ENGINEERING GUIDELINE - North Atlantic

TITLE: PROCESS AUTOMATION GUIDELINE FOR PROPER IMPLEMENTATION OF PLANT ALARM SYSTEMS - BEST PRACTICES FOR ALARM MANAGEMENT
VALE # GUID-84012
PAGE 1/43
REV. 1
Source: extportal.vale.com/eng/Sud/standards/pdf/GUID-84012.pdf

REVISIONS

Rev | Description | Rev'n by | App Sud | App PC | App Thom | App VB | App LH | App Clyd | App Act | Issue Date (YYYY/MM/DD)
1 | 1st issue | GS 2012/11/23 | PC 2012/12/03 | Pending | Pending | Pending | Pending | Pending | Pending | 2013/06/25

Sud = Sudbury, Ontario; PC = Port Colborne; Thom = Thompson, Manitoba; VB = Voisey's Bay; LH = Long Harbour; Act = Acton, England; Clyd = Clydach, Wales; N/A = Not Applicable




1.0 PURPOSE

The purpose of this document is to establish uniform criteria for process alarm management in order to promote the safe and efficient operation of large processes. In addition, this document governs the Documentation & Rationalization (D&R) process and serves as a long-term guide for alarm system improvement and maintenance. The concepts presented in this document will improve Vale's ability to:

1. Improve the status of the existing alarm system
2. Improve process reliability, safety and environmental performance
3. Reduce operator distraction and confusion during abnormal situations
4. Reduce the number, and ultimately the cost, of abnormal situations
5. Establish consistent expectations for the alarm requirements of new projects

Implementation of this Alarm Philosophy should provide:

1. More useful and meaningful alarms presented to operating personnel
2. Improved operator response to abnormal conditions
3. Improved equipment reliability, availability, and safety
4. More consistent development, review, and documentation of new and revised alarms

Moreover, this philosophy establishes criteria for the appropriate configuration of alarm systems to improve their overall functionality. This improvement initiative is expected to reduce the number of alarms, eliminate redundant and nuisance alarms, and properly prioritize alarms.

2.0 APPLICATION

This guideline applies at every Vale location shown as approved on the cover page, with the following exceptions:

2.1 EXCEPTIONS

None

3.0 SCOPE

This document outlines the following key topics:

1. The core philosophies, the definition of an alarm system, and the identification of the key elements and alarm design principles
2. Detailed alarm configuration guidelines
3. Methods to maintain the integrity of the alarm system through change management, knowledge management, training, alarm system performance, and lifecycle maintenance
4. Key performance measures for alarm systems to be monitored on an ongoing basis, and benchmarks for these key performance indicators


5. Personnel requirements and alarm management solutions
6. Guidelines for the definition, implementation, and modification of alarms
7. Alarm selection, priority setting and configuration

Due to the large number of different control systems and strategies in use throughout the Vale Nickel Business, each area must apply these recommendations within its own context. Plant-specific requirements are identified in the Appendices at the end of this document. This document is intended for use by process control personnel who are responsible for implementing and managing alarm systems.


TABLE OF CONTENTS

1. PURPOSE 1

2. SCOPE 1

3. REFERENCES 4

4. DEFINITION OF TERMS 5

5. ALARM DEFINITION AND DESIGN 7

5.1. DEFINITION AND PURPOSE OF ALARMS 7

5.2. ALARM DESIGN PHILOSOPHY 7

5.2.1. CORE PHILOSOPHY 7

5.2.2. ALARM CREATION 8

5.2.2.1. ROOT CAUSE INDICATION 8

5.2.2.2. ABNORMAL OPERATION 8

5.2.2.3. ALARM STATES 8

5.2.3. ALARM LIFECYCLE 9

5.2.4. ALARM DETECTION AND DISPLAY 9

5.2.5. SUMMARY OF DESIGN PHILOSOPHY 10

6. PRIORITY DESIGN FOR ALARMS 10

6.1. JUSTIFICATION FOR PRIORITY ALARMS 10

6.2. BASIC DESIGN OF PRIORITY SYSTEM 10

6.3. ESTABLISHING ALARM PRIORITY 11

6.4. ALARM PRIORITY DISTRIBUTION 12

6.5. ALARM FREQUENCY REQUIREMENTS 12

6.6. ALARM AND EVENT DESCRIPTORS 13

7. SETTING ALARM LIMITS 14

8. RATIONALIZATION ANALYSIS OF ALARMS 15

8.1. PROCEDURAL STEPS FOR RATIONALIZATION PROCESS 16

9. ALARMING PROBLEMS 16

9.1. TYPES OF “BAD ACTOR” ALARMS 17

9.2. ALARM PROBLEM SOLVING METHODS 17

10. MEASURING ALARM SYSTEM PERFORMANCE 19

10.1. PERFORMANCE TIMELINE 19


10.2. KEY PERFORMANCE INDICATORS 20

10.3. REPORT OF ALARM SYSTEM PERFORMANCE 20

11. MANAGEMENT OF CHANGE 20

12. PERSONNEL TRAINING 21

APPENDIX A - PLANT/SYSTEM SPECIFIC TERMS 22

A.1. FOXBORO I/A SPECIFIC TERMS 23

A.2. LONG HARBOUR SPECIFIC TERMS 23

APPENDIX B - SITE SPECIFIC ALARM DETECTION AND DISPLAY 23

B.1. COPPER CLIFF FOXBORO SYSTEM 23

B.1.1. ALARM PRESENTATION REQUIREMENTS 23

B.1.2. ALARM MESSAGING 23

B.1.3. ALARM AUDIBILITY 24

B.1.4. PROCESS GRAPHICS 24

B.1.5. DISPLAY NAVIGATION 24

B.1.6. ALARM ROUTING 25

B.2. LONG HARBOUR SYSTEM 25

APPENDIX C - SITE SPECIFIC ALARM PRIORITY SYSTEM 26

C.1. FOXBORO PRIORITY SYSTEM 26

C.2. LONG HARBOUR PRIORITY SYSTEM 26

C.3. ADDITIONAL SITE SPECIFIC PRIORITY SYSTEM 28

APPENDIX D - SITE SPECIFIC RATIONALIZATION PROCESS 29

D.1. TEAM AND PROCESS RATIONALIZATION AT COPPER CLIFF 30

D.2. VENDOR ALARM INPUT POLICY AT LONG HARBOUR 30

APPENDIX E - SITE SPECIFIC ALARM CONFIGURATION GUIDELINES 30

E.1. CONFIGURATION AT COPPER CLIFF 30

E.2. CONFIGURATION AT LONG HARBOUR 30


4.0 REFERENCES

This section lists the documents, standards and guidelines followed when preparing this Alarm Management Philosophy document.

- EEMUA (Engineering Equipment and Materials Users Association): EEMUA Publication 191, Alarm Systems: A Guide to Design, Management, and Procurement
- ISA (International Society of Automation): ISA 18.2, Management of Alarm Systems for the Process Industries
- PAS (independent alarm management company): The Alarm Management Handbook
- PAS Alarm Philosophy Recommendations: Vale Document # 69-010-705-JRT-1001

The alarm philosophy presented in this document is based on a combination of a development workshop between Vale Inco and Invensys and the recommended best practices of process control associations such as ISA, EEMUA, ASM and NAMUR, as well as of other industry experts such as Matrikon and PAS.


5.0 DEFINITION OF TERMS

Term/Acronym: Description

AIN block: Analog input block.

Alarm Groups: A number between 1 and 8 that can be assigned to each alarm. Each number designation is associated with the desired set of alarm destination devices.

Chattering Alarms: Alarms that transition into and out of the alarm state repeatedly within a short period of time (often with no action by the operator).

Compound: Unique identifier for a collection of related blocks.

Consequential Alarms: Multiple alarms from the same event that tell the operator the same thing in different ways.

CAD: Current Alarm Display; a basic display showing alarm priorities, the time each alarm activated and alarm descriptions.

Duplicate Alarms: Alarms that persistently occur within a short period of other alarms (e.g. within one second).

D&R: Documentation and Rationalization; the process by which alarms are evaluated to determine their need to exist, their priority, their activation points and the summary of information needed for understanding and management.

EEMUA: Engineering Equipment and Materials Users Association.

First Out: The initiating trip in a series of events.

GCIO: Graphics Control Input/Output Module.

HAZOP: Hazard and Operability Study.

HMI: The Human Machine Interface is the interface to the control of the devices, instruments and equipment within the plant. It is through the HMI that the control room operator can "see" what is happening with the process and take corrective actions to keep the plant operating in a safe state.

Interlock: The shutdown (or start prevention) of a piece of equipment due to a condition that poses a risk to personnel, the environment, production or equipment; the interlock is maintained while the causing condition is active.

Node: Group of workstations and processor modules used to segregate different areas of the plant.

Operator Area: Area of the plant which the operator controls and is responsible for.

OMC: The Operator Message Centre is a software tool intended to ease the transfer of shift information between shift operators, supervisors and other plant personnel, such as maintenance, management and process teams.

OSHE: Occupational Safety, Health, Environment.

PIDA Block: Proportional, Integral, Derivative controller block.

PSS: Plant State Suite; the software tool used during the D&R process, which also stores the master alarm database.

REALM Block: Alarm block that allows the plant to configure alarms or trips independently of input/output blocks or controller blocks.

State Alarms: Alarms that remain continuously in the alarm state for an extended period (e.g. 24 hours).

Start Permissive: Condition(s) that must be satisfied in order to manipulate (start, open, close) a component.

Station Block: Unique block for each Control Processor that allows one to configure specific alarm group devices for specific groups.

Trip: Condition(s) that place a component in a zero-energy state or a predetermined safe condition (usually off or closed).

Alarm Activation Point: The point at which an alarm is triggered; it must allow the operator sufficient time to manage the alarm.

Alarm Flood: The situation where more alarms are received than the operator can physically address.

Refer to Appendix 1.2 for a list of Foxboro I/A specific definitions.


6.0 ALARM DEFINITION AND DESIGN

6.1. DEFINITION AND PURPOSE OF ALARMS

Alarms are signals annunciated to the operator, typically by an audible indication, by a visual indication (usually colours and flashing), and by the presentation of a message or an identifier. An alarm indicates a problem that requires operator action, and is generally initiated by a process measurement passing a defined alarm setting as it approaches an undesirable or potentially unsafe value. Alarm systems are an important means of automatically monitoring plant conditions and drawing the plant operator's attention to significant changes that require assessment or action. In terms of operator support, alarms are meant to:

1. Maintain the plant within a safe operating envelope. A good alarm system helps the operator correct situations before the process or safety interlocks are forced to intervene, which improves plant availability.

2. Recognize and act to avoid hazardous situations. It is the role of the process and safety interlocks to intervene before a hazard arises, but there may be cases where operator action following an alarm has been explicitly identified in the plant safety procedures as a measure of protection.

3. Identify deviations from desired operating conditions that could lead to financial loss, such as loss of production capacity and environmental exceedances.

4. Better understand complex process conditions. Alarms should be an important diagnostic tool, and are one of several sources of information that an operator uses during an upset.

The "alarm system" refers to the complete system for generating and handling alarms, including field equipment, signal conditioning and transmission, alarm processing and alarm display. It also includes hardware, software, and supporting information (e.g. alarm response procedures, management controls).

6.2. ALARM DESIGN PHILOSOPHY

6.2.1. CORE PHILOSOPHY

There are four core philosophies related to alarm systems:

1. The main purpose of alarms is to provide the operator with enough information to correctly select among multiple alarms and to guide the operator in resolving the situation. Alarm systems should therefore be designed to meet the operator's needs and operate within the operator's capabilities. This means that the information alarm systems present should:

i. Be relevant to the operator's role at the time

ii. Be easy to understand

iii. Indicate clearly what response is required

iv. Be presented at a rate that the operator can effectively manage


2. The contribution of the alarm system to protecting the safety of people, the environment, and the plant equipment should be clearly identified. Any claims made for operator action in response to alarms should be based upon sound human performance data and principles.

3. The performance of the alarm system should be assessed during design and commissioning to ensure that it is usable and effective under all operating conditions. Regular auditing should be continued throughout the life of the plant to ensure that good performance is maintained. Alarm management personnel should be assigned to the task of supervising, maintaining, and organizing the alarm system.

4. Alarm systems should be engineered to appropriate industry-recognized standards. When new alarm systems are developed (or existing systems are modified), the design should follow a structured methodology in which every alarm is justified and properly engineered. The initial investment in system design should be sufficient to manage the operational problems and the safety, environmental and financial risks that otherwise arise and result in higher overall lifetime costs. Strategies should be chosen to ensure that alarm systems are engineered to good standards.

6.2.2. ALARM CREATION

Knowing when to create, and when not to create, an alarm is a fundamental part of alarm management. Only events that require action should generate alarms; events that do not require operator action are presented to the operator through HMI graphic displays. Alarms are always created for the benefit of the operator. An alarm should be created regardless of any effect it will have on the operator's attention to other alarms. Alarms are created to provide root cause indication of abnormal events requiring operator action. Note that "operator action" here means process decision changes, troubleshooting or monitoring decisions, initiation of maintenance or changes of operating mode. An alarm that reflects "operator action" is not meant to cover tasks such as logbook record notifications, "nice to knows", indications of normal process operation, etc.

6.2.2.1. ROOT CAUSE INDICATION

A process upset that generates many alarms must be avoided. Alarms are configured for the benefit of the operator, to help him or her perform the job more efficiently. To achieve this, the most important alarm to give an operator on a process upset is an indication of the root cause of the upset. If no associated trips or interlocks occur, the root cause itself is alarmed. If there is an associated trip at an alarm point, the practice is to alarm the interlocked equipment, which in turn directs the operator to the root cause through the first-out indication. As a general rule, operators will receive an alarm to initiate action on the deviating process variable before an equipment interlock occurs. It is very important to be aware of double alarming in this situation: there may be parent-child relationships between alarms, and these must be avoided.

6.2.2.2. ABNORMAL OPERATION


There are many situations in a plant that are normal events (e.g. filter presses changing stages, batch tanks regularly hitting cyclic levels, polishing filters backwashing, switching sequences). The operator might want to know which filter press stage is active, but it is not appropriate to alarm on such a normal event. These events should be shown through graphical representation, not alarms. Alarms must only activate on abnormal cases of operation.

6.2.2.3. ALARM STATES

Alarms require the different states of operation to be considered when they are designed. A plant can operate in various operating modes: Start-up, Normal, Reduced Rate, Standby, Shutdown. These modes or states must be reviewed during rationalization and addressed in each alarm design. When operating rates change, the operator response time for level alarms also changes; the standard adopted for alarm design in this case is to keep the response time, and the resulting priority level, as determined for normal operating rates.

6.2.3. ALARM LIFECYCLE

ISA and industry experts, working together as the SP18 committee, created a new ISA standard for alarm management practices, ISA 18.2. A key inclusion in this standard is the Life Cycle Model of alarm management; a representation of this model is shown in Diagram 1 below.


Diagram 1: Alarm System Life Cycle Model Representation

This model shows the essential steps of all alarm management activities, from the initial design and continued maintenance of the philosophy through to the management of change stage.

6.2.4. ALARM DETECTION AND DISPLAY

There are multiple methods of detecting and identifying an alarming variable for an operator. All alarms should be displayed on an alarm summary screen, which should be able to display the alarms in a variety of ways and offer a variety of features. The summary screen should:

- Sort alarms by priority, chronological order or process area
- Colour-code alarms by priority
- Allow the screen to be temporarily frozen during periods of high activity
- Allow the sounds of low priority alarms to be suppressed
- Minimize the number of keystrokes required for the operator to identify, access and verify alarms
- Have dynamic graphics based on the state of the alarm; graphics configuration should change with a change in alarm configuration
- Use a colour only once if that colour specifically denotes an alarm or its priority (i.e. that colour should not be used in any other graphic on the screen)
- Be organized to minimize operator error and maximize operator familiarity
- Ask the operator to acknowledge a specific alarm only once

For examples of alarm detection displays implemented at specific plants, and additional considerations, see Appendix 2.

6.2.5. SUMMARY OF DESIGN PHILOSOPHY

In general, a good alarm will be:

1. Relevant: It should have significant operational value and should always demand some response from the operator. It should not lull an operator into thinking that alarms can be ignored.

2. Unique: It should not duplicate other alarms.

3. Timely: It should not occur so early that no operator response is needed, or so late that there is no time left to correct the fault.


4. Prioritized: It should have a proper importance assigned that is indicative of the significance of the problem (see PRIORITY DESIGN FOR ALARMS below for details).

5. Understandable: It should have an appropriate message that is easily read and understood.

6. Diagnostic: It should help the operator identify the problem causing the alarm.

7. Advisory: It should direct an operator to take appropriate action.

8. Focusing: It should attract attention toward the most important issues.

If any alarm is safety related then it should be designed, operated and maintained in accordance with requirements set out in the appropriate safety standard.

7.0 PRIORITY DESIGN FOR ALARMS

7.1. JUSTIFICATION OF PRIORITY ALARMS

When it has been determined that an event should be alarmed, a priority must be assigned. Alarms are prioritized so that the more important alarms at any given time are more obvious to the operator. This helps the operator decide which alarms to respond to first when several occur at the same time, which is particularly useful during periods of high alarm activity, when the operator must structure the response so that essential and important actions are carried out first. During less busy times, prioritization brings urgent standing alarms clearly to the operator's attention. Consistent prioritization is a basic requirement of a reliable and credible alarm system.

7.2. BASIC DESIGN OF PRIORITY SYSTEMS

There are several aspects of alarm priority to consider:

a) Number of alarm priorities to assign and their corresponding labels
b) Basis for setting alarm priority
c) Priority distribution, both configured settings and actual alarms

Experience has shown that the use of three priority levels within any one type of display is ergonomically effective for the presentation of alarms. However, a plant may have more than one alarm system. Just as an example, there may be alarms implemented within the process control system, alarms (some of which are safety related) on a hard-wired annunciator panel, plus a separate fire and gas alarm panel. The use of priority should therefore be adapted to suit the particular arrangement chosen. However, it is recommended that definitions of alarm priority should be consistent across systems. There are other areas of flexibility in the general guidance of having three priorities in any alarm system, for example:


- Additional levels: to simplify the operator interface it may be convenient to assign additional priority levels to signals not normally displayed, but which the operator may sometimes wish to examine using the standard alarm display facilities such as the alarm list. For example, this could cover gas levels that, while abnormal, do not contribute to any plant status change (i.e. do not pose a critical danger to plant operations).

- Subdivision: for very unusual situations, it may be useful to further sub-divide priorities. For example, fire alarms might be categorized as critical safety-related alarms but displayed differently from other critical alarms and given a different audible warning. If adopted, such sub-division should be done with great care to avoid any confusion of the established prioritization.

The priority of every individual alarm should not necessarily be fixed for all time. If achievable within the alarm system, it can be very effective to dynamically modify an alarm’s priority according to the prevailing plant state (see Section 14).

7.3. ESTABLISHING ALARM PRIORITY

The appropriate priority for an alarm point is established by considering both the severity of the situation and the required response time. Severity is assessed from the consequences, assuming that no action is taken when the alarm sounds. Risk assessment categorizes severity by three categories of probable impact:

- Health and Safety
- Environment
- Cost

The amount of impact on each of these three categories is captured by assigning one of three severity levels:

- Minor
- Major
- Severe

The resulting impact and severity definitions, together with the operator response time, form the alarm priority matrix (Table 1 below). This matrix is used during the D&R process to assess and assign a priority to each configured alarm. For example tables detailing consequence severity at the various plants see Appendix 3.3.

Table 1: The Priority Defining Matrix (the first two columns describe the response time; the last three give the priority for the maximum severity across the three impact categories)

Operator Response | Maximum Time for Operator Response | Consequence MINOR | Consequence MAJOR | Consequence SEVERE
Extended          | > 30 minutes                       | No Alarm          | No Alarm          | No Alarm
Shortly           | 20 to 30 minutes                   | Notice            | Notice            | Notice
Promptly          | 10 to 20 minutes                   | Notice            | Warning           | Warning
Rapidly           | < 10 minutes                       | Warning           | Critical          | Critical
Emergency         | Immediate response                 | Critical          | Emergency         | Emergency
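The following Python is an added example, not code from the guideline or from Vale's systems. It encodes Table 1, enters it with the worst of the three consequence categories, and then runs two checks a D&R team would want before loading the result into the master alarm database: that the matrix is monotonic (the priority never falls as the consequence gets worse or as the response window gets shorter), and that the configured distribution sits inside the EEMUA ranges the guideline adopts as Table 2 below. The master alarm list is constructed for the example, the mapping of the four matrix labels onto Table 2's three levels is an assumed site choice (the real one is in Appendix C), and the handling of a response time exactly on a band boundary is an assumption the table itself does not settle.

```python
"""Priority assignment from Table 1 plus the D&R consistency checks.
Added example; MASTER is constructed data, not a plant's alarm database."""
from collections import Counter

SEVERITY_ORDER = ("MINOR", "MAJOR", "SEVERE")
ROW_ORDER = ("Extended", "Shortly", "Promptly", "Rapidly", "Emergency")

# Table 1. None stands for "No Alarm": the condition belongs on a graphic,
# and an existing alarm that lands here is removed during rationalization.
MATRIX = {
    "Extended":  {"MINOR": None,       "MAJOR": None,        "SEVERE": None},
    "Shortly":   {"MINOR": "Notice",   "MAJOR": "Notice",    "SEVERE": "Notice"},
    "Promptly":  {"MINOR": "Notice",   "MAJOR": "Warning",   "SEVERE": "Warning"},
    "Rapidly":   {"MINOR": "Warning",  "MAJOR": "Critical",  "SEVERE": "Critical"},
    "Emergency": {"MINOR": "Critical", "MAJOR": "Emergency", "SEVERE": "Emergency"},
}
RANK = {None: 0, "Notice": 1, "Warning": 2, "Critical": 3, "Emergency": 4}


def response_band(max_minutes):
    """Map the maximum time for operator response to a Table 1 row.
    0 means an immediate response. Assumption: a value exactly on a band
    boundary (10 or 20 min) goes to the slower band, i.e. the lower priority."""
    if max_minutes <= 0:
        return "Emergency"
    if max_minutes < 10:
        return "Rapidly"
    if max_minutes < 20:
        return "Promptly"
    if max_minutes <= 30:
        return "Shortly"
    return "Extended"


def assign_priority(max_minutes, consequences):
    """consequences: severity per impact category, e.g.
    {"health_safety": "MAJOR", "environment": "MINOR", "cost": "MINOR"}.
    Table 1 is entered with the worst of the categories."""
    worst = max(consequences.values(), key=SEVERITY_ORDER.index)
    return MATRIX[response_band(max_minutes)][worst]


def matrix_violations(matrix=MATRIX):
    """Priority may not fall when the consequence gets worse or when the
    response window gets shorter. Returns the offending cells; [] is good."""
    bad = []
    for i, row in enumerate(ROW_ORDER):
        for j, sev in enumerate(SEVERITY_ORDER):
            here = RANK[matrix[row][sev]]
            if j and RANK[matrix[row][SEVERITY_ORDER[j - 1]]] > here:
                bad.append((row, sev, "drops as severity rises"))
            if i and RANK[matrix[ROW_ORDER[i - 1]][sev]] > here:
                bad.append((row, sev, "drops as response time shortens"))
    return bad


def rationalize(master):
    """Returns ({tag: priority} for alarms kept, [tags that are No Alarm])."""
    kept, drop = {}, []
    for alarm in master:
        prio = assign_priority(alarm["max_minutes"], alarm["consequences"])
        if prio is None:
            drop.append(alarm["tag"])
        else:
            kept[alarm["tag"]] = prio
    return kept, drop


def distribution_gaps(kept, bands, targets):
    """bands: matrix label -> Table 2 level; targets: level -> (min %, max %).
    Returns {level: actual %} for every level outside its range; {} passes."""
    counts = Counter(bands[p] for p in kept.values())
    total = sum(counts.values())
    gaps = {}
    for level, (low, high) in targets.items():
        pct = 100.0 * counts.get(level, 0) / total if total else 0.0
        if not low <= pct <= high:
            gaps[level] = round(pct, 1)
    return gaps


# Constructed master alarm list for the example (tags and times are made up).
MASTER = [
    {"tag": "FIC-101.HI",  "max_minutes": 5,  "consequences": {"health_safety": "MAJOR",  "environment": "MINOR", "cost": "MINOR"}},
    {"tag": "LIC-201.HH",  "max_minutes": 0,  "consequences": {"health_safety": "SEVERE", "environment": "MAJOR", "cost": "MAJOR"}},
    {"tag": "LIC-201.HI",  "max_minutes": 15, "consequences": {"health_safety": "MINOR",  "environment": "MAJOR", "cost": "MINOR"}},
    {"tag": "TIC-305.LO",  "max_minutes": 15, "consequences": {"health_safety": "MINOR",  "environment": "MINOR", "cost": "MINOR"}},
    {"tag": "PIC-410.HI",  "max_minutes": 25, "consequences": {"health_safety": "MINOR",  "environment": "MINOR", "cost": "MAJOR"}},
    {"tag": "FT-512.FAIL", "max_minutes": 8,  "consequences": {"health_safety": "MINOR",  "environment": "MINOR", "cost": "MINOR"}},
    {"tag": "AIT-620.HI",  "max_minutes": 45, "consequences": {"health_safety": "MINOR",  "environment": "MINOR", "cost": "MINOR"}},
    {"tag": "XV-701.FAIL", "max_minutes": 5,  "consequences": {"health_safety": "MINOR",  "environment": "MINOR", "cost": "SEVERE"}},
    {"tag": "TI-802.HI",   "max_minutes": 30, "consequences": {"health_safety": "MINOR",  "environment": "MINOR", "cost": "MINOR"}},
    {"tag": "PDI-903.HI",  "max_minutes": 12, "consequences": {"health_safety": "MINOR",  "environment": "MINOR", "cost": "MINOR"}},
]
# Assumed site mapping of the four matrix labels onto Table 2's three levels.
SITE_BANDS = {"Emergency": "High", "Critical": "High", "Warning": "Medium", "Notice": "Low"}
EEMUA_TARGETS = {"High": (3, 7), "Medium": (15, 25), "Low": (70, 80)}  # Table 2


def review(master=MASTER):
    """Run every check and return the D&R summary for the list."""
    kept, drop = rationalize(master)
    return {
        "matrix_violations": matrix_violations(),
        "priorities": kept,
        "no_alarm": drop,
        "distribution_gaps": distribution_gaps(kept, SITE_BANDS, EEMUA_TARGETS),
    }


if __name__ == "__main__":
    for key, value in review().items():
        print(f"{key}: {value}")
```

On the constructed list the matrix itself is consistent, one alarm (AIT-620.HI, response window over 30 minutes) comes out as No Alarm and is dropped, and the remaining nine are 33% High and 44% Low against targets of 3 to 7% and 70 to 80%, which is exactly the "largely skewed" outcome that sends the design back for another iteration.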

7.4. ALARM PRIORITY DISTRIBUTION

Alarm priorities are designed according to the guidelines presented in Table 1 above. After initial design, the alarm priority distribution should reflect the percentages shown in Table 2 below. If the distribution is found to be largely skewed from the ranges given, the design process must be iterated until the alarms satisfy the guidelines above and the distribution in Table 2.

Table 2: EEMUA Guidelines for Alarm Configuration

Priority Level      | Alarms Configured During System Design
High (Priority 1)   | 3% - 7% (target 5%) of total
Medium (Priority 2) | 15% - 25% (target 15%) of total
Low (Priority 3)    | 70% - 80% (target 80%) of total

Other considerations may affect the distribution requirements of the design specific to the plant for which the alarms are designed. These have been included in Appendix 3.

7.5. ALARM FREQUENCY REQUIREMENTS

The single purpose of prioritization is risk management, i.e. making it easier for the operator to identify important alarms during periods of high alarm activity. For the operator to discriminate effectively between the importance of different alarm priority levels, the relative frequency of alarms should decrease with increasing priority. Target maximum rates of occurrence for alarms of each priority are given in Table 3 below, as stated in the EEMUA guidelines.

Table 3: EEMUA Guidelines for Target Maximum Occurrence Rate

Priority Level      | Target Maximum Occurrence Rate
High (Priority 1)   | Less than 5 per shift
Medium (Priority 2) | Less than 2 per hour
Low (Priority 3)    | Less than 10 per hour

7.6. ALARM AND EVENT DESCRIPTORS

Within each priority setting there are various alarm or event descriptors. These are listed below. Note that not all event descriptors will be present on all loops; the descriptors on each loop are defined during the rationalization process. The purpose of a descriptor is to add information, beyond the bare limit violation, that helps the operator diagnose the problem. For example, if a thickener underflow transmitter shows a low flow value, it is pointless to display "low flow" as the descriptor; "Plug" may instead be displayed to tell the operator that a plug could be causing the reduction in flow. Examples of descriptors are given below:

Plug: indicates a possible process line plug. This may apply to process solution lines, oxygen addition lines, filter lines that require manual cleaning or switching, etc.

Set Point Deviation HI (Dev_HI): indicates that the process variable is above the operator-entered set point by more than a defined high percent deviation.

Set Point Deviation LO (Dev_LO): indicates that the process variable is below the operator-entered set point by more than a defined low percent deviation.

Rate of Change (ROC): indicates that the process is changing at an unexpected rate.

Interlock Event (INTLK): indicates that an equipment or loop interlock has occurred. All interlocks alarm, and the associated cause is shown on the interlocked equipment's faceplate. The operator can access the cause faceplate through the graphic interface in order to reach the alarm help for the cause. By default, interlock causes have an annunciated alarm, with a defined priority, that gives the operator an indication with associated alarm help on the graphic display and the equipment faceplate.

Page 17: North ENGINEERING GUIDELINE Atlanticextportal.vale.com/eng/Sud/standards/pdf/GUID-84012.pdfEMMUA Publication 191, Alarm Systems: A Guide to Design, Management, and Procurement o ISA

ENGINEERING GUIDELINE North

Atlantic

TITLE

PROCESS AUTOMATION GUIDELINE FOR PROPER IMPLEMENTATION OF PLANT ALARM SYSTEMS BEST PRACTICES FOR ALARM MANAGEMENT

VALE # GUID-84012

PAGE

17/43

REV.

1

Interlocks that are hardwired in the field will always activate in maintenance and remote modes unlike software interlocks that will activate in remote modes only.

Fail Alarm (FAIL) – This event descriptor indicates when device feedback determines that the device set point cannot be reached for some failure reason.

Low Event (LOW) – The LO event descriptor indicates the pre-warning alarm to the operator of a trip condition or of an undesired process consequence.

High Event (HI) – The HI event descriptor indicates the pre-warning alarm to the operator of a trip condition or of an undesired process consequence.

Low Low event (LOLO) – This event descriptor signifies an undesired process condition. A low low event point will usually trigger an interlock action. Where low low event points are used for interlocking actions they will not announce to the operator.

Low Low A event (LOLOA) – This event descriptor signifies that a tank level is below the recommended level required for the agitator. This low low event point will trigger an interlock action. Where low low event points are used for interlocking actions they will not announce to the operator.

High High event (HIHI) – This event descriptor signifies an undesired process condition. A high high event point will usually trigger an interlock action. Where high high event points are used for interlock actions they will not announce to the operator.

Output Hi (OP HI) – Output of the loop has reached a saturation point.

Output Lo (OP LO) – Output of the loop has reached a saturation point.

Faulty IO – Device input or output has generated an internal alarm requiring maintenance. Unless rationalization determines the priority differently, this event type will be an information alert and go directly to the maintenance station. The event will be recorded in the event journal and, while the event is active, the operator will have a visual indication on the graphical interface. If rationalization determines that faulty I/O is an alarm, the alarm priority will be identical to the highest priority alarm related to the I/O. If there is no instrument within a loop, it should not have the ability to generate a faulty IO alarm.

8.0 SETTING ALARM LIMITS

The most critical and determining factor in having a managed alarm system is having correct alarm limit settings. Alarm limit settings should be carefully considered and reviewed when process changes occur. If alarms are not configured in a consistent manner, they may ring in too early or worse, they may not ring in at all. Table 4 shown below has been developed to assist in determination of alarm limit settings. It is expected that some alarm limits will change as personnel become experienced with the process and process conditions. Changing alarm limits will require an MOC procedure authorized by the proper personnel.


| Process Signal | Alarm Limits Defined By | General Guidelines of Limit Selection |
| --- | --- | --- |
| Temperature | Temperature limits are typically defined by metallurgical/design limits and reaction chemistry; they may also be a function of downstream equipment or process line limits. | The upper limit should be the lowest high limit of the listed criteria. The lower limit should be the highest low limit of the listed criteria. |
| Pressure | Pressure limits are typically defined by metallurgical/design limits, safety limits and chemical reaction limits; they may also be a function of downstream equipment or process line limits. Where pressure safety valves exist, alarming must occur before lifting. | The upper limit should be the lowest high limit of the listed criteria. The lower limit should be the highest low limit of the listed criteria. |
| Flow | Flow limits are typically defined by process design flow, reaction chemistry or upstream or downstream equipment limits. | The upper limit should be the lowest high limit of the listed criteria. The lower limit should be the highest low limit of the listed criteria. |
| Level | The desired time to respond and tank size will define the process alarm limit for tank level. | A response time of 5 to 10 minutes is desired for tanks that have been designed for surge capacity. |

Table 4: General Considerations for Determining Alarm Limits

The Alarm Limit is the value at which a specific alarm is triggered. An alarm should be issued such that the operator has sufficient time to return the process to optimal condition before the alarmed variable reaches a critical value. On the other hand, the alarm limit must be set so as to avoid producing nuisance alarms. The initial alarm limit values should be selected based on the normal engineered operating range of the process and should take into account:

- Safety processes and equipment abilities
- Not-to-exceed limits
- Interlocks
- Standard procedures and regulations regarding the process


An example of a limit determination process is shown below: If historical information or valuable operator experience is available, it should be used to set and tune the alarm limit. Limits should be continually adjusted to meet the needs of the process and the operator associated with the alarms. It is important to note that alarms without deadband settings typically create nuisance alarms. The table below gives recommended initial points for deadband settings:

Table : Initial Deadband Settings

| Signal Type | Deadband |
| --- | --- |
| Flow | 5% |
| Level | 5% |
| Pressure | 2% |
| Temperature | 1% |


9.0 RATIONALIZATION ANALYSIS OF ALARMS

Alarm Rationalization is the group process of reviewing each and every possible plant alarm against the principles and requirements of the alarm philosophy document. During this process, an alarm is created when it meets the rationale for an alarm. The fundamental information of operator action, operator response time, and consequence of no response is clearly documented for use by the operator and operations staff. It is during the rationalization process that identified alarm priorities are assigned based on the priority defining matrix. Alarm Rationalization is an organized, consistent, and controlled method of analyzing, determining, documenting and prioritizing all possible alarms in the plant control system. During rationalization, situations may be presented where members insist that specific alarms require a higher priority setting than rationalization produced. It is acceptable that alarm priorities may be increased; these increases shall be documented with justification during rationalization of that alarm. When packaged equipment is supplied to the plant, each package vendor is required to provide a rationalized alarm and event list. Throughout the plant operation, vendor alarms will require rationalizing to ensure they meet the Vale alarm configuration guidelines within the alarm philosophy.

It is expected with ongoing operations there will be changes to the alarm system with the re-evaluation of existing alarms and the addition of missing alarms. Operators are expected to provide continuous improvement to the operation of the alarm system throughout the plant lifecycle.

During an alarm rationalization procedure it is a recognized best practice to include members of the operations, safety, maintenance, process control and process engineering teams. To fully evaluate alarms during rationalization, resources available include relevant PFD’s and PID’s, HAZOP results, System Design Criteria, Stream Tables, functional narratives, updated unit P&ID’s, DCS configuration information, start permissive system logic, operating procedures, incident reports, plant safety standards, plant operational standards, OSHE requirements, cause and effect matrices and the alarm philosophy document.

1.9. PROCEDURAL STEPS FOR RATIONALIZATION PROCESS

The following procedure is the best practice method of performing an alarm system rationalization:

Step 1. Each process area P&ID should be referred to separately. Each point or process control loop should be addressed independently to identify whether or not it meets the criteria for an alarm.

Step 2. On each identified point, review each alarm and event descriptor and ask if this descriptor requires operator action on this point. Not all descriptors should be on one loop; rationalizing each descriptor for each loop will result in the best descriptor selection for the loop. (Refer to section 6.6 Alarm and Event Descriptors)

Step 3. Identification of a descriptor for a specified loop requires documentation of the possible causes, recommended actions and the event justification or consequences of no action. If there are no identified actions then this descriptor does not qualify as an alarm.


Step 4. Each identified alarm should be reviewed for its possibilities of double alarming or parent child relationships. In the case of double alarming only one alarm should be configured to indicate the root cause.

Step 5. For each identified alarm the proper trip point setting must be decided. The initial trip point setting should be based on safety limits, process targets, process limits, environmental limits, product specific limits, equipment protection limits. (Refer to section 7 for Setting Alarm Limits).

Step 6. For each alarm type, determine how long the operator has to respond before a consequence could occur.

Step 7. For each alarm, determine the category of consequence level.

Step 8. The operator response time and the consequence level have to be identified before referring to the Priority Defining Matrix (see Table 1) to determine the alarm priority.

Step 9. For every alarm identified, different modes of operation should be reviewed to identify any needs for State Based alarming strategies or other requirements to incorporate an alarm problem solver. (Refer to section 9.2 Alarm Problem Solving Methods)

Step 10. Record any important details to be announced to the operator with the alarm. The details must be relevant and help the operator in assessing the alarm.

Step 11. Identify and document any specialized process displays or process sequences needed.

Step 12. Identify duplicate alarms that may be generated through any Safety Instrumented System (SIS).

2. ALARMING PROBLEMS

Most of the alarming problems found in plant control systems are listed below:

Stale Alarms – Alarms that activate and remain active for extended periods of time. Industry experts say alarms that remain active for over 24 hours should be considered stale alarms.

Alarm Suppression - Alarms that have been turned off and will not activate until someone turns them on again.

False Alarms – Alarms that are configured based on normal operating procedures or processes.

Alarm Flooding – Alarms are not configured in adaptable ways to handle process upsets. (10 or more alarms per 10 minutes)

Bad Actor Alarms – Nuisance alarms or bad actor alarms that incorrectly alert the operator; they are usually repetitive in short time spans and require some type of alarm problem solver to correct, e.g. on delay, off delay, deadband, etc.

2.1. TYPES OF “BAD ACTOR” ALARMS

An expansion on bad actor alarms is given here:


Chattering – Alarms that are constantly activating and deactivating before an operator can respond to them (3 alarm sounds in 1 minute).

Parent Child Relationships – both alarms can occur independently; however, one of them always sounds if the other has sounded.

Double Alarming – Alarms on separate loops that indicate the same process upset.

Bad Measurement Alarms – When an instrument has a bad measurement status and is generating device alerts to the DCS system.

2.2. ALARM PROBLEM SOLVING METHODS

Below is a list of possible solutions that can be used based on the alarming problems identified during alarm rationalization. When these problem solving methods are used they must be documented in the master alarm database software that is used during rationalization.

1. Adaptive Alarming – Process targets or set points change when the associated alarm limits change. The alarm always suits the operational set point.

2. Group Alarming – This is an alarming method that can deal with alarm flooding. Group alarming will allow just one configured alarm for a specified group to annunciate during a process upset. This alarm will be the “first event” in the group. If this problem solving method is used there must be direct links to the main display of the “first event”.

3. State Based Alarming – Alarm limits change/de-activate depending on the equipment status or operator input. In Alarm Rationalization this will need to be reviewed on a case by case basis. Some example states include Area Startup, Area Running, Area Shutdown, Feed Rates changing, Equipment shutdown, Ball mill shutdown, SMD shutdown, AC Shutdown, AC Hot Standby, AC Flushing, Flash cooler running, Belt filter running, Standby Thickener mode on, Cl Compressor running, Pre-leach running.

4. On Delays – A required time period must elapse while the process variable (PV) is within the alarm limit before the alarm will activate. The alarm will deactivate immediately when the PV is no longer within the alarm limits. Table 5 below indicates the recommended EEMUA starting delay times when implementing new points. These will be refined on a case by case basis.

| Process Signal | On Delay Time | Off Delay Time |
| --- | --- | --- |
| Flow | 15s | 0s |
| Level | 30s | 0s |
| Pressure | 15s | 0s |
| Temperature (non-critical) | 60s | 0s |

Table 5: Recommended ISA 18.2 On / Off Delay Times (Seconds)

5. Off Delays – The alarm will activate immediately as the PV enters the alarm limit but will not deactivate until an elapsed time has passed and the PV stays outside the alarm limit.

6. Deadband – When a deadband is set, the alarm will ring in when the actual limit is hit (see Figure 1). In order to return to normal, the variable must go below (or above) the alarm point by the deadband applied. Applying deadband to a signal will prevent noisy signals from generating multiple alarms when near an alarm point. It is important to remember the operating range and target set points when applying deadband. If the general rules shown in Table 6 below are used, they must be practical in the application. These will be refined on a case by case basis.


Figure 1: Alarm Deadband (diagram of the alarm state, Alarm On / Alarm Off, plotted against the alarmed variable)

8. Alarm Suppression – Alarm Suppression is a temporary way for operators to “snooze” alarms for a set time period. The alarm shelving procedure should have a maximum shelving (“snooze”) time limit. When the snooze time is up the alarm will automatically become re-enabled. The automatic restore functionality is used to ensure that alarms cannot be shelved indefinitely, which could lead to potential alarm failure. The ability to snooze higher priority alarms such as critical and emergency should not be available.

9. Operator Message Center – The operator requires a method by which he or she can monitor chosen process variables at exception limits for some abnormal operational task. These types of tasks can be handled through the operator message center.

10. Value Filtering – Applying value filtering to a value reduces noise from signals. General rules are shown in Table 7 below.

| Measurement | Filter Time Constant |
| --- | --- |
| Flow | 2 sec |
| Level | 2 sec |
| Pressure | 1 sec |
| Temperature | 0 sec |

Table 7: Recommended PAS Value Filtering settings
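The on delay, off delay and deadband methods (items 4 to 6 above, with the Table 5 and Table 6 starting values) as a sample-by-sample alarm evaluator run over a constructed tank-level signal. This is an added example, not code from this guideline or from any DCS vendor; the HI limit of 80 %, the 0-100 % span and the signal itself are constructed for it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class HighAlarm:
    """One HI alarm evaluated sample by sample with deadband, on delay and off delay."""
    limit: float                      # trip point, engineering units (constructed: 80 % level)
    span: float                       # operating range (max - min); deadband % is taken of this
    deadband_pct: float = 0.0         # Table 6 starting values: flow 5, level 5, pressure 2, temperature 1
    on_delay_s: float = 0.0           # Table 5 starting values: flow 15, level 30, pressure 15, temperature 60
    off_delay_s: float = 0.0          # Table 5 gives 0 s off delay for every signal type
    active: bool = False
    activations: int = 0              # how many times the alarm annunciated
    first_active_at: Optional[float] = None
    _above_since: Optional[float] = field(default=None, repr=False)
    _below_since: Optional[float] = field(default=None, repr=False)

    @property
    def clear_point(self) -> float:
        """PV must fall below this before the alarm returns to normal (Figure 1 deadband)."""
        return self.limit - self.span * self.deadband_pct / 100.0

    def update(self, t: float, pv: float) -> bool:
        """Feed one sample taken at time t (seconds); return the alarm state after it."""
        if not self.active:
            if pv >= self.limit:
                # on delay: PV must stay in the alarm region for on_delay_s before annunciating
                if self._above_since is None:
                    self._above_since = t
                if t - self._above_since >= self.on_delay_s:
                    self.active = True
                    self.activations += 1
                    if self.first_active_at is None:
                        self.first_active_at = t
                    self._below_since = None
            else:
                self._above_since = None   # excursion ended before the delay elapsed: timer restarts
        else:
            if pv < self.clear_point:
                # off delay: PV must stay clear of the deadband for off_delay_s before clearing
                if self._below_since is None:
                    self._below_since = t
                if t - self._below_since >= self.off_delay_s:
                    self.active = False
                    self._above_since = None
            else:
                self._below_since = None   # PV re-entered the deadband: clearing timer restarts
        return self.active


def constructed_level_signal() -> List[Tuple[int, float]]:
    """Constructed 1 s tank-level samples (0-100 %) against a HI limit of 80 %.

    0-59 s: noise straddling the limit (a textbook chattering alarm);
    60-119 s: a genuine excursion that ramps to 90 % and stays there."""
    chatter = [81.0, 81.5, 78.5, 79.0] * 15
    excursion = [min(90.0, 82.0 + 0.5 * k) for k in range(60)]
    return list(enumerate(chatter + excursion))


def compare_strategies() -> Dict[str, Tuple[int, Optional[float]]]:
    """Run the same signal through four configurations; return (activations, first annunciation time)."""
    configs = {
        "no_deadband_no_delay": HighAlarm(limit=80.0, span=100.0),
        "deadband_5pct": HighAlarm(limit=80.0, span=100.0, deadband_pct=5.0),
        "on_delay_30s": HighAlarm(limit=80.0, span=100.0, on_delay_s=30.0),
        "deadband_and_on_delay": HighAlarm(limit=80.0, span=100.0, deadband_pct=5.0, on_delay_s=30.0),
    }
    results = {}
    for name, alarm in configs.items():
        for t, pv in constructed_level_signal():
            alarm.update(t, pv)
        results[name] = (alarm.activations, alarm.first_active_at)
    return results


if __name__ == "__main__":
    for name, (count, first) in compare_strategies().items():
        print(f"{name:24s} activations={count:2d} first annunciated at t={first}s")
```

The unfiltered configuration annunciates 15 times in the first minute (chattering by the section 2.1 definition) and once more for the real excursion; the Table 5 level on delay of 30 s removes the chatter at the cost of annunciating the real excursion 30 s late.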

| Measurement | Deadband % (operating range) |
| --- | --- |
| Flow | 5 |
| Level | 5 |
| Pressure | 2 |
| Temperature | 1 |

Table 6: Recommended ISA 18.2 Deadband Setting

3. MEASURING ALARM SYSTEM PERFORMANCE

Alarm system performance measurement is a necessary element of maintaining an alarm system. Alarm management software is recommended for analysis of alarm systems due to the time required, and usually the lack of time available, for a manual analysis. Within alarm management software packages there are a variety of preconfigured charts and graphs that are the stepping stones of proper alarm system measurement. There should be a report at minimum once a month outlining recommended analyses of the alarm system. The most important analysis, as multiple studies recommend, is the number of alarms per day per operator. EEMUA states that a rate of 150 alarms per day per operator is manageable and a rate above 300 alarms per day is unacceptable. The acceptable average for a 10 minute alarm rate is one alarm.

3.1. KEY PERFORMANCE INDICATORS

To ensure that the alarm system and plant continue to function as an entity, the following metrics to assess potential problems with the plant will be used:

1. Number of chattering or frequently recurring alarms after rationalization implementation
2. Production rate compared to hourly alarm rate
3. Safety statistics compared to hourly alarm rate
4. Product quality statistics compared to hourly alarm rate
5. Cost statistics compared to hourly alarm rate

To ensure that the alarm system continues to meet the targets described in this document, the following metrics to assess alarm system performance on a regular basis will be used:

1. Operator feedback on alarm system performance
2. Time to Acknowledge
3. Number of code changes and software jumpers installed in the alarm system
4. Number and type of alarms that have been shelved, bypassed, disabled and/or inhibited

3.2. PERFORMANCE TIMELINE

It is important to have a prescribed progress for the development of alarm systems in terms of performance. Table 8 below represents the initial target KPI’s (Key Performance Indicators) for the Alarm system performance based on three stages of progression, beginning from the Processing Plant start-up. Targets have been aligned with industry recommendations.

| Key Performance Indicator (KPI) | Interim Target for Systems Undergoing Alarm Improvement | Long-Term Target |
| --- | --- | --- |
| Target Average Process Alarm Rate | <300 per day | <150 per day |
| Percentage of time alarm rate exceeds Target Average Process Alarm Rate | 5% | 0% |
| Alarm Event Priority Distribution based on at least one week of data | ~80% low, ~15% high, <=5% critical, <1% emergency | ~80% low, ~15% high, <=5% critical, <1% emergency |
| Suppressed Alarms | Zero (unless as part of defined Shelving, Flood Suppression, or State-based strategy) | Zero (unless as part of defined Shelving, Flood Suppression, or State-based strategy) |
| Chattering Alarms | 10 occurrences or less in a one-week period | 0 per day |
| Stale Alarms (>24 hours) | 20 or less in a one-week period | 0 per day |
| Floods (10 to 20 alarms in a 10 minute period) | <=5 per day | <=3 per day |
| Floods (>20 alarms in a 10 minute period) | <=3 per day | 0 per day |
| Process changes in Alarm Priority, Alarm Trip Point, Alarm Suppression Status, Point Execution Status | None that are unauthorized. None that are not part of a defined Shelving, Flood Suppression, State-based Strategy | None that are unauthorized. None that are not part of a defined Shelving, Flood Suppression, State-based Strategy |

Table 8: Alarm System Key Performance Indicators as recommended by PAS
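The Table 8 indicators computed from an alarm and event journal, as an added example that is not part of this guideline or of the PAS software it cites. The journal line format (timestamp, tag, kind, detail), the tag names and the two-day sample are constructed for the example; the flood, chattering and stale definitions follow sections 2 and 2.1 and Table 8, and a configuration change without an MOC reference is counted as unauthorized.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    t: datetime
    tag: str
    kind: str     # ACT = alarm active, RTN = return to normal, CHG = configuration change
    detail: str   # ACT: priority; CHG: MOC reference, or free text when none was recorded


def parse_journal(lines: List[str]) -> List[Event]:
    """Parse constructed 'timestamp, tag, kind, detail' lines into time-ordered events."""
    events = []
    for line in lines:
        ts, tag, kind, detail = (p.strip() for p in line.split(",", 3))
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), tag, kind, detail))
    return sorted(events, key=lambda e: e.t)


def flood_counts(events: List[Event], window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """10-minute buckets holding 10-20 alarms and more than 20 alarms (the two Table 8 flood bands)."""
    acts = [e.t for e in events if e.kind == "ACT"]
    buckets: Dict[int, int] = defaultdict(int)
    for t in acts:
        buckets[(t - acts[0]) // window] += 1          # fixed buckets aligned on the first alarm
    return {"10_to_20": sum(1 for n in buckets.values() if 10 <= n <= 20),
            "over_20": sum(1 for n in buckets.values() if n > 20)}


def chattering_tags(events: List[Event], n: int = 3, window: timedelta = timedelta(minutes=1)) -> List[str]:
    """Tags that activated n or more times inside one window (section 2.1: 3 alarms in 1 minute)."""
    by_tag: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.kind == "ACT":
            by_tag[e.tag].append(e.t)
    return sorted(tag for tag, ts in by_tag.items()
                  if any(ts[i + n - 1] - ts[i] < window for i in range(len(ts) - n + 1)))


def stale_tags(events: List[Event], period_end: datetime, limit: timedelta = timedelta(hours=24)) -> List[str]:
    """Tags whose alarm stayed active longer than 24 h (section 2 definition of a stale alarm)."""
    active_since: Dict[str, datetime] = {}
    stale = set()
    for e in events:
        if e.kind == "ACT":
            active_since.setdefault(e.tag, e.t)
        elif e.kind == "RTN" and e.tag in active_since and e.t - active_since.pop(e.tag) > limit:
            stale.add(e.tag)
    stale.update(tag for tag, since in active_since.items() if period_end - since > limit)  # still active
    return sorted(stale)


def priority_distribution(events: List[Event]) -> Dict[str, float]:
    """Percentage of annunciated alarms per priority, for comparison with the Table 8 distribution."""
    prios = [e.detail for e in events if e.kind == "ACT"]
    return {p: round(100.0 * prios.count(p) / len(prios), 1) for p in sorted(set(prios))}


def kpi_report(lines: List[str], operators: int, period_start: datetime, period_end: datetime) -> dict:
    """Table 8 indicators for one reporting period; the caller compares them with the targets."""
    events = parse_journal(lines)
    days = (period_end - period_start) / timedelta(days=1)
    return {
        # Table 8: <300 per day interim, <150 per day long term
        "alarms_per_operator_day": sum(e.kind == "ACT" for e in events) / operators / days,
        "floods": flood_counts(events),
        "chattering_tags": chattering_tags(events),
        "stale_tags": stale_tags(events, period_end),
        # Table 8: no priority, trip point or suppression change that is unauthorized (no MOC reference)
        "unauthorized_changes": [e.tag for e in events if e.kind == "CHG" and not e.detail.startswith("MOC-")],
        "priority_distribution_pct": priority_distribution(events),
    }


def constructed_journal() -> List[str]:
    """Constructed two-day journal: one chattering tag, one stale alarm, one flood, two config changes."""
    base = [
        "2013-07-01 02:00:00, TIC-305, ACT, high",    # returns to normal 26 h later: stale
        "2013-07-01 08:00:05, LIC-201, ACT, low",
        "2013-07-01 08:00:20, LIC-201, RTN, ",
        "2013-07-01 08:00:35, LIC-201, ACT, low",
        "2013-07-01 08:00:50, LIC-201, RTN, ",
        "2013-07-01 08:00:58, LIC-201, ACT, low",     # third activation within one minute: chattering
        "2013-07-01 08:01:10, LIC-201, RTN, ",
        "2013-07-01 10:30:00, LIC-201, CHG, MOC-0042 deadband raised from 0 % to 5 %",
        "2013-07-01 11:45:00, FIC-405, CHG, suppressed by operator, no MOC raised",
        "2013-07-02 04:00:00, TIC-305, RTN, ",
    ]
    flood = []
    for i in range(10):                               # 10 alarms within 4.5 minutes: one 10-20 flood
        t = datetime(2013, 7, 1, 14, 1, 0) + timedelta(seconds=30 * i)
        flood.append(f"{t:%Y-%m-%d %H:%M:%S}, FIC-{401 + i}, ACT, low")
        flood.append(f"{t + timedelta(minutes=15):%Y-%m-%d %H:%M:%S}, FIC-{401 + i}, RTN, ")
    return base + flood


def demo_report() -> dict:
    return kpi_report(constructed_journal(), operators=1,
                      period_start=datetime(2013, 7, 1), period_end=datetime(2013, 7, 3))
```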

3.3. REPORTING OF ALARM SYSTEM PERFORMANCE

Reports will be distributed to managers, staff and operators once a month. It is also recommended that after major upsets or incidents, the alarm system reporting can provide details prior, during and after the incident. Other important information that will be available in the report will include bypassed interlocks and the frequency of each. Progress towards standardized reports and an automated report generating system is strongly encouraged. In lieu of an automated system, manual reports of the alarm system shall be generated.

4. MANAGEMENT OF CHANGE

Since the alarm systems are part of the plant’s defense against hazards, any changes resulting from alarm reviews need to be carried out in a responsible way. Thus all proposed changes should be fully analyzed, their consequences should be determined, and agreed changes should be recorded with reasons. The Vale MOC process will be used to manage changes to the alarm system. Specific alarm system changes that will undergo the MOC process include, but are not limited to, the following:

1. Changes to regular non-trip alarm settings and interlock or trip alarm settings (setpoint, priority, inhibit filters).

2. Any procedural modifications will be initiated and executed by operations. Procedural changes will follow established guidelines.

3. Changes to the master alarm database.


4. Removal or addition of alarms (including new alarms derived from new equipment and/or projects). In addition to following the MOC process, these changes must follow this Philosophy document.

5. Changes to downstream processes and instrumentation resulting from alarm system changes. As well, previous design changes to the process and instrumentation will be reviewed to ensure further changes are made per the MOC process.

6. Maintenance of alarm system documentation, including this Philosophy document.

In addition, the current MOC process will be updated as necessary to align with the principles described in this Philosophy document. A Vale employee will be assigned the role of “Alarm Process Manager”. The Alarm Process Manager will have authority over all changes made to the alarm system database and to the alarm system documentation, including but not limited to items #1 through #6 described above. Furthermore, DCS Operators from all four shifts must review and sign off the appropriate documentation to ensure that changes to the alarm system have been communicated and understood.

4.1. ROLES AND RESPONSIBILITIES

In addition to the Alarm Process Manager, various teams will also be responsible for certain elements of the alarm lifecycle. Ensuring that certain roles and responsibilities are fulfilled is essential to the optimal function of the alarm system as a whole. The roles and responsibilities of operations, maintenance, automation, engineering and other functions are shown in the table below:

Roles and Responsibilities

Alarm Process Manager:
- Maintain and administer the alarm management software and the Master Alarm Database.
- Manage the implementation of the alarm rationalization process.
- Provide a qualified representative(s) to participate on the Site Alarm Management team.
- Ensure that changes to the alarm management system follow an MOC process.
- Track adherence to the alarm philosophy.
- Periodically review and revise the alarm philosophy to address advances in alarm management practices.
- Coordinate the development of investment proposals for alarm management.

Alarm Process Control Specialist:
- Ensure that the alarm system achieves and maintains the performance levels defined by the KPI’s.
- Report on the performance of the Process Alarm Management System using the site KPI’s.
- Initiate work orders to repair malfunctioning field devices responsible for bad actor alarms.
- Ensure that operators have been trained on the functionality and use of the Process Alarm Management System.
- Provide a qualified representative(s) to participate on the Site Alarm Management team.
- Validate all new alarms or modifications to existing alarms before implementation.
- Update the Master Alarm Database for rationalized alarms.

Maintenance Instrumentation Technician:
- Implement the changes in the control system reflected in the alarm master database.
- Test alarms.
- Provide a qualified representative(s) to participate on the Site Alarm Management team.

Table : Roles and Responsibilities For Alarm Management Teams

13. PERSONNEL TRAINING

The operator will be trained on the new alarm system for their individual process area. Training should be incorporated into the competency assessment of each operator, which should be regularly reviewed. At a minimum, operators should understand:

1. Alarm Management Philosophy
2. Alarm System (graphics, Alarm Panel, etc.)
3. Alarm priorities as related to safety, environmental and economic performance of plant
4. Expected action and speed-of-response to each process alarm
5. How to access documentation
6. Use of the alarm summary features during periods of high alarm rates

All operators will be trained in the realistic use of the alarm systems that they work with. This will include refresher training and training in any new alarm system functions.



Vale training requirements include:

1. All training materials will be updated to reflect the principles described in this Philosophy.
2. New and existing operators will be provided with training on the new alarm system.
3. Maintenance will be trained on the PSS application.
4. The training department will communicate to all Operations and Maintenance personnel that the current alarm standards are changing and a reliable alarm system is being implemented.
5. New projects must conform to standards and principles described in this Philosophy.

14. ALARM SYSTEM PERFORMANCE LEVELS

A performance level can be assigned to a system given the analysis procedures shown above. PAS proposes a five stage scale to direct improvement of alarm systems. This scale is demonstrated below along with the improvement steps at each phase:

Figure : Performance Level Improvement Diagram (stages OVERLOADED, REACTIVE, STABLE, ROBUST, PRODUCTIVE; improvement plans give the specific steps to move from one stage to the next)

The Table below gives the necessary steps at each stage that are required to improve the system to the next stage:

| System Performance Level | Description | Improvement Steps |
| --- | --- | --- |
| OVERLOADED | Continually high rate of alarms. Operators do not make use of alarms. Impossible to determine priority among alarms. | Develop Alarm Philosophy Document and Management of Change Principle. Perform alarm analysis and resolve bad actor and nuisance alarms. |
| REACTIVE | System is stable, but still of no use during upsets. Provides the operator with prioritized warnings. System MOC and alarm suppression improved but not under control. | Perform Alarm Documentation and Rationalization. Produce alarm metrics. Enable alarm shelving. Group alarms into categories and produce a Master Alarm Database. Implement an automated audit and enforcement for the alarm database. |
| STABLE | Reliable; operators confident in system. Provides warning before an upset, but is less useful during the upset. MOC fully controlled. | Implement State-Based Alarm System (active alarms change based on plant state). State-Based Alarm suppression. Online Alarm Response Manual for operators. Online Loop Performance Analysis. |
| ROBUST | System reliable during all plant modes (normal and upset). Operators are highly confident with system. MOC prevents detrimental changes. | Early Fault Detection. Early Fault Diagnosis and Advice. Procedural Automation based on alarm upsets. Implementation of operator support systems: pattern matching, adaptive graphics, artificial intelligence, and other experimental technologies. |
| PREDICTIVE | Stable system at all times; minimizes the impact of upsets. System allows operators to actively “patrol” process and prevent upsets. | Maintain all previous steps to maintain the predictive system. |

Table : Alarm System Performance Levels With Improvement Procedures

Page 31: North ENGINEERING GUIDELINE Atlanticextportal.vale.com/eng/Sud/standards/pdf/GUID-84012.pdfEMMUA Publication 191, Alarm Systems: A Guide to Design, Management, and Procurement o ISA

ENGINEERING GUIDELINE North

Atlantic

TITLE

PROCESS AUTOMATION GUIDELINE FOR PROPER IMPLEMENTATION OF PLANT ALARM SYSTEMS BEST PRACTICES FOR ALARM MANAGEMENT

VALE # GUID-84012

PAGE

31/43

REV.

1

PLANT/SYSTEM SPECIFIC TERMS

A.1. FOXBORO I/A SPECIFIC TERMS

Alarm Enable Status: The Foxboro I/A specific alarm enable status determines the reporting mechanism for all process alarms. The standard settings for the alarm status are "ENABLED", "DISABLED", or "INHIBITED".

1. Enabled Alarm - The enabled status indicates that the alarm is functioning as configured. An alarm that is enabled provides reporting to the Alarm Managers. All features of alarm detection, the initiation of user-written programs and writing to the alarm journal are active.

2. Disabled Alarm - A disabled alarm operates without operator notification (no reporting anywhere). Disabling an alarm prevents the detection and distribution to the Alarm Manager. No indication is made that the alarm condition has occurred.

3. Inhibited Alarm - The inhibited status indicates that the alarm has been taken out of service. An inhibited alarm will not audibly notify the operator (no reporting to the Alarm Manager) in the event the criterion for an alarm exists.

Inhibited alarms are visible as being in alarm in group displays. Alarm detection and program initiation are still active for an inhibited alarm.

Alarm Priority: Foxboro provides priority settings 1 through 5:

a. Priority 1 - High Alarm is reported and historized to the system and annunciated
b. Priority 2 - Medium Alarm is reported and historized to the system and annunciated
c. Priority 3 - Low Alarm is reported and historized to the system and annunciated
d. Priority 4 - Historized and reported on a separate alarm display
e. Priority 5 - Historized and reported on a separate alarm display

BAD: Bad is a Boolean output parameter which is set true when the input to the block is unacceptable in any way.

BADOPT: Bad and Out-of-Range Option is a short integer option that specifies the conditions that set the BAD output true. Values are:

a. 0 = Bad Status only
b. 1 = Bad Status or Low Out-of-Range (LOR)
c. 2 = Bad Status or High Out-of-Range (HOR)
d. 3 = Bad Status or LOR or HOR

HLDB: High/Low Deadband is a real input that defines the size of the deadband that applies to the high, low, high-high, and low-low absolute alarm limits of the PNT output.

HLOP: High/Low Option is a configured short integer input that enables Absolute High and/or Low alarming of the PNT output, or disables absolute alarming altogether. Values:

a. 0 = No Alarming
b. 1 = High and Low Absolute Alarming
c. 2 = High Absolute Alarming Only
d. 3 = Low Absolute Alarming Only

SAO: State Alarm Option is a configurable Boolean which, when true, enables the generation of State Alarms.

a. 0 = No Alarming
b. 1 = Alarming

INHIB: Suppresses all alarm message reporting, but alarm detection continues to function.

INHOPT: Specifies these alarm inhibit options:

a. 0 = Disable alarm messages when alarms are inhibited
b. 1 = Disable alarm detection when alarms are inhibited
c. 2 = Same as 0, and enable automatic acknowledgment
d. 3 = Same as 1, and enable automatic acknowledgment

OSV: Output Span Variance is a configurable real input which defines the percentage by which the output clamp limits exceed the output range defined by HSCO1 and LSCO1.
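As an added illustration (not Foxboro code and not part of this guideline), the following Python model reproduces the behaviour the A.1 terms describe: the three enable statuses, HLOP high/low selection, the HLDB deadband on return to normal, and the four INHOPT inhibit options. The exact deadband test and the writing of the journal while inhibited are assumptions where the text is silent.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Status(Enum):
    """A.1 Alarm Enable Status."""
    ENABLED = "ENABLED"      # detect, report to Alarm Manager, write journal
    DISABLED = "DISABLED"    # no detection, no reporting anywhere
    INHIBITED = "INHIBITED"  # detect (unless INHOPT says otherwise), no Alarm Manager report


@dataclass
class AbsoluteAlarmBlock:
    """High/low absolute alarming of a PNT value with an HLDB deadband.

    Deadband semantics are an assumption: an alarm sets when PNT crosses the
    limit and returns to normal only after PNT re-crosses the limit by HLDB.
    """
    hlop: int = 1                 # 0 none, 1 high and low, 2 high only, 3 low only
    high_limit: float = 90.0
    low_limit: float = 10.0
    hldb: float = 2.0
    status: Status = Status.ENABLED
    inhopt: int = 0               # 0-3 as listed under INHOPT
    high_alarm: bool = False      # detection state (what group displays show)
    low_alarm: bool = False
    unacknowledged: bool = False
    journal: List[str] = field(default_factory=list)           # alarm journal
    manager_messages: List[str] = field(default_factory=list)  # Alarm Manager

    def detection_active(self) -> bool:
        if self.status is Status.DISABLED:
            return False
        # INHOPT 1 and 3 switch detection off while inhibited
        return not (self.status is Status.INHIBITED and self.inhopt in (1, 3))

    def _report(self, event: str) -> None:
        # Assumption: the journal is written whenever detection is active.
        self.journal.append(event)
        if self.status is Status.ENABLED:
            self.manager_messages.append(event)
            self.unacknowledged = True
        elif self.inhopt in (2, 3):
            self.unacknowledged = False  # automatic acknowledgment while inhibited

    def update(self, pnt: float) -> Optional[str]:
        """Feed one PNT sample; return the alarm event raised, if any."""
        if not self.detection_active():
            return None
        event = None
        if self.hlop in (1, 2):                      # high absolute alarming
            if not self.high_alarm and pnt > self.high_limit:
                self.high_alarm, event = True, "HIGH"
            elif self.high_alarm and pnt <= self.high_limit - self.hldb:
                self.high_alarm, event = False, "HIGH_RTN"
        if self.hlop in (1, 3) and event is None:    # low absolute alarming
            if not self.low_alarm and pnt < self.low_limit:
                self.low_alarm, event = True, "LOW"
            elif self.low_alarm and pnt >= self.low_limit + self.hldb:
                self.low_alarm, event = False, "LOW_RTN"
        if event:
            self._report(event)
        return event

    def acknowledge(self) -> None:
        self.unacknowledged = False

    @property
    def in_alarm(self) -> bool:
        return self.high_alarm or self.low_alarm


def run(samples, **kwargs) -> AbsoluteAlarmBlock:
    """Drive a block through a list of PNT samples and return it for inspection."""
    block = AbsoluteAlarmBlock(**kwargs)
    for value in samples:
        block.update(value)
    return block


# Constructed trajectory: excursion, hover inside the deadband, clear, re-alarm
SAMPLES = [85.0, 91.0, 89.5, 87.0, 91.0]

if __name__ == "__main__":
    for status, inhopt in [(Status.ENABLED, 0), (Status.INHIBITED, 0),
                           (Status.INHIBITED, 1), (Status.DISABLED, 0)]:
        b = run(SAMPLES, status=status, inhopt=inhopt)
        print(f"{status.value:9} INHOPT={inhopt}: journal={b.journal} "
              f"manager={b.manager_messages} in_alarm={b.in_alarm}")
```

The 89.5 sample sits inside the deadband, so the HIGH alarm neither clears nor re-triggers there; only the drop to 87.0 returns it to normal.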

A.2. LONG HARBOUR SPECIFIC TERMS

Hold: The forcing of a controller output to a safe condition during the time a cause condition is active. This hold is maintained while the cause condition is active and does not generate an alarm.

Permissive: The prevention of starting a piece of equipment due to a cause condition that poses a risk to personnel, the environment, production or equipment. This prevention is maintained while the cause condition is active. Activation of this cause condition will however not stop the equipment if it is already running.

Assessment: When referring to the alarm management system, an assessment is a standard way to audit the alarm system and its agreement with the alarm management philosophy. It may be evident through assessment of the alarm management system and philosophy that modification is required to align with the operational needs of the plant.


APPENDIX B - SITE SPECIFIC ALARM DETECTION AND DISPLAY

B.1. COPPER CLIFF FOXBORO SYSTEM

B.1.1. ALARM PRESENTATION REQUIREMENTS

The operator user interface and its components will be designed to support and augment alarms by providing the console operators with good situational awareness and response capabilities. Some of the human factors that should be considered while designing effective operator interfaces are:

1. Systematic design of shape, color, and behavior to limit visual noise while enhancing the operator's ability in pattern recognition.

2. Multi-level hierarchical information (graphics, trends, online information) and navigation techniques (display hierarchy, annunciator keyboard, mouse) that allow intuitive and quick access to relevant data.

3. The interface requirements are oriented to operator tasks and account for operator requirements in both normal and upset conditions.

4. Provide comprehensive and integrated alarm indication, summary, and priority information to the appropriate level of detail for the various levels of information in the display hierarchy.

5. A standardized set of identifying terms, labels, and abbreviations will be used for all plant elements and other labels used for alarm information and notification.

6. Presentation of alarms on the annunciator keyboards.

B.1.2. ALARM MESSAGING

The following are attributes of a good alarm message:

1. Clear identification of the condition that has occurred
2. Use of terms familiar to the operator
3. Use of consistent terms and abbreviations from a standard site dictionary
4. A consistent message structure
5. Does not rely on memorization of tag names or numbers
6. Checked for usability during actual plant operation

In addition to the attributes listed above, Vale Inco requires that alarm messages are clearly defined and that there are no “blank” alarms. There will not be any alarm messages that contain only the tag name. In addition, Vale Inco requires that all alarm message abbreviations, acronyms, terms and text are consistent, and that all loop tags are consistent with ISA standards. Messages will be clearly defined indicating the correct alarm condition (for example: HIGH LEVEL for a high level alarm), and operators should not have to memorize the tag names and associated alarms for each flash furnace.

B.1.3. ALARM AUDIBILITY

Audible alarms are used to inform the operator of a particular alarm in the control system. Audible indication can be provided using external horns. Vale Inco requires that a unique annunciator tone shall be used for each flash furnace for alarms with priority levels 1, 2 and 3. The two unique tones will allow the operator to quickly identify and respond to the problem. The operator will also have the ability to silence audible alarms. Non-furnace area alarms will use an annunciator tone identical to the tone configured for Furnace #2.

B.1.4. PROCESS GRAPHICS

Process graphics may enhance the cognitive ability and the speed at which the operator can process the alarm information presented. The Vale Inco requirements for process graphics include:

1. Background of elements on process graphics will turn red when in alarm and will flash continuously when in an unacknowledged state.

2. Background of elements on process graphics will remain solid red after the condition has been acknowledged until the value returns to the normal operating range.

3. All text on the CAD will be black on a white background. When an alarm appears on the CAD, its colour will be dependent on the priority. Each alarm priority will be displayed with a unique color scheme on the CAD.

4. As with the process graphics, alarms on the CAD will flash while the alarm is in an unacknowledged state. Once acknowledged, the alarm color will remain solid until the value in alarm returns to the normal operating range.

5. Red will not be used exclusively for alarms on the process graphics (red may also be used to show equipment status).

B.1.5. DISPLAY NAVIGATION

Graphics will be updated as required to ensure that navigation between screens is intuitive and quick. Furthermore, Vale Inco requires that Priority 1, 2 and 3 alarms be sent to annunciator keyboards. By having priority 1, 2 and 3 alarms go to the annunciator keyboard, it will be easier for the operator to respond to alarms because the annunciator keyboard will take the operator directly to the appropriate process graphic that contains the alarm point.

B.1.6. ALARM ROUTING

One of the flexibilities of the Foxboro I/A system is that alarms can be grouped and these groups can be directed to a specific list of desired workstations, printers, or historians. Routing in the Foxboro I/A system is based on a group number from 1 to 8 for alarm device destination and distribution. Up to eight destination devices can be specified for each group between group number 1 and group number 3 by configuring the GRx and DVy parameters in the compound containing the block. Up to 16 destination devices can be specified for each group between group number 4 and group number 8 by configuring the GRx and DVy parameters of the station block for the station containing the block.

B.2. LONG HARBOUR SYSTEM

All notice, warning, critical and emergency priority alarms are displayed on the alarm summary screen and a scrolling alarm banner. The alarm summary screen has the ability to annunciate in chronological priority order, unacknowledged followed by acknowledged. All alarms can annunciate with a priority-defined horn. In addition to an alarm annunciated on the alarm summary screen, the DCS graphics will also indicate those control loops that are in alarm through alarm tiles on the associated graphic displays, with the associated priority color, alarm type and indication of acknowledgement. The alarm reason and suggested operator response to any alarm is available from the alarm summary screen by having access to the alarming control loop faceplate and associated graphic.

When set points are entered by an operator, the process limits will be the set point limits of the controller. By practicing this, operators cannot create an alarm condition by entering a set point higher/lower than the process would allow. Examples include AC Temp set points, EW separator vacuum set points, etc.

For Emergency priority gas and safety shower alarms there will be an external light indication on the plant floor in addition to DCS indications, so that plant floor personnel can respond quickly upon visual indication.

Operator acknowledgement of alarms can happen from a variety of interfaces. The faceplate, the alarm summary screen, and the primary control graphic will have the ability to acknowledge active alarms associated with that display. For investigation into the alarm, the operator has one-click access to the alarm history from the associated faceplate. The operator also has one-click access to the loop's real-time history trends and has the ability to create custom history trends with the desired points of interest.

For those miscellaneous operational events that require notification, the notification can be sent to the OMC. Through the OMC the operator can monitor or receive notification of desired process variables reaching a certain limit or after a specified time period. The operator will take corrective actions based on his or her understanding and experience with the process. The operator will also be able to access an "Alarm Reasons and Responses" (Alarm Help) faceplate from the alarm summary display or the control loop/indicator faceplate; this is a function of the Delta V version 11 software. With proper authority, operators can edit the fields of the Alarm Help faceplate. The editable fields will include the possible alarm reasons and the suggested operator responses, as these reasons and responses will become clearer throughout the plant's operation. The non-editable fields include the time in alarm, the time to respond and the consequence of no response.

All alarm reasons and responses are initially captured during the alarm rationalization exercise. The master alarm database will be from the software used during the rationalization process. This database will be exported and imported into the Delta V software during configuration of the control system. During the plant's operation phase the alarm configuration will be regularly exported and imported back into the alarm rationalization software so that any updates to the alarm reasons and responses by the operators can be captured. The alarm rationalization database will also be readily accessible to all plant management and staff via the business network where it will be stored.


APPENDIX C - SITE SPECIFIC ALARM PRIORITY SYSTEM

C.1. FOXBORO PRIORITY SYSTEM Five priority levels (Foxboro I/A priorities 1 through 5) will be used:

1. Priority 1: High where the consequences of abnormal events may be reasonably expected to lead to personnel injury, an environmental incident, equipment damage, or an unplanned unit shut down.

2. Priority 2: Medium where the consequences of abnormal events may be reasonably expected to lead to a significant unit upset or economic loss. There should not be a reasonable probability of personnel injury, environmental violation, equipment damage, or unplanned unit shutdown.

3. Priority 3: Low where the consequences of abnormal events are of relatively minor significance. Delayed operator response should not affect personnel safety, environmental performance, or continued unit operation.

4. Priority 4: Operator Messages which describe events that do not require operator action. These messages will be sent to a separate screen on the operator workstations.

5. Priority 5: Maintenance Alarms which require only action by Maintenance personnel and do not require Operator action. Maintenance alarms will be sent to an information screen on the Engineering workstations in the control room. Instrumentation personnel will check these messages daily and generate work orders for the appropriate trades. In addition, Priority 5 alarms will be sent to the operator workstations and the operator will be given the ability to filter all Priority 5 alarms.

All alarms will be sent to the Alarm Historian database.

C.2. LONG HARBOUR PRIORITY SYSTEM

Industry experts' best practice promotes assigning priorities to alarms in a logical and consistent manner. Every alarm created using this alarm management philosophy will follow these industry guidelines: each alarm priority will be assigned its own unique color that shall not represent anything else in the DCS displays. Four process alarm priorities have been defined, plus two display indication settings, one for maintenance messages and the second for silent event tracking. The priorities defined for Vale NL are given in Table 1 below. (Alarm colors may require updating during graphics development.)

Priority/Setting     Indication Color   Sound Indication   Auto Ack
Low Info Alert       BLUE               No sound           Yes
Medium Info Alert    YELLOW             No sound           Yes
Notice               PINK               No sound*          No
Warning              PURPLE             Wav file 1         No
Critical             ORANGE             Wav file 2         No
Emergency            RED                Wav file 3         No

Appendix Table 1: Priority Setting Display and Announcement Table

In order to have consistent alarm priorities that promote operator response and effectiveness, industry experts recommend the development of two important matrices: the Time to Respond Matrix and the Consequence of No Response Matrix.

Priority settings – Priority is the urgency placed on an alarm. Alarm priority settings are determined during the rationalization process through the time to respond and the consequence of no response matrices.

Notice priority – Alarms that are least critical and have the lowest priority. Operator response time is between 20 and 30 minutes.

Warning priority – Alarms that are of medium priority. Operator response time is between 10 and 20 minutes.

Critical priority – Alarms that are most critical and have the highest priority. Operator response time is less than 10 minutes.

Emergency priority – Alarms that require immediate operator action and have the highest priority. These alarms may signify the potential for Emergency Medical First Response or personnel evacuation. All Emergency priority alarms will include an on-screen popup to the operator. The HMI tool bar will have a distinctive indication of an active emergency alarm. There will also be an emergency alarm interactive graphic for operators to be immediately aware of where the emergency situation is occurring.

Another priority setting has been defined for information alerts. This priority has been split into two settings, though neither setting will be announced as an alarm to the operator.

Information Alert – This priority will be used when it is required to track events but not produce operational alarms on these events. This priority has two settings, and each setting has a different color indication that indicates the associated changes in control actions.

Medium Alert – This alert type will display on the operator graphics in the alarm tile and on the module's faceplate. This priority will signify that equipment has potentially disabled alarms and/or interlocks. Bypasses, out-of-service and calibration/maintenance alerts use this priority. This alert is used to remind the operator of the "out of normal" operation of a piece of equipment or instrument.

Low Alert – This alert type will display on the operator graphics in the alarm tile and on the module's faceplate. Transmitter faulty IO alerts use this priority. These alerts will be alarmed at the maintenance stations throughout the plant, where maintenance or control system personnel will have the responsibility of troubleshooting the alert. This alert will also be used for displaying information needed by operators before they engage control actions on various pieces of equipment. For example, a sump pump will display the low alert on its graphic and faceplate where a potential destination tank is at a high level.

There are also some predefined settings for priorities that relate to particular alarms; these are applied as general rules and have not been evaluated based on response time, due to their particular details. (This section will be expanded in the next revision.)

Interlock Alarm – This alarm is set as a Warning Priority, which will sound a horn for the operator. Interlocks in general put the plant in a safe state, and therefore corrective action has already been taken; it is the operator's responsibility to investigate the interlock for an explanation of its occurrence before putting the process back online.

Fail Alarm – This alarm is set as a Warning Priority, which will sound a horn for the operator. Fail Alarms in general notify the operator that a control request failed to complete. It is the operator's responsibility to investigate the failed control action for an explanation of its occurrence before putting the process back online.

C.3. ADDITIONAL SITE SPECIFIC PRIORITY TABLES

Operator Response   Maximum Time to Respond
Extended            >30 minutes
Shortly             20 to 30 minutes
Promptly            10 to 20 minutes
Rapidly             <10 minutes
Emergency           Immediate Response

Appendix Table 4: Operator Response Time Matrix (all plants)
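An added example (not part of this guideline or of the site's software) of the automated audit of a master alarm database that the performance-level table calls for, applied to the Long Harbour rules above: Table 1 colours, the C.2 priority bands read against the Table 4 response times, the B.1.2 rule against tag-only messages, and the B.2 requirement that alarm reason and response are captured at rationalization. The CSV column layout, the sample records and the exact band boundaries are assumptions.

```python
import csv
import io
from typing import Dict, List, Optional

# Appendix Table 1 as stated on the page (colour, sound, auto-ack)
PRIORITY_TABLE: Dict[str, Dict[str, object]] = {
    "Low Info Alert":    {"color": "BLUE",   "sound": "No sound",   "auto_ack": True},
    "Medium Info Alert": {"color": "YELLOW", "sound": "No sound",   "auto_ack": True},
    "Notice":            {"color": "PINK",   "sound": "No sound",   "auto_ack": False},
    "Warning":           {"color": "PURPLE", "sound": "Wav file 1", "auto_ack": False},
    "Critical":          {"color": "ORANGE", "sound": "Wav file 2", "auto_ack": False},
    "Emergency":         {"color": "RED",    "sound": "Wav file 3", "auto_ack": False},
}
INFO_ALERTS = ("Low Info Alert", "Medium Info Alert")   # never announced as alarms


def priority_for_response_time(minutes: float) -> Optional[str]:
    """C.2: priority follows the maximum time to respond (Table 4 bands).

    The page does not fix the boundaries at exactly 10, 20 and 30 minutes;
    the half-open intervals here are an assumption.  'Extended' (>30 min)
    has no operator alarm priority on the page, so None is returned.
    """
    if minutes <= 0:
        return "Emergency"      # Immediate Response
    if minutes < 10:
        return "Critical"       # Rapidly
    if minutes < 20:
        return "Warning"        # Promptly
    if minutes <= 30:
        return "Notice"         # Shortly
    return None                 # Extended: candidate for a non-alarm / info alert


def audit_record(rec: Dict[str, str]) -> List[str]:
    """Return the rule violations for one master alarm database record."""
    findings: List[str] = []
    tag, msg, prio = rec["tag"], rec["message"].strip(), rec["priority"]
    # B.1.2: no blank alarms and no message that is only the tag name
    if not msg or msg == tag:
        findings.append("tag-only or blank message")
    # Table 1: priority must be one the site defines, shown in its own colour
    attrs = PRIORITY_TABLE.get(prio)
    if attrs is None:
        findings.append(f"unknown priority '{prio}'")
    elif rec["color"] != attrs["color"]:
        findings.append(f"color {rec['color']} is not the {prio} color {attrs['color']}")
    # C.2: configured priority must agree with the rationalized time to respond
    expected = priority_for_response_time(float(rec["time_to_respond_min"]))
    if prio not in INFO_ALERTS and expected != prio:
        findings.append(f"priority {prio} disagrees with time to respond "
                        f"({rec['time_to_respond_min']} min -> {expected})")
    # B.2: alarm reason and operator response are captured during rationalization
    if not rec["reason"].strip() or not rec["response"].strip():
        findings.append("missing alarm reason or operator response")
    return findings


def audit(csv_text: str) -> Dict[str, List[str]]:
    """Audit every record; return {tag: [findings]} for records with findings."""
    report: Dict[str, List[str]] = {}
    for rec in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_record(rec)
        if findings:
            report[rec["tag"]] = findings
    return report


# Constructed export with an assumed column layout; not data from the page
SAMPLE_EXPORT = """tag,message,priority,color,time_to_respond_min,reason,response
LIC-101,HIGH LEVEL,Warning,PURPLE,15,Feed valve stuck open,Close feed valve
PIC-205,HIGH PRESSURE,Critical,ORANGE,5,Relief path blocked,Open bypass
TT-310,TT-310,Notice,PINK,25,,Check transmitter
AIT-400,TOXIC GAS DETECTED,Emergency,RED,0,Gas release,Evacuate area
FIC-120,LOW FLOW,Warning,RED,25,Pump trip,Restart pump
"""

if __name__ == "__main__":
    for tag, problems in audit(SAMPLE_EXPORT).items():
        print(tag, "->", "; ".join(problems))
```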

Consequence level: Minor / Major / Severe

Safety
Minor: First Aid - No disability or Lost Time Injury (LTI)
Major: Minor Injury - (No LTI)
Severe: LTI

Environment
Minor: Contained Release – tank overflow within bounded area, no immediately harmful solutions or temperatures
Major: Contained Release – tank overflow within bounded area, hot temperatures
Severe: Reportable Uncontained Release – tank overflow within a bounded area, immediately harmful solutions

Downtime / Production Loss / Financial
Minor: Slowdown/Disruption or less than $50,000 cost
Major: Shutdown unit operations / product quality damage / Between $50,000 and $500,000 cost
Severe: Shutdown multiple unit operations / Greater than $500,000

Appendix Table 5: Consequence of No Action Level Matrix Long Harbour

Impact and Severity Definitions (Severity: None / Minor / Moderate / Major / Catastrophic)

Health & Safety
None: No Injuries
Minor: First aid; no lost time
Moderate: Medical Treatment; modified work but no lost time
Major: Extensive injuries; lost time but will eventually return to work
Catastrophic: Permanent disability or fatality; no return to work

Environment
None: No Injuries
Minor: Workplace; spill contained to specific work area
Moderate: Level 1; spill contained to the building
Major: Level 2; spill contained to the plant
Catastrophic: Level 3; spill that impacts the community

Cost
None: No Injuries
Minor: <$100K and/or minor equipment damage; 1 furnace down for 1 hour
Moderate: >$100K and <$1MM and/or equipment damage; 1 furnace down for 1 shift
Major: >$1MM and <$10MM and/or significant equipment damage; 1 furnace down for 1 week
Catastrophic: >$10MM and/or facility loss/plant shutdown; 2 furnaces down for 24 hours or longer

Appendix Table 5: Consequence of No Action Level Matrix Copper Cliff

Priority Level                           Target Maximum Occurrence Rate
High (Priority 1)                        Less than or equal to 6 per hour
Medium (Priority 2), Low (Priority 3)    Less than 150 per day

Appendix Table 6: Copper Cliff Requirements for Target Maximum Occurrence Rate

APPENDIX D - SITE SPECIFIC RATIONALIZATION PROCESS

D.1. TEAM AND PROCESS RATIONALIZATION REQUIREMENTS AT COPPER CLIFF

The rationalization team should consist of a facilitator, at least one knowledgeable process operator, a process engineer, and a control engineer or specialist. Other stakeholders with knowledge of the process unit, its operation, hazards, and the alarm philosophy shall participate as needed. A minimum of two Vale Inco employees and a facilitator from Invensys will form the rationalization team. At least one team member will be an experienced Flash Furnace DCS control room operator; the second team member may be a DCS operator or a representative from Process Technology, Instrumentation, Mechanical Engineering, DCS, Combustion, Electrical, ERP (environmental), API, area management (superintendent) or OSHE. Other representatives from these departments will be consulted as necessary. All rationalization team members shall be rotated as necessary to maximize the efficiency of the rationalization process.

Rationalization is accomplished by evaluating every point in the system on an individual basis using the P&IDs as a guide. The first step is to determine if an alarm is needed. If an alarm is needed, an appropriate activation point and priority is established. The results are documented as the team goes through the rationalization process using a checklist or other appropriate database. The rationalization process may be streamlined by developing alarm templates. Templates used for the rationalization process at Vale Inco will be designed and reviewed by personnel from Operations Management, Process Technology, Environment, Instrumentation, OSHE and Invensys.

D.2. VENDOR ALARM INPUT POLICY AT LONG HARBOUR

The commercial plant has many vendor equipment packages. Each vendor is required to provide a rationalized alarm and event list. Vale shall use the vendor alarm list for importing into the Delta V software during commissioning. Throughout the plant operation, vendor alarms will require rationalizing to ensure they meet the Vale alarm configuration guidelines within the alarm philosophy.

APPENDIX E - SITE SPECIFIC ALARM CONFIGURATION GUIDELINES

E.1. CONFIGURATION AT COPPER CLIFF


The following guidelines will be followed in the alarm configuration process at Vale Copper Cliff:

1. The master alarm database will reside in the PSS software.

2. If the current functionality includes having both high and high-high alarms or both low and low-low alarms generated for start permissive or equipment trip conditions, consideration must be given to determine if it is necessary to have both alarms presented to the operator for the same process variable. Furthermore, both alarms may have different responses from the operator. Alarms that do not require the operator to take a defined response should be eliminated.

3. Consideration should be given to the idea that pre-alarms may need to be at a higher priority than the trip point because once the trip point has been reached, there is little that the operator can do.

4. One of the challenges will be to maintain the integrity of the database. The existing operator log will be used to communicate status of alarm system and track alarm setting changes, and the current MOC process will be used to document and implement database changes.
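An added example, not from this guideline or the PSS software, that produces the alarm metrics the performance-level table asks for from an alarm journal export, checks them against the Appendix Table 6 targets for Copper Cliff (Priority 1 at most 6 per hour; Priority 2 and 3 fewer than 150 per day), and ranks the bad actors that the analysis step is meant to resolve. The journal line format and the sample lines are constructed assumptions, not the Foxboro journal format.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple


class AlarmEvent(NamedTuple):
    when: datetime
    priority: int
    tag: str
    message: str


def parse_journal(lines: List[str]) -> List[AlarmEvent]:
    """Parse assumed 'YYYY-MM-DD HH:MM:SS Pn TAG MESSAGE' lines; skip malformed ones."""
    events: List[AlarmEvent] = []
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) < 5 or not parts[2].startswith("P"):
            continue
        try:
            when = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
            priority = int(parts[2][1:])
        except ValueError:
            continue
        events.append(AlarmEvent(when, priority, parts[3], parts[4]))
    return events


P1_PER_HOUR_MAX = 6       # Appendix Table 6: less than or equal to 6 per hour
P2_P3_PER_DAY_MAX = 150   # Appendix Table 6: less than 150 per day


def rate_exceedances(events: List[AlarmEvent]) -> Dict[str, Dict[str, int]]:
    """Return the hourly / daily buckets that breach the Table 6 targets."""
    p1_hourly = Counter(e.when.strftime("%Y-%m-%d %H:00")
                        for e in events if e.priority == 1)
    p23_daily = Counter(e.when.strftime("%Y-%m-%d")
                        for e in events if e.priority in (2, 3))
    return {
        "p1_hours_over": {h: n for h, n in p1_hourly.items() if n > P1_PER_HOUR_MAX},
        "p23_days_over": {d: n for d, n in p23_daily.items() if n >= P2_P3_PER_DAY_MAX},
    }


def bad_actors(events: List[AlarmEvent], top: int = 3) -> List[Tuple[str, int, float]]:
    """Tags contributing the most alarms, with each tag's share of the total (%)."""
    counts = Counter(e.tag for e in events)
    total = sum(counts.values()) or 1
    return [(tag, n, round(100.0 * n / total, 1)) for tag, n in counts.most_common(top)]


# Constructed journal: one chattering Priority 1 point plus a few normal alarms
JOURNAL = [f"2013-06-25 08:{m:02d}:00 P1 TIC-101 HIGH TEMP" for m in range(0, 40, 5)]
JOURNAL += [
    "2013-06-25 08:12:30 P2 LIC-205 HIGH LEVEL",
    "2013-06-25 09:03:10 P1 PIC-301 HIGH PRESSURE",
    "2013-06-25 09:40:00 P3 FIC-120 LOW FLOW",
    "not a journal line",                       # malformed, skipped by the parser
]

if __name__ == "__main__":
    events = parse_journal(JOURNAL)
    print("exceedances:", rate_exceedances(events))
    for tag, n, share in bad_actors(events):
        print(f"{tag}: {n} alarms ({share}% of total)")
```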

E.2. CONFIGURATION AT LONG HARBOUR

The items below should always be applied where the situation exists.

The goal of the alarm system is to help the operator mitigate undesired situations within the plant. The use of pre-alarms is encouraged where the operator actions differ in the pre-alarm condition and the response time for the pre-alarm condition is sufficient to respond and take corrective action.

In general, and where possible, emergency or critical priority alarms should have a pre-alarm to allow the operator to take corrective action earlier.

If there is no instrument within a module then the faulty IO alarm should not be enabled. Rationalization will determine if the event should be an alarm and be directed to the operator station otherwise the event is transferred to the maintenance station.

No alarms will be generated on associated loops or devices of a locked out piece of equipment, but there will be an on screen indication of a maintenance lockout and the associated equipment will be unable to be started remotely.

An instrument being placed out of service while being calibrated should not activate interlocks and alarms related to the control loop. An “out of service” message should be seen on the Operator message center.

Any equipment running, whether in maintenance or remote mode, is considered running in the DCS.

Alarming should be state based where the equipment operates in multiple modes.

In batch-operated systems a tank is expected to be fed or discharged until certain high or low levels are reached; no alarming is necessary because this is part of the system's normal operation. This type of process may require a sequence that can be displayed on the DCS. For normal operating sequences of equipment, the surrounding alarms must be reviewed for false alarming possibilities. Be sure to document any steps of the sequence where alarm settings require change during rationalization.
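The lockout, out-of-service and state-based rules above can be expressed as a single evaluation pass that runs before any condition is annunciated. The following is an added example, not code from this guideline or from Vale's DCS; the tags (TK-101, LT-101 HI, P-101), the operating modes and the message texts are constructed for illustration, and the raw alarm condition is assumed to be computed elsewhere.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    """Operating states of a piece of equipment (constructed for this example)."""
    STOPPED = "stopped"
    RUNNING = "running"
    BATCH_FILLING = "batch_filling"  # tank is fed until its high level is reached


@dataclass
class Equipment:
    tag: str
    mode: Mode
    control_mode: str = "remote"       # "remote" or "maintenance" control
    maintenance_lockout: bool = False  # locked out by maintenance


@dataclass
class AlarmPoint:
    tag: str                      # alarm tag, e.g. the constructed "LT-101 HI"
    equipment: str                # tag of the parent equipment
    enabled_in: frozenset         # modes in which the alarm applies (state-based alarming)
    out_of_service: bool = False  # instrument isolated for calibration


def is_running(eq: Equipment) -> bool:
    """Equipment running in either maintenance or remote mode counts as running in the DCS."""
    return eq.mode is not Mode.STOPPED


def remote_start_permitted(eq: Equipment) -> bool:
    """A locked-out piece of equipment cannot be started remotely."""
    return not eq.maintenance_lockout


def evaluate_alarm(point: AlarmPoint, eq: Equipment, condition: bool):
    """Decide whether a raw alarm condition (e.g. PV above limit, computed elsewhere)
    is annunciated to the operator.  Returns (annunciate, operator_message)."""
    if eq.maintenance_lockout:
        # No alarms on loops/devices of locked-out equipment; show the lockout instead.
        return False, f"{eq.tag}: MAINTENANCE LOCKOUT"
    if point.out_of_service:
        # Calibration in progress: alarms and interlocks on the loop are not acted on.
        return False, f"{point.tag}: OUT OF SERVICE"
    if eq.mode not in point.enabled_in:
        # Alarm is not applicable in this operating state (state-based alarming).
        return False, None
    if condition:
        return True, f"{point.tag}: ALARM"
    return False, None


def evaluate_all(points, equipment_by_tag, conditions):
    """Evaluate every alarm point.  Returns (active alarm tags, de-duplicated
    messages for the operator message center)."""
    active, messages = [], []
    for point in points:
        eq = equipment_by_tag[point.equipment]
        annunciate, msg = evaluate_alarm(point, eq, conditions.get(point.tag, False))
        if annunciate:
            active.append(point.tag)
        if msg and msg not in messages:
            messages.append(msg)
    return active, messages


if __name__ == "__main__":
    # Constructed scenario: a high-level alarm that is normal during a batch fill.
    tank = Equipment("TK-101", Mode.BATCH_FILLING)
    hi = AlarmPoint("LT-101 HI", "TK-101", frozenset({Mode.RUNNING, Mode.STOPPED}))
    print(evaluate_all([hi], {"TK-101": tank}, {"LT-101 HI": True}))
```

The order of the checks matters: the lockout test comes first so that a locked-out unit never produces loop alarms regardless of instrument status, and the state-based test comes last so that a suppressed condition during a batch fill leaves no message behind, matching the intent that such a condition is normal operation rather than something to be silenced.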

All redundant equipment must have alarms configured so that when one unit is running the other is not in alarm. This configuration should still allow both units to operate at the same time and produce an interlock alarm if one of them is interlocked for some reason.

In situations where a parent-child relationship exists, the alarm indication should be on the best indicator of the situation's root cause. If an interlock occurs, the interlock with the associated first-out would be the best indicator of the root cause.

It is Vale's plan to update this section throughout the plant lifecycle to include configuration guidelines for specific alarm types, including but not limited to:

o Flammable and toxic gas priorities

o Safety shower and eye wash station activations

o External device health and status alarms

o ESD shutdowns and bypass alarms

All options described below are methods of dealing with an alarm problem identified through rationalization or analysis. Methods are implemented on a case-by-case basis.

When the feed or discharge to a loop is stopped (i.e. the pump is off), the loop can silence any low flow, low level, or high level alarms that were annunciated before the feed or discharge stopped. The same rules can apply to heat exchangers, pressure transmitters, etc.

The plant standard is to generate an alarm in a redundant pump set when both pumps have been running for a set amount of time.

If set points are expected to change regularly, or it is preferred to keep the process variable within a range of the set point, then set point deviation alarms should be used on the loop.

Flows that regularly plug can have a plug alarm set up on them. This plug alarm should be based on the current set point and output compared with their values a defined time period earlier. If the set point is unchanged and the output has increased by more than an agreed percentage, the alarm annunciates to warn the operator of plugging.

It is preferred to have percent high or low deviation alarms on flow set points instead of high and low flow alarms. Where a pump needs to stop on a low-low flow, there should be an interlock.

Level indications can have a rate-of-change alarm that draws attention to a potential problem. The operator can enter a desired set point for the level indication on which to base the rate of change.
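The five techniques above (silencing loop alarms when the feed pump stops, the both-pumps-running timer, percent deviation alarms, the plug alarm, and the level rate-of-change alarm) are small pieces of logic that can be checked against sample data before they are configured in the DCS. The following is an added example, not code from this guideline or from any DCS vendor; the window lengths, percentages and sample values are constructed, and the plug alarm assumes controller output is expressed in percent (0-100), so the "decided percentage" is taken as a rise in output percentage points over the comparison window.

```python
from collections import deque


def feed_stopped_filter(pump_running: bool, candidate_alarms):
    """When the feed/discharge pump is off, low flow, low level and high level
    alarms on the loop are silenced; any other alarm passes through unchanged."""
    silenced_when_stopped = {"LO FLOW", "LO LEVEL", "HI LEVEL"}
    if pump_running:
        return list(candidate_alarms)
    return [a for a in candidate_alarms if a not in silenced_when_stopped]


class RedundantPumpMonitor:
    """Alarm when both pumps of a redundant set have been running together for
    at least limit_s seconds (the plant standard described above)."""

    def __init__(self, limit_s: float):
        self.limit_s = limit_s
        self.both_since = None  # time both pumps were first seen running together

    def update(self, t: float, pump_a_running: bool, pump_b_running: bool) -> bool:
        if not (pump_a_running and pump_b_running):
            self.both_since = None  # timer resets as soon as one pump stops
            return False
        if self.both_since is None:
            self.both_since = t
        return (t - self.both_since) >= self.limit_s


def deviation_alarm(pv: float, sp: float, hi_pct: float, lo_pct: float):
    """Percent deviation alarm on a flow loop: 'HI DEV' when PV exceeds SP by more
    than hi_pct percent, 'LO DEV' when it falls short by more than lo_pct percent,
    otherwise None."""
    if sp == 0:
        return None  # a percentage of a zero set point is meaningless
    dev_pct = (pv - sp) / abs(sp) * 100.0
    if dev_pct > hi_pct:
        return "HI DEV"
    if dev_pct < -lo_pct:
        return "LO DEV"
    return None


class PlugDetector:
    """Plug alarm: compare the current set point and controller output (0-100 %)
    with their values period_s seconds ago.  If the set point is unchanged and the
    output has risen by more than rise_pct percentage points, the line is likely
    plugging (assumed interpretation of the guideline's 'decided percentage')."""

    def __init__(self, period_s: float, rise_pct: float):
        self.period_s = period_s
        self.rise_pct = rise_pct
        self.history = deque()  # (t, sp, output) samples, oldest first

    def update(self, t: float, sp: float, output: float) -> bool:
        self.history.append((t, sp, output))
        # Keep the oldest sample that is at least period_s old as history[0].
        while len(self.history) > 1 and self.history[1][0] <= t - self.period_s:
            self.history.popleft()
        t0, sp0, out0 = self.history[0]
        if t - t0 < self.period_s:
            return False  # not enough history to compare yet
        return sp == sp0 and (output - out0) > self.rise_pct


def rate_of_change_alarm(prev_level, prev_t, level, t, limit_per_min) -> bool:
    """Level rate-of-change alarm: limit_per_min is the operator-entered allowed
    change in level units per minute; alarm when the observed rate between two
    samples exceeds it in either direction."""
    dt_min = (t - prev_t) / 60.0
    if dt_min <= 0:
        return False  # no elapsed time, no rate
    return abs(level - prev_level) / dt_min > limit_per_min


if __name__ == "__main__":
    # Constructed walk-through of the plug detector with a 60 s window and 10 % rise.
    plug = PlugDetector(period_s=60, rise_pct=10)
    for t, sp, out in [(0, 50, 40), (30, 50, 42), (60, 50, 45), (90, 50, 52), (120, 50, 56)]:
        print(t, plug.update(t, sp, out))
```

Each routine is deliberately stateless or carries only the state it needs (a deque for the plug window, a timestamp for the both-pumps timer), so it maps directly onto the function-block style of most DCS platforms and can be exercised with recorded historian data during rationalization to estimate how often each alarm would have fired.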


10.0 APPENDICES

Appendix A: Revision and Transition Notes
Appendix B: Keywords

Appendix A: Revision and Transition Notes

(Revisions are listed in reverse chronological order, with the most recent revision at the top. Revision notes describe what was changed, why it was changed, and the plan to implement the change, including whether changes are retroactive.)

Revision 1: 1st Issue

Appendix B: Keywords