BL-22-IG-262 - 0 - Alarm Protective Equipment Management
BL-22-IG-262
SMS ELEMENT#
07
N/A
Rev
No
OWNER
REVIEW INTERVAL
36 Months
Approvals
Date
Originator
Owner
Checked
Approval
Authority
CMMS TECH
SUPT
Asset Integrity
Specialist
Facilities
Maintenance
Superintendent
060/5/14    RAJ    Sean D'Arcy    Andrew Gibbons    Gareth Gill
22/06/14    RAJ    Sean D'Arcy    Andrew Gibbons    Gareth Gill
06/08/14    RAJ    Sean D'Arcy    Andrew Gibbons    Gareth Gill
15/08/14    RAJ    Sean D'Arcy    Andrew Gibbons    Gareth Gill
02/09/14    RAJ    Sean D'Arcy    Andrew Gibbons    Gareth Gill
AEL Authority
REVISION HISTORY
Revision
Amendment
CONTENTS
1. PURPOSE
2. SCOPE
3. REFERENCE
4. ABBREVIATIONS
1.
PURPOSE
The purpose of this document is to define the Integrated Control and Safety System (ICSS) in FPSO ARMADA
CLAIRE, which will operate in Australia.
Modern Integrated Control and Shutdown Systems (ICSS), with their increasing level of integration and
highly configurable operator interfaces, offer many possibilities for alarm generation and presentation.
This procedure will cover the following items:
Types of Alarms
Response to Alarms
Alarm Rationalization
2.
SCOPE
The scope covers what is required to ensure that the FPSO ICSS alarm system acts as a tool that effectively
helps the Panel Operator to take the correct action(s) at the correct time.
The document also aims to ensure that:
Alarms are configured consistently in accordance with industry best practice guidelines.
Alarms are presented at a rate that the Panel Operator can effectively handle.
Panel Operators can rapidly assess the location and relative importance of all process alarms.
Panel Operators can process alarm information during high frequency alarm actuation events.
3.
REFERENCE
Document Number               Title
21009-ABB-43800-PC-MN-0005    ICSS Software Library Manual
21009ETA76300INLS0003         PCS System I/O List
21009-BAE-70000-IN-RL-0002    ESD System I/O List
21009-BAE-70000-IN-RL-0003    F&G System I/O List
21009-ABB-43800-PC-SP-0002    ICSS HMI Functional Design Specification
21009-BAE-70000-IN-RP-0004    ALARM MANAGEMENT PHILOSOPHY FOR INTEGRATED CONTROL & SHUTDOWN SYSTEM
4.
ABBREVIATIONS
A&E
AMS
CAAP
CCR
ESD
EEMUA
HAZOP
HSE
ICSS
LAN
LOPA
MADB
MOC     Management Of Change
MOS
PHA
POS
PCS
PSD
PV      Process Value
SIL
SCR
SOE     Sequence Of Events
5.
SYSTEM DESCRIPTION
The system is based on ABB's Industrial IT product family, offering state-of-the-art technology for the
Integrated Control and Safety System, ICSS. Through redundancy, the system is designed to meet the highest
possible availability and reliability for the process controlled.
The ICSS system comprises:
All subsystems listed above are based on the 800xA process control platform and integrated through a
common information/operator interface utilizing ABB's Process Portal information/operator interface.
The ICSS shall be utilized for monitoring, control and safeguarding requirements for the topsides, marine.
The FPSO topsides process and ancillary facilities comprise:
Power Generation
Emergency Generator
Boiler
Bilge Alarm
Chain Table
Manifold Deck
Turret piping
All the above facilities will be monitored, controlled and shut down by the ICSS Alarm & Protective
Management System.
6.
A process alarm is defined as a mechanism for informing a Panel Operator of an abnormal process
condition for which an operator action is required. The Panel Operator is notified in order to prevent or
mitigate process upsets and disturbances.
Directing others to make changes in the control or process system (manually start pumps, operate
valves, check items for function, take samples, etc.)
Logging conditions for the necessary purposes of later examination, maintenance, or repair.
6.1
6.2
Types of Alarm
The Armada Claire FPSO ICSS includes the main PCS, a Fire & Gas system (FGS) and also a Safety
Instrumented System (ESD). The ESD contains safety functions including those rated at SIL 1, SIL 2 and SIL 3.
Some pre-alarms annunciated via the PCS are documented in the SIL Study as independent layers of
protection in LOPA analyses of SIL requirements. As per the Reliability Claims outlined in EEMUA 191 2.3.4,
this suggests specific requirements on human reliability.
In addition to those alarms identified in the SIL Study, it is anticipated that the categorisation as Special
Alarm will also include any alarm relied upon to provide significant reduction of risk of potential Personnel
Safety or Environmental impact (e.g. as outlined in any other Safety Case documentation).
Special Alarms are identified on the process graphics and alarm banner by the inclusion of an asterisk
before and after the Instrument Service descriptor. When a Special Alarm appears on the Operator
graphics, the Operator will take immediate action to address the alarm. The Operator needs to first
understand the cause of this alarm and take the necessary actions in a timely manner to mitigate the threat
of any hazardous scenario.
6.3
Alarm Priorities
Alarm priorities are configured to give the operator information about the importance of the alarms at
any time and to enable the operator to act on the most important alarms within a reasonable time.
The operator cannot change the priority. Alarms are classified according to the state the plant can
develop into if no action is taken. To fulfil this demand, four recommended priorities are defined.
The four alarm priorities are listed below:
Alarm priority 1: Safety Critical Alarms
Priority 1 is used for alarms from the safety systems, i.e. ESD, F&G.
Action alarms from ESD, F&G, will also be assigned priority 1. These action alarms will always need the
operator's immediate action. E.g. if a module has been electrically isolated upon smoke detection,
personnel will be informed by process alarms.
Failure in performing safety shutdown actions during an emergency shutdown situation will be assigned
priority 1, e.g. a shutdown valve not reaching the closed position after an emergency shutdown.
Priority 1 also covers coincidence alarms, i.e. if an emergency shutdown command is initiated on blocked
equipment.
Alarm priority 2: Escalating Alarms
Priority 2 is assigned to alarms which give the operator the possibility to perform corrective actions to
prevent escalation of the situation into a production shutdown.
Priority 2 is used for all warning alarms that may escalate to a shutdown, e.g. high level in a compressor
suction scrubber.
Critical system and component failures will be assigned priority 2, e.g. loss of communication to a system
that eventually will initiate PSD, while system and component failures in general shall be given priority 3 or 4.
Alarm priority 3: Non-escalating Alarms
This priority will be used for PCS warning alarms, and PCS action alarms that will not escalate to a
production shutdown, e.g. a warning about too high pressure across a strainer if there is no high-high
shutdown action, or shutdown of one out of two pumps in a duty standby configuration.
Priority 3 is also assigned to PSD action alarms. Failure in performing PSD shutdown actions will be assigned
priority 3, e.g. a HZV valve not reaching the closed position after a process shutdown. The same will apply
to PCS valves.
Priority 3 is given to non-safety related coincidence alarms i.e. if a shutdown command is initiated on
blocked equipment. Component failure in SIL loops and important faults in PSD and PCS are also given
priority 3.
Alarm priority 4: Non-critical Alarms
Priority 4 is intended to be used for alarms that do not need the process operator's immediate physical
response, but just a cognitive action to decide on immediate or general handling by e.g. maintenance
personnel.
This priority is used for system and fault alarms in the control system itself, e.g. ICSS alarming that one of
the redundant communication links is unavailable.
6.4
Alarm colours
In order to assist the operators in accessing the information from the alarm system, different colours have
been used in the alarm lists. The same colours can also be used in the alarm list as in the process displays.
Background colours are designed in such a way that alarm texts are easy to read.
Purpose / Priority    Colour     Sound    Auto Ack
Critical              Red        Buzz     No
Warning               Yellow     Alert    No
Advisory              Cyan       Beep     No
PVBAD                 Magenta    None     No
BYPASS                Blue       None     Yes
Event                            None     Yes
6.5
Audible Signals
In order to assist the operators in accessing the information from the alarm system, different audible
signals and levels are used.
Upcoming alarms will be followed by an audible signal to alert the operator.
The alarm sound is soft to avoid unnecessary stress.
Different sounds are used for different alarm priorities. In addition, a dedicated lamp may be used to alert
the operators when alarms occur.
Global silencing of audible/visual signals is done by pressing a button on an operator workplace or by
acknowledging the alarm. When an alarm is acknowledged, the corresponding alarm sound shall
automatically be silenced.
6.6
It is important for operators to distinguish the most important alarms to attend to. Human operators are
limited, by both their cognitive processing abilities and their physical response times, in the number of
alarms they can respond to in any given unit of time.
EEMUA 191 offers eight characteristics of a good alarm:
Timely: not long before any response is needed, or too late to do anything
Prioritized: indicative of the importance of the operator dealing with the problem
6.7
The Operator's response to an alarm includes the action to be used to correct the indicated event and the
identification and verification of the situation prior to taking action. The steps involved in the overall
Operator's response to an alarm include:
1. Detection: Detection refers to the Operator's ability to detect the presence of an abnormal
condition. This is achieved visually, and/or through screen-based displays, and audibly via alarm
annunciator horns.
2. Identification: Identification is the recognition of the alarm through its system tag I.D. and point
description. The audible signal is typically silenced at this point.
3. Verification: Verification involves checking for other indications to validate the accuracy of the
identified alarm.
4. Assessment: Assessment involves rapid evaluation of the overall affected area in the unit before
taking corrective action.
5. Corrective action: Corrective action is the Panel Operator's direct response to the alarm.
6. Monitor: The Panel Operator will monitor the variable, repeating steps #5 & #6 until the alarm
has cleared.
6.8
All alarms are presented on a main alarm list, and will be dynamically updated.
An alarm is automatically reset (deactivated) when it is acknowledged and the alarm condition has
returned to normal. The main alarm lists will thus contain acknowledged, unacknowledged and deactivated
unacknowledged alarms requiring operator action.
The main alarm list is accessible for all operator stations. This implies that when an alarm is acknowledged
on one operator station, this status shall be reflected on all operator stations.
The operator will use the alarm list as guidance to detailed information related to a specific alarm (e.g.
through links from the alarm list).
Alarms subject to manual alarm hiding will not appear in the alarm lists but are stored in event logs. This
also applies to logical hidden alarms.
Paper copies (i.e. printouts) of alarm lists are available upon request.
In addition to the main alarm list, the operator has the possibility to select alarms using a free selection
criterion such as time span, priority, etc. Selective alarm lists will also be dynamically updated.
6.9
Event Lists
Event lists, in addition to what is shown on the alarm lists, contain process status information, operator
interactions and information about when a tag was activated or deactivated.
All alarms and events in the system shall be presented in the event list. This applies to both active alarms
and alarms that are subject to alarm hiding. However for suppressed signals neither alarms nor events will
be generated in the system.
Typical events are operator input to the system such as:
Digital input (e.g. open/close valves, start/stop pumps, activate/deactivate action inhibit,
manual/auto selection on controllers and equipment, etc.)
Analogue input (e.g. changing set points on controllers, start/stop of pumps, etc.) is classified as
events.
Information about automatic sequences (automatic start, completion of, etc.) is classified as events.
The requirement also applies to status information, e.g. valves opening according to automatic sequences,
etc. Normal start/stop information from a mechanical package is classified as an event.
Operators' comments on the events in the event list may be made in an Information Management System.
This is particularly useful for manual blocking operations, where the reason for the manual action can be
noted.
6.10
Action
Annunciation
Event
Yes
No
No
No
Yes
No
Yes
Yes
No
6.10.1
Alarm Hiding
The main objective of using alarm hiding is to reduce the amount of information presented to the operator
at a given point in time to only what is relevant for the situation, by using context-based hiding
functionality.
Alarm hiding is particularly intended for major disturbances and dynamic process situations,
when a large number of alarms can be generated. Of all the alarms normally generated during such a
situation, only a few are relevant for describing the situation to the operator, so that the operator can
focus on what is most important and needs immediate attention. Knock-on alarms will be suppressed or
alarm hidden. The rules and implementation techniques of alarm hiding have been communicated to all
relevant personnel working with the alarm system.
It is important to understand that no alarm actions will be influenced by alarm hiding, only the information
presented to the operator through the operator interface.
Alarm hiding on safety related alarms is not implemented.
6.10.2
Suppression
Suppression may be initiated by the logic or manually by the operator. Suppression is used to prevent
process alarms from appearing in the alarm system, e.g. for still standing equipment, and to enable ordinary
start-up override functionality. This function may be implemented besides an eventual alarm hiding
functionality.
The intention of suppress is that the operator can easily override a faulty device until it is replaced by
maintenance personnel. The Suppress function must not be mixed with the Block or Forced function. Some
users also use the Suppress function e.g. during start-up of the plant in cases where shutdown actions and
alarms and events are not desirable.
It is important to understand that suppress has, from a safety point of view, worse consequences on input
device Function Blocks than on output device Function Blocks.
6.10.3
Blocking
It is possible to block input and output signals manually or by the logic. Blocked signals are clearly indicated
on the detailed process displays as well as on dedicated displays for blocked operations. Blocking will be
logged in the event log.
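The difference between hiding, suppression and blocking described in 6.9 and 6.10.1 to 6.10.3 can be modelled as below. This is an added example, not code from the ICSS or from ABB; the tag names are constructed, and treating priority 1 as "safety related", keeping blocked signals on the alarm list and letting a block inhibit the action are assumptions.

```python
from dataclasses import dataclass, field

SAFETY_PRIORITY = 1  # assumption: "safety related" = priority 1 (ESD, F&G), see 6.3

@dataclass
class Tag:
    name: str
    priority: int
    hidden: bool = False
    suppressed: bool = False
    blocked: bool = False

@dataclass
class Outcome:
    alarm_list: list = field(default_factory=list)  # what the operator sees
    event_log: list = field(default_factory=list)   # what is recorded
    actions: list = field(default_factory=list)     # alarm actions executed

def hide(tag):
    # 6.10.1: alarm hiding is not implemented on safety related alarms
    if tag.priority == SAFETY_PRIORITY:
        raise ValueError(f"{tag.name}: hiding refused for safety alarm")
    tag.hidden = True

def process(tags_in_alarm):
    out = Outcome()
    for tag in tags_in_alarm:
        if tag.suppressed:
            continue                          # 6.9: neither alarm nor event (nor action)
        out.event_log.append(tag.name)        # hidden and blocked signals are still logged
        if not tag.hidden:
            out.alarm_list.append(tag.name)   # hiding affects presentation only
        if not tag.blocked:
            out.actions.append(tag.name)      # assumption: a block inhibits the action
    return out

def untraceable(tags_in_alarm, out):
    # Tags in alarm that left no record at all: the audit blind spot of suppression
    return [t.name for t in tags_in_alarm if t.name not in out.event_log]

def demo():
    # Constructed sample tags, not taken from the FPSO I/O lists
    knock_on = Tag("LT-EXAMPLE-01", priority=3)
    standby = Tag("PT-EXAMPLE-02", priority=3, suppressed=True)
    isolated = Tag("XV-EXAMPLE-03", priority=2, blocked=True)
    esd = Tag("ESD-EXAMPLE-04", priority=1)
    hide(knock_on)
    try:
        hide(esd)
        refused = False
    except ValueError:
        refused = True
    tags = [knock_on, standby, isolated, esd]
    out = process(tags)
    return out, untraceable(tags, out), refused
```

Because a suppressed signal leaves nothing in the event log, the set of active suppressions has to be tracked outside the log if it is to be reviewed later.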
6.10.4
Signal Filtering
Signal filtering is used to remove repetitive alarms caused by noise or faults on signals. Signal filtering will
Alarms and status are presented in a grouped overview from predefined process sections; such an overview is
easily readable and available to the operator.
7.
To maintain the integrity of the system, planned maintenance should be in accordance with the Maintenance Plan.
INSPECT, ICSS INTERNAL DIAGNOSTICS
E&I personnel review and assess the diagnostics report. The report assessment confirms that no standing
items impede functionality or reliability and that SIL is maintained.
Inspection will be carried out every 3 months according to the Performance Standard.
Refer to Operations Performance Standard (FEC-01) Fire and Gas Detection R1 BL-22-RG-140