SYMPOSIUM SERIES NO.

156 Hazards XXII # 2011 IChemE

NEW ALARMS AND ALERTS FROM OPERATING ENVELOPES DRIVE ECONOMIC

BENEFITS AS WELL AS SAFER PROCESSES

Robin W. Brooks, Alan Mahoney, John Wilson, and Na Zhao

Process Plant Computing Limited (PPCL), Gerrards Cross, Bucks, UK

Quantifying the economic value of an Alarm System, or even the value of rationalising it, has rarely
been attempted. Alarm Systems are in that category of things imposed upon a plant either by legis-
lation or by the fear of litigation and backed by bodies such as OSHA and HSE or, in the case of
operator alarms, that come over-enthusiastically configured as part of the DCS along with the built-
in need for a later rationalisation project to make them usable. Few, if any, plants actually know
the value, as opposed to the cost, of their alarm systems hence they can not justify and do not see
a need to initiate projects involving additional expenditure on, for instance, alarm rationalisation or
on-going continuous improvement of the alarm systems.
The root cause has been lack of a fundamental understanding of alarms exemplified by the fact
that there has never previously been a general method to find values at which to set the alarm limits,
although this is where many or most of the problems of alarm systems begin and therefore could
end. We show that alarms should be related to the Operating Envelope required to achieve the
plant’s business objectives and so provide a general and easily implemented method for finding
alarm limit values. Operating Envelopes have been poorly understood, although the term is in
common use, and no method for finding or using them has existed. We show how they are
easily found for various business and process objectives and how they are related to alarm
limits. The example used throughout this paper is a hydro-desulphurisation (HDS) unit having
three distinct Modes of operation.
In this paper we show that Alarm Limits and Operating Limits are linked by the Operating Envel-
ope. They should in principle be the same, thus allowing Alarm Limits and their rationalisation to
benefit from the well-developed economic understanding already in existence for Operating Limits.
That they are not the same today is probably because it was not previously possible to see, compare
and work with Operating Envelopes.

Alarms in a process plant fall into one of two categories. possible consequential plant damage and operator alarms
They are either Operator Alarms (aka. Economic Alarms) give the operator time to intervene and correct the situation
which form the first line of defence against process mis- so that they also have an “insurance premium” value in
operation or mal-function or they are Safety Alarms which reducing the demand upon the safety system and thus the
form the second and usually the last line of defence. This small possibility that it will fail when called upon. More
main subject of this paper is Operator Alarms. significant though is that these alarms are often known
Safety Alarm Systems are responsible for taking collectively as “Economic Alarms” because they are also
control and shutting down the process in extreme process intended to help the operator in the achievement of the
excursions which both the process control system and the plant’s economic objectives by assisting him in keeping
operator have been unable to prevent. The value they the plant inside the operating envelope where these objec-
provide is in preventing a loss-of-control from turning into tives can be achieved. Most plants would describe this as
a disaster with liabilities and costs that can run into hundreds “Normal” operation and imagine that their alarm limits
and even thousands of millions of dollars. The costs of a are positioned around, and thus define, the boundary of
Safety Alarm System are viewed as an insurance premium the Operating Envelope within which desired economic
against the economic consequences of a disaster that most results are achieved similarly to Figure 1. This would
plants will never experience. suggest that (a) alarm limits are ideally the same as operat-
ing limits and (b) the economic cost of violating an alarm
limit is the delta cost between the material produced while
OPERATING ENVELOPES in alarm and the operating costs of desired and undesired
Operator Alarm systems are intended to draw the process operation.
operator’s attention to a situation beyond the capability of The “Operating Envelope” noun-phrase has been
the process control system to prevent and requiring appli- used by generations of chemical engineers to describe a
cation of his considerably greater human intelligence to closed boundary with different properties of something
resolve and correct before the safety system intervenes inside and outside the boundary. It is obviously multi-
and trips or shuts down the plant. Automatic plant shut- variable or multi-dimensional but that meant that we
downs are expensive in terms of lost production and couldn’t draw a picture of it.

298
SYMPOSIUM SERIES NO. 156 Hazards XXII # 2011 IChemE

Figure 2. How we think of an Operative Envelope of two

process variables and several quality constraints expressed as
functions of the two process variables

alarm limits to cover all three Modes. When these are super-
imposed on the graph in Figure 7 as red triangles it is
Figure 1. The Vision – Alarm limits defining the Operating immediately apparent that there has been some attempt to
Envelope move some of the alarm limits inside the black area to
equal operating limits, thus alarming undesired operation
and so defining the economic Operating Envelope. Other
The problem of how to see all of the process variables
limits have been set so wide that they will never annunciate.
in one graph is one of n-dimensional geometry which was
They are “good actors” in previous uni-variate alarm ration-
fully described by Riemann1 in 1853 using equations too
alization terminology so would receive no attention and
complex to be solved except in the simplest cases and
might escape the HazOp scrutiny of the multi-disciplinary
without pictures. The problem shown in Figure 2 and
Alarm Review Panel.
Figure 3 of how to represent the fourth axis remained as
The performance of the alarm system is poor in that
an obstacle to understanding of higher-dimensionality geo-
there are typically five – seven alarm annunciations per
metry until Inselberg2 discovered the parallel coordinate
hour (Figure 8) and a Standing Alarm Count (Figure 9) of
transformation in the 1980s. Instead of trying to draw the
four –five during normal operation. During Standby Mode
axes orthogonally he drew them parallel to each other
(low values of most variables) the alarm display showing
causing the representation of a point to transform to a
41 variables in alarm during standby means that any real
poly-line as in Figure 5.
alarm has a high probability of going unnoticed. This
Adding more points to the graph produces distinctive
alarm system conforms to the EEMUA 191 and ANSI/
patterns as in Figure 6, which is the purpose of a graph, and
ISA SP18 guidelines in its Human Factors performance
for the first time gives the ability to see with our own eyes
where the process has operated and how the variables inter-
act with each other. This data came from an oil refinery
hydrodesulphurisation (HDS) unit and is part of a graph of
178 variables at 13,444 5-minute intervals gathered by the
process historian during three months of unit operation.
This plant operates at different times in one of three
main operating Modes3 of Standby, Kerosene desulphuriza-
tion and Light Gas Oil (LGO) desulphurization. This largely
accounts for the bands that are such a prominent visual
feature. Like most plants today, they have one set of

1
Bernhard Riemann’s inaugural lecture Nature, Vol. VIII. Nos. 183,
184, pp. 14–17, 36, 37.
2
A. Inselberg, Parallel Coordinates, DOI 10, 1007/978-0-387-68628-
8_5, Springer Science þ Business Media 2009.
3
Modes refer to the operating intention set by the production planner
whereas States are usually taken to refer to the actual State the plant Figure 3. But because the quality constraints are also functions
is operating in now. We think of the relation of States to Modes in of several other process variables they change when those
the same way as that of PV’s to SP’s. process variables change

299
SYMPOSIUM SERIES NO. 156 Hazards XXII # 2011 IChemE

results from alarm limits generated using the methods

described in this and an earlier paper.5 The objective in
both cases was to produce product within specifications as
measured by subsequent laboratory analyses. Alarms
raised with the traditionally set alarm limits were false
49% of the time whereas those raised by the new methods
for finding Alarm and Alert Limits described in this paper
were false only 10% of the time. The 10% was further
reduced by improved choice of variables in the envelope.
Reducing the total number of alarms annunciated by
39% also reduced the Annunciation Rate, in a similar
proportion.
The discussion has moved to alarm limits because it
Figure 4. The operating envelope is 3-d and alarm limits form is apparent that the dense coloured areas of the parallel
a box coordinate plot are composed of a cloud of points whose
envelope is an Operating Envelope of the process. It is the
Envelope of all operation during the three month period
but this anomaly simply emphasises that there is a missing so contains process excursions and periods when process
quantitative guide measuring the “goodness” of an alarm faults and problems were known to exist. Removing these
system and/or the “quality” of its alarms in protecting the from the graph would leave the Envelope of safe process
process. operation.
Few have attempted to measure the “goodness” of There are many possible Operating Envelopes corre-
their alarms. One case that we were associated with sponding to many possible Operating Objectives (not all are
during a field trial was performed by Ineos Chlor, necessarily desirable) and we can see them in historical
Runcorn, UK4 to prove the quality of the alarms on a real process data by applying the operating objective criteria to
process. They defined alarm quality quantitatively as the select and highlight points that met that objective giving
proportion of false alarms and defined an alarm as false if what most would regard as the Envelope of Normal oper-
subsequent laboratory analysis received several hours later ation. At last we can see an Operating Envelope composed
showed that the product had actually been good at the of as many variables as we wish and shown in as many
time of the alarm and vice versa thus effectively adopting dimensions as necessary. We will go on to see that alarm
the viewpoint of Figure 1 that alarms should delineate the limits and operating limits are merely simple ways to get
boundary of Normal Operation. Ineos Chlor reset their a first approximations of two Operating Envelopes as hyper-
alarm limits using the best experience and knowledge of cubes, which begins to take account of variable interactions
the plants engineers and the results were compared with compared to the strictly univariate methods of the past, and

Figure 5. The parallel coordinate representation of a point in 27 dimensions

4
D. Armstrong, M. Tyrrell, S. Casey, Ineos Chlor Ltd. R. Brooks,
R. Thorpe, J. Wilson, Curvaceous Software Limited. First Experiences
5
at Ineos Chlor Ltd. with GPC for Product Quality and Process Oper- Brooks, R., Thorpe, R., and Wilson J. A New Method for Defining and
ations Improvement. Proceedings of the AspenWorld Conference, Managing Process Alarms and for Correcting Process Operation when
November 2002. Also available via www.ppcl.com. an Alarm Occurs. Journal of Hazardous Materials 115(2004) 169– 174.

300
SYMPOSIUM SERIES NO. 156 Hazards XXII # 2011 IChemE

Figure 6. Part of the operating data for an HDS Unit during three months of operation

Figure 7. Existing HiLo alarm limits superimposed upon three months of operating data

Figure 8. Annunciations per hour peak at 22 during this 92 day period

301
SYMPOSIUM SERIES NO. 156 Hazards XXII # 2011 IChemE

Figure 9. The count of Standing Alarms peaks at 41 during the Standby period and is never less than 3 during the whole 92 days

Figure 10. Kerosene Mode is in pink, Gas Oil Mode is blue and Standby Mode is green. One set of alarm limits (the red triangles) set
at the boundary of where the plant has actually operated will be used for all three Modes. This is “Lumped Mode” Alarming and is how
most plants operate today

later in this paper will introduce Alerts to give a much better filtering out all but a few alarms depending upon the Mode
representation of an Operating Envelope. that they are in.
Moving the alarm limits to the boundaries of where The new “Lumped-Mode” Alarm Limits of Figure 10
the process has operated safely will cure the problems of give the immediate improvement that can be seen by
the alarm system and most likely allow conformance to comparing Figure 11 with Figure 8 and Figure 9. The
the EMUA6/ISA SP187 guidelines but will not, in this hourly annunciation rate peaks at 5 instead of 22 and the
case, assist the operator in achieving operating objectives standing alarm count has one peak at 11 instead of 22
(and thus allow the alarm system to demonstrate an econ- with other infrequent peaks that are rarely greater than 2
omic value) unless we first separate this process into its and at zero otherwise compared to the “never less than 3”
three Modes of operation. This has been done in of the past.
Figure 10. With the existing alarm limits superimposed it The Lumped-Modes Limits will be further improved
can be seen that some of them coincide with extremes of during the Alarm Review, which will be considerably
the pink Kerosene Mode band and others with the blue assisted by the ability that is lacking today to confidently
LGO Mode band. Perhaps the operators have been mentally predict the annunciation rates and standing alarm counts
that would have resulted from any set of alarm limits
6
Alarm Systems. A Guide to Design, Management and Procurement.
having been in use during the time period of the data. The
EEMUA Publication No. 191: 1999 London. ISBN 086931 076 0 much better operating environment that results will give
www.eemua.co.uk. confidence and a realisation that the alarm system can be
7
ISA SP18.02 Management of Alarm Systems for the Process Indus- improved to positively assist operators in achieving their
tries. operating objectives which it does not do today.

302
SYMPOSIUM SERIES NO. 156 Hazards XXII # 2011 IChemE

Figure 11. Annunciation Rate per hour and Standing Alarm Count with the “lumped-mode” alarm limits of Figure 10

ALARMS BY MODE OF OPERATION Figure 10 that ranges of values of variables used by each
The next level of improvement is to separate the process Mode often have considerable overlap which will make
Modes and define a set of alarm limits for each Mode sep- the construction of an automatic State Detector difficult so
arately at the limits of where the plant has operated in that it is probably better, at least initially, to have the Operator
Mode. These values can then be used as the starting point select the Mode he wishes to operate in.
for the alarm review process as before. Figure 12 shows Figure 13 shows in pink the Kerosene Mode only
the hourly annunciation rate and standing alarm count operations and alarm limits from Figure 10 with, in tur-
for Kerosene Mode. The improvement over Figure 11 is quoise, the Operating Limits derived from the subsequent
clearly visible. lab analyses when the Kerosene was in specification. The
Alarm monitoring and annunciation will still be per- obvious question is why should the Alarm Limits be
formed by the DCS with the addition of a facility to outside the Operating Limits? The definition of “Normal”
switch between (or download) the appropriate set of alarm in Figure 1 implies, at the least, making product that is sale-
limits when the operating Mode changes. It can be seen in able and hence in specification. The conclusion is that

Figure 12. Annunciation Rate and Standing Alarm Count when in Kerosene Mode with Mode-based alarm limits

303
SYMPOSIUM SERIES NO. 156 Hazards XXII # 2011 IChemE

Figure 13. In-Specification Kerosene in turquoise on top of the Starting Alarm Limits for Kerosene Mode

Alarm Limits and Operating Limits are and should be two for the operator looks no worse than, for instance, that in
names for the same thing and that wherever pink is visible Figure 12. Why hasn’t this been done already? Probably
in Figure 10 or Figure 13 is bad or abnormal operation because no one could see the in-spec Operating Envelope
that should be eliminated with better operation, better so process control improvements were applied without
process control and better process understanding. being able to see where improvement was really required.
Figure 14 shows what would happen if the Operating To set alarm limits that will achieve the operating
Limits of In-Spec Kerosene in Figure 13 were used as alarm objective with fewer alarms than in Figure 14 we first set
limits today with no change in operation. Operating Limits on the necessary process variables.
The result in Figure 14 is sufficiently good to indicate These will alarm if we attempt to operate outside the
an achievable objective. The question to ask repeatedly until normal space but won’t necessarily alarm well for abnormal
the whole site becomes involved in answering it is “why do situations involving other variables. We introduce
we operate outside of our in-spec product Operating Envel- additional alarms on other variables from consideration of
ope?” The answer will be to use Figure 13 as a guide to unusual conditions that could occur and position these
explaining why pink areas are present while steadily alarms at the edges of the operating space so that they
improving operations and/or process control until it is prac- cannot alarm during unless there is an abnormality. We
tical to operate there all of the time and the alarm situation find which variables are necessary for operation using a

Figure 14. Annunciation Rate per hour and Standing Alarm Count for In-Spec Kerosene Operating Limits

304
SYMPOSIUM SERIES NO. 156 Hazards XXII # 2011 IChemE

Figure 15. Showing part of the result of the question “how much better would the process perform if it were operated in the turquoise
ranges of the in-spec kerosene query”. Yield would rise from 24% to 30% even if there were no change in operating practices. Note
that operating limits are not imposed on the variables to the right of N03TI609.

patented algorithm called the Box Query which answers the many alarms around that boundary as we wish without
question of (a) how well would the plant perform if we oper- fear of the annunciation rates becoming unmanageable
ated in the turquoise ranges projected onto the process vari- (see Figure 16).
ables by the query on the quality specifications in Figure 13 It is a fairly radical concept to set the HiLo alarm
and (b) what is the order of importance of these variables in limits at the boundary of the economic operating envelope
achieving this result. The algorithm works by finding the primarily because process control, economic objectives
lowest dimensionality box that encloses all the turquoise and process alarms have always been treated as separate
points on the process variables. It defines the Selectivity topics with only the process operator being concerned
of each process variable as the ratio of selected to rejected with all three. The Operating Envelope is actually the
points within the operating range, selects the most selective missing unifying root of all three.
variable and then repeats the calculation on the remaining Being able to isolate Modes of operation also allows
variables and points stopping when all turquoise points the actual achievement while in that Mode to be examined
have been selected. An example is shown in Figure 15 and causes for non-achievement identified. Immediate
where the order of importance is shown by the left-to- improvement is obtained by re-setting operating limits/
right ordering of the variables with those having no red tri- alarm limits to be consistent with the economic objectives.
angles not contributing further to reducing variability. It is This also provides a way of, first, identifying the variables
these unselected variables to which we can apply additional where process control most needs improvement and,
alarm limits in anticipation of abnormal or unusual situ- second, continuously tracking improvement progress.
ations that require to be alarmed but by setting them at the
bounds of the turquoise ranges they will not cause alarms ALERTS FROM THE OPERATING ENVELOPE
during normal operation. We have defined the boundary But, delineating the operating envelope with fixed ranges
of Normal Operation as in Figure 1 and can now put as of values on individual variables ignores the richness of

Figure 16. Four years of operation showing the better operation and reduced number of trips (yellow) in the second two years after
alarm limits were brought inside the limits of operation of the previous two years

305
SYMPOSIUM SERIES NO. 156 Hazards XXII # 2011 IChemE

the cloud of blue Gas Oil-Mode points in Figure 10 has

already been found as the cloud of blue points inside the
fixed alarm/operating limits. We just take the blue points
and then use a wrapping algorithm to find the envelope.
The result has proven to be most effectively shown as a
real-time “you are here” display such as that in Figure 18.
Here the fixed Alarm/Operating limit values are on the hori-
zontal grey lines at the top and bottom and the black dots
indicate the value now of each process variable. These
black dots are collectively the current process operating
point. The green lines indicate the space available around
Figure 17. 3-variable hypercube enclosing the Operating
the current operating point when all variable interactions
Envelope
are taken into account. These green lines move at every
time-step as the process operating point changes.
Violations of the green space are multi-variable
variable interactions that occurs in all processes and is excursions outside of the Operating Envelope and are
geometrically equivalent to constructing a hypercube that called “Public Alerts”. They are distinguished from
encloses the used part of a variables operating envelope as Alarms because (a) their limit values are not fixed (b) they
illustrated in the simple 3-variable example in Figure 17 are not included in the Change Management requirements
where it is apparent that fixed values for operating limits/ that are normally mandatory for fixed Alarm Limits.
alarm limits don’t adequately describe the shape of the oper- “Alerts” exist already in some plants and are used by
ating envelope. But, for everyday use they are simple and Operators for their own individual purposes such as setting a
widely used. Making them consistent so that they form a reference value such that they can see some time later
hypercube is the first step in improvement. whether it was reached or passed. Used this way they are
The second step is to model the shape of the operating specific to one operator but very valuable to him so we
envelope itself by finding visually the cloud of multi- propose they should be re-named “Private Alerts” to dis-
dimensional points where the desired objective has pre- tinguish them from the “Public Alerts” that we have just
viously been achieved and then wrapping the cloud in a introduced to you.
skin to obtain the operating envelope. This is much easier The geometric basis for the calculation of the green
than it sounds requiring no further effort since, for instance, lines is remaining interior to the cloud of points so that

Figure 18. Public Alerts have the objective of keeping the process inside its fixed Alarm/Operating Limits

306
SYMPOSIUM SERIES NO. 156 Hazards XXII # 2011 IChemE

should the process stray outside the green space it is possible methods of working. We have shown how a Multi-Mode
to calculate, using geometry, the smallest distance to move process (and all processes have at least two Modes viz.
the manipulable process variables in order to bring the oper- Operating and Shutdown) can be treated as a Lumped-
ating point back inside the Operating Envelope. This gives Mode process with one set of alarm limits as is usually
the operator intrinsically safe advice to correct the process the situation today and how it can easily be separated into
problem and avoid a violation of the fixed alarm/operating its Modes and separate sets of alarm limits found and
limits. One model can handle multiple Modes of operation implemented for each Mode. We have also shown how to
by including the Mode number as a variable in the model. proceed beyond the limitations of fixed limits with little
additional effort to a new dynamic method of operator gui-
dance allowing operation even as tight as the capabilities of
modern process control systems will allow. And by showing
CONCLUSIONS that Alarm Limits and Operating Limits are, or should be,
So, starting from process history data instead of alarm log the same we can use the same well-developed methods of
data and using a wholly graphical method we have shown calculating value from the reduction of excursions outside
how fixed alarm limits and operating limits are first approxi- operating limits for calculating value from alarm limits,
mations to Operating Envelopes and should be combined thus giving an economic Rationale to Alarm Rationalization
and can be improved with little or no change to existing and to Alarms as a whole.

307