
ALARM MANAGEMENT PHILOSOPHY

Project Title: West Qurna Field 2nd Phase Project
Project Number: SO2476
SECL P.O. Number: PO4500094236
Requisition Description: Material Requisition For Integrated Control and Safety System (ICSS)
Requisition Number: 8015-0151-SECL-00-430-IN-RQ-20100
Item Description: ICSS
Item Number:
Doc. Number: 8015-0151-22-PO-45-0009-4236-J08-00409

APPROVED
REVIEWED

WITH COMMENTS
RESUBMIT

THIS APPROVAL OR REVIEW DOES NOT RELIEVE THE VENDOR/SUBCONTRACTOR OF HIS RESPONSIBILITIES TO MEET ALL OF THE SPECIFIED REQUIREMENTS OF THE PURCHASE ORDER

     | ORIGINATOR | CHECKED | APPD(PR)
SIGN | D.K.YOON / J.S.PARK | S.H.CHO | K.T.KIM
DATE | 09 JAN 2013 | 09 JAN 2013 | 09 JAN 2013

SAMSUNG ENGINEERING CO., LTD

REV | DATE | DESCRIPTION | MADE BY | CHECKED BY | APPROVED BY
00 | 20121218 | Issue For Approval | BH.HAM | HK.LEE | SB.LEE

EMERSON PROCESS MANAGEMENT

SAMSUNG ENGINEERING CO. LTD., SEOUL, KOREA
LUKOIL MID-EAST LIMITED, BASRAH, IRAQ

West Qurna Field 2nd Phase Project (Early Oil Phase)
Doc. Title: ALARM MANAGEMENT PHILOSOPHY
Doc. No.: 8015-0151-22-PO-45-0009-4236-J08-00409
Rev.: 00
Date: Dec.18,2012

DOCUMENT TITLE: ALARM MANAGEMENT PHILOSOPHY
DOCUMENT REVISION: 00
REVISION DATE: Dec.18, 2012
PROJECT NUMBER: 3152425
AUTHOR:

Approvals:

EPM:
Date: Dec.18. 2012
Signature by the EPM Project Manager indicates that this document
has been reviewed and approved to be issued in accordance with
EPM internal quality procedures.

EPM:
Date: Dec.18. 2012
Signature by the Lead Engineer indicates that this document has
been reviewed and approved to use as a basis for executing the
West Qurna 2nd Phase Project.

Customer:

Date:
Signature by the Customer representative indicates that this
document has been reviewed and approved for EPM to use as a
basis for executing the Diluted & Concentrated West Qurna Phase 2nd
Phase Project.

Reference Documents:


Revision History:
The following revision system is used:
Revision "P" Preliminary issue - EPM/Customer review.
Revision "00" (00, 01, 02 ... etc.) Issue For Approval (IFA). At this stage, the Customer approved the
document.
Revision "A" (A, B.. etc.) Approved For Construction (AFC) or Final after FAT

Revision | Revision Date | Author | Description
00 | Dec.18.2012 | BH.HAM | Issue For Approval


Table Of Contents:

Approvals
Revision History
Table Of Contents
Reference Documents
1 Introduction
  1.1 Terms and Abbreviations
2 Alarm System Philosophy
  2.1 Alarm Management Principles
3 Alarm System Design Process
  3.1 Alarm System Category
    3.1.1 Emergency Planning and Response Alarms
    3.1.2 Safety Instrumented Systems Alarms
    3.1.3 Engineered Alarms
    3.1.4 Operator Alarms
    3.1.5 Alarm Suppression
    3.1.6 Chattering Alarms
    3.1.7 Flooding Alarms
    3.1.8 State-Based Alarming
  3.2 Alarm Selection Design Process
    3.2.1 Alarm Documentation and Rationalization
    3.2.2 Alarm Impact, Severity, and Response Time
    3.2.3 Alarm Rationalization Grid
4 Alarm System Implementation
  4.1 Operator Alarms
  4.2 Engineered Alarms
  4.3 Maintenance Alarms
  4.4 External Device Health & Status Alarms
  4.5 SIS Alarm Interface
    4.5.1 General
    4.5.2 Pre-Alarms
    4.5.3 Shutdown Alarms
    4.5.4 Safety Instrumented Function Displays
    4.5.5 Maintenance Override Switch Use
    4.5.6 Startup Override Alarm Suppression
    4.5.7 Deviation and Rate of Change Alarms/Alerts
    4.5.8 Conditional Alarm
    4.5.9 Digital Alarm
  4.6 Alarm Priority
    4.6.1 Alarm Importance
  4.7 Alarm Types and Message
  4.8 Alarm Suppression
    4.8.1 Automatic Alarm Suppression
  4.9 Alarm Filtering
  4.10 Alarm and Event Logging
  4.11 Alarm Summary
5 Alarm System Maintenance
  5.1 Alarm Performance Measures
    5.1.1 Alarm Performance Measures
    5.1.2 Design Metrics
    5.1.3 Alarm Performance System
    5.1.4 State-Based or State-Dependent Alarms
    5.1.5 Alarm Flood Suppression
    5.1.6 Emergency Shutdown Systems Special Considerations
    5.1.7 Duplicate Alarms
    5.1.8 Consequential Alarms
    5.1.9 Chattering Alarms
    5.1.10 Alarm Handling for Programs
    5.1.11 PCS System Status Alarms
    5.1.12 Tag and Program References to Alarms
  5.2 Management of Change


REFERENCE DOCUMENTS

Document No. | Document Name | Purpose
EEMUA-191-1999 | Alarm Systems: A guide to design, management and procurement, publication no. 191-1999 | Alarm guidelines
ISA/ANSI 18.2 2009 | Management of Alarm Systems for the Process Industries | Alarm guidelines
- | Alarm Management Handbook, Bill Hollifield and Eddie Habibi | General reading on practical aspects of alarm management


1 INTRODUCTION

This document covers the following aspects of the DeltaV alarm philosophy and alarm management for the WQ-2 project:
- Alarm System Philosophy: describes what the system is intended to do and the principles of how the system will be designed and implemented.
- Alarm System Design Process: describes what the alarm system includes and the process that is used to define the alarm settings, alarm priority, required operator actions, maximum response time, and alarm suppressions.
- Alarm System Implementation: effective presentation of information during normal operation and during complex process conditions such as plant upsets or trips. As a result of alarm system implementation, a large number of nuisance alarms and duplicate alarms will be removed or avoided.
- Alarm System Maintenance: system performance measurements are in place to drive improvements using a management of change process. The intent is to make the alarm system sustainable.

1.1 Terms and Abbreviations

Table 1-1 and Table 1-2 below provide the list of the major terms and abbreviations used throughout this project.

Term | Description
Acknowledged Alarm | An alarm condition currently exists and the operator is aware of it
Active Alarm | An alarm condition currently exists
Alarm | An abnormal condition that must be brought to the operator's attention and requires a response
Alert | A signal that makes the operator aware of a condition but does not require an immediate response
Automatic Suppression | Automatic action that prevents alarm annunciation during temporary situations. See also Suppressed Alarm
Cleared Alarm | An alarm condition has returned to normal
Consequential Alarm | An alarm that always occurs because of or as a consequence of another alarm or state change
Disabled Alarm | An alarm that is prevented from being propagated to the operator (and logging system), i.e., the alarm propagation logic is disabled
Device | Smart field instrument
Event Log | Table containing a time-stamped list of events recorded by the control system
Inhibited Alarm | Same as Disabled Alarm
Log | An entry placed in the event log for historical purposes
Manual Disable | Supervisor action that temporarily prevents alarm detection or propagation. Automatic restoration does not occur. See also Disabled Alarm
Suppressed Alarm | An alarm that is temporarily prevented from annunciating, both audibly and visually, by lowering its priority to log only
Un-Acknowledged Alarm | An alarm condition currently exists and the operator is not yet aware of it

Table 1-1 Terms


Abbreviation | Description
AOA | Alarm Objectivity Analysis
EEMUA | The Engineering Equipment and Material Users Association
ESD | Emergency shutdown system
Emerson | Emerson Process Management, Hydrocarbon and Energy Industry Centre
ICSS | Integrated Control and Safety System
I/O | Input/Output
PCS | Process control system
SIS | Safety Instrumented System

Table 1-2 Abbreviations and Acronyms


2 ALARM SYSTEM PHILOSOPHY

Every alarm should identify to the console operator an abnormal, unsafe, and urgent plant condition that requires them to take action or to make an assessment of the unit's condition so that, where possible, they can avoid or minimize plant upset, asset, or environmental damage, and improve safety.
An alarm is not:
- A reminder for the operator to complete a task
- A mechanism to help perform routine surveillance of the plant
The purpose of the alarm system is to assist the operator in detecting process problems and prioritizing their response.
All alarms and shutdowns shall annunciate via the operator stations in the control room. Supplemental annunciation devices such as beacons and horns shall be used to annunciate gas or fire detection or facilitate evacuation within the plant.
An alarm system monitors plant conditions and informs the operator of significant changes that require assessment and action. The alarm system helps the operator:
- Maintain the plant within a safe operating envelope. The alarm system should help the operator prevent problems from escalating.
- Identify deviations from operating conditions that could lead to financial loss. For example, pump damage from cavitation.
- Better understand complex process conditions such as during plant upsets or trips.
The Alarm Help functionality within DeltaV provides the operator with information related to specific alarms. Each alarm can be configured by the plant engineering and operations groups to provide Alarm Help information when the alarm is active. The Alarm Help functionality will assist the WQ-2 Project facility in complying with alarm system management requirements related to the ISA 18.2 standard for alarm management.

2.1 Alarm Management Principles

Every alarm shall be subjected to the following three questions:
1. Does the event require operator action?
2. Is this alarm the best indicator of the situation's root cause?
3. Is this alarm resulting from a truly abnormal situation?
The following two basic rules shall be adhered to:
1. Events that do not require operator action shall not be allowed to produce alarms.
2. Alarms must be produced upon abnormal situations only, not from normal situations.
The following principles shall guide the design of the alarm system:
- All alarms require operator action.
- Every alarm, regardless of its priority, is important.
- Operator corrective action information is easily accessible from the operator interface.
- Alarms present information that is:
  - Relevant to the operator's role at the time.
  - Easy to understand.
  - Important to the operators.
  - Presented at a rate that is effective for the operator.
- Alarms assist operators in the management of the plant in terms of safety, environmental, production and plant assets.
- Alarms identify deviations from desired operating conditions that could lead to financial loss such as off-specification product or low efficiency operation.
- Alarms are designed to provide sufficient time for the operator to respond.
- Alarm information (as a key component of the control system's integrated operator interface) provides a clear navigational aid and prioritized response aid to the operators.
- Alarms are categorized and prioritized using a structured review process aimed to meet the operators' requirements.
- The alarm design is documented and includes alarm limits, priorities, causes, consequences, correct actions, response time, and verifying information.
- Changes to alarms are managed under a management of change (MOC) work process. All changes must be evaluated, properly analyzed, and communicated to all affected personnel and teams.
- Nuisance alarms, unnecessary alarms and duplicate alarms shall be reduced or avoided during alarm system implementation.
- The organization establishes a continuous improvement and performance monitoring process to support the alarm system.
- An alarm system champion is assigned responsibility for the alarm system in each area of the plant.

3 ALARM SYSTEM DESIGN PROCESS

3.1 Alarm System Category

The categories of alarms, ranked in their order of importance, are:
1. Emergency Planning and Response (fire and gas, deluge, safety showers, evacuation, etc.)
2. Engineered alarms
3. Operator alarms

3.1.1 Emergency Planning and Response Alarms

The following emergency planning and response alarms require panel operator action. These alarms will have high priority.
- Fire and gas
- Deluge
- Safety showers
- Evacuation

3.1.2 Safety Instrumented Systems Alarms

Safety instrumented alarms have been selected by the process design team to ensure the safety of the plant and to prevent equipment damage. These alarms will be implemented in the safety instrumented systems and will identify when an automatic action has been initiated due to a severe abnormal condition in the plant. Pre-alarms will provide the plant operators with sufficient warning of the impending trip condition so that corrective actions can be taken to avert the situation. The pre-trip alarms may have higher priority than the trip alarms. The priority of the SIS alarm will be assessed using the same alarm priority rationalization grid used for the PCS alarms. The alarm limits will be preset and not permitted to be changed without the appropriate management of change process, considering the safety life cycle (see ANSI/ISA S84.01 1996).

3.1.3 Engineered Alarms

Engineered alarms have been determined through the HAZOP reviews of the process design. These alarm settings will identify when the process is moving towards an unsafe operating condition. The alarm limits will be pre-set and not permitted to be changed without the appropriate management of change process review. These alarms are provided in the alarm and trip settings document. This document will be used as the basis for alarm objectivity analysis.

3.1.4 Operator Alarms

Operator alarms are operator-configurable alarms to assist in running the plant more efficiently. These alarms should never be safety related or related to some other condition that has a serious impact on the plant or its surroundings, since such conditions are properly dealt with in the engineering alarm settings or other protective systems. An alarm priority called "operator" will be introduced in the system, which will be lower than the low alarm priority.

3.1.5 Alarm Suppression

Alarm suppression is the way to temporarily disable annunciation of an alarm in the DeltaV Operator Interface. This means that the suppressed alarm will not set off the workstation alarm horn and will not be displayed in the alarm summary or the alarm banner, but this alarm will still be registered in the alarms/events log.

3.1.6 Chattering Alarms

Appropriate deadband must be selected for all alarms that are activated repeatedly over a short period of time. This may involve the programming of a deadband for analog trip values and a delay time for digital points. Concepts of on-delay, off-delay, and deadband are explained in Section 5.1.9 of this document.
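The effect of the deadband and delay time named in 3.1.6, as an added example that is not part of the original document and is not DeltaV configuration or code. The function names, the 80.0 limit, the sample values and the delay counts (in scans) are all constructed for illustration.

```python
"""Added illustration: deadband and on/off-delay applied to chattering alarm inputs.
Every name and number here is constructed for the example; this is not DeltaV logic."""

# Constructed samples: a pressure hovering around a high-alarm limit of 80.0.
PRESSURE = [78.5, 79.6, 80.2, 79.8, 80.1, 79.7, 80.3, 79.9, 80.4, 79.6, 80.2, 78.0, 77.5]
# Constructed scans of a bouncing digital point (1 = alarm condition present).
SWITCH = [bool(b) for b in (0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0)]


def analog_states(samples, limit, deadband):
    """Alarm state per sample for a high alarm with a deadband below the limit.

    The alarm activates at value >= limit and clears only once the value
    falls below (limit - deadband).
    """
    active, states = False, []
    for value in samples:
        if not active and value >= limit:
            active = True
        elif active and value < limit - deadband:
            active = False
        states.append(active)
    return states


def digital_states(scans, on_delay, off_delay):
    """Alarm state per scan for a digital point with on-delay and off-delay.

    The state changes only after the input has disagreed with the current
    alarm state for more than on_delay (to activate) or off_delay (to clear)
    consecutive scans.
    """
    active, run, states = False, 0, []
    for raw in scans:
        if raw == active:
            run = 0  # input agrees with the alarm state: restart the timer
        else:
            run += 1
            needed = on_delay if raw else off_delay
            if run > needed:
                active, run = raw, 0
        states.append(active)
    return states


def count_activations(states):
    """Number of inactive-to-active transitions, i.e. annunciations to the operator."""
    previous, count = False, 0
    for state in states:
        if state and not previous:
            count += 1
        previous = state
    return count


def first_active_index(states):
    """Index of the first sample at which the alarm is active, or -1 if never."""
    return states.index(True) if True in states else -1


if __name__ == "__main__":
    for db in (0.0, 1.0):
        s = analog_states(PRESSURE, limit=80.0, deadband=db)
        print(f"analog deadband={db}: activations={count_activations(s)}, "
              f"first active at sample {first_active_index(s)}")
    for delay in (0, 2):
        s = digital_states(SWITCH, on_delay=delay, off_delay=delay)
        print(f"digital delay={delay} scans: activations={count_activations(s)}, "
              f"first active at scan {first_active_index(s)}")
```

The deadband reduces repeat annunciations without delaying the first one, while an on-delay postpones the first annunciation by the delay length, so the delay has to fit within the response time allowed for that alarm.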

3.1.7 Flooding Alarms

Flooding alarms are several alarms that are shown to the panel operator on the alarm summary that allow the operator to take appropriate action over the process.

3.1.8 State-Based Alarming

Most alarms in a process unit pertain to the normal operating state of a piece of equipment. Equipment often has several normal, but differing, operating states. PCS alarm capabilities are normally only for single-state, single-value trip points and priorities. Examples of differing operating states include startup, shutdown, product or feed grade changes, half rate operation, etc.

3.2 Alarm Selection Design Process

The selection of alarms and their configuration settings in the control system are critical to its success. Configuring too many alarms can lead to alarm system problems such as alarm floods and high nuisance alarm rates, which can cause the operator to miss critical alarm information. Not identifying or inappropriately setting an alarm limit on an important parameter in the process can lead to an unsafe plant condition or an economic loss for the company.
The design process for the selection of alarms and their settings will use a systematic, structured analysis consistent with the overall alarm philosophy and plant risk assessment. This structured analysis will capture the alarm proposals coming from design engineering and the operational groups, and is called the alarm objectives analysis (AOA) or alarm documentation and rationalization (D&R). The D&R methodology is described below.

3.2.1 Alarm Documentation and Rationalization

Documentation and rationalization (D&R) is a sound, consistent, and logical methodology by which alarms are determined and prioritized. Alarms resulting from the methodology are said to be rationalized.
D&R is used in the following ways:
- To reduce, on an existing system, the number of configured alarms and thus the alarm load created from them
- To correct a misconfigured system for performance improvement
- To ensure consistency in alarm settings
- To eliminate duplicate alarms
- To ensure proper and meaningful priority and trip point settings
- To configure alarms on points added or modified by projects
- In conjunction with PHA revalidation if alarms are specified
- To verify proper configuration of nuisance alarms as they are identified
- To create the master alarm database, used as a reference for state-based alarm management, flood alarm suppression, and audit/enforce mechanisms

During a unit rationalization, all alarmable PCS points shall be rationalized, along with any other systems which provide alarm or abnormal situation notification to the board operator. The impact, severity, and response time matrices defined in the next section should be used to rationalize each alarm and will be documented in the results. Background information on the matrix components (impact assumptions, severity, etc.) should also be provided in the documentation for future reference. Any deviation from the alarm priority, as defined in the rationalization matrices, must be identified during the course of the rationalization and documented.
For proper rationalization, it is a recognized best practice that the following groups participate:
- Operations technicians (operators)
- Production and/or process engineers familiar with the process
- Safety and environmental (part time as needed)
- Process control (part time as needed)
- PCS specialists
Other individuals with knowledge of the process unit, its operation and specific equipment, its advanced control schemes, unit hazards, and the alarm philosophy will be needed periodically. The entire team must understand the alarm philosophy before starting the rationalization.
Documents required for a thorough rationalization include:
- Unit P&IDs
- Operating procedures
- PCS configuration database
- Results from HAZOP or PHA reviews
- PCS graphic printouts
- Process control and safeguarding narrative
All rationalized process alarms within an operating unit should be documented. The documentation should include all information required to define the alarm, its purpose, and the data required for rationalization. For new projects and incremental changes to the unit, full alarm justification and documentation should be provided as part of the project scope, accompanying any other required project documentation (for example, MOC documents).
For ease of access and maintainability, the alarm system documentation should be maintained through a uniform electronic database system across the entire client's site.
As a minimum, the following items will be documented for each alarm:
- Possible causes of the alarm
- Operator response or recommended corrective actions for the alarm
- Potential consequences if the operator does not respond to the alarm (or, if the alarm were not present)
- Time available for operator to respond and mitigate identified consequences
- The reasons for over-riding priority recommendations determined by the rationalization principles
Operations should have on-demand access to the above documentation of the alarm system, preferably electronically, in the form of a master alarm database. The master alarm database has several other important uses, particularly for alarm auditing and settings enforcement.
3.2.2 Alarm Impact, Severity, and Response Time

Key aspects for the selection of alarm priorities are:
- Alarm priorities will be set for three levels of urgency (low, medium, high) based upon:
  - The potential consequences (safety, environmental, production, and plant assets) that the operator could prevent by responding appropriately
  - The time available for the operator to carry out the required response
- All alarms (regardless of priority) are important and require operator attention

Impact Category: Safety
  All severities (None, Minor, Major, Severe): Any alarm wherein the failure of proper action to be taken can result in likely harm to a person will be prioritized as high. Assumption is that other layers of protection operate.

Impact Category: Environmental
  None: No Effect
  Minor: Minimal exposure. No impact. Does not cross fence line. Contained release. Little, if any, clean up. Source eliminated. Negligible financial consequences. Event Type: Recordable, no reporting to Alberta.
  Major: On-site H2S or other release. Contamination causes some non-permanent damage. Event Type: Reportable, incident reported as not violating permit. Isolated neighbor complaints.
  Severe: Uncontained release of materials with major environmental impact and possible third party impact. Widespread neighbor complaints. Exposed to life-threatening hazard. Disruption of basic services. Impact involving the community. Catastrophic property damage. Extensive cleanup measures and financial consequences. Event Type: Reportable, incident reported as violating permit.

Impact Category: Costs or Value Of Production Loss
  None: No loss
  Minor: Event costing <$100,000, notification only at operations superintendent level
  Major: Event costing loss of ~ half day production, notification at operations manager level
  Severe: Event costing >$n,000,000 (approximately one day production volume), notification above operations manager level

Table 2 Alarm Rationalization Consequence Grid
The assumptions in Table 3 below were considered while preparing the alarm
rationalization consequence grid above.
Assumption

Description

Probability

It is inappropriate to consider probability in an alarm rationalization consequence grid.


The assumption is that the alarm (however improbable the process situation) has
occurred. The consequence to be considered is the event that will take place if the
alarm is ignored. Alarm rationalization is not a PHA, or SIL, or LOPA review. Such
probability and risk analyses are used to determine the need for redundancy in a
system, not the priority of an alarm when an event does happen.

Multiple Failures

It is inappropriate to assume multiple cascading failures in discussing an alarm


consequence scenario. This is best explained by an example. Consider a vessel that
has a high pressure alarm. The vessel has a pressure relief device which is routed to
the flare that actuates above the high alarm setting. During rationalization, it will be
assumed that all protective systems (for example, pressure relief devices or other
independent alarms) are active and functional.
Failure to respond to the high pressure alarm would therefore have environmental

West Qurna Field


nd
2 Phase Project
(Early Oil Phase)
Doc. Title

ALARM MANAGEMENT PHILOSOPHY

Doc. No.

8015-0151-22-PO-45-0009-4236-J08-00409
Assumption

Time to Respond

Rev. : 00
Date

Page : 18
Dec.18,2012

Description
(flaring) and/or economic (loss of product to the flare) impacts, but no personnel safety
impact. In terms of setting the appropriate alarm priority, it would not be appropriate to
say that the consequence would be that in the high pressure scenario, the relief device
would also fail, the vessel would rupture, and personnel could be injured (i.e. a
personnel safety impact).
Maximum time to respond is the time within which the operators can take action(s) to
prevent or mitigate the undesired consequence(s) caused by an abnormal condition.
This response time must include the action of outside personnel following direction
from the console operator.
To clarify, this is not how long it actually takes the operator to take the action. It is how
much time is available to take effective action from when the alarm sounds to when the
consequence is unavoidable.
The board operator's ability to respond to an alarm in a timely fashion determines the
degree of success in preventing loss. The consequences of an uncorrected alarm
generally worsen with the passage of time.
During an abnormal condition, the board operator is confronted with making decisions
on numerous tasks that must be performed in an appropriate sequence. The timing
and the order of executing these tasks determine the outcome of the operator's effort.
For example, if two process variables are deviating from normal and can potentially
cause the same significant loss, the operator must quickly decide which variable to
address first. In such a case, the operator must take action to address the variable that
is more volatile or can reach the point of loss in the shortest time.
Therefore, the shorter the time available to respond, the higher the priority of the alarm
will be, assuming equal consequences can result.
For each alarm being rationalized, and for each area, the maximum time allowable to
respond will be identified. This value will allow the response time to be placed in one of
the following response time classes:
- greater than 30 minutes
- 10 to 30 minutes
- 3 to 10 minutes
- less than three minutes

Table 3: Assumptions

3.2.3 Alarm Rationalization Grid

The alarm rationalization grid for the WQ-2 Project is derived from the severity of
consequence and the time to respond, and is given in Table 4 below. This grid
will be used in identifying the priority of engineering alarms.

Potential Consequences (columns) versus Urgency/Response Time (rows):

| Urgency/Response Time | No Effect | Production/Quality | Plant Asset/Reliability | Safety/Environmental |
|---|---|---|---|---|
| >30 min | No alarm | Re-engineer alarm | Re-engineer alarm | Re-engineer alarm |
| 10-30 minutes | No alarm | Low | Low | Medium |
| 3-10 minutes | No alarm | Low | Medium | Medium |
| Less than three minutes | No alarm | Medium | High | High |

Table 4: Alarm Rationalization Grid
The grid includes a threshold for not alarming when the time to respond is over 30 minutes. In such a case, the
alarm should be redesigned to require action in a shorter time frame. Some
exceptions are acceptable.
Note that a maximum time allowable to respond of greater than 30 minutes
does not meet the criteria for an alarm. While an operator may have a time
horizon of several hours or more in adjusting process parameters and
monitoring their effects, it is inappropriate to sound an alarm for which no
action is required for more than 30 minutes. Alarms are to signal conditions
that require quick action and must have a characteristic of urgency. Something
that can be avoided for more than a half hour with no effect is not an event
requiring quick action.
This is not an absolute principle, and there will be exceptions. An example is an
alarm on the failure of a system that acts to protect the long-term health of
equipment, such as a corrosion inhibitor addition system. Failure to take action
on the alarm might not have consequences for weeks or months, but the
system is needed and the failure must be addressed, not forgotten about. The
general rule is that response to such an alarm should be the initiation of a
maintenance request before the end of the shift. The need for the alarm
system to retain a sense of urgency allows for such exceptions.

ALARM SYSTEM IMPLEMENTATION


The alarm management features in DeltaV are structured for the effective
management of the alarm system.
Alarm priorities, alarm types, alarm suppression, alarm filtration, conditional
alarms, operator alarms, engineered alarms, and plant areas all affect the way
the system manages individual alarms. This section describes these system-wide concepts.
Alarms from third party packages will be communicated to PCS over a serial
link or OPC and will be time stamped and logged into the event chronicle of the
DeltaV HMI in the same way as PCS alarms. Each package may have a
different alarm area as defined in the configuration specification. There are 100
plant areas available in the DeltaV database and each area may have the
same or different alarm priority.

4.1 Operator Alarms
Individual operators have a need for on-the-fly configuration of various
system reminders and functions. For example, tank levels when filling or
transferring, where the alarm limits do not correspond to the amount desired to
be moved. Operator change of the overall alarm system trip points has been
proven to be a problematic practice. The setting of individual preferences as
alarm limits results in sub-optimization of the process, causes shift-based
process variation, introduces non-rationalized alarms, and contributes to alarm
floods, and is therefore not in keeping with best practices.
The WQ-2 Project may address this need and problem by providing the operator
priority alarm. The settings and existence of these are controllable by the
operator. They are not rationalized. The same principles as for regular
alarming, however, should be followed, such as operator alarms being
configured only for events requiring action. Operator alarms should not be used
to replace surveillance of the process (running by alarms).
During periods of engineered alarm activation, the operator alarms can be
filtered from the alarm summary display and not interfere with the proper
response to rationalized alarms. There are six operator alarms available per
PCS control loop.

By default, these alarms are disabled from the system configuration. As the
systems are being commissioned, the control room operator can enter valid
alarm limits and enable the alarm as required to operate the process. Alarm
deadband is defaulted to 0.5%.
| Alarm Name | Operator Control | Default Enable | Default Alarm Limit % of Scale | Allowable Priority Choice | Description |
|---|---|---|---|---|---|
| HI_HI_ALM | | | 90 | Engineer | Engineer high-high alarm |
| HI_ALM | | | 80 | Operator | Operator high alarm |
| LO_ALM | | | 20 | Operator | Operator low alarm |
| LO_LO_ALM | | | 10 | Engineer | Engineer low-low alarm |
| DV_HI_ALM | | | | Operator | Operator deviation high alarm |
| DV_LO_ALM | | | -5 | Operator | Operator deviation low alarm |

Table 5: Summary of Operator Alarms
Indicates the default values if the alarm is not enabled on the P&ID and control
narrative; otherwise valid values are entered.

4.2 Engineered Alarms
Engineered alarms are not alterable by the operator. They are to provide
warning of conditions that require operator action in order to avoid a
recognized consequence.
There are six engineered alarms available per PCS control loop and indicator
point. The deadband for all engineered alarms will be set at 0.5% of the
engineered scale by default.
| Alarm Name | Alarm Setpoint % of Scale | Priority | Description |
|---|---|---|---|
| ENG_HI_HI_ALM | Determined via rationalization | Determined via rationalization | Engineered high-high alarm |
| ENG_HI_ALM | Determined via rationalization | Determined via rationalization | Engineered high alarm |
| ENG_LO_ALM | Determined via rationalization | Determined via rationalization | Engineered low alarm |
| ENG_LO_LO_ALM | Determined via rationalization | Determined via rationalization | Engineered low-low alarm |
| ENG_DV_HI_ALM | Determined via rationalization | Determined via rationalization | Engineered deviation high alarm |
| ENG_DV_LO_ALM | Determined via rationalization | Determined via rationalization | Engineered deviation low alarm |

Under Operator Control / Default Enable, every row is marked N*.

Table 6: Summary of Engineered Alarms
Table 6 indicates the default values if the alarm is not enabled on the P&ID and
control narrative; otherwise valid values are entered.
Note: 5 Second Scan for PV

| Time Base hh:mm:ss | Process Variable KPa | Prorate PV for 60 Seconds | Deviation Alarm |
|---|---|---|---|
| 12:00:00 | 50 | | Clear |
| 12:00:05 | 50.1 | Abs (50.1-50)*(60/5) = 1.2 | Clear |
| 12:00:10 | 50.2 | Abs (50.2-50.1)*(60/5) = 1.2 | Clear |
| 12:00:15 | 51.1 | Abs (51.1-50.2)*(60/5) = 10.8 | Active unacknowledged |
| 12:00:20 | 51.1 | Abs (51.1-51.1)*(60/5) = 0 | Clear unacknowledged |
| 12:00:25 | 52.6 | Abs (52.6-51.1)*(60/5) = 18 | Active unacknowledged |
| 12:00:30 | 52.5 | Abs (52.5-52.6)*(60/5) = 1.2 | Clear unacknowledged |

Table 7: Deviation Alarm Example

4.3 Maintenance Alarms
There will be MAINT_HI and MAINT_LO. The MAINT priority will not show on the
operator's normal alarm summary display.

All instrument malfunction/diagnostics which are not applicable to operator
action (for example, many fieldbus diagnostics) shall have a MAINT priority.
Instrument malfunction alarms that do require operator notification will become
a part of PV_BAD alarms and their priority is determined during alarm
objectivity analysis.
Operator response to those will be an attempt at troubleshooting, then either
writing a work order, or calling out for immediate maintenance (based upon a
list of important instruments and operator judgment).
The following priorities are recommended for various devices:
1. Diagnostics on PCS hardware, such as redundant power supplies,
redundant communications boxes, redundant controllers, etc.:
MAINT_HI, possibly on the immediate maintenance callout list.
2. Diagnostics on externally connected complex hardware, such as
analyzers / surge controllers: MAINT_HI. Provide support diagnostics
that explain the relevance to the operator.
3. Instrument malfunction alarms that do not require operator notification
shall have MAINT_LO.
4. Investigate alarm group displays for PVBAD.
5. Others (case by case, default is MAINT_HI).

4.4 External Device Health & Status Alarms
External systems such as analyzers, surge controllers, equipment cabinets,
PLCs, and ESD logic solvers are often connected to the PCS directly or via
serial, Modbus, or similar methods. It is common for these systems to have
multiple health status indicators. Often these are all individually alarmed, which
is not a best practice. The best practice is that System Health & Status Alarms
shall be shown on the control console by different levels of pictures.
The operator's response to an external device's health/status alarms should
include the following:
- Understand the new limitations of the connected device relative to the
  alarm produced. (Has the device failed, is it in fault, or is it still functional? Can the
  readings be trusted or are they suspect?)
- Act accordingly as per procedures. For example, if the analyzer is no
  longer functioning, begin manual sampling.
- Involve maintenance or staff as appropriate per procedure, based on the
  particular problem.

Proper alarm configuration is to provide a single common trouble point
indicating an OR from several status inputs. This common point is alarmed
for the operator. Grouping the status points into more than one, but still a small
number, of logically-related common trouble points is also acceptable. For
example, multiple vibration instruments on the compressor should be
combined into a common vibration trouble point based upon any of them
reaching a particular value. All are logged, but only the common trouble point is
alarmed. Additionally there could be an oil system common trouble point being
fed from several oil-related inputs.
The individual status points feeding the common point shall be configured with
LOG priority (if it is desired to record their individual time of activation).
For all such common trouble points, provide detailed displays that show the
status of all of the health indicator inputs. This should then be the associated
display for the common trouble point. The graphics should also indicate the
functional groups to contact for repair, based on the failure type.

4.5 SIS Alarm Interface
Alarms from the SIS will be time stamped and logged into the event chronicle
of the DeltaV HMI in the same way as PCS alarms. Only a brief discussion is
given for SIS alarms here. Please refer to SIS configuration specification for
more detail.

4.5.1 General
Prior sections of this document refer to various types of alarms (operator,
engineered, conditional). It is important to understand that, for safety reasons,
all the safety pre-alarms and shutdown alarms are considered to be
engineered alarms. There is no provision to modify these alarms from the
DeltaV HMI, nor is there a manner (outside the proper overrides) to bypass or
turn off these alarms. All alarm values for an input device shall be visible from
the faceplates on the HMI for that device. Deadband values and range settings
are treated in a similar manner.

Shutdown alarms (also referred to as trip alarms) shall not be suppressed by
maintenance overrides. Pre-alarms (also referred to as pre-trip alarms) shall
also not be suppressed by maintenance overrides.
SIS Alarms shall be annunciated on the DeltaV HMI alarm banner and alarm
list.
The application of ISA S84 or Licensor Design Standards may require the
installation of double or triple redundant sensors and alarming in some
instances. This may or may not involve voting systems. During process
upsets and abnormal situations, the multiple alarming provided may produce
undesirable multiple alarms from the same event. In addition, routine
shutdowns may result in the activation of several alarms, adding a large
number of alarms to the alarm summary. Such nuisance alarms must be
avoided if at all possible.
All redundant and voting installations must be designed and reviewed on a
case-by-case basis to ensure:
- minimal multiple alarms result from process deviations
- the operator will not receive a flood of unnecessary alarms during
  routine startup, shutdown, or other periods when the hazard scenario is
  not valid
- pre-trip or trip conditions will not create multiple alarms from different
  sensors
The case-by-case review of these redundant installations may require further
study outside of the normal alarm system documentation and rationalization
process. Safety considerations inherent in these redundant installations may
necessitate dynamic alarm changes in the logic solver equipment, instead of in
the PCS.
There are several techniques to provide the degree of safety provided by
sensor redundancies and separate logic solvers, without producing excessive
alarms. For example, voting logic within the PCS can be considered for alarm
actuation. Annunciation of ESD bypasses must be considered carefully for
proper priority selection.
It may well be that rationalization shows that the pre-alarm to a trip might be a
higher priority alarm than the trip notification alarm (for example, the shutdown
has occurred). This is perfectly acceptable. At the pre-trip point, the operator
can still take effective action to avoid the trip, which may have avoidable major
consequences. These consequences can no longer be avoided once the trip
occurs. The consequences of ignoring the trip notification alarm at that point
may make the trip-caused upset worse if the operator fails to take the correct
post-trip actions.
The voted alarm result must be clear and easily understood by the operator.
Consider voting logic output to a dedicated, alarmed flag, or discrete tag on the
PCS.
The operating schematics or graphics must be designed to properly indicate
the voted result and the status of the multiple initiators, to prevent operator
confusion and provide rapid assessment and verification.
In the event of equipment trips with several possible causes:
- alarm the overall trip event
- trip initiators may not need alarms
- log initiator activation for historical analysis
- provide adequate first-out or interlock initiator display to allow the
  operator to identify the trip cause

4.5.2 Pre-Alarms
Pre-alarms shall give the operator the opportunity to take corrective action
before a process shutdown occurs. Reset action is not required, and pre-alarms
should not be defeated by maintenance overrides.
A device that is in pre-alarm shall be prioritized by the AOA team. Pre-alarm
acknowledgement is purely an HMI function, and once acknowledged the
device shall appear as solid alarm colour (non-flashing). If the device reverts to
normal before the operator has acknowledged the alarm, the device shall flash
in hatch alarm colour.

4.5.3 Shutdown Alarms
Shutdown initiators shall be trapped so that the operator, when troubleshooting,
can always find the source of the shutdown (in the event that the initiating
condition is only present for a short duration). Reset action is required.
Shutdown alarms are not defeated by maintenance overrides (although the
actual trip is prevented in such a case).

A "ready to reset" button shall be provided. This button will alert the operator
that the initiating condition(s) are normal (the deadband is satisfied) and the
interlock is ready to be reset.
A device that is in shutdown and has high priority when in alarm shall appear
flashing red on the HMI process screen. Shutdown alarm acknowledgement is
purely an HMI function, and once acknowledged the device shall appear as
solid red (non-flashing).
Shutdown alarms may be ganged for large pieces of equipment to reduce
alarm flooding. For example, a common furnace shutdown may be generated
on a furnace trip. The operator will use the safety instrumented function
displays to diagnose the cause of the problem.
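The ganging and trapping rules from sections 4.4, 4.5.1 and 4.5.3, as an added Python example that is not part of the original document and is not DeltaV code: individual initiators are only logged, one common trip alarm is raised and latched with its first-out initiator, and reset is refused until every initiator is back to normal. The tag names, the event tuple layout and the tie-break by configured order are assumptions, and the boolean inputs are assumed to be taken after deadband.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GangedTrip:
    """One alarmed trip point fed by several logged-only initiators."""
    trip_tag: str                       # hypothetical common trip tag
    initiators: tuple                   # configured order; also the first-out tie-break
    tripped: bool = False               # latched until reset() succeeds
    first_out: Optional[str] = None     # trapped initiator that caused the trip
    last_state: dict = field(default_factory=dict, repr=False)

    def scan(self, timestamp, states):
        """Process one scan of initiator states; return the events it produced.

        Each event is (timestamp, "LOG" | "ALARM", tag, text). Only the common
        trip tag is ever emitted as "ALARM"; initiators use LOG priority.
        """
        unknown = set(states) - set(self.initiators)
        if unknown:
            raise ValueError(f"unconfigured initiator(s): {sorted(unknown)}")
        events = []
        for name in self.initiators:
            active = bool(states.get(name, False))
            rising = active and not self.last_state.get(name, False)
            if rising:
                events.append((timestamp, "LOG", name, "initiator active"))
                if not self.tripped:
                    # Trap the first initiator so a short-lived condition
                    # can still be found after it has returned to normal.
                    self.tripped = True
                    self.first_out = name
                    events.append((timestamp, "ALARM", self.trip_tag,
                                   f"trip, first-out {name}"))
            self.last_state[name] = active
        return events

    @property
    def ready_to_reset(self):
        """True when tripped and every initiating condition is normal."""
        return self.tripped and not any(self.last_state.values())

    def reset(self):
        """Operator reset; refused while any initiator is still active."""
        if not self.ready_to_reset:
            return False
        self.tripped = False
        self.first_out = None
        return True


def run_constructed_scans():
    """Constructed scan sequence: a brief low-low pressure, then two more initiators."""
    trip = GangedTrip("K-101_TRIP", ("PSLL-101", "TSHH-102", "VSHH-103"))
    events = []
    events += trip.scan("12:00:00", {})
    events += trip.scan("12:00:01", {"PSLL-101": True})
    events += trip.scan("12:00:02", {"TSHH-102": True, "VSHH-103": True})
    events += trip.scan("12:00:10", {})
    return trip, events


if __name__ == "__main__":
    trip, events = run_constructed_scans()
    for event in events:
        print(*event)
    print("first-out:", trip.first_out, "ready to reset:", trip.ready_to_reset)
```

Three initiator activations are logged, but the operator sees a single alarm, and the first-out stays on PSLL-101 although that condition lasted only one scan.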
4.5.4 Safety Instrumented Function Displays
A display scheme will be utilized for shutdown interlocks that have multiple
initiators. This shall be displayed on the HMI screens in specialized Level 3
displays. The format of these screens is addressed in the SIS configuration
specification.

4.5.5 Maintenance Override Switch Use
Maintenance override switches (MOS) are used to put a device into
maintenance mode. They are also referred to as class A overrides. A
maintenance person typically puts a device into maintenance bypass when the
device is to be repaired or calibrated.
All safety shutdown initiators will be provided with a maintenance override
switch (MOS). Pre-alarms and shutdown alarms associated with the sensor will
not be disabled while the maintenance override switch is engaged.
For SIL 2 and 3 shutdown alarms, a maintenance override
notification alarm shall be initiated whenever something is in MOS. This
prevents the operator from unknowingly leaving a device in MOS (the MOS
notification alarm cannot be suppressed and therefore cannot be ignored).

4.5.6 Startup Override Alarm Suppression
In programming terms, overrides/bypasses/permissives are typically classified
into three categories or classes: class A, B, and C. Class A overrides are
typically maintenance type overrides, and are analogous to the MOS discussed
in the previous section.
Shutdown initiator overrides are often required for start-up. A typical example
would be for low flow shutdowns. MOS should not be used for such purposes,
since the application of these overrides would adversely affect the availability
calculations and hence safety. An operational override shall be used for these
requirements, and the override automatically de-activates under predefined
conditions. For the above low flow trip the operational override would have a
time-out function. In programming terms, this would be called a class B
override. In some cases it may be that the trip may need to return to a normal
process condition before de-activating. These types of overrides are referred to
as a class C override.
Some of these operational overrides need detailed process information. An
example would be the isolation of a feed to storage under high temperature
conditions. Since the lines are insulated the material may take some time to
cool down. There may be a conditional override based on another temperature
(a class C) together with a timed bypass (class B).
While a device is in a startup override mode (class B or C), the shutdown
alarms and pre-alarms shall be inhibited.
When a process is intentionally stopped, either through automatic logic or
manually, alarms that would normally be suppressed during startup are also
viewed as nuisance alarms while shut down. Therefore, when a process is
intentionally stopped and an initiating device would cause an alarm, that alarm
will be inhibited by the SIS.
4.5.7 Deviation and Rate of Change Alarms/Alerts
In addition to the internal system diagnostics for initiators, the application will
also include custom diagnostic logic to detect out-of-range or faulted status,
flat-line and high rate-of-change conditions, and deviation. Depending on the
nature of the alarm/alert and which system the equipment is in, either the PCS
or SIS will generate the alarm/alert. Refer to SIS Configuration Specification for
further details.

4.5.8 Conditional Alarm
The DeltaV conditional alarming feature provides the ability to easily add alarm
time delays and enable/disable alarms to minimize nuisance alarms. This
functionality is available to the PCS and SIS; however, it is only available in the
SIS in certain cases. Refer to the SIS Configuration Specification for further
detail.

4.5.9 Digital Alarm
The DeltaV Digital Alarm will come from a digital input such as a pressure, level, or limit
switch, or another type of discrete input in the PCS or SIS system. There will be an
indication to the operator on the Level-3 process graphics.

4.6 Alarm Priority
There are 12 possible alarm priority levels, with numeric values 4 through 15. The
highest priority value is 15 (it is used for the most important alarm). The lowest
priority value is 4. The alarm priorities configured for the WQ-2 project are given in
Table 8.
An operator display will provide a list of all PCS module alarms currently
suppressed at any point in time. The operator cannot disable or suppress
engineered alarms.
Maintenance alert information will use two of the alarm priorities. This
information will not be shown on the alarm summary.
| Priority | Priority in DeltaV | Priority Level | Auto Acknowledge | Auto Acknowledge Inactive | Horn Sound |
|---|---|---|---|---|---|
| CRITICAL | S_CRITICAL | 15 | NO | NO | YES |
| | E_CRITICAL | 14 | NO | NO | YES |
| | F_CRITICAL | 13 | NO | NO | YES |
| WARNING | F_WARNING | 11 | YES | YES | None |
| | D_CRITICAL | 10 | YES | YES | None |
| | D_WARNING | | YES | YES | None |
| ADVISORY | ADVISORY | | YES | YES | None |

Table 8: Alarm Priority Settings

4.6.1 Alarm Importance
The acknowledged status of the alarm, the current alarm state, the priority
value, and the time stamp on the alarm determine the alarm's importance in
the system:
1. Unacknowledged alarms have a higher importance than acknowledged
alarms.
2. After the acknowledgement status is considered, alarms that are still
active are considered more important than alarms that have already
cleared but have not been acknowledged by the operator yet.
3. When more than one alarm has the same acknowledgment status and
active status, the alarm with the highest priority value has the highest importance.
4. When more than one alarm has the same priority value, active status, and
acknowledgment status, the newer alarm has a higher importance.
For example, the most recent, acknowledged, active alarm with a priority value
of 15 is the most important alarm in the system. Then, a new alarm occurs that
is unacknowledged and has a priority value of 7. This new alarm is of higher
importance than an acknowledged alarm with a priority value of 15 because of
the acknowledgement status of the alarms.
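The four importance rules above amount to a lexicographic ordering, shown here as an added Python example (not part of the original document and not DeltaV's own code) that ranks a constructed alarm list and re-ranks it after acknowledgement. The tag names and time stamps are constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime


@dataclass(frozen=True)
class Alarm:
    tag: str              # hypothetical tag, constructed for this example
    priority: int         # 4 (lowest) to 15 (highest), as in section 4.6
    active: bool          # True while the alarm condition is still present
    acknowledged: bool
    raised: datetime      # time stamp on the alarm


def importance_key(alarm):
    """Sort key for the rules of section 4.6.1, most significant field first."""
    if not 4 <= alarm.priority <= 15:
        raise ValueError(f"{alarm.tag}: priority {alarm.priority} outside 4..15")
    return (
        not alarm.acknowledged,   # rule 1: unacknowledged beats acknowledged
        alarm.active,             # rule 2: still active beats already cleared
        alarm.priority,           # rule 3: higher priority value wins
        alarm.raised,             # rule 4: newer alarm wins
    )


def rank_by_importance(alarms):
    """Return the alarms ordered from most to least important."""
    return sorted(alarms, key=importance_key, reverse=True)


def acknowledge(alarms, tag):
    """Return a new list in which the alarm with this tag is acknowledged."""
    return [replace(a, acknowledged=True) if a.tag == tag else a for a in alarms]


def constructed_alarms():
    """Constructed sample: two acknowledged high priorities, three unacknowledged."""
    day = (2012, 12, 18)
    return [
        Alarm("PIC-101/HIHI", 15, True, True, datetime(*day, 12, 0, 0)),
        Alarm("TIC-330/HI", 13, False, False, datetime(*day, 12, 3, 0)),
        Alarm("LIC-204/LO", 7, True, False, datetime(*day, 12, 5, 0)),
        Alarm("FIC-415/HI", 7, True, False, datetime(*day, 12, 6, 0)),
        Alarm("PIC-102/HI", 13, True, True, datetime(*day, 12, 7, 0)),
    ]


if __name__ == "__main__":
    for alarm in rank_by_importance(constructed_alarms()):
        state = "active" if alarm.active else "cleared"
        ack = "ack" if alarm.acknowledged else "UNACK"
        print(f"{alarm.tag:14} prio={alarm.priority:2} {state:7} {ack}")
```

In the constructed list, both unacknowledged priority 7 alarms rank above the acknowledged priority 15 alarm, and the cleared but unacknowledged priority 13 alarm ranks below the active priority 7 alarms because rule 2 is applied before rule 3.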

4.7 Alarm Types and Message
An alarm type defines a set of characteristics that determine how alarms
appear on alarm summary displays and in the event chronicle. The alarm types
used in this project are listed in
Table 9 below. Each standard alarm is associated with one of these alarm
types.
| Alarm Type Name | Alarm Word | Category | Alarm Message |
|---|---|---|---|
| Any Alarm | ANY | SYSTEM | Any alarm value %P1 |
| Change From Normal | CFN | PROCESS | Change from normal value %P1 |
| Change of State | COS | PROCESS | Change of state |
| Communication Error | COMM | INSTRUMENT | Communication error |
| Deviation Alarm | DEV | PROCESS | Deviation alarm target %P1 actual %P2 |
| DISC_ALM | DISC_ALM | PROCESS | Change of state from %P1 |
| Discrete Device | FAILED | PROCESS | %P1 |
| ENG_DEV_ALM | ENG_DEV | PROCESS | ENG deviation alarm target %P1 actual P2 |
| ENG_HIGH_ALM | ENG_HIGH | PROCESS | ENG high alarm value %P1 limit %P2 |
| ENG_HIHI_ALM | ENG_HIHI | PROCESS | ENG high-high alarm value %P1 limit %P2 |
| ENG_LOLO_ALM | ENG_LOLO | PROCESS | ENG low-low alarm value %P1 limit %P2 |
| ENG_LOW_ALM | ENG_LOW | PROCESS | ENG low alarm value %P1 limit %P2 |
| ENG_RATE_ALM | ENG_RATE | PROCESS | ENG rate of change rate %P1 limit %P2 |
| Floating Point Error | FLT | SYSTEM | Floating point error |
| General I/O Failure | IOF | INSTRUMENT | General I/O failure |
| High Alarm | HIGH | PROCESS | High alarm value %P1 limit %P2 |
| High High Alarm | HIHI | PROCESS | High-high alarm value %P1 limit %P2 |
| Low Alarm | LOW | PROCESS | Low alarm value %P1 limit %P2 |
| Low Low Alarm | LOLO | PROCESS | Low-low alarm value %P1 limit %P2 |
| New Alarm | NEW | SYSTEM | New alarm value %P1 |
| Open Circuit Detected | OCD | INSTRUMENT | Open circuit detected |
| Over Range | OVER | INSTRUMENT | Over range value %P1 |
| Rate of Change | RATE | PROCESS | Rate of change rate %P1 limit %P2 |
| Statistical Alarm | ERROR | SYSTEM | Statistical alarm type %P1 value %P2 |
| Under Range | UNDER | INSTRUMENT | Under range value %P1 |
| User Define Alarm 1 desc | ALARM | PROCESS | %P1 |
| User Define 2 Alarm 2 desc. | ALARM | PROCESS | %P1 %P2 |

Table 9: Standard and Custom Alarm Types, Category, and Message
%P1 and %P2 represent the values of user-defined parameters. User-defined
parameters typically capture the value that caused the alarm and the limit value
that was in effect at the time the alarm was detected.
For example, the alarm description column would show High Alarm Value 50.5
Limit 45.0 in the alarm summary display.
By default, HH and LL alarms will NOT be configured for PCS alarms. They will
be configured only under the following conditions:
- The operator must take different and/or more severe actions for the initial
  alarm and the combination alarm
- There must be enough time in between alarms to perform the
  successful initial alarm corrective action before the combination alarm
  trips
Experience shows that 90+% of all HI-HH and LO-LL combinations will be
eliminated during rationalization, if these principles are followed. If the HH or
LL alarm is actually used to trigger a trip (and is thus a trip notification alarm),
then it is allowed. The rule above is met because the action for the trip is
different than the action for the pre-trip.

4.8 Alarm Suppression
Alarm suppression is the way to temporarily disable annunciation of an alarm in
the DeltaV Operator Interface. It means that the suppressed alarm will not set
off the workstation alarm horn and will not be displayed in the alarm summary
and in the alarm banner, but this alarm will still be registered in the
alarms/events log.
Note that suppression uses the OPSUP parameter. The use of this parameter
does not affect any interlock activity that is triggered by the alarm. The interlock
will function regardless of the value of OPSUP.
Alarm suppression is typically used when the operator needs to suppress a
single or small number of alarms. These alarms are typically considered
nuisance for the reason that maintenance personnel may be working on a
certain transmitter or device that causes the alarm to ring in and out frequently.
There are several ways to suppress an alarm, typically:
- From the detail display, activate the alarm suppression check box
- From the faceplate, right click on the alarm box and select the alarm
- From the alarm summary, right click on the alarm and select suppress
  alarm
Shift supervisor level access will be required to suppress alarms.
Operators should check the suppressed alarm display at the start of every shift.
Alarms suppressed for sensor malfunction reasons must be unsuppressed
after sensor repairs are made.
Staff should periodically assess the duration of suppressed alarms and ensure
the suppression process remains controlled.
All suppressed alarms will be displayed on the alarm suppression screen. This
graphic shows information similar to what is on the alarm summary, and will
look like this

Figure 1: Alarm Suppression Window

The procedure for un-suppressing an alarm is typically performed from the alarm
suppression screen by right clicking on the alarm and selecting un-suppressed
alarm, or from the detail faceplate as described above. Un-suppressing an
active alarm will cause the alarm to be displayed in the alarm banner and alarm
summary screen.
Note: Suppressing an alarm only removes the alarm from the alarm banner
and alarm summary, but does not remove any interlocks or actions from this
alarm that have been configured in the control system.

4.8.1 Automatic Alarm Suppression

Under certain process conditions some alarms shall be suppressed to prevent
floods of nuisance alarms (for example, for the steam generator, it does not
make sense to show low flow alarms for the passes if the generator is not
running and the water system is not commissioned).
Special modules will be configured in each DeltaV controller to suppress
alarms in the control modules under certain conditions. The conditions shall
be determined by the process designers and operations.
Alarm suppression shall be implemented by momentarily writing 1 to the
OPSUP parameter of the selected module alarm(s) when the suppression
condition becomes active and by momentarily writing 0 when the condition
becomes inactive.
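
One way to carry out the periodic review of suppression duration, and to check who wrote OPSUP, from logged parameter changes. This is an added example, not project or DeltaV code. The record layout, tag and source names, the 8-hour limit and the assumption that OPSUP writes appear in the event log are all assumptions; the records are constructed sample data.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records: (time, module/alarm, value written to OPSUP, source).
# This layout is an assumption for the example, not the DeltaV event record format.
EVENTS = [
    ("2012-12-18 06:00:00", "FIT-101/LO_ALM", 1, "AUTO_SUPP_SG1"),
    ("2012-12-18 06:05:00", "PIT-205/HI_ALM", 1, "SHIFT_SUPV"),
    ("2012-12-18 09:30:00", "FIT-101/LO_ALM", 0, "AUTO_SUPP_SG1"),
    ("2012-12-18 10:00:00", "LIT-310/HI_ALM", 1, "SHIFT_SUPV"),
    ("2012-12-18 11:00:00", "LIT-310/HI_ALM", 0, "SHIFT_SUPV"),
    ("2012-12-18 12:00:00", "TIT-402/HI_ALM", 1, "OPERATOR_3"),
]


def suppression_intervals(events, now):
    """Pair OPSUP 1/0 writes per alarm into intervals; open ones end at `now`."""
    open_since = {}              # alarm -> (start time, source of the first write of 1)
    intervals, unmatched = [], []
    for stamp, alarm, value, source in sorted(events):
        t = datetime.strptime(stamp, FMT)
        if value == 1:
            # A repeated write of 1 must not restart the clock.
            open_since.setdefault(alarm, (t, source))
        elif alarm in open_since:
            start, by = open_since.pop(alarm)
            intervals.append({"alarm": alarm, "by": by, "start": start,
                              "end": t, "active": False})
        else:
            # Cleared without a recorded suppress: the log window starts too late.
            unmatched.append(alarm)
    for alarm, (start, by) in open_since.items():
        intervals.append({"alarm": alarm, "by": by, "start": start,
                          "end": now, "active": True})
    return intervals, unmatched


def review(events, now, max_duration, authorised):
    """Findings for the suppression review: long-running suppressions, writes by
    sources outside the authorised set, and clears that have no matching suppress."""
    intervals, unmatched = suppression_intervals(events, now)
    findings = []
    for iv in intervals:
        if iv["by"] not in authorised:
            findings.append(("UNAUTHORISED_SOURCE", iv["alarm"]))
        if iv["end"] - iv["start"] > max_duration:
            findings.append(("LONG_SUPPRESSION", iv["alarm"]))
    findings += [("CLEAR_WITHOUT_SUPPRESS", alarm) for alarm in unmatched]
    return sorted(findings)


if __name__ == "__main__":
    now = datetime(2012, 12, 18, 18, 0, 0)
    allowed = {"SHIFT_SUPV", "AUTO_SUPP_SG1"}   # shift supervisor + automatic module
    for finding in review(EVENTS, now, timedelta(hours=8), allowed):
        print(finding)
```
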

4.9 Alarm Filtering
Alarm filtering is typically used when the operator needs to view all the alarms
in a process plant area; a typical process area consists of the major equipment
like the SIH_05 and SIH_06.
The area alarm filtering icon enables you to turn on the areas from which
we want to see alarms and to turn off the areas from which we do not want to
see alarms. An area that has been turned off is filtered.

Figure 2: Alarm Filter Window

The alarm filter is used to filter alarms in up to 100 plant areas by the following
procedure:
1. Check the box next to an area to display that area's alarms in the alarm
banner, the alarm summary, and the alarm suppression screen.
2. Clear the check box to filter alarms by preventing that area's alarms
from being displayed in the alarm banner, the alarm summary screen,
the alarm suppression screen, and the alarm filter screen.
3. Click the all on button to see alarms from all areas that can be turned
on. Click the all off button to filter (that is, to prevent display of) alarms
from all areas.
4. Click an alarm area to see detailed information (for example, time of
alarm, module, description, parameter, alarm description, and message)
on the alarms for that area.
5. Click the description column in the detailed information area to open
the faceplate picture, the primary control picture, or both pictures for that
module. This is known as alarm direct access. Two buttons in the alarm
banner enable and disable alarm direct access.
The total count of unacknowledged alarms, active alarms, and suppressed
alarms for an area that is checked is displayed next to the plant area name.
The total number of alarms, the number of unacknowledged alarms, and the
number of suppressed alarms are shown across the top of the area alarm
details section. The details section of this picture uses the DeltaV alarm
summary object. Whenever an area is being filtered or an alarm is being
suppressed, an indicator appears on the alarm acknowledge button on the
toolbar, as shown below.

| Indicator | Indicator Meaning |
|---|---|
|  | Indicates that one or more areas are being filtered out. |
|  | Indicates that one or more alarms are being suppressed. |
|  | Indicates that an alarm is being suppressed and an area is being filtered. |

Table 10: Alarm Indicators
Alarm filtering only affects what is seen through the DeltaV HMI screens. It
does not affect the event chronicle database or the association between
workstations, users, and alarms that is defined in the PCS or the area keys
assigned in the user manager. Alarm filtering affects only the machine on
which the filter settings were made and is independent of the user. If you filter
alarms and then log off the machine, the next user to log on will not see alarms
from the areas that you filtered.
In this project, alarm segregation is done on each operator console according
to the area of operation to prevent alarm overload. Wherever helpful, alarms
should be segregated for annunciation to the operator.

4.10 Alarm and Event Logging

Alarm logging will be performed on two workstations in the system:
Application WS running historian (primary storage) and ProPlus WS (backup
storage). Both workstations shall have all plant areas assigned to their alarms
collection subsystem. Alarms and events records shall be kept in the DeltaV
alarms database for 30 days (available through the process history view) and
then purged into the text files located in the specified directories.
Process history view application on operator workstations shall be configured
to connect to application station when displaying alarms/events.

Figure 3: Alarms Collection Configuration on the ProPlus and Application Workstations
The application process history view provides a spreadsheet view of the events and
process alarms that occur. It also captures system events such as operator
changes, control module installations, and changes in device status. Each event
record is made up of fields such as date/time, event type, category, area, node,
module, etc.

Figure 4: Alarm and Event Viewer

4.11 Alarm Summary
The DeltaV system software provides a visual tool for monitoring alarms called
the alarm summary link. The alarm summary link allows you to monitor,
acknowledge, and list alarms using a variety of filtering and sorting methods.
Alarm messages in the alarm summary link's display can be color-coded to
provide visual clues to the operators.
Alarms can be sorted as per the table below.

| Attribute | Sorts Alarms By |
|---|---|
| Time In | The time the alarm first occurred. |
| Block Type | The block type. For example: AI, AO, DI, DO. |
| Module | The block's name. |
| Priority | The alarm priority, as defined for each block in the process database (low, medium, or high). |
| Node | The node name where the alarm originated. The sort by node is based on the order the nodes appear in the network list in the SCU. |
| Ack/Time | Acknowledgement and then by time in. When sorting alarms in descending order, unacknowledged alarms appear before acknowledged alarms. |
| Ack/Priority | Acknowledgement and then by priority. When sorting alarms in descending order, unacknowledged alarms appear before acknowledged alarms. |

Table 11: Alarm Summary Parameters
Module alarm information is displayed in the alarm summary display until the
module value returns to a normal state and an operator has acknowledged that
alarm. The following figure shows a sample alarm summary screen.

Figure 5: Alarm Summary Screen

Note: Only the background color of the priority and ACK columns changes based on
alarm priority.

ALARM SYSTEM MAINTENANCE

5.1 Alarm Performance Measures

Despite best efforts to design an alarm system to minimize nuisance alarms
and provide only meaningful alarms, there will be a need to change, delete or
add new alarms. There is no panacea that can be prescribed to alarm
systems, which will provide instant and universal improvement in performance.
There are, however, some prerequisites to achieving improvements in alarm
systems:

1. A real commitment by senior management of the plant to promote a
   culture of continuous improvement is required. All staff need to be
   helped and encouraged to develop a strategy for improving the alarm
   system.

2. An owner for the alarm system is required to:
   - Ensure consistent standards are set and maintained
   - Control changes to alarms and alarm system, manage records and
     documentation
   - Set performance measures for the alarm system, manage performance
     reporting and the resulting action for improvements

3. Thorough application of the basic improvement techniques. Some basic
   techniques are listed below but this is not an exhaustive list:
   - Review alarm behavior following all upsets to confirm usability
   - Tune alarm settings on nuisance alarms
   - Adjust deadbands on alarms which often repeat
   - Review alarm messages which operators do not understand or know
     how to respond
   - Review alarm suppression methods and adjust accordingly
   - Apply de-bounce timers and delay timers to repeating alarms
   - Introduce logic to combine and simplify redundant sets of alarms
   - Group alarms which all have the same operator response

5.1.1 Alarm Performance Measures


It will be difficult to sustain the alarm system as a usable system unless alarm
system performance measurements are put in place. There are several
qualitative measures that can be put in place, such as operator questionnaires
to determine usefulness or usability of alarms. Below are quantitative metrics
that can be used as performance metrics. The source of the metrics is the
Alarm Systems - A guide to Design, Management and Procurement, EEMUA,
Appendix 11.

5.1.1.1 Key Performance Indicator

Alarm System KPI reports: Both EEMUA-191 and ISA-18.2 stress the
importance of periodic measurement of Key Performance Indicators (KPIs).
DeltaV Analyze provides a ready-to-use KPI report that can be scheduled or
run on-demand and filtered by operator console position. The report contains
ten KPI calculations, pie charts for alarm priority and rate distribution, timeline
alarm activity charts for the report period and day with the most alarms,
top-twenty lists of modules with frequent, fleeting, stale and often-suppressed
alarms and a list of disabled alarms. Information sharing is simplified with the
report's Microsoft Excel format and user control over file naming and
destination folder. Reports can be produced on demand or scheduled by shift,
day, week or month.

5.1.2 Design Metrics
Design metrics can be used during the alarm system design phase to check
whether the design is appropriate for the type of facility and determine the
effort that will be required to maintain the system over the lifetime of the plant.
As the complexity of the process increases, one would expect more alarms per
operator are required.

5.1.2.1 Operating Metrics
Each area of the plant will periodically assess the performance of its alarm
system. The assessment should occur monthly and include the following key
performance indicators:
- Average alarm rate (number of alarms per 10 minute period)
- Alarm frequency distribution (for example, % of time at less than one,
  1-10 and greater than 10 alarms/10 minute window)
- Peak alarm rate (maximum number of alarms per 10 minute period)
- Standing alarms (average number of active alarms per 10 minute
  period)
- Alarm floods per month (number of 10 minute periods where there were
  more than 10 incoming alarms)
- Worst actors monitor reviewed weekly

5.1.2.2 Average Alarm Rate


The average alarm rate per operator is a simple indication of the workload
imposed on the operator by the alarm system. Typically this is measured over
a weekly period. Average alarm rates of less than one alarm per 10 minute
window should be achieved at Long Lake. This level is successfully being met
at many facilities.
| Key Performance Indicator (KPI) | Interim Target for Systems Undergoing an Alarm Improvement Effort | Long Term Target |
|---|---|---|
| Target Average Process Alarm Rate | 300 per day | 5 per hour (<120 per day EEMUA) |
| Percentage of time alarm rate exceeds Target Average Process Alarm rate | 5% | 0% - EEMUA |
| Alarm Event Priority Distribution based on at least one week of data | ~80% Low, ~15% High, <=5% Emergency EEMUA | ~80% Low, ~15% High, <=5% Emergency EEMUA |
| Inhibited / Disabled or otherwise Suppressed Alarms | Zero (Unless as part of defined shelving, flood suppression, or state-based strategy) | Zero (Unless as part of defined shelving, flood suppression, or state-based strategy) |
| Chattering Alarms | 10 or less in a one-week period | 0 per day |
| Stale alarms (more than 24 hours old) | 20 or less in a one-week period | 0 per day |
| Floods (10 to 20 alarms in a 10 minute period) | <= 5 per day | <= 3 / day |
| Floods (>20 alarms in a 10 minute period) | <= 3 per day | 0 per day |
| Process changes in Alarm Priority, Alarm Trip Point, Alarm Enable Status, Tag execution status | None that are unauthorized. None that are not part of a defined Shelving, Flood Suppression, or State-based Strategy. | None that are unauthorized. None that are not part of a defined shelving, flood suppression, or state-based strategy. |

Table 12: Benchmarks for Assessing Average Alarm Rates

| Priority | Target Maximum Rate |
|---|---|
| Critical (Emergency) | Very infrequently |
| High | Less than 5 per shift |
| Medium | Less than 2 per hour |
| Low | Less than 10 per hour |

Table 13: Target occurrence rates of alarms of different priorities

Metric
Alarms per Control Valve

Low

Average

High

Alarms per Analogue Measurement

0.5

Alarms per Digital Measurement

0.2

0.4

0.6

Table 14: Guidance on alarms per plant sub-system

What is important about these target rates is not only the ability of operators to
respond to alarms, but also the operator's attention to the importance of the
alarm. The greater the number of high priority alarms compared with, say, low
priority alarms, the more the operator will over time discount the priority of
alarms altogether and treat each with the same level of attention, thus defeating
a key feature of alarm systems.
Table 15 provides current industry measurement of the long-term alarm rate
average for plants in steady state operation. It can be easily seen that the
industry standard is well above what is recognized as an acceptable level, and
is significantly higher than the target maximum rate of one per 10 minutes
shown in Table 15.

| Long term average alarm rate in steady state operation | Acceptability |
|---|---|
| More than 1 per minute | Very likely to be unacceptable |
| One per 2 minutes | Likely to be over demanding |
| One per 5 minutes | Manageable |
| Less than one per 10 minutes | Very likely to be acceptable |

Table 15: Benchmarks for assessing average alarm rates

Other dynamic alarm system metrics, such as the number of alarms following a
plant upset, the number of standing alarms and operator response times
provide tools to review and modify alarm systems to improve performance.
What is lacking at present is a relatively easy method of measuring alarm
system performance in terms that are not subject to intensive post mortem
studies of events or extensive alarm system data collection. It may remain a
fact of alarm system design and maintenance that the effort required for
continuous improvement is exhaustive; however, the benefits cannot be readily
argued without a link between operator action, production targets and dynamic
alarm activity.

5.1.2.3 Frequency of Alarms/Worst Actors

The 10 worst actor tags often account for over 50% of the alarm rate. As a
component of the alarm performance monitoring, the WQ-2 Project should
establish a weekly report showing the 10 worst actor tags and their relative
contributions to the alarm rate. The tags identified in this report will be used as
a standing work order for review and correction by operations, control, and
instrument personnel.
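
The rate-based operating metrics of 5.1.2.1 and the worst-actor report, computed from a list of alarm activations. This is an added example, not DeltaV Analyze output and not project code; the tag names and timestamps are constructed sample data, fixed (non-sliding) 10-minute windows are an assumption, and standing alarms are left out because they need alarm state rather than activations.

```python
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FLOOD_LIMIT = 10      # a flood is a window with more than 10 incoming alarms


def bin_counts(alarms, start, end):
    """Alarm count per fixed 10-minute window over [start, end), empty windows included."""
    n_windows = (end - start) // WINDOW
    counts = [0] * n_windows
    for stamp, _tag in alarms:
        idx = (stamp - start) // WINDOW      # floor division: early alarms get idx < 0
        if 0 <= idx < n_windows:
            counts[idx] += 1
    return counts


def operating_metrics(alarms, start, end):
    counts = bin_counts(alarms, start, end)
    n = len(counts)
    if n == 0:
        raise ValueError("report period is shorter than one 10-minute window")
    dist = {
        "<1": sum(c < 1 for c in counts),
        "1-10": sum(1 <= c <= FLOOD_LIMIT for c in counts),
        ">10": sum(c > FLOOD_LIMIT for c in counts),
    }
    return {
        "average_per_10min": sum(counts) / n,
        "peak_per_10min": max(counts),
        "floods": dist[">10"],
        "distribution_pct": {k: 100.0 * v / n for k, v in dist.items()},
    }


def worst_actors(alarms, top=10):
    """Tags ranked by activation count, with each tag's share of the alarm load in %."""
    by_tag = Counter(tag for _stamp, tag in alarms)
    total = sum(by_tag.values())
    return [(tag, count, round(100.0 * count / total, 1))
            for tag, count in by_tag.most_common(top)]


def constructed_sample():
    """One hour of constructed activations: a chattering flow alarm causes one flood."""
    start = datetime(2012, 12, 18, 0, 0)
    per_window = [[], ["PIT-205", "LIT-310"], ["FIT-101"] * 11 + ["PIT-205"],
                  ["TIT-402"], [], ["FIT-101", "FIT-101", "LIT-310"]]
    alarms = []
    for w, tags in enumerate(per_window):
        for i, tag in enumerate(tags):
            alarms.append((start + w * WINDOW + timedelta(seconds=30 * i), tag))
    return alarms, start, start + len(per_window) * WINDOW


if __name__ == "__main__":
    alarms, start, end = constructed_sample()
    print(operating_metrics(alarms, start, end))
    for row in worst_actors(alarms):
        print(row)
```
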

5.1.2.4 Number of Alarms Following a Major Plant Upset

Operator performance during plant upsets is strongly affected by the number of
alarms they must deal with. The number of alarms following a plant upset is a
good metric for assessing the effectiveness of the alarm design process. As
stated in the alarm design process section, accounting for human limitations in
the alarm system design is a complex requirement and is difficult to implement.
This metric measures the effectiveness of the design relative to this design
principle.
Figure 45 in Alarm Systems - A Guide to Design, Management and
Procurement, EEMUA Appendix 11, gives some guidance on alarm rates
following an upset and it is recommended that this be used as the benchmark
for this metric.
If the metric falls into the definitely excessive or hard to cope category, the
alarm system design should be reviewed to improve the alarm filtering,
suppression and modal alarming and also consider deleting some alarms.

5.1.2.5 Number of Standing Alarms


A high number of standing alarms can indicate that many of the generated
alarms do not require operator action or are nuisance alarms. Those not
requiring operator action should be targeted for deletion. The cause of the
nuisance alarms needs to be determined and fixed so as not to create an
environment of operator complacency to alarms.
Long standing alarms can also be an indicator of a poorly operated or
maintained plant. Thus a periodic review of the long standing alarms can help
determine if this is the case.

5.1.2.6 Priority Distribution
The effective use of alarm priority can be checked by looking at the distribution
of alarms sorted by priority over a period of time. A large percentage of high
priority alarms indicates that the control system is not effectively keeping the
process within bounds, and that operator action is needed to avoid a significant
consequence. Either that, or the assigned priority is incorrect.

5.1.3 Alarm Performance System


The source of the data for metric calculations/reporting is the CSS alarm and
events database. The calculations and reporting should be done using alarm
analysis software.

5.1.4 State-Based or State-Dependent Alarms


Most alarms in a process unit pertain to the normal operating state of a piece
of equipment. But, equipment often has several normal, but differing, operating
states. PCS alarm capabilities are normally only for single-state, single-value
trip points and priorities. State examples include startup, shutdown, differing
grades of product or feed, half rate operation, etc.
Besides individual pieces of equipment, sections of an operating unit may have
different operating modes where fixed alarms produce inconsistent results. For
example, the process may run in modes where certain sub-sections are
intentionally shut down, producing a variety of alarms. Or, redundant
equipment may produce alarms when unused, even though that is a normal
and proper operating condition. In these circumstances, the alarms produced
do not meet the real criteria for an alarm (there is no operator action to take)
and will become stale and contribute to alarm floods and confusion.
It is a best practice that all such normal operating states should not cause
alarms. Alarms should be produced only upon abnormal or unexpected events.
State-based methodologies produce dynamic alarm configurations based upon
the specific process & equipment conditions. Multiple alarm trip point and
priority settings are configured for appropriate alarms and enabled based on
plant state.
Two components are required for handling state-based alarms: a state detector
and a state enforcer. The detector uses available information (which can
include operator input if desired) to correctly identify the current operating state
of the equipment, while the enforcer actually makes the desired alarm
modifications. Neither of these tasks may be automated.
If multiple process states producing differing alarms are identified, these must
be documented during the alarm rationalization. State transitions requiring
alarm system modifications should be handled by one of the following methods:
- Fully automated transition, with no input required from the operator
- Semi-automated transition, utilizing the operator to identify/confirm the
  correct state and initiate the change
- Manual transition, with changes identified and performed individually by
  the operator
For fully automatic transitions, documentation and other indication must be
provided to communicate the current operating state to the operator. Automatic
transitions requiring operator initiation should include a failsafe to monitor the
process and return critical alarms to service.
The manual transitions shall be fully documented for the operator, and include
custom designed operating schematics or reports for review, and to approve
that all settings are correct.
Any software methodology for dynamic change of alarms must be robust and
have fail-safe mechanisms.

5.1.5 Alarm Flood Suppression

Alarms give the proper information to the operator so that the best possible
actions can be taken to prevent or mitigate operational upsets. Alarms will not
be presented to the operator at a rate faster than he/she can respond. Periods
of alarm activity with presentation rates higher than the operator can respond
are defined as alarm floods. When the operator experiences an alarm flood,
his/her effectiveness is diminished because important information could be
missed.
Alarm floods can make a difficult process situation much worse. In a severe
flood, the alarm system becomes a nuisance, a hindrance, or a distraction,
rather than a useful tool.
Flood suppression is the dynamic management of pre-defined groups of
alarms based on detection of equipment state and triggering events.

5.1.6 Emergency Shutdown Systems Special Considerations

Special considerations for ESD systems include the following:
- If there are duplicate or similar analog measurements input to both the
  PCS and the ESD (for control and trip determination, respectively), do
  not provide multiple alarms from both sources for the same process
  condition. The reading not alarmed may be displayed on the graphic
  and also logged. If the ESD reading is chosen to be alarmed as a
  pre-trip indicator, ensure that its associated display parameter goes to the
  correct PCS graphic for taking corrective action. Often the PCS tag, not
  the ESD reading, is the preferable place for the alarms, since the PCS is
  where the operator can take corrective, pre-trip action.
- Valve position switches on ESD shutoff valves are often set to alarm
  when the valve performs the ESD action. This is incorrect; there should
  be an alarm only when the valve did not perform the proper action, so
  that the operator can take further action.
- Bad value alarms on devices connected only into the PLC should not
  produce a general PLC health/status alarm when activated. Such alarms
  should annunciate in the PCS as a bad value alarm on a tag
  representing the point in the PLC.
The process for obtaining ESD input or output bypass authority (generally for
testing purposes) must be done per the WQ-2 Project site procedure and
recorded properly. New facilities must be designed and implemented to work
within the procedural guidelines established in that procedure.

When inputs or outputs to an ESD system are bypassed for testing, such a
condition must be annunciated per standards and displayed to the operator on
the schematics.

5.1.7 Duplicate Alarms
Duplicate alarms, where several alarms on different process parameters
indicate the same abnormal situation, should be removed. In most cases, the
documentation and rationalization team shall select the best indicator of the
root cause and place the alarm on that device.

5.1.8 Consequential Alarms
WQ-2 Project facility process units are highly integrated systems with many
interrelations. A single alarm may propagate through other alarms in the
system. For example, a pump trip alarm may result in numerous low header
pressure or low feed flow alarms. Often a consequential alarm can be handled
by the same methods as duplicate alarms and voting alarms, or incorporated
into a state-based alarming strategy.

5.1.9 Chattering Alarms
To minimize chattering alarms, which activate repeatedly over a short period of
time, appropriate deadbands must be selected for all alarms. This may involve
the programming of a deadband for analog trip values, and a delay time or filter
for discrete points. Determination by historical performance is recommended.
Best practice starting points for design are listed in Table 16 below.

| Signal Type | Filter Time Constant | Deadband | Delay Time |
|---|---|---|---|
| Flow | 2 sec | 5% | 15 sec |
| Level | 2 sec | 5% | 60 sec |
| Pressure | 1 sec | 2% | 15 sec |
| Temperature | 0 sec | 1% | 60 sec |

Table 16: Deadband and Delay Time

Delay time, sometimes called a debounce timer, is a selectable system
capability of some alarm types. An ON-DELAY requires that an alarm be in
effect for the specified number of seconds before it is initially annunciated to
the operator. An OFF-DELAY immediately annunciates the alarm to the
operator but will not clear it until it has remained clear for the specified number
of seconds. Both techniques can be quite powerful for dealing with chattering
alarms.
Select on-delay time > 30 seconds while keeping in mind the impact of
delaying an initial alarm display.
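
How a deadband, an ON-DELAY and an OFF-DELAY each change the number of annunciations for a signal chattering at its trip point, and what the ON-DELAY costs in time to first display. This is an added example, not DeltaV function-block code; the high-alarm logic, the 1-second sample period, the 0-100 span, the trip point of 80 and the pressure trace are assumptions and constructed data, while the 2% deadband and 15 sec delay are the Table 16 starting points for pressure.

```python
def count_annunciations(samples, trip, deadband=0.0, on_delay=0, off_delay=0):
    """Simulate a high alarm over 1-second samples.

    deadband is in engineering units, delays are in seconds.
    Returns (number of annunciations, second of the first annunciation or None).
    """
    raw = False            # alarm condition after the deadband is applied
    annunciated = False    # what the operator sees
    run = 0                # seconds the condition has disagreed with the display
    count = 0
    first_at = None
    for second, pv in enumerate(samples):
        if pv >= trip:
            raw = True
        elif pv < trip - deadband:
            raw = False
        # Between (trip - deadband) and trip the previous condition is held.
        if raw == annunciated:
            run = 0
            continue
        run += 1
        # ON-DELAY gates the change to "in alarm", OFF-DELAY the change to "clear".
        if run > (on_delay if raw else off_delay):
            annunciated = raw
            run = 0
            if annunciated:
                count += 1
                if first_at is None:
                    first_at = second
    return count, first_at


def constructed_pressure_trace():
    """60 s of chatter around the trip point, 40 s clearly high, 40 s back to normal."""
    return [79.5, 80.5] * 30 + [85.0] * 40 + [70.0] * 40


if __name__ == "__main__":
    trace = constructed_pressure_trace()
    span = 100.0
    cases = {
        "no measures": {},
        "deadband 2% of span": {"deadband": 0.02 * span},
        "on-delay 15 s": {"on_delay": 15},
        "off-delay 15 s": {"off_delay": 15},
    }
    for name, kwargs in cases.items():
        print(name, count_annunciations(trace, 80.0, **kwargs))
```
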

5.1.10 Alarm Handling for Programs

In general, a program implemented in a PCS does a task that the operator
relies on. Failure of that program means the operator must act in a different
way, very similar to the treatment of an external device health alarm. Programs,
however, often produce cryptic or unexplained alarms or error messages,
some of which are useful to the program creator but not to the operator. Such
alarms must be eliminated. Programs must be accompanied by documentation
for the operator regarding the action to take based on the specific alarm.

5.1.11 PCS System Status Alarms


Alarms specific to the internal workings of a PCS system should be absent
under normal operating conditions, and they should not be tolerated when they
occur. PCS status displays should have no stale error messages. If many
system status errors are present, new system alarms are difficult to recognize
and respond to. Operators should know the proper response to each type of
system status alarm, including the functional group to contact and the degree
of urgency for the contact.

5.1.12 Tag and Program References to Alarms


A logic point should not look at parameters on a source point that depend on
the alarm function of the point in some way because those parameters are too
easily changed. Instead, a logic point should look at the PV of a source point
and compare that to a numeric value coded in the logic point itself or stored in
an array point. These are much less likely to be changed. The same concept
applies to programs implemented on the PCS and for communication between
points other than logic points.

5.2 Management of Change
Once time and effort have been expended in determining proper alarm settings,
these settings must be maintained and not allowed to drift into other
configurations. To maintain the integrity of the alarm system, management of
change procedures must be in effect that address changes to alarm systems.
Such changes must be properly evaluated, authorized and communicated to all
affected personnel and shifts.
MOC procedures must define the minimum level to invoke appropriate
approvals and documentation.
- Changes in alarm priority
- Changes in alarm trip point
- Creation of new alarms
- Deletion of existing alarms
- Change of alarm type
- Change of alarm description or text message
- Temporary suppression of alarms (an approved shelving methodology
  must be used)
- Point execution status (turning a sensor on or off)
- Changes in alarm presentation on graphics
- Additions of, modifications to, or updates to alarm handling capabilities
  such as alarm shelving systems or state based alarming configuration
The following changes should be controlled in a way to ensure that only
authorized, knowledgeable people perform the changes.
- Controller tuning parameters
- Point ranges
- Modification of logic points, interlocks, embedded programs, PCS
  operating system software, and similar functions
The change system itself must be designed to accommodate the number of
certain types of changes that are necessary, without an over-burden of
paperwork, but without compromising safety.
Audit and enforcement software should be used to periodically check for
changes from the proper settings, to report such changes, and to restore the
system to the proper settings.

The proper settings reside in a master alarm database. The MOC system must
ensure timely update of that database so that proper changes do not get
undone by the enforcement software.
Note that audit and enforcement software/methodologies must understand any
state-based, flood suppression, shelving, or other alarm handling strategies
being employed and work correctly in conjunction with them.
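
The audit step described above, as an added example (not project code and not a vendor tool): the running alarm settings are compared with the master alarm database, and values set by a documented state-based strategy or by approved shelving count as expected rather than as drift. The record layout, tag names, state names and values are constructed assumptions.

```python
FIELDS = ("priority", "trip", "enabled")

# Master alarm database (constructed): rationalized settings per alarm, plus the
# overrides a documented state-based strategy may apply in a given plant state.
MASTER = {
    "FIT-101/LO_ALM": {"priority": "Low", "trip": 20.0, "enabled": True,
                       "states": {"SG_STOPPED": {"enabled": False}}},
    "PIT-205/HI_ALM": {"priority": "High", "trip": 80.0, "enabled": True, "states": {}},
    "LIT-310/HI_ALM": {"priority": "Medium", "trip": 90.0, "enabled": True, "states": {}},
}

# Settings read back from the running system (constructed).
RUNNING = {
    "FIT-101/LO_ALM": {"priority": "Low", "trip": 20.0, "enabled": False},
    "PIT-205/HI_ALM": {"priority": "Low", "trip": 95.0, "enabled": True},
    "LIT-310/HI_ALM": {"priority": "Medium", "trip": 90.0, "enabled": False},
    "TIT-402/HI_ALM": {"priority": "Low", "trip": 150.0, "enabled": True},
}

APPROVED_SHELVED = {"LIT-310/HI_ALM"}    # suppressed through the approved method


def expected_settings(master_entry, plant_state):
    """Master settings with the override for the current plant state applied."""
    expected = {field: master_entry[field] for field in FIELDS}
    expected.update(master_entry["states"].get(plant_state, {}))
    return expected


def audit(master, running, plant_state, approved_shelved=frozenset()):
    """Return (alarm, field, running value, expected value) for every deviation."""
    findings = []
    for alarm in sorted(set(master) | set(running)):
        if alarm not in master:
            findings.append((alarm, "not_in_master", None, None))
            continue
        if alarm not in running:
            findings.append((alarm, "missing_from_running", None, None))
            continue
        expected = expected_settings(master[alarm], plant_state)
        for field in FIELDS:
            actual = running[alarm][field]
            if actual == expected[field]:
                continue
            if field == "enabled" and not actual and alarm in approved_shelved:
                continue      # temporary suppression via the approved shelving method
            findings.append((alarm, field, actual, expected[field]))
    return findings


def restore_plan(findings):
    """Writes that put drifted fields back to the proper settings. Alarms that are
    unknown to, or missing from, either side need an MOC review, not a write."""
    plan = {}
    for alarm, field, _actual, expected in findings:
        if field in FIELDS:
            plan.setdefault(alarm, {})[field] = expected
    return plan


if __name__ == "__main__":
    findings = audit(MASTER, RUNNING, "SG_STOPPED", APPROVED_SHELVED)
    for finding in findings:
        print(finding)
    print(restore_plan(findings))
```

Running the same audit with a plant state that has no override reports the disabled FIT-101 low-flow alarm as drift, which is the case of a state-based suppression that was never returned to service.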
To emphasize, best practices support that the integrity of the overall alarm
system is of such importance as to require MOC around all alarm priorities,
including low. This is why a separate operator alert system/priority is a best
practice as well.
The alarm system champion for the area in question should be notified of any
and all alarm changes so that they can maintain the integrity of the alarm
system.
Exceptions that do not require an MOC include the operation of alarm handling
strategies of state based, flood suppression, or shelving as defined in this
philosophy document. Alterations to the configuration of these strategies
themselves, however, must be done utilizing MOC and proper review and
authorization.