PETRONAS TECHNICAL STANDARDS

DESIGN AND ENGINEERING PRACTICE

ALARM MANAGEMENT GUIDELINES

PTS 32.30.60.19 DECEMBER 2008

© 2010 PETROLIAM NASIONAL BERHAD (PETRONAS) All rights reserved. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the permission of the copyright owner

TABLE OF CONTENTS
1.0 INTRODUCTION ........ 1
1.1 SCOPE AND OBJECTIVES ........ 1
1.2 DISTRIBUTION, INTENDED USE AND REGULATORY CONSIDERATIONS ........ 1
1.3 DEFINITIONS ........ 1
1.4 ABBREVIATIONS ........ 5
2. CODES AND STANDARDS ........ 7
3. ALARM GUIDELINES ........ 8
3.1 ALARM PARAMETERS SHALL NOT BE ALTERED WITHOUT PROPER MANAGEMENT OF CHANGE ........ 8
3.2 ALARMS ARE NOT A SUBSTITUTE FOR AN OPERATOR'S ROUTINE SURVEILLANCE OF UNIT OPERATION ........ 8
3.3 AN ALARM MUST REQUIRE IMMEDIATE ACTION BY THE OPERATOR ........ 8
3.4 THERE SHALL NOT BE MULTIPLE ALARMS THAT PROMPT THE SAME OPERATOR ACTION ........ 9
3.5 ALARM PRIORITY DEFINES THE DEGREE OF URGENCY OF CORRECTIVE ACTION BY THE OPERATOR ........ 9
3.6 ALARMS SHOULD PROVIDE TIMELY ADVICE THAT THERE ARE PROBLEMS REQUIRING OPERATOR INTERVENTION ........ 10
3.7 AN ALARM SHOULD HELP THE OPERATOR TO QUICKLY IDENTIFY THE CAUSE OF A PROBLEM ........ 10
3.8 SIGNALS WHICH DO NOT QUALIFY AS ALARMS ........ 10
4. ALARM MANAGEMENT PROCESS ........ 11
4.1 ALARM MANAGEMENT PHILOSOPHY ........ 13
4.2 IDENTIFICATION ........ 13
4.3 ALARM RATIONALIZATION ........ 13
4.4 ALARM DESIGN ........ 15
4.5 IMPLEMENTATION ........ 26
4.6 OPERATION ........ 26
4.7 PERFORMANCE MONITORING ........ 26
4.8 MAINTENANCE ........ 28
4.9 ASSESSMENT ........ 28
4.10 MANAGEMENT OF CHANGE ........ 28
4.11 ALARM MANAGEMENT PROCESS LOOPS ........ 29
4.12 ALARM DOCUMENTATION ........ 30
4.13 ALARM HISTORY RETENTION ........ 30
5.0 PRIORITY ASSIGNMENT ........ 31
6.0 BENCHMARKING, PERFORMANCE METRICS AND REPORTING ........ 32
7.0 ALARM PRESENTATION ........ 34
8. AUDIBLE SIGNALS CONSIDERATIONS ........ 35
9. TRAINING ........ 36
10. ROLES AND RESPONSIBILITIES ........ 37
11. REFERENCES ........ 38

APPENDICES
APPENDIX 1: ALARM REVIEW FORM ........ 39
APPENDIX 2: DCS ALARM PRIORITIZATION RISK ASSESSMENT MATRIX ........ 40

PREFACE
PETRONAS Technical Standards (PTS) publications reflect the views, at the time of publication, of PETRONAS OPU(s)/Division(s). They are based on the experience acquired during the involvement with the design, construction, operation and maintenance of processing units and facilities. Where appropriate they are based on, or reference is made to, national and international standards and codes of practice. The objective is to set the recommended standard for good technical practice to be applied by PETRONAS' OPU(s) in oil and gas production facilities, refineries, gas processing plants, chemical plants, marketing facilities or any other such facility, and thereby to achieve maximum technical and economic benefit from standardisation. The information set forth in these publications is provided to users for their consideration and decision to implement. This is of particular importance where PTS may not cover every requirement or diversity of condition at each locality. The system of PTS is expected to be sufficiently flexible to allow individual operating units to adapt the information set forth in PTS to their own environment and requirements. When Contractors or Manufacturers/Suppliers use PTS they shall be solely responsible for the quality of work and the attainment of the required design and engineering standards. In particular, for those requirements not specifically covered, the Principal will expect them to follow those design and engineering practices which will achieve the same level of integrity as reflected in the PTS. If in doubt, the Contractor or Manufacturer/Supplier shall, without detracting from his own responsibility, consult the Principal or its technical advisor. The right to use PTS rests with three categories of users: 1) PETRONAS and its affiliates. 2) Other parties who are authorised to use PTS subject to appropriate contractual arrangements. 
3) Contractors/subcontractors and Manufacturers/Suppliers under a contract with users referred to under 1) and 2) which requires that tenders for projects, materials supplied or - generally - work performed on behalf of the said users comply with the relevant standards. Subject to any particular terms and conditions as may be set forth in specific agreements with users, PETRONAS disclaims any liability of whatsoever nature for any damage (including injury or death) suffered by any company or person whomsoever as a result of or in connection with the use, application or implementation of any PTS, combination of PTS or any part thereof. The benefit of this disclaimer shall inure in all respects to PETRONAS and/or any company affiliated to PETRONAS that may issue PTS or require the use of PTS. Without prejudice to any specific terms in respect of confidentiality under relevant contractual arrangements, PTS shall not, without the prior written consent of PETRONAS, be disclosed by users to any company or person whomsoever and the PTS shall be used exclusively for the purpose they have been provided to the user. They shall be returned after use, including any copies which shall only be made by users with the express prior written consent of PETRONAS. The copyright of PTS vests in PETRONAS. Users shall arrange for PTS to be held in safe custody and PETRONAS may at any time require information satisfactory to PETRONAS in order to ascertain how users implement this requirement.

PTS 32.30.60.19 December 2008 Page 1

1.0 INTRODUCTION

1.1 SCOPE AND OBJECTIVES
This document describes the guidelines for the management of Distributed Control System (DCS) alarms within PETRONAS plants, both new and existing. The objectives of this guideline are to:
• establish the work processes in alarm management for PETRONAS;
• provide engineering guidelines for consistent and efficient alarm configuration; and
• achieve world class alarm system performance for all areas by implementing the work processes described.

This guideline shall apply to all audible and visual alarms generated by the DCS on the operator consoles. This PTS was developed together with the Technical Professionals and experienced plant personnel of Skill Group 14. The Custodian of this PTS shall be consulted for any deviation.

1.2 DISTRIBUTION, INTENDED USE AND REGULATORY CONSIDERATIONS
Unless otherwise authorised by PETRONAS, the distribution of this PTS is confined to companies forming part of PETRONAS group and to contractors and manufacturers/suppliers nominated by them.

1.3 DEFINITIONS

1.3.1 GENERAL DEFINITIONS
The Contractor is the party which carries out all or part of the design, engineering, procurement, construction, commissioning or management of a project or operation of a facility. The Principal may undertake all or part of the duties of the Contractor.
The Manufacturer/Supplier/Vendor is the party which manufactures or supplies equipment and services to perform the duties specified by the Contractor or the Plant Owner.
The Plant Owner is the PETRONAS instrumentation party responsible for the operation and maintenance of the equipment, who in turn is responsible to the plant management.
The Principal is the PETRONAS party which initiates the project (new or revamp) and ultimately pays for its design and construction. The Principal will generally specify the technical requirements.
The Custodian is the originator and technical owner of this PTS.
The word Shall indicates a requirement. The word Should indicates a recommendation.


1.3.2 TECHNICAL DEFINITIONS

Absolute alarm
An alarm generated when a set limit is exceeded.

Acknowledge
The operator action that confirms recognition of an alarm.

Activate
The process of enabling an alarm function within the alarm system.

Adjustable Alarm
An alarm for which the limits are changed, automatically or manually, based on operating conditions.

Alarm
An audible and/or visible means of indicating to the operator an equipment malfunction, process deviation, or abnormal condition requiring a response.

Alarm class
A grouping, or class, used to specify design, operation, monitoring and audit requirements for an alarm.

Alarm condition
The indication of the type and level of an alarm.

Alarm deadband
The range through which an input must be varied from the alarm limit necessary to clear the alarm.

Alarm flood (Alarm Shower)
A period of time with a greater number of alarms than the operator can effectively manage.

Alarm group
A set of alarms associated with a process unit or within a process area.

Alarm limit (Alarm trip point, Alarm setpoint)
The threshold value or discrete state of a process variable that triggers the alarm indication (see alarm setpoint).

Alarm log
The historical record of alarm messages.

Alarm management (Alarm system management)
The processes and practices for determining, documenting, designing, operating, monitoring, and maintaining alarm systems.


Alarm philosophy
A document that establishes the basic definitions, principles, and processes to design, implement, and maintain an alarm system.

Alarm priority
The level of importance assigned to an alarm within the alarm system to indicate importance (e.g. seriousness of consequences) and urgency.

Alarm summary
A display that lists alarms with selected information, such as date, time, priority, and alarm condition.

Alarm system
The collection of hardware and software that detects an alarm state, transmits the indication of that state to the operator’s attention, and records changes in the alarm state.

Alert
An audible and/or visible means of indicating to the operator an equipment or process condition that requires awareness and that action may be needed when time permits.

Bypass
To manually modify a function to prevent its activation. (This term is used to describe instrumented functions other than alarms.)

Control system
A system that responds to input signals from the equipment under control and/or from an operator and generates output signals that cause the equipment under control to operate in the desired manner.

Chattering alarm
An alarm that repeatedly transitions between the alarm state and the normal state. For example, any parameter that crosses its alarm threshold three (3) times or more within a one (1) minute period.

Clear
An alternate description of the state of an alarm that has transitioned to the normal state.

Console
The interface for an operator to monitor the process, which may include multiple displays or annunciations.

Deviation alarm
An alarm generated when the difference between two analog values exceeds a set limit.

Disabled alarm
An alarm that has been disabled by the operator such that the alarm will not be generated even though the base alarm condition is present.
Note: Uncontrolled disabling of alarm(s) is not allowed.


Discrepancy alarm
An alarm generated when a comparison of the expected plant or device state with its actual state shows a mismatch (e.g. when a motor fails to start after it is commanded to the ON state).

Dynamic alarming
The automatic modification of alarms based on process state or conditions.

First-out alarm (First-up Alarms)
An alarm method, in a multiple-alarm scenario, of determining which alarm occurred first.

Initiating event
A malfunction, failure or other condition that can cause an alarm indication.

Latching alarm
An alarm that remains in alarm state after the process has returned to normal and requires an operator action beyond acknowledgement before it will clear.

Nuisance alarm
An alarm that transitions from the normal state to the alarm state more frequently than the response action is needed.

Operator
The primary person responsible for ensuring the process parameters are maintained within limits.

Operator response time
The time between the annunciation of the alarm and when the operator takes the correct action in response to the alarm.

Operator-set alarm
An alarm whose setting may be manually adjusted by the operator to suit operating needs.

Out-of-service
A state that suppresses the alarm indication so that maintenance can be performed.

Plant state
A defined state of operation of a process plant (e.g., shutdown, start-up, operating).

Prioritization
The process of assigning to an alarm a level of importance, or priority, which can be implemented within the alarm system.

Rate-of-change alarm
Alarm generated when a limit value for the rate of change of a process parameter d(PV)/dt is exceeded.

Rationalization
The review of a potential alarm against the principles of the alarm philosophy to establish and document the rationale and design requirements for the alarm.


Remote alarm
An alarm from a remotely operated facility or a remote interface.

Reset
The operator action that unlatches a latched alarm.

Re-triggering alarm
An alarm that is automatically re-annunciated to the operator under certain conditions.

Return to normal
The alarm system indication that an alarm condition has transitioned to the normal state.

Shelve
To prevent the transmission of the alarm indication to the operator through a controlled methodology initiated by the operator. The controlled methodology shall be determined by the OPU.

Stale alarm
An alarm that remains in the alarm state for 24 hours or more.

Standing alarms
A measure of the number of stale alarms.

Station
A single human machine interface within the operator console.

Suppress
To prevent the indication of the alarm to the operator when the base alarm condition is present, initiated automatically by logic or manually by the operator.

Unacknowledged
An alarm in the alarm state which has not been acknowledged by the operator.

1.4 ABBREVIATIONS
AMT - Alarm Management Team
ASM® - Abnormal Situation Management®
MOC - Management Of Change
DCS - Distributed Control System
EEMUA - Engineering Equipment and Materials Users Association
HAZOP - Hazard & Operability Study
IPF - Instrumented Protective Function
P&ID - Piping & Instrumentation Diagram
SS - Shift Superintendent
RAM - Risk Assessment Matrix
ACK - Acknowledge or Acknowledged
BPCS - Basic Process Control System
cGMP - Current Good Manufacturing Practice
CLR - Clear
HMI - Human Machine Interface
PFD - Process Flow Diagram or Probability of Failure on Demand
PHA - Process Hazards Analysis
PIMS - Plant Information Management System
RTN - Return To Normal (see definition)
SIL - Safety Integrity Level
SIF - Safety Instrumented Function
SIS - Safety Instrumented System
UNACK - Unacknowledged


2. CODES AND STANDARDS
There are no codes or standards on alarm management established at the time this guideline is written. The Instrument Society of America (ISA) is currently drafting the ISA SP18.02 Instrument Signals and Alarms Standard; the standard is in the final review stage and is due for release in 2008. However, EEMUA Publication No. 191, published in 2007 and entitled "Alarm Systems, A Guide to Design, Management and Procurement", is widely accepted in the industry as the reference document for alarm management. Pending the establishment of an international standard on alarm management, the pertinent recommendations found in the EEMUA document shall be the reference for this guideline, together with the ASM® Consortium Guidelines on Effective Alarm Management Practices Version 5, which documents best practices for alarm management.


3. ALARM GUIDELINES
Alarms are signals annunciated to the operator, typically by an audible sound and by some form of visual indication on the operator display, both of which differ according to the alarm priority. Alarms are important in that they help the operator to monitor deviations from desired operating conditions which may lead to hazardous situations. Alarms help the operator to maintain the plant within a safe operating envelope. The general philosophy for configuring an alarm is that it shall satisfy one or more of the following:
a. the alarm shall indicate a need for Operator intervention;
b. the alarm shall indicate when a control system can no longer control;
c. the alarm shall indicate the need for timely Operator response.

Alarms shall not be configured if the intent cannot be met by any of the above three. In order to ensure that alarms remain relevant and helpful to the operator, each configured alarm in the DCS shall comply with the following set of guidelines:

3.1 ALARM PARAMETERS SHALL NOT BE ALTERED WITHOUT PROPER MANAGEMENT OF CHANGE (MOC)
Modifications to existing alarms or additions of new alarms shall be made through MOC, where proper justification and an alarm design review are required.

3.2 ALARMS ARE NOT A SUBSTITUTE FOR AN OPERATOR'S ROUTINE SURVEILLANCE OF UNIT OPERATION
Process changes that should be caught by operators during their normal monitoring of the process, and that pose no safety issues, shall not be alarmed. The alarm system should be an aid for the operator, not a replacement. Operators are expected to investigate alarms that occur by accessing the appropriate graphic and reviewing trends. Normal and expected process conditions (e.g. sequence processes or ON/OFF control) shall not be alarmed.

3.3 AN ALARM MUST REQUIRE IMMEDIATE ACTION BY THE OPERATOR
Alarms shall not be configured where no corrective action by the Operator is possible. The action required in response to each alarm shall be specified. The consequence of the action not being taken shall be specified in the Alarm Reference Database (sect. 4.4). All alarms are important and should be acted upon as soon as possible.


3.4 THERE SHALL NOT BE MULTIPLE ALARMS THAT PROMPT THE SAME OPERATOR ACTION
Redundant instrumentation provided for shutdown systems will either:
a. not be alarmed;
b. use logic to prevent multiple alarms; or
c. be alarmed on deviation between the primary (alarmed) variable and the other instruments.

Common alarms should be created for multiple alarms on different variables that require the same response. If there are many alarm points, determine which is the best to use based on factors such as measurement reliability, minimization of nuisance alarms, speed of initiation and close logical association with the problem cause. Alarms shall be configured within the DCS controller or input/output block in order to avoid redundant alarms, as follows:
1. Loop with controller – all alarms shall be configured in the controller block, inclusive of the analog input alarms, analog output alarms and bad input.
2. Loop without controller – alarms shall be configured in the individual digital input or output block, or analog input or output block.

3.5 ALARM PRIORITY DEFINES THE DEGREE OF URGENCY OF CORRECTIVE ACTION BY THE OPERATOR
The degree of urgency of an alarm at any instant, and thus its priority, depend on these factors:
a. The severity of the consequences (in safety, environmental and economic terms) of failing to take the corrective action associated with the alarm (refer Appendix 2).
b. The time available and required for the corrective action to be performed (Process Safety Time – refer Figure 2) and to have the desired effect.

Thus, the order in which an operator should take corrective action when a number of alarms are present shall be based on the alarm priorities, where the alarm with the highest priority receives operator attention first (see Section 5 for Priority Assignment). Each alarm priority shall be configured with a different audible sound, with the highest-pitched sound reserved for Emergency / Urgent priority and so forth.
Note: Muting of alarms is not allowed.


3.6 ALARMS SHOULD PROVIDE TIMELY ADVICE THAT THERE ARE PROBLEMS REQUIRING OPERATOR INTERVENTION
An alarm setpoint shall be configured to give the operator at least 5 minutes to take corrective action. The alarm setpoint shall therefore depend on the 'process safety time', defined as the time between the process value reaching the alarm setpoint and the consequence occurring if no action is taken, under normal operating conditions. This time depends on the normal rate of change of the process value; e.g. a small tank with a high receiving flow shall have a lower high-level alarm setpoint than a large tank with a small receiving flow.
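The setpoint rule above can be checked arithmetically: at the normal rate of change, the distance between the proposed setpoint and the level at which the consequence occurs must be worth at least 5 minutes. The following Python snippet is an added example and not part of this PTS; it models a receiving tank whose level rises at its normal net inflow, computes the process safety time for a proposed high-level alarm setpoint, and derives the highest setpoint that still leaves the 5-minute margin. The tank capacities, flows and levels are constructed, and `TankLevelCase` and its methods are names chosen for the example.

```python
"""Process-safety-time check for a high-level alarm setpoint (added example, not part of PTS 32.30.60.19).

Clause 3.6: the setpoint must leave the operator at least 5 minutes before the
consequence occurs, and that margin depends on the normal rate of change of
the process value. Tank sizes, flows and levels below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

MIN_RESPONSE_MINUTES = 5.0   # clause 3.6: at least 5 minutes for corrective action


@dataclass(frozen=True)
class TankLevelCase:
    name: str
    capacity_m3: float            # volume at 100 % level
    consequence_pct: float        # level (% of span) at which the consequence occurs, e.g. overflow or trip
    net_inflow_m3_per_min: float  # normal net filling rate (inflow minus outflow)

    def level_rate_pct_per_min(self) -> float:
        """Normal rate of change of level, in % of span per minute."""
        return 100.0 * self.net_inflow_m3_per_min / self.capacity_m3

    def process_safety_time_min(self, setpoint_pct: float) -> float:
        """Minutes from the alarm setpoint to the consequence level at the normal fill rate."""
        rate = self.level_rate_pct_per_min()
        if rate <= 0:
            raise ValueError("level is not rising; a high alarm has no time-to-consequence here")
        return (self.consequence_pct - setpoint_pct) / rate

    def max_high_setpoint_pct(self, response_min: float = MIN_RESPONSE_MINUTES) -> float:
        """Highest setpoint that still leaves `response_min` minutes before the consequence."""
        return self.consequence_pct - response_min * self.level_rate_pct_per_min()

    def check_setpoint(self, setpoint_pct: float) -> tuple[bool, float]:
        """(compliant with the 5-minute rule, minutes actually available) for a proposed setpoint."""
        pst = self.process_safety_time_min(setpoint_pct)
        return pst >= MIN_RESPONSE_MINUTES, pst


# Constructed cases with the same consequence level but very different fill rates.
SMALL_FAST = TankLevelCase("small tank, high receiving flow", capacity_m3=20.0,
                           consequence_pct=95.0, net_inflow_m3_per_min=1.0)
LARGE_SLOW = TankLevelCase("large tank, small receiving flow", capacity_m3=500.0,
                           consequence_pct=95.0, net_inflow_m3_per_min=1.0)

if __name__ == "__main__":
    for case in (SMALL_FAST, LARGE_SLOW):
        ok, pst = case.check_setpoint(85.0)
        print(f"{case.name}: LAH at 85 % leaves {pst:.1f} min ({'ok' if ok else 'too late'}); "
              f"latest compliant setpoint {case.max_high_setpoint_pct():.1f} %")
```

With the same 85 % setpoint the small, fast-filling tank leaves the operator only 2 minutes (its setpoint has to come down to 70 %), while the large, slow-filling tank leaves 50 minutes and could be alarmed as high as 94 %. The same arithmetic applies to a low-level alarm with the consequence level below the setpoint and the net outflow as the rate.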

3.7 AN ALARM SHOULD HELP THE OPERATOR TO QUICKLY IDENTIFY THE CAUSE OF A PROBLEM
Clear and understandable alarm tag descriptors are important to help identify the cause. Consistent abbreviations shall be used so that they are clearly understood by all operators. An alarm tag's Associated Display parameter shall be configured to provide quick access to the relevant schematic.

3.8 SIGNALS WHICH DO NOT QUALIFY AS ALARMS
The following signals do NOT qualify as alarms but may be classified as "journal" or "message" signals:
• Status change of switches through an automatic sequence, i.e. starting or stopping pumps or opening/closing valves as normal (on/off) control behaviour.
• Status changes of switches manually initiated by panel operators, such as a maintenance override switch / bypass switch, manual trip command etc.
• Status change of operating mode by automatic sequence or manual initiation, e.g. a TSA (Temperature Swing Adsorber) sequence.
• Status change of control mode by automatic sequence or manual initiation, i.e. MANUAL-AUTO, AUTO-CASCADE.
• Generally, system alarms shall not be alarmed in the DCS unless deemed critical for Operator action.

However, if the maintenance override switch / bypass switch is located and operated outside the control room, its initiation shall be alarmed. A common bypass alarm shall be sent to the DCS.


4. ALARM MANAGEMENT PROCESS
Alarm systems are part of the safety systems of process plants. They indicate undesired or potentially unsafe situations to the operator. Alarms are always linked to human follow-up. Therefore, the foremost principle when designing or reviewing alarm systems is recognition of the human factors involved. A human is generally not capable of dealing with huge information overloads. The human may also make mistakes or act too late. Therefore human intervention should only be assumed to provide a limited reduction of risk. The alarm management process is intended to guide users to a safe, cost-effective and consistent design and implementation of alarms in an instrumentation system (DCS, IPF panels, F&G panels, local panels etc.). The overall objective of the alarm management system is to provide the operator with:
• an adequate set of warning facilities during normal operation;
• the ability to recognise the most important alarms during upsets; and
• adequate guidance to perform corrective action,

whilst minimising, as far as is reasonably practicable:
• standing alarms;
• nuisance alarms;
• chattering alarms;
• alarm floods.

In an ideal situation the few alarms that occur are understood and handled properly by the operator. Each of these alarms is genuine, not duplicated and not repetitive, and calls for an action for which the operator has sufficient time, even during plant upset or trip situations. A process plant typically requires the following types of alarms:
• Process alarms
• Trip (IPF) alarms
• F&G alarms
• Common alarms from packaged units
• Diagnostic alarms (from SIS, DCS, Fieldbus etc.)

Not all alarms and messages should necessarily be routed to the operator. Other recipients of alarms and messages, such as the DCS/SIS maintenance engineer, should also be considered. The alarm management / rationalisation study should therefore also consider the various alarm recipients, their availability etc. When the configuration of an existing installation is reviewed, it is also necessary to balance the effort expended in the review against the potential improvements to be gained. In practice, this means that the process starts by identifying the "bad actors" (the most frequently occurring alarms), followed by the highest-priority alarms and so forth. The alarm priorities assigned in the DCS are only used to distinguish between the kinds of activity to be executed.
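Finding the bad actors, and the standing, chattering and flood conditions that the process is meant to minimise, is a matter of running the section 1.3.2 definitions over the DCS alarm log. The following Python script is an added example and not part of this PTS: it parses a constructed alarm log, flags chattering tags (three or more threshold crossings within one minute), stale alarms (24 hours or more in the alarm state), the peak number of activations in any 10-minute window, and ranks tags by activation count. The log format, the tag names and the flood criterion of more than 10 alarms in 10 minutes are assumptions of the example; the PTS itself defines a flood only as more alarms than the operator can effectively manage.

```python
"""Bad-actor screening of a DCS alarm log (added example, not part of PTS 32.30.60.19).

Applies the 1.3.2 definitions: chattering = three or more threshold crossings
within one minute; stale = 24 hours or more in the alarm state. The flood
criterion (more than 10 activations in a 10-minute window), the log format
and the tag names are assumptions of this example; the log is constructed.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from datetime import datetime, timedelta

CHATTER_CROSSINGS = 3                  # 1.3.2 "Chattering alarm"
CHATTER_WINDOW = timedelta(minutes=1)
STALE_AFTER = timedelta(hours=24)      # 1.3.2 "Stale alarm"
FLOOD_ALARMS = 10                      # assumed: flood when more than this many ALM per FLOOD_WINDOW
FLOOD_WINDOW = timedelta(minutes=10)

# Constructed log, one event per line: <ISO time>,<tag>,<ALM|RTN>
SAMPLE_LOG = """\
2008-12-01T08:00:00,FIC-101.PVHI,ALM
2008-12-01T08:00:10,FIC-101.PVHI,RTN
2008-12-01T08:00:25,FIC-101.PVHI,ALM
2008-12-01T08:00:40,FIC-101.PVHI,RTN
2008-12-01T08:00:55,FIC-101.PVHI,ALM
2008-12-01T08:01:10,FIC-101.PVHI,RTN
2008-12-01T08:05:00,LIC-205.PVLO,ALM
2008-12-01T10:00:00,PI-401.PVHI,ALM
2008-12-01T10:00:20,PI-402.PVHI,ALM
2008-12-01T10:00:40,PI-403.PVHI,ALM
2008-12-01T10:01:00,PI-404.PVHI,ALM
2008-12-01T10:01:20,PI-405.PVHI,ALM
2008-12-01T10:01:40,PI-406.PVHI,ALM
2008-12-01T10:02:00,PI-407.PVHI,ALM
2008-12-01T10:02:20,PI-408.PVHI,ALM
2008-12-01T10:02:40,PI-409.PVHI,ALM
2008-12-01T10:03:00,PI-410.PVHI,ALM
2008-12-01T10:03:20,PI-411.PVHI,ALM
2008-12-02T08:30:00,LIC-205.PVLO,RTN
"""


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse the log into time-sorted (time, tag, state) events."""
    events = []
    for line in filter(None, text.splitlines()):
        stamp, tag, state = line.split(",")
        if state not in ("ALM", "RTN"):
            raise ValueError(f"unexpected alarm state {state!r} for {tag}")
        events.append((datetime.fromisoformat(stamp), tag, state))
    return sorted(events)


def chattering_tags(events) -> set[str]:
    """Tags with CHATTER_CROSSINGS or more threshold crossings inside CHATTER_WINDOW."""
    crossings: dict[str, list[datetime]] = defaultdict(list)
    for stamp, tag, _state in events:      # both ALM and RTN are threshold crossings
        crossings[tag].append(stamp)
    return {tag for tag, t in crossings.items()
            if any(t[i + CHATTER_CROSSINGS - 1] - t[i] <= CHATTER_WINDOW
                   for i in range(len(t) - CHATTER_CROSSINGS + 1))}


def stale_alarms(events, now: datetime) -> dict[str, timedelta]:
    """Tags held in the alarm state for STALE_AFTER or longer; open alarms are measured to `now`."""
    active: dict[str, datetime] = {}
    stale: dict[str, timedelta] = {}
    for stamp, tag, state in events:
        if state == "ALM":
            active.setdefault(tag, stamp)
        elif tag in active:
            held = stamp - active.pop(tag)
            if held >= STALE_AFTER:
                stale[tag] = max(held, stale.get(tag, timedelta(0)))
    for tag, start in active.items():
        if now - start >= STALE_AFTER:
            stale[tag] = max(now - start, stale.get(tag, timedelta(0)))
    return stale


def peak_alarm_rate(events) -> tuple[int, datetime | None]:
    """Largest number of activations in any FLOOD_WINDOW and the start of that window."""
    alarms = [stamp for stamp, _tag, state in events if state == "ALM"]
    best, best_start, j = 0, None, 0
    for i, start in enumerate(alarms):
        while j < len(alarms) and alarms[j] - start <= FLOOD_WINDOW:
            j += 1
        if j - i > best:
            best, best_start = j - i, start
    return best, best_start


def bad_actors(events, top: int = 5) -> list[tuple[str, int]]:
    """Most frequent alarms by activation count: the starting point for rationalization."""
    return Counter(tag for _stamp, tag, state in events if state == "ALM").most_common(top)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    peak, when = peak_alarm_rate(ev)
    print("chattering:", sorted(chattering_tags(ev)))
    print("stale:", {t: str(d) for t, d in stale_alarms(ev, ev[-1][0]).items()})
    print(f"peak {peak} alarms per {FLOOD_WINDOW} from {when}; flood={peak > FLOOD_ALARMS}")
    print("bad actors:", bad_actors(ev))
```

On the constructed log the screen reports FIC-101.PVHI as chattering (six crossings in 70 seconds), LIC-205.PVLO as stale (24 h 25 min in alarm), an eleven-alarm burst starting at 10:00 that exceeds the assumed flood criterion, and FIC-101.PVHI as the top bad actor. Both ALM and RTN events are counted as crossings because the chattering definition counts threshold crossings, not activations; the flood and bad-actor counts use activations only.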

The alarm management process covers the design and maintenance activities from philosophy to management of change. The process is useful in identifying the requirements and roles for implementing an alarm management system. The process flowchart in Figure 1 shows the essential steps in implementing the alarm management system.

[Figure 1: flowchart with the boxes PHILOSOPHY / POLICY / MANUAL, IDENTIFICATION, RATIONALIZATION, MOC, DESIGN, IMPLEMENTATION & TRAINING, MAINTENANCE, OPERATION, PERFORMANCE MONITORING and ASSESSMENT]

FIGURE 1 : ALARM MANAGEMENT PROCESS


4.1 ALARM MANAGEMENT PHILOSOPHY
An Alarm Management Philosophy is required for all plants, both new and existing as well as projects. Prior to designing a new alarm system or modifying an existing system, some basic groundwork is required. Generally the first step is the development of an alarm management philosophy that documents the objectives of the alarm system and the processes to meet those objectives. For new systems the alarm philosophy serves as the basis for the alarm system requirements specification. The philosophy starts with the basic definitions and extends them to operational definitions using principles. The definition of alarm priorities, classes, performance metrics, performance limits, and reporting requirements are determined based on the objectives, definitions, and principles. The schemes for presentation of alarm indications in the HMI, including use of priorities, are also set in the alarm philosophy, which shall be consistent with the overall HMI design. The philosophy specifies the processes used for each of the life cycle stages, such as the threshold for the management of change process and the specific requirements for change. The philosophy is maintained to ensure consistent alarm management throughout the life cycle of the alarm system.

4.2 IDENTIFICATION
In the identification stage, the alarms configured in the plant control system are evaluated. An alarm list is to be generated from the DCS. In addition, all HAZOP reports, IPF review reports and incident investigation reports shall be reviewed to identify the list of conditions that need to be protected by operator intervention.

4.3 ALARM RATIONALIZATION
Rationalization is the process of reconciling each individual alarm against the principles and requirements of the alarm philosophy. The exercise involves reviewing and documenting each alarm which exists in the DCS for the particular unit. In this process, the form in Appendix 1 shall be used to address the following questions:
1. What is the purpose of the alarm, i.e. what potential hazard or event is the alarm intended to prevent?
2. What are the causes of the alarm?
3. What action is required by the operator?
4. What are the consequences of the operator failing to respond to the alarm?
5. How quickly is the operator required to respond?
6. How long will it take for the operator's action to have the required effect?
7. How likely is it that the operator will be able to prevent the event or hazard?
8. Does the alarm comply with the agreed philosophy?

This information is critical to improve alarm clarity for the operator. Once the consequences and the response time have been documented, the alarm priority must be assigned based on the matrix of consequences versus priorities. The result will also be used to generate alarm response documentation and in defining alarm retention. The completed forms constitute the alarm narratives for the project/plant/OPU. The overall alarm narratives shall be endorsed by the plant management as per clause 9.0.

PTS 32.30.60.19 December 2008 Page 14 Documents / tools required for this exercise are: 1. 2. 3. 4. 5. Updated P&ID for the unit Control and/or Safeguarding narratives, design documents HAZOP and IPF Classification results Updated DCS alarms, setpoints and tag list Plant Historian (e.g. PIMS) database to view process trends

An Alarm Management Team (AMT) shall be formed which comprises:
1. Alarm Management Team Leader (Operation Engineer), who shall monitor and manage the overall progress of the team.
2. Alarm Management Coordinator/Facilitator (Instrument and Control Engineer), who shall facilitate the alarm rationalization process and compile and execute all the changes required.
3. Operation and Process Technologist Representatives (panel men/operators from 2 different shifts and a Process Technology engineer), who shall discuss and rationalize the alarms.
4. Maintenance Subject Matter Representatives (Instrument and Control engineer/technician, Electrical and/or Mechanical engineer/technician), who shall support the review, especially of equipment-related alarms.

The AMT shall develop a detailed plan and schedule for the alarm rationalization review. The process of alarm rationalization is as follows:
1. Using the DCS database, determine the existing alarm parameters for the tag. Also from the DCS database, review the most frequent alarms, if applicable.
2. From the P&ID, reconcile the selected DCS alarm tag.
3. Rationalize an alarm parameter by entering it into the Alarm Reference Database. The database shall be configured as per Appendix 1.
4. Refer to narratives or other supporting documents to help determine the purpose, causes, corrective actions, consequences and finally the priority of the alarm.
5. Qualify the alarm parameter against the alarm guidelines (Section 5). If the alarm parameter does not meet the guidelines, decide what the required changes are.
6. Repeat steps (4) and (5) for each alarm parameter for the tag.
7. Continue for the next tag on the DCS database and/or P&ID until all the selected alarms for the unit have been reviewed.
8. Compile all the changes required and raise MOC to obtain proper approvals.
9. Modifications shall be implemented by the instrument/control engineer.
10. An Alarm Review Form shall be printed from the Alarm Reference Database (such as Filemaker) and signed by the AMT (example format in Appendix 1).

Every alarm shall be accompanied with an Alarm Review Form as per Appendix 1.


4.4 ALARM DESIGN
The design stage includes evaluation of the basic configuration of alarms in the DCS, the design of graphics and other HMI for alarms and the advanced/intelligent methods for alarm management of 4.4.2 (the use of an Alarm Management System, for example). This process also includes obtaining feedback from operators, as well as defining the testing methods of the alarm system functions. In addition, one of the key deliverables of this stage is to develop the Alarm Reference Database. This document identifies what the alarm is, how it is configured, why it is there, what the operator is supposed to do about it and what the consequences of failing to perform the actions are. Once the necessary approvals have been obtained, the new alarm configurations are implemented in the DCS. This process includes training for the operator and initial testing of the alarm system functions.

4.4.1 SETTING OF ALARM SETPOINTS
A full review of alarm setpoints and dead bands is a time-consuming exercise. However, experience has shown that too often alarm settings are set incorrectly or even beyond the constraints of the process or equipment the alarm should protect. Each alarm setting and its rationale should therefore be re-established. The general rule is that the alarm setpoint, i.e. the value at which it is activated, should be as far from the normal value as practicable whilst still giving adequate protection and ample operator response time. Whenever an alarm setting is made, a number of questions should be answered and documented, as follows. See also Figure 2.
• At what value does a hazard or concern arise, i.e. what is the constraining value? This could be a relief valve setting, an IPF trip setting, an equipment design limit, a catalyst temperature limit, the pH at which corrosion accelerates, the temperature at which coke formation in the tubes accelerates, etc.
• What is the inaccuracy of the constraint? For example, a relief valve may already start to open at 99 % of its set pressure.
• How fast is the value likely to approach this point? This is the highest credible rate of change.
• How much time does the panel or field operator need to complete the actions that aim to reverse the process?
• How much will the process continue to rise following the completion of the operator action? This is the process dead time.
• How wide is the operating band under normal and routinely abnormal conditions?
• What is the expected inaccuracy of the sensor and receiving switch used to generate the alarm?
• What is the dead time of the sensor and signal processing?
• How many features (e.g. alarms, trips, relief valves) have to be fitted in the gap between the edge of the normal operating band and the constraining value at which a hazard or concern arises?

The design stage includes evaluation of the basic configuration of alarms in the DCS, the design of graphics and other HMI for alarms and the advanced methods for alarm management (the use of an Alarm Management System, for example). This process also includes obtaining feedback from operators, as well as defining the testing methods of the alarm system functions. One of the key deliverables of this stage is to develop the Operator Alarm Response Manual, as per Section 4.3. Once the necessary approvals have been obtained, the new alarm configurations are implemented in the DCS. This process includes training for the operator and initial testing of the alarm system functions.

Figure 2 Parameters involved in establishing the alarm setting

In all cases the alarm shall be set such that:
• No alarm occurs within the normal process fluctuations and signal noise.
• There is sufficient operator response time.
• The process does not exceed the equipment or process constraint, assuming correct and timely operator action and a worst but credible process dead time.
• Uncertainties/inaccuracies in the equipment or process constraints are taken into account.
Note: Uncertainties/inaccuracies in the process measurement at the point of the desired alarm setting are taken into account. A particular consideration applies to low flow alarms, where the flow measurement comes from a dP-based device such as an orifice plate or venturi meter. The measurement on the DCS appears linear, but the original input signal has a square-law (flow²) characteristic. This means that an alarm set at 10 % of flow range corresponds to only 1 % of the dP input signal, which could potentially be disabled by a zero error arising from the meter or its process hook-up. On the other hand, under some circumstances a higher setting might increase the risk of nuisance alarms. The setting of low flow alarms therefore involves a balance between avoiding such alarms and retaining measurement accuracy.

Another consideration applies to measurements that are influenced by specific properties of the medium, such as the liquid and vapor density for dP and displacer type level measurements, the density for orifice type flow meters, etc. In these cases the worst case of all foreseeable operating modes, including start-up and shutdown modes, shall be considered. If conflicts arise between the factors influencing the correct alarm setting, it may become impossible to set an acceptable alarm setting. In these cases there are the following options:
• Redesign the process / equipment. This is the most desirable but often impractical solution.
• Set the alarm setting at a level closer to the normal operating conditions. Accept that spurious alarms will occur under some operating conditions. This option reduces the confidence in the alarm and affects the probability that the operator would initiate the required actions in the event of a genuine alarm. This is the least desirable option.
• Set the alarm setting at a level closer to the constraints. Accept that the operator may not have enough time to prevent the hazardous event in all cases (e.g. in the event of a rapid upset). This option does not reduce the confidence in the alarm but affects the probability that the operator would complete the required action in time.

As well as defining the alarm setting, the expected accuracy of the switch point shall also be defined (e.g. 210 °C ± 2 °C). The switching inaccuracy is the maximum allowable difference between the actual process parameter and the alarm setting at the moment the alarm is activated. It includes the inaccuracy of the sensor, signal processing, switch amplifier, A/D converter etc. The inaccuracy does not include any possible dynamic effects whereby the measurement lags behind the actual process parameter. A typical accuracy would be 2 % of instrument span.
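The setpoint reasoning of 4.4.1 worked through in code. This is an added example, not part of the standard: the HighAlarmInputs fields mirror the Figure 2 questions, the drum-pressure numbers are constructed, and the linear margin model (highest credible rate of change multiplied by the total time until the operator's action takes effect) is an assumption made here for illustration.

```python
"""Worked alarm-setpoint calculation from the Figure 2 parameters (added example, not
part of the standard; all numbers are constructed, pressure in barg, time in seconds)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HighAlarmInputs:
    constraint: float             # value at which the hazard arises, e.g. relief valve set pressure
    constraint_inaccuracy: float  # fraction by which the constraint acts early (0.01: opens at 99 %)
    max_rate: float               # highest credible rate of change, engineering units per second
    operator_time_s: float        # time the panel/field operator needs to complete the reversing action
    process_dead_time_s: float    # how long the value keeps rising after the action is complete
    sensor_dead_time_s: float     # dead time of the sensor and signal processing
    sensor_inaccuracy: float      # sensor + receiving switch inaccuracy, engineering units
    normal_band_high: float       # upper edge of the normal / routinely abnormal operating band
    noise: float                  # signal noise amplitude, engineering units


def effective_constraint(inp: HighAlarmInputs) -> float:
    """Constraint corrected for its own inaccuracy (the relief valve lifting early)."""
    return inp.constraint * (1.0 - inp.constraint_inaccuracy)


def highest_permissible_setpoint(inp: HighAlarmInputs) -> float:
    """Highest setpoint at which a worst-credible excursion is still reversed before the
    effective constraint: subtract what the process gains while the sensor lags, the
    operator acts and the process dead time runs out, then the measurement error."""
    time_to_effect = inp.sensor_dead_time_s + inp.operator_time_s + inp.process_dead_time_s
    return effective_constraint(inp) - inp.max_rate * time_to_effect - inp.sensor_inaccuracy


def lowest_permissible_setpoint(inp: HighAlarmInputs) -> float:
    """Lowest setpoint that never alarms on normal fluctuations and signal noise."""
    return inp.normal_band_high + inp.noise + inp.sensor_inaccuracy


def choose_high_alarm(inp: HighAlarmInputs) -> Optional[float]:
    """Apply the general rule: as far from normal as practicable while still protecting.
    Returns None when the two limits cross, i.e. no acceptable setting exists and one of
    the options listed in the text (redesign, accept nuisance alarms, accept a possibly
    late response) has to be taken."""
    hi, lo = highest_permissible_setpoint(inp), lowest_permissible_setpoint(inp)
    return None if hi < lo else hi


def dp_signal_fraction(flow_fraction: float) -> float:
    """Square-law dP behind a linearised flow: 10 % of flow range is 1 % of dP span."""
    return flow_fraction ** 2


def low_flow_alarm_margin(flow_alarm_fraction: float, zero_error_fraction: float) -> float:
    """dP-span margin between a low-flow alarm and a zero error of the dP cell or its
    hook-up; zero or negative means the zero error alone can disable the alarm."""
    return dp_signal_fraction(flow_alarm_fraction) - zero_error_fraction


# Constructed case: drum pressure protected by a relief valve set at 10 barg.
DRUM_PRESSURE = HighAlarmInputs(
    constraint=10.0, constraint_inaccuracy=0.01, max_rate=0.01,
    operator_time_s=120.0, process_dead_time_s=60.0, sensor_dead_time_s=5.0,
    sensor_inaccuracy=0.2, normal_band_high=6.5, noise=0.1,
)

if __name__ == "__main__":
    sp = choose_high_alarm(DRUM_PRESSURE)
    print(f"high alarm setpoint: {sp:.2f} barg (window "
          f"{lowest_permissible_setpoint(DRUM_PRESSURE):.2f} .. "
          f"{highest_permissible_setpoint(DRUM_PRESSURE):.2f})")
    print(f"10 % low-flow alarm sits at {dp_signal_fraction(0.10):.0%} of dP span")
```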


4.4.2 INTELLIGENT ALARM MANAGEMENT
Intelligent alarm management techniques should be applied to enhance the effectiveness of alarm handling by operators as well as to prevent the occurrence of alarm flooding, especially in the event of a process upset. Intelligent alarm management, however, needs to be properly studied and evaluated prior to implementation, since its misapplication could lead to the masking of critical alarm events, which can lead to an unfavourable situation. There are various intelligent alarm management techniques available. For repeating or fleeting alarms, the following methods should be used:

4.4.2.1 Optimizing the alarm deadband for analogue measurements
The alarm hysteresis deadband should be carefully selected for each individual alarm. The deadband should be set according to the type of measurement and its application (e.g. a narrow deadband should be set for measurements with a slow response time, such as temperature). The DCS default value is set at 1 % of range. However, this should be verified or readjusted on a case-by-case basis. Deadbands shall be specified in Engineering Units for improved resolution. Typically the values shall be as per Table 1.

Table 1 - Typical dead band values
Type of Process Variable   Dead band Equivalent To
Flow                       5 % of Span
Level                      5 % of Span
Liquid Pressure            5 % of Span
Gas Pressure               2 % of Span
Temperature                1 % of Span or 2 °C, whichever is less

4.4.2.2 Increasing the delay timer for digital measurements to reduce intermittent signals
The common values shall be as per Table 2.

Table 2 - Default signal filter time constants
Type of Process Variable   1st order time constant   De-bouncer timer (digital signals)
Flow                       2 s                       15 s
Level                      2 s                       60 s
Liquid Pressure            1 s                       15 s
Gas Pressure               1 s                       15 s
Temperature                0 s                       60 s
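The deadband and de-bounce behaviour of Tables 1 and 2 applied to constructed sample signals, so the chatter reduction can be counted. Added example, not from the standard; the sample flow PV, the switch trace and the function names are constructed for illustration.

```python
"""Deadband on an analogue alarm and de-bounce timer on a digital alarm, as in Tables 1
and 2 (added example, not from the standard; sample signals are constructed)."""
from typing import List, Optional, Tuple

# Table 1 typical deadbands as a fraction of span; temperature is also capped at 2 degC.
TABLE1_DEADBAND = {"flow": 0.05, "level": 0.05, "liquid_pressure": 0.05,
                   "gas_pressure": 0.02, "temperature": 0.01}
# Table 2 de-bouncer timers for digital signals, seconds.
TABLE2_DEBOUNCE_S = {"flow": 15, "level": 60, "liquid_pressure": 15,
                     "gas_pressure": 15, "temperature": 60}


def deadband_eu(pv_type: str, span: float) -> float:
    """Deadband in engineering units, which the text requires for resolution."""
    db = TABLE1_DEADBAND[pv_type] * span
    # temperature: 1 % of span or 2 degC, whichever is less
    return min(db, 2.0) if pv_type == "temperature" else db


class HighAlarmWithDeadband:
    """High alarm that activates at the setpoint and only clears once the PV has
    fallen below setpoint minus deadband (hysteresis)."""

    def __init__(self, setpoint: float, deadband: float):
        self.setpoint, self.deadband, self.active = setpoint, deadband, False

    def update(self, pv: float) -> Optional[str]:
        if not self.active and pv >= self.setpoint:
            self.active = True
            return "ACTIVATE"
        if self.active and pv < self.setpoint - self.deadband:
            self.active = False
            return "CLEAR"
        return None


def count_activations(samples: List[float], setpoint: float, deadband: float) -> int:
    """How many times the alarm is raised over a sample series (a chatter measure)."""
    alarm = HighAlarmWithDeadband(setpoint, deadband)
    return sum(1 for pv in samples if alarm.update(pv) == "ACTIVATE")


class DebouncedDigitalAlarm:
    """Digital alarm that is only raised after the abnormal state has persisted for
    the de-bouncer time; a return to normal resets the timer."""

    def __init__(self, delay_s: float):
        self.delay_s, self.abnormal_since, self.raised = delay_s, None, False

    def update(self, t: float, abnormal: bool) -> bool:
        if not abnormal:
            self.abnormal_since, self.raised = None, False
            return False
        if self.abnormal_since is None:
            self.abnormal_since = t
        if t - self.abnormal_since >= self.delay_s:
            self.raised = True
        return self.raised


def debounced_states(samples: List[Tuple[float, bool]], delay_s: float) -> List[bool]:
    """Alarm state after each (time, abnormal) sample of a digital input."""
    alarm = DebouncedDigitalAlarm(delay_s)
    return [alarm.update(t, abnormal) for t, abnormal in samples]


# Constructed flow PV (m3/h, span 0..100) hovering around a high alarm at 80.
NOISY_FLOW = [78.0, 81.0, 79.5, 80.5, 79.0, 82.0, 78.0, 83.0, 77.0, 81.0]
# Constructed digital low-flow switch (time s, abnormal) with a short glitch at 0..10 s.
SWITCH = [(0, True), (5, True), (10, False), (12, True), (20, True), (27, True), (30, True)]

if __name__ == "__main__":
    print("activations, no deadband:", count_activations(NOISY_FLOW, 80.0, 0.0))
    print("activations, Table 1 flow deadband:",
          count_activations(NOISY_FLOW, 80.0, deadband_eu("flow", 100.0)))
    print("debounced:", debounced_states(SWITCH, TABLE2_DEBOUNCE_S["flow"]))
```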

Other techniques require more detailed study and may also be implemented. The following describes the 3 most accepted methods:

4.4.2.3 Shelving
Shelving is a facility where an alarm is temporarily inhibited by the operator to prevent an alarm from being displayed to him when it is a nuisance. This technique requires easy operator access to a list of shelved alarms and an unshelving facility. Shelved alarms shall be automatically unshelved at a predetermined time before the shift change over. The time at which alarms are automatically unshelved shall be determined by the OPUs. The maximum number of shelved alarms per operator should be 30.

4.4.2.4 Static Alarm Suppression
Static alarm suppression is used to suppress alarms which are always active but not relevant for a particular process unit or major equipment when it is shut down for maintenance. This technique requires the configuration of soft keys to activate logic which will disable/enable the particular group of alarms in the unit or equipment. Operators often find alarm systems difficult to manage when relatively large numbers of alarms are permanently or semi-permanently activated. There is the risk of any new alarm remaining unnoticed, and the standing alarms cannot be "meaningful" to the operator. In order to minimise the number of standing alarms, static alarm suppression is required. Care has to be taken in grouping the tags to be suppressed. Sometimes there are tags within a section that Operations prefers to watch and alarm even when the rest of the unit is down, e.g. charge drum vacuum or pressure. Alarms that are always active when a process unit or a large piece of equipment is shut down are statically suppressed. Static alarm suppression shall be implemented on one plant section, process unit or equipment item at any one time. Static suppression shall never rely on manual selection only. A redundant process signal shall always be part of the suppression logic to confirm that the unit/equipment is out of service and to remove the suppression when it is put back in service.

Only after the manual suppression command and the suppression permissive states have been met shall static alarm suppression be allowed. Process signals that are part of permissive logic shall be redundant so that there is no single point of failure that could lead to the inadvertent suppression of alarms or to leaving alarms inadvertently suppressed. Voting shall be such that:
• Two or more independent process measurements are used, such as the feed to a column, tray temperature or valve position.
• Correlated measurements with a high probability of common cause failure (e.g. plugged line) are not used.
• Deadbands are used on the voting permissive (i.e. independent process measurements) to prevent mode cycling.
• Signals with bad PVs are excluded from voting.

Switching on the static alarm suppression shall only be possible when the defined process permissives are met. These conditions differ for each alarm suppression group. The static suppression shall be automatically switched off, and a message to the operator shall be generated, when the defined process conditions are no longer satisfied.

Figure 3 Static Alarm Suppression

Alarms generated in the DCS from analogue inputs that are suppressed through this functionality shall be visible to the operator in the process graphic's individual tag faceplate (e.g. as a blue measurement). The actual alarm condition is not visible (in general no buzzer, no alarm in the alarm list, no alarm to the printer, system or measurement faults not visible). The alarm status, however, is still available on the individual tag's faceplate. When the alarm suppression for a group is released, the suppressed alarms are not to be regenerated (not sounding the buzzer, flashing etc.). When defining static alarm suppression groups, the following data shall be recorded:
• Static Alarm Suppression Group and Group descriptor: a reference tag name of the group and Group descriptor to allow reference and proper administration.
• Permissive: Boolean statement with the (DCS) tags and conditions (signals) that have to be "true" to permit the static suppression to be switched ON. This includes the condition (alarm, H alarm, LL alarm etc.).
• Static Suppression Group: this is a list of instrument tags to be suppressed.
NOTE 1: The static alarm suppression may not differentiate between H or L or LL alarms, Bad PV etc. All alarms associated with the listed tag number may be suppressed. This is done to prevent alarms being generated due to maintenance activities on the shut down section.
EXAMPLE: What are the consequences of a block valve leaking, allowing undetected flow into the idle equipment/process? If they are undesirable, the high pressure alarm should be left active.
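The static suppression rules of 4.4.2.4 (manual command plus voted, deadbanded, bad-PV-aware permissives; automatic release with an operator message; faceplate-only presentation of suppressed alarms) as an added example. The logic, tag names and limits are constructed here and are not the standard's or any DCS vendor's implementation.

```python
"""Static alarm suppression permissive per 4.4.2.4 (added example, not the standard's
own logic; tag names, limits and values are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Permissive:
    """One independent process measurement confirming the unit is out of service."""
    tag: str
    out_of_service_when: str  # "LOW" (e.g. feed flow) or "HIGH" (e.g. valve position)
    limit: float
    deadband: float           # prevents mode cycling when the PV hovers at the limit
    satisfied: bool = False   # latched state

    def evaluate(self, pv: float, bad_pv: bool) -> Optional[bool]:
        if bad_pv:
            return None  # a bad PV is excluded from voting; latched state is untouched
        if self.out_of_service_when == "LOW":
            if pv <= self.limit:
                self.satisfied = True
            elif pv > self.limit + self.deadband:
                self.satisfied = False
        else:
            if pv >= self.limit:
                self.satisfied = True
            elif pv < self.limit - self.deadband:
                self.satisfied = False
        return self.satisfied


class StaticSuppressionGroup:
    def __init__(self, name: str, descriptor: str, permissives: List[Permissive],
                 suppressed_tags: List[str]):
        if len(permissives) < 2:
            raise ValueError("static suppression needs two or more independent permissives")
        self.name, self.descriptor = name, descriptor
        self.permissives, self.suppressed_tags = permissives, set(suppressed_tags)
        self.manual_command = False   # soft key pressed by the operator
        self.suppressed = False
        self.messages: List[str] = []

    def permissive_met(self, pvs: Dict[str, Tuple[float, bool]]) -> bool:
        """Every permissive with a good PV must agree and at least two must be good,
        so a single failed transmitter can neither suppress nor keep alarms suppressed."""
        votes = [p.evaluate(*pvs[p.tag]) for p in self.permissives]
        good = [v for v in votes if v is not None]
        return len(good) >= 2 and all(good)

    def request_on(self) -> None:
        self.manual_command = True

    def request_off(self) -> None:
        self.manual_command = False

    def update(self, pvs: Dict[str, Tuple[float, bool]]) -> bool:
        """Evaluate on each scan; returns whether the group is currently suppressed."""
        met = self.permissive_met(pvs)
        if self.suppressed and not (met and self.manual_command):
            self.suppressed = False
            self.manual_command = False  # a fresh manual command is needed to re-arm
            reason = "operator command" if met else "permissive no longer met"
            self.messages.append(f"{self.name}: static suppression released ({reason})")
        elif not self.suppressed and self.manual_command and met:
            self.suppressed = True
            self.messages.append(f"{self.name}: static suppression ON, "
                                 f"{len(self.suppressed_tags)} tags")
        return self.suppressed

    def presentation(self, tag: str, alarm_condition: bool) -> str:
        """How an alarm condition on a tag reaches the operator."""
        if not alarm_condition:
            return "NORMAL"
        if self.suppressed and tag in self.suppressed_tags:
            return "FACEPLATE_ONLY"  # no buzzer, list or printer; status still on the faceplate
        return "ALARM_LIST"


if __name__ == "__main__":
    # Constructed column C-101: feed flow and column pressure both low when out of service.
    grp = StaticSuppressionGroup("C-101-SUPP", "Column C-101 out of service",
                                 [Permissive("FI-101", "LOW", 5.0, 1.0),
                                  Permissive("PI-102", "LOW", 0.5, 0.1)],
                                 ["TI-103", "LI-104"])
    grp.request_on()
    print(grp.update({"FI-101": (2.0, False), "PI-102": (0.2, False)}), grp.messages)
```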

4.4.2.5 Dynamic Alarm Suppression
Dynamic alarm suppression is used to suppress alarms following a trip or process upset. The first alarm in a defined group is triggered, shown in the alarm list and printed on the alarm printer, with subsequent alarms in the group suppressed. This minimizes the number of alarms appearing following a trip, thus eliminating alarm flooding and helping the operator respond better to the alarm. A soft switch shall be provided to enable dynamic alarm suppression. Triggers shall be redundant (i.e. a "confirmed" trigger) so that there is no single point of failure that could lead to the inadvertent suppression of alarms or to leaving alarms inadvertently suppressed.
NOTE: A trigger is usually not the trip transmitter exceeding the trip setting but rather the trip command to the unit or equipment, i.e. the soft signal internal in the safety PLC. However the trip may fail partly or completely so that a confirmation of the trip action is required to trigger suppression. For example, not only the compressor trip command is used as trigger but also the running contact as confirmation.

Trigger voting shall be such that:
• Two or more independent process measurements are used, such as the feed to a column, tray temperature or valve position.
• Correlated measurements with a high probability of common cause failure (e.g. plugged line) are not used.
• Dead bands are used on the voting permissive (i.e. independent process measurements) to prevent mode cycling.
• Signals with bad PVs are excluded from voting.

Dynamic suppression will be automatically turned off after a configurable time period (default 30 min) or when all trigger alarms return to normal. See Figure 4.

Figure 4 Dynamic Alarm Suppression

A timer will be started when the first of the group's trigger alarms is received. Once the timer has expired any new alarm in the group will sound the buzzer but existing alarms will remain suppressed. If the new alarm is a trigger, it will restart the timer, reinstating a further (30 min) period of dynamic suppression. The operator can choose to manually suppress the alarm group, by means of static alarm suppression, at this time if appropriate. However, the grouping for static alarm suppression is not necessarily the same as the grouping for dynamic alarm suppression. The alarm state sequence diagram for alarms that are in a dynamic alarm suppression group is shown in Figure 5.

Figure 5 Dynamic Suppression Alarm State Diagram

The performance of the alarm suppression logic shall be such that it suppresses subsequent alarms within 4 s after the trigger. This is the time for the trip system to respond to a trip condition, final elements to reach their safe position and the process response to generate the next alarm. The available 4 s includes signal transmission via gateways and various nodes on the control system network. For alarms that come faster after a trigger, part of the suppression logic may have to be implemented in the IPS using the "first-up" signal as the trigger. The process graphics will show the actual alarm condition for all suppressed alarms. The condition of auto suppressed trip alarms is also visible on the Cause & Effect matrix graphics. Where triggers are Trip initiators, the trigger shall be disabled when the MOS is switched ON. Likewise the dynamic alarm check shall be disabled for the point as well. If an alarm in a group is not generated even though it is expected to come on as a consequence of a trip, a common fault alarm is raised to the operator. This is a common alarm for the group, not one related to each suppressed alarm. If the operator wishes to know which alarm did not come on, the alarm suppression graphic will have to be consulted.
NOTE: This fault alarm is also available when the dynamic alarm suppression is not enabled.

When dynamic alarm suppression groups are defined, the following data shall be recorded:
• Dynamic alarm Group name and description: the dynamic alarm suppression group is usually a subset of the tags associated with the equipment safeguarding system (a UZ block). The Group name should be selected to show the relation with the system, e.g. 016UZ-250.
• Delay before alarm on check: the "Delay Before Alarm On Check" (the delay time the control system allows before checking to determine whether all expected alarms, marked dynamic, have in fact been activated) is to be 60 seconds greater than the largest individual dynamic suppressed alarm "Time for Alarm to Come Up". Each and every alarm tag marked with a cross in the "dynamic" box should always alarm when each and every trigger is activated.
• Dynamic suppression Switch Off delay: the "Dynamic Suppression Switch Off Delay" should always be 1800 s unless the Delay Before Alarm On Check is 1800 s or more.
• Dynamic Grouping Comments: comments may be added to clarify particular issues for future reference.
• Dynamic Suppressed Tag numbers: for each of the Dynamic Suppressed Tag numbers the following is to be recorded:
  - Tag number and service description as taken from the tag number database
  - A check box indicating whether the tag number also serves as a trigger
  - A check box indicating whether the alarm needs to be dynamically checked
  - Time for Alarm to Come Up: the time when the alarm is expected to be activated after the system trigger (seconds). If the time is less than 4 s, a remark is to be added, "Fast suppression logic required", as discussed above.
NOTES:
1. Group Trigger alarms will almost always be trip alarms or drive failure indicators. If the group trigger is not an alarm (e.g. a motor running status) and therefore not in the database, the tag should be added. All new trigger tags added that are not alarms should be "record only".
2. In some instances dynamic suppression will need to be applied to groups not related to a particular equipment safeguarding system. For these cases a new dynamic suppression group tag number shall be defined. The tag may be based upon sequence logic blocks (KS blocks) or on the major trigger tag for a group. For example, if the major trigger tag for a group not related to a safeguarding system was 214LZA555 then the dynamic suppression group tag could be 214UL555 (U standing for Multivariable).
3. A trigger alarm can be suppressed. However, the actual trigger shall not be suppressed.
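The dynamic suppression group behaviour of 4.4.2.5 (confirmed trigger, first alarm shown and the rest suppressed, switch-off delay restarted by further triggers, automatic switch-off when the triggers return to normal, and the delayed alarm-on check raising one common fault alarm) as an added example that is not part of the standard. The DynamicSuppressionGroup class, the compressor tags and the timings are constructed for illustration; the group name follows the UZ-block naming convention mentioned above and the switch-off delay defaults to the 1800 s given there.

```python
"""Dynamic alarm suppression group per 4.4.2.5 (added example, not the standard's own
logic; tags and timings are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class MemberAlarm:
    tag: str
    is_trigger: bool = False        # "also serves as a trigger" check box
    dynamic_check: bool = False     # "needs to be dynamically checked" check box
    time_to_come_up_s: float = 0.0  # expected delay after the trigger

    def remark(self) -> str:
        return "Fast suppression logic required" if self.time_to_come_up_s < 4 else ""


class DynamicSuppressionGroup:
    def __init__(self, name: str, members: List[MemberAlarm],
                 confirmations: Dict[str, str], switch_off_delay_s: float = 1800.0):
        self.name = name
        self.members = {m.tag: m for m in members}
        self.confirmations = confirmations  # trigger tag -> confirming tag (e.g. running contact)
        self.switch_off_delay_s = switch_off_delay_s
        checked = [m.time_to_come_up_s for m in members if m.dynamic_check]
        self.alarm_on_check_delay_s = (max(checked) if checked else 0.0) + 60.0
        self.enabled = False                 # soft switch
        self.active_until: Optional[float] = None
        self.trigger_time: Optional[float] = None
        self.signals: Set[str] = set()       # currently active alarm / status signals
        self.came_up: Set[str] = set()       # member alarms seen since the trigger
        self.events: List[Tuple[float, str, str]] = []  # what reaches the operator

    def set_enabled(self, on: bool) -> None:
        self.enabled = on

    def _confirmed(self, tag: str) -> bool:
        m = self.members.get(tag)
        return bool(m and m.is_trigger and tag in self.signals
                    and self.confirmations.get(tag) in self.signals)

    def signal(self, t: float, tag: str, active: bool) -> str:
        """Report a signal change at time t; returns how the operator sees it."""
        (self.signals.add if active else self.signals.discard)(tag)
        confirmed = [x for x, m in self.members.items() if m.is_trigger and self._confirmed(x)]
        if not active:
            if self.active_until is not None and not confirmed:
                self._switch_off(t, "all triggers returned to normal")
            return "NORMAL"
        trigger_event = tag in confirmed or tag in self.confirmations.values()
        show = self.active_until is None or t >= self.active_until  # nothing suppressing now
        if confirmed and trigger_event:
            if self.trigger_time is None:  # the alarm-on check runs even when disabled
                self.trigger_time = t
                self.came_up = {x for x in self.members if x in self.signals}
            if self.enabled:
                self.active_until = t + self.switch_off_delay_s  # start or restart the timer
        if tag not in self.members:
            return "CONFIRMATION" if trigger_event else "NOT_IN_GROUP"
        self.came_up.add(tag)
        self.events.append((t, "ALARM" if show else "SUPPRESSED", tag))
        return "ALARM_LIST" if show else "SUPPRESSED"  # first alarm shown, later ones not

    def _switch_off(self, t: float, reason: str) -> None:
        self.active_until = None
        self.events.append((t, "SUPPRESSION_OFF", reason))

    def tick(self, t: float) -> List[str]:
        """Time-driven checks. Returns the dynamically checked alarms that failed to
        come up after the trigger (a single common fault alarm is raised if any)."""
        if self.active_until is not None and t >= self.active_until:
            self._switch_off(t, "switch-off delay expired")
        if self.trigger_time is None or t < self.trigger_time + self.alarm_on_check_delay_s:
            return []
        self.trigger_time = None
        missing = [x for x, m in self.members.items() if m.dynamic_check and x not in self.came_up]
        if missing:
            self.events.append((t, "GROUP_FAULT", self.name))
        return missing


# Constructed compressor K-250 group: trip command confirmed by the running contact dropping out.
K250 = DynamicSuppressionGroup(
    "016UZ-250",
    [MemberAlarm("016KZ-250", is_trigger=True),
     MemberAlarm("016FI-251", dynamic_check=True, time_to_come_up_s=10.0),
     MemberAlarm("016PI-252", dynamic_check=True, time_to_come_up_s=30.0),
     MemberAlarm("016TI-253", time_to_come_up_s=120.0)],
    confirmations={"016KZ-250": "016KM-250-STOPPED"},
)

if __name__ == "__main__":
    K250.set_enabled(True)
    for t, tag in [(0, "016KZ-250"), (2, "016KM-250-STOPPED"), (12, "016FI-251"), (40, "016TI-253")]:
        print(t, tag, K250.signal(t, tag, True))
    print("alarm-on check, missing:", K250.tick(95))
```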

4.4.2.6 Dynamic Mode Dependent Alarm Settings
Dynamic mode dependent alarm settings may be required to further reduce the meaningless alarm rate. Mode dependent alarm settings may be required where systems have distinct operational modes that require distinct alarm settings. This is for instance the case for furnaces having a normal mode and a decoke mode. Also the burner management system may have an Oil firing mode, a Gas firing mode and a dual firing mode. A dryer will have an operating and a regeneration mode. A crude distiller may have different alarm settings depending on the crude being processed. With dynamic mode dependent alarm settings, the alarm settings of analogue or digital points are changed according to the detected mode of operation or are available in the form of batch recipes in the case of sequential (batch) programming. The mode switching is detected from a set of process parameters and may also involve a manual switch.

Figure 6 Dynamic Mode Dependent Alarm Settings

Upon a detected mode change, the new set of alarm settings is automatically downloaded into the DCS point. These new settings will be applicable until the next mode change is detected or the dynamic mode dependent alarm setting enable switch is disabled. When disabled, the default set of settings is downloaded into the DCS point automatically. See Figure 3. Sensors used for mode detection shall be redundant (i.e. a "confirmed" mode) so that there is no single point of failure that could lead to the inadvertent alteration of alarm settings or to leaving alarms inadvertently incorrect.

Mode detection voting shall be such that:
• Two or more independent process measurements are used, such as the feed to a column, tray temperature or valve position.
• Correlated measurements with a high probability of common cause failure (e.g. plugged line) are not used.
• Dead bands are used on the voting permissives (i.e. independent process measurements) to prevent mode cycling.
• Signals with bad PVs are excluded from voting.

If none of the defined modes is detected (e.g. because of conflicting mode signals), the default mode shall be selected automatically. The default mode settings table contains the most conservative alarm settings, i.e. those settings that would alarm on approaching a constraint in any mode: for high alarms the lowest of all mode settings and for low alarms the highest. Obviously this could lead to many spurious alarms.

Dynamic mode dependent alarm settings shall not be applied to IPFs and their pre-alarms, since these settings are based on the excursion of safe operating envelopes that should not be mode dependent. Where pre-alarms are also used to alarm excursion from the normal operating envelope, they may have dynamic mode dependent alarm settings. Alarm setting changes (each mode change) shall be logged in the DCS for each point.

When dynamic mode dependent alarm setting groups are defined, the following data shall be recorded:
• Mode dependent alarm setting group tag name and descriptor: a reference tag name of the group and group descriptor to allow reference and proper administration. The group name and description should give a reference to the system (e.g. furnace) having different operating modes.
• Various mode names and descriptors: a reference tag name of the mode and operating mode name to allow reference and proper administration.
• Permissive and comments: for each mode, a Boolean statement with the (DCS) tags and conditions (signals) that have to be "true" or "false" to detect the mode switch to be made. This includes the condition (alarm, H alarm, LL alarm etc.). Conditions may include timers to limit the time during which a particular mode may be on.
• Mode dependent alarm setting group with default settings: a list of the instrument tags (and attributes such as L, HH etc.) to be manipulated, including the default settings.
• Alarm settings for each defined mode: a list of alarm settings for each instrument tag defined in the dynamic alarm settings group. Such a list should be prepared for each mode of operation defined in the list of operating modes.
• Comments: comments may be added for each instrument tag to clarify particular issues for future reference.
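The default-settings rule (lowest of all mode settings for high alarms, highest for low alarms), the voted mode detection with fall-back to the default, the disable-switch behaviour and the per-point change log described in 4.4.2.6, as an added example. The ModeDependentSettingsGroup class, the furnace tags, modes and values are constructed and are not the standard's own specification.

```python
"""Dynamic mode dependent alarm settings per 4.4.2.6 (added example, not the standard's
own logic; furnace tags, modes and values are constructed)."""
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, str]               # (instrument tag, attribute such as "H", "HH", "L", "LL")
SettingsTable = Dict[Key, float]
# For high alarms the lowest of all mode settings is the conservative one, for low the highest.
CONSERVATIVE = {"H": min, "HH": min, "L": max, "LL": max}


def default_settings(mode_tables: Dict[str, SettingsTable]) -> SettingsTable:
    """Default table: the most conservative value of each (tag, attribute) across modes."""
    out: SettingsTable = {}
    for table in mode_tables.values():
        for key, value in table.items():
            out[key] = value if key not in out else CONSERVATIVE[key[1]](out[key], value)
    return out


def detect_mode(votes: Dict[str, List[Optional[bool]]]) -> Optional[str]:
    """votes maps each mode to its permissive results (None = bad PV, excluded).
    A mode needs at least two good, agreeing permissives; if no mode or several
    modes are detected the result is None, which selects the default mode."""
    detected = [mode for mode, results in votes.items()
                if len([r for r in results if r is not None]) >= 2
                and all(r for r in results if r is not None)]
    return detected[0] if len(detected) == 1 else None


class ModeDependentSettingsGroup:
    def __init__(self, name: str, mode_tables: Dict[str, SettingsTable],
                 ipf_tags: Set[str] = frozenset()):
        # IPFs and their pre-alarms must not be mode dependent.
        offending = {tag for table in mode_tables.values() for tag, _ in table} & set(ipf_tags)
        if offending:
            raise ValueError(f"IPF tags cannot have mode dependent settings: {sorted(offending)}")
        self.name, self.mode_tables = name, mode_tables
        self.default = default_settings(mode_tables)
        self.enabled = False
        self.current_mode: Optional[str] = None
        self.dcs_points: SettingsTable = dict(self.default)  # what is loaded in the DCS points
        self.log: List[Tuple[float, str, str, float, float, str]] = []

    def set_enabled(self, t: float, enabled: bool) -> None:
        self.enabled = enabled
        if not enabled:
            self._download(t, self.default, "DEFAULT")  # disable switch -> default settings
            self.current_mode = None

    def _download(self, t: float, table: SettingsTable, label: str) -> None:
        for key, new in table.items():
            old = self.dcs_points[key]
            if old != new:
                self.dcs_points[key] = new
                self.log.append((t, key[0], key[1], old, new, label))  # logged per point

    def update(self, t: float, detected: Optional[str]) -> str:
        """Apply the detected mode (None = default) and return the active mode label."""
        if not self.enabled:
            return "DEFAULT"
        mode = detected if detected in self.mode_tables else None
        if mode != self.current_mode:
            self.current_mode = mode
            self._download(t, self.mode_tables[mode] if mode else self.default, mode or "DEFAULT")
        return self.current_mode or "DEFAULT"


# Constructed furnace F-101 with a normal and a decoke mode.
FURNACE_MODES: Dict[str, SettingsTable] = {
    "NORMAL": {("TI-101", "H"): 850.0, ("TI-101", "HH"): 900.0, ("FI-102", "L"): 10.0},
    "DECOKE": {("TI-101", "H"): 700.0, ("TI-101", "HH"): 750.0, ("FI-102", "L"): 25.0},
}

if __name__ == "__main__":
    grp = ModeDependentSettingsGroup("F-101-MODES", FURNACE_MODES)
    print("default table:", grp.default)
    grp.set_enabled(0, True)
    print(grp.update(10, detect_mode({"NORMAL": [True, True], "DECOKE": [False, None]})))
    print("change log:", grp.log)
```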

The lists "various modes", "mode dependent alarm setting group", "alarm settings for each defined mode" and "comments" are best combined in tabular form with the instrument tags listed vertically in the first column and the default and mode dependent settings listed in subsequent columns.

4.4.2.7 Alarm Suppression in Batch Operations
A special class of suppression is commonly found in sequential control programs, e.g. for batch operations. Such programs should follow a standard way of enabling / disabling alarms that can be expected to occur.
EXAMPLE:
- Start pump
- Wait until flow reaches alarm value + x %
- Enable low flow alarm
- ...
-  Disable low flow alarm
- Stop pump

4.5 IMPLEMENTATION
Implementation is the stage where the design is put into service. This process includes training for the operator and initial testing of the alarm system functions. This process is one step in addressing alarm clarity.

4.6 OPERATION
Operation is the stage when the alarm is in service and effectively reporting abnormal conditions to the operator.

4.7 PERFORMANCE MONITORING
Performance monitoring is the periodic collection and analysis of data from alarms in the operation life cycle stage. Without monitoring, it is almost impossible to maintain an effective alarm system. This process shall be automated to take place frequently. Monitoring is the primary method to detect problems such as nuisance alarms, stale alarms, and alarm floods. The DCS vendor's Alarm Management Software shall be used as the tool for this process. A systematic review shall be conducted to analyse the most frequent alarms logged by the Alarm Management Software. The review process is detailed as follows.

4.3.1.1 'Most Frequent Alarms' Review – Nuisance Alarm Reduction
Repeating alarms, i.e. the same alarm raising and clearing repeatedly over a period, may be generated in several ways, e.g. noise on a process variable when it is near an alarm setting, real high frequency fluctuations of a process variable or repeated action of on-off control loops.

The intent of this review is to analyze and quickly eliminate repeating alarms, especially alarms due to faulty equipment or incorrect settings. This review shall be conducted every two weeks as part of the AMT work process. A list of the most frequent alarms shall be generated and discussed during the review. The review process shall follow Figure 1a.

Fig 1a: Alarm Review Flowchart (nodes: Start; Select Most Frequent Alarms; Faulty Equipment? Yes: SAP; No: Actual Process; Review DCS/Alarm Setting/Alarm Deadband; Change Effect Safety / Products? No: Alarm Setting Change via MOC; Yes: Alarm Rationalization Process)

1. Select the most frequent alarm and determine the cause(s) and originating equipment.
2. Based on the cause(s), determine the action that must be taken to eliminate or reduce the alarm occurrence, e.g.:
   a. If it is due to faulty equipment, the Shift Supervisor is to raise a notification in SAP.
   b. If normal operation is near the alarm setting, consider reducing the alarm deadband or changing the alarm setting, only if this does not affect the process safety time.
3. Qualify the alarm against the alarm guidelines described in Section 3. If the alarm parameter does not meet the guidelines, decide what the required changes are.
4. Continue to review the most frequent alarms.
5. Compile the rest of the changes required and raise MOC to get the proper approvals.
6. Modifications shall be implemented by the Instrument/control engineer as per the configuration guidelines.
7. Data on each Alarm Review Form shall be updated into the Alarm Reference Database.

4.8 MAINTENANCE
Maintenance is a necessary step in the alarm life cycle. The process measurement instrument may need maintenance or some other component of the alarm system may need repair. The repair frequency could be scheduled or determined by monitoring. Periodic testing is also a maintenance function. During the maintenance stage, when the alarm is not in operation, the panel operator shall have alternative means of being alerted. Every plant shall have a documented testing philosophy and written test procedures for testing of alarms. As a minimum, Urgent alarms shall be tested during every DOSH shutdown. In the event that the alarm requirement has been identified through IPF Studies, the required testing frequency shall be followed. Every test shall be recorded with the date of test, the unique alarm tag, personnel who have conducted the test, the approving authority and the results of the test.

4.9 ASSESSMENT
Assessment is a periodic audit of the alarm system and the alarm management processes detailed in the alarm management philosophy. The assessment may determine the need to modify processes, the philosophy, the design guidance, or the need to improve the organization’s discipline to follow the processes.

4.10 MANAGEMENT OF CHANGE
Management of Change is the structured process of approval and authorization to make additions, modifications, and deletions of alarms from the system. Changes may be identified by many means, including operator suggestions and monitoring. The change process should feed back to the identification stage to ensure that each change is consistent with the alarm philosophy.

Changing the setting or configuration of alarms may alter many aspects of the operator's task in responding to them. This may, in turn, require corresponding changes to schematic displays, operating procedures or other work practices so that an overall consistency is maintained. As such, any changes (new, modify or delete) of alarm setpoints and priorities must be initiated through MOC. Prior to approval of the MOC, an Alarm Review Form must be filled in for each change. This is to ensure that:
1. The alarms are justified and properly designed with respect to setpoint, priority and associated displays.
2. The impact on existing logic design and multiple operator displays due to the changes in the alarm settings is extensively reviewed prior to implementation.
3. Data on each Alarm Review Form is updated into the Alarm Reference Database.

4.11 ALARM MANAGEMENT PROCESS LOOPS
The alarm management process flowchart of Figure 1 shows the relationship between the major stages. Included are three loops with significant importance in alarm management. These loops maintain and improve the alarm system.

4.11.1 MONITORING AND MAINTENANCE LOOP
The operation-monitoring-maintenance loop is the daily or weekly process of analyzing the monitored data to determine what unauthorized changes have been made and what instruments need to be repaired. This process can be simple or very complex depending on the automation systems or safety systems used.

4.11.2 MONITORING AND MANAGEMENT OF CHANGE LOOP
The management of change loop is a less frequent, but very necessary, process of identifying changes to the alarm system based on analysis of the monitored data. Changes may be identified through other means as well, such as operator suggestions. Changes to nuisance alarms may be initiated through monitoring. Through monitoring, alarm floods may also be identified. The management of change process can be used to implement advanced alarm management techniques to suppress the alarm floods. There is no set frequency for this loop: it happens on demand.

4.11.3 ASSESSMENT LOOP
The assessment-philosophy loop is a 5-year periodic audit of the implementation of the alarm philosophy and all of the processes described there. Through audits on training and alarm response, improvements in alarm clarity can be identified, as well as changes to the processes and the alarm philosophy.


4.12 ALARM DOCUMENTATION
An Alarm Reference Database shall be established using readily available and user friendly database software, e.g. Filemaker. The alarm database shall be updated quarterly to show the latest alarm settings as configured in the DCS. Each completed Alarm Review Form and the changes made shall be updated into the database. A history of the changes made to each alarm parameter shall be available via this database. A full set of alarm system documentation (similar to an IPF requirements specification according to PTS 32.80.10.12) shall be kept as built, containing:
• Overall alarm philosophy
• The alarm template definitions
• Alarm settings, rationale and related constraints
• Alarm narratives resulting from the alarm studies
• The decision “alarm or IPF?”
• Alarm suppression design, permissives, etc.

Where possible, the use of automatic documentation tools from the DCS Alarm Management Software is encouraged.

4.13 ALARM HISTORY RETENTION
The alarm history shall be retained for not less than one year.


5.0 PRIORITY ASSIGNMENT
The primary purpose of prioritization is to make it easier for the operator to identify important alarms when a number of them occur together. In assigning the priority of an alarm, these factors must be considered:
1. The severity of the consequences (in safety, environmental and economic terms) of the Operator failing to take the corrective action associated with the alarm.
2. The time available (from the onset of the alarm setpoint) and required for the corrective action to be performed and to have the desired effect.

In essence, the prioritization of an alarm shall be based on the expected consequences that the operator can prevent by responding appropriately to it. When performing an alarm review and/or alarm rationalization, the team shall use the Alarm Prioritization Risk Matrix (Appendix 2) and follow the steps below:
1. Determine the hazards that may occur if corrective action is not taken in response to an alarm.
2. Identify the safety, environmental and economic consequences of the hazards.
3. Determine the response time available to the panel man before the hazards occur.
4. Assign the alarm priority based on the RAM.

Note that there may be mitigation systems ‘upstream’ of the alarm, for example relief valves or emergency shutdown systems, which are designed to prevent the hazards from occurring. In order for prioritization to be effective, the relative frequency of occurrence of different alarm priorities should reduce with increased priority. Thus, during system design, alarms should be configured with the following priority distribution:

Table 3 Priority Settings

Priority   Percentage of total configured alarms
Urgent     a target of 5% and no more than 10%, or 2 to 3 emergency alarms per piece of major equipment
High       a target of 10% and no more than 20%
Low        the rest, i.e. a target of 85% and no less than 70%
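The four prioritization steps above, as an added worked example that is not part of this standard: each consequence category is scored against the Appendix 2 matrix (row = consequence class, column = response class), the worst result is taken, and a configured alarm set is checked against the Table 3 distribution. The treatment of the 5 and 15 minute boundaries and the reading of the matrix’s “*” note as “a starred cell reached through Health & Safety or Environment” are assumptions of this example.

```python
# Added example, not part of PTS 32.30.60.19: the Section 5.0 priority
# assignment steps as a function over the Appendix 2 matrix, plus a check of a
# configured alarm set against the Table 3 distribution. The handling of the
# response-time boundaries (5 and 15 mins) and the reading of the "*" note as
# "a starred cell reached through Health & Safety or Environment" are my
# assumptions.

CONSEQUENCE_CLASSES = ["NEGLIGIBLE", "LOW", "MEDIUM", "HIGH", "EXTREME"]
RESPONSE_CLASSES = ["SHORT", "MEDIUM", "LONG"]   # <5, 5-15, >15 mins available

# Appendix 2 matrix: rows = consequence class, columns = response class.
# A leading "*" marks the cells the matrix flags for IPF layer classification.
MATRIX = [
    ["L", "L", "L"],       # NEGLIGIBLE
    ["M", "M", "L"],       # LOW
    ["E", "M", "M"],       # MEDIUM
    ["*E", "*E", "*M"],    # HIGH
    ["*E", "*E", "*E"],    # EXTREME
]
PRIORITY_RANK = {"L": 0, "M": 1, "E": 2}

def response_class(available_minutes):
    """Map the time available before the hazard occurs to a response class."""
    if available_minutes < 5:
        return "SHORT"
    if available_minutes <= 15:    # 5 and 15 taken as MEDIUM (assumption)
        return "MEDIUM"
    return "LONG"

def assign_priority(consequences, available_minutes):
    """consequences: {"Economics": cls, "Health and Safety": cls, "Environment": cls}.

    Each category is scored against the matrix and the worst priority wins.
    Returns (priority letter, escalate_to_ipf)."""
    col = RESPONSE_CLASSES.index(response_class(available_minutes))
    worst, escalate = "L", False
    for category, cls in consequences.items():
        cell = MATRIX[CONSEQUENCE_CLASSES.index(cls)][col]
        letter = cell.lstrip("*")
        if PRIORITY_RANK[letter] > PRIORITY_RANK[worst]:
            worst = letter
        if cell.startswith("*") and category != "Economics":
            escalate = True
    return worst, escalate

# Table 3 as (target %, minimum %, maximum %); Table 3 gives no minimum for
# Urgent and High, so 0 is used there.
TABLE3 = {"Urgent": (5, 0, 10), "High": (10, 0, 20), "Low": (85, 70, 100)}

def check_distribution(counts):
    """counts: configured alarms per priority, e.g. {"Urgent": 80, ...}.

    Returns {priority: (percentage of total, within Table 3 limits)}."""
    total = sum(counts.values())
    return {prio: (100.0 * counts.get(prio, 0) / total,
                   lo <= 100.0 * counts.get(prio, 0) / total <= hi)
            for prio, (_target, lo, hi) in TABLE3.items()}
```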


6.0 BENCHMARKING, PERFORMANCE METRICS AND REPORTING
Benchmarking provides a means of:
1. Measuring the effectiveness of the alarm system as it stands
2. Defining the required degree of improvement
3. Measuring the degree of improvement actually achieved.

The benchmark asks a number of important questions about the alarm system configuration and behavior, and includes a questionnaire of the operators on their experience of the alarm system. Typically, the following are measured:
1. Number of standing alarms in normal operation
2. Number of alarms per operator
3. Number of alarms per control loop
4. Number of alarms per protected event
5. Ratio of emergency : high : low priority alarms
6. New alarm rate in normal operation
7. New alarm rate in typical disturbance
8. Number of chattering alarms

To acquire this information, the use of an independent plant DCS vendor based Alarm Management Software is recommended. There is also a requirement to analyze events during some typical disturbances, where the Alarm Management Software provides the distinct advantage of an automatic alarm data collection and analysis tool. The results from this benchmark would indicate which of the two improvement steps previously discussed is needed. Success criteria of the initiative will be derived from the benchmarking result above. A selection of alarm performance metrics shall be used to measure the performance of PETRONAS DCS alarm systems. The metrics shall include:
1. Average alarm rate per 10 minutes, per hour and per day
2. Peak alarm rate per 10 minutes
3. Percentage of 10 minute periods in a day with fewer than 5 alarms

The metrics data shall be compared to the EEMUA benchmark to continually assess PETRONAS alarm systems performance. For a plant in steady state or stable operation, the average alarm rate per 10 minutes will determine the following risks and categorization (from EEMUA recommendations):

Table 4 Steady State Alarm Rates

Average alarm rate in steady-state operation, per 10 minute period   Acceptability categorization
More than 10 alarms                                                    Very likely to be unacceptable
More than 5 but less than 10                                           Likely to be over-demanding
More than 2 but less than 5                                            Possibly over-demanding
1 or more but less than 2                                              Manageable
Less than 1 alarm                                                      Very likely to be acceptable

Performance and risk, from the highest rate band to the lowest: Inefficient / High risk; Medium performance and risk; Efficient / World Class, Low risk.

For a plant experiencing an upset, the number of alarms displayed in the 10 minutes following the upset will determine the following risks and categorization (from EEMUA recommendations):

Table 5 Alarm Rates During Upset Conditions

Number of alarms displayed in 10 minutes following a major plant upset   Acceptability categorization
More than 100 alarms                                                      Definitely excessive and very likely to lead to operator abandoning use of the system
20-100                                                                    Hard to cope with
10-20                                                                     Possibly hard to cope with
Under 10                                                                  Should be manageable
Less than 1 alarm                                                         Very likely to be acceptable but may be difficult if several of the alarms require a complex operator response.

Performance and risk, from the highest rate band to the lowest: Inefficient / High risk; Medium performance and risk; Efficient / World Class, Low risk.

The metrics shall be calculated from alarm data captured in the Alarm Management System, using the Frequency Analysis and Alarm Rates modules. Hence, it is critical to ensure that the Alarm Management System is continuously capturing alarms from the DCS. Monthly Alarm System Performance reports shall be generated through the Alarm Management System; these shall include the alarm activity trend over the month, the most active points and the distribution of alarm priorities. A summary report for all areas shall also be generated.
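As an added illustration that is not part of this standard or of any Alarm Management Software product, the three metrics above and the Table 4 and Table 5 categorizations computed over a constructed alarm log. The log line format, the sample alarms and the placing of a value that falls exactly on a band boundary into the more demanding band are assumptions of this example.

```python
# Added example, not part of PTS 32.30.60.19: the Section 6.0 metrics computed
# over a constructed alarm log, with the Table 4 / Table 5 bands. The log format
# and the treatment of band boundaries (a value on a boundary goes to the more
# demanding band) are assumptions.
from datetime import datetime, timedelta

# Constructed sample log, one alarm per line: "<ISO timestamp> <tag> <priority>".
SAMPLE_LOG = """\
2008-12-01T08:00:10 FI-101 LOW
2008-12-01T08:03:42 TI-202 HIGH
2008-12-01T08:11:00 FI-101 LOW
2008-12-01T08:25:30 LI-404 HIGH
2008-12-01T08:26:01 LI-404 HIGH
2008-12-01T08:26:33 LI-404 HIGH
2008-12-01T08:27:10 LI-404 HIGH
2008-12-01T08:28:55 LI-404 HIGH
2008-12-01T08:45:00 TI-202 HIGH
"""
OBS_START, OBS_END = datetime(2008, 12, 1, 8), datetime(2008, 12, 1, 9)
UPSET_AT = datetime(2008, 12, 1, 8, 25)   # assumed start of a plant upset
TEN_MIN = timedelta(minutes=10)

def parse_log(text):
    """Return (timestamp, tag, priority) tuples; blank lines are skipped."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(datetime.fromisoformat(ts), tag, prio) for ts, tag, prio in rows]

def count_in_windows(events, start, end, width):
    """Alarm counts for consecutive windows of `width` covering [start, end)."""
    counts, t = [], start
    while t < end:
        counts.append(sum(1 for ts, _, _ in events if t <= ts < t + width))
        t += width
    return counts

def steady_state_metrics(events, start, end):
    """Average and peak rates plus the share of quiet 10-minute periods."""
    ten = count_in_windows(events, start, end, TEN_MIN)
    n, periods = sum(ten), len(ten)
    hours = (end - start).total_seconds() / 3600
    return {"avg_per_10min": n / periods, "avg_per_hour": n / hours,
            "avg_per_day": n / hours * 24, "peak_per_10min": max(ten),
            "pct_10min_under_5": 100.0 * sum(c < 5 for c in ten) / periods}

def steady_state_band(avg_per_10min):
    """Table 4 acceptability categorization of the average rate per 10 minutes."""
    for lower, label in [(10, "Very likely to be unacceptable"),
                         (5, "Likely to be over-demanding"),
                         (2, "Possibly over-demanding"), (1, "Manageable")]:
        if avg_per_10min >= lower:
            return label
    return "Very likely to be acceptable"

def alarms_after_upset(events, upset_time):
    """Number of alarms displayed in the 10 minutes following the upset."""
    return sum(1 for ts, _, _ in events if upset_time <= ts < upset_time + TEN_MIN)

def upset_band(n):
    """Table 5 acceptability categorization of the post-upset alarm count."""
    for lower, label in [(101, "Definitely excessive"), (20, "Hard to cope with"),
                         (10, "Possibly hard to cope with")]:
        if n >= lower:
            return label
    return "Should be manageable"
```

Running the sample over the 08:00 to 09:00 window gives six 10-minute periods with counts 2, 1, 5, 0, 1, 0, so an average of 1.5 alarms per 10 minutes (Manageable) but a peak of 5 driven by the repeating LI-404 point.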


7.0 ALARM PRESENTATION

7.1
The operating philosophy used in most control rooms is the “Management by Awareness” principle, where:
• The panel operator will regularly need to scan overviews of process conditions, which may be presented by means of standard displays or custom graphics. Display structures and hierarchy shall be designed to facilitate this activity.
• Situations requiring fast action by the panel operator are indicated by the DCS system through an alarm management system, with direct access to associated displays.
Process graphics shall be presented so as to attract the operator’s attention and prompt him to take corrective action. In addition, the following table shall be applied.

Situation                      Background colour   Colour of the value
In alarm but suppressed        Soft white          Blue
Not in alarm but suppressed    Soft white          Black

7.2

The following should be considered when incorporating alarms into DCS operator displays:
• Color coding for displays should be muted or altered such that the alarms’ visual indicators are more salient and not masked by other color coding.
• On process graphics, blinking text should not be used to indicate unacknowledged alarms, as this makes it difficult for the operator to read the text.

Alarms should be displayed by a changing box outline around the text or by using icons. The colour of the box outline or icon shall change according to the condition below:

Table 6 Alarm Colour Codes

Alarm Priority   Unacknowledged       Acknowledged
Urgent           Red (Blinking)       Red (Static)
High             Orange (Blinking)    Orange (Static)
Low              Magenta (Blinking)   Magenta (Static)


8. AUDIBLE SIGNALS CONSIDERATIONS
The audible presentation of alarm information should be designed such that the operator is more aware of alarms at higher priorities, providing a hierarchy of awareness from the highest to the lowest level of alarm. The audible alarm tone shall be clearly separated between plant areas (i.e. process and utility).


9. TRAINING
Training is a key area that induces change to improve human reliability and lower the probability of failures during abnormal situations. Training would generally be required under the following circumstances:
1. Startup of a new system
2. Implementation of alarm changes
3. New operators
4. Annual refresher

Items for training:
1. Alarm philosophy
2. Alarm priority definitions
3. Alarm presentation features
4. Defined alarm responses
5. Procedures for handling alarm floods
6. Site MOC process as it relates to alarms
7. Alarm setting audit and enforcement
8. Performance metrics
9. Alarm testing procedures

Specific training on Urgent alarms shall be provided to Console Operators at a minimum frequency of once per year. Operators shall be tested on:
1. Understanding of the alarms
2. Mechanism of annunciation
3. Consequence of missing the alarms
4. Operator’s response


10. ROLES AND RESPONSIBILITIES
Plant Manager
• Approval of Alarm Management Philosophy.
• Review and approval of any future amendments to this philosophy.

Manager, Operations
• Approval of DCS alarm settings changes as per MOC approval process.
• Allocation of budget for the execution of alarm management activities, if required.
• Responsible for the development of alarm management strategy to reduce alarms to the world class benchmark.

Manager, Maintenance
• Responsible for the execution of maintenance strategy to reduce alarms within the area.
• Ensure the approval of notifications registered in SAP, i.e. requests for rectification work related to alarm management activities.
• Allocation of asset maintenance manpower for the execution of alarm management activities, if required.

Operation Engineer / Process Engineer
• Responsible for leading the Alarm Management Team.
• Responsible for the execution of operation strategy to reduce alarms within the area.
• Allocation of operation manpower for the execution of alarm management activities, if required.

Shift Supervisor (SS)
• Ensure all panel operators understand and follow their roles and responsibilities as outlined in this philosophy.
• Notify in SAP any abnormal alarms and any alarms which result from an equipment failure.
• Inform relevant parties (Maintenance, Instrument Engineer) if an alarm is overloading a particular operator.

Panel Operator
• React immediately to an alarm with the proper corrective action.
• React immediately to the alarm with the highest priority.
• Inform SS if he is overloaded and unable to react to a particular alarm.
• Inform SS if there are any abnormal alarms.

Instrument/Control Engineer
• Monitor DCS system alarms and take corrective action immediately.
• Propose solutions based on the inherent capabilities of the DCS to solve any alarm problems.
• Execute the alarm changes required on the DCS as approved by MOC.
• Lead any major changes on the DCS alarm system.
• Update the alarm reference database with any Alarm Review Forms (generated from either alarm rationalization or alarm review).
• Generate and distribute the Alarm System Performance reports for each unit.
• Generate and distribute the 20 most frequent alarms report for each area bi-weekly.

Reliability Engineer
• Responsible for reviewing the Alarm System Performance report for each Asset Team monthly.
• Responsible for tracking alarm management activities based on the Alarm System Performance report for each Asset Team.

11. REFERENCES
PTS 32.00.00.11                  Human Machine Interface in a Control Room
PTS 60.2201                      Management of Change (Guidelines)
EEMUA 191 2007                   Alarm System – A Guide to Design, Management and Procurement
Draft ISA – 18.02 – 2008.04.01   Management of Alarm Systems for the Process Industries
DEP 32.80.10.14-Gen Revision 5   Alarm Management
ASM® Consortium Guidelines       Effective Alarm Management Practices

APPENDIX 1: ALARM REVIEW FORM

Alarm Review Form
Author: Issue Date: Review Date:

Instructions:
• The Alarm Review Form shall be filled in and agreed by the following minimum mandatory participants: Operations Engineer, Panel Operator, Process Engineer and Instrument Engineer
• Complete all sections

IDENTIFICATION

Alarm Parameter   Tag Number   Tag Description   Alarm Setpoint (Current)   Alarm Setpoint (New)

RATIONALIZATION

Purpose (List the purpose(s) of the alarm)

Causes (List the cause(s) or precursor(s) of the alarm and list any tags which may help in identifying the cause(s))

Corrective Actions (Define operator action required to return the process to ‘normal’)

Consequence (Define the consequence(s) of the alarm event when no corrective action is taken to return the process to ‘normal’)

PRIORITY
Determine the priority of the alarm from the DCS Alarm Prioritization Matrix. Record the consequence and response below.

Consequence Category   Consequence Class   Response Class   Resulting Priority
Economics
Health and Safety
Environment

APPENDIX 2: DCS ALARM PRIORITIZATION RISK ASSESSMENT MATRIX

Priority class by consequence class (rows) and response class (columns). The response class is set by the available response time: SHORT < 5 mins, MEDIUM 5-15 mins, LONG > 15 mins.

Consequence Class   Economics                  Health & Safety       Environment        SHORT   MEDIUM   LONG
NEGLIGIBLE          No/Slight Effect (<10k)    No/Slight Injury      No/Slight Effect   L       L        L
LOW                 Minor Effect (10-100k)     Minor Injury          Minor Effect       M       M        L
MEDIUM              Medium Effect (100k-1M)    Major Injury          Local Effect       E       M        M
HIGH                Major Effect (1M to 10M)   Single Fatality       Major Effect       *E      *E       *M
EXTREME             Extensive (>10M)           Multiple Fatalities   Massive            *E      *E       *E

Priority class: E – Emergency / Urgent / High; M – Medium; L – Low.
Note: *M and *E – a priority class that is driven by Health & Safety and/or Environment shall be escalated to IPF Layer Classification.
ECONOMICS (Repair and Production Loss Expressed in USD)

Consequence        Description/Definition
No/Slight Effect   Estimated cost less than USD10K or no disruption to unit production
Minor Effect       Estimated cost between USD10K to USD100K or brief disruption
Medium Effect      Estimated cost between USD0.1M to USD1M or partial shutdown, can be restarted
Major Effect       Estimated cost between USD1M to USD10M or partial operation loss
Extensive          Estimated cost more than USD10M or substantial/total loss of operation

HEALTH AND SAFETY

Consequence           Description/Definition
No/Slight Injury      Not affecting work performance or causing disability
Minor Injury          Affecting work performance, such as restriction to activities (RWC) or a need to take a few days to fully recover (Lost Workday Case, LTI). Limited health effects which are reversible, e.g. skin irritation, food poisoning
Major Injury          Affecting work performance in the longer term, such as prolonged absence from work (including Permanent Partial Disability). Irreversible health damage without loss of life, e.g. noise induced hearing loss, chronic back injuries
Single Fatality       From an accident or occupational illness (poisoning, cancer)
Multiple Fatalities   From an accident or occupational illness (poisoning, cancer)

ENVIRONMENT

Consequence        Description/Definition
No/Slight Effect   No environmental damage or local environmental damage. Within the fence and within systems. Negligible financial consequences
Minor Effect       Contamination. Damage sufficiently large to attack the environment. Single exceedance of statutory or prescribed criterion. Single complaint. No permanent effect on environment
Local Effect       Limited loss of discharges of known toxicity. Repeated exceedance of statutory or prescribed limit. Affecting neighborhood
Major Effect       Severe environmental damage. The company is required to take extensive measures to restore the contaminated environment to its original state. Extended exceedance of statutory or prescribed limits
Massive            Persistent severe environmental damage or severe nuisance extending over a large area. In terms of commercial or recreational use or nature conservancy, a major economic loss for the company. Constant, high exceedance of statutory or prescribed limits
