Petroleum Development Oman L.L.C.

Engineering and Operations

Guidelines for Alarm Management And Rationalisation

UNRESTRICTED

Document ID: GU-513

Revision: 2.0

Effective: Dec-09

Filing Key: Business Control

User Note:

A controlled copy of the current version of this document is on PDO's EDMS. Before making reference to this document, it is the user's responsibility to ensure that any hard copy, or electronic copy, is current. For assistance, contact the Document Custodian or the Document Controller.

Users are encouraged to participate in the ongoing improvement of this document by providing constructive feedback.

Please familiarise yourself with the Document Security Classification Definitions. They apply to this Document!

This document is the property of Petroleum Development Oman, LLC. Neither the whole nor any part of this document may be disclosed to others or reproduced, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, reprographic recording or otherwise) without prior written consent of the owner.

i Document Authorisation

Authorised For Issue – December 2009

Document Authority (CFDH)

Document Custodian

Document Controller

ii Revision History

The following is a brief summary of the 4 most recent revisions to this document. Details of all revisions prior to these are held on file by the issuing department.

| Revision No. | Date | Author | Scope / Remarks |
|---|---|---|---|
| 2.0 | Dec-09 | Salim Hinai, UES | Refer to Appendix 7 for Summary of Changes |
| 1.0 | Dec-05 | M. Shujauddin / Salim Hinai | First Issue for Implementation |

iii Related Business Processes

| Code | Business Process (EPBM 4.0) |
|---|---|
| EP.64 | Design, Construct, Modify and Abandon Facilities |

iv Related Corporate Management Frame Work (CMF) Documents

The related CMF Documents can be retrieved from the CMF Business Control Portal.

CP-114: Maintenance and Integrity Management - CoP

SP-1243: Corporate Philosophy for Control & Automation

TABLE OF CONTENTS

i Document Authorisation

ii Revision History

iii Related Business Processes

iv Related Corporate Management Frame Work (CMF) Documents

Summary

1 Introduction

1.1 Background

1.2 Scope and objectives

1.3 Operational Excellence

1.4 Alarm Response analysis

1.5 Distribution, intended use and regulatory considerations

2 Definitions and Meanings

2.1 General definitions

2.2 Specific definitions Include definitions for each alarm type

3 ALARM RATIONALISATION REVIEW

3.1 General Requirements

3.2 Recommended Measures

3.3 Alarm Management and Rationalisation Review Process

3.4 Steps for Alarm Management and Rationalisation study

3.4.1 Preparatory works

3.4.2 Timing

3.4.3 Required Documents

3.4.4 Team Composition

3.4.5 AMR Facilitator

3.4.6 AMR Secretary

3.4.7 Master alarm database and report

4 ALARM PRIORITISATION GUIDELINES

4.1 Assigning of Activities and Alarm Priorities

4.2 Guidelines for Normal Distribution of Alarms among Priority Level

5 ALARM SUPPRESSION – IMPLEMENTATION GUIDELINES

5.1 Static alarm suppression

5.2 Dynamic Alarm Suppression

5.3 Dynamic mode dependent alarm settings

6 OPERATOR’S HELP MENU

7 ALARM MANAGEMENT PERFORMANCE MEASUREMENT

7.1 The number of configured alarms per panel operator

7.2 The average alarm rate per PANEL operator

7.3 Indication of frequent alarms

7.4 The Mean Time Between Alarm

7.5 Number of alarms following a trip

7.6 Number of standing alarms

7.7 Benchmarking

7.8 Improvement

7.9 Overall Alarm Management process

8 REFERENCES

Appendix 1 – Typical ARM Info Pack

Appendix 2 – AMR Report/Close Out Report

Appendix 3 – AMR Work Process

Appendix 4 – AMR Workshop Request

Appendix 5 – Abbreviations

Appendix 6 – Master Alarm Database to be used for Alarm Rationalization Exercise

Appendix 7 – Summary of Changes

Summary

This document is created to provide a guide for the execution of Alarm Rationalisation Review of PDO facilities, in order to provide the operator with meaningful alarms, i.e. an adequate set of warning facilities during normal and upset operation whilst minimising, as far as is reasonably practicable:

· Standing alarms

· Nuisance alarms

· Repeating alarms

· Alarm floods

· Bad PV alarms

· System Alarms

It thus:

1. Gives a brief overview on the Alarm Rationalisation review process and alarm prioritisation guidelines.

2. Contains specific PDO data which are necessary to ensure a fit-for-purpose and consistent approach to all alarm rationalisation review processes.

3. Outlines the endorsement process of the recommendations and the close-out procedure.

4. Guides users to a safe, cost effective and consistent design and implementation of alarms in an instrumentation system (FCS, DCS, IPS panels (if any), F&G Panels, Local panels etc.).

5. Gives a brief overview of the overall Alarm Management Process for new facilities and existing facilities.

This document shall always be used in conjunction with the Shell DEP 32.80.10.14-Gen Alarm Management, June 2007.

1 Introduction

1.1 Background

It has been widely recognised that lack of a clear philosophy for “Alarm Management” on process plants controlled by a Distributed control system (DCS) or a Fieldbus based control system (FCS) often results in there being too many alarms, leading to problems with:

· Standing alarms;

· Nuisance alarms;

· Bad PV alarms;

· Frequently repeating alarms;

· Alarm floods;

· System alarms;

· The operator’s inability to prioritise remedial actions.

Alarms, if not rationalised and managed, can seriously impair the operator’s ability to manage the process. Alarm floods during upset conditions can cause a minor event to escalate into a more serious incident. This is contrary to the design intent, which should seek to assist the operator to control the plant, avoid upsets and mitigate the consequences of undesirable events.

The guidelines on setting alarm priorities are generally based on the actions the operator needs to perform upon the alarm. Practical experience has shown that establishing the alarm priority based on an assessment of risk and the consequence when the alarm is not actioned upon requires disproportional efforts in relation to the results. Moreover this risk-based approach often does not offer acceptable or reliable results.

Setting the priorities of alarms is meant to help the operator to prioritise his actions. However, if the alarm rate is low, prioritisation is not required. If the alarm rate is high, the operational situation has already deteriorated to such an extent that the operator no longer uses the alarm system to assess the situation and to prioritise his actions. Hence just setting different alarm priorities has little practical relevance.

It is therefore felt that instead of spending efforts on setting alarm priorities, attention should be focussed on the ability of the alarm system to provide meaningful alarms under most or all the operating conditions including upset and trip conditions.

1.2 Scope and objectives

This document provides Guidelines for classifying the alarms, assigning of alarm priorities, reviewing the alarm configurations and guidelines for managing them.

The guidelines provided in this document are based on good industry practice rather than any national or international regulations or standards or codes of practice. Whilst there is presently no such document covering the configurations of FCS/ DCS alarm systems in general, some standards and codes of practice for machinery and other equipment may include specific requirements on alarm provisions. Under these circumstances, it may be necessary to adjust this methodology to maintain compliance with mandatory aspects of these codes and standards.

The overall objective is to review all alarms given their prime purpose, to ensure only meaningful alarms are provided and to achieve a significant improvement in the alarm system operability.

A “best practice” alarm system provides meaningful alarms under operating conditions including upset and trip conditions.

The Operator role varies considerably within PDO plants. There are 3 types of operator roles that have major impacts on alarm management:

1. Plants run with an Operator staffing the panel (manned, for 8 hrs minimum).

2. Plants run with Operators routinely making trips to wells etc. that may be 30 minutes drive or more from the panel. In this case, it is clear that no alarm should require quick action – unless the alarm is used to avoid automatic shutdowns where the Operator happens to be present when the alarm occurs.

3. There is also a Central Control Room (CCR) where Operators remotely monitor all PDO plants. It is clear that this case means that CCR Operators are effectively covering far more alarms than is reasonable – but they cannot act on many of them anyway due to their remote location. It may be appropriate to consider displaying only the higher-priority alarms at this location (e.g. Urgent and High as per Table 4.1).

This document defines the generic Alarm Guidelines for all PDO sites and will need to be augmented by other documents that cover system-specific considerations.

The guidelines provided in this document are based on established industry best practices and, in particular, the EEMUA 191 guidance. That guidance is primarily oriented to situations as per the first case above, where there is an Operator present at the panel.

1.3 Operational Excellence

Currently operators spend 20 to 25% of their time on scheduled activities. The remainder of their time is spent on unscheduled re-active work responding to situations that actually should not have happened. This is visualised in Figure 1-1.

[Figure 1-1: Percentage of time an operator spends on various activities. Bar chart with a 0% to 100% axis comparing the Normal, Good and Excellent situations. Legend entries as extracted: Handling trips; Handling the alarms; process upsets; Unscheduled activities; non-control; Scheduled activities.]

In Figure 1-1 the 'normal' column shows the current state of affairs. A disproportionate fraction of the time is spent on handling alarms. The fraction of time spent on correcting process upsets is even less than in the 'good' situation, as the upset condition generates a lot of meaningless alarms that still need to be handled.

In a much-improved situation, the operator spends 50% of his time on pro-active activities. Ideally this percentage is even 80% as shown in the 'excellent' column.

The 'good' and 'excellent' are shown as targets to base the design of the alarm system on.

The alarm management methodology described in this paragraph aims at bridging the gap between the current state of affairs in most operating units and the good/excellent targets.

Of course, apart from managing alarms properly, base layer control and IPFs should be optimised as well to allow the targets to be achieved.

1.4 Alarm Response analysis

When considering the design of an alarm system, it is reasonable to assume that operators and technicians are well trained and knowledgeable about the equipment they operate and maintain. The function of the alarm system is then to:

· Trigger a trained response to certain emergency conditions.

· Alert the operator to plant conditions that need consideration and possible action.

· Advise the operator of further developments that need action.

The aspect of "acknowledge" and "consideration" (the analysis of the situation, the identification of the correct action and its execution or communication) is one that has been ignored in many past alarm system implementations. This results in cognitive overload for operators in upset situations and an increased potential for escalation. A good alarm system should assist the operator in evaluating the situation, which is fundamental to identifying the correct actions. Depending on the circumstances, these actions can be directed either at avoiding an event or mitigating its consequences.

This alarm handling process is visualised in Figure 1-2:

[Figure 1-2: Alarm Response diagram ("Alarm Response Improvement"). Time axis running from the normal condition into the alarm condition, showing the time to acknowledge the alarm (0.1 - 5 min), the time to consider an initial response (0.1 - 5 min) and the time for the response (or any other subsequent attempt) to restore to a normal situation. Improved effectiveness of operator actions runs from trial and error to intelligent disciplined trained staff applying pre-decided validated knowledge & practices.]

The process of "acknowledge" and "consideration" described above typically takes 0.1 to 5 minutes each. Taking an average figure of say 5 minutes for a complete response, the maximum load of alarms (i.e. meaningful alarms) that one operator can handle effectively is limited to around 1 alarm per 5 minutes. However, considering that the operator has many additional tasks, the average number of alarms should be limited to the quantities given in Table 1-1 below.

Table 1-1: Average number of alarms.

| | % of time spent on alarm handling | # of alarms that effectively can/should be handled |
|---|---|---|
| Normal (current) | 40% | 4 - 6 per hour |
| Good | 10% | 1 per 1 hour |
| Excellent | 4% | 1 per 2 hours |

For the numbers above in the table, an upset situation will probably be ignored. However, it is important not only to avoid unnecessary alarms during normal steady state conditions but also under upset conditions. It is also important for the operator to be able to access relevant plant information quickly and effectively, in order to speed up the process of responding to an alarm and thus improve the effectiveness of his corrective actions, as shown in Figure 1-2. The design of the operator control interface and the rapid and comprehensive availability of current and trended information are important facets of alarm system design.

The configuration of an alarm system is therefore a balancing act between giving the operator an extensive set of warning facilities for normal operation and the need to avoid information overload under upset conditions.

1.5 Distribution, intended use and regulatory considerations

Unless otherwise authorised by PDO, the distribution of this document is confined to Petroleum Development Oman and their nominated design and Construction contractors.

This document is intended for use in the oil and gas installations and production facilities, in conjunction with any type of operator’s alarm facility.

It shall form the basis of approach for Engineering and Operations, for the Alarm review and handling in the existing or new build facilities.

If national and/or local regulations exist in which some of the requirements may be more stringent than in this document, the Contractor shall determine by careful scrutiny, which of the requirements are the more stringent and which combination of requirements will be acceptable with regards to safety, environmental, economic and legal aspects. In all cases the Contractor shall inform the Principal of any deviation from the requirements of this document which is considered to be necessary in order to comply with national and/or local regulations.

Any queries relating to this document, such as technical content, scope and/or philosophy, should be referred to CFDH, Control & Automation.

Any reader is invited to give his/her opinion, experience and suggestions for any improvement.

2 Definitions and Meanings

2.1 General definitions

The Contractor is the party, which carries out all or part of the design, engineering, procurement, construction, commissioning or management of a project or operation of a facility. If the contract allows, the Principal may undertake all or part of the duties of the Contractor.

The Manufacturer, Vendor, Supplier, Seller is the party which manufactures or supplies equipment and services to perform the duties specified by the Contractor.

The Principal is the party, which initiates the project and is ultimately accountable. The Principal will generally specify the technical requirements. The Principal may also include an agent or consultant who is authorised to act for, and on behalf of, the Principal.

The word Shall indicates a mandatory requirement.

The word Should indicates a strong recommendation.

2.2 Specific definitions

Alarm priority - A parameter that is set during the configuration of an alarm to match the perceived importance of an alarm. In the control system, the priority of an alarm is used to control how the alarm is presented to the operator. The IPF initiated alarms are also transmitted to the Control systems where the priority is defined.

In this document, the following priority descriptions are used:

· Emergency or Urgent priority (U).

A priority assigned to alarms that require immediate operator attention and action for emergency responses. This is meant for those emergencies or events that may have a major impact on HSE, e.g. a major environmental incident, unplanned unit shutdown and a major economic loss to the Company. These include Fire/Gas alarms and alarms tied to executive functions.

· High priority (H).

A priority assigned to alarms that require very fast operator attention and action to prevent a major operational upset or shut down. This is meant for those events that are likely to lead to major process upset, plant/unit shut downs, moderate economic loss and minor HSE issues.

· Low priority (L).

A priority assigned to alarms that do not require fast operator action, but which should nevertheless be brought to the operator’s attention. This is meant to cover those incidents that have minor significance. Delayed response should never pose a threat to the Company’s HSE matters, or to stable operation of the unit.

· Journal (J).

A facility for recording time-sequenced historical events. This is meant to cover those incidents that result in deviation from normal operations, operational mode changes, status of equipment/systems etc.

3 ALARM RATIONALISATION REVIEW

3.1 General Requirements

A formal Alarm management and rationalisation study is required to provide the operator with meaningful alarms, i.e. an adequate set of warning facilities during normal and upset operation whilst minimising, as far as is reasonably practicable:

· standing alarms;

· nuisance alarms;

· repeating alarms;

· alarm floods;

· bad PV alarms;

· system alarms.

Summarising, alarm management is intended to guide users to a safe, cost effective and consistent design and implementation for alarms in an instrumentation system (FCS, DCS, IPS panels (if any), F&G panels, local panels etc.).

3.2 Recommended Measures

The following measures will improve alarm management such that alarms become more 'meaningful':-

· Setting Alarm priorities and Destination

The setting of alarm priorities such that the operator only gets alarms that he can actually take action on. For existing installations, this includes the downgrading of the alarm priorities or removal of the alarm function.

· Optimising alarm parameters

Alarm parameters such as filtering and dead-band allow the reduction of repeating alarms.

· Static alarm suppression

Alarms that are always in alarm when a process unit or a large piece of equipment is shutdown are suppressed.

· Dynamic alarm suppression

Alarms that always follow after a process trip are suppressed.

· Dynamic mode dependent alarm settings

Alarm settings are dynamically changed based on detected operational mode changes.

· Measuring alarm management performance

By measuring the performance of the alarm management, attention and effort can be focused on aspects of existing alarm systems such that they can be optimised with the minimum of effort. Alarm management performance is measured using benchmarks.

· Optimise Alarm ergonomics

By optimising the way alarms are presented to the operator, operator alarm handling may be greatly enhanced. This includes on-line alarm help.

· Better Use of Deadbands

Many existing systems use poor settings (e.g. 1% of EU range) for dead-bands on analogue PVs. The EEMUA 191 guidance suggests the following defaults:

· Flow: 5%

· Level: 5%

· Pressure: 2%

· Temperature: 1%

Increased values for dead-bands will often reduce the number of “repeating” alarms.

· Use of Alarm Delay Options

Delay the activation and/or the clearing of alarm messages:

· Delaying activation is particularly appropriate where “spikes” are often seen in analogue signals. The alarm is not displayed as active unless it violates the alarm limit for longer than a specified period of time.

· Delaying clearing is particularly appropriate when an alarm would otherwise cycle on and off due to small changes in an analogue signal. The alarm does not clear until a specified period of time has elapsed and the analogue value is still not violating the alarm limit.

Alarm rates can often be substantially reduced using these facilities. Alarm delay functionality is sometimes described as “debounce” functionality or “time dead-banding” functionality.

Alarm delay functionality is described in more detail in EEMUA 191.

· Use of Alarm Shelving

This allows an Operator to temporarily move an alarm from the Alarm Summary to a “shelf” (another display) where the list of shelved alarms may be viewed at any time. The benefit is that the Alarm Summary is not filled by “standing alarms” that are well known to the Operator and reduce his effectiveness.

This also helps to reduce the number of standing alarms so that there will be less use of multiple pages of alarms on the Alarm Summary. (EEMUA 191 recommends that there should be less than 10 standing alarms and less than 30 shelved alarms).

Shelving functionality is described in more detail in EEMUA 191.

· Use of BAD VALUE Functionality

It has been observed that a disproportionate number of BAD VALUE alarms occur during upsets. This occurs because analogue values are driven to extreme ends of the instrument range during upsets. These extreme values may then violate the defined minimum and maximum values for the measurement because of drift in the instrument calibration.

There are two distinct ways of reducing the number of BAD VALUE activations:

· Use of “extended range” functionality where available on the DCS. Extended range will avoid BAD VALUE alarms for small (e.g. typically a few %) drifts in calibration.

· During rationalization, the team should critically question the need for BAD VALUE alarms where the measurement concerned is not being used for control purposes. The priority of BAD VALUE alarms should also be considered in such cases – since it may be appropriate to route such alarms to maintenance staff but not to Operators.

· Use of Improved Alarm Displays

It is widely recognised (e.g. see EEMUA 191) that alarm display is an important aspect of “best practice” alarm management.

· Use of a Master Alarm Database

A “master alarm database” enables “capturing” of the as-agreed alarm configuration parameters from rationalization. It also allows for “enforcement” of that data when changes in the DCS values are detected during exception reporting.

The master alarm database can also support mode-based alarming (which may be required for effective alarm suppression) and electronic “Operator Help”.
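The dead-band and alarm-delay measures described above, as an added example (not part of the PDO guideline or of EEMUA 191): a high-alarm evaluator that applies a dead-band expressed as a percentage of the EU range plus activation and clearing delays, run over a constructed level signal to count alarm activations. The class and function names, the 0-100 range, the 80.0 limit, the delay lengths and the sample values are assumptions; the 1% and 5% dead-bands are the figures quoted in the text.

```python
"""Added example: effect of dead-band and alarm delay on a high alarm."""
from dataclasses import dataclass


@dataclass
class HighAlarm:
    limit: float               # alarm limit in engineering units (EU)
    eu_range: float            # instrument span in EU
    deadband_pct: float = 0.0  # dead-band as % of EU range
    on_delay: int = 0          # extra consecutive violating samples needed to activate
    off_delay: int = 0         # extra consecutive healthy samples needed to clear

    def run(self, samples):
        """Return the (sample_index, 'ACTIVE' | 'CLEARED') transitions."""
        clear_below = self.limit - self.eu_range * self.deadband_pct / 100.0
        active, pending, events = False, 0, []
        for i, pv in enumerate(samples):
            if active:
                # Clearing requires the PV to drop below limit minus dead-band.
                wants_change, needed = pv < clear_below, self.off_delay
            else:
                wants_change, needed = pv > self.limit, self.on_delay
            # The delay timer restarts whenever the condition is interrupted.
            pending = pending + 1 if wants_change else 0
            if pending > needed:
                active, pending = not active, 0
                events.append((i, "ACTIVE" if active else "CLEARED"))
        return events


def activations(events):
    """Number of times the alarm was annunciated."""
    return sum(1 for _, state in events if state == "ACTIVE")


# Constructed level signal (% of range, one sample per scan): chatter around
# the 80.0 limit, a sustained excursion, a return to normal and a one-scan spike.
SAMPLES = [
    78.0, 79.5, 80.5, 79.6, 80.4, 78.7, 80.6,   # chatter around the limit
    81.0, 81.5, 82.0, 80.8,                     # sustained high level
    79.4, 80.3, 78.8, 77.0, 74.5, 73.0,         # level falls back
    85.0,                                       # single-scan spike
    73.5, 73.0, 72.5,
]

# Assumed configurations: the "poor" 1% setting versus the 5% default for
# level quoted in the text, with and without a two-scan delay.
CONFIGS = {
    "no dead-band": HighAlarm(80.0, 100.0),
    "1% dead-band": HighAlarm(80.0, 100.0, deadband_pct=1.0),
    "5% dead-band": HighAlarm(80.0, 100.0, deadband_pct=5.0),
    "5% dead-band + delays": HighAlarm(80.0, 100.0, 5.0, on_delay=2, off_delay=2),
}


def compare(samples):
    """Activation count per configuration for the same signal."""
    return {name: activations(alarm.run(samples)) for name, alarm in CONFIGS.items()}


if __name__ == "__main__":
    for name, count in compare(SAMPLES).items():
        print(f"{name:24s} {count} activation(s)")
```

With delays configured, the alarm is raised two scans after the sustained excursion begins, so the chosen delay has to fit within the response time available to the operator (Note 1 to Table 4.1).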

3.3 Alarm Management and Rationalisation Review Process

The alarms review and rationalisation should be carried out as recommended in the flow chart in Appendix 3.

In principle, the review should take place for all the alarms. The IPF database / I/O list for the project can be extracted for preparing the master alarm database. However, in the case of existing installations, this may be done on a selection basis for those alarms that have been frequently seen as standing or nuisance alarms or full review of the facility as to suit the operational requirements.

Alarms shall be grouped on the basis of the process units, which would help in defining the static and dynamic alarm suppression groups. To speed up the review process, identical or similar alarm functions can be grouped and limited to one review for such a group. E.g. causes of an ESD, electrical alarms or system alarms can be grouped together.

All applicable or related tags should be listed in the same alarm function sheet as applicable.

3.4 Steps for Alarm Management and Rationalisation study

It is essential to set up a structure to optimise team productivity and quality of output. Refer to Appendix 1 for the AMR information package requirements and Appendix 3 for the AMR Study work process.

3.4.1 Preparatory works

To minimise delays, all preparatory work shall be done prior to the study.

The Master Alarm database should be pre-loaded with all information as defined in Appendix 6.

Once the team has started the alarm management and rationalisation study process, no time should be lost doing work that could have been done in advance. A PC containing the master alarm database shall be available, along with the pre-requisites for generating a report after the Alarm Rationalisation Exercise.

3.4.2 Timing

The Alarm rationalisation review should be undertaken during the detailed engineering phase of a project, after IPF actions are closed out. For existing installations, it should be undertaken at any time when it is felt or demonstrated from actual events that:

· there are too many standing alarms;

· there are too many, and/or too frequent, nuisance / meaningless alarms;

· some alarms are frequently repeated causing flooding alarm lists, event recorders and alarm buffers;

· alarm floods occur during process upsets or trips;

· the operator has difficulty evaluating the situation, with increased potential for escalation.

3.4.3 Required Documents

The alarm management study essentially requires more or less the same set of documents used for the IPF classification exercise. Refer to Appendix 1 for the list of documents required for the rationalization exercise.

3.4.4 Team Composition

The composition shall, as a minimum, be with the following members.

· Facilitator

· Secretary

· Operation’s representative

· Process engineer

· Control & Automation engineer

· DCS system Engineer and Instrument Maintenance Engineer, when required

The facilitator shall be from the Approved facilitator’s list maintained by the CFDH, Control & Automation.

The facilitator shall be well conversant with the Alarm management methodology. The task of the facilitator is to guide the team through the review process and to ensure that the discussions are sufficient enough to meet the objectives of the alarm study.

3.4.5 AMR Facilitator

The AMR leader shall be an experienced facilities engineer and thoroughly familiar with the AMR methodology. AMR leader’s task is to guide the rationalisation team through the methodology and ensure that each step is sufficiently debated and recorded to the satisfaction of all team members before proceeding to the next step.

Furthermore, the AMR leader should function as a facilitator, ensuring that each member provides input into the exercise and amongst others, end debates when these are no longer productive.

The AMR leader must have attended at least one major AMR exercise before he/she can be considered as a potential leader. The candidate will be assessed by the CFDH C&A (UES) and, if found competent, will be certified as a Leader.

The leader shall be completely independent from the design team for the facility being classified.

UES (CFDH, Control & Automation) approves the AMR leaders and is the authority responsible for appointing a leader for any AMR study.

3.4.6 AMR Secretary

The secretary is responsible for recording all the alarm rationalization study review results and associated discussions. He/she should have a technical background and be fully conversant with the Alarm Rationalization study and the Master Alarm Database prepared for the project. There is no special certification requirement to be a secretary.

3.4.7 Master alarm database and report

For each alarm function, the following data shall be recorded to create the function database:

· Purpose of the alarm

Briefly note the design intent of the alarm

· Alarm Type

Alarm types are classified into following categories. Alarm type shall be defined for each function during the study.

Standalone alarm

Pre alarm

Trip alarm

FGS alarm

System alarm

Fault alarm

Override alarm

Common alarm

Misc alarm

Diagnostic Alarm

· Consequence of No Action

Briefly note what is expected to happen if the alarm sounds and the operator takes no action at appropriate time. For pre alarms the consequence of no action should be the same as the IPF safe failure for the corresponding trip tag.

· Type of Activity

Select from Table 4-1 the appropriate type of activity, e.g. "Emergency, Plant shutdown, Normal Process Upset etc." The type of activity should be based on urgency of the required action.

The activity types are defined from the possible potential consequences so as to mean the preventive or corrective measures required.

· Most likely Required Operator Action

A brief description of what the operator is most likely (80% of the case) required to do upon hearing the alarm. In some instances plant operators will be unable to do anything upon hearing an alarm. In these instances the word "Nothing" should be entered. In that case the alarm should be an "operational message only".

· Less likely required Operator Action

A brief description of what the operator is less likely (20% of the case) to do when the most likely action is not appropriate.

Note: The list of types of activities may be extended or altered to suit local conditions and procedures.

Review if “Most likely and less likely” is required or it should be “required operator action” only.

· Refer to Appendix 6 for the Master Alarm Database format to be used during the Alarm Rationalization exercise.

After the Alarm Rationalization exercise, an alarm study report shall be made.

· Refer to Appendix 2 for the Alarm Rationalization Study report and close-out report requirements. Any action items generated during the review exercise shall be logged and should be closed out during the course of the project.

· Refer to Appendix 3 for the Alarm Rationalization work process. A copy of the final Alarm Rationalization results (Master Alarm Database, as in Appendix 6) is maintained by the functional control and automation project support leader. On completion of the Alarm Rationalization exercise, the pdf file of the close-out report and the back-up of the Master Alarm Database shall be sent to the functional control and automation project support leader.

4 ALARM PRIORITISATION GUIDELINES

4.1 Assigning of Activities and Alarm Priorities

For each alarm the activity type should be defined. The table below gives the typical example of the activity type and correspondingly the action type and priority.

Alarm priorities are to be assigned based on the required action upon receipt of alarm. All alarms, including system alarms, shall be prioritised. Key factors in determining alarm priority shall be: time available for operator action, consequence of failure to take corrective action, and whether they are HSE-critical. Priority shall be distinguished by display location and/or colour according to the guidelines in the relevant standards.

Table 4.1: Assigning of activities & alarm priorities based on urgency of operator response.

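| Activity Type | Action Type | Priority |
|---|---|---|
| Fire | Immediate | Urgent |
| Gas release | Immediate | Urgent |
| Major rupture | Immediate | Urgent |
| Emergency | Immediate | Urgent |
| Plant shutdown | Fast | High |
| System failure to plant shutdown | Fast | High |
| Major equipment shutdown | Fast | High |
| Major process upset | Fast | High |
| Equipment trip/shutdown | Normal | Low |
| Normal process upset | Normal | Low |
| MOS/OOS switching | Normal | Low |
| System faults, but plant in operation | Normal | Low |
| Stand by in operation | Record | Journal |
| Events | Record | Journal |
| Set point changes | Record | Journal |
| Mode changes | Record | Journal |
| Operational messages | Record | Journal |
| Raise work order (Note-6) | Record | Journal |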

Notes:

1. The response time available from the alarm notification to take operational corrective action should be taken into account when determining the consequences and the priorities. If the available response time (e.g. buffer volume in a separator) is so short that operator corrective action is not possible, the pre-alarm has no meaning and should be removed rather than assigned a high priority.

2. Switching actions such as starting or stopping pumps or opening/ closing valves as normal (on/off) control behaviour shall not be alarms.

3. A separate alarm analysis shall be carried out for each different setting, as the settings have different functions and hence different actions to be taken upon alarm. For example, a high and a low alarm on the same measurement may have different operational actions.

4. In case one setting has different required actions depending on the mode of operation, the severest case needs to be assigned. Alternatively, different alarms are to be configured with the same setting of which only one is active in the appropriate mode of operation. The others are then automatically suppressed.

5. Bad Value alarms, normally configured for over or under range signals, have a potential for generating nuisance alarm floods during process upsets. They should, therefore, be used with care and not given high priorities. However critical measurements, which can lead to major upsets or shut down on failure, can be considered for high priorities.

6. Journal is selected in case a work order is to be raised through the work management system. Messages are to be repeated to the specific engineer's alarm summary (if available). Note that this feature is not used at present but is planned to be used in future with SAP.

Table 4-2: Alarm Priorities – Specific Requirements. Update based on Table 4-1

| Alarm priority | Description | Specific requirements |
|---|---|---|
| U | Urgent alarm (emergency) | Audible tone, printer log, events log, visual alarm, hardwired visual alarm & siren. |
| H | High priority Alarm | Audible tone, printer log, events log & visual alarm. |
| L | Low priority Alarm | Printer log, events log & visual alarm. |
| J | Journal | Events log. |

Notes:

1) The priority U effectively means that a hardwired (e.g. Fire & Gas) alarm panel is required. In case hardwired mimic panel is not provided in the facility control room, then the alarm should be made available to the system/HMI, which has at least 8 hours power back-up.

4.2 Guidelines for Normal Distribution of Alarms among Priority Level

According to EEMUA Publication No. 191, the statistical guidelines for proportional prioritisation of alarms are as follows:

· Less than 5% of all alarms in a process unit should be High priority.

· Less than 15% of all alarms in a process unit should be Medium priority.

· Greater than 80% of all alarms in a process unit should be Low priority.

Figure 4.3: Prioritize in Proportion

According to EEMUA Guideline the number of alarms of each priority--high, medium, low--should be proportioned as shown.

5 ALARM SUPPRESSION – IMPLEMENTATION GUIDELINES

5.1 Static alarm suppression

Operators often find alarm systems difficult to manage when large numbers of alarms are (semi-)permanently in alarm. There is a risk that a new alarm goes unnoticed, and the standing alarms cannot be 'meaningful' to the operator. Static alarm suppression is required in order to minimise the number of standing alarms (to achieve the benchmark given in para 7.7).

[Logic diagram. Blocks shown: manual static suppression command; static suppression permissives for the section; an AND (&) gate; static alarm suppression of the section, applied to a list of tags such as 011FRCA-123, 011PIA-011, 011PIA-012, 012FRCA-123, 011GBA-012, 011XA-011, 011XZA-012.]

Figure 5-1: Static Alarm Suppression

Alarms that are always in alarm when a process unit or a large piece of equipment is shut down are statically suppressed. The alarms are suppressed only once the manual suppression command has been given and the suppression permissives are met.

Static alarm suppression shall be implemented per section of the plant (process unit, piece of equipment).

Switching on the static alarm suppression is only possible when defined process permissives are met. These conditions differ for each alarm suppression group. When, with static alarm suppression switched on, the defined process conditions are no longer satisfied, the static suppression is automatically to be switched off and a message to the operator is to be generated.

Alarms generated in the FCS/DCS from analogue inputs that are suppressed through this functionality show in the process graphic e.g. as a blue measurement. The actual alarm condition is not visible (in general no buzzer, no alarm in the alarm list, no alarm to the printer, system or measurement faults not visible). The alarm status however, is still available on the individual tag's faceplate.

When the alarm suppression for a group is released, the suppressed alarms are not to be regenerated (not sounding the buzzer, flashing etc.).

When defining static alarms suppression groups, the following data shall be recorded:

· Static Alarm Suppression Group and Group name

A reference tag name of the group and Group name to allow reference and proper administration.

· Permissives

Boolean statement with the (FCS/DCS) tags and conditions (signals) that have to be 'true' to permit the static suppression to be switched ON. This includes the condition (alarm, H alarm, LL alarm etc.)

· Static Suppression Group

This is a list of Instrument Tags to be suppressed.

Note: The static alarm suppression does not differentiate between H or L or LL alarms, Bad PV etc. All alarms associated to the listed tag number are to be suppressed. This is done to prevent alarms that are generated as a result of maintenance activities on the shut down section.
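The static suppression behaviour described in this section (manual command gated by permissives, automatic switch-off with an operator message when a permissive is lost, suppression of every alarm on a listed tag, no regeneration on release) can be modelled as below. This is an added example, not code from the guideline: the group name, the permissive signals UNIT_011_TRIPPED and INLET_VALVE_CLOSED and the scenario are assumptions, and the tag numbers are borrowed from Figure 5-1.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Signals = Dict[str, bool]


@dataclass
class StaticSuppressionGroup:
    """One static alarm suppression group, holding the data section 5.1 says to record."""
    name: str
    permissive: Callable[[Signals], bool]   # Boolean statement over FCS/DCS signals
    tags: Set[str]                          # instrument tags in the suppression group
    active: bool = False
    messages: List[str] = field(default_factory=list)                # operator messages
    alarm_list: List[Tuple[str, str]] = field(default_factory=list)  # buzzer/list/printer
    faceplate: Set[Tuple[str, str]] = field(default_factory=set)     # status kept per tag

    def command_on(self, signals: Signals) -> bool:
        """Manual suppression command: takes effect only while the permissives hold."""
        if self.permissive(signals):
            self.active = True
        else:
            self.messages.append(f"{self.name}: suppression refused, permissives not met")
        return self.active

    def command_off(self) -> None:
        """Release the group. Standing alarms are not regenerated on release."""
        self.active = False

    def scan(self, signals: Signals) -> None:
        """Called every control cycle: losing a permissive switches suppression off."""
        if self.active and not self.permissive(signals):
            self.active = False
            self.messages.append(f"{self.name}: permissives lost, static suppression switched off")

    def raise_alarm(self, tag: str, condition: str) -> bool:
        """Record an alarm; return True if it is annunciated to the operator."""
        self.faceplate.add((tag, condition))      # always visible on the tag's faceplate
        if self.active and tag in self.tags:      # per tag: H, L, LL, Bad PV alike
            return False
        self.alarm_list.append((tag, condition))
        return True


def demo() -> StaticSuppressionGroup:
    """Constructed scenario: section 011 is shut down, then a permissive is lost."""
    group = StaticSuppressionGroup(
        name="011-STATIC (hypothetical group tag)",
        # Hypothetical permissive: unit tripped AND inlet valve closed.
        permissive=lambda s: s["UNIT_011_TRIPPED"] and s["INLET_VALVE_CLOSED"],
        tags={"011FRCA-123", "011PIA-011", "011PIA-012"},
    )
    running = {"UNIT_011_TRIPPED": False, "INLET_VALVE_CLOSED": False}
    shutdown = {"UNIT_011_TRIPPED": True, "INLET_VALVE_CLOSED": True}

    group.command_on(running)                   # refused: unit is still running
    group.command_on(shutdown)                  # accepted
    group.raise_alarm("011PIA-011", "LL")       # suppressed
    group.raise_alarm("011PIA-011", "Bad PV")   # suppressed, same tag
    group.raise_alarm("012PIA-011", "L")        # tag outside the group: annunciated
    group.scan({"UNIT_011_TRIPPED": True, "INLET_VALVE_CLOSED": False})  # valve reopened
    group.raise_alarm("011PIA-012", "H")        # suppression is off again: annunciated
    return group
```

The two alarms raised on 011PIA-011 while the group was active stay on the faceplate but never reach the alarm list, including after the automatic switch-off.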

5.2 Dynamic Alarm Suppression

Operators often find alarm systems difficult to manage following a trip. The stress of the situation makes matters even worse. In order to minimise the number of alarms following the trip (to achieve the benchmark as given in para. 7.7) automatic and dynamic alarm suppression is required.

With dynamic alarm suppression, the first alarm in a group sounds the buzzer until silenced by the operator. It is shown on the alarm list and printed on the alarm printer. Subsequent alarms in the same group do not sound the buzzer, are not shown on the alarm list and are not printed.

Apart from the dynamic aspects, another difference between static suppression and dynamic suppression is that static suppression suppresses all alarms related to a tag while dynamic alarm suppression suppresses only one specific alarm. For example, static alarm suppression suppresses the H, L and fault alarms of a tag, while dynamic alarm suppression suppresses only H.

A soft switch shall be provided to enable dynamic alarm suppression.

Dynamic suppression will be automatically turned off after a configurable time period (default 30 min) or when all trigger alarms return to normal. See Figure 5-2.

[Logic diagram. Blocks shown: dynamic suppression initiators (alarm = 1) combined by OR; "Enable dynamic suppression"; AND (&) gates; dynamic suppression timer (pulse: T = X sec.); "Suppress when '1'" applied to the dynamic alarm suppression group (e.g. 011FRCA-123 HH, 011PIA-011 LL, 011PIA-012 L, 012FRCA-123 H, etc.); a "Dynamic alarm check" column marking individual alarms with X; "Delay Before Alarm On Check" (delay-on timer, y seconds); mismatch alarm (= '1').]

Note:

1) The actual trigger alarm shall not be suppressed.

2) This scheme does not show all logic required to obtain fully functional dynamic alarm suppression.

Figure 5-2: Dynamic Alarm Suppression

A timer will be started when the first of the group's trigger alarms is received. Once the timer has expired any new alarm in the group will sound the buzzer but existing alarms will remain suppressed. In case the new alarm is a trigger, it will restart the timer, reinstating a further (30 min) period of dynamic suppression. The operator can choose to manually suppress the alarm group, by means of static alarm suppression, at this time if appropriate. It shall be realised however that the grouping for static alarm suppression is not necessarily the same as the grouping for dynamic alarm suppression.

The performance of the alarm suppression logic shall be such that it suppresses subsequent alarms within 4 seconds after the trigger. This is the time for the trip system to respond to a trip condition, final elements to reach their safe position and the process response to generate the next alarm. The available 4 seconds includes signal transmission via gateways and various nodes on the control system network. For alarms that come faster after a trigger, part of the suppression logic may have to be implemented in the IPS using the 'first-up' signal as the trigger.

The process graphics will show the actual alarm condition for all suppressed alarms.

Where triggers are Trip initiators, the trigger shall be disabled when the MOS is switched ON. Likewise the dynamic alarm check shall be disabled for the point as well.

In case an alarm in a group is not generated while it is expected to come on as a consequence of a trip, a common fault alarm is raised to the operator. This is a common alarm for the group, not the one related to each suppressed alarm. In case the operator wishes to know which alarm did not come on, the alarm suppression graphic will have to be checked.

Note: This fault alarm is also available when the dynamic alarm suppression is not enabled.

When defining dynamic alarm suppression groups, the following data shall be recorded:

· Dynamic alarm Group name and description

The dynamic alarm suppression group is usually a subset of the tags associated with the equipment safeguarding system (a UZ block). The Group name should be selected to show the relation with the system, e.g. 016UZ-250.

· Delay before alarm on check

The "Delay Before Alarm On Check" (the delay time the control system allows before checking to determine if all expected alarms, marked dynamic, have in fact activated) is to be 60 seconds greater than the largest individual dynamic suppressed alarm "Time for Alarm to Come Up". Each and every alarm tag, marked with a cross in the "dynamic" box, should always alarm when each and every trigger is activated.

· Dynamic suppression Switch Off delay

The "Dynamic Suppression Switch Off Delay" should always be 1800 seconds unless the Delay Before Alarm On Check is 1800 seconds or more.

· Dynamic Grouping Comments

Comments may be added to clarify particular issues for future reference.

· Dynamic Suppressed Tag numbers

For each of the Dynamic Suppressed Tag numbers the following is to be recorded:

- Tag number and service description as taken from the tag number database

- A check box indicating if the tag number also serves as a trigger

- A check box indicating if the alarm needs to be dynamically checked.

- Time for Alarm to Come Up

The "Time for Alarm to Come Up" is the estimated time (in seconds) expected for the alarm to reappear after the reset of the group trigger. If the time is less than 4 seconds, a remark is to be added, "Fast suppression logic required", as discussed above.

Notes:

1. Group Trigger alarms will almost always be trip alarms or drive failure indicators. If the group trigger is not an alarm (e.g. a motor running status) and therefore not in the database the tag should be added. All new trigger tags added that are not alarms should be "record only".

2. In some instances dynamic suppression will need to be applied to groups not related to a particular equipment safeguarding system. For these cases a new dynamic suppression group tag number will need to be defined. The tag may be based upon sequence logic blocks (KS blocks) or on the major trigger tag for a group. For example, if the major trigger tag for a group not related to a safeguarding system was 214LZA555, then the dynamic suppression group tag could be 214UL555 (U standing for Multivariable).

3. A trigger alarm can be suppressed. However the actual trigger shall not be suppressed.
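The rules of section 5.2 interact: the first trigger is annunciated and starts the 1800 s timer, later alarms in the group are suppressed until the timer expires or all triggers return to normal, the alarm-on check raises one common mismatch alarm, and MOS disables both trigger and check. The model below is an added example, not the guideline's or any DCS vendor's logic. The group name 016UZ-250 and the tags come from this page; the class and function names, the event times and the "Time for Alarm to Come Up" values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SWITCH_OFF_DELAY_S = 1800  # Dynamic Suppression Switch Off Delay (default 30 min)
CHECK_MARGIN_S = 60        # added to the slowest "Time for Alarm to Come Up"
FAST_LIMIT_S = 4           # faster alarms need part of the logic in the IPS


@dataclass
class Member:
    tag: str                     # tag plus attribute, e.g. "011PIA-011 LL"
    is_trigger: bool = False
    dynamic_check: bool = False  # expected to come up after every trigger
    come_up_s: int = 0           # "Time for Alarm to Come Up"


@dataclass
class DynamicGroup:
    name: str
    members: Dict[str, Member]
    enabled: bool = True                               # soft switch
    mos: Set[str] = field(default_factory=set)         # points with MOS switched ON
    in_alarm: Set[str] = field(default_factory=set)
    seen: Set[str] = field(default_factory=set)        # came up since the last trigger
    suppress_until: float = -1.0
    check_at: Optional[float] = None
    mismatch: bool = False                             # common fault alarm of the group
    missing: List[str] = field(default_factory=list)   # detail for the suppression graphic
    annunciated: List[Tuple[float, str]] = field(default_factory=list)
    suppressed: List[Tuple[float, str]] = field(default_factory=list)

    def check_delay(self) -> int:
        """Delay Before Alarm On Check: 60 s above the slowest suppressed alarm."""
        return CHECK_MARGIN_S + max(m.come_up_s for m in self.members.values())

    def remarks(self) -> List[str]:
        return [f"{m.tag}: Fast suppression logic required"
                for m in self.members.values()
                if not m.is_trigger and m.come_up_s < FAST_LIMIT_S]

    def _suppressing(self, t: float) -> bool:
        # Off when disabled, on timer expiry, or when all triggers are back to normal.
        live = any(self.members[x].is_trigger and x not in self.mos for x in self.in_alarm)
        return self.enabled and live and t < self.suppress_until

    def tick(self, t: float) -> None:
        """Run the alarm-on check once its delay has elapsed (MOS points are skipped)."""
        if self.check_at is not None and t >= self.check_at:
            up = self.seen | self.in_alarm
            self.missing = [m.tag for m in self.members.values()
                            if m.dynamic_check and m.tag not in self.mos and m.tag not in up]
            self.mismatch, self.check_at = bool(self.missing), None

    def alarm(self, t: float, tag: str) -> bool:
        """Alarm goes active at time t (seconds). Returns True if it is annunciated."""
        self.tick(t)
        suppress = self._suppressing(t)
        self.in_alarm.add(tag)
        self.seen.add(tag)
        if suppress:
            self.suppressed.append((t, tag))
            return False
        if self.members[tag].is_trigger and tag not in self.mos:
            self.seen = {tag}
            self.check_at = t + self.check_delay()   # the check works even when disabled
            if self.enabled:
                self.suppress_until = t + SWITCH_OFF_DELAY_S
        self.annunciated.append((t, tag))            # the actual trigger is never suppressed
        return True

    def clear(self, t: float, tag: str) -> None:
        """Alarm returns to normal at time t (seconds)."""
        self.tick(t)
        self.in_alarm.discard(tag)


def make_group(**kwargs) -> DynamicGroup:
    """Constructed group; the name is the page's example, timings are assumptions."""
    members = [Member("011FRCA-123 HH", is_trigger=True),
               Member("011PIA-011 LL", dynamic_check=True, come_up_s=10),
               Member("011PIA-012 L", dynamic_check=True, come_up_s=2),
               Member("012FRCA-123 H", dynamic_check=True, come_up_s=30)]
    return DynamicGroup("016UZ-250", {m.tag: m for m in members}, **kwargs)


def demo() -> DynamicGroup:
    g = make_group()
    g.alarm(0, "011FRCA-123 HH")    # trigger: annunciated, starts the 1800 s timer
    g.alarm(3, "011PIA-012 L")      # consequential alarm: suppressed
    g.alarm(12, "011PIA-011 LL")    # consequential alarm: suppressed
    g.tick(100)                     # check was due at 90 s: 012FRCA-123 H never came up
    g.alarm(1900, "012FRCA-123 H")  # timer has expired: annunciated
    return g
```

The `suppressed` list doubles as an audit record of what the operator did not see during the trip, which is the data section 7.8 asks for when evaluating a proposed suppression group.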

5.3 Dynamic mode dependent alarm settings

Dynamic mode dependent alarm setting may be required to further reduce the meaningless alarm rate. Mode dependent alarm setting may be required where systems have distinct operational modes that require distinct alarm settings. This is for instance the case for furnaces having a normal mode and a decoke mode. Also the burner management system may have an Oil firing mode, a Gas firing mode and a combination of both (dual-firing mode). A dryer will have an operating and a regeneration mode. A crude distiller may have different alarm settings depending on the crude being processed.

With dynamic mode dependent alarm settings, the alarm settings of analogue or digital points are changed based on the detected mode of operation. The mode switching is detected from a set of process parameters and may also involve a manual switch.

Upon a detected mode change, the new set of alarm settings is automatically downloaded into the FCS/DCS point. These new settings will be applicable until the next mode change is detected or the dynamic mode dependent alarm setting enable switch is disabled. When disabled, the default set of settings is downloaded into the FCS/DCS point automatically. See Figure 5-3.

[Diagram. Blocks shown: Mode A, Mode B and Mode C conditions (etc.) with AND (&) gates and an "Enable dynamic suppression" input; a default settings table and Mode A, B etc. settings tables, each listing a dynamic alarm setpoint per alarm (e.g. 011FRCA-123 HH, 011PIA-011 LL, 011PIA-012 L, 012FRCA-123 H, etc.); transfer (Xfer) blocks from the settings tables to the DCS point setpoints; DCS control boxes.]

Figure 5-3: Dynamic mode dependent alarm settings

When none of the defined modes are detected, the default mode shall be selected automatically.

Dynamic mode dependent alarm setting shall not normally be applied to IPFs of SIL1 and above, since these settings are based on the excursion of safe operating envelopes that should not be mode dependent. Where mode dependent settings are absolutely essential for some IPFs of SIL1 and above, the complete mode selection and control should be implemented in the IPS using special algorithms to assure the IPF class integrity. Where pre-alarms are also used to alarm excursion from the normal operating envelope, they may have dynamic mode dependent alarm settings.

Alarm setting changes (each mode change) shall be logged in the FCS/DCS for each point.

When defining dynamic mode dependent alarm setting groups, the following data shall be recorded:

· "Mode dependent alarm setting" Group name and description

For each Mode, a reference tag name of the group and Group name shall be recorded and maintained to provide documentation and support system administration. The group name and description should give a reference to the system (e.g. furnace) having the different operating modes.

· Various Modes names and description

For each Mode, a reference tag name of the mode and operating mode name shall be recorded and maintained to provide documentation and support system administration.

· Permissives and Comments

For each Mode, a boolean statement shall be developed complete with the (FCS/DCS) tags and conditions (signals) that have to be 'true' or 'false' to detect the mode switch. This includes the condition (alarm, H alarm, LL alarm etc.). Conditions may include timers to limit the time a particular mode may be on.

· "Mode dependent alarm setting" Group with default settings

This is a list with Instrument Tags (and attribute such as L, HH etc.) to be manipulated including the default settings.

· Alarm settings for each defined mode

This is a list of alarm settings for each instrument tag defined in the dynamic alarm settings group. A detailed alarm setting list should be prepared for each dynamic mode of operation defined in the list identifying the various operating modes.

· Comments

Comments may be added for each instrument tag to clarify particular issues for future reference.

The lists "Various Modes", "Mode dependent alarm setting Group", "Alarm settings for each defined mode" and "Comments" are best combined in tabular form, where instrument tags are listed vertically in the first column and the default and mode dependent settings are listed in subsequent columns.

6 OPERATOR’S HELP MENU

A good alarm system should assist the operator in evaluating the situation, which is fundamental to identifying the correct actions. Depending on the circumstances, these actions can be directed either at avoiding an event or mitigating its consequences.

This will help to improve the overall alarm response time as visualised in Figure 1-2.

Therefore 'operator's help' should be available for each alarm. The operator may request help by clicking on the alarm line on the alarm summary or on the process graphics. A window should appear showing the data initially entered as recorded:

· Purpose of the alarm

· Consequence of No Action

· Type of Activity

· Most likely required Operator Action. (containing context sensitive buttons to check other data)

· Less likely required Operator Action (containing context sensitive buttons to check other data)

The data tables containing these help texts should be easily maintainable by an assigned operator acting to collect the best practices for alarm responses.

7 ALARM MANAGEMENT PERFORMANCE MEASUREMENT

How successful the alarm system is in presenting the operator with meaningful alarms at an acceptable rate can be measured using benchmarks. Benchmarking the alarm system directs possible improvement measures to those areas where the system is weakest and to those measures that have the highest effect.

The paragraphs below give an extract from the guidelines given by EEMUA for the measurement of performance, i.e. the capability of the alarm system to provide 'meaningful alarms'.

The following benchmarks are recommended to be used to assess the alarm system performance:

· The number of configured alarms per panel operator

· The average alarm rate per operator

· Indication of frequent alarms

· The Mean Time Between Alarm

· Number of alarms following a trip

· Number of standing alarms

The following paragraphs discuss each of the benchmarks. These factors should be considered in any new design as well as during the audit of an existing system.

7.1 The number of configured alarms per panel operator

The more alarms that are configured per panel operator, the higher the average alarm rate will be. Limiting the number of alarms configured per panel operator therefore makes it more likely that the average alarm rate will remain within acceptable limits.

If alarm suppression techniques cannot or will not be implemented, the number of alarms should be limited to some 1000 per panel operator. The more this quantity is exceeded, the more likely it is that alarm management problems will exist.

When many more alarms are configured per panel operator, a check could be made on the number of alarms that should be expected to be configured per instrument. The values given in Table 7-1 below are only indicative, but show whether designers are likely to have installed too many or too few alarms on a plant.

Table 7-1: Guidance on alarms per instrument

| | Low | Average | High |
|---|---|---|---|
| Alarms per control valve | 1 | 4 | 6 |
| Alarms per analogue measurement | 0.5 | 1 | 2 |
| Alarms per digital measurement | 0.2 | 0.4 | 0.6 |

The total numbers of alarms for "Low", "Average" and "High" are calculated by adding the number of alarms to be expected per control valve, analogue measurement and digital measurement. Trip transmitters should also be counted as analogue measurements, and trip switches (e.g. pressure switch) as digital measurements.

A controller (analogue measurement, controller and control valve) shall be counted as 'control valve' (without an additional analogue measurement).

The figures in Table 7-1 apply to continuous processes. For batch processes these values should not be used for benchmarking.

7.2 The average alarm rate per panel operator

The following Table 7-2 provides benchmarks for average alarm rates:

| Long term average alarm rate in steady operation | Acceptability |
|---|---|
| More than 1 per minute | Unacceptable |
| One per 2 minutes | Over-demanding (industry average in HSE survey) |
| One per 5 minutes | Likely to be over demanding |
| Less than one per 10 minutes | Very likely to be tolerable |
| Less than one per hour | Good |
| Less than one per 2 hours | Excellent |

This table is based on an average response (acknowledge and consideration) time of 1 – 5 minutes for an alarm. As the operator also has other plant supervisory duties and tasks, and alarms may come in bursts rather than in a steady rate over longer time periods, the average alarm rate should be significantly less than 1 per 10 minutes.

7.3 Indication of frequent alarms

Often a very small number of alarms make a large contribution to the alarm rate. In some instances only 5% of the configured alarms contributed to 50% of the alarms generated! By analysing the frequency distribution of the alarms generated both in steady state and during upset conditions, one may achieve significant improvements in the performance of the alarm system with relatively little effort.

7.4 The Mean Time Between Alarm

Often the same alarm is raised again soon after corrective action has been taken. The mean time between repeat alarms is a good indication of how successful remedial action has been. The benchmarks for MTBA are shown in Table 7-3.

Table 7-3: Benchmarks for MTBA

| Mean Time between repeat alarm | Acceptability |
|---|---|
| Less than 3 days | Unacceptable |
| Less than 1 month | Requires urgent improvement |
| Less than 1 year | Manage to improve |
| More than 1 year | Good |

7.5 Number of alarms following a trip

Operators often find alarm systems difficult to manage following a trip. The stress of the situation makes matters even worse. A good performance indication for proper alarm management is the number of alarms in the first 10 minutes following a trip.

Table 7-4 shows performance indicators for the number of alarms following a trip. The table is again based on an average of 1-5 minutes required to handle a meaningful alarm.

Table 7-4: Performance indication for the number of alarms following a trip

| Number of alarms displayed in 10 minutes following a major plant upset | Acceptability |
|---|---|
| More than 100 | Definitely excessive and very likely to lead to the operator abandoning use of the system. |
| 20-100 | Hard to cope with |
| Under 20 | Should be manageable - but may be difficult if several of the alarms require a complex operator response |

7.6 Number of standing alarms

Operators often find alarm systems difficult to manage when large numbers of alarms are (semi-)permanently in alarm. There is a risk that a new alarm goes unnoticed, and the standing alarms cannot be 'meaningful' to the operator.

Alarm systems should have less than 10 standing alarms per operator. When the alarm system is capable of 'shelving' of alarms (Shelving is a facility where the operator is able to temporarily prevent an alarm from being displayed to him when it is causing him nuisance) the number of shelved alarms shall be less than 30 per operator.

7.7 Benchmarking

The performance of the completed alarm management system needs to be benchmarked. For new projects this is best done as part of the integrated FAT, by defining typical alarm scenarios (simulation) and testing whether the alarm system will lead to information overload of the operator during normal, process upset and trip conditions. If the information leads to an overload situation as measured against the benchmarks, the system needs to be refined and tested again.

If Operations report that the performance is still not satisfactory, the performance may be evaluated under actual field conditions, with changes implemented accordingly until the desired improvements have been obtained. After the system is commissioned and fully operational, the alarm summary shall be evaluated and the findings summarised and compared against the benchmark values in Table 7-5.

The performance of an alarm management system can be summarised and benchmarked using Table 7-5.

Table 7-5: Score chart for alarm management systems

| Performance Indicator | Score description | Score |
|---|---|---|
| Number of configured alarms per panel operator | >> 3000 | 0 |
| | 3000 < Qty < 1000 | 0.5 |
| | < 1000 | 1 |
| Average alarm rate per panel operator | More than 1 per minute | 0 |
| | More than one per 10 minutes | 0.5 |
| | More than one per 1 hour | 1.5 |
| | More than one per 2 hours | 3.5 |
| Frequent alarms per panel operator | 5% of configured alarms cause 50% of alarms | 0 |
| | 10% of configured alarms cause 50% of alarms | 0.5 |
| | 20% of configured alarms cause 50% of alarms | 1.5 |
| Average Mean Time between Alarms | Less than 3 days | 0 |
| | Less than 1 month | 0.2 |
| | Less than 1 year | 0.5 |
| | More than 1 year | 1 |
| Alarms following a trip per panel operator | More than 100 | 0 |
| | 20-100 | 1 |
| | Under 20 | 2.5 |
| Number of standing alarms per panel operator | More than 30 | 0 |
| | More than 10 and less than 30 | 1 |
| | Less than 10 | 1.5 |

Total score: 1-10

Score:

<7: Not satisfactory, requires improvement.

7: Average

8 to 9: Good

10: Excellent
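The indicators of sections 7.1 to 7.6 can be derived from an alarm log and scored against Table 7-5 as sketched below. This is an added example, not part of the guideline; the function names, the FLOOD-nn and BG-nn tags and the log itself are constructed. Assumptions: the middle band for configured alarms is read as 1000 to 3000, band edges the table leaves open are closed as commented, a month is 30 days, and "Average Mean Time between Alarms" is the per-tag mean gap averaged over tags that repeat.

```python
from collections import Counter, defaultdict

HOUR, DAY = 3600, 86400


def measure(log, period_s, configured, trips, standing):
    """Derive the section 7 indicators for one panel operator.

    log: list of (time_s, tag) alarm activations; trips: list of trip times (s).
    """
    counts = Counter(tag for _, tag in log)
    # 7.3: how many alarms, most frequent first, produce half of the alarm load
    running = bad_actors = 0
    for _, n in counts.most_common():
        running, bad_actors = running + n, bad_actors + 1
        if 2 * running >= len(log):
            break
    # 7.4: mean time between repeats per tag, averaged over the tags that repeat
    times = defaultdict(list)
    for t, tag in sorted(log):
        times[tag].append(t)
    gaps = [(ts[-1] - ts[0]) / (len(ts) - 1) for ts in times.values() if len(ts) > 1]
    # 7.5: worst count of alarms in the 10 minutes following any trip
    floods = [sum(trip <= t < trip + 600 for t, _ in log) for trip in trips]
    return {
        "configured": configured,
        "rate_per_hour": len(log) / (period_s / HOUR),
        "half_load_share": bad_actors / configured,
        # with no repeats in the log, the period length is only a lower bound
        "mtba_days": (sum(gaps) / len(gaps) if gaps else period_s) / DAY,
        "after_trip": max(floods, default=0),
        "standing": standing,
    }


def score(m):
    """Table 7-5 score per indicator, total and verdict (open band edges assumed)."""
    c, r, f = m["configured"], m["rate_per_hour"], m["half_load_share"]
    d, a, s = m["mtba_days"], m["after_trip"], m["standing"]
    parts = {
        "configured": 1 if c < 1000 else 0.5 if c <= 3000 else 0,
        # the table has no row below one per 2 hours; such rates also score 3.5 here
        "rate": 0 if r > 60 else 0.5 if r > 6 else 1.5 if r > 1 else 3.5,
        "frequent": 1.5 if f >= 0.20 else 0.5 if f >= 0.10 else 0,
        "mtba": 0 if d < 3 else 0.2 if d < 30 else 0.5 if d < 365 else 1,
        "after_trip": 0 if a > 100 else 1 if a >= 20 else 2.5,
        "standing": 0 if s > 30 else 1 if s >= 10 else 1.5,
    }
    total = round(sum(parts.values()), 1)
    verdict = ("Not satisfactory, requires improvement" if total < 7 else
               "Average" if total < 8 else "Good" if total < 10 else "Excellent")
    return parts, total, verdict


def sample_log():
    """Constructed 30-day log: one chattering alarm, one trip flood, quiet background."""
    log = [(60 + k * 1200, "011PIA-011 L") for k in range(2160)]        # every 20 minutes
    trip = 10 * DAY
    log += [(trip + 5 + 10 * i, f"FLOOD-{i:02d}") for i in range(45)]   # flood after the trip
    for i in range(60):                                                 # repeats after 12 days
        log += [(i * HOUR + 100, f"BG-{i:02d}"), (i * HOUR + 100 + 12 * DAY, f"BG-{i:02d}")]
    return log, [trip]
```

On the constructed log a single chattering tag produces more than half of all alarms, so the "frequent alarms" indicator scores 0 although the average rate alone looks moderate.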

7.8 Improvement

If the alarm system requires improvement on one or more areas (performance indicators as listed in Table 7-4) the proposed changes should first be evaluated for effectiveness.

This is completed by capturing the alarm scenarios followed by evaluating the effect of the proposed changes on the performance of the alarm system. E.g. when alarm suppression techniques are proposed to reduce the number of alarms following a trip, one should evaluate which alarms will be suppressed from the actual alarms presented to the operator following a number of trips (alarm scenarios) and to what extent this results in a significant improvement.

7.9 Overall Alarm Management process

The problems seen in FCS-based alarm systems are often too great to be addressed simply by reviewing one alarm parameter alone, such as priority assignments. It is usually necessary to:

· substantially reduce the total number of alarm points;

· reduce the frequency at which the remaining alarms are triggered;

· help the operator to recognise the most important alarms during an upset.

Ideally, all of the key parameters for any point should be reviewed by asking:

· Is an alarm on this point helpful to the operator?

· How will it behave in routine process upsets?

· How will it behave during start-ups, when alarm flooding is common?

· What priority setting should it be given?

· What is the optimum trigger point (i.e. the numeric setting of the alarm)?

· How wide a dead band can be set?

· Is there any advantage in a time delay or similar feature?

However, whilst a rigorous approach should be applied to the alarm configuration in a new‑build design, the effort required for a point-by-point review of all alarms in an existing installation can be prohibitive. Instead, a more pragmatic approach is needed, seeking to maximise the benefits from the effort applied.

The objective of the alarm management process is to provide a structured way to carry out alarm management. The process is different for new facilities and for existing facilities, as shown in the figure below. Alarm management may therefore be split into 3 elements:

· For new installations: Alarm system design

· For existing installations: Alarm rationalisation or alarm system re-design

· During operation: Alarm handling.

[Flowchart. Boxes shown: Start; Establish overall alarm philosophy; Alarm system basis of design; decision "Existing or new plant"; on the new branch: Alarm narrative typicals (F&G alarms, Diagnostic alarms, Manual trip alarms, Process alarms), "For each alarm" Alarm work process (see Figure 4), Design Alarm system; on the existing branch: DCS, Establish alarm system KPIs, decision "Are there obvious bad actors?", Establish bad actors, "For each bad actor" Alarm work process (see Figure 4), Update Alarm system; Establish alarm system KPIs; decision "KPIs OK?" (yes/no); Finished.]

The overall alarm management process

New facilities:

For new facilities, the alarm system design is part of the engineering effort. In this case the aim is to realise an alarm system that performs satisfactorily from the initial start-up onwards. If this is not (yet) the case, the alarm system is further treated as an existing alarm system.

For a new facility the alarm system design process first defines the alarm philosophies and generic configurations. This again results in templates that include the handling of fire & gas alarms, diagnostic alarms, alarms related to manual trips and common alarms.

For a new facility, all configured alarms shall either be assigned to one of the pre-defined alarm categories (templates) or analysed individually. Individual analysis is potentially a time-consuming exercise, hence the maximum use of templates.

For each configured alarm that does not fall into one of the predefined categories (templates), the review mainly establishes the priority (including whether the alarm is really required) and the optimum parameters such as setting, dead band and signal filtering. If required to achieve an acceptable performance, any required alarm suppression techniques are identified. Additionally the opportunity is taken to record the purpose of the alarm, the consequence of no action and the possible operator responses.

Following the realisation and commissioning of the alarm system, the performance of the alarm system is measured. If performance is satisfactory, the review process is completed. If performance is not acceptable the further improvement effort follows the same process as for an existing plant.

Two phases

The alarm study (or alarm review process) is split into two phases. The first phase of the alarm study is intended to establish whether an alarm is really necessary or appropriate, or whether the risk associated with the hazardous situation becomes ALARP with an alarm.

If there are doubts whether the risk is ALARP, the IPF method or HEMP method should be applied.

The first phase also establishes expected operator response times, process safety time and the severity of consequences if the alarm is not responded to. By means of Figure 10, the alarm priority is derived from the process safety time and the severity of the consequences.

The second phase of the alarm study establishes the required operator actions, suppression requirements and other relevant parameters.

Existing facilities:

For existing facilities, the alarm rationalisation and alarm system re-design aims to restore the performance of an existing alarm system to satisfactory levels. Quick gains are important and a more pragmatic approach is needed, seeking to maximise the benefits from the effort applied.

For an existing facility, the HAZOP study may not be complete or may be absent altogether. The alarm setting documentation may be incomplete and settings may have developed over time to levels that are ill advised. Therefore, for existing facilities, the alarm settings/ limits shall be confirmed and re-defined, based on an understanding of the process and equipment constraints, process dynamics, operator response times etc.

For an existing facility, the alarm rationalisation and alarm system re-design initially concentrates on bad actors that make a disproportionate contribution to the poor performance of the alarm system.

However, before the bad actors are analysed, alarm philosophies and generic configurations need to be agreed upon. This process produces templates for F&G alarms, diagnostic alarms (alarms that indicate possible malfunctioning of instruments or equipment that may not immediately result in a process upset), alarms related to manual trips and common alarms. These templates (generic configurations) allow these alarms to be applied in a consistent manner throughout the alarm listing without further detailed analysis.

For each bad acting alarm, the alarm work process mainly establishes the priority (including if the alarm is really required) and the optimum parameters such as setting, dead band and signal filtering. If required to achieve an acceptable performance, any required alarm suppression techniques are identified. Additionally, the opportunity is taken to record the purpose of the alarm, the consequence of no action and the possible operator responses.

The bad actor analysis is repeated until either the alarm system performance (KPIs) is acceptable or no obvious bad actors are left. In the latter case the improvement effort follows the same process as for a new plant.
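The bad-actor loop described above, sketched as an added example that is not part of the guideline. The journal data, the KPI target (alarms per 10 minutes), the 25% share that defines a bad actor, and the modelling of a completed alarm work process as "the tag stops alarming" are all assumptions made for illustration.

```python
from collections import Counter

# Constructed alarm journal: (minute offset, alarm tag). Tags and counts are
# illustrative sample data, not taken from any real plant.
JOURNAL = (
    [(m, "011PIA-011 LL") for m in range(0, 120, 2)]      # chattering: 60 events
    + [(m, "012FRCA-123 H") for m in range(0, 120, 4)]    # 30 events
    + [(m, "011XA-011") for m in range(0, 120, 40)]       # 3 events
    + [(m, "013PIA-012 H") for m in range(5, 120, 60)]    # 2 events
)
WINDOW_MIN = 120          # the journal covers two hours
KPI_MAX_PER_10_MIN = 1.0  # assumed target; take the real one from the alarm philosophy
BAD_ACTOR_SHARE = 0.25    # assumed: a tag producing >= 25% of all alarms is a bad actor


def alarm_rate(journal):
    """Average alarms per 10 minutes over the journal window."""
    return len(journal) / (WINDOW_MIN / 10)


def bad_actors(journal):
    """Tags with a disproportionate share of the journal, worst first."""
    counts = Counter(tag for _, tag in journal)
    total = sum(counts.values())
    return [(tag, n / total) for tag, n in counts.most_common()
            if n / total >= BAD_ACTOR_SHARE]


def rationalise(journal):
    """Repeat the bad-actor analysis until the KPI is met or none are left."""
    journal, reviewed = list(journal), []
    while alarm_rate(journal) > KPI_MAX_PER_10_MIN:
        actors = bad_actors(journal)
        if not actors:
            # No obvious bad actors left but KPIs still not met.
            return reviewed, alarm_rate(journal), "continue as for a new plant"
        worst = actors[0][0]
        reviewed.append(worst)
        # Stand-in for the alarm work process (priority, setting, dead band,
        # filtering, suppression): assume the fix stops this tag from alarming.
        journal = [(m, tag) for m, tag in journal if tag != worst]
    return reviewed, alarm_rate(journal), "KPIs acceptable"


if __name__ == "__main__":
    print(rationalise(JOURNAL))
```

On a real system the journal would come from the DCS alarm log, and each pass would re-measure the KPIs after the changes are commissioned rather than filtering the old data.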

8 REFERENCES

In this document, reference is made to the following main publications.

NOTE: Unless specifically designated by date, the latest edition of each publication shall be used, together with any amendments/supplements/revisions thereto.

| Document name | Document No. | PDO ref. No (if applicable) |
|---|---|---|
| STANDARDS | | |
| Human – Machine interface in a control room | DEP32.00.00.11-PDO | SP1192 |
| Measurement Validation and Comparison | MF 94-0495 | |
| Classification and implementation of instrumented protective functions | DEP32.80.10.10-GEN, Oct.2001 | |
| Instrument engineering procedures | DEP32.31.00.10 | |
| Instruments for measurement and control | DEP32.31.00.32 | |
| Instrumented Protective systems | DEP32.80.10.30 | |
| Fire, Gas & Smoke detection system | DEP32.30.20.11 | |
| EUROPEAN STANDARDS | | |
| Generic standard on “Functional safety of Electric/ Electronic Programmable (E/E/PES) safety related systems” | IEC 61508 | |
| Specific standard for the Petrochemical industry on “Functional safety of Electric/ Electronic Programmable (E/E/PES) safety related systems” | IEC 61511 | |
| INDUSTRY PRACTICES | | |
| EEMUA, Engineering Equipment & Materials Users Association | 191 | |

Appendix 1 – Typical AMR Info Pack

Typical AMR Info Pack

Documents / Information required for AMR

1. Process Engineering and Utility flow schemes (PEFS /UEFS)

2. Process flow schemes (PFS) and Process safeguarding flow schemes (PSFS)

3. Cause & Effect matrices including fire and gas detection system

4. IPF Classification report (for reference, if available).

5. Operating philosophy or plant operating manuals.

6. Control & Safeguarding narratives

7. List of alarm & trip set points (alarm & trip database)

8. Master Alarm Database

9. List of Standing Alarms during typical steady operation (applies to existing facilities)

10. Alarm Journal printouts following typical upsets (applies to existing facilities)

Appendix 2 – AMR Report/Close Out Report

TABLE OF CONTENTS

1.0 Introduction

2.0 Process Description

3.0 AMR Team and Meeting Details

4.0 AMR Basis & Assumptions

5.0 Action points

Annexure

1. PSFS/PEFS

2. Cause & Effect Diagram.

3. Alarm Rationalisation database

4. Action Point Close out

5. Variance Logs

Appendix 3 – AMR Work Process

AMR Work Process

| Activity | Action Party |
|---|---|
| ARRANGE AMR MEETING (6 weeks prior to actual AMR date) | |
| Request UES for AMR Facilitator | PDO PE using AMR Web tool |
| Arrange AMR Secretary | Contractor / Consultant (Project Engineer) |
| AMR INFORMATION PACKAGE | |
| Refer Appendix 1 for Typical AMR info pack | Contractor / Consultant |
| AMR MEETING PREPARATION | |
| Function Identification | AMR Secretary in consultation with AMR Facilitator |
| Alarms into AMR Database (Master Alarm database) | AMR Secretary; Contractor / Consultant |
| AMR CLASSIFICATION MEETING | |
| Invite participants | PDO PE |
| Arrange Facilities | Contractor / Consultant (Project Engineer) |
| DRAFT AMR CLASSIFICATION REPORT | |
| Print AMR Classification sheets; Print of Action points. Note: Design team to proceed with close-out of AMR and action points on receipt of the above sheets | AMR Secretary (within 5 days) |
| AMR CLOSE-OUTS | |
| Prepare AMR report including Master Alarm Database, Alarm function database & report | Contractor / Consultant |
| Report review | PDO Project C&A Engineer |
| AMR ACTION CLOSE-OUT MEETING (if required) | |
| Invite participants from the AMR | PDO / Contractor / Consultant (Project Engineer) |
| AMR FINAL REPORT | |
| Compilation of the final report consisting of AMR worksheets, PEFS, C&E, Alarm Master Alarm Database, Alarm prioritisation etc. | Contractor / Consultant |
| Report Approval | PDO TA-2 Approval |
| Distribute copies to project team and issue one hardcopy (master) including electronic copy (pdf version, with links from Table of contents to individual section) of final report to UES | Contractor / Consultant (Project Engineer) |

[Figure: Alarm Rationalization Review Process. Flowchart steps: START; Collect documents; Prepare alarms data base; Make alarm groups; Review and classify alarms; Assign priorities; Evaluate the results; Prepare report and implementation plan; END. Phase labels: Preparation; classification; Close-out.]

Appendix 4 – AMR Workshop Request

[Figure: AMR Workshop Request flowchart. Boxes: Submit Work Shop Request; Schedule Work Shop Request; Complete Work Shop?; Issue Draft Report; Review Draft Report?; Issue Final Report; Upload Final Report at Live Link; Final Completion; Re-Schedule Work Shop; Change Request; Cancel Work Shop; Send Review Comments Documents. Branch labels: YES; NO; RE-VISIT; ACCEPTED. Legend: Custodian; Project Engineer.]

Appendix 5 – Abbreviations

ALARP – As Low As Reasonably Practicable

CFDH – Corporate Functional Discipline Head

DCS – Distributed Control System

EEMUA – Engineering Equipment & Materials Users Association

ESD – Emergency Shut Down

FCS – Field bus Control System

FGS – Fire, Gas and Smoke Detection System

HSE – Health, Safety, and Environment

IPF – Instrumented Protective Function

IPS – Instrumented Protective System

MAD – Master Alarm Database

PLC – Programmable Logic Controller

PV – Process Variable

SIL – Safety Integrity Level

AMR – Alarm Management and Rationalisation

Appendix 6 – Master Alarm Database to be used for Alarm Rationalization Exercise

Appendix 7 – Summary of Changes

Summary of Changes at Revision 2

The previous edition of this guideline was dated Dec 2005. Other than editorial changes, the following are the main changes since that edition:

· Section 1.2 – Scope & Objectives - 3 types of operator roles included.

· Section 3.1 – System alarms included

· Section 3.2 – included – Deadbands, Alarm Delay options, Alarm Shelving, BAD VALUE Functionality, Improved Alarm displays, Master Alarm database.

· Section 3.3 - Alarm Management and Rationalisation Review Process included as flow chart in Appendix 3.

· Section 3.4.1 & 3.4.3 – additional sub points included.

· Section 3.4.5 - AMR Facilitator & Section 3.4.6 - AMR Secretary included.

· Section 7.9 added

· Appendix 1 - Typical AMR Info pack included

· Appendix 2 - Typical AMR Report / Close-out Report included

· Appendix 3 - AMR Work Process included

· Appendix 4 - AMR Workshop Request included

· Section 2.3 Abbreviations included in Appendix 5

· Appendix 6 - Master Alarm Database to be used for Alarm Rationalization Exercise included.


[Figure: Alarm Response Improvement (Shell Global Solutions). Timeline from normal condition to alarm condition along a time axis: time to acknowledge the alarm (0.1-5 min); time to consider an initial response (0.1 - 5 min); time for the response (or any other subsequent attempt) to restore to a normal situation. Labels: trial and error; improved effectiveness of operator actions; intelligent disciplined trained staff applying pre-decided validated knowledge & practices.]

[Figure: Dynamic alarm suppression (Shell Global Solutions). Logic diagram labels: Dynamic suppression initiators (alarm = 1); OR; & with "Enable dynamic suppression"; Dynamic Suppression timer (pulse: T = X sec.); "Suppress when '1'"; Dynamic alarm suppression of a listed group of DCS alarm tags; Dynamic alarm check on selected alarms; Delay Before Alarm On Check (delay on timer, y seconds); mismatch alarm (= '1').]

Note:

1) The actual trigger alarm shall not be suppressed.

2) This scheme does not show all logic required to obtain fully functional dynamic alarm suppression.

[Figure: Dynamic alarm setting (Shell Global Solutions). Diagram labels: Enable dynamic suppression; Mode A conditions; Mode B conditions; Mode C conditions; etc.; & gates; Xfer; Default settings table; Mode A, B etc. settings table; DCS control boxes. Each settings table has the columns "DCS point" and "Dyn. alarm setpoint" for a listed group of DCS alarm tags.]


[Figure: Static alarm suppression (Shell Global Solutions). Diagram labels: Manual static suppression command; Static suppression permissives for section ….; & gate; Static alarm suppression of section …., applied to a listed group of DCS alarm tags.]


[Figure: chart (Shell Global Solutions) with a 0% to 100% axis. Labels: Handling trips; Handling the alarms; process upsets; Unscheduled activities; non-control; Scheduled activities. Series: Normal; Good; Excellent.]