
RUWAIS LNG PROJECT

Specification For Alarm Management System

COMPANY DOCUMENT REF. RLNG-000-IC-SP-0102

CONTRACTOR DOC. REF.

215122C-000-JSD-1510-0002

REVISION: 1

PAGE 1 OF 110

ADNOC GAS

Specification For Alarm Management System

COMPANY Contract No.

4700022871

JV TJN RUWAIS Contract No

215122C

Document Class

Class 2

Document Category (for Class 1)

NA

OPERATING CENTER Contract No.

OPERATING CENTER Doc Ref.

1

IFC - Issued for Construction

30-Jan-2025

A.Jatiningasih

0

ICR - Issued for Client Review

28-Jun-2024

A.Jatiningasih

C.Hubert M. Joshi R. Ikeya R. Biju

K.Michineau

K. Michineau M. Joshi R. Ikeya R. Biju

S. Deilles F. Kiyoshi

Rev.

Revision Purpose

Date

Prepared by Checked by Approved by

The terms of Contract / Agreement No: CON22-146 shall apply for any disclosure of this document to any third party.


Table of Contents

1.0 INTRODUCTION
1.1 Scope of the Document
1.2 Holds List
1.3 References
1.3.1 Project Specifications
1.3.2 COMPANY Standards
1.3.3 International Code(s) and Standards
1.3.4 Order of Precedence
1.4 Definitions and Abbreviations
2.0 PROJECT SPECIFIC REQUIREMENTS
2.1 General
2.2 Alarm Principles
2.3 Scope
2.4 Functional Specification
2.5 Applications
2.6 Reporting
2.7 Alarm Suppression
2.8 Hardware
2.9 Virtualisation
2.10 Cyber Security
2.11 Training
3.0 AMENDMENTS TO ADNOC GENERAL ENGINEERING SPECIFICATION AGES-PH-04-003
4.0 Appendix 1 AGES-PH-04-003 – ALARM RATIONALIZATION PHILOSOPHY
5.0 Appendix 2 ALARM DATABASE WORKSHEET TEMPLATE


Table of Changes compared to previous revision (for Procedures and Job Specifications only)

Paragraph / Modification description / Remarks / Origin

All: Updated as per COMPANY comments on Rev.0

3.0: Amendment to AGES-PH-04-003 to detail the AMS design. Update AGES-PH-04-003 Section 11.3.3.1 and Section 11.2 based on CONTRACTOR proposal on TQ RLNG-TQ-IC-0003 Alarm rationalization workflow

5.0: Alarm database worksheet template is added


1.0 INTRODUCTION

The ADNOC Ruwais LNG Project is a two train, near net-zero electrically driven LNG facility, targeting international markets. The feed gas for the project is supplied from the Habshan Gas Processing Plant via a new export gas pipeline. The plant will have two 4.8 MTPA (nominal capacity) electric driven LNG Trains with associated LNG storage/marine export facilities and utilities.

Figure 1 – Project Context

The ADNOC Ruwais LNG Project foresees the following main components at the facility:

• Onshore LNG Liquefaction facilities for 2 x 4.8 MTPA electrically driven LNG Trains (9.6 MTPA total)

• Common facilities including inlet receiving facilities, LNG storage, BOG handling, flare, refrigerant storage and support buildings.

• Utilities to support the facilities including import power from the national grid.

• Marine facilities for LNG export and bunkering.

1.1 Scope of the Document

This document defines the minimum technical requirements for specification and supply of the Alarm Management System (AMS) for the ADNOC Ruwais LNG Project. AMS is part of the ICSS which will be supplied by ICSS VENDOR.

Section 2.0 of this document defines Project specific requirements, in accordance with COMPANY guidelines for development of a Project specific Functional Specification (FS).

This specification also amends ADNOC General Engineering Specification AGES-PH-04-003 which is attached hereto in Appendix 1. AGES-PH-04-003 is intended to provide guidance and standards to aid in the implementation of the AMS.

Section 3.0 of this document identifies the amendments to the ADNOC General Engineering Specification included in Section 4.0 Appendix 1 AGES-PH-04-003 – Alarm Rationalization Philosophy.

Unless otherwise amended, Section 4.0 Appendix 1 AGES-PH-04-003 – Alarm Rationalization Philosophy shall be applied.

Section 5.0 includes the alarm database worksheet template to be used for the project.


1.2 Holds List

HOLD | DESCRIPTION
1 | DELETED
2 | DELETED
3 | DELETED
4 | COMPANY to provide ADNOC latest corporate 6x6 Risk Matrix to be attached to this specification

1.3 References

1.3.1 Project Specifications

[1] RLNG-000-PM-BOD-2002 Project design basis

[2] RLNG-000-PM-SP-0001 Cybersecurity Requirements for Vendors

[3] RLNG-000-IC-SP-0002 Philosophy for Automation & Instrumentation Design

[4] RLNG-000-IC-SP-0101 Specification for Integrated Control & Safety System

1.3.2 COMPANY Standards

[1] AGES-PH-04-003 Alarm Rationalization Philosophy

1.3.3 International Code(s) and Standards

[1] 359665-0809-070-LS-9999-001 Applicable Codes and Standards

The reference above complements the normative references listed in AGES-PH-04-003 (e.g. for the version).

1.3.4 Order of Precedence

The order of precedence with respect to codes and regulations that shall be followed for the design of the terminal is as follows in terms of priority:

  1. UAE Statutory Legislation and Regulations

  2. ADNOC HSE Regulations, Standards and Codes of practice

  3. Project Specifications and Standards

  4. ADNOC Engineering Specifications, Standards and Procedures

  5. ADNOC Guidelines, Procedures & Codes of Practice

  6. International Codes & Standards

The latest versions (at the time of contract effective date) of all applicable Codes, Specifications & Standards shall be used as detailed in Section 1.3.3 Ref [1].


1.4 Definitions and Abbreviations

COMPANY: ABU DHABI NATIONAL OIL COMPANY (ADNOC) P.J.S.C.

CONTRACTOR: TJN Ruwais, Joint Venture of Technip Energies France-Abu Dhabi, JGC Corporation and National Marines Dredging Company (NMDC)

EPC: Engineering Procurement Construction

ADOC: Abu Dhabi Operating center - National Marines Dredging Company

POC: Paris Operating Center - Technip Energies

YOC: Yokohama Operating center - JGC Corporation

VENDOR: Supplier of goods or services


2.0 PROJECT SPECIFIC REQUIREMENTS

The purpose of this section is to provide further definition on specific requirements for the Project to enable the ICSS VENDOR to develop the Functional Design Specification (FDS) for the AMS.

2.1 General

Alarm configuration for the Project shall be performed in accordance with AGES-PH-04-003 and the associated amendments detailed within this Specification.

The DCS shall provide integrated alarm management functionality as a standard feature. In addition, advanced alarm management features shall be provided as part of the AMS implementation for the Project.

The AMS shall comprise a functional set of hardware, system software, networking, communications, database management and applications, integrated to provide the functionality defined within this Specification.

The AMS shall assist in improving the plant alarm performance, in order to meet EEMUA 191 requirements as required by AGES-PH-04-003.

2.2 Alarm Principles

When an alarm is activated, the system shall emit a combination of visual and audible signals designed to attract the Operator’s attention. The design of the alarm handling system shall be such that the Operator has to be aware of and be able to identify the alarm before he can acknowledge it. The alarm must remain true after acknowledgement if the device is still in the alarm state. The alarm event shall remain in the history after acknowledgment. First-out alarms and Sequence of Events (SOE) shall also be displayed.

The alarm journal shall identify the date and the entry against the alarm and will identify the time of occurrence, return to normal, and acknowledgement. When a process variable goes into alarm, this shall be indicated on every display in which that variable is shown, as well as on any dedicated alarm displays.

The system shall alert the operator to each alarm with an audio and visual signal, regardless of the current display on the screen. A dedicated area for alarm indication shall be required for all HMI displays. The Operator shall be able to call up the proper display with a single keystroke.

The alarm condition of each point shall be clearly shown in alarm, group, and individual point displays. The following alarm types shall be available for configuration in the ICSS, as a minimum:

a. Absolute high-high, high, low, low-low and deviation from set point alarms.

b. Rate of change alarms.

c. System diagnostic alarms.

d. Input and output open alarms for each point when signals exceed the range.

Refer to AGES-PH-04-003, Appendix A2. Alarm Types for further definition on alarm types and functionality required for each and to Appendix A1 Alarm design principles.

Three (3) levels of alarm priorities shall be provided, excluding Journal. Each priority shall be assigned to each point based on necessity of indication.


2.3 Scope

The ICSS VENDOR scope shall include all components detailed below, which are required to deliver a fully functional AMS:

a. A combination of servers, gateways, and routers, etc., as required to fulfil the functions of this specification.

b. Application software / licenses.

c. All operating system software / licenses, utility and peripheral software required.

d. A reliable and robust interface between the AMS and DCS.

e. Operation instruction manuals and all tools to enable COMPANY to maintain the system software and hardware.

ICSS VENDOR is also expected to deliver the below services related to AMS:

a. AMS configuration and programming development including the implementation of the results of the rationalization process. ICSS VENDOR to ensure appropriate implementation and to hand over the AMS meeting alarm performance criteria

b. Participation during alarm rationalization exercise as needed by CONTRACTOR

c. Conduct a brief training to alarm rationalization participants along with CONTRACTOR to detail the alarm philosophy, how it has been configured in the system, and how it is visualized by the panel operator

d. Offer training to COMPANY operations personnel (See section 2.11 and Section 4.0 Appendix 1 (AGES-PH-04-003 - Alarm Rationalization) Section 12.3 Training of Panel Operators and Plant Personnel).

Refer also to Section 4.0 Appendix 1 (AGES-PH-04-003 - Alarm Rationalization) Section 18 Details of Scope of Supply.

2.4 Functional Specification

The AMS shall provide alarm analysis, reporting and management facilities for the benefit of Operators and other users both on and off-site who require concurrent access to process alarm related information and analysis.

The integrated AMS shall provide various levels of alarming, and alarm summary / details / history reporting. The facility to filter, inhibit and indicate only certain alarms based on criticality and/or other configurable parameters shall be provided.

The AMS shall be designed, engineered, and supplied to improve safety and reliability and assist the operators in correcting potentially dangerous situations before the Safety Instrumented System (SIS) intervenes.

The AMS shall use plant alarm data collected from multiple sources; Distributed Control System (DCS), SIS, Fire & Gas System (FGS), Machinery Protection System (MPS), Compressor Control System (CCS) and third-party Package control systems and create reports for the Operator after analyzing, filtering, and sorting the data. Features of the AMS shall include:

a. Nuisance alarm detection, diagnosis and activity analysis.


b. Nuisance alarm suppression, review and automatic reactivation.

c. Dynamic alarm setting using automatic, semi-automatic and manual intervention to create the dynamic effects.

d. Trend and alarm activity reports.

e. Tools for alarm flood suppression, Sequence of Event (SOE) reporting and ‘root cause’ analysis.

f. Alarm inhibition.

g. Alarm rationalization.

h. Performance analysis tools to verify the proper design of the alarm system against baseline measurements.

The AMS, including all hardware and software, shall be from the ICSS VENDOR’s standard product line. System components and sub-assemblies not previously provided successfully, or field proven to other purchasers / COMPANY shall not be considered for this Project.

Refer also to AMS software generic requirements Section 4.0 Appendix 1 (AGES-PH-04-003 - Alarm Rationalization) Section 11.4.11 Alarm Management System (AMS) Software

2.5 Applications

The AMS shall be provided with the following functions, as a minimum:

  1. Automatic data capture and logging of alarms – shall enable the capture, exception filtering and storage of the alarm data for use by the AMS using alarm data from the ICSS and third-party packages.

  2. Control system events e.g., changes between different control modes, should be logged. Operator actions should also be logged; however, this may be executed on a different log to the process alarms.

  3. Operator acceptance of alarms should be logged. Every alarm occurrence should be logged even if it repeats at a high frequency. Facilities should be provided for exporting alarm logs to offline management information systems.

  4. Sequence of Events (SOE) archive – shall identify alarm floods, analyse and identify the root cause of alarm floods and provide the Operator with a prioritised and simplified report of the situation with an indication of possible consequential alarms.

  5. Dynamic alarm setting – shall allow the AMS to identify more than one operating state either automatically using data from the process historian to provide the trigger, manually using an Operator input to provide the trigger or semi-automatically using Operator confirmation of a trigger. Recognising a change in the operating state shall allow the AMS to minimise the number of alarms resulting from a change in operational state.

  6. Alarm inhibition – shall allow the Operator to inhibit alarms, under password protection, to allow equipment to be taken out of service for maintenance, while the process continues to operate. The equipment shall be combined in such a fashion to allow group alarm inhibition.

  7. Performance analysis – shall provide tools to verify the proper design of the alarm system against baseline measurements. The application shall be capable of analysing an alarm database greater than 100,000 data points.


2.6 Reporting

The AMS shall be provided with the functionality to enable Operators to produce, save and re-display reports using the data that may be derived from calculations, current or historised databases. The reports shall be conveniently selectable for either immediate display or printing. Reports shall be provided on a ‘per Operating Area’ basis. All report types shall be provided for each Operating Area console. The following facilities should be provided for analysis of alarm logs:

a. Analysis of total number of alarms in a given period

b. Searches for/counts of occurrences of specific alarms in a given period

c. Identification of the most frequent alarms in a given period

d. Identification of repeating alarms

The baseline report for each Operating Area shall include the following, as a minimum:

a. Performance level and benchmark

b. Bad actors

c. Stale / standing alarms; any alarms that remain unacknowledged for extended periods of time

d. Chattering alarms; any alarms activating repeatedly in a short period of time

e. Duplicate alarms: any points that alarm with the same action in multiple locations

f. Disabled and inhibited alarms

g. Dynamic and configured alarm priority distributions

h. Alarm floods

i. Average daily alarm rate
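
The analysis facilities and baseline report items listed above can be illustrated on an exported alarm journal. The following is an added example, not part of the specification or of any ICSS VENDOR product: the CSV layout, the tags, the `NOW` report time and all thresholds are assumptions constructed for illustration, and "stale" follows the definition given in item c.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; the specification does not state them.
CHATTER_COUNT, CHATTER_WINDOW = 3, timedelta(minutes=1)
FLOOD_COUNT, FLOOD_WINDOW = 10, timedelta(minutes=10)
STALE_AFTER = timedelta(hours=24)

# Constructed journal export: timestamp, operating area, tag, event.
# ALM = occurrence, RTN = return to normal, ACK = acknowledgement.
SAMPLE = """\
2025-02-01T08:00:00,TRAIN1,PAL-1001,ALM
2025-02-01T08:00:20,TRAIN1,PAL-1001,RTN
2025-02-01T08:00:25,TRAIN1,PAL-1001,ALM
2025-02-01T08:00:40,TRAIN1,PAL-1001,RTN
2025-02-01T08:00:50,TRAIN1,PAL-1001,ALM
2025-02-01T08:05:00,TRAIN1,PAL-1001,ACK
2025-02-01T08:10:00,UTIL,FAL-4004,ALM
2025-02-01T08:11:00,UTIL,FAL-4004,ACK
2025-02-01T09:00:00,TRAIN1,LAH-2002,ALM
2025-02-02T10:00:00,TRAIN1,TAH-3003,ALM
2025-02-02T10:01:00,TRAIN1,TAH-3003,ACK
"""
NOW = datetime(2025, 2, 3, 9, 0)  # constructed report time


def load(text):
    """Parse the journal export into time-ordered (ts, area, tag, event) rows."""
    rows = []
    for line in text.strip().splitlines():
        ts, area, tag, event = line.split(",")
        rows.append((datetime.fromisoformat(ts), area, tag, event))
    return sorted(rows)


def activations(rows, area):
    """Every alarm occurrence for one Operating Area, repeats included."""
    return [(ts, tag) for ts, a, tag, ev in rows if a == area and ev == "ALM"]


def dense(times, count, window):
    """True if `count` consecutive timestamps fit inside `window`."""
    return any(times[i + count - 1] - times[i] <= window
               for i in range(len(times) - count + 1))


def chattering(rows, area):
    """Tags activating repeatedly in a short period of time."""
    by_tag = defaultdict(list)
    for ts, tag in activations(rows, area):
        by_tag[tag].append(ts)
    return sorted(tag for tag, times in by_tag.items()
                  if dense(times, CHATTER_COUNT, CHATTER_WINDOW))


def stale(rows, area, now):
    """Tags whose oldest unacknowledged occurrence is older than STALE_AFTER."""
    pending = {}
    for ts, a, tag, ev in rows:
        if a != area:
            continue
        if ev == "ALM":
            pending.setdefault(tag, ts)   # keep the first unacknowledged occurrence
        elif ev == "ACK":
            pending.pop(tag, None)
    return sorted(tag for tag, ts in pending.items() if now - ts > STALE_AFTER)


def report(rows, area, now):
    """Baseline figures for one Operating Area."""
    acts = activations(rows, area)
    times = [ts for ts, _ in acts]
    days = (times[-1].date() - times[0].date()).days + 1 if times else 1
    return {
        "total": len(acts),
        "most_frequent": Counter(tag for _, tag in acts).most_common(3),
        "chattering": chattering(rows, area),
        "stale": stale(rows, area, now),
        "flood": dense(times, FLOOD_COUNT, FLOOD_WINDOW),
        "avg_daily_rate": len(acts) / days,
    }


if __name__ == "__main__":
    for area in ("TRAIN1", "UTIL"):
        print(area, report(load(SAMPLE), area, NOW))
```
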

2.7 Alarm Suppression

The following facilities for automatically suppressing alarms from appearing on the Operator Console, while still being journaled, shall be provided:

a. Suppression according to plant operating mode e.g., start-up, shutdown, full load.

b. Suppression according to the operating state of particular plant items e.g., suppression of alarms related to a pump which is out of service

c. Suppression of alarms from plant under test

d. Suppression of normally expected alarms in a short period after a major event e.g., plant trip or loss of electrical power

e. Suppression of related alarms in cause-consequence groups

The Operator shall be provided with facilities for observing all alarms which have been automatically suppressed.


2.8 Hardware

The AMS shall include the following hardware related components:

a. Server and related virtualisation infrastructure

b. Network components including hubs, switches, adapters, and other components required for network connectivity to the DCS

c. Thin-client workstations. Workstations will be common with ICSS OWS, refer to RLNG-000-IC-SP-0101 - Specification for Integrated Control & Safety System

d. Network printers (common with ICSS printers), refer to RLNG-000-IC-SP-0101 - Specification for Integrated Control & Safety System

2.9 Virtualisation

The AMS shall be based on a virtualised server solution. ICSS VENDOR shall ensure that their proposal includes all required tools and applications to enable monitoring and management of the virtualised system architecture components.

ICSS VENDOR shall include a detailed description of their virtualisation solution for the AMS within their proposal.

2.10 Cyber Security

Cyber Security (OT Security) requirements are covered in RLNG-000-IC-SP-0002, Philosophy for Automation & Instrumentation Design; RLNG-000-PM-SP-0001, Cybersecurity Requirements for Vendors; and AGES-SP-04-013, OT Cyber Security Specification.

ICSS VENDOR shall ensure that design and implementation of the AMS follows all COMPANY Cyber Security requirements. Access control to the AMS and its configuration shall follow COMPANY Cyber Security Policy with two factor authentication. Authorised Username and Password for login to AMS servers shall be used.

2.11 Training

The ICSS VENDOR shall offer training to COMPANY operations personnel at site or at the ICSS VENDOR facility to proficiently utilise the AMS to safely operate the plant. At the completion of the training program, the Operators shall be able to:

a. Quickly identify and correct alarms, upsets and malfunctions.

b. Respond correctly and promptly to emergency situations.

c. Perform safe operating procedures.

Additional requirements for training are specified in RLNG-000-IC-SP-0002, Philosophy for Automation & Instrumentation Design.


The training for Maintenance/Engineer/Supervisor is explained in RLNG-000-IC-SP-0101, Specification For Integrated Control & Safety System.


3.0 AMENDMENTS TO ADNOC GENERAL ENGINEERING SPECIFICATION AGES-PH-04-003

Instructions contained below such as “Add”, “Substitute”, “Revised”, or “New” shall be interpreted as follows:

  1. Add: Requirements shall be a continuation of the paragraph in the referenced specification.

  2. Substitute: The requirement of the referenced specification shall be replaced in its entirety by the requirements below.

  3. Revised: The requirement of the referenced specification shall be revised by the specific wording below.

  4. New: A new requirement as described below.

1 GENERAL

1.1 Introduction – add below wording:

‘When reading this philosophy, Process Control System (PCS) shall be read as Distributed Control System (DCS).

ESD system shall be read as Safety Instrumented System (SIS).

F&G system shall be read as Fire & Gas System (FGS).

This is to align with the terminology used on the Reference Project.’

1.3.2 Abbreviations – Add below definitions:

DCS: Distributed Control System

FGS: Fire & Gas System

SIS: Safety Instrumented System

SECTION A – GENERAL

2 REFERENCE DOCUMENTS

2.2 ADNOC Specifications

The following AGES references are substituted with Project documents as detailed below:

AGES Reference | Project Document No. | Project Document Title
AGES-PH-04-001 | RLNG-000-IC-SP-0002 | Philosophy for Automation & Instrumentation Design
AGES-PH-04-002 | RLNG-000-IC-SP-0005 | Specification for HMI Graphics
AGES-SP-04-001 | RLNG-000-IC-SP-0101 | Specification for Integrated Control & Safety System
AGES-SP-04-003 | RLNG-000-IC-SP-0101 | Specification for Integrated Control & Safety System
AGES-SP-04-004 | RLNG-000-IC-SP-0101 | Specification for Integrated Control & Safety System


DESIGN CONSIDERATIONS / MINIMUM DESIGN REQUIREMENTS

6.1 Engineering Units – Substitute entire paragraph for below:

‘Units of Measure shall be as defined in RLNG-000-PM-BOD-2002, Project design basis’.

ALARM MANAGEMENT LIFECYCLE

8.2 Alarm Management Lifecycle Stages

8.2.9 Management of Change (I)

Add:

‘This section is applicable during operation phase (Out of EPC scope)’

ALARM IDENTIFICATION

10.3 Alarm Attributes

10.3.3 Alarm On-Delay and Off-Delay

Add after Table 10.4 On-Delay / Off-Delay:

‘Above On-Delay / Off-Delay shall be implemented in operation for alarms only in DCS identified by AMS as problematic. Timer should be adjusted case by case (Depending on operator response time)’

10.5 Alarm Prioritization

10.5.2 Consequence/Severity Assessment

Revised first paragraph ‘ADNOC latest corporate 6x6 Risk Matrix shall be used for assessing the consequence/severity and risk.’

With:

‘ADNOC latest corporate 6x6 Risk Matrix shall be used for assessing the consequence/severity and risk. (HOLD 4)’

ALARM RATIONALISATION

11.2 Preparation

Revised the last paragraph ‘Alarm rationalization is typically performed as a group activity similar to some of the safety studies. However, several tasks should be completed prior to assembling the group.’

With:

‘Alarm rationalization is typically performed as a group activity similar to some of the safety studies. However, several tasks should be completed prior to assembling the group as below:

  • Review criteria matrix (Especially Severity of consequences and operator response time) between all partners and COMPANY

  • When agreed, CONTRACTOR to provide template with different type of alarms filled

  • Review in workshop with all the people implied that we are agreed on the methodology

  • CONTRACTOR to pre-fill all the database of alarm rationalization


  • COMPANY review and comment it

  • Make a final workshop implying CONTRACTOR (Process/instrumentation) and COMPANY (Operation/Process) only on Company comments

  • CONTRACTOR to update alarm report with workshop conclusions’

11.3 Pre-Requisites

11.3.3 Identify Team/Personnel

11.3.3.1 Full-Time Participants

Revised point ‘e. An experienced alarm rationalization facilitator (3rd party approved by COMPANY), knowledgeable in alarm management principles and practices, with a background in areas such as human factors, process engineering, operations, control systems.’

With:

‘An experienced alarm rationalization facilitator, knowledgeable in alarm management principles and practices, with a background in areas such as human factors, process engineering, operations, control systems’

OPERATIONS AND MAINTENANCE

13.6 Suppression and Shelving of Alarms

13.6.3 Alarm Suppression

Add:

‘13.6.4 Alarm Condition

Conditioning alarms is done to inhibit all actions and alarms regarding trip/Interlocks not necessary in an operating mode or consequences of process conditions.

Examples of alarm conditioning

a) FSLL, PSLL or PAL or FSL alarm are determined:

If pump (or compressor…) is stopped, then associated (LL consequential to a stop) alarms/actions are not active.

b) Analyser alarms

Alarms are determined with a minimum flow.

For SIS and FGS, logic to inhibit the trips/alarms is called automatic start-up inhibit.’

OPERATIONS AND MAINTENANCE

14.2 Alarm System Performance States

Add:

‘This section is applicable during operation phase (Out of EPC scope)’


SECTION E- APPENDICES

APPENDIX A1. ALARM DESIGN PRINCIPLES

A1.3. Suppression

A1.3.2 Dynamic Alarm Suppression

Add after the last paragraph:

‘Following generic dynamic alarm suppression rules will be applied for RUWAIS project:

• In case of one equipment/Process section is isolated for maintenance, all unnecessary alarms will be dynamically suppressed.

• LL alarms will dynamically suppress L alarms

• HH alarms will dynamically suppress H alarms

• Voting NooM: Voting trip will dynamically suppress individual alarms.

• In case of Alarm group, if alarm group is active then individual alarms are dynamically suppressed.

• In case of start-up-inhibit on ESD transmitter, corresponding alarm will be dynamically suppressed.

• In case of first out detected, consequential alarms will be dynamically suppressed (Example: When first out fault detected in a safety bar then all consequential alarms on this safety bar will be dynamically suppressed).

• When a communication failure through serial link (MCC, package) is detected with a device, all the alarms linked to this device will be dynamically suppressed.

Note: Dynamic alarm suppression is different than alarm Conditioning and shelving. Dynamic alarm suppression is done in Automatic depending of process conditions but animation on display is still present and associated actions are still valid (If any).’
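
Four of the generic rules above (LL over L, HH over H, voting trip over individual alarms, serial link communication failure over device alarms) can be expressed as a small rule evaluator. This is an added example, not part of the specification or of any vendor implementation: the `Alarm` data model, the tag names and the reason strings are assumptions. Every alarm is written to the journal whether suppressed or not, as Section 2.7 requires, and the suppressed set is returned so the Operator can observe it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    tag: str              # point or device tag (constructed names below)
    kind: str             # "LL", "L", "H", "HH", "VOTE_TRIP", "COMM_FAIL" or "OTHER"
    device: str = ""      # device reached through a serial link, if any
    vote_group: str = ""  # NooM voting group, if any


def suppression_reason(alarm, active):
    """Return why `alarm` is dynamically suppressed, or None if it is annunciated."""
    kinds_on_point = {a.kind for a in active if a.tag == alarm.tag}
    if alarm.kind == "L" and "LL" in kinds_on_point:
        return "LL active on same point"
    if alarm.kind == "H" and "HH" in kinds_on_point:
        return "HH active on same point"
    if alarm.kind != "VOTE_TRIP" and alarm.vote_group and any(
            a.kind == "VOTE_TRIP" and a.vote_group == alarm.vote_group
            for a in active):
        return "voting trip active"
    if alarm.kind != "COMM_FAIL" and alarm.device and any(
            a.kind == "COMM_FAIL" and a.device == alarm.device
            for a in active):
        return "serial link communication failure"
    return None


def evaluate(active):
    """Split active alarms into annunciated and suppressed; journal all of them."""
    annunciated, suppressed, journal = [], {}, []
    for alarm in active:
        reason = suppression_reason(alarm, active)
        # Suppression only hides the alarm from the console list; the journal
        # entry is always written so the event stays auditable.
        journal.append((alarm.tag, alarm.kind, reason or "annunciated"))
        if reason:
            suppressed[(alarm.tag, alarm.kind)] = reason
        else:
            annunciated.append((alarm.tag, alarm.kind))
    return annunciated, suppressed, journal


# Constructed set of simultaneously active alarms.
ACTIVE = [
    Alarm("LT-101", "L"),
    Alarm("LT-101", "LL"),
    Alarm("PT-201A", "HH", vote_group="PT-201"),
    Alarm("PT-201B", "HH", vote_group="PT-201"),
    Alarm("PT-201", "VOTE_TRIP", vote_group="PT-201"),
    Alarm("MCC-7", "COMM_FAIL", device="MCC-7"),
    Alarm("P-301", "OTHER", device="MCC-7"),
    Alarm("TT-401", "H"),
]

if __name__ == "__main__":
    shown, hidden, log = evaluate(ACTIVE)
    print("annunciated:", shown)
    print("suppressed:", hidden)
    print("journal entries:", len(log))
```
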

APPENDIX A4

Substitute ‘Table 31.1 Rule-Based Prioritization Exemplars..’

With:

‘Table 31.1 Rule-Based Prioritization for RUWAIS project

Description | Priority
Fire and Gas Detection Associated Alarms
1 Confirmed fire, flammable gas, H2S gas detection in Voting NooM (including 1oo1) | 1


2 Confirmed smoke, heat detector activation in Voting NooM (including 1oo1) | 1
3 Un-confirmed fire, flammable gas, H2S gas detection (Single Fire or Gas detection alarm in Voting NooM) | 2
4 Un-confirmed smoke, HSSD, heat detector activation (Single detection alarm in Voting NooM) | 2
5 Manual call point activation | 1
6 Detector diagnostic alarm including under range and over range | 2
7 F&G detector in calibration mode | 3
8 Fire suppression activation | 1
9 Fire suppression aborted | 3
10 Fire suppression inhibited | 1
11 Deluge activated | 1
12 F&G inter-trip to ESD system | 1
13 F&G MOS (maintenance override) status | Alarm/Journal
14 F&G MOS time out | 3
15 F&G MOS renewal | Alarm/Journal
16 F&G detector fault, F&G 50% detector fault, all the detector fault | 3


17 Manual call point contact discrepancy

18 Manual call point fault

3

2

Alarm/Journal (already individual device fault has generated an alarm)

19 Common 1ooN – voting degradation alarm
20 Feedback fault for a safety equipment (Deluge valve, fire damper)
21 Other FGS alarms (no voting)

Emergency Shutdown System Associated Alarms

22 Equipment trip, higher-level ESD trips
23 Deviation Alarm between 1oo2, 2oo3 voted sensor
24 Deviation Alarm between 1oo2D voted sensor
25 One of the device alarms in voted group (if no trip occurs)
26 Bad PV of ESD analogue sensor (1oo1), if not configured not to trip
27 Bad PV of ESD analogue sensor in voted group
28 ESD valve travel/discrepancy alarms
29 Command failure ESD valve (valve moved without command, valve not moved with command)
30 Bypass active alarm (trip/interlock impairment)
31 ESD trip alarms (LL or HH) or NooM confirmed detection
32 Start-up bypass (SUB) status/time out
33 PST in progress
34 PST failure
35 FST in progress
36 FST failure
37 ESD device is in MOS
38 MOS timed out
39 MOS renewal

1

2

3

3

3

2

1

2

1

1

1

3

4

3

1

3

3

3

3

1


40

Alarms used as Independent Protection Layer (IPL)/with credit taken in LOPA

41

System cabinet alarm (DCS, ESD, F&G, PLC)

1

3

42

Command failure isolation valve (valve moved without command, valve not moved with command)

3 (elevated to 2 if it is critical)

43

ESD manual Pushbutton

44

Field Safety transmitter failure (SIS)

Distributed Control System Associated Alarms

45

Bad PV of PCS analogue sensor (Measure, analog output)

46

Bad PV of PCS analogue sensor (Measure in a controller PID)

3

3

3

2

As per the highest priority between high and low alarms

Depending of alarm rationalization 3 (elevated to 2 if it is critical)

47

Indicator of process status

48

PCS high or low alarm

49

50

51

52

53

Non-ESD valve travel/discrepancy alarms

Alarm comparison between DCS and SIS Transmitter

Control Loop Deviation Alarm between SP and PV

Equipment interlocked (Pumps, valves)

Unavailable/fault signal for a pump/heater/compressor where operator actions are identified

54 Other alarms(HVAC, utilities, Metering…)

55

Serial link communication failure

56 MCC and Motor related Alarms single/ redundant unit

57 Motor/pump failure

58

Third-party PLC/Controller common alarm

ICSS (DCS/SIS/FGS) Associated Alarms

59

Any ICSS maintenance required


2

2

3

3

3

2

3

3

3

3


60

61

62

ICSS IO cards, CPU, Network and redundancy failures (ex: Power supply), any system diagnostics.. ICSS Power system diagnostic Alarms

ICSS UPS/Switchgear/Battery fault

3

3

1


4.0 APPENDIX 1 AGES-PH-04-003 – ALARM RATIONALIZATION PHILOSOPHY


AGES-PH-04-003 - ALARM RATIONALIZATION PHILOSOPHY.PDF ADNOC Classification: Internal

THE CONTENTS OF THIS DOCUMENT ARE PROPRIETARY AND CONFIDENTIAL.

ADNOC GROUP PROJECTS AND ENGINEERING

ALARM RATIONALIZATION

Philosophy

APPROVED BY:

NAME: Abdulmunim Al Kindy

TITLE: Executive Director PT&CS

EFFECTIVE DATE:

AGES-PH-04-003

All parties consent to this document being signed electronically - PT&CS/GP/INT/2022/291

Abdul Munim Al Kindy

ADNOC Classification: Internal

GROUP PROJECTS & ENGINEERING / PT&CS DIRECTORATE

CUSTODIAN ADNOC

Group Projects & Engineering / PT&CS Specification applicable to ADNOC & ADNOC Group Companies

REVISION HISTORY

DATE: 04 Jan 2022

REV. NO: 1

PREPARED BY (Designation / Initial): Annamalai Kulandaivel, Sr. Eng. I-C

REVIEWED BY (Designation / Initial): Mahmoud Abdel Hakim / HOD Pipeline Eng. – GPE

ENDORSED BY (Designation / Initial): Najem Qambar / VP Group Eng. – GPE

ENDORSED BY (Designation / Initial): Ebraheem AlRomaithi / SVP – GPE

Group Projects & Engineering is the owner of this Philosophy and responsible for its custody, maintenance and periodic update.

In addition, Group Projects & Engineering is responsible for communication and distribution of any changes to this Specification and its version control.

This Philosophy will be reviewed and updated in case of any changes affecting the activities described in this document.

AGES-PH-04-003

Rev. No: 1 Page 2 of 87

07/01/2022 All parties consent to this document being signed electronically - PT&CS/GP/INT/2022/291 12/01/2022

ADNOC Classification: Internal

INTER-RELATIONSHIPS AND STAKEHOLDERS

The following are inter-relationships for implementation of this Philosophy:

i. ADNOC Upstream and ADNOC Downstream Industry, Marketing & Trading Directorate.

ii. ADNOC Onshore, ADNOC Offshore, ADNOC Sour Gas, ADNOC Gas Processing, ADNOC LNG, ADNOC Refining, ADNOC Fertilisers, Borouge, Al Dhafra Petroleum, Al Yasat

The following are stakeholders for the purpose of this Philosophy:

i. ADNOC PT&CS Directorate

This Philosophy has been approved by the ADNOC PT&CS and is to be implemented by each ADNOC Group company included above, subject to and in accordance with their Delegation of Authority and other governance-related processes, in order to ensure compliance.

Each ADNOC Group company must establish/nominate a Technical Authority responsible for compliance with this Philosophy.

DEFINITIONS

“ADNOC” means Abu Dhabi National Oil Company.

“ADNOC Group” means ADNOC together with each company in which ADNOC, directly or indirectly, controls fifty percent (50%) or more of the share capital.

“Approving Authority” means the decision-making body or employee with the required authority to approve Policies & Procedures or any changes to it.

“Business Line Directorates” or “BLD” means a directorate of ADNOC which is responsible for one or more Group Companies reporting to, or operating within the same line of business as, such directorate.

“Business Support Directorates and Functions” or “Non-BLD” means all the ADNOC functions and the remaining directorates, which are not ADNOC Business Line Directorates.

“CEO” means chief executive officer.

“Group Company” means any company within the ADNOC Group other than ADNOC.

“Philosophy” means this Alarm Rationalization Philosophy.

CONTROLLED INTRANET COPY

The intranet copy of this document located in the section under Group Policies on One ADNOC is the only controlled document. Copies or extracts of this document, which have been downloaded from the intranet, are uncontrolled copies and cannot be guaranteed to be the latest version.


TABLE OF CONTENTS

GENERAL

INTRODUCTION

PURPOSE

DEFINITIONS AND ABBREVIATIONS

SECTION A – GENERAL

REFERENCE DOCUMENTS

INTERNATIONAL CODES AND STANDARDS

ADNOC SPECIFICATIONS

OTHER REFERENCES

DOCUMENT PRECEDENCE

SPECIFICATION DEVIATION / CONCESSION CONTROL

PROCESS SAFETY REQUIREMENTS

DESIGN CONSIDERATIONS / MINIMUM DESIGN REQUIREMENTS

ENGINEERING UNITS

SECTION B – TECHNICAL REQUIREMENTS

ALARM MANAGEMENT ORGANISATION

LEADERSHIP AND COMMITMENT

ROLES AND RESPONSIBILITIES

ALARM MANAGEMENT LIFECYCLE

ALARM MANAGEMENT LIFECYCLE MODEL

ALARM MANAGEMENT LIFECYCLE STAGES

ALARM MANAGEMENT LIFECYCLE STAGE REQUIREMENTS

ALARM PHILOSOPHY

ROLE OF ALARM SYSTEM IN MANAGING ABNORMAL SITUATIONS

ALARMS

ALARM SOURCES

OPERATING CONSTRAINTS, LIMITS, AND SETTINGS

MANAGING STANDING ALARMS

MANAGING UPDATE OF MADB

ALARM MANAGEMENT PHILOSOPHY DOCUMENT

ALARM IDENTIFICATION

ALARM DESIGN PRINCIPLES

ALARM TYPES


ALARM ATTRIBUTES

CATEGORISATION, CLASSIFICATION AND GROUPING OF ALARMS

ALARM PRIORITIZATION

ALARM MESSAGE

ALARM RATIONALISATION

PURPOSE

PREPARATION

PRE-REQUISITES

ALARM RATIONALIZATION PROCESS

DETAILED DESIGN AND IMPLEMENTATION

DETAILED DESIGN

IMPLEMENTATION

TRAINING OF PANEL OPERATORS AND PLANT PERSONNEL

OPERATIONS AND MAINTENANCE

OVERVIEW

OBJECTIVES

KEY FOCUS AREAS FOR PERFORMANCE

ALARM MANAGEMENT PERFORMANCE IMPROVEMENT PROCESSES

MASTER ALARM DATABASE

SUPPRESSION AND SHELVING OF ALARMS

PERIODIC TESTING

TRAINING IN OPERATIONS

ALARM SYSTEM PERFORMANCE MEASUREMENT

MAIN PERFORMANCE MEASURES

ALARM SYSTEM PERFORMANCE STATES

KEY PERFORMANCE INDICATORS (KPIS)

ADDITIONAL RECOMMENDED SITE PERFORMANCE METRICS

MAIN BENCHMARK VALUES

MANAGEMENT OF CHANGE PROCEDURE

AUDIT

ADDITIONAL SPECIFIC REQUIREMENTS

SECTION C – OTHER REQUIREMENTS

DETAILS OF SCOPE SUPPLY

QUALITY CONTROL AND ASSURANCE


SUB-CONTRACTORS, SUB-SUPPLIERS

CERTIFICATION

INSPECTION AND TESTING REQUIREMENTS

SPARE PARTS, CONSUMABLES AND SPECIAL TOOLS

PAINTING, PRESERVATION AND SHIPMENT

INSTALLATION, COMMISSIONING AND MAINTENANCE SUPPORT

TRAINING

DOCUMENTATION / MANUFACTURER DATA RECORDS

GUARANTEES AND WARRANTY

PROJECT ADMINISTRATION

SECTION D – STANDARD DRAWINGS & DATASHEETS

DATASHEET TEMPLATES

STANDARD DRAWINGS

SECTION E - APPENDICES

ALARM DESIGN PRINCIPLES

A1.1. ALARM METHODOLOGY

A1.2. ALARM SHELVING

A1.3. SUPPRESSION

A1.4. REDUNDANCY LOGIC

A1.5. ECLIPSING

A1.6. OUT-OF-SERVICE PLANT

A1.7. OPERATING MODE

A1.8. MAJOR EVENT

A1.9. ALARMS FROM EQUIPMENT UNDER TEST

ALARM TYPES

A2.1. ABSOLUTE ALARMS

A2.2. DEVIATION ALARMS

A2.3. RATE-OF-CHANGE ALARMS

A2.4. DISCREPANCY ALARMS (COMMAND-DISAGREE)

A2.5. SYSTEM DIAGNOSTIC ALARMS

A2.6. INSTRUMENT DIAGNOSTIC ALARMS

A2.7. BAD-MEASUREMENT ALARMS

A2.8. ADJUSTABLE ALARMS

A2.9. ADAPTIVE ALARMS


A2.10. FIRST-OUT ALARMS (FIRST-UP ALARMS)

A2.11. COMMON ALARMS (GROUP ALARMS, COMMON TROUBLE ALARMS)

A2.12. DISCRETE ALARMS

ALARM REVIEW WORKFLOWS

A3.1. MONTHLY ALARM REVIEW WORKFLOW

A3.2. ALARM MANAGEMENT WORKFLOW

RULE-BASED PRIORITIZATION EXEMPLARS

ISA 18.2 – RECOMMENDED PERFORMANCE METRICS (MARCH 2016)

EEMUA 191-GUIDELINES FOR TESTING OF ALARMS

A6.1. MANAGEMENT OF TESTING

A6.2. TEST METHODOLOGY


LIST OF TABLES

TABLE 1.1 LIST OF ABBREVIATIONS

TABLE 1.2 LIST OF TECHNICAL DEFINITIONS

TABLE 8.1 ALARM MANAGEMENT LIFECYCLE STAGES REQUIREMENTS (BASED ON ISA 18.2)

TABLE 9.1 TYPICAL CONTENT-ALARM MANAGEMENT PHILOSOPHY DOCUMENT (REF. EEMUA 191)

TABLE 10.1 GOOD ALARM DEFINITION

TABLE 10.2 EXAMPLE ALARM TYPES

TABLE 10.3 HSE UK CRR 166/1998 DEFINED DEAD-BAND

TABLE 10.4 ON-DELAY / OFF-DELAY

TABLE 10.5 ALARM CLASSES

TABLE 10.6 THREE-PRIORITY SYSTEM

TABLE 10.7 ALLOWABLE RESPONSE TIMES

TABLE 10.8 PRIORITY SELECTION

TABLE 10.9 PRIORITY PROPORTION

TABLE 11.1 MADB MINIMUM FIELDS (REFERENCE EEMUA 191)

TABLE 14.1 ALARM SYSTEM PERFORMANCE STATES

TABLE 14.2 REPORTABLE KPIS

TABLE 14.3 ADDITIONAL RECOMMENDED ALARM METRICS PER OPERATOR CONSOLE

TABLE 14.4 LONG TERM AVERAGE ALARM RATE IN NORMAL STEADY-STATE OPERATION

TABLE 14.5 LONG TERM AVERAGE ALARM RATE IN ABNORMAL UPSET-STATE OPERATIONS

TABLE 14.6 PRIORITY DISTRIBUTION

TABLE 31.1 RULE-BASED PRIORITIZATION EXEMPLARS

TABLE 31.2 ISA 18.2 RECOMMENDED ALARM PERFORMANCE METRICS SUMMARY

LIST OF FIGURES

FIGURE 1 OPERATING LIMITS

FIGURE 2 ALARM MANAGEMENT COMMITTEE

FIGURE 3 ALARM LIFE CYCLE MODEL

FIGURE 4 ALARM PROCESSING

FIGURE 5 RATIONALIZATION PROCESS

FIGURE 6 STATIC ALARM SUPPRESSION

FIGURE 7 DYNAMIC ALARM SUPPRESSION

FIGURE 8 MONTHLY ALARM REVIEW WORKFLOW

FIGURE 9 ALARM MANAGEMENT WORKFLOW


GENERAL

Introduction

This philosophy defines the minimum principles, high level requirements and work processes for designing, implementing, and maintaining safe, efficient, and effective alarm systems.

Alarm Philosophy and Design Guideline documents for projects shall be developed to meet this philosophy.

Ineffective alarm systems can be significant contributing factors in major process incidents. Effective Alarm Management results in safer and more efficient operations.

An Alarm Management system shall be designed with the end-user (the plant control room panel operator) in mind. Based on studies of human ergonomics, a control room panel operator can only react to, and make correct decisions on, a limited number of alarms each hour. Alarm overload can lead to wrong decisions and a lack of effective intervention, which in turn can cause process incidents. Thus, a primary objective of any Alarm Management System is to categorise, prioritise and rationalize all alarms based on the timely response requirements.

The key principles of alarm management are:

• Alarms should direct the panel operator’s attention towards plant conditions requiring timely assessment or action.

• Alarms should inform and guide required operator action.

• Every alarm should be useful and relevant to the panel operator and have a defined response.

• Alarm levels should be set such that the plant operators have sufficient time to carry out their defined response before the plant abnormal condition escalates.

• The alarm system shall accommodate human capabilities and limitations.

This philosophy has been prepared with due consideration to International standards ISA 18.2, IEC 62682, and EEMUA-191, existing practices within the ADNOC Group Companies and other guidance documents that are used throughout the industry.

Purpose

The Control Room panel operator must always be provided with reliable and accurate information with respect to any abnormal situation, an equipment malfunction or a process upset condition that could potentially trigger a process shutdown. The information needs to be presented to the panel operator with a clear identification of its importance and relevance, to enable an effective and diligent operator action.

In addition, the alarm system is required to notify the panel operator of the abnormal situations at the right time and direct their attention so that corrective action is taken in a timely manner to prevent any undesired consequence. The alarm system shall be designed for effective handling of a single alarm during normal operations and multiple alarms during a major plant upset.

This means that the information alarm systems present should be relevant to the operator’s role at the time; indicate clearly what response is required; be presented at a rate that the panel operator can deal with and be easy to understand.

Key to active Alarm Management is an effective performance monitoring and rationalization process in operations; a commitment by Senior Management to continuous improvement and maintaining relevant Key Performance Indicators (KPIs) to drive that improvement.


This Philosophy presents the Life Cycle Approach for effective ‘alarm management’ throughout plant life from Design through to Operations, including identification, implementation and management of alarms (Section 8).

‘Alarm management’ includes multiple work processes to identify, implement and effectively manage the alarms within the ‘Alarm management lifecycle’.

This Philosophy provides general guidelines of ‘alarm design principles’ for use in designing the control systems in new process facilities or to the control systems in the existing facilities. This includes a robust process for ‘Rationalization’ in the Design Phase (see Section 11).

These ‘alarm design principles’ shall be applied to plant ICSS (PCS, ESD and F&G systems), Programmable Logic Control (PLC) systems, various SUPPLIER packages systems/sub-systems and any systems within process facilities that generate an alarm to be presented to the panel operator.

The practices included in this Philosophy are applicable mainly to continuous processes. Batch and discrete processes may require a different Alarm Philosophy and different performance measures, which should be developed at project/facility level. There could be differences in alarm implementation methodology to meet the specific needs of process type and control systems deployed from different SUPPLIERs.

This Philosophy also provides a methodology to continually improve the Alarm management performance of existing operational ADNOC facilities (see Section 13).

This Philosophy presents the minimum expectations of the Master Alarm Database (MADB) with associated Alarm response Procedures, documentation, training, Management of Change (MOC) requirements, alarm performance monitoring and KPIs for effective implementation of “Alarm Management Life Cycle”.

The details included in the Philosophy address the following:

• Alignment with corporate risk management goals/objectives

• Alignment with good engineering practices

• Efficient alarm rationalization and design activities

This philosophy is intended to define the minimum requirements for ‘Alarm Management’ to be applied to new and existing process facilities within ADNOC. The alarm design principles shall be adopted for all new projects in ADNOC facilities. Compliance is mandatory for Greenfield projects, and major brownfield projects. Retroactive application to existing operational Alarm systems is not mandated, but subject to local company business justification.

The performance of existing alarm systems on operational sites designed and constructed in accordance with earlier codes, standards or practices prior to the issue of this Philosophy, shall be monitored and managed and the performance reported against the KPIs set forth in this document.

The following alarm systems are not within the scope of this document:

• Security system alarms

• Public address system alarms

• Personal gas detector alarms

• Office building alarms

• Evacuation alarms

• Telecommunication system alarms that are not plant related


Unless otherwise stated in this philosophy, the alarm management systems shall comply fully with the requirements of relevant AGES, ADNOC Group standards / guidelines, industry, and international standards.

The requirements detailed within this philosophy shall apply to both offshore and onshore installations, unless specifically stated to apply to either one or the other, i.e., a requirement starting with “for installations offshore” applies only to equipment to be located on an offshore installation.

This philosophy provides the structure to support standardisation and its associated savings in lifecycle costs, including total cost of ownership, and maintenance requirements.

Definitions and Abbreviations

1.3.1 Definitions

The following defined terms are used throughout this philosophy:

‘[PSR]’ indicates a mandatory Process Safety Requirement

“COMPANY” means ADNOC, ADNOC Group or an ADNOC Group Company, and includes any agent or consultant authorized to act for, and on behalf of the COMPANY.

“CONTRACTOR” means the parties that carry out all or part of the design, engineering, procurement, construction, commissioning or management for ADNOC projects. CONTRACTOR includes its approved MANUFACTURER(s), SUPPLIER(s), SUB-SUPPLIER(s), and SUB-CONTRACTOR(s).

“MANUFACTURER” means the Original Equipment Manufacturer (OEM) or MANUFACTURER of one or more of the component(s) which make up a sub-assembly or item of equipment assembled by the main SUPPLIER or his nominated SUB-SUPPLIER.

‘may’ means a permitted option

‘shall’ indicates mandatory requirements

‘should’ means a recommendation

“SUB-CONTRACTOR” means any party engaged by the CONTRACTOR to undertake any assigned work on their behalf. COMPANY maintains the right to review all proposed SUB-CONTRACTORs; this right does not relieve the CONTRACTOR of their obligations under the Contract, nor does it create any contractual relationship between COMPANY and the SUB-CONTRACTOR.

“SUPPLIER” means the party entering into a Contract with CONTRACTOR to provide the materials, equipment, supporting technical documents and/or drawings, guarantees, warranties and/or agreed services in accordance with the requirements of the purchase order and relevant specification(s). The term SUPPLIER includes any legally appointed successors and/or nominated representatives of the SUPPLIER.

“SUB-SUPPLIER” means the sub-contracted SUPPLIER of equipment sub-components, software and/or support services relating to the equipment / package, or part thereof, to be provided by the SUPPLIER. COMPANY maintains the right to review all proposed SUB-SUPPLIERS, but this right does not relieve the SUPPLIER of their obligations under the Contract, nor does it create any contractual relationship between COMPANY and any individual SUB-SUPPLIER.

“CONCESSION REQUEST” - A deviation requested by the CONTRACTOR or SUPPLIER, usually after receiving the contract package or purchase order. Often, it refers to an authorization to use, repair, recondition, reclaim or release materials, components or equipment already in progress or completely manufactured but which does not meet or comply with COMPANY requirements. A CONCESSION REQUEST is subject to COMPANY approval.


1.3.2 Abbreviations

The abbreviations used throughout this philosophy are shown in Table 1.2

Table 1.1 List of Abbreviations

| Abbreviation | Description |
|---|---|
| ADNOC | Abu Dhabi National Oil Company |
| AGC | ADNOC Group Companies |
| ALARP | As Low As Reasonably Practical |
| AMHAZ | Alarm Management Hazard Analysis |
| AMS | Alarm Management System |
| ASRS | Alarm System Requirements Specification |
| BPCS | Basic Process Control System |
| CFA | Critical Fault Alarm |
| COP | Codes of Practice |
| EEMUA | Engineering Equipment and Materials Users Association |
| EPC | Engineering Procurement and Construction |
| ESD | Emergency Shutdown |
| F&G | Fire and Gas |
| FAT | Factory Acceptance Test |
| FDS | Functional Design Specification |
| FEED | Front End Engineering Design |
| FS | Functional Specification |
| FST | Full Stroke Test |
| HAZID | Hazard Identification |
| HAZOP | Hazard and Operability |
| HH | High High |
| HMA | Highly Managed Alarm |
| HMI | Human Machine Interface |
| HSE | Health, Safety & Environment |
| I/O | Input/Output |
| ICSS | Integrated Control and Safety System |
| IEC | International Electrotechnical Commission |
| IES | Instrument Equipment Shelter |
| IFAT | Integrated Factory Acceptance Test |
| IOM | Installation, Operation and Maintenance |
| ISA | International Society for Automation |
| ISO | International Organisation for Standardisation |
| ITP | Inspection and Test Plan |
| KPI | Key Performance Indicator |
| LL | Low Low |
| LOPA | Layers of Protection Analysis |
| MA | Mitigation Alarm |
| MADB | Master Alarm Database |
| MOC | Management of Change |
| MOS | Maintenance Override Switch |
| OEM | Original Equipment Manufacturer |
| P&ID | Piping & Instrument Diagram |
| PCS | Process Control System |
| PFD | Probability of Failure on Demand |
| PHA | Process Hazard Analysis |
| PLC | Programmable Logic Control |
| PST | Partial Stroke Test |
| PV | Process Value |
| QA | Quality Assurance |
| QC | Quality Control |
| RACI | Review Approve Consult Information |
| SAT | Site Acceptance Test |
| SCADA | Supervisory Control And Data Acquisition |
| SIF | Safety Instrumented Function |
| SIL | Safety Integrity Level |
| SIT | Site Installation Test |
| SME | Subject Matter Expert |
| SOE | Sequence of Events |
| SRS | Safety Requirements Specification |
| TR | Technical Report |
| UCP | Unit Control Panel |

1.3.3 Technical Definitions

The technical definitions used throughout this philosophy are shown in Table 1.2


Table 1.2 List of Technical Definitions

Term

Definition

Absolute Alarm

An alarm generated when the set point is exceeded.

Abnormal Situation

The exceedance of any defined critical, standard or target limit or the condition when the process is not behaving as expected or when other threats have impacted operations.

Acknowledge

The panel operator action that confirms recognition of an alarm.

Advanced alarming

A collection of techniques (e.g., state-based alarming, and dynamic prioritization) that can help manage alarm rates in specific situations.

Alarm

An audible and/or visible notification indicating to the panel operator an equipment malfunction, process deviation, or abnormal situation requiring an operator response.

Alarm attributes (Alarm parameters)

The settings for an alarm within the process control system (e.g., alarm set point, alarm priority).

Alarm class

Alarm dead band (Alarm hysteresis)

A group of alarms with common alarm management requirements (e.g., testing, training, monitoring, and audit requirements).

The change in signal from the alarm set point necessary to clear the alarm.

Alarm flood (Alarm shower)

A condition during which the alarm rate is greater than the panel operator can effectively manage (e.g., more than 10 alarms per 10 minutes).

Alarm group

A set of alarms with the common association (e.g., process unit, process area, equipment set, or service).

Alarm historian

The long-term repository for alarm records.

Alarm log

The short-term repository for alarm records.

Alarm (system) management

The processes and practices for determining, documenting, designing, operating, monitoring, and maintaining alarm systems.

Alarm priority

The relative importance assigned to an alarm within the alarm system to indicate the urgency of response (e.g., the seriousness of consequences and allowable response time).

Alarm set point (Alarm limit, Alarm trip point)

The threshold value of a process variable or discrete state that triggers the alarm indication.

Alarm summary

A display that lists alarms with selected information (e.g., date, time, priority, and alarm type).

Alarm type (Alarm condition)

A specific alarm on a process measurement (e.g., low process variable alarm, high process variable alarm, or discrepancy alarm).

Allowable response time

The maximum time between the annunciation of the alarm and the time the plant operator must take corrective action to avoid the consequence.

Allowable time in exceedance

The time a standard limit may be exceeded without the onset of potential degradation of equipment integrity.

Bad measurement alarm

An alarm generated when the signal for process measurement is outside the expected range (e.g., 3.8mA for a 4-20mA signal).

Basic Process Control System (BPCS)

Chattering alarm

A configurable microprocessor-based process control system. The term includes PCS, PLC, and SCADA process control systems but excludes the ESD (SIS) and FGS.

An alarm that repeatedly transitions between the alarm state and the normal state in a defined short period of time (more than 5 times in a minute).

AGES-PH-04-003

Rev. No: 1 Page 14 of 87

All parties consent to this document being signed electronically -PT&CS/GP/INT/2022/291

ADNOC Classification: Internal

Term

Classification

The process of separating alarms into classes based on common requirements (e.g., testing, training, monitoring, and auditing requirements).

Definition

Clear

An alternate description of the state of an alarm that has transitioned to the normal state.

Configuration

The combination and the setting of parameters of predefined, application specific library functions and their parameters to implement the alarm system functionality.

constraint

critical limit

An identified restriction on the equipment, such as the design pressure or design temperature of a vessel, a relief valve setting, an IPF setting etc. which constraints (i.e., limits or restricts) the operation of the equipment

The value at which the panel operator has a last opportunity to timely diagnose a situation and respond in order to correct the process and prevent the consequences

Deviation alarm

An alarm generated when the difference between two analogue values exceeds a limit (e.g., the deviation between primary and redundant instruments or a deviation between the process variable and set point).

Discrepancy alarm (Mismatch alarm)

An alarm generated by the error between the comparison of an expected plant or device state to its actual state (e.g., when a motor fails to start after it is commanded to the “on” state).

Enforcement

An enhanced alarming technique that can verify and restore alarm attributes in the control system to the values in the MADB.

Facility

The group of physical equipment that functions together, as a single unit, to perform a specific operation such as crude oil/gas production, separation, refining, chemicals manufacturing, chemical process, storage, transfer, (un)loading stations, treating or any other operations involved in the production, manufacturing and handling of crude oil, gas, oil products and/or chemicals, including but not limited to, process units (operating and idle), utilities, water and effluent treating units, tank farms and other storage, pipelines, pumping, compression, loading and unloading stations. (Process unit, plant, asset)

Instrument diagnostic alarm

An alarm generated by a field device to indicate a fault (e.g., sensor failure).

Latching alarm

An alarm that remains in alarm state after the process has returned to normal and requires an operator reset before it will clear

Limit

The critical, standard or target limit(s) of a variable

Master alarm Database (MADB)

A database under Management of Change that contains all facility constraints, critical, standard and target limits, alarms, consequences of exceeding critical, standard and target limits, suggested operator responses and other related information.

Nuisance alarm

Operator Panel

An alarm that annunciates excessively, unnecessarily, or does not return to normal after the correct response is taken (e.g., chattering, fleeting, or standing alarms)

A single Video Display Unit used as the Human Machine Interface in a PCS system, as part of a console allocated to monitor and control a specific area within a facility.

Operator Console

One or more Operator panels and associated equipment dedicated to monitor and control a specific area within a facility.

Out-of-service

Plant state (Plant mode)

The state of an alarm during which the alarm indication is suppressed, typically manually, for reasons such as maintenance

A defined set of operational conditions for a process plant (e.g., shutdown, operating)

process response time

Time from completion of operator action to reversal of process direction.

process safety time

Period of time in which the process can be operated without protection and with a demand present without entering a dangerous condition. The Process Safety Time determines the dynamic response requirements of an IPF.

Operating Limit

Within the engineering constraints of the equipment the following limits and typical responses are defined (see figure below):

• Critical limits (permitted) – immediate action required

• Standard limits (acceptable) – action required to mitigate slow, cumulative degradation

• Target limits (desired) – related to optimisation

Note: Response time is more accurately defined as part of the process to define Alarm Priority. It is imperative that aspects of limits and constraints are identified. Limits may be from mechanical, process, quality, or operational constraints. This requires a disciplinary approach. A standard limit usually comes with a critical limit unless it can be demonstrated that there is no critical limit that can be exceeded. A detailed assessment of individual limits is required. Many critical limits, however, do not have associated standard limits.

Figure 1 Operating Limits

Rationalization

A structured process to review Alarm data, priorities, and response requirements in order to achieve the alarm system performance targets.

Rate-of-change alarm

An alarm generated when the change in process variable per unit time, (dPV/dt), exceeds a defined limit

Reset

The panel operator action that unlatches a latched alarm

Return to normal

The indication an alarm condition has transitioned to the normal state

Re-alarming alarm (Re-triggering alarm)

An alarm that is automatically re-annunciated to the panel operator under certain conditions

Safety alarm

An alarm that is classified as critical to process safety or the protection of human life


setting

The value as set in the device (e.g., a trip amplifier) to generate the notification at the desired limit.

Shelve

A mechanism, typically initiated by the panel operator, to temporarily suppress an Alarm

Silence

The panel operator action that terminates the audible alarm indication

Standing alarm

An alarm that is in the alarm state for a long time (in excess of the allowable time in exceedance for standard alarms or more than 24 hours for critical alarms). An alarm may be standing during maintenance, when it is spurious, i.e. not representing a genuine hazardous situation, or when the hazardous situation actually exists but has not been dealt with.

Suppression

Preventing one or more notifications from being annunciated to the panel operator if they are considered redundant or inappropriate.

suppression–static

Suppression of notifications that are associated with a facility or piece of equipment that is out of service. The out of service status of the unit/equipment makes associated notifications redundant if no hazardous situation could possibly arise from the limit being exceeded.

suppression–dynamic

Suppression of notifications resulting from an event (such as a facility trip) if the operating circumstances following the event make it impossible for a hazardous situation to arise from the associated limits being exceeded.

Tag (Point)

The unique identifier assigned to process measurement, calculation, or device within the control system

target

A value at which the variable is controlled to optimize performance.

target limit

The limits of the range that business and operating targets may be set within, due to reliability, stability or operability reasons

time in exceedance

Time during which the process may exceed a constraint without unacceptable consequences (if accumulated). The consequences will only occur if the (accumulated) time during which the process exceeds the constraint is longer than the time in exceedance. The time in exceedance is specific for each standard limit, i.e. standard limits do not necessarily have the same time in exceedance value.

Unacknowledged

A state in which the panel operator has not yet confirmed recognition of an alarm indication

variable

Property or condition which may be measured (instrumented or not). A variable may also be calculated from measured variables.
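The latching alarm, standing alarm and time in exceedance definitions above, applied to an alarm journal as an added example (not part of this philosophy). The event names ALARM/RTN/RESET, the tags, and the rule that a latched alarm clears only on a reset made after return to normal are assumptions; standing time is measured here as continuous time in the alarm state.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Threshold taken from the standing alarm definition for critical alarms.
CRITICAL_STANDING = timedelta(hours=24)


@dataclass(frozen=True)
class AlarmConfig:
    limit_class: str                                 # "critical" or "standard"
    latching: bool = False
    time_in_exceedance: Optional[timedelta] = None   # per standard limit


def active_since(events, configs) -> Dict[str, datetime]:
    """Replay the journal; return {tag: time the alarm state was entered}
    for every alarm still in the alarm state at the end of the journal."""
    active: Dict[str, datetime] = {}
    process_normal: Dict[str, bool] = {}
    for ts, tag, kind in sorted(events):
        cfg = configs[tag]
        if kind == "ALARM":
            active.setdefault(tag, ts)      # keep the first entry time
            process_normal[tag] = False
        elif kind == "RTN":                 # return to normal
            process_normal[tag] = True
            if not cfg.latching:
                active.pop(tag, None)
        elif kind == "RESET":               # operator unlatches the alarm
            if cfg.latching and process_normal.get(tag, False):
                active.pop(tag, None)
        else:
            raise ValueError(f"unknown event type {kind!r} for {tag}")
    return active


def standing_alarms(events, configs, now) -> Dict[str, timedelta]:
    """Return {tag: time in alarm state} for alarms that are standing at `now`."""
    result = {}
    for tag, since in active_since(events, configs).items():
        cfg = configs[tag]
        if cfg.limit_class == "critical":
            allowed = CRITICAL_STANDING
        else:
            allowed = cfg.time_in_exceedance
        if allowed is None:
            raise ValueError(f"{tag}: standard limit without time in exceedance")
        if now - since > allowed:
            result[tag] = now - since
    return result


# Constructed configuration and journal (illustrative tags, not from the MADB).
CONFIGS = {
    "PAHH-101": AlarmConfig("critical", latching=True),
    "TAH-202": AlarmConfig("standard", time_in_exceedance=timedelta(hours=2)),
    "LAH-303": AlarmConfig("standard", time_in_exceedance=timedelta(hours=4)),
    "FAL-404": AlarmConfig("critical"),
    "PAHH-505": AlarmConfig("critical", latching=True),
}
D1, D2 = datetime(2025, 1, 1), datetime(2025, 1, 2)
JOURNAL = [
    (D1.replace(hour=8), "PAHH-101", "ALARM"),
    (D1.replace(hour=8, minute=30), "PAHH-101", "RTN"),    # latched, never reset
    (D2.replace(hour=6), "TAH-202", "ALARM"),
    (D2.replace(hour=7), "LAH-303", "ALARM"),
    (D1.replace(hour=7), "FAL-404", "ALARM"),
    (D1.replace(hour=7, minute=10), "FAL-404", "RTN"),     # non-latching, clears
    (D1.replace(hour=6), "PAHH-505", "ALARM"),
    (D1.replace(hour=6, minute=20), "PAHH-505", "RTN"),
    (D1.replace(hour=6, minute=25), "PAHH-505", "RESET"),  # latched, then reset
]
NOW = D2.replace(hour=9)

if __name__ == "__main__":
    for tag, age in standing_alarms(JOURNAL, CONFIGS, NOW).items():
        print(f"{tag}: standing for {age}")
```
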


SECTION A – GENERAL

REFERENCE DOCUMENTS

International Codes and Standards

The following Codes and Standards shall form a part of this philosophy. When an edition date is not indicated for a Code or Standard, the latest edition in force at the time of the contract award shall apply.

AMERICAN PETROLEUM INSTITUTE

API RP 14C

Analysis, Design, Installation, and Testing of Basic Surface Safety Systems for Offshore Production Platforms

API RP 554

Process Control Systems (All parts)

ENGINEERING EQUIPMENT AND MATERIALS USERS ASSOCIATION

EEMUA-191

Alarm Systems – A Guide to Design, Management and Procurement

EEMUA-201

Control Rooms: A Guide to their Specification, Design, Commissioning and Operation

INTERNATIONAL ELECTRO-TECHNICAL COMMISSION (IEC)

IEC 61511

Functional Safety – Safety Instrumented Systems for the Process Industry Sector

IEC 62682

Management of Alarm Systems for the Process Industries

INTERNATIONAL SOCIETY OF AUTOMATION (ISA)

ANSI/ISA 18.2

Management of Alarm Systems for the Process Industries

ISA TR 18.2.2

Alarm Identification and Rationalization

ISA TR 18.2.3

Basic Alarm Design

ISA TR 18.2.4

Enhanced and Advanced Alarm Methods

ISA TR 18.2.5

Alarm System Monitoring, Assessment, and Auditing

ISA TR 18.2.6

Alarm Systems for Batch and Discrete Processes

INTERNATIONAL ORGANIZATION FOR STANDARDISATION (ISO)

ISO 9001

Quality Management Systems – Requirements

ISO 9004

Managing for the sustained success of an organization – A quality management approach

ISO 13702

Petroleum and Natural Gas Industries – Control and Mitigation of Fires and Explosions on Offshore Production Installations – Requirements and Guidelines


ISO 15544

Petroleum and Natural Gas Industries - Offshore Production Installations - Requirements and Guidelines for Emergency Response

ISO 19011

Guidelines for Auditing Management Systems

ADNOC Specifications

ADNOC COP IM-1.4

Operating Integrity

ADNOC HSE-GA-ST07

HSE Design Philosophy

ADNOC HSE-RM-ST05

Safety Integrity Levels (SIL) Determination

AHQ/UPS/PRD/STD/ 004/R00/20

Alarm Management

AGES-PH-04-001

Automation and Instrumentation Design Philosophy

AGES-PH-04-002

Control System Design (Graphic Rules & Functional Loops) Philosophy

AGES-SP-04-001

Process Control System Specification

AGES-SP-04-003

Fire & Gas System Specification

AGES-SP-04-004

Emergency Shutdown (SIS) System Specification

Other References

HSE UK CRR 166/1998

The Management of Alarm Systems

DOCUMENT PRECEDENCE

The specifications and codes referred to in this philosophy shall, unless stated otherwise, be the latest approved issue at the time of contract award.

It shall be the CONTRACTOR’s responsibility to be, or to become, knowledgeable of the requirements of the referenced Codes and Standards.

The CONTRACTOR shall notify the COMPANY of any apparent conflict between this philosophy, the related data sheets, the Codes and Standards and any other specifications noted herein.

Resolution and/or interpretation precedence shall be obtained from the COMPANY in writing before proceeding with the design/manufacture.

In case of conflict, the order of document precedence shall be:

UAE Statutory requirements

ADNOC HSE Standards

Equipment datasheets and drawings

Project Specifications and standard drawings

Company Specifications

National / International Codes and Standards


SPECIFICATION DEVIATION / CONCESSION CONTROL

Deviations from this philosophy are only acceptable where the CONTRACTOR/SUPPLIER has listed in his quotation the requirements he cannot, or does not wish to comply with, and the COMPANY/CONTRACTOR has accepted in writing the deviations before the order is placed.

In the absence of a list of deviations, it will be assumed that the CONTRACTOR/SUPPLIER complies fully with this philosophy.

Any technical deviations to the Purchase Order and its attachments including, but not limited to, the Data Sheets and Specifications shall be sought by the SUPPLIER only through Concession Request Format. Concession requests require CONTRACTOR’s and COMPANY’s review / approval, prior to the proposed technical changes being implemented. Technical changes implemented prior to COMPANY approval are subject to rejection.

PROCESS SAFETY REQUIREMENTS

Sr. No. Description

1 The alarm philosophy shall describe methods to minimise the number of alarms that are not significant for operations during abnormal situations.

2 All alarm and trip settings shall be within 10% to 90% of the relevant instrument ranges to ensure visibility of the success or failure of automatic or manual actions.

3 A Master Alarm Database (MADB) shall be created, including all associated data – ranges, setpoints, response times, and required operator actions.

3 Safety related alarms (credit taken for risk reduction), Safety system diagnostic alarms (component failure, mode change, forcing of Inputs/Outputs, first out, Deviation alarms on voted signals, final element discrepancy, etc.) shall be considered in compliance with IEC 61511.
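An added example, not part of this philosophy: a short Python audit of MADB rows against the requirements above that settings lie within 10% to 90% of the instrument range and that response times and operator actions are recorded. The row layout, field names, tags and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Band required by the process safety requirements: 10% to 90% of range.
BAND_LO, BAND_HI = 0.10, 0.90
EPS = 1e-9  # tolerance so a setting exactly on the boundary is accepted


@dataclass
class MadbRow:
    tag: str
    range_lo: float                   # instrument range, engineering units
    range_hi: float
    setting: float                    # alarm or trip setting, same units
    response_time_s: Optional[float]  # time available to the operator
    operator_action: str


def setting_fraction(row: MadbRow) -> float:
    """Position of the setting within the instrument range (0.0 to 1.0)."""
    span = row.range_hi - row.range_lo
    if span <= 0:
        raise ValueError(f"{row.tag}: instrument range is empty or inverted")
    return (row.setting - row.range_lo) / span


def audit_row(row: MadbRow) -> List[str]:
    """Return the list of findings for one MADB row (empty if compliant)."""
    findings = []
    try:
        frac = setting_fraction(row)
    except ValueError as exc:
        findings.append(str(exc))
    else:
        if frac < BAND_LO - EPS or frac > BAND_HI + EPS:
            findings.append(f"setting at {frac:.0%} of range, outside 10%-90%")
    if row.response_time_s is None or row.response_time_s <= 0:
        findings.append("response time missing")
    if not row.operator_action.strip():
        findings.append("operator action missing")
    return findings


def audit_madb(rows) -> Dict[str, List[str]]:
    """Audit every row; only tags with at least one finding are reported."""
    report = {}
    for row in rows:
        findings = audit_row(row)
        if findings:
            report[row.tag] = findings
    return report


# Constructed sample rows (illustrative tags and values).
SAMPLE_MADB = [
    MadbRow("PT-1001-HH", 0.0, 100.0, 95.0, 300.0, "Reduce feed rate"),
    MadbRow("TT-2002-H", -50.0, 150.0, 120.0, 600.0, "Check cooling water flow"),
    MadbRow("LT-3003-LL", 0.0, 5.0, 0.4, 120.0, "Stop export pump"),
    MadbRow("FT-4004-L", 0.0, 1000.0, 100.0, 900.0, "Check upstream valve"),
    MadbRow("AT-5005-H", 0.0, 14.0, 9.0, None, ""),
]

if __name__ == "__main__":
    for tag, findings in audit_madb(SAMPLE_MADB).items():
        print(tag, "->", "; ".join(findings))
```
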

DESIGN CONSIDERATIONS / MINIMUM DESIGN REQUIREMENTS

Engineering Units

Reference shall be made to Project Engineering Design basis for Units of Measure. For brownfield projects, units shall be followed as per existing plant’s design basis.


SECTION B – TECHNICAL REQUIREMENTS

ALARM MANAGEMENT ORGANISATION

Leadership and Commitment

Effective Alarm Management is critical to safe and efficient operations. Adequate resources shall be allocated to this by senior management. This shall include commitment and allocation of personnel, services, documentation, and alarm management systems, supported, and underpinned by this ADNOC Standard. In a company or Asset where it is considered a strategic priority to drive Alarm management performance improvement, best practice is to appoint a senior sponsor, whose role is to lead the improvement effort by requesting priority, resources, plans and performance tracking.

Roles and Responsibilities

Roles and Responsibilities RACI (R-Review, A-Approve, C-Consult, I-Info) matrix for Alarm management across the asset life cycle shall be clearly defined and documented, including the requirement for the involvement of operations in the alarm design process. Clear Alarm system performance criteria shall be specified and incorporated into Project handover assurance procedures.

At every operational facility, an Alarm Focal Point role shall be assigned to an individual or team who has responsibility for meeting Alarm Management performance objectives by managing and coordinating the overall alarm management process. In addition, where applicable, it is recommended best practice to establish an Alarm Management Committee at the Asset level to provide leadership and oversight. These two roles are further defined below.

7.2.1 Alarm Focal Point

The purpose of the alarm Focal Point Role is to provide the day-to-day management of the alarm systems and to ensure consistency of operation across all alarm systems.

Specifically, the alarm Focal Point should:

Lead the alarm optimisation process (see section 13.4.2)

Interface with ongoing projects with scope that impacts new or existing alarms; ensure alarm systems are implemented as per Alarm Philosophy.

Plan and schedule Alarm optimisation and alarm Rationalisation exercises, based on Alarm performance analysis

Define actions to address standing alarms and testing failures

Responsible for Alarm performance monitoring and reporting

Interface with ICSS SUPPLIER support representatives in all matters pertaining to Alarm performance

Take ownership of the MADB, Alarm Response procedures and Alarm Management systems

Manage the Alarm auditing and review process

Manage the Alarms MOC processes

Seek ways of continually improving the operation of alarm systems


The alarm Focal Point should put into practice the objectives of the alarm management committee and report the progress or otherwise of any of these objectives back to the committee.

7.2.2 Alarm Management Committee

It is industry best practice and thus recommended, that every operational facility appoints an Alarm Management Committee.

The committee has the overall objective of ensuring the safe and effective operation of all control room alarm systems through the allocation and implementation of the necessary processes and resources. Responsibilities include:

Performing an assessment of the overall alarm performance and driving continuous improvement.

Providing support and leadership to the Alarm Focal Point and the overall process.

Review and approval of additional resources if required.

Reviewing any requirements for changes to the alarm management processes, standards or any associated engineering specifications.

Ensuring that there are satisfactory arrangements for specifying new alarms introduced via all projects and maintenance modifications.

Reviewing the performance of the alarm systems against the defined KPIs.

Ensuring appropriate training is provided.

Defining the policy for any remedial/upgrade work to existing alarm systems.

Learning and sharing lessons and new knowledge relating to alarm systems and external incidents.

Setting up any working parties as necessary to carry out specific tasks or projects.

Define requirements for any local improvement programmes via ongoing optimisation processes and planned rationalization projects.

Drive, promote & approve local AGC alarm management procedure/guideline, as applicable.

Ensure training programs and budgets are available.

The Committee should be chaired by the alarm Focal Point (or process control team), and include process engineering SMEs, instrument and control automation engineers and operations team leads.

A local RACI should be defined.

Typically, the steering committee workflow should be as illustrated in Figure 2 below. Local site variations may occur.


Figure 2 Alarm Management Committee

ALARM MANAGEMENT LIFECYCLE

Alarm Management Lifecycle Model

Figure 3 illustrates the Alarm Management Lifecycle and is consistent with the requirements of IEC 62682/ISA 18.2.

Figure 3 Alarm Life Cycle Model


It presents the relationship between the stages of the alarm management lifecycle. The alarm management lifecycle covers alarm system specification, design, implementation, operation, monitoring, maintenance and management of change activities from initial inception through decommissioning. The lifecycle model is useful in organizing the requirements and responsibilities for implementing an alarm management system.

The lifecycle approach is applicable for new alarm systems as well as for existing systems. This standard provides additional guidance and requirements on operational performance monitoring, management and rationalization in Sections 11, 12 and 13.

Alarm Management Lifecycle Stages

The alarm management lifecycle stages illustrated in Figure 3 are briefly described in the following sections, and further detailed in sections 9 to 14.

8.2.1 Alarm Philosophy (A)

Each ADNOC Project with a process control scope shall document a project specific Alarm Philosophy, fully aligned with the definitions and requirements stated in this philosophy. For new systems, the alarm philosophy serves as the basis for the “Alarm System Requirements Specification (ASRS)” document. The ASRS shall preferably be one specific document addressing all the requirements of Alarm System.

The philosophy starts with the basic definitions and extends them to operational definitions. The criteria for alarm prioritization and the definition of alarm classes, performance metrics, performance limits and reporting requirements are based on the objectives and principles for alarm systems. The schemes for the presentation of alarm indications in the HMI, including use of priorities, should be consistent with the overall HMI design. The philosophy specifies the processes used in alarm management lifecycle stages. The alarm philosophy needs to be maintained to ensure consistent alarm management throughout the lifecycle of the alarm system.

8.2.2 Identification (B)

The identification stage is to identify all the potential alarms through various design processes such as process hazards analysis, safety requirements specifications, recommendations from an incident investigation, good manufacturing practice, environmental permits, P&ID development or operating procedure reviews. Information from identification (e.g., alarm set point, consequence) should be captured for rationalization. Process modifications and operating tests can also generate the need for alarms or modifications. Some alarm changes will be identified from the routine monitoring of alarm system performance. At this stage, the need for a new alarm or modifications to an existing alarm has been identified and the MADB shall be created and made available to be rationalized. The MADB will be updated and maintained once rationalization is completed.

8.2.3 Rationalization (C)

The rationalization process in the Design and Construct phase of a new system or modification reconciles the necessity of specific alarms in due consideration with alarm design principles and definitions in the alarm philosophy. Rationalization is the process of reviewing the requirement of an alarm and generating the supporting documentation such as the purpose, the consequence and corrective action that can be taken by the panel or plant operator. Rationalization includes the prioritization of an alarm (section 10.5) and confirmation of the Alarm attributes (section 10.3/10.4). The rationalization results are documented in the MADB, which is maintained for the life of the alarm system and subject to management of change.


8.2.4 Detailed Design (D)

In the detailed design stage, the output from the rationalisation process and the MADB are incorporated into the detailed design package. There are three areas of design: basic alarm design, HMI design, and design of advanced alarming techniques. The basic design for each alarm is derived from the MADB. The HMI design includes display and annunciation for the alarms, including the indications of alarm state and alarm priority. Advanced alarming techniques are additional functions that improve the effectiveness of the alarm system beyond the basic alarm and HMI design (e.g., state-based alarming, dynamic suppression etc.)

8.2.5 Implementation (E)

In the implementation stage, the activities necessary to install an alarm or alarm system and bring it to operational status are completed. Implementation of a new alarm or a new alarm system includes the physical and logical installation and functional verification of the system. Since panel operators are an essential part of the alarm system, panel operator training is an important activity during implementation. Testing of new alarms is often an implementation requirement.

8.2.6 Operation (F)

In the operation stage, the alarm or alarm system is in service, and it performs its intended function. Refresher training on both the alarm philosophy and the purpose of each alarm is to be considered in this stage.

8.2.7 Maintenance (G)

In the maintenance stage, the alarm or alarm system is not operational but is being tested or repaired. Periodic maintenance (e.g., testing of instruments) is necessary to ensure the alarm system functions as designed.

8.2.8 Monitoring and Assessment (H)

In the monitoring and assessment stage, the overall performance of the alarm system and individual alarms are continuously monitored against the performance metrics and KPIs stated in this alarm philosophy. Regular Bad Actor alarm review exercises and Alarm Optimisation exercises are carried out to ensure Alarm performance continues to meet the performance standard. Full alarm rationalisation projects may be initiated if Alarm performance has deteriorated to the “overloaded” state (see section 13, 14 and APPENDIX A3). Guideline requirements are detailed in subsequent sections.

Monitoring and assessment of the data from the operation stage will trigger maintenance work or identify the need for changes to the alarm system or operating procedures. Without monitoring, the performance of an alarm system is likely to degrade over time.

8.2.9 Management of Change (I)

Any modifications or changes to notifications that require update of the MADB shall follow an approved MOC process which ensures risk assessment and technical approvals. The MOC process should follow each of the alarm management lifecycle stages from identification to implementation. It can be an MOC process specific to the Alarm System, or it can be combined with a broader technical MOC process.

8.2.10 Audit (J)

Audit stage ensures periodic reviews are conducted to evaluate the effectiveness of the alarm management process and maintain the integrity of the alarm system. Audits of system performance can reveal gaps not apparent from routine monitoring.


Execution against the alarm philosophy is audited to identify system improvements including modifications to the alarm philosophy.

Alarm Management Lifecycle Stage Requirements

The table below captures all the Alarm Management Lifecycle stages together with respective stage requirements detailing the activities involved, inputs required, outputs generated, and the responsible entities for the given stage.

Table 8.1 Alarm Management Lifecycle Stages Requirements (Based on ISA 18.2)

Stage A: Philosophy – Project/Site (Note-a)
Stage Activities: Develop Project/Site specific philosophy (Supplementing this philosophy)
Stage Input Requirements: Objectives (Specific), Site Alarm Management Operational Procedures
Stage Outputs: Project/Site Alarm Management Philosophy
Responsibility: FEED Consultant / CONTRACTOR and COMPANY’s Project Engineering Team (feedback from Site Operations Team shall be taken)

Stage B: Identification (Note b, c)
Stage Activities: Identify Potential Alarms
Stage Input Requirements: This Philosophy, Project Alarm Management Philosophy, P&IDs & PHA reports, Standards, Operating Procedures
Stage Outputs: Potential Alarms List
Responsibility: FEED Consultant / CONTRACTOR and COMPANY’s Project Engineering Team

Stage C: Rationalization (Note-c)
Stage Activities: Alarms Rationalization, Prioritization, Classification
Stage Input Requirements: This Philosophy, Project Alarm Management Philosophy, P&IDs & PHA reports, HAZOP and SIL Reports, Standards, Operating Procedures
Stage Outputs: Master Alarm Database (MADB)
Responsibility: CONTRACTOR and COMPANY’s Project Engineering Team and Site Operations Teams, Qualified Facilitator

Stage D: Detailed Design (Note-c)
Stage Activities: Develop Alarm System Requirements Specification (ASRS) covering functional and HMI requirements
Stage Input Requirements: This Philosophy, Project Alarm Management Philosophy, MADB
Stage Outputs: ASRS
Responsibility: CONTRACTOR/Alarm System SUPPLIER and COMPANY’s Project Engineering Team

Stage E: Implementation (Note-c)
Stage Activities: Install, test Alarm systems and training
Stage Input Requirements: This Philosophy, Project Alarm Management Philosophy, MADB, ASRS
Stage Outputs: Alarm System with Operational Alarms, Installation, Operation and Maintenance (IOM) Manuals
Responsibility: CONTRACTOR/Alarm System SUPPLIER and COMPANY’s Project Engineering Team and Site Operations / Maintenance Team (Note-e)

Stage F: Operation (Note-d)
Stage Activities: Operator responds to alarms
Stage Input Requirements: This Philosophy, Project Alarm Management Philosophy, MADB, IOM manuals
Stage Outputs: Alarms Data
Responsibility: COMPANY’s Site Operations Team

Stage G: Maintenance (Note-d)
Stage Activities: Periodic Testing, Out-of-service, Equipment Repair/Replacement
Stage Input Requirements: This Philosophy, Project Alarm Management Philosophy, MADB, IOM manuals, Diagnostic Alarms
Stage Outputs: Alarm records, Alarm System Maintenance Logs (including lessons learned)
Responsibility: COMPANY’s Maintenance/Operations Team

Stage H: Monitoring & Assessment (Note-d)
Stage Activities: Monitoring alarm data and report performance
Stage Input Requirements: This Philosophy, Project Alarm Management Philosophy, Alarm records, Alarm System Maintenance Logs (including Lessons Learned), Alarm Management System
Stage Outputs: Alarm Assessment Reports (Note-f)
Responsibility: COMPANY’s Operations Team

Stage I: Management of Change (Note-d)
Stage Activities: Process to authorize changes in the alarm systems
Stage Input Requirements: Audit/Survey Report Gap Analysis Report, MOC procedure
Stage Outputs: MOC Implementation Records/Reports
Responsibility: As per COMPANY’s MOC Procedure

Stage J: Audit (Note-d)
Stage Activities: Audit of alarm management processes
Stage Input Requirements: This Philosophy, Project Alarm Management Philosophy, Standards
Responsibility: COMPANY

Notes:

a. Project/Site specific Alarm Management Philosophy is recommended to be developed during FEED by the consultant. This stage shall primarily capture the project/site specific requirements pertaining to the Alarm System / Management. As a norm, FEED documents shall be revisited during EPC/Detail Design stage of the project.

b. “Potential Alarms List” is not required to be developed as a separate document during FEED stage. Alarms should however be reflected in the FEED deliverables like P&ID, Specifications, etc. Alarms should also be reflected in the system I/O list. During EPC/Detail Design stage “Potential Alarms List” shall be developed by the CONTRACTOR. As a norm, FEED documents shall be revisited and modified during EPC/Detail Design stage of the project.

c. Stage(s) primary responsibility is with Consultant/CONTRACTOR.

d. Stage(s) primary responsibility is with COMPANY.

e. Formal handover of the Alarm Systems to COMPANY’s Operations Team shall only be undertaken after successful execution of works in “Stage-E: Implementation”. Primary deliverables that are required to be provided to COMPANY’s Operations Team during handover include updated MADB, ASRS, and IOM Manuals.

f. Alarm Assessment Reports should include the following: Tabulation of Alarm System Target KPIs Vs Achieved Performance (averaged over 30 days period), Alarm Lists (depicting specific instances of nuisance, shelving/suppression, etc. if required), Alarm & Trip Set Point List, Maintenance Logs & Lessons Learnt, Graphic Print-out, P&IDs, etc. Requirements of ISA TR 18.2.5 Section 5.11 - Report design, should be used as guidance for generating alarm assessment reports.

ALARM PHILOSOPHY

This section is intended to align all ADNOC Group Companies on the principles, standard terms and definitions of Alarm System Management. This alignment is critical to achieving consistency, performance measurement and continuous improvement across the ADNOC Group. It does not replace the requirement to document a specific Alarm Philosophy for each project and operating asset which complies with these broad guidelines.

Role of Alarm System in Managing Abnormal Situations

The panel operator continuously monitors and controls the process back to operating targets to prevent the occurrence of abnormal situations.

The role of the alarm system is to notify panel operators of the exceedance of any defined critical, standard or target limits or the condition when the process is not behaving as expected or when other threats have impacted operations.

The notifications are designed to initiate documented, predefined panel operator responses to the abnormal situation, either to bring the process back to the targets or to prevent exceedances of equipment constraints. The panel operator is empowered to manage abnormal situations through actions that stabilize, slow down or shut down the process.

Alarms

Alarms are designed for each operating location based on the business type, the Hazards and Effects particular to the process, the operating philosophy, (e.g., continuously manned, partially manned or unmanned) and the automation systems deployed (e.g., PCS or SCADA). It is important that unnecessary Alarms do not contribute to overloading of the panel operator.

9.2.1 Definition of Alarms

ISA-18.2 defines an Alarm as “an audible and/or visible means of indicating to the panel operator about an equipment malfunction, process deviation or abnormal condition requiring an operator response”. Alarms are used to annunciate the impending process variable or equipment operating limit exceedances. A defined operator action is required as part of the HSE barrier counting to manage the risk to ALARP (As Low as Reasonably Practicable). An Alarm is used to attract the attention of the panel operator to significant changes that will require timely assessment and action. It will provide a layer of protection against loss, whether safety, environmental or financial.

From this definition, an Alarm:

Requires audible and visible annunciation.

Indicates an equipment malfunction, process deviation, or abnormal condition.

Requires a response from Panel Operator.

The panel operator actions are not limited to merely acknowledging the alarm; rather they should either restore the process back into normal operating envelopes or ensure that equipment/instruments are attended to so that they are in healthy operating condition. A notification that has no associated panel operator action as stated above shall be considered as a message (sometimes called “journal”) and logged in the system for any post-event analysis or to be used as historical data.

Alarm Sources

Control systems annunciate process deviations, abnormal conditions and faults in the hardware/software that make up the system.

The basic alarm design process may differ based on the source of the alarm. Alarms are initiated from various sources in a control system. These include:

I/O infrastructure

ICSS

HMI

Advanced alarm applications

Sub-systems/SUPPLIER packages

Note that the adoption of smart field devices and the interconnection between components of a control system have exacerbated the potential for Alarm overload.

Generating duplicate alarms for a single abnormal condition can negatively affect panel operator performance. For example, a transmitter failure alarm could be initiated from the field device, the I/O module, the PCS controller, or the application logic in the control system (input block, controller block, output block, separate alarm block, etc.). A single instrument diagnostic alarm often propagates through the control logic producing multiple, simultaneous alarms for this single deviation.

Operating Constraints, Limits, and Settings

Before defining any alarms, it is necessary to determine the limits upon which these will be based. This standard adopts a simple, straightforward work process to define operating limits with a strict nomenclature to achieve a standard approach to Alarm Management.

9.4.1 Constraint

An identified restriction on the equipment, such as design pressure or temperature of a vessel, which constrains (i.e., restricts) the operation of the equipment. There are usually several constraints.

9.4.2 Limits

The critical, standard or target limit of a variable (pressure, temperature, pH, etc.) associated with an instrument, equipment, facility, or site. If the variable exceeds the limit a notification is generated. A limit is expressed in the same engineering units as the process variable. Critical and standard limits shall be controlled under MOC.

9.4.3 Settings

The limit is used to calculate the setting of a device (e.g., trip amplifier) that generates the notification. The setting may be in the engineering units of the device (e.g., mA) or in the engineering unit of the process variable (e.g., the alarm setting of a variable in the PCS).

Managing Standing Alarms

Alarms that remain in the BPCS Alarm Summary for time periods that exceed the “allowable time in exceedance” or the time to respond to the abnormal situation fade rapidly from the panel operator’s awareness. Their presence in the Alarm Summary may interfere with the recognition of new alarms, and as such should be minimised. The number of standing alarms shall be monitored (see section 14 “Alarm Monitoring and KPIs”), and regular initiatives taken to reduce the number to <10, which is the benchmark considered to be manageable.

Alarm shelving techniques should be employed to temporarily remove standing alarms.

Static/dynamic alarm suppression or mode-dependent techniques should be used to reconfigure alarm settings for process areas that are confirmed to be out of service. In this case, alarm notifications do not constitute an abnormal situation.

Refer to Section 13.6 for more information on shelving and suppression.

Managing Update of MADB

The alarm system is the first of several engineered barriers that act when the process has exceeded the normally defined region for stable, safe and profitable production. Their integrity as a barrier depends on the alarm configuration, i.e., settings and priorities, being unchanged from the approved values.

The MADB shall be updated manually. Automatic update of setpoints to the PCS shall not be encouraged.

Alarm Management Philosophy Document

An Alarm Management Philosophy is a comprehensive guideline for the development, implementation, and modification of alarms. It provides the basis for alarm selection, priority setting, configuration, response, handling methods and system monitoring.

This document shall be the guideline for project specific “Alarm Management Philosophy” document. Table 9.2 below provides typical content requirement as per EEMUA 191.

Table 9.1 Typical Content-Alarm Management Philosophy Document (Ref. EEMUA 191)

Alarm Management Philosophy Document

• Allocation of roles and responsibilities for design of the alarm system, including what user involvement there is to be

• Identification of the alarm system users and their needs

• A definition of what an alarm should be

• A definition of the safety role of the alarm system

• Define how any alarms claimed to contribute to safety cases are to be registered (e.g., a list of safety-related alarms)

• Definitions of alarm system performance targets (e.g., maximum rates)

• Rules for prioritization of alarms

• Checklist for designers on the information to be recorded for each alarm

• Dictionary of terms and abbreviations to be used in alarm messages

• Guidance to sub-contractors on the design of alarms (where appropriate)

• Guidance on content and structure of alarm response definitions (e.g., procedures, task aids, etc.)

• Guidance on interpreting patterns of alarms, and their grouping, suppressing and acceptance (where appropriate)

• Guidance on alarm system configuration

• Guidance on establishing alarm equipment test frequencies

ALARM IDENTIFICATION

The alarm identification stage of the alarm management lifecycle involves generating the initial list of potential alarms for a given project, which shall be based on the following project-associated documents:

P&IDs

PHA reports, inclusive of HAZOP, HAZID, SIL Assessment, etc.

Project applicable Standards/References requirements

Specific facility/site requirements/practice

Facility/site investigation/study reports

The initial list of potential alarms should contain the following information for each potential alarm which is required for the next stage of the alarm management lifecycle, i.e., alarm rationalization:

Consequence threshold

Operator response

Consequence of inaction

Probable cause

Basis for the consequence threshold

Alarm Design Principles

The purpose of an alarm system is to direct the panel operator’s attention towards plant conditions requiring timely assessment or action.

Poor design and configuration practices are a leading cause of alarm management issues.

Frequent nuisance alarms can desensitize the panel operator, leading to the missing of important alarms. Some events will contribute to an increased level of stress that can negatively impact the panel operator’s performance.

Whatever its source, every alarm should be justified (safety, environmental or business needs), properly engineered and be consistent with the overall alarm philosophy and plant risk assessment.

An alarm system should be explicitly designed to take account of human limitations.

The characteristics of a good alarm as defined in EEMUA PUBLICATION 191 are listed in Table 10.1 below.

Table 10.1 Good Alarm Definition

| Characteristics | Description |
|---|---|
| Relevant | Not of low operational value or spuriously occurs |
| Unique | Not duplicating with another alarm |
| Timely | Not too early before any response is needed or too late to do anything |
| Prioritized | Indicating the importance for the operator to deal with the problem |
| Understandable | Having a message which is clear and easy to understand |
| Diagnostic | Identifying the problem that has occurred |
| Advisory | Indicative of the action to be taken |
| Focusing | Drawing attention to the most important issues |

Alarm Types

Various types of alarms are configured as part of the control system based on the requirement to manage the plant effectively and efficiently within the normal operating window. Some examples of typical alarm types are listed in Table 10.2. More detail is provided in APPENDIX A2 around the purpose of their configuration, and a more definitive list and explanation of alarm types for the purpose of design can be found in ISA-TR18.2.3.

Table 10.2 Example Alarm Types

| Alarm Type | Description |
|---|---|
| Process alarms / Absolute alarm | To warn if a process variable is exceeding a defined limit. Process alarm associated with a trip setting e.g., HH, LL |
| Fire & Gas alarms | To warn activation of F&G system (example of absolute alarm) |
| ESD/Safety System Alarms | To warn activation of ESD or Trips (example of absolute alarm) |
| Deviation alarm | Reports difference >5% of the calibrated range between different transmitters monitoring the same variable. |
| Rate of change alarm | Reports rate of change of a process parameter within a time period. |
| Discrepancy alarm & System diagnostic alarms | Reports if a piece of equipment or device is in a different state than commanded or expected. |
| Instrument diagnostic alarms | Reports performance of the individual instruments and un-expected variance. |
| Bad measurement alarms | The control system logic reports when process measurements are outside of the expected range. The fault could be because of the instrument itself and could cause a cascade of others. |
| Adjustable alarms | Alarms which the panel Operator can adjust the set point of manually (usually after MOC). |
| Adaptive alarms | Used where an alarm set point must be continuously modified based on process conditions. |
| First out alarms (first-up) | This is an alarm type used to determine which alarm condition was ‘first’ in a multiple alarm situation. |
| Common alarms (group alarms, common trouble alarms) | The sensors are not individually alarmed but instead initiate a single alarm common to all the alarm points. Common alarm – is often implemented for some skid-based sub-systems where the details of individual deviations are not relevant to the panel operator and notification of a generic equipment problem is sufficient. (Such systems do exist but are discouraged in new systems). |
| Discrete alarms | A discrete alarm is initiated with on/off status. Digital I/O points (discrete inputs from field devices/sensors or the discrete commands sent to field equipment) are a common source used for discrete alarming. |

All Alarm types can be grouped into Alarm Class and Alarm Category for ease of display and to assist in the Rationalisation process (See section 10.4)

Alarm Attributes

10.3.1 Alarm Set point

The careful selection of an appropriate set point value for an alarm has a large impact on the overall effectiveness of alarm management. An inappropriate alarm limit setting can cause alarms:

To be triggered when not necessary

Not to be triggered when necessary

Alarm set points should be defined sufficiently far away from the consequence threshold in order for the plant operator to have adequate time to respond. Alarms configured too close to the normal operating condition will trigger nuisance alarms as a result of normal process variation.

A common mistake in creating alarms is to configure alarm set points based on rules of thumb relative to the engineering range of the point in the control system. An example is configuring the set points for High-High, High, Low, and Low-Low as 90%, 80%, 20%, and 10% of range respectively.

This results in alarm set points that do not properly take into account the following (See Figure 4):

Time the plant operator has to respond.

Process variable’s rate of change.

Process dead time.

Figure 4 Alarm Processing

The allowable plant operator response time needs to take process dead time into account, so that the process can respond before the consequence threshold is crossed.

However, many factors influence both the operator response and the return of the process to normal, as detailed below:

Operator awareness and training

Operator workload

Complexity of determining the operator action

Complexity of the operator action

Measurement accuracy

Alarm on-delay

System processing speed

HMI design and clarity

Process dead time is influenced by the following:

i. System processing speed

ii. Final element response time

iii. Process dynamic response

The actual response time for the alarm is the time beginning when the alarm is annunciated and ending when the operator takes the corrective action. The upper limit of the response time is the allowable response time for the operator, the point beyond which the consequence will occur even if action is taken.

Hence, the allowable operator response time will be based on process dead time, the rate of change of the process variable and the separation between the alarm set point and the consequence threshold.

10.3.2 Alarm Dead-Band

Alarm dead-band is a function used to reduce the number of times an alarm triggers for a given abnormal condition. It prevents an alarm from returning to normal until the process variable has moved outside the dead band. Alarm dead band can be used to address the common problem of chattering alarms, which is a type of nuisance alarm.

If misapplied, alarm dead band can also prevent an alarm from returning to normal when the process state is normal, causing another common alarm problem known as ‘standing’ alarms. Hence, the alarm dead-band should be cautiously configured. Dead bands are normally configured as a percentage of the instrument calibration range.

Alarm dead-band should be determined with consideration to alarm set points. The general guideline as per HSE UK CRR 166/1998 is listed in Table 10.3.

Table 10.3 HSE UK CRR 166/1998 Defined Dead-Band

| Signal Type | Dead-Band (% of Calibration Range) |
|---|---|
| Flow | ~ 5% |
| Level | ~ 5% |
| Pressure | ~ 2% |
| Temperature | ~ 1% of span or 2°C – whichever is less |

10.3.3 Alarm On-Delay and Off-Delay

In the control system configuration, on-delay and off-delay timers are used for reducing chattering and fleeting alarms. The on-delay prevents the initial annunciation of an alarm for a specified number of seconds. If the alarm clears during that time, it is never annunciated at all. The off-delay immediately annunciates an alarm, but when the alarm clears, the cleared condition is not put into effect for the specified number of seconds. If the alarm re-occurs during that interval, the cleared condition is never made known, and the alarm simply persists.

A fleeting alarm is a transition between the alarm state and the normal state in a short period of time, but which does not immediately repeat. If the transitions repeat, the alarm is called a chattering alarm.

On-delays may be effective against both fleeting and chattering alarms. Off-delays may be effective against chattering alarms, but do not reduce fleeting alarms. These methods are recommended after a proper alarm dead-band has been applied but the chattering or fleeting condition persists. Further, applying an on-delay timer needs to be considered carefully as this will reduce operator response time. Alarm on-delays of more than 30 seconds to a minute must be applied with considerable care.

It is the process conditions and the sensing hardware that result in chattering and fleeting behaviour, and root cause investigation might find installation or hardware problems. Implementation of delay times is not a substitute for identifying and fixing the root cause of such problems.

The general guideline provided by HSE UK CRR 166/1998 is listed in Table 10.4.

Table 10.4 On-Delay / Off-Delay

| Signal Type | Delay Time (On or Off) |
|---|---|
| Flow | ~ 15 seconds |
| Level | ~ 60 seconds |
| Pressure | ~ 15 seconds |
| Temperature | ~ 60 seconds |
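The dead-band and delay behaviour described in 10.3.2 and 10.3.3, as an added example that is not part of this specification or of any control system vendor's implementation: a high-alarm comparator with dead-band, on-delay and off-delay replayed over constructed PV traces. The class and function names, the 0-100 calibration range, the set point of 80 and the traces are assumptions; the 2% dead-band and 15 second delays are the pressure guideline values from Tables 10.3 and 10.4.

```python
from dataclasses import dataclass


@dataclass
class HighAlarm:
    setpoint: float         # engineering units
    deadband: float = 0.0   # condition clears only below setpoint - deadband
    on_delay: int = 0       # seconds the condition must persist before annunciation
    off_delay: int = 0      # seconds the condition must stay clear before return to normal


def run(alarm, samples, dt=1):
    """Replay a PV trace (one sample every dt seconds) through the alarm.

    Returns a list of (t_annunciated, t_returned_to_normal) tuples; the second
    element is None when the alarm is still standing at the end of the trace.
    """
    events = []
    raw = False      # comparator output after dead-band
    active = False   # annunciated state after the delay timers
    pending = 0      # seconds for which raw has disagreed with active
    start = None
    for i, pv in enumerate(samples):
        t = i * dt
        if raw and pv < alarm.setpoint - alarm.deadband:
            raw = False
        elif not raw and pv >= alarm.setpoint:
            raw = True
        if raw == active:
            pending = 0          # the change reverted before the timer expired
            continue
        delay = alarm.on_delay if raw else alarm.off_delay
        if pending < delay:
            pending += dt
            continue
        active, pending = raw, 0
        if active:
            start = t
        else:
            events.append((start, t))
    if active:
        events.append((start, None))
    return events


# Constructed traces, 1 sample per second, calibration range 0-100, high alarm at 80.
CHATTER = [78, 80.5, 79.5, 80.4, 79.6, 80.6, 79.4, 80.5, 79.5, 80.3, 79.7, 78, 76] + [75] * 20
FLEETING = [70, 70, 82, 83] + [70] * 30      # one 2-second excursion
SUSTAINED = [70, 70] + [85] * 60             # genuine deviation that needs a response


def compare():
    """Run each trace against the settings discussed in 10.3.2 and 10.3.3."""
    return {
        "chatter_plain": run(HighAlarm(80), CHATTER),
        "chatter_deadband_2pct": run(HighAlarm(80, deadband=2.0), CHATTER),
        # Misapplied dead-band: the PV settles at 75 but the alarm never clears.
        "chatter_deadband_10pct": run(HighAlarm(80, deadband=10.0), CHATTER),
        "chatter_off_delay_15s": run(HighAlarm(80, off_delay=15), CHATTER),
        "fleeting_plain": run(HighAlarm(80), FLEETING),
        "fleeting_on_delay_15s": run(HighAlarm(80, on_delay=15), FLEETING),
        "fleeting_off_delay_15s": run(HighAlarm(80, off_delay=15), FLEETING),
        "sustained_plain": run(HighAlarm(80), SUSTAINED),
        # The on-delay is taken straight out of the operator's response time.
        "sustained_on_delay_15s": run(HighAlarm(80, on_delay=15), SUSTAINED),
    }


if __name__ == "__main__":
    for name, events in compare().items():
        print(f"{name:24s} activations={len(events)} {events}")
```

The 10% dead-band case leaves a standing alarm although the process has returned to 75, and the on-delay case annunciates the sustained deviation 15 seconds later than the undelayed alarm.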

Categorisation, Classification and Grouping of Alarms

Assigning all types of alarms to categories and classes assists the alarm rationalization process and facilitates effective management of the alarm. Certain classes of alarms may have special testing, training, MOC, reporting or reliability requirements. Classification provides a way to consistently assign requirements and then support verification that the requirements have been met. The criteria for each alarm class should be defined in the alarm philosophy, including which alarm classes are highly managed. Assigning a recommended alarm class is usually undertaken as part of the rationalization process.

Classifications of alarms facilitate a clear identification of each alarm in a hierarchical way. This also facilitates consistency in the prioritization and rationalization assessment.

10.4.1 Alarm Categorization

It is recommended to categorise alarms as follows:

HMA (highly managed alarms) and further subcategorized as:

i. SRA (Safety Related Alarm)

ii. MA (Mitigation Alarm)

iii. CFA (Critical Fault Alarm)

Non-HMA (highly managed alarms)

The Highly managed alarms (HMA) require a higher degree of integrity (in both hardware and human response) and accordingly additional requirements related to design, maintenance, operation and management are to be considered.

Safety Related Alarm (SRA)

Safety Related Alarms associated with a manual response will contribute significantly to managing the risk associated with Personnel (safety), Asset and Environmental risk. SRAs shall be assigned with the highest priority level and shall be periodically proof tested.

The following alarms are typically considered as SRA:

Alarms that are formally documented as providing a quantified risk reduction e.g., alarms identified during HAZOP as a safeguard.

Alarms that are considered as an additional layer of Protection in SIL review.

Alarms that can prevent major plant disturbance such as loss of critical utilities. E.g., cooling water, fuel gas pressure, instrument air pressure, critical power supplies, and fire water main pressure. A list of all such alarms should be reviewed and agreed during the Rationalization process.

Mitigation Alarm (MA)

Mitigation alarms indicate that a safety or environmental hazardous event has already occurred and therefore requires an immediate or emergency response to mitigate potential consequences of the hazard. The following alarms are typically considered as MAs:

Fire detection alarms (High High)

Flammable gas detection alarms (High High)

Toxic gas detection alarms (High High)

Manual call point activation alarms

Fire Suppression system activation alarm

Oxygen deficient atmosphere alarms

Safety shower or eyebath activation alarms

Imminent collision detection alarms

MAs should be assigned the highest priority level and should be periodically proof tested.

Critical Fault Alarm (CFA)

Critical Fault alarms are those providing a warning that a safety system or risk reduction system or a component of the same is faulty and could result in potentially increased operational risk. The following alarms are typically considered as CFAs:

Unavailability of the emergency system e.g., loss of pressurization of Equipment Room/IES etc.

Unavailability or failure of multiple F&G detectors.

Degraded redundancy in an ESD or F&G logic solver.

Unavailability of emergency systems (e.g., firewater pumps, NOVEC).

Control or protective systems running on batteries.

Dangerous ESD/SIF failure (e.g., partial stroke test failure and SIF instrument failure diagnostic).

Fault/Bad PV on the devices that initiates Safety-related alarms.

10.4.2 Alarm Classes

Assigning classes to alarms can facilitate segregation of an alarm for easy identification and for efficient management of the alarms and is a recommended good practice. Different BPCS SUPPLIERs may use different names and formats for Alarm Class.

The following four alarm classes, listed in Table 10.5, should be clearly defined as a minimum.

Table 10.5 Alarm Classes

| Alarm Class | Class Assignment |
|---|---|
| Process Alarm | Process (Note: Avoid “P” since this is used to denote priority) |
| Fire and Gas | FG |
| ESD/Safety System Alarms | SS |
| Other Alarm Types | Other |

Other alarm classes that may or may not be assigned are:

Package alarms

Marine system alarms

Telecommunication system alarms

Machine Monitoring system alarms (rotating equipment)

Electrical alarms

Weather monitoring alarms

Discrepancy alarms

Permissive alarms

Deviation alarms

Controls and Instrumentation systems alarms

Bad Quality alarms

Bit pattern alarms

Calculated alarms

Rate of Change alarms

Recipe driven alarms

First-up alarms

ZMVC alarms (Measurement, Validation and Comparison)

Security Alarms (specifically for pipelines)

Alarm Prioritization

10.5.1 Overview

Alarm prioritization is a means to make some alarms appear more compelling to the panel operator than others. Alarm priority helps the panel operator prioritize his action, enabling him to focus on more urgent alarms before the less urgent. When multiple alarms annunciate in a short period of time, alarm priorities become critical. In general, the greatest number of alarms should be of the lowest priority, with fewer in a higher level of priority. The process for alarm prioritization is outlined below:

The severity of consequence and criticality (in terms of safety, environmental and economic impact) that the operator can prevent by taking the appropriate corrective action associated with the alarm.

The time available compared with the time required for the corrective action to be performed and to have the desired effect.

The relative frequency of occurrence of alarms of different priority should reduce with increased priority e.g., high priority alarms may appear once per shift whereas low priority alarms may appear 10 per shift. Priorities should be revised/adjusted based on operational experience.

A three-priority system shall be adopted, which excludes Journal (Note: some legacy systems may assign journals to a priority 4, which is also acceptable). See Table 10.6.

Table 10.6 Three-Priority System

| Alarm Priority | |
|---|---|
| P1 | High |
| P2 | Medium |
| P3 | Low |
| | Journal |

10.5.2 Consequence/Severity Assessment

ADNOC latest corporate 6x6 Risk Matrix shall be used for assessing the consequence/severity and risk.

The matrix is used by first selecting the consequence or severity of inaction or incorrect action then selecting its likelihood. From the ADNOC 6x6 matrix, the risk is categorized as:

High (Category 1)

High-Medium (Category 2)

Medium (Category 3)

10.5.3 Estimate Urgency

The urgency is classified as the difference between ‘Time to Event’ and ‘Operator response time’. The following times can be considered as guidelines for Operator response time:

2 minutes to execute an immediate, simple response action through ICSS

5 minutes to execute an immediate, complex response action through ICSS

10 minutes to any response action requiring an operation in the field

Table 10.7 lists the criteria to determine the urgency.

Table 10.7 Allowable Response Times

| Time available to respond | Urgency |
|---|---|
| 0 to 5 minutes | Immediate |
| > 5 min and ≤ 15 min | Rapid |
| > 15 min and ≤ 30 min | Prompt |
| > 30 min | Not Urgent |

10.5.4 Selection of Alarm Priority

Priority is assigned based on the severity (Risk) and the time available for operator response, as listed in Table 10.8.

Table 10.8 Priority Selection

| Urgency | Event Severity (Risk): Low | Event Severity (Risk): Medium | Event Severity (Risk): Medium-High/High |
|---|---|---|---|
| Immediate | P2 (Medium) | P1 (High) | P1 (High) |
| Rapid | P3 (Low) | P2 (Medium) | P2 (Medium) |
| Prompt | P3 (Low) | P3 (Low) | P2 (Medium) |
| Not Urgent | P3 (Low) – or Journal | P3 (Low) – or Journal | P3 (Low) |

Priority proportion (Distribution) of Alarms configured during system design should be (see Table 10.9):

Table 10.9 Priority Proportion

| Priority | Proportion |
|---|---|
| P1 (High) | 5% |
| P2 (Medium) | 15% |
| P3 (Low) | 80% |
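The prioritization steps of 10.5.3 and 10.5.4 carried through for a small worksheet, as an added example that is not part of this specification: urgency is derived from time to event minus the guideline operator response time, mapped to a priority with Table 10.8, and the resulting distribution is compared with Table 10.9. The tags, worksheet rows, response-type keys and function names are constructed for illustration, and rejecting rows whose response time exceeds the time to event is an assumption of this example.

```python
from collections import Counter

# Operator response time guidelines from 10.5.3, in minutes.
RESPONSE_MIN = {"icss_simple": 2, "icss_complex": 5, "field": 10}

# Table 10.8 as read in this example: urgency row -> severity (risk) column -> priority.
# "P3 (Low) - or Journal" cells are returned as P3.
PRIORITY = {
    "Immediate":  {"Low": "P2", "Medium": "P1", "Medium-High/High": "P1"},
    "Rapid":      {"Low": "P3", "Medium": "P2", "Medium-High/High": "P2"},
    "Prompt":     {"Low": "P3", "Medium": "P3", "Medium-High/High": "P2"},
    "Not Urgent": {"Low": "P3", "Medium": "P3", "Medium-High/High": "P3"},
}

# Table 10.9: target share of configured alarms per priority, in percent.
TARGET_PCT = {"P1": 5, "P2": 15, "P3": 80}


def urgency(time_to_event_min, response):
    """Classify the time left after the operator response time (Table 10.7)."""
    available = time_to_event_min - RESPONSE_MIN[response]
    if available < 0:
        # Assumption of this example: the operator cannot act before the
        # consequence occurs, so the row is sent back for design review.
        raise ValueError("operator response time exceeds time to event")
    if available <= 5:
        return "Immediate"
    if available <= 15:
        return "Rapid"
    if available <= 30:
        return "Prompt"
    return "Not Urgent"


def priority(time_to_event_min, response, severity):
    return PRIORITY[urgency(time_to_event_min, response)][severity]


def rationalize(rows):
    """Map each worksheet row to its priority, keyed by tag."""
    return {tag: priority(tte, resp, sev) for tag, tte, resp, sev in rows}


def distribution(priorities):
    """Percentage of alarms at each priority."""
    counts = Counter(priorities)
    return {p: round(100 * counts[p] / len(priorities), 1) for p in TARGET_PCT}


def deviation_from_target(priorities):
    """Percentage points above (+) or below (-) the Table 10.9 proportion."""
    actual = distribution(priorities)
    return {p: round(actual[p] - TARGET_PCT[p], 1) for p in TARGET_PCT}


# Constructed worksheet rows: (tag, time to event in minutes, response type, severity).
WORKSHEET = [
    ("PAHH-0101", 6, "icss_simple", "Medium-High/High"),
    ("LAH-0102", 12, "icss_simple", "Medium"),
    ("TAH-0103", 25, "icss_complex", "Medium"),
    ("FAL-0104", 45, "field", "Low"),
    ("LAL-0105", 20, "field", "Low"),
    ("PAL-0106", 40, "icss_simple", "Medium-High/High"),
    ("TAHH-0107", 30, "field", "Medium-High/High"),
    ("FAH-0108", 7, "icss_simple", "Low"),
    ("LAH-0109", 60, "icss_complex", "Medium"),
    ("PAH-0110", 50, "field", "Low"),
]

if __name__ == "__main__":
    result = rationalize(WORKSHEET)
    for tag, prio in result.items():
        print(tag, prio)
    print(distribution(list(result.values())))
    print(deviation_from_target(list(result.values())))
```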

10.5.5 Rule-Based Prioritization Exemplars

General guidelines on priorities for various non-process (and some process) related alarms are presented in APPENDIX A4.

Alarm Message

Alarm messages in the alarms summary display in the panel operator Human Machine Interface (HMI) shall be clear and concise for ease of understanding. The panel operator very often relies on the alarm message text description rather than the tags.

In order for the panel operator to diagnose the anomaly and formulate a response within the given time, it is important all messages are clear and well-thought-out and consistent in format taking into consideration character limitations of the control system. In addition, the alarm messages should be logged as part of the plant Historian and Sequence event records used for post-event analysis.

The following guidelines can be used while developing the alarm text messages:

Clearly identify the condition of alarm that has occurred, e.g., ‘Separator A, level High’ rather than ‘Separator-A alarm’.

Do not duplicate information provided by other displayed fields in the alarm list, such as alarm priority, tag name or alarm type, as part of the text.

Use terms that the panel operator is familiar with. Common and consistent abbreviations need to be used. Abbreviations as per ISA RP 60.6 can be used to ensure consistency. The final list of abbreviations shall be agreed with the COMPANY prior to the start of implementation.

A defined, consistent message structure will minimize panel operator response time.

Indicate the cause of the trip or shutdown for first-out alarm messages, e.g., WI Pump S/D on high discharge pressure.

The font size and type of font should be as per COMPANY specification and should be readable by the panel operator from the normal operating position.

10.6.1 Operator Help Menu Guidelines

A good alarm system should assist the panel operator in evaluating the situation, which is fundamental to identifying the correct actions to take. Depending on the circumstances, these actions can be directed at either avoiding an event or mitigating its consequences.

Therefore, as a best practice, ‘operator’s help’ should be available for each alarm. As a guideline, the operator should be able to request help by clicking on the alarm line on the alarm summary or on the process graphics. A window should appear showing, for example:

Purpose of the alarm

Consequence of No Action

Type of Activity

Most likely required Operator Action. (Containing context sensitive buttons to check other data)

Less likely required Operator Action (containing context sensitive buttons to check other data)

The data tables containing these help texts should be easily maintainable by an assigned operator acting to collect the best practices for alarm responses.

ALARM RATIONALISATION

Purpose

The purpose of the alarm rationalization stage of the alarm management lifecycle is to justify, prioritize and classify the alarms from the list of potential alarms generated during the Alarm Identification stage.

Rationalization is the process by which every alarm identified in the “identification (B)” life-cycle step is compared to the criteria in the alarm philosophy to verify that it should be an alarm and to set the correct attributes.

Alarm rationalization is a rigorous process that begins in the design phase of a project and continues throughout the asset lifecycle. Effective rationalization in Design and Construction phase of Greenfield and brownfield projects will deliver safe and efficient operations. This process is defined in this Section.

Rationalization will continue throughout the operational life of an asset as operational parameters change, modifications are implemented, and operational experience grows. The basis of this rationalization and ongoing review process in operations is defined in Section 12.

The objectives of Alarm Rationalization are:

To ensure that every alarm is an indication of an abnormal condition requiring a timely operator response.

To ensure that every abnormal condition requiring a timely operator action is appropriately alarmed based on agreed priority.

To meet Alarm System Performance standards.

To capture all details of alarm attributes and required operator responses in a MADB.

The following sections describe a general methodology that can be adopted to complete an alarm rationalization exercise or project.

Preparation

Alarm rationalization is typically performed as a group activity similar to some of the safety studies. However, several tasks should be completed prior to assembling the group.

Pre-Requisites

11.3.1 Documentation

The following are minimum pre-requisites that need to be ensured for an effective Rationalization workshop.

Alarm Philosophy

As the rationalization exercise is a comparison of an alarm to the criteria in the philosophy document, the alarm philosophy needs to be made available to the team. See section 4.11 for Alarm Philosophy project-specific contents requirements.

Master Alarm Database (MADB) and Alarm Response Procedures

The MADB (see section 11.4.9), as initially provided during the design phase, shall be available to be updated after the rationalization process.

The MADB should contain or be linked to the Alarm Response Procedures (sometimes known as the Alarm Response Manual – ARM), which documents what the operator responses should be for every alarm. A key input to this is the initial MADB and the results of the rationalization process.

The Alarm Response Manual shall be prepopulated with the relevant data prior to Rationalization process. The Facilitator should review the MADB and alarm response procedures prior to the rationalization session and also pre-populate his worksheets/software prior to the start of Workshop.

Minimum content requirements for the MADB and Alarm Response Procedures are given in Section 11.4.10.

Note: For old facilities where a MADB was either never delivered by the project, or has become lost or outdated, it is highly recommended to complete a minor project to produce an updated and fully verified MADB and Alarm Response Manual prior to conducting an Alarm Rationalization process.

Process Related Details

Different processes impose different requirements on rationalization. Operational details of the process are needed along with back-up calculations for hold-up volume, details of the time available for operator response prior to trip, etc. The following information should be made available:

P&ID (duly updated with HAZOP and SIL recommendations)

Hazard and risk analysis (e.g., HAZOP) reports

LOPA results and safety requirements specifications

Safe operating limits

Equipment design parameters, such as temperature, pressure and capacity

Interlocks/cause-effect diagrams

Key operating procedures

Complex loop documentation

Operating graphics (on-line or hardcopy) from System OEM

Details of system-generated alarms (including network switches/servers) from the System OEM

Details of field device/system diagnostic alarms

Details of the alarms generated for each functional block used to configure the system, to be obtained from the system OEM

Incident reports (during existing system rationalization)

Access to process historical data (during existing system rationalization)

Process narrative or description

Manufacturer/licensor alarm requirements/recommendations

Instrument parameters such as span and response time

Alarm System Performance

For an existing operational system, the following data/details would help the analysis of the alarm system performance:

Bad actors

Average and Peak alarm rates

Standing alarms

Highly correlated/duplicate alarms (alarm sequences)

In addition to the above, a history of alarm system activity and characteristics can be useful during the rationalization sessions. Operator interviews/audits can also be used to establish alarm management issues. Several months of alarm data is typically needed to capture the range of plant operations needed to assess alarm problem areas.
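The four measures listed above, computed from an exported alarm journal, as an added example that is not part of the specification. The journal layout, the tags, the 10-minute rate window, the 24-hour standing threshold and the 5-second correlation gap are assumptions chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import ceil

# Constructed sample journal: timestamp, tag, alarm type, event
# (ALM = annunciated, RTN = returned to normal). All tags are invented.
JOURNAL = """\
2025-01-10T08:00:05,LT-1001,HI,ALM
2025-01-10T08:00:07,LT-1002,HI,ALM
2025-01-10T08:01:10,LT-1001,HI,RTN
2025-01-10T08:01:12,LT-1002,HI,RTN
2025-01-10T08:03:00,PT-2001,HI,ALM
2025-01-10T08:03:20,PT-2001,HI,RTN
2025-01-10T08:03:40,PT-2001,HI,ALM
2025-01-10T08:04:00,PT-2001,HI,RTN
2025-01-10T08:04:15,PT-2001,HI,ALM
2025-01-10T08:04:30,PT-2001,HI,RTN
2025-01-10T08:12:00,LT-1001,HI,ALM
2025-01-10T08:12:03,LT-1002,HI,ALM
2025-01-10T08:13:00,LT-1001,HI,RTN
2025-01-10T08:13:05,LT-1002,HI,RTN
2025-01-10T08:25:00,TT-3001,LO,ALM
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    tag: str
    alarm: str
    event: str

    @property
    def key(self):
        return (self.tag, self.alarm)


def parse_journal(text):
    """Parse the CSV-style journal into time-ordered events."""
    events = []
    for line in text.strip().splitlines():
        ts, tag, alarm, event = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), tag, alarm, event))
    return sorted(events, key=lambda e: e.ts)


def bad_actors(events, top=10):
    """Most frequently annunciated alarms, highest count first."""
    return Counter(e.key for e in events if e.event == "ALM").most_common(top)


def alarm_rates(events, start, end, window=timedelta(minutes=10)):
    """Return (average, peak) annunciations per window over [start, end)."""
    if end <= start:
        raise ValueError("end must be after start")
    counts = [0] * ceil((end - start) / window)
    for e in events:
        if e.event == "ALM" and start <= e.ts < end:
            counts[(e.ts - start) // window] += 1
    return sum(counts) / len(counts), max(counts)


def standing_alarms(events, as_of, threshold=timedelta(hours=24)):
    """Alarms still active at as_of for at least threshold, with duration."""
    active = {}
    for e in events:
        if e.ts > as_of:
            break
        if e.event == "ALM":
            active.setdefault(e.key, e.ts)   # keep the first annunciation
        else:
            active.pop(e.key, None)
    return {k: as_of - t for k, t in active.items() if as_of - t >= threshold}


def correlated_pairs(events, gap=timedelta(seconds=5), min_count=2):
    """Pairs of different alarms that repeatedly annunciate within gap."""
    alms = [e for e in events if e.event == "ALM"]
    pairs = Counter()
    for i, a in enumerate(alms):
        for b in alms[i + 1:]:
            if b.ts - a.ts > gap:
                break
            if b.key != a.key:
                pairs[tuple(sorted((a.key, b.key)))] += 1
    return {p: n for p, n in pairs.items() if n >= min_count}


if __name__ == "__main__":
    ev = parse_journal(JOURNAL)
    print("bad actors:", bad_actors(ev, top=3))
    print("avg/peak per 10 min:", alarm_rates(
        ev, datetime(2025, 1, 10, 8, 0), datetime(2025, 1, 10, 8, 30)))
    print("standing:", standing_alarms(ev, datetime(2025, 1, 11, 9, 0)))
    print("correlated:", correlated_pairs(ev))
```

On a real journal the candidate pairs and bad actors are inputs to the rationalization session, not conclusions; the team still decides which alarm is the best indicator.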

11.3.2 Identification of Rationalization Approach and Scope

Rationalization should be done comprehensively. The comprehensive approach is to perform the rationalization exercise for all facility alarms at one time. This approach has both the greatest benefit and uses resources most efficiently. The allocated schedule can be optimized by rationalizing typical plants: for example, for similar WHTs it is sufficient to rationalize the alarms for one WHT, and for parallel trains it is sufficient to rationalize one train. The Contractor/facilitating chairman should discuss and agree the optimized time schedule with the Company.

11.3.3 Identify Team/Personnel

Rationalization should be performed by representatives with the knowledge and skills listed below. More specialized personnel can attend on an as-needed basis.

Full-Time Participants

The following members should participate full time (CONTRACTOR, Consultant and COMPANY):

Process engineers familiar with the process

Operations (production Engineers, supervisors, panel operators), preferably two panel operators from different shift teams with experience in use of the control system

Control Engineers/System Engineers

Process Safety or Safety engineers

An experienced alarm rationalization facilitator (3rd party approved by COMPANY), knowledgeable in alarm management principles and practices, with a background in areas such as human factors, process engineering, operations, control systems.

Scribe (depending on the workload).

As-Needed Participants

The following team should supplement as needed:

Plant ICSS system OEM (with PCS, ESD and F&G system knowledge)

Package SUPPLIER’s Process and Control Engineer (during respective Package SUPPLIER’s Alarm rationalization)

Senior Management (to demonstrate support and commitment to the process)

Health, Safety, and Environmental support

Maintenance/equipment reliability (usually when specific equipment is being discussed)

Management (may only need to be involved in the kick-off meeting and MOC process)

Instrumentation/analyzer specialists

Electrical and rotating equipment engineers

11.3.4 Kick-Off Meeting

A kick-off session should be held with senior management to acquaint them and all other interested parties as to the reasons for and potential results of the rationalization process. It is important for management support to ensure resource availability (operators, engineers) and for management understanding of the results of the rationalization.

A review of the current alarm system performance usually confirms the need for improvement. A presentation on the basis for alarm rationalization, as well as examples of past rationalizations, will assist the group in understanding the overall intent of the effort. The kick-off meeting can include the first part of the rationalization team training.

11.3.5 Training of the Rationalization Team

Prior to the commencement of the actual rationalization sessions, it is useful to conduct a brief training session on alarm rationalization for all likely participants. This would include full and part-time members, as well as anyone in the organization who may be impacted by the results (e.g., safety, instrument maintenance, operations). The course should cover the objectives/goals, methodology, roles and responsibilities, scope, TOR, daily progress requirement, alarm design (including terminologies), the team’s commitment, etc. As a part of any training, the Engineering lead from the CONTRACTOR and System OEM will detail the alarm philosophy, how this has been configured in the system and how it is visualized by the panel operator.

11.3.6 Roles and Responsibilities

Facilitator

The success of the rationalization process depends heavily upon the capability of the facilitator. Their key role in the activity includes the following:

Keep the rationalization moving – Since a rationalization can be expected to cover anywhere from 1000 to 50,000 alarms, it is imperative to keep the process moving. For large facilities with >10,000 alarms, it is recommended to break down by areas as covered by single or multiple consoles.

Enforce/Interpret alarm philosophy – The foundation of the rationalization is the alarm philosophy or selection criteria. The facilitator must enforce and interpret the philosophy. If any exceptions to the philosophy are needed and accepted by the team, they should be documented.

Suggest better ways to handle alarms – The facilitator needs to be sensitive to alternate methods to achieve both operational and alarm objectives. Plant personnel often overly accept the alarm system as it is currently designed/as experienced in their existing system.

Capture generic issues – The facilitator also needs to be sensitive to issues that apply beyond a particular alarm. In discussing a particular alarm, general classes of problems will become apparent and need to be captured.

Ensure consistency – The facilitator should ensure consistency, both during the rationalization and after. During the course of the rationalization, the facilitator needs to highlight if related alarms are not being handled in the same fashion or if the alarm guidelines are not being consistently applied.

Challenge team decisions – If the necessary expertise is not present to truly assess the required alarm or alarm characteristics, the facilitator should call in the needed discipline(s) to ensure availability of required team for effective discussion.

Process/Control and Instrumentation Engineers

Provide detailed technical input of the Alarm Management system and the production process. Have a detailed knowledge of all facility P&IDs.

Provide detailed knowledge of the ICSS (PCS, ESD and F&G)/BPCS systems and ensure representation of a SUPPLIER specialist as required.

Represent the “design intent” of the facility; ensure input from specialist design engineers as required.

Operations

Provide detailed knowledge of the facility operations and monitoring.

Provide challenge to Alarm Priorities based on knowledge of risk and severity.

Provide input to Alarm response times.

Maintenance

Provide detailed knowledge of the facility maintenance, integrity, and reliability.

Process Safety and Safety Engineers

Support the team in all aspects of risk management and technical safety systems.

Scribe

Assist facilitator with all event organization issues.

Capture the Minutes of Meeting.

Update the MADB and Alarm Response Procedures, preferably in “real time” as the workshop proceeds.

Alarm Rationalization Process

See Figure 5 for an overview of the rationalization process. The rationalization process may also be termed the Alarm Management Hazard Analysis (AMHAZ) workshop. This workshop is conducted in the same way as any other safety study workshop.

The Alarm rationalization process is one of the critical phases in the Alarm Management Life cycle. It is important for the team members to understand the objectives of good alarm management, particularly how alarms are to be selected and prioritized. For effective rationalization the approach is to work progressively through the process flow of the P&IDs or graphic displays, rationalizing all instruments and controls in a given area together.

The alarm response procedures should be pre-populated in parallel with the rationalization process. If the process has identical or redundant equipment/systems (e.g., parallel trains, multiple compressors, identical platforms (e.g., WHT)), then one can be done in the group session with the alarms copied to the duplicates outside the group session. However, the MADB and study report should include all the individual tags of the entire facility, irrespective of whether they belong to similar or parallel trains/equipment.

Each identified alarm should be evaluated in accordance with the following steps and results documented for every applicable process state.

Figure 5 Rationalization Process

11.4.1 Justify the Alarm

Every existing and proposed alarm should be reviewed to ensure that it meets the basic requirements for an alarm in the alarm philosophy, such as:

Does it indicate a malfunction, deviation, or abnormal condition?

The alarm must indicate a problem and not an event expected during normal operation. Events such as a sump pump starting automatically based on a high level or a process measurement reaching a value that does NOT result in an undesired consequence should NOT be configured as an alarm.

Does it require a timely operator action in order to avoid defined consequences?

Acknowledging the alarm or making an entry in a logbook is NOT considered a valid response. A valid operator response is one that attempts to correct the deviation or abnormal condition.

Does it provide the operator with adequate time to respond?

If the operator will not have enough time to execute the corrective actions, the alarm set point should be adjusted to allow adequate time, or the alarm should be eliminated and replaced with an automatic response from the system.

Is it unique?

Multiple alarms indicating the same condition should be avoided.

Is it the best indicator of the root cause of the abnormal condition?

The best indicator would be the alarm that would give the operator adequate time to respond, would always indicate the condition regardless of the cause and would originate from the most reliable sensor.

If an alarm is not justified, the rationale for deletion is documented. In some cases, an alarm may fail to meet the above requirements but will exist, due to the requirement enforced by Safety reviews or HAZOPs or SIL. Removal of such alarms requires further review and respective team concurrence via an MOC process.

There could be resistance to an alarm removal due to a desire to still have the status condition visible. This can be accomplished by ensuring the condition is indicated in the HMI (as a status indicator), rather than generating an alarm. Further, it can be also configured as an event log that can be used for later troubleshooting.

11.4.2 Determine the Alarm Set point or Logical Condition

The alarm set point should be:

Far enough away from the consequence threshold such that the operator has sufficient time to act.

Not so close to the normal process value as to cause nuisance alarm annunciations as a result of normal process variations.

The set point should be defined by the discipline specialist responsible for engineering the process and cannot be determined by the rationalization team.

Assigning the correct logical condition for a digital or discrete alarm is an important consideration. The rationalization team is responsible for this determination as well.

11.4.3 Document the Alarm Objective Analysis

Purpose of Alarm

Review and document the purpose of the Alarm.

Consequence/Severity of Inaction

Document the immediate consequences and severity of insufficient operator response (or ineffective response) to the alarm. The consequences should assume the condition alarmed continues or gets worse.

Each alarm should have an undesired consequence that results if the operator does not take action within an allowable response time. The documented consequence should represent the direct and immediate result of the abnormal situation identified by the alarm and not a possible consequence requiring a series of other failures (the ultimate or unmitigated consequence).

Another way to think about it is “what consequence can the operator prevent directly by taking the appropriate corrective action?” Note that HAZOPs and LOPAs define the ultimate (unmitigated) consequence of a hazard (after all layers of protection fail), whereas the rationalization/AMHAZ study defines the direct (mitigated) consequence of ONLY the failure of the alarm layer. The recorded consequences will therefore likely differ between these two activities.

Estimate the Allowable Response Time

Document the time allowed for the operator to respond to the alarm based on process safety. This is the duration available for the operator to take successful action, from when the alarm occurs to when the consequence is no longer avoidable. This will play a role in priority determination. If there is not sufficient time for the operator to respond, the alarm should be redesigned if possible. This could be as simple as changing the alarm set point to allow for more response time. If this is not an option, consider if another process measurement would provide an earlier warning against the consequence in question.

Allowable response time can seldom be calculated precisely. For that reason, it is usually best to use operations experience rather than engineering principles for this determination. Also, allowable response time is usually documented as a range rather than a fixed number. Refer to Section 10.5 for Priority and details on timing.

Alarm’s Root Cause(s)

Document the likely root causes of the process condition that would result in the alarm. The cause documented should be as close to the root-cause failure as possible.

Operator Corrective Action(s)

Document the operator action which must be taken to prevent or mitigate the consequence. Valid operator actions include:

Making process changes by manipulation of the control system (e.g., change the output of a controller, starting a backup pump from the HMI).

Requesting others to make changes to the process or control system (e.g., field operator to manually close a valve or start a pump).

Creating maintenance or corrective action work order.

Investigating and/or troubleshooting to determine the most likely cause of the alarm.

11.4.4 Alarm Classes

Review the Alarm Class according to the Alarm Philosophy (see section 10.4).

11.4.5 Assign Alarm Priority

Alarm priority is a tool for the panel operator to differentiate relative levels of urgency in the active alarms. There are a variety of logical methods for designating alarm priority. Refer to the Alarm Philosophy and Section 10.5.

11.4.6 Alarm Attributes

Each alarm should be configured with attributes to avoid nuisance alarms. Refer to section 10.3 for the details of alarm attributes.

11.4.7 Assess Need for Special Handling

Some alarms require special handling to meet the criteria in the alarm philosophy and should be clearly identified at this time. This will consider different plant states (start-up, shutdown, or equipment trip), changing the alarm parameters (set point and priority) and/or suppression of alarms, shelving of alarms, first-out alarm, grouping of alarm, plant/equipment out of service etc. The Advanced Design principles outlined in APPENDIX A1 should be used for Alarms assessed as having special handling requirements. Note: Special handling of alarms is also dependent on the PCS system in use and should be considered in the initial project design specification.

11.4.8 Review Results

Considering that the rationalization process may take several days/weeks to complete, a periodic ‘stop and review’ of the results is required prior to continuing. This is to ensure consistency of application and assessment. Inconsistencies in priorities and/or consequences for alarms need to be identified and corrected.

11.4.9 Master Alarm Database and Alarm Response Documentation

General

A typical plant ICSS can have tens of thousands of instruments and associated alarms. Hence, it is essential to document and track all the alarm data and required operator responses. This requires a centralized database i.e., MADB.

Rationalization ensures that alarms meet the requirements described in the alarm philosophy. This includes the task of documenting all the information collected during the rationalization process. The documentation is crucial for the entire alarm management Life cycle.

Alarm response procedures are a key requirement for Operations. Alarm response procedures can reduce the time it takes the panel operator to diagnose a problem and determine the appropriate corrective action, as well as promoting consistency of response between panel operators.

The MADB should contain the minimum details and fields required to document the Alarm Response activity and time. It may also refer to additional procedural detail in a separate Alarm response procedures manual or database.

The MADB minimum requirements are shown in Table 11.1. An MADB shall be created by Projects and handed over to Operations for ongoing update and maintenance.

The MADB is subject to the management of change control and maintained for the life of the alarm system. Whenever the MADB is updated any referenced alarm response procedures shall be also reviewed, updated, and maintained.

For old facilities it is possible that an MADB and related Alarm Response Procedures either do not exist or have become out of date and unreliable. In such instances it can be a large, time consuming and expensive activity to create them as required to conduct a full rationalization exercise. However, without doing so it is very unlikely the facility will ever meet and sustain the required Alarm System performance. It is recommended that in such cases a business case is created, based on risk exposure principles, to justify a project to create a new MADB and related Alarm Response procedures. This could be integrated with any scheduled BPCS or ICSS upgrade.

The MADB shall include alarms related to the entire process facility including all the vendor packages, i.e., any or all the alarms appearing to the operator.

11.4.10 MADB Minimum Content

The MADB is critical to the overall alarm management process both in design and operations. As a minimum, the fields listed in Table 11.1 shall be provided.

Table 11.1 MADB Minimum Fields (Reference EEMUA 191)

Category | Fields

Tag Information | Tag reference, Description; Loop number (optional); Plant area (optional); P&ID reference (optional)

Alarm details | Alarm category (optional); Alarm class (optional); Enable/disable status; Alarm message text; Audible y/n; SIL Classified Alarm (Y/N); Grouping applicable (Y/N)

Measurement details | Instrument range; Normal Operating range; Engineering units; Signal type; Alarm settings and limits; Alternate measurement (optional)

Alarm parameters | Alarm Priority; Hysteresis value (including deviation alarms); Alarm dead band/time delay; Dynamic Suppression applicable (Y/N); Static Suppression applicable (Y/N); Shelving requirements

Operator Response | Purpose of Alarm; Possible Causes of Alarm; Expected Operator Action (can refer to a separate Alarm Response Manual); Consequences of Exceeding Alarm Limit/Alarm State; Risk Matrix Severity; Operator Response Time (Min); Process Safety Time (Min)

Plant Change Request/MOC log | Record details of approved changes: PCR/MOC Number; Implementation Date; Change Applied; Reason for Change; Original Setting Updated (Y/N); Technical details of change e.g., function block, signal filtering and Corresponding SIL Tag etc.

Operator Feedback and Revision control

Operational assets may have an existing MADB. This should be verified against these requirements. Additional fields may be added to supplement these as required.

11.4.11 Alarm Management System (AMS) Software

Alarm Management Software, containing the MADB and any referenced Alarm Response Procedures, is the industry best practice for managing Alarm data and monitoring Alarm performance. Alarm management systems are generally provided by ICSS system SUPPLIERs as part of the Plant ICSS system architecture. Alarm management software shall be specified as a requirement in all new projects. For existing facilities where the systems are not available, plans shall be approved for incorporating Alarm management software and/or tools in future ICSS upgrades.

The following generic requirements can be used to specify Alarm Management Software:

The MADB should use the plant hierarchy based on customizable fields to facilitate the required format.

The MADB should be capable of easy updates when the control system itself is changed (e.g., addition, deletion, or modification of tags). The system should support import/export file-based data transfers.

The system should facilitate the inclusion of documents associated with each Plant Hierarchy Node and Alarm for reference.

The system should facilitate Alarm shelving and suppression tracking and reporting.

Rich database sorting, filtering, and copying capabilities.

The MADB should include all of the relevant alarm attributes contained in the control system along with a facility to add additional attributes.

Alarm attribute changes should be possible according to defined rules. This is useful when applying changes to many attributes at once based on an established rule in the alarm philosophy.

The database system should facilitate entry of multiple set points for the equipment/process state, with the possibility to enforce a desired set point in the system.

The database system should provide a method of summarizing changes, in a format suitable for the generation of MOC documentation.

The database should be capable of tracking the progress of rationalization tasks.

The system should be capable of comparing the alarms presented in the MADB with the ICSS and generate alarms for any inconsistencies.

The MADB should provide for change tracking and revision control of its contents.

The AMS should enable configuration of Alarm Performance metrics at panel level, with defined interfaces to external monitoring, analysis or reporting tools (such as dashboards). Updating and control of the matrices should be possible.

The AMS should enable generating various reports as defined in ISA 18.2 and EEMUA 191, including reporting of Alarm Performance metrics, both within the system and via an interface to other systems, and such reports should be configurable.

The AMS shall have a storage capacity for a minimum of one year to store data up to the hard disk capacity without intermediate archiving. All alarm data must be archived automatically in removable state of the art media. Removable archival media shall be latest model and technology at the time of detail design. The system shall provide an alarm for changing of archive media when it reaches 80% of its capacity.

The AMS should comply with all IT and process control security protocols.
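One way to implement the MADB-to-ICSS comparison and change-summary requirements listed above, as an added sketch that is not vendor or project code. The CSV layout, tags, attribute column names and the MOC number are constructed for illustration; a mismatch is reported as covered only when the MOC log (assumed layout) records the value found in the ICSS.

```python
import csv
import io
from typing import NamedTuple

# Attributes compared per alarm (assumed column names, a subset of Table 11.1).
ATTRS = ("setpoint", "priority", "deadband", "enabled")

# Constructed MADB extract (the approved configuration).
MADB_CSV = """\
tag,alarm,setpoint,priority,deadband,enabled
LT-1001,HI,80.0,2,1.0,Y
LT-1001,HIHI,90.0,1,1.0,Y
PT-2001,HI,12.5,2,0.2,Y
TT-3001,LO,5.0,3,0.5,Y
FT-4001,LO,10.0,3,0.5,Y
"""

# Constructed ICSS export (what is actually configured in the control system).
ICSS_CSV = """\
tag,alarm,setpoint,priority,deadband,enabled
LT-1001,HI,80,2,1.0,Y
LT-1001,HIHI,95.0,1,1.0,Y
PT-2001,HI,12.5,2,0.2,N
TT-3001,LO,4.0,3,0.5,Y
AT-5001,HI,50.0,3,1.0,Y
"""

# Constructed MOC log: approved changes and the value each one authorises.
MOC_LOG = [
    {"moc": "MOC-EXAMPLE-001", "tag": "TT-3001", "alarm": "LO",
     "attr": "setpoint", "new": "4.0"},
]


class Finding(NamedTuple):
    tag: str
    alarm: str
    kind: str    # NOT_IN_MADB, MISSING_IN_ICSS, NO_MOC or MADB_OUTDATED
    attr: str
    madb: str
    icss: str
    moc: str


def load(text):
    """Index a CSV extract by (tag, alarm)."""
    return {(r["tag"], r["alarm"]): r for r in csv.DictReader(io.StringIO(text))}


def norm(value):
    """Compare numbers numerically ('80' == '80.0'), flags case-insensitively."""
    try:
        return float(value)
    except ValueError:
        return value.strip().upper()


def compare(madb, icss, moc_log):
    """Return every inconsistency between the MADB and the ICSS export."""
    approved = {(m["tag"], m["alarm"], m["attr"], norm(m["new"])): m["moc"]
                for m in moc_log}
    findings = []
    for key in sorted(madb.keys() | icss.keys()):
        tag, alarm = key
        if key not in madb:
            findings.append(Finding(tag, alarm, "NOT_IN_MADB", "", "", "", ""))
        elif key not in icss:
            findings.append(Finding(tag, alarm, "MISSING_IN_ICSS", "", "", "", ""))
        else:
            for attr in ATTRS:
                m, i = madb[key][attr], icss[key][attr]
                if norm(m) == norm(i):
                    continue
                moc = approved.get((tag, alarm, attr, norm(i)), "")
                kind = "MADB_OUTDATED" if moc else "NO_MOC"
                findings.append(Finding(tag, alarm, kind, attr, m, i, moc))
    return findings


def summarize(findings):
    """One line per finding, suitable for pasting into an MOC review."""
    return [f"{f.tag}.{f.alarm} {f.kind} {f.attr} madb={f.madb} "
            f"icss={f.icss} {f.moc}".rstrip() for f in findings]


if __name__ == "__main__":
    for line in summarize(compare(load(MADB_CSV), load(ICSS_CSV), MOC_LOG)):
        print(line)
```

The `NO_MOC` findings are the ones to route to investigation first: a changed set point or a disabled alarm with no approved change behind it.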

11.4.12 Modifications to Existing Alarm Systems

Many facilities will be implementing the principles of alarm management to existing alarm systems. The alarm configuration on such systems may be based on previous codes and practice, potentially with previous historical upgrades.

As part of any rationalization effort on an existing system, it is essential to prepare the MADB reflecting all of the current alarm settings and attributes. The database should contain both the existing alarms and the potential alarms that can be set up on each tag if the control system has such a default capability (e.g., Process Hi, Process High-High, Rate-of-Change, etc.). The rationalization stage activities of justification, prioritization, documentation, and classification can use this database to include the outcome of the rationalization process.

In dealing with the initial list, the rationalization process will confirm/modify existing alarms or possibly add new alarms (see Section 12.2). The resulting documentation should also indicate that while the control system may have the standard capability for many different alarms on a tag, the rationalization process is not only selecting alarms to be activated in the alarm system but is also indicating that other potential alarms should not be activated. Also, during the rationalization process, all the alarms should be carefully reviewed with clear justification whether these come into the category of HMA etc.

The completion of the rationalization stage results in the MADB. This reflects the desired configuration of all alarms, which is then used as an input for implementation. Thereafter, the same needs to be maintained throughout the remainder of the life cycle.

11.4.13 Alarm System Performance Improvement in Older Generation Alarm Systems

One of the objectives of Alarm Rationalization exercises is to improve the Alarm System Performance to achieve the standards defined in section 14 “Alarm System Performance Measurement”. However, some older generation PCS systems may not have the required Alarm shelving, suppression and eclipsing functionalities required to deal with certain operations, such as alarm testing or instrument preventive maintenance routines that generate large numbers of alarms. This could limit the extent of performance improvement, until investment is made in system upgrades, which is a business decision requiring cost/benefit analysis. In such cases, risk assessment should be done to define any risk mitigation measures that can be used during periods of high alarm rates, such as appointing an extra panel operator on a temporary basis during Alarm testing activities.

DETAILED DESIGN AND IMPLEMENTATION

Detailed Design

The purpose of the detailed design stage is to primarily develop the ASRS to capture in detail the functional and technical requirements of the alarm system.

This section of the document only captures the generic requirements for designing alarm systems which shall be incorporated in the project specific ASRS. In addition to this document, the Project/Site Alarm Management Philosophy and MADB shall also be referred to in developing the ASRS.

Requirements for detailed design are identified in section 8.2.4 and APPENDIX A1.

Implementation

Detailed design activities and requirements have been previously addressed. General guidance is also provided in APPENDIX A1. Rationalization is a key part of this.

Implementation of the results of the rationalization process as part of a new-build system is straightforward with competent support and competent SUPPLIERs. For new-build systems / Projects, it is the responsibility of the Contractor along with system SUPPLIERs to ensure appropriate implementation and to hand over the system meeting alarm Performance criteria. However, there are practical challenges in implementing and integrating requirements into an existing system. Guidance is provided in Section 13.

Rationalization activities should be performed to review and optimize existing alarm systems (see Section 13). The result of rationalization and detailed alarm design on an existing system can result in changes and refinements.

Any modification and update must also consider the existing system, its availability, and its capability.

Typical modification scopes might include:

Addition of new alarms.

Deletion of existing alarm.

Modification of existing alarms (e.g., set points, priorities, dead bands, logical conditions).

Alteration of HMI displays related to alarm functionality or depiction.

Implementation of new procedural requirements for handling alarms (e.g., alarm shelving procedures).

The implementation of advanced alarm handling methodologies such as suppression.

In many control systems, not every desired alarm change can be accomplished in bulk or online without disturbing the plant operation. In some cases, a tag may have to be taken off-line to accomplish the change and then reactivated. Care must be taken so that running plant is not disturbed during these changes.

Engagement of system SUPPLIERs and operators, along with Company system and Instrumentation experts, is essential to perform the risk assessment and agree on the practicality and mode of implementation. All changes should go through a formal MOC process.

Training of Panel Operators and Plant Personnel

For new and existing alarm systems, training of panel operators and other personnel involved in the plant operation is required. It may also be necessary after the implementation of projects and rationalization of existing systems. Both initial training and refresher training should be included in employee training plans. The training should include the following minimum requirements:

General overview of the alarm philosophy.

Use and designation of alarm priority.

Alarm presentation, annunciation, and management.

Graphic presentation and alarm color coding.

Brief details on why rationalization is important.

Difference in pre and post-implementation of rationalization changes for the panel operator.

Procedures regarding the handling and reporting of nuisance alarms.

Features of the control system on shelving and suppression.

Permissible and non-permissible changes to the alarm system by operations.

The management of change procedure for the changes to the process alarms.

Accessing on-line MADB information.

Alarm system performance reporting.

Access methods for retrieving alarm documentation.

Management of HMAs and proof test requirement.

Training in the alarm response procedure.

OPERATIONS AND MAINTENANCE

Overview

Within the Alarm Management Life Cycle, the ‘Operations and Maintenance’ stages follow on after the Detailed Design/Implementation phase. Achieving safe, successful, and reliable operations requires an ongoing process of active alarm management with trained and competent panel operators and operational staff. Active rationalization, optimization and performance monitoring are required to continuously maintain alarm levels within industry acceptable limits and maintain panel Operator load to within manageable levels.

Objectives

Successful Alarm Management in Operations depends on real and continued commitment to improve supported by Senior Leadership.

Operating staff should be deeply involved in the improvement process.

The improvement process should be structured and driven by performance metrics.

Periodic review (weekly or monthly) of top 10 bad actor alarms and immediate corrective action should be part of the ongoing Alarm Management.

Improvement programs should address both normal and upset operation.

Simple techniques can eliminate many nuisance alarms, but these have to be applied by individuals who understand plant operation.

Alarm system changes should be controlled through a formal MOC process.

Key Focus Areas for Performance

The following focus areas should be applied continuously during operations:

Eliminate: Alarms having no defined panel operator response.

Ensure: Critical and high priority alarms are rationalized e.g., consequence evaluation, response time etc.

Adjust Dead-Bands: For chattering, fleeting, or standing alarms.

Adjust Alarm Setting: For nuisance alarms.

Review Alarm Attributes: Alarm not understood, or actions are not clear.

Shelve: Auto/alarm shelving facility based on certain criteria.

Single line Annunciation Display: For repeating alarms on alarm list displays.

Suppress: Auto/suppress trailing/secondary alarms.

Confirm Usability: Review upset incidents for its alarm event history.

Fatigue: Sufficient number of panel operators to avoid fatigue.

Alarm Management Performance Improvement Processes

13.4.1 Overview

Ongoing Alarm Management and optimization within the operational assets should be managed through a locally defined process. Examples to be considered in defining the process are:

A frequent assessment (weekly or monthly, depending on alarm performance state) at the site level by the operations team. This process should be led by the Alarm Coordinator. The objective is to target the top 20 bad actors each month with a view to driving continuous improvement and performance.

An ‘annual review’ by a defined alarms management committee. This committee comprises senior managers who have a vested interest in the effective alarm management of the asset and who can provide the necessary resources to support continuous improvements.

Defined Alarm optimization exercises aimed at eliminating bad actors and addressing standing and chattering alarms.

Defined Alarm Rationalization workshops as required to address ICSS panels that have deteriorated into “Overload” status as a result of plant modifications or neglect over time.

13.4.2 Regular Alarm Performance Review Process

The Alarm Performance Review Process should follow the Workflow processes provided in APPENDIX A3.

The review team should be multidisciplinary and should typically include:

Alarm Coordinator

Operations Supervisor/Leadership

Senior Control and Automation Engineer

Relevant Senior Process Engineer

Relevant Senior Process Safety Engineer

Additional representatives may participate as required.

Guidance on the process for these reviews is provided in Section 3 of EEMUA 191.

13.4.3 Annual Review

An annual review of the overall alarm performance and alarm management should be performed by the alarm management committee. (See section 7.2.2). This review should initiate and approve improvement plans for the following year.

13.4.4 Alarm Review and Optimization Exercises

Based on the regular review and analysis of Alarm System Performance metrics, the Alarm Coordinator should arrange specific exercises and mini workshops to address “bad actor” alarms, standing alarms, and chattering alarms. Poor performance may have come from many influences internal and external. Assets should have sufficient analytical capability to interrogate the Alarm Performance metrics and identify problem areas and opportunities for improvement.

Influences to consider are:

Noisy analogue signals from field transmitters.

Poor control of the process.

Changes in the operation of the process.

Faulty equipment.

Third-party equipment.

New processes requiring new alarms.

Equipment taken out of service for long periods.

13.4.5 Alarm Rationalization Workshops

Based on the Annual review process, any operator panels that have deteriorated into “Overload” state should be scheduled to undergo a full rationalization process as defined in Section 11 “Alarm System rationalization”. Depending on the number of alarms, and thus the scope, this may be defined as a workshop or a project, with an approved Terms of Reference and budget. The limitations imposed by some older generation PCS systems are recognized (see section 11.4.13 “Alarm System Performance Improvement in Older Generation Alarm Systems”).

Master Alarm Database

The MADB (sometimes referred to as the master alarm register or variable table), which contains the Alarm Response Procedures, is a critical reference for the ongoing alarm management and rationalization process. The MADB shall be maintained and updated throughout operations. Any changes shall be managed and recorded through a formal MOC process.

Recording alarms, alarm performance and operator responses to those alarms is critical. Access to this data will assist the review teams to assess performance and identify potential solutions.

Alarm Response Procedures in particular must be updated and maintained throughout the Operate phase. Minor and major MOC projects may impact these and they should be revised accordingly as part of the MOC close-out process. The alarm response procedures should be readily accessible to the panel operator. It should also be clear to the panel Operator how to access the alarm response procedures most effectively e.g., via the Operator interface. Operator training and refresher training on these procedures is required. Requirements are given in Section 11.4.9.

Suppression and Shelving of Alarms

13.6.1 General

Alarm shelving and suppression shall be allowed under controlled conditions.

A distinction shall be made between alarm Shelving and alarm Suppression. Shelving is typically short term and time bound and is governed by a Shelving Procedure (or Permit to Work Defeat procedure in some cases). Long Term suppression (or Inhibition) should be governed by a more stringent procedure with tighter control measures.

If a highly managed alarm class is used, then shelving highly managed alarms should follow authorization and reauthorization requirements.

Documentation shall be maintained, including approval, interim alarms and procedures, and reauthorization details.

13.6.2 Alarm Shelving

Alarm shelving is a mechanism, typically initiated by the panel operator, to temporarily suppress an alarm. Shelving is performed for a ‘time-bound’ period, and the alarm returns to active mode once the associated shelving time has elapsed. As shelving can ‘hide’ the alarms, shelving should be used only in the following circumstances:

The panel operator has quick/easy access to view the list of shelved alarms and can easily un-shelve an alarm.

The operating procedure requires the panel operators at shift changeover to check the list of shelved alarms and the reasons for them being there.

The panel operators are fully trained and aware of the implications of shelving and are seen to be using it responsibly.

Strict access rights are implemented. One panel operator controlling a plant area cannot shelve an alarm in the other plant area managed by a different panel operator.

Shelving is normally performed from an alarm list. Each alarm to be shelved should have to be individually selected. Once selected, it is acceptable to allow several alarms to be shelved as a group.

The shelved alarms should be displayed on plant graphics with an identification.

Shelving will be performed with a higher access right, i.e., supervisor access. The system should include the shelving record with the following minimum information:

The alarm shelved.

The person shelving the alarm.

The reason for shelving.

The time of shelving.

The planned time of un-shelving.

In general, the shelving can use the time period of one shift (12 hrs.), after which alarms will be automatically un-shelved.

As part of rationalization, careful consideration should be given to whether some critical alarms should be defined as non-shelvable, based on the seriousness of potential consequences.

There are different modes of shelving. More detailed design requirements are included in APPENDIX A1.
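The shelving rules of 13.6.2 can be enforced and audited in software. The following is an added example, not part of the specification or of any vendor system: it checks the access right, the plant area, the non-shelvable flag, the mandatory reason and the 12-hour limit, writes the minimum shelving record, and un-shelves automatically. The class names, field names and tag names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_SHELVE = timedelta(hours=12)  # one shift, the period given in 13.6.2


@dataclass(frozen=True)
class Alarm:
    tag: str
    area: str
    shelvable: bool = True  # False for alarms rationalized as non-shelvable


@dataclass(frozen=True)
class User:
    name: str
    area: str
    supervisor: bool = False


@dataclass(frozen=True)
class ShelveRecord:  # minimum information listed in 13.6.2
    tag: str
    shelved_by: str
    reason: str
    shelved_at: datetime
    unshelve_at: datetime


class ShelvingDenied(Exception):
    """Raised when a shelving request breaks one of the rules."""


class ShelvingRegister:
    def __init__(self):
        self._active = {}    # tag -> (Alarm, ShelveRecord)
        self.audit_log = []  # (time, event, user, tag, detail)

    def _deny(self, now, user, alarm, why):
        # Refused attempts are logged too, so misuse is visible at review.
        self.audit_log.append((now, "DENIED", user.name, alarm.tag, why))
        raise ShelvingDenied(why)

    def shelve(self, user, alarm, reason, now, duration=MAX_SHELVE):
        if not user.supervisor:
            self._deny(now, user, alarm, "supervisor access right required")
        if user.area != alarm.area:
            self._deny(now, user, alarm, "alarm belongs to another plant area")
        if not alarm.shelvable:
            self._deny(now, user, alarm, "alarm is defined as non-shelvable")
        if not reason.strip():
            self._deny(now, user, alarm, "a reason for shelving is mandatory")
        if not (timedelta(0) < duration <= MAX_SHELVE):
            self._deny(now, user, alarm, "shelving period must fit in one shift")
        record = ShelveRecord(alarm.tag, user.name, reason.strip(),
                              now, now + duration)
        self._active[alarm.tag] = (alarm, record)
        self.audit_log.append((now, "SHELVED", user.name, alarm.tag, record.reason))
        return record

    def expire(self, now):
        """Automatically un-shelve alarms whose planned time has passed."""
        due = [tag for tag, (_, rec) in self._active.items()
               if rec.unshelve_at <= now]
        for tag in due:
            _, rec = self._active.pop(tag)
            self.audit_log.append((now, "AUTO_UNSHELVED", rec.shelved_by, tag, ""))
        return due

    def handover_list(self, area, now):
        """Shelved alarms of one plant area, for the shift changeover check."""
        self.expire(now)
        return [rec for alarm, rec in self._active.values() if alarm.area == area]


if __name__ == "__main__":
    # Constructed sample data.
    t0 = datetime(2025, 1, 30, 6, 0)
    register = ShelvingRegister()
    supervisor = User("supervisor_a", "AREA-A", supervisor=True)
    register.shelve(supervisor, Alarm("FT-1001.LO", "AREA-A"),
                    "transmitter under calibration", t0)
    for entry in register.handover_list("AREA-A", t0 + timedelta(hours=8)):
        print(entry)
    print(register.expire(t0 + timedelta(hours=12)))
```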

13.6.3 Alarm Suppression

Alarm suppression techniques result in alarm signals from equipment being assessed as not appropriate for display to the panel operator e.g., standby equipment and equipment under long term maintenance. These techniques can be very valuable but should be applied with care. Safety problems will arise due to inappropriate use of suppression.

Logical processing methods applied to alarms improve their operational value. It is also important that the panel operator is kept informed when logical processing removes alarms from the display, e.g., by automatic suppression.

If the alarm is safety-related, the implementation of logical processing should comply with the requirements of IEC 61508.

Although alarm annunciation is suppressed, the suppression needs to be identified in the graphics against the individual device with a colored symbol, to avoid confusion to the panel operator.

Alarm suppression should be applied to the alarms associated with standby equipment based on the running status of the main equipment. During the start of the standby pump, the alarms need to be unmasked after a time delay or when startup bypass (SUB) is initiated. Alarms that need to be masked should be analyzed during Rationalization and agreed accordingly. E.g., on detection of pump standby/offline, low pressure and/or low flow alarms on pump suction/discharge are suppressed.

However, as a general guideline, there should be no masking of flow high alarms, pressure high alarms, pressure differential high alarms, bearing temperature high alarms, temperature high alarms on motor winding, vibration alarms, seal pressure low alarm and other non-process alarms (e.g., valve/pump discrepancy alarms). These parameters need to be monitored to ensure the standby pump can start on demand and hence should not be masked.

Any equipment/package under overhaul should be masked through the soft button in the HMI, using the higher access right. However, the actual status of the equipment/devices, along with the suppression status, should be displayed graphically.

All alarms should be unmasked automatically prior to the start of equipment and plant.

The following types of suppression are defined in more detail in APPENDIX A1:

Static alarm suppression

Dynamic alarm suppression

Dynamic mode dependent alarm settings

Periodic Testing

ADNOC Group Companies shall periodically test the correct functioning of Alarms, in order to ensure that the alarms continue to perform as designed. Periodic testing routines shall be determined by the Alarm criticality. Guidelines on testing are provided specifically in Section 15 of ISA 18.2 (see APPENDIX A6).

Testing requirements and guidelines for each Asset shall be determined, recorded, and implemented on a site-specific basis as part of the Maintenance Management System.

Training in Operations

The Alarm management committee should ensure Awareness sessions are held regarding the Alarm Management processes for the personnel who are involved in Alarm Management work. At least one formal session should be carried out on a yearly basis.

All panel operators shall be trained in the use of the alarm systems that they work with. This should comprise initial training, refresher training and training in any subsequent new alarm system facilities.

Panel Operators should receive refresher training that involves alarm response procedures. The training should cover a broad range of process scenarios. The training should include:

The rationalization information of the alarm.

The audible and visual indications for the alarm.

Refresher training should be carried out on a regular basis by senior operation engineers for response actions associated with Priority 1 (Critical) alarms. All senior operators (panel operators) should undertake such training at least once per year covering their relevant areas.

A record of refresher training should be maintained recording who received the training and the time it was received.

Training should be designed to ensure that the panel operator remains familiar with the functionality of the alarm system and knows how it should be used. Training should also cover the diagnosis of faults in the alarm system itself and the operator response to such faults.

ALARM SYSTEM PERFORMANCE MEASUREMENT

Main Performance Measures

14.1.1 Average Alarm Rate

This is the total annunciated alarms at a defined operator console, managed by a single operator, measured per 10 minutes time interval, averaged over a 1-month time period, and expressed as Alarms/hour.

It includes Priority 1/2/3 alarms only, i.e., excludes journals.

For large control panels, divide by the number of permanent panel operators assigned to the operator console in order to express the average in terms of a single panel operator.

14.1.2 Peak Alarm Rate

This is the maximum number of alarms annunciated in any 10-minute interval slice within a 1-month time period, at a defined operator console, managed by a single operator, expressed as Alarms/10 mins.

It includes Priority 1/2/3 alarms only, i.e., excludes journals.

For large control panels, divide by the number of permanent panel operators assigned to the operator console in order to express the average in terms of a single panel operator.

14.1.3 Percentage Upset Time

The alarm upset condition (sometimes referred to as “alarm flood”) begins when the number of alarms crosses the threshold value of 10 in a 10-minute period.

This measure is defined as the number of 10-minute slices within a 1-month measurement window when the no. of alarms/10 mins exceeds 10, measured at a defined operator console, managed by a single operator, expressed as a percentage.

It includes Priority 1/2/3 alarms only, i.e., excludes journals.

For large control panels, divide by the number of permanent panel operators assigned to the operator console in order to express the average in terms of a single panel operator.

Alarm System Performance States

The alarm system may pass through a number of performance levels during its lifecycle. The objective of Alarm System performance management is to achieve and maintain a “Robust” state, with the occasional excursion into “Stable”, as defined below. The following Alarm Performance states shall be standardized across ADNOC for reporting of Alarm performance:

State 1: Robust (Acceptable)

State 2: Stable (Manageable)

State 3: Reactive (Over-Demanding)

State 4: Overloaded (Unacceptable)

To determine the Alarm System Performance State, take the average state from each of the three KPI states (see example below).

Table 14.1 Alarm System Performance States

| State | Performance | Avg. Alarm Rate /Hr. | Peak Alarm Rate / 10 mins | % Upset Time |
|---|---|---|---|---|
| State 1 | Robust | ≤6 | ≤10 | ≤1% |
| State 2 | Stable | ≤12 >6 | ≤50 >10 | ≤2.5% >1% |
| State 3 | Reactive | ≤60 >12 | ≤500 >50 | ≤10% >2.5% |
| State 4 | Overloaded | >60 | >500 | >10% |

Example:

Average Alarm Rate: 4 alarms/hr. = state 1

Peak alarm rate: 350 alarms/10 mins. = state 3

% upset time: 0.7% = state 1

Alarm System Performance state = Avg. (1; 3; 1;) = 1.67 = state 2 (rounded to nearest state)
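The three measures of Section 14.1 and the state lookup of Table 14.1 can be computed directly from an alarm event journal. The following is an added example, not part of the specification: it buckets Priority 1/2/3 alarms into 10-minute slices over a 30-day window, derives the average rate, peak rate and percentage upset time, and averages the three states. The event tuple layout `(timestamp, tag, priority)`, the function names and the tag names are assumptions, as is dividing each slice count by the number of permanent operators before the flood comparison.

```python
from collections import Counter
from datetime import datetime, timedelta

SLICE = timedelta(minutes=10)
SLICES_PER_MONTH = 6 * 24 * 30   # 10-minute slices in the 30-day window
REPORTABLE = {1, 2, 3}           # Priority 1/2/3 only; journals are excluded
FLOOD_THRESHOLD = 10             # upset: more than 10 alarms in 10 minutes

# Upper limits of State 1, 2 and 3 from Table 14.1; above the last is State 4.
AVG_LIMITS = (6, 12, 60)         # alarms per hour
PEAK_LIMITS = (10, 50, 500)      # alarms per 10 minutes
UPSET_LIMITS = (1.0, 2.5, 10.0)  # percent of slices in upset
STATE_NAMES = {1: "Robust", 2: "Stable", 3: "Reactive", 4: "Overloaded"}


def state_for(value, limits):
    """Return 1..4 for a KPI value against the limits of Table 14.1."""
    for state, upper in enumerate(limits, start=1):
        if value <= upper:
            return state
    return 4


def overall_state(states):
    """Average the three KPI states and round to the nearest state."""
    # The mean of three integers is a multiple of 1/3, so it never ends in .5.
    return round(sum(states) / len(states))


def console_kpis(events, window_start, operators=1):
    """Compute the console KPIs for one operator console over 30 days."""
    window_end = window_start + SLICES_PER_MONTH * SLICE
    per_slice = Counter()
    for ts, _tag, priority in events:
        if priority in REPORTABLE and window_start <= ts < window_end:
            per_slice[(ts - window_start) // SLICE] += 1
    # Express every slice in terms of a single panel operator.
    counts = [n / operators for n in per_slice.values()]
    avg_per_hour = sum(counts) / (24 * 30)
    peak = max(counts, default=0)
    upset_slices = sum(1 for n in counts if n > FLOOD_THRESHOLD)
    upset_pct = upset_slices * 100 / SLICES_PER_MONTH
    states = (state_for(avg_per_hour, AVG_LIMITS),
              state_for(peak, PEAK_LIMITS),
              state_for(upset_pct, UPSET_LIMITS))
    return {"avg_per_hour": avg_per_hour, "peak_per_10min": peak,
            "upset_pct": upset_pct, "states": states,
            "overall": overall_state(states)}


def constructed_sample(start):
    """Constructed journal: one 350-alarm flood, 29 slices of 11 alarms,
    2211 single alarms and one journal entry that must be ignored."""
    events = []

    def add(slice_no, count, tag):
        base = start + slice_no * SLICE
        events.extend((base + timedelta(seconds=i), tag, 2) for i in range(count))

    add(0, 350, "PT-1001.HI")
    for s in range(1, 30):
        add(s, 11, "LT-2002.LO")
    for s in range(30, 30 + 2211):
        add(s, 1, "FT-3003.LO")
    events.append((start + timedelta(minutes=5), "OPERATOR-LOGIN", None))
    return events


if __name__ == "__main__":
    start = datetime(2025, 1, 1)
    kpis = console_kpis(constructed_sample(start), start)
    print(kpis, STATE_NAMES[kpis["overall"]])
```

The constructed journal reproduces the example above: 4 alarms/hr, a peak of 350 alarms in 10 minutes and about 0.7% upset time.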

State 4 – Overloaded: In this state, the alarm system is subject to a continuously high rate of alarms and deteriorates rapidly during a process upset. The Panel operator is unlikely to be able to react in a correct and timely manner to abnormal situations. Mitigation strategies are required. Improvement is best achieved by full rationalization exercises.

State 3 – Reactive: In this state, the Alarm system has likely been subject to a limited Alarm rationalization exercise, but still represents a challenge to the panel operator. This could be considered the minimum ‘entry-level’ for most new plants. It is, typically, representative of a new PCS that has been implemented with the minimum of best practice, or an existing system that has received some initial attention particularly with regard to the ‘bad actor’ alarms. Some improvement has been made to the average alarm rate, by comparison with State 4, but the peak rate during upset is still unmanageable and the alarm system will continue to represent an unhelpful distraction to the panel operator for long periods.

State 2 – Stable: In this state, the Alarm system has been well designed and subjected to an Alarm rationalization exercise, but still has opportunity to improve in terms of optimal panel operator monitoring. Typically, by careful selection of which variables to alarm, either via a rationalization exercise or via robust engineering of alarms up-front during a project phase, improvements have now been made to both the average alarm and peak alarm rates, by comparison with State 3. Problems due to ‘bad actors’ have been kept under control by regular review and continuous improvement, but there still remains a problem with the burst alarm rate. In general, the alarms have been well defined for normal operation, but the system is less useful during plant upset.

State 1 – Robust: Possibly at the limit of what is achievable with commercially available technology today, this level of performance represents a realistic target for most plants. Both the average and the peak alarm rates are under control, the latter under the full range of foreseeable plant operating scenarios. The use of dynamic techniques to improve the real-time performance of the alarm system is likely to be extensive.

For new facilities based on proper engineering and a subsequent rationalization process, the facility should target the robust state (‘state-1’). The Contractor/consultant/system provider shall demonstrate the same during plant handover.

For existing plants, the aim should be to progressively achieve the robust state (state-1) within a pre-determined time period. It is understood that some older generation PCS systems will not have the in-built functionality to suppress large groups of alarms (for instance during alarm testing and instrument preventive maintenance activities), and this will have a negative impact on the alarm system performance state. In such cases it becomes a COMPANY business decision whether or not to invest in PCS system upgrades in order to meet alarm system performance standards.

Key Performance Indicators (KPIs)

In order to manage and continually improve performance levels for an alarm system, it is necessary to define a set of quantitative KPIs. These KPIs relate to the basic usability metrics and benchmarks and are calculated over a reasonably long period of time. 1 month or 30 days is recommended by ISA 18.2 and should be used for the calculation and reporting of these KPIs.

For reference, the Performance Metrics recommended by ISA 18.2 are presented in the Appendices of this standard.

14.3.1 Definition of Operator Console as used in KPI measurement

Several KPIs relate to the Operator Console, which is defined in section 1.3.3 as “One or more Operator panels and associated equipment dedicated to monitor and control a specific area within a facility”. Data for Alarm performance is captured for a defined Operator Console.

The assumption in performance monitoring is that a single operator console is managed by a single panel operator, and the performance standard is based on the capability of a single panel operator to respond safely to an alarm. In some facility Control Rooms, an Operator Console may be manned permanently by 2 or more panel operators. In this case, the data collected at the Operator Console should be further divided by the number of permanent panel operators assigned to the console. This should be noted and made transparent in the KPI performance reporting.

14.3.2 ADNOC Reportable KPIs Summary

The standardized KPIs to be recorded and reported at different levels are listed in Table 14.2.

Only KPIs 1 – 4 are required to be reported to ADNOC HQ level, reflecting the overall performance of all operating sites within the AGC.

KPIs 5-9 are optional but can be used to aggregate across all the individual sites in order to measure trends at the AGC level.

KPIs 10-15 should be recorded at each individual panel level, and reported at Control Room level, in order to enable the compilation of KPIs 1-4 for reporting purposes.

Table 14.2 Reportable KPIs

| KPI | Measured at | Description |
|---|---|---|
| Level 1: Recorded at AGC level, reported to ADNOC HQ | | |
| 1 | Company Level | Company Average Alarm Rate: % Operator Consoles (per AGC) not meeting Average Alarm “Stable” standard (less than 12/panel/hr.) – derived from KPI 10 below. |
| 2 | Company Level | Company Peak Alarm Rate: % Operator Consoles (per AGC) not meeting Peak Alarm rate “Stable” standard (less than 50/panel/10-minute interval) – derived from KPI 11 below. |
| 3 | Company Level | Company Upset Time Percentage: % Operator Consoles (per AGC) not meeting Upset Time percentage “Stable” standard - less than 2.5% time in upset condition (> 10 alarms / 10 minutes) – derived from KPI 12 below. |
| 4 | Company Level | Company Alarm performance state summary: % Facilities in each performance state: (Overloaded /Reactive /Stable /Robust). Note: For a facility, the performance state is defined by the lowest state of any single operator console at the facility. |
| Level 2: (Optional): Recorded at Facility level, reported to AGC Corporate Level | | |
| 5 | Facility Level | Site average alarm rate: ∑ (KPI 10) / (No. of Consoles on-site). |
| 6 | Facility Level | Site average Peak alarm rate: ∑ (KPI 11) / (No. of Consoles on-site). |
| 7 | Facility Level | Site Average upset time percentage: ∑ (KPI 12) / (No. of Consoles on-site). |
| 8 | Facility Level | Standing alarms: ∑ (KPI 15) / (No. of Consoles on-site). |
| 9 | Facility Level | Alarm performance state: # operator consoles in each state (Overload/Reactive/Stable/Robust) |
| Level 3: Recorded at Individual Console Level, reported to Facility Level | | |
| 10 | Operator Console Level | Average alarm rate: Average number of alarms annunciated per operator console per hour. Reported over a 1-month period. Note: P1/2/3 alarms only. Excludes journals. Divide by No. permanent panel operators assigned to the operator console. |
| 11 | Operator Console Level | Peak Alarm Rate: Max no. of alarms per operator console per 10-minute interval, in any 10-minute interval, measured over a 1-month period. P1/2/3 alarms only. Excludes journals. Divide by No. permanent panel operators assigned to the operator console. |
| 12 | Operator Console Level | Percent Upset Time: The number of 10-minute slices within a 1-month measurement window when the no. of alarms/10 mins exceeds 10, expressed as a percentage: (No. of 10-minute intervals when Alarms >10) x 100 / (6 x 24 x 30) (Measured over a 30-day period). |
| 13 | Operator Console Level | Percentage time that Average alarm rate misses “stable” standard. % of time Average Alarm rate > 12 alarms/console/hr.: (No. of 10-minute intervals when Avg. Alarm rate >12) x 100 / (6 x 24 x 30) (Measured over a 30-day period). |
| 14 | Operator Console Level | Performance state: Based on 1 month’s data (KPIs 10-12 above) – reference to Table 14.1. |
| 15 | Operator Console Level | Standing alarms: Average no. of standing alarms per day. No. of alarms present for > 24 hrs. to be calculated and recorded at the end of each day, then averaged over the month. (Standing alarms are not reportable) |

Note: In reporting KPIs, it is recognized that some facilities with older generation PCS systems may not be able to meet stable or robust performance standards, despite conducting optimization and rationalization exercises, due to the lack of functionality for alarm shelving and alarm suppression (See section 11.4.13 “Alarm System Performance Improvement in Older Generation Alarm Systems”).

For such facilities, reference should be made either to system upgrade plans or to risk assessment and mitigation plans.

Additional Recommended Site Performance Metrics

In addition to the reportable KPIs in Table 14.2, each Facility should adopt performance metrics within their own reporting processes to feed the local alarm management rationalization processes.

The first three quantitative metrics listed in Table 14.3 below can be used as the raw data to assess the dynamic performance of the alarm system. Monitoring the current alarm status of the control system is essential to ensure that the performance KPIs are met.

Table 14.3 Additional Recommended Alarm Metrics per Operator Console

| Criteria | Methodology |
|---|---|
| Performance in steady-state operation | In addition to KPI 10: Numbers of chattering alarms: Average no. of chattering alarms in place for > 24 hrs measured over a 30-day period. Number of fleeting alarms. Number of shelved alarms: Average no. of shelved alarms per day over 30-day period. Number of suppressed alarms: Average no. of suppressed alarms per day over 30-day period. |
| Performance during a major upset. | In addition to KPI 11: Long Term Average Alarm Rate in Abnormal Upset-State Operations. Total number of alarm floods. Individual duration of each alarm flood. Alarm count in each alarm flood. Peak alarm rate for each alarm flood. |
| Alarms which are occurring most often. | Measure individual alarm frequency per defined time period. Top 10 “bad actor” load percentage: (∑top 10 bad actor alarms) x 100 / ∑total alarms annunciated (measured over 30 days). Note: This requires the 10 most frequent alarms to be identified and totalized over the 30-day period. |
| The distribution of alarm priorities. | Measure percentage priority distribution of all alarms annunciated on the system. % Priority 1 (High) alarms annunciated: # P1 (High) Alarms x 100 / Total Alarms annunciated |
| Number of alarms annunciated. | Measure the total number of alarms annunciated on the system: Total No. of Alarms annunciated per panel (as measured on the last day of each month – report monthly). |
| Operator’s general satisfaction with the system. | Operator questionnaire (See EEMUA-191 for guidelines). |
| Operators’ view of how useful the individual alarms are and the quality of the alarms. | Alarm usefulness questionnaire. |
| Operator Response Time | Measure time duration to normalize an Alarm state. |
| General performance during a plant upset. | Recording and analysing alarm data when a plant incident has occurred. |

Main Benchmark Values

Benchmarking of alarms is done based on the two different states:

Plant in steady-state operation

Plant in abnormal/upset condition

The alarm system issues associated with these two states are different.

Steady state operating condition is when a plant is operating within its Safe Operating Limits, and actions taken in response to alarms are aimed at preventing any automated trips or shutdown functions.

Upset Operating condition is when the plant or part of a plant or an equipment item has tripped on either an IPF or ESD setting or a manual shutdown command. In upset state it is expected that a higher number of alarms will be annunciated, and thus the performance benchmark criteria are different.

14.5.1 Steady-State Usability Benchmarks

The steady-state benchmark values are used to assess the usability of the alarm system in normal operation and the proposed values are generally appropriate to all types of continuous processes (see section 1.2: batch processes may require specific local benchmarks). The main metric for a plant in steady-state operation is the ‘long term average alarm rate’. For ADNOC this benchmark corresponds to the performance state summarized in Table 14.1 and can be expressed in the same terms used in EEMUA-191 as shown in Table 14.4 below.

Table 14.4 Long Term Average Alarm Rate in Normal Steady-State Operation

| Long Term Average Alarm Rate in Steady-State Operation | No. of Alarms per Operator Console, Per Hour | No. of Alarms per Operator Console, Per 10 mins. | Acceptability |
|---|---|---|---|
| 1 alarm per minute | 60 | 10 | Very likely to be unacceptable |
| 1 alarm per 2 minutes | 30 | 5 | Likely to be over-demanding |
| 1 alarm per 5 minutes | 12 | 2 | Manageable |
| < 1 alarm per 10 minutes | < 6 | < 1 | Very likely to be acceptable |

14.5.2 Upset State Usability Benchmarks

These benchmark values are used to assess the usability of the alarm system in an upset state and the proposed values are generally applicable to all types of plants. The main metric for a plant in the upset condition is ‘number of alarms displayed in 10-minute slices following a major plant upset’. This can be expressed as a “peak rate”, which is the maximum seen by the operator in any 10-minute slice and used for the Alarm System Performance state shown in Table 14.1. In addition, it can also be measured as the long-term average rate during the defined upset period, in which case the benchmark figures are shown in Table 14.5 below.

Table 14.5 Long Term Average Alarm Rate in Abnormal Upset-State Operations

| Avg. No. of Alarms Displayed in 10 Minutes | Acceptability |
|---|---|
| More than 100 | Definitely excessive and very likely to lead to the panel operator abandoning the system |
| 20 - 100 | Hard to cope with |
| Under 10 | Should be manageable, unless several alarms require a complex operator response |

In addition, ISA 18.2 states that the alarm system should not be in flood condition for more than 1% of the time during the 1-month period.

The alarm flood period begins when the number of alarms exceeds 10 in a 10-minute period. This corresponds to the steady-state benchmark range of ‘very likely to be unacceptable’ to ‘over-demanding’.

14.5.3 General Usability Benchmarks

The most important structural benchmark for usability is priority distribution. For situations in which a panel operator is faced with multiple alarms occurring together, it will be a great advantage to know which should be addressed first. A typical priority distribution is listed in Table 14.6. (Refer ISA 18.2 for additional information).

Table 14.6 Priority Distribution

| Priority | Distribution |
|---|---|
| High | 5% |
| Medium | 15% |
| Low | 80% |

14.5.4 Standing Alarms

The benchmark for standing alarms on any one system should be under 10. This benchmark is particularly relevant for alarm systems which rely heavily on basic list displays and relates to approximately half a page of alarms.

MANAGEMENT OF CHANGE PROCEDURE

A defined MOC procedure shall be used to effect any changes to alarms that require updating of the MADB. The scope of the change will determine the appropriate levels of authorization required. The MOC process will determine the required documentation as per COMPANY procedure. It is acceptable either to use an MOC process specific to the alarm system, or to incorporate alarms in an existing technical MOC procedure.

AUDIT

An audit is an essential stage of the Alarm Management Life Cycle. Audits should be conducted periodically to maintain the integrity of the alarm system and alarm management work processes. An audit of system performance will reveal gaps not apparent from alarm performance monitoring.

Audits will be performed based on a clear checklist prepared prior to the audit. The checklist should include verification of compliance with the Alarm Philosophy and the final MADB. The audit should also cover the current status of system performance against the performance metrics and target KPIs identified in these documents.

The results of the monthly and annual reviews defined in Section 13 are key inputs to the audits, as are the KPI results identified in Section 14. It is recommended that weekly/monthly performance monitoring is performed, recorded and made available for audit. The performance monitoring should include both primary and secondary KPIs.

The frequency of the audits can be set by the individual asset based on the current condition of the alarm system performance but is not to exceed 12 months.

ADDITIONAL SPECIFIC REQUIREMENTS

Not applicable

SECTION C – OTHER REQUIREMENTS

DETAILS OF SCOPE SUPPLY

Detailed engineering and design of the Alarm Management System in accordance with this philosophy and all specifications, standards, datasheets, and other statements of requirement included with or referenced in the requisition.

The SUPPLIER shall have single point responsibility for all aspects of the works, inclusive of all components sub-contracted or purchased from other parties. These shall include, but not be limited to:

Total system engineering definition of the Alarm Management System for ICSS (/BPCS) and functional design in the form of a Functional Design Specification (FDS) based upon the Functional Specification (FS), datasheets and COMPANY specifications provided by CONTRACTOR. FDSs shall be written by the SUPPLIER and approved by COMPANY during the Design Phase to detail the SUPPLIER scope of work.

The agreed FDS

Design, configure and supply Alarm Management System for ICSS / BPCS systems.

Participation in Alarm Rationalisation Reviews conducted by CONTRACTOR.

Supply of system configuration, MADB formats, graphic application/development and functional configuration software including its design and configuration.

Supply of test procedures, all necessary test workstations/equipment, and personnel for all tests. Perform tests for witness by the CONTRACTOR’s representative and COMPANY.

Provide all software licenses on removable media that is clean and free of any malware. Licenses that require internet connections are not permitted.

Documentation and certification in accordance with the material requisition, this philosophy, specifications and the standards referenced herein.

Guarantee compliance with the standard project operating systems proposed by the ICSS/BPCS SUPPLIER during the EPC stage of the project. This includes facilitating the expeditious roll-out of patches for known attacks on their operating systems, third-party equipment and cyber security. The SUPPLIER shall guarantee that updates can be rolled out without disruption to the running plant.

Special software configurations tools required for installation, operation, and maintenance.

Commissioning; start-up and long-term support.

SUPPLIER shall include all system and application software, configuration, documentation, and other equipment required for a fully functional, operable, reliable, and maintainable system.

SUPPLIER shall accept total responsibility for the overall system as specified. This includes system design, procurement, configuration, FAT, IFAT, packing and shipment. SUPPLIER shall provide site supervision and assistance for installation, perform tests SIT, SAT, pre-commissioning, and commissioning.

QUALITY CONTROL AND ASSURANCE

SUPPLIER’s quality management systems shall comply with all the requirements of ISO 9001 - Quality Management Systems – Requirements and ISO 9004 - Quality Management — Quality of an Organization — Guidance to Achieve Sustained Success. The quality system shall provide for the planned and systematic control of all quality-related activities performed during design.

The quality management system shall be implemented in accordance with the CONTRACTOR’s Quality Manual and the Project Quality Plan, which shall both together with all related / referenced procedures, be submitted to COMPANY for review, comment, and approval.

CONTRACTOR shall have in effect at all times, a QA/QC program, which clearly establishes the authority and responsibility of those responsible for the quality management system. Persons performing quality functions shall have sufficient and well-defined authority to enforce quality requirements that initiate, identify, recommend, and provide solutions to quality problems and verify the effectiveness of the corrective action.

CONTRACTOR shall identify in purchase documents to its SUB-CONTRACTORs all applicable QA/QC requirements imposed by the COMPANY and shall ensure compliance. On request, CONTRACTOR shall provide objective evidence of its QA/QC surveillance of its SUB-CONTRACTORs’ activities. If selected SUB-CONTRACTORs have ISO 9001 certification, as required for contracted scope, then copies of these certifications are to be provided for COMPANY review. The COMPANY may elect to waive their audits in favour of ISO 9001 registrar audits. Any contracted services without ISO 9001 certification will be subject to COMPANY audit requirements.

A representative/service engineer from shall be available at site during site installation, SIT, Commissioning & SAT phases, in order to ensure QA/QC of the installation.

COMPANY reserves the right to inspect materials and workmanship standards at all stages of manufacture and to witness any or all tests. CONTRACTOR, thirty (30) days after award but prior to the pre-inspection meeting, shall provide COMPANY with a copy of its manufacturing Inspection and Test Plan (ITP) for review and inclusion of any mandatory COMPANY/CONTRACTOR witness or hold points.

Equipment shall only be purchased from SUPPLIERs approved by COMPANY Category Management. This approval indicates that the SUPPLIER has an approved Quality management system and a proven track record in supply of this equipment type.

SUPPLIER shall comply with the Criticality Rating for Equipment outlined in the respective ADNOC Group Company’s Quality System Specifications for requirements of production checks, shop inspection, testing and material certification.

The SUPPLIER shall provide equipment inspection and test reports as per approved Inspection and Test Plan by CONTRACTOR.

SUPPLIER shall submit a quality plan for approval by COMPANY.

SUB-CONTRACTORS, SUB-SUPPLIERS

All subcontracted services and hardware shall be approved in writing by COMPANY. The term services include all System hardware design, fabrication, assembly, configuration, programming, and testing.

SUPPLIER shall assume responsibility and overall guarantee for all supply and services provided by SUB-CONTRACTOR/SUB-SUPPLIER.

The SUPPLIER shall transmit all relevant Purchase Order documents including specifications to his SUB-CONTRACTORS.

It is the SUPPLIER’s responsibility to enforce all Purchase Order and Specification requirements on his SUB-CONTRACTORS.

The SUPPLIER shall submit all relevant SUB-CONTRACTOR drawings and engineering data to the CONTRACTOR.

SUPPLIER shall obtain necessary warranties from SUB-CONTRACTORS/ SUB-SUPPLIERS.

CERTIFICATION

Not applicable.

INSPECTION AND TESTING REQUIREMENTS

Refer to AGES-PH-04-001, Automation and Instrument Design Philosophy and AGES-SP-04-001, Process Control System, for inspection and testing requirements.

SPARE PARTS, CONSUMABLES AND SPECIAL TOOLS

Not applicable.

PAINTING, PRESERVATION AND SHIPMENT

Not applicable.

INSTALLATION, COMMISSIONING AND MAINTENANCE SUPPORT

Not applicable.

TRAINING

Not applicable.

DOCUMENTATION / MANUFACTURER DATA RECORDS

Not applicable.

GUARANTEES AND WARRANTY

Not applicable.

PROJECT ADMINISTRATION

Not applicable.

SECTION D – STANDARD DRAWINGS & DATASHEETS

DATASHEET TEMPLATES

Not Applicable

STANDARD DRAWINGS

Not Applicable

SECTION E - APPENDICES

ALARM DESIGN PRINCIPLES

A1.1. Alarm Methodology

Different control systems, whether existing or new, have various means of detecting alarm state changes, representing alarms, suppressing alarms, etc. It is always good practice to develop a common approach to designing the control logic to ensure that changes to alarm set points or alarm suppression do not affect the execution of the control logic.

Based on the requirement alarms can be implemented as below:

A1.1.1 Re-Alarming

Re-alarming is the practice of re-annunciating an alarm that has not cleared to once again bring the panel operator’s attention to a specific alarm. Such a requirement needs to be carefully evaluated and implemented only for specific critical alarms, where panel operators need to pay attention to any time/process bound conditions. This requirement should be reviewed during the rationalization and implemented. Configuring a large number of alarms to the “re-alarm” state will worsen the alarm load on the panel operator.

Alarm Latching

Alarm latching can be used to provide an additional step to confirm that an alarming condition has been corrected. For example, without latching, an acknowledged analogue alarm would clear as soon as the process variable no longer exceeds the alarm set point. With latching, an alarm is not cleared even after the alarming condition has been corrected until the panel operator takes the additional step of resetting the latch function.

In general, all safety system alarms, such as those of the ESD and F&G systems, are of the latched type. Normalization of these alarms requires a reset once all the associated process abnormalities of the plant/equipment have normalized and it is ready to restart.

Alarm Grouping

A common alarm may be used to display a number of different initiating events from a plant system if all the alarms are of the same priority and the panel operator needs to provide the same initial response. However, any new events (alarms) occurring within a grouped alarm are required to be re-annunciated.

A1.2. Alarm Shelving

Alarm shelving is a mechanism, typically initiated by the panel operator, to temporarily suppress an alarm. Shelving is ‘time-bound’: the alarm returns to active mode once the associated shelving time has elapsed.

There are different modes of shelving as detailed below.

A1.2.1 Release (‘One-Shot’ Shelving)

A ‘release’ is a facility that can be applied to a standing alarm. A released alarm is temporarily removed from the alarm list and put on the shelf. There is no indication to the panel operator when the alarm clears, but it is taken off the shelf. Hence, when the alarm is raised again it appears on the alarm list in the normal way. Thus, the release is effectively ‘one-shot’ shelving. This facility is useful when there is an alarm which the panel operator fully understands (e.g., because it is from a plant under maintenance) and expects to stand for some time.

A1.2.2 Continuous Shelving

This is also applicable to standing alarms. The alarms are shelved until the predetermined timeout period elapses. If the same alarms are received again before the timeout period elapses, they are also shelved. Furthermore, if there are any alarms related to recovery messages, they are also shelved. Once the time period elapses, the alarm will reappear if it has not cleared.

A1.2.3 Auto-Shelving

An algorithm can be used for automatically shelving alarms which are detected as repeating frequently. The algorithm works as follows:

If more than 9 occurrences of an alarm occur in 5 minutes or less, then the 10th alarm is marked on the HMI screen in a colour to indicate it is a ‘repeating’ alarm. When this is accepted by the panel operator, the alarm is automatically shelved for 20 minutes. After 20 minutes, it is put back on the alarm list ‘on trial’. If it does not repeat more than 9 times in any 5-minute period during the next 20 minutes, then it ceases to be ‘on trial’ and becomes ‘normal’. However, if repeating does recur when the alarm is on trial, then the alarm is automatically re-shelved for twice the original period (i.e., for 40 minutes). This process of doubling up the shelve time can continue up to a limit of 720 minutes. When the alarm has been automatically shelved, the panel operator can unshelve it manually if the panel operator wishes (though this does not reset the on-trial timer).

In general, one shot and continuous shelving methods are used.
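The auto-shelving algorithm of A1.2.3 written out as a per-alarm state machine. This is an added example, not part of the specification or of any vendor's implementation; times are in seconds, and it assumes that the trial period is always 20 minutes, that the shelve time returns to 20 minutes once the alarm becomes ‘normal’, and that occurrences received while shelved are not counted towards the trial. Manual unshelving is not modelled.

```python
from collections import deque

WINDOW_S = 5 * 60         # repeat-detection window: 5 minutes or less
REPEAT_COUNT = 10         # more than 9 occurrences: the 10th is marked 'repeating'
BASE_SHELVE_S = 20 * 60   # first automatic shelve
TRIAL_S = 20 * 60         # 'on trial' period after a shelve ends
MAX_SHELVE_S = 720 * 60   # upper limit for the doubled shelve time


class AutoShelver:
    """Tracks one alarm tag through NORMAL, REPEATING, SHELVED and ON_TRIAL."""

    def __init__(self):
        self.state = "NORMAL"
        self.recent = deque()              # occurrence times inside the window
        self.next_shelve_s = BASE_SHELVE_S
        self.shelved_until = None
        self.trial_until = None
        self.journal = []                  # (time, event) record of every transition

    def _advance(self, t):
        """Apply timer expiries that happened at or before time t."""
        if self.state == "SHELVED" and t >= self.shelved_until:
            self.state = "ON_TRIAL"
            self.trial_until = self.shelved_until + TRIAL_S
            self.recent.clear()            # assumption: the trial starts with a clean count
            self.journal.append((self.shelved_until, "on trial"))
        if self.state == "ON_TRIAL" and t >= self.trial_until:
            self.state = "NORMAL"
            self.next_shelve_s = BASE_SHELVE_S   # assumption: doubling starts over
            self.journal.append((self.trial_until, "normal"))

    def _shelve(self, t):
        self.state = "SHELVED"
        self.shelved_until = t + self.next_shelve_s
        self.journal.append((t, f"shelved {self.next_shelve_s // 60} min"))
        self.next_shelve_s = min(self.next_shelve_s * 2, MAX_SHELVE_S)

    def _is_repeating(self, t):
        self.recent.append(t)
        while t - self.recent[0] > WINDOW_S:
            self.recent.popleft()
        return len(self.recent) >= REPEAT_COUNT

    def on_alarm(self, t):
        """Register one occurrence; returns how it is presented to the panel operator."""
        self._advance(t)
        if self.state == "SHELVED":
            return "shelved"               # kept off the alarm list
        if self.state == "REPEATING":
            return "repeating"             # still waiting for the operator to accept
        if self._is_repeating(t):
            if self.state == "ON_TRIAL":
                self._shelve(t)            # re-shelved automatically, doubled time
                return "shelved"
            self.state = "REPEATING"
            return "repeating"
        return "annunciated"

    def on_accept(self, t):
        """Operator accepts the alarm; a 'repeating' alarm is then shelved."""
        self._advance(t)
        if self.state == "REPEATING":
            self._shelve(t)

    def state_at(self, t):
        self._advance(t)
        return self.state
```

An alarm that keeps chattering every time it comes back on trial is shelved for 20, 40, 80, 160, 320, 640 and then 720 minutes, which is why the journal of shelve events is worth reviewing alongside the suppressed-alarm list.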

A1.3. Suppression

If alarm suppression techniques are applied:

Alarm suppression logic shall be implemented in the BPCS and not in the safety system logic solver.

When signals used in the permissive, trigger or mode detection logic of alarm suppression schemes show a bad PV or otherwise a diagnosed fault, the alarm suppression logic shall treat the signal in a fail-safe way such that the alarm(s) are not suppressed (depending on voting architecture) if they depend solely on this signal.

All suppression events shall be logged (i.e., in a journal) on the BPCS. If the panel operator manually de-activates suppression, the event shall be recorded in the panel operator’s journal.

The panel operator shall be able to view a list of all currently suppressed alarms.

The panel operator shall be able to view a list of all configured alarm suppression groups (static, dynamic and mode dependent alarm settings).

Hardwired alarms (light boxes) shall not be suppressed.

The following types of suppression are defined below with their individual requirements:

Static alarm suppression

Dynamic alarm suppression

Dynamic mode dependent alarm settings

A1.3.1 Static Alarm Suppression

Static alarm suppression is required in order to minimise the number of standing alarms. Alarms that are always in alarm when a process unit or a large piece of equipment is shut down can be statically suppressed. Only after the manual suppression command and the suppression permissive are met, are the alarms suppressed.

Static alarm suppression should be implemented on a per-section basis (process unit, piece of equipment) of the plant. Switching on the static alarm suppression is only possible when the defined process permissives are met.

When defining static alarms suppression groups, the following data should be recorded:

Static Alarm Suppression Group and Group name: A reference tag name of the group and Group name to allow reference and proper administration.

Permissive: Boolean statement with the (BPCS) tags and conditions (signals) that have to be ‘true’ to permit the static suppression to be switched ON. This includes the condition (alarm, H alarm, LL alarm etc.).

Static Suppression Group: This is a list of Instrument Tags to be suppressed.

In addition, the following requirements should be applied:

Static suppression shall not rely on manual selection only.

A process signal and confirmed out of service shall always be part of the suppression logic to confirm that the unit/equipment is out of service and to automatically remove the suppression when the unit/equipment is put back in service.

Process signals that are part of permissive logic shall be redundant so that there is no single point of failure that could lead to the inadvertent suppression of alarms or to leaving alarms inadvertently suppressed.

Figure 6 Static Alarm Suppression
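The static suppression rules above (manual command plus permissive, redundant out-of-service signals, fail-safe handling of a bad PV, automatic removal, journalling, no suppression of hardwired alarms) expressed as logic. This is an added example, not part of the specification: the class, group and tag names are hypothetical, and the voting is assumed to require every redundant signal to be healthy and to confirm out of service.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signal:
    """One redundant out-of-service confirmation read by the BPCS."""
    out_of_service: bool
    good: bool = True     # False = bad PV or diagnosed fault


def permissive_met(signals):
    """Fail-safe vote (assumed): at least two signals, all healthy, all confirming
    out of service. A bad PV or a disagreeing signal blocks suppression."""
    return len(signals) >= 2 and all(s.good and s.out_of_service for s in signals)


@dataclass
class StaticSuppressionGroup:
    name: str
    tags: frozenset                    # instrument tags in the suppression group
    hardwired: frozenset = frozenset() # hardwired alarms (light boxes), never suppressed
    active: bool = False
    journal: list = field(default_factory=list)

    def _log(self, t, event):
        self.journal.append((t, self.name, event))

    def request_on(self, t, operator, signals):
        """Manual command: accepted only while the process permissive is met."""
        if not permissive_met(signals):
            self._log(t, f"request by {operator} rejected: permissive not met")
            return False
        self.active = True
        self._log(t, f"suppression switched on by {operator}")
        return True

    def request_off(self, t, operator):
        if self.active:
            self.active = False
            self._log(t, f"suppression switched off by {operator}")

    def scan(self, t, signals):
        """Run every control scan: remove suppression as soon as the permissive is lost,
        whether the unit is back in service or a permissive signal has gone bad."""
        if self.active and not permissive_met(signals):
            self.active = False
            self._log(t, "suppression removed automatically: permissive lost")
        return self.active

    def is_suppressed(self, tag):
        """Static suppression covers every alarm of a listed tag (H, L, fault)."""
        return self.active and tag in self.tags and tag not in self.hardwired


if __name__ == "__main__":
    group = StaticSuppressionGroup(
        "SSG-EXAMPLE",                                     # hypothetical group tag
        frozenset({"FT-EX-1", "PT-EX-2", "LB-EX-3"}),      # hypothetical tags
        hardwired=frozenset({"LB-EX-3"}),
    )
    stopped = [Signal(True), Signal(True)]
    group.request_on(0, "operator-A", stopped)
    group.scan(10, [Signal(True), Signal(True, good=False)])   # bad PV on one signal
    for entry in group.journal:
        print(entry)
```

Suppression is not re-applied when the permissive returns; a new manual command is required, so a transient signal fault cannot silently re-suppress the group.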

A1.3.2 Dynamic Alarm Suppression

Panel operators often find alarm systems difficult to manage following a trip. In order to minimise the number of alarms following the trip, automatic and dynamic alarm suppression may be used.

With dynamic alarm suppression, the first alarm in a group sounds the buzzer until silenced by the panel operator. It is shown on the alarm list and printed on the alarm printer. Subsequent alarms in the same group do not sound the buzzer, are not shown on the alarm list and are not printed.

Apart from the dynamic aspects, another difference between static suppression and dynamic suppression is that static suppression suppresses all alarms related to a tag while dynamic alarm suppression suppresses only one specific alarm. For example, static alarm suppression suppresses both H, L and fault alarms while dynamic alarm suppression suppresses only H.

A soft switch should be provided to disable dynamic alarm suppression.

Dynamic suppression will be automatically turned off after a configurable time period (default 30 min) or when all trigger alarms return to normal.

When defining dynamic alarm suppression groups, the following data should be recorded:

Dynamic Alarm Group Name and Description: The dynamic alarm suppression group is usually a subset of the tags associated with the equipment safeguarding system (a UZ block). The Group name should be selected to show the relation with the system, e.g., 016UZ-250.

Delay Before Alarm On Check: The “Delay Before Alarm On Check” (the delay time the control system allows before checking to determine if all expected alarms, marked dynamic, have in fact activated) is to be 60 seconds greater than the largest individual dynamic suppressed alarm “Time for Alarm to Come Up”. Each and every alarm tag, marked with a cross in the “dynamic” box, should always alarm when each and every trigger is activated.

Dynamic Suppression Switch Off Delay: The “Dynamic Suppression Switch Off Delay” should always be 1800 seconds unless the Delay Before Alarm On Check is 1800 seconds or more.

Dynamic Grouping Comments: Comments may be added to clarify particular issues for future reference.

Dynamic Suppressed Tag numbers: For each of the Dynamic Suppressed Tag numbers, the following is to be recorded:

i. Tag number and service description as taken from the tag number database.

ii. A checkbox indicating if the tag number also serves as a trigger.

iii. A checkbox indicating if the alarm needs to be dynamically checked.

iv. Time for Alarm to Come Up.

The “Time for Alarm to Come Up” is the estimated time (in seconds) expected for the alarm to reappear after the reset of the group trigger. If the time is less than 4 seconds, a remark is to be added “Fast suppression logic required” as discussed above.

Notes:

Group Trigger alarms will almost always be trip alarms or drive failure indicators. If the group trigger is not an alarm (e.g., a motor running status) and therefore not in the database the tag should be added. All new trigger tags added that are not alarms should be “record only”.

In some instances, dynamic suppression will need to be applied to groups not related to a particular equipment safeguarding system. For these cases, a new dynamic suppression group tag number will need to be defined. The tag may be based upon sequence logic blocks (KS blocks) or on the major trigger tag for a group. For example, if the major trigger tag for a group not related to a safeguarding system was 214LZA555, then the dynamic suppression group tag could be 214UL555 (U standing for Multivariable).

A triggered alarm can be suppressed. However, the actual trigger shall not be suppressed.

Dynamic suppression shall not be based on any manual selection.

A process signal or confirmed out of service shall always be part of the suppression logic to confirm that the unit/equipment is out of service and to automatically remove the suppression when the unit/equipment is put back in service.

Process signals that are part of permissive logic shall be redundant so that there is no single point of failure that could lead to the inadvertent suppression of alarms or to leaving alarms inadvertently suppressed.

Figure 7 Dynamic Alarm Suppression

A1.3.3 Dynamic Mode Dependent Alarm Settings

Dynamic mode dependent alarm setting may be required to further reduce the meaningless alarm rate. Mode dependant alarm setting may be required where systems have distinct operational modes that require distinct alarm settings. This is, for instance, the case for furnaces having a normal mode and a decoke mode. Also, the burner management system may have Oil firing mode, a Gas firing mode and a combination of both (dual-firing mode). A dryer will have an operating and a regeneration mode. A crude distiller may have different alarm settings depending on the crude being processed.

With dynamic mode dependant alarm settings, the alarm settings of analogue or digital points are changed based on the detected mode of operation. The mode switching is detected from a set of process parameters and may also involve a manual switch.

Upon a detected mode change, the new set of alarm settings is automatically downloaded into the BPCS point. These new settings will be applicable until the next mode change is detected or the dynamic mode dependant alarm setting enable switch is disabled. When disabled, the default set of settings is downloaded into the BPCS point automatically. When none of the defined modes is detected, the default mode should be selected automatically.

Dynamic mode dependant alarm setting should not normally be applied to IPFs of SIL1 and above, since these settings are based on the excursion of safe operating envelopes that should not be mode dependant. Where mode-dependent settings are absolutely essential for some IPFs of SIL1 and above, the complete mode selection and control should be implemented in the IPS using special algorithms to assure the IPF class integrity. Where pre-alarms are also used to alarm excursion from the normal operating envelope, they may have dynamic mode dependent alarm settings.

Alarm setting changes (each mode change) should be logged in the BPCS for each point.

When defining Dynamic mode dependant alarm setting groups, the following data should be recorded:

“Mode Dependant Alarm Setting” Group Name and Description: For each Mode, a reference tag name of the group and Group name should be recorded and maintained to provide documentation and support system administration. The group name and description should give a reference to the system (e.g., furnace) having the different operating modes.

Various Modes Names and Description: For each Mode, a reference tag name of the mode and operating mode name should be recorded and maintained to provide documentation and support system administration.

Permissive and Comments: For each Mode, a Boolean statement should be developed complete with the (BPCS) tags and conditions (signals) that have to be ‘true’ or ‘false’ to detect the mode switch. This includes the condition (alarm, H alarm, LL alarm etc.). Conditions may include timers to limit the time a particular mode may be on.

“Mode Dependant Alarm Setting” Group with Default Settings: This is a list with Instrument Tags (and attribute such as L, HH etc.) to be manipulated including the default settings.

Alarm Settings for Each Defined Mode: This is a list of alarm settings for each instrument tag defined in the dynamic alarm settings group. A detailed alarm setting list should be prepared for each dynamic mode of operation defined in the list identifying the various operating modes.

Comments: Comments may be added for each instrument tag to clarify particular issues for future reference.

The lists “Various Modes”, “Mode dependant alarm setting Group”, “Alarm settings for each defined mode” and “Comments” are best combined in tabular form where instrument tags are listed vertically in the first column and the default and mode-dependent settings are listed in subsequent columns.

A1.4. Redundancy Logic

Often multiple measurements are made of the same process variable (e.g., devices used in the voting configuration in the safety & F&G systems). If alarms are generated from these individual measurements concurrently, then there will be multiple alarms all indicating the same measurements. Suppression logic can ensure that only a single alarm is annunciated to the panel operator, whereas individual alarms can be logged as an event and also indicated in Graphics.

A1.5. Eclipsing

Sometimes there will be several alarms generated from a single process variable, such as a high alarm and a high-high alarm, based on the process need using control and shutdown systems. Logic can be used to suppress the alarms of lower operational significance when the more significant alarms are raised. For example, a high alarm can be suppressed when a high-high alarm is initiated. The eclipsing will reduce the number of standing alarms on a list display but may not necessarily reduce the number of alarms the panel operator has to accept. The eclipsed alarm will re-annunciate if the high-high alarm is normalized (after the process has dropped below the high-high alarm set point and a reset has been performed) while the process is still above the high alarm set point.

A1.6. Out-of-Service Plant

Some alarms are of operational significance when a plant item is running, but not when it is out of service. For example, a low discharge flow alarm from a pump will not be relevant when the pump is not running. The computation of the equipment/unit/plant running logic flag should consider various ways of operating the plant. This is particularly true when computing flags representing the running status of very large plant systems or of the complete plant. Plant running flags should also take account of the detail of the start-up sequence for the plant item. For example, when starting a large machine, auxiliary systems such as lube oil, heater services need to start up before the machine starts to rotate, and hence auxiliary equipment alarms need to be made active prior to the start of the main compressor. Different logic will be required when the equipment is in shut down. Hence, suppression needs to be done with due diligence.

A1.7. Operating Mode

Certain alarms are only relevant in particular plant operating modes to avoid transient alarm during the start-up. In such a case, these alarms can be either suppressed with the time limit or dynamically elevated with a different set point with the time limit.

A1.8. Major Event

Typically, the biggest alarm load on the panel operator is after a major plant upset. Such disturbances are often particularly stressful for the panel operator and can also be considered as relatively hazardous periods of operation. Many of the alarms occurring after a major upset will relate to events that are expected to happen. For example, if a total plant shutdown is initiated then it will initiate cascaded trips of lower shutdown levels within the plant and to other plants. In addition, many process parameters will go outside their normal operating ranges. The use of logic to suppress these expected alarms offers a significant benefit. Only the first-up alarm and the critical alarms can be annunciated. All the other initiating events can be provided as logging events for post-incident analysis. However, the alarm status of all the devices should still be indicated graphically.

In addition, the use of logic to identify missing events is operationally important. For example, in a plant shut down many trips will operate. The panel operator wants to know only about the trips that do not operate, or the valves that do not shut. Hence, it is important to alarm the panel operator regarding missing cause and effect actions, e.g., shutdown valves that have not closed in line with the cause and effect.

A1.9. Alarms from Equipment Under Test

It is common for numerous alarms to be generated from plant and equipment when it is undergoing maintenance or testing. Routine testing of automatic protection systems can be a particular problem. Logic can, in principle, be used to automatically suppress these alarms, but this may conflict with the testing requirement during the maintenance. Accordingly, a shutdown and maintenance mode selection soft button can be provided for the equipment/plant/unit/system. Based on the maintenance mode selection, alarms associated with the equipment/plant/unit/system can be dynamically demoted to a priority at which they are graphically displayed but do not generate an audible warning or require acceptance.

This approach is relatively simple to implement but does require responsible and systematic use by the panel operator to avoid alarms being left demoted when testing is completed. Hence, plant mode selection/start-up/opening status of certain equipment/valves that are essential for equipment/plant/unit start-up should be dynamically linked to automatically restore the designed alarm priority.

ALARM TYPES

A2.1. Absolute Alarms

Absolute alarms, such as high and low, are the most commonly used alarm types. These alarms are best used to warn that a process variable is exceeding an operational limit.

Low-Low and High-High alarms are configured to identify the ESD events of plant trip (see Figure 1).

A2.2. Deviation Alarms

This alarm is generated if there is a difference (typically 5% of calibrated range) in measured value between two transmitters that measure the same process parameter and are installed at the same location. This could be between voted transmitters or between the transmitters used in PCS and ESD. This alarm type is typically used to indicate that the instruments are not performing effectively and need maintenance.

In addition, common applications include detecting the deviation between the process variable and the controller set point, or between the controller output and the actual measured position of the final control element. It is important to apply appropriate time delays to prevent false triggering of deviation alarms.

A2.3. Rate-of-Change Alarms

This is an alarm generated when the change in process variable per unit time (dPV/dt) exceeds a defined limit. These alarms should only be configured if it is a critical requirement for process safety or process control to monitor a rate of change parameter. They present a risk of spurious activation due to the natural fluctuation in the measurement if they are not configured appropriately. Also, the accuracy of rate-of-change alarms can be impacted by the calculation algorithm, which can include factors such as the use of digital filtering, the number of samples and the control system’s scan rate.

A2.4. Discrepancy Alarms (Command-Disagree)

These alarms are used to indicate that a piece of equipment or device is in a different state than commanded or expected. Discrepancy alarms are commonly used with equipment such as motors, to indicate that they have failed to start or failed to stop (when commanded), or with discrete valves, to indicate that they have failed to open or failed to close within an allowable travel time. To prevent generating nuisance alarms, it is necessary to adjust the allowable travel/transition time to compensate for equipment wear, so that it matches actual performance.

A2.5. System Diagnostic Alarms

This alarm is used to indicate that a fault has occurred in the control system hardware, software or components (e.g., communication error or I/O card failure). If these alarms are displayed as part of the alarm list, they should contain a clear description that the panel operator can understand. This alarm type can cause nuisance alarms for a panel operator and contribute to unnecessarily high alarm rates, so during the rationalization process it is important to consider whether every alarm should be presented to the panel operator or whether it is sufficient to provide a common alarm from which the operator can navigate to the detailed status page in graphics. Consideration should be given to prioritizing such notifications as alarms or log events and to providing a separate notifications page for system diagnostic alarms that is distinct from process alarms.


A2.6. Instrument Diagnostic Alarms

Various diagnostic features, depending on the type of field instrument (based on protocols such as Foundation Fieldbus, Profibus and HART), can be routed directly to the Asset Management Systems. However, critical diagnostic alarms should be displayed to the panel operator.

In general, instrument/device diagnostic alarms can be numerous and need to be grouped appropriately and identified as part of the Asset Management system. Each alarm should be provided with clear guideline information for carrying out the maintenance activities. These alarms can be linked to trigger the maintenance work order.

A2.7. Bad-Measurement Alarms

Bad-measurement alarms are a subset of instrument diagnostic alarms. These alarms are generated by the control system to indicate that a process measurement is outside of its expected range (e.g., <3.8 mA or >20.5 mA for a 4-20 mA signal as per NAMUR). Many control systems provide the functionality to configure the process measurement thresholds as a part of the I/O channel definition. These alarms can indicate a partial or impending failure in the sensor, a sensor out of calibration or another degradation condition. They are often accompanied by other alarms coming from the control logic where the signal is used. For example, a bad input signal from an instrument (which triggered a bad-measurement alarm) could also trigger other alarms configured for the point (such as absolute alarms, deviation alarms or rate-of-change alarms) or for connected points such as totalizer points, selector points or controller points. Bad-measurement alarms should dynamically suppress other alarms that the logic initiates because it uses the bad measurement value.
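As an added example (not part of the specification), the Python sketch below combines the deviation alarm of A2.2 with the bad-measurement alarm of A2.7 for one pair of transmitters: the deviation alarm uses 5% of calibrated range with an on-delay, and a bad PV suppresses the alarms that would otherwise be computed from the bad value. The class name, the three-scan delay, the 0-100 barg range and the 80 barg high limit are assumptions.

```python
NAMUR_LO_MA, NAMUR_HI_MA = 3.8, 20.5   # bad-measurement limits quoted in A2.7

def to_eng(ma, lo, hi):
    """Scale a 4-20 mA signal to engineering units over the calibrated range."""
    return lo + (ma - 4.0) / 16.0 * (hi - lo)

class RedundantPair:
    """Two transmitters on the same measurement, scanned together."""

    def __init__(self, lo, hi, high_limit, dev_pct=5.0, delay_scans=3):
        self.lo, self.hi, self.high_limit = lo, hi, high_limit
        self.dev_limit = dev_pct / 100.0 * (hi - lo)   # 5% of calibrated range
        self.delay_scans = delay_scans                 # on-delay, in scans (assumed)
        self._dev_scans = 0

    def scan(self, ma_a, ma_b):
        """Return (active, suppressed) alarm-name sets for one scan."""
        active, suppressed = set(), set()
        raw = {"A": ma_a, "B": ma_b}
        bad = {n for n, ma in raw.items() if not NAMUR_LO_MA <= ma <= NAMUR_HI_MA}
        val = {n: to_eng(ma, self.lo, self.hi) for n, ma in raw.items()}
        for n in raw:
            if n in bad:
                active.add(f"BAD_PV_{n}")
            if val[n] > self.high_limit:
                # A high alarm computed from a bad value is suppressed, not shown.
                (suppressed if n in bad else active).add(f"HIGH_{n}")
        deviating = abs(val["A"] - val["B"]) > self.dev_limit
        if bad:
            self._dev_scans = 0          # a bad value must not run the delay timer
            if deviating:
                suppressed.add("DEVIATION")
        else:
            self._dev_scans = self._dev_scans + 1 if deviating else 0
            if self._dev_scans >= self.delay_scans:
                active.add("DEVIATION")
        return active, suppressed

# Constructed scan sequence (mA) for a 0-100 barg pair with an 80 barg high alarm.
SCANS = [(12.0, 12.0), (12.0, 13.12), (12.0, 12.0),      # one-scan blip: no alarm
         (12.0, 13.12), (12.0, 13.12), (12.0, 13.12),    # sustained: alarm on 3rd
         (21.0, 12.0)]                                   # A over range: bad PV

def run(scans=SCANS):
    pair = RedundantPair(0.0, 100.0, 80.0)
    return [pair.scan(a, b) for a, b in scans]

if __name__ == "__main__":
    for i, (active, suppressed) in enumerate(run(), 1):
        print(i, sorted(active), "suppressed:", sorted(suppressed))
```
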

A2.8. Adjustable Alarms

Adjustable alarms are used in situations where the panel operator may be required to modify the alarm set point manually. Use of these types of alarms should be avoided. Any such change needs to go through the MOC process. In such a case, the panel operator can be provided with an ‘Alarm’ that can be set within the operating limit to provide an early warning.

A2.9. Adaptive Alarms

Adaptive alarms are used when an alarm set point must be continuously modified based on process conditions. They can be applied to absolute alarm conditions as well as rate-of-change or deviation alarms. Such changes should be pre-configured in the systems so that changes are managed dynamically by the control systems.

A2.10. First-Out Alarms (First-Up Alarms)

This is an alarm type whose purpose is to determine which alarm condition was first in a multiple alarm scenario. It is commonly used to identify the cause of automatic equipment shutdowns or plant trips where multiple events would be triggered in fractions of a second after the initiating event.

First-out alarming is one of the simplest advanced alarming techniques and it has been used for many years. A group of alarms is connected to latching logic. When any one of the alarms in the group is triggered, the logic latches. The first alarm is latched and annunciated. Succeeding alarms in the first-out group are masked and only indicated visually on displays and cause and effect graphics. The first-out alarm remains latched until the panel operator resets it and all alarms in the group have returned to normal. NO alarm should be masked during start-up.
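The latching behaviour described above can be written as a small state machine. This Python sketch is an added example, not part of the specification; the class, the presentation labels and the tags are hypothetical, and treating start-up as a flag that disables masking is one reading of the last sentence above.

```python
class FirstOutGroup:
    """Latching first-out logic for one group of trip initiators."""

    def __init__(self, tags):
        self.tags = frozenset(tags)
        self.active = set()        # members currently in alarm
        self.first_out = None      # latched initiating alarm
        self.startup = False       # True while the unit is in start-up

    def change(self, tag, in_alarm):
        """Apply one alarm state change and return how it is presented."""
        if tag not in self.tags:
            raise KeyError(tag)
        if not in_alarm:
            self.active.discard(tag)
            return "RETURNED"
        self.active.add(tag)
        if self.first_out is None:
            self.first_out = tag               # latch the initiating event
            return "ANNUNCIATE_FIRST_OUT"
        if self.startup:
            return "ANNUNCIATE"                # nothing is masked in start-up
        return "VISUAL_ONLY"                   # masked: graphics and C&E only

    def reset(self):
        """Operator reset; refused until every member has returned to normal."""
        if self.active:
            return False
        self.first_out = None
        return True

# Constructed trip sequence (tag, in_alarm); tags are hypothetical.
SEQUENCE = [("PSHH-301", True), ("FSLL-302", True), ("LSHH-303", True),
            ("PSHH-301", False), ("FSLL-302", False)]

def replay(sequence=SEQUENCE):
    group = FirstOutGroup({"PSHH-301", "FSLL-302", "LSHH-303"})
    shown = [group.change(tag, state) for tag, state in sequence]
    latched = group.first_out
    refused = group.reset()            # LSHH-303 is still in alarm
    group.change("LSHH-303", False)
    accepted = group.reset()           # whole group normal: latch releases
    return shown, latched, refused, accepted

if __name__ == "__main__":
    print(replay())
```
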


A2.11. Common Alarms (Group Alarms, Common Trouble Alarms)

A common alarm is a type of alarm where several related input sensors feed a single point and the panel operator’s response is identical for each individual alarm condition within the common group. This practice may exist on existing systems but is now discouraged.

The sensors are not individually alarmed but instead initiate a single alarm common to all the alarm points. A common alarm is often implemented for some skid-based sub-systems where the details of individual deviations are not relevant to the panel operator and notification of a generic equipment problem is sufficient. When common alarms are used, it is good practice to provide a graphic page that shows the status of all of the initiators of the common alarm point. Additionally, providing the first-out indication will help the panel operator to take the appropriate corrective action.

A2.12. Discrete Alarms

A discrete alarm is one that is initiated with on/off status. Digital I/O points (discrete inputs from field devices/sensors or the discrete commands sent to field equipment) are a common source used for discrete alarming.

To avoid nuisance alarms, it is important to segregate process abnormality from equipment status. Equipment status during normal operation needs to be considered as an event rather than an alarm, e.g., pump running.


ALARM REVIEW WORKFLOWS

A3.1. Monthly Alarm Review Workflow

The monthly alarm review workflow is illustrated in Figure 8.

Figure 8 Monthly Alarm Review Workflow


A3.2. Alarm Management Workflow

The alarm management workflow is illustrated in Figure 9 below.

Figure 9 Alarm Management Workflow


RULE-BASED PRIORITIZATION EXEMPLARS

General guidelines/examples for various process and non-process related alarms are given below. These are guidelines only and should be validated within the rationalization workshops.

It is important that a system SUPPLIER is engaged as part of the Rationalization/AMHAZ team to review all function blocks used in the plant ICSS and subsystems to develop the logic/sequence and alarm processing. This is essential as part of the Rationalization workshop to ensure that each alarm is prioritized and rationalized/de-activated to avoid unnecessary alarms. See Table 31.1.

Table 31.1 Rule-Based Prioritization Exemplars

| S. No. | Description | Priority |
|---|---|---|
| | Fire and Gas Detection Associated Alarms | |
| 1 | Confirmed fire, flammable gas, H2S gas detection | 1 |
| 2 | Confirmed smoke, heat detector activation | 1 |
| 3 | Un-confirmed fire, flammable gas, H2S gas detection | 2 |
| 4 | Un-confirmed smoke, heat detector activation | 2 |
| 5 | Manual call point activation | 1 |
| 6 | Detector diagnostic alarm including under range and over range | 2 |
| 7 | F&G detector in calibration mode | 3 |
| 8 | Fire suppression activation | 1 |
| 9 | Fire suppression aborted | 3 |
| 10 | Fire suppression inhibited | 1 |
| 11 | Deluge activated | 1 |
| 12 | F&G inter-trip to ESD system | 1 |
| 13 | F&G MOS (maintenance override) status | Alarm/Journal |
| 14 | F&G MOS time out | 3 |
| 15 | F&G MOS renewal | Alarm/Journal |
| 16 | F&G calibration mode | 3 |
| 17 | F&G detector fault, F&G 50% detector fault, all the detector fault | 2 |
| 18 | Manual call point contact discrepancy | 3 |
| 19 | Manual call point fault | 2 |
| 20 | Common 1ooN – voting degradation alarm | Alarm/Journal (already individual device fault has generated an alarm) |
| 21 | First out alarm | 3 |


S. No.: 22 to 48

Description:

Emergency Shutdown System Associated Alarms
Equipment trip, higher-level ESD trips
First out alarm
Deviation Alarm between 1oo2, 2oo3 voted sensor
Deviation Alarm between 1oo2D voted sensor
One of the device alarms in voted group (if no trip occurs)
Bad PV of ESD analogue sensor (1oo1), if not configured not to trip
Bad PV of ESD analogue sensor in voted group
ESD valve travel/discrepancy alarms
Command failure ESD valve (valve moved without command, valve not moved with command)
Bypass active alarm (trip/interlock impairment)
ESD trip alarms
Start-up bypass (SUB) status/time out
PST in progress
PST failure
FST in progress
FST failure
ESD device is in MOS
MOS timed out
MOS renewal
Process Control System (PCS) associated alarms
Alarms used as Independent Protection Layer (IPL)
Bad PV of PCS analogue sensor
System cabinet alarm (PCS, ESD, F&G, PLC)
Indicator of process status
PCS high or low alarm
Non-ESD valve travel/discrepancy alarms
Command failure isolation valve (valve moved without command, valve not moved with command)
Electrical System Interface

Priority: 3; 3; 2; 1; 2; 1; 2; 1; 1; 1; 3; 4; 3; 1; 3; 3; 1; 3; 1; 1; As per the highest priority between high and low alarms; 2; Alarm/Journal; As per the highest priority between high and low alarms; 3; 3 (elevated to 2 if it is critical); 3 (elevated to 2 if it is critical)

| S. No. | Description | Priority |
|---|---|---|
| 49 | MCC and Motor related Alarms single/redundant unit | 3 |
| 50 | Motor/pump failure | 3 |
| 51 | Power system diagnostic Alarms | 3 |
| 52 | UPS/Switchgear/Battery fault | 1 |
| | Third-Party Systems | |
| 53 | Third-party PLC/Controller common alarm | 3 |


ISA 18.2 – RECOMMENDED PERFORMANCE METRICS (MARCH 2016)

The ISA 18.2 recommended alarm performance metrics summary is shown in Table 31.2. This is for information and reference purposes only. The principles have been adopted in formulating the ADNOC KPIs (Table 14.2) and performance standards, which are the standard to be used in ADNOC.

Table 31.2 ISA 18.2 Recommended Alarm Performance Metrics Summary

Alarm performance metrics based upon at least 30 days of data

| Annunciated alarms per time | Target value: very likely to be acceptable | Target value: maximum manageable |
|---|---|---|
| Annunciated alarms per hour per operator console | ~6 (average) | ~12 (average) |
| Annunciated alarms per 10 minutes per operator console | ~1 (average) | ~2 (average) |

| Metric | Target Value |
|---|---|
| Percentage of 10-minute periods containing more than 10 alarms | ~<1% |
| Maximum number of alarms in a 10-minute period | ≤10 |
| Percentage of time the alarm system is in a flood condition | ~<1% |
| Percentage contribution of the top 10 most frequent alarms to the overall alarm load | ~<1% to 5% maximum, with action plans to address deficiencies. |
| Quantity of chattering and fleeting alarms | Zero, action plans to correct any that occur. |
| Standing alarms | Less than 5 present on any day, with action plans to address. |
| Annunciated priority distribution | 3 priorities: ~80% low, ~15% medium, ~5% high; or 4 priorities: ~80% low, ~15% medium, ~5% high, ~<1% highest; other special-purpose priorities excluded from the calculation |
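The rate-based rows of Table 31.2 can be computed directly from an annunciation log. The Python sketch below is an added example, not part of AGES-PH-04-003 or ISA 18.2: it bins one console's alarms into 10-minute periods and reports which metrics exceed the table's upper values. The function names, tags and the 6-hour constructed log are assumptions (the table itself calls for at least 30 days of data), and the table's approximate "~" targets are treated as hard limits.

```python
from collections import Counter

PERIOD_S = 600   # 10-minute period used by the table

# Upper bounds taken from Table 31.2 ("maximum manageable" where two values
# are given); treating the "~" values as hard limits is an assumption.
LIMITS = {
    "per_hour_avg": 12.0,
    "per_10min_avg": 2.0,
    "pct_periods_over_10": 1.0,
    "max_in_10min": 10,
    "top10_pct": 5.0,
}

def alarm_metrics(events, window_s):
    """events: (t_seconds, tag) annunciations for one operator console."""
    n_bins = int(window_s // PERIOD_S)
    if n_bins == 0:
        raise ValueError("observation window shorter than one 10-minute period")
    in_window = [(t, tag) for t, tag in events if 0 <= t < n_bins * PERIOD_S]
    bins = [0] * n_bins
    for t, _ in in_window:
        bins[int(t // PERIOD_S)] += 1
    total = len(in_window)
    by_tag = Counter(tag for _, tag in in_window)
    top10 = sum(n for _, n in by_tag.most_common(10))
    return {
        "per_hour_avg": total / (n_bins * PERIOD_S / 3600),
        "per_10min_avg": total / n_bins,
        "pct_periods_over_10": 100.0 * sum(b > 10 for b in bins) / n_bins,
        "max_in_10min": max(bins),
        "top10_pct": 100.0 * top10 / total if total else 0.0,
    }

def exceeded(metrics, limits=LIMITS):
    """Names of metrics above their limit, in table order."""
    return [name for name, limit in limits.items() if metrics[name] > limit]

def sample_log():
    """Constructed 6-hour log: one background alarm per period plus a burst."""
    events = [(i * PERIOD_S + 30, f"TAG-{i % 20:02d}") for i in range(36)]
    events += [(5 * PERIOD_S + 60 + 20 * k, "LT-130") for k in range(14)]
    return events

if __name__ == "__main__":
    m = alarm_metrics(sample_log(), 6 * 3600)
    for name, value in m.items():
        print(f"{name:22s} {value:8.2f}")
    print("above limit:", exceeded(m))
```
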


EEMUA 191-GUIDELINES FOR TESTING OF ALARMS

A6.1. Management of Testing

A strategy should be developed for the testing of alarms.

In particular, the strategy should address the testing of safety related alarms to assure their reliability, where the test interval should be calculated to achieve the required target PFDavg. Testing of other higher priority alarms may be required where there is a financial or environmental justification. Testing is unlikely to be necessary if the correct functioning of the alarm is regularly demonstrated in normal operation or where the effects of failure of the alarm do not justify testing.

There should be written test procedures. These may be generic for a number of devices or specific to the individual device. The test procedures should specify realistic tolerances on the point at which the alarm should become active (typically within ± 2.5% span of the alarm setting). This should be done to ensure that results do not depend on the subjective judgement of the person carrying out the test.

Testing should be carried out by suitably trained competent individuals. The operator may need to take an active part in the test. Whether the operator does so or not, they should be kept aware of which alarms are being tested. It may be appropriate to divert alarms from the normal operator display while testing.

Results of the tests should be recorded, and these should be the results as found. Corrective actions should be recorded. The status and results of individual tests should be monitored. An overall review of the results of testing should be carried out periodically. It is good practice to review test results over time as it may be possible to amend test frequencies.

Testing should be carried out on the equipment as found. Any necessary maintenance, e.g., clearing of impulse lines, should be carried out following, not before testing.

Ideally, faults should be rectified at the time of testing. Where this is not appropriate, rectification should be initiated with the appropriate priority. The operator should be made aware of any outstanding defects.

A6.2. Test Methodology

Where it can be done safely and without significant economic loss, and provided that it can be carried out in an acceptably short period of time, the test should be carried out by driving the alarmed process variable into the alarm state. This may be especially appropriate for some flow and level alarms.

Where simulation of a measurement is necessary, this should be done by injecting a signal into the primary side of the transmitter via the impulse piping and ensuring that the alarm operates at the appropriate point.

It is emphasized that alarms should not be tested by altering the alarm setting; this does not prove that the transmitter is capable of achieving the appropriate output. Similarly, alarms from smart instruments should not be tested by artificially overwriting the instrument output.

Where blockage of the impulse lines to an instrument is credible, the test should include a check that the impulse lines are clear.

Where there are alarms and trips on the same measurement, trips should be tested at the same time.

Batch plants may require different alarm settings for different products. Consideration should be given to testing before the first batch of each different product.

Different parts of the loop may be tested at different times, and, if appropriate, at different intervals, provided that, for safety related alarms, the required PFDavg is achieved.


5.0 APPENDIX 2 ALARM DATABASE WORKSHEET TEMPLATE


Alarm database template.xlsx

Worksheet column headings: Item | Tag No. | Service | Type | P&ID No. | Cause | Consequence | Corrective Action | Operator response time | Min | Max | Unit | LL | L | H | HH | DCS Range | Severity | S | E | A | Priority | Dynamic Suppression applicable (Y/N) | Static Suppression applicable (Y/N) | Credited in SIL or not | Remarks

Item rows: 1, 2, 3, 4, 5
