alarm management

Upload: pmnasim

Post on 08-Mar-2016



  • ALARM MANAGEMENT PHILOSOPHY

    Project Title: West Qurna Field 2nd Phase Project

    Project Number: SO2476

    SECL P.O. Number: PO4500094236

    Requisition Description: Material Requisition For Integrated Control and Safety System (ICSS)

    Requisition Number: 8015-0151-SECL-00-430-IN-RQ-20100

    Item Description: ICSS

    Item Number Doc.Number:

    8015-0151-22-PO-45-0009-4236-J08-00409

    APPROVED WITH COMMENTS

    REVIEWED RESUBMIT

    THIS APPROVAL OR REVIEW DOES NOT RELIEVE THE

    VENDOR/SUBCONTRACTOR OF HIS RESPONSIBILITIES

    TO MEET ALL OF THE SPECIFIED REQUIREMENTS OF

    THE PURCHASE ORDER

    ORIGINATOR CHECKED APPD(PR)

    SIGN

    DATE

    SAMSUNG ENGINEERING CO., LTD

    REV | DATE | DESCRIPTION | MADE BY | CHECKED BY | APPROVED BY

    00 | 20121218 | Issue For Approval | BH.HAM | HK.LEE | SB.LEE

    EMERSON PROCESS MANAGEMENT

    SAMSUNG ENGINEERING CO. LTD.

    SEOUL, KOREA

    LUKOIL MID-EAST LIMITED

    BASRAH, IRAQ

    user 09 JAN 2013

    user D.K.YOON / J.S.PARK

    user S.H.CHO

    user K.T.KIM


  • West Qurna Field 2nd Phase Project (Early Oil Phase)

    Doc. Title ALARM MANAGEMENT PHILOSOPHY Rev. : 00 Page : 2

    Doc. No. 8015-0151-22-PO-45-0009-4236-J08-00409 Date Dec.18,2012

    DOCUMENT TITLE: ALARM MANAGEMENT PHILOSOPHY

    DOCUMENT REVISION: 00

    REVISION DATE: Dec.18, 2012

    PROJECT NUMBER: 3152425

    AUTHOR:

    Approvals:

    EPM:

    Date:

    Dec.18. 2012

    Signature by the EPM Project Manager indicates that this document has been reviewed and approved to be issued in accordance with EPM internal quality procedures.

    EPM:

    Date:

    Dec.18. 2012

    Signature by the Lead Engineer indicates that this document has been reviewed and approved to use as a basis for executing the West Qurna 2nd Phase Project.

    Customer:

    Date:

    Signature by the Customer representative indicates that this document has been reviewed and approved for EPM to use as a basis for executing the Diluted & Concentrated West Qurna Phase 2nd Phase Project.

    Reference Documents:


    Revision History:

    The following revision system is used:

    Revision "P" Preliminary issue - EPM/Customer review.

    Revision "00" (00, 01, 02 ... etc.) Issue For Approval (IFA). At this stage, the Customer approved the document.

    Revision "A" (A, B.. etc.) Approved For Construction (AFC) or Final after FAT

    Revision | Revision Date | Author | Description

    00 | Dec.18.2012 | BH.HAM | Issue For Approval

    Table Of Contents:

    Approvals
    Revision History
    Table Of Contents
    Reference Documents

    1 Introduction
    1.1 Terms and Abbreviations

    2 Alarm System Philosophy
    2.1 Alarm Management Principles

    3 Alarm System Design Process
    3.1 Alarm System Category
        3.1.1 Emergency Planning and Response Alarms
        3.1.2 Safety Instrumented Systems Alarms
        3.1.3 Engineered Alarms
        3.1.4 Operator Alarms
        3.1.5 Alarm Suppression
        3.1.6 Chattering Alarms
        3.1.7 Flooding Alarms
        3.1.8 State-Based Alarming
    3.2 Alarm Selection Design Process
        3.2.1 Alarm Documentation and Rationalization
        3.2.2 Alarm Impact, Severity, and Response Time
        3.2.3 Alarm Rationalization Grid

    4 Alarm System Implementation
    4.1 Operator Alarms
    4.2 Engineered Alarms
    4.3 Maintenance Alarms
    4.4 External Device Health & Status Alarms
    4.5 SIS Alarm Interface
        4.5.1 General
        4.5.2 Pre-Alarms
        4.5.3 Shutdown Alarms
        4.5.4 Safety Instrumented Function Displays
        4.5.5 Maintenance Override Switch Use
        4.5.6 Startup Override Alarm Suppression
        4.5.7 Deviation and Rate of Change Alarms/Alerts
        4.5.8 Conditional Alarm
        4.5.9 Digital Alarm
    4.6 Alarm Priority
        4.6.1 Alarm Importance
    4.7 Alarm Types and Message
    4.8 Alarm Suppression
        4.8.1 Automatic Alarm Suppression
    4.9 Alarm Filtering
    4.10 Alarm and Event Logging
    4.11 Alarm Summary

    5 Alarm System Maintenance
    5.1 Alarm Performance Measures
        5.1.1 Alarm Performance Measures
        5.1.2 Design Metrics
        5.1.3 Alarm Performance System
        5.1.4 State-Based or State-Dependent Alarms
        5.1.5 Alarm Flood Suppression
        5.1.6 Emergency Shutdown Systems Special Considerations
        5.1.7 Duplicate Alarms
        5.1.8 Consequential Alarms
        5.1.9 Chattering Alarms
        5.1.10 Alarm Handling for Programs
        5.1.11 PCS System Status Alarms
        5.1.12 Tag and Program References to Alarms
    5.2 Management of Change

    REFERENCE DOCUMENTS

    Document No. | Document Name | Purpose

    EEMUA-191-1999 | Alarm Systems A guide to design, manage and procurement publication no 191-1999 | Alarm guidelines

    ISA/ANSI 18.2 2009 | Management of Alarm Systems for the Process Industries | Alarm guidelines

    Alarm Management Handbook | Bill Hollifield and Eddie Habibi | General reading on alarm management practical aspects


    1 INTRODUCTION

    This document covers the following aspects of the DeltaV alarm philosophy and management for the WQ-2 project:

    Alarm System Philosophy
    Describes what the system is intended to do and the principles of how the system will be designed and implemented.

    Alarm System Design Process
    Describes what the alarm system includes and the process that is used to define the alarm settings, alarm priority, required operator actions, maximum response time, and alarm suppressions.

    Alarm System Implementation
    Effective presentation of information during normal operation and during complex process conditions such as plant upsets or trips. As a result of alarm system implementation, a large number of nuisance alarms and duplicate alarms will be removed or avoided.

    Alarm System Maintenance
    System performance measurements in place to drive improvements using a management of change process. The intent is to make the alarm system sustainable.

    1.1 Terms and Abbreviations

    Table 1-1 and Table 1-2 below provide the list of the major terms and abbreviations used throughout this project.

    Term | Description

    Acknowledged Alarm | An alarm condition currently exists, the operator is aware

    Active Alarm | An alarm condition currently exists

    Alarm | An abnormal condition that must be brought to the operator's attention and requires a response

    Alert | A signal that makes the operator aware of a condition, but that requires no immediate response

    Automatic Suppression | Automatic action that prevents alarm annunciation during temporary situations. See also Suppressed Alarm

    Cleared Alarm | An alarm condition has returned to normal

    Consequential Alarm | An alarm that always occurs because of or as a consequence of another alarm or state change.

    Disabled Alarm | An alarm that is prevented from being propagated to the operator (and logging system), i.e., the alarm propagation logic is disabled

    Device | Smart field instrument

    Event Log | Table containing a time-stamped list of events recorded by the control system

    Inhibited Alarm | Same as Disabled Alarm

    Log | An entry placed in the event log for historical purposes

    Manual Disable | Supervisor action that temporarily prevents alarm detection or propagation. Automatic restoration does not occur. See also Disabled Alarm

    Suppressed Alarm | An alarm that is temporarily prevented from annunciating, both audibly and visually, by lowering its priority to log only.

    Un-Acknowledged Alarm | An alarm condition currently exists, the operator is not yet aware

    Table 1-1 Terms

    Abbreviation | Description

    AOA | Alarm Objectivity Analysis

    EEMUA | The Engineering Equipment and Material Users Association

    ESD | Emergency shutdown system

    Emerson | Emerson Process Management, Hydrocarbon and Energy Industry Centre

    ICSS | Integrated Control and Safety System

    I/O | Input/Output

    PCS | Process control system

    SIS | Safety Instrumented System

    Table 1-2 Abbreviations and Acronyms


    2 ALARM SYSTEM PHILOSOPHY

    Every alarm should identify to the console operator an abnormal, unsafe, and urgent plant condition that requires them to take action or to make an assessment of the unit's condition so that, where possible, they can avoid or minimize plant upset, asset, or environmental damage, and improve safety.

    An alarm is not:

    A reminder for the operator to complete a task

    A mechanism to help perform routine surveillance of the plant

    The purpose of the alarm system is to assist the operator in detecting process problems and prioritizing their response.

    All alarms and shutdowns shall annunciate via the operator stations in the control room. Supplemental annunciation devices such as beacons and horns shall be used to annunciate gas or fire detection or facilitate evacuation within the plant.

    An alarm system monitors plant conditions and informs the operator of significant changes that require assessment and action. The alarm system helps the operator:

    Maintain the plant within a safe operating envelope. The alarm system should help the operator correct problems before they escalate.

    Identify deviations from operating conditions that could lead to financial loss. For example, pump damage from cavitation.

    Better understand complex process conditions such as during plant upsets or trips.

    The Alarm Help functionality within DeltaV provides the operator with information related to specific alarms. Each alarm can be configured by the plant engineering and operations groups to provide Alarm Help information when the alarm is active. The Alarm Help functionality will assist the WQ-2 Project facility in complying with alarm system management requirements related to the ISA 18.2 standard for alarm management.

    2.1 Alarm Management Principles

    Every alarm shall be subjected to the following three questions:

    1. Does the event require operator action?

    2. Is this alarm the best indicator of the situation's root cause?

    3. Is this alarm resulting from a truly abnormal situation?

    The following two basic rules shall be adhered to

    1. Events that do not require operator action shall not be allowed to produce alarms.

    2. Alarms must be produced upon abnormal situations only, not from normal situations.

    The following principles shall guide the design of the alarm system

    All alarms require operator action.

    Every alarm, regardless of its priority, is important.

    Operator corrective action information is easily accessible from the operator interface.

    Alarms present information that is:

        Relevant to the operator's role at the time.

        Easy to understand.

        Important to the operators.

        Presented at a rate that is effective for the operator.

    Alarms assist operators in the management of the plant in terms of safety, environmental, production and plant assets.

    Alarms identify deviations from desired operating conditions that could lead to financial loss such as off-specification product or low-efficiency operation

    Alarms are designed to provide sufficient time for the operator to respond

    Alarm information (as a key component of the control system's integrated operator interface) provides a clear navigational aid and prioritized response aid to the operators

    Alarms are categorized and prioritized using a structured review process aimed to meet the operators' requirements

    The alarm design is documented and includes alarm limits, priorities, causes, consequences, correct actions, response time, and verifying information

    Changes to alarms are managed under a management of change (MOC) work process. All changes must be evaluated, analyzed properly, and communicated to all affected personnel and teams

    Nuisance alarms, unnecessary alarms and duplicate alarms shall be reduced or avoided during alarm system implementation

    The organization establishes a continuous improvement and performance monitoring process to support the alarm system

    An alarm system champion is assigned responsibility for the alarm system in each area of the plant


    3 ALARM SYSTEM DESIGN PROCESS

    3.1 Alarm System Category

    The categories of alarms ranked in their order of importance are

    1. Emergency Planning and Response (fire and gas, deluge, safety showers, evacuation, etc.)

    2. Engineered alarms

    3. Operator alarms

    3.1.1 Emergency Planning and Response Alarms

    The following emergency planning and response alarms require panel operator action. These alarms will have high priority.

    Fire and gas

    Deluge

    Safety showers

    Evacuation

    3.1.2 Safety Instrumented Systems Alarms

    Safety instrumented alarms have been selected by the process design team to ensure the safety of the plant and to prevent equipment damage. These alarms will be implemented in the safety instrumented systems and will identify when an automatic action has been initiated due to a severe abnormal condition in the plant. Pre-alarms will provide the plant operators with sufficient warning of the impending trip condition so that corrective actions can be taken to avert the situation. The pre-trip alarms may have higher priority than the trip alarms. The priority of the SIS alarm will be assessed using the same alarm priority rationalization grid used for the PCS alarms. The alarm limits will be preset and not permitted to be changed without the appropriate management of change process, considering the safety life cycle (see ANSI/ISA S84.01 1996).


    3.1.3 Engineered Alarms

    Engineered alarms have been determined through the HAZOP reviews of the process design. These alarm settings will identify when the process is moving towards an unsafe operating condition. The alarm limits will be pre-set and not permitted to be changed without the appropriate management of change process review. These alarms are provided in the alarm and trip settings document. This document will be used as the basis for alarm objectivity analysis.

    3.1.4 Operator Alarms

    Operator alarms are operator-configurable alarms to assist in running the plant more efficiently. These alarms should never be safety related or related to some other condition that has a serious impact on the plant or its surroundings, since such conditions are properly dealt with in the engineered alarm settings or other protective systems. An alarm priority called "operator" will be introduced in the system, which will be lower than the low alarm priority.

    3.1.5 Alarm Suppression

    Alarm suppression is the way to temporarily disable annunciation of an alarm in the DeltaV Operator Interface. This means that the suppressed alarm will not set off the workstation alarm horn and will not be displayed in the alarm summary or the alarm banner, but this alarm will still be registered in the alarms/events log.

    3.1.6 Chattering Alarms

    Appropriate deadband must be selected for all alarms that are activated repeatedly over a short period of time. This may involve the programming of a deadband for analog trip values and a delay time for digital points. Concepts of on-delay, off-delay, and deadband are explained in Section 5.1.9 of this document.

    3.1.7 Flooding Alarms

    Flooding alarms are several alarms that are shown to the panel operator on the alarm summary that allow the operator to take appropriate action over the process.


    3.1.8 State-Based Alarming

    Most alarms in a process unit pertain to the normal operating state of a piece of equipment. Equipment often has several normal, but differing, operating states. Examples include startup, shutdown, product or feed grade changes, half rate operation, etc. PCS alarm capabilities are normally only for single-state, single-value trip points and priorities.

    3.2 Alarm Selection Design Process

    The selection of alarms and their configuration settings in the control system are critical to its success. Configuring too many alarms can lead to alarm system problems such as alarm floods and high nuisance alarm rates, which can cause the operator to miss critical alarm information. Not identifying or inappropriately setting an alarm limit on an important parameter in the process can lead to an unsafe plant condition or an economic loss for the company.

    The design process for the selection of alarms and their settings will use a systematic, structured analysis consistent with the overall alarm philosophy and plant risk assessment. This structured analysis will capture the alarm proposals coming from design engineering and the operational groups, and is called the alarm objectives analysis (AOA) or alarm documentation and rationalization (D&R). The D&R methodology is described below.

    3.2.1 Alarm Documentation and Rationalization

    Documentation and rationalization (D&R) is a sound, consistent, and logical methodology by which alarms are determined and prioritized. Alarms resulting from the methodology are said to be rationalized.

    D&R is used in the following ways:

    To reduce, on an existing system, the number of configured alarms and thus the alarm load created from them

    To correct a misconfigured system for performance improvement

    To ensure consistency in alarm settings

    To eliminate duplicate alarms

    To ensure proper and meaningful priority and trip point settings

    To configure alarms on points added or modified by projects

    In conjunction with PHA revalidation if alarms are specified

    To verify proper configuration of nuisance alarms as they are identified

    To create the master alarm database, used as a reference for state-based alarm management, flood alarm suppression, and audit/enforce mechanisms

    During a unit rationalization, all alarmable PCS points shall be rationalized, along with any other systems which provide alarm or abnormal situation notification to the board operator. The impact, severity, and response time matrices defined in the next section should be used to rationalize each alarm and will be documented in the results. Background information on the matrix components (impact assumptions, severity, etc.) should also be provided in the documentation for future reference. Any deviation from the alarm priority, as defined in the rationalization matrices, must be identified during the course of the rationalization and documented.

    For proper rationalization, it is a recognized best practice that the following groups participate

    Operations technicians (operators)

    Production and/or process engineers familiar with the process

    Safety and environmental (part time as needed)

    Process control (part time as needed)

    PCS specialists

    Other individuals with knowledge of the process unit, its operation and specific equipment, its advanced control schemes, unit hazards, and the alarm philosophy will be needed periodically. The entire team must understand the alarm philosophy before starting the rationalization.

    Documents required for a thorough rationalization include

    Unit P&IDs

    Operating procedures

    PCS configuration database

    Results from HAZOP or PHA reviews

    PCS graphic printouts

    Process control and safeguarding narrative

    All rationalized process alarms within an operating unit should be documented. The documentation should include all information required to define the alarm, its purpose, and the data required for rationalization. For new projects and incremental changes to the unit, full alarm justification and documentation should be provided as part of the project scope, accompanying any other required project documentation (for example, MOC documents).

    For ease of access and maintainability, the alarm system documentation should be maintained through a uniform electronic database system across the entire client's site.

    As a minimum, the following items will be documented for each alarm

    Possible causes of the alarm

    Operator response or recommended corrective actions for the alarm

    Potential consequences if the operator does not respond to the alarm (or, if the alarm were not present)

    Time available for operator to respond and mitigate identified consequences

    The reasons for over-riding priority recommendations determined by the rationalization principles

    Operations should have on-demand access to the above documentation of the alarm system, preferably electronically, in the form of a master alarm database. The master alarm database has several other important uses, particularly for alarm auditing and settings enforcement.
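One way to implement the auditing and settings-enforcement use of the master alarm database described above, as an added example that is not part of the original document or of DeltaV. The record layout, tag names, finding codes and sample data are assumptions constructed for illustration.

```python
"""Audit a live alarm export against a master alarm database (added example)."""
from dataclasses import dataclass

# Minimum documentation the philosophy requires for every rationalized alarm.
REQUIRED_DOC_FIELDS = ("causes", "operator_response", "consequences",
                       "time_to_respond_min")


@dataclass(frozen=True)
class Finding:
    key: tuple   # (tag, alarm type); the tags used below are constructed samples
    code: str
    detail: str


def audit(master, live):
    """Return findings for documentation gaps and for live settings that
    differ from the rationalized values (a change made outside MOC)."""
    findings = []
    for key, rec in sorted(master.items()):
        for name in REQUIRED_DOC_FIELDS:
            if rec.get(name) in (None, "", []):
                findings.append(Finding(key, "DOC_MISSING", name))
        # A priority that deviates from the rationalization result needs a reason.
        if (rec["priority"] != rec["rationalized_priority"]
                and not rec.get("override_reason")):
            findings.append(Finding(
                key, "OVERRIDE_UNDOCUMENTED",
                f"{rec['rationalized_priority']} -> {rec['priority']}"))
        cfg = live.get(key)
        if cfg is None:
            findings.append(Finding(key, "NOT_CONFIGURED", "absent from live export"))
            continue
        if cfg["limit"] != rec["limit"]:
            findings.append(Finding(
                key, "LIMIT_DRIFT", f"master {rec['limit']} live {cfg['limit']}"))
        if cfg["priority"] != rec["priority"]:
            findings.append(Finding(
                key, "PRIORITY_DRIFT",
                f"master {rec['priority']} live {cfg['priority']}"))
        # A manually disabled alarm is not restored automatically, so list it.
        if not cfg.get("enabled", True):
            findings.append(Finding(key, "DISABLED", "alarm disabled in live export"))
    # Alarms configured in the control system that were never rationalized.
    for key in sorted(set(live) - set(master)):
        findings.append(Finding(key, "UNRATIONALIZED", "absent from master database"))
    return findings


def _doc(**overrides):
    """Build a fully documented master record (constructed sample data)."""
    rec = {
        "causes": ["constructed cause"],
        "operator_response": "constructed response",
        "consequences": "constructed consequence",
        "time_to_respond_min": 10,
        "override_reason": "",
    }
    rec.update(overrides)
    return rec


# Constructed master alarm database: one entry per (tag, alarm type).
MASTER = {
    ("PT-1001", "HI"): _doc(limit=12.5, priority="high",
                            rationalized_priority="high"),
    ("LT-2002", "LO"): _doc(limit=20.0, priority="medium",
                            rationalized_priority="low", consequences=""),
    ("TT-3003", "HI"): _doc(limit=85.0, priority="low",
                            rationalized_priority="low"),
    ("FT-4004", "LO"): _doc(limit=5.0, priority="medium",
                            rationalized_priority="medium"),
}

# Constructed export of what is actually configured in the control system.
LIVE = {
    ("PT-1001", "HI"): {"limit": 14.0, "priority": "high", "enabled": True},
    ("LT-2002", "LO"): {"limit": 20.0, "priority": "medium", "enabled": True},
    ("TT-3003", "HI"): {"limit": 85.0, "priority": "low", "enabled": False},
    ("PT-9009", "HIHI"): {"limit": 16.0, "priority": "high", "enabled": True},
}

if __name__ == "__main__":
    for f in audit(MASTER, LIVE):
        print(f"{f.key[0]:8} {f.key[1]:5} {f.code:22} {f.detail}")
```

Each finding is a candidate for review under the management of change process rather than an automatic correction.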

    3.2.2 Alarm Impact, Severity, and Response Time

    Key aspects for the selection of alarm priorities are

    Alarm priorities will be set for three levels of urgency (low, medium, high) based upon

    The potential consequences (safety, environmental, production, and plant assets) that the operator could prevent by responding appropriately

    The time available for the operator to carry out the required response

    All alarms (regardless of priority) are important and require operator attention

    Impact levels: None, Minor, Major, Severe

    Impact category: Safety
    Any alarm wherein the failure of proper action to be taken can result in likely harm to a person will be prioritized as high. Assumption is that other layers of protection operate.

    Impact category: Environmental
    None: No Effect
    Minor: Minimal exposure. No impact. Does not cross fence line. Contained release. Little, if any, clean up. Source eliminated. Negligible financial consequences. Event Type Recordable, No reporting to Alberta
    Major: On-site H2S or other release. Contamination causes some non-permanent damage. Event Type Reportable, incident reported as not violating permit. Isolated neighbor complaints.
    Severe: Uncontained release of materials with major environmental impact and possible third party impact. Widespread neighbor complaints. Exposed to life-threatening hazard. Disruption of basic services. Impact involving the community. Catastrophic property damage. Extensive cleanup measures and financial consequences. Event Type Reportable incident reported as violating permit.

    Impact category: Costs or Value Of Production Loss
    None: No loss
    Event costing $n,000,000 (approximately one day production volume), notification above operations manager level

    Table 2 Alarm Rationalization Consequence Grid

    The assumptions in Table 3 below were considered while preparing the alarm rationalization consequence grid above.

    Assumption Description

    Probability It is inappropriate to consider probability in an alarm rationalization consequence grid. The assumption is that the alarm (however improbable the process situation) has occurred. The consequence to be considered is the event that will take place if the alarm is ignored. Alarm rationalization is not a PHA, or SIL, or LOPA review. Such probability and risk analyses are used to determine the need for redundancy in a system, not the priority of an alarm when an event does happen.

    Multiple Failures It is inappropriate to assume multiple cascading failures in discussing an alarm consequence scenario. This is best explained by an example. Consider a vessel that has a high pressure alarm. The vessel has a pressure relief device which is routed to the flare that actuates above the high alarm setting. During rationalization, it will be assumed that all protective systems (for example, pressure relief devices or other independent alarms) are active and functional.

    Failure to respond to the high pressure alarm would therefore have environmental (flaring) and/or economic (loss of product to the flare) impacts, but no personnel safety impact. In terms of setting the appropriate alarm priority, it would not be appropriate to say that the consequence would be that in the high pressure scenario, the relief device would also fail, the vessel would rupture, and personnel could be injured (i.e. a personnel safety impact).

    Time to Respond: Maximum time to respond is the time within which the operators can take action(s) to prevent or mitigate the undesired consequence(s) caused by an abnormal condition. This response time must include the action of outside personnel following direction from the console operator.

    To clarify, this is not how long it actually takes the operator to take the action. It is how much time is available to take effective action from when the alarm sounds to when the consequence is unavoidable.

    The board operator's ability to respond to an alarm in a timely fashion determines the degree of success in preventing loss. The consequences of an uncorrected alarm generally worsen with the passage of time.

    During an abnormal condition, the board operator is confronted with making decisions on numerous tasks that must be performed in an appropriate sequence. The timing and the order of executing these tasks determine the outcome of the operator's effort. For example, if two process variables are deviating from normal and can potentially cause the same significant loss, the operator must quickly decide which variable to address first. In such a case, the operator must take action to address the variable that is more volatile or can reach the point of loss in the shortest time.

    Therefore, the shorter the time available to respond, the higher the priority of the alarm will be, assuming equal consequences can result.

    For each alarm being rationalized, and for each area, the maximum time allowable to respond will be identified. This value will allow the response time to be placed in one of the following response time classes:

    greater than 30 minutes

    10 to 30 minutes

    3 to 10 minutes

    less than three minutes

    Table 3

    Assumptions

    3.2.3 Alarm Rationalization Grid

    The alarm rationalization grid for the WQ-2 Project is derived from the severity of consequence and the time to respond, and is given in Table 4 below. This grid will be used in identifying the priority of engineering alarms.

    Potential Consequences (columns) versus Urgency/Response Time (rows)

    | Urgency/Response Time | No Effect | Production/Quality | Plant Asset/Reliability | Safety/Environmental |
    | --- | --- | --- | --- | --- |
    | >30 min | No alarm | Re-engineer alarm | Re-engineer alarm | Re-engineer alarm |
    | 10-30 minutes | No alarm | Low | Low | Medium |
    | 3-10 minutes | No alarm | Low | Medium | Medium |
    | Less than three minutes | No alarm | Medium | High | High |

    Table 4

    Alarm Rationalization Grid

    The grid includes a threshold for not alarming when the time to respond is over 30 minutes. In such a case, the alarm should be redesigned to require action in a shorter time frame. Some exceptions are acceptable.

    Note that a maximum time allowable to respond of greater than 30 minutes does not meet the criteria for an alarm. While an operator may have a time horizon of several hours or more in adjusting process parameters and monitoring their effects, it is inappropriate to sound an alarm for which no action is required for more than 30 minutes. Alarms are to signal conditions that require quick action and must have a characteristic of urgency. Something that can be avoided for more than a half hour with no effect is not an event requiring quick action.

    This is not an absolute principle, and there will be exceptions. An example is an alarm on the failure of a system that acts to protect the long-term health of equipment, such as a corrosion inhibitor addition system. Failure to take action on the alarm might not have consequences for weeks or months, but the system is needed and the failure must be addressed, not forgotten about. The general rule is that response to such an alarm should be the initiation of a maintenance request before the end of the shift. The need for the alarm system to retain a sense of urgency allows for such exceptions.

    4 ALARM SYSTEM IMPLEMENTATION

    The alarm management features in DeltaV are structured for the effective management of the alarm system.

    Alarm priorities, alarm types, alarm suppression, alarm filtration, conditional alarms, operator alarms, engineered alarms, and plant areas all affect the way the system manages individual alarms. This section describes these system-wide concepts.

    Alarms from third party packages will be communicated to PCS over a serial link or OPC and will be time stamped and logged into the event chronicle of the DeltaV HMI in the same way as PCS alarms. Each package may have a different alarm area as defined in the configuration specification. There are 100 plant areas available in the DeltaV database and each area may have the same or different alarm priority.

    4.1 Operator Alarms

    Individual operators have a need for on-the-fly configuration of various system reminders and functions. An example is tank level when filling or transferring, where the alarm limits do not correspond to the amount desired to be moved. Operator change of the overall alarm system trip points has been proven to be a problematic practice. The setting of individual preferences as alarm limits results in sub-optimization of the process, causes shift-based process variation, introduces non-rationalized alarms, and contributes to alarm floods. It is therefore not in keeping with best practices.

    The WQ-2 Project may address this need and problem by providing the operator priority alarm. The settings and existence of these alarms are controllable by the operator. They are not rationalized. The same principles as for regular alarming, however, should be followed, such as operator alarms being configured only for events requiring action. Operator alarms should not be used to replace surveillance of the process (running by alarms).

    During periods of engineered alarm activation, the operator alarms can be filtered from the alarm summary display and not interfere with the proper response to rationalized alarms. There are six operator alarms available per PCS control loop.

    By default, these alarms are disabled from the system configuration. As the systems are being commissioned, the control room operator can enter valid alarm limits and enable the alarm as required to operate the process. Alarm deadband is defaulted to 0.5%.

    | Alarm Name | Operator Control | Default Enable | Default Alarm Limit % of Scale | Allowable Priority Choice | Description |
    | --- | --- | --- | --- | --- | --- |
    | HI_HI_ALM | Y | N | 90 | Engineer | Engineer high-high alarm |
    | HI_ALM | Y | N | 80 | Operator | Operator high alarm |
    | LO_ALM | Y | N | 20 | Operator | Operator low alarm |
    | LO_LO_ALM | Y | N | 10 | Engineer | Engineer low-low alarm |
    | DV_HI_ALM | Y | N | 5 | Operator | Operator deviation high alarm |
    | DV_LO_ALM | Y | N | -5 | Operator | Operator deviation low alarm |

    Table 5

    Summary of Operator Alarms

    Table 5 indicates the default values used if the alarm is not enabled on the P&ID and control narrative; otherwise valid values are entered.

    4.2 Engineered Alarms

    Engineered alarms are not alterable by the operator. They are to provide warning of conditions that require operator action in order to avoid a recognized consequence.

    There are six engineered alarms available per PCS control loop and indicator point. The deadband for all engineered alarms will be set at 0.5% of the engineered scale by default.

    | Alarm Name | Operator Control | Default Enable | Alarm Setpoint % of Scale | Priority | Description |
    | --- | --- | --- | --- | --- | --- |
    | ENG_HI_ALM | N | N* | All are determined via rationalization | All are determined via rationalization | Engineered high-high alarm |
    | ENG_LO_ALM | N | N* | | | Engineered high alarm |
    | ENG_HI_HI_ALM | N | N* | | | Engineered low alarm |
    | ENG_LO_LO_ALM | N | N* | | | Engineered low-low alarm |
    | ENG_DV_LO_ALM | N | N* | | | Engineered deviation high alarm |
    | ENG_DV_HI_ALM | N | N* | | | Engineered deviation low alarm |

    Table 6

    Summary of Engineered Alarms

    Table 6 indicates the default values used if the alarm is not enabled on the P&ID and control narrative; otherwise valid values are entered.

    | Time Base (hh:mm:ss) | Process Variable (kPa) | Prorate PV for 60 Seconds (Note: 5 Second Scan for PV) | Deviation Alarm |
    | --- | --- | --- | --- |
    | 12:00:00 | 50 | | Clear |
    | 12:00:05 | 50.1 | Abs (50.1-50) * (60/5) = 1.2 | Clear |
    | 12:00:10 | 50.2 | Abs (50.2-50.1) * (60/5) = 1.2 | Clear |
    | 12:00:15 | 51.1 | Abs (51.1-50.2) * (60/5) = 10.8 | Active unacknowledged |
    | 12:00:20 | 51.1 | Abs (51.1-51.1) * (60/5) = 0 | Clear unacknowledged |
    | 12:00:25 | 52.6 | Abs (52.6-51.1) * (60/5) = 18 | Active unacknowledged |
    | 12:00:30 | 52.5 | Abs (52.5-52.6) * (60/5) = 1.2 | Clear unacknowledged |

    Table 7

    Deviation Alarm Example
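The calculation in Table 7, reproduced as an added example in Python (not part of the original document and not DeltaV configuration). The 5 kPa per 60 s limit and the optional acknowledgement handling are assumptions, since Table 7 gives neither; the sample values are the ones in the table.

```python
from dataclasses import dataclass
from typing import Optional

SCAN_SECONDS = 5       # Table 7: the PV is scanned every 5 seconds
PRORATE_SECONDS = 60   # Table 7: the change is prorated to 60 seconds
ASSUMED_LIMIT = 5.0    # ASSUMPTION: kPa per 60 s; Table 7 does not state the limit

# (time, PV in kPa) pairs copied from Table 7
TABLE_7_SAMPLES = [
    ("12:00:00", 50.0), ("12:00:05", 50.1), ("12:00:10", 50.2),
    ("12:00:15", 51.1), ("12:00:20", 51.1), ("12:00:25", 52.6),
    ("12:00:30", 52.5),
]


@dataclass
class Scan:
    time: str
    pv: float
    prorated: Optional[float]  # None on the first scan (no previous PV)
    state: str


def evaluate(samples, limit=ASSUMED_LIMIT, ack_times=()):
    """Return one Scan per sample with the prorated change and the alarm state.

    ack_times is a hypothetical list of scan times at which the operator
    acknowledges the alarm; Table 7 itself contains no acknowledgement.
    """
    scans = []
    previous_pv = None
    was_active = False
    unacknowledged = False
    for time, pv in samples:
        if previous_pv is None:
            prorated, active = None, False
        else:
            factor = PRORATE_SECONDS / SCAN_SECONDS
            prorated = round(abs(pv - previous_pv) * factor, 1)
            active = prorated > limit
        if active and not was_active:
            unacknowledged = True       # every new activation needs an acknowledge
        if time in ack_times:
            unacknowledged = False
        if active:
            state = "Active unacknowledged" if unacknowledged else "Active acknowledged"
        else:
            state = "Clear unacknowledged" if unacknowledged else "Clear"
        scans.append(Scan(time, pv, prorated, state))
        previous_pv, was_active = pv, active
    return scans


if __name__ == "__main__":
    for scan in evaluate(TABLE_7_SAMPLES):
        print(scan.time, scan.pv, scan.prorated, scan.state)
```

Any limit between 1.2 and 10.8 reproduces the alarm column of Table 7, so the table brackets the configured limit without fixing it.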

    4.3 Maintenance Alarms

    There will be MAINT_HI and MAINT_LO priorities. The MAINT priority will not show on the operator's normal alarm summary display.

    All instrument malfunction/diagnostics which are not applicable to operator action (for example, many fieldbus diagnostics) shall have a MAINT priority.

    Instrument malfunction alarms that do require operator notification will become a part of PV_BAD alarms and their priority is determined during alarm objectivity analysis.

    Operator response to those will be an attempt at troubleshooting, then either writing a work order, or calling out for immediate maintenance (based upon a list of important instruments and operator judgment).

    The following priorities are recommended for various devices:

    1. Diagnostics on PCS hardware, such as redundant power supplies, redundant communications boxes, redundant controllers, etc.: MAINT_HI, possibly on immediate maintenance callout list.

    2. Diagnostics on externally connected complex hardware, such as analyzers / surge controllers: MAINT_HI. Provide support diagnostics that explain the relevance to the operator.

    3. Instrument malfunction alarms that do not require operator notification shall have MAINT_LO.

    4. Investigate alarm group displays for PVBAD.

    5. Others (case by case, default is MAINT_HI).

    4.4 External Device Health & Status Alarms

    External systems such as analyzers, surge controllers, equipment cabinets, PLCs, and ESD logic solvers are often connected to the PCS directly or via serial, Modbus, or similar methods. It is common for these systems to have multiple health status indicators. Often these are all individually alarmed, which is not a best practice. The best practice is that System Health & Status Alarms shall be shown on the control console by different levels of pictures.

    The operator's response to an external device's health/status alarms should include the following:

    Understand the new limitations of the connected device relative to the alarm produced. (Has the device failed, is it faulted, or is it still functional? Can the readings be trusted or are they suspect?)

    Act accordingly as per procedures. For example, if the analyzer is no longer functioning, begin manual sampling.

    Involve maintenance or staff as appropriate per procedure, based on the particular problem.

    Proper alarm configuration is to provide a single common trouble point indicating an OR from several status inputs. This common point is alarmed for the operator. Grouping the status points into more than one, but still a small number, of logically-related common trouble points is also acceptable. For example, multiple vibration instruments on the compressor should be combined into a common vibration trouble point based upon any of them reaching a particular value. All are logged, but only the common trouble point is alarmed. Additionally there could be an oil system common trouble point being fed from several oil-related inputs.

    The individual status points feeding the common point shall be configured with LOG priority (if it is desired to record their individual time of activation).

    For all such common trouble points, provide detailed displays that show the status of all of the health indicator inputs. This should then be the associated display for the common trouble point. The graphics should also indicate the functional groups to contact for repair, based on the failure type.

    4.5 SIS Alarm Interface

    Alarms from the SIS will be time stamped and logged into the event chronicle of the DeltaV HMI in the same way as PCS alarms. Only a brief discussion is given for SIS alarms here. Please refer to SIS configuration specification for more detail.

    4.5.1 General

    Prior sections of this document refer to various types of alarms (operator, engineered, conditional). It is important to understand that, for safety reasons, all the safety pre-alarms and shutdown alarms are considered to be engineered alarms. There is no provision to modify these alarms from the DeltaV HMI, nor is there a manner (outside the proper overrides) to bypass or turn off these alarms. All alarm values for an input device shall be visible from the faceplates on the HMI for that device. Deadband values and range settings are treated in a similar manner.

    Shutdown alarms (also referred to as trip alarms) shall not be suppressed by maintenance overrides. Pre-alarms (also referred to as pre-trip alarms) shall also not be suppressed by maintenance overrides.

    SIS Alarms shall be annunciated on the DeltaV HMI alarm banner and alarm list.

    The application of ISA S84 or Licensor Design Standards may require the installation of double or triple redundant sensors and alarming in some instances. This may or may not involve voting systems. During process upsets and abnormal situations, the multiple alarming provided may produce undesirable multiple alarms from the same event. In addition, routine shutdowns may result in the activation of several alarms, adding a large number of alarms to the alarm summary. Such nuisance alarms must be avoided if at all possible.

    All redundant and voting installations must be designed and reviewed on a case-by-case basis to ensure

    minimal multiple alarms result from process deviations

    the operator will not receive a flood of unnecessary alarms during routine startup, shutdown, or other periods when the hazard scenario is not valid

    pre-trip or trip conditions will not create multiple alarms from different sensors

    The case-by-case review of these redundant installations may require further study outside of the normal alarm system documentation and rationalization process. Safety considerations inherent in these redundant installations may necessitate dynamic alarm changes in the logic solver equipment, instead of in the PCS.

    There are several techniques to provide the degree of safety provided by sensor redundancies and separate logic solvers, without producing excessive alarms. For example, voting logic within the PCS can be considered for alarm actuation. Annunciation of ESD bypasses must be considered carefully for proper priority selection.

    It may well be that rationalization shows that the pre-alarm to a trip might be a higher priority alarm than the trip notification alarm (for example, the shutdown has occurred). This is perfectly acceptable. At the pre-trip point, the operator can still take effective action to avoid the trip, which may have avoidable major consequences. These consequences can no longer be avoided once the trip occurs. The consequences of ignoring the trip notification alarm at that point may make the trip-caused upset worse if the operator fails to take the correct post-trip actions.

    The voted alarm result must be clear and easily understood by the operator. Consider voting logic output to a dedicated, alarmed flag, or discrete tag on the PCS.

    The operating schematics or graphics must be designed to properly indicate the voted result and the status of the multiple initiators, to prevent operator confusion and provide rapid assessment and verification.

    In the event of equipment trips with several possible causes:

    alarm the overall trip event

    trip initiators may not need alarms

    log initiator activation for historical analysis

    provide adequate first-out or interlock initiator display to allow the operator to identify the trip cause

    4.5.2 Pre-Alarms

    Pre-alarms shall give the operator the opportunity to take corrective action before a process shutdown occurs. Reset action is not required, and pre-alarms should not be defeated by maintenance overrides.

    A device that is in pre-alarm shall be prioritized by the AOA team. Pre-alarm acknowledgement is purely an HMI function, and once acknowledged the device shall appear as solid alarm colour (non-flashing). If the device reverts to normal before the operator has acknowledged the alarm, the device shall flash in hatch alarm colour.

    4.5.3 Shutdown Alarms

    Shutdown initiators shall be trapped so that the operator, when troubleshooting, can always find the source of the shutdown (in the event that the initiating condition is only present for a short duration). Reset action is required. Shutdown alarms are not defeated by maintenance overrides (although the actual trip is prevented in such a case).

    A ready to reset button shall be provided. This button will alert the operator that the initiating condition(s) are normal (the deadband is satisfied) and the interlock is ready to be reset.

    A device that is in shutdown and has high priority when in alarm shall appear flashing red on the HMI process screen. Shutdown alarm acknowledgement is purely an HMI function, and once acknowledged the device shall appear as solid red (non-flashing).

    Shutdown alarms may be ganged for large pieces of equipment to reduce alarm flooding. For example, a common furnace shutdown may be generated on a furnace trip. The operator will use the safety instrumented function displays to diagnose the cause of the problem.

    4.5.4 Safety Instrumented Function Displays

    A display scheme will be utilized for shutdown interlocks that have multiple initiators. This shall be displayed on the HMI screens in specialized Level 3 displays. The format of these screens is addressed in the SIS configuration specification.

    4.5.5 Maintenance Override Switch Use

    Maintenance override switches (MOS) are used to put a device into maintenance mode. They are also referred to as class A overrides. A maintenance person typically puts a device into maintenance bypass when the device is to be repaired or calibrated.

    All safety shutdown initiators will be provided with a maintenance override switch (MOS). Pre-alarms and shutdown alarms associated with the sensor will not be disabled while the maintenance override switch is engaged.

    For SIL 2 and 3 shutdown alarms, a maintenance override notification alarm shall be initiated whenever something is in MOS. This prevents the operator from unknowingly leaving a device in MOS (the MOS notification alarm cannot be suppressed and therefore cannot be ignored).

    4.5.6 Startup Override Alarm Suppression

    In programming terms, overrides/bypasses/permissives are typically classified into three categories or classes: class A, B, and C. Class A overrides are typically maintenance type overrides, and are analogous to the MOS discussed in the previous section.

    Shutdown initiator overrides are often required for start-up. A typical example would be for low flow shutdowns. MOS should not be used for such purposes, since the application of these overrides would adversely affect the availability calculations and hence safety. An operational override shall be used for these requirements, and the override automatically de-activates under predefined conditions. For the above low flow trip, the operational override would have a time-out function. In programming terms, this would be called a class B override. In some cases, the trip may need to return to a normal process condition before de-activating. These types of overrides are referred to as class C overrides.

    Some of these operational overrides need detailed process information. An example would be the isolation of a feed to storage under high temperature conditions. Since the lines are insulated, the material may take some time to cool down. There may be a conditional override based on another temperature (a class C) together with a timed bypass (class B).

    While a device is in a startup override mode (class B or C), the shutdown alarms and pre-alarms shall be inhibited.

    When a process is intentionally stopped, either through automatic logic or manually, alarms that would normally be suppressed during startup are also viewed as nuisance alarms while shut down. Therefore, when a process is intentionally stopped and an initiating device would cause an alarm, that alarm will be inhibited by the SIS.
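How sections 4.5.5 and 4.5.6 treat alarms under each override class, as an added Python model (not part of the original document and not SIS logic solver code). The names Override, Outcome, evaluate and the alarm labels are hypothetical; the class C rule is read here as "the override stays in until the process condition is normal".

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Override:
    cls: str                 # "A" (MOS), "B" (timed) or "C" (conditional)
    started_s: float = 0.0   # time the override was applied, in seconds
    timeout_s: float = 0.0   # class B only: time-out after which it drops out

    def is_active(self, now_s: float, process_normal: bool) -> bool:
        if self.cls == "A":
            return True                      # stays until maintenance removes it
        if self.cls == "B":
            return now_s - self.started_s < self.timeout_s
        if self.cls == "C":
            return not process_normal        # de-activates once the process is normal
        raise ValueError("unknown override class: " + self.cls)


@dataclass
class Outcome:
    trip: bool            # does the shutdown action execute?
    alarms: List[str]     # what is annunciated to the operator


def evaluate(pre_alarm: bool, shutdown: bool, sil: int,
             override: Optional[Override] = None,
             now_s: float = 0.0, process_normal: bool = False) -> Outcome:
    active = override is not None and override.is_active(now_s, process_normal)

    # Class B and C (startup overrides): pre-alarms and shutdown alarms are inhibited.
    if active and override.cls in ("B", "C"):
        return Outcome(trip=False, alarms=[])

    alarms = []
    if pre_alarm:
        alarms.append("PRE_ALARM")
    if shutdown:
        alarms.append("SHUTDOWN_ALARM")

    # Class A (MOS): the trip is prevented but the alarms are not disabled, and
    # SIL 2 and 3 functions raise a notification alarm that cannot be suppressed.
    if active:
        if sil in (2, 3):
            alarms.append("MOS_NOTIFICATION")
        return Outcome(trip=False, alarms=alarms)

    return Outcome(trip=shutdown, alarms=alarms)


if __name__ == "__main__":
    low_flow_start = Override("B", started_s=0, timeout_s=120)  # constructed values
    print(evaluate(True, True, 2, low_flow_start, now_s=30))    # inside the time-out
    print(evaluate(True, True, 2, low_flow_start, now_s=150))   # time-out expired
    print(evaluate(True, True, 2, Override("A")))               # device in MOS
```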

    4.5.7 Deviation and Rate of Change Alarms/Alerts

    In addition to the internal system diagnostics for initiators, the application will also include custom diagnostic logic to detect out-of-range or faulted status, flat-line and high rate-of-change conditions, and deviation. Depending on the nature of the alarm/alert and which system the equipment is in, either the PCS or SIS will generate the alarm/alert. Refer to SIS Configuration Specification for further details.

    4.5.8 Conditional Alarm

    The DeltaV conditional alarming feature provides the ability to easily add alarm time delays and enable/disable alarms to minimize nuisance alarms. This functionality is available to the PCS and SIS; however, it is only available in the SIS in certain cases. Refer to the SIS Configuration Specification for further detail.

    4.5.9 Digital Alarm

    The DeltaV Digital Alarm will come from a digital input such as a pressure, level, or limit switch, or another type of discrete input in the PCS or SIS system. There will be an indication to the operator on the Level-3 process graphics.

    4.6 Alarm Priority

    There are 12 possible alarm priority levels, with numeric values 4 through 15. The highest priority value is 15 (it is used for the most important alarm). The lowest priority value is 4. The alarm priorities configured for the WQ-2 project are given in Table 8.

    An operator display will provide a list of all PCS module alarms currently suppressed at any point in time. The operator cannot disable or suppress engineered alarms.

    Maintenance alert information will use two of the alarm priorities. This information will not be shown on the alarm summary.

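    | Priority | Priority in DeltaV | Priority Level | Auto Acknowledge | Auto Acknowledge Inactive | Horn Sound |
    | --- | --- | --- | --- | --- | --- |
    | CRITICAL | S_CRITICAL | 15 | NO | NO | YES |
    | CRITICAL | E_CRITICAL | 14 | NO | NO | YES |
    | CRITICAL | F_CRITICAL | 13 | NO | NO | YES |
    | WARNING | F_WARNING | 11 | YES | YES | None |
    | WARNING | D_CRITICAL | 10 | YES | YES | None |
    | WARNING | D_WARNING | 9 | YES | YES | None |
    | ADVISORY | ADVISORY | 7 | YES | YES | None |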

    Table 8

    Alarm Priority Settings

    4.6.1 Alarm Importance

    The acknowledged status of the alarm, the current alarm state, the priority value, and the time stamp on the alarm determine the alarm's importance in the system:

    1. Unacknowledged alarms have a higher importance than acknowledged alarms.

    2. After the acknowledgement status is considered, alarms that are still active are considered more important than alarms that have already cleared but have not been acknowledged by the operator yet.

    3. When more than one alarm has the same acknowledgment status and active status, the alarm with the higher priority value has the higher importance.

    4. When more than one alarm has the same priority value, active status, and acknowledgment status, the newer alarm has a higher importance.

    For example, the most recent, acknowledged, active alarm with a priority value of 15 is the most important alarm in the system. Then, a new alarm occurs that is unacknowledged and has a priority value of 7. This new alarm is of higher importance than an acknowledged alarm with a priority value of 15 because of the acknowledgement status of the alarms.
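The four importance rules of section 4.6.1 expressed as a sort key, as an added Python example (not part of the original document and not DeltaV code). The tag names, timestamps and alarm states are constructed; the priority values are taken from Table 8.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    tag: str             # constructed tag name
    priority: int        # DeltaV priority value, 4 (lowest) to 15 (highest)
    active: bool         # False once the condition has cleared
    acknowledged: bool
    timestamp: float     # seconds since start of shift; larger is newer

    def __post_init__(self):
        if not 4 <= self.priority <= 15:
            raise ValueError("priority must be in the range 4..15")


def importance(alarm: Alarm):
    """Tuple compared left to right, mirroring rules 1 to 4 of section 4.6.1."""
    return (
        not alarm.acknowledged,  # 1. unacknowledged before acknowledged
        alarm.active,            # 2. still active before cleared
        alarm.priority,          # 3. higher priority value first
        alarm.timestamp,         # 4. newer alarm first
    )


def rank(alarms):
    """Most important alarm first."""
    return sorted(alarms, key=importance, reverse=True)


# Constructed alarm list covering every tie-break rule.
CONSTRUCTED_ALARMS = [
    Alarm("PT-101", 15, active=True, acknowledged=True, timestamp=100),    # S_CRITICAL, acked
    Alarm("LT-205", 7, active=True, acknowledged=False, timestamp=200),    # ADVISORY, new
    Alarm("TT-330", 13, active=False, acknowledged=False, timestamp=300),  # cleared, unacked
    Alarm("FT-410", 13, active=True, acknowledged=False, timestamp=50),    # F_CRITICAL, older
    Alarm("FT-411", 13, active=True, acknowledged=False, timestamp=400),   # F_CRITICAL, newer
]

if __name__ == "__main__":
    for alarm in rank(CONSTRUCTED_ALARMS):
        print(alarm.tag, alarm.priority, alarm.active, alarm.acknowledged)
```

The acknowledged priority 15 alarm sorts last, which is the case the paragraph above describes: an unacknowledged priority 7 alarm outranks it.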

    4.7 Alarm Types and Message

    An alarm type defines a set of characteristics that determine how alarms appear on alarm summary displays and in the event chronicle. The alarm types used in this project are listed in Table 9 below. Each standard alarm is associated with one of these alarm types.

    | Alarm Type Name | Alarm Word | Category | Alarm Message |
    | --- | --- | --- | --- |
    | Any Alarm | ANY | SYSTEM | Any alarm value %P1 |
    | Change From Normal | CFN | PROCESS | Change from normal value %P1 |
    | Change of State | COS | PROCESS | Change of state |
    | Communication Error | COMM | INSTRUMENT | Communication error |
    | Deviation Alarm | DEV | PROCESS | Deviation alarm target %P1 actual %P2 |
    | DISC_ALM | DISC_ALM | PROCESS | Change of state from %P1 |
    | Discrete Device | FAILED | PROCESS | %P1 |
    | ENG_DEV_ALM | ENG_DEV | PROCESS | ENG deviation alarm target %P1 actual P2 |
    | ENG_HIGH_ALM | ENG_HIGH | PROCESS | ENG high alarm value %P1 limit %P2 |
    | ENG_HIHI_ALM | ENG_HIHI | PROCESS | ENG high-high alarm value %P1 limit %P2 |
    | ENG_LOLO_ALM | ENG_LOLO | PROCESS | ENG low-low alarm value %P1 limit %P2 |
    | ENG_LOW_ALM | ENG_LOW | PROCESS | ENG low alarm value %P1 limit %P2 |
    | ENG_RATE_ALM | ENG_RATE | PROCESS | ENG rate of change rate %P1 limit %P2 |
    | Floating Point Error | FLT | SYSTEM | Floating point error |
    | General I/O Failure | IOF | INSTRUMENT | General I/O failure |
    | High Alarm | HIGH | PROCESS | High alarm value %P1 limit %P2 |
    | High High Alarm | HIHI | PROCESS | High-high alarm value %P1 limit %P2 |
    | Low Alarm | LOW | PROCESS | Low alarm value %P1 limit %P2 |
    | Low Low Alarm | LOLO | PROCESS | Low-low alarm value %P1 limit %P2 |
    | New Alarm | NEW | SYSTEM | New alarm value %P1 |
    | Open Circuit Detected | OCD | INSTRUMENT | Open circuit detected |
    | Over Range | OVER | INSTRUMENT | Over range value %P1 |
    | Rate of Change | RATE | PROCESS | Rate of change rate %P1 limit %P2 |
    | Statistical Alarm | ERROR | SYSTEM | Statistical alarm type %P1 value %P2 |
    | Under Range | UNDER | INSTRUMENT | Under range value %P1 |
    | User Define Alarm 1 desc | ALARM | PROCESS | %P1 |
    | User Define 2 Alarm 2 desc. | ALARM | PROCESS | %P1 %P2 |

    Table 9

    Standard and Custom Alarm Types, Category, and Message

    %P1 and %P2 represent the values of user-defined parameters. User-defined parameters typically capture the value that caused the alarm and the limit value that was in effect at the time the alarm was detected.

    For example, the alarm description column would show High Alarm Value 50.5 Limit 45.0 in the alarm summary display.

    By default, HH and LL alarms will NOT be configured for PCS alarms. They will be configured only under the following conditions:

    - The operator must take different and/or more severe actions for initial alarm and combination alarm
    - There must be enough time in-between alarms to perform the successful initial alarm corrective action before the combination alarm trips

    Experience shows that 90+% of all HI-HH and LO-LL combinations will be eliminated during rationalization, if these principles are followed. If the HH or LL alarm is actually used to trigger a trip (and is thus a trip notification alarm), then it is allowed. The rule above is met because the action for the trip is different than the action for the pre-trip.

    4.8 Alarm Suppression

    Alarm suppression temporarily disables annunciation of an alarm in the DeltaV Operator Interface. A suppressed alarm will not set off the workstation alarm horn and will not be displayed in the alarm summary or the alarm banner, but it will still be registered in the alarms/events log.

    Note that suppression uses the OPSUP parameter. The use of this parameter does not affect any interlock activity that is triggered by the alarm. The interlock will function regardless of the value of OPSUP.

    Alarm suppression is typically used when the operator needs to suppress a single alarm or a small number of alarms. These alarms are typically considered a nuisance because maintenance personnel may be working on a certain transmitter or device that causes the alarm to ring in and out frequently. There are several ways to suppress an alarm, typically:

    - From the detail display, activate the alarm suppression check box
    - From faceplate, right click on alarm box and select the alarm
    - From the alarm summary, right click on the alarm and select suppress alarm

    Shift supervisor level access will be required to suppress alarms.

    Operators should check the suppressed alarm display at the start of every shift.

    Alarms suppressed for sensor malfunction reasons must be unsuppressed after sensor repairs are made.

    Staff should periodically assess the duration of suppressed alarms and ensure the suppression process remains controlled.

    All suppressed alarms will be displayed on the alarm suppression screen. This graphic shows information similar to what is on the alarm summary, and will look like this:

    Figure 1: Alarm Suppression Window

    Un-suppressing an alarm is typically done from the alarm suppression screen, by right clicking on the alarm and selecting un-suppressed alarm, or from the detail faceplate as described above. Un-suppressing an active alarm will cause the alarm to be displayed in the alarm banner and alarm summary screen.

    Note: Suppressing an alarm only removes the alarm from the alarm banner and alarm summary, but does not remove any interlocks or actions from this alarm that have been configured in the control system.
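Because a suppressed alarm is still written to the alarms/events log, the controls described above (supervisor-only suppression, periodic review of suppression duration) can be checked from that log. The following is an added example, not part of the original document or of DeltaV: the record layout, role labels, tag names and the 12-hour review threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
ALLOWED_ROLES = {"SUPERVISOR"}   # assumption: label for shift supervisor level access

# Constructed sample records (not a real DeltaV export):
# (time, user, role, module/alarm, value written to OPSUP: 1 = suppress, 0 = unsuppress)
SAMPLE_EVENTS = [
    ("2013-01-09 06:10", "supv_a", "SUPERVISOR", "FT-101/LO_ALM", 1),
    ("2013-01-09 07:30", "oper_b", "OPERATOR", "PT-205/HI_ALM", 1),
    ("2013-01-09 09:40", "supv_a", "SUPERVISOR", "FT-101/LO_ALM", 0),
    ("2013-01-09 10:00", "supv_c", "SUPERVISOR", "LT-310/HI_ALM", 1),
]


def audit_suppressions(events, now, max_age=timedelta(hours=12)):
    """Pair OPSUP 1/0 writes per alarm; return (closed, findings)."""
    open_sup = {}    # alarm -> (start time, user) for suppressions still in effect
    closed = []      # (alarm, user, duration) for suppressions that were lifted
    findings = []    # (kind, alarm, user, detail) for items needing review
    for ts, user, role, alarm, opsup in sorted(events):
        t = datetime.strptime(ts, FMT)
        if opsup == 1:
            if role not in ALLOWED_ROLES:
                findings.append(("UNAUTHORIZED_ROLE", alarm, user, role))
            # A repeated 1 with no 0 in between keeps the original start time.
            open_sup.setdefault(alarm, (t, user))
        elif alarm in open_sup:
            start, who = open_sup.pop(alarm)
            closed.append((alarm, who, t - start))
        else:
            # A 0 with no matching 1 suggests a gap in the collected log.
            findings.append(("UNSUPPRESS_WITHOUT_SUPPRESS", alarm, user, ts))
    # Anything still suppressed longer than max_age is flagged for review.
    for alarm, (start, who) in sorted(open_sup.items()):
        age = now - start
        if age > max_age:
            findings.append(("STALE_SUPPRESSION", alarm, who, age))
    return closed, findings


if __name__ == "__main__":
    closed, findings = audit_suppressions(SAMPLE_EVENTS, datetime(2013, 1, 10, 6, 0))
    for row in closed + findings:
        print(row)
```
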

    4.8.1 Automatic Alarm Suppression

    Under certain process conditions some alarms shall be suppressed to prevent floods of nuisance alarms (for example, for the steam generator, it does not make sense to show low flow alarms for the passes if the generator is not running and the water system is not commissioned).

    Special modules will be configured in each DeltaV controller to suppress alarms in the control modules under certain conditions. The conditions shall be determined by the process designers and operations.

    Alarm suppression shall be implemented by momentarily writing 1 to the OPSUP parameter of the selected module alarm(s) when the suppression condition becomes active and by momentarily writing 0 when the condition becomes inactive.

    4.9 Alarm Filtering

    Alarm filtering is typically used when the operator needs to view all the alarms in a process plant area; a typical process area consists of the major equipment like the SIH_05 and SIH_06.

    The area alarm filtering icon enables you to turn on the areas from which you want to see alarms and to turn off the areas from which you do not want to see alarms. An area that has been turned off is filtered.

    Figure 2: Alarm Filter Window

    The alarm filter is used to filter alarms in up to 100 plant areas by the following procedure:

    1. Check the box next to an area to display that area's alarms in the alarm banner, the alarm summary, and the alarm suppression screen.

    2. Clear the check box to filter alarms by preventing that area's alarms from being displayed in the alarm banner, the alarm summary screen, the alarm suppression screen, and the alarm filter screen.

    3. Click the all on button to see alarms from all areas that can be turned on. Click the all off button to filter (that is, to prevent display of) alarms from all areas.

    4. Click an alarm area to see detailed information (for example, time of alarm, module, description, parameter, alarm description, and message) on the alarms for that area.

    5. Click the description column in the detailed information area to open the faceplate picture, the primary control picture, or both pictures for that module. This is known as alarm direct access. Two buttons in the alarm banner enable and disable alarm direct access.

    The total count of unacknowledged alarms, active alarms, and suppressed alarms for an area that is checked is displayed next to the plant area name. The total number of alarms, the number of unacknowledged alarms, and the number of suppressed alarms are shown across the top of the area alarm details section. The details section of this picture uses the DeltaV alarm summary object. Whenever an area is being filtered or an alarm is being suppressed, an indicator appears on the alarm acknowledge button on the toolbar, as shown below:

    | Indicator | Indicator Meaning |
    |---|---|
    | (icon not shown) | Indicates that one or more areas are being filtered out. |
    | (icon not shown) | Indicates that one or more alarms are being suppressed. |
    | (icon not shown) | Indicates that an alarm is being suppressed and an area is being filtered. |

    Table 10: Alarm Indicators

    Alarm filtering only affects what is seen through the DeltaV HMI screens. It does not affect the event chronicle database or the association between workstations, users, and alarms that is defined in the PCS or the area keys assigned in the user manager. Alarm filtering affects only the machine on which the filter settings were made and is independent of the user. If you filter alarms and then log off the machine, the next user to log on will not see alarms from the areas that you filtered.

    In this project, alarm segregation is done on each operator console according to the area of operation to prevent alarm overload. Wherever helpful, alarms should be segregated for annunciation to the operator.

    4.10 Alarm and Event Logging

    Alarm logging will be performed on two workstations in the system: the Application WS running the historian (primary storage) and the ProPlus WS (backup storage). Both workstations shall have all plant areas assigned to their alarms collection subsystem. Alarms and events records shall be kept in the DeltaV alarms database for 30 days (available through the process history view) and then purged into the text files located in the specified directories.

    The process history view application on operator workstations shall be configured to connect to the application station when displaying alarms/events.

    Figure 3: Alarms Collection Configuration on the ProPlus and Application Workstations

    The application process history view provides a spreadsheet view of the events and process alarms that occur. It also captures system events such as operator changes, control module installations, and changes in device status. Each event record is made up of fields such as date/time, event type, category, area, node, module, etc.

    Figure 4: Alarm and Event Viewer

    4.11 Alarm Summary

    The DeltaV system software provides a visual tool for monitoring alarms called the alarm summary link. The alarm summary link allows you to monitor, acknowledge, and list alarms using a variety of filtering and sorting methods. Alarm messages in the alarm summary link's display can be color-coded to provide visual clues to the operators.

    Alarms can be sorted as per the table below.

    | Attribute | Sorts Alarms By |
    |---|---|
    | Time In | The time the alarm first occurred. |
    | Block Type | The block type. For example: AI, AO, DI, DO. |
    | Module | The block's name. |
    | Priority | The alarm priority, as defined for each block in the process database (low, medium, or high). |
    | Node | The node name where the alarm originated. The sort by node is based on the order the nodes appear in the network list in the SCU. |
    | Ack/Time | Acknowledgement and then by time in. When sorting alarms in descending order, unacknowledged alarms appear before acknowledged alarms. |
    | Ack/Priority | Acknowledgement and then by priority. When sorting alarms in descending order, unacknowledged alarms appear before acknowledged alarms. |

    Table 11: Alarm Summary Parameters

    Module alarm information is displayed in the alarm summary display until the module value returns to a normal state and an operator has acknowledged that alarm. The following figure shows a sample alarm summary screen.

    Figure 5: Alarm Summary Screen

    Note: Only the background color of the priority and ACK columns changes based on alarm priority.

    5 ALARM SYSTEM MAINTENANCE

    5.1 Alarm Performance Measures

    Despite best efforts to design an alarm system to minimize nuisance alarms and provide only meaningful alarms, there will be a need to change, delete or add new alarms. There is no panacea that can be prescribed for alarm systems that will provide instant and universal improvement in performance. There are, however, some prerequisites to achieving improvements in alarm systems:

    1. A real commitment by senior management of the plant to promote a culture of continuous improvement is required. All staff needs to be helped and encouraged to develop a strategy for improving the alarm system.

    2. An owner for the alarm system is required to:

       - Ensure consistent standards are set and maintained
       - Control changes to alarms and alarm system, manage records and documentation
       - Set performance measures for the alarm system, manage performance reporting and the resulting action for improvements

    3. Thorough application of the basic improvement techniques. Some basic techniques are listed below, but this is not an exhaustive list:

       - Review alarm behavior following all upsets to confirm usability
       - Tune alarm settings on nuisance alarms
       - Adjust deadbands on alarms which often repeat
       - Review alarm messages which operators do not understand or do not know how to respond to
       - Review alarm suppression methods and adjust accordingly
       - Apply de-bounce timers and delay timers to repeating alarms
       - Introduce logic to combine and simplify redundant sets of alarms
       - Group alarms which all have the same operator response

    5.1.1 Alarm Performance Measures

    It will be difficult to sustain the alarm system as a usable system unless alarm system performance measurements are put in place. There are several qualitative measures that can be put in place, such as operator questionnaires to determine usefulness or usability of alarms. Below are quantitative metrics that can be used as performance metrics. The source of the metrics is the Alarm Systems - A guide to Design, Management and Procurement, EEMUA, Appendix 11.

    5.1.1.1 Key Performance Indicator

    Alarm System KPI reports: Both EEMUA-191 and ISA-18.2 stress the importance of periodic measurement of Key Performance Indicators (KPIs). DeltaV Analyze provides a ready-to-use KPI report that can be scheduled or run on-demand and filtered by operator console position. The report contains ten KPI calculations, pie charts for alarm priority and rate distribution, timeline alarm activity charts for the report period and day with the most alarms, top-twenty lists of modules with frequent, fleeting, stale and often-suppressed alarms and a list of disabled alarms. Information sharing is simplified with the report's Microsoft Excel format and user control over file naming and destination folder. Reports can be produced on demand or scheduled by shift, day, week or month.

    5.1.2 Design Metrics

    Design metrics can be used during the alarm system design phase to check whether the design is appropriate for the type of facility and to determine the effort that will be required to maintain the system over the lifetime of the plant. As the complexity of the process increases, one would expect more alarms per operator to be required.

    5.1.2.1 Operating Metrics

    Each area of the plant will periodically assess the performance of its alarm system. The assessment should occur monthly and include the following key performance indicators:

    - Average alarm rate (number of alarms per 10 minute period)
    - Alarm frequency distribution (for example, % of time at less than one, 1-10 and greater than 10 alarms/10 minute window)
    - Peak alarm rate (maximum number of alarms per 10 minute period)
    - Standing alarms (average number of active alarms per 10 minute period)
    - Alarm floods per month (number of 10 minute periods where there were more than 10 incoming alarms)
    - Worst actors monitor reviewed weekly

    5.1.2.2 Average Alarm Rate

    The average alarm rate per operator is a simple indication of the workload imposed on the operator by the alarm system. Typically this is measured over a weekly period. Average alarm rates of less than one alarm per 10 minute window should be achieved at Long Lake. This level is successfully being met at many facilities.

    | Key Performance Indicator (KPI) | Interim Target for Systems Undergoing an Alarm Improvement Effort | Long Term Target |
    |---|---|---|
    | Target Average Process Alarm Rate | 300 per day | 5 per hour ( |

    | Priority | Target Maximum Rate |
    |---|---|
    | Critical (Emergency) | Very infrequently |
    | High | Less than 5 per shift |
    | Medium | Less than 2 per hour |
    | Low | Less than 10 per hour |

    Table 13: Target occurrence rates of alarms of different priorities

    | Metric | Low | Average | High |
    |---|---|---|---|
    | Alarms per Control Valve | 1 | 4 | 6 |
    | Alarms per Analogue Measurement | 0.5 | 1 | 2 |
    | Alarms per Digital Measurement | 0.2 | 0.4 | 0.6 |

    Table 14: Guidance on alarms per plant sub-system

    What is important about these target rates is not only the ability of operators to respond to alarms, but also the operator's attention to the importance of the alarm. The greater the number of high priority alarms compared to, say, low priority alarms, the more the operator will over time discount the priority of alarms altogether and treat each with the same level of attention, thus defeating a key feature of alarm systems.

    Table 15 provides current industry measurement of the long-term alarm rate average for plants in steady state operation. It can be easily seen that the industry standard is well above what is recognized as an acceptable level, and is significantly higher than the target maximum rate of one per 10 minutes shown in Table 15.

    | Long term average alarm rate in steady state operation | Acceptability |
    |---|---|
    | More than 1 per minute | Very likely to be unacceptable |
    | One per 2 minutes | Likely to be over demanding |
    | One per 5 minutes | Manageable |
    | Less than one per 10 minutes | Very likely to be acceptable |

    Table 15: Benchmarks for assessing average alarm rates

    Other dynamic alarm system metrics, such as the number of alarms following a plant upset, the number of standing alarms and operator response times, provide tools to review and modify alarm systems to improve performance. What is lacking at present is a relatively easy method of measuring alarm system performance in terms that are not subject to intensive post mortem studies of events or extensive alarm system data collection. It may remain a fact of alarm system design and maintenance that the effort required for continuous improvement is exhaustive; however, the benefits cannot be readily argued without a link between operator action, production targets and dynamic alarm activity.

    5.1.2.3 Frequency of Alarms/Worst Actors

    The 10 worst actor tags often account for over 50% of the alarm rate. As a component of the alarm performance monitoring, the WQ-2 Project should establish a weekly report showing the 10 worst actor tags and their relative contributions to the alarm rate. The tags identified in this report will be used as a standing work order for review and correction by operations, control, and instrument personnel.
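The rate-based operating metrics of 5.1.2.1 and the worst-actor report of 5.1.2.3 can be computed from alarm records alone. The following is an added example, not part of the original document or of any alarm analysis product: the function names, tag names and sample data are constructed, and standing alarms are left out because they also need each alarm's clear time.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # the page's metrics are per 10-minute period
FLOOD_OVER = 10                  # flood: more than 10 incoming alarms in one window


def alarm_kpis(alarms, start, end, top_n=10):
    """alarms: iterable of (datetime, tag) annunciated on one operator console."""
    if end <= start:
        raise ValueError("end must be after start")
    n_windows = -((start - end) // WINDOW)       # ceiling division on timedeltas
    counts = [0] * n_windows
    per_tag = Counter()
    for ts, tag in alarms:
        if start <= ts < end:
            counts[(ts - start) // WINDOW] += 1
            per_tag[tag] += 1
    total = sum(counts)
    average = total / n_windows

    def pct(k):
        return 100.0 * k / n_windows

    return {
        "average_per_window": average,
        "peak_per_window": max(counts),
        "floods": sum(c > FLOOD_OVER for c in counts),
        # % of time at less than one, 1-10 and more than 10 alarms per window
        "distribution_pct": {
            "<1": pct(sum(c == 0 for c in counts)),
            "1-10": pct(sum(1 <= c <= 10 for c in counts)),
            ">10": pct(sum(c > 10 for c in counts)),
        },
        # (tag, alarm count, % contribution to the total), highest first
        "worst_actors": [(tag, n, 100.0 * n / total)
                         for tag, n in per_tag.most_common(top_n)],
        # page target: average below one alarm per 10-minute window
        "meets_target": average < 1,
    }


def sample_alarms():
    """Constructed one-hour sample: quiet windows plus one chattering tag."""
    t0 = datetime(2013, 1, 9, 0, 0)

    def at(minute, second=0):
        return t0 + timedelta(minutes=minute, seconds=second)

    alarms = [(at(12), "FT-101"), (at(15), "PT-205"), (at(33), "FT-101"),
              (at(51), "LT-310"), (at(52), "LT-310"), (at(58), "TT-400")]
    # LT-310 chatters every 30 s from 00:22:00, twelve times, all in one window.
    alarms += [(at(22, 30 * i), "LT-310") for i in range(12)]
    return t0, alarms


if __name__ == "__main__":
    t0, alarms = sample_alarms()
    for name, value in alarm_kpis(alarms, t0, t0 + timedelta(hours=1)).items():
        print(name, value)
```

In the constructed sample a single chattering tag produces the only flood window and most of the total alarm count, which is the pattern the weekly worst-actor report is meant to expose.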

    5.1.2.4 Number of Alarms Following a Major Plant Upset

    Operator performance during plant upsets is strongly affected by the number of alarms they must deal with. The number of alarms following a plant upset is a good metric for assessing the effectiveness of the alarm design process. As stated in the alarm design process section, accounting for human limitations in the alarm system design is a complex requirement and is difficult to implement. This metric measures the effectiveness of the design relative to this design principle.

    Figure 45 in Alarm Systems - A Guide to Design, Management and Procurement, EEMUA Appendix 11, gives some guidance on alarm rates following an upset and it is recommended that this be used as the benchmark for this metric.

    If the metric falls into the definitely excessive or hard to cope category, the alarm system design should be reviewed to improve the alarm filtering, suppression and modal alarming and also consider deleting some alarms.

    5.1.2.5 Number of Standing Alarms

    A high number of standing alarms can indicate that many of the generated alarms do not require operator action or are nuisance alarms. Those not requiring operator action should be targeted for deletion. The cause of the nuisance alarms needs to be determined and fixed so as not to create an environment of operator complacency to alarms.

    Long standing alarms can also be an indicator of a poorly operated or maintained plant. Thus a periodic review of the long standing alarms can help determine if this is the case.

    5.1.2.6 Priority Distribution

    The effective use of alarm priority can be checked by looking at the distribution of alarms sorted by priority over a period of time. A large percentage of high priority alarms indicates that the control system is not effectively keeping the process within bounds, and that operator action is needed to avoid a significant consequence. Either that, or the assigned priority is incorrect.

    5.1.3 Alarm Performance System

    The source of the data for metric calculations/reporting is the CSS alarm and events database. The calculations and reporting should be done using alarm analysis software.

    5.1.4 State-Based or State-Dependent Alarms

    Most alarms in a process unit pertain to the normal operating state of a piece of equipment. But, equipment often has several normal, but differing, operating states. PCS alarm capabilities are normally only for single-state, single-value trip points and priorities. State examples include startup, shutdown, differing grades of product or feed, half rate operation, etc.

    Besides individual pieces of equipment, sections of an operating unit may have different operating modes where fixed alarms produce inconsistent results. For example, the process may run in modes where certain sub-sections are intentionally shut down, producing a variety of alarms. Or, redundant equipment may produce alarms when unused, even though that is a normal and proper operating condition. In these circumstances, the alarms produced do not meet the real criteria for an alarm (there is no operator action to take) and will become stale and contribute to alarm floods and confusion.

    It is a best practice that all such normal operating states should not cause alarms. A