From alert to resolution (action framework)

Alerts without ownership are anxiety. Notifications without resolution are noise. If you want recommendations and agents to matter, you need a full loop—not a louder siren.

My role

I was the product manager shaping how this capability matured in- product: framing the problem with operators and engineering, turning a leadership initiative into prioritized outcomes, and keeping the mental model coherent across surfaces. The vision and formal initiative were set and launched by our CPO; I owned the product translation—what we build first, what we defer, and what “done” means in a mission- critical environment. Work spanned all of 2025 at BeyondAI, including engagements with operators such as Qatar Energy and QatarCool.

Screens, slices, and sequencing

A large part of my PM work on this track was scope slicing—turning a broad alerting charter into a sequenced set of screens and releases the org could execute without losing the thread. With design and engineering, we mapped six core surfaces: Draft Alerts, Alert Creation, Active Alerts, Rule Creation (modal), the Live Alerts dashboard, and Alert Details—then explicitly parked adjacent ideas (work orders, work-order history, asset health timeline) so they did not collapse the MVP.

We framed delivery in three passes. V1 was the crawl: credible tables, foundational authoring fields, and an early Live Alerts list that proved we could show real triggered work end to end. V2 concentrated the “serious ops” investment: the plant-wide summary, prioritization logic, investigation detail, richer lifecycle and audit expectations, and the notification behaviors that make the loop legible—the material that became the Alerts Dashboard requirements set. V3 pointed at maintenance integration and longitudinal asset views: valuable, but deliberately not allowed to steal bandwidth until the detect → notify → resolve spine was trustworthy in production contexts.

Alerts screens and user journey board: six primary screens across the top, with V1, V2, and V3 rows showing how scope was sliced for delivery. — **Strategic slicing.** Excerpt from working boards mapping alerting screens to V1 (MVP), V2 (operational dashboard and details), and V3 (maintenance and asset-health follow-ons). The goal was to ship value early while keeping a clear, shared path from authoring and rules through live triage, resolution, and audit—not a one-shot demo that collapses under real shift turnover.

Detect, notify, resolve

Industrial teams rarely suffer from a pure lack of signals. They suffer from a broken response chain: who owns this, what is the next step, did anything actually change, and how do we know it worked when the shift turns over?

The pattern that keeps recurring is three movements, in order:

Detect. Something meaningful happens—or is predicted. That might be rule-based, model-based, or manually raised. The design choice is not only sensitivity; it is classification: severity, urgency, and context stable enough that two operators on two shifts do not reinterpret the same event differently.
Notify. Delivery has to match operational reality: in-app for the control room, email for the off-shift engineer, SMS when time-to-act is short. The classic failure mode is not “we forgot email.” It is the unfiltered firehose that trains people to ignore the channel entirely.
Resolve. This is where many products quietly stop. They celebrate the red badge. Industrial work needs assignees, statuses, comments, attachments, escalation, and traceable history— so “we saw it” becomes “we did something about it,” with accountability that survives audits and turnover.

String those together and you get a sentence that sounds almost too simple: detect → notify → resolve. Simple to say. Hard to ship—because each step crosses data models, permissions, UX, and organizational politics.

Live alerts dashboard & details

A concrete slice of this work was the Alerts Dashboard under Live Operations: a real-time view of predictive maintenance-style alerts that are not tied to a single plan—aggregated across a plant or refinery so teams can see what fired, what matters most, and what to do next.

The product intent at the dashboard level was threefold:

Aggregate event-based alert metrics.
Prioritize what is most critical (urgency, open workload, time pressure).
Help users initiate preventive action, not just stare at a red count.

Summary (plant-wide overview): a top band with a configurable time window (presets such as last 7 / 30 / 90 / 365 days), plus headline metrics—total triggered alerts, counts in the most critical urgency band, open vs closed workload, work orders where that integration exists, and (where modeled) an estimated preventive-maintenance benefit in currency so leadership can reason about value—not only volume.

Process context: an interactive process flow (PFD-style) diagram where units show state at a glance (for example, clear when a unit has no active alerts vs when it has critical or open items). Directionally, the experience also called for hover tooltips on units that summarize what is triggered and deep-link into the relevant alert detail.

Alerts table: sortable and filterable, with core columns such as alert name, alert state (triggered vs normal), process unit, urgency, date triggered, and event status in the response lifecycle (for example new, acknowledged, in progress, closed). Rows link to a dedicated alert details experience. To reduce noise, the default posture was to emphasize triggered work: show triggered alerts first (including behavior analogous to “bubble up” when something enters mitigation), keep default sorting aligned to urgency, and offer a path to widen the lens to all alerts when the operator needs full inventory. Triage-oriented patterns—such as inline status changes from the grid, bulk lifecycle moves for acknowledge / in progress, urgency-based color cues, surfacing whether an alert has recommended actions and a path to the action list, and exploring staleness without cluttering the grid—were explicit inputs from operator-facing design review.

Alert details page: investigation and resolution in one place—timestamp, editable status, latest comment, selectable recommended preventive actions (often multi-select where there is no hard mutual exclusion), a threaded comment stream for cross-shift collaboration, and root cause charts: time series of the relevant tags/sensors with configured control limits and alert-zone shading so “why now?” is visible, with filters for time range and the specific trigger configuration when multiple triggers exist.

One open product tension we surfaced in requirements—common in industrial alerting—is instance churn vs stable ownership: an alert template can re-fire frequently, creating many instances, while operators often want one coherent thread per real-world issue. We documented that tradeoff (including separating trigger history from instance lifecycle history) so implementation and customer rollout did not pretend the ambiguity did not exist.

Authoring & publish semantics

Alerts share DNA with plan objectives in the underlying platform, but operator-facing language needed to stay consistent: Alert naming and descriptions in the UI rather than leaking legacy “objective” vocabulary where it would confuse the room.

Key labels (aligned with how plans use key labels) carry classification needs—including urgency-oriented grouping—without inventing a parallel taxonomy. Alert authoring deliberately omitted constraint groups where they did not match how alerts are composed, and it did not force a standalone “pick a tag” step when tags can already participate inside triggers and conditions.

Urgency semantics settled on a three-level model mapped to operator-meaningful language: Important, Urgent, and Critical (rather than generic low/medium/high alone). Draft vs live: publishing moves an alert into the live surface; published alerts remained editable so response and presentation can evolve without forcing a brittle unpublish cycle for every tweak.

Notification model

Notifications were specified to be event-driven and idempotent, with a deliberate noise budget: in v1, each alert-related event should produce one notification, not a duplicate storm on every backend tick.

Events in scope included, among others:

Alert first triggers (first instantiation—not every repeat pulse unless explicitly designed otherwise).
Status changes across the response lifecycle.
Comments on a live alert.
Assignment to users (with groups/roles called out as a forward path).
Staleness / escalation when an alert exceeds an expected response window (optional per-alert authoring: for example stricter windows for more critical urgency classes).

In-app delivery: real-time delivery via pub/sub (with polling fallback where needed), a header bell with unread badge, a feed of recent items with lazy loading, read/unread per user, and deep links that open the alert in Live Operations (optionally scrolled or highlighted). Email remained part of the channel mix for off-shift and externalized accountability.

Content structure was templated by event type (triggered, status change, comment, assignment, escalation) with tokenized fields such as title, timestamp, site/zone, urgency, status, and a short CTA to view the alert. Retention: notifications roll off the primary UI after a bounded window (on the order of weeks) while audit-oriented history is retained longer for investigations and admin visibility—consistent with how serious ops teams actually argue after the fact.

Sensor data quality

The alerting program assumed a harder problem than rules alone: if inputs lie, the loop lies. I wrote and socialized a product note on sensor data quality—requirements review and solution planning—so engineering, data, and design could agree on what “trustworthy detection” means before we scaled alerts across sites.

Problem. The system effectively treated incoming sensor streams as reliable. That creates two symmetric failures: false alerts when rules fire on corrupt, stale, failed, or missing values (operators burn trust chasing ghosts), and missed events when the stack looks “healthy” but is actually blind—silence is ambiguous without explicit data-health semantics. A third failure mode is stale evaluation: rules that keep “deciding” on outdated samples as if nothing is wrong with the feed.

Requirements direction. Confirmed and in-flight themes included: visibility into sensor health from data- quality signals; a clear distinction between data issues vs process issues in what we show operators; gating alert behavior so new process alerts are not minted on untrusted data and open alerts do not continue to behave as if the underlying tags are reliable; surfacing evaluation as normal vs paused due to data quality; and handling short transient feed problems without a notification storm. Customer expectations for cleaning, imputation, or replacement of bad points were explicitly called out as a joint product/data concern.

Observed defect families in early datasets included spikes (noise or transmission errors), stagnancy (frozen values), extended zero runs (disconnection patterns), missing rows in the time series, and explicit BAD or non-numeric quality flags. Operating context mattered: ingestion roughly on a one-minute cadence with raw samples, downstream five-minute averaging for operational use, and rule evaluation on that averaged series—which raises a real design question (still open in planning): whether cleaning and flagging should anchor on raw streams, the averaged stream, or both with a clear contract.

Solution planning. We aligned on design principles such as: never confuse “no alert” with “healthy process” when the sensor path is compromised; make pause and resume legible; and prefer mechanisms that scale across many tags without bespoke heroics. On the technical side, the direction was to treat each referenced tag as having explicit quality state (for example reliable vs failed / flagged), with a cleaning or validation step before rule execution so alerts are not computed in a vacuum. When quality is bad, evaluation should move to a paused or suspended posture rather than pretending the last good number is still speaking for the plant.

UX paths. We sketched two slices. A labels-first approach adds explicit copy such as sensor issue and evaluation paused in context—fast to ship, lighter on lifecycle affordances. A stronger pattern (the recommended next slice) introduces a dedicated sensor / data-quality alert narrative while process alerts enter a suspended state, so operators can triage “instrumentation broke” separately from “the process misbehaved.” A decision matrix and follow-ons covered defaults for grace windows, messaging standards, and engineering integration points across Live Operations, open and idle alert lists, and detail views—without shipping ambiguity about what the room decided.

Hypothetical scenario (simulated)

The following is a composite, anonymized illustration inspired by real operating patterns (e.g. district cooling or process plants). It is not a literal transcript of a single customer event.

A rule encodes a breach: supply temperature on a critical loop drifts more than an agreed band from setpoint for longer than a grace window. The alert engine classifies it as a production-impacting deviation (not merely informational), attaches the affected asset hierarchy and location, and stamps an expected response-time target based on alert metadata.

Notify: the control-room surface raises an in-app alert with severity, short context, and a link into the rule context; simultaneously, the overnight engineer receives email because the event falls in their routing recipe. The channel mix is intentional— not everyone gets everything.

Resolve: the shift lead acknowledges ownership, status moves from open to in progress, and a short thread captures what was tried (setpoint check, valve command history, adjacent equipment state). A root-cause view helps isolate which rule block fired and what upstream conditions contributed. When the loop is back within limits and verified, the alert closes with traceable history—so the next shift does not replay the same debate.

What shipped

Engineering and design aligned to shared requirements that covered the dashboard, details experience, authoring semantics, notification policy, and sensor data quality planning—so “detect → notify → resolve” was not a slogan but a checklist against concrete screens and trustworthy inputs.

A new rule encoding component and an alert creation surface built from composable rule blocks.
Alert metadata: severity/urgency, recipients, ties to asset hierarchy and location, and expected response-time definitions (including escalation/staleness direction).
Live Operations dashboard patterns: summary band, unit-level process overview, and a triage-oriented alerts grid with paths into investigation.
Response lifecycle tracking, including open vs closed alerts, cross-shift continuity, and space for comments and escalation—not just a one-shot notification.
Root cause analysis views with rule isolation and charting that encodes limits and alert context—not only that it fired.
In-app notification mechanics (feed, read state, deep link) and email aligned to operational roles and recipes.
Sensor data quality thread: requirements synthesis, quality-state and pre-rule validation concept, alert gating and pause semantics, defect taxonomy (spikes, gaps, stagnancy, flags), and UX options (labels-first vs sensor alert + suspended process alerts) for consensus with engineering and design.

Why this matters for AI

Because every ambitious feature—recommendations, copilots, agents— eventually asks the same question: what happens after the system speaks? If the answer is “someone reads a paragraph and hopes,” you do not have operations. You have a workshop.

A serious stack needs events that can be tied to actions, with lifecycles that do not break when the first version of a dashboard ships. Different surfaces will mature at different rates. The product job is to preserve one coherent story for users even when the implementation is split across teams and quarters.

If you are framing this for leadership, emphasize risk reduction and cycle time. If you are framing it for practitioners, emphasize one place to see accountability—not another feed that substitutes motion for progress.

Traction

The product is demoable today for current engagements moving through BeyondAI’s sales pipeline—where a credible detect → notify → resolve story is often the difference between “interesting model” and “something we can run.”

Closing

I care about this loop because it is the substrate everything else plugs into. Copilots can suggest; agents can propose. But if the organization cannot resolve, the smartest model in the world still decays into theater. The PM work here is unglamorous and essential: make the boring parts real, so the innovative parts can be trusted.