Event vs Alarm vs Fault - Critical Distinctions
🎯 Learning Objective: Understand the critical distinction between Events, Alarms, and Faults. This is one of the most misunderstood concepts in telecom operations, yet essential for NOC engineers and OSS designers.
How Events Are Classified: Event → Alarm or Just Event?
Not every raw event becomes an alarm. OSS systems use classification rules to decide which events require operator attention and which are just informational.
| Raw Event Example | Classification | Why? | Action |
|---|---|---|---|
| "Fan speed changed from 3000 to 3100 RPM" | Event only | Normal operation, no problem | Log it, no alert |
| "Fan failed, temperature rising" | Alarm (Major/Critical) | Actionable - equipment at risk | Create ticket, alert engineer |
| "Interface state: DOWN" | Depends on context | If no redundancy → Alarm. If redundant path working → Minor or Event | Correlation determines severity |
| "CPU usage: 45%" | Performance metric / event | Below threshold, normal range | Store for trending |
| "CPU usage: 95% for 10 minutes" | Performance Alarm (TCA) | Threshold exceeded, risk of failure | Alert, investigate |
| "User jdoe logged into router" | Security Event | Normal operation, just log | Audit log only |
| "Failed login attempt × 100 from same IP" | Security Alarm | Possible brute force attack | Alert security team |
| "Fiber cut detected at location X" | Root cause fault / Critical alarm | Major service impact | Immediate dispatch, service impact analysis, customer notifications |
Event = log it, don't wake anyone. Alarm = wake someone (severity determines urgency). Fault = find and fix the root cause.
Classification Factors
- Severity potential - Could this become Critical?
- Customer impact - Are paying customers affected?
- Redundancy - Is there a backup path?
- SLA commitment - Does this breach an SLA?
- Context - Maintenance window vs normal operation
- Frequency - One-off vs repeating pattern
Classification Methods
- Static rules - "If event type = LINK_DOWN, create alarm"
- Threshold-based - "If CPU > 80% for 5 min, raise alarm"
- Correlation-based - "Suppress if parent alarm exists"
- ML-based (AIOps) - Learn patterns of what matters
- Business rules - "VIP customers trigger higher severity"
The Core Distinction
Event
Something happened. Any state change, notification, or occurrence in the network.
Alarm
An actionable abnormal condition requiring monitoring, investigation, escalation, or remediation.
Fault
The underlying problem that caused one or more alarms. The root cause.
Alarms are often symptoms. Faults are the root cause. Good OSS systems help operators avoid treating symptoms individually and instead identify the underlying issue affecting the network.
Event → Alarm → Fault Hierarchy
Event
Raw notification: "Link down notification"
Alarm
Actionable: "Critical: Link Down"
Fault
Root cause: "Fibre cut"
Not every event becomes an alarm. Not every alarm reveals the root fault immediately. Events may be filtered, enriched, and classified into alarms; correlation and RCA then help identify the most likely underlying fault.
Alarm Severity Levels (NOC Reference)
| Severity | Meaning | Typical Response |
|---|---|---|
| Critical | Service outage affecting multiple customers | Immediate response, 24/7 escalation |
| Major | Severe degradation, limited outage | High priority, < 1 hour response |
| Minor | Partial issue, non-urgent | Normal queue, routine investigation |
| Warning | Potential issue, threshold crossing | Monitor, investigate if persists |
| Cleared | Condition resolved | Close ticket, verify resolution |