PETRONAS TECHNICAL STANDARDS

ALARM MANAGEMENT GUIDELINES

PTS 32.30.60.19

SEPTEMBER 2012

© 2012 PETROLIAM NASIONAL BERHAD (PETRONAS). All rights reserved. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the permission of the copyright owner.



  • This revision of PTS 32.30.60.19 Alarm Management Guidelines (September 2012) has been updated to incorporate PETRONAS Lessons Learnt, Best Practice and new information issued by relevant industry code and standards.

    The previous version of this PTS 32.30.60.19 (December 2008) will be removed from PTS binder / e-repository from herein onwards.

    The custodian of this PTS is:

    Name: Shah Rizal Dahlan

    Tel. No: 03-27836124

    Please direct any questions regarding this PTS to the above-named.

    Document Approval

    Revision History

    Rev No. Reviewed by Approved by Date

    PTS Circular 2012 32.30.60.19

    PTS No: 32.30.60.19 PTS Title: Alarm Management Guidelines

  • TABLE OF CONTENTS

    1. INTRODUCTION.........................................................................................................................1

    1.1 SCOPE AND OBJECTIVES..................................................................................1

    1.2 DISTRIBUTION, INTENDED USE AND REGULATORY CONSIDERATIONS..................1

    1.3 DEFINITIONS..........................................................................................................1

    1.4 ABBREVIATIONS....................................................................................................6

    2. CODES AND STANDARDS.......................................................................................................7

    3. ALARM GUIDELINES.................................................................................................................8

    3.1 ALARM PARAMETERS SHALL NOT BE ALTERED WITHOUT PROPER MANAGEMENT OF CHANGE ............ 8

    3.2 ALARMS ARE NOT A SUBSTITUTE FOR AN OPERATOR'S ROUTINE SURVEILLANCE OF UNIT OPERATION ............ 8

    3.3 AN ALARM MUST REQUIRE IMMEDIATE ACTION BY THE OPERATOR ............ 8

    3.4 THERE SHALL NOT BE MULTIPLE ALARMS THAT PROMPT THE SAME OPERATOR ACTION ............ 9

    3.5 ALARM PRIORITY DEFINES THE DEGREE OF URGENCY OF CORRECTIVE ACTION BY THE OPERATOR ............ 9

    3.6 ALARMS SHOULD PROVIDE TIMELY ADVICE THAT THERE ARE PROBLEMS REQUIRING OPERATOR INTERVENTION ............ 10

    3.7 AN ALARM SHOULD HELP THE OPERATOR TO QUICKLY IDENTIFY THE CAUSE OF A PROBLEM ............ 10

    3.8 SIGNALS WHICH DO NOT QUALIFY AS ALARMS ............ 10

    4. ALARM MANAGEMENT PROCESS.......................................................................................11

    4.1 ALARM MANAGEMENT PHILOSOPHY..........................................................13

    4.2 IDENTIFICATION.........................................................................................13

    4.3 ALARM RATIONALIZATION.........................................................................13

    4.4 ALARM DESIGN...........................................................................................15

    4.5 IMPLEMENTATION.......................................................................................26

    4.6 OPERATION................................................................................................26

    4.7 PERFORMANCE MONITORING...................................................................26

    4.8 MAINTENANCE............................................................................................28

    4.9 ASSESSMENT.............................................................................................28

    4.10 MANAGEMENT OF CHANGE......................................................................28

    4.11 ALARM MANAGEMENT PROCESS LOOPS................................................29

    4.12 ALARM DOCUMENTATION.........................................................................30

    4.13 ALARM HISTORY RETENTION...................................................................30

    5. PRIORITY ASSIGNMENT.........................................................................................................31

    6. BENCHMARKING, PERFORMANCE METRICS AND REPORTING....................................32

    7. ALARM PRESENTATION........................................................................................................34

    8. AUDIBLE SIGNALS CONSIDERATIONS...............................................................................35

    9. TRAINING..................................................................................................................................36

    10. ROLES AND RESPONSIBILITIES.......................................................................................37

    11. REFERENCES.......................................................................................................................38

    APPENDIX 1: ALARM REVIEW FORM..........................................................................................39

    APPENDIX 2: DCS ALARM PRIORITIZATION RISK ASSESSMENT MATRIX..........................40

  • Summary of Changes

    Markup and Revision Information

    Insertion : Bold

    Deletion : Strikethrough in Bold

    Replacement : Strikethrough in Bold with subsequent replacement in Bold

    Section Changes

    1.4 ABBREVIATIONS

    Added the following to the list of Abbreviations: ISA - International Society of Automation

    2. CODES AND STANDARDS

    Updated existing clause (the strikethrough markup of the original is lost in this copy; the previous text is shown first, the replacement text second).

    Previous text: There are no codes or standards related to alarm management yet established at the time this guideline is written. The Instrument Society of America is currently drafting the ISA SP18.02 Instrument Signals and Alarms Standard. The standard is in final review stage and is due for release in 2008. However, the EEMUA Publication No. 191, published in 2007, entitled "Alarm Systems, A Guide to Design, Management and Procurement" is widely accepted in the industry as the reference document for alarm management. Pending the establishment of an international standard on alarm management, pertinent recommendations found in the EEMUA document shall be the reference for this guideline, together with the ASM Consortium Guidelines on Effective Alarm Management Practices Version 5, which documents the best practices for alarm management.

    Replacement text: The alarm management philosophy in this PTS is based on alarm management Best Practices, such as those defined in EEMUA 191 and ISA 18.02.

  • Section Changes

    3.1 ALARM PARAMETERS SHALL NOT BE ALTERED WITHOUT PROPER MANAGEMENT OF CHANGE

    Updated existing clause: Modifications to existing alarms or additions of new alarms shall be part of MOC, where proper justification and an alarm design review are required. Refer to Figure-1 Alarm Management Process.

    4.2 IDENTIFICATION

    Updated existing clause: In the identification stage, the alarms configured in the plant control system indicated in the P&ID or configured in the plant control system are to be evaluated. An alarm list to list shall be generated either from the Instrument database or from the DCS. In addition, it is also necessary to vet through all of HAZOP reports, IPF review reports and incident investigation reports to identify a list of conditions that need to be protected by operator intervention.

    4.3 ALARM RATIONALIZATION

    Updated existing clause: Rationalization is the process of reconciling each individual alarm against the principles and requirements of the alarm philosophy. The exercise involves reviewing and documenting each alarm which exists in the DCS or as indicated in the P&ID for the particular unit. The process of alarm rationalization is as follows: 1. Using DCS database determine the existing alarm parameters for the tag. and P&ID generated alarm database to determine the alarm parameters for the tag.

    11. REFERENCES

    Updated the list of references:

    Human Machine Interface in a Control Room: PTS 32.00.00.11

    Management of Change (Guidelines): PTS 60.2201

    Alarm Systems, A Guide to Design, Management and Procurement: EEMUA 191, 2007

    Management of Alarm Systems for the Process Industries: Draft ISA 18.02 2008.04.01; ANSI/ISA-18.02-2009

    Alarm Management: DEP 32.80.10.14-Gen

    ASM Consortium Guidelines, Effective Alarm Management Practices: Revision 5

  • PREFACE

    PETRONAS Technical Standards (PTS) publications reflect the views, at the time of publication, of PETRONAS OPU(s)/Division(s). They are based on the experience acquired during the involvement with the design, construction, operation and maintenance of processing units and facilities. Where appropriate they are based on, or reference is made to, national and international standards and codes of practice. The objective is to set the recommended standard for good technical practice to be applied by PETRONAS' OPU(s) in oil and gas production facilities, refineries, gas processing plants, chemical plants, marketing facilities or any other such facility, and thereby to achieve maximum technical and economic benefit from standardisation.

    The information set forth in these publications is provided to users for their consideration and decision to implement. This is of particular importance where PTS may not cover every requirement or diversity of condition at each locality. The system of PTS is expected to be sufficiently flexible to allow individual operating units to adapt the information set forth in PTS to their own environment and requirements.

    When Contractors or Manufacturers/Suppliers use PTS they shall be solely responsible for the quality of work and the attainment of the required design and engineering standards. In particular, for those requirements not specifically covered, the Principal will expect them to follow those design and engineering practices which will achieve the same level of integrity as reflected in the PTS. If in doubt, the Contractor or Manufacturer/Supplier shall, without detracting from his own responsibility, consult the Principal or its technical advisor.

    The right to use PTS rests with three categories of users:

    1) PETRONAS and its affiliates.

    2) Other parties who are authorised to use PTS subject to appropriate contractual arrangements.

    3) Contractors/subcontractors and Manufacturers/Suppliers under a contract with users referred to under 1) and 2) which requires that tenders for projects, materials supplied or - generally - work performed on behalf of the said users comply with the relevant standards.

    Subject to any particular terms and conditions as may be set forth in specific agreements with users, PETRONAS disclaims any liability of whatsoever nature for any damage (including injury or death) suffered by any company or person whomsoever as a result of or in connection with the use, application or implementation of any PTS, combination of PTS or any part thereof. The benefit of this disclaimer shall inure in all respects to PETRONAS and/or any company affiliated to PETRONAS that may issue PTS or require the use of PTS.

    Without prejudice to any specific terms in respect of confidentiality under relevant contractual arrangements, PTS shall not, without the prior written consent of PETRONAS, be disclosed by users to any company or person whomsoever and the PTS shall be used exclusively for the purpose they have been provided to the user. They shall be returned after use, including any copies which shall only be made by users with the express prior written consent of PETRONAS.

    The copyright of PTS vests in PETRONAS. Users shall arrange for PTS to be held in safe custody and PETRONAS may at any time require information satisfactory to PETRONAS in order to ascertain how users implement this requirement.

  • PTS 32.30.60.19 September 2012, Page 1

    1. INTRODUCTION

    1.1 SCOPE AND OBJECTIVES

    This document describes the guidelines for the management of Distributed Control System (DCS) alarms within PETRONAS plants, both new and existing. The objectives of this guideline are:

    - Establish the work processes in alarm management for PETRONAS;

    - Provide engineering guidelines for consistent and efficient alarm configuration; and

    - Achieve world class alarm system performance for all areas by implementing the work processes described.

    This guideline shall apply to all audible and visual alarms generated by the DCS on the operator consoles.

    This PTS is developed together with the Technical Professionals and experienced plant personnel of Skill Group 14. The Custodian of this PTS shall be consulted for any deviation.

    1.2 DISTRIBUTION, INTENDED USE AND REGULATORY CONSIDERATIONS

    Unless otherwise authorised by PETRONAS, the distribution of this PTS is confined to companies forming part of PETRONAS group and to contractors and manufacturers/suppliers nominated by them.

    1.3 DEFINITIONS

    1.3.1 General Definitions

    The Contractor is the party which carries out all or part of the design, engineering, procurement, construction, commissioning or management of a project or operation of a facility. The Principal may undertake all or part of the duties of the Contractor.

    The Manufacturer/Supplier/Vendor is the party which manufactures or supplies equipment and services to perform the duties specified by the Contractor or the Plant Owner.

    The Plant Owner is the PETRONAS instrumentation party responsible for the operation and maintenance of the equipment, who in turn is responsible to the plant management.

    The Principal is the PETRONAS party which initiates the project (new or revamp) and ultimately pays for its design and construction. The Principal will generally specify the technical requirements.

    The Custodian is the originator and technical owner of this PTS.

    The word Shall indicates a requirement. The word Should indicates a recommendation.

  • 1.3.2 Technical Definitions

    Absolute alarm: An alarm generated when a set limit is exceeded.

    Acknowledge: The operator action that confirms recognition of an alarm.

    Activate: The process of enabling an alarm function within the alarm system.

    Adjustable Alarm: An alarm for which the limits are changed, automatically or manually, based on operating conditions.

    Alarm: An audible and/or visible means of indication to the operator of an equipment malfunction, process deviation or abnormal condition requiring a response.

    Alarm class: A grouping, or class, used to specify design, operation, monitoring and audit requirements for an alarm.

    Alarm condition: The indication of the type and level of an alarm.

    Alarm deadband: The range through which an input must be varied from the alarm limit in order to clear the alarm.

    Alarm flood (Alarm Shower): A period of time with a greater number of alarms than the operator can effectively manage.

    Alarm group: A set of alarms associated with a process unit or within a process area.

    Alarm limit (Alarm trip point, Alarm setpoint): The threshold value or discrete state of a process variable that triggers the alarm indication (see alarm setpoint).

    Alarm log: The historical record of alarm messages.

    Alarm management (Alarm system management): The processes and practices for determining, documenting, designing, operating, monitoring, and maintaining alarm systems.

    Alarm philosophy: A document that establishes the basic definitions, principles, and processes to design, implement, and maintain an alarm system.

    Alarm priority: The level of importance assigned to an alarm within the alarm system to indicate importance (e.g. seriousness of consequences) and urgency.

    Alarm summary: A display that lists alarms with selected information, such as date, time, priority, and alarm condition.

    Alarm system: The collection of hardware and software that detects an alarm state, transmits the indication of that state to the operator's attention, and records changes in the alarm state.

    Alert: An audible and/or visible means of indicating to the operator an equipment or process condition that requires awareness and that action may be needed when time permits.

    Bypass: To manually modify a function to prevent its activation. (This term is used to describe instrumented functions other than alarms.)

    Control system: A system that responds to input signals from the equipment under control and/or from an operator and generates output signals that cause the equipment under control to operate in the desired manner.

    Chattering alarm: An alarm that repeatedly transitions between the alarm state and the normal state. For example, any parameter that crosses its alarm threshold three (3) times or more within a one (1) minute period.

    Clear: An alternate description of the state of an alarm that has transitioned to the normal state.

    Console: The interface for an operator to monitor the process, which may include multiple displays or annunciations.

    Deviation alarm: An alarm generated when the difference between two analog values exceeds a set limit.

    Disabled Alarm: An alarm that is disabled by the operator such that the alarm will not be generated even though the base alarm condition is present.

    Note: Uncontrolled disabling of alarm(s) is not allowed.

    Discrepancy alarm: An alarm generated by an error in the comparison of an expected plant or device state to its actual state (e.g. when a motor fails to start after it is commanded to the ON state).

    Dynamic alarming: The automatic modification of alarms based on process state or conditions.

    First-out alarm (First-up Alarms): An alarm method, in a multiple-alarm scenario, of determining which alarm occurred first.

    Initiating event: A malfunction, failure or other condition that can cause an alarm indication.

    Latching alarm: An alarm that remains in the alarm state after the process has returned to normal and requires an operator action beyond acknowledgement before it will clear.

    Nuisance alarm: An alarm that transitions from the normal state to the alarm state more frequently than the response action is needed.

    Operator: The primary person responsible for ensuring the process parameters are maintained within limits.

    Operator response time: The time between the annunciation of the alarm and when the operator takes the correct action in response to the alarm.

    Operator-set alarm: An alarm in which the setting may be manually adjusted by the operator to suit his needs.

    Out-of-service: A state that suppresses the alarm indication so that maintenance can be performed.

    Plant state: A defined state of operation of a process plant (e.g., shutdown, start-up, operating).

    Prioritization: The process of assigning to an alarm a level of importance, or priority, which can be implemented within the alarm system.

    Rate-of-change alarm: An alarm generated when a limit value for the rate of change of a process parameter d(PV)/dt is exceeded.

    Rationalization: The review of a potential alarm against the principles of the alarm philosophy to establish and document the rationale and design requirements for the alarm.

    Remote alarm: An alarm from a remotely operated facility or a remote interface.

    Reset: The operator action that unlatches a latched alarm.

    Re-triggering alarm: An alarm that is automatically re-annunciated to the operator under certain conditions.

    Return to normal: The alarm system indication that an alarm condition has transitioned to the normal state.

    Shelve: To prevent the transmission of the alarm indication to the operator through a controlled methodology initiated by the operator. The controlled methodology shall be determined by the OPU.

    Stale alarm: An alarm that remains in the alarm state for 24 hours or more.

    Standing alarms: A measure of the number of stale alarms.

    Station: A single human machine interface within the operator console.

    Suppress: To prevent the indication of the alarm to the operator when the base alarm condition is present, initiated automatically by logic or manually by the operator.

    Unacknowledged: An alarm in the alarm state which has not been acknowledged by the operator.
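    Added worked example (not part of PTS 32.30.60.19): the following Python, written for this page, ties the definitions of alarm deadband and chattering alarm together. A high absolute alarm is evaluated over a constructed level signal that hovers around its limit; without a deadband the alarm clears and re-annunciates on every sample, which meets the PTS definition of chattering (three or more crossings within one minute), while a deadband of 1 % holds the alarm in until the level genuinely recovers. The tag, limit and sample values are constructed for the illustration.

```python
"""Added example (not part of PTS 32.30.60.19): a high-limit alarm evaluator with an
alarm deadband, run over a constructed noisy level signal to show how a deadband
prevents a chattering alarm (three or more threshold crossings within one minute)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: level (%) sampled every 5 s, hovering around an alarm limit of 80 %.
NOISY_LEVEL: List[Tuple[int, float]] = [
    (5 * i, pv)
    for i, pv in enumerate([79.8, 80.1, 79.9, 80.2, 79.8, 80.1,
                            79.9, 80.3, 79.7, 80.1, 79.9, 80.2])
]


@dataclass
class HighAlarm:
    """High absolute alarm: enters the alarm state when PV >= limit and returns to
    normal only after PV has dropped below (limit - deadband)."""
    limit: float
    deadband: float = 0.0
    in_alarm: bool = False

    def update(self, pv: float) -> Optional[str]:
        """Feed one sample; return 'ALM' or 'RTN' on a state transition, else None."""
        if not self.in_alarm and pv >= self.limit:
            self.in_alarm = True
            return "ALM"
        if self.in_alarm and pv < self.limit - self.deadband:
            self.in_alarm = False
            return "RTN"
        return None


def evaluate(samples, limit, deadband):
    """Run the alarm over (t_seconds, pv) samples; return the list of (t, event)."""
    alarm = HighAlarm(limit=limit, deadband=deadband)
    events = []
    for t, pv in samples:
        event = alarm.update(pv)
        if event is not None:
            events.append((t, event))
    return events


def is_chattering(events, window_s=60, min_crossings=3):
    """PTS definition: the parameter crosses its alarm threshold three or more times
    within one minute. Every ALM/RTN transition counts as one crossing."""
    times = [t for t, _ in events]
    for i, t0 in enumerate(times):
        crossings = sum(1 for t in times[i:] if t - t0 <= window_s)
        if crossings >= min_crossings:
            return True
    return False


if __name__ == "__main__":
    for deadband in (0.0, 1.0):
        events = evaluate(NOISY_LEVEL, limit=80.0, deadband=deadband)
        print(f"deadband={deadband}: {len(events)} transitions, "
              f"chattering={is_chattering(events)}")
```

    With no deadband the 60-second sample produces 11 transitions and is flagged as chattering; with a 1 % deadband it produces a single ALM at t = 5 s. The deadband must still be small enough that return-to-normal is reported while the operator is acting on the alarm, so its value is part of the alarm design record rather than a tuning afterthought.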

  • 1.4 ABBREVIATIONS

    ACK - Acknowledge or Acknowledged

    AMT - Alarm Management Team

    ASM - Abnormal Situation Management

    BPCS - Basic Process Control System

    CLR - Clear

    DCS - Distributed Control System

    EEMUA - Engineering Equipment and Materials Users Association

    HAZOP - Hazard & Operability Study

    HMI - Human Machine Interface

    IPF - Instrumented Protective Function

    ISA - International Society of Automation

    MOC - Management Of Change

    P&ID - Piping & Instrumentation Diagram

    PFD - Process Flow Diagram or Probability of Failure on Demand

    PHA - Process Hazards Analysis

    PIMS - Plant Information Management System

    RAM - Risk Assessment Matrix

    RTN - Return To Normal (see definition)

    SIF - Safety Instrumented Function

    SIL - Safety Integrity level

    SIS - Safety Instrumented System

    SS - Shift Superintendent

    UNACK - Unacknowledged

  • 2. CODES AND STANDARDS

    The alarm management philosophy in this PTS is based on alarm management Best Practices, such as those defined in EEMUA 191 and ISA 18.02.

  • 3. ALARM GUIDELINES

    Alarms are signals annunciated to the operator typically by an audible sound and by some form of visual indication on the operator display, both of which differ according to the alarm priority.

    Alarms are important in that they help the operator to monitor deviations from desired operating conditions which may lead to hazardous situations. Alarms help the operator to maintain the plant within a safe operating envelope. The general philosophy for configuring an alarm should be any one or more of the following:

    a. the alarm shall indicate a need for Operator intervention

    b. the alarm shall indicate when a control system can no longer control

    c. the alarm shall indicate the need for timely Operator response

    Alarms shall not be configured if the intent cannot be met by any of the above three. In order to ensure that alarms remain relevant and helpful to the operator, each configured alarm in the DCS shall comply with the following set of guidelines:

    3.1 ALARM PARAMETERS SHALL NOT BE ALTERED WITHOUT PROPER MANAGEMENT OF CHANGE

    Modifications to existing alarms or additions of new alarms shall be part of MOC, where proper justification and an alarm design review are required. Refer to Figure-1 Alarm Management Process.

    3.2 ALARMS ARE NOT A SUBSTITUTE FOR AN OPERATOR'S ROUTINE SURVEILLANCE OF UNIT OPERATION.

    3.2.1 Process changes that should be caught by operators during their normal monitoring of the process, and pose no safety issues, shall not be alarmed.

    3.2.2 The alarm system should be an aid for the operator, not a replacement.

    3.2.3 Operators are expected to investigate alarms occurring by accessing the appropriate graphic and reviewing trends.

    3.2.4 The normal and expected process conditions shall not be alarmed, i.e. sequence process or ON/OFF control.

    3.3 AN ALARM MUST REQUIRE IMMEDIATE ACTION BY THE OPERATOR

    3.3.1 Alarms shall not be configured for which there is no Operator corrective action possible.

    3.3.2 The action required in response to each alarm shall be specified.

    3.3.3 The consequence of the action not being taken shall be specified in the Alarm Reference Database (sect. 4.4).

    3.3.4 All alarms are important and should be acted upon as soon as possible.

  • 3.4 THERE SHALL NOT BE MULTIPLE ALARMS THAT PROMPT THE SAME OPERATOR ACTION

    3.4.1 Redundant instrumentation due to shut down systems will either

    a. not be alarmed,

    b. use logic to prevent multiple alarms, or

    c. have an alarm on deviation between the primary (alarmed) variable and the other instruments.

    3.4.2 Common alarms should be created for multiple alarms on different variables that require the same response.

    3.4.3 If there are many alarm points, determine which is the best to use based on factors such as measurement reliability, minimization of nuisance alarms, speed of initiation, and close logical association with the problem cause.

    3.4.4 Alarms shall be configured within the DCS controller or Input/Output block in order to avoid any redundant alarm, as follows:

    1. Loop with Controller: All alarms shall be configured in the controller block, inclusive of analog input alarm, analog output and bad input.

    2. Loop without Controller: Alarms shall be configured in the individual block, i.e. digital input or output block, analog input or output block.

    3.5 ALARM PRIORITY DEFINES THE DEGREE OF URGENCY OF CORRECTIVE ACTION BY THE OPERATOR

    3.5.1 The degree of urgency of an alarm at any instant, and thus its priority, are dependent on these factors:

    a. The severity of the consequences (in safety, environmental and economic terms) of failing to take the corrective action associated with the alarm (refer Appendix 2).

    b. The time available and required for the corrective action to be performed (Process Safety Time, refer Figure 2) and to have the desired effect.

    3.5.2 Thus, the order in which an operator should take corrective action when a number of alarms are present shall be based on the alarm priorities, where the alarm with the highest priority shall receive operator attention first (see Section 5 for Priority Assignment).

    3.5.3 Each alarm priority shall be configured with a different audible sound, with the highest pitch sound reserved for Emergency / Urgent priority and so forth. Note: Muting of alarms is not allowed.

  • 3.6 ALARMS SHOULD PROVIDE TIMELY ADVICE THAT THERE ARE PROBLEMS REQUIRING OPERATOR INTERVENTION

    3.6.1 An alarm setpoint shall be configured to give the operator at least 5 minutes to take corrective action. The alarm setpoint shall depend on the process safety time, which is defined as the time between the process value reaching the alarm setpoint and the consequences occurring if not acted upon under normal operating conditions. This time gap depends on the normal rate of change of the process value, e.g. a small tank with high receiving flow shall have a lower high level alarm setpoint than a large tank with small receiving flow.
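    Added worked example (not part of PTS 32.30.60.19): the Python below, written for this page, carries the small-tank / large-tank comparison of 3.6.1 through to numbers. It computes the process safety time for a proposed high level alarm setpoint and the highest setpoint that still leaves the operator the 5 minutes the clause requires. It assumes the net inflow is constant over the interval (so the level rises linearly) and that the consequence is reached at 100 % level; the tags, volumes and flows are constructed.

```python
"""Added example (not part of PTS 32.30.60.19): checking a high level alarm setpoint
against the 5-minute operator response requirement of Section 3.6.1 using the
process safety time. Tank sizes and flows are constructed; the net inflow is
assumed constant, so the level rises linearly."""

MIN_RESPONSE_MIN = 5.0  # Section 3.6.1: at least 5 minutes for corrective action


def process_safety_time_min(setpoint_pct, consequence_pct, volume_m3, net_inflow_m3_min):
    """Minutes from the level reaching the alarm setpoint until it reaches the
    consequence level (e.g. 100 % = overflow), at a constant net inflow."""
    if net_inflow_m3_min <= 0:
        raise ValueError("net inflow must be positive for a rising-level alarm")
    if setpoint_pct >= consequence_pct:
        return 0.0  # alarm would annunciate at or after the consequence: no time at all
    remaining_m3 = (consequence_pct - setpoint_pct) / 100.0 * volume_m3
    return remaining_m3 / net_inflow_m3_min


def max_setpoint_pct(consequence_pct, volume_m3, net_inflow_m3_min,
                     response_min=MIN_RESPONSE_MIN):
    """Highest setpoint (%) that still leaves response_min minutes before the consequence."""
    margin_pct = response_min * net_inflow_m3_min / volume_m3 * 100.0
    return consequence_pct - margin_pct


def review_setpoint(tag, setpoint_pct, volume_m3, net_inflow_m3_min, consequence_pct=100.0):
    """Return the record a rationalization review would file for one proposed setpoint."""
    pst = process_safety_time_min(setpoint_pct, consequence_pct, volume_m3, net_inflow_m3_min)
    return {
        "tag": tag,
        "setpoint_pct": setpoint_pct,
        "process_safety_time_min": round(pst, 2),
        "meets_5_min": pst >= MIN_RESPONSE_MIN,
        "max_setpoint_pct": round(max_setpoint_pct(consequence_pct, volume_m3,
                                                   net_inflow_m3_min), 2),
    }


# Constructed tanks, both proposed with a 90 % high level alarm.
SMALL_TANK = review_setpoint("LI-101", 90.0, volume_m3=10.0, net_inflow_m3_min=0.5)
LARGE_TANK = review_setpoint("LI-201", 90.0, volume_m3=500.0, net_inflow_m3_min=1.0)

if __name__ == "__main__":
    for record in (SMALL_TANK, LARGE_TANK):
        print(record)
```

    For the small tank a 90 % setpoint leaves only 2 minutes, so the review would lower it to 75 % or below; the large tank at 90 % leaves 50 minutes and could sit as high as 99 %. The same calculation run with the worst credible inflow, rather than the normal one, is the conservative check a reviewer would add before signing off.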

    3.7 AN ALARM SHOULD HELP THE OPERATOR TO QUICKLY IDENTIFY THE CAUSE OF A PROBLEM

    3.7.1 Clear and understandable alarm tag descriptors are important to help identify the cause.

    3.7.2 Consistent abbreviations shall be used so that they are clearly understood by all operators.

    3.7.3 An alarm tag's Associate Display parameter shall be configured to provide quick access to the relevant schematic.

    3.8 SIGNALS WHICH DO NOT QUALIFY AS ALARMS

    The following signals do NOT qualify as alarms but may be classified as "journal" or message signals:

    - Status change of switches through automatic sequence, i.e. starting or stopping pumps or opening/closing valves as normal (on/off) control behaviour.

    - Status changes of switches manually initiated by panel operators such as a maintenance override switch / bypass switch, manual trip command etc.

    - Status change of operating mode by automatic sequence or manual initiation, e.g. TSA (Temperature Swing Adsorbers) sequence.

    - Status change of control mode by automatic sequence or manual initiation, i.e. MANUAL-AUTO, AUTO-CASCADE.

    Generally, system alarms shall not be alarmed in the DCS, unless deemed critical for Operator action. However, if the maintenance override switch / bypass switch is located and operated outside the control room, its initiation shall be alarmed. A common bypass alarm shall be sent to the DCS.

  • 4. ALARM MANAGEMENT PROCESS

    Alarm systems are part of the safety systems of process plants. They indicate undesired or potentially unsafe situations to the operator. Alarms are always linked to human follow-up. Therefore, the foremost principle when designing or reviewing alarm systems is recognition of the human factors involved. A human is generally not capable of dealing with huge information overloads. The human may also make mistakes or act too late. Therefore human intervention should only be assumed to provide a limited reduction of risks.

    The alarm management process is intended to guide users to a safe, cost effective and consistent design and implementation of alarms in an instrumentation system (DCS, IPF panels, F&G panels, local panels etc.).

    The overall objective of the alarm management system is to provide the operator with:

    - an adequate set of warning facilities during normal operation;

    - the ability to recognise the most important alarms during upsets; and

    - adequate guidance to perform corrective action,

    whilst minimising, as far as is reasonably practicable:

    - standing alarms;

    - nuisance alarms;

    - chattering alarms;

    - alarm floods.

    In an ideal situation the few alarms that occur are understood and handled properly by the operator. Each of these alarms is genuine, not duplicated and not repetitive, and calls for an action for which the operator has sufficient time, even during plant upset or trip situations.
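    Added worked example (not part of PTS 32.30.60.19): the Python below, written for this page, scans a DCS alarm journal for three of the four problems listed above, using the figures the definitions give: chattering alarms (three or more transitions within one minute), stale alarms (24 hours or more in the alarm state, whose count is the standing alarm figure) and alarm floods. The PTS defines a flood only as more alarms than the operator can manage, so the threshold of more than 10 new alarms in 10 minutes is an assumption of this example. The journal format, tags and timestamps are constructed; a real DCS export would need its own parser.

```python
"""Added example (not part of PTS 32.30.60.19): scan a DCS alarm journal for the
problems the alarm management process is meant to minimise: chattering alarms,
stale (standing) alarms and alarm floods. The journal below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed burst: 11 alarms from different tags within two minutes.
_BURST = "\n".join(
    f"2012-09-01 14:{i // 6:02d}:{(i % 6) * 10:02d} XV-{400 + i} ALM FLT"
    for i in range(11)
)

# Constructed journal, one record per line: "<date> <time> <tag> <ALM|RTN> <condition>"
JOURNAL = """\
2012-09-01 08:00:00 LI-101 ALM HI
2012-09-01 08:00:12 LI-101 RTN HI
2012-09-01 08:00:25 LI-101 ALM HI
2012-09-01 08:00:40 LI-101 RTN HI
2012-09-01 08:00:52 LI-101 ALM HI
2012-09-01 08:05:00 PI-205 ALM HH
2012-09-01 08:06:00 TI-310 ALM HI
2012-09-01 08:06:30 TI-310 RTN HI
2012-09-02 09:00:00 FI-120 ALM LO
2012-09-02 09:30:00 FI-120 RTN LO
""" + _BURST + "\n"

# Time at which the journal was pulled (constructed).
LOG_END = datetime(2012, 9, 2, 10, 0, 0)

# Assumed flood threshold (not stated in the PTS): more than this many new alarms
# in a 10-minute window is treated as a flood.
FLOOD_THRESHOLD = 10


def parse_journal(text):
    """Return a list of (timestamp, tag, state, condition) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, tag, state, cond = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), tag, state, cond))
    return events


def chattering_tags(events, window_s=60, min_crossings=3):
    """Tags with >= min_crossings ALM/RTN transitions inside any window_s seconds
    (the PTS definition: three or more crossings within one minute)."""
    by_tag = defaultdict(list)
    for t, tag, _, _ in events:
        by_tag[tag].append(t)
    found = set()
    for tag, times in by_tag.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if (t - t0).total_seconds() <= window_s)
            if n >= min_crossings:
                found.add(tag)
                break
    return sorted(found)


def stale_alarms(events, now, stale_hours=24):
    """(tag, condition) pairs still in alarm at `now` for stale_hours or more.
    Their count is the standing alarm figure."""
    active = {}
    for t, tag, state, cond in sorted(events):
        if state == "ALM":
            active.setdefault((tag, cond), t)  # start of the current alarm episode
        elif state == "RTN":
            active.pop((tag, cond), None)
    return sorted(k for k, t in active.items()
                  if now - t >= timedelta(hours=stale_hours))


def peak_alarm_rate(events, window_min=10):
    """Largest number of new alarms (ALM records) in any sliding window."""
    alm = sorted(t for t, _, state, _ in events if state == "ALM")
    peak = 0
    for i, t0 in enumerate(alm):
        n = sum(1 for t in alm[i:] if t - t0 <= timedelta(minutes=window_min))
        peak = max(peak, n)
    return peak


def report(journal_text=JOURNAL, now=LOG_END):
    """Summarise the journal in the terms the PTS uses."""
    events = parse_journal(journal_text)
    stale = stale_alarms(events, now)
    peak = peak_alarm_rate(events)
    return {
        "chattering": chattering_tags(events),
        "stale": stale,
        "standing_count": len(stale),
        "peak_10min_rate": peak,
        "flood": peak > FLOOD_THRESHOLD,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

    On the constructed journal LI-101 is reported as chattering, LI-101 HI and PI-205 HH are stale (two standing alarms), and the burst at 14:00 gives a peak of 11 alarms in 10 minutes, above the assumed flood threshold. The chattering and stale lists are the starting point for the Bad Actor review described later in this section.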

    A process plant typically requires the following types of alarms:

    Process alarms Trip (IPF) alarms F&G alarms Common alarms from packaged units Diagnostic alarms (from SIS, DCS, Fieldbus etc.)

    Not all alarms and messages should necessarily be routed to the operator. Other

    recipients of alarms and messages, such as DCS/SIS maintenance engineer, should also be considered. The alarm management / rationalisation study should therefore also consider the various alarm recipients, their availability etc.

    When the configuration of an existing installation is reviewed, it is also necessary to

    balance the effort expended in the review against the potential improvements to be gained. In practice, this means that the process starts by identifying the Bad Actors of alarms followed by the highest priority of alarms and so forth.

The assigned alarm priorities in the DCS are only used to distinguish between the kinds of activity to be executed.

PTS 32.30.60.19, September 2012

The alarm management process covers the design and maintenance activities from philosophy to management of change. The process is useful in identifying the requirements and roles for implementing an alarm management system. The process flowchart (Figure 1) shows the essential steps in implementing the alarm management system.

FIGURE 1 : ALARM MANAGEMENT PROCESS

(Flowchart; stage boxes as extracted: Philosophy / Policy / Manual; Identification; Rationalization; Design; Implementation & Training; Assessment; Maintenance / Performance Monitoring; MOC; Operation.)


4.1 ALARM MANAGEMENT PHILOSOPHY

An Alarm Management Philosophy is required for all plants, both new and existing, as well as projects. Prior to designing a new alarm system or modifying an existing system, some basic groundwork is required. Generally the first step is the development of an alarm management philosophy that documents the objectives of the alarm system and the processes to meet those objectives. For new systems the alarm philosophy serves as the basis for the alarm system requirements specification.

The philosophy starts with the basic definitions and extends them to operational definitions using principles. The definitions of alarm priorities, classes, performance metrics, performance limits and reporting requirements are determined based on the objectives, definitions and principles. The schemes for presentation of alarm indications in the HMI, including the use of priorities, are also set in the alarm philosophy, which shall be consistent with the overall HMI design.

The philosophy specifies the processes used for each of the life cycle stages, such as the threshold for the management of change process and the specific requirements for change. The philosophy is maintained to ensure consistent alarm management throughout the life cycle of the alarm system.

4.2 IDENTIFICATION

In the identification stage, the alarms indicated on the P&ID or configured in the plant control system are evaluated. An alarm list shall be generated either from the instrument database or from the DCS. In addition, all HAZOP reports, IPF review reports and incident investigation reports shall be reviewed to identify the conditions that need to be protected by operator intervention.

4.3 ALARM RATIONALIZATION

Rationalization is the process of reconciling each individual alarm against the principles and requirements of the alarm philosophy. The exercise involves reviewing and documenting each alarm in the DCS or as indicated on the P&ID for the particular unit. In this process, the form in Appendix 1 shall be used to address the following questions:

1. What is the purpose of the alarm, i.e. what potential hazard or event is the alarm intended to prevent?
2. What are the causes of the alarm?
3. What action is required by the operator?
4. What are the consequences of the operator failing to respond to the alarm?
5. How quickly is the operator required to respond?
6. How long will it take for the operator's action to have the required effect?
7. How likely is it that the operator will be able to prevent the event or hazard?
8. Does the alarm comply with the agreed philosophy?

This information is critical to improving alarm clarity for the operator. Once the consequences and the response time have been documented, the alarm priority must be assigned based on the matrix of consequences versus priorities. The result will also be used to generate the alarm response documentation and in defining alarm retention.

The completed forms constitute the alarm narratives for the project/plant/OPUs. The overall alarm narratives shall be endorsed by the plant management as per clause 9.0. Documents / tools required for this exercise are:

1. Updated P&ID for the unit
2. Control and/or Safeguarding narratives, design documents
3. HAZOP and IPF Classification results
4. Updated DCS alarms, setpoints and tag list
5. Plant Historian (e.g. PIMS) database to view process trends

An Alarm Management Team (AMT) shall be formed, comprising:

    1. Alarm Management Team Leader (Operation Engineer) who shall monitor and manage the overall progress of the team.

    2. Alarm Management Coordinator/Facilitator (Instrument and Control Engineer) who shall facilitate the alarm rationalization process and compile and execute all the changes required.

    3. Operation and Process Technologist Representatives (Panel men/operator from 2 different shifts and Process Technology engineer) who shall discuss and rationalize the alarms.

4. Maintenance Subject Matter Representatives (Instrument and Control engineer/technician, Electrical and/or Mechanical engineer/technician) who shall support the review, especially for equipment-related alarms.

The AMT shall develop a detailed plan and schedule for the alarm rationalization review.

The process of alarm rationalization is as follows:

1. Use the DCS database and the P&ID-generated alarm database to determine the alarm parameters for the tag.
2. Also from the DCS database, review the most frequent alarms, if applicable.
3. From the P&ID, reconcile the selected DCS alarm tag.
4. Rationalize an alarm parameter by entering it into the Alarm Reference Database. The database shall be configured as per Appendix 1. Refer to narratives or other supporting documents to help determine the purpose, causes, corrective actions, consequences and finally the priority of the alarm.
5. Qualify the alarm parameter against the alarm guidelines (Section 5). If the alarm parameter does not meet the guidelines, decide what the required changes are.
6. Repeat steps (4) and (5) for each alarm parameter of the tag.
7. Continue with the next tag in the DCS database and/or on the P&ID until all the selected alarms for the unit have been reviewed.
8. Compile all the changes required and raise an MOC to obtain proper approvals.
9. Modifications shall be implemented by the instrument/control engineer.
10. An Alarm Review Form shall be printed from the Alarm Reference Database (e.g. FileMaker) and signed by the AMT (example format in Appendix 1). Every alarm shall be accompanied by an Alarm Review Form as per Appendix 1.


4.4 ALARM DESIGN

The design stage includes evaluation of the basic configuration of alarms in the DCS, the design of graphics and other HMI for alarms, and the advanced/intelligent methods for alarm management described in 4.4.2 (the use of an Alarm Management System, for example).

This process also includes obtaining feedback from operators, as well as defining the testing methods of the alarm system functions. In addition, one of the key deliverables of this stage is the Alarm Reference Database. This document identifies what the alarm is, how it is configured, why it is there, what the operator is supposed to do about it and what the consequences of failing to perform the actions are. Another key deliverable is the Operator Alarm Response Manual, as per Section 4.3.

Once the necessary approvals have been obtained, the new alarm configurations are implemented in the DCS. This process includes training for the operator and initial testing of the alarm system functions.

4.4.1 Setting of Alarm Setpoints

A full review of alarm setpoints and deadbands is a time-consuming exercise. However, experience has shown that alarm settings are too often set incorrectly, or even beyond the constraints of the process or equipment the alarm should protect. Each alarm setting and its rationale should therefore be re-established.

The general rule is that the alarm setpoint, i.e. the value at which it is activated, should be as far from the normal value as practicable whilst still giving adequate protection and ample operator response time.

Whenever an alarm setting is made, a number of questions should be answered and documented, as follows. See also Figure 2.

- At what value does a hazard or concern arise, i.e. what is the constraining value? This could be a relief valve setting, an IPF trip setting, an equipment design limit, a catalyst temperature limit, the pH at which corrosion accelerates, the temperature at which coke formation in the tubes accelerates, etc.
- What is the inaccuracy of the constraint? For example, a relief valve may already start to open at 99 % of its set pressure.
- How fast is the value likely to approach this point? This is the highest credible rate of change.
- How much time does the panel or field operator need to complete the actions that aim to reverse the process?
- How much will the process continue to rise following the completion of the operator action? This is the process dead time.
- How wide is the operating band under normal and routinely abnormal conditions?
- What is the expected inaccuracy of the sensor and receiving switch used to generate the alarm?
- What is the dead time of the sensor and signal processing?
- How many features (e.g. alarms, trips, relief valves) have to be fitted in the gap between the edge of the normal operating band and the constraining value at which a hazard or concern arises?

Figure 2 Parameters involved in establishing the alarm setting

In all cases the alarm shall be set such that:

- No alarm occurs within the normal process fluctuations and signal noise.
- There is sufficient operator response time.
- The process does not exceed the equipment or process constraint, assuming correct and timely operator action and a worst-case but credible process dead time.
- Uncertainties/inaccuracies in the equipment or process constraints are taken into account.
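The following Python is an added worked example, not part of PTS 32.30.60.19: it turns the Figure 2 questions into a calculation of the highest admissible high-alarm setpoint and of the lowest setpoint that stays clear of normal fluctuations and noise, reports when the two conflict (the situation covered by the options further below), and includes the square-law conversion behind the low-flow note. The dataclass, the function names and every number in EXAMPLE (a hypothetical vessel protected by a 10 barg relief valve) are assumptions chosen for illustration.

```python
"""Worked derivation of a high-alarm setpoint from the Figure 2 parameters (added example)."""
from dataclasses import dataclass


@dataclass
class HighAlarmInputs:
    """All values in engineering units (EU) of the measured variable; times in seconds. Hypothetical."""
    constraint: float             # value at which the hazard/concern arises (e.g. relief valve set pressure)
    constraint_inaccuracy: float  # fraction below the constraint at which it may already act (0.01 = acts at 99 %)
    max_rate: float               # highest credible rate of rise, EU per second
    operator_time_s: float        # time the panel/field operator needs to complete the corrective action
    process_dead_time_s: float    # time the PV keeps rising after the operator's action is complete
    sensor_dead_time_s: float     # dead time of the sensor and signal processing
    switch_inaccuracy: float      # maximum switching inaccuracy of the alarm, EU (e.g. 2 % of span)
    normal_high: float            # upper edge of the operating band incl. routinely abnormal conditions
    noise: float                  # signal noise above that edge that must not raise the alarm, EU


def latest_high_setpoint(p: HighAlarmInputs) -> float:
    """Highest setpoint that still lets correct, timely operator action keep the PV below the constraint."""
    effective_constraint = p.constraint * (1.0 - p.constraint_inaccuracy)
    # the PV keeps rising at the worst credible rate until the alarm is seen, the operator has acted
    # and the process has stopped responding (sensor dead time + operator time + process dead time)
    travel = p.max_rate * (p.sensor_dead_time_s + p.operator_time_s + p.process_dead_time_s)
    return effective_constraint - travel - p.switch_inaccuracy


def earliest_high_setpoint(p: HighAlarmInputs) -> float:
    """Lowest setpoint that does not alarm on normal process fluctuations and signal noise."""
    return p.normal_high + p.noise + p.switch_inaccuracy


def choose_high_setpoint(p: HighAlarmInputs):
    """Return (setpoint, (lowest, highest) feasible window); setpoint is None when the window is empty."""
    lo, hi = earliest_high_setpoint(p), latest_high_setpoint(p)
    if hi < lo:
        return None, (lo, hi)     # conflict: redesign, or accept one of the compromises in 4.4.1
    # general rule: as far from the normal value as practicable while still giving response time
    return hi, (lo, hi)


def dp_signal_fraction(flow_fraction: float) -> float:
    """Orifice/venturi flow is the square root of dP: a low-flow alarm at 10 % of flow range sits at 1 % of dP."""
    return flow_fraction ** 2


# Constructed figures for a vessel with a relief valve set at 10.0 barg (hypothetical, for illustration only)
EXAMPLE = HighAlarmInputs(
    constraint=10.0, constraint_inaccuracy=0.01,
    max_rate=0.01,                # 0.01 bar/s, i.e. 0.6 bar/min during the worst credible upset
    operator_time_s=300.0, process_dead_time_s=60.0, sensor_dead_time_s=5.0,
    switch_inaccuracy=0.2,        # 2 % of a 0-10 bar span
    normal_high=5.0, noise=0.1,
)

if __name__ == "__main__":
    sp, (lo, hi) = choose_high_setpoint(EXAMPLE)
    print(f"feasible window {lo:.2f}..{hi:.2f} barg -> setpoint {sp:.2f} barg")
    slow = HighAlarmInputs(**{**EXAMPLE.__dict__, "operator_time_s": 600.0})
    print("with a 10 min operator response:", choose_high_setpoint(slow))
    print("dP fraction at 10 % flow:", dp_signal_fraction(0.10))
```

With the constructed figures the constraint effectively acts at 9.9 barg, the PV can travel 3.65 bar while the alarm is seen and acted on, and the switching inaccuracy costs a further 0.2 bar, so the alarm may sit no higher than 6.05 barg; the normal band plus noise and inaccuracy puts the floor at 5.3 barg, and the general rule picks the upper value. Doubling the operator time to 600 s empties the window, which is exactly the conflict case the options below address.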

Note: Uncertainties/inaccuracies in the process measurement at the point of the desired alarm setting are taken into account. A particular consideration applies to low flow alarms where the flow measurement comes from a dP-based device such as an orifice plate or venturi meter. The measurement on the DCS appears linear, but the original input signal has a square-law (flow²) characteristic. This means that an alarm set at 10 % of flow range corresponds to only 1 % of the dP input signal, which could be defeated by a zero error arising from the meter or its process hook-up. On the other hand, under some circumstances a higher setting might increase the risk of nuisance alarms. The setting of low flow alarms therefore involves a balance between avoiding such alarms and retaining measurement accuracy.

    Another consideration applies to measurements that are influenced by specific properties of the medium such as the liquid and vapor density for dP and displacer type level measurements, the density for orifice type flow meters, etc. In these cases the worst case of all foreseeable operating modes including start-up and shutdown modes shall be considered.

If conflicts arise between the factors influencing the correct alarm setting, it may become impossible to find an acceptable alarm setting. In these cases there are the following options:

- Redesign the process / equipment. This is the most desirable but often impractical solution.
- Set the alarm at a level closer to the normal operating conditions, and accept that spurious alarms will occur under some operating conditions. This option reduces confidence in the alarm and affects the probability that the operator will initiate the required actions in the event of a genuine alarm. This is the least desirable option.
- Set the alarm at a level closer to the constraint, and accept that the operator may not have enough time to prevent the hazardous event in all cases (e.g. in the event of a rapid upset). This option does not reduce confidence in the alarm, but affects the probability that the operator will complete the required action in time.

As well as defining the alarm setting, the expected accuracy of the switch point shall also be defined (e.g. 210 °C ± 2 °C). The switching inaccuracy is the maximum allowable difference between the actual process parameter and the alarm setting at the moment the alarm is activated. It includes the inaccuracy of the sensor, signal processing, switch amplifier, A/D converter etc. The inaccuracy does not include any possible dynamic effects whereby the measurement lags behind the actual process parameter.

A typical accuracy would be 2 % of instrument span.


4.4.2 Intelligent Alarm Management

Intelligent alarm management techniques should be applied to enhance the effectiveness of alarm handling by operators, as well as to prevent alarm flooding, especially in the event of a process upset. Intelligent alarm management, however, needs to be properly studied and evaluated prior to implementation, since its misapplication could mask a critical alarm event and lead to an unfavourable situation.

There are various intelligent alarm management techniques available. For repeating or fleeting alarms, the following methods should be used:

4.4.2.1 Optimizing the alarm deadband for analogue measurements

The alarm hysteresis deadband should be carefully selected for each individual alarm. The deadband should be set according to the type of measurement and its application (e.g. a narrow deadband should be set for a measurement with a slow response time, such as temperature). The DCS default value is typically 1 % of range; this should be verified or readjusted on a case-by-case basis.

Deadbands shall be specified in engineering units for improved resolution. Typically the values shall be as per Table 1.

Table 1 - Typical deadband values

Type of Process Variable | Deadband equivalent to
Flow                     | 5 % of span
Level                    | 5 % of span
Liquid Pressure          | 5 % of span
Gas Pressure             | 2 % of span
Temperature              | 1 % of span or 2 °C, whichever is less

4.4.2.2 Increasing the delay timer for digital measurements to reduce intermittent signals

The common values shall be as per Table 2.

Table 2 - Default signal filter time constants

Type of Process Variable | 1st order time constant | De-bouncer timer (digital signals)
Flow                     | 2 s                     | 15 s
Level                    | 2 s                     | 60 s
Liquid Pressure          | 1 s                     | 15 s
Gas Pressure             | 1 s                     | 15 s
Temperature              | 0 s                     | 60 s
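The following Python is an added example, not code from the PTS or from any DCS vendor: it simulates a high alarm with a hysteresis deadband and a digital alarm with a de-bouncer timer over constructed sample data, counting how often each would annunciate with and without the Table 1 and Table 2 settings, and includes a discrete first-order lag for the Table 2 time constants. The sample values, the 80 % setpoint, the 1 s scan and the function names are assumptions.

```python
"""Hysteresis deadband and digital de-bounce, as added worked examples for 4.4.2.1 and 4.4.2.2."""


def first_order_filter(samples, tau_s, period_s):
    """Discrete first-order lag with time constant tau_s (Table 2). tau_s = 0 returns the raw samples."""
    if tau_s <= 0:
        return list(samples)
    alpha = period_s / (tau_s + period_s)
    out, y = [], samples[0]
    for x in samples:
        y += alpha * (x - y)
        out.append(y)
    return out


def high_alarm_states(samples, setpoint, deadband):
    """High alarm that activates at the setpoint and clears only once the PV is a full deadband below it."""
    active, states = False, []
    for pv in samples:
        if not active and pv >= setpoint:
            active = True
        elif active and pv < setpoint - deadband:
            active = False
        states.append(active)
    return states


def debounced_states(signal, period_s, on_delay_s):
    """Digital alarm raised only after the input has been continuously true for on_delay_s (de-bouncer timer)."""
    run, states = 0, []
    for bit in signal:
        run = run + 1 if bit else 0
        states.append(bit and run * period_s >= on_delay_s)
    return states


def count_activations(states):
    """Number of off-to-on transitions, i.e. how many times the alarm would annunciate."""
    return sum(1 for prev, cur in zip([False] + states, states) if cur and not prev)


# Constructed data: a level PV (0-100 % span) hovering around its 80 % high alarm, sampled every 1 s
LEVEL_PV = [78, 81, 79, 82, 78, 83, 77, 84, 90, 92, 70, 60]
SPAN = 100.0
# Constructed pump-running contact that bounces before settling, sampled every 1 s
RUN_CONTACT = [False, True, False, True, True, False, True, True, True, True, True, False]


def chatter_comparison():
    """Activations of the level alarm without a deadband vs. with the Table 1 level value (5 % of span)."""
    return (count_activations(high_alarm_states(LEVEL_PV, 80.0, 0.0)),
            count_activations(high_alarm_states(LEVEL_PV, 80.0, 0.05 * SPAN)))


def debounce_comparison():
    """Activations of the digital alarm with no de-bounce vs. a 3 s on-delay."""
    return (count_activations(debounced_states(RUN_CONTACT, 1.0, 0.0)),
            count_activations(debounced_states(RUN_CONTACT, 1.0, 3.0)))


if __name__ == "__main__":
    print("level alarm activations (no deadband, 5 % deadband):", chatter_comparison())
    print("digital alarm activations (no delay, 3 s delay):", debounce_comparison())
    print("level PV through a 2 s lag:", [round(v, 1) for v in first_order_filter(LEVEL_PV, 2.0, 1.0)])
```

On the constructed level trace the alarm chatters four times without a deadband and annunciates once with the 5 % value; the bouncing contact annunciates three times without a delay and once with a 3 s on-delay. Neither helps with an alarm whose setpoint sits inside the normal operating band, which is a setpoint problem (4.4.1), not a deadband problem.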

Other techniques require more detailed study and may also be implemented. The following describes the most accepted methods:

4.4.2.3 Shelving

Shelving is a facility whereby an alarm is temporarily inhibited by the operator, to prevent a nuisance alarm from being displayed. This technique requires easy operator access to a list of shelved alarms and an un-shelving facility. Shelved alarms shall be automatically un-shelved at a predetermined time before the shift changeover. The time at which alarms are automatically un-shelved shall be determined by the OPUs. The maximum number of shelved alarms per operator should be 30.

    4.4.2.4 Static Alarm Suppression

    Static alarm suppression is used to suppress alarms which are always active but not relevant for a particular process unit or major equipment when it is shutdown for maintenance. This technique requires the configuration of soft keys to activate logic which will disable/enable the particular group of alarms in the unit or equipment.

    Operators often find alarm systems difficult to manage when relatively large numbers of alarms are permanently or semi-permanently activated. There is the risk of any new alarm remaining unnoticed and the standing alarms cannot be "meaningful" to the operator. In order to minimise the number of standing alarms, static alarm suppression is required. Care has to be taken in grouping the tags to be suppressed. Sometimes there are tags within a section that Operations prefers to watch and alarm even when the rest of the unit is down, e.g. charge drum vacuum or pressure.

    Alarms that are always active when a process unit or a large piece of equipment is shut down are statically suppressed.

    Static alarm suppression shall be implemented on one plant section, process unit or equipment item at any one time. Static suppression shall never rely on manual selection only. A redundant process signal shall always be part of the suppression logic to confirm that the unit/equipment is out of service and to remove the suppression when it is put back in service. Only after the manual suppression command and the suppression permissive states have been met shall static alarm suppression be allowed.

    Process signals that are part of permissive logic shall be redundant so that there is no single point of failure that could lead to the inadvertent suppression of alarms or to leaving alarms inadvertently suppressed.

Voting shall be such that:

- Two or more independent process measurements are used, such as the feed to a column, a tray temperature or a valve position.
- Correlated measurements with a high probability of common cause failure (e.g. a plugged line) are not used.
- Deadbands are used on the voting permissives (i.e. the independent process measurements) to prevent mode cycling.
- Signals with bad PVs are excluded from voting.

Switching on the static alarm suppression shall only be possible when the defined process permissive is met. These conditions differ for each alarm suppression group. The static suppression shall be automatically switched off, and a message to the operator generated, when the defined process conditions are no longer satisfied.

Figure 3 Static Alarm Suppression

Alarms generated in the DCS from analogue inputs that are suppressed through this functionality shall remain visible to the operator in the individual tag faceplate on the process graphics (e.g. as a blue measurement). The actual alarm condition is not annunciated (in general no buzzer, no entry in the alarm list, no alarm to the printer; system or measurement faults are not visible). The alarm status, however, is still available on the individual tag's faceplate.

When the alarm suppression for a group is released, the suppressed alarms are not regenerated (no buzzer, no flashing etc.).

When defining static alarm suppression groups, the following data shall be recorded:

- Static Alarm Suppression Group and Group descriptor: a reference tag name of the group and a group descriptor to allow reference and proper administration.
- Permissive: a Boolean statement with the (DCS) tags and conditions (signals) that have to be "true" to permit the static suppression to be switched ON. This includes the condition (alarm, H alarm, LL alarm etc.).
- Static Suppression Group: the list of instrument tags to be suppressed.

NOTES:

1. The static alarm suppression may not differentiate between H, L or LL alarms, Bad PV etc. All alarms associated with the listed tag number may be suppressed. This is done to prevent alarms being generated due to maintenance activities on the shut-down section.

EXAMPLE: What are the consequences of a block valve leaking, allowing undetected flow into the idle equipment/process? If they are undesirable, the high pressure alarm should be left active.
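The following Python is an added example and is not from the PTS: a static suppression group whose permissive is voted from three independent, deadbanded measurements with bad PVs excluded, that switches on only when both the manual command and the permissive are present, releases itself with a message when the permissive is lost, keeps suppressed alarms on the faceplate only, and does not regenerate them on release. Column C-100, the tag numbers, limits and scan values are hypothetical, and the rule that every good signal must agree and at least two must be good is this example's reading of the redundancy requirement above.

```python
"""Static alarm suppression with a redundant, deadbanded permissive (added example for 4.4.2.4)."""
from dataclasses import dataclass


@dataclass
class Permissive:
    """One 'unit is out of service' vote: PV below limit, with hysteresis so the vote does not cycle."""
    tag: str
    limit: float
    deadband: float
    state: bool = False

    def update(self, pv):
        if pv is None:            # bad PV: this signal is excluded from the vote
            return None
        self.state = (pv <= self.limit + self.deadband) if self.state else (pv < self.limit)
        return self.state


class StaticSuppressionGroup:
    def __init__(self, name, permissives, suppressed_tags, min_good_votes=2):
        self.name = name
        self.permissives = permissives             # independent measurements, not correlated ones
        self.suppressed_tags = set(suppressed_tags)
        self.min_good_votes = min_good_votes
        self.active = False
        self.seen_while_suppressed = set()

    def permissive_met(self, pvs):
        """True only if at least two good signals exist and every good signal confirms the unit is down."""
        votes = [p.update(pvs.get(p.tag)) for p in self.permissives]
        good = [v for v in votes if v is not None]
        return len(good) >= self.min_good_votes and all(good)

    def step(self, manual_command, pvs, alarm_conditions):
        """One scan. Returns (alarms routed to the alarm list, alarms on the faceplate only, messages)."""
        messages = []
        met = self.permissive_met(pvs)
        if not self.active and manual_command and met:
            self.active = True                      # manual command AND permissive
            messages.append(f"{self.name}: static suppression ON")
        elif self.active and not met:
            self.active = False                     # released automatically, operator is told
            messages.append(f"{self.name}: static suppression OFF, permissive no longer satisfied")
        annunciated, faceplate_only = [], []
        for tag in sorted(alarm_conditions):
            if self.active and tag in self.suppressed_tags:
                faceplate_only.append(tag)
                self.seen_while_suppressed.add(tag)
            elif tag in self.seen_while_suppressed:
                faceplate_only.append(tag)          # on release, existing alarms are not regenerated
            else:
                annunciated.append(tag)
        self.seen_while_suppressed &= set(alarm_conditions)   # forget alarms once they clear
        return annunciated, faceplate_only, messages


def run_scenario():
    """Constructed shutdown of column C-100 (tags, limits and values are hypothetical)."""
    group = StaticSuppressionGroup(
        "C-100",
        [Permissive("FI-101", limit=2.0, deadband=1.0),      # feed flow, t/h
         Permissive("TI-110", limit=60.0, deadband=5.0),     # tray temperature, degC
         Permissive("ZI-120", limit=5.0, deadband=2.0)],     # reboiler steam valve position, %
        suppressed_tags=["FI-101.L", "TI-110.L", "LI-140.L"],   # PI-130.H deliberately left active
    )
    scans = [   # (manual command, process values, alarm conditions present this scan)
        (True, {"FI-101": 40.0, "TI-110": 120.0, "ZI-120": 55.0}, {"TI-105.H"}),           # unit running
        (True, {"FI-101": 0.5, "TI-110": 40.0, "ZI-120": 0.0}, {"FI-101.L", "TI-110.L", "PI-130.H"}),
        (True, {"FI-101": 0.5, "TI-110": None, "ZI-120": 0.0}, {"FI-101.L", "TI-110.L", "PI-130.H"}),
        (True, {"FI-101": 10.0, "TI-110": None, "ZI-120": 0.0}, {"TI-110.L", "LI-140.L"}),   # feed back in
    ]
    return [group.step(cmd, pvs, alarms) for cmd, pvs, alarms in scans]


if __name__ == "__main__":
    for scan, result in enumerate(run_scenario(), 1):
        print(scan, result)
```

In the scenario the manual command is present throughout, but suppression only switches on once the unit is down (scan 2); a bad tray temperature in scan 3 drops one vote without releasing suppression because two good signals still agree; feed returning in scan 4 releases it, the still-active low temperature alarm stays on the faceplate rather than re-sounding, and a new alarm (LI-140.L) annunciates normally. The high pressure alarm PI-130.H is never in the group, following the leaking block valve example.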

4.4.2.5 Dynamic Alarm Suppression

Dynamic alarm suppression is used to suppress alarms following a trip or process upset. The first alarm in a defined group is triggered, shown in the alarm list and printed on the alarm printer, with subsequent alarms in the group suppressed. This minimizes the number of alarms appearing following a trip, thus eliminating alarm flooding and helping the operator respond better to the alarm.

A soft switch shall be provided to enable dynamic alarm suppression. Triggers shall be redundant (i.e. a confirmed trigger) so that there is no single point of failure that could lead to the inadvertent suppression of alarms or to leaving alarms inadvertently suppressed.

NOTE: A trigger is usually not the trip transmitter exceeding the trip setting but rather the trip command to the unit or equipment, i.e. the soft signal internal to the safety PLC. However, the trip may fail partly or completely, so a confirmation of the trip action is required to trigger suppression. For example, not only the compressor trip command is used as the trigger but also the running contact as confirmation.

Trigger voting shall be such that:

- Two or more independent process measurements are used, such as the feed to a column, a tray temperature or a valve position.
- Correlated measurements with a high probability of common cause failure (e.g. a plugged line) are not used.
- Deadbands are used on the voting permissives (i.e. the independent process measurements) to prevent mode cycling.
- Signals with bad PVs are excluded from voting.

Dynamic suppression will be automatically turned off after a configurable time period (default 30 min) or when all trigger alarms return to normal. See Figure 4.

    Figure 4 Dynamic Alarm Suppression

A timer is started when the first of the group's trigger alarms is received. Once the timer has expired, any new alarm in the group will sound the buzzer, but existing alarms will remain suppressed. If the new alarm is a trigger, it restarts the timer, reinstating a further (30 min) period of dynamic suppression. The operator can choose to manually suppress the alarm group at this time, by means of static alarm suppression, if appropriate. However, the grouping for static alarm suppression is not necessarily the same as the grouping for dynamic alarm suppression. The alarm state sequence diagram for alarms that are in a dynamic alarm suppression group is shown in Figure 5.

    Figure 5 Dynamic Suppression Alarm State Diagram

The performance of the alarm suppression logic shall be such that it suppresses subsequent alarms within 4 s after the trigger. This is the time for the trip system to respond to a trip condition, for the final elements to reach their safe position and for the process response to generate the next alarm. The available 4 s includes signal transmission via gateways and the various nodes on the control system network. For alarms that come faster after a trigger, part of the suppression logic may have to be implemented in the IPS, using the "first-up" signal as the trigger.

The process graphics will show the actual alarm condition for all suppressed alarms. The condition of auto-suppressed trip alarms is also visible on the Cause & Effect matrix graphics. Where triggers are trip initiators, the trigger shall be disabled when the MOS is switched ON. Likewise the dynamic alarm check shall be disabled for that point.

If an alarm in a group is not generated even though it is expected to come on as a consequence of a trip, a common fault alarm is raised to the operator. This is a common alarm for the group, not one related to each suppressed alarm. If the operator wishes to know which alarm did not come on, the alarm suppression graphic will have to be consulted.

    NOTE: This fault alarm is also available when the dynamic alarm suppression is not enabled.

When dynamic alarm suppression groups are defined, the following data shall be recorded:

- Dynamic alarm group name and description: the dynamic alarm suppression group is usually a subset of the tags associated with the equipment safeguarding system (a UZ block). The group name should be selected to show the relation with the system, e.g. 016UZ-250.
- Delay before alarm-on check: the Delay Before Alarm On Check (the delay the control system allows before checking whether all expected alarms, marked dynamic, have in fact been activated) is to be 60 seconds greater than the largest individual Time for Alarm to Come Up among the dynamically suppressed alarms. Each and every alarm tag marked with a cross in the dynamic box should always alarm when each and every trigger is activated.
- Dynamic suppression switch-off delay: the Dynamic Suppression Switch Off Delay should always be 1800 s unless the Delay Before Alarm On Check is 1800 s or more.
- Dynamic grouping comments: comments may be added to clarify particular issues for future reference.
- Dynamic suppressed tag numbers: for each of the dynamically suppressed tag numbers the following is to be recorded:
  - Tag number and service description as taken from the tag number database
  - A check box indicating whether the tag number also serves as a trigger
  - A check box indicating whether the alarm needs to be dynamically checked
  - Time for Alarm to Come Up: the time when the alarm is expected to be activated after the system trigger (seconds). If the time is less than 4 s, the remark "Fast suppression logic required" is to be added, as discussed above.

NOTES:

1. Group trigger alarms will almost always be trip alarms or drive failure indicators. If the group trigger is not an alarm (e.g. a motor running status) and also not in the database, the tag should be added. All new trigger tags added that are not alarms should be record-only.

2. In some instances dynamic suppression will need to be applied to groups not related to a particular equipment safeguarding system. For these cases a new dynamic suppression group tag number shall be defined. The tag may be based upon sequence logic blocks (KS blocks) or on the major trigger tag for a group. For example, if the major trigger tag for a group not related to a safeguarding system was 214LZA555, then the dynamic suppression group tag could be 214UL555 (U standing for Multivariable).

3. A trigger alarm can be suppressed. However, the actual trigger shall not be suppressed.
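The following Python is an added example, not from the PTS: a dynamic suppression group with the confirmed trigger of the note above (trip command plus running contact), the 1800 s switch-off delay that restarts on a repeated trigger, the rule that new alarms after expiry annunciate while existing ones stay suppressed, the Delay Before Alarm On Check raising a common fault alarm for expected alarms that did not come up, and a listing of members that need IPS first-up logic because they are expected within 4 s. The group tag 016UZ-250 follows the naming in the text; the member tags, their Time for Alarm to Come Up values and the scan sequence are hypothetical.

```python
"""Dynamic alarm suppression group: confirmed trigger, switch-off timer, alarm-on check (added example)."""
from dataclasses import dataclass, field


def confirmed_trigger(trip_command, running_contact):
    """The trip command alone is not a trigger: the running contact must also confirm the drive has stopped."""
    return bool(trip_command) and not running_contact


@dataclass
class DynamicSuppressionGroup:
    name: str
    members: dict                      # member alarm tag -> Time for Alarm to Come Up (s); None = not checked
    switch_off_delay: float = 1800.0   # Dynamic Suppression Switch Off Delay, default 30 min
    enabled: bool = True               # operator soft switch
    active: bool = False
    prev_confirmed: bool = False
    trigger_time: float = None
    expires_at: float = None
    check_done: bool = True
    suppressed: set = field(default_factory=set)

    def check_delay(self):
        """Delay Before Alarm On Check: 60 s more than the largest Time for Alarm to Come Up."""
        return max((s for s in self.members.values() if s is not None), default=0) + 60

    def fast_logic_required(self):
        """Members expected within 4 s of the trigger need the suppression implemented in the IPS (first-up)."""
        return sorted(t for t, s in self.members.items() if s is not None and s < 4)

    def step(self, now, trip_command, running_contact, new_alarms, active_alarms):
        """One scan. Returns (alarms annunciated this scan, messages to the operator)."""
        annunciate, messages = [], []
        confirmed = confirmed_trigger(trip_command, running_contact)
        rising = confirmed and not self.prev_confirmed
        self.prev_confirmed = confirmed
        if rising:
            self.trigger_time, self.check_done = now, False    # the check runs even with suppression disabled
            if self.enabled:
                if not self.active:
                    messages.append(f"{self.name}: dynamic suppression ON")
                self.active = True
                self.expires_at = now + self.switch_off_delay   # a repeated trigger restarts the timer
        elif self.active and (now >= self.expires_at or not confirmed):
            self.active = False                                  # timer expired or trigger back to normal
            messages.append(f"{self.name}: dynamic suppression OFF")
        for tag in sorted(new_alarms):
            if self.active and tag in self.members:
                self.suppressed.add(tag)          # shown on graphics/faceplate only: no buzzer, no list entry
            else:
                annunciate.append(tag)            # trigger alarm, non-member, or a new alarm after expiry
        self.suppressed &= set(active_alarms)     # still-active alarms stay suppressed; cleared ones are forgotten
        if not self.check_done and now >= self.trigger_time + self.check_delay():
            self.check_done = True
            missing = sorted(t for t, s in self.members.items() if s is not None and t not in active_alarms)
            if missing:
                messages.append(f"{self.name}: common fault, expected alarm(s) not raised: {missing}")
        return annunciate, messages


def run_scenario():
    """Constructed compressor trip; the group tag follows the text's 016UZ-250 naming, other tags are hypothetical."""
    g = DynamicSuppressionGroup("016UZ-250",
                                {"PI-251.L": 2, "FI-252.L": 3, "TI-253.L": 30, "XA-254": None})
    scans = [  # (time s, trip command, running contact, alarms newly raised this scan, alarms active)
        (0, True, True, {"016UZ-250.TRIP"}, {"016UZ-250.TRIP"}),                  # trip command only
        (1, True, False, set(), {"016UZ-250.TRIP"}),                                # running contact drops
        (3, True, False, {"PI-251.L", "FI-252.L"}, {"016UZ-250.TRIP", "PI-251.L", "FI-252.L"}),
        (91, True, False, set(), {"016UZ-250.TRIP", "PI-251.L", "FI-252.L"}),      # TI-253.L never came up
        (1802, True, False, {"XA-254"}, {"016UZ-250.TRIP", "PI-251.L", "FI-252.L", "XA-254"}),
    ]
    log = [(now, *g.step(now, cmd, run, new, active)) for now, cmd, run, new, active in scans]
    return g, log


if __name__ == "__main__":
    g, log = run_scenario()
    for entry in log:
        print(entry)
    print("fast logic required for:", g.fast_logic_required(), "still suppressed:", sorted(g.suppressed))
```

The trip alarm itself is shown at t = 0 but suppression only starts at t = 1 when the running contact confirms the trip; the two fast consequential alarms are suppressed; at t = 91 (largest expected time 30 s plus 60 s) the missing TI-253.L raises the group's common fault alarm; at t = 1802 the 1800 s timer has expired, so the new XA-254 sounds while the two earlier alarms stay suppressed. PI-251.L and FI-252.L are expected within 4 s and are listed as needing IPS first-up logic.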

4.4.2.6 Dynamic Mode Dependent Alarm Settings

    Dynamic mode dependent alarm setting may be required to further reduce the meaningless alarm rate. Mode dependent alarm settings may be required where systems have distinct operational modes that require distinct alarm settings. This is for instance the case for furnaces having a normal mode and a decoke mode. Also the burner management system may have Oil firing mode, a Gas firing mode and a dual firing mode. A dryer will have an operating and a regeneration mode. A crude distiller may have different alarm settings depending on the crude being processed. With dynamic mode dependent alarm settings, the alarm settings of analogue or digital points are changed according to the detected mode of operation or are available in the form of batch recipes in the case of sequential (batch) programming. The mode switching is detected from a set of process parameters and may also involve a manual switch.

    Figure 6 Dynamic Mode Dependent Alarm Settings

Upon a detected mode change, the new set of alarm settings is automatically downloaded into the DCS point. These new settings apply until the next mode change is detected or the dynamic mode dependent alarm setting enable switch is disabled. When disabled, the default set of settings is downloaded into the DCS point automatically. See Figure 6.

    Sensors used for mode detection shall be redundant (i.e. a confirmed mode) so that there is no single point of failure that could lead to the inadvertent alteration of alarm settings or to leaving alarms inadvertently incorrect.

Mode detection voting shall be such that:

- Two or more independent process measurements are used, such as the feed to a column, a tray temperature or a valve position.
- Correlated measurements with a high probability of common cause failure (e.g. a plugged line) are not used.
- Deadbands are used on the voting permissives (i.e. the independent process measurements) to prevent mode cycling.
- Signals with bad PVs are excluded from voting.

If none of the defined modes is detected (e.g. because of conflicting mode signals), the default mode shall be selected automatically. The default mode settings table contains the most conservative alarm settings, i.e. those settings that would alarm on approaching a constraint in any mode: for high alarms the lowest of all mode settings, and for low alarms the highest. Obviously this could lead to many spurious alarms.

Dynamic mode dependent alarm settings shall not be applied to IPFs and their pre-alarms, since these settings are based on excursions from safe operating envelopes, which should not be mode dependent. Where pre-alarms are also used to alarm excursions from the normal operating envelope, they may have dynamic mode dependent alarm settings.

Alarm setting changes (each mode change) shall be logged in the DCS for each point.

When dynamic mode dependent alarm setting groups are defined, the following data shall be recorded:

- Mode dependent alarm setting group tag name and descriptor: a reference tag name of the group and a group descriptor to allow reference and proper administration. The group name and description should give a reference to the system (e.g. furnace) having different operating modes.
- Various mode names and descriptors: a reference tag name of the mode and the operating mode name to allow reference and proper administration.
- Permissive and comments: for each mode, a Boolean statement with the (DCS) tags and conditions (signals) that have to be "true" or "false" to detect the mode switch to be made. This includes the condition (alarm, H alarm, LL alarm etc.). Conditions may include timers to limit the time during which a particular mode may be on.
- Mode dependent alarm setting group with default settings: a list of the instrument tags (and attributes such as L, HH etc.) to be manipulated, including the default settings.
- Alarm settings for each defined mode: a list of alarm settings for each instrument tag defined in the dynamic alarm settings group. Such a list should be prepared for each mode of operation defined in the list of operating modes.
- Comments: comments may be added for each instrument tag to clarify particular issues for future reference.

The lists of the various modes, the mode dependent alarm setting group, the alarm settings for each defined mode and the comments are best combined in tabular form, with the instrument tags listed vertically in the first column and the default and mode dependent settings in subsequent columns.
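The following Python is an added example and not the PTS's own: a mode dependent alarm setting group for a furnace with NORMAL and DECOKE modes, each detected from two independent measurements, a default mode computed as the most conservative setting per point (lowest H, highest L), automatic fallback to the default when no single mode is detected or the facility is disabled, a per-point change log, and a check that no IPF pre-alarm tag has been placed in the group. Furnace F-100, its tag numbers, permissives and settings are hypothetical.

```python
"""Dynamic mode dependent alarm settings with a conservative default mode (added example for 4.4.2.6)."""
from dataclasses import dataclass, field

HIGH_ATTRS = {"H", "HH"}


@dataclass
class ModeDependentGroup:
    name: str
    modes: dict          # mode name -> permissive: function(pvs) -> bool, built from redundant signals
    settings: dict       # mode name -> {(tag, attr): alarm setting}
    ipf_prealarm_tags: set = field(default_factory=set)   # IPF pre-alarms are never mode dependent
    enabled: bool = True
    current_mode: str = "DEFAULT"
    log: list = field(default_factory=list)               # (time, (tag, attr), mode, setting)

    def ipf_violations(self):
        """Keys that would change an IPF pre-alarm setting; such a group must not be commissioned."""
        return sorted({k for table in self.settings.values() for k in table if k[0] in self.ipf_prealarm_tags})

    def default_settings(self):
        """Most conservative per key: lowest of the high-type settings, highest of the low-type settings."""
        out = {}
        for table in self.settings.values():
            for key, sp in table.items():
                pick = min if key[1] in HIGH_ATTRS else max
                out[key] = pick(out.get(key, sp), sp)
        return out

    def detect_mode(self, pvs):
        """Exactly one permissive true -> that mode; none, or conflicting signals -> DEFAULT."""
        matched = [m for m, permissive in self.modes.items() if permissive(pvs)]
        return matched[0] if len(matched) == 1 else "DEFAULT"

    def active_settings(self):
        return self.default_settings() if self.current_mode == "DEFAULT" else self.settings[self.current_mode]

    def update(self, now, pvs):
        """Download a new settings table on a mode change and log every point that changed."""
        mode = self.detect_mode(pvs) if self.enabled else "DEFAULT"
        if mode != self.current_mode:
            self.current_mode = mode
            for key, sp in sorted(self.active_settings().items()):
                self.log.append((now, key, mode, sp))
        return self.current_mode


def furnace_group():
    """Constructed furnace F-100 with NORMAL and DECOKE modes; tags, limits and settings are hypothetical."""
    return ModeDependentGroup(
        "F-100-MODES",
        modes={
            # each mode is detected from two independent measurements, not from one
            "NORMAL": lambda pv: pv["FI-102"] > 50 and pv["FI-103"] < 5,    # feed in, decoke steam off
            "DECOKE": lambda pv: pv["FI-102"] < 5 and pv["FI-103"] > 10,    # feed out, decoke steam on
        },
        settings={
            "NORMAL": {("TI-101", "H"): 850.0, ("FI-102", "L"): 40.0},
            "DECOKE": {("TI-101", "H"): 700.0, ("FI-102", "L"): 2.0},
        },
        ipf_prealarm_tags={"TI-199"},    # tube skin pre-alarm feeding the IPF: excluded from mode switching
    )


def run_scenario():
    g = furnace_group()
    modes = [g.update(0, {"FI-102": 60, "FI-103": 0}),      # NORMAL
             g.update(100, {"FI-102": 3, "FI-103": 15}),     # DECOKE
             g.update(200, {"FI-102": 3, "FI-103": 2})]      # no mode matches -> DEFAULT
    return g, modes


if __name__ == "__main__":
    g, modes = run_scenario()
    print(modes, g.default_settings())
    for entry in g.log:
        print(entry)
```

The default table is what the text prescribes: the tube temperature high alarm takes the DECOKE value (700) and the feed low alarm the NORMAL value (40), so in the default mode a normally operating furnace alarms early on temperature and a decoking furnace alarms continuously on feed flow, which is the spurious-alarm cost the text accepts in exchange for never missing a constraint.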

    4.4.2.7 Alarm Suppression in Batch Operations

    A special class of suppression is commonly found in sequential control programs, e.g. for batch operations. Such programs should follow a standard way of enabling / disabling alarms that can be expected to occur.

    EXAMPLE:
    - Start pump
    - Wait until flow reaches alarm value + x %
    - Enable low flow alarm
    - ...
    - Disable low flow alarm
    - Stop pump

    4.5 IMPLEMENTATION

    Implementation is the stage where the design is put into service. This process includes training for the operator and initial testing of the alarm system functions. This process is one step in addressing alarm clarity.

    4.6 OPERATION

    Operation is the stage when the alarm is in service and effectively reporting abnormal conditions to the operator.

    4.7 PERFORMANCE MONITORING

    Performance monitoring is the periodic collection and analysis of data from alarms in the operation life cycle stage. Without monitoring, it is almost impossible to maintain an effective alarm system. This process shall be automated to take place frequently. Monitoring is the primary method to detect problems such as nuisance alarms, stale alarms, and alarm floods.

    The DCS vendor Alarm Management Software shall be used as the tool for this process. A systematic review shall be conducted to analyze the most frequent alarms logged by the Alarm Management Software. The review process is detailed as follows.

    4.3.1.1 Most Frequent Alarms Review Nuisance Alarm Reduction

    Repeating alarms, i.e. the same alarm raising and clearing repeatedly over a period, may be generated in several ways, e.g. noise on a process variable when it is near an alarm setting, real high frequency fluctuations of a process variable, or repeated action of on-off control loops.

    The intent of this review is to analyze and quickly eliminate repeating alarms, especially alarms due to faulty equipment or incorrect settings. This review shall be conducted every two weeks as part of the AMT work process. A list of the most frequent alarms shall be generated and discussed during the review. The review process shall follow Figure 1a:

    [Fig 1a: Alarm Review Flowchart (flowchart image not reproduced; node labels: Start; Select Most Frequent Alarms; Review DCS/Alarm Setting/Alarm Deadband; Faulty Equipment (Yes/No); Actual Process; Change Effect Safety / products (Yes/No); Alarm Setting Change via MOC; Alarm Rationalization Process; SAP)]

    1. Select the most frequent alarm and determine the cause(s) and originating equipment.

    2. Based on the cause(s), determine the action that must be taken to eliminate or reduce the alarm occurrence, e.g.:
       a. If it is due to faulty equipment, the Shift Supervisor is to raise a notification in SAP.
       b. If normal operation is near the alarm setting, consider reducing the alarm deadband or changing the alarm setting, only if this does not affect the process safety time.

    3. Qualify the alarm against the alarm guidelines described in Section 3. If the alarm parameter does not meet the guidelines, decide what the required changes are.

    4. Continue to review the most frequent alarms.

    5. Compile the rest of the changes required and raise an MOC to get the proper approvals.

    6. Modifications shall be implemented by the Instrument/Control Engineer as per the configuration guidelines.

    7. Data on each Alarm Review Form shall be updated into the Alarm Reference Database.

    4.8 MAINTENANCE

    Maintenance is a necessary step in the alarm life cycle. The process measurement instrument may need maintenance or some other component of the alarm system may need repair. The repair frequency could be scheduled or determined by monitoring. Periodic testing is also a maintenance function. During the maintenance stage, when the alarm is not in operation, the panel operator shall have alternative means of being alerted. Every plant shall have a documented testing philosophy and written test procedures for testing of alarms. As a minimum, Urgent alarms shall be tested during every DOSH shutdown. In the event that the alarm requirement has been identified through IPF Studies, the required testing frequency shall be followed. Every test shall be recorded with the date of test, the unique alarm tag, personnel who have conducted the test, the approving authority and the results of the test.

    4.9 ASSESSMENT

    Assessment is a periodic audit of the alarm system and the alarm management processes detailed in the alarm management philosophy. The assessment may determine the need to modify processes, the philosophy or the design guidance, or the need to improve the organization's discipline in following the processes.

    4.10 MANAGEMENT OF CHANGE

    Management of Change is the structured process of approval and authorization to make additions, modifications, and deletions of alarms from the system. Changes may be identified by many means, including operator suggestions and monitoring. The change process should feed back to the identification stage to ensure that each change is consistent with the alarm philosophy.

    Changing the setting or configuration of alarms may alter many aspects of the operator's task in responding to them. This may, in turn, require corresponding changes to schematic displays, operating procedures or other work practices so that overall consistency is maintained. As such, any changes (new, modify or delete) to alarm setpoints and priorities must be initiated through MOC. Prior to approval of the MOC, an Alarm Review Form must be filled in for each change. This is to ensure that:

    1. The alarms are justified and properly designed with respect to setpoint, priority and associated displays.

    2. The impact on existing logic design and multiple operator displays due to the changes in the alarm settings is extensively reviewed prior to implementation.

    3. Data on each Alarm Review Form shall be updated into the Alarm Reference Database.

    4.11 ALARM MANAGEMENT PROCESS LOOPS

    The alarm management process flowchart of Figure 1 shows the relationship between the major stages. Included are three loops with significant importance in alarm management. These loops maintain and improve the alarm system.

    4.11.1 MONITORING AND MAINTENANCE LOOP

    The operation-monitoring-maintenance loop is the daily or weekly process of analyzing the monitored data to determine what unauthorized changes have been made and what instruments need to be repaired. This process can be simple or very complex depending on the automation systems or safety systems used.

    4.11.2 MONITORING AND MANAGEMENT OF CHANGE LOOP

    The management of change loop is a less frequent, but very necessary, process of identifying changes to the alarm system based on analysis of the monitored data. Changes may be identified through other means as well, such as operator suggestions. Changes to nuisance alarms may be initiated through monitoring. Through monitoring, alarm floods may also be identified. The management of change process can be used to implement advanced alarm management techniques to suppress the alarm floods. There is no set frequency for this loop: it happens on demand.

    4.11.3 ASSESSMENT LOOP

    The assessment-philosophy loop is a 5-year periodic audit of the implementation of the alarm philosophy and all of the processes described there. Through audits on training and alarm response, improvements in alarm clarity can be identified, as well as changes to the processes and alarm philosophy.

    4.12 ALARM DOCUMENTATION

    An Alarm Reference Database shall be established using readily available and user friendly database software, e.g. Filemaker. The alarm database shall be updated quarterly to show the latest alarm settings as configured in the DCS.

    Each completed Alarm Review Form and the changes made shall be updated into the database. A history of the changes made to each alarm parameter shall be available via this database.

    A full set of alarm system documentation (similar to an IPF requirements specification according to PTS 32.80.10.12) shall be kept as built, containing:

    - Overall alarm philosophy
    - The alarm template definitions
    - Alarm settings, rationale and related constraints
    - Alarm narratives resulting from the alarm studies
    - The decision: alarm or IPF?
    - Alarm suppression design, permissives, etc.

    Where possible, the use of automatic documentation tools from the DCS Alarm Management Software is encouraged.

    4.13 ALARM HISTORY RETENTION

    The alarm history shall be retained for not less than one year.

    5. PRIORITY ASSIGNMENT

    The primary purpose of prioritization is to make it easier for the operator to identify important alarms when a number of them occur together. In assigning the priority of an alarm, these factors must be considered:

    1. The severity of the consequences (in safety, environmental and economic terms) of the Operator failing to take the corrective action associated with the alarm.

    2. The time available (from the onset of the alarm setpoint) and required for the corrective action to be performed and to have the desired effect.

    In essence, the prioritization of an alarm shall be based on the expected consequences that the operator can prevent by responding appropriately to it.

    When performing an alarm review and/or alarm rationalization, the team shall use the Alarm Prioritization Risk Matrix (Appendix 2) and follow the steps below:

    1. Determine the hazards that may occur if corrective action is not taken in response to an alarm.

    2. Identify the safety, environmental and economic consequences of the hazards.

    3. Determine the response time available to the panel man before the hazards occur.

    4. Assign the alarm priority based on the RAM.

    Note that there may be mitigation systems upstream of the alarm, for example relief valves or emergency shutdown systems, which are designed to prevent the hazards from occurring.

    In order for prioritization to be effective, the relative frequency of occurrence of the different alarm priorities should reduce with increased priority. Thus, during system design, alarms should be configured with the following priority distribution:

    Table 3 Priority Settings

    Priority | Percentage of total configured alarms
    Urgent   | a target of 5% and no more than 10%, or 2 to 3 emergency alarms per piece of major equipment
    High     | a target of 10% and no more than 20%
    Low      | the rest, i.e. a target of 85% and no less than 70%

    6. BENCHMARKING, PERFORMANCE METRICS AND REPORTING

    Benchmarking provides a means of:

    1. Measuring the effectiveness of the alarm system as it stands
    2. Defining the required degree of improvement
    3. Measuring the degree of improvement actually achieved.

    The benchmark asks a number of important questions about the alarm system configuration and behavior, and includes a questionnaire of the operators on their experience of the alarm system.

    Typically, the following are measured:

    1. Number of standing alarms in normal operation
    2. Number of alarms per operator
    3. Number of alarms per control loop
    4. Number of alarms per protected event
    5. Ratio of emergency : high : low priority alarms
    6. New alarm rate in normal operation
    7. New alarm rate in a typical disturbance
    8. Number of chattering alarms

    To acquire this information, the use of independent, plant DCS vendor based Alarm Management Software is recommended. There is also a requirement to analyze events during some typical disturbances, where the Alarm Management Software provides the distinct advantage of an automatic alarm data collection and analysis tool. The results from this benchmark would indicate which of the two improvement steps previously discussed is needed. Success criteria of the initiative will be derived from the benchmarking result above. A selection of alarm performance metrics shall be used to measure the performance of PETRONAS DCS alarm systems. The metrics shall include:

    1. Average alarm rate per 10 minutes, per hour and per day
    2. Peak alarm rate per 10 minutes
    3. Percentage of 10 minute periods in a day with fewer than 5 alarms

    The metrics data shall be compared to the EEMUA benchmark to continually assess PETRONAS alarm systems performance.

    For a plant in steady state or stable operation, the average alarm rate per 10 minutes will determine the following risks and categorization (from EEMUA recommendations):

    Table 4 Steady State Alarm Rates

    Average alarm rate in steady-state operation, per 10 minute period | Acceptability categorization   | Performance and risk
    More than 10 alarms                                                | Very likely to be unacceptable | Inefficient / High risk
    More than 5 but less than 10                                       | Likely to be over-demanding    | Medium performance and risk
    More than 2 but less than 5                                        | Possibly over-demanding        |
    1 or more but less than 2                                          | Manageable                     |
    Less than 1 alarm                                                  | Very likely to be acceptable   | Efficient / World Class, Low risk

    For a plant experiencing an upset, the number of alarms displayed in the 10 minutes following the upset will determine the following risks and categorization (from EEMUA recommendations):

    Table 5 Alarm Rates During Upset Conditions

    Number of alarms displayed in 10 minutes following a major plant upset | Acceptability categorization                                                                                  | Performance and risk
    More than 100 alarms                                                   | Definitely excessive and very likely to lead to the operator abandoning use of the system                     | Inefficient / High risk
    20-100                                                                 | Hard to cope with                                                                                             | Medium performance and risk
    10-20                                                                  | Possibly hard to cope with                                                                                    |
    Under 10                                                               | Should be manageable                                                                                          |
    Less than 1 alarm                                                      | Very likely to be acceptable but may be difficult if several of the alarms require a complex operator response | Efficient / World Class, Low risk

    The metrics shall be calculated from alarm data captured in the Alarm Management System, using the Frequency Analysis and Alarm Rates modules. Hence, it is critical to ensure that the Alarm Management System is continuously capturing alarms from the DCS.

    Monthly Alarm System Performance reports shall be generated through the Alarm Management System, and shall include the alarm activity trend over the month, the most active points and the distribution of alarm priorities. A summary report for all areas shall also be generated.
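The following is an added example, not part of PTS 32.30.60.19 or of any vendor's Alarm Management Software, that computes the three Section 6 metrics from an alarm journal, classifies the steady-state rate against the Table 4 bands, and produces the most-frequent-alarm ranking that the Section 4.7 review starts from. The journal format (ISO timestamp, tag.attribute, event) and every line in it are constructed; the handling of values that fall exactly on a Table 4 boundary is an assumption noted in the code.

```python
# Added example (not part of PTS 32.30.60.19): Section 6 metrics and the
# Section 4.7 most-frequent-alarm ranking from a constructed alarm journal.
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed one-hour journal: ALARM = alarm raised, RTN = returned to normal.
# FI-201.L chatters in the first ten minutes; only raises are counted.
ALARM_JOURNAL = """\
2012-09-03T08:00:12 FI-201.L ALARM
2012-09-03T08:00:40 FI-201.L RTN
2012-09-03T08:01:05 FI-201.L ALARM
2012-09-03T08:01:30 FI-201.L RTN
2012-09-03T08:02:30 FI-201.L ALARM
2012-09-03T08:03:00 FI-201.L RTN
2012-09-03T08:04:10 FI-201.L ALARM
2012-09-03T08:05:00 TI-105.H ALARM
2012-09-03T08:06:00 FI-201.L RTN
2012-09-03T08:08:45 PI-300.HH ALARM
2012-09-03T08:12:00 FI-201.L ALARM
2012-09-03T08:15:30 LI-400.L ALARM
2012-09-03T08:33:00 TI-105.H ALARM
2012-09-03T08:41:00 TI-105.H ALARM
2012-09-03T08:44:00 PI-300.HH ALARM
2012-09-03T08:47:00 LI-400.L ALARM
"""
WINDOW_START = datetime(2012, 9, 3, 8, 0)
WINDOW_END = datetime(2012, 9, 3, 9, 0)


def parse_journal(text: str) -> List[Tuple[datetime, str]]:
    """(timestamp, tag) for every alarm raise; RTN and other events are skipped."""
    events = []
    for line in text.splitlines():
        stamp, tag, event = line.split()
        if event == "ALARM":
            events.append((datetime.fromisoformat(stamp), tag))
    return events


def most_frequent(events, n: int = 20) -> List[Tuple[str, int]]:
    """Ranking used for the bi-weekly most frequent alarms review."""
    return Counter(tag for _, tag in events).most_common(n)


def counts_per_window(events, start, end, window=timedelta(minutes=10)) -> List[int]:
    """Alarm raises in each fixed window from start (inclusive) to end (exclusive)."""
    counts = [0] * int((end - start) / window)
    for stamp, _ in events:
        if start <= stamp < end:
            counts[int((stamp - start) / window)] += 1
    return counts


def performance_metrics(events, start, end) -> Dict[str, float]:
    """The three metrics of Section 6, scaled from the analysis window."""
    counts = counts_per_window(events, start, end)
    total, hours = sum(counts), (end - start).total_seconds() / 3600
    return {
        "avg_per_10min": total / len(counts),
        "avg_per_hour": total / hours,
        "avg_per_day": total / hours * 24,
        "peak_10min": max(counts),
        "pct_10min_under_5": 100.0 * sum(c < 5 for c in counts) / len(counts),
    }


# Table 4 bands. The table leaves exact boundary values open; this assumes
# a value on a boundary falls into the more demanding band.
STEADY_STATE_BANDS = [
    (10, "Very likely to be unacceptable"),
    (5, "Likely to be over-demanding"),
    (2, "Possibly over-demanding"),
    (1, "Manageable"),
]


def categorize_steady_state(avg_per_10min: float) -> str:
    for threshold, label in STEADY_STATE_BANDS:
        if avg_per_10min >= threshold:
            return label
    return "Very likely to be acceptable"
```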

    7. ALARM PRESENTATION

    7.1 The operating philosophy used in most control rooms is the Management by Awareness principle, where:

    - The panel operator will regularly need to scan overviews of process conditions, which may be presented by means of standard displays or custom graphics. Display structures and hierarchy shall be designed to facilitate this activity.

    - Situations requiring fast action by the panel operator are indicated by the DCS system through means of an alarm management system, with direct access to associated displays.

    To attract the operator's attention, in order for him to take corrective actions, the presentation of process graphics shall be carried out. In addition, the following table shall be applied.

    Situation                   | Background colour | Colour of the value
    In alarm but suppressed     | Soft white        | Blue
    Not in alarm but suppressed | Soft white        | Black

    7.2 The following should be considered when incorporating alarms into DCS operator displays:

    - Color coding for displays should be muted or altered such that the alarms' visual indicators are more salient and not masked by other color-coding.

    - On process graphics, blinking text should not be used to indicate unacknowledged alarms, as this makes it difficult for the operator to read the text. Alarms should be displayed by a changing box outline around the text or by using icons.

    The color of the box outline or icons shall change according to the condition below:

    Table 6 Alarm Colour Codes

    Alarm Priority | Unacknowledged     | Acknowledged
    Urgent         | Red (Blinking)     | Red (Static)
    High           | Orange (Blinking)  | Orange (Static)
    Low            | Magenta (Blinking) | Magenta (Static)

    8. AUDIBLE SIGNALS CONSIDERATIONS

    The audible presentation of alarm information should be designed such that the operator is more aware of alarms at higher priorities, providing a hierarchy of awareness from the highest to the lowest level of alarm.

    The audible alarm tone shall be clearly separated between plant areas (i.e. process and utility).

    9. TRAINING

    Training is a key area that induces change to improve human reliability and lower the probability of failures, particularly during abnormal situations.

    Training would generally be required under the following circumstances:

    1. Startup of a new system
    2. Implementation of alarm changes
    3. New operators
    4. Annual refresher

    Items for training:

    1. Alarm philosophy
    2. Alarm priority definitions
    3. Alarm presentation features
    4. Defined alarm responses
    5. Procedures for handling alarm floods
    6. Site MOC process as it relates to alarms
    7. Alarm setting audit and enforcement
    8. Performance metrics
    9. Alarm testing procedures

    Specific training on Urgent alarms shall be provided to Console Operators at a minimum frequency of once per year. Operators shall be tested on:

    1. Understanding of the alarms
    2. Mechanism of annunciation
    3. Consequence of missing the alarms
    4. Operator's response

    10. ROLES AND RESPONSIBILITIES

    Plant Manager
    - Approval of the Alarm Management Philosophy.
    - Review and approval of any future amendments to this philosophy.

    Manager, Operations
    - Approval of DCS alarm settings changes as per the MOC approval process.
    - Allocation of budget for the execution of alarm management activities, if required.
    - Responsible for the development of the alarm management strategy to reduce alarms to the world class benchmark.

    Manager, Maintenance
    - Responsible for the execution of the maintenance strategy to reduce alarms within the area.
    - Ensure the approval of notifications registered in SAP, i.e. requests for rectification work related to alarm management activities.
    - Allocation of asset maintenance manpower for the execution of alarm management activities, if required.

    Operation Engineer / Process Engineer
    - Responsible for leading the Alarm Management Team.
    - Responsible for the execution of the operation strategy to reduce alarms within the area.
    - Allocation of operation manpower for the execution of alarm management activities, if required.

    Shift Supervisor (SS)
    - Ensure all panel operators understand and follow their roles and responsibilities as outlined in this philosophy.
    - Notify in SAP any abnormal alarms and any alarms which result from an equipment failure.
    - Inform relevant parties (Maintenance, Instrument Engineer) if an alarm is overloading a particular operator.

    Panel Operator
    - React immediately to an alarm with the proper corrective action.
    - React immediately to the alarm with the highest priority.
    - Inform the SS if he is overloaded and unable to react to a particular alarm.
    - Inform the SS if there are any abnormal alarms.

    Instrument/Control Engineer
    - Monitor DCS system alarms and take corrective action immediately.
    - Propose solutions based on the inherent capabilities of the DCS to solve any alarm problems.
    - Execute the alarm changes required on the DCS as approved by MOC.
    - Lead any major changes on the DCS alarm system.
    - Update the alarm reference database with any Alarm Review Forms (generated either from alarm rationalization or from alarm review).
    - Generate and distribute the Alarm System Performance reports for each unit.
    - Generate and distribute the 20 most frequent alarms report for each area bi-weekly.

    Reliability Engineer
    - Responsible for reviewing the Alarm System Performance report for each Asset Team monthly.
    - Responsible for tracking alarm management activities based on the Alarm System Performance report for each Asset Team.

    11. REFERENCES

    Human Machine Interface in a Control Room: PTS 32.00.00.11
    Management of Change (Guidelines): PTS 60.2201
    Alarm Systems, A Guide to Design, Management and Procurement: EEMUA 191, 2007
    Management of Alarm Systems for the Process Industries: ANSI/ISA-18.02-2009

    APPENDIX 1: ALARM REVIEW FORM

    Alarm Review Form
    Author:   Issue Date:   Review Date:

    Instructions: The Alarm Review Form shall be filled up and agreed by the following minimum mandatory participants: Operations Engineer, Panel Operator, Process Engineer and Instrument Engineer. Complete all sections.

    IDENTIFICATION
    - Tag Number
    - Alarm Parameter
    - Tag Description
    - Alarm Setpoint (Current)
    - Alarm Setpoint (New)

    RATIONALIZATION
    - Purpose (list the purpose(s) of the alarm)
    - Causes (list the cause(s) or precursor(s) of the alarm and list any tags which may help in identifying the cause(s))
    - Corrective Actions (define the operator action required to return the process to normal)
    - Consequence (define the consequence(s) of the alarm event when no corrective action is taken to return the process to normal)

    PRIORITY
    Determine the priority of the alarm from the DCS Alarm Prioritization Matrix. Record the consequence and response below.

    Consequence Category | Consequence Class | Response Class
    Economics            |                   |
    Health and Safety    |                   |
    Environment          |                   |

    Resulting Priority:

    APPENDIX 2: DCS ALARM PRIORITIZATION RISK ASSESSMENT MATRIX

    Priority class by Response Class (rows) and Consequence Class (columns):

    Response Class (Available Response Time) | NEGLIGIBLE | LOW | MEDIUM | HIGH | EXTREME
    SHORT (< 5 mins)                         | L          | M   | E      | *E   | *E
    MEDIUM (5-15 mins)                       | L          | M   | M      | *E   | *E
    LONG (> 15 mins)                         | L          | L   | M      | *M   | *E

    Consequence Category (the cost bands for ECONOMICS are those of the definitions below):

    ECONOMICS         | No/Slight Effect (< USD10K) | Minor Effect (USD10K-100K) | Medium Effect (USD0.1M-1M) | Major Effect (USD1M-10M) | Extensive (> USD10M)
    HEALTH & SAFETY   | No/Slight Injury            | Minor Injury               | Major Injury               | Single Fatality          | Multiple Fatalities
    ENVIRONMENT       | No/Slight Effect            | Minor Effect               | Local Effect               | Major Effect             | Massive
    CONSEQUENCE CLASS | NEGLIGIBLE                  | LOW                        | MEDIUM                     | HIGH                     | EXTREME

    Legend: E = Emergency / Urgent / High; M = Medium; L = Low.

    Note: *M and *E denote priority classes that, when driven by Health & Safety and/or Environment consequences, shall be escalated to IPF Layer Classification.
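The following is an added example, not part of PTS 32.30.60.19, that encodes the Appendix 2 matrix as a lookup: it maps the available response time to a response class, takes the worst consequence class across the three categories, reads the priority cell, and flags IPF escalation only when a starred cell is driven by a Health & Safety or Environment consequence. The treatment of a response time of exactly 5 or 15 minutes is an assumption noted in the code.

```python
# Added example (not part of PTS 32.30.60.19): priority lookup against the
# Appendix 2 DCS Alarm Prioritization Risk Assessment Matrix.
from typing import Dict, List

CONSEQUENCE_CLASSES = ["NEGLIGIBLE", "LOW", "MEDIUM", "HIGH", "EXTREME"]

# Consequence descriptors per category, in increasing severity; the list
# index is the consequence class (0 = NEGLIGIBLE ... 4 = EXTREME).
CATEGORY_SCALES: Dict[str, List[str]] = {
    "ECONOMICS": ["No/Slight Effect", "Minor Effect", "Medium Effect",
                  "Major Effect", "Extensive"],
    "HEALTH & SAFETY": ["No/Slight Injury", "Minor Injury", "Major Injury",
                        "Single Fatality", "Multiple Fatalities"],
    "ENVIRONMENT": ["No/Slight Effect", "Minor Effect", "Local Effect",
                    "Major Effect", "Massive"],
}

# Matrix rows by response class; "*" marks cells subject to IPF escalation.
MATRIX: Dict[str, List[str]] = {
    "SHORT": ["L", "M", "E", "*E", "*E"],
    "MEDIUM": ["L", "M", "M", "*E", "*E"],
    "LONG": ["L", "L", "M", "*M", "*E"],
}
PRIORITY_NAMES = {"E": "Emergency / Urgent / High", "M": "Medium", "L": "Low"}


def response_class(available_minutes: float) -> str:
    """SHORT < 5 mins, MEDIUM 5-15 mins, LONG > 15 mins. Exactly 5 or 15
    minutes is placed in MEDIUM (assumption; the matrix does not say)."""
    if available_minutes < 5:
        return "SHORT"
    return "MEDIUM" if available_minutes <= 15 else "LONG"


def assign_priority(available_minutes: float, consequences: Dict[str, str]) -> dict:
    """consequences maps each category to one descriptor from CATEGORY_SCALES.
    The worst class across categories drives the lookup; an unknown
    descriptor raises ValueError from list.index."""
    classes = {cat: CATEGORY_SCALES[cat].index(consequences[cat]) for cat in CATEGORY_SCALES}
    worst = max(classes.values())
    drivers = [cat for cat, idx in classes.items() if idx == worst]
    rc = response_class(available_minutes)
    cell = MATRIX[rc][worst]
    # Escalation applies to starred cells only when Health & Safety or
    # Environment (not Economics alone) produced the worst class.
    escalate = cell.startswith("*") and any(cat != "ECONOMICS" for cat in drivers)
    return {
        "response_class": rc,
        "consequence_class": CONSEQUENCE_CLASSES[worst],
        "drivers": drivers,
        "priority": cell.lstrip("*"),
        "priority_name": PRIORITY_NAMES[cell.lstrip("*")],
        "escalate_to_ipf": escalate,
    }
```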

    ECONOMICS (Repair and Production Loss Expressed in USD)

    Consequence      | Description/Definition
    No/Slight Effect | Estimated cost less than USD10K or no disruption to unit production
    Minor Effect     | Estimated cost between USD10K to USD100K or brief disruption
    Medium Effect    | Estimated cost between USD0.1M to USD1M or partial shutdown, can be restarted
    Major Effect     | Estimated cost between USD1M to USD10M or partial operation loss
    Extensive        | Estimated cost more than USD10M or substa