Engineering Procedure

SAEP-368 15 January 2011

Alarm System Management
Document Responsibility: Process Control Standards Committee

Saudi Aramco DeskTop Standards

Table of Contents

1 Scope............................................................ 2
2 Conflicts and Deviations................................ 2
3 Applicable Documents................................... 2
4 Definitions…………....................................... 3
5 Responsibilities.............................................. 6
6 Instructions.................................................... 7

Appendix A – Alarm Philosophy Document

Development Guidance....................... 10

Appendix B – Alarm System

Performance Assessment.................... 22

Previous Issue: New Next Planned Update: 15 January 2016

Page 1 of 24
Primary contact: Abbud, Saad Mohammad on 966-3-8736678

Copyright©Saudi Aramco 2010. All rights reserved.

Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

1 Scope

This Saudi Aramco Engineering Procedure (SAEP) sets out specific requirements for
the planning, engineering, rationalization, configuration and maintenance of alarms
within DCS and SCADA Alarm Systems. This procedure is applicable to both existing
and new facilities.

The objective of this procedure is to ensure that only the necessary alarms with the
appropriate priorities and set-points are configured within the system and those alarms
can be effectively managed by the console operator.

This document also defines the roles and responsibilities for Proponent Departments,
Project Management and Process & Control Systems Department (P&CSD).

2 Conflicts and Deviations

2.1 Any conflicts between this procedure and other applicable Saudi Aramco
Engineering Procedures (SAEPs), Saudi Aramco Engineering Standards
(SAESs), Saudi Aramco Materials System Specifications (SAMSSs), Saudi
Aramco Standard Drawings (SASDs), or industry standards, codes, and forms
shall be resolved in writing through the Manager, Process & Control Systems
Department of Saudi Aramco, Dhahran.

2.2 Direct all requests to deviate from this procedure in writing to the Company or
Buyer Representative, who shall follow internal company procedure SAEP-302
and forward such requests to the Manager, Process & Control Systems
Department of Saudi Aramco, Dhahran.

3 Applicable Documents

The requirements contained in the following document apply to the extent specified in
this procedure:

 Saudi Aramco Engineering Procedure

SAEP-302 Instructions for Obtaining a Waiver of a Mandatory Saudi
Aramco Engineering Requirement

The following references contain additional information and industry guidelines for
Alarm System Management applications that may be referenced:
ANSI/ISA-18.2 Management of Alarm Systems for the Process Industries
EEMUA, Publication 191 Alarm Systems: A Guide to Design, Management
and Procurement

Page 2 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

4 Definitions

4.1 Acronyms
DCS Distributed Control System
ESD Emergency Shutdown System
FAT Factory Acceptance Test
HMI Human Machine Interface
MOC Management of Change
P&ID Piping and Instrument Diagram
PHA Process Hazard Analysis
SAES Saudi Aramco Engineering Standard
SAEP Saudi Aramco Engineering Procedure
SAMSS Saudi Aramco Materials System Specification
SAPMT Saudi Aramco Project Management Team
SCADA Supervisory Control and Data Acquisition
HAZOP Hazard and Operability Study

4.2 Definitions of Terms

Advanced Alarm Handling: A technique provides multiple sets of appropriate

alarm settings, which are switched in and out based on real-time detection of the
current operating state. This enables automated alarm suppression and shelving
based on operating conditions and provides proper alarm settings for all plant
operating states.

Alarm: An audible and/or visible means of indicating to the operator an

equipment malfunction, process deviation, or abnormal condition requiring a
response.

Alert: An audible and/or visible means of indicating to the operator an equipment

or process condition that requires awareness, that is indicated separately from
alarm indications, and which does not meet the criteria for an alarm.

Alarm Class: Alarm classification is a method for grouping of alarms with

similar requirements for testing, training, and management of change. Alarm
class should be assigned for each alarm and be used to keep track of these
requirements.

Alarm Floods: Alarm floods are defined as periods of alarm activity with

Page 3 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

presentation rates higher than the operator can respond. Alarm floods can make
a difficult process situation much worse. In a severe flood, the alarm system
becomes a nuisance, a hindrance, or a distraction, rather than a useful tool.

Alarm Management System Champion: A person whose responsibility is to

maintain the integrity of the alarm system and ensure compliance with the
Alarm Philosophy Document at his plant/site.

Alarms per Day: Number of alarms per day is a good indicator of the health of
the alarm management system. Periods of unusually high alarm activity are
easily identified in the trend charts. Excessive alarm events can result from
abnormal conditions or equipment failure.

Alarm Philosophy Document: A document that establishes the basic definitions,

principles, and processes to design, implement, and maintain an alarm system.

Alarm Priority: The relative importance assigned to an alarm within the alarm
system to indicate the urgency of response (e.g., seriousness of consequences
and allowable response time).

Alarm Settings: Alarm settings constitute the configuration of a tag and its
alarms. The alarm algorithm, alarm trip points, priority, and dead band are
examples of alarm settings.

Alarm System: The collection of hardware and software that detects an alarm
state, communicates the indication of that state to the operator, and records
changes in the alarm state.

Alarmable Tags: Alarmable tags are tags that can have at least one alarm.
Best Practice guidelines provide that only about 75% of alarmable tags should
have one or more alarms set.

Allowable Response Time: The maximum time between the annunciation of

the alarm and the time the operator must take corrective action to avoid the
consequence.

Bad Actors Alarms: nuisance alarms including chattering, frequent, and

standing alarms.

Chattering Alarm: Chattering alarms are nuisance alarms that repeatedly

transition into and out of alarm in a short amount of time.

Consequential Alarms: Consequential alarms are a subset of most frequently

occurring alarms. They are source alarms around which other alarms are
occurring within a specific time. Consequential alarms are often multiple alarms

Page 4 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

from the same event, essentially telling the operator the same thing in different
ways.

Distributed Control System (DCS): A process control system is composed of

distinct modules. These modules may be physically and functionally distributed
over the plant area. The distributed control system contains all the modules and
associated software required to accomplish the regulatory control and
monitoring of a process plant, excluding field instruments, remote terminal
units, auxiliary control systems and management information systems.

Duplicate Alarms: Duplicate alarms are alarms that persistently occur within a
short time period of other alarms. Alarms are considered duplicate or redundant
when they consistently occur within one second of each other.

Frequently Occurring Alarms: A relatively few tags often produce large

percentages of the total system alarm load. The top 20 most frequently
occurring alarms are analyzed showing frequency and accumulated percent, for
both Recorded and Annunciated alarms.

Management of Change (MOC): MOC is a process to verify that changes in

alarm system are evaluated, authorized and managed to ensure that the safety,
health and environmental risks arising from these changes are controlled.

Nuisance Alarm: An alarm that annunciates excessively, unnecessarily, or

does not return to normal after the correct response is taken (e.g., chattering,
fleeting, or stale alarms).

Rationalization: The process to review potential alarms using the principles of

the Alarm Philosophy Document, to select alarms for design, and to document
the rationale for each alarm.

Shelve: A mechanism, typically initiated by the operator, to temporarily

suppress an alarm.

Site: A process facility that is identified by physical, geographical, or logical

segmentation within Saudi Aramco. A site may contain areas, sections, units,
equipment modules, and control modules.

Stale Alarm: Stale alarms are in the alarm state continuously for more than
24 hours. Following their initial appearance, stale alarms provide no valuable
information to the operators. They clutter the alarm displays and interfere with
the operator’s ability to detect and respond to new and meaningful alarms.

Standing Alarm: An alarm in an active alarm state (e.g., unacknowledged

alarm, acknowledge alarm).

Page 5 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

State-based Alarm: An alarm that is automatically modified or suppressed

based on process state or conditions.

Suppress: Any mechanism to prevent the indication of the alarm to the

operator when the base alarm condition is present (i.e., shelving, suppressed by
design, out-of-service).

5 Responsibilities

5.1 Saudi Aramco Project Management Team (SAPMT)

a. Develop an Alarm Philosophy Document. This document shall be
consistent for all units within the facility.
b. Provide the Alarm System Database and rationalize the identified alarms
based on the Alarm Philosophy Document.
c. Submit the above documents for review to the appropriate Saudi Aramco
organizations.
d. Update the appropriate DCS and SCADA engineering design documents
and configuration files to include the final rationalized Alarms System
Database.
e. During the FAT, verify that each alarm and any advanced alarm handling
configuration (masking, suppression, shelving, etc.) comply with the
Alarm Philosophy Document and the rationalized Alarm System Database.
f. Provide standard alarm reports as outlined in the Alarm Philosophy
Document and this procedure.

5.2 Proponent Organizations

5.2.1 New Facilities

a. Review and approve the Alarm Philosophy Document.
b. Participate in the alarms identification process.
c. Review alarm documents, alarm reports, Alarm System Database
and configuration files associated with the project.
d. Participate in the FAT to verify that each Alarm and any Advanced
Alarm handling configuration (masking, suppression, shelving,
etc.) complies with the Alarm Philosophy Document and the
rationalized Alarm System Database.

5.2.2 Existing Facilities

a. Develop Alarm Philosophy Document.

Page 6 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

b. Assign engineers to participate in the Alarm Rationalization process.

c. Provide alarm system baseline reports, rationalized Alarm System
Database and configuration files, P&ID’s, and HAZOP reviews
associated with the process units to be used during the process of
alarm management system performance improvement.
d. Have a MOC signed for all changes to alarms and their set points
and priorities by authorized operations and engineering personnel
in the facility.
e. Implement the rationalized Alarm System Database and update the
configuration files in the appropriate operating units in the facility.
f. Provide a weekly/biweekly report to maintenance of the most
frequent alarms, i.e., “Bad Actors.”
g. Allocate resources to provide timely maintenance on malfunctioned
instruments that generate nuisance and stale alarms.

5.3 Process & Control Systems Department (P&CSD)

New and Existing Facilities

Process Automation System Unit (PASU) will:

a) Provide necessary consultation and technical supports required for Alarm
Management Optimization,
b) Participate in the alarms identification process,
c) Review the Alarm Philosophy Document,
d) Evaluate and recommend Alarm Management Optimization technologies
and applications,
e) Conduct/coordinate fundamental Alarm Management Optimization
training courses.

6 Instructions

The following instructions are provided for each of the major activities as follows:

6.1 Development of Site Alarm Philosophy Document

Every site that deploys a DCS or SCADA System shall develop an Alarm
Philosophy Document based on the guidelines stated in Appendix A. This
document shall provide the criteria for alarm selection, priority setting, set-point
allocation and the configuration of any alarm handling methods to minimizing
duplication, repetition alarm floods.

Page 7 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

6.2 Development of a Rationalized Alarm System Database

6.2.1 Every site that deploys a DCS or SCADA System shall develop a
Rationalized Alarm System Database based on the site Alarm
Philosophy Document. This Database shall provide the details of the
alarms, their type, set-point, and any specific configuration requirements.

6.2.2 Every site/project shall use a standard database engine approved by

Saudi Aramco to store the master alarm database.

6.2.3 Documents required for rationalization includes:

a. Unit P&ID's
b. Operating Instructions
c. DCS configuration data
d. Results from HAZOP or PHA reviews
e. ESD point lists, ESD trip set-points and
f. DCS trends and or archived PI point database.

6.2.4 The master alarm database, P&ID and any relevant documents shall be
updated to contain the final alarm configuration.

6.2.5 A MOC shall be signed for all changes to alarms and their set-points and
priorities by authorized operations and engineering personnel in the
facility.

6.3 Alarm System Performance Monitoring, Assessment, and Auditing

This section provides guidance for alarm system ongoing monitoring and
periodic performance assessment that are essential to achieve and maintain the
acceptable performance target at Saudi Aramco processing facilities.

6.3.1 Regular alarm system reports shall be received by Maintenance and

Operations highlighting the most frequent alarms generated per
tag/operating area. See also Appendix B, Guidelines for Alarm System
Performance Assessment.

6.3.2 The alarm tags generating the most frequent alarms shall be resolved
through proper and timely maintenance of faulty or malfunctioning
instruments and sensors.

6.3.3 When sensor noise or chattering occurs, filters and time delays on input
signals in the DCS should be reviewed and appropriate value should be
assigned.

Page 8 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

6.3.4 When equipment is off normal state, alarms shall be masked

appropriately when not required.

6.3.5 For existing facilities, a base-line report shall be prepared to determine

the operating alarm system performance. See Appendix B for report
outlines.

6.3.6 Every site shall use Alarm Management Optimization application

approved by P&CSD, Dhahran.

Revision Summary
15 January 2011 New Saudi Aramco Engineering Procedure.

Page 9 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

Appendix A – Alarm Philosophy Document Development Guidance

This appendix provides the guidance to develop Alarm Philosophy Document for each specific
site. It outlines potential approaches that can be included in an Alarm Philosophy Document in
order to properly manage the identification, rationalization, configuration, implementation,
operations, maintenance, monitoring and assessment, Management of Change, and audit
processes.

The Alarm Philosophy Document may include the following sections:

1. Introduction

Each Alarm Philosophy Document should contain the following phrase in this section:

This document serves as a guideline for the development, implementation, and

modification of alarms for the <vendor name> Distributed Control System (DCS)/
Supervisory Control and Data Acquisition (SCADA) for the Saudi Aramco <site
name>. These guidelines should provide an optimum basis for alarm selection, priority
setting, and configuration to promote safety and reliable plant operation while
minimizing duplication, noise, and confusion.

This document has been developed for the <vendor name and DCS/SCADA model>.
Periodically, this document should be revised to incorporate new control system
features available from < DCS/SCADA model> and other hardware and software.

2. Purpose and Use of Alarm System

This section should describe the purpose and use of the alarm system.

The site will set up alarm system to meet their operating goals on one or more of the
following:
a. Safety, health, and environmental,
b. Reliability,
c. Product quality, and
d. Production rate and efficiency.

3. Definition of Alarms

The Alarm Philosophy Document should contain the operational definition of

appropriate alarms for the site. To define alarms, the following characteristics shall be
considered:

Page 10 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

3.1 Type of Events

Example of events that may qualify alarms requirements are:

a. Process abnormalities that may result in severity of circumstances or a unit
production limitation.
b. Process deviations due to significant process disturbances that may result
in product specification discrepancy.
c. Equipment and instruments malfunctions.

3.2 Alarm Definition Thresholds

The decision to inform the operator of an event is the first step to take when
defining alarms. The following circumstances are used to determine when a
process alarm is necessary:
a. Making process changes by manipulation of the control system,
b. Directing others to make changes in the control or process system,
c. Contacting maintenance or engineering personnel regarding a situation,
d. Alarms should have the aspect of urgency, and indicate situations
requiring, operator actions to avoid or mitigate undesirable consequences,
e. Time between the annunciation of the alarm and operator corrective
actions to comprehend the defined consequence should be adequate,
f. Alarms should only indicate abnormal situations, and
g. An alarm should indicate a sole event and should not duplicate a condition
already indicated by another alarm.

3.3 Alarm Presentation and Annunciation

Alarm annunciation should be represented in a clear and understandable

presentation to effectively aid the operator controls the process in the best
possible mechanisms. The following can be considered for alarm annunciation:
a. Operator roles and responsibilities to response to alarms,
b. Clearly instructive alarm messages,
c. Alarms routed to multiple relevant operators / locations,
d. Alarm summary display characteristics and usage (An indication on
graphics in the HMI used by the operator to control the process),

Page 11 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

e. Proper alarm indication on graphics,

f. Identification of alarm priority (Separate and distinct visual and audible
indications should be provided for each alarm priority),
g. The alarm indication color and priority standards shall be consistent on
each DCS/SCADA),
h. Navigation and alarm response,
i. An indication on external annunciators.

4. Console Operator Handling Methods

In this section, steps for operator to handle the alarms should be described. The steps
involved in the overall operator response to an alarm are listed in the shown table.

No. Step Description

Detection refers to the operator’s ability to detect the presence
of an abnormal condition. This is achieved visually, and/or
1 Detection
through screen-based displays, or audibly via alarm
annunciator horns.
Identification is the recognition of the alarm through its system
2 Identification tag I.D. and point description. The audible signal is typically
silenced at this point.
Verification involves checking for other indications to validate the
3 Verification
accuracy of the identified alarm.
Acknowledgement of an alarm conveys to the system that the
4 Acknowledgement
operator has verified the alarm.
Assessment involves rapid evaluation of the overall affected
5 Assessment
area in the unit before taking corrective action.

6 Corrective action Corrective action is the operator’s direct response to the alarm.

The operator will monitor the variable, repeating steps #5 & #6

7 Monitor
until the alarm has cleared.

5. Alarm Selection and Priority Definition

Reliable method for alarm selection and priority is essential as it will improve the
operator’s ability to determine what is happening and will increase the probability of a
correct response. Many problematic alarms can be avoided by ensuring that the best
possible alarm type is selected for detection of an abnormal condition. This section
should address a consistent practice for alarm selection and priority definition, as follows:

Page 12 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

5.1 Alarm Selection

The decision to inform the operator of an event is the first step to take when
maintaining an alarm management based system. The two questions below are
used to determine conditions when a process alarm is necessary.
a. Does the event require operator action? (Examples: a process change, an
observation, consultation, or notification of others.)
b. Is the event being alarmed the best indicator of the root cause of the
situation?

5.2 Priority Definition

Alarm priority is a means to convey the seriousness of a specific process

condition to the operator and should drive the operator’s responses. The
DCS/SCADA control system allows multiple alarm priorities to distinguish
alarms, as well as separate alarm priority assignment for each alarmable
parameter of a tag or point (with some template limitations). A logical and
consistent approach for rationalizing, and/or developing alarm priorities is
required to prevent arbitrary configuration and problems during abnormal
events. Industrial studies and best practices recommend the following
breakdown:
 Alarm Priority Percentage of Total Alarms
 Priority 3 (Low) 80%
 Priority 2 (High) 15%
 Priority 1 (Emergency) 5%
Priority 3 - Operator action required, but unit is still within safe operating
limits.
Priority 2 - Rapid operator action is required, unit shutdown is possible, or a
safety violation might occur.
Priority 1 - Immediate operator action is required, a unit shutdown will occur,
or a safety violation will occur if action is not immediately taken.

Two important factors will be considered when determining the priority of an

alarm:
 Severity of consequences, and
 Maximum time to respond.

Page 13 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

5.3 Severity of Consequences

The selection of an alarm priority depends heavily on the consequences of the

abnormal condition if the operator fails to take corrective action(s) in a timely
fashion. For each alarm to be rationalized, the potential consequences without
any operator actions must be identified. The Severity of Consequence criteria
will use the shown Risk Matrix.

Risk Matrix
Impact Category Minor Major Severe
Personnel First aid injury, no Lost time injury, or Life Threatening
disability, no lost Worker disabling, or
time recordable severe injuries
Public or Minimal exposure. Exposed to hazards Exposed to life
Environment that may cause threatening hazard.
No impact. Does
injury.
not cross fence Disruption of basic
Hospitalizations
line. Contained services. Impact
and medical first aid
release. Little, if involving the
possible.
any, clean up. community.
Damage Claims.
Source eliminated. Catastrophic property
damage.
Uncontained release
of hazardous
materials with major
environmental impact
and 3rd party impact.
Plant/Equipment Equipment Results in unit Results in loss of
damage that downtime up to entire unit or critical
result in negligible 15 days, some to equipment for more
unit downtime. severe equipment than 15 days.
damage.
Event costing Event costing
Costs/Production Event costing >5MM$
<50M$ 50M$-5MM$

5.4 Maximum Time to Respond

Maximum time to respond is the time within which the operators can take
action(s) to prevent or mitigate undesired consequence(s) caused by an abnormal
condition. This response time must include the action of outside personnel
following direction from the board operator. The board operator’s ability to
respond to an alarm in a timely fashion determines the degree of success in
preventing loss. The consequences of an uncorrected alarm generally get worse
with the passage of time.

Page 14 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

Action Speed Maximum Time to Respond in Minutes

Immediately Less than 3 (time < 3)
Rapidly Greater than 3 and less than 10 (3>time> 10)
Promptly Greater than 10 and less than 30 (10>time> 30)
No Action Greater than 30 (time > 30)

During an abnormal condition, the board operator is confronted with making

decisions on numerous tasks that must be performed in an appropriate sequence.
The timing and the order of executing these tasks determines the outcome of the
operator’s effort. For example, if two process variables are deviating from
normal and can potentially cause the same significant loss, the operator must
quickly decide which variable to address first. In such a case, the operator must
take action to address the variable that is more volatile or can reach the point of
loss in the shortest time.

Therefore, the shorter the time to respond, the higher the priority of the alarm
will be, assuming equal consequences can result.

For each alarm being rationalized, and, for each area, the maximum time
allowable to respond will be identified. This value will allow the response time
to be placed in one of the response time classes as shown in the table.

5.5 Severity of Consequences and Time to Respond Matrix

Determining the most appropriate priority for an alarm requires consideration of

both severity of consequences and the time within which the operator can
effectively correct the alarm. By combining the severity factor and the response
time, the systematic approach for setting alarm priorities is defined. The
following matrix provides the guideline for determining the priority of an alarm.

Maximum Time to
Minor Major Severe
Respond in Minutes
Time > 30 No Alarm No Alarm No Alarm
10>Time>30 Priority 3 Priority 3 Priority 2
3>Time>10 Priority 3 Priority 2 Priority 2
Time< 3 Priority 2 Priority 1 Priority 1

Page 15 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

6. Alarm Settings

Alarm setpoints are typically determined by the engineer responsible for that part of the
plant who is familiar with the process variable and process operation. This clause of the
Alarm Philosophy Document should include:
a. Methods of determining alarm set points,
b. Criteria of determining alarm set points,
c. Process dynamics and time needed to response, and
d. How to handle third party system.

Prior to startup mode and to minimize chattering alarms, appropriate alarm dead bands
and digital delay times are recommended. In the philosophy document it may be helpful
to supplement default values with important exceptions and known special considerations
or conditions. It may also be helpful to document procedures for reviewing the starting
values and adjusting them as necessary after significant operating experience. The
recommended design settings for delay time and dead band are shown below.

Signal Type Delay Time (Digital) Dead Band (Analog)

Flow 2 sec 5%
Level 2 sec 5%
Pressure 1 sec 2%
Temperature 0 sec 1%
Recommended Alarm Dead Band and Digital Delay Times

7. Alarm System Performance Monitoring and Assessment

This section should define the Key Performance Indicators (KPI’s), types of analyses
and reports recommended by industry best practices to support alarm system monitoring
and assessment. Appendix B, Alarm System Performance Assessment, includes
examples of such analyses and reports. The assessment should cover, as a minimum the
following:

7.1 Nuisance Alarm

Nuisance alarms are alarms (from a variety of causes) requiring special

considerations during normal operation. Nuisance alarms should be identified
and properly addressed to ensure optimal system performance. The following
are examples of nuisance alarms:
a. Frequent Alarms

Page 16 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

b. Chattering Alarms
c. Standing/Stale Alarms
d. Duplicate Alarms
e. Consequential Alarms

7.2 Process Changes

a. Operator Response Time
b. Alarm Trip Point Change
c. Operator Controller Change Rate
d. Summary of Operator
e. Controller Mode
f. Controller Set-point
g. Controller Analog Output
h. Digital Output
i. Alarm Enable State
j. Range Changes
k. Tuning Changes

7.3 Alarm Key Performance Indicators

This section should list the Key Performance Indicators (KPI’s) required to
measure the performance of the alarm system. The KPI’s in the below table can
be used to measure the performance of the alarm system.

KPI’s Interim Target Long Term Target

Average Process Alarm Rate <300 per day <150 per day
Percentage of time alarm
5% 0%
rate exceeds target
Alarm Event Priority ~80% Low, ~15% High, ~80% Low, ~15% High,
Distribution ~5 Emergency ~5 Emergency
Zero (Unless as part of Zero (Unless as part of
defined Shelving, Flood defined Shelving, Flood
Suppressed Alarms
Suppression, or State- Suppression, or State-
based Strategy) based Strategy)
Not more than 10
Chattering Alarms 0 per day
occurrences/week
Stale/Standing Alarms Not more than 20
0 per day
(more than 24 hours old) occurrences/week

Page 17 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

KPI’s Interim Target Long Term Target

Floods (10 to 20 alarms
Not more than 5 per day Not more than 3 per day
in a 10 minute period)
Floods (>20 alarms in a
Not more than 3 per day 0 per day
10 minute period)
Changes in Alarm Priority,
None that are None that are
Alarm Trip Point, Alarm
unauthorized unauthorized
Suppression

7.4 Monitoring and Reporting

The Alarm Management System champion should generate an alarm

performance report at least once a month. For some systems, weekly reports are
appropriate. The report should be distributed to concerned parties, including the
area process control engineer, team leader operation specialist, and production
engineer. The alarm performance report should include, as a minimum,
information listed in the Appendix B.

8. Alarm Handling Methods during Operation and Maintenance

This section should address methods that maybe required to be applied during the plant
operation and maintenance processes as recommended in ISA 18.2.

8.1 Alarm Response Procedures

Alarm response procedure should be written as a section of the operating

procedures to maintain the effectiveness of the alarm system during operation.
The procedures may include:
 The alarm type
 Alarm set-point
 Potential causes
 Consequence
 Corrective action
 Allowable response time
 Alarm priority
 Alarm class.

8.2 Training

To enable the operators to effectively handle the alarm system and take the
correct action to respond to each alarm, an initial training should be conducted

Page 18 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

during the configuration of new alarm system or rationalized alarms

implementation. The Alarm Philosophy Document should not specify details of
the site training program, only additional information related to alarms, which is
recommended to include:
 The audible and visual indications for alarms,
 The distinction of alarm priorities,
 The use of the alarm HMI features (e.g., alarm summary sorting and filtering),
 The approved methods for shelving and suppression,
 The approved methods for removing an alarm from service,
 The approved methods for returning an alarm to service,
 The approved procedure for management of change.

8.3 Alarm Shelving Procedure

The Alarm Philosophy Document should include guidance on alarm shelving

used, during the operation stage of the lifecycle. Typically, the philosophy
contains only broad guidance on the use of shelving and references an operating
procedure that specifies the method to shelve alarms. There are typically limits
on which alarms can be shelved and shelving duration, based on class or
priority.

8.4 Alarm Suppression Procedure

The Alarm Philosophy Document should include guidance on alarm suppression

used, during flood period. There are typically limits on which alarms can be
suppressed based on class or priority.

8.5 Alarm Out-of-Service Procedure

The Alarm Philosophy Document should include guidance on removing an

alarm from service, used during the operation and maintenance stages of the
lifecycle. Typically, the philosophy specifies the method and authorization
requirements to remove an alarm from service. The site practice should specify
the authorization level required to place an alarm out-of-service, which may
vary by the class of the alarm. The permit to remove an alarm from service may
include:
 The alarm placed out-of-service.
 The class of the alarm.
 The consequence of deviation related to the alarm.

Page 19 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

 The reason the alarm is taken out of service.

 The date the alarm is placed out-of-service.
 The name of the person requesting the alarm be placed out-of-service.
 The name of the person authorizing the alarm be placed out-of-service.
 The name of the person placing the alarm out-of-service.
 The method used to place the alarm out-of-service.
 Any alternate protection for the consequence, if necessary.
 The date the alarm is returned to service.
 The name of the person returning the alarm to service.

8.6 Incident Investigation

The Alarm Philosophy Document may include guidance on information to

collect as part of incident investigations. This information should also be
captured in the site incident investigation procedure.

When process incidents occur, the alarm and event log for the time surrounding
the incident should be examined during the investigation to determine if alarm
system performance was a contributing factor in the incident.

8.7 Alarm System Chronology

The Alarm Philosophy Document may include guidance on the alarm system
chronology, a logbook that records the problems in the process and in the alarm
system identified by the monitoring system, the actions taken to resolve those
problems, and the results of the actions. This document or file captures the
business value of alarm management practices.

9. Alarm Documentation and Rationalization

This section should specify a methodology that can be used to verify the necessity,
prioritization, setting determination, and documentation of each process alarm to
alleviate process alarms level of performance. This methodology is referred to as
Documentation and Rationalization of alarms (D&R).

During a unit rationalization, all DCS/SCADA points shall be rationalized, along with
any other systems which provide alarm or abnormal situation notification to the board
operator.

The impact, severity, and response time matrices defined in Section 5 of this Appendix,
should be used to rationalize each alarm and will be documented in the Alarm Master

Page 20 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

Database. The Alarm Philosophy Document specifies which of the following aspects
will be documented during the rationalization process:
a) Control System tag identification,
b) Alarm description and type,
c) Alarm classification,
d) Existing alarm priority,
e) Proposed priority,
f) Override priority,
g) Alarm set-point value or logical condition,
h) Existing trip point and proposed trip point,
i) Potential cause of alarm,
j) Operator action,
k) The time available for the operator to respond to the alarm,
l) Consequence of inaction or incorrect action,
m) Advanced alarm handling techniques if necessary,
n) Related reference documents such as HAZOP study.

10. Alarm System Management of Change (MOC)

The management of change (MOC) section of the Alarm Philosophy Document should
define both the applicable MOC procedure(s) and the types of change subject to those
MOC procedures.

Page 21 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

Appendix B – Alarm System Performance Assessment

The Alarm System Performance Assessment Report shall include but not limited to the following
outline:

1. Executive Summary of Analysis

1.1 Objective
1.2 Executive Summary of Findings
1.3 Executive Summary of Recommendations

2. Alarm System Performance

2.1 Alarms per Day
a. Alarm per Day (Recorded)
b. Alarm per Day (Annunciated)
c. Alarm per Day Analysis
2.2 Alarm Floods
a. Alarm Floods – Count
b. Alarm Floods – Duration
c. Alarm Floods Analysis
2.3 Average Alarm Rates
Average Alarm Analysis
2.4 Frequent Alarms
a. Frequent Alarms (Recorded)
b. Frequent Alarms (Annunciated)
c. Frequent Alarm Analysis
2.5 Chattering Alarms
a. Chattering Alarms (Recorded)
b. Chattering Alarms (Annunciated)
c. Chattering Alarm Analysis

Page 22 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

2.6 Stale Alarms

a. Stale Alarms (Recorded)
b. Stale Alarms (Annunciated)
c. Stale Alarm Analysis
2.7 Duplicate Alarms
a. Duplicate Alarms (Recorded)
b. Duplicate Alarms (Annunciated)
c. Duplicate Alarm Analysis
2.8 Consequential Alarms
a. Consequential Alarms (Recorded)
b. Consequential Alarms (Annunciated)
c. Consequential Alarm Analysis
2.9 Alarms Suppression
a. Alarms Suppression (Recorded)
b. Alarms Suppression (Annunciated)
c. Alarms Suppression Analysis
2.10 Alarms by Type
a. Alarms by Type (Recorded)
b. Alarms by Type (Annunciated)
c. Alarms by Type Analysis
2.11 Alarms per Unit
2.12 Priority Distribution

3. Process Changes Analysis

3.1 Operator Response Time
3.2 Alarm Trip Point Change
3.3 Operator Controller Change Rate
3.4 Summary of Operator
3.5 Controller Mode

Page 23 of 24
Document Responsibility: Process Control Standards Committee SAEP-368
Issue Date: 15 January 2011
Next Planned Update: 15 January 2016 Alarm System Management

3.6 Controller Set-point

3.7 Controller Analog Output
3.8 Digital Output
3.9 Alarm Enable State
a. Range Changes
b. Tuning Changes

4. Recommended Solutions

This section should contain solutions for the identified bad actors and necessary actions
that can be taken to implement the recommended solutions.

Page 24 of 24