-PUBLIC -

N-2900 ENGLISH 11 / 2010

Alarm Management

Procedure

CONTEC - Comissão de Normalização Técnica
SC - 10 Industrial Automation and Instrumentation

The CONTEC - Authoring Subcommittee provides guidance on the
interpretation of this Standard when questions arise regarding its contents. The
Department of PETROBRAS that uses this Standard is responsible for adopting
and applying the sections, subsections and enumerates thereof.

Technical Requirement: A provision established as the most adequate and
which shall be used strictly in accordance with this Standard. If a decision is
taken not to follow the requirement (“non-conformity” to this Standard) it shall be
based on well-founded economic and management reasons, and be approved
and registered by the Department of PETROBRAS that uses this Standard. It is
characterized by imperative nature.

Recommended Practice: A provision that may be adopted under the conditions
of this Standard, but which admits (and draws attention to) the possibility of
there being a more adequate alternative (not written in this Standard) to the
particular application. The alternative adopted shall be approved and registered
by the Department of PETROBRAS that uses this Standard. It is characterized
by verbs of a nonmandatory nature. It is indicated by the expression:
[Recommended Practice].

Copies of the registered “non-conformities” to this Standard that may contribute
to the improvement thereof shall be submitted to the CONTEC - Authoring
Subcommittee.

Proposed revisions to this Standard shall be submitted to the CONTEC -
Authoring Subcommittee, indicating the alphanumeric identification and revision
of the Standard, the section, subsection and enumerate to be revised, the
proposed text, and technical/economic justification for revision. The proposals
are evaluated during the work for alteration of this Standard.

“The present Standard is the exclusive property of PETRÓLEO
BRASILEIRO S.A. - PETROBRAS, for internal use in the Company, and any
reproduction for external use or disclosure, without previous and express
authorization from the owner, will imply an unlawful act pursuant to the
relevant legislation through which the applicable responsibilities shall be
imputed. External circulation shall be regulated by a specific clause of
Secrecy and Confidentiality pursuant to the terms of intellectual and
industrial property law.”

Introduction
PETROBRAS Technical Standards are prepared by Working Groups - WG
(consisting of specialized Technical Collaborators from the Company and its Subsidiaries), are
commented on by Company Units and its Subsidiaries, are approved by the Authoring Subcommittees -
SCs (consisting of technicians from the same specialty, representing the various Company Units and
its Subsidiaries), and ratified by the Executive Nucleus (consisting of representatives of the Company
Units and its Subsidiaries). A PETROBRAS Technical Standard is subject to revision at any time by its
Authoring Subcommittee and shall be reviewed every 5 years to be revalidated, revised or cancelled.
PETROBRAS Technical Standards are prepared in accordance with PETROBRAS Technical
Standard N-1. For complete information about PETROBRAS Technical Standards see PETROBRAS
Technical Standards Catalog.

PROPERTY OF PETROBRAS 24 pages, Index of Revisions and WG



Summary

Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Symbols and Abbreviations
5 Alarm Philosophy
  5.1 Objective
  5.2 Basic Requirements
  5.3 Alarm Prioritization
  5.4 Performance Indicators
6 Alarm Management Life Cycle
  6.1 Identification and Rationalization
  6.2 Detail and Implementation
    6.2.1 Characteristics of an Alarm System
    6.2.2 Implementation of Processing Strategies in the Alarm Systems
    6.2.3 Alarm System Interface Design Practices
  6.3 Commissioning and Training
  6.4 Operation and Monitoring
  6.5 Management of Change, Maintenance and Audit
Annex A - Determination of Severity due to Financial and Asset Losses
  A.1 Minor Operational Disturbances or Reduced or Negligible Equipment Damages
  A.2 Moderate Operational Disturbances or Moderate Equipment Damages
  A.3 Major Operational Disturbances or Severe Equipment Damages
  A.4 Production Loss Associated with Damage to Essential Equipment
Annex B - Procedure for Alarms Rationalization


Figure

Figure 1 - Alarm Deadband
Figure 2 - Example of Suppression of Alarms Configured in one Single Variable
Figure B.1 - Procedure for Alarm Rationalization

Table

Table 1 - Response Time
Table 2 - Determination of Priority - Loss of Production and Assets (See Examples - Annex A)
Table 3 - Determination of Priority - Environmental Damage
Table 4 - Determination of Priority - Personnel Safety
Table 5 - Metrics after Digital System Configuration
Table 6 - Performance Metrics per Priority during Operation in Steady State Regime
Table 7 - Content of the List of Alarms and Setpoints


Foreword

This Standard is the English version (issued in 10/2012) of PETROBRAS N-2900 REV. 0 11/2010
(including its Amendment - 11/2011). In case of doubt, the Portuguese version, which is the valid
document for all intents and purposes, shall be used.

1 Scope

1.1 The purpose of the present Standard is to define PETROBRAS alarm management philosophy.
This Standard applies to design, operation and maintenance of alarm systems in PETROBRAS units.

1.2 The present Standard complements ANSI ISA 18.2.

1.3 The present Standard applies to procedures initiated from the date of its issue.

1.4 The present Standard contains technical requirements and recommended practices.

2 Normative References

The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document applies.

PETROBRAS N-2595 - Critérios de Projeto e Manutenção para Sistemas Instrumentados de
Segurança em Unidades Industriais;

ANSI ISA 18.2 - Management of Alarm Systems for the Process Industries.

NOTE For documents referred in this Standard and for which only the Portuguese version is
available, the PETROBRAS department that uses this Standard should be consulted for any
information required for the specific application.

3 Terms and Definitions

For the purposes of this document, the following terms and definitions apply.

3.1
alarm
any audible or visual means that indicates an abnormal condition associated with the process or
equipment and that requires an action in a limited time.

NOTE The term equipment also applies to systems and instruments.

3.2
deviation alarm
an alarm generated when the difference between two analog values exceeds a limit.

3.3
discrepancy alarm
an alarm generated by a mismatch between the expected state of the plant or
equipment and its real state.


3.4
nuisance alarm
an alarm that announces excessively, unnecessarily, or does not return to its normal state after the
correct response is taken.

3.5
alert
a signaling less important than the alarm, characterized by operational conditions that require
attention, and whose actions shall be taken whenever time allows it.

3.6
alarm annunciation
a way to inform that an alarm condition has been reached.

3.7
alarm flood
a condition during which the alarm rate is higher than the one that can be effectively managed.

3.8
bad-actors
the alarms that, during a specified time interval, present a much higher number of annunciations than
the others.

3.9
alarm deadband
the range in which the alarm is not altered, regardless of the variation of the signal (Figure 1).

[Figure 1 - Alarm Deadband: PV plotted against time, showing the alarm setup value, the deadband, the alarm state, and the alarm annunciation and alarm return instants.]

3.10
Return to Normal (RTN)
the state in which the condition for alarm annunciation no longer exists.


3.11
event
a change in the conditions of the plant, of a piece of equipment or a variable.

3.12
alarm philosophy
the documentation that establishes the basic definitions, principles and procedures to design,
implement and maintain an alarm system.

3.13
alarm timer filter
the minimum time that a variable must remain beyond its alarm setpoint for the alarm to be
announced.

NOTE This filter can also be applied to remove the alarm annunciation.

3.14
alarm management
the processes and practices to conceive, design, document, operate, monitor and maintain an alarm
system.

3.15
alarm group
a set of alarms, determined by some logical criteria of grouping, such as: physical location, function,
system, etc.

3.16
alarm priority
the relative importance attributed to an alarm within an alarm system to indicate the urgency of a
response.

3.17
rationalization
the alarm analysis using the alarm philosophy to justify and document their conception and/or use.

3.18
Acknowledge - ACK
an action that confirms the acknowledgment of the alarm annunciation.

NOTE This does not mean solving the cause of the alarm.

3.19
shelve
a mechanism, typically initiated manually, in order to temporarily suppress an alarm.

3.20
alarm system
a set of hardware and software that enables the detection of alarm states, annunciation, and also
registers its changes.


3.21
suppression
any mechanism to prevent the annunciation of the alarm when an abnormal condition is present.

3.22
allowable response time
the maximum time between the alarm annunciation and the beginning of a corrective action on the
process, regardless where the action will be executed to avoid the consequences of the abnormal
condition.

3.23
alarm set point
a threshold value of a process variable or discrete state that announces the alarm.

4 Symbols and Abbreviations


ESD - Emergency Shutdown;
HAZOP - Hazard and Operability Study;
HMI - Human Machine Interface;
PV - Process Variable;
SCADA - Supervisory Control and Data Acquisition System;
DCS - Distributed Control System;
SIS - Safety Instrumented System;
BPCS - Basic Process Control System;
CPU - Central Processing Unit.

NOTE This document shall use the term BPCS to generally refer to automation architectures
adopted in different business segments of the company, replacing terms such as SCADA,
DCS and other similar systems.

5 Alarm Philosophy

5.1 Objective

5.1.1 The definition of a philosophy for an alarm system has the following goals:

— to ensure consistency and uniformity of the alarm management for all company plants;
— to ensure alignment with management goals and objectives;
— to allow the specification, implementation, operation, monitoring and maintenance of a
robust and efficient alarm system.

5.1.2 The alarm system does not replace the SIS, but it helps the operator to take actions that will
prevent plant shutdown caused by safety instrumented system action.

5.2 Basic Requirements

In order to comply with the definition, an alarm shall be designed with regard to human limitations, and
shall have the following features:

— relevance: shall have a defined operational significance; if no response is associated with
the signal that generates the alarm, such signal shall not be an alarm;
— singularity: the same information shall not be represented by two different alarms,
avoiding duplication of response procedures that can confuse and overload the operator;
— precision: no alarm shall be announced too long before its response is needed or too late for the
corrective actions to be taken;
— degree of importance: every alarm shall have a priority to facilitate the operator’s
decision-making;
— clarity: the alarm message shall be easy to understand and focus on the description of the
problem.

5.3 Alarm Prioritization

5.3.1 All the alarms shall be prioritized so that their interface is properly designed considering the
characteristics previously presented.

5.3.2 Alarms shall be prioritized based on the time available for the operator’s response, and the
impacts caused on the plant when no response is taken. These impacts may be related to loss of
production and assets, environmental damage and personnel safety, considering, within these
categories, the alarms set for compliance with local legislation or the company’s internal policies.

5.3.3 During the assessment of these impacts, the protection layers available in the plant shall be
considered. These protection layers may be safety instrumented functions or mechanical protection
devices such as safety valves. The lack of appropriate protection layers tends to cause the alarm to
acquire a high priority. The availability of a well designed SIS, for example, will tend to reduce the
impact related to environment and personnel safety, and increase the impact related to loss of
production, since in the absence of the operator’s alarm response, one shall consider that the SIS will
actuate. High alarm priorities may indicate a possible need for review on the upper protection
layers. The impact shall be verified in other documents (e.g., HAZOP, SIL selection) if an alarm has its
status changed to alert or if it is removed.

5.3.4 Criteria for Alarm Prioritization

5.3.4.1 The criteria presented below shall be applied to each alarm. This analysis results in priority,
which can be used to lead the operator to choose which alarm he/she shall deal with first, when two or
more alarms are announced simultaneously.

5.3.4.2 Determination of Response Time (RT)

5.3.4.2.1 Table 1 shall be used to determine the response time.

Table 1 - Response Time

| RT     | Criterion                                  |
|--------|--------------------------------------------|
| Long   | More than 10 minutes and less than an hour |
| Medium | Between 3 and 10 minutes                   |
| Short  | Less than 3 minutes                        |

5.3.4.2.2 For response times longer than one hour, any abnormal signaling shall be considered as an
"ALERT".

5.3.4.2.3 For periods of time shorter than 1 minute, it shall be evaluated whether the operator’s action can be
performed accordingly. In case this action is not possible, an automatic actuation shall be foreseen.
For periods of time between 1 and 3 minutes, special alarm annunciation mechanisms and special
training for the operation staff shall be considered in order to respond to any abnormal event.


5.3.4.3 Determination of Priority

5.3.4.3.1 The alarm priority shall be determined from the response time available to the operator
regarding the alarm and the impact on the plant if the operational action is not applied. This analysis
shall be performed using Tables 2 to 4. The highest priority value obtained shall be adopted.

Table 2 - Determination of Priority - Loss of Production and Assets (See Examples - Annex A)

| RT     | Minor operational disturbances or reduced / insignificant damage to the equipment | Moderate operational disturbance or moderate damage to repairable and low cost equipment | Significant operational disturbance or severe damage to equipment | Loss of production related to damage to essential equipment |
|--------|--------|--------|--------|--------|
| Short  | Low    | Medium | High   | High   |
| Medium | Low    | Low    | Medium | High   |
| Long   | Low    | Low    | Low    | Medium |

Table 3 - Determination of Priority - Environmental Damage

| RT     | Release within the company’s geographical boundaries with environmental consequences | Release outside the company’s geographical boundaries with environmental consequences |
|--------|--------|----------|
| Short  | High   | Critical |
| Medium | High   | Critical |
| Long   | Medium | High     |

Table 4 - Determination of Priority - Personnel Safety

| RT     | Injury with or without removal | Disability or death |
|--------|----------|----------|
| Short  | Critical | Critical |
| Medium | Critical | Critical |
| Long   | High     | Critical |

5.3.4.3.2 There shall not be different prioritization criteria for a single plant. Expansions or adaptations
of new facilities on existing plants shall go through a review of prioritization criteria according to this
standard.
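The prioritization procedure of 5.3.4 (Tables 1 to 4), written out as a lookup. This is an added example, not part of the Standard; the column labels (`minor`, `within`, `injury`, ...) are names made up here, and the treatment of the exact boundary values (3, 10 and 60 minutes) is an assumption because the tables do not state it.

```python
from enum import IntEnum


class Priority(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


LOW, MED, HIGH, CRIT = (Priority.LOW, Priority.MEDIUM,
                        Priority.HIGH, Priority.CRITICAL)

# Table 2 (loss of production and assets). Keys are hypothetical labels for
# the table's four columns, left to right.
TABLE_2 = {
    "Short":  {"minor": LOW, "moderate": MED, "significant": HIGH, "essential": HIGH},
    "Medium": {"minor": LOW, "moderate": LOW, "significant": MED, "essential": HIGH},
    "Long":   {"minor": LOW, "moderate": LOW, "significant": LOW, "essential": MED},
}
# Table 3 (environmental damage): release within / outside company boundaries.
TABLE_3 = {
    "Short":  {"within": HIGH, "outside": CRIT},
    "Medium": {"within": HIGH, "outside": CRIT},
    "Long":   {"within": MED, "outside": HIGH},
}
# Table 4 (personnel safety).
TABLE_4 = {
    "Short":  {"injury": CRIT, "disability_or_death": CRIT},
    "Medium": {"injury": CRIT, "disability_or_death": CRIT},
    "Long":   {"injury": HIGH, "disability_or_death": CRIT},
}


def response_time_class(minutes):
    """Table 1. Returns None when the signal is an alert (more than one hour).

    Assumption: exactly 3 and exactly 10 minutes count as Medium, and exactly
    60 minutes still counts as Long.
    """
    if minutes <= 0:
        raise ValueError("response time must be positive")
    if minutes > 60:
        return None
    if minutes > 10:
        return "Long"
    if minutes >= 3:
        return "Medium"
    return "Short"


def rationalize(minutes, assets=None, environment=None, safety=None):
    """Apply 5.3.4.2 and 5.3.4.3 to one candidate alarm."""
    rt = response_time_class(minutes)
    if rt is None:  # 5.3.4.2.2: longer than one hour is an ALERT
        return {"kind": "ALERT", "rt": None, "priority": None, "notes": []}

    candidates = []
    if assets is not None:
        candidates.append(TABLE_2[rt][assets])
    if environment is not None:
        candidates.append(TABLE_3[rt][environment])
    if safety is not None:
        candidates.append(TABLE_4[rt][safety])
    if not candidates:
        # 5.2 "relevance": a signal with no consequence is not an alarm.
        raise ValueError("no impact given; this signal should not be an alarm")

    notes = []
    if minutes < 1:  # 5.3.4.2.3
        notes.append("check operator action is feasible, else automatic actuation")
    elif minutes < 3:
        notes.append("special annunciation mechanisms and operator training")

    # 5.3.4.3.1: the highest priority obtained from Tables 2 to 4 is adopted.
    return {"kind": "ALARM", "rt": rt, "priority": max(candidates), "notes": notes}


if __name__ == "__main__":
    for args in [(2, "moderate", None, None), (20, "minor", "outside", None),
                 (5, "minor", None, "injury"), (90, "significant", None, None)]:
        print(args, rationalize(*args))
```
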

5.4 Performance Indicators

5.4.1 For plants operating in steady state regime, one shall aim for the value of 12 alarms per hour
per operator, regardless of the priority, as a maximum manageable value.

5.4.2 Alarm flood is characterized in the ANSI ISA 18.2 standard as more than 10 alarms in 10
minutes, per operator. An alarm flood shall be avoided by implementing strategies of detailed design
and implementation as stated in this Standard.


5.4.3 It is recommended that the distribution of priorities for all configured alarms be based on Table 5.
[Recommended Practice]

Table 5 - Metrics after Digital System Configuration

| Alarm Priority | Number of configured alarms      |
|----------------|----------------------------------|
| Critical       | Less or equal to 1 % of the total |
| High           | About 5 % of the total           |
| Medium         | About 15 % of the total          |
| Low            | About 80 % of the total          |

5.4.4 The statistical distribution of the alarm priorities, during the operation of a plant in the steady
state regime, shall be according to Table 6.

Table 6 - Performance Metrics per Priority during Operation in Steady State Regime

| Alarm Priority | Maximum rate to be aimed per operator |
|----------------|---------------------------------------|
| Critical       | See Note                              |
| High           | Less than 5 per shift                 |
| Medium         | Less than 2 per hour                  |
| Low            | Less than 10 per hour                 |

NOTE Due to consequences associated with this alarm priority, the rate to
be aimed shall be zero.
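The indicators of 5.4.1 and 5.4.2 and the bad-actor definition of 3.8, computed over an alarm journal for one operator. This is an added example, not part of the Standard; the journal, the tag names and the `factor` used to decide what "much higher" means for a bad actor are constructed assumptions.

```python
from collections import Counter, deque
from statistics import median


def build_sample_journal():
    """Constructed 2-hour journal of (seconds, tag) annunciations.

    One alarm every 10 minutes from four tags, plus a chattering alarm
    (PAH-101) that annunciates 15 times in under 5 minutes.
    """
    tags = ["TAH-201", "LAL-305", "FAL-110", "PAL-412"]
    journal = [(i * 600, tags[i % 4]) for i in range(12)]
    journal += [(3010 + k * 20, "PAH-101") for k in range(15)]
    return sorted(journal)


def alarms_per_hour(journal, period_s):
    """Average annunciation rate over the observed period (5.4.1)."""
    return len(journal) * 3600 / period_s


def flood_periods(journal, window_s=600, limit=10):
    """Periods with more than `limit` alarms in the trailing window (5.4.2).

    Returns (start, end) pairs: start is the oldest alarm in the window when
    the limit was first exceeded, end is the last alarm still in flood.
    """
    window, periods, start, last = deque(), [], None, None
    for t in sorted(ts for ts, _ in journal):
        window.append(t)
        while window[0] <= t - window_s:
            window.popleft()
        if len(window) > limit:
            if start is None:
                start = window[0]
            last = t
        elif start is not None:
            periods.append((start, last))
            start = None
    if start is not None:
        periods.append((start, last))
    return periods


def bad_actors(journal, factor=3):
    """Tags annunciating at least `factor` times the median tag count (3.8).

    The factor is an assumption; the Standard only says "much higher".
    """
    counts = Counter(tag for _, tag in journal)
    typical = median(counts.values())
    return sorted(tag for tag, n in counts.items() if n >= factor * typical)


def assess(journal, period_s):
    rate = alarms_per_hour(journal, period_s)
    return {
        "rate_per_hour": rate,
        "rate_ok": rate <= 12,          # 5.4.1 maximum manageable value
        "floods": flood_periods(journal),
        "bad_actors": bad_actors(journal),
    }


if __name__ == "__main__":
    journal = build_sample_journal()
    print(assess(journal, period_s=7200))
    # Same journal once the chattering alarm has been rationalized away.
    cleaned = [e for e in journal if e[1] != "PAH-101"]
    print(assess(cleaned, period_s=7200))
```
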

6 Alarm Management Life Cycle

Alarm Management is a process that can be viewed as a cycle, as presented by the ANSI ISA 18.2.

Alarm management shall comprise the basic and detail design of the plant, the configuration and test
stages of digital systems and the plant’s operation and maintenance phases.

6.1 Identification and Rationalization

6.1.1 Alarms listed in the Process Data Sheets of instruments shall be defined by the person in
charge of the area (process, utilities, equipment, etc.) during the basic design of the plant.

6.1.2 All alarms shall be rationalized and documented. Complementary information concerning the
alarms defined during basic design shall be provided in the Preliminary List of Alarms and Setpoints.

6.1.3 The Preliminary List of Alarms and Setpoints shall include the initiating cause, the operational
action, the operator’s response time, the impact or consequence of a non intervention by the operator,
alarm priority and strategies for suppression, if applicable.


6.1.4 Alarms not listed in the Process Data Sheet (e.g. alarm of low ratio between two flow rates)
shall also be documented in the Preliminary List of Alarms and Setpoints.

6.1.5 The executive design shall prepare a List of Alarms and Setpoints containing the information
present in the Process Data Sheets, in the Preliminary List of Alarms and Setpoints and in other
alarms identified along the project’s lifecycle.

6.1.6 The List of Alarms and Setpoints shall contain, at least, the information presented in Table 7.

Table 7 - Content of the List of Alarms and Setpoints

| Information | Description |
|-------------|-------------|
| TAG | Identification or automatic action of the alarm |
| Description | Description or automatic action of the alarm |
| Initiating Cause(s) | Factor(s) that initiate an abnormal event |
| Action | Operational procedure due to the identification of the abnormal event |
| Operator’s Response Time | Time available between the announcement of the alarm and the moment the operator shall initiate the corrective action, according to the field “RT” of the Table 1 |
| Impact | Consequences on the plant in case the action is not executed |
| Alarm Priority | Relative importance assigned to an alarm within an alarm system to indicate the urgency of the response |
| Strategy for suppression | Condition in which the alarm can be suppressed |
| Alarm Setpoint | Limit value, or discrete state of a process variable that starts the alarm or an automatic action |
| Filter | Alarm timer filter or automatic action, if applicable |
| Deadband | Alarm deadband or automatic action, if applicable |
| Notes | Applicable notes |

6.1.7 All the alarms configured in the BPCS shall be documented in the List of Alarms and Setpoints.

6.1.8 Signals that have been reclassified from alarms to events shall be kept on the List of Alarms
and Setpoints for traceability purpose.


6.1.9 Minimize the use of 2 levels of alarms (e.g. high and high-high, low and low-low). Two levels of
alarms shall only be applicable if the associated operational actions are different.

6.1.10 A SIS demand can often be avoided by an action initiated to reestablish the normal
operational condition, thus characterizing the need for a pre-trip alarm. Such alarm shall be set in a
way that the operator can act in order to avoid the SIS actuation.

6.1.11 The need for an alarm trip is justified, because actions are often required in order to provide a
faster, cheaper and safer reestablishment of the plant’s operational condition after the SIS actuation.

6.1.12 Announcements that may be characterized as alerts shall also be included in the List of Alarms
and Setpoints for traceability purposes. In this case, it is suggested to indicate such condition as a
note.

6.1.13 It is recommended to perform the rationalization of alarms with the participation of process,
automation and operation disciplines. During the analysis of some equipment such as compressors
and furnaces, the specialists of the respective areas may be invited. [Recommended Practice]

6.1.14 During the conception of the alarms, the operational feedback and good practices adopted in
the unit shall be considered. The hazard and operability study (HAZOP) of the plant is also an
opportunity for rationalization.

6.1.15 The alarm rationalization process shall be executed whenever new alarms are conceived.

6.1.16 For existing plants, the rationalization process shall review the existing alarms and, if
necessary, include new alarms. As a result of the revision, an alarm can be removed or have its
characteristics (priority, setpoint, suppression logics, etc.) altered.

6.1.17 The rationalization procedure is presented in Annex B.

6.1.18 The documentation of the alarm shall be made available for the unit and updated according to
the management of change process.

6.2 Detail and Implementation

6.2.1 Characteristics of an Alarm System

6.2.1.1 The plant’s alarm systems shall incorporate the following requirements:

— capability to differentiate alarms, alerts and events;
— capability to differentiate alarms by priority;
— capability to announce alarms by different means (color, symbols or sounds);
— capability to filter alarms by groups;
— functionalities for alarm shelving;
— capability to suppress alarms;
— capability to configure dead band or timer filters;
— capability to set off alarms with guidance messages to the operator and batch actions;
— capability to monitor and to assess the alarm performance;
— capability to create reports.


6.2.1.2 As part of the alarm system, a data collection system shall be made available for statistical
processing of alarms in order to enable the assessment of the plant’s performance against abnormal
situations and the management of alarms throughout the plant’s lifetime.

6.2.1.3 All information concerning the alarms of the plant shall be incorporated into this database
system, which will document all the alarm history, allowing for its update during the management of
change process.

6.2.2 Implementation of Processing Strategies in the Alarm Systems

6.2.2.1 Strategies for alarm processing shall be implemented in the BPCS configuration level for
suppression of alarms in real time, enabling the rational availability of information to the operator,
minimizing the amount of alarms and increasing plant reliability.

6.2.2.2 The processing strategies shall be implemented based on knowledge of the plant and
equipment in order to always take them to a better state of operational reliability.

6.2.2.3 Processing Strategies

6.2.2.3.1 Alarms Associated with Automatic ON-OFF Controls

Actions associated with automatic on-off controls of equipment or with open-close (“ON-OFF”) valves shall
operate according to the following strategy: when the equipment is controlled and it properly responds
to the command, no alarm shall be activated. This action shall be characterized as an event.

EXAMPLE 1

Automatic start up of a backup pump - when a backup pump starts automatically due to low
pressure at the output, the low pressure alarm shall be announced only after an adjustable
time, which considers the pressure recovery transient caused by the pump start up. If the
pressure is not restored after this time, the alarm shall be announced. The operating status of
the backup pump shall be announced as an event.

EXAMPLE 2

Automatic liquid drainage in vessels - when a controller commands the valve opening due to
a high level in a vessel, neither the command nor the valve opening itself shall generate an
alarm; the alarm shall be announced in case the valve is not opened after an expected time,
or if the level reaches a value above the setpoint value for automatic opening of the valve.

6.2.2.3.2 Alarms Configured in the same Variable

6.2.2.3.2.1 When there are two levels of alarms for the same process variable, the second alarm shall
suppress the first. Thus, high-high (HH) alarms shall suppress high (H) alarms, and low-low (LL)
alarms shall suppress low (L) alarms.

6.2.2.3.2.2 This suppression shall be applied for two alarms associated with one single instrument.

6.2.2.3.2.3 The acknowledgement of a high-high (HH) or low-low (LL) alarm shall imply the
acknowledgement of the High (H) or Low (L) alarms, respectively.


[Figure 2 - Example of Suppression of Alarms Configured in one Single Variable: PV plotted against time, with the HH level marked.]

6.2.2.3.2.4 In Figure 2, the evolution of the process variable (PV) is shown. As time goes by, the PV
value goes from normal to high (H) then to high-high (HH), and returns to high (H) and normal:

— when the process variable reaches the high value, the H alarm will be announced;
— when it reaches the high-high value, the HH alarm shall be announced, and the H alarm
shall be suppressed;
— when the condition for the HH alarm annunciation ceases to exist, the H alarm is
announced once again;
— when the value returns to normal, the H alarm shall no longer be announced.
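The sequence of 6.2.2.3.2.4 as a small state machine, including the acknowledgement rule of 6.2.2.3.2.3. This is an added example, not part of the Standard; it goes slightly beyond Figure 2 by also applying the alarm deadband of 3.9 on return, and the setpoints, deadband and PV trace are constructed values.

```python
class TwoLevelHighAlarm:
    """H and HH alarms on one process variable, with HH suppressing H."""

    def __init__(self, h_setpoint, hh_setpoint, deadband):
        self.setpoints = {"H": h_setpoint, "HH": hh_setpoint}
        self.deadband = deadband
        self.active = {"H": False, "HH": False}   # alarm condition present
        self.acked = {"H": False, "HH": False}    # operator has acknowledged

    def _evaluate(self, level, pv):
        sp = self.setpoints[level]
        if not self.active[level] and pv >= sp:
            self.active[level] = True
            self.acked[level] = False
        elif self.active[level] and pv < sp - self.deadband:
            # Return to normal only once PV has left the deadband (3.9).
            self.active[level] = False
            self.acked[level] = False

    def update(self, pv):
        """Feed one PV sample; returns the level shown to the operator."""
        for level in ("H", "HH"):
            self._evaluate(level, pv)
        return self.annunciated()

    def annunciated(self):
        # 6.2.2.3.2.1: while HH is present, H is suppressed.
        if self.active["HH"]:
            return "HH"
        return "H" if self.active["H"] else None

    def acknowledge(self):
        # 6.2.2.3.2.3: acknowledging HH also acknowledges H.
        level = self.annunciated()
        if level == "HH":
            self.acked["HH"] = self.acked["H"] = True
        elif level == "H":
            self.acked["H"] = True

    def needs_acknowledgement(self):
        level = self.annunciated()
        return level is not None and not self.acked[level]


# Constructed PV trace: normal -> H -> HH -> back to H -> normal.
SAMPLE_PV = [70, 79, 81, 85, 91, 95, 89, 87.5, 85, 79, 77, 70]


def trace(pv_samples, ack_at=None):
    """Run the trace; optionally acknowledge after sample index `ack_at`."""
    alarm = TwoLevelHighAlarm(h_setpoint=80, hh_setpoint=90, deadband=2)
    shown = []
    for i, pv in enumerate(pv_samples):
        level = alarm.update(pv)
        if i == ack_at:
            alarm.acknowledge()
        shown.append((level, alarm.needs_acknowledgement()))
    return shown


if __name__ == "__main__":
    for pv, state in zip(SAMPLE_PV, trace(SAMPLE_PV, ack_at=5)):
        print(pv, state)
```
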

6.2.2.3.3 Deviation Alarms

6.2.2.3.3.1 When a measuring point has more than one sensor, it is recommended to set up the detection
of differences between these measurements. [Recommended Practice]

6.2.2.3.3.2 These deviations shall be characterized as alerts when the response time is
undetermined. The setting value for the detection of the deviation between the sensors shall consider
the maximum uncertainty between instruments and the need for timer filters in order to prevent
nuisance alarms.

6.2.2.3.4 Discrepancy Alarms

Alarms shall be configured to detect inconsistency between the command and its actuation.

EXAMPLE 1

Failure on the motor start-up command shall be considered as a discrepancy alarm.

EXAMPLE 2

Failure on the command of control or "ON-OFF" valves shall be considered as a discrepancy
alarm, as well as a spurious closing or opening.


NOTE The indication associated with limit switches of control or "ON-OFF" valves shall not be
configured as an alarm when the indication is in accordance with the command issued. This
shall be part of the plant’s event list.

6.2.2.3.5 Alarms for Instrument or System Failure

6.2.2.3.5.1 The priority of alarms associated with the failure of the sensor or transmitter shall be set
considering the service performed by this instrument. [Recommended Practice]

6.2.2.3.5.2 An interface shall be provided to indicate all the instruments in the failure state, sorted by
the priority of the alarm associated with each instrument. [Recommended Practice]

6.2.2.3.5.3 CPU failures and communication failures between digital systems shall be kept as alarms.

6.2.2.3.6 Package Unit Alarms

Only the alarms or a summary of alarms that require an action of the control room operator shall be
issued from the equipment supplied by third parties (e.g. compressors) to the alarm list in the BPCS.

6.2.2.3.7 Alarms and Equipment State

6.2.2.3.7.1 Alarms shall be set according to the state of a piece of equipment. The following states
may be characterized for a piece of equipment: start-up, steady operation, shutdown and out-of-
service. Thus, alarms that apply just to the equipment under steady operation shall be suppressed
when it is in the start-up, shutdown or out-of-service state. [check ISA 18.2 - states]

6.2.2.3.7.2 The detection of the steady operating condition of a piece of equipment may be automatic,
according to one or more operational variables, or may be informed by the operator.

EXAMPLE 1

A furnace in out-of-service state shall not alarm lack of feed.

EXAMPLE 2

The lack of flame on pilots and burners of a furnace or boiler shall alarm only after an actual
demand of flame.

EXAMPLE 3

An overcurrent alarm on pump motors shall be suppressed for a predetermined time during
the start-up of the pump.

EXAMPLE 4

Undue shutdown of a pump shall generate an alarm associated with the abnormality which
caused the shutdown. The pump shutdown initiated by the operator shall not generate any
alarm.

6.2.2.3.8 Alarms Associated with Redundant Instruments

Alarms generated by redundant instruments shall be displayed as a single alarm when the abnormal
condition occurs. All alarms, however, shall be registered.


EXAMPLE

When, for a single variable, there is one instrument associated with a control loop and 3
instruments associated with the SIS (for example: sensors in a 2oo3 voting scheme), a
single alarm shall be announced when any of those instruments indicates the abnormal
situation. Detail screens may, however, display all the alarms associated with each
instrument.

6.2.2.3.9 Alarms and SIS

Alarms preceding a trip event, and related to the trip, shall be suppressed when the trip occurs.

6.2.2.3.10 Related Alarms

When two or more alarms are closely related, only one of them shall be announced.

EXAMPLE

Of the low flow rate and low pressure alarms in the pump discharge, suppress whichever is
generated second if there is only one operational action to treat both alarms.

6.2.2.3.11 Deadband

Deadbands are recommended to reduce the number of nuisance alarms. The values for these bands
are an initial reference and are suggested according to the process variable. The reference values for
deadbands are described in ANSI ISA 18.2. Adjustments shall be performed in these values based on
operational experience.

6.2.2.3.12 Timer Filters

6.2.2.3.12.1 Two parameters shall be considered for timer filters: one for the annunciation
(on-delay) and another for removing the annunciation (off-delay).

6.2.2.3.12.2 This filtering mechanism shall be treated as distinct from the mechanism that performs
the filtering of noise signals in transmitters.

6.2.2.3.12.3 The reference value for all types of variables measured is 5 s, and may be different for
the annunciation or removal of the annunciation.

6.2.2.3.12.4 The values of these filters are an initial reference. Adjustments on values shall be
performed based on operational experience, especially in terms of response time available for the
operator.
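The effect of 6.2.2.3.11 and 6.2.2.3.12 on a chattering signal can be shown with a short Python model. This is an added example, not part of the Standard: the class and function names, the 80.0 setpoint, the 1.0 deadband and the sample values are constructed assumptions, and only the 5 s delay comes from 6.2.2.3.12.3.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class FilteredHighAlarm:
    """High alarm with a deadband and separate on-delay / off-delay timers."""
    setpoint: float
    deadband: float            # constructed value; the Standard defers to ANSI ISA 18.2
    on_delay_s: float = 5.0    # 5 s reference value from 6.2.2.3.12.3
    off_delay_s: float = 5.0
    active: bool = False       # annunciated state seen by the operator
    _since: Optional[float] = None  # when the raw condition began to differ from `active`

    def update(self, t: float, pv: float) -> bool:
        # Deadband: an active alarm clears only once pv falls below setpoint - deadband.
        limit = self.setpoint - self.deadband if self.active else self.setpoint
        raw = pv > limit
        if raw == self.active:
            self._since = None          # condition agrees with state: cancel pending timer
            return self.active
        if self._since is None:
            self._since = t
        delay = self.on_delay_s if raw else self.off_delay_s
        if t - self._since >= delay:    # condition persisted for the whole delay
            self.active, self._since = raw, None
        return self.active

def annunciations(samples, alarm):
    """Count transitions into the annunciated state over (time_s, pv) samples."""
    count, prev = 0, alarm.active
    for t, pv in samples:
        now = alarm.update(t, pv)
        count += int(now and not prev)
        prev = now
    return count

# Constructed signal, 1 s sampling: chatter around the setpoint, then a real excursion.
PV = [79.6, 80.3, 79.7, 80.4, 79.8, 80.2, 79.5,          # chatter, t = 0..6
      81.0, 81.5, 82.0, 82.1, 82.0, 81.8, 81.9, 82.2,    # sustained high, t = 7..14
      79.4, 78.0, 77.5, 77.0, 76.8, 76.5, 76.0, 75.5]    # recovery, t = 15..22
SAMPLES = list(enumerate(PV))

def compare():
    """Return (unfiltered, filtered) annunciation counts for the same signal."""
    unfiltered = FilteredHighAlarm(80.0, deadband=0.0, on_delay_s=0.0, off_delay_s=0.0)
    filtered = FilteredHighAlarm(80.0, deadband=1.0)
    return annunciations(SAMPLES, unfiltered), annunciations(SAMPLES, filtered)

if __name__ == "__main__":
    print(compare())
```

The filtered alarm annunciates 5 s after the sustained excursion begins, which is the response time cost that 6.2.2.3.12.4 asks to be weighed when adjusting the delays.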

6.2.2.3.13 Automatic Alarm Acknowledgement

6.2.2.3.13.1 Low priority alarms can be automatically acknowledged by the BPCS, when the condition
for the alarm annunciation no longer exists. [Recommended Practice]

6.2.2.3.13.2 Highest priority alarms shall be acknowledged preferably by the operator.
[Recommended Practice]


6.2.2.3.13.3 Alarms without auto-acknowledgement, when ceasing to be suppressed, can return to the
same state they were in at the moment of the suppression. [Recommended Practice]

6.2.3 Alarm System Interface Design Practices

6.2.3.1 The highest priority alarms shall be audibly and visually highlighted from the lowest ones.

6.2.3.2 Critical priority alarms may also be announced in the same way as the high priority ones
according to criteria used in the plant.

6.2.3.3 The use of alarm annunciator panels, directly connected to the controller's output module,
is suggested for the critical priority alarms of the plant. [Recommended Practice]

6.2.3.4 The alarm list shall be separated from the event list in the HMI and shall contain the alarms of
all priorities.

6.2.3.5 The alarms shall be listed per state, starting with unacknowledged alarms and sorted
chronologically. It shall also be possible to filter or sort them by priority, state, group and
type of alarm.

EXAMPLE

Alarm groups: control and instrument system alarms, alarms due to instrument failure, process
alarms, etc.

6.2.3.6 The annunciation of the alerts shall be inserted in the alarm list. In case of sorting by priority,
the alerts shall be listed after the low-priority alarms. The annunciation of the alert shall have a visual
and audible treatment different from that of the alarm.

6.2.3.7 The indication of an instrument or equipment failure shall be configured as an alarm or alert,
depending on the urgency to call up the maintenance team.

6.2.3.8 Out-of-service and under maintenance instrument alarms shall be grouped. The inclusion in
this group shall be controlled.

6.2.3.9 Alarms shall also be grouped and presented filtered by area of the plant. These groups can be
presented in different operation stations depending on how the operation responsibility of the various
areas of the plant is distributed.

EXAMPLE 1

In production plants, the following groups may be implemented per operational station:

— Production and Fire&Gas;
— Facilities and Fire&Gas;
— Ship and Fire&Gas.

EXAMPLE 2

In refinery plants, the following groups may be implemented per operational station:

— Distillation Unit;
— FCC Unit;
— Utilities;
— Tanking.


6.2.3.10 For upstream plants, alarms shall also be grouped according to the emergency shutdown
(ESD) levels of the oil platforms. These alarms are:

— ESD-3 alarms, fire and gas and other alarms that are identified as critical priority ones;
— alarms that precede the occurrence of the ESD-2, identified as high priority alarms;
— ESD-2 and ESD-1 alarms, identified as medium priority alarms;
— other alarms identified as low priority ones.

6.2.3.11 The alarm message shall be clear and guide the operator's attention to the problem that
needs to be treated. Pop-up windows shall not be used to display the alarms, since a large number of
windows might compromise the identification of the problem.

6.2.3.12 The messages shall contain at least the following information: date, time, TAG, description,
the alarm priority and alarm state, according to the ANSI ISA 18.2 standard.

6.2.3.13 The description shall inform the location in the plant or equipment, and the equipment
service in the plant. Abbreviations, when used, shall be standardized and applied uniformly throughout
the plant.

6.2.3.14 Standard colors and terminologies shall be adopted for the alarms, in order to reduce
diversity. Static and non-animated information shall be configured with soft colors. Alarm
information shall have stronger colors so that abnormalities can be detected through contrast.

6.2.3.15 Alarm messages shall not blink, since blinking makes them difficult to read clearly.

6.2.3.16 Distinct interfaces shall be provided for alarms with different people in charge.

EXAMPLE

Alarms whose action is the responsibility of the operation team, and alarms whose action is
the responsibility of the maintenance team.

6.2.3.17 The alarm and its corresponding acknowledgment shall be made available on all consoles
associated with the monitoring of the same plant.

6.2.3.18 Alarms removed from the alarm summary by shelving shall also be listed on a separate
interface and be presented with the same features of the alarms listed in the main summary.

6.2.3.19 Flexibility to hide the TAG of equipment and tools through an operational command shall be
considered, in order to decrease the amount of information in the HMI. [Recommended Practice]

6.3 Commissioning and Training

6.3.1 Tests on the alarm system shall be performed during the instruments commissioning in the
BPCS. These tests shall involve verification of the alarm’s actuation for the respective configured
setpoint and the suppression strategies.

6.3.2 The training described in 6.3.2.1 and 6.3.2.2 shall be considered.

6.3.2.1 Management Philosophy and Rationalization of Alarms Applied to the Design
[Recommended Practice]


This training is recommended for:

— operators, process and instrumentation/automation design technicians;
— operational monitoring technicians (engineers and operators);
— systems integration and implementation technicians;
— instrumentation and automation maintenance technicians.

6.3.2.2 Statistical Alarm Analysis System [Recommended Practice]

This training is recommended for:

— operators;
— operational monitoring technicians (engineers and operators).

6.4 Operation and Monitoring

6.4.1 Statistical alarm analysis shall be part of the operational routine, and its monitoring frequency
shall take place at least once a month.

6.4.2 The main indicators to be assessed during the alarm system operation are:

— the bad actors per period of time (every ten minutes, hour, day, week, and month) per
operational station;
— average duration of each alarm;
— distribution of alarms per group;
— distribution of alarms per priority;
— alarm floods;
— number of unacknowledged alarms;
— number of suppressed alarms.

6.4.3 From these data, actions shall be taken to achieve the metrics specified in this Standard and in
ANSI ISA 18.2 (item related to the performance metrics of an Alarm System). In case of divergence,
the metrics listed in this Standard shall prevail.
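Several of the indicators in 6.4.2 can be computed directly from an alarm journal, as in the following Python code. It is an added example, not part of the Standard: the record layout, station names, tags and the flood threshold of 10 activations per ten-minute window are constructed assumptions, and "bad actors" is taken here to mean the most frequently activating tags.

```python
from collections import Counter

# Constructed alarm journal: (activation time in s, station, tag, priority, acknowledged).
JOURNAL = (
    [(t, "OS-1", "LAH-101", "low", True) for t in range(0, 600, 50)]  # chattering tag
    + [(630, "OS-1", "PAH-205", "high", False),
       (1300, "OS-1", "TAH-310", "medium", True),
       (200, "OS-2", "FAL-402", "low", True),
       (900, "OS-2", "PAH-205", "high", False)]
)

def indicators(journal, window_s=600, flood_threshold=10, top_n=3):
    """Compute review indicators from alarm activation records.

    flood_threshold is an assumed parameter: a (station, window) pair counts as a
    flood when it holds more activations than this value.
    """
    # Activations per operational station per window (default: ten minutes).
    per_window = Counter((station, t // window_s) for t, station, *_ in journal)
    return {
        "per_window": dict(per_window),
        "floods": sorted(k for k, n in per_window.items() if n > flood_threshold),
        "bad_actors": Counter(tag for _, _, tag, *_ in journal).most_common(top_n),
        "by_priority": dict(Counter(rec[3] for rec in journal)),
        "unacknowledged": sum(1 for rec in journal if not rec[4]),
    }

if __name__ == "__main__":
    for name, value in indicators(JOURNAL).items():
        print(name, value)
```

A single chattering tag is enough to produce the flood in the first window of station OS-1, which is why the bad actor list is usually the first thing reviewed.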

6.5 Management of Change, Maintenance and Audit

6.5.1 Any required changes concerning setpoint values, alarm suppression, cancellation or inclusion
of an alarm, strategies of digital system configuration, etc., shall be controlled.

6.5.2 The responsibility for the alarm system performance shall be assigned to the operational team,
and may be shared with the process, automation and maintenance teams. An operational group shall
be formed with members from each discipline, for performance monitoring, corrective actions
implementation and improvements in the alarm system.

6.5.3 A group to manage the alarm system shall be created to ensure that the philosophy and
practices adopted are uniformly applied in all existing plants and for those that may be designed in the
future for the Unit.

6.5.4 Periodic audits shall be conducted in order to check the philosophies and practices in use or
even to identify the need to review them against feedback from the design, operation and
maintenance areas.


Annex A - Determination of Severity due to Financial and Asset Losses

A.1 Minor Operational Disturbances or Reduced or Negligible Equipment Damages

Examples of minor operational disturbances:

— off-specification production;
— small amounts of fluid relief.

Examples of reduced equipment damage:

— cavitation of conventional pumps;
— possibility of moderate or severe damage to essential or non-essential equipment caused
by long duration events that do not require fast operator intervention.

A.2 Moderate Operational Disturbances or Moderate Equipment Damages

Examples of moderate operational disturbances:

— disturbance in the utilities area affecting other areas, such as liquid injection into gas
streams for the fuel gas system;
— large quantities of fluid relief;
— reduction of production or feed in the unit for up to 60 minutes.

Examples of moderate equipment damage:

— damage to non-essential equipment without backup;
— need for low-cost repairs to essential equipment with backup.

A.3 Major Operational Disturbances or Severe Equipment Damages

Examples of major operational disturbance:

— abrupt relief of large amounts of mass causing violent release of energy, such as sudden
depressurization in high pressure systems;
— overflow of process fluids;
— complete or partial production shutdown for less than 60 minutes.

Examples of severe equipment damage:

— cavitation in high-speed pumps or multistage pumps;
— need for costly repairs to essential equipment with backup;
— need for low-cost repairs to essential equipment without backup.

A.4 Production Loss Associated with Damage to Essential Equipment

Examples of loss of production:

— over temperature in out of control exothermic reactions;


— over pressure in systems where the safety loop is the final protection device, due to the
impossibility of installing a relief and safety device;
— complete shutdown of the plant for undetermined time.

Examples of damage to essential equipment:

— explosion of furnaces and boilers;
— mechanical damage to compressors without backup, due to the passage of fluid;
— solidification of products within large dimension lines requiring expensive corrective
actions;
— need for expensive repairs to essential equipment without backup.


Annex B - Procedure for Alarms Rationalization

Start the alarm rationalization.

Describe the following alarm data:

— tag;
— alarm type;
— possible causes; and
— possible impacts.

Is there at least one action that the operator shall execute to treat this alarm?
N: Treat as an EVENT.

Describe the actions that shall be taken by the operator so that the condition that activated the
alarm returns to its normal condition. [connector 4]

Is the time for the operator to execute the necessary actions lower than one minute?
Y: Implement an automatic action.

Select, on the “Response Time Table”, the time necessary for the operator to execute all actions.

[connectors 1 and 2]

Is the response time longer than one hour?
Y: Treat as an ALERT.

Select the priority on the table “Damage to Production/Equipment” considering the defined response
time.

Select the priority on the table “Damage to Environment” considering the defined response time.

Select the priority on the table “Damage to People” considering the defined response time.

The alarm’s priority shall be the major priority found among the three priorities previously
identified (production/equipment, environment, people).

[connectors 3 and 2]

Is alarm suppression allowed?
N: Document the alarm that does not allow suppression.

Inform the suppression’s strategy.

Is the alarm setpoint value too close to the operation’s setpoint and can this provoke more frequent
activations of the alarm?
Y: Alter the alarm setpoint.
N [connector 4]

Conclude the alarm rationalization.

Figure B.1 - Procedure for Alarm Rationalization
