By Russel Treat, CEO, EnerSys Corporation
With the implementation of the PHMSA Control Room Management (CRM) Rule in 2012, pipeline operators and control room managers have become familiar with the fundamentals of alarm management.
In the first few years after implementation of CRM, the industry embraced steps
to minimize alarm floods for pipeline controllers and support controllers, to enhance situational awareness. Now, pipeline operators are working to continually advance their alarm management programs, to increase operations and safety.
Planning, testing, and refining your alarm management program is critical to support effective alarm response and emergency response in a pipeline control room.
Ultimately, every pipeline operator’s goal is to achieve business objectives without harm. A proactive approach to alarm management supports this goal by providing these benefits:
The word “alarm” is used in our industry to mean many things. Therefore, an effective alarm management program requires a clear set of definitions to support everyone being on the same page. Here is a set of recommended definitions.
Definitions
Abnormal Operating Conditions (AOC) is a term to describe an operating condition of the pipeline outside the normal operating parameters, but which is not yet an emergency. Creating a program that clearly identifies AOCs is critical to successful alarm management.
Alarms are a visible and/or audible means of indicating to the pipeline controller that an abnormal operating condition exists, which requires the controller’s response — without which, a bad outcome will occur. It is important to note that most SCADA/HMI tools call all notifications “alarms.” The alarm management program definition of an alarm is one that “requires action.”
Alarm Management is the process of ensuring that the alarms are optimally selected, designed, prioritized and documented. In practice, each operator should take a holistic approach to alarm management, including policy and procedure for alarm rationalization, alarm logging, alarm-related shift handover actions, alarm analysis, compliance and continual improvement of the alarm management program. The PHMSA Control Room Management Rule (49 CFR Parts 192 and 195) and API 1167 provide guidance on implementing an alarm management program.
The PHMSA Control Room Management Rule (49 CFR Parts 192 and 195) and API 1167 provide guidance on implementing an alarm management program.
Alarm Rationalization is the process of documenting the alarm-specific processes to verify, diagnose, determine causes for and take the appropriate course of action to respond to an alarm.
Alarm Response is a specified course of action for the pipeline controller, when presented with an alarm through the SCADA system on their HMI display. Ideally, the controller will follow the rationalized procedure.
An Alarm Response Sheet (ARS) is a critical element of alarm response, and it indicates what the alarm is, the cause of the alarm, how to verify the cause and what actions should be taken, given the cause.
Alerts are not alarms. An alert is a notification that does not require action. Said another way, an “alert” is a notification that is not an “alarm.”
Emergency Response is a specified course of action that takes place when an emergency is identified. In some cases, an alarm advances from alarm response to emergency response. The goal is to expedite mitigation and minimize consequences, by following a clear path to address the emergency situation.
Operating Condition represents the state of a pipeline system as either “normal,” “abnormal” (AOCs) or “emergency.”
Considering that effective alarm and emergency response is supported by effective situational awareness and an effective alarm management program, the purpose of this paper is to address the relationship between alarm and emergency response.
Alarm Response
The ultimate goal of alarm response is to prevent escalation to emergency response.
To achieve that goal, operators and control room managers need to have a clear plan for how controllers should respond to each alarm. An important starting point is the severity of the alarm.
When an operator or control room manager sets up alarm rationalization, they will set severity scores as critical, high, medium and low. The severity is based on the possible adverse consequences if the alarm is not managed and the speed at which the process changes.
By setting a severity score, alarms can be pre-sorted, such that the fastest-moving, highest risk situation is managed first. In addition, the alarm annunciation can be linked to a specified course of action (ARS) for the controller.
The less time there is to respond, the greater the adverse consequence.
By pre-defining the order of presentation to the controllers, operators can manage each controller’s workflow, distribute other alarm responses to additional controllers and enhance each controller’s ability to respond appropriately to an alarm.
Emergency Situation
While there are many types of emergency situations, one of the most severe is a loss of containment, either in the form of a pipeline leak or rupture. The result is a risk to public safety and the environment.
Operators should evaluate their ability to support the five priorities shown below when managing a pipeline incident (via API):
The control room has a distinct role in supporting the priorities. Controllers or control room managers are often first to detect the indication of a potential emergency.
Upon recognition, the control room should initiate shutdown or isolation procedures. Operators should then support incident command, which includes mobilizing personnel, notifying first responders and facilitating communication in a proactive manner.
While the control room may detect an emergency condition, they generally do not handle incident command. The primary role of the control room is to expedite response and help mitigate the outcome. Incident command often takes place in the field and is led by operations.
Emergency Response
If you are moving from alarm response to emergency response, it’s because the situation went beyond the alarm limit to an adverse consequence. Essentially, the alarm response was not sufficient to anticipate and address the situation.
It’s important to note that not every emergency response escalates in a clear path, from normal operating condition to abnormal operating condition to emergency. Sometimes, a third-party event or a weather emergency creates enough impact to advance the response directly from normal to emergency.
The key is having a plan to quickly and efficiently address an emergency situation to minimize consequence — regardless of whether an event advanced linearly from alarm response to emergency response or if it bypassed alarm response directly to emergency response.
When you are in an emergency response condition, the alarm management program can be extended to support emergency response in the following ways:
The alarm management program supports a controller’s ability to understand exactly what actions to take. By having mechanisms in place to support controller response, the overall emergency response process is accelerated to minimize consequences.
Operators and control room managers should be thinking about these actions in advance. They should be recorded, made available to controllers and connected to each alarm.
Routine Analysis
Valuable information can be gleaned from each alarm situation in normal, abnormal, and emergency operating conditions to analyze alarm response and emergency response.
As part of a monthly alarm analysis required by PHMSA, operators should review areas of concern. They should be asking questions about the amount of activity for each controller, the number of alarms in the system, whether alarm flood is impacting controller response, and whether alarm rationalization needs to be improved to accelerate and expedite the alarm response.
Operators should also look for bad actors. In other words, triggers that generated a high number of alarms in the SCADA system. The goal is to remove these bad actors from the system so that controllers can maintain focus on actual alarms, meaning alarms associated with an AOC.
Another critical element of the review process is understanding the relating consequence to the location. Alarms in High-Consequence Areas (HCAs) should have a higher priority. HCAs can be identified through GIS or a mapping system.
Once identified, operators should map the proximity of main line valves to HCAs, tie this information to alarm rationalization, and help controllers understand when to shut down and isolate the pipeline segment in an AOC or emergency situation. Ultimately, the goal is to minimize the potential for and the consequence of adverse outcome.
Rather than a controller trying to remember the locations of HCAs or spending valuable time researching locations, the controller should have the information at their fingertips to effectively respond to the alarm, preferably on the alarm response sheet.
Remember that emergencies generally cause alarm activation:
Communication
An underlying theme of effective alarm management is effective communication for alarm response and emergency response. The communication structure is to initiate incident command, isolate the incident, and follow communication protocol. The question is who should be involved in this process?
In 2018, PHMSA presented an important clarification to the CRM Rule about Roles and Responsibilities in normal, abnormal, and emergency situations. In this clarification, PHMSA called for pipeline operators to clearly identify and designate the individuals with the ability and authority to direct the actions of a controller or supersede the authority of a controller.
When communication is initiated, there should be a plan for who should be notified – whether internal supervisors, external first responders, or third parties. If an incident is occurring at a site where there are interconnected parties, then you need a plan to notify the interconnected party.
For example, if the incident is near an HCA and there is a power plant coming off a transmission line, then you will need to isolate the line, which impacts the fuel feed for a power plant.
This type of scenario requires communication activity that may or may not be part of the incident command structure. That’s why it’s critical to define roles and responsibilities within your alarm management program to help controllers understand what information to communicate and to whom to communicate the information. This way, the controller can take the appropriate action in a given situation.
Conclusion
Remember that you cannot control alarm activation and you cannot control what emergencies occur. However, you can plan. You can control your alarm set points, your alarm analysis, your alarm rationalization and your emergency response planning.
At EnerSys, we developed a software tool to help pipeline operators and control room managers support alarm management for alarm response and emergency response. P&GJ
Russel Treat is CEO of EnerSys and the host of “Pipeline Technology Podcast.”