Friday, October 21, 2016

Why do you have too many alarms?

These days it happens several times every month, that I receive emails from ABB or GE about their offerings in the area of SCADA systems. I have started wondering if the decision about which SCADA systems to buy has moved from the engineers and operators, who will use it in their day to day work, to the supply department, just like buying paper for the photocopier/printer or coffee for the office coffee-machine. The latest email from GE had a link to their so-called blog shown below:
This made me think: Why is it, that we have too many alarms in our chemical plants and refineries today?

When I worked at a major facility in Sarnia many years ago, the process engineers in charge of the plant had an alarm policy, which among other things stated, that if you implemented an alarm, then you needed to specify what action you wanted the operator to take, when that alarm came in. The result was, that our Honeywell process control system only generated 2-3 alarms every hour on most days, and that it took the process engineer just a few minutes to scan the alarm log from the night shift.

To be fair to today's plant and control engineers, there were also two of us control engineers to ensure that the process control system did control the plant most of the time. Great efforts were taken to maintain the basic flow-, level- and temperature-control loops as well as the supervisory loops on cracking furnaces or distillation towers. My guess is, that today this manpower has been significantly reduced, and hence the basic and supervisory control loops are not as well tuned as 30 years ago. That is a shame! Because without a well tuned set of basic control loops any attempt to implement a unit wide model based control, such as MPC, to operate the facility as close to a constraint as possible will most likely fail.
Because of our well tuned supervisory control loops the facility did not implement MPC until the mid nineties - many years after I left. However, when those MPCs were finally implemented they were equipped with operator displays based on our experience from the supervisory control loops. This meant, that the operator decided which constraint the MPC should take into account, and that the operator could see which constraints were active. That transparency made the MPCs a huge success - even with the mentioned manpower reductions.

I am certain Alicia Bowers, who wrote the blog for GE, is an intelligent writer, but I don't buy her suggestions, that the many alarms can be handled by
  • Using analysis tools to reduce the number of alarms that occur.
  • Drive response on the alarms that matter.
  • Leverage HMI/SCADA design best practices.
I think a more fundamental look at who and what decides when and where an alarm is implemented is needed together with a look at the tuning of the basic control loops. After all most alarms are properly implemented to notify the operator about a deviation, which the basic control loop is unable to cope with. So let us go back to basics:
  • Tune your basic control loops well. This can take time. I recall one of our instrument engineers spending several weeks tuning our polyethylene reactor temperature control loop.
  • Implement only alarms for which a specific operator action can be identified. This properly requires input from experienced operators.
When that is done, then consider providing the operator with displays that are consistently designed either according to best practices such as defined e.g. by the Abnormal Situation Management Consortium or by a company display design guideline.

And now about the question in the title of the blog. I think the many alarms that many operators have to cope with are a result of it being too easy to implement alarms in a modern SCADA system. For example it is not uncommon for a supplier of a pump to request and get implemented several dozen alarms on a simple large pump. Most if not all of these alarms are irrelevant for the operator during day to day operations, and in my view should never be implemented as alarms. These pump related events are relevant for maintenance of the pump, and hence should just be logged to an event file, which the maintenance engineer could then review and take action on.

One approach to limit the number of alarms implemented on a SCADA system would be to simply require, that all new alarms are subject to a MOC review - even those implemented during a project. After all most SCADA systems don't come with any alarms preconfigured. So the implementation of an alarm is a change to the SCADA system, which should be subject to MOC review.
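
The two rules above (an alarm needs a defined operator action, and a new alarm needs an MOC review) can be checked mechanically against an alarm database export and a shift log. This is an added example, not part of the original post; the field names, tags, MOC references and log lines are constructed for illustration.

```python
from collections import Counter

# Constructed alarm database export; field names, tags and MOC refs are assumptions.
ALARM_CONFIG = [
    {"tag": "TIC-101.PVHI", "operator_action": "Cut catalyst feed", "moc_ref": "MOC-A"},
    {"tag": "LIC-305.PVLO", "operator_action": "Start spare reflux pump", "moc_ref": ""},
    {"tag": "P-201.VIB_HI", "operator_action": "", "moc_ref": "MOC-B"},
    {"tag": "P-201.SEAL_TEMP", "operator_action": "", "moc_ref": ""},
]

# Constructed night-shift log, one "<ISO timestamp> <tag>" entry per line.
ALARM_LOG = """\
2016-10-20T02:05:10 P-201.VIB_HI
2016-10-20T02:05:12 P-201.SEAL_TEMP
2016-10-20T02:17:40 TIC-101.PVHI
2016-10-20T02:31:03 P-201.VIB_HI
2016-10-20T03:02:55 LIC-305.PVLO
2016-10-20T03:40:21 P-201.SEAL_TEMP
2016-10-20T03:41:00 XV-999.FAIL
"""

def classify(entry):
    """Apply the two rules to one configured point."""
    if not entry["operator_action"].strip():
        return "event_log"   # no operator action: maintenance event, not an alarm
    if not entry["moc_ref"].strip():
        return "needs_moc"   # actionable, but has not been through MOC review
    return "alarm"

def review(config):
    """Map every configured tag to its verdict."""
    return {entry["tag"]: classify(entry) for entry in config}

def hourly_rates(log_text, decisions):
    """Per-hour counts as configured today and after the policy is applied."""
    before, after, unknown = Counter(), Counter(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, tag = line.split(maxsplit=1)
        hour = stamp[:13]                  # "YYYY-MM-DDTHH"
        before[hour] += 1
        verdict = decisions.get(tag)
        if verdict is None:
            unknown.add(tag)               # fires but is absent from the export
        if verdict != "event_log":
            after[hour] += 1               # still reaches the operator
    return dict(before), dict(after), unknown
```

Tags that fire without appearing in the export are still counted as operator alarms and returned separately, since an alarm nobody configured on record is itself a change that bypassed review.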

Friday, October 14, 2016

Do Electrical Area Classifications Require Detailed Release Calculations? No!

The August issue of Hydrocarbon Processing published an article titled "Consider post-design changes to confine a hazardous area". From the title it is unclear whether we are looking at toxicity hazards or flammability hazards. However, in the introductory paragraph it becomes clear, that the subject is electrical area classification, since it is stated, that the objective is to avoid having an ignition source and a flammable mixture in the same area. The article is written by Sanjay Bapat from Petrokon Utama Sdn Bhd in Brunei, and it contains three sections: Introduction, Analysis of HAC classification, and Recommendations.

Mr. Bapat states, that a hazardous area represents the volume of the plant, which contains significant quantities of flammable mixture during normal operations, startup or shutdown. This statement is not directly wrong, but as far as electrical area classification is concerned, the classification depends on the likelihood of hydrocarbons being present in the area. For example an area in which hydrocarbons are present all or most of the time during normal operation is classified as Zone 0. Zone 1 are areas, where hydrocarbons could be present during normal operations, and Zone 2 are areas, where hydrocarbons may be present during abnormal events or operations.

Mr. Bapat proposes to perform numerous release calculations from potential sources, such as flanges, and states that areas are designated Zone 0, 1 or 2 depending on release duration and type of ventilation. He further states, that areas are classified to minimize the likelihood of flammable mixtures spreading over ignition sources. According to Mr. Bapat the key steps in area classification are:
  1. Identify the release sources and establish the size.
  2. Identify the fluid category that could be released through each source, along with its operating temperature and pressure.
  3. Estimate the hazard radius from the standard, or by performing dispersion calculations.
  4. Establish duration of release and nature of ventilation, and determine the zone type.
  5. Identify the cloud limits and build the hazardous area boundaries.
  6. Perform analysis.
  7. Recommend the gas group (allowable energy) and the temperature class (allowable maximum temperature) for electrical equipment.
These seven steps look to me like what one does, when using the Dow Chemical Exposure Index and/or the Dow Fire & Explosion Index. As I recall from ATEX presentations I have attended, electrical area classification does not involve release calculations at all.

The figure above is titled "Example of a hazardous area classification". Some of the elements are structures one encounters in onshore facilities, such as control room, internal and external roads (properly should have been separated), admin. building, and some are mostly encountered on offshore facilities, such as helideck and boat landing (properly also should have been separated). Others, such as "Unrestricted vehicle movement" and "Unrestricted public movement", seem to be properties of some of the already mentioned items, such as Internal and external roads or Admin building.

The section "Analysis of HAC classification" lists five situations in which changes to area classifications may occur:
  1. During the engineering phase, or while performing the detailed design.
  2. During capacity revamp, or rejuvenation phase (brownfield projects).
  3. During temporary operations phase that may determine the HAC.
  4. During the reassessment phase, or during the "legacy-as-building" phase.
  5. During the drawing preparation phase, due to human error.
Some of the statements which make me uncertain about the purpose of Mr. Bapat are "..the detail of each source of release is available.", "sometimes a few flanges are intentionally introduced..", "Sometimes... the flare load is increased.", "..the increased quantity of released gas increases the zone area.". Again this looks more like issues in connection with Dow Index calculations, than issues in electrical area classification.

As far as I can see, the purposes of the five subsections listed above are not clear. The final section lists nine recommendations relating to confining hazardous area and zone sizes:

  1. Involve competent personnel.
  2. Plan the piping routing study early.
  3. Consider procedural controls.
  4. Select the right fluid category.
  5. Select normal operating conditions. 
  6. Size of release source should be precise.
  7. Consider performing dispersion calculations.
  8. Consider operation of pressurization unit.
  9. Isolate all ignition sources.
As far as I can tell none of these so-called recommendations have anything to do with electrical area classification in plant or laboratory. Also some provide advice, which is not in line with proper safety practices, such as e.g. selecting process conditions, which limit the area influenced by a release.

The article provides two references to respectively a website about the US electrical area classification and a website about the UK electrical area classification. Neither of these has any information about performing release calculations in connection with electrical area classification.

I hope, that Hydrocarbon Processing will soon re-visit the topic of area classification at facilities processing hydrocarbons both from the point of view of electrical areas and from the point of view of fires and explosions. But writer competence is as important here, as maintenance competence is for keeping our production facilities safe.