Alarm Management for Process Control: A Best-Practice Guide for Design, Implementation, and Use of Industrial … (Douglas H. Rothenberg)
Deviation alarm: An alarm generated when the difference between two analog values exceeds a set limit.
Disabled alarm: An alarm that is disabled by the operator such that the alarm will not be generated even though the base alarm condition is present. Uncontrolled disabling of alarms is not allowed.
…: This term is used to describe instrumented functions other than alarms. For example, …
Console: The interface for an operator to monitor the process.
Alarm priority: The level of importance assigned to an alarm within the alarm system to indicate importance (e.g. …).
Nuisance alarm: An alarm that transitions from the normal state to the alarm state more frequently than the response action is needed.
Operator: The primary person responsible for ensuring the process parameters are maintained within limits.
Dynamic alarming: The automatic modification of alarms based on process state or conditions.
Initiating event: A malfunction …
Rationalization: The review of a potential alarm against the principles of the alarm philosophy to establish and document the rationale and design requirements for the alarm.
Operator response time: The time between the annunciation of the alarm and when the operator takes the correct action in response to the alarm.
Plant state: A defined state of operation of a process plant (e.g. …).
Operator-set alarm: An alarm in which the setting may be manually adjusted by the operator to suit his needs.
Prioritization: The process of assigning to an alarm a level of importance.
Latching alarm: An alarm that remains in alarm state after the process has returned to normal and requires an operator action beyond acknowledgement before it will clear.
Out-of-service: A state that suppresses the alarm indication so that maintenance can be performed.
First-out alarm (first-up alarms): An alarm method …
Reset: The operator action that unlatches a latched alarm.
Stale alarm: An alarm that remains in the alarm state for 24 hours or more.
Standing alarms: A measure of the number of stale alarms.
Unacknowledged: An alarm in the alarm state which has not been acknowledged by the operator.
Suppress: To prevent the indication of the alarm to the operator when the base alarm condition is present.
Re-triggering alarm: An alarm that is automatically re-annunciated to the operator under certain conditions.
Shelve: To prevent the transmission of the alarm indication to the operator through a controlled methodology initiated by the operator. The controlled methodology shall be determined by the OPU.
Station: A single human machine interface within the operator console.
Return to normal: The alarm system indication that an alarm condition has transitioned to the normal state.
Terms listed without a recovered definition: Shift Superintendent, RAM, Alarm Management Team, Acknowledge or Acknowledged, Basic Process Control System, Clear, HMI, Safety Integrity Level, SIF.

"A Guide to Design, Management and Procurement" is widely accepted in the industry as the reference document for alarm management. The standard is in final review stage and is due for release in …. Pending the establishment of an international standard on alarm management, … Alarms are important in that they help the operator to monitor deviations from desired operating conditions which may lead to hazardous situations. Alarms help the operator to maintain the plant within a safe operating envelope.
In order to ensure that alarms remain relevant and helpful to the operator, … The general philosophy for configuring an alarm should be any one or more of the following:
Loop with controller: all alarms shall be configured in the controller block, inclusive of the analog input alarm.
Loop without controller: alarms shall be configured in the individual digital input or output block.
Common bypass alarms shall be sent to the DCS. Muting of alarms is not allowed.

The time available and required for the corrective action to be performed and to have the desired effect (Process Safety Time; refer to Figure 2). The severity of the consequences in safety … This time gap depends on the normal rate of change of the process value (e.g. …).

Alarms are always linked to human follow-up. A human is generally not capable of dealing with huge information overloads, and may also make mistakes or act too late. Therefore human intervention should only be assumed to provide a limited reduction of risk. In an ideal situation the few alarms that occur are understood and handled properly by the operator. Each of these alarms is genuine: they indicate undesired or potentially unsafe situations to the operator.

Not all alarms and messages should necessarily be routed to the operator. Other recipients of alarms and messages … (IPF panels, Fieldbus etc.). A process plant typically requires the following types of alarms: … The assigned alarm priorities in the DCS are only used to distinguish between the kinds of activity to be executed.

The alarm management process is intended to guide users to a safe … The process is useful in identifying the requirements and roles for implementing an alarm management system. This process flowchart shows the essential steps. The philosophy specifies the processes used for each of the life cycle stages. The overall objective of the alarm management system is to provide the operator with: … When the configuration of an existing installation is reviewed, … In practice, …
For new systems the alarm philosophy serves as the basis for the alarm system requirements specification. The result will also be used to generate alarm response documentation and in defining alarm retention. The philosophy is maintained to ensure consistent alarm management throughout the life cycle of the alarm system.
The philosophy starts with the basic definitions and extends them to operational definitions using principles, … the definition of alarm priorities, … In this process, … In addition, …

Prior to designing a new alarm system or modifying an existing system, … Generally the first step is the development of an alarm management philosophy that documents the objectives of the alarm system and the processes to meet those objectives. The exercise involves reviewing and documenting each alarm which exists in the DCS for the particular unit, … IPF review reports and incident investigation reports, to identify a list of conditions that need to be protected by operator intervention.

What is the purpose of the alarm (i.e. …)?
What are the causes of the alarms?
What action is required by the operator?
What are the consequences of the operator failing to respond to the alarm?
How quickly is the operator required to respond?
How likely is it that the operator will be able to prevent the event or hazard?
Does the alarm comply with the agreed philosophy?

Once the consequences and the response time have been documented, … This information is critical to improve alarm clarity to the operator. An alarm list is to be generated from the DCS. The schemes for presentation of alarm indications in the HMI … The overall alarm narratives shall be endorsed by the plant management as per clause 9. Every alarm shall be accompanied by an Alarm Review Form as per Appendix 1.
The process of alarm rationalization is as follows: … Alarm Management Team Leader: Operation Engineer, who shall monitor and manage the overall progress of the team. The AMT shall develop a detailed plan and schedule for the alarm rationalization review. … (also from the DCS database). Refer to narratives or other supporting documents to help determine the purpose. Qualify the alarm parameter against the alarm guidelines (Section 5). Rationalize an alarm parameter by entering it into the Alarm Reference Database. If the alarm parameter does not meet the guidelines, … Repeat steps 4 and 5 for each alarm parameter for the tag. … Compile all the changes required and raise an MOC to obtain proper approvals. …
The database shall be configured as per Appendix 1, using the DCS database. This document identifies what the alarm is … Whenever an alarm setting is made, … The general rule is that the alarm setpoint … This could be a relief valve setting. See also Figure 2. However, experience has shown that too often alarm settings are set incorrectly or even beyond the constraints of the process or equipment the alarm should protect. Each alarm setting and its rationale should therefore be re-established.

Figure 2: Parameters involved in establishing the alarm setting (the process dead time; the highest credible rate of change; …). In all cases the alarm shall be set such that: …

The design stage includes evaluation of the basic configuration of alarms in the DCS. One of the key deliverables of this stage is to develop the Operator Alarm Response Manual. Once the necessary approvals have been obtained, … This process includes training for the operator and initial testing of the alarm system functions. This process also includes obtaining feedback from operators.
The switching inaccuracy is the maximum allowable difference between the actual process parameter and the alarm setting at the moment the alarm activated. It includes the inaccuracy of the sensor, … The inaccuracy does not include any possible dynamic effects whereby the measurement lags behind the actual process parameter.

A particular consideration applies to low flow alarms. The measurement on the DCS appears linear, but the original input signal has a flow² characteristic. The setting of low flow alarms therefore involves a balance between avoiding such alarms and retaining measurement accuracy.

Another consideration applies to measurements that are influenced by specific properties of the medium, such as the liquid and vapor density for dP and displacer type level measurements. In these cases the worst case of all foreseeable operating modes, including start-up and shutdown modes, shall be considered.

If conflicts arise between the factors influencing the correct alarm setting, … In these cases there are the following options:
Accept that spurious alarms will occur under some operating conditions. This option reduces the confidence in the alarm and affects the probability that the operator would initiate the required actions in the event of a genuine alarm.
Accept that the operator may not have enough time to prevent the hazardous event in all cases (e.g. …). This option does not reduce the confidence in the alarm but affects the probability that the operator would complete the required action in time.
… This is the least desirable option. … This is the most desirable but often impractical solution. On the other hand, … Intelligent alarm management, however, …

As well as defining the alarm setting, … The alarm hysteresis deadband should be carefully selected for each individual alarm. The deadband should be set according to the type of measurement and its application. Deadbands shall be specified in engineering units for improved resolution. The common values shall be referred to as per Table 2. Table 2: …

For repeating or fleeting alarms, … There are various intelligent alarm management techniques available. The following describes the 3 most accepted methods: … Other techniques require more detailed study and may also be implemented.

Table 1: Default signal filter time constants
Type of process variable    1st order time constant    De-bouncer timer (digital signals)
Flow                        2 s                        15 s
Level                       2 s                        60 s
Liquid pressure             1 s                        15 s
Gas pressure                1 s                        15 s
Temperature                 0 s                        60 s
Typically the values shall be as per Table 1.

The maximum number of shelved alarms per operator should be …. This technique requires easy operator access to a list of shelved alarms and an unshelving facility. Shelved alarms shall be automatically unshelved at a predetermined time before the shift change over. The time to automatically unshelve the alarms shall be determined by OPUs.

Operators often find alarm systems difficult to manage when relatively large numbers of alarms are permanently or semi-permanently activated. There is the risk of any new alarm remaining unnoticed, and the standing alarms cannot be "meaningful" to the operator. In order to minimise the number of standing alarms, … Alarms that are always active when a process unit or a large piece of equipment is shut down are statically suppressed. This is done to prevent alarms being generated due to maintenance activities on the shut down section. Static alarm suppression shall be implemented on one plant section …. Care has to be taken in grouping the tags to be suppressed. Sometimes there are tags within a section that Operations prefers to watch and alarm even when the rest of the unit is down. When defining static alarm suppression groups, … What are the consequences of a block valve leaking? All alarms associated with the listed tag number may be suppressed. This includes the condition alarm (H alarm, LL alarm etc.) and the alarm status (Bad PV etc.). The actual alarm condition is not visible in general (no buzzer, …). If they are undesirable, … When the alarm suppression for a group is released, …

Static suppression shall never rely on manual selection only. Only after the manual suppression command and the suppression permissive states have been met shall static alarm suppression be allowed. These conditions differ for each alarm suppression group. Process signals that are part of permissive logic shall be redundant so that there is no single point of failure that could lead to the inadvertent suppression of alarms or to leaving alarms inadvertently suppressed. Voting shall be such that: …

Figure 4: Dynamic Alarm Suppression. Trigger voting shall be such that: …
Dynamic alarm suppression minimizes the number of alarms appearing following a trip. A soft switch shall be provided to enable dynamic alarm suppression. The first alarm in a defined group is triggered … This is a common alarm for the group. A trigger is usually not the trip transmitter exceeding the trip setting but rather the trip command to the unit or equipment. However, the trip may fail partly or completely, so that a confirmation of the trip action is required to trigger suppression. Triggers shall be redundant, i.e. … See Figure 4.

Dynamic suppression will be automatically turned off after a configurable time period (default 30 min) or when all trigger alarms return to normal. Once the timer has expired, any new alarm in the group will sound the buzzer, but existing alarms will remain suppressed. The operator can choose to manually suppress the alarm group. Likewise the dynamic alarm check shall be disabled for the point as well.

The performance of the alarm suppression logic shall be such that it suppresses subsequent alarms within 4 s after the trigger. The available 4 s includes signal transmission via gateways and various nodes on the control system network. For alarms that come faster after a trigger, … This is the time for the trip system to respond to a trip condition.

The process graphics will show the actual alarm condition for all suppressed alarms. If the operator wishes to know which alarm did not come on, … If an alarm in a group is not generated even though it is expected to come on as a consequence of a trip, … If the new alarm is a trigger, … The alarm state sequence diagram for alarms that are in a dynamic alarm suppression group is shown in Figure 5 (Figure 5: Dynamic Suppression Alarm State Diagram).

The focus of this work was addressing the complex human-system interaction and factors that influence successful performance for process operators.
Automation solutions have often been developed without consideration of the human that needs to interact with the solution.
In particular, alarms are intended to improve situation awareness for the control room operator, but a poorly configured alarm system does not achieve this goal.
The ASM Consortium has produced documents on best practices in alarm management, as well as operator situation awareness, operator effectiveness, and other operator-oriented issues. The ASM Consortium provided data from their member companies, and contributed to the editing of the guideline. Several institutions and societies are producing standards on alarm management to assist their members in the best practices use of alarms in industrial manufacturing systems.
Several companies also offer software packages to assist users in dealing with alarm management issues. Among them are DCS manufacturing companies, and third-party vendors who offer add-on systems. The fundamental purpose of alarm annunciation is to alert the operator to deviations from normal operating conditions, i.e. …
The ultimate objective is to prevent, or at least minimise, physical and economic loss through operator intervention in response to the condition that was alarmed. For most digital control system users, losses can result from situations that threaten environmental safety, personnel safety, equipment integrity, economy of operation, and product quality control as well as plant throughput.
A key factor in operator response effectiveness is the speed and accuracy with which the operator can identify the alarms that require immediate action. By default, the assignment of alarm trip points and alarm priorities constitutes basic alarm management.
Each individual alarm is designed to provide an alert when that process indication deviates from normal. The main problem with basic alarm management is that these features are static. The resultant alarm annunciation does not respond to changes in the mode of operation or the operating conditions.
When a major piece of process equipment like a charge pump, compressor, or fired heater shuts down, many alarms become unnecessary. These alarms are no longer independent exceptions from normal operation. They indicate, in that situation, secondary, non-critical effects and no longer provide the operator with important information. Similarly, during start-up or shutdown of a process unit, many alarms are not meaningful. This is often the case because the static alarm conditions conflict with the required operating criteria for start-up and shutdown.
In all cases of major equipment failure, start-ups, and shutdowns, the operator must search alarm annunciation displays and analyse which alarms are significant. This wastes valuable time when the operator needs to make important operating decisions and take swift action.
If the resultant flood of alarms becomes too great for the operator to comprehend, then the basic alarm management system has failed as a system that allows the operator to respond quickly and accurately to the alarms that require immediate action. In such cases, the operator has virtually no chance to minimise, let alone prevent, a significant loss. In short, one needs to extend the objectives of alarm management beyond the basic level.
It is not sufficient to utilise multiple priority levels because priority itself is often dynamic. Likewise, alarm disabling based on unit association or suppressing audible annunciation based on priority do not provide dynamic, selective alarm annunciation. The solution must be an alarm management system that can dynamically filter the process alarms based on the current plant operation and conditions so that only the currently significant alarms are annunciated.
The fundamental purpose of dynamic alarm annunciation is to alert the operator to relevant abnormal operating situations. They include situations that have a necessary or possible operator response to ensure: …
The ultimate objectives are no different from the previous basic alarm annunciation management objectives. Alarm management is usually necessary in a process manufacturing environment that is controlled by an operator using a supervisory control system, such as a DCS, a SCADA system or a programmable logic controller (PLC). Such a system may have hundreds of individual alarms that up until very recently have probably been designed with only limited consideration of other alarms in the system.
Since humans can only do one thing at a time and can pay attention to a limited number of things at a time, there needs to be a way to ensure that alarms are presented at a rate that can be assimilated by a human operator, particularly when the plant is upset or in an unusual condition. Alarms also need to be capable of directing the operator's attention to the most important problem that he or she needs to act upon, using a priority to indicate degree of importance or rank, for instance.
To ensure continuous production, a seamless service and perfect quality at any time of day or night, there must be an organisation in which several teams of people handle, one after the other, the events that occur.
This is more commonly called on-call management. On-call management relies on a team of one or more persons (site manager, maintenance staff) or on an external organisation (guards, telesurveillance centre). This transmission of alarm information will enable the on-call staff to be more mobile and more efficient, and will allow them to perform other tasks at the same time.
The techniques for achieving rate reduction range from the extremely simple ones of reducing nuisance and low value alarms to redesigning the alarm system in a holistic way that considers the relationships among individual alarms. This step involves documenting the methodology or philosophy of how to design alarms. It can include things such as what to alarm, standards for alarm annunciation and text messages, how the operator will interact with the alarms.
This phase is a detailed review of all alarms to document their design purpose, and to ensure that they are selected and set properly and meet the design criteria. Ideally this stage will result in a reduction of alarms, but doesn't always. The above steps will often still fail to prevent an alarm flood in an operational upset, so advanced methods such as alarm suppression under certain circumstances are then necessary. As an example, shutting down a pump will always cause a low flow alarm on the pump outlet flow, so the low flow alarm may be suppressed if the pump was shut down since it adds no value for the operator, because he or she already knows it was caused by the pump being shut down.
This technique can of course get very complicated and requires considerable care in design. In the above case for instance, it can be argued that the low flow alarm does add value as it confirms to the operator that the pump has indeed stopped.
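The dynamic suppression scheme described earlier (a trip command as trigger, a configurable window with a 30 min default, alarms already suppressed staying so after the timer expires, the actual condition still visible) together with the pump-trip low-flow case in the preceding paragraph, as an added Python model that is not from the page or from any vendor's DCS: tag names, limits, the shortened 60 s window and the scan timeline are constructed, and a simple on-delay timer stands in for the Table 1 de-bouncer.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AlarmPoint:
    tag: str
    kind: str               # "H" high or "L" low alarm
    limit: float            # alarm setting, engineering units
    deadband: float         # hysteresis: clears only once pv is past the limit by this much
    on_delay_s: float       # de-bounce: condition must persist this long before alarming
    in_alarm: bool = False  # actual condition; graphics show it even when suppressed
    _since: Optional[float] = None

    def update(self, pv: float, now: float) -> Optional[str]:
        """One scan; returns "ALARM" on normal->alarm, "RTN" on return to normal."""
        exceeded = pv < self.limit if self.kind == "L" else pv > self.limit
        cleared = pv > self.limit + self.deadband if self.kind == "L" else pv < self.limit - self.deadband
        self._since = self._since if exceeded else None   # on-delay restarts if the condition drops
        if self.in_alarm:
            if cleared:
                self.in_alarm = False
                return "RTN"
        elif exceeded:
            self._since = now if self._since is None else self._since
            if now - self._since >= self.on_delay_s:
                self.in_alarm = True
                return "ALARM"
        return None

@dataclass
class SuppressionGroup:
    members: frozenset
    window_s: float = 30 * 60              # configurable; the text's default is 30 min
    _triggered_at: Optional[float] = None  # None while the trip command is not active

    def set_trip(self, active: bool, now: float) -> None:
        self._triggered_at = (now if self._triggered_at is None else self._triggered_at) if active else None

    def suppresses(self, tag: str, now: float) -> bool:
        t0 = self._triggered_at
        return tag in self.members and t0 is not None and now - t0 <= self.window_s

class Annunciator:
    def __init__(self, points, groups):
        self.points, self.groups = {p.tag: p for p in points}, groups
        self.suppressed, self.log = set(), []  # hidden-but-active tags; (time, tag, event) shown

    def scan(self, now: float, pvs: dict) -> None:
        for tag, pv in pvs.items():
            event = self.points[tag].update(pv, now)
            if event == "ALARM":
                if any(g.suppresses(tag, now) for g in self.groups):
                    self.suppressed.add(tag)   # stays suppressed until it returns to normal
                self.log.append((now, tag, "SUPPRESSED" if tag in self.suppressed else "ANNUNCIATED"))
            elif event == "RTN":
                self.suppressed.discard(tag)
                self.log.append((now, tag, "RTN"))

def run_pump_trip_scenario(window_s: float = 60.0) -> Annunciator:
    # Constructed scenario: pump P-101 trips; the window is shortened so its expiry is visible.
    points = [AlarmPoint("FI-101", "L", 10.0, 1.0, 2.0),    # low flow on the pump outlet
              AlarmPoint("PI-101", "L", 2.0, 0.5, 1.0),     # low discharge pressure
              AlarmPoint("TI-200", "H", 150.0, 2.0, 0.0)]   # unrelated high temperature
    group = SuppressionGroup(frozenset({"FI-101", "PI-101"}), window_s)
    ann = Annunciator(points, [group])
    pv = {"FI-101": 50.0, "PI-101": 6.0, "TI-200": 120.0}
    for t in range(100):
        if t == 10: group.set_trip(True, t)  # trip command to the pump, not a transmitter
        if t == 11: pv["FI-101"] = 0.0       # flow collapses after the trip: suppressed
        if t == 12: pv["PI-101"] = 0.0       # pressure collapses: suppressed
        if t == 15: pv["TI-200"] = 160.0     # unrelated alarm: must still annunciate
        if t == 70: pv["PI-101"] = 6.0       # recovers past limit + deadband: RTN
        if t == 80: pv["PI-101"] = 0.0       # re-alarms after the window: annunciated
        ann.scan(float(t), pv)
    return ann
```

The log is what the operator would see; `ann.points` keeps the actual condition of every tag, including the still-suppressed FI-101, which is what the graphics must show.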
Process boundaries (Boundary Management) must also be taken into account. Alarm management becomes more and more necessary as the complexity and size of manufacturing systems increases.
A lot of the need for alarm management also arises because alarms can be configured on a DCS at nearly zero incremental cost, whereas in the past on physical control panel systems that consisted of individual pneumatic or electronic analogue instruments, each alarm required expenditure and control panel area, so more thought usually went into the need for an alarm.
Numerous disasters such as Three Mile Island, the Chernobyl accident and Deepwater Horizon have established a clear need for alarm management. A comprehensive design and guideline document is produced which defines a plant standard employing a best-practice alarm management methodology. Analyze the alarm system to determine its strengths and deficiencies, and effectively map out a practical solution to improve it.
From experience, it is known that around half of the entire alarm load usually comes from a relatively few alarms. The methods for making them work properly are documented, and can be applied with minimum effort and maximum performance improvement. A full overhaul of the alarm system to ensure that each alarm complies with the alarm philosophy and the principles of good alarm management.
DCS alarm systems are notoriously easy to change and generally lack proper security. Methods are needed to ensure that the alarm system does not drift from its rationalised state. More advanced alarm management techniques are often needed to ensure that the alarm system properly supports, rather than hinders, the operator in all operating scenarios.
Proper management of change and longer term analysis and KPI monitoring are needed, to ensure that the gains that have been achieved from performing the steps above do not dwindle away over time.