GU-513 - PDO - Guidelines For Alarm Management and Rationalization, Dec 2009

Petroleum Development Oman L.L.C.
UNRESTRICTED Document ID: GU-513

Dec-09 Filing Key: Business Control
Engineering and Operations
Guidelines for Alarm

Management And
Rationalisation
User Note:
A controlled copy of the current version of this document is on PDO's EDMS. Before making
reference to this document, it is the user's responsibility to ensure that any hard copy, or
electronic copy, is current. For assistance, contact the Document Custodian or the Document
Controller.
Users are encouraged to participate in the ongoing improvement of this document by providing
constructive feedback.
Please familiarise yourself with the

Document Security Classification Definitions
They apply to this Document!
This document is the property of Petroleum Development Oman, LLC. Neither the whole nor any part of
this document may be disclosed to others or reproduced, stored in a retrieval system, or transmitted in
any form by any means (electronic, mechanical, reprographic recording or otherwise) without prior
written consent of the owner.
Revision: 2.0
Petroleum Development Oman LLC Effective: Dec-09
This page was intentionally left blank
Page 2 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

Rationalisation
The controlled version of this CMF Document resides online in Livelink®. Printed copies are UNCONTROLLED.
Revision: 2.0
i Document Authorisation
Authorised For Issue – December 2009
Document Authorisation
Document Authority Document Custodian Document Controller
(CFDH)

Rationalisation
Revision: 2.0
ii Revision History
The following is a brief summary of the 4 most recent revisions to this document. Details of all
revisions prior to these are held on file by the issuing department.
Revision No. Date Author Scope / Remarks
2.0 Dec–09 Salim Hinai, UES Refer to Appendix 7 for Summary of

Changes
1.0 Dec-05 M. Shujauddin / Salim First Issue for Implemetation
Hinai
iii Related Business Processes

Code Business Process (EPBM 4.0)
EP.64 Design, Construct, Modify and Abandon Facilities
iv Related Corporate Management Frame Work (CMF)

Documents
The related CMF Documents can be retrieved from the CMF Business Control Portal.
CP-114 Maintenance and Integrity Management - CoP

SP-1243 Corporate Philosophy for Control & Automation

Rationalisation
Revision: 2.0
TABLE OF CONTENTS
i Document Authorisation........................................................................................................ 3
ii Revision History.................................................................................................................... 4
iii Related Business Processes................................................................................................4
iv Related Corporate Management Frame Work (CMF) Documents........................................4
Summary...................................................................................................................................... 7
1 Introduction........................................................................................................................... 8
1.1 Background..................................................................................................................... 8
1.2 Scope and objectives...................................................................................................... 8
1.3 Operational Excellence.................................................................................................... 9
1.4 Alarm Response analysis.............................................................................................. 10
1.5 Distribution, intended use and regulatory considerations..............................................12
2 Definitions and Meanings.................................................................................................... 13
2.1 General definitions........................................................................................................ 13
2.2 Specific definitions Include definitions for each alarm type...........................................13
3 ALARM RATIONALISATION REVIEW...............................................................................14
3.1 General Requirements.................................................................................................. 14
3.2 Recommended Measures............................................................................................. 14
3.3 Alarm Management and Rationalisation Review Process.............................................16
3.4 Steps for Alarm Management and Rationalisation study...............................................16
3.4.1 Preparatory works................................................................................................... 16
3.4.2 Timing..................................................................................................................... 16
3.4.3 Required Documents.............................................................................................. 17
3.4.4 Team Composition.................................................................................................. 17
3.4.5 AMR Facilitator....................................................................................................... 17
3.4.6 AMR Secretary....................................................................................................... 18
3.4.7 Master alarm database and report..........................................................................18
4 ALARM PRIORITISATION GUIDELINES...........................................................................20
4.1 Assigning of Activities and Alarm Priorities...................................................................20
4.2 Guidelines for Normal Distribution of Alarms among Priority Level...............................22
5 ALARM SUPPRESSION – IMPLEMENTATION GUIDELINES..........................................23
5.1 Static alarm suppression............................................................................................... 23
5.2 Dynamic Alarm Suppression......................................................................................... 24
5.3 Dynamic mode dependent alarm settings.....................................................................26
6 OPERATOR’S HELP MENU............................................................................................... 29
7 ALARM MANAGEMENT PERFORMANCE MEASUREMENT...........................................30
7.1 The number of configured alarms per panel operator...................................................30
7.2 The average alarm rate per PANEL operator................................................................31
7.3 Indication of frequent alarms......................................................................................... 31

Rationalisation
Revision: 2.0
7.4 The Mean Time Between Alarm....................................................................................31

7.5 Number of alarms following a trip..................................................................................31
7.6 Number of standing alarms........................................................................................... 32
7.7 Benchmarking............................................................................................................... 32
7.8 Improvement................................................................................................................. 33
7.9 Overall Alarm Management process.............................................................................33
8 REFERENCES................................................................................................................... 37
Appendix 1 – Typical ARM Info Pack......................................................................................... 38
Appendix 2 – AMR Report/Close Out Report.............................................................................39
Appendix 3 – AMR Work Process.............................................................................................40
Appendix 4 – AMR Workshop Request.....................................................................................42
Appendix 5 – Abbreviations....................................................................................................... 43
Appendix 6 – Master Alarm Database to be used for Alarm Rationalization Exercise..............44
Appendix 7 – Summary of Changes.......................................................................................... 45

Rationalisation
Revision: 2.0
Summary
This document is created to provide a guide for the execution of Alarm Rationalisation Review
of PDO facilities, in order to provide operator with meaningful alarms, i.e. an adequate set of
warning facilities during normal and upset operation whilst minimising, as far as is reasonably
practicable:
 Standing alarms
 Nuisance alarms
 Repeating alarms
 Alarms floods
 Bad PV alarms
 System Alarms
It thus:
1. Gives a brief overview on the Alarm Rationalisation review process and alarm
prioritisation guidelines.
2. Contains specific PDO data which are necessary to ensure a fit-for-purpose and
consistent approach to all alarm rationalisation review process.
3. Outlines the endorsement process of the recommendations and the close-out
procedure.
4. Guides users to a safe, cost effective and consistent design and implementation of
alarms in an instrumentation system (FCS, DCS, IPS panels (if any), F&G Panels,
Local panels etc.
5. Gives a brief overview of the overall Alarm Management Process for new facilities and
existing facilities.
This document shall always be used in conjunction with the Shell DEP 32.80.10.14-Gen Alarm
Management, June’2007

Rationalisation
Revision: 2.0
1 Introduction
1.1 Background
It has been widely recognised that lack of a clear philosophy for “Alarm Management”
on process plants controlled by a Distributed control system (DCS) or a Fieldbus based
control system (FCS) often results in there being too many alarms, leading to problems
with:
 Standing alarms;
 Nuisance alarms;
 Bad PV alarms;
 Frequently repeating alarms;
 Alarm floods;
 System alarms
 The operator’s inability to prioritise remedial actions.
Alarms, if not rationalised and managed can seriously impair the operator’s ability to
manage the process. Alarms floods during upset conditions can cause a minor event to
escalate into a more serious incident. This is contrary to the design intent, which should
seek to assist the operator to control the plant, avoid upsets and mitigate the
consequences of undesirable events.
The guidelines on setting alarm priorities are generally based on the actions the
operator needs to perform upon the alarm. Practical experience has shown that
establishing the alarm priority based on an assessment of risk and the consequence
when the alarm is not actioned upon requires disproportional efforts in relation to the
results. Moreover this risk-based approach often does not offer acceptable or reliable
results.
Setting the priorities of alarms is meant to help the operator to prioritise his actions.
However if the alarm rate is low, prioritisation is not required. If the alarm rate is high,
the operational situation is already deteriorated to such an extent that the operator no
longer uses the alarm system to assess the situation and to prioritise his actions.
Hence just setting different alarm priorities have little practical relevance.
It is therefore felt that instead of spending efforts on setting alarm priorities, attention
should be focussed on the ability of the alarm system to provide meaningful alarms
under most or all the operating conditions including upset and trip conditions.
1.2 Scope and objectives

This document provides Guidelines for classifying the alarms, assigning of alarm
priorities, reviewing the alarm configurations and guidelines for managing them.
The guidelines provided in this document are based on good industry practice rather
than any national or international regulations or standards or codes of practice. Whilst
there is presently no such document covering the configurations of FCS/ DCS alarm
systems in general, some standards and codes of practice for machinery and other
equipment may include specific requirements on alarm provisions. Under these
circumstances, it may be necessary to adjust this methodology to maintain compliance
with mandatory aspects of these codes and standards.
The overall objective is to review all alarms given their prime purpose, to ensure only
meaningful alarms are provided and to achieve a significant improvement in the alarm
system operability.

Rationalisation
Revision: 2.0
A “best practice” alarm system provides meaningful alarms under operating conditions
including upset and trip conditions.
The Operator role varies considerably within PDO plants. There are 3 types of operator
roles that have major impacts on alarm management:
1. Plants run with an Operator staffing the panel (manned, for 8 hrs minimum).
2. Plants run with Operators routinely making trips to wells etc. that may be 30
minutes drive or more from the panel. In this case, it is clear that no alarm
should require quick action – unless the alarm is used to avoid automatic
shutdowns where the Operator happens to be present when the alarm occurs.
3. There is also a Central Control Room (CCR) where Operators remotely monitor
all PDO plants. It is clear that this case means that CCR Operators are
effectively covering far more alarms than is reasonable – but they cannot act
on many of them anyway due to their remote location. It may be appropriate to
consider displaying only the higher-priority alarms at this location (e.g. Urgent
and High as per Table 4.1).
This document defines the generic Alarm Guidelines for all PDO sites and will need to
be augmented by other documents that cover system-specific considerations.
The guidelines provided in this document are based on established industry best
practices and, in particular, the EEMUA 191 guidance. That guidance is primarily
oriented to situations as per the first case above – where there is an Operator present
at the panel
1.3 Operational Excellence

Currently operators spend 20 to 25% of their time on scheduled activities. The
remainder of their time is spent on unscheduled re-active work responding to situations
that actually should not have happened. This is visualised in Figure 1-1.
100%
Handling trips
80%
Handling the alarms
60%
process upsets
40%
20% Unscheduled activities

non-control
0%
Scheduled activities
Good
Normal
Excellent
Figure 1-1: Percentage of time an operator spends on various activities

Rationalisation
Revision: 2.0
In Figure 1.1 the 'normal' shows the current state of affairs. A disproportional fraction of
the time is spent on handling alarms. The fraction of time spent on correcting process
upsets is even less than in the 'good' situation as the upset condition generates a lot of
meaningless alarms that still need to be handled.
In a much-improved situation, the operator spends 50% of his time on pro-active
activities. Ideally this percentage is even 80% as shown in the 'excellent' column.
The 'good' and 'excellent' are shown as targets to base the design of the alarm system
on.
The alarm management methodology described in this paragraph aims at bridging the
gap between the current state of affairs in most operating units and the good/excellent
targets.
Of course apart from managing alarms properly, base layer control and IPF's should be
optimised as well to allow the targets to be achieved.
1.4 Alarm Response analysis

When considering the design of an alarm system, it is reasonable to assume that
operators and technicians are well trained and knowledgeable about the equipment
they operate and maintain. The function of the alarm system is then to:
 Trigger a trained response to certain emergency conditions.
 Alert the operator to plant conditions that need consideration and possible
action.
 Advise the operator of further developments that need action.
The aspect of 'acknowledge' and "consideration" - the analysis of the situation, the
identification of the correct action and its execution or communication - is one that has
been ignored in many past alarm system implementations. This results in cognitive
overload for operators in upset situations and an increased potential for escalation. A
good alarm system should assist the operator in evaluating the situation, which is
fundamental to identifying the correct actions. Depending on the circumstances, these
actions can be directed either at avoiding an event or mitigating its consequences.
This alarm handling process is visualised in Figure 1-2:

Rationalisation
Revision: 2.0
Alarm Response Improvement
intelligent disciplined trained staff applying

pre-decided validated knowledge & Improved Effectiveness of operator actions
practices
trial and error
Normal condition
Alarm condition
time
Time for the response (or any other subsequent attempt)

Time to acknowledge the alarm (0.1-5 min)
to restore to a normal situation
Time to consider an initial response (0.1 - 5 min)
Figure 1.2: Alarm Response diagram

The process of "acknowledge" and "consideration" described above takes typically 0.1
to 5 minutes each. Taking an average figure of say 5 minutes for a complete response,
the maximum alarms (i.e. the meaningful alarms) load that one operator can handle
effectively is limited to around 1 alarm per 5 minutes. However considering that the
operator has many additional tasks, the average number of alarms should be limited to
the quantities as given in the table 1-1 below.
Table 1-1: Average number of alarms.
% of time spent on alarm # of alarms that effectively
handling can/should be handled
Normal (current) 40% 4 - 6 per hour
Good 10% 1 per 1 hour
Excellent 4% 1 per 2 hours
For the numbers above in the table, an upset situation will probably be ignored.
However it is important not only to avoid unnecessary alarms during normal steady
state conditions but also under upset conditions. It is also important for the operator to
be able to access relevant plant information quickly and effectively, in order to speed up
the process of responding to an alarm, and thus improves the effectiveness of his
corrective actions as shown in Figure 1-2. The design of the operator control interface
and the rapid and comprehensive availability of current and trended information are
important facets of alarm system design.
The configuration of an alarm system is therefore a balancing act between giving the
operator an extensive set of warning facilities for normal operation and the need to
avoid information overload under upset conditions.

Rationalisation
Revision: 2.0
1.5 Distribution, intended use and regulatory considerations

Unless otherwise authorised by PDO, the distribution of this document is confined to
Petroleum Development Oman and their nominated design and Construction
contractors.
This document is intended for use in the oil and gas installations and production
facilities, in conjunction with any type of operator’s alarm facility.
It shall form the basis of approach for Engineering and Operations, for the Alarm review
and handling in the existing or new build facilities.
If national and/or local regulations exist in which some of the requirements may be
more stringent than in this document, the Contractor shall determine by careful
scrutiny, which of the requirements are the more stringent and which combination of
requirements will be acceptable with regards to safety, environmental, economic and
legal aspects. In all cases the Contractor shall inform the Principal of any deviation from
the requirements of this document which is considered to be necessary in order to
comply with national and/or local regulations.
Any queries relating this document such as technical content, scope and/or philosophy
should be referred to CFDH, Control & Automation.
Any reader is invited to give his/her opinion, experience and suggestions for any
improvement.

Rationalisation
Revision: 2.0
2 Definitions and Meanings
2.1 General definitions

The Contractor is the party, which carries out all or part of the design, engineering,
procurement, construction, commissioning or management of a project or operation of
a facility. If the contract allows, the Principal may undertake all or part of the duties of
the Contractor.
The Manufacturer, Vendor, Supplier, Seller is the party which manufactures or
supplies equipment and services to perform the duties specified by the Contractor.
The Principal is the party, which initiates the project and is ultimately accountable. The
Principal will generally specify the technical requirements. The Principal may also
include an agent or consultant who is authorised to act for, and on behalf of, the
Principal.
The word Shall indicates a mandatory requirement.
The word Should indicates a strong recommendation.
2.2 Specific definitions

Alarm priority - A parameter that is set during the configuration of an alarm to match
the perceived importance of an alarm. In the control system, the priority of an alarm is
used to control how the alarm is presented to the operator. The IPF initiated alarms are
also transmitted to the Control systems where the priority is defined.
In this document, the following priority descriptions are used:
 Emergency or Urgent priority (U).
A priority assigned to alarms that require immediate operator attention and
action for emergency responses. This is meant for those emergencies or
events that may lead to have major impact on the HSE e.g. a major
environmental incident, unplanned unit shutdown and a major economic loss to
the Company. These include Fire/Gas alarms and alarms tied to executive
functions
 High priority (H).
A priority assigned to alarms that require very fast operator attention and
action to prevent a major operational upset or shut down. This is meant for
those events that are likely to lead to major process upset, plant/ unit shut
downs, moderate economic loss and minor HSE issues.
 Low priority (L).
A priority assigned to alarms that do not require fast operator action, but which
should nevertheless be brought to the operator’s attention. This is meant to
cover those incidents that have minor significance. Delayed response should
never pose a threat to Company’s HSE matters, or a stable operation of the
unit
 Journal (J).
A Facility for recording time sequenced historical event. This meant to cover
those incidents that result in deviation from normal operations, operational
mode changes and status of equipment/ systems etc.

Rationalisation
Revision: 2.0
3 ALARM RATIONALISATION REVIEW
3.1 General Requirements

A formal Alarm management and rationalisation study is required to provide the
operator with meaningful alarms, i.e. an adequate set of warning facilities during normal
and upset operation whilst minimising, as far as is reasonably practicable:
 standing alarms;
 nuisance alarms;
 repeating alarms;
 alarms floods;
 bad PV alarms;
 System alarms
Summarising, alarm management is intended to guide users to a safe, cost effective
and consistent design and implementation for alarms in an instrumentation system
(FCS, DCS, IPS panels (if any), F&G panels, local panels etc.).
3.2 Recommended Measures

The following measures will improve alarm management such that alarms become
more 'meaningful':-
 Setting Alarm priorities and Destination
The setting of alarm priorities such that the operator only gets alarms that he
can actually take action on. For existing installations, this includes the
downgrading of the alarm priorities or removal of the alarm function.
 Optimising alarm parameters
Alarm parameters such as filtering and dead-band allow the reduction of
repeating alarms.
 Static alarm suppression
Alarms that are always in alarm when a process unit or a large piece of
equipment is shutdown are suppressed.
 Dynamic alarm suppression
Alarms that always follow after a process trip are suppressed.
 Dynamic mode dependant alarm settings
Alarm settings are dynamically changed based on detected operational mode
changes.
 Measuring alarm management performance
By measuring the performance of the alarm management, attention and effort
can be focused to aspects of existing alarm systems such that it can be
optimised with the minimum of effort. Alarm management performance is
measured using benchmarks.
 Optimise Alarm ergonomics
By optimising the way alarms are presented to the operator, operator alarm
handling may be greatly enhanced. This includes on-line alarm help.

Rationalisation
Revision: 2.0
 Better Use of Deadbands

Many existing systems use poor settings (e.g. 1% of EU range) for dead-bands
on analogue PVs. The EEMUA 191 guidance suggests the following defaults:
 Flow: 5%
 Level: 5%
 Pressure: 2%
 Temperature: 1%
Increased values for dead-bands will often reduce the number of “repeating”
alarms.
 Use of Alarm Delay Options
Delay the activation and/or the clearing of alarm messages:
 Delaying activation is particularly appropriate where “spikes” are often
seen in analogue signals. The alarm is not displayed as active unless it
violates the alarm limit for longer than a specified period of time.
 Delaying clearing is particularly appropriate when an alarm would
otherwise cycle on and off due to small changes in an analogue signal.
The alarm does not clear until a specified period of time has elapsed and
the analogue value is still not violating the alarm limit.
Alarm rates can often be substantially reduced using these facilities. Alarm
delay functionality is sometimes described as “debounce” functionality or “time
dead-banding” functionality.
Alarm delay functionality is described in more detail in EEMUA 191
 Use of Alarm Shelving
This allows an Operator to temporarily move an alarm from the Alarm
Summary to a “shelf” (another display) where the list of shelved alarms may be
viewed at any time. The benefit is that the Alarm Summary is not filled by
“standing alarms” that are well known to the Operator and reduce his
effectiveness.
This also helps to reduce the number of standing alarms so that there will be
less use of multiple pages of alarms on the Alarm Summary. (EEMUA 191
recommends that there should be less than 10 standing alarms and less than
30 shelved alarms).
Shelving functionality is described in more detail in EEMUA 191.
 Use of BAD VALUE Functionality
It has been observed that a disproportionate number of BAD VALUE alarms
occur during upsets. This occurs because analogue values are driven to
extreme ends of the instrument range during upsets. These extreme values
may then violate the defined Minimum and maximum values for the
measurement because of drift in the instrument calibration.
There are two distinct ways of reducing the number of BAD VALUE activations:
 Use of “extended range” functionality where available on the DCS.
Extended range will avoid BAD VALUE alarms for small (e.g. typically a
few %) drifts in calibration.
 During rationalization, the team should critically question the need for
BAD VALUE alarms where the measurement concerned is not being used
for control purposes. The priority of BAD VALUE alarms should also be
considered in such cases – since it may be appropriate to route such

Rationalisation
Revision: 2.0
alarms to maintenance staff but not to Operators.

 Use of Improved Alarm Displays
It is widely recognised (e.g. see EEMUA 191) that alarm display is an important
aspect of “best practice” alarm management.
 Use of a Master Alarm Database
A “master alarm database” enables “capturing” of the as-agreed alarm
configuration parameters from rationalization. It also allows for “enforcement” of
that data when changes in the DCS values are detected during exception
reporting.
The master alarm database can also support mode-based alarming (which may
be required for effective alarm suppression) and electronic “Operator Help”.
3.3 Alarm Management and Rationalisation Review Process

The alarms review and rationalisation should be carried out as recommended in the
flow chart in Appendix 3.
In principle, the review should take place for all the alarms. The IPF database / I/O list
for the project can be extracted for preparing the master alarm database. However, in
the case of existing installations, this may be done on a selection basis for those alarms
that have been frequently seen as standing or nuisance alarms or full review of the
facility as to suit the operational requirements.
Alarms shall be grouped on the basis of the process units that would help defining the
static and dynamic alarm suppression groups. To speed up the review process,
identical or similar alarms functions can be grouped and limited to one review for such a
group. Eg. Causes of an ESD or Electrical Alarms or System alarms can be grouped
together.
All applicable or related tags should be listed in the same alarm function sheet as
applicable.
3.4 Steps for Alarm Management and Rationalisation study

It is essential to set up a structure to optimise team productivity and quality of output.
Refer Appendix 1 for the AMR information package requirements and Appendix 3 for
the AMR Study work process.
3.4.1 Preparatory works

To minimise delays, all preparatory work shall be done prior to the study.
The Master Alarm database should be pre-loaded with all information as defined in
Appendix 6.
Once the team has started the alarm management and rationalisation study process no
time should be lost doing work that could have been done in advance. A PC containing
the master alarms database shall be available alongwith pre-requisites for generating a
report after the Alarm Rationalisation Exercise.
3.4.2 Timing
The Alarm rationalisation review should be undertaken during detailed engineering
phase of a project after IPF actions are closed-out, for existing installations, at any time
when it is felt or demonstrated from actual events that:

Rationalisation
Revision: 2.0
 there are too many standing alarms;

 there are too many and/or too often nuisance / meaningless alarms;
 some alarms are frequently repeated causing flooding alarm lists, event
recorders and alarm buffers;
 alarm floods occur during process upsets or trips;
 the operator has difficulty to evaluate the situation with increased potential for
escalation.
3.4.3 Required Documents

The alarm management study essentially requires more or less the same set of
documents used for the IPF classification exercise. Refer Appendix 1 for the list of
documents required for the rationalization exercise.
3.4.4 Team Composition

The composition shall, as a minimum, be with the following members.
 Facilitator
 Secretary
 Operation’s representative
 Process engineer
 Control & Automation engineer
 DCS system Engineer and Instrument Maintenance Engineer, when required
The facilitator shall be from the Approved facilitator’s list maintained by the CFDH,
Control & Automation.
The facilitator shall be well conversant with the Alarm management methodology. The
task of the facilitator is to guide the team through the review process and to ensure that
the discussions are sufficient enough to meet the objectives of the alarm study.
3.4.5 AMR Facilitator

The AMR leader shall be an experienced facilities engineer and thoroughly familiar with
the AMR methodology. AMR leader’s task is to guide the rationalisation team through
the methodology and ensure that each step is sufficiently debated and recorded to the
satisfaction of all team members before proceeding to the next step.
Furthermore, the AMR leader should function as a facilitator, ensuring that each
member provides input into the exercise and amongst others, end debates when these
are no longer productive.
The AMR leader must have attended the at least one major AMR exercises before
he/she can be considered as a potential leader. The candidate will be assessed by the
CFDH C&A (UES) and if found competent he will be certified as a Leader.
The leader shall be completely independent from the design team for the facility being
classified.
UES (CFDH, Control & Automation) approves the AMR leaders and is the authority
responsible for appointing a leader for any AMR study.

Rationalisation
Revision: 2.0
3.4.6 AMR Secretary

The secretary is responsible to record all the alarm rationalization study review results
and associated discussions. He/she should have a technical background and be fully
conversant with the Alarm Rationalization study and the Master Alarm Database
prepared for the project. There is no special certification requirement to be a secretary.
3.4.7 Master alarm database and report

For each alarm function, the following data shall be recorded to create function
database:
 Purpose of the alarm
Briefly note the design intent of the alarm
 Alarm Type
Alarm types are classified into following categories. Alarm type shall be defined
for each function during the study.
Standalone alarm
Pre alarm
Trip alarm
FGS alarm
System alarm
Fault alarm
Override alarm
Common alarm
Misc alarm
Diagnostic Alarm
 Consequence of No Action
Briefly note what is expected to happen if the alarm sounds and the operator
takes no action at appropriate time. For pre alarms the consequence of no
action should be the same as the IPF safe failure for the corresponding trip tag.
 Type of Activity
Select from Table 4-1 the appropriate type of activity, e.g. "Emergency, Plant
shutdown, Normal Process Upset etc." The type of activity should be based on
urgency of the required action.
The activity types are defined from the possible potential consequences so as
to mean the preventive or corrective measures required.
 Most likely Required Operator Action
A brief description of what the operator is most likely (80% of the case)
required to do upon hearing the alarm. In some instances plant operators will
be unable to do anything upon hearing an alarm. In these instances the word
"Nothing" should be entered. In that case the alarm should be an "operational
message only".
 Less likely required Operator Action
A brief description of what the operator is less likely (20% of the case) to do
when the most likely action is not appropriate.

Rationalisation
Revision: 2.0
Note: The list of types of activities may be extended or altered to suit local
conditions and procedures.
Review if “Most likely and less likely” is required or it should be “required
operator action” only.
 Refer Appendix 6 for Master Alarm Database format to be used during the
Alarm Rationlization exercise.
After the Alarm Rationalization exercise, an alarm study report shall be made.
 Refer Appendix 2 for Alarm Rationalization Study report and close out
report requirements. Any action items generated during the review exercise
shall be logged and should be closed out during the course of the project.
 Refer Appendix 3 for the Alarm Rationalization work process. A copy of the
final Alarm Rationalization results (Master Alarm Database-as in Appendix
6) is maintained by functional control and automation project support
leader. On completion of the Alarm Rationalization exercise the pdf file of
close-out report and the back-up of the Master Alarm Database shall be
sent to functional control and automation project support leader.

Rationalisation
Revision: 2.0
4 ALARM PRIORITISATION GUIDELINES
4.1 Assigning of Activities and Alarm Priorities

For each alarm the activity type should be defined. The table below gives the typical
example of the activity type and correspondingly the action type and priority.
Alarm priorities are to be assigned based on the required action upon receipt of alarm.
All alarms, including system alarms shall be prioritised. Key factors in determining
alarm priority shall be; time available for operator action, consequence of failure to take
corrective action and if they are HSE-critical. Priority shall be distinguished by display
location and/or colour according to the guidelines in the relevant standards.
Table 4.1: Assigning of activities & alarm priorities based on urgency of operator
response.
Action
Activity Type Priority
Type
Fire
Gas release
Immediate Urgent
Major rupture
Emergency
Plant shutdown
System failure to plant shutdown

Fast High
Major equipment shutdown
Major process upset
Equipment trip/shutdown
Normal process upset

Normal Low
MOS/OOS switching
System faults, but plant in operation
Stand by in operation
Events
Set point changes

Record Journal
Mode changes
Operational messages
Raise work order (Note-6)

Notes:
1. The response time available from the alarm notification to take operational
corrective action should be taken into account while determining the
consequences and the priorities. In case the response time (e.g. buffer volume in
separator) available is very short by which the operator’s corrective action is not
possible, then the presence of that pre-alarm has no meaning and as such should
be removed rather than assigning with high priority.
Rationalisation
Revision: 2.0
2. Switching actions such as starting or stopping pumps or opening/ closing valves

as normal (on/off) control behaviour shall not be alarms.
3. Note that separate alarm analysis shall be carried out for each different setting as
they have different functions and hence different actions to be taken upon alarm.
For example, a high and low alarm to the same measurement may have different
operation actions.
4. In case one setting has different required actions depending on the mode of
operation, the severest case needs to be assigned. Alternatively, different alarms
are to be configured with the same setting of which only one is active in the
appropriate mode of operation. The others are then automatically suppressed.
5. Bad Value alarms, normally configured for over or under range signals, have a
potential for generating nuisance alarm floods during process upsets. They
should, therefore, be used with care and not given high priorities. However critical
measurements, which can lead to major upsets or shut down on failure, can be
considered for high priorities.
6. Journal is selected in case work order is to be raised through work management
system. Messages to be repeated to specific engineers alarm summary (if
available).Note that this feature is not used at present but is planned to be used in
future with SAP.
Table 4-2: Alarm Priorities – Specific Requirements. Update based on Table 4-1
Urgent alarm Audible tone, printer log, events log, visual
U
(emergency) alarm, hardwired visual alarm & siren.
High priority Audible tone, printer log, events log & visual
H
Alarm Alarm alarm.
priority Low priority

L Printer log, events log & visual alarm.
Alarm
J Journal Events log.
Notes:
1) The priority U effectively means that a hardwired (e.g. Fire & Gas) alarm
panel is required. In case hardwired mimic panel is not provided in the facility
control room, then the alarm should be made available to the system/HMI,
which has at least 8 hours power back-up.

Rationalisation
Revision: 2.0
4.2 Guidelines for Normal Distribution of Alarms among Priority Level

According to EEMUA publication No.191, Statistical guidelines for proportional
prioritisation of Alarms should be as follows:
 less than 5% of all alarms Should be in a process unit should be High priority
 less than 15% of all alarms Should be in a process unit should be Medium
priority
 Greater than 80 % of all alarms in a process unit should be Low priority.
Figure 4.3: Prioritize in Proportion

According to EEMUA Guideline the number of alarms of each priority--high, medium,
low--should be proportioned as shown.

Rationalisation
Revision: 2.0
5 ALARM SUPPRESSION – IMPLEMENTATION GUIDELINES
5.1 Static alarm suppression

Operators often find alarm systems difficult to manage when larger quantities of alarms
are (semi) permanent in alarm. There is the risk of any new alarm to stay unnoticed
and the standing alarms cannot be 'meaningful' to the operator. Static alarm
suppression is required in order to minimise the number of standing alarms (to achieve
the benchmark as given in para 7.7).
Manual static Static alarm suppression of section….

suppression command 011FRCA-123
Static suppression
& 011PIA-011
011PIA-012
permissives
for section …. 012FRCA-123
012PIA-011
011PIA-014
011GBA-012
011XA-011
011XZA-012
012FRA-120
013PIA-012
011PIA-014
Figure 5-1: Static Alarm Suppression

Alarms that are always in alarm when a process unit or a large piece of equipment is
shut down are statically suppressed. Only after the manual suppression command and
the suppression permissive are met, the alarms are suppressed.
Static alarm suppression shall be implemented on per a section (process unit, piece of
equipment) of the plant, basis.
Switching on the static alarm suppression is only possible when defined process
permissives are met. These conditions differ for each alarm suppression group. When,
with static alarm suppression switched on, the defined process conditions are no longer
satisfied, the static suppression is automatically to be switched off and a message to
the operator is to be generated.
Alarms generated in the FCS/DCS from analogue inputs that are suppressed through
this functionality show in the process graphic e.g. as a blue measurement. The actual
alarm condition is not visible (in general no buzzer, no alarm in the alarm list, no alarm
to the printer, system or measurement faults not visible). The alarm status however, is
still available on the individual tag's faceplate.
When the alarm suppression for a group is released, the suppressed alarms are not to
be
Rationalisation
Revision: 2.0
regenerated (not sounding the buzzer, flashing etc.)

When defining static alarms suppression groups, the following data shall be recorded:
 Static Alarm Suppression Group and Group name
A reference tag name of the group and Group name to allow reference and
proper administration.
 Permissives
Boolean statement with the (FCS/DCS) tags and conditions (signals) that have
to be 'true' to permit the static suppression to be switched ON. This includes
the condition (alarm, H alarm, LL alarm etc.)
 Static Suppression Group
This is a list Instrument Tags to be suppressed.
Note: The static alarm suppression does not differentiate between H or L or LL
alarms, Bad PV etc. All alarms associated to the listed tag number are to be
suppressed. This is done to prevent alarms that are generated as a result of
maintenance activities on the shut down section.
5.2 Dynamic Alarm Suppression

Operators often find alarm systems difficult to manage following a trip. The stress of the
situation makes matters even worse. In order to minimise the number of alarms
following the trip (to achieve the benchmark as given in para. 7.7) automatic and
dynamic alarm suppression is required.
With dynamic alarm suppression, the first alarm in a group sounds the buzzer until
silenced by the operator. It is shown on the alarm list and printed on the alarm printer.
Subsequent alarms in the same group do not sound the buzzer, are not shown on the
alarm list and are not printed.
Apart from the dynamic aspects, another difference between static suppression and
dynamic suppression is that static suppression suppresses all alarms related to a tag
while dynamic alarm suppression suppresses only one specific alarm. For example
static alarm suppression suppresses both H, L and fault alarms while dynamic alarm
suppression suppresses only H.
A soft switch shall be provided to enable dynamic alarm suppression.
Dynamic suppression will be automatically turned off after a configurable time period
(default 30 min) or when all trigger alarms return to normal. See Figure 5-2.

Rationalisation
Revision: 2.0
Dynamic alarm suppression Dynamic alarm check
Enable dynamic suppression

Dynamic alarm Dynamic alarm
& suppression of…. Check?
Alarm
011FRCA-123 HH X
(=‘1’)
Dynamic
Suppress when ‘1’

011PIA-011 LL
Dynamic
Suppression timer & 011PIA-012 L X Alarm
suppression
initiators OR 012FRCA-123 H
(alarm = 1)
012PIA-011 L X Alarm
pulse: T= X sec.
011PIA-014 H X Alarm OR
011GBA-012
011XA-011 X Alarm
etc.
011XZA-012 X Alarm
012FRA-120 L X Alarm mismatch
013PIA-012 H & alarm (=‘1’)
011PIA-014 H
etc. etc.
Delay on timer
y seconds
Note:- Delay Before Alarm On Check
1) The actual trigger alarm shall not be suppressed.
2) This scheme does not show all logic required to obtain fully functional dynamic alarm suppression.
Figure 5-2: Dynamic Alarm Suppression
A timer will be started when the first of the group's trigger alarms is received. Once the
timer has expired any new alarm in the group will sound the buzzer but existing alarms
will remain suppressed. In case the new alarm is a trigger, it will restart the timer,
reinstating a further (30 min) period of dynamic suppression. The operator can choose
to manually suppress the alarm group, by means of static alarm suppression, at this
time if appropriate. It shall be realised however that the grouping for static alarm
suppression is not necessarily the same as the grouping for dynamic alarm
suppression.
The performance of the alarm suppression logic shall be such that it suppresses
subsequent alarms within 4 seconds after the trigger. This is the time for the trip
system to respond to a trip condition, final elements to reach their safe position and the
process response to generate the next alarm. The available 4 seconds includes signal
transmission via gateways and various nodes on the control system network. For
alarms that come faster after a trigger, part of the suppression logic may have to be
implemented in the IPS using the 'first-up' signal as the trigger.
The process graphics will show the actual alarm condition for all suppressed alarms.
Where triggers are Trip initiators, the trigger shall be disabled when the MOS is
switched ON. Likewise the dynamic alarm check shall be disabled for the point as well.
In case an alarm in a group is not generated while it is expected to come on as a
consequence of a trip, a common fault alarm is raised to the operator. This is a
common alarm for the group, not the one related to each suppressed alarm. In case the
operator wishes to know which alarm did not come on, the alarm suppression graphic
will have to be checked.
Note: Note that this fault alarm is also available when the dynamic alarm suppression is
not enabled.
When defining dynamic alarm suppression groups, the following data shall be recorded:
 Dynamic alarm Group name and description

Rationalisation
Revision: 2.0
The dynamic alarm suppression group is usually a subset of the tags

associated to the equipment safeguarding system (an UZ block). The Group
name should be selected to show the relation with the system, e.g. 016UZ-250.
 Delay before alarm on check
The "Delay Before Alarm On Check" (the delay time the control system allows
before checking to determine if all expected alarms, marked dynamic, have in
fact activated) is to be 60 seconds greater than the largest individual dynamic
suppressed alarm "Time for Alarm to Come Up". Each and every alarm tag,
marked with a cross in the "dynamic" box, should always alarm when each and
every trigger is activated.
 Dynamic suppression Switch Off delay
The "Dynamic Suppression Switch Off Delay, should always be 1800 seconds
unless the Delay Before Alarm On Check is 1800 seconds or more.
 Dynamic Grouping Comments
Comments may be added to clarify particular issues for future reference.
 Dynamic Suppressed Tag numbers
For each of the Dynamic Suppressed Tag numbers the following is to be
recorded:
- Tag number and service description as taken from the tag number database
- A check box indicating if the tag number also serves as a trigger
- A check box indicating if the alarm needs to be dynamically checked.
- Time for Alarm to Come Up
The “Time for Alarm to Come Up” is the estimated time (in seconds) expected
for the alarm to reappear after the reset of group trigger If the time is less than
4 seconds, a remark is to be added "Fast suppression logic required" as
discussed above.
Notes:
1. Group Trigger alarms will almost always be trip alarms or drive failure indicators.
If the group trigger is not an alarm (e.g. a motor running status) and therefore not
in the database the tag should be added. All new trigger tags added that are not
alarms should be "record only".
2. In some instances dynamic suppression will need to be applied to groups not
related to a particular equipment safeguarding system. For these cases a new
dynamic suppression group tag number will need to be defined. The tag may be
based upon sequence logic blocks (KS blocks) or on the major trigger tag for a
group. For example if the major trigger tag for a group not related to a
safeguarding system, was 214LZA555 then the dynamic suppression group tag
could be 21 4UL555 (U standing for Multivariable).
3. A trigger alarm can be suppressed. However the actual trigger shall not be
suppressed.
5.3 Dynamic mode dependent alarm settings

Dynamic mode dependent alarm setting may be required to further reduce the
meaningless alarm rate. Mode dependant alarm setting may be required where
systems have distinct operational modes that require distinct alarm settings. This is for
instance the case for furnaces having a normal mode and a decoke mode. Also the
burner management system may have Oil firing mode, a Gas firing mode and a
combination of both (dual-firing mode). A dryer will have an operating and a
Rationalisation
Revision: 2.0
regeneration mode. A crude distiller may have different alarm settings depending on the
crude being processed.
With dynamic mode dependant alarm settings, the alarm settings of analogue or digital
points are changed based on the detected mode of operation. The mode switching is
detected from a set of process parameters and may also involve a manual switch.
Upon a detected mode change, the new set of alarm settings is automatically
downloaded into the FCS/DCS point. These new settings will be applicable until the
next mode change is detected or the dynamic mode dependant alarm setting enable
switch is disabled. When disabled the default set of settings is downloaded into the
FCS/DCS point automatically See Figure 5-3.
Default settings table

Dynamic alarm Dyn. alarm
setting of…. setpoint Mode A, B etc. settings table
011FRCA-123 Dynamic
HH 80%
alarm Dyn. alarm DCS control boxes
011PIA-011 LLsetting 0.5of….
Dynamic Bara
alarm setpoint
Dyn. alarm
Dynamic
L setting
011PIA-012011FRCA-123 alarm setpoint
of….
1.3 Barg Dyn. alarm
HH 80% DCS point setpoint
012FRCA-123011PIA-011
H setting
011FRCA-123
83%LL of…. setpoint
HH 0.5 Bara
80%
011FRCA-123 HH 80% 011FRCA-123 HH 80%
012PIA-011 L011PIA-012
011PIA-011
0.3 BargL LLLL1.30.5
BargBara
011PIA-011
011PIA-014 012FRCA-123
H 011PIA-012
34 BargHL 1.30.5 Bara
Barg 011PIA-011 LL 0.5 Bara
011PIA-012 L 83% 011PIA-012 L 1.3 Barg
011GBA-012 012PIA-011
012FRCA-123
OpenL H 0.3 Barg 83%Barg
1.3
012FRCA-123
011XA-011 011PIA-014 10 H L H340.3
012PIA-011 83%
Barg 012FRCA-123 H 83%
012PIA-011 Barg 012PIA-011 L 0.3 Barg
011XZA-012 011GBA-012
011PIA-014
20 H L Open
340.3 Barg
Barg
011PIA-014 H 34 Barg 011PIA-014 H 34 Barg
012FRA-120 L 011XA-011
011GBA-012
20% Open
10 Open
011GBA-012 011GBA-012 Open
013PIA-012 H 011XZA-012
011XA-011
2 Barg 201010
011XA-011 011XA-011 10
011PIA-014 H012FRA-120
011XZA-012
1.2 BargL 20% 20
011XZA-012 20 011XZA-012 20
etc. 012FRA-120
013PIA-012etc. H L 20%
2 Barg
012FRA-120
013PIA-012 L
H 1.2 2Barg 20%
Barg 012FRA-120 L 20%
011PIA-014 H
013PIA-012 013PIA-012 H 2 Barg
011PIA-014
etc. H H 1.2 2Barg
Barg
011PIA-014
etc. H etc. 1.2
etc.Barg 011PIA-014 H 1.2 Barg
etc. etc. etc. etc.
Xfer
Enable dynamic
suppression
& Xfer
Mode A conditions
Mode B conditions
& Xfer
Mode C conditions
& Xfer
etc.
Figure 5-3: Dynamic mode dependent alarm settings

When none of the defined modes are detected, the default mode shall be selected
automatically.
Dynamic mode dependant alarm setting shall not be normally applied to IPF's of SIL1
and above, since these settings are based on the excursion of safe operating envelops
that should not be mode dependant. Where mode dependent settings are absolutely
essential for some IPF’s of SIL1 and above, then the complete mode selection and
control should be implemented in the IPS using special algorithms to assure the IPF
class integrity. Where pre-alarms are also used to alarm excursion from the normal
operating envelope, they may have dynamic mode dependent alarm settings.
Alarm setting changes (each mode change) shall be logged in the FCS/DCS for each
point.
When defining Dynamic mode dependant alarm setting groups, the following data shall
be recorded:
 "Mode dependant alarm setting " Group name and description

Rationalisation
Revision: 2.0
For each Mode, a reference tag name of the group and Group name shall be
recorded and maintained to provide documentation and support system
administration. The group name and description should give a reference to the
system (e.g. furnace) having the different operating modes.
 Various Modes names and description
For each Mode, a reference tag name of the mode and operating mode name
shall be recorded and maintained to provide documentation and support
system administration.
 Permissives and Comments
For each Mode, a boolean statement shall be developed complete with the
(FCS/DCS) tags and conditions (signals) that have to be 'true' or 'false' to
detect the mode switch. This includes the condition (alarm, H alarm, LL alarm
etc.). Conditions may include timers to limit the time a particular mode may be
on.
 "Mode dependant alarm setting " Group with default settings
This is a list with Instrument Tags (and attribute such as L, HH etc.) to be
manipulated including the default settings.
 Alarm settings for each defined mode
This is a list of alarm settings for each instrument tag defined in the dynamic
alarm settings group. A detailed alarm setting list should be prepared for each
dynamic mode of operation defined in the list identifying the various operating
modes.
 Comments
Comments may be added for each instrument tag to clarify particular issues for
future reference.
The lists "Various Modes", "Mode dependant alarm setting Group", "Alarm settings for
each defined mode" and "Comments" are best combined in tabular form where
instrument tags are listed vertically in the first column and the default and mode
dependant settings are listed in subsequent columns.

Rationalisation
Revision: 2.0
6 OPERATOR’S HELP MENU

A good alarm system should assist the operator in evaluating the situation, which is
fundamental to identifying the correct actions. Depending on the circumstances, these
actions can be directed either at avoiding an event or mitigating its consequences.
This will help to improve the overall alarm response time as visualised in Figure 1-2.
Therefore ‘operator’s help’ should be available to each alarm. The operator may
request for help by clicking on the alarm-line on the alarm summary or on the process
graphics. A window should appear showing the data initially entered as recorded:
 Purpose of the alarm
 Consequence of No Action
 Type of Activity
 Most likely required Operator Action. (containing context sensitive buttons to
check other data)
 Less likely required Operator Action (containing context sensitive buttons to
check other data)
The data tables containing these help texts should be easily maintainable by an
assigned operator acting to collect the best practices for alarm responses.

Rationalisation
Revision: 2.0
7 ALARM MANAGEMENT PERFORMANCE MEASUREMENT

The extent as to how successful the alarm system is in presenting the operator with
meaningful alarms at an acceptable rate can be measured using benchmarks.
Benchmarking the alarm system provides the means for possible improvement
measures to those areas where the system is weakest and to those measures that
score the highest effect.
This paragraph below gives an extract from the guidelines given by EEMUA for the
measurement of the performance, i.e. the capability of the alarm system to provide
'meaningful alarms'.
The following benchmarks are recommended to be used to assess the alarm system
performance:
 The number of configured alarms per panel operator
 The average alarm rate per operator
 Indication of frequent alarms
 The Mean Time Between Alarm
 Number of alarms following a trip
 Number of standing alarms
Following paragraphs discuss each of the benchmarks. These factors should be
considered in any new design as well as during the audit of an existing system.
7.1 The number of configured alarms per panel operator

The more alarms that are configured per panel operator, the higher the average alarm
rate will be. Therefore, by limiting the amount of alarms configured per panel operator,
the more likely the average alarm rate will remain within acceptable limits.
If alarm suppression techniques can or will not be implemented the number of alarms
should be limited to some 1000 per panel operator. The more this quantity is exceeded
the more likelihood alarm management problems will exist.
When many more alarms are configured per panel operator, a check could be made on
the number of alarms that should be expected to be configured per instrument. The
values given in Table 7-1 below are only indicative, but provide an indication as to
whether designers are likely to have installed too many or too few alarms on a plant.
Table 7-1: Guidance on alarms per instrument
Low Average High
Alarms per control valve 1 4 6
Alarms per analogue measurement 0.5 1 2
Alarms per digital measurement 0.2 0.4 0.6
The total number of alarms "Low", "Average" and "High" are calculated by adding the
number of alarms to be expected per control valve, analogue measurement and digital
measurement. Trip transmitters should also be counted as analogue measurement, trip
switches (e.g. pressure switch) as digital measurement.
A controller (analogue measurement, controller and control valve) shall be counted as
'control valve' (without an additional analogue measurement).
The figures in Table 7-1 apply to continuous processes. For batch processes these
values should not be used for benchmarking.

Rationalisation
Revision: 2.0
7.2 The average alarm rate per PANEL operator

The following Table 7-2 provides benchmarks for average alarm rates:
Long term average alarm rate in Acceptability
steady operation
More than 1 per minute Unacceptable
One per 2 minutes Over-demanding
(industry average in HSE survey)
One per 5 minutes Likely to be over demanding
Less than one per 10 minutes Very likely to be tolerable
Less than one per hour Good
Less than one per 2 hours Excellent
This table is based on an average response (acknowledge and consideration) time of 1
– 5 minutes for an alarm. As the operator also has other plant supervisory duties and
tasks, and alarms may come in bursts rather than in a steady rate over longer time
periods, the average alarm rate should be significantly less than 1 per 10 minutes.
7.3 Indication of frequent alarms

Often a very small number of alarms have a large contribution to the alarm rate. In
some instances only 5% of the configured alarms contributed to 50% of the alarms
generated! By analysing the frequency distribution of the alarms generated both in
steady state and during upset conditions, one may achieve significant improvements in
the performance of the alarm system with relative little effort.
7.4 The Mean Time Between Alarm

Often the same alarm is alarmed soon after corrective action has been taken. The
mean time between a repeat alarm is an good indication of how successful remedial
action has been. The benchmarks for MTBA are shown in Table 7-3.
Table 7-3: Benchmarks for MTBA
Mean Time between repeat alarm Acceptability
Less than 3 day Unacceptable
Less than 1 month requires urgent improvement
Less than 1 year manage to improve
more than I year Good
7.5 Number of alarms following a trip

Operators often find alarm systems difficult to manage following a trip. The stress of the
situation makes matters even worse. A good performance indication for proper alarm
management is the number of alarms in the 1st 10 minutes following a trip.
The following Table 7-4, shows performance indicators for the number of alarms
following a trip. The table is again based on an average of 1-5 minutes required to
handle a meaningful alarm.
Table 7-4: Performance indication for the number of alarms following a trip
Number of alarms displayed in 10 Acceptability
Rationalisation
Revision: 2.0
minutes following a major plant upset

more than 100 Definitely excessive and very likely to
lead to the operator abandoning use of
the system.
20-100
Hard to cope with
under 20
Should be manageable - but may be
difficult if several of the alarms require a
complex operator response
7.6 Number of standing alarms

Operators often find alarm systems difficult to manage when larger quantities of alarms
are (semi) permanent in alarm. There is the risk of any new alarm to stay unnoticed
and the standing alarms cannot be 'meaningful' to the operator.
Alarm systems should have less than 10 standing alarms per operator. When the alarm
system is capable of 'shelving' of alarms (Shelving is a facility where the operator is
able to temporarily prevent an alarm from being displayed to him when it is causing him
nuisance) the number of shelved alarms shall be less than 30 per operator.
7.7 Benchmarking
The performance of the completed alarm management system needs to be bench
marked. For new projects this is best done as part of the integrated FAT, by defining
typical alarm scenarios (simulation) and test if the alarm system will lead to information
overload of the operator during normal, process upset and trip conditions. If the
information leads to an overload situation as measured against benchmarks, the
system needs to be refined and tested again.
The performance may be evaluated under actual field conditions if Operations report
that the performance is still not satisfactory with changes implemented accordingly until
desired improvements have been obtained. After the system is commissioned and fully
operational, the alarm summary shall be evaluated and the findings summarised and
compared against the benchmark values in table 7-5.
The performance of an alarm management system can be summarised and
benchmarked in the Table 7-5.
Table 7-5: Score chart for alarm management systems
Performance Indicator Score description Score
Number of configured  >> 3000 0
alarms per panel
 3000< Qty <1000 0.5
operator
 < 1000 1
Average alarm rate per  more than I per minute 0

panel operator
 more than one per 10 minutes 0.5
 more than one per 1 hour 1.5
 more than one per 2 hour 3.5
Frequent alarms per  5% of configured alarms cause 50% of alarms 0
panel operator
 10% of configured alarms cause 50% of alarms 0.5
 20% of configured alarms cause 50% of alarms 1.5

Rationalisation
Revision: 2.0
Average Mean Time  Less than 3 day 0

between Alarms
 Less than 1 month 0.2
 Less than 1 year 0.5
 more than 1 year 1
Alarms following a trip  more than 100 0
per panel operator
 20-100 1
 under 20 2.5
Number of standing  More than 30 0
alarms per panel
 More than 10 and less than 30 1
operator
 less than 10 1.5
Total score 1-10

Score <7 : Not satisfactory, requires improvement.
7 : Average
8 to 9 : Good
10 : Excellent
7.8 Improvement
If the alarm system requires improvement on one or more areas (performance
indicators as listed in Table 7-4) the proposed changes should first be evaluated for
effectiveness.
This is completed by capturing the alarm scenarios followed by evaluating the effect of
the proposed changes on the performance of the alarm system. E.g. when alarm
suppression techniques are proposed to reduce the number of alarms following a trip,
one should evaluate which alarms will be suppressed from the actual alarms presented
to the operator following a number of trips (alarm scenarios) and to what extent this
results in a significant improvement.
7.9 Overall Alarm Management process

The problems seen in FCS-based alarm systems are often too great to be addressed
simply by reviewing one alarm parameter alone, such as priority assignments. It is
usually necessary to:
- substantially reduce the total number of alarm points;
- reduce the frequency at which the remaining alarms are triggered;
- help the operator to recognise the most important alarms during an upset.
Ideally, all of the key parameters for any point should be reviewed by asking:
- Is an alarm on this point helpful to the operator?
- How will it behave in routine process upsets?
- How will it behave during start-ups, when alarm flooding is common?
- What priority setting should it be given?
- What is the optimum trigger point (i.e. the numeric setting of the alarm)?
- How wide a dead band can be set?

Rationalisation
Revision: 2.0
- Is there any advantage in a time delay or similar feature?

However, whilst a rigorous approach should be applied to the alarm configuration in a
new-build design, the effort required for a point-by-point review of all alarms in an
existing installation can be prohibitive. Instead, a more pragmatic approach is needed,
seeking to maximise the benefits from the effort applied.
The objective of the alarm management process is to provide a structured way to carry
out alarm management. The process is different for new facilities and for existing
facilities as shown in Figure below. Therefore alarm management may be split into 3
elements:
- For new installations: Alarm system design
- For existing installations: Alarm rationalisation or alarm system re-design
- During operation: Alarm handling.
Start
Establish overall alarm

philosophy
existing Existing
DCS Establish bad actors
or new plant
Are new Alarm narrativetypicals

no
there obvious F&G alarms
bad actors?
yes Diagnostic alarms
Manual trip alarms
Process alarms
Alarm work process Alarm work process

(see Figure 4) (see Figure 4)
Alarm system
Basis of design
For each bad actor For each alarm
Update Alarm system Design Alarm system
Establish alarm system Establish alarm system

KPIs KPIs
no yes
KPIs OK?
no yes
KPIs OK? Finished
The overall alarm management process
New facilties:
For new facilities, the alarm system design is part of the engineering effort. In this case
the aim is to realise an alarm system that performs satisfactorily from the initial start-up
onwards. If this is not (yet) the case, the alarm system is further treated as an existing
alarm system.
Rationalisation
Revision: 2.0
For a new facility the alarm system design process first defines the alarm philosophies
and generic configurations. This again results in templates that include the handling of
fire & gas alarms, diagnostic alarms, alarms related to manual trips and common
alarms.
For new facility, all configured alarms shall either be assigned to one of the pre-defined
alarm categories (templates) or analysed individually. Individual analysis is potentially a
time-consuming exercise, hence the maximum use of templates.
For each configured alarm that does not fall into one of the predefined categories
(templates), the review mainly establishes the priority (including whether the alarm is
really required) and the optimum parameters such as setting, dead band and signal
filtering. If required to achieve an acceptable performance, any required alarm
suppression techniques are identified. Additionally the opportunity is taken to record the
purpose of the alarm, the consequence of no action and the possible operator
responses.
Following the realisation and commissioning of the alarm system, the performance of
the alarm system is measured. If performance is satisfactory, the review process is
completed. If performance is not acceptable the further improvement effort follows the
same process as for an existing plant.
Two phases
The alarm study (or alarm review process) is split into two phases. The first phase of
the alarm study is intended to establish whether an alarm is really necessary or
appropriate, or whether the risk associated with the hazardous situation becomes
ALARP with an alarm.
If there are doubts whether the risk is ALARP, the IPF method or HEMP method should
be applied.
The first phase also establishes expected operator response times, process safety time
and the severity of consequences if the alarm is not responded to. By means of Figure
10, the alarm priority is derived from the process safety time and the severity of the
consequences.
The second phase of the alarm study establishes the required operator actions,
suppression requirements and other relevant parameters.
Existing facilities:
For existing facilities, the alarm rationalisation and alarm system re-design aims to
restore the performance of an existing alarm system to satisfactory levels. Quick gains
are important and a more pragmatic approach is needed, seeking to maximise the
benefits from the effort applied.
For an existing facility, the HAZOP study may not be complete or may be absent
altogether. The alarm setting documentation may be incomplete and settings may have
developed over time to levels that are ill advised. Therefore, for existing facilities, the
alarm settings/ limits shall be confirmed and re-defined, based on an understanding of
the process and equipment constraints, process dynamics, operator response times
etc.
For existing facility the alarm rationalisation and alarm system re-design initially
concentrates on bad actors that make a disproportionate contribution to the poor
performance of the alarm system.
However, before the bad actors are analysed, alarm philosophies and generic
configurations need to be agreed upon. This process produces templates for F&G
alarms, diagnostic alarms (alarms that indicate possible malfunctioning of instruments
or equipment that may not immediately result in a process upset), alarms related to
manual trips and common alarms. These templates (generic configurations) allow these

Rationalisation
Revision: 2.0
alarms to be applied in a consistent manner throughout the alarm listing without further
detailed analysis..
For each bad acting alarm, the alarm work process mainly establishes the priority
(including if the alarm is really required) and the optimum parameters such as setting,
dead band and signal filtering. If required to achieve an acceptable performance, any
required alarm suppression techniques are identified. Additionally, the opportunity is
taken to record the purpose of the alarm, the consequence of no action and the
possible operator responses.
The bad actor analysis is repeated until either the alarm system performance (KPIs) is
acceptable or no obvious bad actors are left. In the latter case the improvement effort
follows the same process as for a new plant.

Rationalisation
Revision: 2.0
8 REFERENCES
In this document, reference is made to the following main publications.
NOTE Unless specifically designated by date, the latest edition of each publication
shall be used, together with any amendments/supplements/revisions thereto.
Document name Document No. PDO ref. No (if
applicable)
STANDARDS
Human – Machine interface in a control room DEP32.00.00.11-PDO SP1192
Measurement Validation and Comparison MF 94-0495
Classification and implementation of DEP32.80.10.10-GEN,
instrumented protective functions Oct.2001
Instrument engineering procedures DEP32.31.00.10
Instruments for measurement and control DEP32.31.00.32
Instrumented Protective systems DEP32.80.10.30
Fire, Gas & Smoke detection system DEP32.30.20.11
EUROPEAN STANDARDS
Generic standard on “Functional safety of IEC 61508
Electric/ Electronic Programmable (E/E/PES)
safety related systems”
Specific standard for the Petrochemical IEC 61511
industry on “Functional safety of Electric/
Electronic Programmable (E/E/PES) safety
related systems”
INDUSTRY PRACTICES
EEMUAEngineering Equipment & Materials 191
Users Association

Rationalisation
Revision: 2.0
Appendix 1 – Typical ARM Info Pack
Typical AMR Info Pack

Documents / Information required for AMR
1. Process Engineering and Utility flow schemes (PEFS /UEFS)

2. Process flow schemes (PFS) and Process safeguarding flow schemes (PSFS)
3. Cause & Effect matrices including fire and gas detection system
4. IPF Classification report (for reference, if available).
5. Operating philosophy or plant operating manuals.
6. Control & Safeguarding narratives
7. List of alarm & trip set points (alarm & trip database)
8. Master Alarm Database
9. List of Standing Alarms during typical steady operation (applies to existing facilities)
10. Alarm Journal printouts following typical upsets (applies to existing facilities)

Rationalisation
Revision: 2.0
Appendix 2 – AMR Report/Close Out Report
TABLE OF CONTENTS
1.0 Introduction
2.0 Process Description
3.0 AMR Team and Meeting Details
4.0 AMR Basis & Assumptions
5.0 Action points
Annexure
1. PSFS/PEFS
2. Cause & Effect Diagram.
3. Alarm Rationalisation database
4. Action Point Close out
5. Variance Logs

Rationalisation
Revision: 2.0
Appendix 3 – AMR Work Process
AMR Work Process Activity Action Party

Request UES for AMR Facilitator PDO PE using AMR Web tool
ARRANGE AMR MEETING (6
weeks prior to actual AMR date) Contractor / Consultant (Project
Arrange AMR Secretary
Engineer)
Refer Appendix 1
AMR INFORMATION PACKAGE Contractor / Consultant
for Typical AMR info pack
AMR Secretary in consultation with

Function Identification
AMR Facilitator
AMR MEETING PREPARATION Alarms into AMR Database (Master Alarm AMR Secretary
database)
Contractor / Consultant
Invite participants PDO PE

AMR CLASSIFICATION
MEETING Contractor / Consultant (Project
Arrange Facilities
Engineer)
Print AMR Classification sheets

Print of Action points
DRAFT AMR CLASSIFICATION
AMR Secretary (within 5 days)
REPORT Note : Design team to proceed with close-out
of AMR and action points on receipt of the
above sheets
Prepare AMR report including

Master Alarm Database Contractor / Consultant
AMR CLOSE-OUTS
Alarm function database & report
Report review PDO Project C&A Engineer
AMR ACTION CLOSE-OUT PDO / Contractor / Consultant

Invite participants from the AMR
MEETING (if required) (Project Engineer)
Compilation of the final report consisting of

AMR worksheets, PEFS, C&E, Alarm Master Contractor / Consultant
Alarm Database, Alarm prioritisation etc.
AMR FINAL REPORT

Report Approval PDO TA-2 Approval
Distribute copies to project team and issue

one hardcopy (master) including electronic
Contractor / Consultant (Project
copy (pdf version, with links from Table of
Engineer)
contents to individual section) of final report
to UES

Rationalisation
Revision: 2.0
Alarm Rationalization Review Process
Collect
START
documents
Prepare alarms Preparation

data base
Make alarm
groups
Review and
classify alarms
Assign priorities classification
Evaluate the
results
Prepare report and

END implementation plan Close-out

Rationalisation
Revision: 2.0
Appendix 4 – AMR Workshop Request
Submit Work Shop

Request
Schedule Work Shop

Re-Schedule Work Shop
Request
NO
Complete Work Shop? Change Request
YES
Issue Draft Report Cancel Work Shop
RE-VISIT Send Review Comments

Review Draft Report?
Documents
ACCEPTED
Issue Final Report

Legend
Custodian
Project Engineer
Upload Final Report at Live
Link
Final Completion

Rationalisation
Revision: 2.0
Appendix 5 – Abbreviations
ALARP As Low As Reasonably Practicable

CFDH Corporate Functional Discipline Head
DCS Distributed Control System
EEMUA Engineering Equipment & Materials Users Association
ESD Emergency Shut Down
FCS Field bus Control System
FGS Fire, Gas and Smoke Detection System
HSE Health, Safety, and Environment
IPF Instrumented Protective Function
IPS Instrumented Protective System
MAD Master Alarm Database
PLC Programmable Logic Controller
PV Process Variable
SIL Safety Integrity Level
AMR Alarm Management and Rationalisation

Rationalisation
Revision: 2.0
Appendix 6 – Master Alarm Database to be used for Alarm

Rationalization Exercise

Rationalisation
Revision: 2.0
Appendix 7 – Summary of Changes
Summary of Changes at Revision 2

The previous edition of this guideline Dec 2005. Other than editorial changes, the following are
the main changes since that edition:
 Section 1.2 – Scope & Objectives - 3 types of operator roles included.

 Section 3.1 – System alarms included
 Section 3.2 – included – Deadbands, Alarm Delay options, Alarm Shelving, BAD
VALUE Functionality, Improved Alarm displays, Master Alarm database.
Section 3.3 - Alarm Management and Rationalisation Review Process included as flow
chart in Appendix 3.
 Section 3.4.1 & 3.4.3 – additional sub points included.
 Section 3.4.5 - AMR Facilitator & Section 3.4.6 - AMR Secretary included.
 Section 7.9 added
 Appendix 1 - Typical ARM Info pack included
 Appendix 2 - Typical ARM Report / Close-out Report included
 Appended 3 - AMR Work Process included
 Appendix 4 - AMR Workshop Request included
 Section 2.3 Abbreviations included in Appendix 5
 Appendix 6 - Master Alarm Database to be used for Alarm Rationalization Exercise
included.

Rationalisation

GU-513 - PDO - Guidelines For Alarm Management and Rationalization, Dec 2009

Uploaded by

Copyright:

Available Formats

GU-513 - PDO - Guidelines For Alarm Management and Rationalization, Dec 2009

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GU-513 - PDO - Guidelines For Alarm Management and Rationalization, Dec 2009

Uploaded by

Copyright:

Available Formats

What is the purpose of this document?

What is the purpose of this document?

What are the main changes from the previous revision?

What are the main changes from the previous revision?

Petroleum Development Oman L.L.C.

UNRESTRICTED Document ID: GU-513

Engineering and Operations

Guidelines for Alarm

Please familiarise yourself with the

This page was intentionally left blank

Page 2 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

Document Authority Document Custodian Document Controller

Page 3 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

Revision No. Date Author Scope / Remarks

2.0 Dec–09 Salim Hinai, UES Refer to Appendix 7 for Summary of

iii Related Business Processes

iv Related Corporate Management Frame Work (CMF)

CP-114 Maintenance and Integrity Management - CoP

Page 4 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

Page 5 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

7.4 The Mean Time Between Alarm....................................................................................31

Page 6 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

Page 7 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

1.2 Scope and objectives

Page 8 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

1.3 Operational Excellence

20% Unscheduled activities

Figure 1-1: Percentage of time an operator spends on various activities

1.4 Alarm Response analysis

Page 10 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

Alarm Response Improvement

intelligent disciplined trained staff applying

Time for the response (or any other subsequent attempt)

Figure 1.2: Alarm Response diagram

Page 11 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

1.5 Distribution, intended use and regulatory considerations

Page 12 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

2 Definitions and Meanings

2.1 General definitions

2.2 Specific definitions

Page 13 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

3 ALARM RATIONALISATION REVIEW

3.1 General Requirements

3.2 Recommended Measures

Page 14 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

 Better Use of Deadbands

Page 15 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

alarms to maintenance staff but not to Operators.

3.3 Alarm Management and Rationalisation Review Process

3.4 Steps for Alarm Management and Rationalisation study

3.4.1 Preparatory works

Page 16 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

 there are too many standing alarms;

3.4.3 Required Documents

3.4.4 Team Composition

3.4.5 AMR Facilitator

Page 17 GU-513 - Guidelines for Alarm Management And Printed 12/11/20

3.4.6 AMR Secretary

3.4.7 Master alarm database and report