fialkowski isa2006alarmmangement siemens

Upload: piolinwalls

Post on 30-Oct-2015


TRANSCRIPT

  • Presenter: Charles M. Fialkowski, C.F.S.E.
    - National Process Safety Manager for Siemens Process Safety
    - Safety Systems Specialist for > 10 years
    - 8 years experience as a field service and I&C engineer for Foster Wheeler Energy Corp.
    - Member of the ISA's technical committee SP84 on Safety Systems
    - Developed and instructed courses on BMS and LOPA
    - Chairman for ISA's Safety Division on Fire and Gas systems
    - CTM, Certified Toastmaster

  • Reference Data
    - Draft ISA 18.02; Management of Alarm Systems for the Process Industries
    - (EEMUA) Engineering Equipment and Materials Users Association Publication No. 191:99 Alarm Systems - A Guide to Design, Management and Procurement
    - ANSI/ISA-84.00.01-2004; Application of Safety Instrumented Systems for the Process Industries

  • Management of Alarm Systems for the Process Industries (ISA 18.02) Objective

    The objective is to define the terminology, models, and work processes to effectively implement and manage an alarm system within a process sector facility.

  • The Alarm Management Lifecycle

  • Process Condition Model

    This simple model is a useful reference in the development of alarm principles and the alarm philosophy. The warnings and indications are not to suggest alarms are required, only that under some circumstances alarms may be warranted.

  • Alarm Cycle Model

    This model describes the overwhelming majority of alarms and therefore serves as a useful model for the development of alarm system principles.

  • Alarm Timeline

    Using the state transition diagram it is possible to map some states to a timeline, and clarify the definition of terms related to time. The diagram shows parallel lines representing true process conditions and the indicated process condition. The lines have two possible paths; one path if the operator takes corrective action and one path if no action is taken.
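As an added illustration (not from the presentation), the six alarm cycle states and the transition paths that the notes at the end of this transcript spell out, written as a small Python state machine. The names `S` and `HighAlarm`, the counter of unacknowledged clears, and the way deadband is applied on the return to normal are my own assumptions.

```python
from enum import Enum

class S(Enum):
    """Alarm cycle states, lettered as in the ISA 18.02 draft model notes."""
    NORMAL = "A"        # in range, no active alarm, everything acknowledged
    NEW_ALARM = "B"     # beyond the trigger point, unacknowledged
    ACKD_ALARM = "C"    # still beyond the trigger point, acknowledged
    RTN_UNACK = "D"     # returned to normal and cleared, not yet acknowledged
    LATCH_UNACK = "E"   # returned to normal but latched, not yet acknowledged
    LATCH_ACKD = "F"    # returned to normal, latched, acknowledged, awaiting reset

IN_ALARM = {S.NEW_ALARM, S.ACKD_ALARM}

class HighAlarm:
    """One high-limit alarm walking the transition paths described in the notes.
    Deadband applies on the way back (RTN only below limit - deadband); the alarm
    delay and clearing delay are left out, as the diagram itself leaves them out."""

    def __init__(self, limit, deadband=0.0, latching=False):
        self.limit, self.deadband, self.latching = limit, deadband, latching
        self.state = S.NORMAL
        self.cleared_unacked = 0   # B->D count; many per minute = chattering path A->B->D->A

    def process(self, pv):
        """Feed one process value; returns the resulting alarm state."""
        if self.state in IN_ALARM:
            if pv <= self.limit - self.deadband:                  # process RTN
                if self.state == S.ACKD_ALARM:                      # C->A or C->F
                    self.state = S.LATCH_ACKD if self.latching else S.NORMAL
                elif self.latching:                                 # B->E
                    self.state = S.LATCH_UNACK
                else:                                               # B->D
                    self.state, self.cleared_unacked = S.RTN_UNACK, self.cleared_unacked + 1
        elif pv > self.limit:   # alarm occurs: A->B (assumed also from D, E, F on a fresh excursion)
            self.state = S.NEW_ALARM
        return self.state

    def acknowledge(self):
        """Operator ack: B->C, D->A, E->F; no effect in other states."""
        self.state = {S.NEW_ALARM: S.ACKD_ALARM, S.RTN_UNACK: S.NORMAL,
                      S.LATCH_UNACK: S.LATCH_ACKD}.get(self.state, self.state)
        return self.state

    def reset(self):
        """Operator reset of a latched alarm: E->D (reset before ack) or F->A."""
        self.state = {S.LATCH_UNACK: S.RTN_UNACK,
                      S.LATCH_ACKD: S.NORMAL}.get(self.state, self.state)
        return self.state

    def re_alarm(self):
        """Rarely used re-alarm option: C->B or F->B repeats the indication."""
        if self.state in (S.ACKD_ALARM, S.LATCH_ACKD):
            self.state = S.NEW_ALARM
        return self.state
```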

  • Alarms defined per S84

  • 1st Generation Safety Systems
    - Introduced in the late 1980s
    - Special purpose Safety PLCs introduced to improve safety and availability
    - Employ redundancy and voting techniques (2oo3 or TMR) to enhance safety and availability
    - TÜV certified to DIN/VDE standards (AK1-AK6)

    Examples: Triconex Tricon, August Systems, ICS Triplex Regent

  • 2nd Generation Safety Systems
    - Introduced in the 1990s
    - Employ high levels of self-diagnostics (D) coupled with redundancy and voting techniques (1oo2D or DMR) to provide comparable levels of safety & availability with less hardware (lower cost) than 1st Generation systems
    - TÜV certified to DIN/VDE (AK1-AK6) and IEC 61508 (SIL1-SIL3) standards
    - Windows-based IEC 61131-3 programming tools
    - Improved integration with DCS systems

    Examples: Honeywell FSC, Moore QUADLOG, Yokogawa ProSafe-PLC, ABB Master Safeguard, HIMA H41q/H51q

  • Trends in Process Safety
    - Closer integration with control systems
    - Increased focus on overall safety
    - Enhanced control functionality
    - Flexibility and scalability

    Reference: Trends in Process Safety, Asish Ghosh, ARC Advisory Group, July 2004

  • 3rd Generation Safety Systems
    - Introduced in the early 2000s
    - Very high levels of self-diagnostics (D) to achieve high safety
    - Optional redundancy to achieve high availability
    - Highly modular and scalable
    - TÜV certified to IEC 61508 (SIL1-SIL3) standards
    - All offer tight integration with respective DCS systems
    - Some offer advanced programming tools
    - Some offer distributed safety I/O
    - Some integrate safety fieldbus technology

    Examples: Siemens SIMATIC S7-F/FH, Emerson DeltaV SIS, Yokogawa ProSafe-RS, ABB 800xA (SIL 2 only)

  • Levels of Integrated Control and Safety

  • Consider the interfaces and actions

    [Diagram: BPCS and SIS connected through a gateway and HMI, with the interface topics forcing and bypassing, communications, and fault detection, diagnostics and reactions; a high-pressure example on transmitters PT1/PT2 with PCV, SV and PS showing the alarm (high pressure), the trip point and ESD action against normal pressure and low level under process control.]

  • Alarm requirements
    - Provide operator training
    - Define operator action
    - Validate everything

    [Diagram: sensor architectures from 2oo3 PT (triple) and dual down to 1oo1 LS (simplex).]

  • Poor Alarm Management
    - Nuisance alarms: alarms go off and on regularly or intermittently
    - Alarm floods: too many alarms are presented to the operator during abnormal situations
    - Cascading alarms: specific alarms always occur together
    - Alarm messages do not provide meaningful information (problem or corrective action)
    - Too many high priority alarms are present in the system
    - Standing alarms: too many alarms are present continuously in the system even during steady-state conditions (and operators ignore them)

  • Good Alarm Management
    - The ability to focus the operator's attention on the most important alarms
    - Providing clear and understandable alarm messages
    - Providing information on the recommended corrective action
    - The ability to suppress (lock) all alarms from a device or from a process area
    - The ability to analyze alarm system performance metrics to identify nuisance alarms or areas requiring additional training
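An added example, not part of the presentation, of the performance-metric analysis the last bullet calls for: it scans a constructed alarm journal for the chattering, alarm-flood and standing-alarm patterns from the poor-alarm-management list. The flood benchmark (more than 10 new alarms in 10 minutes) is EEMUA 191's; the chattering and standing thresholds, the journal format and the tag names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alarm journal (not from the presentation): "<ISO time> <tag> ON|OFF",
# where ON = alarm occurs (A->B) and OFF = the process returns to normal and the alarm clears.
SAMPLE_LOG = """\
2024-01-01T08:00:05 TI-101 ON
2024-01-01T08:00:09 TI-101 OFF
2024-01-01T08:00:14 TI-101 ON
2024-01-01T08:00:20 TI-101 OFF
2024-01-01T08:00:31 TI-101 ON
2024-01-01T08:00:40 TI-101 OFF
2024-01-01T08:00:52 TI-101 ON
2024-01-01T08:01:00 TI-101 OFF
2023-12-30T14:00:00 LI-205 ON
2024-01-01T08:05:00 PI-310 ON
2024-01-01T08:05:30 PI-311 ON
"""

def parse_log(text):
    """Return (timestamp, tag, event) tuples in time order."""
    return sorted((datetime.fromisoformat(ts), tag, ev)
                  for ts, tag, ev in map(str.split, text.strip().splitlines()))

def _count_in_window(times, i, window):
    """Number of sorted timestamps from times[i] onward that fall within `window` of it."""
    j = i
    while j < len(times) and times[j] - times[i] < window:
        j += 1
    return j - i

def chattering_tags(rows, max_activations=3, window=timedelta(minutes=1)):
    """Tags repeating the A->B->D->A cycle faster than an operator could act (thresholds assumed)."""
    ons = defaultdict(list)
    for ts, tag, ev in rows:
        if ev == "ON":
            ons[tag].append(ts)
    return sorted(tag for tag, t in ons.items()
                  if any(_count_in_window(t, i, window) > max_activations for i in range(len(t))))

def flood_starts(rows, threshold=10, window=timedelta(minutes=10)):
    """Start times of windows with more new alarms than the EEMUA 191 flood benchmark (10 per 10 min)."""
    t = [ts for ts, _, ev in rows if ev == "ON"]
    return [t[i] for i in range(len(t)) if _count_in_window(t, i, window) > threshold]

def standing_alarms(rows, now=None, min_age=timedelta(hours=24)):
    """Tags still in alarm at `now` (default: end of journal) for at least min_age (assumed threshold)."""
    now = now or rows[-1][0]
    active = {}
    for ts, tag, ev in rows:
        if ev == "ON":
            active.setdefault(tag, ts)   # keep the start of the current alarm episode
        else:
            active.pop(tag, None)
    return sorted(tag for tag, ts in active.items() if now - ts >= min_age)
```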

  • Prioritize and suppress Alarms

    EEMUA studies have shown that to maximize operator effectiveness, no more than three different sets of alarm priorities should be configured in a system.

  • Clear and Understandable

  • Recommended Corrective Action

  • Conclusions

    Proper alarm management CAN be used as a method of risk reduction by reducing the demand rate on the SIS, providing:
    - The sensor is not used for control purposes where loss of control would lead to a demand on the SIF
    - The sensor is not used as part of the SIS
    - Limits are taken into account with respect to the risk reduction that can be claimed for the BPCS and common cause issues.

    The alarm interfaces between the SIS and the operator need to be fully described (pre-shutdown alarms, shutdown alarms, bypass alarms, diagnostic alarms), graphics,

  • [email protected]

    191:99 Alarm Systems - A Guide to Design, Management and Procurement. This publication relates to alarm systems provided for people operating industrial processes such as petroleum and chemical plant, power stations, transport systems etc. It gives guidance on: alarm system philosophy, the design of alarm processing systems and their functionality, the optimisation of the operation of existing alarm systems, and the specification and purchase requirements for new alarm systems. The ultimate objective is to provide guidance to designers to develop alarm systems which are more usable and which result in safer and more cost effective operation of industrial systems. The book has been developed and written by practitioners in association with the US Abnormal System Management Consortium (ASM) and has been able to identify areas and resolve issues where somewhat different terminology and practices might otherwise have been confusing. Basic requirements for alarm and annunciation systems are detailed in several chapters. From there 18 appendices have been prepared, each giving more intensive detail on specific aspects, including: individual alarm design, quantitative and qualitative risk assessment, priority settings, logical processing, repeating and fleeting alarms, sensors, operator questionnaires, the cost of poor performance, suppression study. Because of the breadth of its technical content, and to assist readers, a road map is included to provide directions to key information. Issued 1999, ISBN 0 85931 076 0.

    Process Conditions

    Target: The target range is the set of optimal operating conditions within the normal range. These conditions may reflect highest yield, lowest cost, or target capacity operation of the process. Optimal conditions usually apply to only a subset of process variables. The target range may change over time.

    Normal: The normal range of operation is the expected operating envelope around the optimal target value. The normal range is sometimes called standard operating conditions.

    Upset: The upset condition is an abnormal condition that may result in off-quality material, non-standard product, or increased emissions, or may lead to more severe consequences.

    Shutdown/Disposal: The shutdown or disposal condition is the result of safety or non-safety interlocks, unacceptable process conditions or manual shutdown to avoid unacceptable operating conditions or unacceptable product.

    Process Condition Warnings and Indications

    The transitions between process conditions are the usual points for alarm indications to operators. This model should not be interpreted to suggest alarms for all of the transitions, but that for different types of process variables different transitions may be selected for indications, whether alarms, alerts, or events.

    Off-Target Indication: The off-target indication is triggered at the boundary of the target operating envelope. These indications provide the notification that a process variable, while still in the normal range, is no longer in the optimal target range.

    Pre-Upset Warning: The pre-upset warning provides advance notice of abnormal conditions. Not all process indications provide warning of upset conditions. Where upset or non-standard conditions have significant consequences, such as off-quality material, there may be a warning that provides enough time to avert the upset conditions.

    Upset Indication: The upset condition indication provides notification of the upset condition. When a pre-upset warning is not justified, this may be the first notification of an abnormal condition. Where pre-upset warnings are provided, the upset condition indication may be a confirmation of upset operation such as off-quality material or a permit violation.

    Pre-Trip Warning: The pre-trip warning provides an opportunity to avoid the shutdown trip or condition that requires disposition of the product. The term trip may refer to an emergency shutdown of a plant or a local process interlock on a single piece of equipment. The disposition limit is the point of no return after which a product is unsaleable.

    Trip Indication: The trip indication provides an indication that a shutdown has occurred or a disposition limit has been violated.

    Alarm Cycle States

    The circles in the diagram represent states. The letter is an identifier used in the text below. The second line is a state name, often abbreviated. The third line describes process conditions, while the fourth and fifth lines list the alarm state and its acknowledgement. Ackd is an abbreviation for acknowledged. RTN is an abbreviation for return to normal. Unack is an abbreviation for unacknowledged.

    Normal (A): The normal alarm state is defined as the state in which the process is operating within normal specifications, no active alarms exist and all past alarms have been acknowledged.

    New Alarm (B): The new alarm state is the initial state upon trigger of an alarm due to off-target, upset, or shutdown process conditions. In this state the alarm is unacknowledged. In some cases, previously acknowledged alarms may be configured to re-alarm, triggering a return to this state.

    Ackd Alarm (C): The acknowledged alarm state is reached when an alarm has not cleared, but an operator has noticed and acknowledged the alarm condition.

    RTN Unack (D): The returned-to-normal unacknowledged state is reached when the process returns within normal limits and the alarm clears automatically (sometimes called auto-reset) before an operator has acknowledged the alarm condition.

    Latch Unack (E): Similar to the RTN Unack state above, the latched unacknowledged alarm state occurs when the process returns to normal parameters before the operator has acknowledged the alarm. However, in this case, the alarm itself remains latched and requires further action by the operator to reset the alarm.

    Latch Ackd (F): The latched acknowledged alarm state is the state in which the operator has acknowledged the alarm and the process has returned within normal limits but the alarm remains latched, pending operator reset.

    Alarm Cycle Transition Paths

    The arrows in the diagram represent transitions between states. Dotted lines represent transitions against the normal flow. For simplicity, the diagram does not illustrate effects of deadband and time delays. When the process is considered to be in alarm, it has been beyond the alarm trigger point for the alarm delay period. When the process is shown as returned to normal, it has moved away from the alarm trigger point beyond the deadband and has been in this normal range for any alarm clearing delay that may be implemented in the control system.

    Alarm Occurs (A->B): This path shows the transition from normal to new alarm. The process has gone out of the normal range beyond the alarm trigger point and has remained in this state long enough to trigger the alarm.

    Operator Ackd (B->C): This path is the normal transition when an operator notices an active alarm and acknowledges it before taking action to return the process to normal.

    Re-Alarm (C->B and F->B): The re-alarm path shows another alarm option. This rarely used option periodically generates repetitive alarm indications for a single alarm.

    Process RTN, Alarm Clears (C->A): This is part of a normal sequence for a non-latching alarm that does not require a separate action to reset it. The alarm moves from the acknowledged state to normal.

    Process RTN (C->F): If the alarm latches, the alarm indication will remain after the process has returned to normal.

    Process RTN and Alarm Clears (B->D): This path is followed when the process returns to normal before an operator has acknowledged the alarm and the alarm does not latch.

    Operator Ackd (D->A): When an operator acknowledges an alarm that has already cleared, the normal state is entered.

    Process RTN (B->E): The process returns to normal before an operator acknowledges the alarm, but the alarm is latched.

    Operator Resets (E->D): In this case an operator resets an alarm (perhaps at a field pushbutton station) before acknowledging it (in the control room).

    Operator Ackd (E->F): This is the path followed when an operator acknowledges a latched alarm for which the process has returned to normal.

    Operator Resets (F->A): In this case the latching alarm has been acknowledged and the process has returned to normal. When the alarm is reset, the normal state is entered.

    Chattering Alarm Path (A->B->D->A): Alarms that cycle rapidly in and out of alarm state follow this path. This type of situation can become a nuisance that adds to operator workload.

    Alarm Timeline

    Normal (A): The normal alarm state is defined as the state in which the process is operating within normal specifications, no active alarms exist and all past alarms have been acknowledged.

    New Alarm (B): The new alarm state results when the sensor measurement crosses the alarm limit. There are several factors that affect the uncertainty of the alarm trigger time, such as:
    - Sensor accuracy, sensitivity, and deadband
    - Alarm setting accuracy, sensitivity and deadband
    The time from when the process reaches the condition until the alarm trigger time is also called the time to detect.

    Ackd & Response (C): The acknowledged alarm state is reached when an operator acknowledges the alarm condition. In this state the alarm has not cleared. While not all alarms are acknowledged when a response is taken, for the alarm to be useful an operator is expected to take an action. There are several factors that affect the uncertainty of the response time, such as:
    - System processing speed
    - HMI design and clarity
    - Operator awareness and training
    - Operator loading
    - Complexity of determining the required action
    - Complexity of the required action
    The time from when the alarm is triggered until the operator responds is the actual response time for the alarm. It includes the recognition of the alarm, the determination of the corrective action, and the execution of that corrective action. The upper limit is the allowable operator response time, the point at which the consequence results even if action is taken.

    Return to Normal (A): The normal alarm state results from the correct action within the required response time. There are several factors that affect the uncertainty of the return to normal time. These include:
    - The actual time for the operator to take action
    - The degree of action taken
    - The response time of the process to the corrective action
    - Sensor accuracy, sensitivity, and deadband
    - Alarm setting accuracy, sensitivity and deadband

    Consequence Threshold: The consequences result when no operator action is taken, the incorrect action is taken, or action is taken after the maximum allowable response time. The consequences begin to occur at the consequence threshold. There are several factors that affect the uncertainty of this timing:
    - The type of consequence
    - The response time of the process
    It is best to allow the maximum time for operator response prior to the impact of the consequences. This must be balanced against setting the alarm point too close to the normal operating range, thus creating a nuisance alarm.

    Like the process automation market, the process safety market has changed dramatically in the last several years. Many of these changes have been driven by international standards, new technology and market demand for more cost effective solutions.

    ARC, who analyzes this market, has quite accurately identified these 4 major trends. There are basically 3 levels of integrating control and safety systems. Each one has pros and cons.

    Interfaced: Majority of systems today, due to historical reasons and what major suppliers had to offer. Pros: no common cause. Cons: higher cost, higher engineering, additional training, maintenance, no single point of responsibility, gateway issues.

    Integrated: Not a new concept. Introduced in the mid-90s. Adoption slow with major end-users due to huge investment and trust in traditional suppliers. New standards and the need to modernize control & safety systems are bringing this issue to the forefront. Pros: opposite of the interfaced cons. Cons: ?

    Common: Also not a new concept. Several TMR suppliers have unsuccessfully attempted to encourage this. Drawbacks were that the SIS didn't provide full DCS capability. Newer systems offer the technology needed. The question of separation and layers of protection still remains as a roadblock for many applications. Pros: lower hardware costs. Cons: higher false trip rate?

    Integrated:
    - Unified engineering tools
    - Secure communications without a gateway
    - Sharing of signals for comparison purposes
    - Fewer spare parts
    - Single point of responsibility

    Yet Independent:
    - Firewalls between control & safety
    - Visual differentiation between control & safety environment
    - Proper access protection