-PUBLIC-

N-2900 REV. A ENGLISH 03 / 2015

Alarm Management

Procedure

This Standard replaces and cancels its previous revision.


The CONTEC - Authoring Subcommittee provides guidance on the
interpretation of this Standard when questions arise regarding its contents. The
Department of PETROBRAS that uses this Standard is responsible for adopting
and applying the sections, subsections and enumerates thereof.

CONTEC - Comissão de Normalização Técnica
SC - 10 Industrial Automation and Instrumentation

Technical Requirement: A provision established as the most adequate and
which shall be used strictly in accordance with this Standard. If a decision is
taken not to follow the requirement (“non-conformity” to this Standard) it shall be
based on well-founded economic and management reasons, and be approved
and registered by the Department of PETROBRAS that uses this Standard. It is
characterized by imperative nature.

Recommended Practice: A provision that may be adopted under the conditions
of this Standard, but which admits (and draws attention to) the possibility of
there being a more adequate alternative (not written in this Standard) to the
particular application. The alternative adopted shall be approved and registered
by the Department of PETROBRAS that uses this Standard. It is characterized
by verbs of a nonmandatory nature. It is indicated by the expression:
[Recommended Practice].

Copies of the registered “non-conformities” to this Standard that may contribute
to the improvement thereof shall be submitted to the CONTEC - Authoring
Subcommittee.

Proposed revisions to this Standard shall be submitted to the CONTEC -
Authoring Subcommittee, indicating the alphanumeric identification and revision
of the Standard, the section, subsection and enumerate to be revised, the
proposed text, and technical/economic justification for revision. The proposals
are evaluated during the work for alteration of this Standard.

“This Standard is exclusive property of Petróleo Brasileiro S. A. -
PETROBRAS, internal application and PETROBRAS Subsidiaries and
shall be used by its suppliers of goods and services under contracts or
similar under the conditions established in Bidding, Contract, Agreement
or similar.
The use of this Standard by other companies / organizations / government
agencies and individuals is the sole responsibility of the users.”

Introduction
PETROBRAS Technical Standards are prepared by Working Groups - WG
(consisting of specialized Technical Collaborators from the Company and its Subsidiaries), are
commented by Company Units and its Subsidiaries, are approved by the Authoring Subcommittees -
SCs (consisting of technicians from the same specialty, representing the various Company Units and
its Subsidiaries), and ratified by the Executive Nucleus (consisting of representatives of the Company
Units and its Subsidiaries). A PETROBRAS Technical Standard is subject to revision at any time by its
Authoring Subcommittee and shall be reviewed every 5 years to be revalidated, revised or cancelled.
PETROBRAS Technical Standards are prepared in accordance with PETROBRAS Technical
Standard N-1. For complete information about PETROBRAS Technical Standards see PETROBRAS
Technical Standards Catalog.

PROPERTY OF PETROBRAS 26 pages, Index of Revisions and WG


Summary

Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Symbols and Abbreviations
5 Alarm Philosophy
5.1 Objective
5.2 Basic Requirements
5.3 Alarm Prioritization
5.4 Alarm Class
5.5 Performance Indicators
6 Alarm Management Life Cycle
6.1 Identification and Rationalization
6.2 Detail Design and Implementation
6.2.1 Characteristics of an Alarm System
6.2.2 Implementation of Processing Strategies in the Alarm Systems
6.2.3 Alarm System Interface Design Practices
6.3 Commissioning and Training
6.4 Operation and Monitoring
6.5 Management of Change, Maintenance and Audit
Annex A - Examples of Consequences to the Asset and Operational Continuity
Annex B - Procedure for Alarms Rationalization

Figures

Figure 1 - Alarm Deadband
Figure 2 - Example of Suppression of Alarms Configured for the Same Variable
Figure B.1 - Procedure for Alarms Rationalization

Tables

Table 1 - Allowable Response Time
Table 2 - Determination of Priority by Risk to Assets / Operational Continuity (See Examples - Annex A)
Table 3 - Priority Determination by Risk to the Environment
Table 4 - Priority Determination by Risk to Personnel Safety
Table 5 - Summary of Recommended Metrics for Alarm Performance
Table 6 - Alarms Documentation

Foreword

This Standard is the English version (issued in 07/2015) of PETROBRAS N-2900 REV. A 03/2015. In
case of doubt, the Portuguese version, which is the valid document for all intents and purposes, shall
be used.

1 Scope

1.1 The purpose of this Standard is to define the alarm management philosophy of PETROBRAS. This
Standard may be complemented with a specific philosophy of each business segment of the
Company.

1.2 This Standard applies to project, operation and maintenance of alarm systems in PETROBRAS
Units.

1.3 This Standard applies to procedures started from the date of its issue.

1.4 This Standard contains Technical Requirements and Recommended Practices.

2 Normative References

The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document applies.

PETROBRAS N-2595 - Critérios de Projeto, Operação e Manutenção de Sistemas
Instrumentados de Segurança em Unidades Industriais;

PETROBRAS N-2782 - Applicable Techniques to Industrial Risk Analysis;

IEC 62682 - Management of Alarm Systems for the Process Industries.

NOTE For documents referred in this Standard and for which only the Portuguese version is
available, the PETROBRAS department that uses this Standard should be consulted for any
information required for the specific application.

3 Terms and Definitions

For the purposes of this document, the following terms and definitions apply.

3.1
alarm
any audible or visual means that indicates an abnormal condition associated with the process or
equipment and that requires an action in a limited time

NOTE The term equipment also applies to systems and instruments.

3.2
deviation alarm
an alarm generated when the difference between two analog values exceeds a limit (e.g.: deviation
between redundant instruments or deviation between the process variable and setpoint)


3.3
discrepancy alarm
an alarm generated by a mismatch between the expected state of the plant or
equipment and its real state (e.g.: motor start failure when it is commanded)

3.4
nuisance alarm
an alarm that is announced excessively or unnecessarily, or that does not return to its normal state
even after operator action

3.5
chattering alarm or fleeting alarm
an alarm that transitions between the annunciation condition and the disable condition in a short
period of time

3.6
stale alarm
an alarm that remains active continuously for long periods of time (usually 24 hours)

3.7
alert
a signaling less important than the alarm, characterized by operational conditions that require
attention, and whose actions shall be taken whenever time allows

3.8
alarm annunciation
a function of the alarm system to draw the operator’s attention to the alarm

3.9
alarm activation
a state in which the alarm condition is true

3.10
alarm flood
a condition during which the alarm rate is larger than that which may be effectively managed (e.g.:
more than 10 alarms in 10 minutes interval)

3.11
bad-actors
the alarms that, during a specified time interval, present a much higher number of annunciations than
the others

3.12
alarm deadband
the range in which the state of the alarm is not altered, regardless of the variation of the signal
(Figure 1).

[Figure 1 - Alarm Deadband: trend of the PV over time, showing the alarm setpoint, the deadband, and
the alarm state between alarm activation and return to normal.]

3.13
alarm class
an alarm group with common management requirements such as test, training, announcing, audit, etc.

3.14
Return to Normal (RTN)
the state in which the condition for alarm announcing has ceased to exist

3.15
event
a change in the conditions of the plant, equipment or a variable

3.16
alarm philosophy
the documentation that establishes the basic definitions, principles and procedures to design,
implement and maintain an alarm system

3.17
alarm management
the processes and practices to conceive, design, document, operate, monitor and maintain an alarm
system


3.18
alarm group
a set of alarms, determined by some logical criteria of grouping, such as: physical location, function,
system, etc

3.19
alarm priority
the relative importance attributed to an alarm within an alarm system to indicate the urgency of a
response

3.20
rationalization
the process of alarm analysis to justify and document their conception and/or use based on the alarm
philosophy

3.21
acknowledge - ACK
an action that confirms the acknowledgment of the alarm annunciation

NOTE It does not mean resolution of the alarm reason.

3.22
shelve
action initiated by the operator to temporarily suppress an alarm, with controlled mechanisms to
remove this suppression

3.23
alarm system
a set of hardware and software that enables the detection of alarm states, their annunciation, and the
recording of their changes

3.24
suppression
any mechanism to prevent the annunciation of the alarm when the abnormal condition is present

3.25
allowable response time
the maximum time between the alarm annunciation and the beginning of a corrective action on the
process, regardless of where the action will be executed, to avoid the consequences of the abnormal
condition. Reference: Figure 4 of IEC 62682

3.26
alarm timer
minimum time which the variable must remain continuously beyond its setpoint value, so that the
alarm is announced

NOTE This timer may be applied also to remove the alarm annunciation

3.27
alarm setpoint
a threshold value of a process variable or discrete state that announces the alarm


4 Symbols and Abbreviations

ESD - Emergency Shutdown;
HAZOP - Hazard and Operability Study;
HMI - Human Machine Interface;
IPL - Independent Protection Layer;
LOPA - Layers of Protection Analysis;
PV - Process Variable;
SCADA - Supervisory Control and Data Acquisition System;
DCS - Distributed Control System;
SIS - Safety Instrumented System;
BPCS - Basic Process Control System;
ART - Allowable Response Time;
CPU - Central Processing Unit.

NOTE This document shall use the term BPCS to generally refer to automation architectures
adopted in different business segments of the company, replacing terms such as SCADA,
DCS and other similar systems.

5 Alarm Philosophy

5.1 Objective

5.1.1 The definition of a philosophy for an alarm system has the following goals:

— to ensure consistency and uniformity of the alarm management for all company plants;
— to ensure alignment with management goals and objectives;
— to provide inputs for the specification, implementation, operation, monitoring and
maintenance of a robust and efficient alarm system.

5.1.2 The alarm system does not replace the SIS, but it helps the operator to take actions that will
prevent plant shutdown caused by safety instrumented system action, decreasing its demand.

5.2 Basic Requirements

In order to comply with the definition, an alarm shall be designed considering human limitations, and
shall have the following features:

— relevance: shall have a defined operational significance; if no response is associated with
the signal which generates the alarm, such signal shall not be an alarm;
— singularity: the same information shall not be represented by two different alarms,
avoiding duplication of response procedures that can confuse and overload the operator;
— adequate response time: no alarm shall be announced too long before its response is
required or too late for the corrective actions to be taken;
— degree of importance: every alarm shall have a priority to facilitate the operator’s
decision-making;
— clarity: the alarm message shall be easy to understand and focus on the description of
the problem.

5.3 Alarm Prioritization

5.3.1 All alarms shall be prioritized so that their interface is properly designed considering the
characteristics previously presented.


5.3.2 Alarms shall be prioritized based on the allowable time for the operator’s response, and the
impacts caused on the plant when no response is taken. These impacts may be related to loss of
production and assets, environment damage and personnel safety, considering, within these
categories, the alarms defined to comply with local legislation or company’s internal policies.

5.3.3 During the assessment of these impacts, the protective layers which are available on the plant
at the time of analysis shall be considered for alarms whose operator response has not been classified
as IPL. These protective layers may be safety instrumented functions or mechanical protective
devices such as safety relief valves.

NOTE 1 The lack of an adequate protection layer tends to lead to a high priority alarm. The availability
of a well designed SIS, for example, tends to reduce the impact associated with the
environment and personnel safety, and to increase the impact associated with production
loss, since a lack of operator response to the alarm will lead to a demand on the SIS. High
priority alarms may indicate an eventual need to revise the upper protection layers. The
impact of an alarm status changed to an alert, or an alarm removal, should be verified in
other analyses (e.g.: HAZOP, safety instrumented functions classification).
NOTE 2 The same criterion applies to plants that were not subject to LOPA study.

5.3.4 Alarms whose operator response has been classified as IPL shall be prioritized disregarding the
presence of any protective layers.

5.3.5 Criteria for Alarm Prioritization

5.3.5.1 The criteria presented below shall be applied to each alarm. This analysis results in an alarm
priority, which can be used to lead the operator to choose which alarm shall be dealt with first, when two or
more alarms are announced simultaneously.

5.3.5.2 Determination of ART (Allowable Response Time)

5.3.5.2.1 Table 1 shall be used to determine the allowable response time.

Table 1 - Allowable Response Time

| ART | Criterion |
|---|---|
| Long | More than 10 minutes and less than an hour |
| Medium | Between 3 and 10 minutes |
| Short | Less than 3 minutes |

5.3.5.2.2 For response times longer than one hour, any abnormal signaling shall be considered as an
"ALERT".

5.3.5.2.3 For periods of time shorter than 1 minute, it shall be evaluated if the operator’s action can be
performed accordingly. In case this action is not possible, an automatic actuation shall be foreseen.
For periods of time between 1 and 3 minutes, special alarm annunciation mechanisms and special
training for the operation staff shall be considered in order to respond to the abnormal event.


5.3.5.3 Determination of Priority

5.3.5.3.1 The alarm priority shall be determined from the allowable response time to the operator
regarding the alarm, and the impact on the plant if the operational action is not applied. This analysis
shall be performed using Tables 2 to 4, when applicable. The highest priority value obtained shall
be adopted. The consequence severity categories are aligned with PETROBRAS N-2782.

Table 2 - Determination of Priority by Risk to Assets / Operational Continuity (See Examples - Annex A)

| Consequence severity categories | Description/ characteristics | ART Long | ART Medium | ART Short |
|---|---|---|---|---|
| V Catastrophic | Catastrophic damage which may lead to industrial plant loss | Critical | Critical | Critical |
| IV Critical | Severe damage to the systems (large time to repair) | High | High | Critical |
| III Medium | Moderate damage to the systems | Medium | Medium | High |
| II Marginal | Light damage to the systems/ equipment | Low | Low | Medium |
| I Negligible | Light damage to equipment without affecting operational continuity | Low | Low | Low |

Table 3 - Priority Determination by Risk to the Environment

| Consequence Severity Categories | Description/ characteristics | ART Long | ART Medium | ART Short |
|---|---|---|---|---|
| V Catastrophic | Severe damage in sensitive areas or extending to other places | Critical | Critical | Critical |
| IV Critical | Severe damage with localized effect | High | Critical | Critical |
| III Medium | Moderate damage | High | High | Critical |
| II Marginal | Light damage | Medium | High | High |
| I Negligible | Insignificant damage | Low | Low | Medium |


Table 4 - Priority Determination by Risk to Personnel Safety

| Severity categories of consequences | Description/ characteristics | ART Long | ART Medium | ART Short |
|---|---|---|---|---|
| V Catastrophic | Multiple plant inside or outside fatalities | Critical | Critical | Critical |
| IV Critical | Plant inside fatality or plant outside serious injury | Critical | Critical | Critical |
| III Medium | Plant inside serious injuries or plant outside light injuries | High | Critical | Critical |
| II Marginal | Light injuries | Medium | High | High |
| I Negligible | Cases of first aid at most | Low | Medium | Medium |

5.3.5.3.2 For capacity increases or adaptations of new facilities in existing plants, the
prioritization criteria shall be revised according to this Standard.

5.4 Alarm Class

5.4.1 An alarm class is utilized to characterize alarms with common management requirements, for
example, a defined frequency of test, a maximum time for maintenance and being subject to audit.

5.4.2 The specific requirements of an alarm class shall be defined in the alarm documentation.

5.4.3 It is not mandatory that an alarm belongs to an alarm class, however, an alarm may belong to
one or more classes.

5.4.4 Alarm whose operator response is considered an independent protection layer (IPL).

5.4.4.1 Alarms may be utilized as an independent protection layer from studies of LOPA. These
alarms shall be part of an alarm class.

5.4.4.2 The alarm belonging to this class shall:

a) be designed so that any condition present in a plant will distort its announcement, for
example, in a steam line rupture scenario, there may be false indication of a high level
due to bubbles formation in the liquid phase, and the low-level alarm in the steam
generator may not indicate the deviation immediately;
b) be labeled differently and be distinguishable from other alarms;
c) have a specific operational procedure in response thereto, considering that the operator
action shall be enough to avoid undesired impact;
d) be inserted in established training, maintenance and audit programs.

5.4.5 The prioritization of an alarm which belongs to a class shall be performed according to 5.3.


5.5 Performance Indicators

The recommended values for performance indicators are shown in Table 5. [Recommended
Practice]

Table 5 - Summary of Recommended Metrics for Alarm Performance

Alarms performance metrics based on a period of at least 30 days

| Metric | Goal |
|---|---|
| Alarms announced by operating position | Acceptable / Maximum manageable |
| Alarms announced per day | ~ 144 (acceptable) / ~ 288 (maximum manageable) |
| Alarms announced per hour | ~ 6 (average, acceptable) / ~ 12 (average, maximum manageable) |
| Alarms announced by period of 10 minutes | ~ 1 (average, acceptable) / ~ 2 (average, maximum manageable) |
| Percentage of hours with incidence higher than 30 alarms | ~ < 1% |
| Percentage of periods of 10 minutes with incidence higher than 10 alarms | ~ < 1% |
| Maximum number of alarms in a period of 10 minutes | ≤ 10 |
| Percentage of time that the alarm system remains in flood condition | ~ < 1% |
| Percentage contribution of the 10 most frequent alarms over the total alarms | ~ < 1 % to a maximum of 5 %, with action plans to correct deficiencies |
| Amount of chattering or fleeting alarms | Zero. Action plan shall be implemented to correct any occurrence |
| Amount of stale alarms | Less than 5 per day, with action plan for correction |
| Priority distribution of announced alarms | ~80 % Low, ~15 % Average, ~5 % High, ~1 % Critical |
| Unauthorized suppression of alarms | Alarms shall not be suppressed without authorization and control mechanisms |
| Unauthorized change of alarms attributes | No alarm attribute shall be changed without authorization mechanisms or management of change |

NOTE 1 Each Unit shall have a suppressed alarm control procedure. The control procedure shall
include justification for suppression, time of suppression, authorization competence and
mitigation measures.
NOTE 2 Although the priorities distribution of configured alarms may be different from the
announced alarms, it shall be pursued for the same statistical distribution in the alarms
rationalization.
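
The following added example (not part of the Standard) shows how several Table 5 indicators can be computed from an alarm journal and compared with the recommended goals. The journal format, the tag names, the 2-day sample period and the chattering threshold (3 activations within 60 s) are assumptions made for the illustration; the Standard asks for a period of at least 30 days.

```python
"""Table 5 indicators computed from an alarm journal (added example, constructed data)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FLOOD_LIMIT = 10                      # 3.10 / Table 5: more than 10 alarms in 10 minutes
STALE_AFTER = timedelta(hours=24)     # 3.6: "usually 24 hours"
CHATTER_COUNT = 3                     # assumption: the Standard gives no figure
CHATTER_SPAN = timedelta(seconds=60)  # assumption: the Standard says "a short period"
START, END = datetime(2015, 3, 1), datetime(2015, 3, 3)


def sample_log():
    """Constructed journal, one '<ISO timestamp> <tag> <ACT|RTN>' entry per line."""
    rows = []

    def add(ts, tag, state):
        rows.append(f"{ts.isoformat()} {tag} {state}")

    burst = START + timedelta(hours=8)
    for i in range(12):               # 12 different alarms inside one 10-minute window
        add(burst + timedelta(seconds=30 * i), f"FLD-{i + 1:02d}", "ACT")
        add(burst + timedelta(hours=1, seconds=30 * i), f"FLD-{i + 1:02d}", "RTN")
    chatter = START + timedelta(hours=10)
    for i in range(4):                # one alarm toggling every 10 s
        add(chatter + timedelta(seconds=10 * i), "LAH-101", "ACT")
        add(chatter + timedelta(seconds=10 * i + 5), "LAH-101", "RTN")
    add(START + timedelta(hours=2), "PAL-205", "ACT")   # never returns to normal
    add(START + timedelta(hours=12), "TAH-300", "ACT")
    add(START + timedelta(hours=12, minutes=20), "TAH-300", "RTN")
    return rows


def parse_line(line):
    ts, tag, state = line.split()
    return datetime.fromisoformat(ts), tag, state


def metrics(lines, start, end):
    events = sorted(parse_line(line) for line in lines if line.strip())
    acts = [(ts, tag) for ts, tag, state in events if state == "ACT"]
    n_windows = int((end - start) / WINDOW)
    per_window = Counter(int((ts - start) / WINDOW) for ts, _ in acts)
    per_tag = Counter(tag for _, tag in acts)

    # Chattering: CHATTER_COUNT activations of the same tag within CHATTER_SPAN.
    times = defaultdict(list)
    for ts, tag in acts:
        times[tag].append(ts)
    chattering = {
        tag for tag, t in times.items()
        if any(t[i + CHATTER_COUNT - 1] - t[i] <= CHATTER_SPAN
               for i in range(len(t) - CHATTER_COUNT + 1))
    }

    # Stale: continuously active for STALE_AFTER or longer, including still-active alarms.
    stale, active_since = set(), {}
    for ts, tag, state in events:
        if state == "ACT":
            active_since.setdefault(tag, ts)
        elif state == "RTN" and tag in active_since:
            if ts - active_since.pop(tag) >= STALE_AFTER:
                stale.add(tag)
    stale |= {tag for tag, t0 in active_since.items() if end - t0 >= STALE_AFTER}

    total = len(acts)
    floods = sum(count > FLOOD_LIMIT for count in per_window.values())
    top10 = sum(count for _, count in per_tag.most_common(10))
    return {
        "total": total,
        "avg_per_window": total / n_windows,
        "max_per_window": max(per_window.values(), default=0),
        "flood_window_pct": 100 * floods / n_windows,
        "top10_pct": 100 * top10 / total if total else 0.0,
        "chattering": chattering,
        "stale": stale,
        "stale_per_day": len(stale) / ((end - start) / timedelta(days=1)),
    }


def goals_missed(m):
    """Names of the Table 5 goals that the computed metrics do not meet."""
    checks = {
        "avg_per_10min": m["avg_per_window"] <= 1,      # ~1 (average), acceptable
        "max_per_10min": m["max_per_window"] <= 10,     # <= 10
        "flood_windows": m["flood_window_pct"] < 1,     # ~ < 1 %
        "top10_share": m["top10_pct"] <= 5,             # maximum of 5 %
        "chattering": not m["chattering"],              # zero
        "stale": m["stale_per_day"] < 5,                # less than 5 per day
    }
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    result = metrics(sample_log(), START, END)
    print(result)
    print("goals missed:", goals_missed(result))
```

With so few distinct tags in the constructed journal the top-10 contribution is necessarily high; on a real 30-day journal it is the indicator that points to the bad-actors defined in 3.11.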

6 Alarm Management Life Cycle

“Alarm Management” is a process that can be observed as a cycle, as presented by IEC 62682. Alarm
management shall comprise the basic and detail design of the plant, the configuration and test of
digital systems, and the plant’s operation and maintenance.


6.1 Identification and Rationalization

6.1.1 All alarms shall be rationalized and documented.

6.1.2 Alarms included on Instruments Process Data Sheets shall be defined by the party responsible for the
area (process, utilities, equipment, etc.) during the basic design of the plant.

6.1.3 The basic design shall offer, at least, the following information: the initiating cause, operational
action, operator response time, the impact or consequence of non-operational intervention, alarm
priority and strategies for suppression, if applicable.

6.1.4 Alarms not listed in the Process Data Sheets (e.g. alarm of low ratio between two flow rates)
shall also be documented.

6.1.5 The executive design shall prepare a specific document for alarms containing, at least, the
information on Table 6.

Table 6 - Alarms Documentation

| Information | Description |
|---|---|
| TAG | Identification of the alarm |
| Description | Description of the alarm |
| Initiating Cause(s) | Factor(s) that initiate an abnormal situation |
| Action | Operational procedure due to the identification of the abnormal situation |
| Allowable Response Time | Time allowable between the alarm annunciation and the moment the operator shall initiate the corrective action, according to the field “ART” at Table 1 |
| Impact | Consequence on the plant in case the action is not executed |
| Alarm priority | Relative importance assigned to an alarm within an alarm System to indicate the urgency of the response |
| Alarm Class | Alarm group with common management requirements as test, training, announcing, audit, etc., if applicable |
| Strategy for suppression | Condition in which the alarm can be suppressed |
| Alarm setpoint | Limit value, or discrete state of a process variable that start the alarm |
| Timer | Alarm timer, if applicable |
| Deadband | Alarm deadband, if applicable |
| Notes | Applicable notes |

6.1.6 The alarms documentation shall be consolidated and continuously updated by those
responsible for plant operation.


6.1.7 Signals that have been reclassified from alarms to events shall be kept on the alarms
documentation for traceability purpose.

6.1.8 Minimize the use of 2 levels of alarms (e.g. high and high-high, low and low-low). Two levels of
alarms shall only be applicable if the associated operational actions are different.

6.1.9 A SIS demand can often be avoided by an action initiated to reestablish the normal operational
condition, thus characterizing the need for a pre-trip alarm. Such alarm shall be set in a way that the
operator can actuate in order to avoid the SIS actuation.

6.1.10 After a SIS actuation, actions are often required in order to provide a faster, cheaper and safer
reestablishment of the plant’s operational condition, thus characterizing the need of a trip alarm.

6.1.11 Announcements that may be characterized as alerts shall also be included in the alarm
documentation for traceability purposes. In this case, it is suggested to indicate such condition as a
note.

6.1.12 It is recommended to perform the rationalization of alarms with the participation of process,
automation safety, and operation teams. During the analysis of some equipment such as compressors
and fired heaters, the specialists of the respective areas should be invited. [Recommended Practice]

6.1.13 During the conception of the alarms, it is recommended to consider the operational feedback
and good practices adopted in the unit. The hazard and operability study (HAZOP) of the plant is also
an opportunity for rationalization. [Recommended Practice]

6.1.14 The alarm rationalization process shall be executed whenever new alarms are conceived.

6.1.15 For existing plants, the rationalization process shall review the existing alarms and, if
necessary, include new alarms. As a result of the revision, an alarm can be removed or have its
characteristics (priority, setpoint, suppression logics, etc.) changed.

6.1.16 The rationalization procedure is presented in Annex B.

6.1.17 The documentation of the alarm shall be supplied for the Unit and updated according to the
management of change process.

6.2 Detail Design and Implementation

6.2.1 Characteristics of an Alarm System

6.2.1.1 The plant’s alarm systems shall incorporate the following requirements:

— capability to differentiate alarms, alerts and events;
— capability to differentiate alarms by priority;
— capability to announce alarms by different means (color, symbols or sounds);
— capability to filter alarms by group and class;
— functionalities for alarm shelving;
— capability to suppress alarms;
— capability to configure dead band or timer;
— capability to set off alarms with guidance messages to the operator and batch actions;
— capability to monitor and to assess the alarm performance;
— capability to generate reports.

6.2.1.2 As part of the alarm system, a data collection system shall be made available for statistical
processing of alarms, preferably in real time, in order to enable the assessment of the plant’s
performance against abnormal situations and the management of alarms throughout the plant’s
lifetime.

6.2.1.3 All information concerning the alarms of the plant shall be incorporated into this database
system, which shall document all the alarm history, allowing for its update during the management of
change process.

6.2.1.4 A storage mechanism and an alarm system database retention policy shall be foreseen.

6.2.2 Implementation of Processing Strategies in the Alarm Systems

6.2.2.1 Strategies for alarm processing shall be implemented in the BPCS configuration level for
suppression of alarms in real time, enabling the rational availability of information to the operator,
minimizing the amount of alarms and increasing plant reliability.

6.2.2.2 The processing strategies shall be implemented based on knowledge of the plant and
equipment in order to always take them to a better state of operational reliability.

6.2.2.3 Processing Strategies

6.2.2.3.1 Alarms Associated with Automatic ON-OFF Controls

Actions associated with equipment’s automatic on-off controls or open-close on-off valve shall operate
according to the following strategy: when the equipment is controlled and it properly responds to the
command, no alarm shall be activated. This action shall be characterized as an event.

EXAMPLE 1

Automatic start up of a backup pump - when a backup pump starts automatically by low
pressure at discharge, the low pressure alarm shall be announced only after an adjustable
time, which considers the pressure recovery transient caused by the pump start up. If the
pressure is not recovered after this time, the alarm shall be announced. The operating status
of the backup pump shall be announced as an event.

EXAMPLE 2

Automatic liquid drainage in vessels - when a controller commands the valve opening due to
a high level in a vessel, neither the command nor the valve opening itself shall generate an
alarm; the alarm shall be announced in case the valve is not opened after an expected time,
or if the level reaches a value above the setpoint value for automatic opening of the valve.


6.2.2.3.2 Alarms Configured in the same Variable

6.2.2.3.2.1 When there are two levels of alarms for the same process variable, the second alarm shall
suppress the first. Thus, high-high (HH) alarms shall suppress high (H) alarms, and low-low (LL)
alarms shall suppress low (L) alarms.

6.2.2.3.2.2 This suppression shall be applied for two alarms associated with one single instrument.

6.2.2.3.2.3 The acknowledgement of a high-high (HH) or low-low (LL) alarm shall imply the
acknowledgement of the high (H) or low (L) alarm, respectively.

[Plot: PV versus Time, with the HH level marked]

Figure 2 - Example of Suppression of Alarms Configured for the Same Variable

6.2.2.3.2.4 In Figure 2, the evolution of the process variable (PV) is shown. As time goes by, the PV
value goes from normal to high (H) then to high-high (HH), and returns to high (H) and normal:

— when the process variable reaches the H setpoint, the high alarm shall be announced;
— when it reaches the HH setpoint, the high-high alarm shall be announced, and the high
alarm shall be suppressed;
— when the condition for the high-high alarm annunciation ceases to exist, the high alarm is
announced once again;
— when the value returns to normal, the high alarm shall no longer be announced.

6.2.2.3.3 Deviation Alarms

6.2.2.3.3.1 When a measuring point has more than one sensor, it is recommended to configure the
detection of divergences between these measurements. [Recommended Practice]

6.2.2.3.3.2 These deviations shall be characterized as alerts when the response time is
undetermined. The setting value for the detection of the deviation between the sensors shall consider
the maximum uncertainty between instruments and the need for a timer in order to avoid nuisance
alarms.

6.2.2.3.4 Discrepancy Alarms

Alarms shall be configured to detect inconsistency between the command and its actuation.

EXAMPLE 1

Failure on the motor start-up command shall be considered as a discrepancy alarm.

EXAMPLE 2

Failure on the command of control or ON-OFF valves shall be considered as a discrepancy
alarm, as well as a spurious closing or opening of the valve.

NOTE The indication associated with limit switches of control or ON-OFF valves shall not be
configured as an alarm when the indication is in accordance with the command issued. This
shall be part of a plant’s event list.

6.2.2.3.5 Alarms associated to Instrument or System Failure

6.2.2.3.5.1 The priority of alarms associated with the failure of the sensor or transmitter may be set
considering the service performed by this instrument. [Recommended Practice]

6.2.2.3.5.2 An interface should be provided to indicate all the instruments in the failure state, sorted
by the priority of the alarm associated with each instrument. [Recommended Practice]

6.2.2.3.5.3 CPU failures and communication failures between digital systems shall be kept as alarms.

6.2.2.3.6 “Package” Unit Alarms

Only the alarms or a summary of alarms that require an action of the control room operator shall be
issued from the equipment supplied by third parties (e.g. compressors) to the alarm list in the BPCS.

6.2.2.3.7 Alarms and Equipment State

6.2.2.3.7.1 Alarms shall be set according to the state of the equipment. The following states may be
characterized for a piece of equipment: under start-up, steady operation, shutdown and
out-of-service. Thus, alarms that apply just to equipment under steady operation shall be suppressed
when it is in the start-up, shutdown or out-of-service states. [Recommended Practice]

6.2.2.3.7.2 The detection of the steady operating condition of a piece of equipment may be automatic,
according to one or more operational variables, or may be informed by the operator.

EXAMPLE 1

A fired heater in out-of-service state shall not alarm lack of feed.

EXAMPLE 2

The lack of flame on pilots and burners of a fired heater and boiler shall alarm only after an
actual demand of flame.

EXAMPLE 3

An overcurrent alarm on pump motors shall be suppressed for a predetermined time during
the start-up of the pump.

EXAMPLE 4

Unexpected shutdown of a pump shall generate an alarm associated with the abnormality
which caused the shutdown. The pump shutdown initiated by the operator shall not generate
any alarm.

6.2.2.3.8 Alarms Associated with Redundant Instruments

Alarms generated by redundant instruments shall be displayed as a single alarm when the abnormal
condition occurs. All alarms, however, shall be registered.

EXAMPLE

When, for a single variable, there is an instrument associated with a control loop and
3 instruments associated with the SIS (for example: sensors in a 2oo3 voting scheme), a
single alarm shall be announced when any of those instruments indicates the abnormal
situation. Detail screens may display, however, all the alarms associated with each
instrument.

6.2.2.3.9 Alarms and SIS

Alarms preceding a trip event, and related to the trip, shall be suppressed when the trip occurs.

6.2.2.3.10 Related Alarms

When two or more alarms are closely related, only one of them shall be announced.

EXAMPLE

Suppress the second alarm generated between low flow rate and low pressure in the pump
discharge if there is only one single operational action to treat both alarms.

6.2.2.3.11 Deadband

Deadbands are recommended to reduce the number of nuisance alarms. The values shall be adjusted
based on operational experience according to the process variable.

6.2.2.3.12 Timer

6.2.2.3.12.1 2 parameters shall be considered for alarm timers: one for the annunciation
(on-delay) and another to remove the annunciation (off-delay).

6.2.2.3.12.2 This timer shall be different from the mechanism that performs the noise signals filtering
in transmitters.

6.2.2.3.12.3 The reference value for all types of measured variable is 5 s, and may be different for the
alarm annunciation or its removal.

6.2.2.3.12.4 The values of these timers are an initial reference. Adjustments on values shall be
performed based on operational experience, especially in terms of the available response time for the
operator.
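
The sketch below is an added illustration, not part of N-2900. It combines the deadband of 6.2.2.3.11, the on-delay and off-delay timers of 6.2.2.3.12 (5 s reference value) and the HH-over-H suppression of 6.2.2.3.2 on a constructed PV trace shaped like Figure 2. The class and function names, the setpoints (80 and 90) and the deadband (1.0) are assumptions.

```python
from dataclasses import dataclass


@dataclass
class LevelAlarm:
    """One high-side alarm level (H or HH) on a single instrument."""
    setpoint: float
    deadband: float = 1.0    # assumed value, in PV units (6.2.2.3.11)
    on_delay: float = 5.0    # s, reference value from 6.2.2.3.12.3
    off_delay: float = 5.0   # s, may differ from on_delay
    active: bool = False     # annunciation condition after the timers
    raw: bool = False        # comparator output after the deadband
    since: float = 0.0       # time of the last comparator change

    def update(self, t: float, pv: float) -> bool:
        # Deadband: once raised, the comparator only drops when the PV
        # falls to setpoint - deadband or below.
        limit = self.setpoint - self.deadband if self.raw else self.setpoint
        raw = pv > limit if self.raw else pv >= limit
        if raw != self.raw:
            self.raw, self.since = raw, t
        # On-delay before annunciating, off-delay before removing.
        delay = self.on_delay if raw else self.off_delay
        if raw != self.active and t - self.since >= delay:
            self.active = raw
        return self.active


def announced(t, pv, h, hh):
    """Alarms shown to the operator at time t for one process variable."""
    h_on, hh_on = h.update(t, pv), hh.update(t, pv)
    if hh_on:
        return ["HH"]            # HH suppresses H (6.2.2.3.2.1)
    return ["H"] if h_on else []


def constructed_trace():
    """Constructed PV samples, one per second, shaped like Figure 2,
    preceded by a 2 s excursion that the on-delay should filter out."""
    segments = [(5, 70.0), (2, 82.0), (3, 70.0), (15, 85.0),
                (15, 95.0), (15, 85.0), (10, 70.0)]
    pvs = [pv for n, pv in segments for _ in range(n)]
    return list(enumerate(pvs))


def run(trace, h_sp=80.0, hh_sp=90.0):
    """Return (time, announced alarms) each time the display changes."""
    h, hh = LevelAlarm(h_sp), LevelAlarm(hh_sp)
    timeline = []
    for t, pv in trace:
        shown = announced(t, pv, h, hh)
        if not timeline or timeline[-1][1] != shown:
            timeline.append((t, shown))
    return timeline


if __name__ == "__main__":
    for t, shown in run(constructed_trace()):
        print(f"t={t:>2} s  announced={shown}")
```

The 2 s excursion above the H setpoint never reaches the operator, and the H alarm reappears only once the off-delay of the HH alarm has elapsed.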

6.2.2.3.13 Automatic Alarm Acknowledgement

6.2.2.3.13.1 Low priority alarms may be automatically acknowledged by the BPCS, when the
condition for the alarm annunciation no longer exists. [Recommended Practice]

6.2.2.3.13.2 Alarms of other priorities can preferably be acknowledged by the operator.
[Recommended Practice]

6.2.2.3.13.3 Alarms without auto acknowledgement, when unsuppressed, can return to the state they
were in at the moment of their suppression. [Recommended Practice]

6.2.2.3.14 Shelved Alarms

6.2.2.3.14.1 Shelving actions shall be registered at the BPCS. The minimum information that shall
be included in this record is: initial and final date of suppression, maximum permissible time period in
this state, and justification for the suppression.

6.2.2.3.14.2 The criteria for alarm shelving shall be defined in a specific philosophy for the plant. This
philosophy shall include the maximum acceptable time period for alarm shelving and the definition of
responsibilities of the involved staff.

6.2.2.3.14.3 Implementation of timers is recommended to count the time in shelved status or the
remaining time to unshelve the alarm. [Recommended Practice]

6.2.2.3.14.4 The removal of the shelving condition is recommended to be automatic after the
expiration of the suppression period. [Recommended Practice]
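
The following register is an added illustration of 6.2.2.3.14, not code from N-2900 or from any BPCS product. It keeps the minimum record fields, rejects a shelving request without justification or beyond the philosophy limit, exposes the remaining time and unshelves automatically on expiry. All names and the 12 h limit are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_SHELVE = timedelta(hours=12)  # assumed limit from the plant philosophy


@dataclass
class ShelveRecord:
    tag: str
    start: datetime                  # initial date of suppression
    max_period: timedelta            # maximum permissible time shelved
    justification: str
    end: Optional[datetime] = None   # final date, set on unshelving
    auto_released: bool = False


class ShelfRegister:
    """Register of shelving actions; records are kept, never deleted."""

    def __init__(self):
        self.records = []

    def _open(self, tag):
        return next((r for r in self.records
                     if r.tag == tag and r.end is None), None)

    def tick(self, now):
        """Automatically unshelve alarms whose period has expired."""
        released = []
        for r in self.records:
            if r.end is None and now >= r.start + r.max_period:
                r.end, r.auto_released = r.start + r.max_period, True
                released.append(r.tag)
        return released

    def shelve(self, tag, now, period, justification):
        self.tick(now)
        if not justification.strip():
            raise ValueError("a justification is mandatory")
        if not timedelta(0) < period <= MAX_SHELVE:
            raise ValueError("period outside the permitted range")
        if self._open(tag):
            raise ValueError(f"{tag} is already shelved")
        rec = ShelveRecord(tag, now, period, justification.strip())
        self.records.append(rec)
        return rec

    def unshelve(self, tag, now):
        self.tick(now)
        rec = self._open(tag)
        if rec is None:
            raise KeyError(f"{tag} is not shelved")
        rec.end = now
        return rec

    def remaining(self, tag, now):
        """Time left before automatic unshelving, or None if not shelved."""
        self.tick(now)
        rec = self._open(tag)
        return None if rec is None else rec.start + rec.max_period - now
```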

6.2.3 Alarm System Interface Design Practices

6.2.3.1 The highest priority alarms shall be distinguished audibly and visually from lower ones.

6.2.3.2 Critical priority alarms may also be announced in the same way as the high priority ones
according to the criteria adopted in the plant.

6.2.3.3 The use of alarm annunciator panels, directly connected to the controllers' output module,
is suggested for the critical priority alarms of the plant. [Recommended Practice]

6.2.3.4 The alarm list shall be separated from the event list in the HMI and shall contain the alarms of
all priorities.

6.2.3.5 Alarms that are classified as IPL shall be presented separately from other alarms by, for
example, the TAG, description, symbol, sound, color, or even the physical location.

6.2.3.6 The alarms shall be listed per state, starting from not acknowledged alarms, and sorted
chronologically. It shall also be possible to filter or sort them by priority, state, group, class and
type of alarm.

EXAMPLE

Group of Alarms: system alarms, instrument failure, process alarms, etc.

6.2.3.7 The annunciation of the alerts shall be inserted in the alarms list. In case of sorting by priority,
the alerts shall be listed after the low-priority alarms. The annunciation of the alert shall have a visual
and audible treatment different from the alarm.

6.2.3.8 The indication of an instrument or equipment failure shall be configured as an alarm or alert,
depending on the urgency to call up the maintenance team.

6.2.3.9 Out-of-service and under maintenance instrument alarms shall be grouped. The inclusion in
this group shall be controlled.

6.2.3.10 Alarms shall also be grouped and presented filtered by area of the plant. These groups can
be presented in different operation stations depending on how the operation responsibility of the
various areas of the plant is distributed.

EXAMPLE 1

In offshore production plants, the following groups may be implemented per operation
station:

— Production and Fire & Gas;
— Facilities and Fire & Gas;
— Ship and Fire & Gas.

EXAMPLE 2

In refinery plants, the following groups may be implemented per operation station:

— Distillation Unit;
— FCC Unit;
— Utilities;
— Transfer and Storage.

6.2.3.11 For upstream plants, alarms shall be grouped also according to the emergency shutdown
levels (ESD) of the offshore platforms. These alarms are:

— ESD-3 alarms, fire and gas and other alarms that are identified as critical priority ones;
— alarms that precede the occurrence of the ESD-2, identified as high priority alarms;
— ESD-2 and ESD-1 alarms, identified as medium priority alarms;
— other alarms identified as low priority ones.

6.2.3.12 The alarm message shall be clear and guide the operator's attention to the problem that
needs to be treated. Pop-up windows shall not be used to display the alarms, considering that a large
number of windows might compromise the identification of the abnormal situation.

6.2.3.13 The messages shall contain at least the following information: date, time, TAG, description,
the alarm priority and alarm state.

6.2.3.14 The description shall inform the location in the plant or equipment, and the equipment service
in the plant. Abbreviations, when used, shall be standardized and applied uniformly throughout the
plant.

6.2.3.15 Standard colors and terminologies shall be adopted for the alarms, in order to reduce
diversity. Static and non-animated information shall be configured with smooth colors. Alarm
information shall have stronger colors so that abnormalities can be detected through contrast.

6.2.3.16 Alarm messages shall not blink, since blinking makes them difficult to read clearly.

6.2.3.17 Distinct interfaces shall be provided according to who is responsible for the alarms.

EXAMPLE

Alarms whose responsibility is the operation team, and alarms whose responsibility is the
maintenance team.

6.2.3.18 The alarm and its corresponding acknowledgment shall be available on all consoles
associated with the monitoring of the same plant.

6.2.3.19 Alarms removed from the alarm summary by shelving shall also be listed on a separate
interface and be presented with the same features of the alarms listed in the main summary list.

6.2.3.20 The flexibility to hide TAGs of instruments and equipment through an operator switch
command may be considered, in order to decrease the amount of information in the HMI and make
the alarm visualization easier. [Recommended Practice]

6.3 Commissioning and Training

6.3.1 Tests on the alarm system shall be performed during instrument commissioning in the
BPCS. These tests shall include verification of the alarm’s actuation for the respective configured
setpoint and the suppression strategies.

6.3.2 Training in the alarm management philosophy and rationalization process shall be foreseen
for:
— operators and plant design technicians (process and instrumentation/automation
specialists);
— technicians responsible for plant evaluation (engineers and operators);
— systems integration and implementation technicians;
— instrumentation and automation maintenance technicians.

6.3.3 Training in a plant statistical analysis tool for alarms should be foreseen for:
[Recommended Practice]

— operators;
— those responsible for plant evaluation and maintenance technicians.

6.4 Operation and Monitoring

6.4.1 Statistical alarm analysis shall be part of the operational routine, and its monitoring
shall take place at least once a month.

6.4.2 The main indicators to be assessed during the alarm system operation are:

— the most frequent alarms per period of time (every ten minutes, hour, day, week, and
month) per operational position;
— average duration of each alarm;
— distribution of alarms per group;
— distribution of alarms per priority;
— alarm floods;
— amount of unacknowledged alarms;
— amount of suppressed alarms.

6.4.3 From these data, actions shall be taken to achieve the metrics specified in this Standard.
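
As an added illustration (not part of N-2900), the function below derives several of the 6.4.2 indicators from an alarm journal whose fields follow 6.2.3.13. The journal lines, tags, state names and the semicolon-separated layout are constructed assumptions, and the flood threshold is an input because this section does not state one.

```python
from collections import Counter
from datetime import datetime

# Constructed journal, one state change per line: date time;TAG;priority;state
JOURNAL = """\
2015-03-01 08:01:00;PAL-1201;HIGH;ANNUNCIATED
2015-03-01 08:02:00;PAL-1201;HIGH;ACKNOWLEDGED
2015-03-01 08:03:00;PAL-1201;HIGH;CLEARED
2015-03-01 08:04:00;PAL-1201;HIGH;ANNUNCIATED
2015-03-01 08:05:00;LAH-3305;LOW;ANNUNCIATED
2015-03-01 08:06:00;TAH-2210;MEDIUM;ANNUNCIATED
2015-03-01 08:07:00;FAL-1202;HIGH;ANNUNCIATED
2015-03-01 08:08:00;PAL-1201;HIGH;CLEARED
2015-03-01 08:21:00;LAH-3305;LOW;ACKNOWLEDGED
2015-03-01 08:25:00;LAH-3305;LOW;CLEARED
"""


def indicators(journal, flood_threshold):
    """Compute 6.4.2 indicators from a journal in the layout above.

    flood_threshold: annunciations per 10-minute window above which the
    window is reported as an alarm flood (plant-specific input).
    """
    freq, prio, windows = Counter(), Counter(), Counter()
    opened, durations, unacked = {}, {}, set()
    for line in journal.strip().splitlines():
        stamp, tag, priority, state = line.split(";")
        t = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if state == "ANNUNCIATED":
            freq[tag] += 1
            prio[priority] += 1
            # Window start: minutes rounded down to a multiple of ten.
            windows[t.replace(minute=t.minute - t.minute % 10, second=0)] += 1
            opened[tag] = t
            unacked.add(tag)
        elif state == "ACKNOWLEDGED":
            unacked.discard(tag)
        elif state == "CLEARED" and tag in opened:
            seconds = (t - opened.pop(tag)).total_seconds()
            durations.setdefault(tag, []).append(seconds)
    return {
        "most_frequent": freq.most_common(3),
        "avg_duration_s": {k: sum(v) / len(v) for k, v in durations.items()},
        "per_priority": dict(prio),
        "floods": sorted(w for w, n in windows.items() if n > flood_threshold),
        "unacknowledged": sorted(unacked),
    }


if __name__ == "__main__":
    for name, value in indicators(JOURNAL, flood_threshold=3).items():
        print(name, value)
```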

6.5 Management of Change, Maintenance and Audit

6.5.1 Any required changes concerning setpoint values, alarm suppression, cancellation or inclusion
of an alarm, strategies of digital system configuration, etc., shall be controlled.

6.5.2 The responsibility for the alarm system performance shall be assigned to the operation team,
and may be shared with the process, automation and maintenance teams. An operational group shall
be formed with members from each discipline for performance monitoring, corrective actions
implementation and improvements in the alarms system.

6.5.3 A group to manage the alarm system shall be created to ensure that the philosophy and
practices adopted are uniformly applied in all existing plants and for those that may be designed in the
future for the Unit.

6.5.4 Periodic audits shall be conducted in order to check the philosophies and practices in use or
even to identify the need to review them against feedback from the design, operation and
maintenance areas.

Annex A - Examples of Consequences to the Asset and Operational Continuity

A.1 Negligible Consequences (financial loss up to US$ 100 000)

— relief of minor amounts of fluids;
— cavitation in conventional pumps.

A.2 Marginal Consequences (financial loss between US$ 100 000 and US$ 1 000 000)

— production out of specification;
— possibility of damage in essential and non-essential equipment, caused by long term
duration events, but not requiring quick intervention of the operator.

A.3 Medium Consequences (financial loss between US$ 1 000 000 and US$ 10 000 000)

— disturbance in the utility area affecting other areas, such as liquid injection into gas
streams (e.g. into the fuel gas system);
— relief of large amounts of fluids;
— overflow of process fluids;
— feed reduction or stop of production of the unit up to 60 minutes;
— cavitation in high-speed pumps or multi-stage pumps;
— damage on non-essential equipment with no reserve.

A.4 Critical Consequences (financial loss between US$ 10 000 000 and US$ 100 000 000)

— abrupt relief of large amount of mass causing violent release of energy, such as sudden
depressurization in high pressure systems;
— product solidification in large lines requiring costly corrective actions;
— mechanical damage to compressors, with no reserve, due to liquid ingress;
— stop of production or feed to the unit higher than 60 minutes;
— need for costly repairs on essential equipment with reserve;
— need for low cost repairs on essential equipment with no reserve.

A.5 Catastrophic Consequences (financial loss higher than US$ 100 000 000)

— temperature excursion in exothermic reactions out of control;
— overpressure in systems where the safety instrumented function is the final protection
device, due to the impossibility of installation of a safety relief device;
— shutdown of the plant for unpredictable time;
— explosion of fired heaters and boilers;
— need for costly repairs on essential equipment with no reserve.

Annex B - Procedure for Alarms Rationalization

Start alarm rationalization.

Describe the following data of the alarm: identification (tag), alarm type, possible causes and
possible impacts.

Is there at least one action that the operator must perform to treat this alarm? N: Treat as EVENT.

Describe the actions that shall be performed by the operator so that the condition that activated the
alarm returns to its normal condition.

Does the time for the operator to perform the actions require less than one minute? Y: Implement an
automatic action.

Select, in the table “Allowable response time”, the time required by the operator to perform all
actions.

Figure B.1 - Procedure for Alarms Rationalization

Is the response time higher than 1 hour? Y: Treat as an ALERT.

Select the priority in the table “Risks to Assets / Operational Continuity” considering the defined
response time (if applicable).

Select the priority in the table “Risks to the Environment” considering the defined response time
(if applicable).

Select the priority in the table “Risks to personnel safety” considering the defined response time
(if applicable).

The priority of the alarm shall be the higher priority found among the three priorities identified
previously (assets/operational continuity, environment, and personnel safety, if applicable).

Figure B.1 - Procedure for Alarms Rationalization (Continuation)

Is alarm suppression allowed? N: Record that the alarm does not allow suppression.

Inform the suppression strategy.

Is the value of the alarm setting very close to the operating point, which may cause the alarm to be
activated more frequently? Y: Change the alarm set point or implement processing strategies.

End the alarm rationalization.

Figure B.1 - Procedure for Alarms Rationalization (Continuation)

INDEX OF REVISIONS

REV. A
Affected Parts Description of Alteration

1.1 Revised

1.2 Included

2 Revised

3.2 up to 3.4 Revised

3.5 and 3.6 Included

3.7 and 3.8 Revised and renumbered

3.9 Included

3.10 Revised and renumbered

3.11 and 3.12 Renumbered

3.13 Included

3.14 Revised and renumbered

3.15 up to 3.19 Renumbered

3.20 Revised and renumbered

3.21 Renumbered

3.22 and 3.23 Revised and renumbered

3.24 Renumbered

3.25 Revised and renumbered

3.26 Included

3.27 Revised and renumbered


4, 5.1.1, 5.1.2, 5.2 and 5.3.3 Revised

5.3.4 Included

5.3.5 up to 5.3.5.1 Renumbered

5.3.5.2 and 5.3.5.2.1 Revised and renumbered


5.3.5.2.2, 5.3.5.2.3 and 5.3.5.3 Renumbered

5.3.5.3.1 Revised and renumbered

Tables 2, 3 and 4 Revised

5.4 Included

5.5 Renumbered

5.5.1 and Table 5 Included

6 Revised

6.1 Included

6.1.2 Revised and renumbered

6.1.3 and 6.1.4 Revised


6.1.5, Tables 6 and 6.1.6 Included

6.1.7 Revised and renumbered

6.1.8 up to 6.1.6.1.10 Renumbered

6.1.1.11 Revised

6.1.12 and 6.1.13 Revised and renumbered

6.1.14 up to 6.1.17 Renumbered

6.2.1.1 up to 6.2.1.4 Revised


6.2.2.3.3.2, 6.2.2.3.7.1, 6.2.2.3.11, 6.2.2.3.12 and 6.2.2.3.12.4 Revised

6.2.2.3.3.14 up to 6.2.2.3.3.14.4 Included

6.2.2.3.5 Included

6.2.2.3.6 up to 6.2.2.3.12 Renumbered

6.2.2.3.13 Revised and renumbered

6.2.2.3.14 up to 6.2.2.3.19 Renumbered

6.2.2.3.20 Renumbered

6.3.1 up to 6.3.1.3 Revised

6.4.3 and Annex A Revised

Annex B Revised
