Doc. No.: 8015-0151-22-PO-45-0009-4236-J08-00409
Rev.: 00
Date: Dec.18,2012

ORIGINATOR: D.K.YOON / J.S.PARK, 09 JAN 2013
CHECKED: S.H.CHO, 09 JAN 2013
APPD(PR): K.T.KIM, 09 JAN 2013

REV | DATE | DESCRIPTION | MADE BY | CHECKED BY | APPROVED BY
00 | 20121218 | | BH.HAM | HK.LEE | SB.LEE
Approvals:
EPM:
Date: Dec.18. 2012
Signature by the EPM Project Manager indicates that this document
has been reviewed and approved to be issued in accordance with
EPM internal quality procedures.
EPM:
Customer:
Date:
Signature by the Customer representative indicates that this
document has been reviewed and approved for EPM to use as a
basis for executing the Diluted & Concentrated West Qurna Phase 2nd
Phase Project.
Revision History:
The following revision system is used:
Revision "P" Preliminary issue - EPM/Customer review.
Revision "00" (00, 01, 02 ... etc.) Issue For Approval (IFA). At this stage, the Customer approved the
document.
Revision "A" (A, B.. etc.) Approved For Construction (AFC) or Final after FAT
Revision | Revision Date | Author | Description
00 | Dec.18.2012 | BH.HAM |
Table Of Contents:
Approvals
Revision History
Table Of Contents
Reference Documents
1 Introduction
4.5.1 General
Pre-Alarms
4.5.3 Shutdown Alarms
4.9 Alarm Filtering
4.10 Alarm and Event Logging
4.11 Alarm Summary
REFERENCE DOCUMENTS
Document No. | Document Name | Purpose
EEMUA -191-1999 | Alarm guidelines | Alarm guidelines
INTRODUCTION
This document covers the following aspects of DeltaV alarm philosophy and
management for the WQ-2 project:
- Alarm System Philosophy: Describes what the system is intended to do and the
  principles of how the system will be designed and implemented.
- Alarm System Design Process: Describes what the alarm system includes and the
  process that is used to define the alarm settings, alarm priority, required
  operator actions, maximum response time, and alarm suppressions.
- Alarm System Implementation: Effective presentation of information during
  normal operation and during complex process conditions such as plant upsets
  or trips. As a result of alarm system implementation, a large number of
  nuisance alarms and duplicate alarms will be removed or avoided.
- Alarm System Maintenance: System performance measurements in place to drive
  improvements using a management of change process. The intent is to make the
  alarm system sustainable.
1.1
Term | Description
Acknowledged Alarm |
Active Alarm |
Alarm |
Alert | A signal that makes the operators aware of a condition but requires no immediate response.
Automatic Suppression |
Cleared Alarm |
Consequential Alarm |
Disabled Alarm |
Device |
Event Log |
Inhibited Alarm |
Log |
Manual Disable |
Suppressed Alarm |
Un-Acknowledged Alarm |

Abbreviation | Description
AOA |
EEMUA |
ESD |
Emerson |
ICSS |
I/O | Input/Output
PCS |
SIS |
Table 1-2
Abbreviations and Acronyms
2.1
3.1
3.1.2
3.1.3
Engineered Alarms
Engineered alarms have been determined through the HAZOP reviews of the
process design. These alarm settings will identify when the process is moving
towards an unsafe operating condition. The alarm limits will be pre-set and not
permitted to be changed without the appropriate management of change
process review. These alarms are provided in the alarm and trip settings
document. This document will be used as the basis for alarm objectivity
analysis.
3.1.4
Operator Alarms
Operator alarms are operator configurable alarms to assist in running the plant
more efficiently. These alarms should never be safety related or related to
some other condition that has a serious impact on the plant or its surroundings
since such conditions are properly dealt with in the engineering alarms settings
or other protective systems. An alarm priority called operator will be
introduced in the system which will be lower than the low alarm priority.
3.1.5
Alarm Suppression
Alarm suppression is the way to temporarily disable annunciation of an alarm in
the DeltaV Operator Interface. This means that the suppressed alarm will not
set off the workstation alarm horn and will not be displayed in the alarm
summary or the alarm banner, but this alarm will still be registered in the
alarms/events log.
3.1.6
Chattering Alarms
Appropriate deadband must be selected for all alarms that are activated
repeatedly over a short period of time. This may involve the programming of a
deadband for analog trip values and a delay time for digital points. Concepts of
on-delay, off-delay, and deadband are explained in Section 5.1.9 of this
document.
3.1.7
Flooding Alarms
Flooding alarms are several alarms that are shown to the panel operator on the
alarm summary that allow the operator to take appropriate action over the
process.
3.1.8
State-Based Alarming
Most alarms in a process unit pertain to the normal operating state of a piece
of equipment. Equipment often has several normal, but differing, operating
states. PCS alarm capabilities are normally only for a single-state, single-value
trip points, and priorities. Examples include startup, shutdown, product or feed
grade changes, half rate operation, etc.
3.2
3.2.1
Severity columns: None | Minor | Major | Severe

Any alarm wherein the failure of proper action to be taken can result in likely harm to a
person will be prioritized as high. Assumption is that other layers of protection
operate.

Impact Category: Environmental
None: No Effect
Minor: Minimal exposure. No impact. Does not cross fence line. Contained release. Little, if any, clean up. Source eliminated. Negligible financial consequences. Event Type Recordable, No reporting to Alberta
Major: On-site H2S or other release. Contamination causes some non-permanent damage. Event Type Reportable, incident reported as not violating permit. Isolated neighbor complaints.
Severe: Uncontained release of materials with major environmental impact and possible third party impact. Widespread neighbor complaints. Exposed to life-threatening hazard. Disruption of basic services. Impact involving the community. Catastrophic property damage. Extensive cleanup measures and financial consequences. Event Type Reportable incident reported as violating permit.

Impact Category: Costs or Value Of Production Loss
None: No loss
Minor: Event costing <$100,000, notification only at operations superintendent level
Major: Event costing loss of ~ half day production, notification at operations manager level
Severe: Event costing >$n,000,000 (approximately one day production volume), notification above operations manager level

Table 2
Alarm Rationalization Consequence Grid
The assumptions in Table 3 below were considered while preparing the alarm
rationalization consequence grid above.
Assumption: Probability

Assumption: Multiple Failures
Description: (flaring) and/or economic (loss of product to the flare) impacts, but no personnel safety
impact. In terms of setting the appropriate alarm priority, it would not be appropriate to
say that the consequence would be that in the high pressure scenario, the relief device
would also fail, the vessel would rupture, and personnel could be injured (i.e. a
personnel safety impact).

Assumption: Time to Respond
Description: Maximum time to respond is the time within which the operators can take action(s) to
prevent or mitigate the undesired consequence(s) caused by an abnormal condition.
This response time must include the action of outside personnel following direction
from the console operator.
To clarify, this is not how long it actually takes the operator to take the action. It is how
much time is available to take effective action from when the alarm sounds to when the
consequence is unavoidable.
The board operator's ability to respond to an alarm in a timely fashion determines the
degree of success in preventing loss. The consequences of an uncorrected alarm
generally worsen with the passage of time.
During an abnormal condition, the board operator is confronted with making decisions
on numerous tasks that must be performed in an appropriate sequence. The timing
and the order of executing these tasks determine the outcome of the operator's effort.
For example, if two process variables are deviating from normal and can potentially
cause the same significant loss, the operator must quickly decide which variable to
address first. In such a case, the operator must take action to address the variable that
is more volatile or can reach the point of loss in the shortest time.
Therefore, the shorter the time available to respond, the higher the priority of the alarm
will be, assuming equal consequences can result.
For each alarm being rationalized, and, for each area, the maximum time allowable to
respond will be identified. This value will allow the response time to be placed in one of
the following response time classes:
- greater than 30 minutes
- 10 to 30 minutes
- 3 to 10 minutes
- less than three minutes
Table 3
Assumptions
3.2.3
Potential Consequences
Urgency/Response Time | No Effect | Production/Quality | Plant Asset/Reliability | Safety/Environmental
>30 min | No alarm | Re-engineer alarm | Re-engineer alarm | Re-engineer alarm
10-30 minutes | No alarm | Low | Low | Medium
3-10 minutes | No alarm | Low | Medium | Medium
less than three minutes | No alarm | Medium | High | High
Table 4
Alarm Rationalization Grid
The grid includes a threshold for not alarming when the response time is over
30 minutes. In such a case, the alarm should be redesigned to require action in
a shorter time frame. Some exceptions are acceptable.
Note that a maximum time allowable to respond of greater than 30 minutes
does not meet the criteria for an alarm. While an operator may have a time
horizon of several hours or more in adjusting process parameters and
monitoring their effects, it is inappropriate to sound an alarm for which no
action is required for more than 30 minutes. Alarms are to signal conditions
that require quick action and must have a characteristic of urgency. Something
that can be avoided for more than a half hour with no effect is not an event
requiring quick action.
This is not an absolute principle, and there will be exceptions. For example, an
alarm of the failure of a system that acts to protect the long-term health of
equipment, such as a corrosion inhibitor addition system. Failure to take action
on the alarm might not have consequences for weeks or months, but the
system is needed and the failure must be addressed, not forgotten about. The
general rule is that response to such an alarm should be the initiation of a
maintenance request before the end of the shift. The need for the alarm
system to retain a sense of urgency allows for such exceptions.
4.1
Operator Alarms
Individual operators have a need for on-the-fly configuration of various
system reminders and functions. For example, tank levels when filling or
transferring, where the alarm limits do not correspond to the amount desired to
be moved. Operator change of the overall alarm system trip points has been
proven to be a problematic practice. The setting of individual preferences as
alarm limits results in sub-optimization of the process, causes shift-based
process variation, introduces non-rationalized alarms, and contributes to alarm
floods, and is therefore not in keeping with best practices.
The WQ-2 Project may address this need and problem by providing the operator
priority alarm. The settings and existence of these alarms are controllable by the
operator. They are not rationalized. The same principles as for regular
alarming, however, should be followed, such as operator alarms being
configured only for events requiring action. Operator alarms should not be used
to replace surveillance of the process (running by alarms).
During periods of engineered alarm activation, the operator alarms can be
filtered from the alarm summary display and not interfere with the proper
response to rationalized alarms. There are six operator alarms available per
PCS control loop.
By default, these alarms are disabled from the system configuration. As the
systems are being commissioned, the control room operator can enter valid
alarm limits and enable the alarm as required to operate the process. Alarm
deadband is defaulted to 0.5%.
Columns: Alarm Name | Operator Control | Default Enable | Default Alarm Limit % of Scale | Allowable Priority Choice | Description
HI_HI_ALM: 90, Engineer, Engineer high-high alarm
HI_ALM: 80, Operator
LO_ALM: 20, Operator
LO_LO_ALM: 10, Engineer
DV_HI_ALM: Operator
DV_LO_ALM: -5, Operator
Table 5
Summary of Operator Alarms
Indicates the default values if the alarm is not enabled on P&ID and control
narrative; otherwise valid values are entered.
4.2
Engineered Alarms
Engineered alarms are not alterable by the operator. They are to provide
warning of conditions that require operator action in order to avoid a
recognized consequence.
There are six engineered alarms available per PCS control loop and indicator
point. The deadband for all engineered alarms will be set at 0.5 % of the
engineered scale by default.
Columns: Alarm Name | Operator Control | Default Enable | Alarm Setpoint % of Scale | Priority | Description
All are determined via rationalization
ENG_HI_HI_ALM: N*, Engineered high-high alarm
ENG_HI_ALM: N*, Engineered high alarm
ENG_LO_ALM: N*, Engineered low alarm
ENG_LO_LO_ALM: N*, Engineered low-low alarm
ENG_DV_HI_ALM: N*, Engineered deviation high alarm
ENG_DV_LO_ALM: N*, Engineered deviation low alarm
Table 6
Summary of Engineered Alarms
Table 6 indicates the default values if the alarm is not enabled on P&ID and
control narrative; otherwise valid values are entered.
Note: 5 Second Scan for PV
Time Base hh:mm:ss | Process Variable KPa | Prorate PV for 60 Seconds | Deviation Alarm
12:00:00 | 50 | | Clear
12:00:05 | 50.1 | Abs (50.1-50)* (60/5) = 1.2 | Clear
12:00:10 | 50.2 | Abs (50.2-50.1)* (60/5) = 1.2 | Clear
12:00:15 | 51.1 | Abs (51.1-50.2)* (60/5) = 10.8 | Active unacknowledged
12:00:20 | 51.1 | Abs (51.1-51.1)* (60/5) = 0 | Clear unacknowledged
12:00:25 | 52.6 | Abs (52.6-51.1)* (60/5) = 18 | Active unacknowledged
12:00:30 | 52.5 | Abs (52.5-52.6)* (60/5) = 1.2 | Clear unacknowledged
Table 7
Deviation Alarm Example
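The following is an added example, not part of the original document or of any DeltaV configuration: it recomputes the Table 7 columns from the PV samples and tracks the acknowledgement state. The alarm limit of 5 kPa per 60 seconds and the `ack_after` parameter are assumptions, since the table does not state the limit.

```python
"""Added example: recompute Table 7 from its PV samples (not project code)."""
from dataclasses import dataclass
from typing import Optional

SCAN_SECONDS = 5      # Table 7 note: 5 second scan for PV
WINDOW_SECONDS = 60   # Table 7: change is prorated to 60 seconds
RATE_LIMIT = 5.0      # ASSUMPTION: kPa per 60 s; the page does not give the limit

# (time, PV in kPa) pairs copied from Table 7.
TABLE_7_SAMPLES = [
    ("12:00:00", 50.0),
    ("12:00:05", 50.1),
    ("12:00:10", 50.2),
    ("12:00:15", 51.1),
    ("12:00:20", 51.1),
    ("12:00:25", 52.6),
    ("12:00:30", 52.5),
]


@dataclass
class Row:
    time: str
    pv: float
    prorated: Optional[float]   # None on the first scan (no previous sample)
    state: str


def evaluate(samples, limit=RATE_LIMIT, ack_after=()):
    """Return one Row per scan.

    ack_after: scan times after which the operator acknowledges the alarm
    (hypothetical input, used to show the acknowledged states).
    """
    rows, prev_pv, was_active, unacked = [], None, False, False
    for time, pv in samples:
        if prev_pv is None:
            prorated, active = None, False
        else:
            # Same arithmetic as the table: Abs(PV - previous PV) * (60 / 5).
            prorated = round(abs(pv - prev_pv) * (WINDOW_SECONDS / SCAN_SECONDS), 1)
            active = prorated > limit
        if active and not was_active:
            unacked = True              # each new activation must be acknowledged
        if not active and not unacked:
            state = "Clear"
        else:
            state = ("Active " if active else "Clear ") + (
                "unacknowledged" if unacked else "acknowledged")
        rows.append(Row(time, pv, prorated, state))
        if time in ack_after:
            unacked = False
        prev_pv, was_active = pv, active
    return rows


def activations(rows):
    """Count clear-to-active transitions; several in a short span indicate chatter."""
    count, was_active = 0, False
    for r in rows:
        is_active = r.state.startswith("Active")
        count += is_active and not was_active
        was_active = is_active
    return count


if __name__ == "__main__":
    for r in evaluate(TABLE_7_SAMPLES):
        print(f"{r.time}  {r.pv:5.1f}  {r.prorated!s:>5}  {r.state}")
    print("activations:", activations(evaluate(TABLE_7_SAMPLES)))
```

Two activations within 15 seconds on this short trace is the in-and-out pattern that section 3.1.6 asks to be handled with deadband or delay settings.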
4.3
Maintenance Alarms
There will be MAINT_HI, MAINT_LO. The MAINT priority will not show on the
operator's normal alarm summary display.
4.4
4.5
4.5.1
General
Prior sections of this document refer to various types of alarms (operator,
engineered, conditional). It is important to understand that, for safety reasons,
all the safety pre-alarms and shutdown alarms are considered to be
engineered alarms. There is no provision to modify these alarms from the
DeltaV HMI, nor is there a manner (outside the proper overrides) to bypass or
turn off these alarms. All alarm values for an input device shall be visible from
the faceplates on the HMI for that device. Deadband values and range settings
are treated in a similar manner.
Pre-Alarms
Pre-alarms shall give the operator the opportunity to take corrective action
before a process shutdown occurs. Reset action is not required, and pre-alarms
should not be defeated by maintenance overrides.
A device that is in pre-alarm shall be prioritized by the AOA team. Pre-alarm
acknowledgement is purely an HMI function, and once acknowledged the
device shall appear as solid alarm colour (non-flashing). If the device reverts to
normal before the operator has acknowledged the alarm, the device shall flash
in hatch alarm colour.
4.5.3
Shutdown Alarms
Shutdown initiators shall be trapped so that the operator, when troubleshooting,
can always find the source of the shutdown (in the event that the initiating
condition is only present for a short duration). Reset action is required.
Shutdown alarms are not defeated by maintenance overrides (although the
actual trip is prevented in such a case).
A ready to reset button shall be provided. This button will alert the operator
that the initiating condition(s) are normal (the deadband is satisfied) and the
interlock is ready to be reset.
A device that is in shutdown and has high priority when in alarm shall appear
flashing red on the HMI process screen. Shutdown alarm acknowledgement is
purely an HMI function, and once acknowledged the device shall appear as
solid red (non-flashing).
Shutdown alarms may be ganged for large pieces of equipment to reduce
alarm flooding. For example, a common furnace shutdown may be generated
on a furnace trip. The operator will use the safety instrumented function
displays to diagnose the cause of the problem.
4.5.4
4.5.5
4.5.6
typically maintenance type overrides, and are analogous to the MOS discussed
in the previous section.
Shutdown initiator overrides are often required for start-up. A typical example
would be for low flow shutdowns. MOS should not be used for such purposes,
since the application of these overrides would adversely affect the availability
calculations and hence safety. An operational override shall be used for these
requirements, and the override automatically de-activates under predefined
conditions. For the above low flow trip the operational override would have a
time-out function. In programming terms, this would be called a class B
override. In some cases it may be that the trip may need to return to a normal
process condition before de-activating. These types of overrides are referred to
as a class C override.
Some of these operational overrides need detailed process information. An
example would be the isolation of a feed to storage under high temperature
conditions. Since the lines are insulated the material may take some time to
cool down. There may be a conditional override based on another temperature
(a class C) together with a timed bypass (class B).
While a device is in a startup override mode (class B or C), the shutdown
alarms and pre-alarms shall be inhibited.
When a process is intentionally stopped, either through automatic logic or
manually, alarms that would normally be suppressed during startup are also
viewed as nuisance alarms while shutdown. Therefore, when a process is
intentionally stopped and an initiating device would cause an alarm, that alarm
will be inhibited by the SIS.
4.5.7
4.5.8
Conditional Alarm
The DeltaV conditional alarming feature provides the ability to easily add alarm
time delays and enable/disable alarms to minimize nuisance alarms. This
functionality is available to the PCS and SIS; however, it is only available in the
SIS in certain cases. Refer to the SIS Configuration Specification for further
detail.
4.5.9
Digital Alarm
The DeltaV Digital Alarm will come from a digital input such as pressure, level
or limit switches, or another type of discrete input in the PCS or SIS system.
There will be an indication to the operator on the Level-3 process graphics.
4.6
Alarm Priority
There are 12 possible alarm priority levels, with numeric values 4 through 15. The
highest priority value is 15 (it is used for the most important alarm). The lowest
priority value is 4. The alarm priorities configured for the WQ-2 project are given in
Table 8.
An operator display will provide a list of all PCS module alarms currently
suppressed at any point in time. The operator cannot disable or suppress
engineered alarms.
Maintenance alert information will use two of the alarm priorities. This
information will not be shown on the alarm summary.
Priority: CRITICAL, WARNING, ADVISORY
Priority in DeltaV | Priority Level | Auto Acknowledge | Auto Acknowledge Inactive | Horn Sound
S_CRITICAL | 15 | NO | NO | YES
E_CRITICAL | 14 | NO | NO | YES
F_CRITICAL | 13 | NO | NO | YES
F_WARNING | 11 | YES | YES | None
D_CRITICAL | 10 | YES | YES | None
D_WARNING | | YES | YES | None
ADVISORY | | YES | YES | None
Table 8
Alarm Priority Settings
4.6.1
Alarm Importance
The acknowledged status of the alarm, the current alarm state, the priority
value, and the time stamp on the alarm determine the alarm's importance in
the system:
1. Unacknowledged alarms have a higher importance than acknowledged
alarms.
2. After the acknowledgement status is considered, alarms that are still
active are considered more important than alarms that have already
cleared but have not been acknowledged by the operator yet.
3. When more than one alarm has the same acknowledgment status and
active status, the alarm with the higher priority value has the highest importance.
4. When more than one alarm has the same priority value, active status, and
acknowledgment status, the newer alarm has a higher importance.
For example, the most recent, acknowledged, active alarm with a priority value
of 15 is the most important alarm in the system. Then, a new alarm occurs that
is unacknowledged and has a priority value of 7. This new alarm is of higher
importance than an acknowledged alarm with a priority value of 15 because of
the acknowledgement status of the alarms.
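The four importance rules above can be expressed as a single sort key. This is an added example, not DeltaV code or part of the original document; the `Alarm` class, the tag names and the sample alarms are constructed for illustration.

```python
"""Added example: the importance ordering of section 4.6.1 as a sort key."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Alarm:
    tag: str              # constructed module/alarm tag
    priority: int         # priority value, 4 (lowest) to 15 (highest)
    active: bool          # False once the condition has cleared
    acknowledged: bool
    time: datetime        # alarm time stamp


def importance_key(alarm):
    """Tuple compared left to right, matching rules 1 to 4 of the text."""
    if not 4 <= alarm.priority <= 15:
        raise ValueError(f"priority {alarm.priority} outside 4..15")
    return (
        not alarm.acknowledged,   # 1. unacknowledged before acknowledged
        alarm.active,             # 2. still active before cleared
        alarm.priority,           # 3. higher priority value first
        alarm.time,               # 4. newer alarm first
    )


def rank(alarms):
    """Most important alarm first."""
    return sorted(alarms, key=importance_key, reverse=True)


def _t(hms):
    return datetime.strptime("2013-01-09 " + hms, "%Y-%m-%d %H:%M:%S")


# Constructed sample alarms. The first two mirror the example in the text:
# an acknowledged, active priority-15 alarm and a new unacknowledged priority-7 alarm.
SAMPLE = [
    Alarm("PT-101/HI_HI", 15, active=True, acknowledged=True, time=_t("12:00:00")),
    Alarm("LT-204/LO", 7, active=True, acknowledged=False, time=_t("12:01:00")),
    Alarm("FT-310/HI", 11, active=False, acknowledged=False, time=_t("12:00:30")),
    Alarm("TT-415/HI", 11, active=True, acknowledged=False, time=_t("12:00:10")),
    Alarm("TT-416/HI", 11, active=True, acknowledged=False, time=_t("12:00:40")),
]

if __name__ == "__main__":
    for a in rank(SAMPLE):
        state = "active" if a.active else "cleared"
        ack = "ack" if a.acknowledged else "unack"
        print(f"{a.tag:14} prio={a.priority:2} {state:7} {ack}")
```

Because acknowledgement is compared first, the acknowledged priority-15 alarm ranks below every unacknowledged alarm, including a cleared one.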
4.7
Table 9 below. Each standard alarm is associated with one of these alarm
types.
Alarm Type Name | Alarm Word | Category | Alarm Message
Any Alarm | ANY | SYSTEM |
 | CFN | PROCESS |
Change of State | COS | PROCESS | Change of state
Communication Error | COMM | INSTRUMENT | Communication error
Deviation Alarm | DEV | PROCESS |
DISC_ALM | DISC_ALM | PROCESS |
Discrete Device | FAILED | PROCESS | %P1
ENG_DEV_ALM | ENG_DEV | PROCESS |
ENG_HIGH_ALM | ENG_HIGH | PROCESS |
ENG_HIHI_ALM | ENG_HIHI | PROCESS |
ENG_LOLO_ALM | ENG_LOLO | PROCESS |
ENG_LOW_ALM | ENG_LOW | PROCESS |
ENG_RATE_ALM | ENG_RATE | PROCESS |
 | FLT | SYSTEM |
 | IOF | INSTRUMENT |
High Alarm | HIGH | PROCESS |
 | HIHI | PROCESS |
Low Alarm | LOW | PROCESS |
 | LOLO | PROCESS |
New Alarm | NEW | SYSTEM |
 | OCD | INSTRUMENT |
Over Range | OVER | INSTRUMENT |
Rate of Change | RATE | PROCESS |
Statistical Alarm | ERROR | SYSTEM |
Under Range | UNDER | INSTRUMENT |
 | ALARM | PROCESS | %P1
 | ALARM | PROCESS | %P1 %P2
Table 9
Standard and Custom Alarm Types, Category, and Message
%P1 and %P2 represent the values of user-defined parameters. User-defined
parameters typically capture the value that caused the alarm and the limit value
that was in effect at the time the alarm was detected.
For example, the alarm description column would show "High Alarm Value 50.5
Limit 45.0" in the alarm summary display.
By default, HH and LL alarms will NOT be configured for PCS alarms. They will
be configured only under the following conditions:
- The operator must take different and/or more severe actions for initial
  alarm and combination alarm
- There must be enough time in-between alarms to perform the
  successful initial alarm corrective action before the combination alarm
  trips
Experience shows that 90+% of all HI-HH and LO-LL combinations will be
eliminated during rationalization, if these principles are followed. If the HH or
LL alarm is actually used to trigger a trip (and is thus a trip notification alarm),
then it is allowed. The rule above is met because the action for the trip is
different than the action for the pre-trip.
4.8
Alarm Suppression
Alarm suppression is the way to temporarily disable annunciation of an alarm in
the DeltaV Operator Interface. This means that the suppressed alarm will not set
off the workstation alarm horn and will not be displayed in the alarm summary
and in the alarm banner, but this alarm will still be registered in the
alarms/events log.
Note that suppression uses the OPSUP parameter. The use of this parameter
does not affect any interlock activity that is triggered by the alarm. The interlock
will function regardless of the value of OPSUP.
Alarm suppression is typically used when the operator needs to suppress a
single or small number of alarms. These alarms are typically considered
nuisance for the reason that maintenance personnel may be working on a
certain transmitter or device that causes the alarm to ring in and out frequently.
There are several ways to suppress an alarm, typically:
- From the detail display, activate the alarm suppression check box
- From faceplate, right click on alarm box and select the alarm
- From the alarm summary, right click on the alarm and select suppress
  alarm
Shift supervisor level access will be required to suppress alarms.
Operators should check the suppressed alarm display at the start of every shift.
Alarms suppressed for sensor malfunction reasons must be unsuppressed
after sensor repairs are made.
Staff should periodically assess the duration of suppressed alarms and ensure
the suppression process remains controlled.
All suppressed alarms will be displayed on the alarm suppression screen. This
graphic shows information similar to what is on the alarm summary, and will
look like this:
Figure 1
Alarm Suppression Window
The procedure to un-suppress an alarm is typically done from the alarm
suppression screen by right clicking on the alarm and selecting un-suppressed
alarm, or from the detail faceplate as described above. Un-suppressing an
active alarm will cause the alarm to be displayed in the alarm banner and alarm
summary screen.
Note: Suppressing an alarm only removes the alarm from the alarm banner
and alarm summary, but does not remove any interlocks or actions from this
alarm that have been configured in the control system.
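Because suppressed alarms are still registered in the alarms/events log, the periodic review of suppression described above can be run against exported event records. The sketch below is an added example, not part of the original document: the record fields, the SUPPRESS/UNSUPPRESS/ACTIVE event strings, the account names and the 12-hour limit are all assumptions made for illustration and do not represent a DeltaV export format.

```python
"""Added example: audit alarm suppression from exported event records."""
from datetime import datetime, timedelta

MAX_SUPPRESSED = timedelta(hours=12)   # ASSUMPTION: one shift; the page sets no limit
SUPERVISORS = {"sup_lee"}              # ASSUMPTION: constructed shift supervisor accounts
AUDIT_TIME = datetime(2013, 1, 10, 7, 0, 0)   # constructed "start of shift" time

# Constructed sample records (field names and event strings are hypothetical).
EVENTS = [
    {"time": "2013-01-09 06:05:00", "module": "PT-101", "alarm": "HI_ALM",
     "event": "SUPPRESS", "user": "sup_lee"},
    {"time": "2013-01-09 06:40:00", "module": "PT-101", "alarm": "HI_ALM",
     "event": "ACTIVE", "user": ""},
    {"time": "2013-01-09 07:15:00", "module": "LT-204", "alarm": "LO_ALM",
     "event": "SUPPRESS", "user": "op_kim"},
    {"time": "2013-01-09 08:00:00", "module": "FT-310", "alarm": "ENG_HI_ALM",
     "event": "SUPPRESS", "user": "sup_lee"},
    {"time": "2013-01-09 09:00:00", "module": "PT-101", "alarm": "HI_ALM",
     "event": "UNSUPPRESS", "user": "sup_lee"},
    {"time": "2013-01-09 09:30:00", "module": "PT-101", "alarm": "HI_ALM",
     "event": "ACTIVE", "user": ""},
    {"time": "2013-01-09 10:00:00", "module": "FT-310", "alarm": "ENG_HI_ALM",
     "event": "UNSUPPRESS", "user": "sup_lee"},
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def audit(events, now):
    """Return (finding, (module, alarm), detail) tuples in time order."""
    open_suppressions = {}      # (module, alarm) -> suppression start time
    findings = []
    for e in sorted(events, key=lambda e: _ts(e["time"])):
        key, when = (e["module"], e["alarm"]), _ts(e["time"])
        if e["event"] == "SUPPRESS":
            # The page requires shift supervisor level access to suppress.
            if e["user"] not in SUPERVISORS:
                findings.append(("NOT_SUPERVISOR", key, e["user"]))
            # The page states engineered alarms cannot be suppressed.
            if e["alarm"].startswith("ENG_"):
                findings.append(("ENGINEERED_SUPPRESSED", key, e["user"]))
            open_suppressions[key] = when
        elif e["event"] == "UNSUPPRESS":
            open_suppressions.pop(key, None)
        elif e["event"] == "ACTIVE" and key in open_suppressions:
            # Logged but never annunciated: no horn, banner or summary entry.
            findings.append(("ACTIVE_WHILE_SUPPRESSED", key, e["time"]))
    for key, start in open_suppressions.items():
        if now - start > MAX_SUPPRESSED:
            findings.append(("SUPPRESSED_TOO_LONG", key, str(now - start)))
    return findings


if __name__ == "__main__":
    for finding in audit(EVENTS, AUDIT_TIME):
        print(finding)
```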
4.8.1
4.9
Alarm Filtering
Alarm filtering is typically used when the operator needs to view all the alarms
in a process plant area; a typical process area consists of the major equipment
like the SIH_05 and SIH_06.
The area alarm filtering icon enables you to turn on the areas from which
we want to see alarms and to turn off the areas from which we do not want to
see alarms. An area that has been turned off is filtered.
Figure 2
Alarm Filter Window
The alarm filter is used to filter alarms in up to 100 plant areas by the following
procedure:
1. Check the box next to an area to display that area's alarms in the alarm
banner, the alarm summary, and the alarm suppression screen.
2. Clear the check box to filter alarms by preventing that area's alarms
from being displayed in the alarm banner, the alarm summary screen,
the alarm suppression screen, and the alarm filter screen.
3. Click the all on button to see alarms from all areas that can be turned
on. Click the all off button to filter (that is, to prevent display of) alarms
from all areas.
4. Click an alarm area to see detailed information (for example, time of
alarm, module, description, parameter, alarm description, and message)
on the alarms for that area.
5. Click the description column in the detailed information area to open
the faceplate picture, the primary control picture, or both pictures for that
module. This is known as alarm direct access. Two buttons in the alarm
banner enable and disable alarm direct access.
The total count of unacknowledged alarms, active alarms, and suppressed
alarms for an area that is checked is displayed next to the plant area name.
The total number of alarms, the number of unacknowledged alarms, and the
number of suppressed alarms are shown across the top of the area alarm
details section. The details section of this picture uses the DeltaV alarm
summary object. Whenever an area is being filtered or an alarm is being
suppressed, an indicator appears on the alarm acknowledge button on the
toolbar, as shown below.
Indicator
Indicator Meaning
Indicates that one or more areas are being filtered out.
Table 10
Alarm Indicators
Alarm filtering only affects what is seen through the DeltaV HMI screens. It
does not affect the event chronicle database or the association between
workstations, users, and alarms that is defined in the PCS or the area keys
assigned in the user manager. Alarm filtering affects only the machine on
which the filter settings were made and is independent of the user. If you filter
alarms and then log off the machine, the next user to log on will not see alarms
from the areas that you filtered.
In this project, alarm segregation is done on each operator console according
to the area of operation to prevent alarm overload. Wherever helpful, alarms
should be segregated for annunciation to the operator.
4.10
alarms database for 30 days (available through the process history view) and
then purged into the text files located in the specified directories.
Process history view application on operator workstations shall be configured
to connect to application station when displaying alarms/events.
Figure 3
Alarms Collection Configuration on the ProPlus and Application Workstations
The application process history view provides a spreadsheet view of the events and
process alarms that occur. It also captures system events such as operator
changes, control module installations, and changes in device status. Each event
record is made up of fields such as date/time, event type, category, area, node,
module, etc.
Figure 4
Alarm and Event Viewer
4.11
Alarm Summary
The DeltaV system software provides a visual tool for monitoring alarms called
the alarm summary link. The alarm summary link allows you to monitor,
acknowledge, and list alarms using a variety of filtering and sorting methods.
Alarm messages in the alarm summary link's display can be color-coded to
provide visual clues to the operators.
Alarms can be sorted as per the table below.
Attribute
Sorts Alarms By
Time In
Block Type
Module
Priority
The alarm priority, as defined for each block in the process database (low, medium,
or high).
Node
The node name where the alarm originated. The sort by node is based on the
order in which the nodes appear in the network list in the SCU.
Ack/Time
Acknowledgement and then by time in. When sorting alarms in descending order,
unacknowledged alarms appear before acknowledged alarms.
Ack/Priority
Table 11
Alarm Summary Parameters
Module alarm information is displayed in the alarm summary display until the
module value returns to a normal state and an operator has acknowledged that
alarm. The following figure shows a sample alarm summary screen.
Figure 5
Alarm Summary Screen
Note: Only the background color of the priority and ACK columns changes based on
alarm priority.
5.1
2.
3.
5.1.1
5.1.1.1
5.1.2
Design Metrics
Design metrics can be used during the alarm system design phase to check
whether the design is appropriate for the type of facility and determine the
effort that will be required to maintain the system over the lifetime of the plant.
As the complexity of the process increases, one would expect more alarms per
operator to be required.
5.1.2.1
Operating Metrics
Each area of the plant will periodically assess the performance of its alarm
system. The assessment should occur monthly and include the following key
performance indicators:
Average alarm rate (number of alarms per 10 minute period)
Alarm frequency distribution (for example, % of time at less than one, 1-10 and greater than 10 alarms/10 minute window)
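The two indicators above can be computed directly from an exported alarm journal. The following is an added example, not part of the original document: the journal records, tag names and function names are constructed, and the share of 10-minute windows is used as the measure of "% of time".

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
START = datetime(2012, 12, 18, 8, 0)
END = START + timedelta(hours=1)


def burst(minute, count, tag):
    """Constructed-data helper: `count` activations of `tag`, 10 s apart."""
    return [(START + timedelta(minutes=minute, seconds=10 * i), tag)
            for i in range(count)]


# Constructed one-hour alarm journal for one area: (activation time, alarm).
SAMPLE = (burst(12, 2, "FIC-101/LO") + burst(21, 12, "PIC-205/HI")
          + burst(33, 1, "LIC-310/HI") + burst(52, 3, "FIC-101/LO"))


def window_counts(events, start, end):
    """Activations in each whole 10-minute window of [start, end)."""
    counts = [0] * ((end - start) // WINDOW)
    for ts, _tag in events:
        idx = (ts - start) // WINDOW
        if 0 <= idx < len(counts):  # ignore events outside whole windows
            counts[idx] += 1
    return counts


def alarm_kpis(events, start, end):
    """Average alarm rate and frequency distribution per 10-minute window."""
    counts = window_counts(events, start, end)
    n = len(counts)

    def share(pred):
        return 100.0 * sum(1 for c in counts if pred(c)) / n

    return {
        "average_per_10min": sum(counts) / n,
        "pct_windows_lt_1": share(lambda c: c < 1),
        "pct_windows_1_to_10": share(lambda c: 1 <= c <= 10),
        "pct_windows_gt_10": share(lambda c: c > 10),
        "peak_window": max(counts),
    }


if __name__ == "__main__":
    print(window_counts(SAMPLE, START, END))
    print(alarm_kpis(SAMPLE, START, END))
```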
5.1.2.2
5%
0% - EEMUA
Chattering Alarms
0 per day
0 per day
<= 3 / day
0 per day
Table 12
Benchmarks for Assessing Average Alarm Rates
Priority
Critical (Emergency)
Very infrequently
High
Medium
Low
Table 13
Target occurrence rates of alarms of different priorities
Metric
Alarms per Control Valve
Low
Average
High
0.5
0.2
0.4
0.6
Table 14
Guidance on alarms per plant sub-system
What is important about these target rates is not only the ability of operators to
respond to alarms, but also the operators' attention to the importance of the
alarm. The greater the number of high priority alarms compared to, say, low
priority alarms, the more the operator will over time discount the priority of
alarms altogether and treat each with the same level of attention, thus defeating
a key feature of alarm systems.
Table 15 provides current industry measurement of the long-term alarm rate
average for plants in steady state operation. It can be easily seen that the
industry standard is well above what is recognized as an acceptable level, and
is significantly higher than the target maximum rate of one per 10 minutes
shown in Table 15.
Long term average alarm rate
in steady state operation
Acceptability
Manageable
Table 15
Benchmarks for assessing average alarm rates
Other dynamic alarm system metrics, such as the number of alarms following a
plant upset, the number of standing alarms and operator response times
provide tools to review and modify alarm systems to improve performance.
What is lacking at present is a relatively easy method of measuring alarm
system performance in terms that are not subject to intensive post mortem
studies of events or extensive alarm system data collection. It may remain a
fact of alarm system design and maintenance that the effort required for
continuous improvement is exhaustive; however, the benefits cannot be readily
argued without a link between operator action, production targets and dynamic
alarm activity.
5.1.2.3
5.1.2.4
5.1.2.5
5.1.2.6
Priority Distribution
The effective use of alarm priority can be checked by looking at the distribution
of alarms sorted by priority over a period of time. A large percentage of high
priority alarms indicates that the control system is not effectively keeping the
process within bounds, and that operator action is needed to avoid a significant
consequence. Either that, or the assigned priority is incorrect.
5.1.3
5.1.4
do not meet the real criteria for an alarm (there is no operator action to take)
and will become stale and contribute to alarm floods and confusion.
It is a best practice that all such normal operating states should not cause
alarms. Alarms should be produced only upon abnormal or unexpected events.
State-based methodologies produce dynamic alarm configurations based upon
the specific process & equipment conditions. Multiple alarm trip point and
priority settings are configured for appropriate alarms and enabled based on
plant state.
Two components are required for handling state based alarms: a state detector
and a state enforcer. The detector uses available information (which can
include operator input if desired) to correctly identify the current operating state
of the equipment, while the enforcer actually makes the desired alarm
modifications. Neither of these tasks may be automated.
If multiple process states producing differing alarms are identified, these must
be documented during the alarm rationalization. State transitions requiring
alarm system modifications should be handled by one of the following methods:
Fully automated transition, with no input required from the operator
Semi-automated transition, utilizing the operator to identify/confirm the
correct state and initiate the change
Manual transition, with changes identified and performed individually by
the operator
For fully automatic transitions, documentation and other indication must be
provided to communicate the current operating state to the operator. Automatic
transitions requiring operator initiation should include a failsafe to monitor the
process and return critical alarms to service.
The manual transitions shall be fully documented for the operator, and include
custom designed operating schematics or reports for review, and to approve
that all settings are correct.
Any software methodology for dynamic change of alarms must be robust and
have fail-safe mechanisms.
5.1.5
be presented to the operator at a rate faster than he/she can respond. Periods
of alarm activity with presentation rates higher than the operator can respond
are defined as alarm floods. When the operator experiences an alarm flood,
his/her effectiveness is diminished because important information could be
missed.
Alarm floods can make a difficult process situation much worse. In a severe
flood, the alarm system becomes a nuisance, a hindrance, or a distraction,
rather than a useful tool.
Flood suppression is the dynamic management of pre-defined groups of
alarms based on detection of equipment state and triggering events.
5.1.6
When inputs or outputs to an ESD system are bypassed for testing, such a
condition must be annunciated per standards and displayed to the operator on
the schematics.
5.1.7
Duplicate Alarms
Duplicate alarms, where several alarms on different process parameters
indicate the same abnormal situation, should be removed. In most cases, the
documentation and rationalization team shall select the best indicator of the
root cause and place the alarm on that device.
5.1.8
Consequential Alarms
WQ-2 Project facility process units are highly integrated systems with many
interrelations. A single alarm may propagate through other alarms in the
system. For example, a pump trip alarm may result in numerous low header
pressure or low feed flow alarms. Often a consequential alarm can be handled
by the same methods as duplicate alarms and voting alarms, or incorporated
into a state-based alarming strategy.
5.1.9
Chattering Alarms
To minimize chattering alarms, which activate repeatedly over a short period of
time, appropriate deadbands must be selected for all alarms. This may involve
the programming of a deadband for analog trip values, and a delay time or filter
for discrete points. Determination by historical performance is recommended.
Best practice starting points for design are listed in Table 16 below.
Signal Type
Deadband
Delay Time
Flow
2 sec
5%
15 sec
Level
2 sec
5%
60 sec
Pressure
1 sec
2%
15 sec
Temperature
0 sec
1%
60 sec
Table 16
Deadband and Delay Time
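The effect of the Table 16 starting points on a chattering alarm can be checked against a recorded signal before the settings are configured. This is an added example, not part of the original document: the signal is constructed, the function name is hypothetical, and it assumes that the percentage in each row is the deadband as a percent of instrument range and that the last value in each row is an on-delay (the condition must persist that long before annunciation).

```python
# Table 16 starting points as read from the page (assumed mapping):
# signal type -> (deadband in % of range, delay time in seconds).
TABLE_16 = {"flow": (5, 15), "level": (5, 60),
            "pressure": (2, 15), "temperature": (1, 60)}


def high_alarm_times(samples, trip, span, deadband_pct=0.0, on_delay_s=0.0):
    """Return the times at which a high alarm is annunciated.

    samples: (time_s, value) pairs in time order. The alarm is annunciated
    once the value has stayed at or above trip for on_delay_s, and clears
    only when the value falls below trip minus the deadband.
    """
    clear_below = trip - span * deadband_pct / 100.0
    active, pending_since, times = False, None, []
    for t, value in samples:
        if active:
            if value < clear_below:
                active, pending_since = False, None
        elif value >= trip:
            if pending_since is None:
                pending_since = t
            if t - pending_since >= on_delay_s:
                active = True
                times.append(t)
        else:
            pending_since = None  # condition cleared before the delay expired
    return times


# Constructed pressure signal, 0-100 range, 5 s scan: one minute of noise
# around the 80.0 trip point, a sustained excursion, then recovery.
SAMPLES = ([(5 * i, 80.5 if i % 2 == 0 else 79.5) for i in range(12)]
           + [(60 + 5 * i, 85.0) for i in range(12)]
           + [(120 + 5 * i, 70.0) for i in range(4)])

if __name__ == "__main__":
    deadband, delay = TABLE_16["pressure"]
    print("no deadband, no delay:", high_alarm_times(SAMPLES, 80.0, 100.0))
    print("Table 16 settings:   ",
          high_alarm_times(SAMPLES, 80.0, 100.0, deadband, delay))
```

On this signal the unconditioned alarm annunciates seven times, while the pressure settings give a single annunciation 15 seconds into the sustained excursion.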
Delay time, sometimes called a debounce timer, is a selectable system
capability of some alarm types. An ON-DELAY requires that an alarm be in
effect for the specified number of seconds before it is initially annunciated to
5.1.11
5.1.12
5.2
Management of Change
Once time and effort have been expended in determining proper alarm settings, these
settings must be maintained and not allowed to drift into other configurations. To
maintain the integrity of the alarm system, management of change procedures
must be in effect that address changes to alarm systems. Such changes must
be properly evaluated, authorized and communicated to all affected personnel
and shifts.
MOC procedures must define the minimum level to invoke appropriate
approvals and documentation.
Changes in alarm priority
Changes in alarm trip point
Creation of new alarms
Deletion of existing alarms
Change of alarm type
Change of alarm description or text message
Temporary suppression of alarms (an approved shelving methodology
must be used)
Point execution status (turning a sensor on or off)
Changes in alarm presentation on graphics
Additions of, modifications to, or updates to alarm handling capabilities
such as alarm shelving systems or state based alarming configuration
The following changes should be controlled in a way to ensure that only
authorized, knowledgeable people perform the changes.
Controller tuning parameters
Point ranges
Modification of logic points, interlocks, embedded programs, PCS
operating system software, and similar functions
The change system itself must be designed to accommodate the number of
certain types of changes that are necessary, without an over-burden of
paperwork, but without compromising safety.
Audit and enforcement software should be used to periodically check for
changes from the proper settings, to report such changes, and to restore the
system to the proper settings.
The proper settings reside in a master alarm database. The MOC system must
ensure timely update of that database so that proper changes do not get
undone by the enforcement software.
Note that audit and enforcement software/methodologies must understand any
state-based, flood suppression, shelving, or other alarm handling strategies
being employed and work correctly in conjunction with them.
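An audit of the running configuration against the master alarm database, written so that state-based settings and approved shelving are treated as expected rather than as drift, might look as follows. This is an added example, not part of the original document or of any vendor tool: the data layout, tag names, plant states and function names are all constructed for illustration.

```python
# Constructed master alarm database: approved priority and per-state trip
# point. A trip of None means the alarm is out of service in that state.
MASTER = {
    "PIC-205/HI": {"priority": "HIGH",   "trip": {"RUNNING": 80.0,  "STARTUP": 90.0}},
    "FIC-101/LO": {"priority": "MEDIUM", "trip": {"RUNNING": 20.0,  "STARTUP": None}},
    "LIC-310/HI": {"priority": "LOW",    "trip": {"RUNNING": 75.0,  "STARTUP": 75.0}},
    "TIC-402/HI": {"priority": "HIGH",   "trip": {"RUNNING": 150.0, "STARTUP": 150.0}},
}
# Constructed snapshot of the running configuration.
LIVE = {
    "PIC-205/HI":  {"priority": "HIGH", "trip": 95.0, "enabled": True},
    "FIC-101/LO":  {"priority": "LOW",  "trip": 20.0, "enabled": True},
    "LIC-310/HI":  {"priority": "LOW",  "trip": 75.0, "enabled": False},
    "XV-900/FAIL": {"priority": "LOW",  "trip": None, "enabled": True},
}
SHELVED = {"LIC-310/HI"}  # shelved through the approved shelving method


def audit(master, live, state, shelved=frozenset()):
    """Return (tag, field, expected, actual) for every deviation from master."""
    findings = []
    for tag in sorted(master.keys() | live.keys()):
        if tag not in master:
            findings.append((tag, "unapproved alarm", None, live[tag]))
        elif tag not in live:
            findings.append((tag, "alarm deleted", master[tag], None))
        else:
            trip = master[tag]["trip"][state]
            # Suppression by plant state or shelving is expected, not drift.
            want = {"priority": master[tag]["priority"],
                    "enabled": trip is not None and tag not in shelved}
            if trip is not None:
                want["trip"] = trip
            for field, value in want.items():
                if live[tag][field] != value:
                    findings.append((tag, field, value, live[tag][field]))
    return findings


def enforce(live, findings):
    """Return a copy with field-level drift restored; created or deleted
    alarms are left for review and only reported."""
    fixed = {tag: dict(cfg) for tag, cfg in live.items()}
    for tag, field, expected, _actual in findings:
        if field in ("priority", "trip", "enabled"):
            fixed[tag][field] = expected
    return fixed
```

Running `audit(MASTER, LIVE, "RUNNING", SHELVED)` reports the changed priority, the changed trip point, the deleted alarm and the unapproved alarm, and stays silent about the shelved alarm.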
To emphasize, best practices support that the integrity of the overall alarm
system is of such importance as to require MOC around all alarm priorities,
including low. This is why a separate operator alert system/priority is a best
practice as well.
The alarm system champion for the area in question should be notified of any
and all alarm changes so that they can maintain the integrity of the alarm
system.
Exceptions that do not require an MOC include the operation of alarm handling
strategies of state based, flood suppression, or shelving as defined in this
philosophy document. Alterations to the configuration of these strategies
themselves, however, must be done utilizing MOC and proper review and
authorization.