1. Traversing N-Space with Todd
The practical application of N-dimensional visualization tools for Alarm Management
2. Photography & Video Recording Policy
Photography and audio/video recording is not permitted in any session, or in the exhibition areas, without press credentials or written permission from the Emerson Exchange Board of Directors. Inquiries should be directed to: EmersonExchange@Emerson.com
Thank you!
5. Presenter (2) – Todd Stauffer
■ Alarm Management Consultant at exida
■ Product Manager, SILAlarm
■ 18+ Years of Experience in Automation
■ Editor & Voting member of ISA18.2
■ Co-chair of ISA 18.2 Working Group 3
■ Trainer for ISA Alarm Management Class
6. Alarm Management – a Descent through the 7 Circles?
[Figure labels: PHA-HAZOP; LOPA; Alarm Rationalization; People designing overview displays]
7. There’s Value Beyond Mere “Compliance”
■ Sure, it’s OSHA RAGAGEP -
■ Experienced operators headed out the door for full-time golf
■ Experienced engineers headed out the door for full-time golf
■ More and more spots being filled by operators who’ve yet to “see it all”
■ THE DCS DOES LITTLE TO GUIDE PEOPLE’S ACTIONS DURING UPSETS
■ “Alarm Help” - an opportunity for knowledge transfer
9. Selling the Project to Management
■ The Plant Manager was sold on the effort as “knowledge transfer”
■ We were pleasantly surprised to find both “sister” plants and upper management were in tune with the effort
■ It was preferable to fund as a capital project
■ We didn’t want to “DIY” an Alarm Management Program
■ PPCL CVE purchased for its usefulness in analyzing alarm limits & operating envelopes, as well as other capabilities, e.g. analyzing abnormal situations
■ Based our Phase II funding on LBP/Exida proposal, chosen for its unique integration capabilities with DeltaV DCS
10. What is an Alarm?
■ Alarm: An audible and/or visual means of indicating to the operator an equipment malfunction, process deviation or other abnormal condition requiring a (timely) response. (ISA-18.2/IEC 62682)

Type of Event | Operator Action Required | No Operator Action Required (Informational)
Abnormal | Alarm | Alert
Expected | Prompt | Message

[Figure labels: Events, Alarms, Alerts, Prompts]
11. What is Alarm Rationalization
■ Rationalization: The process to review potential alarms using the principles of the alarm philosophy, to select alarms for design, and to document the rationale for each alarm.
Goal - to create the minimum set of alarms needed to keep the plant safe and within normal operating limits
Rationalization Process
1. Check Alarm Validity
2. Determine Consequence of Inaction
3. Document Cause, Confirmation, and Corrective Actions
4. Document Operator Response Time
5. Assign Alarm Priority
6. Alarm Classification
7. Determine Alarm Activation Point (Limit)
8. Verify remainder of alarm attributes
9. Assess need for special handling
[Figure: alarm management lifecycle diagram, stages labeled A through J: Monitoring & Assessment, Philosophy, Audit, Rationalization, Identification, Detailed Design, Implementation, Maintenance, Operation, Management of Change]
12. How We Use It . . .
■ Exida SILalarm® optimized for DeltaV
■ A structured process for rationalization meetings
■ If we can fill these boxes with meaningful causes, consequence, and corrective actions, then it “passes muster” as an alarm (it is valid)
This box gets checked if you have “Alarm Help” to populate
[Figure labels: Cause, Consequence, Corrective Actions]
13. Once You Decide It’s an Alarm . . .
■ An Alarm Setpoint can perhaps be “optimized”
– Optimum time for operator response (early warning but not “too early”)
– Not so close to normal operations that it creates nuisance alarms
14. Ashland Alarm Design – Possible Alarm Conditions
■ Every alarm evaluated for distinct cause, consequence, and operator action
[Figure callouts: Set based on Design Constraints; Candidates for Optimization (CVE)]
15. Process Constraints
■ Process limits are interdependent and dynamic
■ We can visualize constraints in 2 or 3 dimensions
■ A process unit can have hundreds of variables with varying degrees of interdependence
■ The real “normal” operating envelope is a multidimensional cube whose shape is changing with time
[Figure labels: Upper Safe Limit, Lower Safe Limit, Upper Control Limit, Lower Control Limit, Normal Operating Range]
16. The “normal” or “optimum” envelope . . .
■ Constraint “box” isn’t a box
■ It isn’t static
■ Variables interact
17. If the Envelope isn’t a box, how do you visualize it?
■ Using parallel coordinates:
22. A “Pre-Rationalization” Process
■ One moderately experienced individual working alone can perform pre-work to identify alarm rate, bad actors, potential redundancies based on “reality” of history
■ Derive a comprehensive operating envelope and suggested (improved) alarm settings for various process states
■ Identify operational modes: Startup, normal operation, total recycle, shutdown
■ Test the new alarm limits against historical data
23. Feed CVE Your Plant Data
■ Export tags and setpoints, using SILalarm export capabilities
■ Query historian (PI) and create CSV file
Do simple PI queries to check that the tags are in PI historian, then use the list to construct a CVE data file
Each row becomes a “line” of observations on the parallel coordinate graph
24. Data is first filtered for target operating state
The gaps in “Elapsed Time” show when the process was down.
25. Import Alarm Limits (High & Low only)
Red tick marks indicate alarm limits
Yellow band is observations with zero alarms
26. Still a painstaking process . . .
■ Begin by identifying variables which were never in alarm (possibly easy targets for rationalization)
■ Sort out those variables with “a countable few” observations in alarm; verify with queries
■ Progress through all alarming variables up to and including “bad actors”
■ Look for uniqueness & redundancies . . .
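The pre-rationalization check described on slides 22 to 26, as an added example (not part of the original presentation, and not CVE or SILalarm code): it filters historian rows for one operating state, counts observations outside each tag's high/low limits, and buckets tags as never in alarm, a countable few, or bad actor. The tag names, values, limits and the `few` threshold are constructed assumptions.

```python
import csv
import io

# Constructed historian export (not plant data): one row per observation.
HISTORY = """elapsed_min,state,TI-101,FI-102,LI-103
0,startup,90,10,15
10,startup,110,25,18
20,normal,150,40,50
30,normal,152,34,52
40,normal,155,33,55
50,normal,149,41,51
60,normal,185,32,49
70,normal,151,42,50
80,normal,150,31,53
90,normal,153,45,52
100,normal,148,30,50
110,normal,150,44,51
"""
# Constructed (low, high) alarm limits per tag, as exported setpoints would give.
LIMITS = {"TI-101": (120, 180), "FI-102": (35, 60), "LI-103": (20, 80)}

def load(text, state):
    """Parse the CSV and keep only rows for the target operating state."""
    return [r for r in csv.DictReader(io.StringIO(text)) if r["state"] == state]

def in_alarm(row, tag, limits):
    """True when the observation is below the low or above the high limit."""
    lo, hi = limits[tag]
    return not lo <= float(row[tag]) <= hi

def alarm_report(rows, limits, few=2):
    """Per tag: (observations in alarm, percent in alarm, review bucket)."""
    report = {}
    for tag in limits:
        n = sum(in_alarm(r, tag, limits) for r in rows)
        bucket = "never" if n == 0 else "few" if n <= few else "bad_actor"
        report[tag] = (n, round(100.0 * n / len(rows), 1), bucket)
    return report

def quiet_rows(rows, limits):
    """Observations with zero alarms on every tag (the zero-alarm band)."""
    return [r for r in rows if not any(in_alarm(r, t, limits) for t in limits)]

if __name__ == "__main__":
    normal = load(HISTORY, "normal")
    print("current :", alarm_report(normal, LIMITS))
    proposed = dict(LIMITS, **{"FI-102": (29, 60)})  # tentative new low limit
    print("proposed:", alarm_report(normal, proposed))
    print("zero-alarm observations:", len(quiet_rows(normal, LIMITS)))
```

Running the same report on the `startup` rows with the normal-operation limits shows every startup observation in alarm on TI-101, which is why limits are tested per operating state.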
28. Tentative Alarm Settings Generated:
These can be exported as a CSV file and pasted back into the spreadsheet exported by SILAlarm as “CVE Limits”
29. Method 2: Have an Instance of CVE Open
■ If we weren’t able to prepare CVE limits in advance, we could load data for the process area of interest and test alarm limits as we went
■ Participants could see how many / what percent of observations would have been in alarm
(CVE Demo Here)
30. Rationalization Results
Before
■ Enabled Alarms: 6,989 (out of 7309)
■ Priority Distribution
After
■ Enabled Alarms: 2,163
■ Eliminated Alarms: 4,442*
■ Non Alarms: 670 (Alerts / Prompts)
■ Priority Distribution
[Priority distribution charts not reproduced; one surviving chart label: 2.0%]
31. DeltaV Alarm Help
■ Helps the Operator respond more effectively
– What happened? (Likely cause(s) for the alarm)
– What will happen if I don’t respond? (Consequences)
– What should I do? (Operator Action)
– How can I verify it’s not a false alarm? (Confirmation)
– How much time do I have to respond?
■ Implement directly from rationalization results (SILAlarm)
■ Operator acceptance / feedback?
[Figure labels: DeltaV Alarm Help, SILAlarm]
32. Rationalization – Lessons Learned
■ A large number of High-High and Low-Low alarms require no further operator response
■ We have a larger than expected number of “LOPA Listed” alarms – more reliance on individual measurements than we thought
■ Involving operators from all crews helps with buy-in and training
■ State based suppression is intimidating – how to detect boundaries between states, potential aw-shucks – are we smart enough?
■ HAZOP revalidation will be performed more mindful of the alarm system
■ Rationalization sessions were educational for novice and intermediate operators
33. Operator Training
■ Inform operators of changing alarm priorities, sounds, and alarm help
■ Many configured alarms are going away:
– The alarm was never configured (setpoints were at the “default” -9999 or +9999 since 2000)
– No additional operator action (that is, the “High-High” or “Low Low” have the exact same cause, consequence, and response as the “High” or “Low”)
– No operator response (MUX_COMM, for example)
– Better Indications for abnormal situations (another alarm is going to alert you to a problem and this one would be redundant at best – for example, the turbine lube oil temperature (on the skid) is a better indication of a problem than the reservoir temperature)
– No consequence of concern (like low temperature on the suction of the air machine)
– Equipment out of service (John Crane seals, TEP skid)
34. Operator Training: Priority = Urgency + Severity
■ Priorities now have different (more meaningful) meanings:
35. Operator Training: Prompts and Alerts are new
■ Toolbar button and separate summary for prompts and alerts
37. Operator Training: Alarms that are no more
■ What isn’t an alarm anymore and why . . .
LIC-89507-P-DV_HI_ALM LIC-89507 LP Condensat Drum Level Deviation Alarm % 0 100 No Alarm WARNING Per ART, Alarm Never Configure
LIC-89507-P-DV_LO_ALM LIC-89507 LP Condensat Drum Level Deviation Alarm % 0 100 No Alarm WARNING Per ART, Alarm Never Configure
LIC-89507-P-HI_ALM LIC-89507 LP Condensat Drum Level High Alarm % 0 100 Advisory WARNING 5-15 M
LIC-89507-P-HI_HI_ALM LIC-89507 LP Condensat Drum Level High High Alarm % 0 100 No Alarm WARNING no additional operator action
LIC-89507-P-LO_ALM LIC-89507 LP Condensat Drum Level Low Alarm % 0 100 Advisory WARNING 15-45
LIC-89507-P-LO_LO_ALM LIC-89507 LP Condensat Drum Level Low Low Alarm % 0 100 No Alarm WARNING no additional operator action
LIC-89507-P-PVBAD_ALM LIC-89507 LP Condensat Drum Level General I/O Failure Advisory ADVISORY per APD
LIC-89508-P-CUST-OUTPUT LIC-89508 MP Condensat Drum Level Deviation Alarm No Alarm LOG No operator response
■ *Formatted report from SILalarm
38. Alarm Management - Next Steps
■ Complete Rationalization
■ Operator Training
■ Deploy rationalized database to DeltaV
■ Enable Conditional Alarming
■ Implement Advanced Alarming
– State-Based Alarming
– Alarm Flood Suppression
■ DeltaV Alarm Help
Alarm Management Program / Process
39. With About 60% of Rationalized Alarms Deployed
■ Alarm Flood is still a vexing issue – about 800 in an hour
[Chart: alarm count by priority; axis 0 to 1200; categories CRITICAL, SAFETY_EQUIP, ENVIRONMENTAL, ISO9000, WARNING, ADVISORY, ALERT, PROMPT]
Alerts & Prompts account for > 25% of “flood”
40. But a Big Improvement over Days of Yore
■ Roughly 35% of former alarm rate
[Chart: alarm count by priority; axis 0 to 2500; categories CRITICAL, SAFETY_EQUIP, ENVIRONMENTAL, ISO9000, WARNING, ADVISORY]
Initially, Hydrogen plant trip caused its own flood
Without reliable Hydrogen supply, the rest of the unit is intentionally shut down
41. Another Prior Year Shutdown Flood
[Chart: alarm count by priority; axis 0 to 2500; categories CRITICAL, SAFETY_EQUIP, ENVIRONMENTAL, ISO9000, WARNING, ADVISORY]
Priority distribution is flat, giving operators little guidance about what’s important
High alarm load prior to trip may have contributed to (novice) operator error
43. Business Results Achieved
■ Alarm System is transforming from a nuisance to a useful tool for situational awareness
■ Alarm Help is aiding novice and intermediate operators to understand the meaning and consequence of configured alarms
■ There’s a better understanding of the degree to which the plant relies on the measurement and control system, and where to focus efforts for calibration and testing
44. Summary
■ Alarm Management – There’s Value Beyond Compliance
■ Cool tools allow us to reveal the mysteries of the operating envelope
■ New relationships (e.g., valve position versus flow) can be tested for a reliable indication of abnormal situations
■ Advanced alarming – state based suppression – is necessary for managing alarm loads during trip events
45. Where To Get More Information
■ Exida.com
■ Ppcl.com
46. Thank You for Attending!
Enjoy the rest of the conference.