2010 PETROLIAM NASIONAL BERHAD (PETRONAS) All rights reserved. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without the permission of the copyright owner
TABLE OF CONTENTS
1.0 INTRODUCTION
1.1 SCOPE AND OBJECTIVES
1.2 DISTRIBUTION, INTENDED USE AND REGULATORY CONSIDERATIONS
1.3 DEFINITIONS
1.4 ABBREVIATIONS
2. CODES AND STANDARDS
3. ALARM GUIDELINES
3.1 ALARM PARAMETERS SHALL NOT BE ALTERED WITHOUT PROPER MANAGEMENT OF CHANGE (MOC)
3.2 ALARMS ARE NOT A SUBSTITUTE FOR AN OPERATOR'S ROUTINE SURVEILLANCE OF UNIT OPERATION
3.3 AN ALARM MUST REQUIRE IMMEDIATE ACTION BY THE OPERATOR
3.4 THERE SHALL NOT BE MULTIPLE ALARMS THAT PROMPT THE SAME OPERATOR ACTION
3.5 ALARM PRIORITY DEFINES THE DEGREE OF URGENCY OF CORRECTIVE ACTION BY THE OPERATOR
3.6 ALARMS SHOULD PROVIDE TIMELY ADVICE THAT THERE ARE PROBLEMS REQUIRING OPERATOR INTERVENTION
3.7 AN ALARM SHOULD HELP THE OPERATOR TO QUICKLY IDENTIFY THE CAUSE OF A PROBLEM
3.8 SIGNALS WHICH DO NOT QUALIFY AS ALARMS
4. ALARM MANAGEMENT PROCESS
4.1 ALARM MANAGEMENT PHILOSOPHY
4.2 IDENTIFICATION
4.3 ALARM RATIONALIZATION
4.4 ALARM DESIGN
4.5 IMPLEMENTATION
4.6 OPERATION
4.7 PERFORMANCE MONITORING
4.8 MAINTENANCE
4.9 ASSESSMENT
4.10 MANAGEMENT OF CHANGE
4.11 ALARM MANAGEMENT PROCESS LOOPS
4.12 ALARM DOCUMENTATION
4.13 ALARM HISTORY RETENTION
5.0 PRIORITY ASSIGNMENT
6.0 BENCHMARKING, PERFORMANCE METRICS AND REPORTING
7.0 ALARM PRESENTATION
8. AUDIBLE SIGNALS CONSIDERATIONS
9. TRAINING
10. ROLES AND RESPONSIBILITIES
11. REFERENCES
APPENDICES
APPENDIX 1: ALARM REVIEW FORM
APPENDIX 2: DCS ALARM PRIORITIZATION RISK ASSESSMENT MATRIX
PREFACE
PETRONAS Technical Standards (PTS) publications reflect the views, at the time of publication, of PETRONAS OPU(s)/Division(s). They are based on the experience acquired during the involvement with the design, construction, operation and maintenance of processing units and facilities. Where appropriate they are based on, or reference is made to, national and international standards and codes of practice.

The objective is to set the recommended standard for good technical practice to be applied by PETRONAS' OPU(s) in oil and gas production facilities, refineries, gas processing plants, chemical plants, marketing facilities or any other such facility, and thereby to achieve maximum technical and economic benefit from standardisation.

The information set forth in these publications is provided to users for their consideration and decision to implement. This is of particular importance where PTS may not cover every requirement or diversity of condition at each locality. The system of PTS is expected to be sufficiently flexible to allow individual operating units to adapt the information set forth in PTS to their own environment and requirements.

When Contractors or Manufacturers/Suppliers use PTS they shall be solely responsible for the quality of work and the attainment of the required design and engineering standards. In particular, for those requirements not specifically covered, the Principal will expect them to follow those design and engineering practices which will achieve the same level of integrity as reflected in the PTS. If in doubt, the Contractor or Manufacturer/Supplier shall, without detracting from his own responsibility, consult the Principal or its technical advisor.

The right to use PTS rests with three categories of users:
1) PETRONAS and its affiliates.
2) Other parties who are authorised to use PTS subject to appropriate contractual arrangements.
3) Contractors/subcontractors and Manufacturers/Suppliers under a contract with users referred to under 1) and 2) which requires that tenders for projects, materials supplied or - generally - work performed on behalf of the said users comply with the relevant standards.

Subject to any particular terms and conditions as may be set forth in specific agreements with users, PETRONAS disclaims any liability of whatsoever nature for any damage (including injury or death) suffered by any company or person whomsoever as a result of or in connection with the use, application or implementation of any PTS, combination of PTS or any part thereof. The benefit of this disclaimer shall inure in all respects to PETRONAS and/or any company affiliated to PETRONAS that may issue PTS or require the use of PTS.

Without prejudice to any specific terms in respect of confidentiality under relevant contractual arrangements, PTS shall not, without the prior written consent of PETRONAS, be disclosed by users to any company or person whomsoever and the PTS shall be used exclusively for the purpose they have been provided to the user. They shall be returned after use, including any copies which shall only be made by users with the express prior written consent of PETRONAS. The copyright of PTS vests in PETRONAS. Users shall arrange for PTS to be held in safe custody and PETRONAS may at any time require information satisfactory to PETRONAS in order to ascertain how users implement this requirement.
1.0
INTRODUCTION
1.1
SCOPE AND OBJECTIVES
1.2
DISTRIBUTION, INTENDED USE AND REGULATORY CONSIDERATIONS
1.3
DEFINITIONS
Acknowledge
The operator action that confirms recognition of an alarm.
Activate
The process of enabling an alarm function within the alarm system.
Adjustable Alarm
An alarm for which the limits are changed, automatically or manually, based on operating conditions.
Alarm
An audible and/or visible means of indicating to the operator an equipment malfunction, process deviation, or abnormal condition requiring a response.
Alarm class
A grouping, or class, used to specify design, operation, monitoring and audit requirements for an alarm.
Alarm condition
The indication of the type and level of an alarm.
Alarm deadband
The range through which an input must be varied from the alarm limit necessary to clear the alarm.
Alarm group
A set of alarms associated with a process unit or within a process area.
Alarm log
The historical record of alarm messages.
Alarm philosophy
A document that establishes the basic definitions, principles, and processes to design, implement, and maintain an alarm system.
Alarm priority
The level of importance assigned to an alarm within the alarm system to indicate importance (e.g. seriousness of consequences) and urgency.
Alarm summary
A display that lists alarms with selected information, such as date, time, priority, and alarm condition.
Alarm system
The collection of hardware and software that detects an alarm state, transmits the indication of that state to the operator's attention, and records changes in the alarm state.
Alert
An audible and/or visible means of indicating to the operator an equipment or process condition that requires awareness and that action may be needed when time permits.
Bypass
To manually modify a function to prevent its activation. (This term is used to describe instrumented functions other than alarms.)
Control system
A system that responds to input signals from the equipment under control and/or from an operator and generates output signals that cause the equipment under control to operate in the desired manner.
Chattering alarm
An alarm that repeatedly transitions between the alarm state and the normal state. For example, any parameter that crosses its alarm threshold three (3) times or more within a one (1) minute period.
Clear
An alternate description of the state of an alarm that has transitioned to the normal state.
Console
The interface for an operator to monitor the process, which may include multiple displays or annunciations.
Deviation alarm
An alarm generated when the difference between two analog values exceeds a set limit.
Disabled Alarm
An alarm that is disabled by the operator such that the alarm will not be generated even though the base alarm condition is present.
Note: Uncontrolled disabling of alarm(s) is not allowed.
Discrepancy alarm
An alarm generated by error between the comparison of an expected plant or device state to its actual state (e.g. when a motor fails to start after it is commanded to the ON state).
Dynamic alarming
The automatic modification of alarms based on process state or conditions.
Initiating event
A malfunction, failure or other condition that can cause an alarm indication.
Latching alarm
An alarm that remains in alarm state after the process has returned to normal and requires an operator action beyond acknowledgement before it will clear.
Nuisance alarm
An alarm that transitions from the normal state to the alarm state more frequently than the response action is needed.
Operator
The primary person responsible for ensuring the process parameters are maintained within limits.
Operator-set alarm
An alarm in which the setting may be manually adjusted by the operator to suit his needs.
Out-of-service
A state that suppresses the alarm indication so that maintenance can be performed.
Plant state
A defined state of operation of a process plant (e.g., shutdown, start-up, operating).
Prioritization
The process of assigning to an alarm a level of importance, or priority, which can be implemented within the alarm system.
Rate-of-change alarm
Alarm generated when a limit value for the rate of change of a process parameter d(PV)/dt is exceeded.
Rationalization
The review of a potential alarm against the principles of the alarm philosophy to establish and document the rationale and design requirements for the alarm.
Remote alarm
An alarm from a remotely operated facility or a remote interface.
Reset
The operator action that unlatches a latched alarm.
Re-triggering alarm
An alarm that is automatically re-annunciated to the operator under certain conditions.
Return to normal
The alarm system indication that an alarm condition has transitioned to the normal state.
Shelve
To prevent the transmission of the alarm indication to the operator through a controlled methodology initiated by the operator. The controlled methodology shall be determined by the OPU.
Stale alarm
An alarm that remains in the alarm state for 24 hours or more.
Standing alarms
A measure of the number of stale alarms.
Station
A single human machine interface within the operator console.
Suppress
To prevent the indication of the alarm to the operator when the base alarm condition is present, initiated automatically by logic or manually by the operator.
Unacknowledged
An alarm in the alarm state which has not been acknowledged by the operator.
1.4
ABBREVIATIONS
AMT - Alarm Management Team
ASM - Abnormal Situation Management
MOC - Management Of Change
DCS - Distributed Control System
EEMUA - Engineering Equipment and Materials Users Association
HAZOP - Hazard & Operability Study
IPF - Instrumented Protective Function
P&ID - Piping & Instrumentation Diagram
SS - Shift Superintendent
RAM - Risk Assessment Matrix
ACK - Acknowledge or Acknowledged
BPCS - Basic Process Control System
cGMP - Current Good Manufacturing Practice
CLR - Clear
HMI - Human Machine Interface
PFD - Process Flow Diagram or Probability of Failure on Demand
PHA - Process Hazards Analysis
PIMS - Plant Information Management System
RTN - Return To Normal (see definition)
SIL - Safety Integrity Level
SIF - Safety Instrumented Function
SIS - Safety Instrumented System
UNACK - Unacknowledged
PTS 32.30.60.19 December 2008 Page 6
2.
CODES AND STANDARDS
3.
ALARM GUIDELINES
Alarms are signals annunciated to the operator, typically by an audible sound and by some form of visual indication on the operator display, both of which differ according to the alarm priority. Alarms are important in that they help the operator to monitor deviations from desired operating conditions which may lead to hazardous situations. Alarms help the operator to maintain the plant within a safe operating envelope. The general philosophy for configuring an alarm should be any one or more of the following:
a. the alarm shall indicate a need for Operator intervention
b. the alarm shall indicate when a control system can no longer control
c. the alarm shall indicate the need for timely Operator response
Alarms shall not be configured if the intent cannot be met by any of the above three. In order to ensure that alarms remain relevant and helpful to the operator, each configured alarm in the DCS shall comply with the following set of guidelines:
3.1
ALARM PARAMETERS SHALL NOT BE ALTERED WITHOUT PROPER MANAGEMENT OF CHANGE (MOC)
Modifications to existing alarms or additions of new alarms shall be part of MOC, where proper justification and an alarm design review are required.
3.2
ALARMS ARE NOT A SUBSTITUTE FOR AN OPERATOR'S ROUTINE SURVEILLANCE OF UNIT OPERATION
Process changes that should be caught by operators during their normal monitoring of the process, and pose no safety issues, shall not be alarmed. The alarm system should be an aid for the operator, not a replacement. Operators are expected to investigate alarms occurring by accessing the appropriate graphic and reviewing trends. The normal and expected process conditions, i.e. sequence process or ON/OFF control, shall not be alarmed.
3.3
AN ALARM MUST REQUIRE IMMEDIATE ACTION BY THE OPERATOR
3.4
THERE SHALL NOT BE MULTIPLE ALARMS THAT PROMPT THE SAME OPERATOR ACTION
Redundant instrumentation due to shut down systems will either
a. not be alarmed,
b. use logic to prevent multiple alarms, or
c. have alarm on deviation between the primary (alarmed) variable and other instruments.
Common alarms should be created for multiple alarms on different variables that require the same response.
If there are many alarm points, determine which is the best to use based on factors such as measurement reliability, minimization of nuisance alarms, speed of initiation, close logical association with the problem cause.
Alarms shall be configured within the DCS controller or Input/output block in order to avoid any redundant alarm, as follows:
1. Loop with Controller - All alarms shall be configured in the controller block inclusive with analog input alarm, analog output and bad input.
2. Loop without Controller - Alarm shall be configured in the individual Digital input or output block, analog input or output block i.e.
3.5
ALARM PRIORITY DEFINES THE DEGREE OF URGENCY OF CORRECTIVE ACTION BY THE OPERATOR
The degree of urgency of an alarm at any instant, and thus its priority, are dependent on these factors:
a. The severity of the consequences (in safety, environmental and economic terms), of failing to take the corrective action associated with the alarm (refer Appendix 2).
b. The time available and required for the corrective action to be performed (Process Safety Time, refer Figure 2) and to have the desired effect.
3.5.2
Thus, the order in which an operator should take corrective action when a number of alarms are present shall be based on the alarm priorities, where the alarm with the highest priority shall receive operator attention (see Section 5 for Priority Assignment).
3.5.3
Each alarm priority shall be configured with a different audible sound, with the highest pitch sound reserved for Emergency / Urgent priority and so forth. Note: Muting of alarms is not allowed.
3.6
ALARMS SHOULD PROVIDE TIMELY ADVICE THAT THERE ARE PROBLEMS REQUIRING OPERATOR INTERVENTION
3.6.1
An alarm setpoint shall be configured to give the operator at least 5 minutes to take corrective action. The alarm setpoint shall depend on the process safety time, which is defined as the time between the process value reaching the alarm setpoint and the consequences occurring if not acted upon under normal operating conditions. This time gap depends on the normal rate of change of the process value, e.g. a small tank with high receiving flow shall have a lower high level alarm setpoint than a large tank with small receiving flow.
3.7
AN ALARM SHOULD HELP THE OPERATOR TO QUICKLY IDENTIFY THE CAUSE OF A PROBLEM
Clear and understandable alarm tag descriptors are important to help identify the cause. Consistent abbreviations shall be used so that they are clearly understood by all operators. An alarm tag's Associate Display parameter shall be configured to provide quick access to the relevant schematic.
3.8
SIGNALS WHICH DO NOT QUALIFY AS ALARMS
However if the maintenance override switch / bypass switch is located and operated outside the control room, its initiation shall be alarmed. Common bypass alarm shall be sent to DCS.
4.
ALARM MANAGEMENT PROCESS
whilst minimising, as far as is reasonably practicable: standing alarms; nuisance alarms; chattering alarms; alarm floods.
In an ideal situation the few alarms that occur are understood and handled properly by the operator. Each of these alarms is genuine, not duplicated and not repetitive, and calls for an action for which the operator has sufficient time, even during plant upset or trip situations. A process plant typically requires the following types of alarms:
- Process alarms
- Trip (IPF) alarms
- F&G alarms
- Common alarms from packaged units
- Diagnostic alarms (from SIS, DCS, Fieldbus etc.)
Not all alarms and messages should necessarily be routed to the operator. Other recipients of alarms and messages, such as DCS/SIS maintenance engineer, should also be considered. The alarm management / rationalisation study should therefore also consider the various alarm recipients, their availability etc. When the configuration of an existing installation is reviewed, it is also necessary to balance the effort expended in the review against the potential improvements to be gained. In practice, this means that the process starts by identifying the Bad Actors of alarms followed by the highest priority of alarms and so forth. The assigned alarm priorities in the DCS are only used to distinguish between the kinds of activity to be executed.
The alarm management process covers the design and maintenance activities from philosophy to management of change. The process is useful in identifying the requirements and roles for implementing an alarm management system. This process flowchart shows the essential steps in implementing the alarm management system.
[Flowchart: PHILOSOPHY / POLICY / MANUAL; IDENTIFICATION; RATIONALIZATION; MOC; DESIGN; MAINTENANCE; OPERATION; PERFORMANCE MONITORING; ASSESSMENT]
4.1
ALARM MANAGEMENT PHILOSOPHY
4.2
IDENTIFICATION
In the identification stage, the alarms configured in the plant control system are to be evaluated. An alarm list is to be generated from the DCS. In addition, it is also necessary to vet all HAZOP reports, IPF review reports and incident investigation reports to identify a list of conditions that need to be protected by operator intervention.
4.3
ALARM RATIONALIZATION
Rationalization is the process of reconciling each individual alarm against the principles and requirements of the alarm philosophy. The exercise involves reviewing and documenting each alarm which exists in the DCS for the particular unit. In this process, the form as per Appendix 1 shall be used to address the following questions:
1. What is the purpose of the alarm, i.e. what potential hazard or event is the alarm intended to prevent?
2. What are the causes of the alarms?
3. What action is required by the operator?
4. What are the consequences of the operator failing to respond to the alarm?
5. How quickly is the operator required to respond?
6. How long will it take for the operator's action to have the required effect?
7. How likely is it that the operator will be able to prevent the event or hazard?
8. Does the alarm comply with the agreed philosophy?
This information is critical to improve alarm clarity to the operator. Once the consequences and the response time have been documented, alarm priority must be assigned based on the matrix of consequences versus priorities. The result will also be used to generate alarm response documentation and in defining alarm retention. The completed forms constitute the alarm narratives for the project/plant/OPUs. The overall alarm narratives shall be endorsed by the plant management as per clause 9.0.
Documents / tools required for this exercise are:
1. Updated P&ID for the unit
2. Control and/or Safeguarding narratives, design documents
3. HAZOP and IPF Classification results
4. Updated DCS alarms, setpoints and tag list
5. Plant Historian (e.g. PIMS) database to view process trends
An Alarm Management Team (AMT) shall be formed which comprises:
1. Alarm Management Team Leader (Operation Engineer) who shall monitor and manage the overall progress of the team.
2. Alarm Management Coordinator/Facilitator (Instrument and Control Engineer) who shall facilitate the alarm rationalization process and compile and execute all the changes required.
3. Operation and Process Technologist Representatives (Panel men/operator from 2 different shifts and Process Technology engineer) who shall discuss and rationalize the alarms.
4. Maintenance Subject Matters Representative (Instrument and Control engineer/technician, Electrical and/or Mechanical engineer/technician) who shall help the review especially in equipment related alarms.
The AMT shall develop a detailed plan and schedule for the alarm rationalization review. The process of alarm rationalization is as follows:
1. Using DCS database, determine the existing alarm parameters for the tag.
2. Also from the DCS database, review most frequent alarms, if applicable.
3. From the P&ID, reconcile the selected DCS alarm tag.
4. Rationalize an alarm parameter by entering it into the Alarm Reference Database. The database shall be configured as per Appendix 1. Refer to narratives or other supporting documents to help determine the purpose, causes, corrective actions, consequences and finally the priority of the alarm.
5. Qualify the alarm parameter against the alarm guidelines (Section 5). If the alarm parameter does not meet the guidelines, decide what the required changes are.
6. Repeat steps (4) and (5) for each alarm parameter for the tag.
7. Continue for the next tag on the DCS database and/or P&ID until all the selected alarms for the unit have been reviewed.
8. Compile all the changes required and raise MOC to obtain proper approvals.
9. Modifications shall be implemented by the instrument/control engineer.
10. An Alarm Review Form shall be printed from the Alarm Reference Database such as Filemaker and signed by the AMT (example format in Appendix 1).
Every alarm shall be accompanied with an Alarm Review Form as per Appendix 1.
4.4
ALARM DESIGN
The design stage includes evaluation of the basic configuration of alarms in the DCS, the design of graphics and other HMI for alarms and the advanced/intelligent method for alarm management (the use of Alarm Management System for example). This process also includes obtaining feedback from operators, as well as defining the testing methods of the alarm system functions. In addition, one of the key deliverables of this stage is to develop the Alarm Reference Database. This document identifies what the alarm is, how it is configured, why it is there, what the operator is supposed to do about it and what the consequences of failing to perform the actions are. Once the necessary approvals have been obtained, the new alarm configurations are implemented in the DCS. This process includes training for the Operator and initial testing of the alarm system functions.
4.4.1
What is the dead-time of the sensor and signal processing?
How many features (e.g. alarms, trips, relief valves) have to be fitted in the gap between the edge of the normal operating band and the constraining value at which a hazard or concern arises?
The design stage includes evaluation of the basic configuration of alarms in the DCS, the design of graphics and other HMI for alarms and the advanced method for alarm management (the use of Alarm Management System for example). This process also includes obtaining feedback from operators, as well as defining the testing methods of the alarm system functions. One of the key deliverables of this stage is to develop the Operator Alarm Response Manual, as per Section 4.3. Once the necessary approvals have been obtained, the new alarm configurations are implemented in the DCS. This process includes training for the operator and initial testing of the alarm system functions.
In all cases the alarm shall be set such that:
- No alarm occurs within the normal process fluctuations and signal noise.
- There is sufficient operator response time.
- The process does not exceed the equipment or process constraint assuming correct and timely operator action and a worst but credible process dead time.
- Uncertainties/Inaccuracies in the equipment or process constraints are taken into account.
Note: Uncertainties/Inaccuracies in the process measurement at the point of the desired alarm setting are taken into account. A particular consideration applies to low flow alarms, where the flow measurement comes from a dP-based device such as an orifice plate or venturi meter. The measurement on the DCS appears linear but the original input signal has a (flow)² characteristic. This means that an alarm set at 10 % of flow range corresponds to only 1 % of DP input signal, which could potentially be disabled by a zero error arising from the meter or its process hook-up. On the other hand, under some circumstances a higher setting might increase the risk of nuisance alarms. The setting of low flow alarms therefore involves a balance between avoiding such alarms and retaining measurement accuracy.
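The square-root relationship described above, worked through as an added example (not part of the PTS): it computes the dP signal behind a low-flow setpoint and shows how a zero error on the dP input delays or disables the alarm. The 1.5 % zero error and all function names are assumptions chosen for illustration.

```python
import math


def dp_fraction(flow_fraction):
    """dP input (fraction of dP span) produced by a flow (fraction of flow range)."""
    return flow_fraction ** 2


def indicated_flow(true_flow, zero_error_dp):
    """Flow shown on the DCS after square-root extraction.

    zero_error_dp is the meter / hook-up zero error as a fraction of dP span.
    """
    dp = min(max(dp_fraction(true_flow) + zero_error_dp, 0.0), 1.0)
    return math.sqrt(dp)


def low_flow_alarm_active(true_flow, setpoint, zero_error_dp):
    """True when the indicated flow is below the low-flow alarm setpoint."""
    return indicated_flow(true_flow, zero_error_dp) < setpoint


def true_flow_at_trip(setpoint, zero_error_dp):
    """True flow at which the alarm actually trips, or None if it can never trip."""
    margin = dp_fraction(setpoint) - zero_error_dp
    if margin <= 0.0:
        return None  # zero error alone keeps the indication at or above the setpoint
    return math.sqrt(margin)


def setpoint_table(zero_error_dp, setpoints=(0.05, 0.10, 0.20, 0.30)):
    """(setpoint, dP at setpoint, true flow at trip) for each candidate setpoint."""
    return [(sp, dp_fraction(sp), true_flow_at_trip(sp, zero_error_dp)) for sp in setpoints]


if __name__ == "__main__":
    # Constructed case: +1.5 % of dP span zero error (assumed value).
    for sp, dp, trip in setpoint_table(0.015):
        trip_text = "never trips" if trip is None else f"trips at {trip:.1%} true flow"
        print(f"setpoint {sp:.0%} of flow = {dp:.2%} of dP span -> {trip_text}")
```

A negative zero error has the opposite effect: the alarm trips above the intended setpoint, which is the nuisance-alarm side of the balance the text describes.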
Another consideration applies to measurements that are influenced by specific properties of the medium such as the liquid and vapor density for dP and displacer type level measurements, the density for orifice type flow meters, etc. In these cases the worst case of all foreseeable operating modes including start-up and shutdown modes shall be considered.

If conflicts arise between the factors influencing the correct alarm setting, it may become impossible to set an acceptable alarm setting. In these cases there are the following options:
- Redesign the process / equipment. This is the most desirable but often impractical solution.
- Set the alarm setting at a level closer to the normal operating conditions. Accept that spurious alarms will occur under some operating conditions. This option reduces the confidence in the alarm and affects the probability that the operator would initiate the required actions in the event of a genuine alarm. This is the least desirable option.
- Set the alarm setting at a level closer to the constraints. Accept that the operator may not have enough time to prevent the hazardous event in all cases (e.g. in the event of a rapid upset). This option does not reduce the confidence in the alarm but affects the probability that the operator would complete the required action in time.

As well as defining the alarm setting, the expected accuracy of the switch point shall also be defined (e.g. 210 °C ± 2 °C). The switching inaccuracy is the maximum allowable difference between the actual process parameter and the alarm setting at the moment the alarm is activated. It includes the inaccuracy of the sensor, signal processing, switch amplifier, A/D converter etc. The inaccuracy does not include any possible dynamic effects whereby the measurement lags behind the actual process parameter. A typical accuracy would be 2 % of instrument span.
4.4.2
4.4.2.2 Increasing the delay timer for digital measurements to reduce intermittent signals. The common values shall be referred as per Table 2.

Table 2 - Default signal filter time constants

Type of Process Variable    1st order time constant    De-bouncer timer (digital signals)
Flow                        2 s                        15 s
Level                       2 s                        60 s
Liquid Pressure             1 s                        15 s
Gas Pressure                1 s                        15 s
Temperature                 0 s                        60 s
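An added example (not part of the PTS) of the de-bouncer timer applied to a constructed flow-switch signal: it counts threshold crossings against the chattering definition in section 1.3 (three or more within one minute) and then applies the 15 s flow value from Table 2. The on-delay implementation, the counting of every change of state as one crossing, and the sample signal are assumptions; the page gives only the timer values.

```python
# De-bouncer timer values for digital signals, in seconds, taken from Table 2.
DEBOUNCE_S = {"flow": 15, "level": 60, "liquid_pressure": 15,
              "gas_pressure": 15, "temperature": 60}

CHATTER_CROSSINGS = 3   # "three (3) times or more"
CHATTER_WINDOW_S = 60   # "within a one (1) minute period"


def crossings(samples):
    """Times at which the alarm state changes. samples: [(t_seconds, in_alarm), ...]."""
    return [t for (_, prev), (t, cur) in zip(samples, samples[1:]) if cur != prev]


def is_chattering(samples, count=CHATTER_CROSSINGS, window_s=CHATTER_WINDOW_S):
    """True if `count` crossings fall inside any window of `window_s` seconds."""
    times = crossings(samples)
    return any(times[i + count - 1] - times[i] <= window_s
               for i in range(len(times) - count + 1))


def debounce(samples, delay_s):
    """On-delay timer: the output goes into alarm only after the input has been in
    alarm continuously for delay_s seconds, and clears as soon as the input clears."""
    out, run_start = [], None
    for t, in_alarm in samples:
        if in_alarm:
            if run_start is None:
                run_start = t
            out.append((t, t - run_start >= delay_s))
        else:
            run_start = None
            out.append((t, False))
    return out


def constructed_flow_switch():
    """Constructed 1 Hz signal: 60 s of flicker (4 s on, 6 s off), then a sustained
    low-flow condition from t = 60 s to t = 99 s."""
    flicker = [(t, t % 10 < 4) for t in range(60)]
    sustained = [(t, True) for t in range(60, 100)]
    return flicker + sustained


if __name__ == "__main__":
    raw = constructed_flow_switch()
    filtered = debounce(raw, DEBOUNCE_S["flow"])
    print("raw crossings:", len(crossings(raw)), "chattering:", is_chattering(raw))
    print("filtered crossings at:", crossings(filtered),
          "chattering:", is_chattering(filtered))
```

The filtered signal raises one alarm, 15 s after the sustained condition begins; that delay has to fit inside the operator response time allowed for the alarm.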
Other techniques require more detailed study and may also be implemented. The following describes the 3 most accepted methods:
PTS 32.30.60.19 December 2008 Page 19 4.4.2.3 Shelving Shelving is a facility where an alarm is temporarily inhibited by the operator to prevent an alarm from being displayed to him when it is a nuisance. This technique requires easy operator access to a list of shelved alarms and unshelving facility. Shelved alarms shall be automatically unshelved at a predetermined time before the shift change over. Time to automatically unshelf the alarms shall be determined by OPUs. The maximum number of shelved alarms per operator should be 30. 4.4.2.4 Static Alarm Suppression Static alarm suppression is used to suppress alarms which are always active but not relevant for a particular process unit or major equipment when it is shutdown for maintenance. This technique requires the configuration of soft keys to activate logic which will disable/enable the particular group of alarms in the unit or equipment. Operators often find alarm systems difficult to manage when relatively large numbers of alarms are permanently or semi-permanently activated. There is the risk of any new alarm remaining unnoticed and the standing alarms cannot be "meaningful" to the operator. In order to minimise the number of standing alarms, static alarm suppression is required. Care has to be taken in grouping the tags to be suppressed. Sometimes there are tags within a section that Operations prefers to watch and alarm even when the rest of the unit is down, e.g. charge drum vacuum or pressure. Alarms that are always active when a process unit or a large piece of equipment is shut down are statically suppressed. Static alarm suppression shall be implemented on one plant section, process unit or equipment item at any one time. Static suppression shall never rely on manual selection only. A redundant process signal shall always be part of the suppression logic to confirm that the unit/equipment is out of service and to remove the suppression when it is put back in service. 
Only after the manual suppression command and the suppression permissive states have been met shall static alarm suppression be allowed. Process signals that are part of permissive logic shall be redundant so that there is no single point of failure that could lead to the inadvertent suppression of alarms or to leaving alarms inadvertently suppressed. Voting shall be such that:
- Two or more independent process measurements are used, such as the feed to a column, tray temperature or valve position.
- Correlated measurements with a high probability of common cause failure (e.g. plugged line) are not used.
- Deadbands are used on the voting permissive (i.e. independent process measurements) to prevent mode cycling.
- Signals with bad PVs are excluded from voting.
Switching on the static alarm suppression shall only be possible when the defined process permissive is met. These conditions differ for each alarm suppression group. The static suppression shall be automatically switched off and a message to the operator shall be generated when the defined process conditions are no longer satisfied.
Figure 3 Static Alarm Suppression

Alarms generated in the DCS from analogue inputs that are suppressed through this functionality shall be visible to the operator in the process graphics individual tag faceplate (e.g. as a blue measurement). The actual alarm condition is not visible (in general no buzzer, no alarm in the alarm list, no alarm to the printer, system or measurement faults not visible). The alarm status, however, is still available on the individual tag's faceplate. When the alarm suppression for a group is released, the suppressed alarms are not to be regenerated (not sounding the buzzer, flashing etc.).

When defining static alarm suppression groups, the following data shall be recorded:
- Static Alarm Suppression Group and Group descriptor: A reference tag name of the group and Group descriptor to allow reference and proper administration.
- Permissive: Boolean statement with the (DCS) tags and conditions (signals) that have to be "true" to permit the static suppression to be switched ON. This includes the condition (alarm, H alarm, LL alarm etc.).
- Static Suppression Group: This is a list of instrument tags to be suppressed.
NOTES:
1. The static alarm suppression may not differentiate between H or L or LL alarms, Bad PV etc. All alarms associated with the listed tag number may be suppressed. This is done to prevent alarms being generated due to maintenance activities on the shut down section.
EXAMPLE: What are the consequences of a block valve leaking, allowing undetected flow into the idle equipment/process? If they are undesirable, the high pressure alarm should be left active.
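The static suppression permissive rules of 4.4.2.4 (manual command plus redundant voting, deadbands, bad-PV exclusion, automatic switch-off with an operator message) can be written as scan logic. The Python below is an example added here, not part of the PTS or of any DCS vendor's implementation; the tag names, thresholds and the voting rule (at least two good signals, all of them agreeing) are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class PermissiveSignal:
    """One independent measurement voting that the unit is out of service."""
    tag: str
    below: float     # votes "out of service" once the PV falls below this value
    deadband: float  # the vote is withdrawn only above below + deadband
    vote: bool = False

    def update(self, pv, bad_pv=False):
        """Return the current vote, or None when the PV is bad (excluded from voting)."""
        if bad_pv or pv is None:
            return None
        if pv < self.below:
            self.vote = True
        elif pv > self.below + self.deadband:
            self.vote = False
        return self.vote  # inside the deadband the previous vote is held


@dataclass
class StaticSuppressionGroup:
    name: str
    signals: list  # PermissiveSignal objects (two or more, uncorrelated)
    tags: list     # instrument tags whose alarms are suppressed
    active: bool = False
    messages: list = field(default_factory=list)

    def permissive(self, readings):
        """readings maps tag -> (pv, bad_pv). Assumed voting rule: at least two
        good signals remain and every good signal votes out of service."""
        votes = []
        for sig in self.signals:
            pv, bad = readings.get(sig.tag, (None, True))
            vote = sig.update(pv, bad)
            if vote is not None:
                votes.append(vote)
        return len(votes) >= 2 and all(votes)

    def scan(self, readings, command=None):
        """One logic scan. command is "ON", "OFF" or None (operator soft key)."""
        ok = self.permissive(readings)
        if self.active and not ok:
            # Process conditions no longer satisfied: switch off and tell the operator.
            self.active = False
            self.messages.append(f"{self.name}: permissive lost, suppression switched OFF")
        elif command == "ON" and not self.active:
            if ok:
                self.active = True
            else:
                self.messages.append(f"{self.name}: request rejected, permissive not met")
        elif command == "OFF":
            self.active = False
        return self.active

    def annunciate(self, tag):
        """False when an alarm on this tag is kept off the buzzer and alarm list."""
        return not (self.active and tag in self.tags)


def demo():
    """Constructed scan sequence for a hypothetical column section."""
    group = StaticSuppressionGroup(
        name="SSG-COLUMN",
        signals=[PermissiveSignal("FI-FEED", below=5.0, deadband=2.0),
                 PermissiveSignal("TI-TRAY", below=60.0, deadband=10.0),
                 PermissiveSignal("ZI-VALVE", below=2.0, deadband=3.0)],
        tags=["LI-101", "PI-102"])
    scans = [
        # unit running: the ON request must be rejected
        ({"FI-FEED": (80.0, False), "TI-TRAY": (150.0, False), "ZI-VALVE": (100.0, False)}, "ON"),
        # unit down: all three signals vote out of service
        ({"FI-FEED": (0.0, False), "TI-TRAY": (40.0, False), "ZI-VALVE": (0.0, False)}, "ON"),
        # feed noise inside the deadband: vote held, no mode cycling
        ({"FI-FEED": (6.0, False), "TI-TRAY": (40.0, False), "ZI-VALVE": (0.0, False)}, None),
        # tray transmitter bad PV: excluded, two good signals still agree
        ({"FI-FEED": (0.0, False), "TI-TRAY": (None, True), "ZI-VALVE": (0.0, False)}, None),
        # feed re-established: suppression removed automatically
        ({"FI-FEED": (50.0, False), "TI-TRAY": (40.0, False), "ZI-VALVE": (0.0, False)}, None),
    ]
    states = [group.scan(readings, command) for readings, command in scans]
    return states, group.messages
```
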
4.4.2.5 Dynamic Alarm Suppression
Dynamic alarm suppression is used to suppress alarms following a trip or process upset. The first alarm in a defined group is triggered, shown in the alarm list and printed in the alarm printer with subsequent alarms in the group suppressed. This minimizes the number of alarms appearing following a trip, thus eliminating alarm flooding and helping the operator respond better to the alarm. A soft switch shall be provided to enable dynamic alarm suppression. Triggers shall be redundant (i.e. a confirmed trigger) so that there is no single point of failure that could lead to the inadvertent suppression of alarms or to leaving alarms inadvertently suppressed.
NOTE: A trigger is usually not the trip transmitter exceeding the trip setting but rather the trip command to the unit or equipment, i.e. the soft signal internal in the safety PLC. However the trip may fail partly or completely so that a confirmation of the trip action is required to trigger suppression. For example, not only the compressor trip command is used as trigger but also the running contact as confirmation.
Trigger voting shall be such that:
- Two or more independent process measurements are used, such as the feed to a column, tray temperature or valve position.
- Correlated measurements with a high probability of common cause failure (e.g. plugged line) are not used.
- Dead bands are used on the voting permissive (i.e. independent process measurements) to prevent mode cycling.
- Signals with bad PVs are excluded from voting.
Dynamic suppression will be automatically turned off after a configurable time period (default 30 min) or when all trigger alarms return to normal. See Figure 4.
A timer will be started when the first of the group's trigger alarms is received. Once the timer has expired any new alarm in the group will sound the buzzer but existing alarms will remain suppressed. If the new alarm is a trigger, it will restart the timer, reinstating a further (30 min) period of dynamic suppression. The operator can choose to manually suppress the alarm group, by means of static alarm suppression, at this time if appropriate. However, the grouping for static alarm suppression is not necessarily the same as the grouping for dynamic alarm suppression. The alarm state sequence diagram for alarms that are in a dynamic alarm suppression group is shown in Figure 5.
The performance of the alarm suppression logic shall be such that it suppresses subsequent alarms within 4 s after the trigger. This is the time for the trip system to respond to a trip condition, final elements to reach their safe position and the process response to generate the next alarm. The available 4 s includes signal transmission via gateways and various nodes on the control system network. For alarms that come faster after a trigger, part of the suppression logic may have to be implemented in the IPS using the "first-up" signal as the trigger. The process graphics will show the actual alarm condition for all suppressed alarms. The condition of auto suppressed trip alarms is also visible on the Cause & Effect matrix graphics. Where triggers are Trip initiators, the trigger shall be disabled when the MOS is switched ON. Likewise the dynamic alarm check shall be disabled for the point as well. If an alarm in a group is not generated even though it is expected to come on as a consequence of a trip, a common fault alarm is raised to the operator. This is a common alarm for the group, not one related to each suppressed alarm. If the operator wishes to know which alarm did not come on, the alarm suppression graphic will have to be consulted.
NOTE: This fault alarm is also available when the dynamic alarm suppression is not enabled.
When dynamic alarm suppression groups are defined, the following data shall be recorded:
- Dynamic alarm Group name and description: The dynamic alarm suppression group is usually a subset of the tags associated with the equipment safeguarding system (a UZ block). The Group name should be selected to show the relation with the system, e.g. 016UZ-250.
- Delay before alarm on check: The Delay Before Alarm On Check (the delay time the control system allows before checking to determine whether all expected alarms, marked dynamic, have in fact been activated) is to be 60 seconds greater than the largest individual dynamic suppressed alarm Time for Alarm to Come Up. Each and every alarm tag marked with a cross in the dynamic box should always alarm when each and every trigger is activated.
- Dynamic suppression Switch Off delay: The Dynamic Suppression Switch Off Delay should always be 1800 s unless the Delay Before Alarm On Check is 1800 s or more.
- Dynamic Grouping Comments: Comments may be added to clarify particular issues for future reference.
- Dynamic Suppressed Tag numbers: For each of the Dynamic Suppressed Tag numbers the following is to be recorded:
  - Tag number and service description as taken from the tag number database
  - A check box indicating whether the tag number also serves as a trigger
  - A check box indicating whether the alarm needs to be dynamically checked
  - Time for Alarm to Come Up: The time when alarm is expected to be activated after system trigger (seconds). If the time is less than 4 s, a remark is to be added: Fast suppression logic required, as discussed above.
NOTES:
1. Group Trigger alarms will almost always be trip alarms or drive failure indicators. If the group trigger is not an alarm (e.g. a motor running status) and therefore not in the database, the tag should be added. All new trigger tags added that are not alarms should be record only.
2. In some instances dynamic suppression will need to be applied to groups not related to a particular equipment safeguarding system. For these cases a new dynamic suppression group tag number shall be defined. The tag may be based upon sequence logic blocks (KS blocks) or on the major trigger tag for a group. For example, if the major trigger tag for a group not related to a safeguarding system was 214LZA555 then the dynamic suppression group tag could be 214UL555 (U standing for Multivariable).
3. A trigger alarm can be suppressed. However the actual trigger shall not be suppressed.
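The dynamic suppression behaviour of 4.4.2.5 (confirmed trigger, 1800 s switch-off timer, restart on a new trigger after expiry, and the expected-alarm check that raises one common fault alarm per group) is shown below as an event-driven model. This Python is an example added here, not code from the PTS or a DCS vendor; the tag names other than the group name 016UZ-250 are hypothetical, and treating triggers that arrive inside a running window as ordinary suppressed alarms is an assumption.

```python
from dataclasses import dataclass

SWITCH_OFF_DELAY_S = 1800  # Dynamic Suppression Switch Off Delay (30 min)
FAST_LOGIC_LIMIT_S = 4     # alarms expected sooner need fast suppression logic


@dataclass
class GroupTag:
    tag: str
    come_up_s: float          # Time for Alarm to Come Up after the trigger
    is_trigger: bool = False
    checked: bool = True      # alarm "needs to be dynamically checked"


class DynamicSuppressionGroup:
    def __init__(self, name, tags, enabled=True):
        self.name = name
        self.tags = {t.tag: t for t in tags}
        self.enabled = enabled            # the soft switch
        # Delay Before Alarm On Check: 60 s more than the slowest expected alarm.
        self.check_delay_s = max(t.come_up_s for t in tags) + 60
        self.window_start = None          # when the suppression timer last started
        self.check_due = None
        self.seen = set()
        self.missing = []
        self.annunciated = []             # (time, text) presented to the operator

    def fast_logic_tags(self):
        """Suppressed tags that need the fast suppression logic remark."""
        return sorted(t.tag for t in self.tags.values()
                      if not t.is_trigger and t.come_up_s < FAST_LOGIC_LIMIT_S)

    def _window_active(self, t):
        return (self.window_start is not None
                and t < self.window_start + SWITCH_OFF_DELAY_S)

    def tick(self, t):
        """Run the expected-alarm check once its delay has elapsed."""
        if self.check_due is not None and t >= self.check_due:
            self.missing = sorted(x.tag for x in self.tags.values()
                                  if x.checked and x.tag not in self.seen)
            if self.missing:  # one common fault alarm for the whole group
                self.annunciated.append((self.check_due, f"{self.name} common fault"))
            self.check_due = None

    def alarm(self, t, tag, confirmed=False):
        """Process one alarm activation; return True if it is annunciated.
        confirmed: the trigger's confirmation signal (e.g. running contact) agrees."""
        self.tick(t)
        in_window = self._window_active(t)
        self.seen.add(tag)
        if self.tags[tag].is_trigger and confirmed and not in_window:
            self.window_start = t         # first, or post-expiry, confirmed trigger
            self.check_due = t + self.check_delay_s
            self.seen = {tag}
        if self.enabled and in_window:
            return False                  # subsequent alarm in the group: suppressed
        self.annunciated.append((t, tag))
        return True

    def triggers_returned_to_normal(self):
        """All trigger alarms back to normal: suppression ends before the timer."""
        self.window_start = None


def demo():
    """Constructed compressor-trip sequence; times are seconds, tags hypothetical."""
    group = DynamicSuppressionGroup("016UZ-250", [
        GroupTag("K-TRIP", 0, is_trigger=True),
        GroupTag("FAL-1", 3), GroupTag("PAL-2", 20), GroupTag("TAH-3", 45)])
    shown = [group.alarm(100, "K-TRIP", confirmed=True),    # starts the timer
             group.alarm(103, "FAL-1"),                     # suppressed
             group.alarm(120, "PAL-2")]                     # suppressed
    group.tick(205)                                         # TAH-3 never came up
    shown += [group.alarm(2000, "PAL-2"),                   # timer expired at 1900
              group.alarm(2100, "K-TRIP", confirmed=True),  # restarts the timer
              group.alarm(2110, "FAL-1")]                   # suppressed again
    return shown, group.annunciated, group.missing
```

The check still runs with the soft switch off (`enabled=False`), matching the note that the fault alarm is available when dynamic suppression is not enabled.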
4.4.2.6 Dynamic Mode Dependent Alarm Settings
Dynamic mode dependent alarm setting may be required to further reduce the meaningless alarm rate. Mode dependent alarm settings may be required where systems have distinct operational modes that require distinct alarm settings. This is for instance the case for furnaces having a normal mode and a decoke mode. Also the burner management system may have an Oil firing mode, a Gas firing mode and a dual firing mode. A dryer will have an operating and a regeneration mode. A crude distiller may have different alarm settings depending on the crude being processed.

With dynamic mode dependent alarm settings, the alarm settings of analogue or digital points are changed according to the detected mode of operation or are available in the form of batch recipes in the case of sequential (batch) programming. The mode switching is detected from a set of process parameters and may also involve a manual switch.
Figure 6 Dynamic Mode Dependent Alarm Settings

Upon a detected mode change, the new set of alarm settings is automatically downloaded into the DCS point. These new settings will be applicable until the next mode change is detected or the dynamic mode dependent alarm setting enable switch is disabled. When disabled the default set of settings is downloaded into the DCS point automatically. See Figure 3. Sensors used for mode detection shall be redundant (i.e. a confirmed mode) so that there is no single point of failure that could lead to the inadvertent alteration of alarm settings or to leaving alarms inadvertently incorrect.
Mode detection voting shall be such that:
- Two or more independent process measurements are used, such as the feed to a column, tray temperature or valve position.
- Correlated measurements with a high probability of common cause failure (e.g. plugged line) are not used.
- Dead bands are used on the voting permissives (i.e. independent process measurements) to prevent mode cycling.
- Signals with bad PVs are excluded from voting.
If none of the defined modes are detected (e.g. because of conflicting mode signals), the default mode shall be selected automatically. The default mode settings table contains the most conservative alarm settings, i.e. those settings that would alarm approaching a constraint in any mode; for high alarms the lowest of all mode settings and for low alarms, the highest. Obviously this could lead to many spurious alarms.

Dynamic mode dependent alarm settings shall not be applied to IPFs and their pre-alarms since these settings are based on the excursion of safe operating envelopes that should not be mode dependent. Where pre-alarms are also used to alarm excursion from the normal operating envelope, they may have dynamic mode dependent alarm settings.

Alarm setting changes (each mode change) shall be logged in the DCS for each point.

When dynamic mode dependent alarm setting groups are defined, the following data shall be recorded:
- Mode dependent alarm setting group tag name and descriptor: A reference tag name of the group and group descriptor to allow reference and proper administration. The group name and description should give a reference to the system (e.g. furnace) having different operating modes.
- Various modes names and descriptors: A reference tag name of the mode and operating mode name to allow reference and proper administration.
- Permissive and comments: For each mode, a Boolean statement with the (DCS) tags and conditions (signals) that have to be "true" or "false" to detect the mode switch to be made. This includes the condition (alarm, H alarm, LL alarm etc.). Conditions may include timers to limit the time during which a particular mode may be on.
- Mode dependent alarm setting group with default settings: This is a list of the instrument tags (and attributes such as L, HH etc.) to be manipulated including the default settings.
- Alarm settings for each defined mode: This is a list of alarm settings for each instrument tag defined in the dynamic alarm settings group. Such a list should be prepared for each mode of operation defined in the list of operating modes.
- Comments: Comments may be added for each instrument tag to clarify particular issues for future reference.
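The default-mode rule, the fall-back on conflicting mode signals, the exclusion of IPF points and the per-point change log described above are worked through in the Python below. It is an example added here, not part of the PTS or a vendor implementation; the furnace tags and settings are constructed, the mode permissives are taken as already voted Booleans, and every mode table is assumed to list every tag.

```python
HIGH_ATTRS = ("H", "HH")  # high-side alarm attributes; all others are treated as low-side


def default_settings(mode_tables):
    """Most conservative setting per (tag, attribute): lowest high, highest low."""
    default = {}
    for table in mode_tables.values():
        for key, value in table.items():
            pick = min if key[1] in HIGH_ATTRS else max
            default[key] = value if key not in default else pick(default[key], value)
    return default


def detect_mode(permissives):
    """permissives maps mode name -> voted Boolean. Exactly one True selects that
    mode; none or conflicting signals select the default mode."""
    true_modes = [mode for mode, ok in permissives.items() if ok]
    return true_modes[0] if len(true_modes) == 1 else "default"


class ModeDependentSettings:
    def __init__(self, mode_tables, ipf_points=()):
        # IPFs and their pre-alarms must not be mode dependent: reject such a config.
        ipf = set(ipf_points)
        clash = sorted({key for table in mode_tables.values() for key in table if key in ipf})
        if clash:
            raise ValueError(f"mode dependent settings configured on IPF points: {clash}")
        self.tables = dict(mode_tables, default=default_settings(mode_tables))
        self.enabled = True
        self.mode = "default"
        self.current = dict(self.tables["default"])  # settings held in the DCS points
        self.log = []                                # (time, tag, attr, old, new, mode)

    def _download(self, t, mode):
        """Write the mode's table to the points and log every changed setting."""
        for (tag, attr), new in self.tables[mode].items():
            old = self.current[(tag, attr)]
            if old != new:
                self.current[(tag, attr)] = new
                self.log.append((t, tag, attr, old, new, mode))
        self.mode = mode

    def update(self, t, permissives):
        """Scan the mode permissives and download a new settings table on a change."""
        mode = detect_mode(permissives) if self.enabled else "default"
        if mode != self.mode:
            self._download(t, mode)
        return self.mode

    def set_enabled(self, t, enabled):
        """The enable switch; disabling downloads the default settings."""
        self.enabled = enabled
        if not enabled and self.mode != "default":
            self._download(t, "default")


# Constructed settings for a hypothetical furnace with a normal and a decoke mode.
FURNACE_MODES = {
    "normal": {("TI-201", "H"): 850.0, ("TI-201", "L"): 600.0, ("FI-202", "L"): 40.0},
    "decoke": {("TI-201", "H"): 700.0, ("TI-201", "L"): 300.0, ("FI-202", "L"): 5.0},
}


def demo():
    mgr = ModeDependentSettings(FURNACE_MODES, ipf_points=[("PI-203", "HH")])
    modes = [mgr.update(0, {"normal": True, "decoke": False}),
             mgr.update(10, {"normal": True, "decoke": True}),   # conflicting signals
             mgr.update(20, {"normal": False, "decoke": True})]
    mgr.set_enabled(30, False)
    return modes, mgr.log, mgr.current
```
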
The lists (various modes, mode dependent alarm setting group, alarm settings for each defined mode and comments) are best combined in tabular form with the instrument tags listed vertically in the first column and the default and mode dependent settings listed in subsequent columns.

4.4.2.7 Alarm Suppression in Batch Operations
A special class of suppression is commonly found in sequential control programs, e.g. for batch operations. Such programs should follow a standard way of enabling / disabling alarms that can be expected to occur.
EXAMPLE:
- Start pump
- Wait until flow reaches Alarm value + x %
- Enable low flow alarm
- ...
- Disable low flow alarm
- Stop pump
4.5 IMPLEMENTATION
Implementation is the stage where the design is put into service. This process includes training for the operator and initial testing of the alarm system functions. This process is one step in addressing alarm clarity.
4.6 OPERATION
Operation is the stage when the alarm is in service and effectively reporting abnormal conditions to the operator.
4.7 PERFORMANCE MONITORING
Performance monitoring is the periodic collection and analysis of data from alarms in the operation life cycle stage. Without monitoring, it is almost impossible to maintain an effective alarm system. This process shall be automated to take place frequently. Monitoring is the primary method to detect problems such as nuisance alarms, stale alarms, and alarm floods. The DCS vendor Alarm Management Software shall be used as the tool for this process. A systematic review shall be conducted to analyse the most frequent alarms logged by the Alarm Management Software. The review process is detailed as follows.

4.3.1.1 Most Frequent Alarms Review Nuisance Alarm Reduction
Repeating alarms, i.e. the same alarm raising and clearing repeatedly over a period, may be generated in several ways, e.g. noise on a process variable when it is near an alarm setting, real high frequency fluctuations of a process variable or repeated action of on-off control loops.
The intent of this review is to analyze and quickly eliminate repeating alarms, especially alarms due to faulty equipment or incorrect settings. This review shall be conducted every two weeks as part of the AMT work process. A list of the most frequent alarms shall be generated and discussed during the review. The review process shall follow Figure 1a.

Fig 1a: Alarm Review Flowchart

1. Select the most frequent alarm and determine the cause(s) and originating equipment.
2. Based on the cause(s), determine the action that must be taken to eliminate or reduce the alarm occurrence, e.g.:
   a. If it is due to faulty equipment, the Shift Supervisor to raise notification in SAP.
   b. If normal operation is near the alarm setting, consider reducing the alarm deadband or changing the alarm setting, only if this does not affect the process safety time.
3. Qualify the alarm against the alarm guidelines described in Section 3. If the alarm parameter does not meet the guidelines, decide what the required changes are.
4. Continue to review the most frequent alarms.
5. Compile the rest of the changes required and raise MOC to get the proper approvals.
6. Modifications shall be implemented by the Instrument/control engineer as per the configuration guidelines.
7. Data on each Alarm Review Form shall be updated into the Alarm Reference Database.
4.8 MAINTENANCE
Maintenance is a necessary step in the alarm life cycle. The process measurement instrument may need maintenance or some other component of the alarm system may need repair. The repair frequency could be scheduled or determined by monitoring. Periodic testing is also a maintenance function. During the maintenance stage, when the alarm is not in operation, the panel operator shall have alternative means of being alerted. Every plant shall have a documented testing philosophy and written test procedures for testing of alarms. As a minimum, Urgent alarms shall be tested during every DOSH shutdown. In the event that the alarm requirement has been identified through IPF Studies, the required testing frequency shall be followed. Every test shall be recorded with the date of test, the unique alarm tag, personnel who have conducted the test, the approving authority and the results of the test.
4.9 ASSESSMENT
Assessment is a periodic audit of the alarm system and the alarm management processes detailed in the alarm management philosophy. The assessment may determine the need to modify processes, the philosophy, the design guidance, or the need to improve the organization's discipline to follow the processes.
4.10 MANAGEMENT OF CHANGE
Management of Change is the structured process of approval and authorization to make additions, modifications, and deletions of alarms from the system. Changes may be identified by many means, including operator suggestions and monitoring. The change process should feed back to the identification stage to ensure that each change is consistent with the alarm philosophy.
Changing the setting or configuration of alarms may alter many aspects of the operator's task in responding to them. This may, in turn, require corresponding changes to schematic displays, operating procedures or other work practices so that an overall consistency is maintained. As such, any changes (new, modify or delete) of alarm setpoints and priorities must be initiated through MOC. Prior to approval of the MOC, an Alarm Review Form must be filled for each change. This is to ensure that:
1. The alarms are justified and properly designed with respect to setpoint, priority and associated displays.
2. Impact to existing logic design and multiple operator displays due to the changes in the alarm settings are extensively reviewed prior to implementation.
3. Data on each Alarm Review Form shall be updated into the Alarm Reference Database.
4.11
4.12
ALARM DOCUMENTATION
An Alarm Reference Database shall be established using readily available and user friendly database software e.g. Filemaker. The alarm database shall be updated quarterly to show the latest alarm settings as configured in the DCS. Each completed Alarm Review Form and the changes made shall be updated into the database. A history of the changes made to each alarm parameter shall be available via this database. A full set of alarm system documentation (similar to an IPF requirements specification according to PTS 32.80.10.12) shall be kept as built containing:
- Overall alarm philosophy
- The alarm template definitions
- Alarm settings, rationale and related constraints
- Alarm narratives resulting from the alarm studies
- The decision alarm or IPF?
- Alarm suppression design, permissive, etc.
Where possible, the use of automatic documentation tools from the DCS Alarm Management Software is encouraged.
4.13
5.0
PRIORITY ASSIGNMENT
The primary purpose of prioritization is to make it easier for the operator to identify important alarms when a number of them occur together. In assigning the priority of an alarm, these factors must be considered:
1. The severity of the consequences (in safety, environmental and economic terms) of the Operator failing to take the corrective action associated with the alarm.
2. The time available (from the onset of the alarm setpoint) and required for the corrective action to be performed and to have the desired effect.
In essence, the prioritization of an alarm shall be based on the expected consequences that the operator can prevent by responding appropriately to it. When performing an alarm review and/or alarm rationalization, the team shall use the Alarm Prioritization Risk Matrix (Appendix 2) and follow the steps below:
1. Determine the hazards that may occur if corrective action is not taken in response to an alarm.
2. Identify the safety, environmental and economic consequences of the hazards.
3. Determine the response time available to the panel man before the hazards occur.
4. Assign the alarm priority based on the RAM.
Note that there may be mitigation systems upstream of the alarm, for example, relief valves or emergency shutdown systems, which are designed to prevent the hazards from occurring. In order for prioritization to be effective, the relative frequency of occurrence of different alarm priorities should reduce with increased priority. Thus, during system design, alarms should be configured with the following priority distribution:

Table 3 Priority Settings
Percentage of total configured alarms:
- a target of 5% and no more than 10%, or 2 to 3 emergency alarms per piece of major equipment
- a target of 10% and no more than 20%
- the rest, i.e. a target of 85% and no less than 70%
6.0
The benchmark asks a number of important questions about the alarm system configuration and behavior, and includes a questionnaire of the operators on their experience of the alarm system. Typically, the following are measured:
1. Number of standing alarms in normal operation
2. Number of alarms per operator
3. Number of alarms per control loop
4. Number of alarms per protected event
5. Ratio of emergency: high: low priority alarms
6. New alarm rate in normal operation
7. New alarm rate in typical disturbance
8. Number of chattering alarms
To acquire this information, the use of an independent plant DCS vendor based Alarm Management Software is recommended. There is also a requirement to analyze events during some typical disturbances, where the Alarm Management Software provides the distinct advantage of an automatic alarm data collection and analysis tool. The results from this bench-mark would indicate which of the two improvement steps previously discussed is needed. Success criteria of the initiative will be derived from the bench-marking result above. A selection of alarm performance metrics shall be used to measure the performance of PETRONAS DCS alarm systems. The metrics shall include:
1. Average alarm rate per 10 minutes, per hour and per day
2. Peak alarm rate per 10 minutes
3. Percentage of 10 minutes periods in a day with fewer than 5 alarms
The metrics data shall be compared to the EEMUA benchmark to continually assess PETRONAS alarm systems performance. For a plant in steady state or stable operation, the average alarm rate per 10 minutes will determine the following risks and categorization (from EEMUA recommendations):
Table 4 Steady State Alarm Rates
Average Alarm Rate in Steady-state Operation, per 10 minute period | Acceptability Categorization
More than 10 alarms | Very likely to be unacceptable
More than 5 but less than 10 | Likely to be over-demanding
More than 2 but less than 5 | Possibly over-demanding
1 or more but less than 2 | Manageable
Less than 1 alarm | Very likely to be acceptable
For a plant experiencing an upset, the number of alarms displayed in 10 minutes following the upset will determine the following risks and categorization (from EEMUA recommendations):

Table 5 Alarm Rates During Upset Conditions
Number of alarms displayed in 10 minutes following a major plant upset | Acceptability Categorization
More than 100 alarms | Definitely excessive and very likely to lead to operator abandoning use of the system
20-100 | Hard to cope with
10-20 | Possibly hard to cope with
Under 10 | Should be manageable
Very likely to be acceptable but may be difficult if several of the alarms require a complex operator response. Efficient / World Class
The metrics shall be calculated from alarm data captured in the Alarm Management System, using the Frequency Analysis and Alarm Rates modules. Hence, it is critical to ensure that the Alarm Management System is continuously capturing alarms from the DCS. Monthly Alarm System Performance reports shall be generated through Alarm Management System, which includes the alarm activity trend over the month including the most active points and the distribution of alarm priorities. A summary report for all areas shall also be generated.
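The three required metrics, the Table 4 and Table 5 categorisations and the most-frequent-alarm list used in the two-weekly review can all be computed from a plain list of alarm activations. The Python below is an example added here, not the Alarm Management Software's own calculation; the one-day log is constructed, and because the tables leave the exact boundary values (2, 5, 10 and 10, 20) unassigned, placing them in the higher band is an assumption.

```python
from collections import Counter

PERIOD_S = 600  # 10 minutes


def bucket_counts(events, start, end):
    """Alarm count for every 10-minute period in [start, end), empty periods included.
    events is a list of (timestamp_s, tag) alarm activations."""
    counts = [0] * ((end - start + PERIOD_S - 1) // PERIOD_S)
    for ts, _tag in events:
        if start <= ts < end:
            counts[(ts - start) // PERIOD_S] += 1
    return counts


def metrics(events, start, end):
    """The alarm performance metrics listed in the text for the window [start, end)."""
    counts = bucket_counts(events, start, end)
    total = sum(counts)
    return {
        "avg_per_10min": total / len(counts),
        "avg_per_hour": total * 3600 / (end - start),
        "avg_per_day": total * 86400 / (end - start),
        "peak_per_10min": max(counts),
        "pct_periods_under_5": 100.0 * sum(c < 5 for c in counts) / len(counts),
    }


def steady_state_category(avg_per_10min):
    """Table 4. Assumption: the boundary values 2, 5 and 10 fall in the higher band."""
    if avg_per_10min >= 10:
        return "Very likely to be unacceptable"
    if avg_per_10min >= 5:
        return "Likely to be over-demanding"
    if avg_per_10min >= 2:
        return "Possibly over-demanding"
    if avg_per_10min >= 1:
        return "Manageable"
    return "Very likely to be acceptable"


def upset_category(alarms_in_10min):
    """Table 5. Assumption: the shared boundaries 10 and 20 fall in the higher band."""
    if alarms_in_10min > 100:
        return ("Definitely excessive and very likely to lead to operator "
                "abandoning use of the system")
    if alarms_in_10min >= 20:
        return "Hard to cope with"
    if alarms_in_10min >= 10:
        return "Possibly hard to cope with"
    return "Should be manageable"


def alarms_after(events, upset_time):
    """Number of alarms in the 10 minutes following an upset."""
    return sum(1 for ts, _tag in events if upset_time <= ts < upset_time + PERIOD_S)


def most_frequent(events, start, end, n=10):
    """Input list for the Most Frequent Alarms Review: (tag, count), highest first."""
    return Counter(tag for ts, tag in events if start <= ts < end).most_common(n)


def sample_log():
    """Constructed one-day log (seconds from midnight); all tags are hypothetical."""
    events = [(7200 + 60 * i, "LI-101") for i in range(120)]           # repeating alarm, 2 h
    events += [(50000 + 10 * i, f"UPSET-{i % 6}") for i in range(36)]  # burst after a trip
    events += [(3600 * h + 100, "PI-7") for h in range(24)]            # one per hour
    return sorted(events)


if __name__ == "__main__":
    log = sample_log()
    day = metrics(log, 0, 86400)
    print(day, steady_state_category(day["avg_per_10min"]))
    print(alarms_after(log, 50000), upset_category(alarms_after(log, 50000)))
    print(most_frequent(log, 0, 86400, 3))
```

On the constructed log the daily average looks manageable while the repeating alarm and the post-trip burst dominate individual periods, which is why the peak rate and the most-frequent list are reported alongside the average.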
7.0
7.1
ALARM PRESENTATION
The operating philosophy used in most control rooms is the Management by Awareness principle where:
- The panel operator will regularly need to scan overviews of process conditions, which may be presented by means of standard displays or custom graphics. Display structures and hierarchy shall be designed to facilitate this activity.
- Situations requiring fast action by the panel operator are indicated by the DCS system through means of an alarm management system, with direct access to associated displays.

To attract the operator's attention, in order for him to take corrective actions, the presentation of process graphics shall be carried out. In addition, the following table shall be applied.

Situation | Background colour | Colour of the value
In alarm but suppressed | Soft white | Blue
Not in alarm but suppressed | Soft white | Black
7.2
The following should be considered when incorporating alarms into DCS operator displays:
- Color coding for displays should be muted or altered such that the alarms' visual indicators are more salient and not masked by other color-coding.
- On process graphics, blinking text should not be used to indicate alarms as this makes it difficult for the operator to read the text.
unacknowledged
Alarms should be displayed by a changing box outline around the text or by using icons. The color of the box outline or icons shall change according to the condition below:

Table 6 Alarm Colour Codes
Alarm Priority | Urgent | High | Low
Unacknowledged | Red (Blinking) | Orange (Blinking) | Magenta (Blinking)
Acknowledged | Red (Static) | Orange (Static) | Magenta (Static)
8.
9.
TRAINING
Training is a key area that induces change to improve human reliability and lower the probability of failures or during abnormal situations. Training would generally be required under the following circumstances:
1. Startup of a new system
2. Implementation of alarm changes
3. New Operators
4. Annual Refresher
Items for training
1. Alarm philosophy
2. Alarm priority definitions
3. Alarm presentation features
4. Defined alarm responses
5. Procedures for handling alarm floods
6. Site MOC process as it relates to alarms
7. Alarm setting audit and enforcement
8. Performance metrics
9. Alarm testing procedures
Specific training on Urgent alarms shall be provided to Console Operators at a minimum frequency of once per year. Operators shall be tested on:
1. Understanding of the alarms
2. Mechanism of annunciation
3. Consequence of missing the alarms
4. Operator's response
10.
Reliability Engineer
- Responsible for reviewing the Alarm System Performance report for each Asset Team monthly.
- Responsible for tracking alarm management activities based on Alarm System Performance report for each Asset Team.
11. REFERENCES
Human Machine Interface in a Control Room | PTS 32.00.00.11
Management of Change (Guidelines) | PTS 60.2201
Alarm System A Guide to Design, Management and Procurement | EEMUA 191 2007
Management of Alarm Systems for the Process Industries | Draft ISA 18.02 2008.04.01
Alarm Management | DEP 32.80.10.14-Gen
ASM Consortium Guidelines Effective Alarm Management Practices | Revision 5
Instructions:
The Alarm Review Form shall be filled up and agreed by the following minimum mandatory participants: Operations Engineer, Panel Operator, Process Engineer and Instrument Engineer.
Complete all sections.

IDENTIFICATION
Alarm Parameter
Causes (List the cause(s) or precursor(s) of the alarm and list any tags which may help identifying the cause(s))
Corrective Actions (Define operator action required to return the process to normal)
Consequence (Define consequence(s) of the alarm event when no corrective action is taken to return the process to normal)
PRIORITY
Determine the priority of the alarm from the DCS Alarm Prioritization Matrix. Record the consequence and response below
Consequence Class
Response Class
PRIORITY CLASS
Response Class: MEDIUM, 5-15 mins, >15 mins

CONSEQUENCE CLASS | ECONOMICS | HEALTH & SAFETY | ENVIRONMENT | PRIORITY CLASS by Response Class
NEGLIGIBLE | No/Slight Effect (<10k) | No/Slight Injury | No/Slight Effect | L L L
LOW | Minor Effect (10-100k) | Minor Injury | Minor Effect | M M L
MEDIUM | Medium Effect (100k-1M) | Major Injury | Local Effect | E M M
HIGH | Major Effect (1M to 10M) | Single Fatality | Major Effect | *E *E *M
EXTREME | Extensive (>10M) | Multiple Fatalities | Massive | *E *E *E
E - Emergency / Urgent / High
M - Medium
L - Low
Note: *M and *E - priority class that is driven by Health & Safety and / or Environment shall be escalated to IPF Layer Classification.
ECONOMICS (Repair and Production Loss Expressed in USD)
Consequence | Description/Definition
No/Slight Effect | Estimated cost less than USD10K or no disruption to unit production
Minor Effect
Medium Effect
Major Effect
Extensive
Minor Injury
Major Injury
ENVIRONMENT
Consequence | Description/Definition
No/Slight Effect | No environmental damage or local environmental damage. Within the fence and within systems. Negligible financial consequences
Minor Effect | Contamination. Damage sufficiently large to attack the environment. Single exceedance of statutory or prescribed criterion. Single complaint. No permanent effect on environment
Local Effect | Limited loss of discharges of known toxicity. Repeated exceedance of statutory or prescribed limit. Affecting neighborhood
Major Effect | Severe environmental damage. The company is required to take extensive measures to restore the contaminated environment to its original state. Extended exceedance of statutory or prescribed limits.
Massive | Persistent severe environmental damage or severe nuisance extending over a large area. In terms of commercial or recreational use or nature conservancy, a major economic loss for the company. Constant, high exceedance of statutory or prescribed limits