Understanding safety functions: Indicators and alarms

A man in a white hardhat and high-visibility vest stands in a large process plant control room holding a walkie-talkie and looking towards a screen with alarm annunciations displayed. The control panel has a large number of indicators and alarms. The control room is mostly white, so the man's vest, the instruments and displays pop in the image.

This is the final installment in the series on understanding safety functions.

When indicators and alarms come up in conversations between machinery controls engineers, large process plant control rooms like those shown at left often come to mind. While this is certainly true, there are many instances on smaller machines and assembly lines where alarms and indicators convey important information to workers.

The design of alarms and indicators is critical to conveying information in the simplest, most understandable way. This is especially true when that information is safety-related.

When assessing the risks related to your machine design, you may identify risks that could be reduced using alarms and indicators. How do you know if an alarm or indicator is safety-related and therefore is part of a safety function and which is just a regular control function? Safety functions are subject to ISO 13849-1 or IEC 62061, while regular control functions are not.

TL;DR

A safety function differs from a control function in that its failure creates a higher risk to workers.

Safety functions include indicators and alarms that notify operators of process deviations so they can take corrective action. The triggering events of safety-related alarms and indicators should be logged for future analysis.

Ergonomics are crucial in designing indicators and alarms, considering human factors, such as physical, cognitive, and environmental aspects. Standards like ISO 7731, ISO 11428, ISO 11429, IEC 61310-1, IEC 60204-1, IEC 61131, and IEC 62061 guide the design of safety-related indicators and alarms.

Ergonomic design principles should be observed to prevent operator errors. Indicator lights and displays should follow standardized colours and provide clear information to operators. Flashing lights and displays can be used for emphasis, and illuminated push buttons should be appropriately colour-coded. The colour RED is universally recognized for emergency stop actuators. Safety-related indicators and alarms should be designed considering safety requirements and human factors.


What distinguishes a safety function from a control function?

If you’ve been following this series on safety functions, you may recall that a safety function is distinguished from a regular control function by the increased risk to a worker when the safety function fails. ISO 13849-1:2015 [1] defines the term as follows:

3.1.20

safety function

function of the machine whose failure can result in an immediate increase of the risk(s)

[SOURCE: ISO 12100:2010, 3.30.]

The question that must be answered during the risk assessment is, “If this alarm or indicator fails to work when needed, is there an immediate increase in risk to the worker(s)?” If the answer is “yes,” the alarm or indicator is part of a safety function.

Indicators and alarms

A large industrial control panel with a wide variety of indicators and alarms: Chief Joseph Dam Power Station, Columbia River, Bridgeport, WA. Image: LEDtronics [3]

The UK’s Health and Safety Executive (HSE) functional safety page [2] explains alarms in a process industry context:

Alarm systems are instrumented systems designed to notify an operator that a process is moving out of its normal operating envelope to allow them to take corrective action. Where these systems reduce the risk of accidents, they need to be designed to good practice requirements considering both the E,C&I design and human factors issues to ensure they provide the necessary risk reduction.

In certain limited cases, alarm systems may provide significant accident risk reduction, where they also might be considered as a SIS. The general benchmark of good practice for management of alarm systems is BS EN 62682 [4].

[2]

In this context, “E,C&I” stands for “Electrical, Control & Instrumentation,” and “SIS” stands for “safety instrumented system.”

Key ideas

The most important takeaway from the HSE guidance is the purpose of an alarm, which is to “…notify an operator that a process is moving out of its normal operating envelope to allow them to take corrective action.”

In this context, an indicator can accompany an alarm, like an amber or red rotating beacon. Indicators can precede an alarm, showing that a process is moving towards a limit but not exceeding the limit value. Once the alarm’s limit value is met, the alarm is triggered.

Alarm Logging

The triggering events for indicators and alarms should be logged. If you have ever watched shows like Meltdown: Three Mile Island [5], you will remember the dot matrix line printer in the control room spewing paper as it logged all the alarms occurring as the reactor systems failed. While this was appropriate in a 1970s nuclear reactor control room, it is rarely done in modern machinery control systems.

Nuclear Power Plant Control Room during Simulated Emergency Shutdown [6]

ISO 13849-1 does not address logging of indicator and alarm events, although some of the process control system standards do. The PLC or a supervising computer system should log triggering events for safety-related indicators and alarms. The date, time, triggering event, duration of the alarm or indication event, and the date and time when the alarm or indication event is resolved or cleared should all be included in the log. The log can be kept electronically if the data is maintained in a human-readable state. The logs can be used like an aircraft’s “black box” should an accident occur, providing clues about what happened in the hours and minutes leading up to the accident.
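As an added example (not code from the original article or from Compliance inSight Consulting), the following Python monitor implements the two-stage behaviour described under Key ideas, an indication as the variable approaches its limit and an alarm once the limit is met, and records each raise and clear with the timestamps and durations recommended above. The tag TT-101, the thresholds and the readings are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class AlarmEvent:
    """One logged indication or alarm event, with raise and clear times."""
    tag: str
    level: str                 # "INDICATION" (approaching limit) or "ALARM" (limit met)
    value: float               # process value that triggered the event
    raised_at: datetime
    cleared_at: Optional[datetime] = None

    def duration(self) -> Optional[timedelta]:
        return None if self.cleared_at is None else self.cleared_at - self.raised_at

    def as_text(self) -> str:
        """Human-readable record, as the article recommends for the retained log."""
        cleared = self.cleared_at.isoformat() if self.cleared_at else "ACTIVE"
        dur = self.duration()
        dur_s = f"{dur.total_seconds():.0f}s" if dur is not None else "-"
        return (f"{self.raised_at.isoformat()} {self.tag} {self.level} "
                f"value={self.value} cleared={cleared} duration={dur_s}")

class IndicatorAlarmMonitor:
    """Two-stage monitor for one process variable: indication when the value passes
    `warn` (approaching the limit), alarm when it reaches `limit`; all events logged."""
    def __init__(self, tag: str, warn: float, limit: float) -> None:
        assert warn < limit, "indication threshold must come before the alarm limit"
        self.tag, self.warn, self.limit = tag, warn, limit
        self.log: List[AlarmEvent] = []
        self._open: Dict[str, AlarmEvent] = {}   # level -> currently active event

    def update(self, value: float, now: datetime) -> List[str]:
        """Evaluate one reading and return the levels still active after it."""
        wanted = set()
        if value >= self.warn:
            wanted.add("INDICATION")
        if value >= self.limit:
            wanted.add("ALARM")
        for level in ("INDICATION", "ALARM"):
            active = self._open.get(level)
            if level in wanted and active is None:             # new event: log it
                event = AlarmEvent(self.tag, level, value, now)
                self._open[level] = event
                self.log.append(event)
            elif level not in wanted and active is not None:   # resolved: close it
                active.cleared_at = now
                del self._open[level]
        return sorted(self._open)

def run_demo() -> List[AlarmEvent]:
    """Feed constructed readings (one per minute) to a monitor; return its log."""
    t0 = datetime(2023, 6, 8, 9, 0, 0)
    mon = IndicatorAlarmMonitor("TT-101", warn=80.0, limit=90.0)  # constructed tag and limits
    for minute, value in enumerate([70.0, 82.0, 88.0, 93.0, 95.0, 86.0, 78.0]):
        mon.update(value, t0 + timedelta(minutes=minute))
    return mon.log
```

Calling run_demo() and printing each event's as_text() gives one line per event; the indication is raised at 09:01 and cleared at 09:06, the alarm is raised at 09:03 and cleared at 09:05.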

Ergonomics

Since indicators and alarms are fundamentally a machine-to-human interface, the ergonomic aspects of these signals must be considered.

The International Ergonomics Association (IEA) describes ergonomics on their website:

The word ergonomics — “the science of work” — is derived from the Greek ergon (work) and nomos (laws). The terms ergonomics and human factors are often used interchangeably or as a unit (e.g., human factors / ergonomics – HFE or EHF) a practice that is adopted by the IEA. The definition of ergonomics (or human factors) adopted by the IEA in 2000 is the scientific discipline concerned with the understanding of interactions among humans and other elements of a system, and the profession that applies theory, principles, data, and methods to design in order to optimize human well-being and overall system performance.

HFE takes into account physical, cognitive, sociotechnical, organizational, environmental and other relevant factors, as well as the complex interactions between the human and other humans, the environment, tools, products, equipment, and technology.

[7]
A Venn diagram with three overlapping circles. On the lower left is a pink-tinted circle identified as "physical factors", with a legend that includes human anatomy, physiology, anthropometrics and biomechanics. Moving in a clockwise direction, at the top is a blue-tinted circle identified as "cognitive factors", with a legend that includes perception, memory, reasoning, motor response, human-computer interaction, communication and teamwork. On the lower right is a yellow-tinted circle identified as "organizational factors." The legend includes participation, cooperation, socio-technical systems and environment. In the centre of the diagram where the three circles overlap is an area identified as HF/E for Human Factors/Ergonomics.
Venn diagram showing the overlapping factors making up the human factors/ergonomics discipline [7]

All areas of HF/E need to be considered when designing safety-related indicators and alarms.

Machinery-specific requirements

On the topic of ergonomics, [1, 4.8] provides these requirements:

4.8 Ergonomic aspects of design

The interface between operators and the SRP/CS shall be designed and realized such that no person is endangered during all intended use and reasonable foreseeable misuse of the machine [see also ISO 12100, EN 614-1, ISO 9355-1, ISO 9355-2, ISO 9355-3, EN 1005-3, IEC 60204-1:2005, Clause 10, IEC 60447 and IEC 61310].

Ergonomic principles shall be used so that the machine and the control system, including the safety related parts, are easy to use, and so that the operator is not tempted to act in a hazardous manner.

The safety requirements for observing ergonomic principles given in ISO 12100:2010, 6.2.8, apply.

[1, 4.8]

Since this article is part of a series focused on ISO 13849, a starting point for reviewing the requirements for indicators and alarms is clause [1, 5.1]. [1, Table 9] identifies indicators and alarms as a safety function and provides a list of standards that provide additional information. The list includes:

  • ISO 7731
  • ISO 11428
  • ISO 11429
  • IEC 61310-1
  • IEC 60204-1
  • IEC 61131 series
  • IEC 62061

Some standards listed, like the IEC 61131 series, may not be as useful to machine designers as the others in this list.

ISO 12100 [8, 6.2.8] guides the application of ergonomic principles in the design of machinery. In the interest of brevity, only a brief excerpt of the clause is reproduced below, leaving out most of the text not directly related to indicators and alarms.

6.2.8 Observing ergonomic principles

Ergonomic principles shall be taken into account in designing machinery so as to reduce the mental or physical stress of, and strain on, the operator. These principles shall be considered when allocating functions to operator and machine (degree of automation) in the basic design.

NOTE Also improved are the performance and reliability of operation and hence the reduction in the probability of errors at all stages of machine use.

Account shall be taken of body sizes likely to be found in the intended user population, strengths and postures, movement amplitudes, frequency of cyclic actions (see ISO 10075 and ISO 10075-2).

All elements of the operator-machine interface, such as controls, signalling or data display elements, shall be designed to be easily understood so that clear and unambiguous interaction between the operator and the machine is possible. See EN 614-1, EN 13861 and IEC 61310-1.

The designer’s attention is particularly drawn to the following ergonomic aspects of machine design.

g) Select, design and locate indicators, dials and visual display units so that they fit within the parameters and characteristics of human perception, information displayed can be detected, identified and interpreted conveniently, i.e. long-lasting, distinct, unambiguous and understandable with respect to the operator’s requirements and the intended use, and the operator is able to perceive them from the control position.

[8, 6.2.8]

In addition to the requirements in [8], IEC 60204-1, Safety of machinery – Electrical equipment of machines – Part 1: General requirements, [9] includes specific requirements for indicator lights and displays.

[9, 10.2.1] defines the standard colours for control actuators, like pushbuttons, knobs and handles.

Function: START/ON
  Colour: WHITE, GREY, BLACK or GREEN, with a preference for WHITE. RED shall not be used.

Function: Emergency Stop and Emergency Switching Off
  Colour: RED
  Notes: If a background exists immediately around the actuator, then this background shall be coloured YELLOW. Includes supply disconnecting devices where it is foreseen that they are for use in an emergency. The combination of a RED actuator with a YELLOW background shall only be used for emergency operation devices.

Function: STOP/OFF
  Colour: BLACK, GREY, or WHITE, with a preference for BLACK. GREEN shall not be used.
  Notes: RED is permitted, but it is recommended that RED is not used near an emergency operation device.

Function: Alternating START/ON and STOP/OFF actuators
  Colour: WHITE, GREY, or BLACK
  Notes: The colours RED, YELLOW, or GREEN shall not be used.

Function: Momentary / hold-to-run controls
  Colour: WHITE, GREY, or BLACK
  Notes: The colours RED, YELLOW, or GREEN shall not be used.

Function: Reset actuators
  Colour: BLUE, WHITE, GREY, or BLACK
  Notes: GREEN shall not be used. Where they also act as a STOP/OFF actuator, the colours WHITE, GREY, or BLACK are preferred, with the main preference being for BLACK.

Function: Abnormal conditions
  Colour: YELLOW
  Notes: For example, in the event of an abnormal condition of the process, or to interrupt an automatic cycle.

Where the same colour, WHITE, GREY, or BLACK, is used for various functions (for example, WHITE for START/ON and STOP/OFF actuators), a supplementary means of coding (for example, shape, position, symbol) shall be used for the identification of actuators.

Adapted from Actuator Colours [9, 10.2.1]

From an HF/E perspective, using standardized colours correctly helps users by allowing them to generalize what they have learned about the meanings of the various colours in a machinery context. The more standardized the use of colours and symbols is across a facility, the fewer errors result from confusion about the function of controls.

Again referring to [9]:

10.3 Indicator lights and displays

10.3.1 General

Indicator lights and displays serve to give the following types of information:

  • indication: to attract the operator’s attention or to indicate that a certain task should be performed. The colours RED, YELLOW, BLUE, and GREEN are normally used in this mode; for flashing indicator lights and displays, see 10.3.3.
  • confirmation: to confirm a command, or a condition, or to confirm the termination of a change or transition period. The colours BLUE and WHITE are normally used in this mode and GREEN may be used in some cases.

Indicator lights and displays shall be selected and installed in such a manner as to be visible from the normal position of the operator (see also IEC 61310-1).

Circuits used for visual or audible devices used to warn persons of an impending hazardous event shall be fitted with facilities to check the operability of these devices.

10.3.2 Colours

Indicator lights should be colour-coded with respect to the condition (status) of the machine in accordance with Table 4.

[9, Table 4]

Indicating towers on machines should have the applicable colours in the following order from the top down: RED, YELLOW, BLUE, GREEN and WHITE.

10.3.3 Flashing lights and displays

For further distinction or information and especially to give additional emphasis, flashing lights and displays can be provided for the following purposes:

  • to attract attention;
  • to request immediate action;
  • to indicate a discrepancy between the command and actual state;
  • to indicate a change in process (flashing during transition).

It is recommended that higher flashing frequencies are used for higher-priority information (see IEC 60073 for recommended flashing rates and pulse/pause ratios).

Where flashing lights or displays are used to provide higher-priority information, additional acoustic warnings should be considered.

10.4 Illuminated push-buttons

Illuminated push-button actuators shall be colour-coded in accordance with 10.2.1. Where there is difficulty in assigning an appropriate colour, WHITE shall be used.

The colour of active emergency stop actuators shall remain RED regardless of the state of the illumination.

Courses

If you want to take an in-depth course on ISO 13849, we offer a course through our online training portal.

If you are looking for a course on alarm management in process control systems, we do not offer one now, but exida.com has some excellent resources on YouTube and some formal training offerings on the topic.

Summing up

This article discusses indicators and alarms used in machinery safety functions.

A safety function is distinguished from a control function by the increased risk to a worker when the safety function fails. A safety function is a function of a machine whose failure can immediately increase risk. On the other hand, a control function is a regular function of a machine that does not pose an immediate increase in risk if it fails.

Indicators and alarms play a crucial role in safety functions by notifying operators when a process moves out of its normal operating range, allowing them to take corrective action. Indicators and alarms are designed to reduce the risk of accidents and must adhere to good practice requirements, considering design and human factors.

When it comes to safety-related indicators and alarms, certain standards provide guidance. These include ISO 7731, ISO 11428, ISO 11429, IEC 61310-1, IEC 60204-1, IEC 61131, and IEC 62061. These standards cover various aspects such as auditory and visual danger signals, indication, marking and actuation, and safety-related control systems.

Ergonomics also plays a vital role in designing indicators and alarms. Ergonomic principles should be applied to ensure the machine and control system, including safety-related parts, are easy to use and operators are not tempted to act in a hazardous manner. Standards like ISO 12100 guide the application of ergonomic principles, considering factors such as body sizes, movement amplitudes, and the design of indicators, dials, and visual display units.

Furthermore, specific requirements for indicator lights and displays are outlined in IEC 60204‑1. Standard colours are defined for control actuators, and indicator lights should be selected and installed to be visible from the operator’s normal position. Flashing lights and displays can be used for additional emphasis or to convey specific information, and illuminated push buttons should follow colour-coding guidelines.


References

[1] Safety of machinery – Safety-related parts of control systems – Part 1: General principles for design, ISO 13849-1. International Organization for Standardization (ISO). 2015.

[2] “Functional safety,” HSE. [Online]. Available: https://www.hse.gov.uk/eci/functional.htm. [Accessed: 28-Apr-2023].

[3] Chief Joseph Dam Power Station Columbia River Bridgeport, WA. LEDtronics.

[4] Management of alarm systems for the process industries, EN IEC 62682. European Electrotechnical Committee for Standardization (CENELEC), Brussels. 2023.

[5] Meltdown: Three Mile Island, seas. 1, Netflix, 2022.

[6] Nuclear Power Plant Control Room during Simulated Emergency Shutdown. William H. Calvin, 2012.

[7] “What is ergonomics (HFE)?,” The International Ergonomics Association, https://iea.cc/about/what-is-ergonomics/ (accessed Jun. 8, 2023).

[8] Safety of machinery — General principles for design — Risk assessment and risk reduction, ISO 12100. International Organization for Standardization (ISO). 2010.

[9] Safety of machinery – Electrical equipment of machines – Part 1: General requirements, IEC 60204–1. International Electrotechnical Commission (IEC), Geneva. 2016.

Additional resources

[10] J. Wilkinson and D. D. Lucas, “Better alarm handling — A practical application of human factors,” Measurement and Control, vol. 35, no. 2, pp. 52–54, 2002, doi: 10.1177/002029400203500204.

[11] “Better alarm handling, Chemical Sheet No. 6,” Health and Safety Executive (HSE), London, UK. 1994.

[12] J. Bukowski, “‘Closing the Holes in the Swiss Cheese Model’ – Maximizing the Reliability of Operator Response to Alarms.” exida.com LLC, 2020. Accessed: May 02, 2023. [Online]. Available: https://www.exida.com/articles/Reliability%20of%20Operator%20Response%20to%20Alarms.pdf

[13] J. Bukowski, “Using Alarms as a Layer of Protection.” exida.com LLC, Apr. 2012. Accessed: May 02, 2023. [Online]. Available: https://www.exida.com/articles/UsingAlarmsasaLayerofProtection.pdf

© 2023, Compliance inSight Consulting Inc. Creative Commons Licence
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.