Standards

Certification

Education & Training

Publishing

Conferences & Exhibits

Alarm Management

Meets SIS

Darwin E. Logerot

ProSys, Inc.

2

Presenter

Darwin E. Logerot

– Senior Consulting Engineer, ProSys, Inc., Houston TX

– ChE, LSU, 1973

– 40+ yrs in chemicals, petrochemicals and refining

– Process engineering, operations, project management, controls,

alarm management

– Joined ProSys in 2006

– Voting member, ISA 18 committee

About ProSys

ProSys is an innovative professional engineering firm

specializing in the area of process control.

Areas of Expertise

– Dynamic Alarm Management

– Operator Interface

– Boundary Management

– Basic Control

– Advanced Control and Optimization

– State Based Control

– Dynamic Simulation

– Control System IT Support

3

Presentation Goals

• SIS alarm requirements

• Alarm concepts applied

– What makes sense

– What doesn’t make sense

• A unified approach to alarming SIS

4

SIS Alarm Requirements

• How many alarms must be configured per the SIS

Standard (ISA-84 Part 1) for an SIF?

– Zero

• How many alarms must be configured per the AM

Standard (ISA-18.2) for an SIF?

– Zero

• How many alarms are necessary for an SIF to correctly

perform its function?

– Zero

• So, if nary a single alarm is actually required, what

alarms make sense?

5

Alarms that Make Sense

– True or False?

• It’s a good idea to provide a pre-alarm before an SIS

must trip to alert the operator of an impending trip

– True

This gives the operator an opportunity to prevent the trip, keeping

the plant running and reducing the demand frequency on the SIF

• Each transmitter in a voting arrangement should alarm

individually

– False

Are we trying to keep our plants operating safely or do we just

throw multiple alarms at the operator?

6

Alarms that Make Sense

– True or False?

• Pre-alarm should always be on the BPCS control or

indicator tag rather than the SIS transmitters

– False

Choice of where to put the pre-alarm is up to the facility, and it’s

a good idea to document this in the Alarm Philosophy

• Disagreements among redundant SIS transmitters and

between SIS and BPCS should be alarmed

– True

With this alarm in place, there is no need for a pre-alarm on more

than one transmitter

7

Alarms that Make Sense

– True or False?

• First out alarm indicating the reason for a trip is a good

idea

– True

IMHO (in my humble opinion), there is no better way to announce

to the operator that a trip has been initiated

• SIS valve moving to trip position should be alarmed

– False

Going to the trip position is the expected response to an SIS trip

– better, provide a failed to trip alarm, which makes noise if the

valve doesn’t work as expected

8

Alarms that Make Sense

– True or False?

• If the console operator initiates an SIS bypass, this

should be alarmed

– False

Although a common practice, this alarm adds little or nothing to

the integrity of the system: “Hey Joe/Mary/Sam/Samantha, you

just pressed a button!”

• If a field operator or maintenance technician initiates an

SIS bypass, this should be alarmed

– True

This may come as a surprise to the console operator, so it’s not a

bad thing to annunciate

9

Alarms that Make Sense

– True or False?

• SIS Bypass re-alarms are a good idea

– Neutral

Bypass and shift changeover procedures exist, but do we follow

them 100%? This is a facility decision. If used, re-alarm shortly

after shift change

• If a bypass is in place, an alarm on the SIS transmitter at

the trip point is a good idea

– False

Why give the operator an alarm that isn’t reliable or won’t be

believed? Find an alternative monitoring plan

10

Alarms that Make Sense

– Unified Approach

• Provide warning of an impending trip

• Provide notification of an actual trip

• Provide warnings when problems (malfunctions) exist

• Don’t over-alarm (one problem, one alarm)

• Don’t alarm console operator actions

• Ensure the integrity of alarms identified as independent

protection layers (IPL)

11

Alarms that Make Sense

– Unified Approach

The pre-alarm

– Warns that a trip might be imminent

– Which transmitter?

– Facility decision

– Good place is median, min or max of voting transmitters

– Control transmitter is usually where operator focuses attention, but it

may be part of the malfunction

– If operator response to an alarm is an IPL, this may dictate the

placement of the pre-alarm

– Alarm setting – as for any alarm, provide a comfortable margin

from operating point, but also consider time to respond before

the trip

– If no good setting can be found, consider no pre-alarm

12

Operator Response to Alarm is IPL

• IPL requirements can dictate the placement of the pre-

alarm

• Alarm should be easily recognizable as an IPL – some

designation in the tag description

• Defined response procedures in place

• Operators trained on recognition and response

• Be careful that IPL is not in the middle of an alarm flood

• Test it

• Max one alarm as IPL per SIF – unless redundant

instrument, redundant control system and second human

13

Alarms that Make Sense

– Unified Approach

The trip alarm

– Use first out if available – gives annunciation of the

trip and the reason for the trip in one alarm

– Use trip signal from SIS if no first out

– Not a good idea to alarm the causes at the trip point –

there are often multiple causes, and some of the trip

conditions can occur as a result of the trip

14

Alarms that Make Sense

– Unified Approach

• If the SIS performs as designed, pre-alarm and trip alarm

are the only alarms that should annunciate

15

Alarms that Make Sense

– Unified Approach

Failure mode alarms

– Fail to trip – one or more final element did not change as

expected (usually valve failed to close or pump failed to stop) –

should be highest priority available

– Fail to reset – one or more final element did not move to

operating position as expected – this is much less serious, but an

alarm, probably lowest priority

– Transmitter deviations – one or more transmitters in a voting

scheme is not agreeing with the others – include BPCS

transmitter also

16

Alarms that Make Sense

– Unified Approach

• Failure mode alarms

– Transmitter failure – one or more transmitters in a voting scheme

has failed – no or bad reading, reading outside of extended

range

– Various SIS system issues – depends on SIS logic solver Vendor

– be careful with these, can be a source of multiple nuisance

alarms

• Caveat on failure alarms – if it can wait until Monday,

don’t annunciate it to the console operator, send it to

Maintenance if that route is available

17

Alarms that Make Sense

– Unified Approach

18

TT_XXX1

TT_XXX2

TT_XXX3

Median PVHPre-Warning

Alarm

PVHH

PVHH

PVHH

2oo3Interlock

Alarm

Redundant Instrument

Deviation Alarm

First Out

PVBAD AlarmOne for each transmitter

System Health Alarms

Field Bypass Alarm

Bypass Re-alarmat shift changeSafety System

Failed to Trip Alarm

Failed to Reset Alarm

TT_YYY TC_YYY

Summary

• Avoid the falses – don’t alarm console operator actions,

avoid multiple alarms

• Obey the trues – provide a unified, sensible alarm

configuration

• Pre-alarm

• First Out

• Failure modes

• Honor IPLs

• Summarize rules in Alarm Philosophy

19

Alarm Management meets SIS

Questions?

Comments?

20