Alarm Management
Meets SIS
Darwin E. Logerot
ProSys, Inc.
Presenter
Darwin E. Logerot
– Senior Consulting Engineer, ProSys, Inc., Houston TX
– ChE, LSU, 1973
– 40+ yrs in chemicals, petrochemicals and refining
– Process engineering, operations, project management, controls,
alarm management
– Joined ProSys in 2006
– Voting member, ISA 18 committee
About ProSys
ProSys is an innovative professional engineering firm
specializing in the area of process control.
Areas of Expertise
– Dynamic Alarm Management
– Operator Interface
– Boundary Management
– Basic Control
– Advanced Control and Optimization
– State Based Control
– Dynamic Simulation
– Control System IT Support
Presentation Goals
• SIS alarm requirements
• Alarm concepts applied
– What makes sense
– What doesn’t make sense
• A unified approach to alarming SIS
SIS Alarm Requirements
• How many alarms must be configured per the SIS
Standard (ISA-84 Part 1) for an SIF?
– Zero
• How many alarms must be configured per the AM
Standard (ISA-18.2) for an SIF?
– Zero
• How many alarms are necessary for an SIF to correctly
perform its function?
– Zero
• So, if nary a single alarm is actually required, what
alarms make sense?
Alarms that Make Sense
– True or False?
• It’s a good idea to provide a pre-alarm before an SIS
must trip to alert the operator of an impending trip
– True
This gives the operator an opportunity to prevent the trip, keeping
the plant running and reducing the demand frequency on the SIF
• Each transmitter in a voting arrangement should alarm
individually
– False
Are we trying to keep our plants operating safely or do we just
throw multiple alarms at the operator?
Alarms that Make Sense
– True or False?
• Pre-alarm should always be on the BPCS control or
indicator tag rather than the SIS transmitters
– False
Choice of where to put the pre-alarm is up to the facility, and it’s
a good idea to document this in the Alarm Philosophy
• Disagreements among redundant SIS transmitters and
between SIS and BPCS should be alarmed
– True
With this alarm in place, there is no need for a pre-alarm on more
than one transmitter
Alarms that Make Sense
– True or False?
• First out alarm indicating the reason for a trip is a good
idea
– True
IMHO (in my humble opinion), there is no better way to announce
to the operator that a trip has been initiated
• SIS valve moving to trip position should be alarmed
– False
Going to the trip position is the expected response to an SIS trip
– better, provide a failed to trip alarm, which makes noise if the
valve doesn’t work as expected
Alarms that Make Sense
– True or False?
• If the console operator initiates an SIS bypass, this
should be alarmed
– False
Although a common practice, this alarm adds little or nothing to
the integrity of the system: “Hey Joe/Mary/Sam/Samantha, you
just pressed a button!”
• If a field operator or maintenance technician initiates an
SIS bypass, this should be alarmed
– True
This may come as a surprise to the console operator, so it’s not a
bad thing to annunciate
Alarms that Make Sense
– True or False?
• SIS Bypass re-alarms are a good idea
– Neutral
Bypass and shift changeover procedures exist, but do we follow
them 100%? This is a facility decision. If used, re-alarm shortly
after shift change
• If a bypass is in place, an alarm on the SIS transmitter at
the trip point is a good idea
– False
Why give the operator an alarm that isn’t reliable or won’t be
believed? Find an alternative monitoring plan
Alarms that Make Sense
– Unified Approach
• Provide warning of an impending trip
• Provide notification of an actual trip
• Provide warnings when problems (malfunctions) exist
• Don’t over-alarm (one problem, one alarm)
• Don’t alarm console operator actions
• Ensure the integrity of alarms identified as independent
protection layers (IPL)
Alarms that Make Sense
– Unified Approach
The pre-alarm
– Warns that a trip might be imminent
– Which transmitter?
– Facility decision
– Good place is median, min or max of voting transmitters
– Control transmitter is usually where operator focuses attention, but it
may be part of the malfunction
– If operator response to an alarm is an IPL, this may dictate the
placement of the pre-alarm
– Alarm setting – as for any alarm, provide a comfortable margin
from operating point, but also consider time to respond before
the trip
– If no good setting can be found, consider no pre-alarm
Operator Response to Alarm is IPL
• IPL requirements can dictate the placement of the pre-
alarm
• Alarm should be easily recognizable as an IPL – some
designation in the tag description
• Defined response procedures in place
• Operators trained on recognition and response
• Be careful that IPL is not in the middle of an alarm flood
• Test it
• Max one alarm as IPL per SIF – unless redundant
instrument, redundant control system and second human
Alarms that Make Sense
– Unified Approach
The trip alarm
– Use first out if available – gives annunciation of the
trip and the reason for the trip in one alarm
– Use trip signal from SIS if no first out
– Not a good idea to alarm the causes at the trip point –
there are often multiple causes, and some of the trip
conditions can occur as a result of the trip
Alarms that Make Sense
– Unified Approach
• If the SIS performs as designed, pre-alarm and trip alarm
are the only alarms that should annunciate
Alarms that Make Sense
– Unified Approach
Failure mode alarms
– Fail to trip – one or more final elements did not change as
expected (usually a valve failed to close or a pump failed to stop) –
should be the highest priority available
– Fail to reset – one or more final elements did not move to the
operating position as expected – this is much less serious, but still an
alarm, probably lowest priority
– Transmitter deviations – one or more transmitters in a voting
scheme are not agreeing with the others – include the BPCS
transmitter also
Alarms that Make Sense
– Unified Approach
• Failure mode alarms
– Transmitter failure – one or more transmitters in a voting scheme
have failed – no or bad reading, or a reading outside the extended
range
– Various SIS system issues – depends on the SIS logic solver vendor
– be careful with these; they can be a source of multiple nuisance
alarms
• Caveat on failure alarms – if it can wait until Monday,
don’t annunciate it to the console operator, send it to
Maintenance if that route is available
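The trip alarm (first out) and the fail-to-trip / fail-to-reset alarms described on the preceding slides, worked through as a small monitor for one SIF. This is an added example, not code from the presentation or from ProSys; the valve tag, the stroke time and the sample sequence are constructed.

```python
"""Trip-side alarms for one SIF: a first-out trip alarm plus fail-to-trip and
fail-to-reset monitoring of the final element (slides 13 and 15).
Added example; the tag, stroke time and sample values are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TripMonitor:
    valve_tag: str
    stroke_time_s: float                  # max time for the valve to reach a commanded position
    first_out: Optional[str] = None       # latched cause of the current trip
    tripped: bool = False                 # SIS output is in the trip state
    cmd_changed_at: Optional[float] = None

    def update(self, now: float, causes: Dict[str, bool], reset_cmd: bool,
               in_trip_pos: bool) -> Dict[str, object]:
        """causes: trip conditions, e.g. {'2oo3_PVHH': True, 'LL_FLOW': False}.
        Returns the alarm states that should annunciate for this scan."""
        alarms: Dict[str, object] = {"TRIP": None, "FAIL_TO_TRIP": False, "FAIL_TO_RESET": False}
        active = [c for c, on in causes.items() if on]
        if active and not self.tripped:
            # First out: latch the cause that initiated the trip. Causes that
            # appear later are often consequences of the trip and are not
            # alarmed separately (one problem, one alarm).
            self.tripped, self.first_out, self.cmd_changed_at = True, active[0], now
        elif self.tripped and reset_cmd and not active:
            self.tripped, self.first_out, self.cmd_changed_at = False, None, now
        if self.tripped:
            alarms["TRIP"] = self.first_out   # one alarm carries the trip and its reason
        if self.cmd_changed_at is not None and now - self.cmd_changed_at > self.stroke_time_s:
            # The valve moving to the trip position is the expected response and is
            # not alarmed; only failing to reach the commanded position is.
            if self.tripped and not in_trip_pos:
                alarms["FAIL_TO_TRIP"] = True    # highest priority available
            if not self.tripped and in_trip_pos:
                alarms["FAIL_TO_RESET"] = True   # much less serious, lowest priority
        return alarms
```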
Alarms that Make Sense
– Unified Approach
[Diagram: unified alarm configuration for a 2oo3 voted SIF]
– SIS transmitters TT_XXX1, TT_XXX2, TT_XXX3; BPCS transmitter TT_YYY with controller TC_YYY
– Median of the three SIS transmitters: PVH Pre-Warning Alarm
– PVHH on each SIS transmitter into the 2oo3 Interlock Alarm, annunciated via First Out
– Redundant Instrument Deviation Alarm
– PVBAD Alarm, one for each transmitter
– System Health Alarms
– Field Bypass Alarm; Bypass Re-alarm at shift change
– Safety System Failed to Trip Alarm; Failed to Reset Alarm
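The input side of the unified configuration drawn above (pre-alarm on the median of the voting transmitters, 2oo3 trip vote, deviation alarm including the BPCS transmitter, one PVBAD alarm per transmitter) worked through for one scan. This is an added example, not code from the presentation or from ProSys; tag names, range limits, settings and readings are constructed.

```python
"""Input-side alarms for a 2oo3 voted high-high SIF, as drawn on the
unified-approach diagram. Added example; tags, ranges, settings and
readings are constructed."""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass
class Transmitter:
    tag: str
    pv: Optional[float]          # None = no reading from the transmitter
    lo_range: float = -10.0      # extended range limits used for PVBAD (assumed)
    hi_range: float = 110.0

    def bad(self) -> bool:
        """PVBAD: no reading, or a reading outside the extended range."""
        return self.pv is None or not (self.lo_range <= self.pv <= self.hi_range)


def evaluate(sis: List[Transmitter], bpcs: Transmitter,
             pvh: float, pvhh: float, dev_tol: float) -> Dict[str, object]:
    """Return the alarm states for one scan. pvh = pre-warning setting,
    pvhh = trip setting, dev_tol = allowed spread between transmitters."""
    alarms: Dict[str, object] = {}
    # One PVBAD alarm per transmitter, SIS and BPCS alike.
    alarms["PVBAD"] = [t.tag for t in sis + [bpcs] if t.bad()]
    good_sis = [t.pv for t in sis if not t.bad()]
    # Pre-alarm on the median of the voting transmitters, so one alarm
    # covers the SIF instead of one per transmitter.
    alarms["PRE_ALARM"] = len(good_sis) >= 2 and median(good_sis) >= pvh
    # 2oo3 vote on the trip setting. A bad transmitter does not vote here;
    # whether it should is a facility/vendor choice (an assumption).
    alarms["TRIP"] = sum(1 for v in good_sis if v >= pvhh) >= 2
    # Redundant-instrument deviation alarm: any good transmitter, including
    # the BPCS one, that strays from the median of the group.
    good_all = [t for t in sis + [bpcs] if not t.bad()]
    if len(good_all) >= 2:
        m = median([t.pv for t in good_all])
        alarms["DEVIATION"] = [t.tag for t in good_all if abs(t.pv - m) > dev_tol]
    else:
        alarms["DEVIATION"] = []
    return alarms
```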
Summary
• Avoid the falses – don’t alarm console operator actions,
avoid multiple alarms
• Obey the trues – provide a unified, sensible alarm
configuration
• Pre-alarm
• First Out
• Failure modes
• Honor IPLs
• Summarize rules in Alarm Philosophy
Alarm Management meets SIS
Questions?
Comments?