Alarm Rationalization & Management
What is Alarm Rationalization?
Alarm rationalization is a structured process that reviews all potential or current alarms based on set guidelines in an alarm philosophy document. Its main purpose is to determine which alarms are crucial, design them appropriately, and note details like their cause, impact, and required operator action.
The objective is to ensure each alarm brought to the operator’s attention is relevant and meaningful. A good alarm alerts the operator about unique abnormal situations and provides necessary actions to prevent undesirable outcomes. By streamlining this process, we can reduce unnecessary alarms, prioritize crucial alerts, and enhance the operator’s efficiency and effectiveness.
To develop a system with the right number of alarms essential for maintaining safety and standard operational limits. Alarm rationalization involves a team of varied plant experts who can assess and validate each alarm based on guiding principles for alarm use.
Every tag in the control system, should undergo this review. Even those without alarms are evaluated the team decides whether to keep alarm-free or suggests introducing new alarms. Skipping over tags without alarms might lead to missed opportunities in alarm optimization. For example, an existing alarm could be substituted with a new one on a different tag for clearer identification of discrepancies.
Key Benefits of Alarm Rationalization & Management
- Alarm Rationalization & Management can help operators be more effective by eliminating the number of alarms they need to respond to, eliminating nuisance alarms, and prioritizing the most important alarms can lead to improved safety, reliability, and efficiency.
- Alarm overload is a situation where operators are overwhelmed by the number of alarms they need to respond to. This can lead to missing emergency alarms, delayed responses, and other errors. Alarm rationalization and management helps in reducing the risk of alarm overload and prioritizing the most important ones.
- Operators can respond to alarms more effectively by providing them with more information about the alarm, such as the cause of the alarm, recommended response, and consequences of not responding on time. This can lead to faster and effective responses to alarms, to prevent accidents and minimize damage.
- Reducing the costs by improving operator effectiveness, reducing the risk of alarm overload, and improving alarm response can lead to reduced downtime, improved safety, and reduced maintenance costs.
Alarm Management Procedure defines the following:-
- Accountabilities and organizational capability.
- Requirement for the design, implementation, and operation of the Alarm system.
- The methods used for Alarm handling and performance measurement.
- The expectations on Projects to deliver compliant Alarm systems.
- The expectations on operations to achieve continuous improvement.
Whilst this procedure does not apply directly to the annunciator panels or dedicated trip / shutdown systems etc., unless they act as source of Alarm which are repeated to, or annunciate solely on the automation system; many of the principles laid out in this procedure may still be relevant to implementation / modification of such systems.
In addition, this procedure governs Documentation and Rationalization (D&R) process and serves as a long-term guide for Alarm system improvements and maintenance.
The Asset Manager or a Personnel of Equivalent Cadre of an manager from the Client’s Organization as the “Process Owner” for Alarm Management shall demonstrate in his capacity the ongoing commitment to improve and maintain Alarm performance at acceptable levels by sponsoring Alarm management improvement activities continuously.
This includes, but is not limited to, ensuring that sufficient and competent resources are in place to drive Alarm improvements forward and sustain this performance in line with Process Safety Management framework.
The Alarm system Process Owner can delegate aspects of Alarm management, but retains accountability for overall Alarm system specification, Performance and conformance with this procedure.
In terms of management of Alarm systems for Process Industries, an Alarm class is a “collection of Alarms with a routine set of Alarm management requirement (e.g. training, testing,monitoring, and audit requirements)”. A category of Alarm classification that exists is referred as safety critical Alarms. These Alarms are specifically designated as being critical to the safety of a given process, with the aim of safeguarding human life and the environment.
There are six distinct categories of Alarms:
- Process Alarms.
- Safety related Alarms.
- Equipment Protection Alarms.
- Personal safety Alarms.
- Environmental Alarms.
- System Alarms.
An Alarm will typically notify the operator that
- A normal operating limit has been exceeded (e.g. Column pressure/temperature)
- A normal equipment limit has been exceeded (e.g. machine vibration, etc.).
The operators shall acknowledge the Alarm and silence the Alarm sounder and take corrective action.
- Adjusting a process variable e.g. Valve position, Controller Set point.
- Alerting an outside worker to take an action e.g. to close a manual valve.
- Shutting down a piece of equipment e.g. stop a pump.
- Logging a maintenance request.
- Informing a member of the maintenance department of a failed piece of equipment.
The Alarm rationalization process represents a comprehensive engineering review, and the appropriate re-engineering of the Alarm configuration parameters. Rationalization is the process by which Alarms are evaluated to determine their need to exist, their priority, their activation points, their dead bands and the summary information needed for their understanding and management. In order to optimize the effectiveness of an Alarm system, all process Alarms within an operator’s area should be rationalized at the same time. The possible exceptions are Alarms required to be located in an independent Alarm system.
Representatives from other departments to be consulted as necessary. All rationalization team members shall be rotated as necessary to maximize the efficiency of the rationalization process. Rationalization begins with the “Method of Flows” to a given unit area.
The Method of Flows focuses on rationalizing Alarms following the flow of P&IDs.
- Select an Alarm tag.
- Identify Alarm tag setting, cause, set point, consequences, operator response, operator response time, severity and operator guided message.
- Review Alarm settings.
- Assign Alarm priority as detailed in the procedure.
- Complete for all tags.
- Select and record tags that can be suppressed, grouped defining conditions for suppression / grouping.
Deciding the most relevant priority for an Alarm requires accounting of both the consequence severity and the time within which the Operator can functionally rectify the Alarm. By combining the severity factor and the response time, the systematic approach for setting Alarm priorities is defined. The following matrix provides the guidelines for determining the priority of an Alarm. The Alarm priority assignment matrix is given below.
Rationalization is accomplished by evaluating every potential Alarm in the system on an individual basis using the P&IDs as the guide using flowchart shown below.
The first step is to determine if an Alarm is needed. If an Alarm is needed, an appropriate activation point and priority is established. The appropriate dead band is also to be determined. The Alarm activation point is determined by the amount of time required for the operator to see the Alarm, interpret the Alarm, decide on a corrective action, and implement the corrective action as calculated.
The rationalization team consists of a Facilitator, at least one knowledgeable Operator, a Process Engineer, a Process Safety Engineer and an Instrument Engineer. Not all members of the team need to work at the same time. Other stakeholders with knowledge of the process unit, its operation, hazards, and the Alarm philosophy shall participate as needed.
The following section details the necessary methodical steps required to perform a site or system prioritization exercise. Alarm rationalization ensures that all Alarms are assigned an appropriate priority, such that the operators can identify the order in which the Alarms should be addressed:
- During plant upsets, when there are many Alarms competing for attention. – Alarm prioritization indicates the Alarms the operator should attend first.
- During quieter periods, when there are few Alarms. – Alarm prioritization indicates the level of urgency required of the Operator.
All Alarms shall be categorized based on the consequences of the hazard, if the Alarm is not acted up on and time to respond, refer to section 8.6. Any Alarms classified as HMA (Highly Managed Alarms) and shall be given the highest priority.
The following Alarm priorities are to be considered:
- Critical
- Priority 1 – High
- Priority 2 – Medium 4. Priority 3 – Low
The Industrial Automation and Control Systems (IACS) shall be configured with following priority cases:
Critical / Major: Identified as part of a safety assessment, e.g. FTA or LOPA and shall include all HMAs.
- Priority 1: These are the most operation critical Alarms.
- Priority 2: Urgent remedial action required.
- Priority 3: Lowest priority of Alarm and should account for the majority of Alarms.
- Alert / Message: Requires an operator response, but will not lead to a hazard event, i.e. sequence hold.
- Event: An event which is visually displayed to the operator, but does not require an operator response, but can subsequently be used as part of any sequence of events review.
High Risk : Unacceptable high, this level of risk exposes to intolerable losses to People, Assets, Environment or Reputation. The hazard should be eliminated or it should be reduced to tolerable levels immediately. It is imperative to promptly implement measures aimed at reducing the level of risk.
Medium Risk: The hazard must be managed to reduce the frequency and / or the severity of the hazardous events. It is imperative to plan and procedure measures aimed at reducing risks.
Low Risk: Acceptable without requiring further action. Corrections may be applied as resourced allow.
Alarms are to be set at the point where the process is about to move from normal operating conditions to an area that is still safe (i.e. not near the shutdown limit) but will require Operator intervention to bring the process back into the normal operating range.
Traditional analogue point Alarm thresholds should be used to warn the Operator when the process is moving outside the normal working envelope. The threshold values should be set so that they allow time for Operator intervention whilst having sufficient gap between operation and Alarm to avoid nuisance Alarms.
The appropriate priority for an Alarm point will be established by considering the severity of the probable resulting event, and the operator response time required.
The severity levels are based on the following four categories of consequences
- People
- Asset Damage & Business losses
- Environmental Effect
- Reputation Impact
The amount of impact on each of these four categories is captured by assigning an appropriate potential severity level 0, 1, 2, 3, 4 & 5 and the likelihood probability as below
- Minor (Low Risk)
- Moderate (Medium Risk)
- Major (High Risk)
Here the above three levels of severity will be used, with Minor as the least severe and Major as the most severe severity level.
It is desired to have a rationalization process once in every 2 years after commissioning. The rationalization activity shall be substantiated with the Alarm system performance audit. All Alarm shall be rationalized before implementation in the DCS to confirm that they meet the criteria for a good Alarm and to ensure that all relevant Alarm rationalization guidelines are included as per Appendix A.
Whilst the challenges of a bulk retrospective exercise differ from those of a new project, the principles and process to be followed are the same: all proposed Alarms are to be evaluated against the agreed definitions given above in this procedure. Any proposed Alarm which does not “Qualify” as an Alarm is to be re-categorized “No Alarm” or an “Event”.
For new projects and system modifications, Alarm rationalization is a key stage in the Alarm management lifecycle and is required to be completed before detailed DCS specification and design. The Alarm rationalization is to be a phased process, to be invoked as necessary to sustain performance at target levels, as part of Alarm system continuous improvement. Therefore, project team shall incorporate Alarm rationalization exercise within as part of all projects where any Alarms are being added/modified.
It is imperative that a methodical and structured approach is adopted in design of each Alarm, wherein all design choices are duly recorded. This shall be maintained through-out the remaining Alarm management life cycle stages. The Master Alarm database shall have the following information. Procedure shall include the following as a minimum is detailed below. Any additional field can be included based on the project requirements such as:
- Alarm Tag
- Alarm Type
- Alarm set point
- Potential cause of Alarm
- Nature and severity of the consequences associated with failing to respond to the Alarm
- Potential corrective actions or response to the Alarm
- Time available for the operator to respond the Alarm
- Alarm Priority
- Alarm Message
- Alarm Classification
- Grouping/Suppression requirements
- Operator Guidance message
Alarm system Procedure shall include:
- Alarm Philosophy Procedure – This shall be site specific in line with International standards
- Master Alarm Database (MAD) – This shall be preferably on MS Excel /MS Access format or as per IACS system requirement
- Alarm Rationalization workshop with detailed procedures and records
- Alarm Response Manual (ARM)
- DCS, ESD and FGS I/O schedule with description and details
- Alarm Management Procedure (AMP)
- Alarm Management Training Procedure
- Alarm Testing Procedure (ATP)
- Proof Test Methods for any Alarms requiring periodic testing
- Update of Process graphics
- Alarm configuration in accordance with MAD as part of implementation phase.
- P&ID updates
- Alarm Management System Engineering and user manuals.
Alarm procedure for any changes to the Alarm system shall include, as a minimum.
- Alarm Philosophy (this procedure, supplemented as appropriate by any project specific information)
- Master Alarm Database
- DCS I/O register
- Cause and Effect
- Alarm and trip schedule
- P&ID’s
Alarms are activated when the process value diverges from typical operational parameters, specifically in the presence of anomalous operating scenarios. Alarm Management pertains to the proficient development, execution, functioning, and upkeep of Alarms in Industrial manufacturing and process plant settings.
Standing Alarms are alarms that remain in active state for a prolonged duration. A high number of standing Alarms may indicate inefficiency in Operations and maintenance, or that the Alarm system is generating a lot of Alarms that may not necessarily need operator intervention
The fundamental characteristics of a ‘Good’ Alarm are as follows;
- Each Alarm should alert, inform and guide.
- Every Alarm presented to the operator should be useful to the operator.
- Every Alarm should have a defined and necessary response.
- Adequate time should be allowed for the operator to carry out the defined response.
If an Alarm does not have a defined response and provide the operator adequate time to respond, then by above definition it should not be considered as an Alarm.
An Alarm should NOT occur:-
- As a consequence of some other event or condition that has already been Alarmed.
- When obviously inappropriate (e.g. start up, shutdown).
These principles shall apply to all Alarms regardless of Alarm initiating source or Alarm priority. It is generally accepted that there is no preferred method for identification and selection of Alarms and it is envisaged that Alarms will continue to be specified through a diverse range of techniques, among which are, but not restricted to: –
- P&ID Reviews
- Quantitative / Qualitative Risk Assessments
- Environmental Permits and Incident investigations
- Packaged equipment vendor recommendations
- HAZOP, LOPA and SIL Assessment etc.
Care should be taken when selecting the Alarm set points to ensure the Process Operators have sufficient time to respond to Alarm and carry out defined operator response to prevent the undesired event from occurring.
Applicable Alarm sources include:-
- System
- Hardware
- Software
- Process
ESD trips should not be considered as Alarms, when there is no defined operator response required (automatic initiation has occurred).
Going forward special considerations for ESD systems shall include the following:
- For each ESD trip a pre-trip Alarm shall be configured in the Control System.
- Discrepancy Alarms only shall be generated from ESD valve limit positions where the valve fails to reach it’s commanded position within an allotted time (i.e., Alarms shall not be generated to indicate the expected open or closed status of the valve).
Alarm deadbands are an Alarm attribute within the process control system that requires the process variable to cross the Alarm set point into normal operating range by some percentage of the range. The establishment of deadbands is commonly determined by taking into account the standard operating range of process variable, the level of measurement noise, and the nature of the process variable. The utilization of deadbands has proven to be a highly efficacious approach in mitigating the occurrence of superfluous Alarms.
For Alarms generated from analog measurements, the use of a deadband is very effective in eliminating chattering Alarms. When a deadband is applied, the Alarm is set to be in Alarm at one value, but cleared at a different level. The picture below depicts this concept:
A sample Table below provides recommendations which represent a good starting point for common process.
The state of an Alarm at any point in time can be described by one of a number of Alarm states, which include:-
- Normal
- Active Unacknowledged
- Active Acknowledged
- Return to Normal
- Shelved
- Suppressed
- Out of Service (inactive)
The Alarm state transition diagram is shown below.
The table and figure below describe the Alarm state definition and Alarm state transition diagram with option.
The Alarm system shall be capable of providing the operator with a clear overview of all shelved, suppressed and out of service Alarms in the system via status lists. The status lists shall provide the following information:
- Time of activation of the inhibit / override
- Purpose (short text)
- Expected duration
- Person or position responsible for activation
At the start of each shift, the list of inhibits and overrides shall be reviewed to ensure that no inhibits and overrides are inadvertently left on the system for longer than necessary. Assets should develop a guideline(s) to manage the shelving and suppression of Alarms and include discussion on list of inhibits and overrides during each shift handover.
The following are Alarm handling Techniques :-
- Shelving (Manual Suppression)
Manual suppression (Alarm Shelving), defined as preventing indication of the Alarm to the operator when the base Alarm condition is present, is a useful function for helping to ensure that Alarms are only presented to operators if they are deemed relevant.
- Suppression by Design (Automatic Suppression)
Automatic Suppression (Suppression by Design), an effective designed suppression scheme includes a state (event) detection algorithm and a suppression rule set. If the conditions defining the state detection are satisfied, then the state suppression rules are applied to determine which Alarms should be suppressed from the operator. The algorithm for state detection has the potential to employ a combination of inclusive criteria (i.e. AND conditions) and decision-makers (i.e. OR conditions). The nomenclature commonly employed to refer a collection of rules designed to inhibit Alarms is an Alarm suppression group.
- Static suppression (State based Suppression)
The technique of state-based suppression, also referred as static Alarm suppression, involves the suppression of Alarms that remain active at all times and lack significance when a process area, unit, or equipment is operating in a specific mode. The implementation of this approach has demonstrated efficacy in mitigating the occurrence of false Alarms that have lost their relevance.
- Dynamic suppression (Alarm flood suppression)
The process of Alarm flood suppression, which is also referred as dynamic Alarm suppression, involves the real-time management of predetermined sets of Alarms that are triggered by specific equipment states and events. The application of a methodology to inhibit Alarms subsequent to an occurrence (e.g. the failure of a distillation column) in cases where they lack relevance or significance to the operator.
- Alarm Masking
It is an action that prevents events from being reported to the system. Although any Alarms will continue to be triggered as usual, masking them prevents any of the selected Alarms from being treated like real emergencies, meaning that alerts won’t be sent out and no other steps needed to be taken.
- Alarm grouping
Alarms that have the same Operator response can be grouped using an OR function and present the Operators with a single grouped Alarm, e.g. 2oo3, the Alarm would only annunciate when two out of three Alarms are active.
- Alarm Eclipsing
The inclusion of this level in the Alarm system can effectively tackle scenarios wherein multiple Alarm points are produced from a single process measurement. An instance of this scenario could be the measurement of the level of a container. When the liquid level in a container reaches high-high level, it can be inferred that high level has been surpassed. Thus, in this scenario, it is imperative to devise an Alarm system that effectively conceals the elevated level through activation of high-high level Alarm.
- Others
The Alarm system usually supports advanced Alarm techniques, such as Model based Reasoning, Pattern recognition, knowledge-based reasoning, Neural nets and Fuzzy logic. The Operator user interface and its components shall be designed in line with Functional Design Specification Human Machine Interface, to support and augment Alarms by providing the console Operators with good situational awareness and response capabilities. Several Human factors must be taken into account when designing Operator interfaces that are effective.
- Systematic designs of shape, color, and behavior of visual indications
- Multi-level hierarchical information (graphics, trends, online information) and navigation techniques that allow intuitive and quick access to relevant data
- The display hierarchy should be equipped with a comprehensive and integrated system that provides appropriate levels of detail for Alarm indication, summary, and priority information.
- A standardized set of identifying terms, labels, and abbreviations will be used for all plant elements and other labels used for Alarm information and notification.
The Alarm overview /summary display provides a multi-page display of existing and/or unacknowledged Alarms. Alarm Overview / Summary List shall be organized in different pages:
- Alarm List
- Alarm History List
The Alarm Summary list shall contain the following for each Alarm:
- Alarm point tag
- Settings
- Normal operating value
- Service description
- Violation / deviation type such as high, low, bad value etc.
Alarms are displayed to the process operators using a variety of displays and associated features. These include:-
- Alarm Banner Display: – The latest Alarm appears on each of the systems control display providing constant prominent visibility
- Alarm Summary screen: – The Alarm summary screen provides an overview of all unacknowledged and acknowledged active Alarms. An Alarm can be selected from the summary display via a right click of the mouse. An Alarm Priority list can be displayed using the “Priority List” icon.
- Event Summary screen: – The Event summary screen provides an overview of all active, unacknowledged and acknowledged and inactive events. An event can be selected from the summary display and via a right click of the mouse.
- Shelved / Suppressed Alarm display.
- It should be possible to navigate from Alarm message to associated graphic / faceplate.
Details on an individual Alarm can be accessed by opening Alarm faceplate from Alarm display and accessing the Alarm Tab.
An Alarm message shall be generated for each Alarm, providing further information on Alarm, beyond priority and status. The Alarm message shall be displayed in the Alarm summary. Alarm messages shall not be displayed in process graphic. The text should be meaningful and unambiguous and shall follow these rules:
- Similar and consistent message structure (i.e. variable, state, unit, equipment).
- Tag numbers should not be used.
- Abbreviations should be consistent.
- Terms used should be familiar to Operator.
- Message should clearly indicate the condition.
HMI or Operator station serves as a primary interface to Operators and various users and provides Alarms and events information in real time. The HMI or Operator stations consist of the following display panes:
- Alarm & Event Browser Pane
- Alarm & Event Message Pane
- Filters Pane
- Shelves Pane
- Detail Pane
The HMI or Operator stations should have the capability to selectively display particular Alarms and events of users’ interest using filters, shelves and so forth. However, the range of process Alarms and events information displayed shall be solely dependent on configuration of the standard User Security function. The configuration of HMI and Operator Station should not alter the range of process Alarms and events information displayed, unless a specific requirement arises
Audible indication to be used to inform the operator of a particular Alarm in the control system. Different Alarm tones shall be configured in DCS as shown in the below Sample table
The Installation, Testing and validation of the Alarm system shall follow the Functional Design Specification and test procedures of approved during the project phase. Implementation stage is before operation stage and therefore it is essential that the necessary procedure for Alarm system is available to the operator reflecting complete and correct information.
Projects with the potential to impact the Alarm system shall consider the following:-
- Disruption to operation
- Testing / validation
- Commissioning
- Training
- Abiding by Procedures
Alarm System Operation is the Alarm management lifecycle following implementation and returning from maintenance. In the operation stage, the Alarm system is active and it performs its intended function. The appropriate tools can be utilized for Alarm handing within the operating state.
Alarm shelving is an important and advanced capability to help operators manage nuisance Alarms. An operator-triggered mechanism designed to temporarily inhibit an Alarm. The purpose of this feature is to provide a means for operators to temporarily conceal Alarms that they perceive as extraneous or disruptive, thereby facilitating their ability to concentrate on Alarms that demand their immediate attention. Moreover, it is a prevalent factor that contributes to incidents related to Alarm management.
Project requirements for Alarm shelving include:
- Alarms will be shelved for equipment that is temporarily out of service, for equipment that is not currently in use but will be used in future, and for stale Alarms.
- The duration of the equipment outage will be used to determine when a shelved Alarm will be unshelved.
- A list of shelved Alarms will be available for viewing on the Operator Station or HMI by the console operator.
- After the rationalization effort is complete and Operator Station or HMI is installed, console operators will be able to shelve Alarms for non-working, non-critical equipment
- For non-working, critical equipment, alternate Alarms / additional information has to be put in place while the equipment is under repair.
Basic activities that promote and maintain good Alarm management throughout the life of the Alarm system may include:
- Continuously monitoring of Alarm system performance and reacting appropriately to mitigate degradation and resolve Alarm bad actors. Alarm performance shall be a part of regular facility meetings.
- Investigation of upsets resulting in Alarm floods and implementation of mitigating solutions.
- Enforcement of the Alarm system philosophy.
- Periodic equipment maintenance and Alarm system checks.
- Regular re-evaluation of the Alarm management process.
- Review KPIs and revise where needed these indicators and/or the Alarm system accordingly, through the MOC process.
The requirements and recommendations for Alarm system performance monitoring and associated metrics includes:-
- Monitoring and reporting of system performance per operator workstation.
- KPI reporting capability
- Comprehensive ad-hoc Alarm analysis capability to facilitate troubleshooting and ongoing operational improvement.
- All modern automation systems have good toolsets for Alarm logging and analysis.
- Monthly Alarm management team meetings (Team comprising of the following: Alarm Champion, Shift supervisor / Senior control room operator, Senior Systems engineer, Operations support engineer, Lead C&I engineer) shall be carried out.
- Annual Alarm reviews / audit – Alarm Manager
At the time of design, it will probably be difficult to predict what the Alarm occurrence rate will be in practice. As a guide it is suggested that during design, Alarms shall be configured in the approximate ratio as shown in the Sample Table. Performance should then be reviewed during commissioning and early operation, and priorities should be adjusted to achieve the performance similar to that shown in the Sample Table below.
It is strongly emphasized that the number in the above Table should be taken as approximate indicators of effective discrimination between priorities rather than exact targets. In particular, the priority distribution is expected to be dependent on the type of plant and the speed of response required. On plants with fast dynamic responses, there are likely to be a higher proportion of higher priority Alarms.
To ensure that the Alarm system and the plant continue to function as an entity, the Instrument maintenance team to periodically review the number of chattering, consequential, duplicate, repeating, stale and standing Alarms and attempt to eliminate them. In addition, the number of Alarm floods, time to clear each Alarm and number of tags in calibration mode to be analyzed to assess potential problems with the plant.
To ensure that the Alarm system continues to meet the targets described in this procedure, the following metrics to be used as reference to assess Alarm system performance on a regular basis. An example of an Alarm summery sheet is given in the below table.
A five-level model has been devised which can be used to define an appropriate target for new systems or as a way of measuring where a system currently stands and where it is seeking to move to.
The five levels of Alarm system performance range from ‘Overloaded’ at the bottom end of the scale, through ‘Reactive’, ‘Stable’ and ‘Robust’ to ‘Predictive’ as the highest level of performance. This phenomenon is depicted in the figure presented below.
- Overloaded: Difficult to use during normal operation, ignored during process upsets.
- Reactive: More stable and useful during normal operation, unstable during process upsets.
- Stable: Well defined for normal operation, less useful during upsets with improvements on average Alarm and peak Alarm rates.
- Robust: Reliable during normal operation and process upsets.
- The predictive system remains consistent throughout all instances and furnishes the operator with pertinent data in a timely manner to prevent disturbances and reduce their consequences.
Alarms and the Alarm system are a key layer of protection. Hence, any changes shall be managed to ensure that Alarms operate effectively when needed. To avoid inadvertent changes to Alarms, proper engineering study and Management of Change requirements shall be followed rigorously.
While change is a necessary and desirable feature of operations as process and equipment are adapted to meet operational demands and constraints, the potential risks associated with modifying Alarm settings or removal of Alarms, either permanently or temporary and need to be identified and managed.
Since the Alarm systems are part of the Plant’s defence against hazards, any changes resulting from Alarm reviews needs to be carried out in a responsible way. Thus, all proposed changes should be fully analyzed, their consequences should be determined, and agreed changes should be recorded with reasons. These changes has to be maintained by Client’s Instrument Maintenance Team.
Specific Alarm system changes that should undergo MOC process may include, but are not limited to, the following:
- Changes to Master (control) Alarm database.
- Any Procedural modifications, including those initiated and executed by Operations. Procedural changes to follow established guidelines.
- Removal or addition of Alarms (including new Alarms derived from new equipment and/or projects). In addition to following the MOC process, these changes must follow the philosophy procedure.
- Changes to Downstream Process and Instrumentation resulting from Alarm system changes. As well, previous design changes to Process and Instrumentation to be reviewed to ensure further changes are made as per MOC process.
- Maintenance of Alarm system procedure, including this philosophy procedure
- All Alarms associated with replacement and/or new equipment, including “like-for-like”.
During MOC process, the respective Instrument Maintenance Team shall be the Alarm System Owner. The Production Supervisor Engineer shall be the Alarm system champion for the task. They will have authority over all changes made to the Alarm system database and to the Alarm system procedure, including but not limited to items 1 through item 5 described above. If any modifications are done in Alarm system, the verification of changes to be done by Operations & Instrument maintenance team. Any testing of F&G Alarms shall be carried out every 6 Months time period. Online MOC system should be used to manage all changes.
It is recommended to have a periodic Audit in order to maintain the integrity of the Alarm system and Alarm Management Process. The primary purpose of audit is to reveal the gaps not apparent from monitoring. The Alarm system and associated Alarm Management processes are assessed against Alarm Management Guidelines and Alarm Philosophy procedure. It helps to identify any requirement for system improvements to Alarm philosophy or the work process defined. Audit also includes validation of Alarm management practices against latest Alarm management industry guidelines.
The routine and periodic process for Nuisance and Standing Alarm review is fundamental to sustained “Improving” performance level. The Alarm Managers (Operation/Plant) are responsible for ensuring that every month, the “Bad Actors” and oldest standing Alarms are analyzed to identify root cause issues and appropriate actions assigned and tracked through completion, so as to ensure that they do not continue to devalue the Alarm system as well as degrading system performance.