I recently received an enquiry from a customer.  He asked if I know of any technical resource that specifies a limitation on the number of alarms that can be considered as an IPL.  The rationale being that there comes a point where an operator is exposed to so many IPL alarms that he will not be able to properly respond to them.  This was quite a thought provoking questions because I had never considered the issue simply limited to IPL alarms.  As a member of the ISA 18 committee that developed the ISA 18.02 standard, which is currently in the process of being reviewed and adopted as an IEC standard, I had always considered to total number of alarms that the operator is exposed to, and not just the ones that have the additional classification of being an IPL.  As I explained, all alarms need to be responded to, and it is very likely the some non-IPL alarms will actually have a higher criticality than IPL alarms due to a short time available for response.  My reply is paraphrased below.

I’m not aware of any national or international standard, recommended practice, or technical report that will specifically set a limitation on only IPL alarms.  Generally speaking, limiting the consideration of alarm loading to only IPL alarms would not tell the whole story, as EVERY alarm needs to be responded to, not just the IPL alarms.  Furthermore, I suspect that many of the IPL alarms would actually get a lower priority than non-IPL alarms due to the ample time that is usually available to respond to IPL alarms, whereas other non-IPL alarms may have very short time frames available in which to perform a mitigative action.

With respect to metrics for alarm performance in general (not just IPL alarms) an operator can be considered ‘overloaded’ if they are receiving an alarm more than once every 5-10 minutes.  In general 5-10 minutes is what is required to respond to an alarm, so if alarms are being activated at a rate that is faster than the operator’s ability to respond, the operator will not be finished with the first alarm response before the second alarm comes in, and so on.  This then leads to an overall out of control situation.  Metrics for operating loading can be found in EEMUA 191 and ISA 18.02 (which is on its way to becoming IEC 62682).

Another “design phase” problem, is that there is really no way of know what the alarm annunciation rate will be ahead of time.  You can guess, based on the number of configured alarms, but the number and priority distribution of configured alarms almost never is consistent with actual annunciations from a running plant.  What is required, during operation, is the tracking of alarm activations and comparison against metrics to ensure that the alarm system is behaving as designed, and that the operator can handle the “real” load that is being presented to him.

As far as I’m concerned whether an alarm is IPL or not is not really relevant with respect to the design of the alarm system and decision making with respect to operator loading.  What is of most importance is that the operator can respond to the actual alarm rate that he is presented with, during normal operation and during upsets.  Establishing this is a matter of measuring alarm activations and comparing against metrics in EEMUA 191 and ISA 18.02.