Controller Effectiveness: Alarm

Management and High Performance HMI

Bill Hollifield
Principal Alarm Management and
HMI Consultant for PAS

API Control Room Conference

October 2009
San Antonio, Texas c

Controller Effectiveness Resources

Bill Hollifield
Principal Alarm
ANSI/ISA SOON:
Management
18.2 API RP-1167
and HMI Management Alarm
Consultant for of Alarm Management
PAS Systems for For Pipeline
the Process Systems
Industries
c

Controller Effectiveness: Support Factors
This Presentation:

Effective
Alarm
Management Very Effective Controller!

Control Loop
Performance
High
Note from Bill: Aren¶t we all
Performance tired of the ³3-legged stool´
HMI analogy?

c

Related ISA Standards
ANSI/ISA±18.2±2009 ISA 101
Management of Alarm Systems for the A vital and Human Machine
essential next Interface -
Process Industries In early draft stage
Begun 2003, Released June 2009 step for alarm Release Date
management ! 2011+???

ISA-18.2 has: The Standard does not have:

A ÷
  of alarm 
 
  ÷
management life cycle steps 

r




and activities  



Mandatory practices  

 
Recommended practices  ÷
 


Some additional content will be  ÷


 
published in follow-on
³Technical Reports´
(2011-2012)

The ³WHAT´ Not the ³HOW´

c

ISA-18.2 Regulatory Impact

oes ISA-18.2 Apply to You?

YES ± if you have a CS, SCAA systems, PLCs, Safety Systems, or anything where a
controller responds to alarms!
This includes Petrochemical, Chemical, Refining, Platform, Pipelines, Power Plants,
Pharmaceuticals, Mining & Metals. Also for continuous, batch, semi-batch, or discrete
processes.

Regulatory Impact
ISA-18.2 is a ³recognized and generally accepted good engineering practice.´ (RAGAGEP!)
OSHA and other agencies have General Duty Clauses: , ³The employer shall document that
equipment complies with recognized and generally accepted good engineering practices.´
Regulatory agencies will take notice of ISA-18.2.

A regulated industry can be expected to either comply with RAGAGEP or show that they are
doing something ³just as good or better.´

Grandfathering
ISA-18.2 says: D r 

  











  


c

API RP1167 ƛ High Points
u

 

 

 
÷

   
  

÷! 

!  
   
   "  

The alarm system should be reserved for items meeting this definition.

 Alarm Philosophy
 Alarm Systems ± Proper Characteristics
 Proper Alarm Prioritization
 Proper Alarm ocumentation & Rationalization
 Master Alarm atabase
 Roles and Responsibilities
 Proper Alarm Handling
 NO UNCONTROLLE ALARM SUPPRESSION
 ALARM CHANGES BY CONTROLLERS TIGHTLY CONTROLLE
 MANAGEMENT OF CHANGE
 Alarm Shelving
 Advanced Alarm Methodologies overview
 Alarm System Monitoring and Performance Metrics (TARGET NUMBERS!)
 Alarm System Audits
 General Information: SCAA Alarm types and typical features

c


API RP1167 ƛ Alarm System Performance

Alarm Performance Metrics per Controller Position
Based upon at least 30 days of data
Metric Target Value
Target Value: Very
Likely to be Target Value: Maximum
Annunciated Alarms per Time: Acceptable Manageable

Annunciated Alarms Per ay per Controller Position ~150 alarms per day ~300 alarms per day

Annunciated Alarms Per Hour per Controller Position ~6 (average) ~12 (average)

Annunciated Alarms Per 10 Minutes per Controller Position ~1 (average) ~2 (average)

Metric Target Value

Percentage of hours containing > 30 alarms ~ <1%

Percentage of 10-minute periods containing >5 alarms ~ <1%

Maximum number of alarms in a 10 minute period 10 or less

Percentage of time alarm system is in a flood condition ~ <1%

Percentage contribution of the top 10 most frequent alarms ~<1% to 5% maximum, with action plans to
to the overall alarm load address deficiencies.

Quantity of chattering and fleeting alarms
Stale Alarms
Annunciated or Configured Priority istribution
Unauthorized Alarm Suppression
Improper Alarm Attribute Change
Zero, action plans to correct any that occur.
Less than 5 present on any day, with action
plans to address
3 priorities: ~80% P3, ~15% P2, ~5% P1 or
4 priorities: ~80% P3, ~15% P2, ~5% P1, ~<1%
³Priority Critical.´ Other special-purpose
priorities (³iagnostic´) excluded from the
calculations
Zero alarms suppressed outside of controlled or
approved methodologies
Zero alarm attribute changes outside of
approved methodologies or MOC
c

The 7-Step Alarm Management Improvement
Process ƛ A Proven Methodology

Step 1: evelop, Adopt, and Maintain an Alarm Philosophy Always

Needed

Step 2: Collect ata and Benchmark Your Systems

Often Done
Step 3: Perform ³Bad Actor´ Alarm Resolution Simultaneously

Step 4: Perform Alarm ocumentation and Rationalization (&R)

Step 5: Implement Alarm Audit and Enforcement Technology Needed Based

Upon
Performance
Step 6: Implement Real Time Alarm Management

Step 7: Control and Maintain Your Improved System

The WHAT and the HOW

A primary focus on improvement of existing systems, with
applicability to new systems.
c

Alarm Philosophy and Analysis
An Alarm Alarm Analysis
Philosophy ( peci ic Pro lem denti ication$
(a comprehensive document $ op %& ' ost (re)uent Annunciated Alarms

on 


 #$ ˜˜˜˜ ˜˜˜

˜˜˜˜ ˜˜

˜˜

˜˜˜˜


˜˜

    An Alarm Philosophy  peciic Alarm Desin onsiderations  ˜˜˜˜




Philosophy
ntroduction

u

 Alarm  andlin o Alarms rom
nstrument ˜˜˜˜˜
˜˜

and se
 Purpose ˜˜
Deinition and riteria   alunctions
 Alarm
³d d
˜˜˜˜

 Annunciation and esponse  or edundant ensors and
˜˜

 Alarm Alarms
  avi ation and Alarm esponse
˜˜˜˜

  otin ystems
Device ealth and tatus Alarms
˜˜

  se o ternal Annunciators  ternal
˜˜˜˜

 
s
k

D ystems
˜˜
 ard ired  itches
 Annunciated Alarm Priority  D ypasses
 Duplicate Alarms
˜˜˜˜ ˜˜
 Alarm ystem Perormance
 Alarm ystem hampion  onseuential Alarms ˜ ˜˜



˜˜

˜



 s!´




˜˜


˜



˜˜


˜

 PreAlarms


 Alarm ystem KP
s
 Alarm Perormance eport 9 lamma le and oic !as Detectors u
s
y
 Alarm andlin ethods  aety hoer and ye ath Actuation Alarms

˜

˜
 uisance Alarms  uildinelated Alarms +
*
ecorded
˜˜˜
  Alarm andlin or Prorams
helvin
a 
ep able(˜˜)
 Alarm
tateased Alarms
 Alarms to
nitiate anual as"s anageable(˜)
 Alarm lood uppression  D  ystem tatus Alarms ˜˜˜

perator Alert ystems  Point and Proram eerences to Alarms
 Alarm ationaliation 
perator essain ystem
˜˜˜
 Areas o
mpact and  
9  rainin
ana ement o han e

 everity o onseuences  Alarm aintenance #or"lo Process ˜˜˜
aimum ime or esponse
 and orrection
atri Plus Appendices
˜˜˜
 Priority
 Alarm Documentation
rip Point election ˜˜˜
 Alarm

he ocused D ption
˜
-8ks-

c

Fix Your ƠBad Actorơ Alarms!

r
 

  
   The Ơtop 10ơ alarms
˜˜˜˜ ˜˜˜ usually make up 20% to
˜˜˜˜ ˜˜

˜˜
80% of the entire alarm

˜˜˜˜

 ˜˜˜˜ 
 % ˜˜ system load



   

˜˜
˜˜˜˜˜
&  ˜˜  Many types: Chattering,
˜˜˜˜
&
˜˜˜˜

˜˜

˜˜
Fleeting, Frequent, Stale,

˜˜˜˜
˜˜ Duplicate, Nuisance
˜˜˜˜

˜
˜˜

˜˜
Diagnostic, etc.


˜˜

˜






˜˜


˜



˜˜


˜




 The methods are simple

˜

˜

to learn and apply.

c

Alarm Documentation and Rationalization
Ensures your actual alarms comply with your alarm
philosophy (operator actions, priorities, time to
respond, etc.)

ocuments your alarms (Set Points, Causes,

Consequences, Corrective Actions), creating a
Master Alarm atabase.
, -,
r cess ist ry

  1.0

*+


 % 0.8

10 ( 

u'
0.6

u
 0.4
,



 0.2
  
u
% 0.0

./
1
3
5
7

2
4
6
8
11

13
15

17
19

21
23
25
27
29

31

10
12
14
16

Ñix problems
ata  i ts

(
(
while they
u (
) are small
u



'  
'÷
 *-÷

la t Experie ce & wledge & 
Process, Equipment, Operations, Procedures

c

Audit / Enforce Proper Alarm Settings
 Alarm Configuration security is often ineffective.
 ƠAlarm Creepơ will occur after D&R unless positive steps are taken.
 Best Practice: Automatically audit alarm settings to ensure they are not
improperly changed.

c  y    
u  
   
    
y     

yD 
u
y
 


  !" ##"

 $%& '% #(

 %'%#)
$g  g"
$g *" u#%'
##u(
 


u 
  D
y 5

c

Implement Real Time Alarm Management
 Real-time, dynamic Alarm Management Detect Plant
techniques are used to reduce inappropriate State Change
alarms caused by changing operating
conditions. These techniques include:
 Advanced Alarm Shelving (Temporarily suppress Automatically
alarms safely, with proper tracking and control) Alter Alarm
 State-Based Alarming (Sets of multiple alarm Settings to
settings that are optimum and correct for all your Match New
operating conditions.) State
 Alarm Flood Suppression
(Minimize these hazardous
conditions!
 Operator Alert Systems
(A toolset for notification of
things that should not be alarms.)

c

Control and Maintain Your Improved System

 ?
  - Insure that gains

are not lost over time.

 e b
e.
?
e
  e.
 Ee Pe Meme

 ?e
|

On-Going KPIs

c

If you havenƞt started already, get started now! OrƦ
Be on the TV news! Get to know your Regulatory inspectors
really well. They just want to help you.

c

Alarm Management Summary
 Poorly performing alarm systems AND HMIs are
contributing factors to major accidents and poor operating
performance.
 Proper Alarm System Management and Alarm System
Performance is essential to maximum-efficiency operations.
 The solutions to the problems are well known and fully
documented.

c
 

c


Most Existing HMIs are POOR!

Common, but
ineffective
process
depictions!
³Numbers
sprinkled on a
P&I screen´
Inconsistent,
improper use of
color
No trends
No condition
information
Many
other poor
practices
c

Poor Alarm Systems and HMIs Encourage ƠOperating by Alarmơ

No way to run a process:

Alarm! Too High!

Alarm! Right of
course!

Alarm!
Too
Low!
Alarm!
Left of
course!

c

DCS Graphics Were Introduced in an Era with No Guidelines!

Poor Graphics
encourage Poor
Operating
Practices

Poor Graphics
persist for
decades!

 Many Poor Practices

c

Vendor Examples are Some of the Worst!

10% of the
screen is
poorly-
presented
numeric data,

90% is just a
³pretty picture´
Flashy marketing graphics for selling a system!
c

Where is the information the operator needs?

5% of the
screen is
poorly-
presented
numeric
data,
95% is a
³pretty
picture´

c

Other Industries Do It Better
± Nearby
Airports
GARMIN ® 1000 Avionics System
± Engine
diagnostics
± Data on
Available
Services at
Airports
± Positions of
nearby
aircraft
± Real-time
weather &
lightning
± Glide
Radius
± Comm & Nav
Ñrequencies
± Instrument
Approaches
± Much more«

± Speed
Situation Awareness ± Altitude
± Time Enroute
± Time to next
± Ñuel Remaining
± Ground and
is a High Priority! ± Position Waypoint Terrain Proximity
± Course ± Time to Destination
c

High Performance HMI Benefits
Time after time, poor HMIs are cited as
contributing factors to major accidents

 Study by Nova Chemicals and ASM® Consortium

Task Improvement
ö800,000 per
etecting Abnormal
Situations Before
A 5X year savings
Alarms Occur increase
Success Rate in
anticipated on
37% over
Handling Abnormal
Situation base case 1 ethylene
Time to Complete
Abnormal Situation
41% plant
Tasks reduction

c

Data is Not Information: Is Fluffy Sick?

Blood Tests for Ñluffy -1

Test Results

HCT 31.7%

HGB 10.2 g/dl

MCHC 32.2 6/dl

WBC .2 x10 /L

GRANS 6.5 x10 /L

L/M 2.7 x10 /L

PLT 310 x10 /L  Answer: Unless you are

vet, how can you know?
c

How About Now?
Blood Tests for Ñluffy -3
Test Results Range Indicator
Low ± Normal - High
HCT 31.7% 24.0 ± 45.0

HGB 10.2 g/dl 8.0 ± 15.0

MCHC 32.2 6/dl 30.0 - 36.

WBC .2 x10 /L 5.0 ± 18.

GRANS 6.5 x10 /L 2.5 ± 12.5

L/M 2.7 x10 /L 1.5 ± 7.8

PLT 310 x10 /L 175 - 500

ABNORMAL VALUES can be seen at a glance.

c

Data is Not Information:


(%.


(%. 
j°F 
j°F 
°F
96.2% ³XYZ´ 
°F j

 
   
45.1°
(%.
98.2 MPPH % 
j°F

221.2 PSI 48.2° % 

(%

42.9° 50.6° DP INH20

12-15 22.8 + (#  (#
53.8° 1-12 16.3
54.9° 1-15 39.1 + % O#% - j
  % O#% -


D%, - j j
j O
(
77.8 MPPH
22.5% 60.1°  ‰ots of Data but
22.3% ³ABC´ Not Much Information!
 Poor Presentation
i


  High Mental Workload
to Decipher
c


 Show INFORMATION not DATA

Compressor Status Showing Alarm/Shutdown Limits
RECYCLE COMPRESSOR 43
Cool Suct Inter Dsch Suct Inter Dsch E. Vib N. Vib W. Vib Motor Oil Oil
gpm psig psig psig degÑ degÑ degÑ mil mil mil Amps psig degÑ Alarm Indicator
Appears here
2 with Priority
Level and
Color
2 0 Alarm Range
depicted and
(for some)
170
shutdown
value
38.7 Desirable
3.1 5 120 12 Operating
185 170
8 Range shown
as pale blue
42.7 area
80

Alarm Range
depicted and
(for some)
interlock
Show Values Show Trends value
Operational status
Buttons for additional
functionality is obvious at a
single glance! c

Analog is powerful!

j
 ptional-


ine olor
j
j


in i ate(
j
 a normalit)/
j
 alarm i( not
j
 )et a ti,ate 


A .oo e(/ t i( Too ot at e,iation or

profile one i( t e top/ too a (olute num er(
ol at t e optionall) to..le
ottom

A Column Temperature Profile

c

r   

r c 
7500
10 3-4 traces maximum, with rare
20 exceptions.
Air
LBH
7400
Econ
O2%
5.0
³What is good´ element next to
Sec trend. Color coded with traces.
Air
in.H2O
7.0
5000
5000
20 min 15
0 2LBH
2LBH
0 in.H2O
0 Main
Steam
4750

Implement: Feed
Water
AUTO-RANGE 4580

AUTO-TIME rum
Level
Show Boundaries of ³What is -0.5
2 Hrs
Good´ -15
3500
3500

c

Alarm Indications
WORST 
 
 


% %#) % %#) % %#)



(% O  0% O#%



(% 

(% 

(% 

(%

 %O. (#% % %#) % %#) % %#)
% %#)



(% 

(% 

(% 

(%

 %O. (#% % %#) % %#) % %#)
% %#)

Be(#: 


(% 

(% 

(% 

(%
Re0u 0O#
%O. (#% % %#) % %#) % %#)
C 0%. % %#)

c

Status Depiction
Pumps with Run Indication Sensor:

Wrong Better
Bright
saturated color
Not is used to
Running or
Energized
STOPPE
(Shape is Unfilled
indicate
and darker) abnormal
situations only
Running or
Not Using bright,
Energized RUNNING
(Shape is Ñilled
saturated red
Better
Wrong and lighter) and green to
Pumps without Run Indication Sensing have a fill matching the background: show Run/Stop
is a poor
practice!

c

 >eep it Simple! Wrong Wrong

Good HMIs Have:

 No Animation
 Limited use of color, reserved for
|
indicating abnormal situations
and alarms
 2-, not 3!
 No non-relevant internal
equipment depiction
 MANY TRENS:
 Integrated Alarm Information All Wrong!
 ozens of other factors
10
F0
$23

Poor Graphics encourage Poor

Operating Practices
2

)   ## $0

(( ((  (( ((
, ,  ,
c
 ,
0% O#%  0% O#%  0% O#%  0% O#%
 More Poor Practices. Where are these from?
In Document ³XXX´: ³Color should not be the only indication for information.´
Then 7 pages later the following is recommended:


 
 G


   
c
 
 

D
  

  

 
|
     
  
|
       ÷ 
 |
      
  |
     
 






   

More ³recommended´ examples:

By the way, what is
the most common
color-blindness?

c

Is This Really a Good Example?
|

c

The BP ISOM Unit HMI ƛ a Contributing Factor
|

 No Overview  No material balance (ÑLOW IN is  No condition indication

 No trends on a different graphic)  Essentially just a P&ID segment
 Inconsistent colors and alarms sprinkled with live values.
c

‰evel 1 Overview ƛ ƠAt-A-Glance Statusơ

O
t r 

O
tr =

1 ilO:
)0r.  2) irfr O
 I0i
Otr(

t1Ol:

t1Ol:

E 3 4 Q

 
 l i 
 :0: 5
ir0:
ir ri it )
l < E0 E0 ,r(i ffi
i
)
;
tOt:
< tOt: i- 6 
i-# 

I
 

.it:
.it: 87 9 

(: !" #
1
t J
(

(
 
OlO

I>
I ?@$
4$

.
GH
# t

!
 j F#
I: $ 
L Q
i((i( i it
Oti
j. 
: $
j F# KI: 8
I: $ 9  .

(: !" # j F#

O
tr  = ilO:

1
)0r. 

t1Ol:

t1Ol:

E j 8 5 0 0

 
 l i 
 ir0: # -
#- )
l
;tOt: i-# 
tOt:
< 

 
j F#
.it: 7 9
.it: 8 .

(: !" # 1
t J
(

(

OlO
 F0 )(t 1 )(t (
I>
I ?@$
4$ 
F0  F0  F0  ) $ i  
.

GH
# t !
I: $ 
L

: $
.
j F# KI: 8
I: $ 9 
j F#
t,  t,  ir( 5Ii i
ti t$ 

(: !" #

lOr (: P
 j i
i $..l
i(t / % NrO
2   j Oi
O
tr
O
tr )0r. )0r.
M
4 2
42     1 D   
j  ::
  
SQ4I$6 Q
lr $-I R
$-1t
$- 1t i(
 1ll- 1
 r

B C 1(
$r0 F0 1
1
trl A
)(
)( A)(
)(
 

c


‰evel 2 Process Unit Control

Ñeed Components: A - B - C VENT SYS Product: Thionite State: Mid-Run
Agitator
ON
Main Ñeed Reactor M5 U
M5 Pressure Material Balance
P 76.8 MPH P U8.0 psig
SHUT Reset
S 76.0 Analysis: Purity T S 5.0
O 88.5 T 40.0 O 44.3 T DOWN
AUTO AUTO M5 IN OUT

Main Ñeed MPH +10X

80.0
+/- 5 psi, 2hr
ÑREEZE
32.0
-90 -60 -30 2 Hours +/- 1 X, 2hr M5

Analysis: Inhibitor Concentration T

72.0
6.0 -10X
-90 -60 -30 2 Hours
M5 Level T U U
1 707 1 301
AdditiveU1 P 71.0 T ISOLATE
S 70.0 Calc Diff: 2.1 T
P 11. MPH M5
S 12.0 O 54.3 T Hours: 238.1
O 22.3 T AUTO Since: 06/02/07
AUTO 14:00:00
4.0
-90 -60 -30 2 Hours
14.0 Additive 1 MPH 5.0 T Run Plan:
Actual:

U
2.0 MPH
PRODUCT
52.3 T
10.0 Hours
-90 -60 -30 2 Pumps Pump 1 Diagnostics Pump 2
Additive 2 Needed 1 RUNNING 1-O W 2-BA STOPPE
P 4.0 MPH 4
S 4.0
O 44.3 T To
AUTO M5 Temp Temperature VC
Coils P 45.0 VC 48.0
6.0 Additive 2 MPH S 45.0
O 54.3 T
AUTO

Coolant Purge Cat.

Ñlow Rate Activity
40.0
Coolant Conversion Reserve COOLING SYS -90 -60 -30 2 Hours
2.0 Temp Efficiency Capacity
-90 -60 -30 2 Hours

Level 1 M5 M5 - Level 3 - - Level 3 -

Main Trend Ñeed Product
Reaction M4 M6 Startup Sequence M5 M5 Cooling
Menu Control System Recovery
Overview Overlay Overlay Interlocks System
c

7 Steps for Creating High Performance Displays
Step 1: Develop a High Performance HMI Philosophy and Style Guide
Step 2: Assess and benchmark existing graphics against the HMI
Philosophy
Step 3: Determine specific performance and goal objectives for the
control of the process, for all modes of operation
Step 4: Perform task analysis to determine the control manipulations
needed to achieve the performance and goal objectives
Step 5: Design and build high performance graphics, using the design
principles in the HMI Philosophy and elements from the Style
Guide, to address the identified tasks
Step 6: Install, commission, and provide training on the new HMI
Step 7: Control, maintain, and periodically reassess the HMI
performance
c

Summary
 Poor HMIs have been
cited as contributing ??? ???
factors to incidents ???
and accidents
 Poor HMI practices are
common ??? ? ???
 Proper HMIs are an
important success factor
 A High Performance HMI You can:
is practical and ASSESS and BENCHMARK your HMI
achievable. Do a GAP ANALYSIS for Improvement
DESIGN, CREATE, and IMPLEMENT a
á  
á


c

uestions?
Any uestions?

Bill Hollifield (Bhollifield@pas.com)

www.pas.com (281) 286-6565

c