Since time immemorial, philosophers have pondered this question -- “If a tree falls in the forest and there is no one to hear, does it make a noise?” It involves one’s definition of noise. Is “noise” the audible vibration generated by an object in motion or is it a product of the perceptive human mind? With regard to the latter, no alarm system is effective unless there is a timely and appropriate action in response. In other words, someone has to hear it.

An alarm system exists for one reason: to give early warning of an impending event. Alarms can be as simple as the cowbell tied to the door of a country store or as sophisticated as those found in art galleries or large industrial installations. These systems can be so large and complex that they require full-time staff to operate them.

Plant alarm systems serve at least two functions: 1) notify personnel of an abnormal condition regarding pressure or temperature and 2) monitor the operation to let the operator know exactly what is going on. In this discussion we will use the term “alarm systems” to include both functions.

To be effective an alarm system must meet a number of criteria and operate within certain parameters.

1) Specificity: Is the system specific with regard to the information it transmits? What is it really telling us versus what we actually want to know? For example, let us look at a relatively simple system intended to monitor the flow of cooling water in an industrial process unit. In this hypothetical installation the status of the coolant pump is indicated by a light that burns when the power is turned on. Now, what we really want to know is whether an adequate amount of cooling water is flowing through the system. Our simple alarm circuit does not speak to that. All we know is that if the switch is turned on, power is available up to the point where the indicator light is attached to the circuit. This may be in the switch box in the control room (not unlikely since it would involve the shortest run of wire between the light, the motor circuit and the control board), at the terminal block on the motor or any place in between. We have no hard evidence that the pump is actually operating. We may make an assumption that it is since the indicator light is lit. Then again, we all know what happens when we “assume.” It is possible that the indicator lamp is lit and the pump motor is turning but we do not know if water is flowing. Remember last week when those fellows digging near the cooling tower thought they hit something? And there was that bad wind storm last week that may have blown a plastic bag into the coolant sump without our knowledge. Murphy’s Law notwithstanding, that bag might find its way into the induction line supplying the coolant pump. The indicator lamp is lit, the pump is turning like crazy but no coolant is being pumped into the cooling tower.
Then, when the temperature of the reaction vessel exceeds the safe upper limit, we have a big “kaboom.” The investigation may, or may not, reveal the plastic bag in the induction line, meaning the control room operator will have a hard time convincing investigators that the alarm system indicated normal operation. To be effective such a system should specifically monitor what we need to know; namely, whether there is coolant flowing through the system. A flow detection device or, better yet, a flow meter would have informed the operator in time to determine the reason without havoc.

The converse can also be true. The indicator light may have burned out, giving a false indication that the pump is not operating when it is, a fact communicated by an irate maintenance man who opened the housing and got doused by a deluge of coolant, or worse.

2) Dependability: Can we depend on the system to do its job? In the aforementioned scenario the alarm system communicates with the operator by means of an illuminated indicator light. What assurance does the operator have that the system itself is working? Is the bulb in the indicator burned out and giving an incorrect reading? A better arrangement would be to have a two-light system, perhaps one green and one red. Either one light or the other would be “on” at all times. If neither light is burning we have a malfunction. The cause may be only a dead bulb but it needs to be investigated immediately. Malfunctions could be due to many things but there is also the possibility that it is trying to tell us that something is wrong.

3) Reliability: Can we depend on our system to do its job each and every time it is called upon? Alarm systems, by their very nature, are likely to actuate under unusual conditions. When this happens how does the system continue to function? Is there a backup power supply maintained on a regular basis? Does the equipment include a charging circuit for the batteries or do they have to be charged or changed on a regular basis? If so, is there an administrative mechanism to ensure that this is done on schedule?

The advent of pro-active safety practices coupled with the improvement in equipment and process reliability has greatly increased industrial productivity. It has also decreased the number of reported alarms to the point that some operators have never witnessed the sequence of events associated with an incident. Would this employee know what to do if there was an alarm? This uncovers the most vulnerable point in the alarm/monitoring protocol: the equipment-human interface.

The worst thing is the possibility of the system being taken for granted. Day after day workers come and go without giving thought to the alarm system on the back wall. Then, one day, the alarm goes off. “What happened? What’s that?” The air is full of questions. It is the second edge of a double-edged sword. The only remedy is an improved and continuing training program.

4) Adequate Response. Will the operator know what to do if the alarm/monitoring system indicates an abnormal condition and will he/she do it in a timely and appropriate manner?

An unannounced test of an alarm system can be most informative. Pull the main disconnect switch and see what happens. Hopefully, with experience and proper training the staff will implement an orderly response to the shutdown. But don’t count on it. Out of sight is out of mind during employee orientation or even when a new shift comes on duty. “That green light means that the coolant pump is on — if the red one comes on call maintenance.” No one thought to tell the new hire how to contact maintenance, especially at 3 a.m. on Sunday. Also, familiarity breeds contempt. “Yeah, that coolant pump light has been blinking all afternoon – the pump is running so it must be something wrong with the alarm system. I wouldn’t worry about it.” Unfortunately this brief conversation has been the precursor to many an industrial incident. Alarm systems are developed and deployed to notify humans of abnormal conditions. If they are activated, by definition, an abnormal condition exists which must be investigated, its cause determined and the fault remediated. Whatever transpires must be documented and appropriate authority notified immediately. No alarm or change in indication should ever be ignored.

5) Timeliness. Alarm systems must be programmed to give operators adequate time to respond and to allow whatever course of action is implemented enough time to take effect. In our hypothetical coolant pump scenario, if the interval between the indicator lamp dying and the temperature of the unit becoming supercritical is too short to allow for action such as dumping or flooding the reactor or activating a backup coolant pump, little point exists in having an alarm at all. A temperature monitor with a temperature set point low enough to allow appropriate response is better. Whether the coolant pump is running or not, what concerns us is the temperature of the reaction.

6) Independence. Alarm systems must be self-contained and, so far as is humanly possible, independent of outside circumstances. The alarm system for our coolant pump needs a standby power supply independent of commercial sources. In a power outage or interruption the alarm would continue to function, allowing operators to initiate remedial action or an immediate evacuation.

7) Free Standing. Alarm systems should be designed to operate in a “free standing” mode during periods when the control room is not occupied or the operating personnel fail to respond to the alarm.
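
The sketch below is an added example, not part of the original article. It applies criteria 1, 2, 5 and 7 to the hypothetical coolant pump; every threshold and name in it is an assumption chosen for illustration, and treating "both lamps lit" as a fault generalizes the article's "neither lamp lit" case.

```python
from dataclasses import dataclass

# Illustrative assumptions; none of these values come from the article.
MIN_FLOW_LPM = 200.0       # minimum acceptable coolant flow (litres/minute)
TEMP_LIMIT_C = 180.0       # safe upper limit of the reaction vessel
MAX_RISE_C_PER_MIN = 4.0   # worst-case heating rate with no coolant
RESPONSE_MIN = 10.0        # minutes needed for remedial action to take effect
ACK_TIMEOUT_S = 120        # unacknowledged alarm falls through to automation

# Timeliness: put the set point far enough below the limit that operators
# still have RESPONSE_MIN minutes at the worst-case rate of rise.
TEMP_SETPOINT_C = TEMP_LIMIT_C - MAX_RISE_C_PER_MIN * RESPONSE_MIN


@dataclass
class Reading:
    green_lamp: bool   # "pump on" indicator
    red_lamp: bool     # "pump off" indicator
    flow_lpm: float    # measured coolant flow
    temp_c: float      # measured vessel temperature


def evaluate(r: Reading) -> list:
    """Return the alarm conditions raised by one set of readings."""
    alarms = []
    # Dependability: exactly one lamp must be lit. Neither (dead bulb,
    # lost power) or both (wiring fault) means the indicator is suspect.
    if r.green_lamp == r.red_lamp:
        alarms.append("INDICATOR_FAULT")
    # Specificity: alarm on measured flow, not on power to the motor.
    if r.flow_lpm < MIN_FLOW_LPM:
        alarms.append("LOW_COOLANT_FLOW")
    # Timeliness: alarm at the set point, well before the limit.
    if r.temp_c >= TEMP_SETPOINT_C:
        alarms.append("HIGH_TEMPERATURE")
    return alarms


def respond(alarms: list, seconds_since_alarm: int, acknowledged: bool) -> str:
    """Free standing: act automatically if nobody acknowledges in time."""
    if not alarms:
        return "NORMAL"
    if acknowledged:
        return "OPERATOR_RESPONDING"
    if seconds_since_alarm >= ACK_TIMEOUT_S:
        return "AUTOMATIC_ACTION"  # e.g. start backup pump or flood reactor
    return "AWAITING_ACKNOWLEDGEMENT"
```

In the plastic-bag scenario the green lamp is lit and the motor is turning, yet `evaluate` still raises `LOW_COOLANT_FLOW` because it looks at the flow measurement rather than the lamp.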

8) Familiarity. Those who operate an installation need to be familiar with the alarm system. If a horn sounds or a light blinks the operator needs to know what that means. It is not the time to call up a friend and ask “Hey Ed, I got a red light blinking in the upper right hand corner of my board and the horn is honking off the wall – what does that mean?” If the operator does not know by now he will find out very soon. Lots of training with hands-on experience is all that ensures that those responsible for plant operations will respond to indications of an abnormal condition. That need for training is continuous. Updates, installation of new equipment and changes in process flow sheets make the control room a site of continuing change. Likewise, training needs to be updated constantly, particularly when significant changes are made in the operating protocol.

Sometimes modern alarm/monitoring systems are “smarter” than human operators. History bears this out. On April 16, 1947, a small fire broke out among bags of ammonium nitrate fertilizer in the hold of the ship Grandcamp as it lay docked at Texas City, TX. Had the vessel been fitted with an automatic deluge system that functioned properly the hold would have been flooded as soon as the temperature began to rise. A horrendous industrial accident would have been prevented.

Three-Mile Island is another case in point. According to Wikipedia, the accident began with failures in the non-nuclear secondary system, followed by a stuck-open pilot-operated relief valve in the primary system, which allowed large amounts of nuclear reactor coolant to escape. The mechanical failures were compounded by the plant operators who, due to inadequate training and other factors, failed to recognize the situation as a loss-of-coolant accident. In particular, a hidden indicator light led to an operator manually overriding the automatic emergency cooling system because it was mistakenly believed that too much coolant water was present in the reactor, causing the steam pressure release. As the reactor temperature rose, the system signaled the operators, who failed to take the correct action. When a second alarm was ignored the computer went to the next option until, finally, it triggered an emergency shutdown. No one was killed and injuries were minimal. Three-Mile Island was not a disaster but a success. The computerized system was able to overcome the operator errors. The long-term effects on the local population have been the subject of much debate but all concerned will have to agree that the alarm/monitoring system deployed prevented a major nuclear disaster on the order of Hiroshima.

One can only speculate on the outcome if the fertilizer plant in West, TX, had been equipped with an alarm system which, in the absence of a timely response from the operators, would have activated a deluge system to extinguish that first small fire.

 
