32306019 dec 08

Upload: cnghia

Post on 04-Jun-2018


  • 8/13/2019 32306019 Dec 08

    1/45

    PETRONAS TECHNICAL STANDARDS

    DESIGN AND ENGINEERING PRACTICE

    ALARM MANAGEMENT GUIDELINES

    PTS 32.30.60.19 DECEMBER 2008

    2010 PETROLIAM NASIONAL BERHAD (PETRONAS). All rights reserved. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the permission of the copyright owner.


    TABLE OF CONTENTS

    1.0 INTRODUCTION ... 1
    1.1 SCOPE AND OBJECTIVES ... 1
    1.2 DISTRIBUTION, INTENDED USE AND REGULATORY CONSIDERATIONS ... 1
    1.3 DEFINITIONS ... 1
    1.4 ABBREVIATIONS ... 5
    2. CODES AND STANDARDS ... 7
    3. ALARM GUIDELINES ... 8
    3.1 ALARM PARAMETERS SHALL NOT BE ALTERED WITHOUT PROPER MANAGEMENT OF CHANGE ... 8
    3.2 ALARMS ARE NOT A SUBSTITUTE FOR AN OPERATOR'S ROUTINE SURVEILLANCE OF UNIT OPERATION ... 8
    3.3 AN ALARM MUST REQUIRE IMMEDIATE ACTION BY THE OPERATOR ... 8
    3.4 THERE SHALL NOT BE MULTIPLE ALARMS THAT PROMPT THE SAME OPERATOR ACTION ... 9
    3.5 ALARM PRIORITY DEFINES THE DEGREE OF URGENCY OF CORRECTIVE ACTION BY THE OPERATOR ... 9
    3.6 ALARMS SHOULD PROVIDE TIMELY ADVICE THAT THERE ARE PROBLEMS REQUIRING OPERATOR INTERVENTION ... 10
    3.7 AN ALARM SHOULD HELP THE OPERATOR TO QUICKLY IDENTIFY THE CAUSE OF A PROBLEM ... 10
    3.8 SIGNALS WHICH DO NOT QUALIFY AS ALARMS ... 10
    4. ALARM MANAGEMENT PROCESS ... 11
    4.1 ALARM MANAGEMENT PHILOSOPHY ... 13
    4.2 IDENTIFICATION ... 13
    4.3 ALARM RATIONALIZATION ... 13
    4.4 ALARM DESIGN ... 15
    4.5 IMPLEMENTATION ... 26
    4.6 OPERATION ... 26
    4.7 PERFORMANCE MONITORING ... 26
    4.8 MAINTENANCE ... 28
    4.9 ASSESSMENT ... 28
    4.10 MANAGEMENT OF CHANGE ... 28
    4.11 ALARM MANAGEMENT PROCESS LOOPS ... 29
    4.12 ALARM DOCUMENTATION ... 30
    4.13 ALARM HISTORY RETENTION ... 30
    5.0 PRIORITY ASSIGNMENT ... 31
    6.0 BENCHMARKING, PERFORMANCE METRICS AND REPORTING ... 32
    7.0 ALARM PRESENTATION ... 34
    8. AUDIBLE SIGNALS CONSIDERATIONS ... 35
    9. TRAINING ... 36
    10. ROLES AND RESPONSIBILITIES ... 37
    11. REFERENCES ... 38

    APPENDICES
    APPENDIX 1: ALARM REVIEW FORM ... 39
    APPENDIX 2: DCS ALARM PRIORITIZATION RISK ASSESSMENT MATRIX ... 40


    PREFACE

    PETRONAS Technical Standards (PTS) publications reflect the views, at the time of publication, of PETRONAS OPU(s)/Division(s).

    They are based on the experience acquired during the involvement with the design, construction, operation and maintenance of processing units and facilities. Where appropriate they are based on, or reference is made to, national and international standards and codes of practice.

    The objective is to set the recommended standard for good technical practice to be applied by PETRONAS' OPU(s) in oil and gas production facilities, refineries, gas processing plants, chemical plants, marketing facilities or any other such facility, and thereby to achieve maximum technical and economic benefit from standardisation.

    The information set forth in these publications is provided to users for their consideration and decision to implement. This is of particular importance where PTS may not cover every requirement or diversity of condition at each locality. The system of PTS is expected to be sufficiently flexible to allow individual operating units to adapt the information set forth in PTS to their own environment and requirements.

    When Contractors or Manufacturers/Suppliers use PTS they shall be solely responsible for the quality of work and the attainment of the required design and engineering standards. In particular, for those requirements not specifically covered, the Principal will expect them to follow those design and engineering practices which will achieve the same level of integrity as reflected in the PTS. If in doubt, the Contractor or Manufacturer/Supplier shall, without detracting from his own responsibility, consult the Principal or its technical advisor.

    The right to use PTS rests with three categories of users:

    1) PETRONAS and its affiliates.

    2) Other parties who are authorised to use PTS subject to appropriate contractual arrangements.

    3) Contractors/subcontractors and Manufacturers/Suppliers under a contract with users referred to under 1) and 2) which requires that tenders for projects, materials supplied or - generally - work performed on behalf of the said users comply with the relevant standards.

    Subject to any particular terms and conditions as may be set forth in specific agreements with users, PETRONAS disclaims any liability of whatsoever nature for any damage (including injury or death) suffered by any company or person whomsoever as a result of or in connection with the use, application or implementation of any PTS, combination of PTS or any part thereof. The benefit of this disclaimer shall inure in all respects to PETRONAS and/or any company affiliated to PETRONAS that may issue PTS or require the use of PTS.

    Without prejudice to any specific terms in respect of confidentiality under relevant contractual arrangements, PTS shall not, without the prior written consent of PETRONAS, be disclosed by users to any company or person whomsoever and the PTS shall be used exclusively for the purpose they have been provided to the user. They shall be returned after use, including any copies which shall only be made by users with the express prior written consent of PETRONAS. The copyright of PTS vests in PETRONAS. Users shall arrange for PTS to be held in safe custody and PETRONAS may at any time require information satisfactory to PETRONAS in order to ascertain how users implement this requirement.


    PTS 32.30.60.19 December 2008

    Page 1

    1.0 INTRODUCTION

    1.1 SCOPE AND OBJECTIVES

    This document describes the guidelines for the management of Distributed Control System (DCS) alarms within PETRONAS plants, both new and existing.

    The objectives of this guideline are:

    Establish the work processes in alarm management for PETRONAS;

    Provide engineering guidelines for consistent and efficient alarm configuration; and

    Achieve world class alarm system performance for all areas by implementing the work processes described.

    This guideline shall apply to all audible and visual alarms generated by the DCS on the operator consoles.

    This PTS is developed together with the Technical Professionals and experienced plant personnel of Skill Group 14. The Custodian of this PTS shall be consulted for any deviation.

    1.2 DISTRIBUTION, INTENDED USE AND REGULATORY CONSIDERATIONS

    Unless otherwise authorised by PETRONAS, the distribution of this PTS is confined to companies forming part of the PETRONAS group and to contractors and manufacturers/suppliers nominated by them.

    1.3 DEFINITIONS

    1.3.1 GENERAL DEFINITIONS

    The Contractor is the party which carries out all or part of the design, engineering, procurement, construction, commissioning or management of a project or operation of a facility. The Principal may undertake all or part of the duties of the Contractor.

    The Manufacturer/Supplier/Vendor is the party which manufactures or supplies equipment and services to perform the duties specified by the Contractor or the Plant Owner.

    The Plant Owner is the PETRONAS instrumentation party responsible for the operation and maintenance of the equipment, who in turn is responsible to the plant management.

    The Principal is the PETRONAS party which initiates the project (new or revamp) and ultimately pays for its design and construction. The Principal will generally specify the technical requirements.

    The Custodian is the originator and technical owner of this PTS.

    The word Shall indicates a requirement.

    The word Should indicates a recommendation.


    Alarm philosophy: A document that establishes the basic definitions, principles, and processes to design, implement, and maintain an alarm system.

    Alarm priority: The level of importance assigned to an alarm within the alarm system to indicate importance (e.g. seriousness of consequences) and urgency.

    Alarm summary: A display that lists alarms with selected information, such as date, time, priority, and alarm condition.

    Alarm system: The collection of hardware and software that detects an alarm state, transmits the indication of that state to the operator's attention, and records changes in the alarm state.

    Alert: An audible and/or visible means of indicating to the operator an equipment or process condition that requires awareness and that action may be needed when time permits.

    Bypass: To manually modify a function to prevent its activation. (This term is used to describe instrumented functions other than alarms.)

    Control system: A system that responds to input signals from the equipment under control and/or from an operator and generates output signals that cause the equipment under control to operate in the desired manner.

    Chattering alarm: An alarm that repeatedly transitions between the alarm state and the normal state. For example, any parameter that crosses its alarm threshold three (3) times or more within a one (1) minute period.

    Clear: An alternate description of the state of an alarm that has transitioned to the normal state.

    Console: The interface for an operator to monitor the process, which may include multiple displays or annunciations.

    Deviation alarm: An alarm generated when the difference between two analog values exceeds a set limit.

    Disabled alarm: An alarm that is disabled by the operator such that the alarm will not be generated even though the base alarm condition is present.

    Note: Uncontrolled disabling of alarm(s) is not allowed.


    Remote alarm: An alarm from a remotely operated facility or a remote interface.

    Reset: The operator action that unlatches a latched alarm.

    Re-triggering alarm: An alarm that is automatically re-annunciated to the operator under certain conditions.

    Return to normal: The alarm system indication that an alarm condition has transitioned to the normal state.

    Shelve: To prevent the transmission of the alarm indication to the operator through a controlled methodology initiated by the operator. The controlled methodology shall be determined by the OPU.

    Stale alarm: An alarm that remains in the alarm state for 24 hours or more.

    Standing alarms: A measure of the number of stale alarms.

    Station: A single human machine interface within the operator console.

    Suppress: To prevent the indication of the alarm to the operator when the base alarm condition is present, initiated automatically by logic or manually by the operator.

    Unacknowledged: An alarm in the alarm state which has not been acknowledged by the operator.

    1.4 ABBREVIATIONS

    AMT - Alarm Management Team

    ASM - Abnormal Situation Management

    MOC - Management Of Change

    DCS - Distributed Control System

    EEMUA - Engineering Equipment and Materials Users Association

    HAZOP - Hazard & Operability Study

    IPF - Instrumented Protective Function

    P&ID - Piping & Instrumentation Diagram

    SS - Shift Superintendent

    RAM - Risk Assessment Matrix

    ACK - Acknowledge or Acknowledged


    BPCS - Basic Process Control System

    cGMP - Current Good Manufacturing Practice

    CLR - Clear

    HMI - Human Machine Interface

    PFD - Process Flow Diagram or Probability of Failure on Demand

    PHA - Process Hazards Analysis

    PIMS - Plant Information Management System

    RTN - Return To Normal (see definition)

    SIL - Safety Integrity level

    SIF - Safety Instrumented Function

    SIS - Safety Instrumented System

    UNACK - Unacknowledged


    2. CODES AND STANDARDS

    There are no codes or standards related to alarm management yet established at the time this guideline is written. The Instrument Society of America is currently drafting the ISA SP18.02 Instrument Signals and Alarms Standard. The standard is in final review stage and is due for release in 2008. However, the EEMUA Publication No. 191, published in 2007, entitled "Alarm Systems, A Guide to Design, Management and Procurement" is widely accepted in the industry as the reference document for alarm management. Pending the establishment of an international standard on alarm management, pertinent recommendations found in the EEMUA document shall be the reference for this guideline, together with the ASM Consortium Guidelines on Effective Alarm Management Practices Version 5, which documents the best practices for alarm management.


    3. ALARM GUIDELINES

    Alarms are signals annunciated to the operator typically by an audible sound and by some form of visual indication on the operator display, both of which differ according to the alarm priority.

    Alarms are important in that they help the operator to monitor deviations from desired operating conditions which may lead to hazardous situations. Alarms help the operator to maintain the plant within a safe operating envelope. The general philosophy for configuring an alarm should be any one or more of the following:

    b. the alarm shall indicate a need for Operator intervention
    c. the alarm shall indicate when a control system can no longer control
    d. the alarm shall indicate the need for timely Operator response

    Alarms shall not be configured if the intent cannot be met by any of the above three.

    In order to ensure that alarms remain relevant and helpful to the operator, each configured alarm in the DCS shall comply with the following set of guidelines:

    3.1 ALARM PARAMETERS SHALL NOT BE ALTERED WITHOUT PROPER MANAGEMENT OF CHANGE (MOC)

    Modifications to existing alarms or additions of new alarms shall be part of MOC, where proper justification and an alarm design review are required.
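The chattering and stale alarm definitions in section 1.3 and the MOC rule in this section can all be checked against a DCS alarm journal export. The following Python is an added example, not part of this PTS: the journal record format, the tag names and the MOC reference format (MOC-yyyy-nnn) are constructed assumptions.

```python
"""Added example (not from PTS 32.30.60.19): review a DCS alarm journal against
the chattering alarm and stale alarm definitions of section 1.3 and the
management-of-change rule of section 3.1."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample journal, not a real DCS export. Assumed record format:
# "<timestamp>|<tag>|<event>|<detail>", event one of ALM, RTN, PARAM, DISABLE.
SAMPLE_JOURNAL = """\
2008-12-01 08:00:05|LIC-101.PVHI|ALM|
2008-12-01 08:00:20|LIC-101.PVHI|RTN|
2008-12-01 08:00:31|LIC-101.PVHI|ALM|
2008-12-01 08:00:45|LIC-101.PVHI|RTN|
2008-12-01 08:00:58|LIC-101.PVHI|ALM|
2008-12-01 08:01:10|LIC-101.PVHI|RTN|
2008-12-01 09:15:00|PI-205.PVLO|ALM|
2008-12-01 09:20:00|TI-330.PVHI|PARAM|PVHI 180.0 -> 195.0 MOC-2008-117
2008-12-01 09:21:00|FI-410.PVLO|PARAM|PVLO 12.0 -> 5.0
2008-12-01 09:22:00|PI-206.PVHI|DISABLE|
2008-12-02 10:00:00|PI-205.PVLO|RTN|
"""
REVIEW_TIME = datetime(2008, 12, 2, 12, 0, 0)   # end of the constructed review period

CHATTER_CROSSINGS = 3                    # "three (3) times or more ..."
CHATTER_WINDOW = timedelta(minutes=1)    # "... within a one (1) minute period"
STALE_AGE = timedelta(hours=24)          # "remains in the alarm state for 24 hours or more"
MOC_REF = re.compile(r"\bMOC-\d{4}-\d+\b")   # assumed MOC reference format (constructed)


def parse_journal(text):
    """Return (timestamp, tag, event, detail) tuples in chronological order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tag, event, detail = line.split("|", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), tag, event, detail))
    return sorted(events)


def chattering_alarms(events):
    """Tags that crossed their alarm threshold CHATTER_CROSSINGS or more times
    within CHATTER_WINDOW. Both ALM and RTN are crossings of the threshold."""
    crossings = defaultdict(list)
    for ts, tag, event, _ in events:
        if event in ("ALM", "RTN"):
            crossings[tag].append(ts)
    chattering = set()
    for tag, times in crossings.items():
        for i in range(len(times) - CHATTER_CROSSINGS + 1):
            if times[i + CHATTER_CROSSINGS - 1] - times[i] <= CHATTER_WINDOW:
                chattering.add(tag)
                break
    return sorted(chattering)


def stale_alarms(events, now):
    """Tags that stayed in the alarm state for STALE_AGE or longer; an alarm still
    active at `now` is measured up to `now`. Their count is the standing alarms figure."""
    active, stale = {}, set()
    for ts, tag, event, _ in events:
        if event == "ALM":
            active.setdefault(tag, ts)          # keep the first entry into the alarm state
        elif event == "RTN" and tag in active:
            if ts - active.pop(tag) >= STALE_AGE:
                stale.add(tag)
    stale.update(tag for tag, start in active.items() if now - start >= STALE_AGE)
    return sorted(stale)


def changes_without_moc(events):
    """Parameter changes and operator disables whose detail carries no MOC reference
    (3.1: no alteration without MOC; 1.3: uncontrolled disabling is not allowed)."""
    return [(ts.strftime("%Y-%m-%d %H:%M:%S"), tag, event)
            for ts, tag, event, detail in events
            if event in ("PARAM", "DISABLE") and not MOC_REF.search(detail)]


def review_journal(text, now):
    """Run the three checks over one journal export and return the findings."""
    events = parse_journal(text)
    return {"chattering": chattering_alarms(events),
            "stale": stale_alarms(events, now),
            "changes_without_moc": changes_without_moc(events)}


def review_sample():
    """Findings for the constructed journal at REVIEW_TIME."""
    return review_journal(SAMPLE_JOURNAL, REVIEW_TIME)


if __name__ == "__main__":
    for check, findings in review_sample().items():
        print(check, findings)
```

On the constructed journal this reports LIC-101.PVHI as chattering, PI-205.PVLO as stale, and the FI-410 setpoint change and the PI-206 disable as changes lacking an MOC reference.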

    3.2 ALARMS ARE NOT A SUBSTITUTE FOR AN OPERATOR'S ROUTINE SURVEILLANCE OF UNIT OPERATION

    3.1.2 Process changes that should be caught by operators during their normal monitoring of the process, and pose no safety issues, shall not be alarmed.

    3.1.3 The alarm system should be an aid for the operator, not a replacement.

    3.1.4 Operators are expected to investigate alarms occurring by accessing the appropriate graphic and reviewing trends.

    3.1.5 The normal and expected process conditions shall not be alarmed, i.e. sequence process or ON/OFF control.

    3.3 AN ALARM MUST REQUIRE IMMEDIATE ACTION BY THE OPERATOR

    3.3.1 Alarms shall not be configured for which there is no Operator's corrective action possible.

    3.3.2 The action required in response to each alarm shall be specified.

    3.3.3 The consequence of the action not being taken shall be specified in the Alarm Reference Database (sect. 4.4).

    3.3.4 All alarms are important and should be acted upon as soon as possible.


    3.4 THERE SHALL NOT BE MULTIPLE ALARMS THAT PROMPT THE SAME OPERATOR ACTION

    3.3.5 Redundant instrumentation due to shut down systems will either
    a. not be alarmed,
    b. use logic to prevent multiple alarms, or
    c. have alarm on deviation between the primary (alarmed) variable and other instruments.

    3.3.6 Common alarms should be created for multiple alarms on different variables that require the same response.

    3.3.7 If there are many alarm points, determine which is the best to use based on factors such as measurement reliability, minimization of nuisance alarms, speed of initiation, and close logical association with the problem cause.

    3.3.8 Alarms shall be configured within the DCS controller or Input/Output block in order to avoid any redundant alarm, as follows:

    1. Loop with Controller - All alarms shall be configured in the controller block, inclusive of analog input alarm, analog output and bad input.

    2. Loop without Controller - Alarms shall be configured in the individual block, i.e. digital input or output block, analog input or output block.

    3.5 ALARM PRIORITY DEFINES THE DEGREE OF URGENCY OF CORRECTIVE ACTION BY THE OPERATOR

    3.3.9 The degree of urgency of an alarm at any instant, and thus its priority, is dependent on these factors:

    a. The severity of the consequences (in safety, environmental and economic terms) of failing to take the corrective action associated with the alarm (refer Appendix 2).

    b. The time available and required for the corrective action to be performed (Process Safety Time, refer Figure 2) and to have the desired effect.

    3.5.2 Thus, the order in which an operator should take corrective action when a number of alarms are present shall be based on the alarm priorities, where the alarm with the highest priority shall receive operator attention first (see Section 5 for Priority Assignment).

    3.5.3 Each alarm priority shall be configured with a different audible sound, with the highest pitch sound reserved for Emergency / Urgent priority and so forth.

    Note: Muting of alarms is not allowed.


    3.6 ALARMS SHOULD PROVIDE TIMELY ADVICE THAT THERE ARE PROBLEMS REQUIRING OPERATOR INTERVENTION

    3.6.1 An alarm setpoint shall be configured to give the operator at least 5 minutes to take corrective action. The alarm setpoint shall depend on the process safety time, which is defined as the time between the process value reaching the alarm setpoint and the consequences occurring if not acted upon under normal operating conditions. This time gap depends on the normal rate of change of the process value, e.g. a small tank with high receiving flow shall have a lower high level alarm setpoint than a large tank with small receiving flow.
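As an added example that is not part of this PTS, the following Python works the rule in 3.6.1 (and the setpoint guidance of 4.4.1) through for a high-level alarm on a tank: the setpoint is placed as close to the constraining value as the 5 minute process safety time allows, and the case where no setpoint can provide that time is reported rather than silently accepted. The vertical constant-cross-section tank, the levels and the inflows are constructed assumptions.

```python
"""Added example (not from PTS 32.30.60.19): placing a high-level alarm setpoint
so that the process safety time of section 3.6.1 (at least 5 minutes) is met."""

MIN_RESPONSE_TIME_S = 5 * 60   # section 3.6.1: at least 5 minutes to take corrective action


def level_rate_m_per_s(net_inflow_m3_per_h, tank_area_m2):
    """Rate of level rise for a constant net inflow into a vertical tank of
    constant cross-section (assumed geometry, constructed for this example)."""
    if tank_area_m2 <= 0:
        raise ValueError("tank area must be positive")
    if net_inflow_m3_per_h <= 0:
        raise ValueError("level is not rising; no process safety time for a high alarm")
    return net_inflow_m3_per_h / 3600.0 / tank_area_m2


def process_safety_time_s(constraint_m, setpoint_m, net_inflow_m3_per_h, tank_area_m2):
    """Time between the level reaching the alarm setpoint and reaching the
    constraining value (e.g. overflow or IPF trip level): the process safety
    time as defined in 3.6.1, at the stated normal rate of change."""
    return (constraint_m - setpoint_m) / level_rate_m_per_s(net_inflow_m3_per_h, tank_area_m2)


def max_high_alarm_setpoint(constraint_m, normal_m, net_inflow_m3_per_h, tank_area_m2,
                            response_time_s=MIN_RESPONSE_TIME_S):
    """Highest setpoint that still leaves response_time_s before the constraint
    (4.4.1: as far from normal as practicable while giving ample response time).
    Returns None when even a setpoint at the normal level cannot provide that
    time: the alarm cannot be made timely and the design itself must change."""
    rate = level_rate_m_per_s(net_inflow_m3_per_h, tank_area_m2)
    setpoint = constraint_m - rate * response_time_s
    if setpoint <= normal_m:
        return None
    return round(setpoint, 3)


def setpoint_is_timely(constraint_m, setpoint_m, net_inflow_m3_per_h, tank_area_m2,
                       response_time_s=MIN_RESPONSE_TIME_S):
    """Check an existing setpoint against the 5 minute rule during a 4.4.1 review."""
    return process_safety_time_s(constraint_m, setpoint_m, net_inflow_m3_per_h,
                                 tank_area_m2) >= response_time_s


# Constructed cases for the sentence in 3.6.1: same overflow level, normal level and
# inflow, so the difference in permissible setpoint comes from tank size alone.
SMALL_TANK = dict(constraint_m=4.0, normal_m=2.0, net_inflow_m3_per_h=36.0, tank_area_m2=2.0)
LARGE_TANK = dict(constraint_m=4.0, normal_m=2.0, net_inflow_m3_per_h=36.0, tank_area_m2=20.0)

if __name__ == "__main__":
    for name, tank in (("small tank", SMALL_TANK), ("large tank", LARGE_TANK)):
        print(name, "max high alarm setpoint:", max_high_alarm_setpoint(**tank), "m")
```

For the constructed tanks the small one gets a setpoint of 2.5 m and the large one 3.85 m against the same 4.0 m constraint, which is the ordering 3.6.1 describes.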

    3.7 AN ALARM SHOULD HELP THE OPERATOR TO QUICKLY IDENTIFY THE CAUSE OF A PROBLEM

    3.6.2 Clear and understandable alarm tag descriptors are important to help identify the cause.

    3.6.3 Consistent abbreviations shall be used so that they are clearly understood by all operators.

    3.6.4 An alarm tag's Associate Display parameter shall be configured to provide quick access to the relevant schematic.

    3.8 SIGNALS WHICH DO NOT QUALIFY AS ALARMS

    The following signals do NOT qualify as alarms but may be classified as "journal" or message signals:

    Status change of switches through automatic sequence, i.e. starting or stopping pumps or opening/closing valves as normal (on/off) control behaviour.

    Status changes of switches manually initiated by panel operators, such as a maintenance override switch / bypass switch, manual trip command etc.

    Status change of operating mode by automatic sequence or manual initiation, e.g. TSA (Temperature Swing Adsorbers) sequence.

    Status change of control mode by automatic sequence or manual initiation, i.e. MANUAL-AUTO, AUTO-CASCADE.

    Generally, system alarms shall not be alarmed in the DCS, unless deemed critical for operator action.

    However, if the maintenance override switch / bypass switch is located and operated outside the control room, its initiation shall be alarmed. A common bypass alarm shall be sent to the DCS.


    4. ALARM MANAGEMENT PROCESS

    Alarm systems are part of the safety systems of process plants. They indicate undesired or potentially unsafe situations to the operator. Alarms are always linked to human follow-up. Therefore, the foremost principle when designing or reviewing alarm systems is recognition of the human factors involved. A human is generally not capable of dealing with huge information overloads. The human may also make mistakes or act too late. Therefore human intervention should only be assumed to provide a limited reduction of risks.

    The alarm management process is intended to guide users to a safe, cost effective and consistent design and implementation of alarms in an instrumentation system (DCS, IPF panels, F&G panels, local panels etc.).

    The overall objective of the alarm management system is to provide the operator with:

    an adequate set of warning facilities during normal operation.

    the ability to recognise the most important alarms during upsets.

    adequate guidelines to perform corrective action;

    whilst minimising, as far as is reasonably practicable:

    standing alarms;

    nuisance alarms;

    chattering alarms;

    alarm floods.

    In an ideal situation the few alarms that occur are understood and handled properly by the operator. Each of these alarms is genuine, not duplicated and not repetitive, and calls for an action for which the operator has sufficient time, even during plant upset or trip situations.

    A process plant typically requires the following types of alarms:

    Process alarms

    Trip (IPF) alarms

    F&G alarms

    Common alarms from packaged units

    Diagnostic alarms (from SIS, DCS, Fieldbus etc.)

    Not all alarms and messages should necessarily be routed to the operator. Other recipients of alarms and messages, such as the DCS/SIS maintenance engineer, should also be considered. The alarm management / rationalisation study should therefore also consider the various alarm recipients, their availability etc.

    When the configuration of an existing installation is reviewed, it is also necessary to balance the effort expended in the review against the potential improvements to be gained. In practice, this means that the process starts by identifying the Bad Actors of alarms followed by the highest priority of alarms and so forth.

    The assigned alarm priorities in the DCS are only used to distinguish between the kinds of activity to be executed.


    The alarm management process covers the design and maintenance activities from philosophy to management of change. The process is useful in identifying the requirements and roles for implementing an alarm management system. The process flowchart in Figure 1 shows the essential steps in implementing the alarm management system.

    FIGURE 1 : ALARM MANAGEMENT PROCESS
    [Flowchart; boxes read: PHILOSOPHY / POLICY / MANUAL, IDENTIFICATION, RATIONALIZATION, DESIGN, IMPLEMENTATION & TRAINING, ASSESSMENT, MAINTENANCE, PERFORMANCE MONITORING, MOC, OPERATION]


    4.1 ALARM MANAGEMENT PHILOSOPHY

    An Alarm Management Philosophy is required for all plants, both new and existing, as well as projects.

    Prior to designing a new alarm system or modifying an existing system, some basic groundwork is required. Generally the first step is the development of an alarm management philosophy that documents the objectives of the alarm system and the processes to meet those objectives. For new systems the alarm philosophy serves as the basis for the alarm system requirements specification.

    The philosophy starts with the basic definitions and extends them to operational definitions using principles. The definition of alarm priorities, classes, performance metrics, performance limits, and reporting requirements are determined based on the objectives, definitions, and principles. The schemes for presentation of alarm indications in the HMI, including use of priorities, are also set in the alarm philosophy, which shall be consistent with the overall HMI design.

    The philosophy specifies the processes used for each of the life cycle stages, such as the threshold for the management of change process and the specific requirements for change. The philosophy is maintained to ensure consistent alarm management throughout the life cycle of the alarm system.

    4.2 IDENTIFICATION

    In the identification stage, the alarms configured in the plant control system are to be evaluated. An alarm list is to be generated from the DCS. In addition, it is also necessary to vet all HAZOP reports, IPF review reports and incident investigation reports to identify a list of conditions that need to be protected by operator intervention.

    4.3 ALARM RATIONALIZATION

    Rationalization is the process of reconciling each individual alarm against the principles and requirements of the alarm philosophy. The exercise involves reviewing and documenting each alarm which exists in the DCS for the particular unit. In this process, the form in Appendix 1 shall be used to address the following questions:

    1. What is the purpose of the alarm, i.e. what potential hazard or event is the alarm intended to prevent?
    2. What are the causes of the alarm?
    3. What action is required by the operator?
    4. What are the consequences of the operator failing to respond to the alarm?
    5. How quickly is the operator required to respond?
    6. How long will it take for the operator's action to have the required effect?
    7. How likely is it that the operator will be able to prevent the event or hazard?
    8. Does the alarm comply with the agreed philosophy?

    This information is critical to improve alarm clarity to the operator. Once the consequences and the response time have been documented, alarm priority must be assigned based on the matrix of consequences versus priorities. The result will also be used to generate alarm response documentation and in defining alarm retention.

    The completed forms constitute the alarm narratives for the project/plant/OPUs. The overall alarm narratives shall be endorsed by the plant management as per clause 9.0.


    Documents / tools required for this exercise are:

    1. Updated P&ID for the unit
    2. Control and/or Safeguarding narratives, design documents
    3. HAZOP and IPF Classification results
    4. Updated DCS alarms, setpoints and tag list
    5. Plant Historian (e.g. PIMS) database to view process trends

    An Alarm Management Team (AMT) shall be formed, comprising:

    1. Alarm Management Team Leader (Operation Engineer) who shall monitor and manage the overall progress of the team.

    2. Alarm Management Coordinator/Facilitator (Instrument and Control Engineer) who shall facilitate the alarm rationalization process and compile and execute all the changes required.

    3. Operation and Process Technologist Representatives (Panel men/operators from 2 different shifts and Process Technology engineer) who shall discuss and rationalize the alarms.

    4. Maintenance Subject Matter Representatives (Instrument and Control engineer/technician, Electrical and/or Mechanical engineer/technician) who shall help the review, especially in equipment related alarms.

    The AMT shall develop a detailed plan and schedule for the alarm rationalization review.

    The process of alarm rationalization is as follows:

    1. Using the DCS database, determine the existing alarm parameters for the tag.

    2. Also from the DCS database, review the most frequent alarms, if applicable.

    3. From the P&ID, reconcile the selected DCS alarm tag.

    4. Rationalize an alarm parameter by entering it into the Alarm Reference Database. The database shall be configured as per Appendix 1. Refer to narratives or other supporting documents to help determine the purpose, causes, corrective actions, consequences and finally the priority of the alarm.

    5. Qualify the alarm parameter against the alarm guidelines (Section 5). If the alarm parameter does not meet the guidelines, decide what the required changes are.

    6. Repeat steps (4) and (5) for each alarm parameter for the tag.

    7. Continue for the next tag on the DCS database and/or P&ID until all the selected alarms for the unit have been reviewed.

    8. Compile all the changes required and raise MOC to obtain proper approvals.

    9. Modifications shall be implemented by the instrument/control engineer.

    10. An Alarm Review Form shall be printed from the Alarm Reference Database (such as FileMaker) and signed by the AMT (example format in Appendix 1).

    Every alarm shall be accompanied with an Alarm Review Form as per Appendix 1.


    4.4 ALARM DESIGN

    The design stage includes evaluation of the basic configuration of alarms in the DCS, the design of graphics and other HMI elements for alarms, and the advanced/intelligent methods for alarm management described in 4.4.2 (the use of an Alarm Management System, for example).

    This process also includes obtaining feedback from operators, as well as defining the testing methods of the alarm system functions.

    In addition, one of the key deliverables of this stage is to develop the Alarm Reference Database. This document identifies what the alarm is, how it is configured, why it is there, what the operator is supposed to do about it and what the consequences are of failing to perform the actions.

    Once the necessary approvals have been obtained, the new alarm configurations are implemented in the DCS. This process includes training for the operator and initial testing of the alarm system functions.

    4.4.1 SETTING OF ALARM SETPOINTS

    A full review of alarm setpoints and dead bands is a time-consuming exercise. However, experience has shown that too often alarm settings are set incorrectly or even beyond the constraints of the process or equipment the alarm should protect. Each alarm setting and its rationale should therefore be re-established.

    The general rule is that the alarm setpoint, i.e. the value at which it is activated, should be as far from the normal value as practicable whilst still giving adequate protection and ample operator response time.

    Whenever an alarm setting is made, a number of questions should be answered and documented, as follows. See also Figure 2.

    - At what value does a hazard or concern arise, i.e. what is the constraining value? This could be a relief valve setting, an IPF trip setting, an equipment design limit, a catalyst temperature limit, the pH at which corrosion accelerates, the temperature at which coke formation in the tubes accelerates, etc.

    - What is the inaccuracy of a constraint? For example, a relief valve may already start to open at 99 % of its set pressure.

    - How fast is the value likely to approach this point? This is the highest credible rate of change.

    - How much time does the panel or field operator need to complete the actions that aim to reverse the process?

    - How much will the process continue to rise following the completion of the operator action? This is the process dead time.

    - How wide is the operating band under normal and routinely abnormal conditions?

    - What is the expected inaccuracy of the sensor and receiving switch used to generate the alarm?

    - What is the dead-time of the sensor and signal processing?

    - How many features (e.g. alarms, trips, relief valves) have to be fitted in the gap between the edge of the normal operating band and the constraining value at which a hazard or concern arises?

    A further key deliverable of this stage is the Operator Alarm Response Manual, as per Section 4.3.

    Figure 2 Parameters involved in establishing the alarm setting

    In all cases the alarm shall be set such that:

    - No alarm occurs within the normal process fluctuations and signal noise.

    - There is sufficient operator response time.

    - The process does not exceed the equipment or process constraint, assuming correct and timely operator action and a worst but credible process dead time.

    - Uncertainties/inaccuracies in the equipment or process constraints are taken into account.

    Note: Uncertainties/inaccuracies in the process measurement at the point of the desired alarm setting are taken into account. A particular consideration applies to low flow alarms, where the flow measurement comes from a dP-based device such as an orifice plate or venturi meter. The measurement on the DCS appears linear but the original input signal has a (flow)² characteristic. This means that an alarm set at 10 % of flow range corresponds to only 1 % of dP input signal, which could potentially be disabled by a zero error arising from the meter or its process hook-up. On the other hand, under some circumstances a higher setting might increase the risk of nuisance alarms. The setting of low flow alarms therefore involves a balance between avoiding such alarms and retaining measurement accuracy.

    Another consideration applies to measurements that are influenced by specific properties of the medium, such as the liquid and vapor density for dP and displacer type level measurements, the density for orifice type flow meters, etc.

    In these cases the worst case of all foreseeable operating modes including start-up andshutdown modes shall be considered.

    If conflicts arise between the factors influencing the correct alarm setting, it may become impossible to find an acceptable alarm setting. In these cases there are the following options:

    - Redesign the process / equipment. This is the most desirable but often impractical solution.

    - Set the alarm setting at a level closer to the normal operating conditions. Accept that spurious alarms will occur under some operating conditions. This option reduces the confidence in the alarm and affects the probability that the operator would initiate the required actions in the event of a genuine alarm. This is the least desirable option.

    - Set the alarm setting at a level closer to the constraints. Accept that the operator may not have enough time to prevent the hazardous event in all cases (e.g. in the event of a rapid upset). This option does not reduce the confidence in the alarm but affects the probability that the operator would complete the required action in time.

    As well as defining the alarm setting, the expected accuracy of the switch point shall also be defined (e.g. 210 °C ± 2 °C).

    The switching inaccuracy is the maximum allowable difference between the actualprocess parameter and the alarm setting at the moment the alarm activated. It includesthe inaccuracy of the sensor, signal processing, switch amplifier, A/D converter etc. Theinaccuracy does not include any possible dynamic effects whereby the measurementlags behind the actual process parameter.

    A typical accuracy would be 2 % of instrument span.
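    The questions and conditions above can be checked arithmetically. The following Python is an added worked example for this section and is not part of PTS 32.30.60.19: the process values are constructed, the approach to the constraint is modelled as a linear ramp at the highest credible rate, and the function and field names are assumptions. It computes the latest setpoint that still leaves adequate response time and the earliest setpoint that stays clear of normal fluctuations and noise, reports a conflict when the two cross (the situation for which the options above are given), and includes the square-law check for dP-based low flow alarms from the note above.

```python
"""Alarm setpoint derivation for a high alarm approaching a constraint.

Added worked example for Section 4.4.1 (not from PTS 32.30.60.19).
Process values below are constructed; the rise is modelled as a linear ramp
at the highest credible rate, which is the conservative assumption.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SetpointInputs:
    constraint: float            # value at which the hazard arises, e.g. relief valve set pressure
    constraint_error: float      # constraint inaccuracy (a relief valve may lift at 99 % of set)
    max_rate: float              # highest credible rate of change, units per minute
    operator_time_min: float     # time for the panel/field operator to complete the action
    dead_time_min: float         # process dead time: the rise continues after the action
    sensor_dead_time_min: float  # dead time of sensor and signal processing
    normal_high: float           # upper edge of the normal / routinely abnormal operating band
    noise: float                 # process fluctuation and signal noise around that edge
    switch_inaccuracy: float     # sensor + signal processing + A/D inaccuracy at the setpoint


@dataclass
class SetpointResult:
    latest_safe: float           # highest setpoint that still gives adequate response time
    earliest_quiet: float        # lowest setpoint that does not alarm on normal fluctuations
    setpoint: Optional[float]    # chosen value (latest_safe), None when no value satisfies both
    margin: float                # latest_safe - earliest_quiet; negative means a conflict


def derive_high_setpoint(p: SetpointInputs) -> SetpointResult:
    # Derate the constraint for its own inaccuracy.
    effective_constraint = p.constraint - p.constraint_error
    # Time from alarm activation until the process stops rising.
    total_delay_min = p.operator_time_min + p.dead_time_min + p.sensor_dead_time_min
    # Worst credible excursion during that time.
    excursion = p.max_rate * total_delay_min
    # The alarm may activate late by the switch inaccuracy, so subtract it too.
    latest_safe = effective_constraint - excursion - p.switch_inaccuracy
    # Stay clear of normal fluctuations even if the switch activates early.
    earliest_quiet = p.normal_high + p.noise + p.switch_inaccuracy
    margin = latest_safe - earliest_quiet
    # Rule: as far from the normal value as practicable, so take the latest safe value.
    setpoint = latest_safe if margin >= 0.0 else None
    return SetpointResult(latest_safe, earliest_quiet, setpoint, margin)


def low_flow_alarm_dp_check(flow_pct_of_range: float, zero_error_pct_dp: float) -> Tuple[float, bool]:
    """Square-law check for dP-based low flow alarms.

    Returns the dP signal (% of dP span) at the intended flow setpoint and
    whether a zero error of the given size on the dP input could mask the alarm.
    """
    dp_pct = flow_pct_of_range ** 2 / 100.0   # 10 % flow -> 1 % dP
    return dp_pct, zero_error_pct_dp >= dp_pct


if __name__ == "__main__":
    # Constructed case: vessel with relief valve set at 10.0 barg, 2 % switch inaccuracy on a 0-10 bar span.
    slow_operator = SetpointInputs(10.0, 0.1, 0.2, 5.0, 2.0, 0.5, 8.0, 0.1, 0.2)
    print(derive_high_setpoint(slow_operator))   # setpoint None: margin negative, the conflict case
    fast_operator = SetpointInputs(10.0, 0.1, 0.2, 3.0, 2.0, 0.5, 8.0, 0.1, 0.2)
    print(derive_high_setpoint(fast_operator))   # setpoint 8.6 barg
    print(low_flow_alarm_dp_check(10.0, 1.5))    # (1.0, True): a 1.5 % zero error hides a 10 % flow alarm
```

    With a 5 min operator response the latest safe setpoint (8.2) falls below the earliest quiet one (8.3), so no setpoint satisfies both conditions and one of the options above has to be taken; shortening the response to 3 min restores a 0.3 bar margin and the setpoint is placed at the latest safe value, 8.6 barg.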

    4.4.2.3 Shelving

    Shelving is a facility where an alarm is temporarily inhibited by the operator to prevent it from being displayed when it is a nuisance. This technique requires easy operator access to a list of shelved alarms and an un-shelving facility. Shelved alarms shall be automatically unshelved at a predetermined time before the shift changeover. The time at which the alarms are automatically unshelved shall be determined by the OPUs. The maximum number of shelved alarms per operator should be 30.

    4.4.2.4 Static Alarm Suppression

    Static alarm suppression is used to suppress alarms which are always active but not relevant for a particular process unit or major equipment when it is shut down for maintenance. This technique requires the configuration of soft keys to activate logic which will disable/enable the particular group of alarms in the unit or equipment.

    Operators often find alarm systems difficult to manage when relatively large numbers of alarms are permanently or semi-permanently activated. There is the risk of any new alarm remaining unnoticed, and the standing alarms cannot be "meaningful" to the operator. In order to minimise the number of standing alarms, static alarm suppression is required. Care has to be taken in grouping the tags to be suppressed. Sometimes there are tags within a section that Operations prefers to watch and alarm even when the rest of the unit is down, e.g. charge drum vacuum or pressure.

    Alarms that are always active when a process unit or a large piece of equipmentis shut down are statically suppressed.

    Static alarm suppression shall be implemented on one plant section, processunit or equipment item at any one time.

    Static suppression shall never rely on manual selection only. A redundant process signal shall always be part of the suppression logic to confirm that the unit/equipment is out of service and to remove the suppression when it is put back in service.

    Only after the manual suppression command and the suppression permissivestates have been met shall static alarm suppression be allowed.

    Process signals that are part of permissive logic shall be redundant so that there is no single point of failure that could lead to the inadvertent suppression of alarms or to leaving alarms inadvertently suppressed.

    Voting shall be such that:

    - Two or more independent process measurements are used, such as the feed to a column, tray temperature or valve position.

    - Correlated measurements with a high probability of common cause failure (e.g. plugged line) are not used.

    - Deadbands are used on the voting permissive (i.e. independent process measurements) to prevent mode cycling.

    - Signals with bad PVs are excluded from voting.

    Switching on the static alarm suppression shall only be possible when the defined process permissive is met. These conditions differ for each alarm suppression group. The static suppression shall be automatically switched off, and a message to the operator shall be generated, when the defined process conditions are no longer satisfied.

    Figure 3 Static Alarm Suppression

    Alarms generated in the DCS from analogue inputs that are suppressed through this functionality shall be visible to the operator in the process graphics and the individual tag faceplate (e.g. as a blue measurement). The actual alarm condition is not annunciated (in general no buzzer, no alarm in the alarm list, no alarm to the printer; system or measurement faults not visible). The alarm status, however, is still available on the individual tag's faceplate.

    When the alarm suppression for a group is released, the suppressed alarms are not tobe regenerated (not sounding the buzzer, flashing etc.).

    When defining static alarm suppression groups, the following data shall be recorded:

    Static Alarm Suppression Group and Group descriptor: a reference tag name of the group and a group descriptor to allow reference and proper administration.

    Permissive: a Boolean statement with the (DCS) tags and conditions (signals) that have to be "true" to permit the static suppression to be switched ON. This includes the condition (alarm, H alarm, LL alarm etc.).

    Static Suppression Group: the list of instrument tags to be suppressed.

    NOTES:
    1. The static alarm suppression may not differentiate between H, L or LL alarms, Bad PV etc. All alarms associated with the listed tag number may be suppressed. This is done to prevent alarms being generated due to maintenance activities on the shut down section.

    EXAMPLE: What are the consequences of a block valve leaking, allowing undetected flow into the idle equipment/process? If they are undesirable, the high pressure alarm should be left active.
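    The permissive and voting rules above can be shown as control logic. The following Python is an added example for this subsection, not from PTS 32.30.60.19 and not vendor DCS code: the tag names, limits, deadbands and the 2-out-of-2 vote are assumptions made for the illustration. It models each permissive signal with a deadband held across the out-of-service/in-service transition, excludes bad PVs from the vote, switches suppression on only when the operator's command and the permissive are both present, and drops it automatically with an operator message when the unit comes back into service.

```python
"""Static alarm suppression group with a voted, deadbanded permissive.

Added example for Section 4.4.2.4, not from PTS 32.30.60.19. Tag names,
limits and the 2-out-of-2 vote are assumptions for the illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class OutOfServiceSignal:
    """One independent process measurement voting 'unit is out of service'."""
    tag: str
    pv: Optional[float]           # None models a bad PV: excluded from the vote
    low_limit: float              # out of service while pv is below this
    deadband: float               # must exceed low_limit + deadband to vote 'in service' again
    out_of_service: bool = False  # last voted state, held across the deadband

    def vote(self) -> Optional[bool]:
        if self.pv is None:
            return None
        if self.out_of_service:
            if self.pv > self.low_limit + self.deadband:   # deadband prevents mode cycling
                self.out_of_service = False
        elif self.pv < self.low_limit:
            self.out_of_service = True
        return self.out_of_service


@dataclass
class StaticSuppressionGroup:
    name: str
    permissive: List[OutOfServiceSignal]   # independent measurements, voted 2oo2 here
    tags: List[str]                        # instrument tags suppressed by the group
    manual_command: bool = False           # operator soft key
    active: bool = False
    messages: List[str] = field(default_factory=list)   # operator messages

    def permissive_met(self) -> bool:
        good = [v for v in (s.vote() for s in self.permissive) if v is not None]
        # At least two good, independent signals must agree: no single point of failure.
        return len(good) >= 2 and all(good)

    def scan(self) -> bool:
        """One control-system scan; returns the suppression state afterwards."""
        met = self.permissive_met()
        if not self.active:
            # Switch ON only when the manual command AND the permissive are both present.
            if self.manual_command and met:
                self.active = True
                self.messages.append(f"{self.name}: static suppression ON")
        elif not met:
            # Unit back in service: drop the suppression automatically and tell the operator.
            self.active = False
            self.manual_command = False
            self.messages.append(f"{self.name}: static suppression OFF, permissive lost")
        elif not self.manual_command:
            self.active = False
            self.messages.append(f"{self.name}: static suppression OFF by operator")
        return self.active

    def is_suppressed(self, tag: str) -> bool:
        """Suppressed alarms stay visible on the tag faceplate; only annunciation is inhibited."""
        return self.active and tag in self.tags


if __name__ == "__main__":
    feed = OutOfServiceSignal("FI101", pv=0.0, low_limit=5.0, deadband=1.0)
    tray = OutOfServiceSignal("TI102", pv=20.0, low_limit=50.0, deadband=5.0)
    group = StaticSuppressionGroup("U100-SD", [feed, tray], ["PI100_H", "TI100_H"])
    group.manual_command = True
    print(group.scan(), group.is_suppressed("PI100_H"))   # True True
    feed.pv = 7.0                                          # feed restarted: unit back in service
    print(group.scan(), group.messages[-1])                # False ... permissive lost
```

    A tag such as the high pressure alarm in the EXAMPLE above is simply left out of the group's tag list, so it stays active while the rest of the section is suppressed. With one of the two permissive signals at bad PV there is only one good vote, and the group cannot be switched on at all.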

    4.4.2.5 Dynamic Alarm Suppression

    Dynamic alarm suppression is used to suppress alarms following a trip or process upset.

    The first alarm in a defined group is triggered, shown in the alarm list and printed on the alarm printer, with subsequent alarms in the group suppressed. This minimizes the number of alarms appearing following a trip, thus eliminating alarm flooding and helping the operator respond better to the alarm.

    A soft switch shall be provided to enable dynamic alarm suppression.

    Triggers shall be redundant (i.e. a confirmed trigger) so that there is no single point of failure that could lead to the inadvertent suppression of alarms or to leaving alarms inadvertently suppressed.

    NOTE: A trigger is usually not the trip transmitter exceeding the trip setting but rather the trip command to the unit or equipment, i.e. the soft signal internal to the safety PLC. However the trip may fail partly or completely, so that a confirmation of the trip action is required to trigger suppression. For example, not only the compressor trip command is used as trigger but also the running contact as confirmation.

    Trigger voting shall be such that:

    - Two or more independent process measurements are used, such as the feed to a column, tray temperature or valve position.

    - Correlated measurements with a high probability of common cause failure (e.g. plugged line) are not used.

    - Dead bands are used on the voting permissive (i.e. independent process measurements) to prevent mode cycling.

    - Signals with bad PVs are excluded from voting.

    Dynamic suppression will be automatically turned off after a configurable time period(default 30 min) or when all trigger alarms return to normal. See Figure 4.

    Figure 4 Dynamic Alarm Suppression

    A timer will be started when the first of the group's trigger alarms is received. Once the timer has expired any new alarm in the group will sound the buzzer but existing alarms will remain suppressed. If the new alarm is a trigger, it will restart the timer, reinstating a further (30 min) period of dynamic suppression. The operator can choose to manually suppress the alarm group, by means of static alarm suppression, at this time if appropriate. However, the grouping for static alarm suppression is not necessarily the same as the grouping for dynamic alarm suppression.

    The alarm state sequence diagram for alarms that are in a dynamic alarm suppressiongroup is shown in Figure 5.

    Figure 5 Dynamic Suppression Alarm State Diagram

    The performance of the alarm suppression logic shall be such that it suppresses subsequent alarms within 4 s after the trigger. This is the time for the trip system to respond to a trip condition, final elements to reach their safe position and the process response to generate the next alarm. The available 4 s includes signal transmission via gateways and various nodes on the control system network. For alarms that come faster after a trigger, part of the suppression logic may have to be implemented in the IPS using the "first-up" signal as the trigger.

    The process graphics will show the actual alarm condition for all suppressed alarms. The condition of auto-suppressed trip alarms is also visible on the Cause & Effect matrix graphics.

    Where triggers are Trip initiators, the trigger shall be disabled when the MOS is switchedON. Likewise the dynamic alarm check shall be disabled for the point as well.

    If an alarm in a group is not generated even though it is expected to come on as a consequence of a trip, a common fault alarm is raised to the operator. This is a common alarm for the group, not one related to each suppressed alarm. If the operator wishes to know which alarm did not come on, the alarm suppression graphic will have to be consulted.

    NOTE: This fault alarm is also available when the dynamic alarm suppression is not enabled.

    When dynamic alarm suppression groups are defined, the following data shall be recorded:

    Dynamic alarm Group name and description: the dynamic alarm suppression group is usually a subset of the tags associated with the equipment safeguarding system (a UZ block). The group name should be selected to show the relation with the system, e.g. 016UZ-250.

    Delay Before Alarm On Check: the delay time the control system allows before checking whether all expected alarms, marked dynamic, have in fact been activated. It is to be 60 seconds greater than the largest individual Time for Alarm to Come Up of the dynamically suppressed alarms. Each and every alarm tag marked with a cross in the dynamic box should always alarm when each and every trigger is activated.

    Dynamic Suppression Switch Off Delay: this should always be 1800 s unless the Delay Before Alarm On Check is 1800 s or more.

    Dynamic Grouping Comments: comments may be added to clarify particular issues for future reference.

    Dynamic Suppressed Tag numbers: for each of the dynamically suppressed tag numbers the following is to be recorded:
    - Tag number and service description as taken from the tag number database
    - A check box indicating whether the tag number also serves as a trigger
    - A check box indicating whether the alarm needs to be dynamically checked
    - Time for Alarm to Come Up: the time (seconds) at which the alarm is expected to be activated after the system trigger. If the time is less than 4 s, a remark "Fast suppression logic required" is to be added, as discussed above.

    NOTES:
    1. Group trigger alarms will almost always be trip alarms or drive failure indicators. If the group trigger is not an alarm (e.g. a motor running status) and therefore not in the database, the tag should be added. All new trigger tags added that are not alarms should be record only.

    2. In some instances dynamic suppression will need to be applied to groups not related to a particular equipment safeguarding system. For these cases a new dynamic suppression group tag number shall be defined. The tag may be based upon sequence logic blocks (KS blocks) or on the major trigger tag for a group. For example, if the major trigger tag for a group not related to a safeguarding system was 214LZA555 then the dynamic suppression group tag could be 214UL555 (U standing for Multivariable).

    3. A trigger alarm can be suppressed. However the actual trigger shall not be suppressed.
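    The timing behaviour of a dynamic suppression group described in this subsection is shown as a small state machine below. This Python is an added example, not from PTS 32.30.60.19 and not IPS or DCS vendor logic; the tag names, the 30 min default, the 60 s check margin and the trip-command-plus-running-contact confirmation are assumptions for the illustration. The confirmed trigger is annunciated and (re)starts the timer, consequential alarms inside the window are suppressed but still recorded, alarms arriving after the timer expires sound again without regenerating the suppressed ones, and the Delay Before Alarm On Check raises one common fault for the group when an expected alarm never came up.

```python
"""Dynamic (first-up) alarm suppression group: confirmed trigger, suppression
timer, timer restart on re-trigger, and the 'expected alarm missing' check.

Added example for Section 4.4.2.5, not from PTS 32.30.60.19. Tag names,
timings and the trip-command-plus-running-contact confirmation are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DynamicSuppressionGroup:
    name: str
    trigger_tags: Set[str]                # trip alarms that may trigger the group
    expected: Dict[str, float]            # suppressed tag -> Time for Alarm to Come Up (s)
    switch_off_delay: float = 1800.0      # Dynamic Suppression Switch Off Delay (s)
    check_margin: float = 60.0            # Delay Before Alarm On Check = largest TACU + 60 s
    enabled: bool = True                  # soft switch for dynamic suppression
    trigger_time: Optional[float] = None  # time of the first confirmed trigger
    active_until: Optional[float] = None  # suppression timer expiry
    suppressed: Set[str] = field(default_factory=set)
    seen: Set[str] = field(default_factory=set)            # alarms that came up since the trigger
    checked: bool = False
    annunciated: List[str] = field(default_factory=list)   # what reached the operator

    def confirmed_trigger(self, tag: str, trip_cmd: bool, running: bool) -> bool:
        # Trigger = trip command from the safety PLC AND confirmation that the
        # drive actually stopped, so one failed signal cannot suppress alarms.
        return tag in self.trigger_tags and trip_cmd and not running

    def on_alarm(self, t: float, tag: str, trip_cmd: bool = False, running: bool = True) -> str:
        """Handle an alarm at time t (s); returns 'annunciated' or 'suppressed'."""
        if self.confirmed_trigger(tag, trip_cmd, running):
            if self.trigger_time is None:
                self.trigger_time = t          # the missing-alarm check runs even when disabled
            if self.enabled:
                self.active_until = t + self.switch_off_delay   # (re)start the timer
            self.annunciated.append(f"{t:.0f}s {tag}")          # the trigger itself is shown
            return "annunciated"
        self.seen.add(tag)
        if self.active_until is not None and t < self.active_until and tag in self.expected:
            self.suppressed.add(tag)       # consequential alarm inside the window
            return "suppressed"
        # Timer expired or tag outside the group: new alarms sound; alarms already
        # suppressed are not regenerated.
        self.annunciated.append(f"{t:.0f}s {tag}")
        return "annunciated"

    def on_triggers_normal(self) -> None:
        """All trigger alarms back to normal: suppression off, nothing re-sounds."""
        self.active_until = None

    def scan(self, t: float) -> Optional[str]:
        """Time-driven check; returns the group's common fault message if an expected alarm never came."""
        if self.trigger_time is None or self.checked:
            return None
        check_at = self.trigger_time + max(self.expected.values()) + self.check_margin
        if t < check_at:
            return None
        self.checked = True
        missing = sorted(set(self.expected) - self.seen)
        if missing:
            return f"{self.name}: expected alarm(s) did not come up: {', '.join(missing)}"
        return None

    def needs_fast_logic(self) -> List[str]:
        """Alarms expected within 4 s of the trigger must be suppressed in the IPS, not the DCS."""
        return sorted(tag for tag, tacu in self.expected.items() if tacu < 4.0)


if __name__ == "__main__":
    g = DynamicSuppressionGroup("K250-GROUP", {"K250_TRIP"},
                                {"FI250_LL": 3.0, "PI251_L": 10.0, "TI252_H": 45.0})
    print(g.on_alarm(1, "K250_TRIP", trip_cmd=True, running=False))   # annunciated
    print(g.on_alarm(3, "FI250_LL"), g.on_alarm(12, "PI251_L"))       # suppressed suppressed
    print(g.scan(110))                                                 # fault: TI252_H missing
    print(g.on_alarm(2000, "PI251_L"))                                 # annunciated (timer expired)
```

    Tags whose Time for Alarm to Come Up is under 4 s are reported by `needs_fast_logic` so their suppression can be moved into the IPS first-up logic as discussed above. The MOS interlock on trigger inputs is not modelled.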

    4.4.2.6 Dynamic Mode Dependent Alarm Settings

    Dynamic mode dependent alarm settings may be required to further reduce the meaningless alarm rate. Mode dependent alarm settings may be required where systems have distinct operational modes that require distinct alarm settings. This is for instance the case for furnaces having a normal mode and a decoke mode. Also the burner management system may have an oil firing mode, a gas firing mode and a dual firing mode. A dryer will have an operating and a regeneration mode. A crude distiller may have different alarm settings depending on the crude being processed.

    With dynamic mode dependent alarm settings, the alarm settings of analogue or digital points are changed according to the detected mode of operation, or are available in the form of batch recipes in the case of sequential (batch) programming. The mode switching is detected from a set of process parameters and may also involve a manual switch.

    Figure 6 Dynamic Mode Dependent Alarm Settings

    Upon a detected mode change, the new set of alarm settings is automatically downloaded into the DCS point. These new settings will be applicable until the next mode change is detected or the dynamic mode dependent alarm setting enable switch is disabled. When disabled, the default set of settings is downloaded into the DCS point automatically. See Figure 6.

    Sensors used for mode detection shall be redundant (i.e. a confirmed mode) so that there is no single point of failure that could lead to the inadvertent alteration of alarm settings or to leaving alarms inadvertently incorrect.

    Mode detection voting shall be such that:

    - Two or more independent process measurements are used, such as the feed to a column, tray temperature or valve position.

    - Correlated measurements with a high probability of common cause failure (e.g. plugged line) are not used.

    - Dead bands are used on the voting permissives (i.e. independent process measurements) to prevent mode cycling.

    - Signals with bad PVs are excluded from voting.

    If none of the defined modes is detected (e.g. because of conflicting mode signals), the default mode shall be selected automatically.

    The default mode settings table contains the most conservative alarm settings, i.e. those settings that would alarm on approaching a constraint in any mode: for high alarms the lowest of all mode settings and for low alarms the highest. Obviously this could lead to many spurious alarms.

    Dynamic mode dependent alarm settings shall not be applied to IPFs and their pre-alarms, since these settings are based on the excursion of safe operating envelopes that should not be mode dependent. Where pre-alarms are also used to alarm excursion from the normal operating envelope, they may have dynamic mode dependent alarm settings.

    Alarm setting changes (each mode change) shall be logged in the DCS for each point.

    When dynamic mode dependent alarm setting groups are defined, the following data shall be recorded:

    Mode dependent alarm setting group tag name and descriptor: a reference tag name of the group and a group descriptor to allow reference and proper administration. The group name and description should give a reference to the system (e.g. furnace) having different operating modes.

    Various mode names and descriptors: a reference tag name of the mode and operating mode name to allow reference and proper administration.

    Permissive and comments: for each mode, a Boolean statement with the (DCS) tags and conditions (signals) that have to be "true" or "false" to detect the mode switch to be made. This includes the condition (alarm, H alarm, LL alarm etc.). Conditions may include timers to limit the time during which a particular mode may be on.

    Mode dependent alarm setting group with default settings: a list of the instrument tags (and attributes such as L, HH etc.) to be manipulated, including the default settings.

    Alarm settings for each defined mode: a list of alarm settings for each instrument tag defined in the dynamic alarm settings group. Such a list should be prepared for each mode of operation defined in the list of operating modes.

    Comments: comments may be added for each instrument tag to clarify particular issues for future reference.

    The lists of modes, the mode dependent alarm setting group, the alarm settings for each defined mode and the comments are best combined in tabular form, with the instrument tags listed vertically in the first column and the default and mode dependent settings in subsequent columns.
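    The mode detection, default table and download steps described in this subsection can be illustrated in code. The following Python is an added example, not from PTS 32.30.60.19: the furnace tags, the normal/decoke modes, the limits and the 2-out-of-2 mode permissives are assumptions (deadbands on the permissive thresholds are omitted for brevity). It derives the default table as the most conservative setting per attribute, selects a mode only when exactly one confirmed mode permissive is true, falls back to the default table otherwise or when the enable switch is off, and logs every changed setting per point.

```python
"""Dynamic mode dependent alarm settings: confirmed mode detection, conservative
default table, download into the DCS points and a change log.

Added example for Section 4.4.2.6, not from PTS 32.30.60.19. Tags, modes,
limits and the 2-out-of-2 mode permissives are assumptions.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Per-mode table: tag -> {attribute: setting}. Attributes H/HH are high
# alarms, L/LL are low alarms. Constructed furnace example.
Settings = Dict[str, Dict[str, float]]

MODE_SETTINGS: Dict[str, Settings] = {
    "NORMAL": {"TI100": {"H": 820.0, "HH": 850.0}, "FI101": {"L": 12.0}},
    "DECOKE": {"TI100": {"H": 760.0, "HH": 800.0}, "FI101": {"L": 4.0}},
}


def default_settings(modes: Dict[str, Settings]) -> Settings:
    """Most conservative table: lowest of all high settings, highest of all low settings."""
    default: Settings = {}
    for table in modes.values():
        for tag, attrs in table.items():
            for attr, value in attrs.items():
                current = default.setdefault(tag, {}).get(attr)
                is_high = attr.startswith("H")
                if current is None or (value < current if is_high else value > current):
                    default[tag][attr] = value
    return default


def vote_2oo2(a: Optional[bool], b: Optional[bool]) -> Optional[bool]:
    """Two independent signals must both be good and true; a bad PV gives no vote."""
    if a is None or b is None:
        return None
    return a and b


def mode_permissives(pv: Dict[str, Optional[float]]) -> Dict[str, Callable[[], Optional[bool]]]:
    """Boolean permissive per mode over constructed tags (FI101 feed, FI102 decoke steam)."""
    def gt(tag: str, limit: float) -> Optional[bool]:
        return None if pv[tag] is None else pv[tag] > limit

    def lt(tag: str, limit: float) -> Optional[bool]:
        return None if pv[tag] is None else pv[tag] < limit

    return {
        "NORMAL": lambda: vote_2oo2(gt("FI101", 10.0), lt("FI102", 1.0)),   # feed on, steam off
        "DECOKE": lambda: vote_2oo2(lt("FI101", 1.0), gt("FI102", 2.0)),    # feed off, steam on
    }


def detect_mode(permissives: Dict[str, Callable[[], Optional[bool]]]) -> str:
    """Exactly one confirmed mode is required; otherwise fall back to DEFAULT."""
    detected = [mode for mode, p in permissives.items() if p() is True]
    return detected[0] if len(detected) == 1 else "DEFAULT"


class ModeDependentGroup:
    def __init__(self, name: str, modes: Dict[str, Settings]) -> None:
        self.name = name
        self.tables: Dict[str, Settings] = dict(modes)
        self.tables["DEFAULT"] = default_settings(modes)
        self.current_mode = "DEFAULT"
        self.enabled = True                                   # enable switch
        self.dcs: Settings = {t: dict(a) for t, a in self.tables["DEFAULT"].items()}
        self.log: List[Tuple[str, str, str, float, float]] = []   # (mode, tag, attr, old, new)

    def apply(self, mode: str) -> int:
        """Download the table for `mode` into the DCS points; returns the number of changed settings."""
        if not self.enabled:
            mode = "DEFAULT"                                  # disabled: default set is restored
        changed = 0
        for tag, attrs in self.tables[mode].items():
            for attr, new in attrs.items():
                old = self.dcs[tag][attr]
                if old != new:
                    self.dcs[tag][attr] = new
                    self.log.append((mode, tag, attr, old, new))   # every change logged per point
                    changed += 1
        self.current_mode = mode
        return changed


if __name__ == "__main__":
    group = ModeDependentGroup("F100", MODE_SETTINGS)
    print(group.tables["DEFAULT"])                           # H 760, HH 800, L 12
    mode = detect_mode(mode_permissives({"FI101": 15.0, "FI102": 0.2}))
    print(mode, group.apply(mode), group.log)                # NORMAL 2 [...]
```

    Note how the default table is conservative in both directions: the high settings come from the decoke mode and the low flow setting from the normal mode, which is why the document warns that running on the default set produces spurious alarms.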

    4.4.2.7 Alarm Suppression in Batch Operations

    A special class of suppression is commonly found in sequential control programs, e.g. for batch operations. Such programs should follow a standard way of enabling / disabling alarms that can be expected to occur.

    EXAMPLE:

    - Start pump
    - Wait until flow reaches alarm value + x %
    - Enable low flow alarm
    - ...
    - Disable low flow alarm
    - Stop pump

    4.5 IMPLEMENTATION

    Implementation is the stage where the design is put into service. This process includes training for the operator and initial testing of the alarm system functions. This process is one step in addressing alarm clarity.

    4.6 OPERATION

    Operation is the stage when the alarm is in service and effectively reporting abnormalconditions to the operator.

    4.7 PERFORMANCE MONITORING

    Performance monitoring is the periodic collection and analysis of data from alarms in the operation life cycle stage. Without monitoring, it is almost impossible to maintain an effective alarm system. This process shall be automated to take place frequently. Monitoring is the primary method to detect problems such as nuisance alarms, stale alarms and alarm floods.

    The DCS vendor's Alarm Management Software shall be used as the tool for this process. A systematic review shall be conducted to analyse the most frequent alarms logged by the Alarm Management Software. The review process is detailed as follows.

    4.3.1.1 Most Frequent Alarms Review (Nuisance Alarm Reduction)

    Repeating alarms, i.e. the same alarm raising and clearing repeatedly over a period, may be generated in several ways, e.g. noise on a process variable when it is near an alarm setting, real high frequency fluctuations of a process variable or repeated action of on-off control loops.

    The intent of this review is to analyze and quickly eliminate repeating alarms, especially alarms due to faulty equipment or incorrect settings. This review shall be conducted every two weeks as part of the AMT work process. A list of the most frequent alarms shall be generated and discussed during the review.

    The review process shall follow Figure 1a:

    Fig 1a: Alarm Review Flowchart
    [Flowchart; only the node labels survive extraction: Start; Select Most Frequent Alarms; decision "Faulty Equipment?"; SAP; Actual Process; Review DCS / Alarm Setting / Alarm Deadband; decision "Change Effect: Safety / Products?"; Alarm Rationalization Process; Alarm Setting Change via MOC.]

    1. Select the most frequent alarm and determine the cause(s) and originating equipment.

    2. Based on the cause(s), determine the action that must be taken to eliminate or reduce the alarm occurrence, e.g.:
       a. If it is due to faulty equipment, the Shift Supervisor is to raise a notification in SAP.
       b. If normal operation is near the alarm setting, consider increasing the alarm deadband or changing the alarm setting, only if this does not affect the process safety time.

    3. Qualify the alarm against the alarm guidelines described in Section 3. If the alarm parameter does not meet the guidelines, decide what the required changes are.

    4. Continue to review the most frequent alarms.

    5. Compile the rest of the changes required and raise an MOC to get the proper approvals.

    6. Modifications shall be implemented by the Instrument/Control engineer as per the configuration guidelines.

    7. Data on each Alarm Review Form shall be updated into the Alarm Reference Database.

    4.8 MAINTENANCE

    Maintenance is a necessary step in the alarm life cycle. The process measurement instrument may need maintenance or some other component of the alarm system may need repair. The repair frequency could be scheduled or determined by monitoring. Periodic testing is also a maintenance function. During the maintenance stage, when the alarm is not in operation, the panel operator shall have alternative means of being alerted.

    Every plant shall have a documented testing philosophy and written test procedures for testing of alarms. As a minimum, Urgent alarms shall be tested during every DOSH shutdown.

    In the event that the alarm requirement has been identified through IPF Studies, therequired testing frequency shall be followed.

    Every test shall be recorded with the date of test, the unique alarm tag, personnel whohave conducted the test, the approving authority and the results of the test.

    4.9 ASSESSMENT

    Assessment is a periodic audit of the alarm system and the alarm management processes detailed in the alarm management philosophy. The assessment may determine the need to modify processes, the philosophy, the design guidance, or the need to improve the organization's discipline to follow the processes.

    4.10 MANAGEMENT OF CHANGE

    Management of Change is the structured process of approval and authorization to makeadditions, modifications, and deletions of alarms from the system. Changes may beidentified by many means, including operator suggestions and monitoring. The changeprocess should feed back to the identification stage to ensure that each change isconsistent with the alarm philosophy.

    Changing the setting or configuration of alarms may alter many aspects of the operator's task in responding to them. This may, in turn, require corresponding changes to schematic displays, operating procedures or other work practices so that an overall consistency is maintained. As such, any changes (new, modify or delete) of alarm setpoints and priorities must be initiated through MOC. Prior to approval of the MOC, an Alarm Review Form must be filled in for each change. This is to ensure that:

    1. The alarms are justified and properly designed with respect to setpoint, priority andassociated displays.

    2. Impact to existing logic design and multiple operator displays due to the changesin the alarm settings are extensively reviewed prior to implementation.

    3. Data on each Alarm Review Form shall be updated into the Alarm ReferenceDatabase.

    4.11 ALARM MANAGEMENT PROCESS LOOPS

    The alarm management process flowchart of Figure 1 shows the relationship betweenthe major stages. Included are three loops with significant importance in alarmmanagement. These loops maintain and improve the alarm system.

    4.11.1 MONITORING AND MAINTENANCE LOOP

    The operation-monitoring-maintenance loop is the daily or weekly process of analyzingthe monitored data to determine what unauthorized changes have been made and whatinstruments need to be repaired. This process can be simple or very complex dependingon the automation systems or safety systems used.

    4.11.2 MONITORING AND MANAGEMENT OF CHANGE LOOP

    The management of change loop is a less frequent, but very necessary, process of identifying changes to the alarm system based on analysis of the monitored data. Changes may be identified through other means as well, such as operator suggestions. Changes to nuisance alarms may be initiated through monitoring. Through monitoring, alarm floods may also be identified. The management of change process can be used to implement advanced alarm management techniques to suppress the alarm floods. There is no set frequency for this loop: it happens on demand.

    4.11.3 ASSESSMENT LOOP

    The assessment-philosophy loop is a 5 year periodic audit of the implementation of the alarm philosophy and all of the processes described there. Through audits on training and alarm response, improvements in alarm clarity can be identified as well as changes to the processes and alarm philosophy.


    4.12 ALARM DOCUMENTATION

    An Alarm Reference Database shall be established using readily available and userfriendly database software e.g. Filemaker. The alarm database shall be updatedquarterly to show the latest alarm settings as configured in the DCS.

    Each completed Alarm Review Form and the changes made shall be updated into thedatabase. A history of the changes made to each alarm parameter shall be available viathis database.

    A full set of alarm system documentation (similar to an IPF requirements specificationaccording to PTS 32.80.10.12) shall be kept as built containing:

- Overall alarm philosophy
- The alarm template definitions
- Alarm settings, rationale and related constraints
- Alarm narratives resulting from the alarm studies
- The decision: alarm or IPF?
- Alarm suppression design, permissives, etc.

Where possible, the use of automatic documentation tools from the DCS Alarm Management Software is encouraged.

4.13 ALARM HISTORY RETENTION

The alarm history shall be retained for not less than one year.


    6.0 BENCHMARKING, PERFORMANCE METRICS AND REPORTING

    Benchmarking provides a means of:

    1. Measuring the effectiveness of the alarm system as it stands

    2. Defining the required degree of improvement

    3. Measuring the degree of improvement actually achieved.

The benchmark asks a number of important questions about the alarm system configuration and behaviour, and includes a questionnaire of the operators on their experience of the alarm system.

    Typically, the following are measured:

1. Number of standing alarms in normal operation
2. Number of alarms per operator
3. Number of alarms per control loop
4. Number of alarms per protected event
5. Ratio of emergency : high : low priority alarms
6. New alarm rate in normal operation
7. New alarm rate in a typical disturbance
8. Number of chattering alarms

To acquire this information, the use of Alarm Management Software (independent or plant DCS vendor based) is recommended. There is also a requirement to analyse events during some typical disturbances, where the Alarm Management Software provides the distinct advantage of an automatic alarm data collection and analysis tool. The results from this benchmark indicate which of the two improvement steps previously discussed is needed.

Success criteria of the initiative will be derived from the benchmarking result above. A selection of alarm performance metrics shall be used to measure the performance of PETRONAS DCS alarm systems. The metrics shall include:

1. Average alarm rate per 10 minutes, per hour and per day
2. Peak alarm rate per 10 minutes
3. Percentage of 10-minute periods in a day with fewer than 5 alarms

The metrics data shall be compared to the EEMUA benchmark to continually assess PETRONAS alarm system performance.

For a plant in steady-state or stable operation, the average alarm rate per 10 minutes determines the following risk and categorization (from EEMUA recommendations):


Table 4 Steady State Alarm Rates

| Average alarm rate in steady-state operation, per 10 minute period | Acceptability categorization | Performance and risk |
|---|---|---|
| More than 10 alarms | Very likely to be unacceptable | Inefficient / High risk |
| More than 5 but less than 10 | Likely to be over-demanding | Medium performance and risk |
| More than 2 but less than 5 | Possibly over-demanding | Medium performance and risk |
| 1 or more but less than 2 | Manageable | Medium performance and risk |
| Less than 1 alarm | Very likely to be acceptable | Efficient / World Class, Low risk |

For a plant experiencing an upset, the number of alarms displayed in the 10 minutes following the upset determines the following risk and categorization (from EEMUA recommendations):

    Table 5 Alarm Rates During Upset Conditions

| Number of alarms displayed in 10 minutes following a major plant upset | Acceptability categorization | Performance and risk |
|---|---|---|
| More than 100 alarms | Definitely excessive and very likely to lead to the operator abandoning use of the system | Inefficient / High risk |
| 20-100 | Hard to cope with | Medium performance and risk |
| 10-20 | Possibly hard to cope with | Medium performance and risk |
| Under 10 | Should be manageable | Medium performance and risk |
| Less than 1 alarm | Very likely to be acceptable, but may be difficult if several of the alarms require a complex operator response | Efficient / World Class, Low risk |

The metrics shall be calculated from alarm data captured in the Alarm Management System, using its Frequency Analysis and Alarm Rates modules. It is therefore critical to ensure that the Alarm Management System is continuously capturing alarms from the DCS: any gap in capture under-reports every rate metric and can make an overloaded alarm system appear compliant.

Monthly Alarm System Performance reports shall be generated through the Alarm Management System. These include the alarm activity trend over the month, the most active points and the distribution of alarm priorities. A summary report for all areas shall also be generated.
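The section 6.0 metrics (average rate per 10 minutes, hour and day; peak 10-minute rate; percentage of 10-minute periods with fewer than 5 alarms; chattering alarms) and the Table 4 steady-state bands, computed over a DCS alarm journal, as an added worked example. This is not code from PTS 32.30.60.19 or from any Alarm Management Software product. The journal record format, the constructed sample records, the 08:00-09:00 analysis window, the treatment of exact band edges and the "3 activations within one minute" chattering rule are all assumptions; the standard defines none of them.

```python
"""Alarm-rate metrics from a DCS alarm journal, checked against the EEMUA 191
steady-state bands of Table 4. Added worked example; the journal format and
the chattering threshold are assumptions, not part of the standard."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample journal (not real plant data). One record per line:
# "timestamp,tag,alarm type,state" where ACT = activation, RTN = return to
# normal. Only activations count towards the alarm rate.
SAMPLE_JOURNAL = """\
2008-12-01 08:00:12,FIC-101,HI,ACT
2008-12-01 08:01:40,FIC-101,HI,RTN
2008-12-01 08:03:05,LIC-205,LO,ACT
2008-12-01 08:11:20,TI-310,HH,ACT
2008-12-01 08:11:35,TI-310,HH,RTN
2008-12-01 08:11:50,TI-310,HH,ACT
2008-12-01 08:12:02,TI-310,HH,RTN
2008-12-01 08:12:15,TI-310,HH,ACT
2008-12-01 08:25:00,PIC-410,HI,ACT
2008-12-01 08:40:30,FIC-101,HI,ACT
2008-12-01 08:55:10,LIC-205,LO,RTN
"""

PERIOD = timedelta(minutes=10)  # EEMUA rates are quoted per 10-minute period


def parse_journal(text):
    """Return activation records as sorted (timestamp, tag, alarm_type) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tag, atype, state = line.split(",")
        if state == "ACT":
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), tag, atype))
    return sorted(events)


def period_counts(events, start, end):
    """Activations per 10-minute period over the analysis window [start, end)."""
    n_periods = (end - start) // PERIOD
    if n_periods < 1:
        raise ValueError("analysis window must cover at least one 10-minute period")
    counts = [0] * n_periods
    for ts, _tag, _atype in events:
        if start <= ts < end:           # events outside the window are ignored
            counts[(ts - start) // PERIOD] += 1
    return counts


def steady_state_category(avg_per_period):
    """Acceptability band from Table 4. The bands are quoted as 'more than' /
    'less than'; a value exactly on an edge is placed in the lower band (assumption)."""
    if avg_per_period > 10:
        return "Very likely to be unacceptable"
    if avg_per_period > 5:
        return "Likely to be over-demanding"
    if avg_per_period > 2:
        return "Possibly over-demanding"
    if avg_per_period >= 1:
        return "Manageable"
    return "Very likely to be acceptable"


def chattering_alarms(events, repeats=3, window=timedelta(minutes=1)):
    """Alarms that activate `repeats` or more times inside `window`.
    The 3-in-one-minute rule is an assumed definition; the standard gives none."""
    stamps_by_alarm = defaultdict(list)
    for ts, tag, atype in events:
        stamps_by_alarm[(tag, atype)].append(ts)
    found = set()
    for alarm, stamps in stamps_by_alarm.items():
        for i in range(len(stamps) - repeats + 1):
            if stamps[i + repeats - 1] - stamps[i] <= window:
                found.add(alarm)
                break
    return sorted(found)


def alarm_metrics(text, start, end):
    """The section 6.0 metrics for one analysis window."""
    events = parse_journal(text)
    counts = period_counts(events, start, end)
    total = sum(counts)
    hours = (end - start).total_seconds() / 3600.0
    avg = total / len(counts)
    return {
        "avg_per_10min": avg,
        "avg_per_hour": total / hours,
        "avg_per_day": total / hours * 24,
        "peak_per_10min": max(counts),
        "pct_periods_under_5": 100.0 * sum(1 for c in counts if c < 5) / len(counts),
        "steady_state_category": steady_state_category(avg),
        "chattering": chattering_alarms(events),
    }


def sample_metrics():
    """Run the metrics over the constructed journal for the 08:00-09:00 hour."""
    return alarm_metrics(SAMPLE_JOURNAL,
                         datetime(2008, 12, 1, 8, 0, 0),
                         datetime(2008, 12, 1, 9, 0, 0))


if __name__ == "__main__":
    for key, value in sample_metrics().items():
        print(f"{key}: {value}")
```

Over the sample hour the journal holds 7 activations in 6 periods, so the average is about 1.2 per 10 minutes ("Manageable" in Table 4) with a peak of 3, and TI-310 HH is flagged as chattering because it activated three times within 55 seconds. Note that return-to-normal records are deliberately excluded: counting them would double the apparent rate.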


    7.0 ALARM PRESENTATION

7.1 The operating philosophy used in most control rooms is the Management by Awareness principle, where:

The panel operator will regularly need to scan overviews of process conditions, which may be presented by means of standard displays or custom graphics. Display structures and hierarchy shall be designed to facilitate this activity.

Situations requiring fast action by the panel operator are indicated by the DCS through the alarm management system, with direct access to the associated displays.

Process graphics shall be presented so as to attract the operator's attention and prompt the corrective action. In addition, the following colour scheme shall be applied to suppressed alarms:

| Situation | Background colour | Colour of the value |
|---|---|---|
| In alarm but suppressed | Soft white | Blue |
| Not in alarm but suppressed | Soft white | Black |

7.2 The following should be considered when incorporating alarms into DCS operator displays:

Colour coding for displays should be muted or altered so that the alarms' visual indicators are more salient and not masked by other colour coding.

On process graphics, blinking text should not be used to indicate unacknowledged alarms, as this makes it difficult for the operator to read the text.

Alarms should be displayed by a changing box outline around the text or by using icons. The colour of the box outline or icon shall change according to the conditions below:

    Table 6 Alarm Colour Codes

| Alarm Priority | Unacknowledged | Acknowledged |
|---|---|---|
| Urgent | Red (Blinking) | Red (Static) |
| High | Orange (Blinking) | Orange (Static) |
| Low | Magenta (Blinking) | Magenta (Static) |


    8. AUDIBLE SIGNALS CONSIDERATIONS

The audible presentation of alarm information should be designed such that the operator is more aware of alarms at higher priorities, providing a hierarchy of awareness from the highest to the lowest level of alarm.

The audible alarm tones shall be clearly distinguishable between plant areas (i.e. process and utility).


    9. TRAINING

Training is a key area that induces change to improve human reliability and lower the probability of failure during abnormal situations.

Training would generally be required under the following circumstances:

1. Startup of a new system
2. Implementation of alarm changes
3. New operators
4. Annual refresher

Items for training:

1. Alarm philosophy
2. Alarm priority definitions
3. Alarm presentation features
4. Defined alarm responses
5. Procedures for handling alarm floods
6. Site MOC process as it relates to alarms
7. Alarm setting audit and enforcement
8. Performance metrics
9. Alarm testing procedures

Specific training on Urgent alarms shall be provided to Console Operators at a minimum frequency of once per year. Operators shall be tested on:

1. Understanding of the alarms
2. Mechanism of annunciation
3. Consequence of missing the alarms
4. Operator response


    10. ROLES AND RESPONSIBILITIES

Plant Manager

- Approval of the Alarm Management Philosophy.
- Review and approval of any future amendments to this philosophy.

Manager, Operations

- Approval of DCS alarm setting changes as per the MOC approval process.
- Allocation of budget for the execution of alarm management activities, if required.
- Responsible for the development of the alarm management strategy to reduce alarms to the world class benchmark.

Manager, Maintenance

- Responsible for the execution of the maintenance strategy to reduce alarms within the area.
- Ensure the approval of notifications registered in SAP, i.e. requests for rectification work related to alarm management activities.
- Allocation of asset maintenance manpower for the execution of alarm management activities, if required.

Operation Engineer / Process Engineer

- Responsible for leading the Alarm Management Team.
- Responsible for the execution of the operation strategy to reduce alarms within the area.
- Allocation of operation manpower for the execution of alarm management activities, if required.

Shift Supervisor (SS)

- Ensure all panel operators understand and follow their roles and responsibilities as outlined in this philosophy.
- Notify in SAP any abnormal alarms and any alarms which result from an equipment failure.
- Inform the relevant parties (Maintenance, Instrument Engineer) if an alarm is overloading a particular operator.

Panel Operator

- React immediately to an alarm with the proper corrective action.
- When several alarms are active, react first to the alarm with the highest priority.
- Inform the SS if he is overloaded and unable to react to a particular alarm.
- Inform the SS of any abnormal alarms.

Instrument/Control Engineer

- Monitor DCS system alarms and take corrective action immediately.
- Propose solutions based on the inherent capabilities of the DCS to solve any alarm problems.
- Execute the alarm changes required on the DCS as approved by MOC.
- Lead any major changes to the DCS alarm system.
- Update the alarm reference database with any Alarm Review Forms (generated either from alarm rationalization / review).
- Generate and distribute the Alarm System Performance reports for each unit.
- Generate and distribute the 20 most frequent alarms report for each area bi-weekly.

Reliability Engineer

- Responsible for reviewing the Alarm System Performance report for each Asset Team monthly.
- Responsible for tracking alarm management activities based on the Alarm System Performance report for each Asset Team.

11. REFERENCES

Human Machine Interface in a Control Room - PTS 32.00.00.11
Management of Change (Guidelines) - PTS 60.2201
Alarm Systems: A Guide to Design, Management and Procurement - EEMUA 191, 2007
Management of Alarm Systems for the Process Industries - Draft ISA 18.02, 2008.04.01
Alarm Management - DEP 32.80.10.14-Gen
ASM Consortium Guidelines: Effective Alarm Management Practices - Revision 5


    APPENDIX 1: ALARM REVIEW FORM

Alarm Review Form

Author:            Issue Date:            Review Date:

Instructions:

The Alarm Review Form shall be filled in and agreed by the following minimum mandatory participants: Operations Engineer, Panel Operator, Process Engineer and Instrument Engineer.

Complete all sections.

IDENTIFICATION

Tag Number:                   Alarm Parameter:

Tag Description:

Alarm Setpoint (Current):     Alarm Setpoint (New):

RATIONALIZATION

Purpose (list the purpose(s) of the alarm)

Causes (list the cause(s) or precursor(s) of the alarm, and list any tags which may help identify the cause(s))

Corrective Actions (define the operator action required to return the process to normal)

Consequence (define the consequence(s) of the alarm event when no corrective action is taken to return the process to normal)

PRIORITY

Determine the priority of the alarm from the DCS Alarm Prioritization Matrix. Record the consequence and response below.

| Consequence Category | Consequence Class | Response Class |
|---|---|---|
| Economics | | |
| Health and Safety | | |
| Environment | | |

Resulting Priority:


    APPENDIX 2: DCS ALARM PRIORITIZATION RISK ASSESSMENT MATRIX

Priority class by response class (rows) and consequence class (columns):

| Available response time (Response Class) | NEGLIGIBLE | LOW | MEDIUM | HIGH | EXTREME |
|---|---|---|---|---|---|
| SHORT (< 5 mins) | L | M | E | *E | *E |
| MEDIUM (5-15 mins) | L | M | M | *E | *E |
| LONG (> 15 mins) | L | L | M | *M | *E |

Consequence class by consequence category:

| Consequence Category | NEGLIGIBLE | LOW | MEDIUM | HIGH | EXTREME |
|---|---|---|---|---|---|
| ECONOMICS | No/Slight Effect (< USD10K) | Minor Effect (USD10K-100K) | Medium Effect (USD0.1M-1M) | Major Effect (USD1M-10M) | Extensive (> USD10M) |
| HEALTH & SAFETY | No/Slight Injury | Minor Injury | Major Injury | Single Fatality | Multiple Fatalities |
| ENVIRONMENT | No/Slight Effect | Minor Effect | Local Effect | Major Effect | Massive |

Legend: E = Emergency / Urgent / High; M = Medium; L = Low.

Note: *M and *E - a priority class that is driven by Health & Safety and/or Environment shall be escalated to IPF layer classification.

ECONOMICS (Repair and Production Loss Expressed in USD)

| Consequence | Description/Definition |
|---|---|
| No/Slight Effect | Estimated cost less than USD10K, or no disruption to unit production |
| Minor Effect | Estimated cost between USD10K and USD100K, or brief disruption |
| Medium Effect | Estimated cost between USD0.1M and USD1M, or partial shutdown that can be restarted |
| Major Effect | Estimated cost between USD1M and USD10M, or partial operation loss |
| Extensive | Estimated cost more than USD10M, or substantial/total loss of operation |


HEALTH AND SAFETY

| Consequence | Description/Definition |
|---|---|
| No/Slight Injury | Not affecting work performance or causing disability |
| Minor Injury | Affecting work performance, such as restriction to activities (RWC) or a need to take a few days to fully recover (Lost Workday Case, LTI). Limited health effects which are reversible, e.g. skin irritation, food poisoning |
| Major Injury | Affecting work performance in the longer term, such as prolonged absence from work (including Permanent Partial Disability). Irreversible health damage without loss of life, e.g. noise induced hearing loss, chronic back injuries |
| Single Fatality | From an accident or occupational illness (poisoning, cancer) |
| Multiple Fatalities | From an accident or occupational illness (poisoning, cancer) |

ENVIRONMENT

| Consequence | Description/Definition |
|---|---|
| No/Slight Effect | No environmental damage or local environmental damage. Within the fence and within systems. Negligible financial consequences |
| Minor Effect | Contamination. Damage sufficiently large to attack the environment. Single exceedance of statutory or prescribed criterion. Single complaint. No permanent effect on the environment |
| Local Effect | Limited loss of discharges of known toxicity. Repeated exceedance of statutory or prescribed limit. Affecting the neighbourhood |
| Major Effect | Severe environmental damage. The company is required to take extensive measures to restore the contaminated environment to its original state. Extended exceedance of statutory or prescribed limits |
| Massive | Persistent severe environmental damage or severe nuisance extending over a large area. In terms of commercial or recreational use or nature conservancy, a major economic loss for the company. Constant, high exceedance of statutory or prescribed limits |
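The Appendix 2 prioritization applied as a procedure, as an added worked example that is not part of PTS 32.30.60.19: the consequence class is taken as the worst of the three categories (Economics from the USD thresholds above, Health & Safety and Environment from their descriptors), the priority is read from the matrix by response class, and the note on *M / *E cells is enforced so that a starred cell driven by Health & Safety or Environment is returned flagged for IPF layer classification rather than silently accepted as a DCS priority. The treatment of values exactly on a boundary (5 and 15 minutes, and each USD threshold) and the handling of a tie between Economics and a safety category are assumptions the standard does not state.

```python
"""DCS alarm priority from the Appendix 2 risk assessment matrix, with the
IPF escalation rule for starred cells. Added worked example; boundary
handling is an assumption (see comments)."""

CONSEQUENCE_CLASSES = ["NEGLIGIBLE", "LOW", "MEDIUM", "HIGH", "EXTREME"]

# Rows: response class; columns: consequence class, left to right as above.
# A leading "*" marks the cells the note says may need IPF escalation.
MATRIX = {
    "SHORT":  ["L", "M", "E", "*E", "*E"],
    "MEDIUM": ["L", "M", "M", "*E", "*E"],
    "LONG":   ["L", "L", "M", "*M", "*E"],
}

# Descriptor order matches CONSEQUENCE_CLASSES.
HEALTH_SAFETY = ["No/Slight Injury", "Minor Injury", "Major Injury",
                 "Single Fatality", "Multiple Fatalities"]
ENVIRONMENT = ["No/Slight Effect", "Minor Effect", "Local Effect",
               "Major Effect", "Massive"]


def response_class(available_minutes):
    """SHORT < 5 min, MEDIUM 5-15 min, LONG > 15 min.
    Exactly 5 and exactly 15 minutes are treated as MEDIUM (assumption)."""
    if available_minutes < 5:
        return "SHORT"
    if available_minutes <= 15:
        return "MEDIUM"
    return "LONG"


def economics_class(cost_usd):
    """Consequence class index from the Economics definitions (USD thresholds).
    A cost exactly on a threshold is placed in the higher class (assumption)."""
    thresholds = [10_000, 100_000, 1_000_000, 10_000_000]
    return sum(1 for t in thresholds if cost_usd >= t)


def prioritize(available_minutes, cost_usd, health_safety, environment):
    """Return (priority, escalate_to_ipf, driving_categories).

    The consequence class is the worst of the three categories. Escalation
    applies only when the matrix cell is starred AND Health & Safety or
    Environment is among the categories sitting at that worst class; a
    starred cell driven by Economics alone stays a DCS priority."""
    classes = {
        "Economics": economics_class(cost_usd),
        "Health & Safety": HEALTH_SAFETY.index(health_safety),
        "Environment": ENVIRONMENT.index(environment),
    }
    worst = max(classes.values())
    drivers = sorted(cat for cat, cls in classes.items() if cls == worst)
    cell = MATRIX[response_class(available_minutes)][worst]
    starred = cell.startswith("*")
    escalate = starred and any(cat != "Economics" for cat in drivers)
    return cell.lstrip("*"), escalate, drivers


if __name__ == "__main__":
    # Slow-developing single-fatality scenario: *M cell driven by Health & Safety.
    print(prioritize(20, 50_000, "Single Fatality", "Minor Effect"))
    # Fast, purely economic loss above USD10M: *E cell but no IPF escalation.
    print(prioritize(3, 20_000_000, "No/Slight Injury", "No/Slight Effect"))
```

The two printed cases illustrate the asymmetry the note creates: a LONG-response, HIGH-consequence alarm driven by a single fatality lands on *M and is flagged for IPF classification, while a SHORT-response EXTREME economic loss lands on *E and is returned as an ordinary Emergency priority because nothing in the safety or environment columns drives it.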