ENGINEERING GUIDELINE (North Atlantic)
TITLE: PROCESS AUTOMATION GUIDELINE FOR PROPER IMPLEMENTATION OF PLANT ALARM SYSTEMS: BEST PRACTICES FOR ALARM MANAGEMENT
VALE # GUID-84012
PAGE 1/43
REV. 1
REVISIONS
Rev 1: 1ST ISSUE
Rev'n by: GS, 2012/11/23
App Sud: PC, 2012/12/03
App PC: Pending
App Thom: Pending
App VB: Pending
App LH: Pending
App Clyd: Pending
App Act: Pending
Issue Date (YYYY/MM/DD): 2013/06/25
Sud = Sudbury, Ontario; PC = Port Colborne; Thom = Thompson, Manitoba; VB = Voisey's Bay; LH = Long Harbour; Act = Acton, England; Clyd = Clydach, Wales; N/A = Not Applicable
1.0 PURPOSE
The purpose of this document is to establish uniform criteria for process alarm management in order to promote the safe and efficient operation of large processes. In addition, this document governs the Documentation & Rationalization (D&R) process and serves as a long-term guide for alarm system improvement and maintenance. The concepts presented in this document will improve Vale's ability to:
1. Improve the status of the existing alarm system
2. Improve process reliability, safety and environmental performance
3. Reduce operator distraction and confusion during abnormal situations
4. Reduce the number and, ultimately, the costs of abnormal situations
5. Establish consistent expectations for the alarm requirements of new projects
Implementation of this Alarm Philosophy should provide:
1. More useful and meaningful alarms presented to operating personnel
2. Improved operator response to abnormal conditions
3. Improved equipment reliability, availability, and safety
4. More consistent development, review, and documentation of new and revised alarms
Moreover, this philosophy establishes criteria for the appropriate configuration of alarm systems to improve their overall functionality. This improvement initiative is expected to reduce the number of alarms, eliminate redundant and nuisance alarms, and properly prioritize alarms.
2.0 APPLICATION
This guideline applies at every Vale location indicated with approval on the cover page, with the following exceptions:
2.1 EXCEPTIONS
None
3.0 SCOPE
This document outlines the following key topics:
1. The core philosophies, the definition of an alarm system, and identification of the key elements and alarm design principles
2. Detailed alarm configuration guidelines
3. Methods to maintain the integrity of the alarm system through change management, knowledge management, training, alarm system performance, and lifecycle maintenance
4. Key performance measures for alarm systems to be monitored on an ongoing basis, and benchmarks for these key performance indicators
5. Personnel requirements and alarm management solutions
6. Guidelines for the definition, implementation, and modification of alarms
7. Alarm selection, priority setting and configuration
Due to the large number of different control systems and strategies in use throughout the Vale Nickel Business, each area must apply these recommendations within its own context. Plant-specific requirements are identified in the Appendices at the end of this document. This document is intended for use by the process control personnel responsible for implementing and managing alarm systems.
TABLE OF CONTENTS
1. PURPOSE 1
2. SCOPE 1
3. REFERENCES 4
4. DEFINITION OF TERMS 5
5. ALARM DEFINITION AND DESIGN 7
5.1. DEFINITION AND PURPOSE OF ALARMS 7
5.2. ALARM DESIGN PHILOSOPHY 7
5.2.1. CORE PHILOSOPHY 7
5.2.2. ALARM CREATION 8
5.2.2.1. ROOT CAUSE INDICATION 8
5.2.2.2. ABNORMAL OPERATION 8
5.2.2.3. ALARM STATES 8
5.2.3. ALARM LIFECYCLE 9
5.2.4. ALARM DETECTION AND DISPLAY 9
5.2.5. SUMMARY OF DESIGN PHILOSOPHY 10
6. PRIORITY DESIGN FOR ALARMS 10
6.1. JUSTIFICATION FOR PRIORITY ALARMS 10
6.2. BASIC DESIGN OF PRIORITY SYSTEM 10
6.3. ESTABLISHING ALARM PRIORITY 11
6.4. ALARM PRIORITY DISTRIBUTION 12
6.5. ALARM FREQUENCY REQUIREMENTS 12
6.6. ALARM AND EVENT DESCRIPTORS 13
7. SETTING ALARM LIMITS 14
8. RATIONALIZATION ANALYSIS OF ALARMS 15
8.1. PROCEDURAL STEPS FOR RATIONALIZATION PROCESS 16
9. ALARMING PROBLEMS 16
9.1. TYPES OF "BAD ACTOR" ALARMS 17
9.2. ALARM PROBLEM SOLVING METHODS 17
10. MEASURING ALARM SYSTEM PERFORMANCE 19
10.1. PERFORMANCE TIMELINE 19
10.2. KEY PERFORMANCE INDICATORS 20
10.3. REPORT OF ALARM SYSTEM PERFORMANCE 20
11. MANAGEMENT OF CHANGE 20
12. PERSONNEL TRAINING 21
APPENDIX A - PLANT/SYSTEM SPECIFIC TERMS 22
A.1. FOXBORO I/A SPECIFIC TERMS 23
A.2. LONG HARBOUR SPECIFIC TERMS 23
APPENDIX B - SITE SPECIFIC ALARM DETECTION AND DISPLAY 23
B.1. COPPER CLIFF FOXBORO SYSTEM 23
B.1.1. ALARM PRESENTATION REQUIREMENTS 23
B.1.2. ALARM MESSAGING 23
B.1.3. ALARM AUDIBILITY 24
B.1.4. PROCESS GRAPHICS 24
B.1.5. DISPLAY NAVIGATION 24
B.1.6. ALARM ROUTING 25
B.2. LONG HARBOUR SYSTEM 25
APPENDIX C - SITE SPECIFIC ALARM PRIORITY SYSTEM 26
C.1. FOXBORO PRIORITY SYSTEM 26
C.2. LONG HARBOUR PRIORITY SYSTEM 26
C.3. ADDITIONAL SITE SPECIFIC PRIORITY SYSTEM 28
APPENDIX D - SITE SPECIFIC RATIONALIZATION PROCESS 29
D.1. TEAM AND PROCESS RATIONALIZATION AT COPPER CLIFF 30
D.2. VENDOR ALARM INPUT POLICY AT LONG HARBOUR 30
APPENDIX E - SITE SPECIFIC ALARM CONFIGURATION GUIDELINES 30
E.1. CONFIGURATION AT COPPER CLIFF 30
E.2. CONFIGURATION AT LONG HARBOUR 30
4.0 REFERENCES
This section lists the documents, standards and guidelines followed when preparing this Alarm Management Philosophy Document.
o EEMUA (Engineering Equipment and Materials Users Association), Publication 191, Alarm Systems: A Guide to Design, Management, and Procurement
o ISA (International Society of Automation), ISA-18.2, Management of Alarm Systems for the Process Industries
o PAS (independent alarm management company), The Alarm Management Handbook
o PAS Alarm Philosophy Recommendations, Vale Document # 69-010-705-JRT-1001
The alarm philosophy presented in this document is based on a combination of a development workshop between Vale Inco and Invensys and the recommended best practices of process control associations such as ISA, EEMUA, ASM and NAMUR, and of other industry experts such as Matrikon and PAS.
5.0 DEFINITION OF TERMS
Term/Acronym: Description
AIN block: Analog input block
Alarm Groups: A number between 1 and 8 that can be assigned to each alarm. Each number designation can be associated with the desired set of alarm destination devices
Chattering Alarms: Alarms that transition into and out of alarm in a short period of time (sometimes with no action by the operator)
Compound: Unique identifier for a collection of related blocks
Consequential Alarms: Multiple alarms from the same event, which tell the operator the same thing in different ways
CAD: Current Alarm Display; a basic display showing alarm priorities, the time each alarm activated and alarm descriptions
Duplicate Alarms: Alarms that persistently occur within a short period of other alarms (e.g. within one second)
D&R: Documentation and Rationalization; the process by which alarms are evaluated to determine their need to exist, priority, activation points and the summary of information needed for understanding and management
EEMUA: Engineering Equipment and Materials Users Association
First Out: Initiating trip in a series of events
GCIO: Graphics Control Input/Output Module
HAZOP: Hazard and Operability Study
HMI: The Human Machine Interface is the interface to the control of the devices, instruments and equipment within the plant. It is through the HMI that the control room operator can "see" what is happening with the process and take corrective action to keep the plant operating in a safe state.
Interlock: The shutdown (or start prevention) of a piece of equipment due to a condition that poses a risk to personnel, the environment, production or equipment; the interlock is maintained while the causing condition is active
Node: Group of workstations and processor modules used to segregate different areas of the plant
Operator Area: Area of the plant which the operator controls/is responsible for
OMC: The Operator Message Centre is a software tool intended to ease shift information transfer between shift operators, supervisors and other plant personnel, such as maintenance, management and process teams.
OSHE: Occupational Safety, Health, Environment
PIDA Block: Proportional, Integral, Derivative controller block
PSS: Plant State Suite; the software tool used during the D&R process, which stores the master alarm database
REALM Block: Alarm block that allows the plant to configure alarms or trips independent of input/output blocks or controller blocks
State Alarms: Alarms that continuously remain in the alarm state for an extended period (e.g. 24 hours)
Start Permissive: Condition(s) that must be satisfied in order to manipulate (start, open, close) a component
Station Block: Unique block for each Control Processor that allows one to configure specific alarm group devices for specific groups
Trip: Condition(s) that places a component in a zero-energy state or predetermined safe condition (usually off or closed)
Alarm Activation Point: The point at which an alarm is triggered; it must allow the operator sufficient time to manage the alarm
Alarm Flood: The situation where more alarms are received than can be physically addressed by the operator
Refer to Appendix A for a list of Foxboro I/A specific definitions.
6.0 ALARM DEFINITION AND DESIGN
6.1. DEFINITION AND PURPOSE OF ALARMS
Alarms are signals annunciated to the operator, typically by an audible indication, by a form of visual indication (usually colours and flashing), and by the presentation of a message or an identifier. An alarm indicates a problem that requires operator action, and is generally initiated by a process measurement passing a defined alarm setting as it approaches an undesirable or potentially unsafe value. Alarm systems are a very important way of automatically monitoring plant conditions and attracting the attention of the plant operator to significant changes that require assessment or action. In terms of operator support, alarms serve:
1. To maintain the plant within a safe operating envelope. A good alarm system helps the operator to correct situations before the process or safety interlocks are forced to intervene. This improves plant availability.
2. To recognize and act to avoid hazardous situations. It is the role of the process and safety interlocks to intervene before a hazard arises. Also there may be cases where operator action following an alarm has been explicitly identified within the plant safety procedures as a measure of protection.
3. To identify deviations from desired operating conditions that could lead to financial loss such as: loss of production capacity, and environmental exceedances.
4. To better understand complex process conditions. Alarms should be an important diagnostic tool, and are one of several sources of information that an operator uses during an upset.
The "alarm system" refers to the complete system for generation and handling of alarms, including field equipment, signal conditioning and transmission, alarm processing and alarm display. It also includes hardware, software, and supporting information (e.g. alarm response procedures, management controls).
6.2. ALARM DESIGN PHILOSOPHY
6.2.1. CORE PHILOSOPHY
There are four core philosophies related to alarm systems:
1. The main purpose of alarms is to provide the operator with enough information to correctly select among multiple alarms and to guide the operator in resolving the situation. Therefore, alarm systems should be designed to meet the operator's needs and operate within the operator's capabilities. This means that the information alarm systems present should:
i. Be relevant to the operator’s role at the time
ii. Be easy to understand
iii. Indicate clearly what response is required
iv. Be presented at a rate that the operator can effectively manage
2. The contribution of the alarm system to protecting the safety of people, the environment, and the plant equipment should be clearly identified. Any claims made for operator action in response to alarms should be based upon sound human performance data and principles.
3. The performance of the alarm system should be assessed during design and commissioning to ensure that it is usable and effective under all operating conditions. Regular auditing should be continued throughout the life of the plant to ensure that good performance is maintained. Alarm management personnel should be assigned to the task of supervising, maintaining, and organizing the alarm system.
4. Alarm systems should be engineered to appropriate industry-recognized standards. When new alarm systems are developed (or existing systems are modified), the design should follow a structured methodology in which every alarm is justified and properly engineered. The initial investment in system design should be sufficient to appropriately manage the operational problems, and the safety, environmental and financial risks that often arise and result in overall higher lifetime costs. Strategies should be chosen to ensure that alarm systems are engineered to good standards.
6.2.2. ALARM CREATION
Knowing when to create an alarm, and when not to, is a fundamental part of alarm management. Only events that require action should generate alarms. Events that do not require operator action will be presented to the operator through HMI graphic displays. Alarms are always created for the benefit of the operator. An alarm should be created regardless of any effect it will have on the operator's attention to other alarms. Alarms are created to provide root cause indication of abnormal events requiring operator action. "Operator action" here means process decision changes, troubleshooting or monitoring decisions, initiation of maintenance, or changes of operating mode; it does not include tasks such as logbook entries, "nice to knows", indications of normal process operation, etc.
6.2.2.1. ROOT CAUSE INDICATION
A process upset that generates many alarms must be avoided. Alarms are configured for the benefit of the operator and to help him or her perform the job more efficiently. The most important alarm to give an operator on a process upset is therefore the indication of its root cause. If there are no associated trips or interlocks, the root cause is alarmed. If there is an associated trip at an alarm point, the practice is to alarm the interlocked equipment, which in turn directs the operator to the root cause through the first-out indication. As a general rule, operators will receive an alarm to initiate action on the deviating process variable before an equipment interlock occurs. Be aware of double alarming in this situation: where parent/child relationships exist between alarms, annunciating both must be avoided.
6.2.2.2. ABNORMAL OPERATION
There are many situations in a plant that are normal events (e.g. filter presses changing stages, batch tanks regularly hitting cyclic levels, polishing filters backwashing, switching sequences). The operator might want to know what stage a filter press is in, but it is not appropriate to alarm on such a normal event. These events should be displayed through graphical representation, not alarms. Alarms must only activate for abnormal cases of operation.
6.2.2.3. ALARM STATES
Alarms must be designed for the different states in which a plant operates: Start-up, Normal, Reduced Rate, Standby, Shutdown. These modes will have to be reviewed during rationalization and addressed in each alarm design. When operating rates change, the operator response time for level alarms also changes; the design standard in this case is to keep the response time, and the resulting priority, as determined for normal operating rates.
6.2.3. ALARM LIFECYCLE
ISA and industry experts, working together as the SP18 committee, created the ISA-18.2 standard for alarm management practices. A key inclusion in this standard is the Life Cycle Model of alarm management; a representation of this model is shown in Diagram 1 below.
Diagram 1: Alarm System Life Cycle Model Representation
This model shows the essential steps of all alarm management activities, from the initial design and continued maintenance of the philosophy to the management of change stage.
6.2.4. ALARM DETECTION AND DISPLAY
There are multiple methods of detecting and identifying an alarming variable for an operator. All alarms should be displayed on an alarm summary screen. This summary screen should be able to display the alarms in a variety of ways and have a variety of features. The summary screen should:
Be able to sort alarms by priority, chronological order or process area
Be able to colour code alarms by priority
Be able to temporarily freeze the screen during periods of high activity
Be able to suppress low priority alarm sounds
Be designed to minimize the number of keystrokes required for the operator to identify, access and verify alarms
Have dynamic graphics based on the state of the alarm; the graphics configuration should change with a change in alarm configuration
Only use a specific colour once if that colour is used to specifically denote an alarm or its priority (i.e. that colour should not be used in any other graphic on the screen)
Be organized to minimize operator error and maximize operator familiarity
Only request that the operator acknowledge a specific alarm once
For examples of implementations of alarm detection displays and additional considerations at specific plants, see Appendix B.
6.2.5. SUMMARY OF DESIGN PHILOSOPHY
In general, a good alarm will be:
1. Relevant: It should have some significant operational value. It should always demand some response from the operator. It should not lull an operator into thinking that alarms can be ignored.
2. Unique: It should not duplicate other alarms.
3. Timely: It should not occur so early that no operator response is needed, or so late that there is no time left to correct the fault.
4. Prioritized: It should have a proper importance assigned that is indicative of the significance of the problem (see Section 7.0 for details).
5. Understandable: It should have an appropriate message that is easily read and understood.
6. Diagnostic: It should help the operator identify the problem causing the alarm.
7. Advisory: It should direct an operator to take appropriate action.
8. Focusing: It should attract attention toward the most important issues.
If any alarm is safety related then it should be designed, operated and maintained in accordance with requirements set out in the appropriate safety standard.
7.0 PRIORITY DESIGN FOR ALARMS
7.1. JUSTIFICATION OF PRIORITY ALARMS
When it has been determined that an event should be alarmed, a priority must be assigned. In an alarm system, it is necessary to prioritize alarms so that the more important alarms at any given time are more obvious to the operator. This helps the operator decide which alarms to respond to first when several occur at the same time. This is particularly useful during periods of high alarm activity, when the operator needs to structure the response so that essential and important actions are carried out first. During less busy times, prioritization brings urgent standing alarms clearly to the operator's attention. Consistent prioritization is a basic requirement of a reliable and credible alarm system.
7.2. BASIC DESIGN OF PRIORITY SYSTEMS
There are several aspects of alarm priority to consider:
a) Number of alarm priorities to assign and their corresponding labels
b) Basis for setting alarm priority
c) Priority distribution, both configured settings and actual alarms
Experience has shown that the use of three priority levels within any one type of display is ergonomically effective for the presentation of alarms. However, a plant may have more than one alarm system. Just as an example, there may be alarms implemented within the process control system, alarms (some of which are safety related) on a hard-wired annunciator panel, plus a separate fire and gas alarm panel. The use of priority should therefore be adapted to suit the particular arrangement chosen. However, it is recommended that definitions of alarm priority should be consistent across systems. There are other areas of flexibility in the general guidance of having three priorities in any alarm system, for example:
Additional levels - to simplify the operator interface it may be convenient to assign additional priority levels to signals not normally displayed, but which the operator may wish to sometimes examine using the standard alarm display facilities such as the alarm list. For example, this could refer to gas levels that, while abnormal, do not contribute to any plant status changes (i.e. do not pose a critical danger to plant operations)
Subdivision – for very unusual situations, it may be useful to further sub-divide priorities. For example, fire alarms might be categorized as critical safety related alarms but displayed differently from other critical alarms and have a different audible warning. If adopted, such sub-division should be done with great care to avoid any confusion of established prioritization.
The priority of every individual alarm should not necessarily be fixed for all time. If achievable within the alarm system, it can be very effective to dynamically modify an alarm’s priority according to the prevailing plant state (see Section 14).
7.3. ESTABLISHING ALARM PRIORITY
The appropriate priority for an alarm point may be established by considering both the severity of the situation as well as the appropriate response time. Severity is assessed by considering the consequences assuming that no action is taken when the alarm is sounded. Risk assessment is generally categorized into different severity levels based on three categories of probable impact:
Health and Safety
Environment
Cost
The amount of impact on each of these three categories is captured by assigning an appropriate severity level to each:
Minor
Major
Severe
The resulting impact and severity definitions, together with the operator response time, are used to develop an alarm priority matrix (Table 1 below). This alarm priority matrix is used during the D&R process to assess and assign a priority to each configured alarm. For example tables detailing consequence severity at the various plants, see Appendix C.
Operator Response | Maximum time for Operator Response | Consequence MINOR | Consequence MAJOR | Consequence SEVERE
Extended | >30 minutes | No Alarm | No Alarm | No Alarm
Shortly | 20 to 30 minutes | Notice | Notice | Notice
Promptly | 10 to 20 minutes | Notice | Warning | Warning
Rapidly | <10 minutes | Warning | Critical | Critical
Emergency | Immediate Response | Critical | Emergency | Emergency
(The first two columns give the response time; the last three give the priority for the maximum severity across the three impact categories.)
Table 1: The Priority Defining Matrix
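The matrix lookup that the D&R team applies, as an added worked example (it is not part of the guideline): it takes the three consequence ratings, keeps the maximum, buckets the response time and returns the Table 1 priority. The tag names, consequence ratings and response times are constructed, and the treatment of the exact boundaries (a response time of exactly 10 or 20 minutes falls in the slower bucket, 30 minutes still counts as "Shortly", and 0 minutes means immediate response) is an assumption, because Table 1 leaves them open.

```python
"""Alarm priority assignment from Table 1 (added example, not part of the guideline)."""
from dataclasses import dataclass, asdict

# Severity ladder used to take the "maximum severity" across the three impact categories.
SEVERITY_RANK = {"MINOR": 0, "MAJOR": 1, "SEVERE": 2}

# Table 1, one row per operator-response bucket; columns in MINOR/MAJOR/SEVERE order.
TABLE1 = {
    "Emergency": ("Critical", "Emergency", "Emergency"),  # immediate response
    "Rapidly":   ("Warning",  "Critical",  "Critical"),   # < 10 minutes
    "Promptly":  ("Notice",   "Warning",   "Warning"),    # 10 to 20 minutes
    "Shortly":   ("Notice",   "Notice",    "Notice"),     # 20 to 30 minutes
    # "Extended" (> 30 minutes) is not alarmed at any severity.
}


@dataclass(frozen=True)
class Candidate:
    """One alarm candidate as recorded during D&R (constructed fields)."""
    tag: str
    health_safety: str       # MINOR / MAJOR / SEVERE, assuming no operator action
    environment: str
    cost: str
    response_minutes: float  # maximum time available for the operator to act


def max_severity(c: Candidate) -> str:
    """Severity is the worst of the three impact categories."""
    worst = max((c.health_safety, c.environment, c.cost),
                key=lambda s: SEVERITY_RANK[s.upper()])
    return worst.upper()


def response_bucket(minutes: float) -> str:
    """Map a response time to a Table 1 row. Boundary handling is an assumption:
    0 = immediate, exactly 10/20 fall in the slower bucket, exactly 30 is 'Shortly'."""
    if minutes <= 0:
        return "Emergency"
    if minutes < 10:
        return "Rapidly"
    if minutes < 20:
        return "Promptly"
    if minutes <= 30:
        return "Shortly"
    return "Extended"


def assign_priority(c: Candidate) -> str:
    bucket = response_bucket(c.response_minutes)
    if bucket == "Extended":
        return "No Alarm"  # the operator has time; present it on the graphic instead
    return TABLE1[bucket][SEVERITY_RANK[max_severity(c)]]


def rationalize(candidates):
    """Return the D&R record for each candidate: its inputs plus the derived fields."""
    records = []
    for c in candidates:
        rec = asdict(c)
        rec["max_severity"] = max_severity(c)
        rec["response_bucket"] = response_bucket(c.response_minutes)
        rec["priority"] = assign_priority(c)
        records.append(rec)
    return records


# Constructed D&R inputs; tags and ratings are illustrative only.
CANDIDATES = [
    Candidate("LT-101 HI", "MINOR",  "MINOR",  "MAJOR", 15),
    Candidate("PT-205 HI", "SEVERE", "MINOR",  "MAJOR", 5),
    Candidate("FT-310 LO", "MINOR",  "MINOR",  "MINOR", 45),
    Candidate("TT-400 HI", "MAJOR",  "MINOR",  "MINOR", 0),
    Candidate("AT-501 HI", "MINOR",  "SEVERE", "MINOR", 25),
]

if __name__ == "__main__":
    for rec in rationalize(CANDIDATES):
        print(f"{rec['tag']:<10} {rec['max_severity']:<7} "
              f"{rec['response_bucket']:<10} -> {rec['priority']}")
```

Two points the table alone does not make obvious: a SEVERE consequence with more than 30 minutes of response time still produces "No Alarm" (the condition belongs on the graphic or with the interlock, not in the alarm list), and the severity is taken as the maximum across the three categories, so an environmental SEVERE rating with MINOR safety and cost ratings is still rated SEVERE.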
7.4. ALARM PRIORITY DISTRIBUTION
Alarm priorities will be designed according to the guidelines in Table 1 above. After initial design, the alarm priority distribution should reflect the percentages shown in Table 2 below. If the distribution is found to be largely skewed from the ranges given, the design process must be iterated until the alarms satisfy the guidelines of Table 1 and reflect the distribution of Table 2.
Priority Level | Alarms Configured During System Design
High (Priority 1) | 3% - 7% (typically 5%) of total
Medium (Priority 2) | 15% - 25% (typically 15%) of total
Low (Priority 3) | 70% - 80% (typically 80%) of total
Table 2: EEMUA Guidelines for Alarm Configuration
Other considerations may affect the distribution requirements of the design, specific to the plant for which the alarms are designed. These are included in Appendix C.
7.5. ALARM FREQUENCY REQUIREMENTS
The single purpose of prioritization is risk management, i.e. making it easier for the operator to identify important alarms during periods of high alarm activity. For the operator to effectively discriminate between the importance of different alarm priority levels, the relative frequency of alarms should decrease with increasing priority. Target maximum rates of occurrence for alarms of different priorities are stated in Table 3 below, as given by the EEMUA guidelines.
Priority Level | Target Maximum Occurrence Rate
High (Priority 1) | Less than 5 per shift
Medium (Priority 2) | Less than 2 per hour
Low (Priority 3) | Less than 10 per hour
Table 3: EEMUA Guidelines for Target Maximum Occurrence Rate
7.6. ALARM AND EVENT DESCRIPTORS
Within each priority setting there are various alarm or event descriptors, listed below. Not all event descriptors will be present on all loops; the descriptors found on each loop will be defined during the rationalization process. The purpose of an event descriptor is to add information that aids operator diagnosis. For example, if a thickener underflow transmitter shows a low flow value, it is pointless to display "low flow" as the descriptor; instead "Plug" may be displayed to inform the operator of a plug that could be causing the reduction in flow. Examples of descriptors are given below:
Plug – This event descriptor indicates a possible process line plug. This may be applicable to process solution lines, oxygen addition lines, filter lines that require manual cleaning or switching, etc.
Set Point Deviation HI (Dev_HI) – This event descriptor indicates when the process variable is not meeting its set point, exceeding it by more than a defined percent deviation above the operator-entered set point.
Set Point Deviation LO (Dev LO) – This event descriptor indicates when the process variable is not meeting its set point, falling short of it by more than a defined percent deviation below the operator-entered set point.
Rate of Change (ROC) – This event descriptor indicates when the process variable changes at an unexpected rate.
Interlock Event (INTLK) – The interlock event descriptor indicates when an equipment or loop interlock occurs. All interlocks will alarm, and the associated cause will be seen on the interlocked equipment's faceplate. The operator can access the cause faceplate through the graphic interface in order to reach the alarm help for the cause. By default, interlock causes will not have an annunciated alarm but will have a defined priority that gives the operator indication, with associated alarm help, on the graphic display and equipment faceplate.
Interlocks that are hardwired in the field will always activate in maintenance and remote modes, unlike software interlocks, which activate in remote modes only.
Fail Alarm (FAIL) – This event descriptor indicates when device feedback determines that the device set point cannot be reached for some failure reason.
Low Event (LOW) – The LOW event descriptor is the pre-warning alarm to the operator of a trip condition or of an undesired process consequence.
High Event (HI) – The HI event descriptor is the pre-warning alarm to the operator of a trip condition or of an undesired process consequence.
Low Low event (LOLO) – This event descriptor signifies an undesired process condition. A low low event point will usually trigger an interlock action. Where low low event points are used for interlocking actions they will not annunciate to the operator.
Low Low A event (LOLOA) – This event descriptor signifies that a tank level is below the level required for the agitator. This low low event point will trigger an interlock action and, like other low low points used for interlocking, will not annunciate to the operator.
High High event (HIHI) – This event descriptor signifies an undesired process condition. A high high event point will usually trigger an interlock action. Where high high event points are used for interlocking actions they will not annunciate to the operator.
Output Hi (OP HI) – The loop output has reached its high saturation point.
Output Lo (OP LO) – The loop output has reached its low saturation point.
Faulty IO – The device input or output has generated an internal alarm requiring maintenance. Unless rationalization determines the priority differently, this event type is an information alert and goes directly to the maintenance station. The event is recorded in the event journal, and while it is active the operator has a visual indication on the graphical interface. If rationalization determines that faulty I/O is an alarm, its priority will be identical to the highest priority alarm related to that I/O. If there is no instrument within a loop, it should not be able to generate a faulty IO alarm.
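A conformance check for Tables 2 and 3, as an added worked example (it is not part of the guideline): it takes a configured alarm list and a plain alarm journal, computes the configured share per priority against Table 2, finds the worst-case number of activations per priority inside any Table 3 window, and lists the tags that activate most often. The twenty configured tags and the journal lines are constructed, and the 12-hour shift used for the Priority 1 target is an assumption, since the guideline states that target per shift without defining the shift length.

```python
"""Table 2 / Table 3 conformance check over a configured alarm set and an alarm
journal (added example, not part of the guideline; all inputs are constructed)."""
from collections import Counter
from datetime import datetime, timedelta

# Table 2: share of configured alarms per priority, as (low, high) fractions of total.
TABLE2_RANGE = {1: (0.03, 0.07), 2: (0.15, 0.25), 3: (0.70, 0.80)}

# Table 3: "less than N per window". The 12-hour shift is an assumption; the
# guideline gives the Priority 1 target per shift without a shift length.
SHIFT = timedelta(hours=12)
TABLE3_MAX = {1: (5, SHIFT), 2: (2, timedelta(hours=1)), 3: (10, timedelta(hours=1))}


def distribution_check(configured):
    """configured: {tag: priority}. Returns {priority: (share, within_table2)}."""
    total = len(configured)
    counts = Counter(configured.values())
    result = {}
    for prio, (lo, hi) in TABLE2_RANGE.items():
        share = counts.get(prio, 0) / total if total else 0.0
        result[prio] = (share, lo <= share <= hi)
    return result


def parse_journal(lines):
    """Parse 'timestamp,tag,priority,state' lines into (datetime, tag, prio, state)."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, tag, prio, state = (f.strip() for f in line.split(","))
        events.append((datetime.fromisoformat(ts), tag, int(prio), state))
    return events


def rate_check(events):
    """Worst-case number of ALARM activations per priority inside any Table 3
    window (sliding window over the sorted activation times).
    Returns {priority: (worst_count, within_table3)}."""
    result = {}
    for prio, (limit, window) in TABLE3_MAX.items():
        times = sorted(t for t, _, p, state in events if p == prio and state == "ALARM")
        worst, start = 0, 0
        for end, t in enumerate(times):
            while times[start] <= t - window:  # drop activations outside (t - window, t]
                start += 1
            worst = max(worst, end - start + 1)
        result[prio] = (worst, worst < limit)  # Table 3 reads "less than", so strict
    return result


def top_contributors(events, n=3):
    """Tags with the most activations: the first place to look for bad actors."""
    counts = Counter(tag for _, tag, _, state in events if state == "ALARM")
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed configuration: 20 alarms, split 1 / 4 / 15 across priorities 1 / 2 / 3.
CONFIGURED = {"PT-205 HI": 1}
CONFIGURED.update({t: 2 for t in ["FT-310 LO", "TT-400 HI", "LT-101 LO", "AT-501 HI"]})
CONFIGURED.update({t: 3 for t in [
    "LT-101 HI", "LT-102 HI", "LT-103 LO", "LT-104 HI", "FT-311 HI", "FT-312 LO",
    "FT-313 HI", "TT-401 HI", "TT-402 LO", "TT-403 HI", "PT-206 HI", "PT-207 LO",
    "PT-208 HI", "AT-502 HI", "AT-503 LO"]})

# Constructed journal: LT-101 HI chatters every three minutes for half an hour.
JOURNAL = ["# timestamp,tag,priority,state"]
for k in range(11):
    on = datetime(2013, 6, 25, 8, 0) + timedelta(minutes=3 * k)
    JOURNAL.append(f"{on.isoformat()},LT-101 HI,3,ALARM")
    JOURNAL.append(f"{(on + timedelta(seconds=40)).isoformat()},LT-101 HI,3,RTN")
JOURNAL += [
    "2013-06-25T08:10:00,FT-310 LO,2,ALARM",
    "2013-06-25T08:20:00,PT-205 HI,1,ALARM",
    "2013-06-25T08:40:00,FT-310 LO,2,RTN",
    "2013-06-25T09:30:00,FT-310 LO,2,ALARM",
    "2013-06-25T10:15:00,TT-401 HI,3,ALARM",
]

if __name__ == "__main__":
    print("Table 2:", distribution_check(CONFIGURED))
    ev = parse_journal(JOURNAL)
    print("Table 3:", rate_check(ev))
    print("Top contributors:", top_contributors(ev))
```

The two checks answer different questions and should be reported side by side: the constructed configuration passes Table 2 at every priority, yet the journal fails Table 3 at Priority 3 because one chattering tag alone produces eleven activations in an hour. Only ALARM records are counted; return-to-normal (RTN) records are ignored, which is what makes a chattering tag visible as a rate problem rather than hidden by its own resets.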
8.0 SETTING ALARM LIMITS
The most critical and determining factor in having a managed alarm system is having correct alarm limit settings. Alarm limit settings should be carefully considered and reviewed when process changes occur. If alarms are not configured in a consistent manner, they may ring in too early or worse, they may not ring in at all. Table 4 shown below has been developed to assist in determination of alarm limit settings. It is expected that some alarm limits will change as personnel become experienced with the process and process conditions. Changing alarm limits will require an MOC procedure authorized by the proper personnel.
| Process Signal | Alarm Limits Defined By | General Guidelines of Limit Selection |
| --- | --- | --- |
| Temperature | Temperature limits are typically defined by metallurgical/design limits and reaction chemistry; they may also be a function of downstream equipment or process line limits. | The upper limit should be the lowest high limit of the listed criteria. The lower limit should be the highest low limit of the listed criteria. |
| Pressure | Pressure limits are typically defined by metallurgical/design limits, safety limits and chemical reaction limits; they may also be a function of downstream equipment or process line limits. Where pressure safety valves exist, alarming must occur before lifting. | The upper limit should be the lowest high limit of the listed criteria. The lower limit should be the highest low limit of the listed criteria. |
| Flow | Flow limits are typically defined by process design flow, reaction chemistry or upstream or downstream equipment limits. | The upper limit should be the lowest high limit of the listed criteria. The lower limit should be the highest low limit of the listed criteria. |
| Level | The desired time to respond and the tank size define the process alarm limit for tank level. | A response time of 5 to 10 minutes is desired for tanks that have been designed for surge capacity. |
Table 4: General Considerations for Determining Alarm Limits
The Alarm Limit is the value at which a specific alarm is triggered. An alarm should be issued such that the operator has sufficient time to return the process to optimal condition before the alarmed variable reaches a critical value. On the other hand, the alarm limit must be set so as to avoid producing nuisance alarms. The initial alarm limit values should be selected based on the normal engineered operating range of the process and should take into account:
Safety processes and equipment abilities
Not-to-exceed limits
Interlocks
Standard procedures and regulations regarding the process
An example of a limit determination process is shown below. If historical information or valuable operator experience is available, it should be used to tune the alarm limit. Limits should be continually adjusted to meet the needs of the process and of the operator associated with the alarms. It is important to note that alarms without deadband settings typically create nuisance alarms. The table below gives recommended initial points for deadband settings:
| Signal Type | Deadband |
| --- | --- |
| Flow | 5% |
| Level | 5% |
| Pressure | 2% |
| Temperature | 1% |
Table: Initial Deadband Settings
9.0 RATIONALIZATION ANALYSIS OF ALARMS
Alarm Rationalization is the group process of reviewing each and every possible plant alarm against the principles and requirements of the alarm philosophy document. During this process, an alarm is created when it supports the rationale for an alarm. The fundamental information of operator action, operator response time, and consequence of no response is clearly documented for use by the operator and operations staff. It is during the rationalization process that identified alarm priorities are assigned based on the priority defining matrix. Alarm Rationalization is an organized, consistent, and controlled method of analyzing, determining, documenting and prioritizing all possible alarms in the plant control system. During rationalization, situations may be presented where members insist that specific alarms require a higher priority setting than rationalization produced. It is acceptable that alarm priorities may be increased. These increases shall be documented with justification during rationalization of that alarm. When packaged equipment is supplied to the plant, each package vendor is required to provide a rationalized alarm and event list. Throughout the plant operation, vendor alarms will require rationalizing to ensure they meet the Vale alarm configuration guidelines within the alarm philosophy.
It is expected with ongoing operations there will be changes to the alarm system with the re-evaluation of existing alarms and the addition of missing alarms. Operators are expected to provide continuous improvement to the operation of the alarm system throughout the plant lifecycle.
During an alarm rationalization procedure it is a recognized best practice to include members of the operations, safety, maintenance, process control and process engineering teams. To fully evaluate alarms during rationalization, resources available include relevant PFDs and PIDs, HAZOP results, System Design Criteria, Stream Tables, functional narratives, updated unit P&IDs, DCS configuration information, start permissive system logic, operating procedures, incident reports, plant safety standards, plant operational standards, OSHE requirements, cause and effect matrices and the alarm philosophy document.
9.1. PROCEDURAL STEPS FOR RATIONALIZATION PROCESS
The following procedure is the best practice method of performing an alarm system rationalization:
Step 1. Each process area P&ID should be referred to separately. Each point or process control loop should be addressed independently to identify whether or not it meets the criteria for an alarm.
Step 2. On each identified point, review each alarm and event descriptor and ask whether this descriptor requires operator action on this point. Not all descriptors should be on one loop; rationalizing each descriptor for each loop will result in the best descriptor selection for the loop. (Refer to section 6.6 Alarm and Event Descriptors)
Step 3. Identification of a descriptor for a specified loop requires documentation of the possible causes, recommended actions and the event justification or consequences of no action. If there are no identified actions then this descriptor does not qualify as an alarm.
Step 4. Each identified alarm should be reviewed for its possibilities of double alarming or parent child relationships. In the case of double alarming only one alarm should be configured to indicate the root cause.
Step 5. For each identified alarm the proper trip point setting must be decided. The initial trip point setting should be based on safety limits, process targets, process limits, environmental limits, product specific limits, equipment protection limits. (Refer to section 7 for Setting Alarm Limits).
Step 6. For each alarm type, determine how long the operator has to respond before a consequence could occur.
Step 7. For each alarm, determine the category of consequence level.
Step 8. The operator response time and the consequence level have to be identified before referring to the Priority Defining Matrix (see Table 1) to determine the alarm priority.
Step 9. For every alarm identified, different modes of operation should be reviewed to identify any needs for State Based alarming strategies or other requirements to incorporate an alarm problem solver. (Refer to section 9.2 Alarm Problem Solving Methods)
Step 10. Record any important details to be announced to the operator with the alarm. The details must be relevant and help the operator in assessing the alarm.
Step 11. Identify and document any specialized process displays or process sequences needed.
Step 12. Identify duplicate alarms that may be generated through any Safety Instrumented System (SIS).
10. ALARMING PROBLEMS
Most of the alarming problems found in plant control systems are listed below:
Stale Alarms – Alarms that activate and remain active for extended periods of time. Industry experts say alarms that remain active for over 24 hours should be considered stale alarms.
Alarm Suppression – Alarms that have been turned off and will not activate until someone turns them on again.
False Alarms – Alarms that are configured based on normal operating procedures or processes.
Alarm Flooding – Alarms are not configured in adaptable ways to handle process upsets (10 or more alarms per 10 minutes).
Bad Actor Alarms – Nuisance alarms or bad actor alarms that incorrectly alert the operator; they are usually repetitive in short time spans and require some type of alarm problem solver to correct, e.g. on delay, off delay, deadband, etc.
10.1. TYPES OF “BAD ACTOR” ALARMS
An expansion on bad actor alarms is given here:
Chattering – Alarms that are constantly activating and deactivating before an operator can respond to them (3 alarm sounds in 1 minute).
Parent Child Relationships – both alarms can occur independently; however, one of them always sounds if the other has sounded.
Double Alarming – Alarms on separate loops that indicate the same process upset.
Bad Measurement Alarms – When an instrument has a bad measurement status and is generating device alerts to the DCS system.
10.2. ALARM PROBLEM SOLVING METHODS
Below is a list of possible solutions that can be used based on the alarming problems identified during alarm rationalization. When these problem solving methods are used they must be documented in the master alarm database software that is used during rationalization.
1. Adaptive Alarming – Process targets or set points change when the associated alarm limits change. The alarm always suits the operational set point.
2. Group Alarming – This is an alarming method that can deal with alarm flooding. Group alarming will allow just one configured alarm for a specified group to annunciate during a process upset. This alarm will be the “first event” in the group. If this problem solving method is used there must be direct links to the main display of the “first event”.
3. State Based Alarming – Alarm limits change/de-activate depending on the equipment status or operator input. In Alarm Rationalization this will need to be reviewed on a case by case basis. Some example states include Area Startup, Area Running, Area Shutdown, Feed Rates changing, Equipment shutdown, Ball mill shutdown, SMD shutdown, AC Shutdown, AC Hot Standby, AC Flushing, Flash cooler running, Belt filter running, Standby Thickener mode on, Cl Compressor running, Pre-leach running.
4. On Delays – A required time period must elapse while the process variable (PV) is within the alarm limit before the alarm will activate. The alarm will deactivate immediately when the PV is no longer within the alarm limits. Table 5 below indicates the recommended EEMUA starting delay times when implementing new points. These will be refined on a case by case basis.
| Process Signal | On Delay Time | Off Delay Time |
| --- | --- | --- |
| Flow | 15s | 0s |
| Level | 30s | 0s |
| Pressure | 15s | 0s |
| Temperature (non-critical) | 60s | 0s |
Table 5: Recommended ISA 18.2 On / Off Delay Times (Seconds)
5. Off Delays – The alarm will activate immediately as the PV enters the alarm limit but will not deactivate until an elapsed time has passed and the PV stays outside the alarm limit.
6. Deadband – When a deadband is set, the alarm will ring in when the actual limit is hit (see Figure 1). In order to return to normal, the variable must go below (or above) the alarm point by the deadband applied. Applying deadband to a signal will prevent noisy signals from generating multiple alarms when near an alarm point. It is important to remember the operating range and target set points when applying deadband. If the general rules shown in Table 6 below are used, they must be practical in the application. These will be refined on a case by case basis.
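To make the on-delay (item 4, Table 5) and deadband (item 6, Table 6) mechanics concrete, the following added Python example, written for this page rather than taken from the guideline or any vendor system, replays a constructed pressure signal through a high alarm once unconditioned and once with the recommended pressure settings (2% deadband, 15 s on delay), then applies the guideline's chattering definition of three alarm sounds in one minute. The signal values, the 0-200 kPa range and the 100 kPa limit are constructed for the example.

```python
"""High alarm with deadband and on/off delay (added example, not from the guideline).

A constructed pressure signal is replayed through a high alarm, once with no
conditioning and once with the pressure values from Table 5 (15 s on delay)
and Table 6 (2 % deadband), and both runs are checked against the guideline's
chattering definition of three alarm sounds in one minute.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Sample = Tuple[int, float]  # (time in seconds, process variable)
Event = Tuple[int, str]     # (time in seconds, "ON" or "OFF")


@dataclass
class HighAlarm:
    """Absolute high alarm on one process variable (PV)."""
    limit: float               # trip point in engineering units
    range_span: float          # operating range span; deadband is a % of it
    deadband_pct: float = 0.0  # Table 6 value (pressure: 2)
    on_delay_s: int = 0        # Table 5 value (pressure: 15 s)
    off_delay_s: int = 0       # Table 5 value (pressure: 0 s)
    active: bool = field(default=False, init=False)
    _over_since: Optional[int] = field(default=None, init=False)
    _clear_since: Optional[int] = field(default=None, init=False)

    @property
    def return_point(self) -> float:
        """PV must fall below this, not merely below the limit, to clear (Figure 1)."""
        return self.limit - self.range_span * self.deadband_pct / 100.0

    def update(self, t: int, pv: float) -> Optional[str]:
        """Feed one sample; return "ON" or "OFF" on a state change, else None."""
        if not self.active:
            if pv >= self.limit:
                # On delay: the PV must stay inside the alarm limit for on_delay_s.
                if self._over_since is None:
                    self._over_since = t
                if t - self._over_since >= self.on_delay_s:
                    self.active, self._over_since = True, None
                    return "ON"
            else:
                self._over_since = None  # timer restarts if the PV drops back
        else:
            if pv < self.return_point:
                # Off delay: the PV must stay beyond the deadband for off_delay_s.
                if self._clear_since is None:
                    self._clear_since = t
                if t - self._clear_since >= self.off_delay_s:
                    self.active, self._clear_since = False, None
                    return "OFF"
            else:
                self._clear_since = None  # timer restarts if the PV re-enters
        return None


def run_alarm(alarm: HighAlarm, samples: List[Sample]) -> List[Event]:
    """Replay a 1 s sampled signal and collect the alarm transitions."""
    events: List[Event] = []
    for t, pv in samples:
        change = alarm.update(t, pv)
        if change:
            events.append((t, change))
    return events


def is_chattering(events: List[Event], window_s: int = 60, threshold: int = 3) -> bool:
    """Guideline definition: three alarm sounds (activations) within one minute."""
    ons = [t for t, state in events if state == "ON"]
    return any(ons[i + threshold - 1] - ons[i] < window_s
               for i in range(len(ons) - threshold + 1))


def build_signal() -> List[Sample]:
    """Constructed PV in kPa on a 0-200 kPa range: noise straddling the 100 kPa
    limit for a minute, a real excursion to 110 kPa, then recovery to 90 kPa."""
    noise = [(t, 102.0 if t % 2 == 0 else 98.0) for t in range(0, 60)]
    excursion = [(t, 110.0) for t in range(60, 90)]
    recovery = [(t, 90.0) for t in range(90, 100)]
    return noise + excursion + recovery


def compare() -> dict:
    """Run the unconditioned and the conditioned alarm on the same signal."""
    signal = build_signal()
    raw = run_alarm(HighAlarm(limit=100.0, range_span=200.0), signal)
    tuned = run_alarm(HighAlarm(limit=100.0, range_span=200.0,
                                deadband_pct=2.0, on_delay_s=15), signal)
    return {"raw": raw, "tuned": tuned,
            "raw_chatters": is_chattering(raw), "tuned_chatters": is_chattering(tuned)}
```

The unconditioned alarm toggles on every noisy sample and is flagged as chattering; the conditioned alarm ignores the noise, announces the excursion once the 15 s on delay has elapsed, and clears only after the PV falls below the 96 kPa return point.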
Figure 1: Alarm Deadband (figure not reproduced; it plots Alarm State against the Alarmed Variable, showing the Alarm On and Alarm Off levels)
| Measurement | Deadband % (operating range) |
| --- | --- |
| Flow | 5 |
| Level | 5 |
| Pressure | 2 |
| Temperature | 1 |
Table 6: Recommended ISA 18.2 Deadband Setting
8. Alarm Suppression – Alarm Suppression is a temporary way for operators to “snooze” alarms for a set time period. The alarm shelving procedure should have a maximum shelving (“snooze”) time limit. When the snooze time is up the alarm will automatically become re-enabled. The functionality of automatic restore is used to ensure that alarms cannot be shelved indefinitely, which can lead to potential alarm failure. The ability to snooze higher priority alarms such as critical and emergency should not be available.
9. Operator Message Center – The operator requires a method by which he or she can monitor chosen process variables at exception limits for some abnormal operational task. These types of tasks can be handled through the operator message center.
10. Value Filtering – Applying value filtering to a value reduces noise from signals. General rules are shown in Table 7 below.
| Measurement | Filter Time Constant |
| --- | --- |
| Flow | 2 sec |
| Level | 2 sec |
| Pressure | 1 sec |
| Temperature | 0 sec |
Table 7: Recommended PAS Value Filtering Settings
11. MEASURING ALARM SYSTEM PERFORMANCE
Alarm system performance measurement is a necessary element of maintaining an alarm system. Alarm management software is recommended for analysis of alarm systems due to the time required and usually the lack of time available for a manual type analysis. Within alarm management software packages there are a variety of preconfigured charts and graphs that are the stepping stones of proper alarm system measurement. There should be a report at minimum once a month outlining recommended analyses of the alarm system. The most important analysis, as multiple studies recommend, is the number of alarms per day per operator. EEMUA states that an alarm rate of 150 alarms per day per operator is manageable and that rates above 300 alarms per day are unacceptable. The acceptable average for a 10 minute alarm rate is one alarm.
11.1. KEY PERFORMANCE INDICATORS
To ensure that the alarm system and plant continue to function as an entity, the following metrics to assess potential problems with the plant will be used:
1. Number of chattering or frequently recurring alarms after rationalization implementation
2. Production rate compared to hourly alarm rate
3. Safety statistics compared to hourly alarm rate
4. Product quality statistics compared to hourly alarm rate
5. Cost statistics compared to hourly alarm rate
To ensure that the alarm system continues to meet the targets described in this document, the following metrics to assess alarm system performance on a regular basis will be used:
1. Operator feedback on alarm system performance
2. Time to Acknowledge
3. Number of code changes and software jumpers installed in the alarm system
4. Number and type of alarms that have been shelved, bypassed, disabled and/or inhibited
11.2. PERFORMANCE TIMELINE
It is important to have a prescribed progress for the development of alarm systems in terms of performance. Table 8 below represents the initial target KPIs (Key Performance Indicators) for the Alarm system performance based on three stages of progression, beginning from the Processing Plant start-up. Targets have been aligned with industry recommendations.
| Key Performance Indicator (KPI) | Interim Target for Systems Undergoing Alarm Improvement | Long-Term Target |
| --- | --- | --- |
| Target Average Process Alarm Rate | <300 per day | <150 per day |
| Percentage of time alarm rate exceeds Target Average Process Alarm Rate | 5% | 0% |
| Alarm Event Priority Distribution based on at least one week of data | ~80% low, ~15% high, <=5% critical, <1% emergency | ~80% low, ~15% high, <=5% critical, <1% emergency |
| Suppressed Alarms | Zero (unless as part of defined Shelving, Flood Suppression, or State-based strategy) | Zero (unless as part of defined Shelving, Flood Suppression, or State-based strategy) |
| Chattering Alarms | 10 occurrences or less in a one-week period | 0 per day |
| Stale Alarms (>24 hours) | 20 or less in a one-week period | 0 per day |
| Floods (10 to 20 alarms in a 10 minute period) | <=5 per day | <=3 per day |
| Floods (>20 alarms in a 10 minute period) | <=3 per day | 0 per day |
| Process changes in Alarm Priority, Alarm Trip Point, Alarm Suppression Status, Point Execution Status | None that are unauthorized. None that are not part of a defined Shelving, Flood Suppression, State-based Strategy | None that are unauthorized. None that are not part of a defined Shelving, Flood Suppression, State-based Strategy |
Table 8: Alarm System Key Performance Indicators as recommended by PAS
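As an added example that is not part of the guideline, the following Python computes several Table 8 measures from an alarm journal: activations per day against the EEMUA 150/300 figures, 10-minute floods in the 10-20 and >20 bands, stale alarms active for more than 24 hours, and the priority distribution. The journal line format "time,tag,priority,state" and every tag, timestamp and priority in the sample journal are constructed for the example.

```python
"""Alarm-system KPIs from an alarm journal (added example, not from the guideline).

Scores a constructed three-day journal against the EEMUA daily-rate figures and
the Table 8 targets for floods, stale alarms and priority distribution. The
journal line format "ISO-time,tag,priority,state" is an assumption.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class JournalEvent(NamedTuple):
    time: datetime
    tag: str
    priority: str  # low | high | critical | emergency
    state: str     # ON (alarm activated) | OFF (returned to normal)


BASE = datetime(2024, 3, 1)  # constructed start of the sample journal


def build_journal() -> List[str]:
    """Constructed journal: routine alarms, one stale alarm and two floods."""
    lines: List[str] = []

    def add(t: datetime, tag: str, prio: str, state: str) -> None:
        lines.append(f"{t.isoformat()},{tag},{prio},{state}")

    for h in range(0, 12, 2):  # day 1: six routine lows, each cleared in 5 min
        add(BASE + timedelta(hours=h), f"TI-{100 + h}", "low", "ON")
        add(BASE + timedelta(hours=h, minutes=5), f"TI-{100 + h}", "low", "OFF")
    add(BASE + timedelta(hours=8), "LI-200", "high", "ON")  # active 42 h: stale
    add(BASE + timedelta(days=2, hours=2), "LI-200", "high", "OFF")
    for i in range(12):  # day 1 14:00: 12 alarms in 10 min (flood, 10 to 20)
        t = BASE + timedelta(hours=14, seconds=30 * i)
        add(t, f"FI-{300 + i}", "low", "ON")
        add(t + timedelta(minutes=15), f"FI-{300 + i}", "low", "OFF")
    for i in range(25):  # day 2 03:00: 25 alarms in 10 min (flood, >20)
        t = BASE + timedelta(days=1, hours=3, seconds=20 * i)
        prio = "critical" if i == 0 else "high"
        add(t, f"PI-{400 + i}", prio, "ON")
        add(t + timedelta(minutes=20), f"PI-{400 + i}", prio, "OFF")
    return lines


def parse_journal(lines: List[str]) -> List[JournalEvent]:
    events = []
    for line in lines:
        ts, tag, prio, state = line.strip().split(",")
        events.append(JournalEvent(datetime.fromisoformat(ts), tag, prio, state))
    return sorted(events, key=lambda e: e.time)


def daily_alarm_counts(events: List[JournalEvent]) -> Dict[str, int]:
    """Activations per calendar day (EEMUA: 150/day manageable, above 300 unacceptable)."""
    return dict(Counter(e.time.date().isoformat() for e in events if e.state == "ON"))


def rate_assessment(alarms_per_day: int) -> str:
    """Classify one day's count against the Table 8 rate targets."""
    if alarms_per_day < 150:
        return "meets long-term target"
    if alarms_per_day < 300:
        return "meets interim target only"
    return "unacceptable"


def flood_counts(events: List[JournalEvent]) -> Dict[str, Dict[str, int]]:
    """Per day: 10-minute periods with 10 to 20 activations (minor) or over 20 (major)."""
    per_window: Counter = Counter()
    for e in events:
        if e.state == "ON":
            per_window[e.time.replace(minute=e.time.minute // 10 * 10, second=0)] += 1
    result: Dict[str, Dict[str, int]] = defaultdict(lambda: {"minor": 0, "major": 0})
    for window, n in per_window.items():
        if n > 20:
            result[window.date().isoformat()]["major"] += 1
        elif n >= 10:
            result[window.date().isoformat()]["minor"] += 1
    return dict(result)


def stale_alarms(events: List[JournalEvent], journal_end: datetime) -> List[str]:
    """Tags active longer than 24 h, whether cleared late or still active at journal_end."""
    active: Dict[str, datetime] = {}
    stale: List[str] = []
    for e in events:
        if e.state == "ON":
            active.setdefault(e.tag, e.time)
        elif e.tag in active and e.time - active.pop(e.tag) > timedelta(hours=24):
            stale.append(e.tag)
    stale.extend(tag for tag, t in active.items() if journal_end - t > timedelta(hours=24))
    return stale


def priority_distribution(events: List[JournalEvent]) -> Dict[str, float]:
    """Percent of activations per priority (Table 8: ~80 low, ~15 high, <=5 critical, <1 emergency)."""
    ons = [e for e in events if e.state == "ON"]
    counts = Counter(e.priority for e in ons)
    return {p: round(100.0 * counts[p] / len(ons), 1)
            for p in ("low", "high", "critical", "emergency")}


def priority_targets_met(dist: Dict[str, float]) -> bool:
    """The hard Table 8 limits: at most 5 % critical and under 1 % emergency."""
    return dist["critical"] <= 5.0 and dist["emergency"] < 1.0
```

On the sample journal both days meet the long-term daily rate, yet day 1 has one minor flood, day 2 one major flood, LI-200 is stale, and the priority mix is far from the ~80% low target, which is exactly why the rate alone is not a sufficient KPI.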
11.3. REPORTING OF ALARM SYSTEM PERFORMANCE
Reports will be distributed to managers, staff and operators once a month. It is also recommended that after major upsets or incidents, the alarm system reporting provide details prior to, during and after the incident. Other important information that will be available in the report includes bypassed interlocks and the frequency of each. Progress towards standardized reports and an automated report generating system is strongly encouraged. In lieu of an automated system, manual reports of the alarm system shall be generated.
12. MANAGEMENT OF CHANGE
Since the alarm systems are part of the plant’s defense against hazards, any changes resulting from alarm reviews need to be carried out in a responsible way. Thus all proposed changes should be fully analyzed, their consequences should be determined, and agreed changes should be recorded with reasons. The Vale MOC process will be used to manage changes to the alarm system. Specific alarm system changes that will undergo the MOC process include, but are not limited to, the following:
1. Changes to regular non-trip alarm settings and interlock or trip alarm settings (setpoint, priority, inhibit filters).
2. Any procedural modifications will be initiated and executed by operations. Procedural changes will follow established guidelines.
3. Changes to the master alarm database.
4. Removal or addition of alarms (including new alarms derived from new equipment and/or projects). In addition to following the MOC process, these changes must follow this Philosophy document.
5. Changes to downstream processes and instrumentation resulting from alarm system changes. As well, previous design changes to the process and instrumentation will be reviewed to ensure further changes are made per the MOC process.
6. Maintenance of alarm system documentation, including this Philosophy document.
In addition, the current MOC process will be updated as necessary to align with the principles described in this Philosophy document. A Vale employee will be assigned the role of “Alarm Process Manager”. The Alarm Process Manager will have authority over all changes made to the alarm system database and to the alarm system documentation, including but not limited to items #1 through #6 described above. Furthermore, DCS Operators from all four shifts must review and sign off the appropriate documentation to ensure that changes to the alarm system have been communicated and understood.
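One way to check the "none that are unauthorized" KPI for alarm configuration changes, given as an added example and not as the guideline's or any site's tooling: compare a live DCS alarm configuration export with the Master Alarm Database and the approved MOC records, and flag every change to a controlled setting, and every alarm added or removed, that no MOC record covers. The AlarmConfig record layout, the shape of an MOC record and all tag values below are assumptions constructed for the example.

```python
"""Audit alarm configuration against the Master Alarm Database and MOC records.

Added example (not from the guideline). Every difference between the master
database and the live DCS configuration is reported, and it counts as
authorized only when an approved MOC record names that tag, descriptor and
field. Record layouts, tags and values are constructed for the example.
"""
from typing import Dict, List, NamedTuple, Set, Tuple

# Settings the guideline places under MOC: priority, trip point, suppression
# status and point execution status (Table 8), plus alarm addition/removal.
CONTROLLED_FIELDS = ("priority", "trip_point", "suppressed", "enabled")
AlarmKey = Tuple[str, str]        # (tag, descriptor), e.g. ("PI-101", "HI")
ChangeKey = Tuple[str, str, str]  # (tag, descriptor, field) covered by an MOC


class AlarmConfig(NamedTuple):
    tag: str
    descriptor: str   # HI, LO, HIHI, LOLO, ...
    priority: str     # low, high, critical, emergency
    trip_point: float
    suppressed: bool
    enabled: bool     # point execution status


class Finding(NamedTuple):
    tag: str
    descriptor: str
    field: str
    master_value: object
    live_value: object
    authorized: bool


def by_key(configs: List[AlarmConfig]) -> Dict[AlarmKey, AlarmConfig]:
    return {(c.tag, c.descriptor): c for c in configs}


def audit_alarm_config(master: List[AlarmConfig], live: List[AlarmConfig],
                       approved: Set[ChangeKey]) -> List[Finding]:
    """List every master/live difference, marking those with an approved MOC."""
    m, l = by_key(master), by_key(live)
    findings: List[Finding] = []
    for tag, desc in sorted(set(m) | set(l)):
        key = (tag, desc)
        if key not in l:    # alarm removed from the DCS
            findings.append(Finding(tag, desc, "existence", "present", "missing",
                                    (tag, desc, "existence") in approved))
        elif key not in m:  # alarm added without rationalization
            findings.append(Finding(tag, desc, "existence", "missing", "present",
                                    (tag, desc, "existence") in approved))
        else:
            for f in CONTROLLED_FIELDS:
                mv, lv = getattr(m[key], f), getattr(l[key], f)
                if mv != lv:
                    findings.append(Finding(tag, desc, f, mv, lv, (tag, desc, f) in approved))
    return findings


def unauthorized(findings: List[Finding]) -> List[Finding]:
    """The Table 8 KPI: this list must be empty."""
    return [f for f in findings if not f.authorized]


# Constructed Master Alarm Database export.
MASTER = [
    AlarmConfig("PI-101", "HI", "high", 850.0, False, True),
    AlarmConfig("TI-205", "HIHI", "critical", 420.0, False, True),
    AlarmConfig("LI-300", "LO", "low", 15.0, False, True),
]
# Constructed live DCS configuration: one MOC-approved priority change on
# PI-101 and three changes that nobody approved.
LIVE = [
    AlarmConfig("PI-101", "HI", "critical", 850.0, False, True),
    AlarmConfig("TI-205", "HIHI", "critical", 460.0, False, True),  # trip point raised
    AlarmConfig("LI-300", "LO", "low", 15.0, True, True),           # suppressed
    AlarmConfig("FI-400", "HI", "low", 120.0, False, True),         # added, not rationalized
]
# Constructed approved MOC record: (tag, descriptor, field).
APPROVED: Set[ChangeKey] = {("PI-101", "HI", "priority")}


def demo() -> List[Finding]:
    """Unauthorized changes in the constructed data."""
    return unauthorized(audit_alarm_config(MASTER, LIVE, APPROVED))


if __name__ == "__main__":
    for f in demo():
        print(f"UNAUTHORIZED {f.tag} {f.descriptor} {f.field}: "
              f"{f.master_value!r} -> {f.live_value!r}")
```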
12.1. ROLES AND RESPONSIBILITIES
In addition to the Alarm Process Manager, various teams will also be responsible for certain elements of the alarm lifecycle. Ensuring that certain roles and responsibilities are fulfilled is essential to the optimal function of the alarm system as a whole. The roles and responsibilities of operations, maintenance, automation, engineering and other functions are shown in the table below:
| Roles | Responsibilities |
| --- | --- |
| Alarm Process Manager | Maintain and administer the alarm management software and the Master Alarm Database. |
| | Manage the implementation of the alarm rationalization process. |
| | Provide a qualified representative(s) to participate on the Site Alarm Management team. |
| | Ensure that changes to the alarm management system follow an MOC process. |
| | Track adherence to the alarm philosophy. |
| | Periodically review and revise the alarm philosophy to address advances in alarm management practices. |
| | Coordinate the development of investment proposals for alarm management. |
| Alarm Process Control Specialist | Ensure that the alarm system achieves and maintains the performance levels defined by the KPIs. |
| | Report on the performance of the Process Alarm Management System using the site KPIs. |
| | Initiate work orders to repair malfunctioning field devices responsible for bad actor alarms. |
| | Ensure that operators have been trained on the functionality and use of the Process Alarm Management System. |
| | Provide a qualified representative(s) to participate on the Site Alarm Management team. |
| | Validate all new alarms or modifications to existing alarms before implementation. |
| | Update the Master Alarm Database for rationalized alarms. |
| Maintenance Instrumentation Technician | Implement the changes in the control system reflected in the alarm master database. |
| | Test alarms. |
| | Provide a qualified representative(s) to participate on the Site Alarm Management team. |
Table: Roles and Responsibilities for Alarm Management Teams
13. PERSONNEL TRAINING
The operator will be trained on the new alarm system for their individual process area. Training should be incorporated into the competency assessment of each operator, which should be regularly reviewed. At a minimum, operators should understand:
1. Alarm Management Philosophy
2. Alarm System (graphics, Alarm Panel, etc.)
3. Alarm priorities as related to safety, environmental and economic performance of plant
4. Expected action and speed-of-response to each process alarm
5. How to access documentation
6. Use of the alarm summary features during periods of high alarm rates
All operators will be trained in the realistic use of the alarm systems that they work with. This will include refresher training and training in any new alarm system functions.
Vale training requirements include:
1. All training materials will be updated to reflect the principles described in this Philosophy.
2. New and existing operators will be provided with training on the new alarm system.
3. Maintenance will be trained on the PSS application.
4. The training department will communicate to all Operations and Maintenance personnel that the current alarm standards are changing and a reliable alarm system is being implemented.
5. New projects must conform to standards and principles described in this Philosophy.
14. ALARM SYSTEM PERFORMANCE LEVELS
A performance level can be assigned to a system given the analysis procedures shown above. PAS proposes a five stage scale to direct improvement of alarm systems. This scale is demonstrated below along with the improvement steps at each phase:
Figure: Performance Level Improvement Diagram (figure not reproduced; it lays out the five performance stages together with the improvement plans, the specific steps to move from one stage to the next)
The Table below gives the necessary steps at each stage that are required to improve the system to the next stage:
| System Performance Level | Description | Improvement Steps |
| --- | --- | --- |
| OVERLOADED | Continually high rate of alarms | Develop Alarm Philosophy Document and Management of Change Principle |
| | Operators do not make use of alarms | Perform alarm analysis and resolve bad actor and nuisance alarms |
| | Impossible to determine priority among alarms | |
| REACTIVE | System is stable, but still of no use during upsets | Perform Alarm Documentation and Rationalization |
| | Provides the operator with prioritized warnings | Produce alarm metrics |
| | System MOC and alarm suppression improved but not under control | Enable alarm shelving |
| | | Group alarms into categories and produce a Master Alarm Database |
| | | Implement an automated audit and enforcement for alarm database |
| STABLE | Reliable; operators confident in system | Implement State-Based Alarm System (active alarms change based on plant state) |
| | Provide warning before an upset, but are less useful during upset | State-Based Alarm suppression |
| | MOC fully controlled | Online Alarm Response Manual for operators |
| | | Online Loop Performance Analysis |
| ROBUST | System reliable during all plant modes (normal and upset) | Early Fault Detection |
| | Operators are highly confident with system | Early Fault Diagnosis and Advice |
| | MOC prevents detrimental changes | Procedural Automation based on alarm upsets |
| | | Implementation of operator support systems: pattern matching, adaptive graphics, artificial intelligence, and other experimental technologies |
| PREDICTIVE | Stable system at all times; minimizes the impact of upsets | Maintain all previous steps to maintain the predictive system |
| | System allows operators to actively “patrol” process and prevent upsets | |
Table: Alarm System Performance Levels with Improvement Procedures
APPENDIX A - PLANT/SYSTEM SPECIFIC TERMS
A.1. FOXBORO I/A SPECIFIC TERMS
Alarm Enable Status: The Foxboro I/A specific alarm enable status determines the reporting mechanism for all process alarms. The standard settings for the alarm status are “ENABLED”, “DISABLED”, or “INHIBITED”.
1. Enabled Alarm - The enabled status indicates that the alarm is functioning as configured. An alarm that is enabled provides reporting to the Alarm Managers. All features of alarm detection, the initiation of user-written programs and writing to the alarm journal are active.
2. Disabled Alarm - A disabled alarm operates without operator notification (no reporting anywhere). Disabling an alarm prevents the detection and distribution to the Alarm Manager. No indication is made that the alarm condition has occurred.
3. Inhibited Alarm - The inhibited status indicates that the alarm has been taken out of service. An inhibited alarm will not audibly notify the operator (no reporting to the Alarm Manager) in the event the criterion for an alarm exists.
Inhibited alarms are visible as being in alarm in group displays. Alarm detection and program initiation are still active for an inhibited alarm.
Alarm Priority: Foxboro provides priority settings 1 through 5:
a. Priority 1 - High Alarm is reported and historized to the system and annunciated
b. Priority 2 - Medium Alarm is reported and historized to the system and annunciated
c. Priority 3 - Low Alarm is reported and historized to the system and annunciated
d. Priority 4 - Historized and reported on a separate alarm display
e. Priority 5 - Historized and reported on a separate alarm display
BAD: Bad is a Boolean output parameter which is set true when the input to the block is unacceptable in any way.
BADOPT: Bad and Out-of-Range Option is a short integer option that specifies the conditions that set the BAD output true. Values are:
a. 0 = Bad Status only
b. 1 = Bad Status or Low Out-of-Range (LOR)
c. 2 = Bad Status or High Out-of-Range (HOR)
d. 3 = Bad Status or LOR or HOR
HLDB: High/Low Deadband is a real input that defines the size of the deadband that applies to the high, low, high-high, and low-low absolute alarm limits of the PNT output.
HLOP: High/Low Option is a configured short integer input that enables Absolute High and/or Low alarming of the PNT output, or disables absolute alarming altogether. Values:
a. 0 = No Alarming
b. 1 = High and Low Absolute Alarming
c. 2 = High Absolute Alarming Only
d. 3 = Low Absolute Alarming Only
SAO: State Alarm Option is a configurable Boolean which, when true, enables the generation of State Alarms. Values:
a. 0 = No Alarming
b. 1 = Alarming
INHIB: Suppresses all alarm message reporting, but alarm detection continues to function.
INHOPT: Specifies these alarm inhibit options:
a. 0 = Disable alarm messages when alarms are inhibited
b. 1 = Disable alarm detection when alarms are inhibited
c. 2 = Same as 0, and enable automatic acknowledgment
d. 3 = Same as 1, and enable automatic acknowledgment
OSV: Output Span Variance is a configurable real input which defines the percentage by which the output clamp limits exceed the output range defined by HSCO1 and LSCO1.
A.2. LONG HARBOUR SPECIFIC TERMS
Hold: The forcing of a controller output to a safe condition during the time a cause condition is active. This hold is maintained while the cause condition is active and does not generate an alarm.
Permissive: The prevention of starting a piece of equipment due to a cause condition that poses a risk to personnel, the environment, production or equipment. This prevention is maintained while the cause condition is active. Activation of this cause condition will however not stop the equipment if it is already running.
Assessment: When referring to the alarm management system, an assessment is a standard way to audit the alarm system and its agreement with the alarm management philosophy. It may be evident through assessment of the alarm management system and philosophy that modification is required to align with the operational needs of the plant.
APPENDIX B - SITE SPECIFIC ALARM DETECTION AND DISPLAY
B.1. COPPER CLIFF FOXBORO SYSTEM
B.1.1. ALARM PRESENTATION REQUIREMENTS
The operator user interface and its components will be designed to support and augment alarms by providing the console operators with good situational awareness and response capabilities. Some of the human factors that should be considered while designing effective operator interfaces are:
1. Systematic design of shape, color, and behavior to limit visual noise yet enhance the operator’s ability in pattern recognition.
2. Multi-level hierarchical information (graphics, trends, online information) and navigation techniques (display hierarchy, annunciator keyboard, mouse) that allow intuitive and quick access to relevant data.
3. The interface requirements are oriented to operator tasks and account for operator requirements in both normal and upset conditions.
4. Provide comprehensive and integrated alarm indication, summary, and priority information to the appropriate level of detail for the various levels of information in the display hierarchy.
5. A standardized set of identifying terms, labels, and abbreviations will be used for all plant elements and other labels used for alarm information and notification.
6. Presentation of alarms on the annunciator keyboards.
B.1.2. ALARM MESSAGING
The following are attributes of a good alarm message:
1. Clear identification of the condition that has occurred
2. Use of terms familiar to the operator
3. Use of consistent terms and abbreviations from a standard site dictionary
4. A consistent message structure
5. Does not rely on memorization of tag names or numbers
6. Checked for usability during actual plant operation
In addition to the attributes listed above, Vale Inco requires that alarm messages are clearly defined and that there are no “blank” alarms. There will not be any alarm messages that contain only the tag name. In addition, Vale Inco requires that all alarm message abbreviations, acronyms, terms and text are consistent, and that all loop tags are consistent with ISA standards. Messages will be clearly defined indicating the correct alarm condition (for example: HIGH LEVEL for a high level alarm), and operators should not have to memorize the tag names and associated alarms for each flash furnace.
B.1.3. ALARM AUDIBILITY
Audible alarms are used to inform the operator of a particular alarm in the control system. Audible indication can be provided through external horns. Vale Inco requires that a unique annunciator tone shall be used for each flash furnace for alarms with priority levels 1, 2 and 3. The two unique tones will allow the operator to quickly identify and respond to the problem. The operator will also have the ability to silence audible alarms. Non-furnace area alarms will use an annunciator tone identical to the tone configured for Furnace #2.
B.1.4. PROCESS GRAPHICS
Process graphics may enhance the cognitive ability and the speed at which the operator can process the alarm information presented. The Vale Inco requirements for process graphics include:
1. Background of elements on process graphics will turn red when in alarm and will flash continuously when in an unacknowledged state.
2. Background of elements on process graphics will remain solid red after the condition has been acknowledged until the value returns to the normal operating range.
3. All text on the CAD will be black on a white background. When an alarm appears on the CAD, its colour will be dependent on the priority. Each alarm priority will be displayed with a unique color scheme on the CAD.
4. As with the process graphics, alarms on the CAD will flash while the alarm is in an unacknowledged state. Once acknowledged, the alarm color will remain solid until the value in alarm returns to the normal operating range.
5. Red will not be used exclusively for alarms on the process graphics (red may also be used to show equipment status).
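As an added illustration (not part of this guideline, and not Vale, Foxboro or Emerson code), the following Python model shows the presentation rules of B.1.4 and the inhibit options listed in Appendix A acting on a single alarm point: the element goes to flashing red on a new alarm, to solid red once acknowledged, and back to normal when the value returns to range. How automatic acknowledgement interacts with inhibiting, and what an unacknowledged alarm does after the value returns to normal, are not stated on this page; the code marks both as assumptions.

```python
"""Alarm annunciation state model (added example; not Vale, Foxboro or DeltaV
code).  Models the display rules of B.1.4 (red in alarm, flashing while
unacknowledged, solid after acknowledgement until the value returns to normal)
and the four inhibit options of Appendix A.  Assumptions not stated in the
guideline: automatic acknowledgement (options 2 and 3) is applied only while
the point is inhibited, and an alarm that returns to normal before it is
acknowledged keeps flashing until the operator acknowledges it."""
from dataclasses import dataclass, field
from typing import List

NORMAL = "normal"             # not in alarm: element in its normal colour
UNACK = "unack_flashing"      # in alarm, unacknowledged: flashing red
ACK = "ack_solid"             # in alarm, acknowledged: solid red


@dataclass
class AlarmPoint:
    tag: str
    message: str              # condition text such as "HIGH LEVEL" (B.1.2: never the tag alone)
    limit: float              # high alarm limit on the process value
    inhibit_option: int = 0   # 0..3, meanings as listed in Appendix A
    inhibited: bool = False
    active: bool = False
    acknowledged: bool = True
    journal: List[str] = field(default_factory=list)   # messages sent to the operator

    def _detection_disabled(self) -> bool:
        # Options 1 and 3: the point is not evaluated while inhibited.
        return self.inhibited and self.inhibit_option in (1, 3)

    def _messages_disabled(self) -> bool:
        # Options 0 and 2: alarm state still changes but nothing is annunciated.
        return self.inhibited and self.inhibit_option in (0, 2)

    def _auto_ack(self) -> bool:
        # Options 2 and 3 (assumption: automatic acknowledgement only while inhibited).
        return self.inhibited and self.inhibit_option in (2, 3)

    def update(self, value: float) -> str:
        """Process one sample of the measured value and return the display state."""
        if self._detection_disabled():
            return self.display_state()
        in_alarm = value > self.limit
        if in_alarm and not self.active:
            self.active = True
            self.acknowledged = self._auto_ack()
            if not self._messages_disabled():
                self.journal.append(f"{self.tag} {self.message}")
        elif not in_alarm and self.active and self.acknowledged:
            # Acknowledged alarm returns to normal: the solid red indication clears.
            self.active = False
        return self.display_state()

    def acknowledge(self) -> str:
        """Operator acknowledgement from a faceplate, alarm summary or graphic."""
        self.acknowledged = True
        return self.display_state()

    def display_state(self) -> str:
        if not self.active:
            return NORMAL
        return ACK if self.acknowledged else UNACK
```

A point configured with option 0 still changes state while inhibited but writes nothing to the journal, so an inhibited alarm can be visible on the graphic yet absent from the message log; option 1 suppresses the detection itself. Either way the inhibit should be recorded in the operator log so the rationalization team can see which alarms were silenced and for how long.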
B.1.5. DISPLAY NAVIGATION
Graphics will be updated as required to ensure that navigation between screens is intuitive and quick. Furthermore, Vale Inco requires that Priority 1, 2 and 3 alarms be sent to annunciator keyboards. By having priority 1, 2 and 3 alarms go to the annunciator keyboard, it will be easier for the operator to respond to alarms because the annunciator keyboard will take the operator directly to the appropriate process graphic that contains the alarm point.
B.1.6. ALARM ROUTING
One of the flexibilities of the Foxboro I/A system is that alarms can be grouped and these groups can be directed to a specific list of desired workstations, printers, or historians. Routing in the Foxboro I/A system is based on a group number from 1 to 8 for alarm device destination and distribution. Up to eight destination devices can be specified for each group between group number 1 and group number 3 by configuring the GRx and DVy parameters in the compound containing the block. Up to 16 destination devices can be specified for each group between group number 4 and group number 8 by configuring the GRx and DVy parameters of the station block for the station containing the block.
B.2. LONG HARBOUR SYSTEM
All notice, warning, critical and emergency priority alarms are displayed on the alarm summary screen and a scrolling alarm banner. The alarm summary screen has the ability to annunciate in chronological priority order, unacknowledged followed by acknowledged. All alarms can annunciate with a priority-defined horn. In addition to an alarm annunciated on the alarm summary screen, the DCS graphics will also indicate those control loops that are in alarm through alarm tiles on the associated graphic displays with the associated priority color, alarm type and indication of acknowledgement. The alarm reason and suggested operator response to any alarm is available from the alarm summary screen by having access to the alarming control loop faceplate and associated graphic.

When set points are entered by an operator the process limits will be the set point limits of the controller. By practicing this, operators cannot create an alarm condition by entering a set point higher or lower than the process would allow. Examples include AC Temp set points, EW separator vacuum set points, etc. For Emergency priority gas and safety shower alarms there will be an external light indication on the plant floor in addition to DCS indications so that plant floor personnel can quickly respond upon visual indication.

Operator acknowledgement of alarms can happen from a variety of interfaces. The faceplate, the alarm summary screen, and the primary control graphic will have the ability to acknowledge active alarms associated with that display. For investigation into the alarm, the operator has one-click access to the alarm history from the associated faceplate. The operator also has one-click access to the loop’s real-time history trends and has the ability to create custom history trends with the desired points of interest. For those miscellaneous operational events that require notification, the notification can be sent to the OMC.

Through the OMC the operator can monitor or receive notification of desired process variables reaching a certain limit or after a specified time period. The operator will take corrective actions based on his or her understanding and experience with the process. The operator will also be able to access an “Alarm Reasons and Responses” (Alarm Help) faceplate from the alarm summary display or the control loop/indicator faceplate; this is a function of the Delta V version 11 software. With proper authority, operators can edit the fields of the Alarm Help faceplate. The editable fields will include the possible alarm reasons and the suggested operator responses, as these reasons and responses will become clearer throughout the plant’s operation. The non-editable fields include the time in alarm, the time to respond and the consequence of no response.

All alarm reasons and responses are initially captured during the alarm rationalization exercise. The master alarm database will be from the software used during the rationalization process. This database will be exported and imported into the Delta V software during configuration of the control system. During the plant’s operation phase the alarm configuration will be regularly exported and imported back into the alarm rationalization software so that any updates to the alarm reasons and responses by the operators can be captured. The alarm rationalization database will also be readily accessible to all plant management and staff via the business network where it will be stored.
APPENDIX C - SITE SPECIFIC ALARM PRIORITY SYSTEM
C.1. FOXBORO PRIORITY SYSTEM
Five priority levels (Foxboro I/A priorities 1 through 5) will be used:
1. Priority 1: High where the consequences of abnormal events may be reasonably expected to lead to personnel injury, an environmental incident, equipment damage, or an unplanned unit shut down.
2. Priority 2: Medium where the consequences of abnormal events may be reasonably expected to lead to a significant unit upset or economic loss. There should not be a reasonable probability of personnel injury, environmental violation, equipment damage, or unplanned unit shutdown.
3. Priority 3: Low where the consequences of abnormal events are of relatively minor significance. Delayed operator response should not affect personnel safety, environmental performance, or continued unit operation.
4. Priority 4: Operator Messages which describe events that do not require operator action. These messages will be sent to a separate screen on the operator workstations.
5. Priority 5: Maintenance Alarms which require only action by Maintenance personnel and do not require Operator action. Maintenance alarms will be sent to an information screen on the Engineering workstations in the control room. Instrumentation personnel will check these messages daily and generate work orders for the appropriate trades. In addition, Priority 5 alarms will be sent to the operator workstations and the operator will be given the ability to filter all Priority 5 alarms.
All alarms will be sent to the Alarm Historian database.
C.2. LONG HARBOUR PRIORITY SYSTEM
Industry experts’ best practice promotes assigning priorities to alarms in a logical and consistent manner. Every alarm created using this alarm management philosophy will follow these industry guidelines; each alarm priority will be assigned its own unique color that shall not represent anything else in the DCS displays. Four process alarm priorities have been defined, together with two display indication settings, one for maintenance messages and the second for silent event tracking. The priorities defined for Vale NL are listed in Table 1. (Alarm colors may require updating during graphics development)
Priority/Setting  | Indication Color | Sound Indication | Auto Ack
Low Info Alert    | BLUE             | No sound         | Yes
Medium Info Alert | YELLOW           | No sound         | Yes
Notice            | PINK             | No sound*        | No
Warning           | PURPLE           | Wav file 1       | No
Critical          | ORANGE           | Wav file 2       | No
Emergency         | RED              | Wav file 3       | No
Appendix Table 1: Priority Setting Display and Announcement Table
In order to have consistent alarm priorities that promote operator response and effectiveness, industry experts recommend the development of two important matrices: the Time to Respond Matrix and the Consequence of No Response Matrix.

Priority settings – Priority is the urgency placed on an alarm. Alarm priority settings are determined during the rationalization process through the time to respond and the consequences of no response matrices.

Notice priority – Alarms that are least critical and have the lowest priority. Operator response time is between 20 to 30 minutes.

Warning priority – Alarms that are medium priority. Operator response time is between 10 to 20 minutes.

Critical priority – Alarms that are most critical and have highest priority. Operator response time is less than 10 minutes.

Emergency priority – Alarms that require immediate operator action and have the highest priority. These alarms may signify the potential for Emergency Medical First Response or personnel evacuation. All Emergency priority alarms will include an on-screen popup to the operator. The HMI tool bar will have a distinctive indication of an active emergency alarm. There will also be an emergency alarm interactive graphic for operators to be immediately aware of where the emergency situation is occurring.

Another priority setting has been defined for information alerts. This priority has been split into two settings for use, though neither setting will be announced as an alarm to the operator.

Information Alert – This priority will be used when it is required to track events but not produce operational alarms on these events. This priority has two settings and each setting has a different color indication that indicates the associated changes in control actions.

Medium Alert – This alert type will display on the operator graphics in the alarm tile and on the module’s faceplate. This priority will signify that equipment has potentially disabled alarms and/or interlocks. Bypasses, out of service and calibration/maintenance alerts use this priority. This alert is used to remind the operator of the “out of normal” operation of a piece of equipment or instrument.

Low Alert – This alert type will display on the operator graphics in the alarm tile and on the module’s faceplate. Transmitter Faulty IO alerts use this priority. These alerts will be alarmed at the maintenance stations throughout the plant where maintenance or control system personnel will have the responsibility of troubleshooting the alert. This alert will also be used for displaying information needed by operators before they engage control actions on various pieces of equipment. For example, a sump pump will display the low alert on its graphic and faceplate where a potential destination tank is at a high level.

There are also some predefined settings for priorities that relate to particular alarms; these are applied as general rules and have not been evaluated based on response time due to their particular details. (This section will be expanded in the next revision)

Interlock Alarm – This alarm is set as a Warning Priority which will sound with a horn for the operator. Interlocks in general put the plant in a safe state and therefore corrective action has already been taken; it is the operator’s responsibility to investigate the interlock for an explanation of its occurrence before putting the process back online.

Fail Alarm – This alarm is set as a Warning Priority which will sound with a horn for the operator. Fail Alarms in general notify the operator that a control request failed to complete. It is the operator’s responsibility to investigate the failed control action for an explanation of its occurrence before putting the process back online.
C.3. ADDITIONAL SITE SPECIFIC PRIORITY TABLES
Operator Response | Maximum Time to Respond
Extended          | >30 minutes
Shortly           | 20 to 30 minutes
Promptly          | 10 to 20 minutes
Rapidly           | <10 minutes
Emergency         | Immediate Response
Appendix Table 4: Operator Response Time Matrix (all plants)
 | Minor | Major | Severe
Safety | First Aid - No disability or Lost Time Injury (LTI) | Minor Injury - (No LTI) | LTI
Environment | Contained Release – tank overflow within bounded area, no immediately harmful solutions or temperatures | Contained Release – tank overflow within bounded area, hot temperatures | Reportable Uncontained Release, tank overflow within a bounded area, immediately harmful solutions
Downtime / Production Loss / Financial | Slowdown/Disruption or less than $50,000 cost | Shutdown unit operations / product quality damage / Between $50,000 and $500,000 cost | Shutdown multiple unit operations / Greater than $500,000
Appendix Table 5: Consequence of No Action Level Matrix Long Harbour

Impact and Severity Definitions
Impact / Severity | None | Minor | Moderate | Major | Catastrophic
Health & Safety | No Injuries | First aid; no lost time | Medical Treatment; modified work but no lost time | Extensive injuries; lost time but will eventually return to work | Permanent disability or fatality; no return to work
Environment | No Injuries | Workplace; spill contained to specific work area | Level 1; spill contained to the building | Level 2; spill contained to the plant | Level 3; spill that impacts the community
Cost | No Injuries | <$100K and/or minor equipment damage; 1 furnace down for 1 hour | >$100K and <$1MM and/or equipment damage; 1 furnace down for 1 shift | >$1MM and <$10MM and/or significant equipment damage; 1 furnace down for 1 week | >$10MM and/or facility loss/plant shutdown; 2 furnaces down for 24 hours or longer
Appendix Table 5: Consequence of No Action Level Matrix Copper Cliff
Priority Level | Target Maximum Occurrence Rate
High (Priority 1) | Less than or equal to 6 per hour
Medium (Priority 2) and Low (Priority 3) | Less than 150 per day
Appendix Table 6: Copper Cliff Requirements for Target Maximum Occurrence Rate

APPENDIX D - SITE SPECIFIC RATIONALIZATION PROCESS
D.1. TEAM AND PROCESS RATIONALIZATION REQUIREMENTS AT COPPER CLIFF
The rationalization team should consist of a facilitator, at least one knowledgeable process operator, a process engineer, and a control engineer or specialist. Other stakeholders with knowledge of the process unit, its operation, hazards, and the alarm philosophy shall participate as needed. A minimum of two Vale Inco employees and a facilitator from Invensys will form the rationalization team. At least one team member will be an experienced Flash Furnace DCS control room operator; the second team member may be a DCS operator or a representative from Process Technology, Instrumentation, Mechanical Engineering, DCS, Combustion, Electrical, ERP (environmental), API, area management (superintendent) or OSHE. Other representatives from these departments will be consulted as necessary. All rationalization team members shall be rotated as necessary to maximize the efficiency of the rationalization process. Rationalization is accomplished by evaluating every point in the system on an individual basis using the P&IDs as a guide. The first step is to determine if an alarm is needed. If an alarm is needed, an appropriate activation point and priority is established. The results are documented as the team goes through the rationalization process using a checklist or other appropriate database. The rationalization process may be streamlined by developing alarm templates. Templates used for the rationalization process at Vale Inco will be designed and reviewed by personnel from Operations Management, Process Technology, Environment, Instrumentation, OSHE and Invensys.
D.2. VENDOR ALARM INPUT POLICY AT LONG HARBOUR
The commercial plant has many vendor equipment packages. Each vendor is required to provide a rationalized alarm and event list. Vale shall use the vendor alarm list for importing into the Delta V software during commissioning. Throughout the plant operation vendor alarms will require rationalizing to ensure they meet the Vale alarm configuration guidelines within the alarm philosophy.
APPENDIX E - SITE SPECIFIC ALARM CONFIGURATION GUIDELINES
E.1. CONFIGURATION AT COPPER CLIFF
The following guidelines will be followed in the alarm configuration process at Vale Copper Cliff:
1. The master alarm database will reside in the PSS software.
2. If the current functionality includes having both high and high-high alarms or both low and low-low alarms generated for start permissive or equipment trip conditions, consideration must be given to determine whether it is necessary to have both alarms presented to the operator for the same process variable. Furthermore, both alarms may require different responses from the operator. Alarms that do not require the operator to take a defined response should be eliminated.
3. Consideration should be given to the idea that pre-alarms may need to be at a higher priority than the trip point because once the trip point has been reached, there is little that the operator can do.
4. One of the challenges will be to maintain the integrity of the database. The existing operator log will be used to communicate the status of the alarm system and track alarm setting changes, and the current MOC process will be used to document and implement database changes.
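The occurrence-rate targets in Appendix Table 6 are only useful if somebody measures against them. The following Python script is an added example (not Vale or Invensys code) of that check run over an alarm journal: it counts Priority 1 alarms per clock hour against the 6-per-hour target, Priority 2 and 3 alarms per day against the 150-per-day target, and lists the most frequent tags as candidates for the rationalization team. The journal line format and the sample lines are constructed for illustration; an export from the Foxboro I/A alarm historian would need its own parser.

```python
"""Alarm occurrence-rate check against the Copper Cliff targets in Appendix
Table 6 (added example; not Vale or Invensys code).  The journal format
"date time priority tag message" and the sample lines are constructed."""
from collections import Counter
from datetime import datetime

HIGH_PER_HOUR_MAX = 6      # High (Priority 1): at most 6 per hour
MED_LOW_PER_DAY_MAX = 150  # Medium and Low (Priority 2 and 3): fewer than 150 per day

# Constructed sample journal: one morning with a burst of Priority 1 alarms at 08:00.
SAMPLE_JOURNAL = """\
2013-06-25 08:00:12 1 FT-2101 LOW FLOW
2013-06-25 08:03:40 1 FT-2101 LOW FLOW
2013-06-25 08:05:02 1 FT-2101 LOW FLOW
2013-06-25 08:09:55 1 TT-2107 HIGH TEMPERATURE
2013-06-25 08:15:30 1 FT-2101 LOW FLOW
2013-06-25 08:22:18 1 LT-2110 HIGH LEVEL
2013-06-25 08:41:07 1 FT-2101 LOW FLOW
2013-06-25 09:10:33 2 PT-2120 HIGH PRESSURE
2013-06-25 09:12:45 3 AT-2130 LOW PH
2013-06-25 09:30:00 1 TT-2107 HIGH TEMPERATURE
2013-06-25 10:02:14 2 LT-2110 HIGH LEVEL
"""


def parse_journal(text):
    """Return a list of (timestamp, priority, tag, message) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, prio, tag, msg = line.split(maxsplit=4)
        stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((stamp, int(prio), tag, msg))
    return events


def hourly_high_counts(events):
    """Priority 1 alarms per clock hour, keyed 'YYYY-MM-DD HH'."""
    counts = Counter()
    for stamp, prio, _, _ in events:
        if prio == 1:
            counts[stamp.strftime("%Y-%m-%d %H")] += 1
    return dict(counts)


def daily_med_low_counts(events):
    """Priority 2 and 3 alarms per day, keyed 'YYYY-MM-DD'."""
    counts = Counter()
    for stamp, prio, _, _ in events:
        if prio in (2, 3):
            counts[stamp.strftime("%Y-%m-%d")] += 1
    return dict(counts)


def target_breaches(events):
    """Human-readable list of periods in which a Table 6 target was exceeded."""
    breaches = []
    for hour, n in sorted(hourly_high_counts(events).items()):
        if n > HIGH_PER_HOUR_MAX:
            breaches.append(f"High: {n} alarms in hour {hour} (target <= {HIGH_PER_HOUR_MAX})")
    for day, n in sorted(daily_med_low_counts(events).items()):
        if n >= MED_LOW_PER_DAY_MAX:
            breaches.append(f"Medium/Low: {n} alarms on {day} (target < {MED_LOW_PER_DAY_MAX})")
    return breaches


def top_bad_actors(events, n=3):
    """Most frequent tags: first candidates for the rationalization team to review."""
    return Counter(tag for _, _, tag, _ in events).most_common(n)


if __name__ == "__main__":
    evs = parse_journal(SAMPLE_JOURNAL)
    for breach in target_breaches(evs):
        print(breach)
    print("Bad actors:", top_bad_actors(evs))
```

On the sample journal the 08:00 hour carries seven Priority 1 alarms, five of them from the same flow transmitter, which is the pattern (one chattering tag pushing the rate over target) that a periodic assessment of the kind described in Appendix A.2 is meant to surface.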
E.2. CONFIGURATION AT LONG HARBOUR
The items below should always be applied where the situation exists.
The goal of the alarm system is to help the operator in mitigating undesired situations within the plant; the use of pre-alarms is encouraged where the operator actions are different in the pre-alarm condition and the response time for the pre-alarm condition is sufficient to respond and take corrective action.
In general and where possible emergency or critical priority alarms should have a pre-alarm to allow the operator to take corrective action earlier.
If there is no instrument within a module then the faulty IO alarm should not be enabled. Rationalization will determine whether the event should be an alarm and be directed to the operator station; otherwise the event is transferred to the maintenance station.
No alarms will be generated on associated loops or devices of a locked out piece of equipment, but there will be an on screen indication of a maintenance lockout and the associated equipment will be unable to be started remotely.
An instrument being placed out of service while being calibrated should not activate interlocks and alarms related to the control loop. An “out of service” message should be seen on the Operator message center.
Any equipment running, whether in maintenance or remote mode, is considered running in the DCS.
Alarming should be state based if there are multiple modes in which the equipment operates.
In batch operated systems a tank is expected to be fed or discharged until certain high or low levels are hit; no alarming is necessary because this will be part of the system’s normal operation. This type of process may require a sequence that can be displayed on the DCS. For normal operating sequences of equipment the surrounding alarms must be reviewed for false alarming possibilities. Be sure to document any steps of the sequence where alarm settings require change during rationalization.
All redundant equipment must have alarms configured so that when one is running the second is not in alarm; this configuration should enable both to operate at the same time and still produce an interlock alarm if one is interlocked for some reason.
In situations where a parent-child relationship exists the alarm indication should be on the best indicator of the situation’s root cause. If an interlock occurs then the interlock with the associated first-out would be the best indicator of the root cause.
It is Vale’s plan to update this section throughout the plant lifecycle to include configuration guidelines for specific alarm types, including but not limited to:
o Flammable and toxic gas priorities
o Safety shower and eye wash station activations
o External device health and status alarms
o ESD shutdowns and bypass alarms
All options described below are methods of dealing with an alarm problem conceived through rationalization or analysis. Methods are implemented on a case by case basis.
When the feed or discharge to a loop is stopped (i.e. the pump is off) then the loop can silence any low flow, low level or high level alarms that were annunciated prior to the feed or discharge stopping. The same rule can apply to heat exchangers, pressure transmitters, etc.
Plant standard is to generate an alarm in a redundant pump set when both pumps are running after a set amount of time.
If set points are accepted to change regularly, or it is process-preferred to maintain process variables within a range of the set point, then set point deviation alarms should be used in the loop.
Flows that can regularly plug up can have a plug alarm set up on them. This plug alarm should be based on the current set point and output compared with those from a “time period” ago. If the set point is equal and the output has increased by more than a decided percentage then this alarm will ring in to warn the operator of the plugging.
It is preferred to have percent hi or lo deviation alarms on flow setpoints instead of hi and lo flow alarms. Where a pump needs to stop on a lo lo flow there should be an interlock.
Level indications can have a rate of change alarm that would draw attention to a potential problem. The operator can enter a desired level indication set point to base the rate of change on.
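The configuration rules above (silencing flow and level alarms when the feed or discharge pump stops, the redundant-pump timer, percent deviation from set point, the plug alarm and the level rate-of-change alarm) are each a small piece of logic, and writing them out makes the edge cases visible. The Python below is an added illustration, not Vale configuration and not DeltaV code; the threshold values, the units, the sample names and the sample data are all constructed.

```python
"""Worked versions of the Long Harbour configuration rules in E.2 (added
illustration; not Vale or DeltaV configuration).  Thresholds, units and sample
data are constructed."""
from dataclasses import dataclass
from typing import List, Optional

# Alarms the guideline allows a loop to silence once feed or discharge has stopped.
SUPPRESSIBLE_ON_STOP = {"LOW FLOW", "LOW LEVEL", "HIGH LEVEL"}


@dataclass
class LoopSample:
    t: float     # seconds since start of record
    sp: float    # set point, engineering units
    pv: float    # process variable, engineering units
    out: float   # controller output, percent


def active_alarms_after_stop(feed_running: bool, alarms: List[str]) -> List[str]:
    """State-based suppression: with the pump off, low flow / level alarms raised
    before the stop are silenced; every other alarm stays active."""
    if feed_running:
        return list(alarms)
    return [a for a in alarms if a not in SUPPRESSIBLE_ON_STOP]


def redundant_pump_alarm(both_running_since: Optional[float], now: float,
                         limit_s: float) -> bool:
    """Plant standard: alarm once both pumps of a redundant set have been
    running together for at least limit_s seconds (None = not both running)."""
    return both_running_since is not None and now - both_running_since >= limit_s


def deviation_alarm(sp: float, pv: float, pct: float) -> Optional[str]:
    """Percent hi/lo deviation from set point, preferred over fixed hi/lo flow limits."""
    if sp == 0:
        return None                      # deviation is undefined at a zero set point
    dev = (pv - sp) / abs(sp) * 100.0
    if dev > pct:
        return "HI DEVIATION"
    if dev < -pct:
        return "LO DEVIATION"
    return None


def plug_alarm(history: List[LoopSample], period_s: float, pct_points: float) -> bool:
    """Compare the newest sample with the one a 'time period' ago: same set point
    but output up by more than pct_points suggests the line is plugging."""
    latest = history[-1]
    ref = None
    for s in history:
        if s.t <= latest.t - period_s:
            ref = s                      # newest sample that is at least period_s old
    if ref is None or ref.sp != latest.sp:
        return False                     # set point moved: an output change is expected
    return latest.out - ref.out > pct_points


def level_rate_alarm(prev_level: float, level: float, dt_s: float,
                     max_rate_per_min: float) -> bool:
    """Rate-of-change alarm on a level; max_rate_per_min is the operator-entered limit."""
    rate = (level - prev_level) / dt_s * 60.0
    return abs(rate) > max_rate_per_min


if __name__ == "__main__":
    trend = [LoopSample(0, 50, 50, 40), LoopSample(60, 50, 49, 42),
             LoopSample(120, 50, 48, 47), LoopSample(180, 50, 47, 58)]
    print("plug suspected:", plug_alarm(trend, period_s=120, pct_points=10))
    print("deviation:", deviation_alarm(50.0, 56.0, 10.0))
    print("after pump stop:", active_alarms_after_stop(False, ["LOW FLOW", "HIGH PRESSURE"]))
```

Two details worth noting when configuring the real thing: the plug alarm compares against the newest sample that is at least one period old rather than an exact timestamp, so irregular sample spacing does not silently disable it, and a set point change between the two samples disables the comparison, which is the guideline's "if the set point is equal" condition.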
10.0 APPENDICES
Appendix A: Revision and Transition Notes
Appendix B: Keywords

Appendix A: Revision and Transition Notes
(Revisions are listed in reverse chronological order with most recent revision at the top. Revision notes describe: what was changed, why it was changed, and the plan to implement the change, including whether changes are retroactive)
Revision 1: 1st Issue

Appendix B: Keywords