
Does your DCS Alarm Management System know about your SIS

ISA Safety Symposium 2006 Houston, TX



May 24, 2006

Presenter

Charles M. Fialkowski, C.F.S.E.


- National Process Safety Manager for Siemens Process Safety
- Safety Systems Specialist for > 10 years
- 8 years experience as a field service and I&C engineer for Foster Wheeler Energy Corp.
- Member of ISA's technical committee SP84 on Safety Systems
- Developed and instructed courses on BMS and LOPA
- Chairman for ISA's Safety Division on Fire and Gas systems
- CTM, Certified Toastmaster

Reference Data

- Draft ISA 18.02; Management of Alarm Systems for the Process Industries
- EEMUA (Engineering Equipment and Materials Users Association) Publication No. 191:99; Alarm Systems - A Guide to Design, Management and Procurement
- ANSI/ISA-84.00.01-2004; Application of Safety Instrumented Systems for the Process Industries

Management of Alarm Systems for the Process Industries (ISA 18.02)


Objective
The objective is to define the terminology, models, and work processes to effectively implement and manage an alarm system within a process sector facility.
Alarm System

(Figure: elements shown are the process with its sensors and final control elements; the automation and safety systems (BPCS I/O, SIS I/O monitor); and the operator interface (HMI, operator panel, alternate HMI, historian/logger).)

The Alarm Management Lifecycle

(Figure: the lifecycle is drawn as a numbered loop; the stage numbers did not survive extraction.) Stages shown:
- Philosophy / System Requirements
- Identification
- Rationalization / Design Requirements
- Design
- Implementation & Training
- Operation
- Maintenance & Training
- Monitoring
- Assessment & Audit
- Management of Change
- Shutdown / Disposal

Process Condition Model

This simple model is a useful reference in the development of alarm principles and the alarm philosophy. The warnings and indications are not to suggest alarms are required, only that under some circumstances alarms may be warranted.

(Figure: process condition bands, from normal operation outward.)
- Normal / Target
- Off-Target Indication
- Pre-Upset Warning
- Upset Indication
- Pre-Trip Warning
- Trip Indication

Alarm Cycle Model

This model describes the overwhelming majority of alarms and therefore serves as a useful model for the development of alarm system principles.

Alarm Timeline

(Figure: Process Variable against Time, with the states Normal (A), New Alarm (B) and Ack'd & response (C). Marked on the plot: the sensor reading against the true process value, the alarm limit and its deadband, the point where the process limit is exceeded, the consequence threshold, and the process deadtime. Delays labelled along the timeline: sensor & error delay, alarm delay, deadband delay, ack delay, operator response delay, process response delay. After the alarm the curve splits into the process response to operator action and the process response without operator action.)

Using the state transition diagram it is possible to map some states to a timeline, and clarify the definition of terms related to time. The diagram shows parallel lines representing true process conditions and the indicated process condition. The lines have two possible paths; one path if the operator takes corrective action and one path if no action is taken.
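The alarm cycle and timeline above can be expressed as a small state machine. The following is an added example, not code from the presentation or from any vendor's alarm system: one high alarm on a constructed process variable (PV) series, with an alarm limit, a deadband and an on-delay, recording the timestamps needed to compute the ack delay and the response time that the timeline names. The tag name, limit and PV values are constructed; the second function shows why the deadband matters, by counting how often the same alarm is raised when the PV hovers around the limit.

```python
"""Alarm cycle model as a state machine: an added example, not from the
presentation. Tag names, limits and PV values are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    NORMAL = "Normal (A)"
    UNACK = "New Alarm (B)"
    ACKED = "Ack'd & response (C)"


@dataclass
class HighAlarm:
    tag: str
    limit: float
    deadband: float        # PV must fall below limit - deadband to return to normal
    on_delay: int = 1      # consecutive samples above the limit before the alarm is raised
    state: State = State.NORMAL
    above_count: int = 0
    raised_at: Optional[int] = None
    acked_at: Optional[int] = None
    cleared_at: Optional[int] = None
    events: List[Tuple[int, str]] = field(default_factory=list)

    def sample(self, t: int, pv: float) -> State:
        """Feed one timestamped PV sample and return the resulting alarm state."""
        if self.state is State.NORMAL:
            if pv > self.limit:
                self.above_count += 1
                # On-delay: filter short excursions (sensor noise) before alarming
                if self.above_count >= self.on_delay:
                    self.state = State.UNACK
                    self.raised_at = t
                    self.events.append((t, f"{self.tag} high alarm raised, PV={pv}"))
            else:
                self.above_count = 0
        elif pv < self.limit - self.deadband:
            # Deadband: the alarm clears only once PV is clearly below the limit,
            # which stops it chattering while PV hovers around the limit
            self.state = State.NORMAL
            self.above_count = 0
            self.cleared_at = t
            self.events.append((t, f"{self.tag} returned to normal, PV={pv}"))
        return self.state

    def acknowledge(self, t: int) -> None:
        """Operator acknowledgement moves the alarm from state B to state C."""
        if self.state is State.UNACK:
            self.state = State.ACKED
            self.acked_at = t
            self.events.append((t, f"{self.tag} acknowledged by operator"))

    def ack_delay(self) -> Optional[int]:
        """Time from alarm raised to operator acknowledgement."""
        if self.raised_at is None or self.acked_at is None:
            return None
        return self.acked_at - self.raised_at

    def response_time(self) -> Optional[int]:
        """Time from alarm raised to return to normal (ack, operator and process response)."""
        if self.raised_at is None or self.cleared_at is None:
            return None
        return self.cleared_at - self.raised_at


def run_scenario() -> HighAlarm:
    """Constructed scenario: PV ramps above the limit, the operator acknowledges
    at t=5 and takes corrective action, and PV falls back below the deadband."""
    alarm = HighAlarm(tag="PT1", limit=60.0, deadband=2.0, on_delay=2)
    pv_series = [50, 52, 55, 61, 62, 63, 64, 60, 59, 58, 57, 55]  # one sample per time unit
    for t, pv in enumerate(pv_series):
        alarm.sample(t, pv)
        if t == 5:
            alarm.acknowledge(t)
    return alarm


def count_raises(deadband: float) -> int:
    """How often one alarm is raised while PV oscillates just around the limit:
    a chattering nuisance alarm without a deadband, a single alarm with one."""
    alarm = HighAlarm(tag="PT1", limit=60.0, deadband=deadband)
    for t, pv in enumerate([61.0, 59.5, 61.0, 59.5, 61.0]):
        alarm.sample(t, pv)
    return sum(1 for _, msg in alarm.events if "raised" in msg)


if __name__ == "__main__":
    a = run_scenario()
    for t, msg in a.events:
        print(f"t={t:2d}  {msg}")
    print("ack delay:", a.ack_delay(), " response time:", a.response_time())
    print("raises without deadband:", count_raises(0.0), " with deadband 2:", count_raises(2.0))
```

In the constructed run the alarm is raised at t=4 (the second consecutive sample above the limit), acknowledged at t=5 and cleared at t=10, giving an ack delay of 1 and a response time of 6 time units; the oscillating series raises the alarm three times with no deadband and once with a deadband of 2.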

Alarms defined per S84

1st Generation Safety Systems

- Introduced in the late 1980s
- Special-purpose safety PLCs introduced to improve safety and availability
- Employ redundancy and voting techniques (2oo3 or TMR) to enhance safety and availability
- TÜV certified to DIN/VDE standards (AK1-AK6)
- Examples: Triconex Tricon, August Systems, ICS Triplex Regent

2nd Generation Safety Systems

- Introduced in the 1990s
- Employ high levels of self-diagnostics (D) coupled with redundancy and voting techniques (1oo2D or DMR) to provide comparable levels of safety & availability with less hardware (lower cost) than 1st Generation systems
- TÜV certified to DIN/VDE (AK1-AK6) and IEC 61508 (SIL1-SIL3) standards
- Windows-based IEC 61131-3 Programming Tools
- Improved integration with DCS systems
- Examples: Honeywell FSC, Moore QUADLOG, Yokogawa ProSafe-PLC, ABB Master Safeguard, HIMA H41q/H51q

Trends in Process Safety

- Closer Integration with Control Systems
- Increased Focus on Overall Safety
- Enhanced Control Functionality
- Flexibility and Scalability

Reference: Trends in Process Safety, Asish Ghosh, ARC Advisory Group, July 2004

3rd Generation Safety Systems

- Introduced in the early 2000s
- Very high levels of self-diagnostics (D) to achieve high safety
- Optional redundancy to achieve high availability
- Highly modular and scalable
- TÜV certified to IEC 61508 (SIL1-SIL3) standards
- All offer tight integration with respective DCS systems
- Some offer advanced programming tools
- Some offer distributed safety I/O
- Some integrate safety fieldbus technology
- Examples: Siemens SIMATIC S7-F/FH, Emerson DeltaV SIS, Yokogawa ProSafe-RS, ABB 800xA (SIL 2 only)

Levels of Integrated Control and Safety

(Figure: three arrangements of DCS and SIS with their engineering stations (ENG) and HMI.)
- Interfaced: DCS and SIS linked through a gateway, with separate engineering stations
- Integrated: DCS and SIS under one engineering station and HMI
- Common: DCS and SIS in one platform under one engineering station and HMI

Consider the interfaces and actions

- Forcing, bypassing
- Communications
- Fault detection, diagnostics and reactions

(Figure: SIS and BPCS linked through a gateway to the HMI, and a pressure example with transmitters PT1 and PT2, PS, a pressure control valve (PCV) and the valve SV. The pressure scale runs from low level through normal pressure (process control) to the high pressure alarm and then the trip point (ESD action).)

Alarm requirements

- Provide operator training
- Define operator action
- Validate everything

(Figure: I/O architectures, each drawn with DO, DO, DI, AI, AI channels: Simplex, Dual and Triple; examples shown are 1oo1 LS, 1oo2 valves and 2oo3 PT.)
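The voting schemes named on these slides (2oo3 on the pressure transmitters, 1oo2 on the valves, 1oo2D in the 2nd generation systems) can be written down in a few lines. The following is an added example, not code from the presentation or from any vendor's safety PLC: 2oo3 voting on three transmitters that degrades when diagnostics flag a channel bad, 1oo2D voting on a dual channel, and a transmitter deviation alarm, which is an operator alarm for the DCS rather than a trip condition. The trip point, readings and tag names are constructed, and the degradation scheme (2oo3 to 1oo2 to 1oo1, then trip when no channel is left) is one common choice, assumed here.

```python
"""Voting logic for redundant SIS inputs: an added example, not from the
presentation. Readings, trip points and the degradation scheme are
constructed assumptions for illustration."""
from typing import List, Optional, Sequence, Tuple


def channel_trips(reading: float, trip_point: float) -> bool:
    """High trip: a channel votes to trip when its reading reaches the trip point."""
    return reading >= trip_point


def vote_2oo3(readings: Sequence[float], trip_point: float,
              healthy: Optional[Sequence[bool]] = None) -> bool:
    """Trip when at least two of three channels vote to trip.
    Channels flagged bad by diagnostics are removed from the vote and the
    logic degrades: 3 live -> 2oo3, 2 live -> 1oo2, 1 live -> 1oo1, 0 live -> trip."""
    if healthy is None:
        healthy = [True] * 3
    if len(readings) != 3 or len(healthy) != 3:
        raise ValueError("2oo3 needs exactly three readings and three health flags")
    live = [r for r, ok in zip(readings, healthy) if ok]
    if not live:
        return True  # every channel faulted: nothing left to vote on, fail safe
    votes = sum(channel_trips(r, trip_point) for r in live)
    needed = 2 if len(live) == 3 else 1
    return votes >= needed


def vote_1oo2d(readings: Sequence[float], healthy: Sequence[bool],
               trip_point: float) -> bool:
    """1oo2D: either channel can trip, but a channel diagnosed as faulty is
    taken out of the vote so a detected fault does not cause a spurious trip;
    with both channels faulted the logic trips (fail safe)."""
    if len(readings) != 2 or len(healthy) != 2:
        raise ValueError("1oo2D needs exactly two readings and two health flags")
    live = [r for r, ok in zip(readings, healthy) if ok]
    if not live:
        return True
    return any(channel_trips(r, trip_point) for r in live)


def deviation_alarm(readings: Sequence[float], max_deviation: float) -> bool:
    """Disagreement between redundant transmitters is not a trip condition, but
    it should raise a DCS alarm so maintenance can act before the SIS degrades."""
    return max(readings) - min(readings) > max_deviation


def scenario() -> Tuple[bool, bool]:
    """Constructed case: PT1 and PT2 read 105 and 104, PT3 sticks at 60;
    trip point 100, deviation limit 5. Returns (trip, deviation alarm)."""
    readings: List[float] = [105.0, 104.0, 60.0]
    return vote_2oo3(readings, 100.0), deviation_alarm(readings, 5.0)


if __name__ == "__main__":
    trip, dev = scenario()
    print("2oo3 trip:", trip, " deviation alarm to the DCS:", dev)
    print("1oo2D with channel 1 faulted and channel 2 normal:",
          vote_1oo2d([105.0, 50.0], [False, True], 100.0))
```

In the constructed case the 2oo3 group trips on PT1 and PT2 even though PT3 has stuck low, and the deviation alarm tells the operator that PT3 disagrees with the other two. With a diagnosed-bad channel the 1oo2D logic ignores that channel's reading, which is the point of the "D": a detected fault is handled without a spurious trip.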

Poor Alarm Management

- Nuisance alarms: alarms go off and on regularly or intermittently
- Alarm floods: too many alarms are presented to the operator during abnormal situations
- Cascading alarms: specific alarms always occur together
- Alarm messages do not provide meaningful information (problem or corrective action)
- Too many high priority alarms are present in the system
- Standing alarms: too many alarms are present continuously in the system even during steady-state conditions (and operators ignore them)

Good Alarm Management

- The ability to focus the operator's attention on the most important alarms
- Providing clear and understandable alarm messages
- Providing information on the recommended corrective action
- The ability to suppress (lock) all alarms from a device or from a process area
- The ability to analyze alarm system performance metrics to identify nuisance alarms or areas requiring additional training
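The last point, analyzing alarm performance metrics, is how the problems on the previous slide (nuisance alarms, floods, standing alarms, too many high priority alarms) are found in practice. The following is an added example, not code from the presentation or from any alarm management product: it reads a constructed alarm journal and reports chattering tags, ten-minute flood periods, standing alarms and the priority mix. The log lines, tag names and thresholds are constructed; the flood threshold of more than ten alarms in ten minutes and the three-activations-in-ten-minutes chatter rule are choices for this example.

```python
"""Alarm performance metrics from a constructed alarm journal: an added
example, not from the presentation. All log lines and thresholds are
constructed for illustration."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

DAY = "2006-05-24"
# Constructed journal: time,tag,priority,event (ALM = alarm active, RTN = return to normal)
LOG_LINES = [
    "08:00:05,PT1,HIGH,ALM", "08:00:12,PT1,HIGH,RTN",
    "08:01:30,PT1,HIGH,ALM", "08:01:40,PT1,HIGH,RTN",
    "08:02:50,PT1,HIGH,ALM", "08:03:02,PT1,HIGH,RTN",
    "08:04:00,LT3,MED,ALM",                      # never returns to normal
    "08:20:00,TT4,LOW,ALM", "08:20:30,TT4,LOW,RTN",
]
# A burst of twelve alarms within one minute: an abnormal situation at 09:00
LOG_LINES += [f"09:00:{5 * i:02d},F{i:02d},LOW,ALM" for i in range(12)]
LOG_LINES += [f"09:05:{5 * i:02d},F{i:02d},LOW,RTN" for i in range(12)]
LOG_END = datetime.strptime(f"{DAY} 10:00:00", "%Y-%m-%d %H:%M:%S")


def parse(lines: List[str]) -> List[dict]:
    """Turn journal lines into time-sorted event records."""
    events = []
    for line in lines:
        ts, tag, prio, ev = line.split(",")
        events.append({"time": datetime.strptime(f"{DAY} {ts}", "%Y-%m-%d %H:%M:%S"),
                       "tag": tag, "priority": prio, "event": ev})
    return sorted(events, key=lambda e: e["time"])


def chattering(events, window=timedelta(minutes=10), min_activations=3) -> Dict[str, int]:
    """Nuisance alarms: tags that activate min_activations or more times inside
    any sliding window. Returns tag -> worst count seen."""
    times = defaultdict(list)
    for e in events:
        if e["event"] == "ALM":
            times[e["tag"]].append(e["time"])
    result = {}
    for tag, ts in times.items():
        start, worst = 0, 0
        for i in range(len(ts)):
            while ts[i] - ts[start] > window:
                start += 1
            worst = max(worst, i - start + 1)
        if worst >= min_activations:
            result[tag] = worst
    return result


def floods(events, bucket_minutes=10, threshold=10) -> Dict[datetime, int]:
    """Alarm floods: fixed buckets whose alarm count exceeds the threshold."""
    counts = Counter()
    for e in events:
        if e["event"] == "ALM":
            t = e["time"]
            start = t.replace(minute=t.minute // bucket_minutes * bucket_minutes,
                              second=0, microsecond=0)
            counts[start] += 1
    return {start: n for start, n in counts.items() if n > threshold}


def standing(events, now, min_age=timedelta(hours=1)) -> Dict[str, timedelta]:
    """Standing alarms: still active at `now` and active for at least min_age."""
    active = {}
    for e in events:
        if e["event"] == "ALM":
            active.setdefault(e["tag"], e["time"])
        else:
            active.pop(e["tag"], None)
    return {tag: now - t for tag, t in active.items() if now - t >= min_age}


def priority_mix(events) -> Dict[str, float]:
    """Share of activations per priority; a large HIGH share is a warning sign."""
    counts = Counter(e["priority"] for e in events if e["event"] == "ALM")
    total = sum(counts.values())
    return {p: n / total for p, n in counts.items()}


def report(lines=LOG_LINES, now=LOG_END) -> dict:
    events = parse(lines)
    return {"chattering": chattering(events), "floods": floods(events),
            "standing": standing(events, now), "priority_mix": priority_mix(events)}


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

On the constructed journal PT1 is reported as chattering (three activations in under three minutes), the 09:00 bucket is a flood with twelve alarms, LT3 has been standing for almost two hours, and 3 of the 17 activations are high priority. Run against a real journal export, the same four functions give the figures an assessment or audit of the alarm system would start from.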

Prioritize and suppress Alarms

EEMUA studies have shown that to maximize operator effectiveness, no more than three different sets of alarm priorities should be configured in a system.

Clear and Understandable

- Tagname
- Alarm Message, including tag description and alarm meaning
- Process Area
- Alarm State
- Alarm Priority
- Message Type (Alarm, Warning or System Event)
- Additional Info Exists (Corrective Action)

Recommended Corrective Action


Conclusions
Proper alarm management CAN be used as a method of risk reduction by reducing the demand rate on the SIS, provided that:
1. The sensor is not used for control purposes where loss of control would lead to a demand on the SIF.
2. The sensor is not used as part of the SIS.
3. The limits on the risk reduction that can be claimed for the BPCS, and common cause issues, are taken into account.

The alarm interfaces between the SIS and the operator need to be fully described (pre-shutdown alarms, shutdown alarms, bypass alarms, diagnostic alarms), graphics,


Thanks
Charles.Fialkowski@siemens.com

