Engineering Procedure

SAEP-368 22 June 2016

Alarm System Management
Document Responsibility: Process Control Standards Committee

Contents
1 Scope.............................................................. 2
2 Applicable Documents.................................... 2
3 Definitions....................................................... 2
4 Instructions...................................................... 6
5 Responsibilities............................................... 7
Revision Summary................................................. 9

Appendix A - Alarm Philosophy

Document Development......................... 10
Appendix B - Alarm System
Performance Report............................... 22

Previous Issue: 15 January 2011 Next Planned Update: 22 June 2019

Page 1 of 23
Contact: Abbud, Saad Mohammad (abbusm0a) on +966-13-8801834

©Saudi Aramco 2016. All rights reserved.

Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

1 Scope

This Saudi Aramco Engineering Procedure (SAEP) defines requirements for the
planning, engineering, rationalization, configuration and maintenance of alarm systems
within DCS and SCADA Systems. This procedure is applicable to both existing and
new facilities.

The objective of this procedure is to ensure that only the necessary alarms with the
appropriate priorities and set-points are configured within the system and those alarms
can be effectively managed by the console operator.

This document also defines the roles and responsibilities for Proponent Departments,
Project Management and Process & Control Systems Department (P&CSD).

2 Applicable Documents

The requirements contained in the following document apply to the extent specified in
this procedure:

 Industry Standards

American National Standards Institute/International Society of Automation

ANSI/ISA-18.2 Management of Alarm Systems for the Process
Industries, 2nd Edition, 2015

Engineering Equipment and Materials Users Association (EEMUA)

EEMUA Publication 191 Alarm Systems: A Guide to Design, Management,
and Procurement

3 Definitions

3.1 Acronyms
DCS Distributed Control System
ESD Emergency Shutdown System
FAT Factory Acceptance Test
HMI Human Machine Interface
MOC Management of Change
P&ID Piping and Instrument Diagram
PHA Process Hazard Analysis

Page 2 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

SAES Saudi Aramco Engineering Standard

SAEP Saudi Aramco Engineering Procedure
SAMSS Saudi Aramco Materials System Specification
SAPMT Saudi Aramco Project Management Team
SCADA Supervisory Control and Data Acquisition
HAZOP Hazard and Operability Study

3.2 Definitions of Terms

Advanced Alarm Handling: A technique provides multiple sets of appropriate

alarm settings, which are switched in and out based on real-time detection of the
current operating state. This enables automated alarm suppression and shelving
based on operating conditions and provides proper alarm settings for all plant
operating states.

Alarm: An audible and/or visible means of indicating to the operator an equipment

malfunction, process deviation, or abnormal condition requiring a response.

Alert: An audible and/or visible means of indicating to the operator an equipment

or process condition that requires awareness, that is indicated separately from
alarm indications, and which does not meet the criteria for an alarm.

Alarm Class: Alarm classification is a method for grouping of alarms

with similar requirements for testing, training, and management of change.
Alarm class should be assigned for each alarm and be used to keep track of these
requirements.

Alarm Floods: Alarm floods are defined as periods of alarm activity with
presentation rates higher than the operator can respond. Alarm floods can make
a difficult process situation much worse. In a severe flood, the alarm system
becomes a nuisance, a hindrance, or a distraction, rather than a useful tool.

Alarm Management System Champion: A person whose responsibility is to

maintain the integrity of the alarm system and ensure compliance with the
Alarm Philosophy Document at his plant/site.

Alarm Message: A text string displayed with the alarm indication that provides
additional information to the operator.

Alarms per Day: Number of alarms per day is a good indicator of the health of
the alarm management system. Periods of unusually high alarm activity are
easily identified in the trend charts. Excessive alarm events can result from
abnormal conditions or equipment failure.

Page 3 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

Alarm Philosophy Document: A document that establishes the basic definitions,

principles, and processes to design, implement, and maintain an alarm system.

Alarm Priority: The relative importance assigned to an alarm within the alarm
system to indicate the urgency of response (e.g., seriousness of consequences
and allowable response time).

Alarm Settings: Alarm settings constitute the configuration of a tag and its
alarms. The alarm algorithm, alarm trip points, priority, and dead band are
examples of alarm settings.

Alarm System: The collection of hardware and software that detects an alarm
state, communicates the indication of that state to the operator, and records
changes in the alarm state.

Alarmable Tags: Alarmable tags are tags that can have at least one alarm.
Best Practice guidelines provide that only about 75% of alarmable tags should
have one or more alarms set.

Allowable Response Time: The maximum time between the annunciation of

the alarm and the time the operator must take corrective action to avoid the
consequence.

Bad Actors Alarms: Nuisance alarms including chattering, frequent, and

standing alarms.

Chattering Alarm: Chattering alarms are nuisance alarms that repeatedly

transition into and out of alarm in a short amount of time.

Consequential Alarms: Consequential alarms are a subset of most frequently

occurring alarms. They are source alarms around which other alarms are occurring
within a specific time. Consequential alarms are often multiple alarms from the
same event, essentially telling the operator the same thing in different ways.

Distributed Control System (DCS): A process control system is composed of

distinct modules. These modules may be physically and functionally distributed
over the plant area. The distributed control system contains all the modules and
associated software required to accomplish the regulatory control and
monitoring of a process plant, excluding field instruments, remote terminal
units, auxiliary control systems, and management information systems.

Duplicate Alarms: Duplicate alarms are alarms that persistently occur within a
short time period of other alarms. Alarms are considered duplicate or redundant
when they consistently occur within one second of each other.

Page 4 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

Frequently Occurring Alarms: A relatively few tags often produce large

percentages of the total system alarm load. The top 20 most frequently
occurring alarms are analyzed showing frequency and accumulated percent, for
both Recorded and Annunciated alarms.

Management of Change (MOC): MOC is a process to verify that changes in

alarm system are evaluated, authorized, and managed to ensure that the safety,
health and environmental risks arising from these changes are controlled.

Nuisance Alarm: An alarm that annunciates excessively, unnecessarily, or

does not return to normal after the correct response is taken (e.g., chattering,
fleeting, or stale alarms).

Rationalization: The process to review potential alarms using the principles of

the Alarm Philosophy Document, to select alarms for design, and to document
the rationale for each alarm.

Shelve: A mechanism, typically initiated by the operator, to temporarily

suppress an alarm.

Site: A process facility that is identified by physical, geographical, or logical

segmentation within Saudi Aramco. A site may contain areas, sections, units,
equipment modules, and control modules.

Stale Alarm: Stale alarms are in the alarm state continuously for more than
24 hours. Following their initial appearance, stale alarms provide no valuable
information to the operators. They clutter the alarm displays and interfere with
the operator’s ability to detect and respond to new and meaningful alarms.

Standing Alarm: An alarm in an active alarm state (e.g., unacknowledged

alarm, acknowledge alarm).

State-based Alarm: An alarm that is automatically modified or suppressed

based on process state or conditions.

Supervisory Control and Data Acquisition (SCADA): An industrial control

system for monitoring and control of remote equipment that operates using
industrial protocols over communication channels to communicate with Remote
Terminal Units.

Suppress: Any mechanism to prevent the indication of the alarm to the

operator when the base alarm condition is present (i.e., shelving, suppressed by
design, out-of-service).

Page 5 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

4 Instructions

4.1 Alarm Philosophy Document

Every site that deploys a DCS or SCADA System shall develop an Alarm
Philosophy Document based on the guidelines stated in Appendix A.
This document shall provide the criteria for alarm selection, priority setting,
set-point allocation and the configuration of any alarm handling methods to
minimizing duplication, repetition alarm floods.

4.2 Alarm Rationalization and Master Alarm System Database

4.2.1 Every site/project that deploys a DCS or SCADA system shall conduct
alarm rationalization of proposed alarms using the alarm philosophy as a
guideline. The output of the rationalization process is a rationalized
Master Alarm System Database. This database shall provide the details,
on a per alarm basis of alarm set-points, priority and any specific
configuration requirements.

4.2.2 Documents required for alarm rationalization include:

a. P&IDs
b. Operating Instructions
c. DCS configuration data
d. Results from HAZOP or PHA reviews
e. ESD point lists, ESD trip set-points and
f. DCS trends and or archived PI point database

4.2.3 Every site/project shall use a standard database engine (i.e., MS-SQL or
Oracle) to develop and maintain the rationalized alarm system database.

4.2.4 The master alarm database, P&ID drawings and other relevant
documents shall be updated to contain the final alarm configuration.

4.2.5 Appropriate Management of Change (MOC) procedures shall be

following prior to changes to alarm set-points and/or priorities by
authorized operations and engineering personnel in the facility.

4.3 Alarm System Performance Monitoring, Assessment, and Auditing

This section provides guidance for alarm system ongoing monitoring and
periodic performance assessment that are essential to achieve and maintain the
acceptable performance target at Saudi Aramco processing facilities.

Page 6 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

4.3.1 Regular alarm system performance reports shall be received by

Maintenance and Operations highlighting the most frequent alarms
generated per tag/operating area. See also Appendix B, Guidelines for
Alarm System Performance Report.

4.3.2 The alarm tags generating the most frequent alarms shall be resolved
through proper and timely maintenance of faulty or malfunctioning
instruments and sensors.

4.3.3 When sensor noise or chattering occurs, the first line of action will be to
correct the field instrument should be checked to determine if sensor
malfunction is the cause of the alarm. If this is not the case, then signal
filters and/or time delays should be reviewed to determine if appropriate
values have been assigned.

4.3.4 For existing facilities, a base-line report shall be prepared to determine

the operating alarm system performance. See Appendix B for report
outlines.

4.3.5 Every site/project that deploys a DCS or SCADA system shall install and
utilize an Alarm Management Optimization application.

5 Responsibilities

5.1 Saudi Aramco Project Management Team (SAPMT) – Applicable for new
projects
a. Develop an Alarm Philosophy Document. This document shall be
consistent for all units within the facility.
b. Provide the Alarm System Database and rationalize the identified alarms
based on the Alarm Philosophy Document.
c. Submit the above documents for review to the appropriate Saudi Aramco
organizations.
d. Update the appropriate DCS and SCADA engineering design documents
and configuration files to include the final rationalized Alarms System
Database.
e. Conduct Factory Acceptance Testing (FAT) of alarm management systems
to ensure the system complies with mandatory requirements. The FAT
shall also confirm that the alarm system configuration is consistent with the
Master Alarm System Database. Testing shall also include any advanced
alarming functions, such as masking, suppression or shelving.
f. Provide standard alarm performance reports as detailed in Appendix B of
this procedure.

Page 7 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

5.2 Proponent Organizations

5.2.1 New Facilities

a. Review and approve the Alarm Philosophy Document.
b. Participate in the alarm identification and rationalization process.
c. Review proposed alarm configuration, performance report
configuration and other alarm design documents associated with the
project.
d. Participate in the FAT to verify the design and functionality of the
alarm management system.

5.2.2 Existing Facilities

a. Develop Alarm Philosophy Document.
b. Develop alarm system baseline reports and develop a Master Alarm
System Database.
c. Conduct an Alarm Rationalization process for each operating unit.
d. Implement the rationalized Alarm System Database and update the
configuration files in the appropriate operating units in the facility.
e. Implement an alarm management system to ensure the automatic
generation of weekly or bi-weekly alarm system performance
reports to maintenance and operations.
f. Ensure timely maintenance on malfunctioned instruments that
generate nuisance and stale alarms.
g. Implement a Management of Change (MOC) procedure for all
changes to alarm set points, priorities and other critical alarm
configuration parameters.

5.3 Process & Control Systems Department (P&CSD)

a. Provide consultation and technical supports required for implementation of
Alarm Management Systems.
b. Evaluate and recommend Alarm Management Optimization technologies
and applications.
c. Conduct / coordinate Alarm Management optimization training courses and
knowledge sharing events.

Page 8 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

Revision Summary
15 January 2011 New Saudi Aramco Engineering Procedure.
22 June 2016 Revised the Next Planned Update, reaffirmed the content of the document, and reissued as
major revision.

Page 9 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

Appendix A - Alarm Philosophy Document Development

This appendix provides the guidance to develop Alarm Philosophy Document for each specific
site. It outlines potential approaches that can be included in an Alarm Philosophy Document in
order to properly manage the identification, rationalization, configuration, implementation,
operations, maintenance, monitoring and assessment, Management of Change, and audit
processes.

The Alarm Philosophy Document may include the following sections:

1. Introduction

Each Alarm Philosophy Document should contain the following phrase in this section:

This document serves as a guideline for the development, implementation, and

modification of alarms for the <vendor name> Distributed Control System (DCS)/
Supervisory Control and Data Acquisition (SCADA) for the Saudi Aramco <site
name>. These guidelines should provide an optimum basis for alarm selection, priority
setting, and configuration to promote safety and reliable plant operation while
minimizing duplication, noise, and confusion.

This document has been developed for the <vendor name and DCS/SCADA model>.
Periodically, this document should be revised to incorporate new control system
features available from < DCS/SCADA model> and other hardware and software.

2. Purpose and Use of Alarm System

This section should describe the purpose and use of the alarm system.

The site will set up alarm system to meet their operating goals on one or more of the
following:
a. Safety, health, and environmental
b. Reliability
c. Product quality
d. Production rate and efficiency

3. Definition of Alarms

The Alarm Philosophy document should contain the operational definition of

appropriate alarms for the site. To define alarms, the following characteristics shall be
considered:

Page 10 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

3.1 Type of Events

Example of events that may qualify alarms requirements are:

a. Process abnormalities that may result in severity of circumstances or a unit
production limitation
b. Process deviations due to significant process disturbances that may result in
product specification discrepancy
c. Equipment and instruments malfunctions

3.2 Alarm Definition Thresholds

The decision to inform the operator of an event is the first step to take when
defining alarms. The following circumstances are used to determine when a
process alarm is necessary:
a. Making process changes by manipulation of the control system
b. Directing others to make changes in the control or process system
c. Contacting maintenance or engineering personnel regarding a situation
d. Alarms should have the aspect of urgency, and indicate situations requiring,
operator actions to avoid or mitigate undesirable consequences
e. Time between the annunciation of the alarm and operator corrective actions
to comprehend the defined consequence should be adequate
f. Alarms should only indicate abnormal situations
g. An alarm should indicate a sole event and should not duplicate a condition
already indicated by another alarm

3.3 Alarm Presentation and Annunciation

Alarm annunciation should be represented in a clear and understandable

presentation to effectively aid the operator controls the process in the best
possible mechanisms. The following can be considered for alarm annunciation:
a. Operator roles and responsibilities to response to alarms,
b. Clearly instructive alarm messages
c. Alarms routed to multiple relevant operators/locations
d. Alarm summary display characteristics and usage (An indication on
graphics in the HMI used by the operator to control the process)

Page 11 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

e. Proper alarm indication on graphics

f. Identification of alarm priority (Separate and distinct visual and audible
indications should be provided for each alarm priority)
g. The alarm indication color and priority standards shall be consistent on each
DCS/SCADA)
h. Navigation and alarm response
i. An indication on external annunciators

4. Console Operator Handling Methods

In this section, steps for operator to handle the alarms should be described. The steps
involved in the overall operator response to an alarm are listed below.

No. Step Description

Detection refers to the operator’s ability to detect the presence
of an abnormal condition. This is achieved visually, and/or
1 Detection
through screen-based displays, or audibly via alarm
annunciator horns.
Identification is the recognition of the alarm through its system
2 Identification tag I.D. and point description. The audible signal is typically
silenced at this point.
Verification involves checking for other indications to validate the
3 Verification
accuracy of the identified alarm.
Acknowledgement of an alarm conveys to the system that the
4 Acknowledgement
operator has verified the alarm.
Assessment involves rapid evaluation of the overall affected
5 Assessment
area in the unit before taking corrective action.

6 Corrective action Corrective action is the operator’s direct response to the alarm.

The operator will monitor the variable, repeating steps #5 & #6

7 Monitor
until the alarm has cleared.

5. Alarm Selection and Priority Definition

Reliable method for alarm selection and priority is essential as it will improve the
operator’s ability to determine what is happening and will increase the probability of a
correct response. Many problematic alarms can be avoided by ensuring that the best
possible alarm type is selected for detection of an abnormal condition. This section
should address a consistent practice for alarm selection and priority definition, as follows:

Page 12 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

5.1 Alarm Selection

The decision to inform the operator of an event is the first step to take when
maintaining an alarm management based system. The two questions below are
used to determine conditions when a process alarm is necessary.
a. Does the event require operator action? (Examples: a process change, an
observation, consultation, or notification of others.)
b. Is the event being alarmed the best indicator of the root cause of the
situation?

5.2 Priority Definition

Alarm priority is a means to convey the seriousness of a specific process condition

to the operator and should drive the operator’s responses. The DCS/SCADA
control system allows multiple alarm priorities to distinguish alarms, as well as
separate alarm priority assignment for each alarmable parameter of a tag or point
(with some template limitations). A logical and consistent approach for
rationalizing, and/or developing alarm priorities is required to prevent arbitrary
configuration and problems during abnormal events. Industrial studies and best
practices recommend the following breakdown:
 Alarm Priority Percentage of Total Alarms
 Priority 3 (Low) 80%
 Priority 2 (High) 15%
 Priority 1 (Emergency) 5%
Priority 3 - Operator action required, but unit is still within safe operating
limits.
Priority 2 - Rapid operator action is required, unit shutdown is possible, or a
safety violation might occur.
Priority 1 - Immediate operator action is required, a unit shutdown will occur,
or a safety violation will occur if action is not immediately taken.

Two important factors should be considered when determining the priority of an

alarm:
 Severity of consequences
 Maximum time to respond

Page 13 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

5.3 Severity of Consequences

The selection of an alarm priority depends heavily on the consequences of the

abnormal condition if the operator fails to take corrective action(s) in a timely
fashion. For each alarm to be rationalized, the potential consequences without
any operator actions must be identified. The Severity of Consequence criteria
will use the shown Risk Matrix.

Risk Matrix
Impact Category Minor Major Severe
Personnel First aid injury, no Lost time injury, or Life Threatening
disability, no lost Worker disabling, or
time recordable severe injuries
Public or Minimal exposure. Exposed to hazards Exposed to life
Environment that may cause threatening hazard.
No impact. Does
injury.
not cross fence Disruption of basic
Hospitalizations
line. Contained services. Impact
and medical first aid
release. Little, if involving the
possible.
any, clean up. community.
Damage Claims.
Source eliminated. Catastrophic property
damage.
Uncontained release
of hazardous
materials with major
environmental impact
and 3rd party impact.
Plant/Equipment Equipment Results in unit Results in loss of
damage that downtime up to entire unit or critical
result in negligible 15 days, some to equipment for more
unit downtime. severe equipment than 15 days.
damage.
Event costing Event costing
Costs/Production Event costing >$5MM
<$50M $50M-$5MM

5.4 Maximum Time to Respond

Maximum time to respond is the time within which the operators can take
action(s) to prevent or mitigate undesired consequence(s) caused by an abnormal
condition. This response time must include the action of outside personnel
following direction from the board operator. The board operator’s ability to
respond to an alarm in a timely fashion determines the degree of success in
preventing loss. The consequences of an uncorrected alarm generally get worse
with the passage of time.

Page 14 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

Action Speed Maximum Time to Respond in Minutes

Immediately Less than 3 (time < 3)
Rapidly Greater than 3 and less than 10 (3>time> 10)
Promptly Greater than 10 and less than 30 (10>time> 30)
No Action Greater than 30 (time > 30)

During an abnormal condition, the board operator is confronted with making

decisions on numerous tasks that must be performed in an appropriate sequence.
The timing and the order of executing these tasks determines the outcome of the
operator’s effort. For example, if two process variables are deviating from
normal and can potentially cause the same significant loss, the operator must
quickly decide which variable to address first. In such a case, the operator must
take action to address the variable that is more volatile or can reach the point of
loss in the shortest time.

Therefore, the shorter the time to respond, the higher the priority of the alarm
will be, assuming equal consequences can result.

For each alarm being rationalized, and, for each area, the maximum time
allowable to respond will be identified. This value will allow the response time
to be placed in one of the response time classes as shown in the table.

5.5 Severity of Consequences and Time to Respond Matrix

Determining the most appropriate priority for an alarm requires consideration

of both severity of consequences and the time within which the operator can
effectively correct the alarm. By combining the severity factor and the
response time, the systematic approach for setting alarm priorities is defined.
The following matrix provides the guideline for determining the priority of an
alarm.

Maximum Time to
Minor Major Severe
Respond in Minutes
Time > 30 No Alarm No Alarm No Alarm
10>Time>30 Priority 3 Priority 3 Priority 2
3>Time>10 Priority 3 Priority 2 Priority 2
Time< 3 Priority 2 Priority 1 Priority 1

Page 15 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

6. Alarm Settings

Alarm setpoints are typically determined by the engineer responsible for that part of the
plant who is familiar with the process variable and process operation. This clause of the
Alarm Philosophy Document should include:
a. Methods of determining alarm set points,
b. Criteria of determining alarm set points,
c. Process dynamics and time needed to response, and
d. How to handle third party system.

Prior to startup mode and to minimize chattering alarms, appropriate alarm dead bands
and digital delay times are recommended. In the philosophy document it may be
helpful to supplement default values with important exceptions and known special
considerations or conditions. It may also be helpful to document procedures for
reviewing the starting values and adjusting them as necessary after significant operating
experience. The recommended design settings for delay time and dead band are shown
below.

Delay Time Dead Band

Signal Type
(On or Off) (Analog)
Flow Rate 15 sec 5%
Level 60 sec 5%
Pressure 15 sec 2%
Temperature 60 sec 1%
Recommended Alarm Dead Band and Digital Delay Times

7. Alarm System Performance Monitoring and Assessment

This section should define the Key Performance Indicators (KPIs), types of analyses and
reports recommended by industry best practices to support alarm system monitoring and
assessment. Appendix B, Alarm System Performance Assessment, includes examples of
such analyses and reports. The assessment should cover, as a minimum the following:

7.1 Nuisance Alarm

Nuisance alarms are alarms (from a variety of causes) requiring special

considerations during normal operation. Nuisance alarms should be identified
and properly addressed to ensure optimal system performance. The following
are examples of nuisance alarms:
a. Frequent alarms
b. Chattering alarms

Page 16 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

c. Standing/Stale alarms
d. Duplicate alarms
e. Consequential alarms

7.2 Process Changes

a. Operator Response Time
b. Alarm Trip Point Change
c. Operator Controller Change Rate
d. Controller Mode
e. Controller Set-point
f. Controller Analog Output
g. Digital Output
h. Alarm Enable State
i. Range Changes
j. Tuning Changes

7.3 Alarm Key Performance Indicators

This section should list the Key Performance Indicators (KPIs) required to
measure the performance of the alarm system. The KPI’s in the below table can
be used to measure the performance of the alarm system.

KPI’s Interim Target Long Term Target

Average Process Alarm Rate <300 per day <150 per day
Percentage of time alarm
5% 0%
rate exceeds target
Alarm Event Priority ~80% Low, ~15% High, ~80% Low, ~15% High,
Distribution ~5 Emergency ~5 Emergency
Zero (Unless as part of Zero (Unless as part of
defined Shelving, Flood defined Shelving, Flood
Suppressed Alarms
Suppression, or State- Suppression, or State-
based Strategy) based Strategy)
Not more than 10
Chattering Alarms 0 per day
occurrences/week
Stale/Standing Alarms Not more than 20
0 per day
(more than 24 hours old) occurrences/week
Floods (10 to 20 alarms
Not more than 5 per day Not more than 3 per day
in a 10 minute period)
Floods (>20 alarms in a
Not more than 3 per day 0 per day
10 minute period)
Changes in Alarm Priority,
None that are None that are
Alarm Trip Point, Alarm
unauthorized unauthorized
Suppression

Page 17 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

7.4 Monitoring and Reporting

The Alarm Management System champion should generate an alarm

performance report at least once a month. For some systems, weekly reports are
appropriate. The report should be distributed to concerned parties, including the
area process control engineer, team leader operation specialist, and production
engineer. The alarm performance report should include, as a minimum,
information listed in the Appendix B.

8. Alarm Handling Methods during Operation and Maintenance

This section should address methods that maybe required to be applied during the plant
operation and maintenance processes.

8.1 Alarm Response Procedures

Alarm response procedure should be written as a section of the operating

procedures to maintain the effectiveness of the alarm system during operation.
The procedures may include:
 The alarm type
 Alarm set-point
 Potential causes
 Consequence
 Corrective action
 Allowable response time
 Alarm priority
 Alarm class

8.2 Training

To enable the operators to effectively handle the alarm system and take the
correct action to respond to each alarm, an initial training should be conducted
during the configuration of new alarm system or rationalized alarms
implementation. The Alarm Philosophy Document should not specify details of
the site training program, only additional information related to alarms, which is
recommended to include:
 The audible and visual indications for alarms
 The distinction of alarm priorities
 The use of the alarm HMI features (e.g., alarm summary sorting and filtering)
 The approved methods for shelving and suppression

Page 18 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

 The approved methods for removing an alarm from service

 The approved methods for returning an alarm to service
 The approved procedure for management of change

8.3 Alarm Shelving Procedure

The Alarm Philosophy Document should include guidance on alarm shelving

used, during the operation stage of the lifecycle. Typically, the philosophy
contains only broad guidance on the use of shelving and references an operating
procedure that specifies the method to shelve alarms. There are typically limits
on which alarms can be shelved and shelving duration, based on class or
priority.

8.4 Alarm Suppression Procedure

The Alarm Philosophy Document should include guidance on alarm suppression

used, during flood period. There are typically limits on which alarms can be
suppressed based on class or priority.

8.5 Alarm Out-of-Service Procedure

The Alarm Philosophy Document should include guidance on removing an

alarm from service, used during the operation and maintenance stages of the
lifecycle. Typically, the philosophy specifies the method and authorization
requirements to remove an alarm from service. The site practice should specify
the authorization level required to place an alarm out-of-service, which may
vary by the class of the alarm. The permit to remove an alarm from service may
include:
 The alarm placed out-of-service
 The class of the alarm
 The consequence of deviation related to the alarm
 The reason the alarm is taken out of service
 The date the alarm is placed out-of-service
 The name of the person requesting the alarm be placed out-of-service
 The name of the person authorizing the alarm be placed out-of-service
 The name of the person placing the alarm out-of-service
 The method used to place the alarm out-of-service
 Any alternate protection for the consequence, if necessary
 The date the alarm is returned to service
 The name of the person returning the alarm to service

Page 19 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

8.6 Incident Investigation

The Alarm Philosophy Document may include guidance on information to

collect as part of incident investigations. This information should also be
captured in the site incident investigation procedure.

When process incidents occur, the alarm and event log for the time surrounding
the incident should be examined during the investigation to determine if alarm
system performance was a contributing factor in the incident.

8.7 Alarm System Chronology

The Alarm Philosophy Document may include guidance on the alarm system
chronology, a logbook that records the problems in the process and in the alarm
system identified by the monitoring system, the actions taken to resolve those
problems, and the results of the actions. This document or file captures the
business value of alarm management practices.

9. Alarm Documentation and Rationalization

This section should specify a methodology that can be used to verify the necessity,
prioritization, setting determination, and documentation of each process alarm to
alleviate process alarms level of performance. This methodology is referred to as
Documentation and Rationalization of alarms (D&R).

During a unit rationalization, all DCS/SCADA points shall be rationalized, along with
any other systems which provide alarm or abnormal situation notification to the board
operator.

The impact, severity, and response time matrices defined in Section 5 of this Appendix,
should be used to rationalize each alarm and will be documented in the Alarm Master
Database. The Alarm Philosophy Document specifies which of the following aspects
will be documented during the rationalization process:
a) Control System tag identification
b) Alarm description and type
c) Alarm classification
d) Existing alarm priority
e) Proposed priority
f) Override priority
g) Alarm set-point value or logical condition
h) Existing trip point and proposed trip point
i) Potential cause of alarm

Page 20 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

j) Operator action
k) The time available for the operator to respond to the alarm
l) Consequence of inaction or incorrect action
m) Advanced alarm handling techniques if necessary
n) Related reference documents such as HAZOP study

10. Alarm System Management of Change (MOC)

The management of change (MOC) section of the Alarm Philosophy Document should
define both the applicable MOC procedure(s) and the types of change subject to those
MOC procedures.

Page 21 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

Appendix B - Alarm System Performance Report

The Alarm Management System shall be configured to generate periodic alarm performance
reports. Report should be distributed to concerned parties, including the area process control
engineer, operations shift supervisors and maintenance and technical support engineers.

The following alarm system performance parameters are used to measure performance.

# Parameter Description
Total number of alarms received per operator console in a defined
Average Alarm Rate period of time. Used as an indicator of overall performance.
1
per Operator Console Avg. Alarm rate is typically reported in alarms / hour (avg) and
alarms per day.
Maximum Alarm Rate This is the maximum average alarm rate per hour over a 24 hr
2
per Operator Console period.
Typically, the top ten (10) most frequent alarms per report period
(i.e., weekly) are listed. These alarms are referred to as ‘Bad
3 Most Frequent Alarms
Actors’. Substantial improvements in alarm system performance
can be achieved by addressing Bad Actors.
An alarm which repeatedly transitions between alarm state and
normal state is referred to as a chattering alarm. These alarms can
4 Chattering Alarms
be reduced by addressing instrumentation issues or increasing alarm
deadbands.
Alarms which remain in alarm state for more than 24 hrs are
referred to as stale alarms. Stale alarms should be examined to
5 Stale Alarms
ensure they were properly rationalized. State based alarming may
be used to prevent stale alarms.
The number of alarms which are inhibited or disabled, not through
Inhibited or Disabled
6 automatic alarm suppression or other authorized means, should be
alarms.
reported.
Duplicate alarms occur when two alarms are raised for the same
event. As an example, BAD PV may be alarmed at the input block
7 Duplicate Alarms and also in the PID control block. Duplicate alarms should be
reported to enable engineering teams to eliminate duplicate alarms
and potentially update the alarm philosophy document, if required.
Alarm Priority This metric provides the distribution of alarm priorities for a defined
8
Distribution time period as a percentage of total alarms received.

Page 22 of 23
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 22 June 2016
Next Planned Update: 22 June 2019 Alarm System Management

The Alarm System Performance Report shall include, but not limited to, the following outline:

1. Executive Summary of Analysis

1.1 Objective
1.2 Executive Summary of Findings and Recommendations

2. Alarm System Key Performance Indicators

This section should list Key Performance Indicators (KPIs) with the targets vs. the
actual measured from the system. The recommended KPIs are shown below.

KPI Interim Target Long Term Target Actual

Average Alarm Rate per

<300 <150
Console per Day
Average Alarm Rate per
<12 <6
Console per Hour
Percentage of time alarm
5% 0%
rate exceeds target
5% Emergency 5% Emergency
Alarm Priority Distribution 15% High 15% High
80% Low 80% Low
Inhibited or Disabled
0 0
Alarms

# Chattering Alarms 10/week 0/day

# Stale Alarms 20/week 0/day

Floods (10 to 20 alarms

<5/day 0/day
in a 10 minute period)
# of Alarm Floods
(>20 alarms in a <3/day 0/day
10 minute period)
None that are None that are
Unauthorized changes
unauthorized unauthorized

3. Recommended Actions

This section should contain solutions for the identified bad actors and necessary actions
that can be taken to implement the recommended solutions.

Page 23 of 23