Alarm and Protective Equipment Management

BL-22-IG-262
SMS ELEMENT#

07

ISM / ISPS ELEMENT#

N/A

Rev
No

OWNER

REVIEW INTERVAL

Asset Integrity Specialist

36 Months

Approvals
Date

Originator

Owner

Checked

Approval
Authority

CMMS TECH
SUPT

Asset Integrity
Specialist

Facilities
Maintenance
Superintendent

AMO OPS MGR

060/5/14

RAJ

Sean DArcy

Andrew
Gibbons

Gareth Gill

22/06/14

RAJ

Sean DArcy

Andrew
Gibbons

Gareth Gill

06/08/14

RAJ

Sean DArcy

Andrew
Gibbons

Gareth Gill

15/08/14

RAJ

Sean DArcy

Andrew
Gibbons

Gareth Gill

02/09/14

RAJ

Sean DArcy

Andrew
Gibbons

Gareth Gill

AEL Authority

Holders of Controlled Copies:

Perth Library
Any hard copy of this document, other than those identified above, are uncontrolled. Please refer to the
Armada Claire server for the latest revision.

APACHE ENERGY LTD (ABN 39 009 301 964)

100 ST GEORGES TERRACE / PERTH / WA / 6000

TEL (08) 6218 7100 / FAX (08) 6218 7200

BL-22-IG-262

REVISION HISTORY
Revision

Amendment

Draft for review, comment & update

For AEL review & comment

Re-write as per review comments

Further update as per additional AEL comments

Issued for use

Alarm and Protective Equipment Management

2 of 12

BL-22-IG-262

CONTENTS
1.

PURPOSE ................................................................................................................................. 4

2.

SCOPE...................................................................................................................................... 4

3.

REFERENCE .............................................................................................................................. 4

4.

ABBREVIATIONS ...................................................................................................................... 5

5.

SYSTEM DESCRIPTION .............................................................................................................. 5

6.
6.1
6.2
6.3
6.4
6.5
6.6
6.7
6.8
6.9
6.10
6.11

ALARM SYSTEM IN GENERAL .................................................................................................... 6

Alarm Block Diagram in ICSS..................................................................................................... 7
Types of Alarm......................................................................................................................... 7
Alarm Priorities........................................................................................................................ 8
Alarm colours .......................................................................................................................... 9
Audible Signals ........................................................................................................................ 9
Alarm System Performance ...................................................................................................... 9
Alarm Annunciation and Response ......................................................................................... 10
Alarm List Displays ................................................................................................................. 10
Event Lists ............................................................................................................................. 10
Alarm Hiding and Suppression................................................................................................ 11
Alarm and status overview ..................................................................................................... 12

7.

INTEGRITY OF THE SYSTEM..................................................................................................... 12

Alarm and Protective Equipment Management

3 of 12

BL-22-IG-262

1.

PURPOSE

The purpose of this document is to define the Integrated Control and Safety System (ICSS) in FPSO ARMADA
CLAIRE, which will operate in Australia.
Modern Integrated Control and Shutdown Systems (ICSS), with their increasing level of integration and
highly configurable operator interfaces offer many possibilities for alarm generation and presentation.
This procedure will cover the following items:

Types of Alarms

Response to Alarms

Temporary suppression of Alarms

Alarm Rationalization

Changes to Alarm Set points including

Permanent changes to ESD Alarm Set points

Permanent changes to PCS advisory Alarm Set points

Temporary changes to PCS advisory Alarm Set points

2.

SCOPE

The Scope required to ensure that the FPSO ICSS alarm system acts as a tool to effectively help the Panel
Operator to take the correct action(s) at the correct time.
The document also aims to help with the following, i.e. that:

Alarms are properly chosen and implemented.

Alarms are relevant, clear, and easy to understand.

Alarms are configured consistently in accordance with industry best practice guidelines.

Alarms are presented at a rate that the Panel Operator can effectively handle.

Panel Operators can rapidly assess the location and relative importance of all process alarms.

Panel Operators can process alarm information during high frequency alarm actuation events.

Alarm systems are properly controlled, monitored, and maintained.

3.

REFERENCE
Document Number
21009-ABB-43800-PC-MN-0005
21009ETA76300INLS0003
21009-BAE-70000-IN-RL-0002
21009-BAE-70000-IN-RL-0003
21009-ABB-43800-PC-SP-0002
21009-BAE-70000-IN-RP-0004

Alarm and Protective Equipment Management

Title
ICSS Software Library Manual
PCS System I/O List
ESD System I/O List
F&G System I/O List
ICSS HMI Functional Design Specification
ALARM MANAGEMENT PHILOSOPHY FOR
INTEGRATED CONTROL & SHUTDOWN SYSTEM

4 of 12

BL-22-IG-262

4.

5.

ABBREVIATIONS
A&E

Audit and Enforce

AMS

Alarm Management System

CAAP

Critical Alarm & Action Panel

CCR

Central Control Room

ESD

Emergency Shutdown System (Part of ICSS)

EEMUA

Engineering Equipment and Materials Users Association

HAZOP

Hazard & Operability Study

HSE

Health, Safety, Environmental

ICSS

Integrated Control & Shutdown System

LAN

Local Area Network

LOPA

Layer Of Protection Analysis

MADB

Master Alarm Database MOC

MOC

Management Of Change

MOS

Maintenance Override Switch

PHA

Process Hazard Analysis

POS

Process Override Switch

PCS

Process Control System (Part of ICSS)

PSD

Process Shutdown System

PV

Process Value

SIL

Safety Integrity Level

SCR

Software Change Request

SOE

Sequence Of Events

SYSTEM DESCRIPTION

The system is based on ABBs Industrial IT product family offering state-of-art technology for Integrated
Control and Safety System, ICSS. Through redundancy, the system is designed to meet the highest possible
availability and reliability for the process controlled
The ICSS system comprises of:

ABB Process Portal, Operator stations & System Servers (PPA)

Process Control System (PCS)

Process Shutdown System (PSD)

Emergency Shutdown System (ESD)

Fire & Gas System (Including AFDS) (FGS)

All subsystems listed above are based on the 800xA process control platform and integrated through a
Common information / operator interface utilizing the ABBs Process Portal Information/operator interface.

Alarm and Protective Equipment Management

5 of 12

BL-22-IG-262

The ICSS shall be utilized for monitoring, control and safeguarding requirements for the topsides, marine.
The FPSO topsides process and ancillary facilities comprise of:

Crude Stabilization Unit (CSU)

Produced Water Treatment

Fuel Gas Treatment/Compression

Chemical Injection System

Power Generation

Seawater Lift, Treatment and Injection

Flare System, including Knockout Drum

Open and Closed Drain

Ancillaries (Instrument Air, Utility Air and Inert Gas)

The marine and accommodation system facilities comprise of:

Emergency Generator

Boiler

Fire Fighting System, including Deluge Valves

Addressable Fire Detection System (AFDS) for Accommodation

Accommodation and Engine Room HVAC System

Bilge Alarm

Status monitoring of Marine System

Tank Gauging System

Cargo/ Slop Tank Control System

The Turret system facilities comprise of:

Turret, turret head and structures

Chain Table

Manifold Deck

Turret piping

Swivel structures and Monorail

Auto Lubrication system

Load Condition monitoring

Control Modules, including Hydraulics and Utilities

All the above facilities will be monitored, controlled and shut down by the ICSS Alarm & Protective
Management System.
6.

ALARM SYSTEM IN GENERAL

A process alarm is defined as a mechanism for informing a Panel Operator of an abnormal process
condition for which an operator action is required. The Panel Operator is notified in order to prevent or
mitigate process upsets and disturbances.
Alarm and Protective Equipment Management

6 of 12

BL-22-IG-262

Operator actions include:

Making process changes by manipulation of the control system

Directing others to make changes in the control or process system (manually start pumps, operate
valves, check items for function, take samples, etc.)

Beginning troubleshooting and / or analysis of a situation

Contacting other people or functional groups regarding a situation

Logging conditions for the necessary purposes of later examination, maintenance, or repair.

6.1

Alarm Block Diagram in ICSS

6.2

Types of Alarm

The Armada Claire FPSO ICSS includes the main PCS, a Fire & Gas system (FGS) and also a Safety
Instrumented System (ESD). The ESD contains safety functions including those rated at SIL1, 2 and SIL 3.
Some pre-alarms annunciate via the PCS are documented in the SIL Study as independent layers of
protection in LOPA analyses of SIL requirements. As per the Reliability Claims outlined in EEMUA 191 2.3.4,
this suggests specific requirements on human reliability.
In addition to those alarms identified in the SIL Study, it is anticipated that the categorisation as Special
Alarm will also include any alarm relied upon to provide significant reduction of risk of potential Personnel
Safety or Environmental impact *e.g. as outlined in any other Safety Case documentation.
Special Alarms are identified on the process graphics and alarm banner with the inclusion of an asterisk
before and after the Instrument Service descriptor. When a Special Alarm appears on the Operator
graphics, the Operator will take immediate action to address the alarm. The Operator needs to first
understand the cause of this alarm and take the necessary actions in a timely manner to mitigate the threat
of any hazardous scenario.

Alarm and Protective Equipment Management

7 of 12

BL-22-IG-262

6.3

Alarm Priorities

Alarm priorities are configured to give the operator information related to the importance of the alarms at
any time and enable the operator to act on the most important alarms within a reasonable time.
The operator does not have the possibility to change the priority. Alarms are classified according to the
possible state the plant can develop to if no action is taken. To fulfil this demand a recommendation of four
priorities are defined.
The four alarm priorities are listed below:
Alarm priority 1: Safety Critical Alarms
Priority 1 is used for alarms from the safety systems, i.e. ESD, F&G.
Action alarms from ESD, F&G, will also be assigned priority 1. These action alarms will always need the
operators immediate action. E.g. if a module has been electrically isolated upon smoke detection,
personnel will be informed by process alarms.
Failure in performing safety shutdown actions during an emergency shutdown situation will be assigned
priority 1, e.g. a shutdown valve not reaching the closed position after an emergency shutdown.
Coincidence alarms i.e. if an emergency shutdown command is initiated on blocked equipment.
Alarm priority 2: Escalating Alarms
Priority 2 is assigned to alarms which give the operator the possibility to perform corrective actions to
prevent escalation of the situation into a production shutdown.
Priority 2 is used for all warning alarms that may escalate to a shutdown, e.g. high level in a compressor
suction scrubber.
Critical system and component failures will be assigned priority 2, e.g. loss of communication to system that
eventually will initiate PSD, while system and component failure`s in general shall be given priority 3 or 4.
Alarm priority 3: Non-escalating Alarms
This priority will be used for PCS warning alarms, and PCS action alarms that will not escalate to a
production shutdown. E.g. warning about to high pressure across a strainer if there is no high high
shutdown action, or shutdown of one out of two pumps in a duty standby configuration.
Priority 3 is also assigned to PSD action alarms. Failure in performing PSD shutdown actions will be assigned
priority 3, e.g. a HZV valve not reaching the closed position after a process shutdown. The same will apply
to PCS valves.
Priority 3 is given to non-safety related coincidence alarms i.e. if a shutdown command is initiated on
blocked equipment. Component failure in SIL loops and important faults in PSD and PCS are also given
priority 3.
Alarm priority 4: Non-critical Alarms
Priority 4 are intended to be used for alarms that do not need the process operator immediate physical
response, but just a cognitive action to decide immediate or general handling by e.g. maintenance
personnel.
This priority is used for system and fault alarms in the control system itself, e.g. ICSS alarming that one of
the redundant communication links are unavailable.

Alarm and Protective Equipment Management

8 of 12

BL-22-IG-262

6.4

Alarm colours

In order to assist the operators in accessing the information from the alarm system, different colours have
been used in the alarm lists. The same colours can also be used in the alarm list as in the process displays.
Background colours are designed in such ways that alarm texts are easy to read.
Colour

Sound

Auto Ack

Critical

Red

Buzz

No

To advice the operator of a situation

that requires an immediate response

Warning

Yellow

Alert

No

To advice the operator of an abnormal

Process condition that requires prompt
Operator intervention

Advisory

Cyan

Beep

No

PVBAD

Magenta

None

No

BYPASS

Blue

None

Yes

None

Yes

Event

6.5

Purpose

Priority

To advice the operator of an abnormal

Process condition that requires
Operator intervention
Measurement To advice the operator
of a device or failure
Recording when a bypass / override
Becomes active or inactive
Recording events

Audible Signals

In order to assist the operators in accessing the information from the alarm system, different audible
signals and levels is used.
Upcoming alarms will be followed by an audible signal to alert the operator.
The alarm is soft to avoid unnecessary stress.
Different sounds are used for different alarm priorities. In addition, a dedicated lamp may be used to alert
the operators when alarms occur.
Global silencing of audible/visual signals is done by pressing a button on an operator workplace or by
acknowledging the alarm. When an alarm is acknowledged, the corresponding alarm sound shall
automatically be silenced.
6.6

Alarm System Performance

It is important for operators to distinguish the most important alarms to attend to. Human operators are
limited by both their cognitive processing abilities and their physical response times to the number of
alarms they can respond to in any given unit of time.
EEMUA 191 offers eight characteristics of a good alarm:

Relevant not spurious or of low operational value

Unique not duplicating another alarm

Timely not long before any response is needed or it is too late to do anything

Prioritized indicative of the importance of the operator dealing with the problem

Understandable clear and easy to understand

Diagnostic identifies the problem that has occurred

Advisory indicative of action to be taken

Focusing draws attention to the most important issues.

Alarm and Protective Equipment Management

9 of 12

BL-22-IG-262

6.7

Alarm Annunciation and Response

Operators response to an alarm includes the action to be used to correct the indicated event and the
identification and verification of the situation prior to taking action. The steps involved in the overall
Operators response to an alarm include

Detection Detection refers to the Operators ability to detect the presence of an abnormal
condition. This is achieved visually, and/or through screen-based displays, and audibly via alarm
annunciator horns.

Identification Identification is the recognition of the alarm through its system tag I.D. and point
description. The audible signal is typically silenced at this point.

Verification Verification involves checking for other indications to validate the accuracy of the
identified alarm.

Acknowledgement Acknowledgement of an alarm conveys to the system that the Panel

Operator has verified the alarm.

Assessment Assessment involves rapid evaluation of the overall affected area in the unit before
taking corrective action.

Corrective action Corrective action is the Panel Operators direct response to the alarm.

Monitor The Panel Operator will monitor the variable, repeating steps #5 & #6 until the alarm
has cleared.

6.8

Alarm List Displays

All alarms are presented on a main alarm list, and will be dynamically updated.
An alarm is automatically reset (deactivated) when it is acknowledged and the alarm condition has
returned to normal. The main alarm lists will thus contain acknowledged, unacknowledged and deactivated
unacknowledged alarms requiring operator action.
The main alarm list is accessible for all operator stations. This implies that when an alarm is acknowledged
on one operator station, this status shall be reflected on all operator stations.
The operator will use the alarm list as guidance to detailed information related to a specific alarm (e.g.
through links from the alarm list).
Alarms subject to manual alarm hiding will not appear in the alarm lists but are stored in event logs. This
also applies to logical hidden alarms.
Paper copies (i.e. printouts) of alarm lists are available upon request.
In addition to the main alarm list the operator have the possibility to select alarms from a free selection
criterion such as e.g. time span, priority, etc. Selective alarm lists will also be dynamically updated.
6.9

Event Lists

Event lists, in addition to what is shown on the alarm lists, contain process status information, operator
interactions and information about when tag was activated or deactivated.
All alarms and events in the system shall be presented in the event list. This applies to both active alarms
and alarms that are subject to alarm hiding. However for suppressed signals neither alarms nor events will
be generated in the system.
Typical events are operator input to the system such as:

Digital input (e.g. open/close valves, start/stop pumps, activate/deactivate action inhibit,
manual/auto selection on controllers and equipment, etc.)

Analogue input (e.g. changing set points on controllers, start/stop of pumps, etc.) is classified as

Alarm and Protective Equipment Management

10 of 12

BL-22-IG-262

events.
Information about automatic sequences (automatic start, completion of, etc.) is classified as events.
The requirement also applies to status information, e.g. valves opening according to automatic sequences,
etc. Normal start/stop information from a mechanical package is classified as an event.
Operators comments to the events in the event list may be made in an Information Management System.
This is particularly useful for manual blocking operations, where the reason for the manual action can be
noted.
6.10

Alarm Hiding and Suppression

Alarm Treatment and the Respective Effects

Term
Alarm hiding
Blocking
Suppression

6.10.1

Action

Annunciation

Event

Yes
No
No

No
Yes
No

Yes
Yes
No

Alarm Hiding

The main objective of using alarm hiding is to reduce the amount of information presented to the operator
at a given point in time to only what is relevant for the situation, by using context based hiding
functionality.
Particular focus of utilizing alarm hiding is during major disturbances and in dynamic process situations,
when a large number of alarms can be generated. Of all the alarms normally generated during such a
situation only a few are relevant in order to describe the situation to the operator so that the operator can
focus on what is the most important and needs immediate attention. Knock on alarms will be suppressed or
alarm hidden. The rules and implementation techniques of alarm hiding has been informed to all relevant
personnel working with the alarm system.
It is important to understand that no alarm actions will be influenced by alarm hiding, only the information
presented to the operator through the operator interface.
Alarm hiding on safety related alarms are not implemented.
6.10.2

Suppression

Suppression may be initiated by the logic or manually by the operator. Suppression is used to prevent
process alarms from appearing in the alarm system e.g. for still standing equipment and to enable ordinary
start-up override functionality. This function may be implemented besides an eventual alarm hiding
functionality.
The intention of suppress is that operator can easily override a faulty device until it is being replaced by
maintenance personnel. The Suppress function must not be mixed with the Block or Forced function. Some
users also uses the Suppress function e.g. during start-up of the plant in cases where shutdown actions and
alarm- and events are not desirable.
It is important to understand that suppress has, from a safety point of view, worse consequences on input
device than the output device Function Blocks.
6.10.3

Blocking

It is possible to block input and output signals manually or by the logic. Blocked signals are clearly indicated
on the detailed process displays as well as on dedicated displays for blocked operations. Blocking will be
logged in the event log.
6.10.4

Signal Filtering

Signal filtering is used to remove repetitive alarms caused by noise or faults on signals. Signal filtering will
Alarm and Protective Equipment Management

11 of 12

BL-22-IG-262

not jeopardize a consistent operator presentation of the alarm situation.

6.11

Alarm and status overview

Alarms and status is presented in a grouped overview from predefined process sections such overview is
easily readable and available to the operator.
7.

INTEGRITY OF THE SYSTEM

To maintain the Integrity of the System, plan Maintenance should be in accordance to Maintenance Plan.
INSPECT, ICSS INTERNAL DIAGNOSTICS
E&I personnel review and assessment of diagnostics report Report assessment that no standing items
impede functionality or reliability and SIL is maintained,
Inspection will be carried out every 3 month according to Performance Standard.
Refer Operations Performance Standard (FEC-01) Fire and Gas Detection R1 BL-22-RG-140

Alarm and Protective Equipment Management

12 of 12