A comprehensive design and guideline document is produced which defines a plant standard employing a best-practise alarm management methodology.
Refer to narratives or other supporting documents to help determine the purpose. If the alarm parameter does not meet the guidelines. The process of alarm rationalization is as follows: Alarm Management Team Leader Operation Engineer who shall monitor and manage the overall progress of the team.
The database shall be configured as per Appendix 1. Using DCS database. This could be a relief valve setting.
Whenever an alarm setting is made. This document identifies what the alarm is. The general rule is that the alarm setpoint. See also Figure 2. However experience has shown that too often alarm settings are set incorrectly or even beyond the constraints of the process or equipment the alarm should protect. This process includes training for the Operator and initial testing of the alarm system functions.
This is the process dead time. Each alarm setting and its rationale should therefore be re-established. This is the highest credible rate of change. This process also includes obtaining feedback from operators. Once the necessary approvals have been obtained. Figure 2 Parameters involved in establishing the alarm setting In all cases the alarm shall be set such that: The design stage includes evaluation of the basic configuration of alarms in the DCS.
One of the key deliverables of this stage is to develop the Operator Alarm Response Manual.
This process includes training for the operator and initial testing of the alarm system functions. The inaccuracy does not include any possible dynamic effects whereby the measurement lags behind the actual process parameter. If conflicts arise between the factors influencing the correct alarm setting. On the other hand. A particular consideration applies to low flow alarms. It includes the inaccuracy of the sensor.
In these cases the worst case of all foreseeable operating modes including start-up and shutdown modes shall be considered. Accept that the operator may not have enough time to prevent the hazardous event in all cases e. Another consideration applies to measurements that are influenced by specific properties of the medium such as the liquid and vapor density for dP and displacer type level measurements.
This option does not reduce the confidence in the alarm but affects the probability that the operator would complete the required action in time.
The setting of low flow alarms therefore involves a balance between avoiding such alarms and retaining measurement accuracy. The measurement on the DCS appears linear but the original input signal has a flow² characteristic. As well as defining the alarm setting. This is the least desirable option.
In these cases there are the following options: Accept that spurious alarms will occur under some operating conditions. The switching inaccuracy is the maximum allowable difference between the actual process parameter and the alarm setting at the moment the alarm activated. This option reduces the confidence in the alarm and affects the probability that the operator would initiate the required actions in the event of a genuine alarm.
This is the most desirable but often impractical solution. Intelligent alarm management however. For repeating or fleeting alarms. The common values shall be referred as per Table 2. Table 2. The following describes the 3 most accepted methods: Deadbands shall be specified in Engineering Units for improved resolution. The deadband should be set according to the type of measurement and its application.
There are various intelligent alarm management techniques available. The alarm hysteresis deadband should be carefully selected for each individual alarm. Other techniques require more detailed study and may also be implemented. Typically the values shall be as per Table 1.

Table 1. Default signal filter time constants
|Type of Process Variable|1st order time constant|De-bouncer timer (digital signals)|
|Flow|2 s|15 s|
|Level|2 s|60 s|
|Liquid Pressure|1 s|15 s|
|Gas Pressure|1 s|15 s|
|Temperature|0 s|60 s|
Static alarm suppression shall be implemented on one plant section. Time to automatically unshelve the alarms shall be determined by OPUs.
Alarms that are always active when a process unit or a large piece of equipment is shut down are statically suppressed. Voting shall be such that: Operators often find alarm systems difficult to manage when relatively large numbers of alarms are permanently or semi-permanently activated. There is the risk of any new alarm remaining unnoticed and the standing alarms cannot be "meaningful" to the operator. Care has to be taken in grouping the tags to be suppressed. Process signals that are part of permissive logic shall be redundant so that there is no single point of failure that could lead to the inadvertent suppression of alarms or to leaving alarms inadvertently suppressed.
Sometimes there are tags within a section that Operations prefers to watch and alarm even when the rest of the unit is down. In order to minimise the number of standing alarms. The maximum number of shelved alarms per operator should be This technique requires easy operator access to a list of shelved alarms and unshelving facility. Shelved alarms shall be automatically unshelved at a predetermined time before the shift change over. Static suppression shall never rely on manual selection only.
Only after the manual suppression command and the suppression permissive states have been met shall static alarm suppression be allowed. H alarm. What are the consequences of a block valve leaking. Bad PV etc. When defining static alarm suppression groups. LL alarm etc. When the alarm suppression for a group is released. If they are undesirable. This includes the condition alarm. The alarm status. The actual alarm condition is not visible in general no buzzer.
These conditions differ for each alarm suppression group. This is done to prevent alarms being generated due to maintenance activities on the shut down section.
All alarms associated with the listed tag number may be suppressed. Trigger voting shall be such that: Figure 4 Dynamic Alarm Suppression. A soft switch shall be provided to enable dynamic alarm suppression. Dynamic suppression will be automatically turned off after a configurable time period default 30 min or when all trigger alarms return to normal.
However the trip may fail partly or completely so that a confirmation of the trip action is required to trigger suppression. Triggers shall be redundant i. See Figure 4. A trigger is usually not the trip transmitter exceeding the trip setting but rather the trip command to the unit or equipment. The first alarm in a defined group is triggered. This minimizes the number of alarms appearing following a trip.
For alarms that come faster after a trigger. This is the time for the trip system to respond to a trip condition. Once the timer has expired any new alarm in the group will sound the buzzer but existing alarms will remain suppressed. The operator can choose to manually suppress the alarm group. Likewise the dynamic alarm check shall be disabled for the point as well. The alarm state sequence diagram for alarms that are in a dynamic alarm suppression group is shown in Figure 5.
The available 4 s includes signal transmission via gateways and various nodes on the control system network. The process graphics will show the actual alarm condition for all suppressed alarms. This is a common alarm for the group. Figure 5 Dynamic Suppression Alarm State Diagram The performance of the alarm suppression logic shall be such that it suppresses subsequent alarms within 4 s after the trigger.
If the operator wishes to know which alarm did not come on. If the new alarm is a trigger. If an alarm in a group is not generated even though it is expected to come on as a consequence of a trip. Where triggers are Trip initiators. This fault alarm is also available when the dynamic alarm suppression is not enabled. For these cases a new dynamic suppression group tag number shall be defined. If the time is less than 4 s.
If the group trigger is not an alarm e. However the actual trigger shall not be suppressed. In some instances dynamic suppression will need to be applied to groups not related to a particular equipment safeguarding system. Group Trigger alarms will almost always be trip alarms or drive failure indicators.
The Group name should be selected to show the relation with the system. The tag may be based upon sequence logic blocks KS blocks or on the major trigger tag for a group. A trigger alarm can be suppressed. A crude distiller may have different alarm settings depending on the crude being processed. Also the burner management system may have Oil firing mode.
See Figure 3. When disabled the default set of settings is downloaded into the DCS point automatically. This is for instance the case for furnaces having a normal mode and a decoke mode. The mode switching is detected from a set of process parameters and may also involve a manual switch. These new settings will be applicable until the next mode change is detected or the dynamic mode dependent alarm setting enable switch is disabled.
A dryer will have an operating and a regeneration mode. Sensors used for mode detection shall be redundant i. Mode dependent alarm settings may be required where systems have distinct operational modes that require distinct alarm settings.
With dynamic mode dependent alarm settings. HH etc. The default mode settings table contains the most conservative alarm settings. Obviously this could lead to many spurious alarms. Dynamic mode dependent alarm settings shall not be applied to IPFs and their prealarms since these settings are based on the excursion of safe operating envelopes that should not be mode dependent.
Alarm setting changes each mode change shall be logged in the DCS for each point. When dynamic mode dependent alarm setting groups are defined. Such a list should be prepared for each mode of operation defined in the list of operating modes. Conditions may include timers to limit the time during which a particular mode may be on. Where pre-alarms are also used to alarm excursion from the normal operating envelope.
If none of the defined modes are detected e. This process is one step in addressing alarm clarity. Stop pump 4. Start pump. Monitoring is the primary method to detect problems such as nuisance alarms. Without monitoring. Disable low flow alarm. Enable low flow alarm. This process shall be automated to take place frequently. The review process is detailed out as follows. A systematic review shall be conducted to analyse the most frequent alarms logged by the Alarm Management Software.
This review shall be conducted every two weeks as part of the AMT work process. Select the most frequent alarm and determine the cause s and originating equipment. Alarm Review Flowchart 1. A list of the most frequent alarms shall be generated and discussed during the review. The review process shall follow Figure 1a. Every test shall be recorded with the date of test. Compile the rest of the changes required and raise MOC to get the proper approvals.
In the event that the alarm requirement has been identified through IPF Studies. The assessment may determine the need to modify processes. Changes may be identified by many means. During the maintenance stage. Continue to review the most frequent alarms. The change process should feed back to the identification stage to ensure that each change is consistent with the alarm philosophy. Periodic testing is also a maintenance function. The repair frequency could be scheduled or determined by monitoring.
As a minimum. If normal operation is near the alarm setting. Qualify the alarm against the alarm guidelines described in Section 3. The process measurement instrument may need maintenance or some other component of the alarm system may need repair. Every plant shall have a documented testing philosophy and written test procedures for testing of alarms.
Urgent alarms shall be tested during every DOSH shutdown. If it is due to faulty equipment. This may. Included are three loops with significant importance in alarm management. These loops maintain and improve the alarm system.
Prior to approval of the MOC. This process can be simple or very complex depending on the automation systems or safety systems used. Changes may be identified through other means as well.
This is to ensure that: The alarms are justified and properly designed with respect to setpoint. The management of change process can be used to implement advanced alarm management technique to suppress the alarm floods. Impact to existing logic design and multiple operator displays due to the changes in the alarm settings are extensively reviewed prior to implementation. As such.
Changes to nuisance alarms may be initiated through monitoring. There is no set frequency for this loop: Through audits on training and alarm response.
Through monitoring. Where possible. A history of the changes made to each alarm parameter shall be available via this database. Each completed Alarm Review Form and the changes made shall be updated into the database. The alarm database shall be updated quarterly to show the latest alarm settings as configured in the DCS.
Determine the hazards that may occur if corrective action is not taken in response to an alarm. In essence. In order for prioritization to be effective. Assign the alarm priority based on the RAM. Identify the safety.
Determine the response time available to the panel man before the hazards occur. The time available from the onset of the alarm setpoint and required for the corrective action to be performed and to have the desired effect. In assigning the priority of an alarm. Success criteria of the initiative will be derived from the bench-marking result above. Number of standing alarms in normal operation; number of alarms per operator; number of alarms per control loop; number of alarms per protected event; ratio of emergency: Measuring the effectiveness of the alarm system as it stands 2.
There is also a requirement to analyze events during some typical disturbances. The results from this bench-mark would indicate which of the two improvement steps previously discussed is needed. Measuring the degree of improvement actually achieved. For a plant in steady state or stable operation. The benchmark asks a number of important questions about the alarm system configuration and behavior.
The metrics shall include: Average alarm rate per 10 minutes. Defining the required degree of improvement 3.
At first these systems merely yielded information, and a well-trained operator was required to make adjustments either by changing flow rates, or altering energy inputs to keep the process within its designed limits. Alarms were added to alert the operator to a condition that was about to exceed a design limit, or had already exceeded a design limit. Additionally, Emergency Shut Down (ESD) systems were employed to halt a process that was in danger of exceeding either safety, environmental or monetarily acceptable process limits.
Alarms were indicated to the operator by annunciator horns, and lights of different colours. Panel boards were usually laid out in a manner that replicated the process flow in the plant. So instrumentation indicating operating units with the plant was grouped together for recognition sake and ease of problem solution.
It was a simple matter to look at the entire panel board, and discern whether any section of the plant was running poorly. This was due to both the design of the instruments and the implementation of the alarms associated with the instruments. Instrumentation companies put a lot of effort into the design and individual layout of the instruments they manufactured.
To do this they employed behavioural psychology practices which revealed how much information a human being could collect in a quick glance.
More complex plants had more complex panel boards, and therefore often more human operators or controllers. Thus, in the early days of panel board systems, alarms were regulated by both size and cost.
In essence, they were limited by the amount of available board space, and the cost of running wiring, and hooking up an annunciator horn, indicator light and switches to flip to acknowledge, and clear a resolved alarm. It was often the case that if you wanted a new alarm, you had to decide which old one to give up. As technology developed, the control system and control methods were tasked to continue to advance a higher degree of plant automation with each passing year.
Highly complex material processing called for highly complex control methodologies. Also, global competition pushed manufacturing operations to increase production while using less energy, and producing less waste. In the days of the panel boards, a special kind of engineer was required to understand a combination of the electronic equipment associated with process measurement and control, the control algorithms necessary to control the process (PID basics), and the actual process that was being used to make the products.
Around the mid 80's, we entered the digital revolution. Distributed control systems (DCS) were a boon to the industry. The engineer could now control the process without having to understand the equipment necessary to perform the control functions. Panel boards were no longer required, because all of the information that once came across analogue instruments could be digitised, stuffed into a computer and manipulated to achieve the same control actions once performed with amplifiers and potentiometers.
As a side effect, that also meant that alarms were easy and cheap to configure and deploy. You simply typed in a location, a value to alarm on and set it to active. The unintended result was that soon people alarmed everything. The integration of programmable logic controllers, safety instrumented systems, and packaged equipment controllers has been accompanied by an overwhelming increase in associated alarms.
Multiple pages of information were thus employed to replicate the information on the replaced panel board. Alarms were used to tell an operator to go look at a page he was not viewing. Alarms were used to tell an operator that a tank was filling.
Every mistake made in operations usually resulted in a new alarm. Alarms were everywhere. Incidents began to accrue as a combination of too much data collided with too little useful information. Recognizing that alarms were becoming a problem, industrial control system users banded together and formed the Alarm Management Task Force, which was a customer advisory board led by Honeywell in The AMTF included participants from chemical, petrochemical, and refining operations.
They gathered and wrote a document on the issues associated with alarm management. This group quickly realised that alarm problems were simply a subset of a larger problem, and formed the Abnormal Situation Management Consortium (ASM is a registered trademark of Honeywell). The focus of this work was addressing the complex human-system interaction and factors that influence successful performance for process operators.
Automation solutions have often been developed without consideration of the human that needs to interact with the solution. In particular, alarms are intended to improve situation awareness for the control room operator, but a poorly configured alarm system does not achieve this goal. The ASM Consortium has produced documents on best practices in alarm management, as well as operator situation awareness, operator effectiveness, and other operator-oriented issues.
The ASM Consortium provided data from their member companies, and contributed to the editing of the guideline. Several institutions and societies are producing standards on alarm management to assist their members in the best practices use of alarms in industrial manufacturing systems. Several companies also offer software packages to assist users in dealing with alarm management issues.
Among them are DCS manufacturing companies, and third-party vendors who offer add-on systems. The fundamental purpose of alarm annunciation is to alert the operator to deviations from normal operating conditions, i. The ultimate objective is to prevent, or at least minimise, physical and economic loss through operator intervention in response to the condition that was alarmed.
For most digital control system users, losses can result from situations that threaten environmental safety, personnel safety, equipment integrity, economy of operation, and product quality control as well as plant throughput.
A key factor in operator response effectiveness is the speed and accuracy with which the operator can identify the alarms that require immediate action. By default, the assignment of alarm trip points and alarm priorities constitutes basic alarm management.
Each individual alarm is designed to provide an alert when that process indication deviates from normal. The main problem with basic alarm management is that these features are static. The resultant alarm annunciation does not respond to changes in the mode of operation or the operating conditions. When a major piece of process equipment like a charge pump, compressor, or fired heater shuts down, many alarms become unnecessary. These alarms are no longer independent exceptions from normal operation.
They indicate, in that situation, secondary, non-critical effects and no longer provide the operator with important information. Similarly, during start-up or shutdown of a process unit, many alarms are not meaningful.
This is often the case because the static alarm conditions conflict with the required operating criteria for start-up and shutdown. In all cases of major equipment failure, start-ups, and shutdowns, the operator must search alarm annunciation displays and analyse which alarms are significant.
This wastes valuable time when the operator needs to make important operating decisions and take swift action. If the resultant flood of alarms becomes too great for the operator to comprehend, then the basic alarm management system has failed as a system that allows the operator to respond quickly and accurately to the alarms that require immediate action. In such cases, the operator has virtually no chance to minimise, let alone prevent, a significant loss. In short, one needs to extend the objectives of alarm management beyond the basic level.