating communication in a
the control room may detect an emergency condition, they generally do not
handle incident command. The primary role of the control room is to expedite
response and help mitigate the outcome. Incident command often takes place in
the field and is led by operations.
you are moving from alarm response to emergency response, it’s because the situation
went beyond the alarm limit to an adverse consequence. Essentially, the alarm
response was not sufficient to anticipate and address the situation.
important to note that not every emergency response escalates in a clear path,
from normal operating condition to abnormal operating condition to emergency.
Sometimes, a third-party event or a weather emergency creates enough impact to
advance the response directly from normal to emergency.
key is having a plan to quickly and efficiently address an emergency situation
to minimize consequence — regardless of whether an event advanced linearly from
alarm response to emergency response or if it bypassed alarm response directly
to emergency response.
you are in an emergency response condition, the alarm management program can be
extended to support emergency response in the following ways:
alarm management program supports a controller’s ability to understand exactly
what actions to take. By having mechanisms in place to support controller
response, the overall emergency response process is accelerated to minimize
and control room managers should be thinking about these actions in advance. They
should be recorded, made available to controllers and connected to each alarm.
information can be gleaned from each alarm situation in normal, abnormal, and emergency
operating conditions to analyze alarm response and emergency response.
part of a monthly alarm analysis required by PHMSA, operators should review
areas of concern. They should be asking questions about the amount of activity
for each controller, the number of alarms in the system, whether alarm flood is
impacting controller response, and whether alarm rationalization needs to be
improved to accelerate and expedite the alarm response.
should also look for bad actors. In other words, triggers that generated a high
number of alarms in the SCADA system. The goal is to remove these bad actors
from the system so that controllers can maintain focus on actual alarms,
meaning alarms associated with an AOC.
critical element of the review process is understanding the relating consequence
to the location. Alarms in High-Consequence Areas (HCAs) should have a higher
priority. HCAs can be identified through GIS or a mapping system.
identified, operators should map the proximity of main line valves to HCAs, tie
this information to alarm rationalization, and help controllers understand when
to shut down and isolate the pipeline
segment in an AOC or emergency situation. Ultimately, the goal is to minimize
the potential for and the consequence of adverse outcome.
than a controller trying to remember the locations of HCAs or spending valuable
time researching locations, the controller should have the information at their
fingertips to effectively respond to the alarm, preferably on the alarm
that emergencies generally cause alarm activation:
underlying theme of effective alarm management is effective communication for
alarm response and emergency response. The communication structure is to
initiate incident command, isolate the incident, and follow communication
protocol. The question is who should be involved in this process?
2018, PHMSA presented an important clarification to the CRM Rule about Roles
and Responsibilities in normal, abnormal, and emergency situations. In this
clarification, PHMSA called for pipeline operators to clearly identify and
designate the individuals with the ability and authority to direct the actions
of a controller or supersede the authority of a controller.
communication is initiated, there should be a plan for who should be notified –
whether internal supervisors, external first responders, or third parties. If
an incident is occurring at a site where there are interconnected parties, then
you need a plan to notify the interconnected party.
example, if the incident is near an HCA and there is a power plant coming off a
transmission line, then you will need to isolate the line, which impacts the
fuel feed for a power plant.
type of scenario requires communication activity that may or may not be part of
the incident command structure. That’s why it’s critical to define roles and
responsibilities within your alarm management program to help controllers
understand what information to communicate and to whom to communicate the
information. This way, the controller can take the appropriate action in a
that you cannot control alarm activation and you cannot control what emergencies
occur. However, you can plan. You can control your alarm set points, your alarm
analysis, your alarm rationalization and your emergency response planning.
EnerSys, we developed a software tool to help pipeline operators and control
room managers support alarm management for alarm response and emergency
is CEO of EnerSys and the host of “Pipeline Technology Podcast.”